
mace-opensaml-users - [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail

Subject: OpenSAML user discussion


  • From: Jean-Michel Tremblay <>
  • To:
  • Subject: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
  • Date: Fri, 22 Oct 2010 11:39:17 -0400 (EDT)

Hi,

I'm using OpenSAML 2.4.0 (Java) to generate SAML 2.0 requests and responses
back and forth between my junit test and my actual SAML service (also using
OpenSAML).

Both requests and responses are signed. Signature validation works well in
all cases so far except when a response contains an AttributeValue of type
XSString or XSInteger, in which case PKIXSignatureTrustEngine's validate()
method returns false. An attribute without value doesn't cause any problem.
And the same AttributeValue element with no "type" (no XML attribute) works
fine as well.

The attribute statement is marshalled like this:

<saml2:AttributeStatement>
  <saml2:Attribute Name="IsAccountIdLookup"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <saml2:Attribute Name="PartnerId"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:integer">32767</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

Removing this part (before signing) works fine:

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:integer"

The AttributeValue generation code looks like this:

import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.xml.schema.XSInteger;
import org.opensaml.xml.schema.impl.XSIntegerBuilder;

// builderFactory is the XMLObjectBuilderFactory returned by
// org.opensaml.Configuration.getBuilderFactory() after bootstrapping OpenSAML.
private XSInteger makeAttributeValue(Integer value) {
    XSIntegerBuilder integerBuilder =
        (XSIntegerBuilder) builderFactory.getBuilder(XSInteger.TYPE_NAME);
    // Builds a <saml2:AttributeValue> element that carries xsi:type="xs:integer",
    // which is the attribute value that references the "xs" prefix.
    XSInteger intValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME,
                                                    XSInteger.TYPE_NAME);
    intValue.setValue(value);
    return intValue;
}

The response (with some parts replaced with ...) looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  Destination="http://localhost:8480/aaa/services/SAML2/SSO/POST/Response"
  ID="_306bf472-0d00-40df-bf56-6ba96749cffc"
  InResponseTo="_6e7576c1-da97-4bca-ac7f-f201cff39a78"
  IssueInstant="2010-10-22T15:21:30.248Z" Version="2.0">
  <saml2:Issuer
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:...:saml:2.0</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <ds:Reference URI="#_306bf472-0d00-40df-bf56-6ba96749cffc">
        <ds:Transforms>
          <ds:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>vflK1H4IHlQwPHv0/Wtx+DoiVA8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509SubjectName>...</ds:X509SubjectName>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_9efae415-ae5c-4052-90e3-0d34799e32d6"
    IssueInstant="2010-10-22T15:21:30.249Z" Version="2.0">
    <saml2:Issuer>urn:...:saml:2.0</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">DummyAuthex</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
          InResponseTo="_6e7576c1-da97-4bca-ac7f-f201cff39a78"
          NotBefore="2010-10-22T15:21:30.251Z" NotOnOrAfter="2010-10-22T15:23:30.251Z"
          Recipient="urn:...:saml:2.0"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2010-10-22T15:21:30.252Z"
      SessionIndex="8a59e200-29c2-4a01-bfcf-2e79f72aba80">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="IsAccountIdLookup"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <saml2:Attribute Name="PartnerId"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:integer">32767</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Any help would be appreciated.

-JMT
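The mechanism behind the symptom in this post is the "visibly utilized" rule of Exclusive XML Canonicalization: a namespace declaration is only emitted where its prefix appears in an element or attribute name, so a prefix that occurs only inside an attribute value, as the "xs" in xsi:type="xs:integer" does, is not visible and its declaration is dropped unless the signer lists it in an InclusiveNamespaces PrefixList (the response above carries PrefixList="xs" for exactly that reason). Signer and verifier must apply the same rule, or the Reference digest they compute over the same subtree differs and validation fails. The following illustration is added here and is not code from the post or from OpenSAML. It assumes Python 3.8+ and uses the standard library's C14N 2.0 implementation as a stand-in: like Exclusive C14N it emits declarations only where used, and its qname_aware_attrs option plays the role of the PrefixList for attribute values (C14N 2.0 places the surviving declaration on the element that uses the prefix, Exclusive C14N 1.0 on the apex element, but the digest argument is the same). The sample document is a constructed cut-down copy of the AttributeStatement from the post, with xmlns:xs declared on an ancestor as in the real Response.

```python
import hashlib
from xml.etree import ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not the post's full Response): the "xs" prefix is
# declared on the root only and is referenced solely inside xsi:type.
SAMPLE = f"""<root xmlns:xs="{XS}">
<saml2:AttributeStatement xmlns:saml2="{SAML2}">
<saml2:Attribute Name="PartnerId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xsi="{XSI}" xsi:type="xs:integer">32767</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</root>"""


def canonicalize(xml_text: str, keep_value_prefixes: bool) -> str:
    """Canonical form of xml_text.

    keep_value_prefixes=True tells the canonicalizer that xsi:type holds a
    QName, so the prefix in its value counts as used and its declaration is
    kept; this is the analogue of listing "xs" in InclusiveNamespaces.
    With False, the value is opaque text and xmlns:xs is dropped.
    """
    options = {"strip_text": True}
    if keep_value_prefixes:
        options["qname_aware_attrs"] = {f"{{{XSI}}}type"}
    return ET.canonicalize(xml_text, **options)


def digest(canonical: str) -> str:
    """Hex SHA-256 over the canonical octets, as a ds:Reference digest is computed."""
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def declares_xs(canonical: str) -> bool:
    """True if the canonical form still carries the xs namespace declaration."""
    return f'xmlns:xs="{XS}"' in canonical


def reference_checks(signer_keeps_prefix: bool, verifier_keeps_prefix: bool) -> bool:
    """Emulate the digest comparison of a ds:Reference: the signer hashes its
    canonical form, the verifier recomputes the hash over its own.  Any
    difference in namespace handling between the two shows up as a mismatch,
    which is what a validate() returning false looks like from the outside."""
    signed = digest(canonicalize(SAMPLE, signer_keeps_prefix))
    recomputed = digest(canonicalize(SAMPLE, verifier_keeps_prefix))
    return signed == recomputed


if __name__ == "__main__":
    for keep in (False, True):
        form = canonicalize(SAMPLE, keep)
        print(f"prefix in xsi:type counted as used: {keep}; "
              f"xs declared: {declares_xs(form)}; sha256: {digest(form)[:16]}...")
        print(form)
    print("signer with PrefixList, verifier without:", reference_checks(True, False))
    print("both sides agree:", reference_checks(True, True))
```

Running the block prints the two canonical forms side by side: without QName awareness the output contains xsi:type="xs:integer" but no declaration for xs at all (the prefix is dangling), with it the declaration reappears next to the element that uses it. The digests differ, so a signer and verifier that disagree on the treatment of the prefix can never agree on the Reference digest, regardless of the key or signature algorithm. When debugging a failure like the one reported, comparing the canonical octets the verifier actually hashed against those the signer produced is the quickest way to see which namespace declaration moved or disappeared between signing and verification.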


