
mace-opensaml-users - Re: Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail

Subject: OpenSAML user discussion

  • From: Jean-Michel Tremblay <>
  • Subject: Re: Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
  • Date: Tue, 2 Nov 2010 14:56:47 -0400 (EDT)

(Sorry for late reply, I was finalizing the rest of the code.)

Yes, both the signing and validating parts use OpenSAML Java.

I tried the three other canonicalization algorithms
(SignatureConstants.ALGO_ID_C14N*), and I get the same error.

Here's the log on the validating side:
2010-11-02 14:26:07.407 [DEBUG] (main) org.opensaml.xml.signature.impl.SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
2010-11-02 14:26:07.407 [DEBUG] (main) org.opensaml.xml.signature.impl.SignatureUnmarshaller - Constructing Apache XMLSignature object
2010-11-02 14:26:07.407 [DEBUG] (main) org.opensaml.xml.signature.impl.SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
2010-11-02 14:26:07.407 [DEBUG] (main) org.opensaml.xml.signature.impl.SignatureUnmarshaller - Adding KeyInfo to Signature
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.security.SAMLSignatureProfileValidator - Saw Enveloped signature transform
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.security.SAMLSignatureProfileValidator - Saw Exclusive C14N signature transform
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2010-11-02 14:26:07.412 [DEBUG] (main) org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Attempting to extract credential from an X509Data
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Found 1 X509Certificates
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Found 0 X509CRLs
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.signature.SignatureValidator - Attempting to validate signature using key from supplied credential
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.signature.SignatureValidator - Creating XMLSignature object
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.signature.SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
2010-11-02 14:26:07.415 [DEBUG] (main) org.opensaml.xml.signature.SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2010-11-02 14:26:07.417 [DEBUG] (main) org.opensaml.xml.signature.SignatureValidator - Signature did not validate against the credential's key
2010-11-02 14:26:07.417 [DEBUG] (main) org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
    at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:141)
    at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:99)
    at org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine.validate(PKIXSignatureTrustEngine.java:157)
    at org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine.validate(PKIXSignatureTrustEngine.java:53)
    at com.rp.aaa.service.saml.SamlFacade.isSignatureValid(SamlFacade.java:486)
    at com.rp.aaa.test.integration.saml.SamlSingleSignOnTest.assertMsdpResponse(SamlSingleSignOnTest.java:1390)
    at com.rp.aaa.test.integration.saml.SamlSingleSignOnTest.assertMsdpResponse(SamlSingleSignOnTest.java:1350)
    at com.rp.aaa.test.integration.saml.SamlSingleSignOnTest.testWebLoginLogout_MainCase(SamlSingleSignOnTest.java:300)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:76)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:31)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:46)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
2010-11-02 14:26:07.418 [DEBUG] (main) org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
2010-11-02 14:26:07.418 [DEBUG] (main) org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine - PKIX validation of signature failed, unable to resolve valid and trusted signing key
2010-11-02 14:26:07.418 [ERROR] (main) com.rp.aaa.service.saml.SamlFacade - Signature was either invalid or signing key could not be established as trusted

Here's the log on the encoding side:
2010-11-02 14:26:07.302 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.common.SAMLObjectHelper - Examing signed object for content references with exclusive canonicalization transform
2010-11-02 14:26:07.302 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.common.SAMLObjectHelper - Saw exclusive transform, declaring non-visible namespaces on signed object
2010-11-02 14:26:07.303 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.xml.signature.impl.SignatureMarshaller - Starting to marshall {http://www.w3.org/2000/09/xmldsig#}Signature
2010-11-02 14:26:07.303 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.xml.signature.impl.SignatureMarshaller - Creating XMLSignature object
2010-11-02 14:26:07.303 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.xml.signature.impl.SignatureMarshaller - Adding content to XMLSignature.
2010-11-02 14:26:07.304 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.common.impl.SAMLObjectContentReference - Adding list of inclusive namespaces for signature exclusive canonicalization transform
2010-11-02 14:26:07.304 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.xml.signature.impl.SignatureMarshaller - Creating Signature DOM element
2010-11-02 14:26:07.306 [DEBUG] (30720210@qtp-26267652-7) org.opensaml.xml.signature.Signer - Computing signature over XMLSignature object

The signature looks like this in this case (in the same Response I pasted in
my original post):
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <ds:Reference URI="#_3aced2a3-4714-4db8-abb8-75ee5af15b5e">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>udEl/gp4pPvURLjb0PQfLDW1yws=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509SubjectName>...</ds:X509SubjectName>
      <ds:X509Certificate>...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>

I also sign and validate SSO and SLO requests without problems. Same for SLO
responses. Same for SSO Responses without attributes.

I don't know why, but the problem is really triggered/exposed when a response
contains attributes built from XSString/XSInteger.

To work around the problem, I'm replacing these methods:
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.xml.schema.XSInteger;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.schema.impl.XSIntegerBuilder;
import org.opensaml.xml.schema.impl.XSStringBuilder;

// builderFactory is the OpenSAML XMLObjectBuilderFactory held by the enclosing class.
// Both methods build an <saml:AttributeValue> carrying an xsi:type (xs:string / xs:integer),
// which is what drags the "xs" prefix into the signed content.
private XSString makeAttributeValue(String value) {
    XSStringBuilder stringBuilder =
        (XSStringBuilder) builderFactory.getBuilder(XSString.TYPE_NAME);
    XSString stringValue =
        stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
    stringValue.setValue(value);
    return stringValue;
}

private XSInteger makeAttributeValue(Integer value) {
    XSIntegerBuilder integerBuilder =
        (XSIntegerBuilder) builderFactory.getBuilder(XSInteger.TYPE_NAME);
    XSInteger intValue =
        integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME);
    intValue.setValue(value);
    return intValue;
}

With this one:
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.impl.XSAnyBuilder;

// Untyped replacement: no xsi:type attribute is emitted, so no "xs" prefix appears in the signed content.
private XSAny makeAttributeValue(Object value) {
    XSAnyBuilder xsAnyBuilder =
        (XSAnyBuilder) builderFactory.getBuilder(XSAny.TYPE_NAME);
    XSAny attr = xsAnyBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME);
    attr.setTextContent(value.toString());
    return attr;
}

But I need to support both.

Do the logs help? I can step in the code now in Eclipse, so maybe there's
something I should look for?
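The mechanism behind the two logs above, as an added example that is not part of the thread or of OpenSAML: an AttributeValue built from XSString carries xsi:type="xs:string", so the xs prefix is used only inside an attribute value and is not "visibly utilized" in the canonicalization sense. Whether the signer and the verifier agree on the digest then depends on both sides treating that prefix the same way, which is what the InclusiveNamespaces PrefixList="xs" and the "declaring non-visible namespaces on signed object" step are for. The script uses the Python standard library's C14N 2.0 writer (xml.etree.ElementTree.canonicalize), not the Exclusive C14N 1.0 transform in the signature on this page; in C14N 2.0 the analogue of listing a prefix in InclusiveNamespaces is the qname_aware_attrs option. The assertion documents and their values are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not from the thread): an Assertion whose AttributeValue was
# built as an XSString, so it carries xsi:type="xs:string". The "xs" prefix occurs
# only inside that attribute value, never in an element or attribute name.
ASSERTION_XS_ON_ROOT = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xs="{XS_NS}" '
    f'xmlns:xsi="{XSI_NS}" ID="_c0ffee">'
    '<saml:AttributeStatement><saml:Attribute Name="uid">'
    '<saml:AttributeValue xsi:type="xs:string">alice</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)

# Same content, but the producer declared xs on the AttributeValue itself.
ASSERTION_XS_ON_VALUE = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}" ID="_c0ffee">'
    '<saml:AttributeStatement><saml:Attribute Name="uid">'
    f'<saml:AttributeValue xmlns:xs="{XS_NS}" xsi:type="xs:string">alice'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion>'
)


def canonicalize(xml_text: str, qname_aware: bool) -> str:
    """Canonicalize with the stdlib C14N 2.0 writer.

    qname_aware=True tells the canonicalizer that xsi:type holds a QName, so the
    prefix inside it counts as used and its declaration is emitted where it is
    needed. This plays the role that InclusiveNamespaces PrefixList="xs" plays
    for the Exclusive C14N 1.0 transform.
    """
    options = {"strip_text": True}
    if qname_aware:
        options["qname_aware_attrs"] = [f"{{{XSI_NS}}}type"]
    return ET.canonicalize(xml_text, **options)


def digest(xml_text: str, qname_aware: bool) -> str:
    """SHA-1 over the canonical bytes, as a ds:DigestMethod of sha1 would compute."""
    canonical = canonicalize(xml_text, qname_aware).encode("utf-8")
    return hashlib.sha1(canonical).hexdigest()


def verifier_matches(xml_text: str, signer_qname_aware: bool,
                     verifier_qname_aware: bool) -> bool:
    """True when signer and verifier canonicalize the same input to the same bytes."""
    return digest(xml_text, signer_qname_aware) == digest(xml_text, verifier_qname_aware)


def declares_xs(canonical: str) -> bool:
    """Does the canonical form still carry the xs namespace declaration?"""
    return f'xmlns:xs="{XS_NS}"' in canonical


if __name__ == "__main__":
    for label, doc in (("xs declared on root", ASSERTION_XS_ON_ROOT),
                       ("xs declared on value", ASSERTION_XS_ON_VALUE)):
        print(label)
        for aware in (True, False):
            c = canonicalize(doc, aware)
            print(f"  qname_aware={aware!s:5}  digest={digest(doc, aware)}  "
                  f"declares xs={declares_xs(c)}")
    print("signer aware / verifier unaware agree:",
          verifier_matches(ASSERTION_XS_ON_ROOT, True, False))
```

Two things are worth reading off the output. First, with the QName-aware setting the digest is identical no matter where the producer declared xs, so a signer and verifier that both apply it agree; without it, the xs declaration is simply dropped from the canonical form. Second, the mismatch appears only when the two sides disagree about whether that prefix counts, which is the situation a verifier sees as "Signature did not validate against the credential's key" even though the signing key is the right one. With Exclusive C14N 1.0 the PrefixList only helps if the namespace declaration is actually in scope on the signed element when the verifier re-parses the document, which is what OpenSAML's "declaring non-visible namespaces on signed object" step is addressing on the signing side.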


