mace-opensaml-users - Re: Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
Subject: OpenSAML user discussion
- From: JM Tremblay <>
- To:
- Subject: Re: Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
- Date: Tue, 2 Nov 2010 15:57:22 -0400
Ok, sorry. With "log4j.logger.org.apache.xml.security=DEBUG", I do see extra end-of-lines before and after the <ec:InclusiveNamespaces> element in the "Canonicalized SignedInfo". That doesn't look right.
Decoded:
2010-11-02 15:40:35.713 [DEBUG] (main) org.apache.xml.security.utils.SignerOutputStream - Canonicalized SignedInfo:
2010-11-02 15:40:35.713 [DEBUG] (main) org.apache.xml.security.utils.SignerOutputStream - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod><ds:Reference URI="#_91da63dc-d7cb-41da-a4fc-38ad3961d7fd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces>
</ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>AatpaNfl3oViZ62EdVuSZdxQYUw=</ds:DigestValue></ds:Reference></ds:SignedInfo>
Encoded:
2010-11-02 15:40:35.607 [DEBUG] (29686429@qtp-1119464-7) org.apache.xml.security.utils.SignerOutputStream - Canonicalized SignedInfo:
2010-11-02 15:40:35.607 [DEBUG] (29686429@qtp-1119464-7) org.apache.xml.security.utils.SignerOutputStream - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod><ds:Reference URI="#_91da63dc-d7cb-41da-a4fc-38ad3961d7fd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>AatpaNfl3oViZ62EdVuSZdxQYUw=</ds:DigestValue></ds:Reference></ds:SignedInfo>
Now I need to figure out if I have any control over that.
-JM
On Tue, Nov 2, 2010 at 3:29 PM, Scott Cantor <> wrote:
> > Do the logs help? I can step in the code now in Eclipse, so maybe there's
> > something I should look for?
>
> The signature debugging page in the wiki discusses the issues, you need to
> get access to the digest octets on both ends and compare them. Nothing else
> is relevant unless somebody eyeballs an issue in the XML and gets lucky.
>
> -- Scott
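Added example, not part of the original thread and not OpenSAML code: a byte-level comparison of two canonicalized octet streams, showing that line breaks around `ec:InclusiveNamespaces` survive canonicalization and change the hash. Assumptions: the XML is a constructed, shortened stand-in for the logged SignedInfo; Python's standard library implements C14N 2.0 rather than the C14N 1.0 algorithm named in the log (both preserve whitespace text nodes by default); SHA-512 is used because the logged SignatureMethod is rsa-sha512; the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed, shortened stand-in for the logged SignedInfo: one Transform
# element, serialized without and with line breaks around InclusiveNamespaces.
EC = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENCODED = (
    '<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    f'Algorithm="{EC}">'
    f'<ec:InclusiveNamespaces xmlns:ec="{EC}" PrefixList="xs"/>'
    "</ds:Transform>"
)
DECODED = ENCODED.replace("<ec:", "\n<ec:").replace("/></ds:", "/>\n</ds:")


def c14n_octets(xml_text):
    """Return the canonical octet stream that a digest would be taken over."""
    return ET.canonicalize(xml_data=xml_text).encode("utf-8")


def first_divergence(a, b):
    """Offset of the first differing octet, or -1 when the streams are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def compare(signer_xml, verifier_xml, context=16):
    """Hash both canonical forms and show the octets around the first mismatch."""
    a, b = c14n_octets(signer_xml), c14n_octets(verifier_xml)
    at = first_divergence(a, b)
    lo = max(at - context, 0)
    return {
        "match": at == -1,
        "offset": at,
        "signer_sha512": hashlib.sha512(a).hexdigest(),
        "verifier_sha512": hashlib.sha512(b).hexdigest(),
        "signer_octets": a[lo:at + context] if at >= 0 else b"",
        "verifier_octets": b[lo:at + context] if at >= 0 else b"",
    }


if __name__ == "__main__":
    for key, value in compare(ENCODED, DECODED).items():
        print(f"{key}: {value!r}")
```

The reported offset points at the first inserted line break, which is the kind of evidence that narrows the search to whatever re-serialized the element between signing and validation.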