
mace-opensaml-users - Re: Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail

Subject: OpenSAML user discussion

  • From: JM Tremblay <>
  • Subject: Re: Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
  • Date: Tue, 2 Nov 2010 16:24:36 -0400

Here's the Canonicalized SignedInfo when I don't use XSString attributes. The encoded/decoded SignedInfos match and don't have (require) any ec:InclusiveNamespaces element. That explains why the "xs" attributes trigger the problem.

2010-11-02 16:12:16.442 [DEBUG] (main) org.apache.xml.security.utils.SignerOutputStream  - Canonicalized SignedInfo:
2010-11-02 16:12:16.443 [DEBUG] (main) org.apache.xml.security.utils.SignerOutputStream  - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod><ds:Reference URI="#_2c0d4932-8ef2-4c76-bb16-002af7116998"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>cengJGzybQWVvmDYUmDRF42t8pw=</ds:DigestValue></ds:Reference></ds:SignedInfo>

2010-11-02 16:11:40.725 [DEBUG] (14534444@qtp-3324757-7) org.apache.xml.security.utils.SignerOutputStream  - Canonicalized SignedInfo:
2010-11-02 16:11:40.725 [DEBUG] (14534444@qtp-3324757-7) org.apache.xml.security.utils.SignerOutputStream  - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod><ds:Reference URI="#_2c0d4932-8ef2-4c76-bb16-002af7116998"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>cengJGzybQWVvmDYUmDRF42t8pw=</ds:DigestValue></ds:Reference></ds:SignedInfo>

JM
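
The comparison made in the message above can be scripted. This is an added example, not part of the original post or of OpenSAML: it extracts each canonicalized SignedInfo from xmlsec DEBUG output in the layout quoted above, compares the signer-side and verifier-side bytes, and reports any InclusiveNamespaces PrefixList. The function names and the sample log are constructed for illustration.

```python
import hashlib
import re

# Layout of the quoted DEBUG lines: timestamp, level, (thread), logger, " - ", body.
LINE = re.compile(r"^\S+ \S+ \[DEBUG\] \((?P<thread>[^)]*)\) \S*SignerOutputStream\s+- (?P<body>.*)$")
PREFIXES = re.compile(r'<ec:InclusiveNamespaces\b[^>]*\bPrefixList="([^"]*)"')

def captures(log_text):
    """Return (thread, canonical SignedInfo) for every 'Canonicalized SignedInfo:' marker."""
    found, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m["body"].strip()
        if body == "Canonicalized SignedInfo:":
            pending = m["thread"]          # the next line from this thread holds the bytes
        elif pending == m["thread"]:
            found.append((pending, body))
            pending = None
    return found

def compare(signer, verifier):
    """Byte-level comparison of what was signed against what the verifier rebuilt."""
    a, b = signer.encode(), verifier.encode()
    diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    if diff is None and len(a) != len(b):
        diff = min(len(a), len(b))         # one side is a prefix of the other
    return {
        "match": a == b,
        "first_diff": diff,
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "prefix_lists": (PREFIXES.findall(signer), PREFIXES.findall(verifier)),
    }

def log_line(thread, body):  # builds one constructed line in the layout above
    return f"2010-11-02 16:00:00.000 [DEBUG] ({thread}) org.apache.xml.security.utils.SignerOutputStream  - {body}"

# Constructed sample (not the poster's logs): only the second capture has InclusiveNamespaces.
SI_OPEN = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
INCL = '<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces>'
SI_CLOSE = "</ds:Transform></ds:SignedInfo>"
SAMPLE = "\n".join([
    log_line("main", "Canonicalized SignedInfo:"), log_line("main", SI_OPEN + SI_CLOSE),
    "unrelated line that the parser skips", log_line("qtp-1", "Canonicalized SignedInfo:"),
    log_line("qtp-1", SI_OPEN + INCL + SI_CLOSE),
])

if __name__ == "__main__":
    print(compare(*(body for _, body in captures(SAMPLE))))
```

A `first_diff` offset together with differing `prefix_lists` points at the InclusiveNamespaces element as the place where the two sides diverge.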


