OpenSAML user discussion

[Daniel Förberg <>]

Well, i have already read trough this Article you suggest. Not yet tough carefully compared
when the digestvalue breaks, before verification. I will do that. This usecase is not that
common or ? Does this have something to do, with the issue we have:

// Unmarshall new tree around DOM to avoid side effects and Apache xmlsec bug.
This comment is from SignatureTest of the OpenSAML source code.

Regards,

Daniel

2011/1/11 Chad La Joie <>

If you check the opensaml archives you'll see this is a relatively common issues.  Signatures are notoriously brittle (by design really). Something between the moment the signature is created and the moment you verify the signature is corrupting it.  It's going to be impossible for anyone on this list to say where and when that it.  So you'll need to do the investigation.

One place to start would be to look at the Troubleshooting Signature Problems[1] document.  You'll need to get the digest of the signature right after the signature was created and then check it at various spots before it gets to your verification process.  When the digest changes you've found the cause of the problem.

[1] https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManSigErrors

On 1/11/11 5:04 AM, Daniel Förberg wrote:

Well the the signature generation and verification of the Assertions
isolated works perfectly fine.
When adding the 3 Assertions into a SOAP  Header of a SOAP Enevelope,
whithout formatting
the content. The Assertions are extracted from the Actual SOAP Message
in an Interceptor
to front the Service Producer using CXF. When the verification is
performed Using a TrustEngine,
the Error message is "Signature Hash does not match signed content". Any
clue, to be able
to verify the Signature correctly? I followed all tips and instruction
on the OpenSAML without any
result yet. Thanks in advance.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered