OpenSAML user discussion

[Chad La Joie <>]

The issue is very common for signatures.  But there isn't anything we 
can do about it in the library.  Something, somewhere, in the processing 
chain has done something bad and there is no way we detect or correct it.

The comment you're referencing is about something else, not the issue 
you're seeing.

On 1/11/11 5:27 AM, Daniel Förberg wrote:
> Well, i have already read trough this Article you suggest. Not yet tough
> carefully compared
> when the digestvalue breaks, before verification. I will do that. This
> usecase is not that
> common or ? Does this have something to do, with the issue we have:
>
> // Unmarshall new tree around DOM to avoid side effects and Apache
> xmlsec bug.
> This comment is from SignatureTest of the OpenSAML source code.
>
> Regards,
>
> Daniel
>
> 2011/1/11 Chad La Joie 
> <
>  
> <mailto:>>
>
>     If you check the opensaml archives you'll see this is a relatively
>     common issues.  Signatures are notoriously brittle (by design
>     really). Something between the moment the signature is created and
>     the moment you verify the signature is corrupting it.  It's going to
>     be impossible for anyone on this list to say where and when that it.
>       So you'll need to do the investigation.
>
>     One place to start would be to look at the Troubleshooting Signature
>     Problems[1] document.  You'll need to get the digest of the
>     signature right after the signature was created and then check it at
>     various spots before it gets to your verification process.  When the
>     digest changes you've found the cause of the problem.
>
>     [1] https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManSigErrors
>
>
>     On 1/11/11 5:04 AM, Daniel Förberg wrote:
>
>         Well the the signature generation and verification of the Assertions
>         isolated works perfectly fine.
>         When adding the 3 Assertions into a SOAP  Header of a SOAP
>         Enevelope,
>         whithout formatting
>         the content. The Assertions are extracted from the Actual SOAP
>         Message
>         in an Interceptor
>         to front the Service Producer using CXF. When the verification is
>         performed Using a TrustEngine,
>         the Error message is "Signature Hash does not match signed
>         content". Any
>         clue, to be able
>         to verify the Signature correctly? I followed all tips and
>         instruction
>         on the OpenSAML without any
>         result yet. Thanks in advance.
>
>
>     --
>     Chad La Joie
>     http://itumi.biz
>     trusted identities, delivered

--
Chad La Joie
http://itumi.biz
trusted identities, delivered