Skip to Content.
Sympa Menu

mace-opensaml-users - Re: [OpenSAML] XML Signature verification issue

Subject: OpenSAML user discussion

List archive

Re: [OpenSAML] XML Signature verification issue


Chronological Thread 
  • From: Chad La Joie <>
  • To:
  • Subject: Re: [OpenSAML] XML Signature verification issue
  • Date: Tue, 11 Jan 2011 05:30:05 -0500
  • Organization: Itumi, LLC

The issue is very common for signatures. But there isn't anything we can do about it in the library. Something, somewhere, in the processing chain has done something bad and there is no way we detect or correct it.

The comment you're referencing is about something else, not the issue you're seeing.

On 1/11/11 5:27 AM, Daniel Förberg wrote:
Well, i have already read trough this Article you suggest. Not yet tough
carefully compared
when the digestvalue breaks, before verification. I will do that. This
usecase is not that
common or ? Does this have something to do, with the issue we have:

// Unmarshall new tree around DOM to avoid side effects and Apache
xmlsec bug.
This comment is from SignatureTest of the OpenSAML source code.

Regards,

Daniel

2011/1/11 Chad La Joie
<

<mailto:>>

If you check the opensaml archives you'll see this is a relatively
common issues. Signatures are notoriously brittle (by design
really). Something between the moment the signature is created and
the moment you verify the signature is corrupting it. It's going to
be impossible for anyone on this list to say where and when that it.
So you'll need to do the investigation.

One place to start would be to look at the Troubleshooting Signature
Problems[1] document. You'll need to get the digest of the
signature right after the signature was created and then check it at
various spots before it gets to your verification process. When the
digest changes you've found the cause of the problem.

[1] https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManSigErrors


On 1/11/11 5:04 AM, Daniel Förberg wrote:

Well the the signature generation and verification of the Assertions
isolated works perfectly fine.
When adding the 3 Assertions into a SOAP Header of a SOAP
Enevelope,
whithout formatting
the content. The Assertions are extracted from the Actual SOAP
Message
in an Interceptor
to front the Service Producer using CXF. When the verification is
performed Using a TrustEngine,
the Error message is "Signature Hash does not match signed
content". Any
clue, to be able
to verify the Signature correctly? I followed all tips and
instruction
on the OpenSAML without any
result yet. Thanks in advance.


--
Chad La Joie
http://itumi.biz
trusted identities, delivered



--
Chad La Joie
http://itumi.biz
trusted identities, delivered



Archive powered by MHonArc 2.6.16.

Top of Page