
mace-opensaml-users - Re: [OpenSAML] XML Signature verification issue

Subject: OpenSAML user discussion

  • From: Daniel Förberg <>
  • To:
  • Subject: Re: [OpenSAML] XML Signature verification issue
  • Date: Tue, 11 Jan 2011 14:17:23 +0100

Ok. Is the "pre-digest" value, the same as pre-digested input, which is the Assertion without signature?
In this case when unmarshalling from SOAP Message the Assertion already contains the enveloped Signature.

Regards,

Daniel

2011/1/11 Chad La Joie <>
The issue is very common for signatures. But there isn't anything we can do about it in the library. Something, somewhere, in the processing chain has done something bad and there is no way we can detect or correct it.

The comment you're referencing is about something else, not the issue you're seeing.


On 1/11/11 5:27 AM, Daniel Förberg wrote:
Well, I have already read through this article you suggest. Not yet though
carefully compared when the digestvalue breaks, before verification. I will
do that. This use case is not that common, or? Does this have something to
do with the issue we have:

// Unmarshall new tree around DOM to avoid side effects and Apache xmlsec bug.
This comment is from SignatureTest of the OpenSAML source code.

Regards,

Daniel

2011/1/11 Chad La Joie <>


   If you check the opensaml archives you'll see this is a relatively
   common issue.  Signatures are notoriously brittle (by design
   really). Something between the moment the signature is created and
   the moment you verify the signature is corrupting it.  It's going to
   be impossible for anyone on this list to say where and when that is.
   So you'll need to do the investigation.

   One place to start would be to look at the Troubleshooting Signature
   Problems[1] document.  You'll need to get the digest of the
   signature right after the signature was created and then check it at
   various spots before it gets to your verification process.  When the
   digest changes you've found the cause of the problem.

   [1] https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManSigErrors


   On 1/11/11 5:04 AM, Daniel Förberg wrote:

       Well, the signature generation and verification of the Assertions
       isolated works perfectly fine.
       When adding the 3 Assertions into a SOAP Header of a SOAP Envelope,
       without formatting the content. The Assertions are extracted from
       the actual SOAP Message in an Interceptor to front the Service
       Producer using CXF. When the verification is performed using a
       TrustEngine, the error message is "Signature Hash does not match
       signed content". Any clue, to be able to verify the Signature
       correctly? I followed all tips and instructions on the OpenSAML
       without any result yet. Thanks in advance.


   --
   Chad La Joie
   http://itumi.biz
   trusted identities, delivered



--
Chad La Joie
http://itumi.biz
trusted identities, delivered
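
The checkpoint comparison described in this thread, as an added example that is not part of the original messages and not OpenSAML code: it hashes the Assertion without its enveloped Signature at each stage and reports the first stage where the hash changes. It assumes Python's built-in C14N 2.0 as a stand-in for the canonicalization algorithm named in the real signature, so the hashes are comparable only between checkpoints and not with the message's DigestValue; ElementTree also discards namespace prefixes, so a prefix rename is not detected. The function names and the sample XML are hypothetical and constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

def pre_digest_sha256(xml_text, assertion_id):
    """SHA-256 over the canonical Assertion minus its enveloped ds:Signature."""
    root = ET.fromstring(xml_text)
    for el in root.iter(SAML + "Assertion"):
        if el.get("ID") != assertion_id:
            continue
        kids = list(el)
        for i, kid in enumerate(kids):
            if kid.tag == DSIG + "Signature":
                # The enveloped-signature transform removes only the element;
                # whitespace that followed it stays part of the signed content.
                tail = kid.tail or ""
                if i == 0:
                    el.text = (el.text or "") + tail
                else:
                    kids[i - 1].tail = (kids[i - 1].tail or "") + tail
                el.remove(kid)
                break
        el.tail = None  # text after </Assertion> is outside the signed subtree
        canonical = ET.canonicalize(ET.tostring(el, encoding="unicode"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    raise LookupError("no Assertion with ID " + assertion_id)

def first_divergence(checkpoints, assertion_id):
    """Label of the first checkpoint whose pre-digest differs from the first one."""
    baseline = pre_digest_sha256(checkpoints[0][1], assertion_id)
    for label, xml_text in checkpoints[1:]:
        if pre_digest_sha256(xml_text, assertion_id) != baseline:
            return label
    return None

# Constructed sample data: a stub signed Assertion, the same bytes placed in a
# SOAP header, and a copy that a later stage re-indented.
SIGNED = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo/></ds:Signature>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
IN_SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
           '<s:Header>' + SIGNED + '</s:Header><s:Body/></s:Envelope>')
REFORMATTED = IN_SOAP.replace("<saml:Subject>", "\n  <saml:Subject>")
CHECKPOINTS = [("after signing", SIGNED), ("in SOAP header", IN_SOAP),
               ("after interceptor", REFORMATTED)]
```

Calling `first_divergence(CHECKPOINTS, "_a1")` on the sample data names the re-indented copy, since the inserted whitespace becomes part of the signed content.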
