mace-opensaml-users - Re: [OpenSAML] XML Signature verification issue
Subject: OpenSAML user discussion
List archive
- From: Daniel Förberg <>
- To:
- Subject: Re: [OpenSAML] XML Signature verification issue
- Date: Tue, 11 Jan 2011 14:17:23 +0100
Ok. Is the "pre-digest" value, the same as pre-digested input, which is the Assertion without signature?
In this case when unmarshalling from SOAP Message the Assertion already contains the enveloped Signature.
Regards,
Daniel
2011/1/11 Chad La Joie <>
The issue is very common for signatures. But there isn't anything we can do about it in the library. Something, somewhere, in the processing chain has done something bad and there is no way we detect or correct it.
The comment you're referencing is about something else, not the issue you're seeing.
On 1/11/11 5:27 AM, Daniel Förberg wrote:
Well, i have already read trough this Article you suggest. Not yet tough2011/1/11 Chad La Joie < <mailto:>>
carefully compared
when the digestvalue breaks, before verification. I will do that. This
usecase is not that
common or ? Does this have something to do, with the issue we have:
// Unmarshall new tree around DOM to avoid side effects and Apache
xmlsec bug.
This comment is from SignatureTest of the OpenSAML source code.
Regards,
Daniel
If you check the opensaml archives you'll see this is a relatively
common issues. Signatures are notoriously brittle (by design
really). Something between the moment the signature is created and
the moment you verify the signature is corrupting it. It's going to
be impossible for anyone on this list to say where and when that it.
So you'll need to do the investigation.
One place to start would be to look at the Troubleshooting Signature
Problems[1] document. You'll need to get the digest of the
signature right after the signature was created and then check it at
various spots before it gets to your verification process. When the
digest changes you've found the cause of the problem.
[1] https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManSigErrors
On 1/11/11 5:04 AM, Daniel Förberg wrote:
Well the the signature generation and verification of the Assertions
isolated works perfectly fine.
When adding the 3 Assertions into a SOAP Header of a SOAP
Enevelope,
whithout formatting
the content. The Assertions are extracted from the Actual SOAP
Message
in an Interceptor
to front the Service Producer using CXF. When the verification is
performed Using a TrustEngine,
the Error message is "Signature Hash does not match signed
content". Any
clue, to be able
to verify the Signature correctly? I followed all tips and
instruction
on the OpenSAML without any
result yet. Thanks in advance.
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
- [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Chad La Joie, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Chad La Joie, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Brent Putman, 01/12/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/12/2011
- RE: [OpenSAML] XML Signature verification issue, Cantor, Scott E., 01/12/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/14/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/14/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/12/2011
- Re: [OpenSAML] XML Signature verification issue, Brent Putman, 01/12/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Chad La Joie, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Daniel Förberg, 01/11/2011
- Re: [OpenSAML] XML Signature verification issue, Chad La Joie, 01/11/2011
Archive powered by MHonArc 2.6.16.