
mace-opensaml-users - Re: [OpenSAML] XML Signature verification issue

Subject: OpenSAML user discussion


Re: [OpenSAML] XML Signature verification issue


  • From: Daniel Förberg <>
  • To:
  • Subject: Re: [OpenSAML] XML Signature verification issue
  • Date: Wed, 12 Jan 2011 22:05:38 +0100

Well, I do know how to enable debug level in Java, no problem.
But I just wanted to make sure that I look for the right output.
It was written at the INFO level while verifying the signature, but
not while signing, though there is a precalculated digest value
in the assertion. This value is recalculated and is not correct.

The reason for this I don't know yet, but perhaps the content has been
changed for some reason, which it should not have been. It does
work before I put it in the SOAP Header, both signing and
verification, using a TrustEngine loading from the truststore. I need
to do some more tests before I can be sure what's wrong. I appreciate
the support/advice I can get from you, since it's very important to
solve this problem while the customer is in a hurry, as always.
Thanks in advance.

Daniel


2011/1/12 Brent Putman <>


On 1/11/11 8:17 AM, Daniel Förberg wrote:
> Ok. Is the "pre-digest" value, the same as pre-digested input, which
> is the Assertion without signature?
> In this case when unmarshalling from SOAP Message the Assertion
> already contains the enveloped Signature.

No, not exactly.  The pre-digest value being discussed is the value over
which the Signature's Reference's digest is calculated.  This is
calculated basically as the result of resolving the Reference's URI and
then running the Reference's Transforms over it, which for SAML will
usually include a canonicalization transform (hopefully
self-explanatory) and the enveloped signature transform, which removes
the entire Signature element.  The output of the Transforms chain is the
octet stream over which the Reference's digest value is calculated. Note
that this pre-digest value is NOT what you see at any point in the
serialized instance document(s).  It's an internal detail of the XML
Signature process.

That pre-digest output will be (or should be) the same on both the
signing and validation sides.  If it's not, that's when you see a
validation error.  Apache xmlsec for Java has debug options for
obtaining the pre-digest value, both at signing and validation time. See
the article Chad referenced for turning this debug output on.  You get
the 2 values from signing and from validation, and compare them.  If one
side or the other in your flow isn't Apache xmlsec Java, then you need
to see if that software does have the capability to emit the pre-digest
value.  If not, you might have to hack some debug code in.  I believe
that the later versions of Apache xmlsec C++ do have it.  Not sure about
other XML Signature libraries.

Hope that helps,
Brent
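As an added illustration (not code from this thread, OpenSAML or Apache xmlsec), the Python block below models the pre-digest value Brent describes: take the Reference target, drop the enveloped Signature, canonicalize, and digest the resulting octets on both the signing and the validation side, then compare the two dumps. It assumes a constructed SAML-style assertion, the standard library's C14N 2.0 canonicalize in place of the C14N transform a real signature would name, and SHA-256 as the digest algorithm.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a minimal SAML-style assertion with an enveloped Signature
# whose Reference points at the assertion itself (URI="#_a1").
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

def predigest_octets(xml_text: str) -> bytes:
    """Output of the Transforms chain: enveloped-signature transform (drop the
    whole ds:Signature subtree), then canonicalization. C14N 2.0 from the
    standard library stands in for the C14N the real signature would name."""
    canon = ET.canonicalize(xml_text, with_comments=False,
                            exclude_tags={"{%s}Signature" % DS_NS})
    return canon.encode("utf-8")

def digest_value(xml_text: str) -> str:
    """Base64 SHA-256 over the pre-digest octets, as DigestValue would carry it."""
    return base64.b64encode(hashlib.sha256(predigest_octets(xml_text)).digest()).decode()

def sign(template: str) -> str:
    """Signing side. DigestValue sits inside the Signature that the enveloped
    transform removes, so it can be filled in after the digest is computed."""
    return template.format(digest=digest_value(template.format(digest="")))

def verify_reference(signed_xml: str) -> bool:
    """Validation side: recompute the digest and compare with the embedded one."""
    embedded = re.search(r"<ds:DigestValue>([^<]*)</ds:DigestValue>", signed_xml).group(1)
    return digest_value(signed_xml) == embedded

def first_difference(a: bytes, b: bytes) -> int:
    """Debugging aid: offset of the first byte where the signing-side and
    validation-side pre-digest dumps diverge, or -1 when they are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))
```

Re-indenting the assertion (as a SOAP stack that pretty-prints might) changes the text nodes that C14N preserves, so the validation-side digest no longer matches even though nothing "meaningful" changed.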





