Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature


Chronological Thread 
  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
  • Date: Thu, 30 Oct 2008 11:11:12 +0100
  • Openpgp: id=146B2514
  • Organization: SWITCH
Yeah, this isn't too surprising. Encrypted content would be fine
because it's all a Base64 encoded blob and so doesn't have any non-ASCII
characters.

But yes, if you tell your container to use something other than UTF-8
and then try to send UTF-8 content it's going to mess things up. This
isn't anything the IdP would be able to address. It has no access to
the containers request handler configuration (not even to check to see
if there is an encoding mismatch). I can not stress enough that people
running webapps actually *do* have to know what their container is doing
and how to configure it.

Kristof BAJNOK wrote:
> On Wednesday 29 October 2008 Scott Cantor wrote:
>>> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema";
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>>> xsi:type="xs:string">Lantos ?d?m</saml:AttributeValue>
>>>
>>> These characters should be 'Ádám'... Maybe there are some character
>>> encoding issues here :s
>> Since Java handles Unicode as well as anything else does, if not better,
>> it's pretty likely the data was corrupted either on the way into the IdP
>> via the connector, or after it was sent to the SP. Can you pull it off
>> the browser form and dump that? Is it already corrupted by then?
>
> I can confirm that something screws up the Response before it gets base64
> encoded when Tomcat is started with POSIX locale. Even Shib SP fails when
> the Assertion is not encrypted. (Although it works fine with
> EncryptedAssertion)
>
> 2008-10-30 11:01:18 DEBUG XMLTooling.TrustEngine.ExplicitKey [20]: public
> key did not validate signature: Digital signature does not validate with
> the supplied key.
> 2008-10-30 11:01:18 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [20]:
> unable to verify message signature with supplied trust engine
>
> Kristof

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch


Archive powered by MHonArc 2.6.16.

Top of Page