Security Token Reference, signature validation error
massimiliano.masi at gmail.com
Fri Aug 3 06:29:07 EDT 2012
Hi All,
Using OpenSAML I correctly validate the signature of an assertion that has
as Subject Confirmation Data the following
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
    Ytig1daWMVvZKbESb1W10TpDcJY=
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
When I add this assertion (using wsse4j) to the security header, DOM is
pushing the namespace in the security header element, as:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <saml2:Assertion
causing the keyInfo of the Subject Confirmation Data to be:
<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Ytig1daWMVvZKbESb1W10TpDcJY=
</wsse:KeyIdentifier></wsse:SecurityTokenReference>
and this seems to break the validation of the saml assertion:
Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
How to avoid this situation? The assertion's SignedInfo is:
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#uuid-d8840a0d-fa90-4522-806e-edc8dc427d2b">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>ghAD3gMLcZvyXFhVXJwNkeHCGi8=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
AFAIK, the two xmls are semantically equivalent, thus the signature shall
behave the same, or am I wrong?
Thanks a lot,
Massi
--
Massimiliano Masi
http://www.mascanc.net/~max
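Added example, not part of the post and not OpenSAML or WSS4J code: it checks the namespace-placement question above with the standard library's Canonical XML 2.0 implementation, which places namespace declarations the same "visibly utilized" way as xml-exc-c14n, on the first element that actually uses the prefix. The Assertion wrapper is a constructed stand-in for the signed subtree; the wsse content and the SHA-1 digest method are the post's. Moving xmlns:wsse to an ancestor leaves the canonical bytes and digest unchanged, while dropping the whitespace text nodes between elements (as in the second snippet) does change them.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Values taken from the post; <Assertion> is a constructed stand-in for the
# signed <saml2:Assertion> subtree that the ds:Reference points at.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
VTYPE = ("http://docs.oasis-open.org/wss/2004/01/"
         "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")
SKI = "Ytig1daWMVvZKbESb1W10TpDcJY="

# (a) xmlns:wsse declared on the SecurityTokenReference itself.
DECL_ON_STR = f"""<Assertion>
  <wsse:SecurityTokenReference xmlns:wsse="{WSSE}">
    <wsse:KeyIdentifier ValueType="{VTYPE}">{SKI}</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</Assertion>"""

# (b) same tree, xmlns:wsse pushed up to an ancestor that never uses the
# prefix, which is what DOM did once the assertion sat under wsse:Security.
DECL_ON_ANCESTOR = f"""<Assertion xmlns:wsse="{WSSE}">
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="{VTYPE}">{SKI}</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</Assertion>"""

# (c) as (b) but with the inter-element whitespace removed, as in the
# post's second snippet; those text nodes are signed content too.
NO_WHITESPACE = (f'<Assertion xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
                 f'<wsse:KeyIdentifier ValueType="{VTYPE}">{SKI}</wsse:KeyIdentifier>'
                 '</wsse:SecurityTokenReference></Assertion>')


def canonical(xml: str) -> bytes:
    """Canonical bytes: each namespace declaration is emitted on the first
    element that visibly uses it, wherever the source document declared it."""
    return ET.canonicalize(xml).encode("utf-8")


def digest_value(xml: str) -> str:
    """Base64 SHA-1 over the canonical bytes, the ds:DigestValue form for
    the post's DigestMethod."""
    return base64.b64encode(hashlib.sha1(canonical(xml)).digest()).decode("ascii")


if __name__ == "__main__":
    print("declaration moved, digest unchanged:",
          digest_value(DECL_ON_STR) == digest_value(DECL_ON_ANCESTOR))
    print("whitespace removed, digest unchanged:",
          digest_value(DECL_ON_STR) == digest_value(NO_WHITESPACE))
```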