Security Token Reference, signature validation error

Chad La Joie lajoie at itumi.biz
Fri Aug 3 06:32:28 EDT 2012


OpenSAML questions need to be sent to the dev list. A WSSE4J question,
which this is, needs to be sent to their mailing list.

On Fri, Aug 3, 2012 at 6:29 AM, massimiliano.masi at gmail.com
<massimiliano.masi at gmail.com> wrote:
> Hi All,
>
> Using OpenSAML, I correctly validate the signature of an assertion that has
> the following as Subject Confirmation Data:
>
>   <wsse:SecurityTokenReference
>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>     <wsse:KeyIdentifier
>         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
>       Ytig1daWMVvZKbESb1W10TpDcJY=
>     </wsse:KeyIdentifier>
>   </wsse:SecurityTokenReference>
>
>
> When I add this assertion (using wsse4j) to the security header, DOM is
> pushing the namespace into the security header element, as:
>
> <wsse:Security
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>   <saml2:Assertion
>
>
> causing the keyInfo of the Subject Confirmation Data to be:
>
>
> <wsse:SecurityTokenReference><wsse:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Ytig1daWMVvZKbESb1W10TpDcJY=</wsse:KeyIdentifier></wsse:SecurityTokenReference>
>
>
> and this seems to break the validation of the SAML assertion:
>
> Caused by: org.opensaml.xml.validation.ValidationException: Signature did
> not validate against the credential's key
>     at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>
>
> How can I avoid this situation? The assertion's SignedInfo is:
>
>
>           <ds:SignedInfo>
>             <ds:CanonicalizationMethod
>                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             <ds:SignatureMethod
>                 Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             <ds:Reference URI="#uuid-d8840a0d-fa90-4522-806e-edc8dc427d2b">
>               <ds:Transforms>
>                 <ds:Transform
>                     Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                 <ds:Transform
>                     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transforms>
>               <ds:DigestMethod
>                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>               <ds:DigestValue>ghAD3gMLcZvyXFhVXJwNkeHCGi8=</ds:DigestValue>
>             </ds:Reference>
>           </ds:SignedInfo>
>
>
> AFAIK, the two XMLs are semantically equivalent, so the signature should
> behave the same, or am I wrong?
>
>
> Thanks a lot,
>
>
>      Massi
>
>
>
> --
> Massimiliano Masi
>
> http://www.mascanc.net/~max
>



-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
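Added example, not part of the thread: a small Python script that canonicalizes constructed stand-ins for the two quoted fragments with the stdlib C14N 2.0 canonicalizer (used as a stand-in for exc-c14n, which likewise emits a namespace declaration only where the prefix is visibly used) and compares the resulting digests. The enclosing saml2 elements are assumed, and hoisting the declaration to the Assertion root instead of to wsse:Security is a simplification; the two fragments in the message differ both in where xmlns:wsse is declared and in the whitespace between and inside the elements, and the script shows which of those two differences survives canonicalization.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"  # assumed enclosing namespace

# Constructed stand-in for the signed subtree: pretty-printed, xmlns:wsse declared
# on the SecurityTokenReference itself (first fragment quoted in the message).
AS_SIGNED = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:SubjectConfirmationData>
    <wsse:SecurityTokenReference xmlns:wsse="{WSSE}">
      <wsse:KeyIdentifier ValueType="{VALUE_TYPE}">
        Ytig1daWMVvZKbESb1W10TpDcJY=
      </wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </saml2:SubjectConfirmationData>
</saml2:Assertion>"""

# Same content, xmlns:wsse hoisted to an ancestor (the Assertion root here, to stay
# within one document; in the message it landed on wsse:Security).
NS_HOISTED = AS_SIGNED.replace(f' xmlns:wsse="{WSSE}"', "").replace(
    f'xmlns:saml2="{SAML2}"', f'xmlns:saml2="{SAML2}" xmlns:wsse="{WSSE}"')

# Same content, STR re-serialized without inter-element whitespace (second fragment).
COMPACT = (
    f'<saml2:Assertion xmlns:saml2="{SAML2}" xmlns:wsse="{WSSE}">\n'
    "  <saml2:SubjectConfirmationData>\n"
    "    <wsse:SecurityTokenReference>"
    f'<wsse:KeyIdentifier ValueType="{VALUE_TYPE}">Ytig1daWMVvZKbESb1W10TpDcJY='
    "</wsse:KeyIdentifier></wsse:SecurityTokenReference>\n"
    "  </saml2:SubjectConfirmationData>\n"
    "</saml2:Assertion>"
)


def canonical(xml_text: str) -> str:
    """Stdlib C14N 2.0 as a stand-in for exc-c14n: a namespace declaration is emitted
    only where its prefix is first visibly used; whitespace-only text nodes are kept."""
    return canonicalize(xml_data=xml_text, strip_text=False)


def digest_b64(xml_text: str) -> str:
    """SHA-1 of the canonical bytes, base64 like ds:DigestValue (SHA-1 as in the quoted SignedInfo)."""
    return base64.b64encode(hashlib.sha1(canonical(xml_text).encode()).digest()).decode()


if __name__ == "__main__":
    print("hoisted xmlns, same digest as signed:", digest_b64(NS_HOISTED) == digest_b64(AS_SIGNED))
    print("whitespace dropped, same digest as signed:", digest_b64(COMPACT) == digest_b64(AS_SIGNED))
```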