Security Token Reference, signature validation error
massimiliano.masi at gmail.com
Fri Aug 3 06:34:43 EDT 2012
Chad, thanks for your answer. Sorry for my funny English, but the question was for me more related to OpenSAML, and not to wsse4j.
The two assertions are semantically the same, so I can't understand why the signature fails.
On Fri, Aug 3, 2012 at 12:32 PM, Chad La Joie <lajoie at itumi.biz> wrote:
> OpenSAML questions need to be sent to the dev list. WSSE4J question,
> which this is, needs to be sent to their mailing list.
>
> On Fri, Aug 3, 2012 at 6:29 AM, massimiliano.masi at gmail.com
> <massimiliano.masi at gmail.com> wrote:
> > Hi All,
> >
> > Using OpenSAML I correctly validate the signature of an assertion that
> has
> > as Subject Confirmation Data the following
> >
> > <wsse:SecurityTokenReference
> >     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >   <wsse:KeyIdentifier
> >       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
> >     Ytig1daWMVvZKbESb1W10TpDcJY=
> >   </wsse:KeyIdentifier>
> > </wsse:SecurityTokenReference>
> >
> >
> > When I add this assertion (using wsse4j) to the security header, DOM is
> > pushing the namespace in the security header element, as:
> >
> > <wsse:Security
> >     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >   <saml2:Assertion
> >
> > causing the keyInfo of the Subject Confirmation Data to be:
> >
> >
> > <wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Ytig1daWMVvZKbESb1W10TpDcJY=</wsse:KeyIdentifier></wsse:SecurityTokenReference>
> >
> >
> > and this seems to break the validation of the saml assertion:
> >
> >
> > Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
> >     at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
> >
> >
> > How to avoid this situation? The assertion's SignedInfo is:
> >
> >
> > <ds:SignedInfo>
> >   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >   <ds:Reference URI="#uuid-d8840a0d-fa90-4522-806e-edc8dc427d2b">
> >     <ds:Transforms>
> >       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >     </ds:Transforms>
> >     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >     <ds:DigestValue>ghAD3gMLcZvyXFhVXJwNkeHCGi8=</ds:DigestValue>
> >   </ds:Reference>
> > </ds:SignedInfo>
> >
> >
> > AFAIK, the two xmls are semantically equivalent, thus the signature shall
> > behave the same, or am I wrong?
> >
> >
> > Thanks a lot,
> >
> >
> > Massi
> >
> >
> >
> > --
> > Massimiliano Masi
> >
> > http://www.mascanc.net/~max
> >
> > --
> > To unsubscribe from this list send an email to
> > users-unsubscribe at shibboleth.net
>
>
>
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered
>
--
Massimiliano Masi
http://www.mascanc.net/~max
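The thread does not settle what changed between the two listings, so the following is an added illustration, written for this page and not code from either poster, OpenSAML or WSS4J. It implements a deliberately simplified exclusive canonicalization (the xml-exc-c14n algorithm named in the quoted SignedInfo; comments, processing instructions and xml:* inheritance are left out, an assumption that is fine for these fragments) in Python's standard library, and runs it over three constructed inputs modelled on the question: the SecurityTokenReference with xmlns:wsse declared on itself, the same element with the declaration pushed up onto wsse:Security, and the pushed-up variant with the whitespace collapsed as in the second listing. The namespace URIs and the KeyIdentifier value are the ones quoted in the thread. It shows that exclusive C14N re-emits a visibly utilized namespace on the canonicalized subtree, so moving the declaration to an ancestor outside the signed subtree leaves the digest unchanged, whereas whitespace inside the signed subtree is not normalized by any transform in that SignedInfo and does change the digest.

```python
import base64
import hashlib
from xml.dom import minidom

XMLNS = "http://www.w3.org/2000/xmlns/"
# Namespace and ValueType URIs exactly as quoted in the thread.
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SKI_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")
SKI = "Ytig1daWMVvZKbESb1W10TpDcJY="


def _escape(text, attr=False):
    """Character escaping as C14N requires for text and attribute values."""
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return text.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return text.replace(">", "&gt;")


def exc_c14n(node, rendered=None):
    """Simplified exclusive canonicalization of one element subtree.

    A namespace declaration is emitted on an element only when its prefix is
    visibly utilized there (element or attribute name) and has not already
    been emitted with the same URI by an ancestor *inside the canonicalized
    subtree*.  Declarations on ancestors outside the subtree therefore do not
    matter, which is the property the question relies on.  Comments, PIs and
    xml:* attribute inheritance are omitted (assumption: sufficient here).
    """
    rendered = {} if rendered is None else rendered
    used = {}
    if node.prefix:
        used[node.prefix] = node.namespaceURI
    attrs = []
    for attr in node.attributes.values():
        if attr.namespaceURI == XMLNS:      # xmlns:* are not attributes in C14N
            continue
        if attr.prefix:
            used[attr.prefix] = attr.namespaceURI
        attrs.append(attr)
    ns_decls = [(p, u) for p, u in sorted(used.items()) if rendered.get(p) != u]
    scope = dict(rendered)
    scope.update(ns_decls)
    out = ["<" + node.tagName]
    out += [' xmlns:%s="%s"' % (p, _escape(u, attr=True)) for p, u in ns_decls]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _escape(a.value, attr=True)))
    out.append(">")
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(exc_c14n(child, scope))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape(child.data))   # whitespace is kept verbatim
    out.append("</" + node.tagName + ">")
    return "".join(out)


# Constructed inputs modelled on the two listings in the question.
# 1) xmlns:wsse declared on the SecurityTokenReference itself.
STANDALONE = f'''<wsse:SecurityTokenReference xmlns:wsse="{WSSE_NS}">
  <wsse:KeyIdentifier ValueType="{SKI_TYPE}">
    {SKI}
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>'''
# 2) same content, but DOM has pushed xmlns:wsse up onto wsse:Security.
INHERITED = f'''<wsse:Security xmlns:wsse="{WSSE_NS}">
<wsse:SecurityTokenReference>
  <wsse:KeyIdentifier ValueType="{SKI_TYPE}">
    {SKI}
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wsse:Security>'''
# 3) pushed namespace *and* whitespace collapsed, as in the second listing.
INHERITED_COMPACT = (f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:SecurityTokenReference>'
                     f'<wsse:KeyIdentifier ValueType="{SKI_TYPE}">{SKI}</wsse:KeyIdentifier>'
                     f'</wsse:SecurityTokenReference></wsse:Security>')


def canonical_str(xml_text):
    """Exclusive C14N of the SecurityTokenReference element found in xml_text."""
    doc = minidom.parseString(xml_text)
    el = doc.getElementsByTagNameNS(WSSE_NS, "SecurityTokenReference")[0]
    return exc_c14n(el)


def digest_value(canonical):
    """Base64 SHA-1 over the canonical bytes (the DigestMethod in the quoted SignedInfo)."""
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def compare():
    a, b, c = (canonical_str(x) for x in (STANDALONE, INHERITED, INHERITED_COMPACT))
    return {
        "namespace_moved_same_digest": digest_value(a) == digest_value(b),
        "whitespace_collapsed_same_digest": digest_value(a) == digest_value(c),
        "only_whitespace_differs": "".join(a.split()) == "".join(c.split()),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

When debugging a "did not validate against the credential's key" failure, the practical check this suggests is to dump the canonicalized bytes of the referenced element on the signing side and on the verifying side and diff them: identical bytes mean the problem is in key selection, while a differing digest points at a serialization change between signing and verification, of which relocated namespace declarations are, under exclusive C14N, the one kind that should not matter.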