DOM exception while parsing signed SAML request with extensions

Brent Putman putmanb at georgetown.edu
Mon Oct 21 17:29:39 EDT 2013


Please don't email me directly; use the list(s).  That way everyone gets
the benefit of the answer and/or can help you as their time allows.

Also, please move this discussion to the dev list; it's more appropriate
there.




On 10/21/13 11:09 AM, koteshwarv at gmail.com wrote:
> Hi Brent Putman,
> Thanks for reviewing my questions. This is the sample I have. I have a signed SAML request with some extensions. This Extensions tag has one custom tag called CustomTag.
> If I keep any valid XML under CustomTag, Shibboleth is able to parse the request. If I keep any valid XML with signature elements like below, the request parsing is failing. For easy understanding and for my testing, I am using the signed SAML response under the CustomTag.



I threw this XML into a test case that just parses and unmarshalls it. 
It works fine for me.  I don't see any reason why OpenSAML would not be
able to handle this.


Your original message had this as the key part of the exception stack trace:



> ERROR
> [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:89]
> - Error occurred while processing request
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
>             at org.apache.xml.security.signature.Manifest.<init>(Unknown
> Source) ~[xmlsec.jar:na]
>             at org.apache.xml.security.signature.SignedInfo.<init>(Unknown
> Source) ~[xmlsec.jar:na]
>             at org.apache.xml.security.signature.XMLSignature.<init>(Unknown
> Source) ~[xmlsec.jar:na]
>             at
> org.opensaml.xml.signature.impl.SignatureUnmarshaller.unmarshall(SignatureUnmarshaller.java:64)



I don't see any Manifest element in the XML below, so it seems to me
that the XML below is not consistent with what is causing your problem.





>
> =============================
>
> <ns3:AuthnRequest
>     xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
>     AssertionConsumerServiceURL="https://sp.browse.test.com/idptester/checkuser.jsp"
>     Destination="https://idp.test.com/idp/profile/SAML2/POST/SSO"
>     ForceAuthn="true"
>     ID="_51445c63ed09b24499ca2c5f895fc23"
>     IssueInstant="2013-10-21T14:40:28.796Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Version="2.0">
>     <Issuer>
>         https://sp.browse.test.com/
>     </Issuer>
>     <ns3:Extensions>
>         <Sc:CustomTag ID="ID_111111111" xmlns:Sc="urn:test:saml:Sc.01" 
> 					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> 					xsi:schemaLocation="urn:test:saml:Sc.01 Sc.01.xsd">
> 					<saml2p:Response
> 						    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> 						    Destination="http://spweb.test.com/cgi-bin/samldecoder.pl"
> 						    ID="_3a79f88b138bacaf21763fb70c871144"
> 						    InResponseTo="_l0k8-tpzk-ann5-9rkl-fw28-k1mi-e7un-kxsq"
> 						    IssueInstant="2013-10-21T14:57:22.576Z"
> 						    Version="2.0">
> 						    <saml2:Issuer
> 						        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> 						        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> 						        https://idp.testnet.test.com/idp
> 						    </saml2:Issuer>
> 						    <saml2p:Status>
> 						        <saml2p:StatusCode
> 						            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> 						    </saml2p:Status>
> 						    <saml2:Assertion
> 						        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> 						        ID="_e0bb8d3984ab795acb213754ec23be97"
> 						        IssueInstant="2013-10-21T14:57:22.576Z"
> 						        Version="2.0"
> 						        xmlns:xs="http://www.w3.org/2001/XMLSchema">
> 						        <saml2:Issuer
> 						            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> 						            https://idp.testnet.test.com/idp
> 						        </saml2:Issuer>
> 						        <ds:Signature
> 						            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 						            <ds:SignedInfo>
> 						                <ds:CanonicalizationMethod
> 						                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> 						                <ds:SignatureMethod
> 						                    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> 						                <ds:Reference
> 						                    URI="#_e0bb8d3984ab795acb213754ec23be97">
> 						                    <ds:Transforms>
> 						                        <ds:Transform
> 						                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> 						                        <ds:Transform
> 						                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> 						                            <ec:InclusiveNamespaces
> 						                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> 						                                PrefixList="xs"/>
> 						                        </ds:Transform>
> 						                    </ds:Transforms>
> 						                    <ds:DigestMethod
> 						                        Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> 						                    <ds:DigestValue>
> 						                        MXz9pSaYBsOhxrKVxK26ypDHlxfzWrpF214RdXS6o2Y=
> 						                    </ds:DigestValue>
> 						                </ds:Reference>
> 						            </ds:SignedInfo>
> 						            <ds:SignatureValue>
> 						                JUcc3iVr/tuY4x1xP+zw1WC+LubNSVWIMd3v6Q0P1R7qgVbKF8kLfoAnYEGp5Yqqo2qXMUip7F9pA9Gj8fCbQ0+VJnGsXFepCA63NPcUnnkY/h08fU+yteS/h5ZWnBjjj+KXN+bnwGyf612SNL9o8jR80oaEhE44KNqflTdzYd0HbInqjjvAVuuOBbb9Ifqsy6TsEHQ9Pl8Lu4EmmqTJ0/yrZoYPh6WVFcjZMGqgd/DHLokNEBRI5Z6PGsvL5Y1sG9MhJSQBysv6WUq4SO2rI9LRGERr2CwxmxwlFt1BlRG1Z4NOvcxdLScBZ9MpvVhPS4fACYX//Ey+5fFddB37zQ==
> 						            </ds:SignatureValue>
> 						            <ds:KeyInfo>
> 						                <ds:X509Data>
> 						                    <ds:X509Certificate>
> 						                        MIIDvDCCAqSgAwIBAgIETMxEnTANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQKEwVTV0lGVDAeFw0x
> 						                        MTEyMjkyMTQ0MjFaFw0xMzEyMjkyMjE0MjFaMEExDjAMBgNVBAoTBXN3aWZ0MQ4wDAYDVQQKEwVz
> 						                        d2lmdDERMA8GA1UEAxMIc3dpZnRpZHAxDDAKBgNVBAMUAyUxMTCCASIwDQYJKoZIhvcNAQEBBQAD
> 						                        ggEPADCCAQoCggEBAIiEnhUL51QksCkzoRYO22RzmMBXw9DKMOBrcTziqelnm6Lg06VYys6JfF0/
> 						                        8J1DCU8lIDSTSDAsaSXsimEi219AvVoICtx+8DLULq1JgaXF/3qv2ffRAQoMhZ4h5pKmYHcZme5T
> 						                        1FkgxGWL7KDwSMH0KoZ/BM4nP2stBZnqZhRJ4bFV4HcMjrzYAi9NYEHxsNkOKmc0y3bfPltV16tG
> 						                        LQYHqwfJo1lhgkZiZpMp4qSN2DGISuxuW//+oGh5SOj8/DC90daiSqfrQoiveGNjcfXYlaHB9GqO
> 						                        ZNGVRPJGUk7pN3h7EPUXjlRz2adf0uDQ4G+FU2bZclCmyEzXU+x3ZwsCAwEAAaOB7DCB6TALBgNV
> 						                        HQ8EBAMCBaAwKwYDVR0QBCQwIoAPMjAxMTEyMjkyMTQ0MjFagQ8yMDEzMDYzMDA0MTQyMVowEQYJ
> 						                        YIZIAYb4QgEBBAQDAgZAMDQGA1UdHwQtMCswKaAnoCWkIzAhMQ4wDAYDVQQKEwVTV0lGVDEPMA0G
> 						                        A1UEAxMGQ1JMNTMwMB8GA1UdIwQYMBaAFI+vVryAd6P9ntKJg5j+mMcgZSPMMB0GA1UdDgQWBBSa
> 						                        VNlZ5nTx4xUcm3ZwCIH90xcmzzAJBgNVHRMEAjAAMBkGCSqGSIb2fQdBAAQMMAobBFY3LjEDAgOo
> 						                        MA0GCSqGSIb3DQEBBQUAA4IBAQA340g5S24vqrnM/Y2lq6CLrZncSeO47WELNKJF/XWMLqy11BvM
> 						                        Hyc0qiMRLgVbjI3NqOAi+5yDXm4p1dSHclO40pJzDAg+sIdFKZXJS2GvqJvZfiejIrX7T/f3Lyb6
> 						                        3NWSZw2mIEDVd2dAzR02w23bOmoMdqucggVh7HBZ0driqIKIxBenJd14eWr9V4WxuojgJaWU2DIq
> 						                        TiMa18G0bF2yAo6SwNdX2Vk1vZtSijvoDY6XFGz/IbVHE8Gpkctl9JjxNeBlx6egavfi/PAR7DOC
> 						                        q0D5lIgMIIOf1XWakOGQPBJelkLZW2FHrG/69tJJ+frk7BE3PqHHv198GpA+LDqQ
> 						                    </ds:X509Certificate>
> 						                </ds:X509Data>
> 						            </ds:KeyInfo>
> 						        </ds:Signature>
> 						        <saml2:Subject>
> 						            <saml2:NameID
> 						                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> 						                NameQualifier="https://idp.testnet.test.com/idp"
> 						                SPNameQualifier="http://spweb.test.com/">
> 						                x8+NhaQyC7ASd0B8t0zSd3+XZZk=
> 						            </saml2:NameID>
> 						            <saml2:SubjectConfirmation
> 						                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> 						                <saml2:SubjectConfirmationData
> 						                    Address="10.8.160.152"
> 						                    InResponseTo="_l0k8-tpzk-ann5-9rkl-fw28-k1mi-e7un-kxsq"
> 						                    NotOnOrAfter="2013-10-21T15:02:22.576Z"
> 						                    Recipient="http://spweb.test.com/cgi-bin/samldecoder.pl"/>
> 						            </saml2:SubjectConfirmation>
> 						        </saml2:Subject>
> 						        <saml2:Conditions
> 						            NotBefore="2013-10-21T14:57:22.576Z"
> 						            NotOnOrAfter="2013-10-21T15:02:22.576Z">
> 						            <saml2:AudienceRestriction>
> 						                <saml2:Audience>
> 						                    http://spweb.test.com/
> 						                </saml2:Audience>
> 						            </saml2:AudienceRestriction>
> 						        </saml2:Conditions>
> 						        <saml2:AuthnStatement
> 						            AuthnInstant="2013-10-21T14:57:22.465Z"
> 						            SessionIndex="0116595cfe1789c9c067b4e4c7e422e6a9aaa9874a6401e17ede34e7dc82128a">
> 						            <saml2:SubjectLocality
> 						                Address="10.8.160.152"/>
> 						            <saml2:AuthnContext>
> 						                <saml2:AuthnContextClassRef>
> 						                    urn:oasis:names:tc:SAML:2.0:ac:classes:X509
> 						                </saml2:AuthnContextClassRef>
> 						            </saml2:AuthnContext>
> 						        </saml2:AuthnStatement>
> 						        <saml2:AttributeStatement>
> 						            <saml2:Attribute
> 						                Name="SubjectDN"
> 						                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> 						                <saml2:AttributeValue
> 						                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> 						                    xsi:type="xs:string">
> 						                    cn=testuser,ou=users,o=sporgdn1,o=test
> 						                </saml2:AttributeValue>
> 						            </saml2:Attribute>
> 						        </saml2:AttributeStatement>
> 						    </saml2:Assertion>
> 						</saml2p:Response>
> 				</Sc:CustomTag>
>     </ns3:Extensions>
>     <Signature
>         xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <SignedInfo>
>             <CanonicalizationMethod
>                 Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>             <SignatureMethod
>                 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>             <Reference
>                 URI="#_51445c63ed09b24499ca2c5f895fc23">
>                 <Transforms>
>                     <Transform
>                         Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                 </Transforms>
>                 <DigestMethod
>                     Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <DigestValue>
>                     sWWwWPc5qefACtgIdwxXK9h7DCcv8c3P4coeX19yd5w=
>                 </DigestValue>
>             </Reference>
>         </SignedInfo>
>         <SignatureValue>
>             JCDwo8gleAiYQo1Enjd3TU7wgg9pIc1W1V94p1dcBSIECDohRg8LBk1v16RVduAFaX2PKLPT5qo3
>             S84lYzrQiyxowNrYW2whQmecDJpJsSMcPw7OE9RQHE+mqxFvoF7CgOylWFLkk8ixfKkBWO8qz77x
>             6SecGuk76vY5Zu8LD7suczvvQthzw7l1ctagU0oNq2m4rERvNaNFB9pTwTd+GBYypjle8Rzp++/Z
>             6pF69i+J96aBzvbRNfDB/qy2k3iTKHC42JHzv5FBkBbQXcImISexjpUBfmhpRzYl+V802UmOJfxO
>             esSfVC3Br6dzZ+xjhL+/ylAFICj3ZwG2fAWtEw==
>         </SignatureValue>
>         <KeyInfo>
>             <X509Data>
>                 <X509SubjectName>
>                     CN=sp-dn-test,O=sporgdn1,C=ww
>                 </X509SubjectName>
>                 <X509Certificate>
>                     MIIDzDCCArSgAwIBAgIETMxISTANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQKEwVTV0lGVDAeFw0x
>                     MjAxMTAyMTE5MjVaFw0xNDAxMTAyMTQ5MjVaMDoxCzAJBgNVBAYTAnd3MREwDwYDVQQKEwhib3Nz
>                     dXMzMzEYMBYGA1UEAxMPc3AtYnJvd3NlLXN3aWZ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
>                     CgKCAQEAixOnS9JqBfVPamfDPFcMinypKr8Fulm/e6N9eSHQBq1Uq2UGbNEJdDf1nV2RBX848PWn
>                     pFtk+NmYaUsv2KvRmIrqrhCDhTBaLt8cj0D/kRfChLvLxG3Xpu/UDcKoXHM9vpFeml8qL/2wILqd
>                     0MsZt16+MxfhxVuL7N3YiVmaPKM+doio9MzlrDMcfuBySGIhMgHrA35q+FYbnXs6E/kxYGMrvoDc
>                     oC9OEoOXuu6Pl6+0K+u/3/fKxRZ6qL+5u/1KbyR1jr4ZHIbq7DA8qKzlNRdP7CtFWVbDjBiPPJu8
>                     NzSHhmi6Ft0IsxzYWhxYYDnF4Sd5rZab6eyLGNFofgIMYQIDAQABo4IBAjCB/zALBgNVHQ8EBAMC
>                     BaAwKwYDVR0QBCQwIoAPMjAxMjAxMTAyMTE5MjVagQ8yMDEzMDcxMjAzNDkyNVowEQYJYIZIAYb4
>                     QgEBBAQDAgWgMBQGA1UdIAQNMAswCQYHKxUGBgpkBDA0BgNVHR8ELTArMCmgJ6AlpCMwITEOMAwG
>                     A1UEChMFU1dJRlQxDzANBgNVBAMTBkNSTDUzMDAfBgNVHSMEGDAWgBSPr1a8gHej/Z7SiYOY/pjH
>                     IGUjzDAdBgNVHQ4EFgQU0ordUl0b/kqPM0eNLlj9wF7bm1EwCQYDVR0TBAIwADAZBgkqhkiG9n0H
>                     QQAEDDAKGwRWNy4xAwIDqDANBgkqhkiG9w0BAQUFAAOCAQEAYgHjVSo2AOkDj0NOj3Ep7Xz1BJHc
>                     6p2v2NQyw3ZoN8J2mF76BtrIaay/vDbD08EAiI85EdfwQnwr3jk5cqz/jtEiBdd+17IExu+pOBHK
>                     oJ7gVh9E7roAJd9RuLSK6uWQ3BVT1KzkWfCqf7xPn3gg5g7no9ki0wV1AX9fT/PhVB1mnEVC4/4d
>                     CsgAtQkcypeS74iPCldSQyQg+yDbx4Xjej+3EcYNS+1KFYh19p0ZGOd9ZCf888irvkZs83bGufPx
>                     nVoUrZmxetFpGnOhe+LIz3IuhS36p+IJs7jE0+Ra9iszZDS7y22WutPZU0XRCALTJHR0QRtL2yhg
>                     CO7OZjQIfw==
>                 </X509Certificate>
>             </X509Data>
>         </KeyInfo>
>     </Signature>
> </ns3:AuthnRequest>
>
> ==========================
>
> Please email me at koteshwarv at gmail.com for any other input. I really appreciate your help on this.
>
> Thanks,
> Kotesh
>
> _____________________________________
> Sent from http://shibboleth.1660669.n2.nabble.com
>


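Added example, not from the thread and not OpenSAML or Shibboleth code: a small structural pre-check that answers the question Brent raises above (does the posted XML actually match the exception?) before a document is handed to xmlsec. In Apache Santuario (the xmlsec.jar in the stack trace), `Manifest.<init>` raises "Cannot find Reference in Manifest" when a `ds:SignedInfo` (a Manifest subtype) has no child element named Reference in the XML-DSig namespace. The checker below walks every `ds:Signature` in a SAML message, including ones nested inside `Extensions`, and reports a SignedInfo with no dsig-namespace Reference (naming any Reference that sits in the wrong namespace), a Reference URI that resolves to no ID attribute, and an enveloped signature whose Reference does not cover its own parent element. The sample documents are constructed and trimmed to the thread's layout; `PLACEHOLDER=` stands in for real digest and signature values, and `NESTED_BAD` is a deliberately constructed namespace slip, not something the thread shows.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{" + DS_NS + "}"
ID_ATTRS = ("ID", "Id", "id")  # SAML 2.0 uses ID; other schemas use Id/id


def _id_index(root):
    # Map each ID-typed attribute value to its element (first occurrence wins).
    index = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            value = el.get(attr)
            if value is not None:
                index.setdefault(value, el)
    return index


def check_signatures(xml_text):
    """One finding per ds:Signature, in document order: the tag of the element
    containing it, the tags its References resolve to, and structural problems."""
    root = ET.fromstring(xml_text.strip())
    ids = _id_index(root)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(DS + "Signature"):
        parent = parent_of.get(sig, root)
        finding = {"parent": parent.tag, "targets": [], "problems": []}
        signed_info = sig.find(DS + "SignedInfo")
        if signed_info is None:
            finding["problems"].append("no ds:SignedInfo child")
            findings.append(finding)
            continue
        refs = signed_info.findall(DS + "Reference")
        if not refs:
            # The condition Santuario reports as "Cannot find Reference in Manifest".
            stray = [c.tag for c in signed_info if c.tag.split("}")[-1] == "Reference"]
            msg = "SignedInfo has no ds:Reference child"
            if stray:
                msg += "; Reference present in wrong namespace: " + ", ".join(stray)
            finding["problems"].append(msg)
        for ref in refs:
            uri = ref.get("URI", "")
            if uri == "":
                finding["targets"].append("(whole document)")
            elif not uri.startswith("#"):
                finding["problems"].append("non-local Reference URI " + uri)
            elif uri[1:] not in ids:
                finding["problems"].append("Reference " + uri + " matches no ID attribute")
            else:
                target = ids[uri[1:]]
                finding["targets"].append(target.tag)
                if target is not parent:
                    # An enveloped signature is expected to cover the element containing it.
                    finding["problems"].append("Reference " + uri + " does not cover the Signature's parent")
        findings.append(finding)
    return findings


# Constructed sample with the thread's layout: a signed AuthnRequest whose
# Extensions wrap a Response carrying its own signed Assertion.
NESTED_OK = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">
  <samlp:Extensions>
    <Sc:CustomTag xmlns:Sc="urn:test:saml:Sc.01" ID="ID_111111111">
      <samlp:Response ID="_resp1" Version="2.0">
        <saml:Assertion ID="_asn1" Version="2.0">
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="#_asn1">
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
          </ds:Signature>
        </saml:Assertion>
      </samlp:Response>
    </Sc:CustomTag>
  </samlp:Extensions>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_req1">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>PLACEHOLDER=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER=</SignatureValue>
  </Signature>
</samlp:AuthnRequest>"""

# Constructed failure case: the outer Reference slips into the SAML protocol
# namespace, so SignedInfo has no Reference in the dsig namespace at all.
NESTED_BAD = NESTED_OK.replace('<Reference URI="#_req1">', '<samlp:Reference URI="#_req1">') \
                      .replace('</Reference>', '</samlp:Reference>')

if __name__ == "__main__":
    for label, doc in (("nested-ok", NESTED_OK), ("wrong-namespace", NESTED_BAD)):
        for finding in check_signatures(doc):
            print(label, finding)
```

Read against the AuthnRequest posted in the thread, both SignedInfo elements carry a dsig-namespace Reference that points at the enclosing element (the outer one via the default `xmlns` on `Signature`, the inner one via the `ds:` prefix), so this check would pass on it; that is consistent with Brent's point that the posted XML is not the document that produced the Manifest exception. The "does not cover the Signature's parent" finding is not about this thread's error at all, but it is the check a relying party wants anyway: a signature whose Reference resolves to some other element than the one wrapping it is the shape signature-wrapping problems take, and catching it structurally costs nothing.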
