[OpenSAML] OpenSAML SignatureValidator Issues!


yangw...@ceopen.cn

Nov 6, 2008, 10:42:49 PM
to mace-open...@internet2.edu
When I use SignatureValidator to validate an Assertion, I get the
following error:
ERROR:
126221 [http-80-1] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#123456"
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
    at simplesaml.SingerAssertion.veriSignAssertion(SingerAssertion.java:167)
    at simplesaml.SPSamlHandler.doPost(SPSamlHandler.java:137)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:595)

Code is:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

// o is the unmarshalled Assertion taken from the Response
public boolean veriSignAssertion(Assertion o) {
    X509Certificate certificate = null;
    BasicX509Credential stCred = null;
    try {
        CertificateFactory certificatefactory = CertificateFactory.getInstance("X.509");
        // The trusted IdP certificate, read from the SP's own filesystem
        InputStream fin = new FileInputStream("D:/jdk1.5.0_01/jre/lib/security/samlcert");
        try {
            certificate = (X509Certificate) certificatefactory.generateCertificate(fin);
        } finally {
            fin.close();
        }

        stCred = new BasicX509Credential();
        stCred.setEntityCertificate(certificate);
        stCred.setPublicKey(certificate.getPublicKey());
    } catch (Exception e) {
        e.printStackTrace();
        return false; // no usable credential, nothing can be validated
    }

    // Profile check: the Signature must reference the enclosing Assertion
    // with only the permitted transforms
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    try {
        profileValidator.validate(o.getSignature());
    } catch (ValidationException e) {
        e.printStackTrace();
        return false; // not a well-formed SAML signature, skip the key check
    }

    // Cryptographic check: SignedInfo's SignatureValue against the trusted key
    SignatureValidator sigValidator = new SignatureValidator(stCred);
    try {
        sigValidator.validate(o.getSignature());
        return true;
    } catch (ValidationException e) {
        // Indicates signature was not cryptographically valid, or possibly
        // a processing error
        e.printStackTrace();
        return false;
    }
}

And the SAMLResponse XML is:
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="789123" InResponseTo="http://ce-ywq/samltool/simplesp" IssueInstant="2008-11-07T02:36:57.575Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ce-ywq/samltool/simpleidp</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="123456" IssueInstant="2008-11-07T02:36:57.455Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ce-ywq/samltool/simpleidp</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ds:Reference URI="#123456">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VIzvRsGNAkgdJFVQEuAUnHilaSk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
a+d7GXVeBvwsAF1b7r0mEZSjdH/zNQ1pHnP9gTilDDnxS1whTxbH0iOC4ZKiwpySPsphfiYnsSsN
yPcUZyqIL0AjoouA59hyO55+a+rOMgs2i7XViE1dR+sYS/jraSECPgX2sOTJUYnkxblWtsQC3Suh
oWYVOxv+SiQ6u2NTxbA=
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICDDCCAXUCBEkFdD0wDQYJKoZIhvcNAQEEBQAwTTELMAkGA1UEBhMCY24xCzAJBgNVBAgTAmJx...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">11</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData InResponseTo="456789" NotOnOrAfter="2008-11-07T02:41:57.465Z" Recipient="http://ce-ywq/samltool/simplesp"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2008-11-07T02:36:57.465Z" NotOnOrAfter="2008-11-07T02:36:57.471Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AudienceRestriction><saml:Audience>http://ce-ywq/samltool/simplesp</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2008-11-07T02:36:57.505Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AuthzDecisionStatement Decision="Permit" Resource="DoubleIt" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Action Namespace="urn:doubleit:doubleitactions">DoubleEvenNumbers</saml:Action></saml:AuthzDecisionStatement><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute Name="degree" NameFormat="http://www.example.org/DoubleIt/Security"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mathematics</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>


I have no idea about this problem; can someone help me?

Brent Putman

Nov 7, 2008, 1:08:47 AM
to mace-open...@internet2.edu

yangw...@ceopen.cn wrote:
> When I use SignatureValidator to validate an Assertion, I get the
> following error:
> ERROR:
> 126221 [http-80-1] INFO org.apache.xml.security.signature.Reference -
> Verification successful for URI "#123456"
> org.opensaml.xml.validation.ValidationException: Signature did not
> validate against the credential's key
> at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>
>


The Reference digest evaluation is fine. It's failing the evaluation of
the actual SignatureValue of the SignedInfo. One of the most common
signature validation failure causes is that the XML has been modified
after it was signed by pretty printing or incorrect serialization or
deserialization. Since the Reference here is succeeding, that actually
indicates that that may not be the case here. But I would double-check
both ends as to how the XML is being processed.

It actually sounds like maybe you are just not validating with the right
cert/key. I would sanity check that the key you are reading in from the
filesystem is actually the public half of the signing key pair. Also try
comparing it to the cert in the Signature's KeyInfo, since presumably
that is the correct one.

> Code is :
>
>


Your code itself looks fine.
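The two sanity checks Brent suggests, worked through as an added example (this is not OpenSAML code and not the poster's code). It runs the cheap pre-checks a relying party should make before, or alongside, the RSA check that SignatureValidator performs: the Reference must point at the enclosing Assertion (what SAMLSignatureProfileValidator enforces), the SignatureMethod must be one the SP still accepts (the Response above was signed with rsa-md5, which a verifier today should refuse), and the certificate in KeyInfo is compared byte-for-byte against the certificate the SP trusts. The comparison runs that way round on purpose: KeyInfo is supplied by the sender, so it can confirm which key the IdP used but must never become the verification key by itself. The RSA verification is left to OpenSAML/xmlsec. The IDs, URIs and algorithm identifiers are taken from the posted Response; the two DER certificates and the SignatureValue are constructed placeholders, because the certificate on the page is truncated.

```python
# Added example: pre-flight checks before OpenSAML's RSA verification.
# Certificates and SignatureValue are constructed placeholders; IDs, URIs and
# algorithm identifiers come from the Response in the post.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Accepted signature algorithms. The IdP in the post uses rsa-md5: not listed.
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

# Constructed DER stand-ins (the real cert on the page is truncated).
# TRUSTED_CERT_DER plays the SP's "samlcert" file; OTHER_CERT_DER is unrelated.
TRUSTED_CERT_DER = b"\x30\x82\x01\x00constructed-trusted-idp-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-unrelated-cert"


def build_response(cert_der: bytes) -> str:
    """The posted Response, trimmed to what the checks read, with cert_der in KeyInfo."""
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="789123" Version="2.0">'
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="123456" Version="2.0">'
        '<saml:Issuer>http://ce-ywq/samltool/simpleidp</saml:Issuer>'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>'
        '<ds:Reference URI="#123456">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '<ds:DigestValue>VIzvRsGNAkgdJFVQEuAUnHilaSk=</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
        '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + cert_b64 + '</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>'
    )


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated as openssl prints it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def triage(response_xml: str, trusted_cert_der: bytes) -> dict:
    """Run the three pre-checks on a Response and return the findings."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no saml:Assertion")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("Assertion is not signed")

    # 1. What SAMLSignatureProfileValidator enforces: exactly one Reference, and it
    #    must point at the enclosing Assertion's own ID, so the signature cannot
    #    cover some other element while this Assertion rides along unsigned.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    reference_ok = len(refs) == 1 and refs[0].get("URI") == "#" + assertion.get("ID", "")

    # 2. Algorithm allowlist, decided before any key material is touched.
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")

    # 3. KeyInfo comes from the sender, so it is never used as the verification key
    #    on its own: it is compared byte-for-byte with the cert the SP already trusts.
    b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    keyinfo_der = base64.b64decode("".join(b64.split()))  # drop base64 line wrapping

    return {
        "reference_ok": reference_ok,
        "signature_method": method,
        "signature_method_allowed": method in ALLOWED_SIGNATURE_METHODS,
        "keyinfo_fingerprint": fingerprint(keyinfo_der),
        "trusted_fingerprint": fingerprint(trusted_cert_der),
        "keyinfo_matches_trusted": keyinfo_der == trusted_cert_der,
    }


def problems(findings: dict) -> list:
    """Defects to fix before the RSA check is worth running. An empty list together
    with a failing SignatureValue means SignedInfo changed after signing."""
    out = []
    if not findings["reference_ok"]:
        out.append("Reference does not cover the enclosing Assertion")
    if not findings["signature_method_allowed"]:
        out.append("SignatureMethod not accepted: " + findings["signature_method"])
    if not findings["keyinfo_matches_trusted"]:
        out.append("KeyInfo cert %s differs from trusted cert %s"
                   % (findings["keyinfo_fingerprint"], findings["trusted_fingerprint"]))
    return out


if __name__ == "__main__":
    for der in (TRUSTED_CERT_DER, OTHER_CERT_DER):
        print(problems(triage(build_response(der), TRUSTED_CERT_DER)) or ["pre-checks pass"])
```

Run against the posted Response with the matching certificate, the only finding is the rsa-md5 SignatureMethod; swap in the unrelated certificate and the fingerprint mismatch is reported as well. When both fingerprints agree and SignatureValue still fails, the remaining explanation is the one Brent gives: the SignedInfo bytes the verifier canonicalizes are no longer the bytes the IdP signed, so the next place to look is the serialization on the signer side and the parsing on the receiving side.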

Brent Putman

Nov 7, 2008, 5:24:23 PM
to yangw...@ceopen.cn, mace-open...@internet2.edu
Please be sure to reply-to-all or to the list, rather than the sender
directly...


yangw...@ceopen.cn wrote:
> Thanks for Brent Putman's reply.
>
> I checked the code again: the cert/key is right, and the cert/key value is the same as in KeyInfo. Then I modified the Credential creation like this (the same as in the signing code):
>
> PrivateKey priv = null;
> Certificate kscert = null,cert;
> try {
> priv = (PrivateKey) getKeyStore().getKey("samlcert", "password".toCharArray());
> kscert = getKeyStore().getCertificate("samlcert");
> } catch (KeyStoreException e1) {
> // TODO Auto-generated catch block
> e1.printStackTrace();
> } catch (NoSuchAlgorithmException e1) {
> // TODO Auto-generated catch block
> e1.printStackTrace();
> } catch (UnrecoverableKeyException e1) {
> // TODO Auto-generated catch block
> e1.printStackTrace();
> }
>
> Credential stCred = SecurityHelper.getSimpleCredential(kscert.getPublicKey(), priv);
>

That looks correct, as far as generating the Credential with which to sign.

> but the same error happened : org.opensaml.xml.validation.ValidationException: Signature did not
> validate against the credential's key .
>

Well, if you're sure you are validating with the right key, then it
almost certainly must be the case that the SignedInfo element really has
been modified since it was signed. You'll need to double-check the
serialization process on the signer side, and the deserialization and
unmarshalling process on the receiving side, to find out where and how.
That's all I can tell you.

Remember that any change to the signed document will cause the signature
to fail, even something as trivial as addition or removal of whitespace.

> When I sign text with the same cert and validate it using java.security.Signature from JDK1.5, it has no problem.
>

I'm not sure what you mean here, what are you validating with
java.security.Signature? Or are you saying there seems to be a difference
in behavior between JDK1.5 and some other JDK version?

> And I have another question. Why is my Assertion's signature info contained by <saml:Assertion ..> ..</saml:Assertion>? When SignatureValidator.validate(..) executes, can the signature info be computed to the encrypted value by the PublicKey?
>

I'm sorry, I don't understand what you are asking here. Can you please
rephrase the question?


--Brent
