UNHANDLEDEXCEPTION - Unable to validate Signature


laurence.h...@gemalto.com

Feb 15, 2012, 10:02:08 AM
to simpleSAMLphp
Hello,

SimpleSAMLphp produces an error when receiving the response of Feide
OpenIDp.
Something is missing from the configuration of my SP. I cannot figure
out what, I have spent the day reading SimpleSAMLphp documents and
changing options but it didn't help.
Please could you let me know what could cause this situation? Which
key is involved at this point?
What can I do?

3bcfe694d5
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 D:\xampp\htdocs\simplesamlphp-1.8.2\www\module.php:180 (N/A)
Caused by: Exception: Unable to validate Signature
Backtrace:
6 D:\xampp\htdocs\simplesamlphp-1.8.2\lib\SAML2\Utils.php:104 (SAML2_Utils::validateSignature)
5 [builtin] (call_user_func)
4 D:\xampp\htdocs\simplesamlphp-1.8.2\lib\SAML2\Message.php:210 (SAML2_Message::validate)
3 D:\xampp\htdocs\simplesamlphp-1.8.2\modules\saml\lib\Message.php:199 (sspmod_saml_Message::checkSign)
2 D:\xampp\htdocs\simplesamlphp-1.8.2\modules\saml\lib\Message.php:500 (sspmod_saml_Message::processResponse)
1 D:\xampp\htdocs\simplesamlphp-1.8.2\modules\saml\www\sp\saml2-acs.php:50 (require)
0 D:\xampp\htdocs\simplesamlphp-1.8.2\www\module.php:135 (N/A)


Thank you
Best regards
Laurence

PS: here are a few logs attached to the error:

SAML N°1
GET
https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVJta9swEP4rRt9tyZ4dtyIJZA3bAt0a6rSUfhmKfG4EsqTp5K3795Ptjmaw9osEd%2Fe83MMtUfTa8c0QTuYWfgyAIXnutUE%2BNVZk8IZbgQq5ET0gD5I3m6%2FXvMgYd94GK60mZ5D3EQIRfFDWkGS3XZHvVVHldV6wvL5ctDUcO1hAWRxrYFW5qMvumFeyrC4%2FMEGSe%2FAYkSsSiSIccYCdwSBMiCWWFykr0rw6sAteXnDGHkmyjdsoI8KEOoXgkFNqHRjVuqwD1UJmLEXVOw2jdzo%2BBY1d2jQ3DfifSkLmTo4km7%2FGr6zBoQf%2F0r27vX6l1lYKfbIYzjl72w56YqGzxvwXqZA4VZte%2BPA5RuUjt4GHKZ39S7QflWmVeXo%2F1eM8hPzL4bBP9zfNgayXowifUvLr%2FxgcRZ9GUTmKPkdRuqTnmOV8Gd%2FizG67t1rJ38kn63sR3jaTZ%2FlUUW3aTaN8MOhAqk5BG0PU2v668iACrEjwAxC6nkX%2FvcD1Hw%3D%3D&RelayState=https%3A%2F%2Flocalhost%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DSmartGamerConneXion
HTTP/1.1
Host: openidp.feide.no
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://localhost/simplesaml/module.php/core/authenticate.php
Cookie: PHPSESSID=fb4448e4b066812a2b4c9dd1c6878d15; SimpleSAMLAuthToken=_fd1e8afca8f181064de61e083619808181e1b4b951

HTTP/?.? 200 OK
Date: Wed, 15 Feb 2012 08:48:00 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5 Python/2.5.2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5260
Connection: close
Content-Type: text/html

SAML N°2
POST https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/SmartGamerConneXion
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:
https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVJta9swEP4rRt9tyZ4dtyIJZA3bAt0a6rSUfhmKfG4EsqTp5K3795Ptjmaw9osEd%2Fe83MMtUfTa8c0QTuYWfgyAIXnutUE%2BNVZk8IZbgQq5ET0gD5I3m6%2FXvMgYd94GK60mZ5D3EQIRfFDWkGS3XZHvVVHldV6wvL5ctDUcO1hAWRxrYFW5qMvumFeyrC4%2FMEGSe%2FAYkSsSiSIccYCdwSBMiCWWFykr0rw6sAteXnDGHkmyjdsoI8KEOoXgkFNqHRjVuqwD1UJmLEXVOw2jdzo%2BBY1d2jQ3DfifSkLmTo4km7%2FGr6zBoQf%2F0r27vX6l1lYKfbIYzjl72w56YqGzxvwXqZA4VZte%2BPA5RuUjt4GHKZ39S7QflWmVeXo%2F1eM8hPzL4bBP9zfNgayXowifUvLr%2FxgcRZ9GUTmKPkdRuqTnmOV8Gd%2FizG67t1rJ38kn63sR3jaTZ%2FlUUW3aTaN8MOhAqk5BG0PU2v668iACrEjwAxC6nkX%2FvcD1Hw%3D%3D&RelayState=https%3A%2F%2Flocalhost%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DSmartGamerConneXion
Cookie: language=en; PHPSESSID=ea6f705f3e28764352ee89c6f00b671c
Content-Type: application/x-www-form-urlencoded
Content-Length: 11495

HTTP/?.? 500 Internal Server Error
Date: Wed, 15 Feb 2012 08:48:00 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4004
Connection: close
Content-Type: text/html


Access log in Apache:

127.0.0.1 - - [15/Feb/2012:09:48:00 +0100] "GET /simplesaml/module.php/core/authenticate.php?as=SmartGamerConneXion HTTP/1.1" 302 1966 "https://localhost/simplesaml/module.php/core/authenticate.php" "Mozilla/5.0 (Windows NT 5.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

127.0.0.1 - - [15/Feb/2012:09:48:00 +0100]
"POST /simplesaml/module.php/saml/sp/saml2-acs.php/SmartGamerConneXion
HTTP/1.1" 500 4004 "https://openidp.feide.no/simplesaml/saml2/idp/
SSOService.php?
SAMLRequest=fVJta9swEP4rRt9tyZ4dtyIJZA3bAt0a6rSUfhmKfG4EsqTp5K3795Ptjmaw9osEd
%2Fe83MMtUfTa8c0QTuYWfgyAIXnutUE
%2BNVZk8IZbgQq5ET0gD5I3m6%2FXvMgYd94GK60mZ5D3EQIRfFDWkGS3XZHvVVHldV6wvL5ctDUcO1hAWRxrYFW5qMvumFeyrC4%2FMEGSe
%2FAYkSsSiSIccYCdwSBMiCWWFykr0rw6sAteXnDGHkmyjdsoI8KEOoXgkFNqHRjVuqwD1UJmLEXVOw2jdzo
%2BBY1d2jQ3DfifSkLmTo4km7%2FGr6zBoQf
%2F0r27vX6l1lYKfbIYzjl72w56YqGzxvwXqZA4VZte
%2BPA5RuUjt4GHKZ39S7QflWmVeXo%2F1eM8hPzL4bBP9zfNgayXowifUvLr
%2FxgcRZ9GUTmKPkdRuqTnmOV8Gd%2FizG67t1rJ38kn63sR3jaTZ
%2FlUUW3aTaN8MOhAqk5BG0PU2v668iACrEjwAxC6nkX%2FvcD1Hw%3D
%3D&RelayState=https%3A%2F%2Flocalhost%2Fsimplesaml%2Fmodule.php%2Fcore
%2Fauthenticate.php%3Fas%3DSmartGamerConneXion" "Mozilla/5.0 (Windows
NT 5.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

SSL log in Apache:

[15/Feb/2012:09:48:00 +0100] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /simplesaml/module.php/core/authenticate.php?as=SmartGamerConneXion HTTP/1.1" 1966
[15/Feb/2012:09:48:00 +0100] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "POST /simplesaml/module.php/saml/sp/saml2-acs.php/SmartGamerConneXion HTTP/1.1" 4004


PHP log:

[15-Feb-2012 09:48:00] PHP Warning: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: Don't know how to get public key from this private key in D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php on line 463
[15-Feb-2012 09:48:00] PHP Warning: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: supplied key param cannot be coerced into a public key in D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php on line 463

// xmlseclibs.php (simplesamlphp-1.8.2): $this->key is the key resource set up by
// loadKey(); openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
private function verifyOpenSSL($data, $signature) {
    $algo = OPENSSL_ALGO_SHA1;
    if (! empty($this->cryptParams['digest'])) {
        $algo = $this->cryptParams['digest'];
    }
    return openssl_verify($data, $signature, $this->key, $algo);
}





Olav Morken

Feb 16, 2012, 1:55:16 AM
to simple...@googlegroups.com
On Wed, Feb 15, 2012 at 07:02:08 -0800, laurence.h...@gemalto.com wrote:
> Hello,
>
> SimpleSAMLphp produces an error when receiving the response of Feide
> OpenIDp.
> Something is missing from the configuration of my SP. I cannot figure
> out what, I have spent the day reading SimpleSAMLphp documents and
> changing options but it didn't help.
> Please could you let me know what could cause this situation ?

This is a rather strange error. By this time, almost all the work
involved in the verification of the response is done. All that remains
is to check the actual signature on the <ds:SignedInfo>-element.

> Which
> key is involved at this point ?

The one found in the response (unless you have added any other keys?)

> What can I do ?

[...]


> [15-Feb-2012 09:48:00] PHP Warning: openssl_verify() [<a
> href='function.openssl-verify'>function.openssl-verify</a>]: Don't
> know how to get public key from this private key in D:\xampp\htdocs
> \simplesamlphp-1.8.2\lib\xmlseclibs.php on line 463

Private key? Have you added something to the OpenIdP entry in
saml20-idp-remote.php? What does it look like?

Best regards,
Olav Morken
UNINETT / Feide

HANNEGUELLE Laurence

Feb 16, 2012, 5:36:51 AM
to simple...@googlegroups.com
Hello Olav

Thank you for your help.
I have added nothing to saml20-idp-remote.php, except the description of another IDp, but I am currently using Feide OpenIDp.

A code addition that I hacked into xmlseclibs.php produces:

TRACE OF VERIFYOPENSSL
data=[ ZluGxzhFZBVXQxP+ISBy/CrquCc=]
key resource type=[OpenSSL key]

How could I retrieve the value of a variable with type "OpenSSL key"? This would enable us to see the value of the key that is used.

Other traces I could get for the same event same time (line number is +5 due to my addition):

16 Feb.2012 - 11h20 - Log identifier = e26450e1bd

Warning: openssl_verify() [function.openssl-verify]: Don't know how to get public key from this private key in D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php on line 468

Warning: openssl_verify() [function.openssl-verify]: supplied key param cannot be coerced into a public key in D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php on line 468


POST https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/SmartGamerConneXion HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8


Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Referer: https://openidp.feide.no/simplesaml/module.php/core/loginuserpass.php?
Cookie: language=en; PHPSESSID=2b09f67214327bef14db4e93b2699310; SimpleSAMLAuthToken=_c4943613bbfca635803da1ecb4dd869b6534c33f5d
Content-Type: application/x-www-form-urlencoded
Content-Length: 11495

HTTP/?.? 500 Internal Server Error

Date: Thu, 16 Feb 2012 10:20:10 GMT


Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Content-Length: 4784
Connection: close
Content-Type: text/html

Best regards
Laurence

Dick Visser

Feb 16, 2012, 5:42:19 AM
to simple...@googlegroups.com
Could you post your saml20-idp-remote.php?

On 16 February 2012 11:36, HANNEGUELLE Laurence


--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands

HANNEGUELLE Laurence

Feb 16, 2012, 6:08:07 AM
to simple...@googlegroups.com

Yes, sure, please find it in attachment.

(FYI, when we use the other IDp, and we
un-comment //'sign.authnrequest' => TRUE,
Apache commits suicide).

saml20-idp-remote.php

Olav Morken

Feb 16, 2012, 6:20:03 AM
to simple...@googlegroups.com
On Thu, Feb 16, 2012 at 12:08:07 +0100, HANNEGUELLE Laurence wrote:
>
> Yes, sure, please find it in attachment.
>
> (FYI, when we use the other IDp, and we
> un-comment //'sign.authnrequest' => TRUE,
> Apache commits suicide).

That's strange. Maybe there is a problem with the OpenSSL-library in
your installation?


Could you send the raw authentication response? You can dump it to a
file by adding something like the following to the beginning of
modules/saml/www/sp/saml2-acs.php:

file_put_contents('/path/to/file.base64', $_POST['SAMLResponse']);

HANNEGUELLE Laurence

Feb 16, 2012, 6:37:10 AM
to simple...@googlegroups.com
>>-----Original Message-----
>>From: simple...@googlegroups.com >>[mailto:simple...@googlegroups.com] On Behalf Of Olav Morken
>>Sent: Thursday 16 February 2012 12:20
>> Could you send the raw authentication response? [...]


Please find "Log.txt" in attachment.

Associated trace:

635b60bc6f

POST https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/SmartGamerConneXion HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://openidp.feide.no/simplesaml/module.php/core/loginuserpass.php?

Cookie: language=en; PHPSESSID=29bae40d6789a7c8145ca9556f5c8972; SimpleSAMLAuthToken=_b05d14d876abe37c838ea35595a94c16ed54e0369d
Content-Type: application/x-www-form-urlencoded
Content-Length: 11495

HTTP/?.? 500 Internal Server Error

Date: Thu, 16 Feb 2012 11:33:56 GMT


Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

log.txt

Olav Morken

Feb 16, 2012, 7:06:52 AM
to simple...@googlegroups.com
On Thu, Feb 16, 2012 at 12:37:10 +0100, HANNEGUELLE Laurence wrote:
> >>-----Original Message-----
> >>From: simple...@googlegroups.com >>[mailto:simple...@googlegroups.com] On Behalf Of Olav Morken
> >>Sent: Thursday 16 February 2012 12:20
> >> Could you send the raw authentication response? [...]
>
>
> Please find "Log.txt" in attachment.

I did a few tests here, and there were no problems verifying the
signature, so the response itself is valid.

Are you certain that you do not have any modifications to the code
files in simpleSAMLphp?

HANNEGUELLE Laurence

Feb 16, 2012, 8:03:38 AM
to simple...@googlegroups.com
>> Are you certain that you do not have any modifications
>> to the code files in simpleSAMLphp?

Yes, I am absolutely sure that I did not modify the code in SimpleSAMLphp.
I only followed the Guidelines and changed things in three configuration files (authsources.php, config.php, saml20-idp-remote.php).
Only today, I hacked into xmlseclibs.php to trace what data and which key it is using. I could see the key content if I knew how to transform a resource of type "OpenSSL key" to a character string. If you think it could help...

(I have been unable to create a log file, also. The /log directory still contains "_placeholder.php", although I followed the procedure described in documents).

Please note that I am using Windows XP, not Unix.
The SimpleSAMLphp library and the application are at the same level, in the document root:
D:\xampp\htdocs\simplesamlphp-1.8.2\
D:\xampp\htdocs\smartgamerconnexion\

As for OpenSSL, the environment variable OPENSSL_CONF points to
D:\xampp\php\extras\openssl\openssl.conf
But the xampp package has two different openssl.exe (one in Apache/bin, one in php/extras/openssl), I don't know why, and there are more elsewhere on my machine, so yes, openssl could be the culprit. Is there a standard way to set openssl?

Olav Morken

Feb 16, 2012, 8:28:28 AM
to simple...@googlegroups.com
On Thu, Feb 16, 2012 at 14:03:38 +0100, HANNEGUELLE Laurence wrote:
> >> Are you certain that you do not have any modifications
> >> to the code files in simpleSAMLphp?
>
> Yes, I am absolutely sure that I did not modify the code in SimpleSAMLphp.
> I only followed the Guidelines and changed things in three configuration files (authsources.php, config.php, saml20-idp-remote.php).
> Only today, I hacked into xmlseclibs.php to trace what data and which key it is using. I could see the key content if I knew how to transform a resource of type " OpenSSL key" to a character string. If you think it could help...

You may be able to find out something by looking at where the key is
loaded. The loadKey()-function in the same class handles this. At that
point $key is still a string. What confuses me is that the warning
claims that the key is a private key, but it should really be a public
key.

You could try verifying that openssl_get_publickey() is called in that
function.


> (I have been unable to create a log file, also. The /log directory still contains "_placeholder.php", although I followed the procedure described in documents).

That's strange. Maybe there is some permission problem?

> Please note that I am using Windows XP, not Unix.
> The SimpleSAMLphp library and the application are at the same level, in the document root:
> D:\xampp\htdocs\simplesamlphp-1.8.2\
> D:\xampp\htdocs\smartgamerconnexion\
>
> As for OpenSSL, the environment variable OPENSSL_CONF points to
> D:\xampp\php\extras\openssl\openssl.conf
> But the xampp package has two different openssl.exe (one in Apache/bin, one in php/extras/openssl), I don't know why, and there are more elsewhere on my machine, so yes, openssl could be the culprit. Is there a standard way to set openssl ?

I have no idea how that works on Windows. Note that the openssl.exe has
nothing to do with what PHP and Apache uses internally. But if there
are two openssl binaries, I guess there could also be two libraries
that may create problems...

HANNEGUELLE Laurence

Feb 21, 2012, 6:26:12 AM
to simple...@googlegroups.com
Hello Olav

Trying to tackle this Exception problem again.

In attachment, a screenshot of the modifications, as suggested.
"this->key" contains the certificate of the IDp. No difference, except trace has bytes '0D 0A' where the ".crt" has only '0A'.

<p>ELSETHISKEY=-----BEGIN CERTIFICATE-----
MIIDKDCCAhC [...certificate of IPD here...] SRXO5SJUiU=
-----END CERTIFICATE-----
</p><p>GETPUBLICKEY=Resource id #133</p><br />
<b>Warning</b>: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: Don't know how to get public key from this private key in <b>D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php</b> on line <b>468</b><br />
<br />
<b>Warning</b>: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: supplied key param cannot be coerced into a public key in <b>D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php</b> on line <b>468</b><br />

<!DOCTYPE html PUBLIC [etc...]


In saml20-idp-remote.php, the fingerprint has the correct value
'certFingerprint' => 'a4d2[...]
We even produced an error and pasted the expected value. We can see it also with Windows by double-clicking on the ".crt".
Signature algorithm=sha1RSA, public key RSA(2048 Bits).


Exception occurs also if I use Feide OpenID as the IDP. Here is the trace:

<p>ELSETHISKEY=-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
</p><p>GETPUBLICKEY=Resource id #154</p><br />
<b>Warning</b>: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: Don't know how to get public key from this private key in <b>D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php</b> on line <b>468</b><br />
<br />

Could there be a wrong parameter somewhere? Are there more code modifications I could do?

Best regards
L.H.


trace_xmlseclibs.php.gif

Olav Morken

Feb 22, 2012, 10:07:51 AM
to simple...@googlegroups.com
On Tue, Feb 21, 2012 at 12:26:12 +0100, HANNEGUELLE Laurence wrote:
> Hello Olav
>
> Trying to tackle this Exception problem again.
>
> In attachment, a screenshot of the modifications, as suggested.
> "this->key" contains the certificate of the IDp. No difference, except trace has bytes '0D 0A' where the ".crt" has only '0A'.
>
> <p>ELSETHISKEY=-----BEGIN CERTIFICATE-----
> MIIDKDCCAhC [...certificate of IPD here...] SRXO5SJUiU=
> -----END CERTIFICATE-----
> </p><p>GETPUBLICKEY=Resource id #133</p><br />
> <b>Warning</b>: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: Don't know how to get public key from this private key in <b>D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php</b> on line <b>468</b><br />
> <br />
> <b>Warning</b>: openssl_verify() [<a href='function.openssl-verify'>function.openssl-verify</a>]: supplied key param cannot be coerced into a public key in <b>D:\xampp\htdocs\simplesamlphp-1.8.2\lib\xmlseclibs.php</b> on line <b>468</b><br />
[...]

> Could there be a wrong parameter somewhere ? Are there more code modifications I could do ?

That would be strange, since this code works elsewhere. I wonder if
OpenSSL works correctly in your PHP installation. Could you test the
attached PHP file? What is the output?

test-verify.php
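An added stand-alone check of PHP's OpenSSL extension, written for this thread; it is not Olav's attached test-verify.php (which is not reproduced in the thread) and not simpleSAMLphp or xmlseclibs code. It walks the same sign-then-verify path that loadKey() and verifyOpenSSL() take, uses openssl_pkey_get_details() to confirm that a key loaded from a certificate really is treated as public, and then shows the one case in which a healthy build emits the "Don't know how to get public key from this private key" warning quoted above. The RSA key, certificate subject and payload are constructed; it assumes ext/openssl is loaded and can find an openssl.cnf.

```php
<?php
// Added example for this thread; not Olav's test-verify.php and not
// simpleSAMLphp/xmlseclibs code. Needs ext/openssl and a readable openssl.cnf:
// openssl_csr_new() reads it, so if OPENSSL_CONF is unset (a XAMPP pitfall
// discussed in the thread) add 'config' => '/path/to/openssl.cnf' to $keyConfig.

// Digest for openssl_sign()/openssl_verify(). xmlseclibs defaults to SHA1, as
// verifyOpenSSL() above shows; hardened OpenSSL builds may refuse SHA1
// signatures, in which case switch this to OPENSSL_ALGO_SHA256.
$algo = OPENSSL_ALGO_SHA1;

// 1. Throwaway 2048-bit RSA key pair and self-signed certificate, in memory,
//    matching the "RSA (2048 bits)" the thread's IdP .crt shows.
$keyConfig  = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
$privateKey = openssl_pkey_new($keyConfig);
if ($privateKey === false) {
    exit("openssl_pkey_new failed: " . openssl_error_string() . "\n");
}
$dn   = ['commonName' => 'test-verify.example'];            // constructed subject
$csr  = openssl_csr_new($dn, $privateKey, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $privateKey, 1, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $certPem);                       // PEM text, like a .crt file

// 2. Sign. This is the openssl_sign() call that crashed Apache in the thread;
//    a healthy ext/openssl returns true and fills $signature.
$data   = 'ZluGxzhFZBVXQxP+ISBy/CrquCc=';                    // constructed payload (the digest value from the trace)
$signed = openssl_sign($data, $signature, $privateKey, $algo);
echo 'openssl_sign: ', $signed ? 'ok' : 'FAILED ' . openssl_error_string(), "\n";

// 3. Load the certificate as a PUBLIC key, which is what loadKey() does via
//    openssl_get_publickey(). A public RSA key carries only n and e; if the
//    private exponent d is present, PHP will treat the key as private and
//    openssl_verify() will refuse it with the warning seen in the thread.
$publicKey = openssl_get_publickey($certPem);
$details   = openssl_pkey_get_details($publicKey);
$isRsa     = $details['type'] === OPENSSL_KEYTYPE_RSA;
$hasPriv   = isset($details['rsa']['d']);
printf("loaded key: %s, %d bits, %s\n", $isRsa ? 'RSA' : 'other', $details['bits'],
       $hasPriv ? 'PRIVATE (wrong for verification)' : 'public');

// 4. Verify with the public key: 1 = valid, 0 = invalid, -1/false = error.
echo 'openssl_verify(public key): ', openssl_verify($data, $signature, $publicKey, $algo), "\n";

// 5. Flip one bit of the signature and verify again: a working build returns 0.
$tampered    = $signature;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
echo 'openssl_verify(tampered signature): ', openssl_verify($data, $tampered, $publicKey, $algo), "\n";

// 6. Hand openssl_verify() the PRIVATE key. On a healthy build this reproduces
//    the thread's two warnings ("Don't know how to get public key from this
//    private key", "supplied key param cannot be coerced into a public key")
//    and returns false, because openssl_verify() only accepts public keys.
//    Seeing those warnings for a key loaded from a certificate, as in step 3,
//    points at the extension build rather than at the SP configuration.
$bad = openssl_verify($data, $signature, $privateKey, $algo);
var_dump($bad);
```

Run it from the command line with the same php.exe that Apache loads; if the process dies at step 2 the problem is in ext/openssl, not in simpleSAMLphp.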

HANNEGUELLE Laurence

Feb 22, 2012, 11:53:04 AM
to simple...@googlegroups.com
Hi Olav

The result of the PHP script you sent, is that Apache crashes.
No trace in the log file of php.

I also noted this:

If saml20-idp-remote.php contains 'sign.logout' => TRUE,
(happens also with 'sign.authnrequest' => TRUE,)
whatever the IDp,
when "index.php" of the application is reduced to the strict minimum,
no matter if we start from "index.php" or /simplesaml/,
Apache crashes.
Apache HTTP Server has encountered a problem and needs to close. We are sorry for the inconvenience.
Error signature:
AppName: httpd.exe AppVer: 2.2.21.0 ModName: unknown
ModVer: 0.0.0.0 Offset: 00000000

I thought that maybe the signature made the SAML URL too long for this XAMPP Apache to handle. Could there be a nasty parameter somewhere, that sets a boundary on the flow length, or something ? I've been looking through php.ini today, for another reason (without output_buffering set to a minimum value, a freshly installed simpleSAMLphp would only scream "header already sent"). I did not find anything related to this.

Regarding OpenSSL, I do have a problem. XAMPP documents do not indicate what to do to configure OpenSSL properly. I searched in Google in vain.
Apache/bin contains openssl.exe and an openssl conf file
Php/extras/openSSL/ contains also openssl.exe and an openssl conf file

I had to set the environment variable OPENSSL_CONF to D:/xampp/apache/bin/openssl.cnf

And I had to manually add the line to php.ini that everybody says should be there, because it was nowhere to start with:
extension=php_openssl.dll
(the file php_openssl.dll is present in php/ext/)


Now I can produce a certificate if I run a command from Apache/bin manually in DOS
But my knowledge stops there; any help greatly appreciated

Best regards
Laurence


Peter Schober

Feb 22, 2012, 1:52:09 PM
to simple...@googlegroups.com
* HANNEGUELLE Laurence <Laurence.H...@gemalto.com> [2012-02-22 17:53]:

> Now I can produce a certificate if I run a command from Apache/bin
> manually in DOS But my knowledge stops there; any help greatly
> appreciated

That's not really the right place for such questions,
-peter

Peter Schober

Feb 23, 2012, 2:32:47 AM
to simple...@googlegroups.com
* Peter Schober <peter....@univie.ac.at> [2012-02-22 19:52]:

I may have misunderstood. If you're saying you've now managed to
generate a key pair and don't know what to do with it, there's
http://simplesamlphp.org/docs/1.8/simplesamlphp-sp#section_1_1
-peter

HANNEGUELLE Laurence

Feb 23, 2012, 4:24:51 AM
to simple...@googlegroups.com

> That's not really the right place for such questions,

> [...]
> http://simplesamlphp.org/docs/1.8/simplesamlphp-sp#section_1_1

Hello Peter

Thank you for your answer.

I did produce the SAML.crt/SAML.pem pair from the start, with a manual command on my machine and it worked and it's been in the /cert directory since. So I suppose the OpenSSL library is configured correctly for manual use.

I am trying to understand what was the purpose of the script " test-verify.php" that Olav sent to me to experiment with, and what conclusions you come to, if it makes Apache HTTP server crash.

Is this proving that there is another configuration, to let PHP use openSSL, which is not OK on my machine? I am currently researching in this direction.

Olav Morken

Feb 23, 2012, 6:21:51 AM
to simple...@googlegroups.com
On Thu, Feb 23, 2012 at 10:24:51 +0100, HANNEGUELLE Laurence wrote:
> I am trying to understand what was the purpose of the script " test-verify.php" that Olav sent to me to experiment with, and what conclusions you come to, if it makes Apache HTTP server crash.
>
> Is this proving that there is another configuration, to let PHP use openSSL, which is not OK on my machine ? I am currently researching in this direction.

It shows that your PHP OpenSSL library is broken. It should never crash
Apache. I doubt it is a configuration issue, but more likely something
about the PHP/Apache packages you have installed. I have never used any
PHP packages for windows, so I have no idea about how this should be
fixed.

You should try to reduce the test script to the minimal amount of code
that crashes Apache, and try to contact some sort of support forum for
the PHP/Apache packages you have installed.

Peter Schober

Feb 23, 2012, 7:47:30 AM
to simple...@googlegroups.com
* Olav Morken <olav....@uninett.no> [2012-02-23 12:22]:

> It shows that your PHP OpenSSL library is broken. It should never crash
> Apache. I doubt it is a configuration issue, but more likely something
> about the PHP/Apache packages you have installed. I have never used any
> PHP packages for windows, so I have no idea about how this should be
> fixed.
>
> You should try to reduce the test script to the minimal amount of code
> that crashes Apache, and try to contact some sort of support forum for
> the PHP/Apache packages you have installed

Adding to that: It seems all you're testing/debugging is your OS,
libraries, webserver, PHP installation, etc. -- i.e., everything
except the thing you probably came here for (simpleSAMLphp).

So if this is just to find out whether SSP is suitable for your needs
I'd suggest using a platform that is less broken or less painful to deal
with. If you're then happy with the results you can invest additional
effort in debugging your generic PHP and SSL problems on your platform
of choice. (Unless you're already in the latter stage and you're
dealing with productionalization, but then this isn't the right place
to ask.)
-peter

HANNEGUELLE Laurence

Feb 24, 2012, 2:33:05 AM
to simple...@googlegroups.com

Hi

>> I'd suggest using a platform that is less broken

This is a big cubicle-type company, all I have to perform tests is my laptop, and a distant Windows web server. So I do not really have a choice of platform. Eventually, I will transfer everything to some Unix hosting server that we rented. If OpenSSL is a key element, I am going to struggle with it three times.

>> if this is just to find out whether SSP is suitable for your needs

It is more than that. We will suggest simpleSAMLphp to our customers who have a web site in PHP. My current purpose is to make a demo to prove that it works with a specific IDp.

As a new user (and also new to the job), I am confused whether SimpleSAMLphp or OpenSSL is the cause of a malfunction, until you point it out. Now that I know, I'll work on the configuration. By the way, I used a fresh installation of XAMPP, a popular package, and did not mess it up, so if Apache cannot execute some signature statements, it can be expected that other people will encounter this problem as well, and ask you the wrong questions. Sorry about that. It's great to have such a good support on an open source item. I posted a question to XAMPP group but never got an answer.

Thank you for your help
Best regards
Laurence

HANNEGUELLE Laurence

Feb 24, 2012, 6:11:07 AM
to simple...@googlegroups.com
Hi

The statement that crashes Apache in your test file is this:

openssl_sign($data, $signature, $private_key, OPENSSL_ALGO_SHA1);

Maybe my platform is not broken, but I ran into a bug of PHP:

http://www.archivum.info/php.bugs/2011-10/00682/Bug-46149-%28Com%29-openssl_sign%28%29-can%27t-generate-the-signature-where-sign-DSA-Private-key.html

Above, they indicate version 5.2.6, my version is 5.3.8.
Just my luck, I used PHP when my colleagues were recommending Java.

No one ran into this bug with UNIX platforms?

Best regards
Laurence


Olav Morken

Feb 24, 2012, 7:08:08 AM
to simple...@googlegroups.com
On Fri, Feb 24, 2012 at 12:11:07 +0100, HANNEGUELLE Laurence wrote:
> Hi
>
> The statement that crashes Apache in your test file is this:
>
> openssl_sign($data, $signature, $private_key, OPENSSL_ALGO_SHA1);
>
> Maybe my platform is not broken, but I ran into a bug of PHP:
>
> http://www.archivum.info/php.bugs/2011-10/00682/Bug-46149-%28Com%29-openssl_sign%28%29-can%27t-generate-the-signature-where-sign-DSA-Private-key.html

This is about DSA keys, not RSA keys, and the cause was due to missing
support for signing with DSA keys in PHP. See:

https://bugs.php.net/bug.php?id=41033

We are however using RSA keys, so lack of support for DSA keys should
not be a problem.

> Above, they indicate version 5.2.6, my version is 5.3.8.
> Just my luck, I used PHP when my colleagues were recommending Java.
>
> No one ran into this bug with UNIX platforms ?

I cannot remember having seen anyone else having trouble with OpenSSL,
and other people are also using it successfully on Windows.


Krishna Pullakandam

Aug 24, 2012, 3:17:23 AM
to simple...@googlegroups.com, olav....@uninett.no
Hi,

I am stuck with the same problem on Windows 7 with xampp 1.8.0. However, simplesamlphp as SP works fine with a wamp installation. There is a difference in the version of php on xampp and wamp. It is 5.4.4 on xampp and 5.3.0 on wamp.

Seems to be some problem/incompatibility with php_openssl.dll.

Here is my setup so far
1) Installed simplesamlphp as IDP on a linux box, configured it to work with AD using LDAP auth
2) Installed and configured simplesamlphp as SP on a windows 7 xampp (tried on wamp with old php version and works fine)

I wanted to use authmemcookie and perl installation on xampp was a simple way without compiling the mod for windows, and hence trying the installation with xampp.

Anyone able to resolve this?

Thanks!
Krishna.

Krishna Pullakandam

Aug 24, 2012, 5:01:37 AM
to simple...@googlegroups.com, olav....@uninett.no
I tried with xampp 1.7.1 version, it works fine... might be a problem with php_openssl.dll shipped with xampp 1.8.

Thanks!
Krishna.