1 Reply Latest reply on Dec 7, 2012 9:00 AM by stephan68

    Strange invalid Signature in SAML Assertion

    stephan68

      Hello,


      I've a problem with PicketLink 2.0.3.Final. I create a SAML Assertion programmatically and try to sign it. Directly after that I check the Signature, which is valid. Then I serialize the Assertion Document to a String and parse it back. After that the signature is not valid any more. Could it be an encoding problem?


      That's the code I use:


      "originalAssertion" is the Document that contains the unsigned assertion.


      {code}
      // Imports for the classes used below (PicketLink 2.0.x package layout)
      import java.security.KeyPair;
      import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
      import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
      import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
      import org.w3c.dom.Document;

              // Create Signature (enveloped signature over the assertion document)
              SAML2Signature samlSignature = new SAML2Signature();
              samlSignature.signSAMLDocument(originalAssertion, keypair);

              // Serialize the signed DOM to a String and parse it back
              String xmlAssertion = DocumentUtil.asString(originalAssertion);
              Document reconstructedAssertion = DocumentUtil.getDocument(xmlAssertion);

              // Verify the signature on the in-memory document and on the round-tripped one
              boolean orignValid = AssertionUtil.isSignatureValid(originalAssertion.getDocumentElement(), keypair.getPublic());
              boolean reconValid = AssertionUtil.isSignatureValid(reconstructedAssertion.getDocumentElement(), keypair.getPublic());

              System.out.println("Signatures valid: orig=" + orignValid + ", recon=" + reconValid);
              if (orignValid != reconValid) {
                  System.err.println(xmlAssertion);
                  throw new RuntimeException("Signatures don't match!");
              }
      {code}


      I would appreciate any hint,


      thanks,

      Stephan

        • 1. Re: Strange invalid Signature in SAML Assertion
          stephan68

          That's the created assertion:


          {code:xml}
          <?xml version="1.0" encoding="UTF-8"?>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s21c382e142398ef50ce94892f6056ed6de020a27d" IssueInstant="2012-12-07T14:57:59.016+01:00" Version="2.0">
              <saml:Subject>
                  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://some.url.com">eZOuCF+zGDyKB3UbmE6QXt3bkAio</saml:NameID>
                  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <saml:SubjectConfirmationData InResponseTo="responseID" NotOnOrAfter="2012-12-07T14:57:59.016+01:00" Recipient="https://some.url.com/saml/SP/AssertionConsumerService"/>
                  </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Conditions NotBefore="2012-12-07T14:57:59.016+01:00" NotOnOrAfter="2012-12-07T14:57:59.016+01:00">
                  <saml:AudienceRestriction>
                      <saml:Audience>https://some.url.com</saml:Audience>
                  </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="2012-12-07T14:57:59.016+01:00" SessionIndex="s2264354343fd33a0827ed381021027deb36c1ff01">
                  <saml:AuthnContext>
                      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                  </saml:AuthnContext>
              </saml:AuthnStatement>
              <saml:AttributeStatement>
                  <saml:Attribute Name="Group">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">users</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="GroupType">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">the-group</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="Nachname">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lastname</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="Role">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">plain</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="UniqueID">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1000172</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="Vorname">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">first-name</saml:AttributeValue>
                  </saml:Attribute>
              </saml:AttributeStatement>
              <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                  <dsig:SignedInfo>
                      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                      <dsig:Reference URI="#s21c382e142398ef50ce94892f6056ed6de020a27d">
                          <dsig:Transforms>
                              <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                          </dsig:Transforms>
                          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                          <dsig:DigestValue>nW/nIgYpHmu8TaEGyNlTCLPNSsM=</dsig:DigestValue>
                      </dsig:Reference>
                  </dsig:SignedInfo>
                  <dsig:SignatureValue>dCZ2haoMJbjk6r7YLO+Z70EHge/i5xxmP/bSIOashxmpAs7kyilnjlPN10I7vgOBeA89d+KcQ9lU
          CNrDlwauB7sFLsMt2VDR+A7uHWTeIjyceTlG1pmwI9THgnOveYzpV9LfhxkWaMuttnJWX7q+e9Dy
          RXenksBLH73eG2u6SCY=</dsig:SignatureValue>
                  <dsig:KeyInfo>
                      <dsig:KeyValue>
                          <dsig:RSAKeyValue>
                              <dsig:Modulus>ohszr7eLZuc73cQUoN65AY39WLA5vAnvSPbFSEDWKB72VZJw48Ls8uYDK52jcEb1b7kCTmvxj20K
          iiRgyyq1WcZULfuysJuzlkH3fhSxyNSnxGVC2k4F9FhSyDYgeVXrnfNSuv+zxaIZm7Lt/CmnUm8F
          S3T25DQPbyHxycbdOvM=</dsig:Modulus>
                              <dsig:Exponent>AQAB</dsig:Exponent>
                          </dsig:RSAKeyValue>
                      </dsig:KeyValue>
                  </dsig:KeyInfo>
              </dsig:Signature>
          </saml:Assertion>
          {code}
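An added example, not from this thread or from PicketLink, of the serialise/parse/verify round trip the first post describes, written directly against the JSR-105 API that PicketLink's AssertionUtil wraps: it serialises the signed DOM without re-indenting, parses it back namespace-aware, re-registers the assertion's ID attribute so the Reference URI="#..." shown in the posted assertion can be resolved, and then validates. The class and method names are hypothetical; it assumes a Document already signed as in the first post and the signer's PublicKey.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.security.PublicKey;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical helper (not part of PicketLink): does an enveloped signature
// survive a serialise/parse round trip?
public class SignedAssertionRoundTrip {

    // Serialise as-is: indenting would insert whitespace text nodes into the
    // signed subtree, and exc-c14n would feed them into the Reference digest.
    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "no");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Parse namespace-aware (the dsig:/saml: prefixes must resolve) and with
    // DOCTYPE declarations rejected, so a parsed assertion cannot load entities.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    static boolean isSignatureValid(Document doc, PublicKey pub) throws Exception {
        Element root = doc.getDocumentElement();
        // After a re-parse "ID" is an ordinary attribute; URI="#..." only
        // resolves once it is registered as an ID attribute again.
        if (root.hasAttribute("ID")) root.setIdAttribute("ID", true);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;  // none or several: treat as invalid
        DOMValidateContext ctx = new DOMValidateContext(pub, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);  // checks SignatureValue and every Reference digest
    }

    static boolean survivesRoundTrip(Document signed, PublicKey pub) throws Exception {
        return isSignatureValid(parse(serialize(signed)), pub);
    }
}
```

If isSignatureValid holds for the in-memory document but survivesRoundTrip does not, diff the two serialisations: whitespace added by an indenting serializer, or an ID attribute the parser no longer treats as an ID, are the usual differences, while the line breaks inside SignatureValue and Modulus are harmless because base64 decoding ignores whitespace.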