1 Reply. Latest reply: Dec 7, 2012 9:00 AM by Stephan Kesper

Strange invalid Signature in SAML Assertion

Stephan Kesper Newbie

Hello,

I've a problem with PicketLink 2.0.3.Final. I create a SAML Assertion programmatically and try to sign it. Directly after that I check the Signature, which is valid. Then I serialize the Assertion Document to a String and parse it back. After that the signature is not valid any more. Could it be an encoding problem?

That's the code I use:

"originalAssertion" is the Document that contains the unsigned assertion.

        // Imports as used by PicketLink 2.x (added here so the snippet compiles on its own)
        import java.security.KeyPair;
        import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
        import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
        import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
        import org.w3c.dom.Document;

        // originalAssertion: DOM Document holding the unsigned assertion; keypair: the RSA KeyPair used for signing
        void checkRoundTrip(Document originalAssertion, KeyPair keypair) throws Exception {
            // Create Signature (PicketLink adds an enveloped signature to originalAssertion in place)
            SAML2Signature samlSignature = new SAML2Signature();
            samlSignature.signSAMLDocument(originalAssertion, keypair);

            // Serialize the signed Document to a String and parse it back into a fresh Document
            String xmlAssertion = DocumentUtil.asString(originalAssertion);
            Document reconstructedAssertion = DocumentUtil.getDocument(xmlAssertion);

            // Validate the signature on the in-memory Document and on the re-parsed one
            boolean orignValid = AssertionUtil.isSignatureValid(originalAssertion.getDocumentElement(), keypair.getPublic());
            boolean reconValid = AssertionUtil.isSignatureValid(reconstructedAssertion.getDocumentElement(), keypair.getPublic());

            System.out.println("Signatures valid: orig=" + orignValid + ", recon=" + reconValid);
            if (orignValid != reconValid) {
                System.err.println(xmlAssertion);
                throw new RuntimeException("Signatures don't match!");
            }
        }

I would appreciate any hint,

thanks,

Stephan

  • 1. Re: Strange invalid Signature in SAML Assertion
    Stephan Kesper Newbie

    That's the created assertion:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s21c382e142398ef50ce94892f6056ed6de020a27d" IssueInstant="2012-12-07T14:57:59.016+01:00" Version="2.0">
              <saml:Subject>
                        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://some.url.com">eZOuCF+zGDyKB3UbmE6QXt3bkAio</saml:NameID>
                        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                  <saml:SubjectConfirmationData InResponseTo="responseID" NotOnOrAfter="2012-12-07T14:57:59.016+01:00" Recipient="https://some.url.com/saml/SP/AssertionConsumerService"/>
                        </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Conditions NotBefore="2012-12-07T14:57:59.016+01:00" NotOnOrAfter="2012-12-07T14:57:59.016+01:00">
                        <saml:AudienceRestriction>
                                  <saml:Audience>https://some.url.com</saml:Audience>
                        </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="2012-12-07T14:57:59.016+01:00" SessionIndex="s2264354343fd33a0827ed381021027deb36c1ff01">
                        <saml:AuthnContext>
                                  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                        </saml:AuthnContext>
              </saml:AuthnStatement>
              <saml:AttributeStatement>
                        <saml:Attribute Name="Group">
                                  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">users</saml:AttributeValue>
                        </saml:Attribute>
                        <saml:Attribute Name="GroupType">
                                  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">the-group</saml:AttributeValue>
                        </saml:Attribute>
                        <saml:Attribute Name="Nachname">
                                  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lastname</saml:AttributeValue>
                        </saml:Attribute>
                        <saml:Attribute Name="Role">
                                  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">plain</saml:AttributeValue>
                        </saml:Attribute>
                        <saml:Attribute Name="UniqueID">
                                  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1000172</saml:AttributeValue>
                        </saml:Attribute>
                        <saml:Attribute Name="Vorname">
                                  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">first-name</saml:AttributeValue>
                        </saml:Attribute>
              </saml:AttributeStatement>
              <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                        <dsig:SignedInfo>
                                  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                                  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                  <dsig:Reference URI="#s21c382e142398ef50ce94892f6056ed6de020a27d">
                                            <dsig:Transforms>
                                                      <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                                      <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                            </dsig:Transforms>
                                            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                            <dsig:DigestValue>nW/nIgYpHmu8TaEGyNlTCLPNSsM=</dsig:DigestValue>
                                  </dsig:Reference>
                        </dsig:SignedInfo>
                        <dsig:SignatureValue>dCZ2haoMJbjk6r7YLO+Z70EHge/i5xxmP/bSIOashxmpAs7kyilnjlPN10I7vgOBeA89d+KcQ9lU
    CNrDlwauB7sFLsMt2VDR+A7uHWTeIjyceTlG1pmwI9THgnOveYzpV9LfhxkWaMuttnJWX7q+e9Dy
    RXenksBLH73eG2u6SCY=</dsig:SignatureValue>
                        <dsig:KeyInfo>
                                  <dsig:KeyValue>
                                            <dsig:RSAKeyValue>
                                                      <dsig:Modulus>ohszr7eLZuc73cQUoN65AY39WLA5vAnvSPbFSEDWKB72VZJw48Ls8uYDK52jcEb1b7kCTmvxj20K
    iiRgyyq1WcZULfuysJuzlkH3fhSxyNSnxGVC2k4F9FhSyDYgeVXrnfNSuv+zxaIZm7Lt/CmnUm8F
    S3T25DQPbyHxycbdOvM=</dsig:Modulus>
                                                      <dsig:Exponent>AQAB</dsig:Exponent>
                                            </dsig:RSAKeyValue>
                                  </dsig:KeyValue>
                        </dsig:KeyInfo>
              </dsig:Signature>
    </saml:Assertion>
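The thread itself contains no answer. As an added example (written for this page; it is neither PicketLink code nor the poster's), the self-contained Java program below reproduces the exact pattern of the first post with the JDK's own `javax.xml.crypto.dsig` API: build an assertion, add an enveloped signature with exclusive C14N (the same layout as the assertion posted in the reply), serialize, re-parse, and validate both copies. It demonstrates one well-known mechanism that produces exactly this symptom: a freshly parsed DOM does not know that the `ID` attribute is an XML ID, so the same-document reference `URI="#..."` cannot be resolved until the attribute is registered again (`Element.setIdAttribute`). The class name, the sample assertion (with the ID `_example-id-1` and the issuer `https://idp.example.invalid`) and the helper names are all constructed for this example; the digest and signature algorithms are SHA-256 rather than the SHA-1 used in the posted assertion. Whether this is what happened in PicketLink 2.0.3 is not something the thread establishes.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (not PicketLink code): sign, serialize, re-parse, verify an enveloped XML-DSig.
public class SamlSignatureRoundTrip {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Namespace-aware parser (XML-DSig needs it); DOCTYPEs are disabled so untrusted input cannot trigger XXE.
    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return builder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Constructed minimal assertion (not the one from the thread); only the ID attribute matters here.
    static Document sampleAssertion() throws Exception {
        return parse("<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_example-id-1\" Version=\"2.0\">"
                + "<saml:Issuer>https://idp.example.invalid</saml:Issuer></saml:Assertion>");
    }

    // Enveloped signature over the root element with exclusive C14N, the layout of the posted assertion.
    static void sign(Document doc, KeyPair kp) throws Exception {
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true); // tell the DOM that ID is an XML ID so URI="#..." can be resolved
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                              fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), root));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    // registerId: whether the (re-parsed) DOM is told again that ID is an XML ID attribute before validating.
    static boolean verify(Document doc, KeyPair kp, boolean registerId) throws Exception {
        Element root = doc.getDocumentElement();
        if (registerId) root.setIdAttribute("ID", true);
        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) return false; // exactly one enveloped signature is expected
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        try {
            return sig.validate(ctx); // false on a digest or signature-value mismatch
        } catch (XMLSignatureException e) {
            return false; // e.g. "Cannot resolve element with ID ..." when the ID attribute is not registered
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document original = sampleAssertion();
        sign(original, kp);
        Document reparsed = parse(serialize(original));
        System.out.println("original valid:               " + verify(original, kp, false));
        System.out.println("re-parsed, ID not registered: " + verify(reparsed, kp, false));
        System.out.println("re-parsed, ID registered:     " + verify(reparsed, kp, true));
    }
}
```

Compile and run with `javac SamlSignatureRoundTrip.java && java SamlSignatureRoundTrip`. On JDK 8 and later the JDK's dereferencer resolves a same-document `#id` reference through `Document.getElementById`, which only knows attributes declared as IDs by a DTD or schema or registered with `setIdAttribute` (or `DOMValidateContext.setIdAttributeNS`), so the middle case is the one that reproduces the "valid in memory, invalid after re-parsing" symptom. The check that exactly one `Signature` element is present is the usual defensive guard when validating assertions received over the wire, and the re-parsing step itself is worth keeping in any signing code: the bytes you send are what the relying party validates, so validating the re-parsed form is the only test that reflects it.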