1 Reply. Latest reply: Dec 7, 2012 9:00 AM by Stephan Kesper

    Strange invalid Signature in SAML Assertion

    Stephan Kesper Newbie

      Hello,

      I have a problem with PicketLink 2.0.3.Final. I create a SAML Assertion programmatically and try to sign it. Directly after that I check the Signature, which is valid. Then I serialize the Assertion Document to a String and parse it back. After that the signature is not valid any more. Could it be an encoding problem?

      That's the code I use:

      "originalAssertion" is the Document that contains the unsigned assertion.

              // Classes used by this fragment (PicketLink 2.x package names):
              //   java.security.KeyPair, org.w3c.dom.Document
              //   org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature
              //   org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil
              //   org.picketlink.identity.federation.core.util.DocumentUtil
              // The enclosing method must declare the PicketLink checked exceptions (or throws Exception).

              // Sign the assertion in place: an enveloped dsig:Signature is added to the Document
              SAML2Signature samlSignature = new SAML2Signature();
              samlSignature.signSAMLDocument(originalAssertion, keypair);

              // Round trip: serialize the signed DOM to a String and parse it back into a fresh Document
              String xmlAssertion = DocumentUtil.asString(originalAssertion);
              Document reconstructedAssertion = DocumentUtil.getDocument(xmlAssertion);

              // Verify the in-memory Document and the re-parsed one with the same public key
              boolean origValid = AssertionUtil.isSignatureValid(originalAssertion.getDocumentElement(), keypair.getPublic());
              boolean reconValid = AssertionUtil.isSignatureValid(reconstructedAssertion.getDocumentElement(), keypair.getPublic());

              System.out.println("Signatures valid: orig=" + origValid + ", recon=" + reconValid);
              if (origValid != reconValid) {
                  // Dump the serialized form so whitespace/encoding differences can be inspected
                  System.err.println(xmlAssertion);
                  throw new RuntimeException("Signatures don't match!");
              }

      I would appreciate any hint,

      thanks,

      Stephan
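An added example, not code from the post or from PicketLink, that uses only the JDK's javax.xml.crypto.dsig API to check the re-parsed assertion the way a relying party would: it parses namespace-aware with DTDs disabled, registers the root ID attribute as an XML ID so the dsig:Reference URI="#..." resolves in the fresh DOM, and on failure reports the SignatureValue check and the Reference digest check separately. The class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignatureRoundTripCheck {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Re-parse the serialized assertion namespace-aware, with DTDs disabled, and register the
    // root ID attribute as an XML ID: a freshly parsed Document does not know which attributes
    // are IDs, so without this the Reference URI "#<ID>" cannot be dereferenced.
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (root.hasAttribute("ID")) {
            root.setIdAttribute("ID", true);
        }
        return doc;
    }

    // Validate the enveloped signature; on failure, a bad SignatureValue means SignedInfo changed,
    // a bad Reference digest means the canonicalized assertion (whitespace, encoding) changed.
    public static boolean verify(Document doc, PublicKey key) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (nl.getLength() != 1) {
            throw new IllegalStateException("expected one Signature, found " + nl.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        if (!coreValid) {
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) o;
                System.err.println("Reference " + ref.getURI() + " digest valid: " + ref.validate(ctx));
            }
        }
        return coreValid;
    }
}
```

With the post's objects the call is verify(parse(DocumentUtil.asString(originalAssertion)), keypair.getPublic()). On JDK 17 and later, secure-validation mode rejects the rsa-sha1 and sha1 algorithms the posted assertion uses, so sign with a stronger algorithm before reading a failure as a round-trip problem.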

        • 1. Re: Strange invalid Signature in SAML Assertion
          Stephan Kesper Newbie

          That's the created assertion:

          <?xml version="1.0" encoding="UTF-8"?>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s21c382e142398ef50ce94892f6056ed6de020a27d" IssueInstant="2012-12-07T14:57:59.016+01:00" Version="2.0">
                    <saml:Subject>
                              <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://some.url.com">eZOuCF+zGDyKB3UbmE6QXt3bkAio</saml:NameID>
                              <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                        <saml:SubjectConfirmationData InResponseTo="responseID" NotOnOrAfter="2012-12-07T14:57:59.016+01:00" Recipient="https://some.url.com/saml/SP/AssertionConsumerService"/>
                              </saml:SubjectConfirmation>
                    </saml:Subject>
                    <saml:Conditions NotBefore="2012-12-07T14:57:59.016+01:00" NotOnOrAfter="2012-12-07T14:57:59.016+01:00">
                              <saml:AudienceRestriction>
                                        <saml:Audience>https://some.url.com</saml:Audience>
                              </saml:AudienceRestriction>
                    </saml:Conditions>
                    <saml:AuthnStatement AuthnInstant="2012-12-07T14:57:59.016+01:00" SessionIndex="s2264354343fd33a0827ed381021027deb36c1ff01">
                              <saml:AuthnContext>
                                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                              </saml:AuthnContext>
                    </saml:AuthnStatement>
                    <saml:AttributeStatement>
                              <saml:Attribute Name="Group">
                                        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">users</saml:AttributeValue>
                              </saml:Attribute>
                              <saml:Attribute Name="GroupType">
                                        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">the-group</saml:AttributeValue>
                              </saml:Attribute>
                              <saml:Attribute Name="Nachname">
                                        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lastname</saml:AttributeValue>
                              </saml:Attribute>
                              <saml:Attribute Name="Role">
                                        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">plain</saml:AttributeValue>
                              </saml:Attribute>
                              <saml:Attribute Name="UniqueID">
                                        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1000172</saml:AttributeValue>
                              </saml:Attribute>
                              <saml:Attribute Name="Vorname">
                                        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">first-name</saml:AttributeValue>
                              </saml:Attribute>
                    </saml:AttributeStatement>
                    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                              <dsig:SignedInfo>
                                        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                                        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                        <dsig:Reference URI="#s21c382e142398ef50ce94892f6056ed6de020a27d">
                                                  <dsig:Transforms>
                                                            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                  </dsig:Transforms>
                                                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                                  <dsig:DigestValue>nW/nIgYpHmu8TaEGyNlTCLPNSsM=</dsig:DigestValue>
                                        </dsig:Reference>
                              </dsig:SignedInfo>
                              <dsig:SignatureValue>dCZ2haoMJbjk6r7YLO+Z70EHge/i5xxmP/bSIOashxmpAs7kyilnjlPN10I7vgOBeA89d+KcQ9lU
          CNrDlwauB7sFLsMt2VDR+A7uHWTeIjyceTlG1pmwI9THgnOveYzpV9LfhxkWaMuttnJWX7q+e9Dy
          RXenksBLH73eG2u6SCY=</dsig:SignatureValue>
                              <dsig:KeyInfo>
                                        <dsig:KeyValue>
                                                  <dsig:RSAKeyValue>
                                                            <dsig:Modulus>ohszr7eLZuc73cQUoN65AY39WLA5vAnvSPbFSEDWKB72VZJw48Ls8uYDK52jcEb1b7kCTmvxj20K
          iiRgyyq1WcZULfuysJuzlkH3fhSxyNSnxGVC2k4F9FhSyDYgeVXrnfNSuv+zxaIZm7Lt/CmnUm8F
          S3T25DQPbyHxycbdOvM=</dsig:Modulus>
                                                            <dsig:Exponent>AQAB</dsig:Exponent>
                                                  </dsig:RSAKeyValue>
                                        </dsig:KeyValue>
                              </dsig:KeyInfo>
                    </dsig:Signature>
          </saml:Assertion>