1 Reply Latest reply: Sep 22, 2011 6:45 AM by 882069

    Error verifying embedded SAML 1.1 signature

    wsalembi
      I'm trying to verify the embedded signature in a SAML 1.1 assertion. SAML assertion + signature were generated using the OpenSAML library. The verification fails on the tag InclusiveNamespaces. Is InclusiveNamespaces supported in OEG?

      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" AssertionID="ID_18e6bafa-ce0e-45a4-ab07-169b547a67de" IssueInstant="2011-09-22T08:21:20.181Z" Issuer="sts" MajorVersion="1" MinorVersion="1">

      <!--stripped statements-->

      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:CanonicalizationMethod>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#ID_18e6bafa-ce0e-45a4-ab07-169b547a67de">
      <dsig:Transforms>
      <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:Transform>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>eqghGudOeei3uFGIb80lMC6TSso=</dsig:DigestValue>
      </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>FRw+QTWJ1Awt2R2C1fMdBQ3cgolPKaNnwZUz+8Vp3+394qu4/Sz4phNUSh/ROZPlPdwZ5CgJMhm2/PMMOx+w0S67YaCcfWLs1McfyJTaCrLCD2Xiaw2O35+vow6eVbUu2b7jht5auCzIL58iSpi9i1+nAjB+PMkO4eg/muCHDjGMNJwLmIwKZHcD+xa48grMIym75pPWj7uT0aKMfaMQ1BC4fTQp6X0FcnFAq6v/A075YLNe9IR32Y9v2+77zhH/z99br+O2N0QasOs0osoTEodoPfL98lfW14bzkNVtYBosPqvJz9jea55+89q9WlaWp/slCYpHj5XNmYnZe8kOsw==</dsig:SignatureValue>
      </dsig:Signature>
      </saml:Assertion>


      First signature in first SAML assertion 1.1


      signature error: PrefixList/exc-c14n, invalid node attribute: node=InclusiveNamespaces (source location ..\src\c14n.c/136)
      signature error: id->readNode/not specified, xmlsec library function failed: transform=exc-c14n (source location ..\src\transforms.c/1603)
      signature error: xmlSecTransformNodeRead/not specified, xmlsec library function failed: name=CanonicalizationMethod (source location ..\src\transforms.c/668)
      signature error: xmlSecTransformCtxNodeRead/not specified, xmlsec library function failed: node=CanonicalizationMethod (source location ..\src\xmldsig.c/697)
      signature error: xmlSecDSigCtxProcessSignedInfoNode/not specified, xmlsec library function failed: (source location ..\src\xmldsig.c/550)
      signature error: xmlSecDSigCtxSigantureProcessNode/not specified, xmlsec library function failed: (source location ..\src\xmldsig.c/369)
      failed to verify signature: com.vordel.security.sig.SignatureException: XMLSig verify :- verify failed at com.vordel.security.sig.XMLSignatureVerifier.verify(Native Method) at com.vordel.circuit.sig.IntegrityVerifySignatureProcessor.invoke(IntegrityVerifySignatureProcessor.java:340)      at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162) at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:123) at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:264) at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:27) at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:197) at com.vordel.dwe.http.WebServicePlugin.invokeDispose(WebServicePlugin.java:103) at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:121)
        • 1. Re: Error verifying embedded SAML 1.1 signature
          882069
          The OEG does support (generate and consume) the InclusiveNamespaces node in signatures. From further investigation the OEG requires the PrefixList attribute on the InclusiveNamespaces element. This is not there in the signature below, and so the error is generated. Can the signature be generated with the PrefixList?
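The check the reply describes, written out as an added example (this is not code from the thread, from OEG or from OpenSAML): it walks every exclusive-canonicalization `CanonicalizationMethod` and `Transform` in a signed assertion and reports any `InclusiveNamespaces` element that carries no `PrefixList` attribute, which is the condition behind the `PrefixList/exc-c14n, invalid node attribute` error above. The two sample assertions are constructed here from the shape of the posted one (digest and signature values are dummies, and the `PrefixList="saml samlp"` value is an assumed choice); the point of the second sample is only to show what the verifier expects to find.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N_NS = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample modelled on the posted assertion. {ATTR} is substituted
# below with either nothing (the failing case) or an assumed PrefixList.
_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="ID_constructed" IssueInstant="2011-09-22T08:21:20Z" Issuer="sts"
    MajorVersion="1" MinorVersion="1">
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"{ATTR}/>
      </dsig:CanonicalizationMethod>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#ID_constructed">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"{ATTR}/>
          </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>AAAA</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>AAAA</dsig:SignatureValue>
  </dsig:Signature>
</saml:Assertion>
"""

# Failing case: InclusiveNamespaces present but no PrefixList (as in the post).
ASSERTION_MISSING_PREFIXLIST = _TEMPLATE.replace("{ATTR}", "")
# Expected case: PrefixList present ("saml samlp" is an assumed value).
ASSERTION_WITH_PREFIXLIST = _TEMPLATE.replace("{ATTR}", ' PrefixList="saml samlp"')


def check_inclusive_namespaces(xml_text):
    """Return one finding string per exc-c14n CanonicalizationMethod/Transform
    whose InclusiveNamespaces child lacks a PrefixList attribute.
    An empty list means the SignedInfo is shaped the way the verifier wants."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent_name in ("CanonicalizationMethod", "Transform"):
        for node in root.iter("{%s}%s" % (DSIG_NS, parent_name)):
            algorithm = node.get("Algorithm", "")
            # Only exclusive c14n (with or without #WithComments) uses InclusiveNamespaces.
            if not algorithm.startswith(EXC_C14N_NS):
                continue
            for child in node:
                if child.tag != "{%s}InclusiveNamespaces" % EXC_C14N_NS:
                    continue
                if child.get("PrefixList") is None:
                    findings.append(
                        "%s (%s): InclusiveNamespaces has no PrefixList attribute"
                        % (parent_name, algorithm)
                    )
    return findings


if __name__ == "__main__":
    for label, doc in (("missing PrefixList", ASSERTION_MISSING_PREFIXLIST),
                       ("with PrefixList", ASSERTION_WITH_PREFIXLIST)):
        print(label, "->", check_inclusive_namespaces(doc) or "ok")
```

Run this against an assertion before handing it to the gateway to confirm which side of the exchange needs changing. Note that the attribute must be added where the signature is produced (on the OpenSAML side, as the reply asks): patching `PrefixList` into an already signed assertion changes the canonicalized `SignedInfo` and therefore invalidates the existing `SignatureValue`.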