1 Reply. Latest reply: Sep 22, 2011 4:45 AM by 882069

Error verifying embedded SAML 1.1 signature

729235 Newbie
I'm trying to verify the embedded signature in a SAML 1.1 assertion. SAML assertion + signature were generated using the OpenSAML library. The verification fails on the tag InclusiveNamespaces. Is InclusiveNamespaces supported in OEG?

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" AssertionID="ID_18e6bafa-ce0e-45a4-ab07-169b547a67de" IssueInstant="2011-09-22T08:21:20.181Z" Issuer="sts" MajorVersion="1" MinorVersion="1">

<!--stripped statements-->

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:CanonicalizationMethod>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#ID_18e6bafa-ce0e-45a4-ab07-169b547a67de">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>eqghGudOeei3uFGIb80lMC6TSso=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>FRw+QTWJ1Awt2R2C1fMdBQ3cgolPKaNnwZUz+8Vp3+394qu4/Sz4phNUSh/ROZPlPdwZ5CgJMhm2/PMMOx+w0S67YaCcfWLs1McfyJTaCrLCD2Xiaw2O35+vow6eVbUu2b7jht5auCzIL58iSpi9i1+nAjB+PMkO4eg/muCHDjGMNJwLmIwKZHcD+xa48grMIym75pPWj7uT0aKMfaMQ1BC4fTQp6X0FcnFAq6v/A075YLNe9IR32Y9v2+77zhH/z99br+O2N0QasOs0osoTEodoPfL98lfW14bzkNVtYBosPqvJz9jea55+89q9WlaWp/slCYpHj5XNmYnZe8kOsw==</dsig:SignatureValue>
</dsig:Signature>
</saml:Assertion>


First signature in first SAML assertion 1.1


signature error: PrefixList/exc-c14n, invalid node attribute: node=InclusiveNamespaces (source location ..\src\c14n.c/136)
signature error: id->readNode/not specified, xmlsec library function failed: transform=exc-c14n (source location ..\src\transforms.c/1603)
signature error: xmlSecTransformNodeRead/not specified, xmlsec library function failed: name=CanonicalizationMethod (source location ..\src\transforms.c/668)
signature error: xmlSecTransformCtxNodeRead/not specified, xmlsec library function failed: node=CanonicalizationMethod (source location ..\src\xmldsig.c/697)
signature error: xmlSecDSigCtxProcessSignedInfoNode/not specified, xmlsec library function failed: (source location ..\src\xmldsig.c/550)
signature error: xmlSecDSigCtxSigantureProcessNode/not specified, xmlsec library function failed: (source location ..\src\xmldsig.c/369)
failed to verify signature: com.vordel.security.sig.SignatureException: XMLSig verify :- verify failed
at com.vordel.security.sig.XMLSignatureVerifier.verify(Native Method)
at com.vordel.circuit.sig.IntegrityVerifySignatureProcessor.invoke(IntegrityVerifySignatureProcessor.java:340)
at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:123)
at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:264)
at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:27)
at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:197)
at com.vordel.dwe.http.WebServicePlugin.invokeDispose(WebServicePlugin.java:103)
at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:121)
1. Re: Error verifying embedded SAML 1.1 signature

882069 Explorer
The OEG does support (generate and consume) the InclusiveNamespaces node in signatures. From further investigation, the OEG requires the PrefixList attribute on the InclusiveNamespaces element. This is not there in the signature below, and so the error is generated. Can the signature be generated with the PrefixList?
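Added example, not code from this thread, from OEG or from OpenSAML: a small Python lint that flags exc-c14n InclusiveNamespaces elements with no PrefixList attribute (the condition behind the "PrefixList/exc-c14n, invalid node attribute" error quoted above) before an assertion is handed to a verifier, and lists the non-dsig prefixes declared in the document as candidates for the signer's PrefixList. The sample assertion is constructed after the one in the question, with placeholder digest and signature values.

```python
import io
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N_NS = "http://www.w3.org/2001/10/xml-exc-c14n#"
INCLUSIVE_NS_TAG = "{%s}InclusiveNamespaces" % EXC_C14N_NS


def inclusive_namespaces_without_prefixlist(xml_text):
    # Local names of the CanonicalizationMethod / Transform elements whose
    # exc-c14n InclusiveNamespaces child carries no PrefixList attribute.
    offenders = []
    for sig in ET.fromstring(xml_text).iter("{%s}Signature" % DSIG_NS):
        for parent in sig.iter():  # document order
            for child in parent.findall(INCLUSIVE_NS_TAG):
                if child.get("PrefixList") is None:
                    offenders.append(parent.tag.split("}")[1])
    return offenders


def declared_prefixes(xml_text):
    # Non-default prefixes declared in the document, minus dsig/exc-c14n:
    # the usual candidates for the signer's PrefixList setting.
    prefixes = []
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",))
    for _event, (prefix, uri) in events:
        if prefix and uri not in (DSIG_NS, EXC_C14N_NS) and prefix not in prefixes:
            prefixes.append(prefix)
    return prefixes


# Constructed sample modelled on the assertion in the question; DigestValue and
# SignatureValue are placeholders, not real cryptographic output.
def sample_assertion(inclusive_ns):
    return """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" AssertionID="ID_sample" MajorVersion="1" MinorVersion="1">
 <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">%s</dsig:CanonicalizationMethod>
  <dsig:Reference URI="#ID_sample"><dsig:Transforms>
   <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">%s</dsig:Transform>
  </dsig:Transforms><dsig:DigestValue>PLACEHOLDER=</dsig:DigestValue></dsig:Reference>
 </dsig:SignedInfo><dsig:SignatureValue>PLACEHOLDER=</dsig:SignatureValue></dsig:Signature>
</saml:Assertion>""" % (inclusive_ns, inclusive_ns)


EMPTY = '<exc14n:InclusiveNamespaces xmlns:exc14n="%s"/>' % EXC_C14N_NS
WITH_LIST = '<exc14n:InclusiveNamespaces xmlns:exc14n="%s" PrefixList="saml samlp"/>' % EXC_C14N_NS

if __name__ == "__main__":
    print(inclusive_namespaces_without_prefixlist(sample_assertion(EMPTY)))  # ['CanonicalizationMethod', 'Transform']
    print(declared_prefixes(sample_assertion(EMPTY)))  # ['saml', 'samlp']
```

Because SignedInfo is itself what the signature covers, adding PrefixList to an already-signed assertion invalidates it; the attribute has to be set in the signer's (here OpenSAML's) canonicalization configuration so the regenerated signature matches.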
