santuario-dev mailing list archives

From: Brandon Moser <>
Subject: Re: Issue in Verifying Signing
Date: Wed, 06 Apr 2011 23:22:52 GMT
Thanks Malcolm. I'll try those suggestions.

Brandon Moser

On Apr 6, 2011, at 5:41 PM, Malcolm Young <> wrote:

> Also, I was wondering what you meant by a 'transform that allows for whitespace changes'.
> I am unaware of a transform that does that. I did notice you've been changing around your
> canonicalisation transforms. I would suggest you stick to the exclusive canonicalisation transform.
> Also, a small point but I would place that canonicalisation transform AFTER the enveloped
> signature transform. I don't know about Santuario but that would avoid a node set to stream
> conversion and prevent another pass using standard canonicalisation (in my stack at least).
> I strongly suspect that what you are seeing is a whitespace related issue.
> Cheers,
> mal
> On Thu, Apr 7, 2011 at 8:28 AM, Brandon Moser <> wrote:
> Yes, we are using the Enveloped Signature Transform. The Signature is inside the saml2:Assertion
> element, which is nested inside of the saml2:Response element.
> What we're beginning to wonder is if the signature is actually being ignored during the
> check. What is the best way to determine what is being checked and what is not?
> On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:
> > Is the Signature element within the scope of one of your references?
> > For example, that happens when the Reference is the whole document.
> > To make those signatures verifiable, you need the Enveloped Signature Transform
> > to ignore the Signature element when computing the digest.
> >
> > -----Original Message-----
> > From: Brandon Moser []
> > Sent: Wednesday, April 06, 2011 5:20 PM
> > To:
> > Subject: Re: Issue in Verifying Signing
> >
> > So, we decided to use a Transform that allows for whitespace changes, but we are
> > still receiving False when attempting to check the signature immediately after signing. It
> > appears in the log file that the Pre-Digest value before signing doesn't contain the SignatureValue
> > and DigestValue (expected), yet after signing the checkSignatureValue contains both Signature
> > & Digest values, which I would believe cause the digest to be different. Is it possible
> > to check the signature value immediately after signing and get a valid response of True?
> >
> > I have tried to use the Online validator and oxygen's validator and both return
> > "Signature Invalid". We have included the public RSA key in the output in any attempt to
> > validate this output. Since we are in development the data is not valuable, I have attached the
> > XML output and the log.
> >
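The mechanics the thread argues about (Clement's point that an enveloped signature's Reference must drop the ds:Signature element before digesting, and mal's suspicion that a whitespace change is what breaks the check) can be reproduced in isolation. The following is an added example, not code from this list or from Santuario. It uses the Python standard library's C14N 2.0 implementation (xml.etree.ElementTree.canonicalize, Python 3.8+) as a stand-in for the exclusive canonicalisation transform the thread discusses; the behaviours shown (the Signature element being excluded from the digest, and whitespace text nodes changing it) hold for exclusive C14N as well. The sample documents are constructed, their namespace is made up, and the DigestValue and SignatureValue inside the inserted ds:Signature are placeholders.

```python
"""Why an enveloped signature's digest survives signing but not pretty-printing.

Added example (not Santuario code). ET.canonicalize implements C14N 2.0 and
stands in here for the exclusive canonicalisation transform; the enveloped
signature transform is modelled by excluding the ds:Signature element.
"""
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample (not real SAML): a Response wrapping an Assertion.
UNSIGNED = (
    '<saml2:Response xmlns:saml2="urn:example:saml2" ID="r1">'
    '<saml2:Assertion ID="a1">'
    '<saml2:Subject>alice</saml2:Subject>'
    '</saml2:Assertion>'
    '</saml2:Response>'
)

# A ds:Signature as it would sit inside the Assertion after signing.
# Digest and signature values are deliberately fake placeholders.
SIGNATURE = (
    f'<ds:Signature xmlns:ds="{DSIG_NS}">'
    '<ds:SignedInfo><ds:Reference URI="#a1">'
    '<ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>'
    '</ds:Signature>'
)

# The document after signing: Signature inserted as first child of the Assertion.
SIGNED = UNSIGNED.replace(
    '<saml2:Assertion ID="a1">', '<saml2:Assertion ID="a1">' + SIGNATURE
)

# The same signed document after a pretty-printer added newlines and indentation.
PRETTY_PRINTED = SIGNED.replace("><", ">\n  <")


def reference_digest(doc: str, enveloped: bool = True) -> str:
    """Compute the digest an enveloped-signature Reference covers.

    enveloped=True applies the enveloped-signature transform (drop the
    ds:Signature subtree) before canonicalising, which is the order mal
    recommends; enveloped=False shows the digest when that transform is
    missing, the situation Clement describes.
    """
    exclude = {SIGNATURE_TAG} if enveloped else None
    canonical = ET.canonicalize(doc, exclude_tags=exclude)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reference_matches(doc: str, expected_digest: str) -> bool:
    """What a verifier does for one Reference: recompute and compare."""
    return reference_digest(doc) == expected_digest


def demo() -> dict:
    """Digests for the cases discussed in the thread, keyed by name."""
    return {
        "pre_sign": reference_digest(UNSIGNED),
        "post_sign_enveloped": reference_digest(SIGNED),
        "post_sign_no_transform": reference_digest(SIGNED, enveloped=False),
        "post_sign_reformatted": reference_digest(PRETTY_PRINTED),
    }


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:24s} {digest}")
```

Run as a script, pre_sign and post_sign_enveloped print the same digest: with the enveloped transform in place, inserting the Signature element (including its SignatureValue and DigestValue) does not change what the Reference covers, so checking the signature immediately after signing can succeed. post_sign_no_transform differs, which is the failure mode of a Reference that covers the document without excluding the Signature. post_sign_reformatted differs too: canonicalisation preserves whitespace-only text nodes between elements, so any serialiser or pretty-printer that touches the signed content between signing and verification invalidates the digest. When a verifier returns False right after signing, comparing these digests against the Pre-Digest value in the log isolates whether the Reference digest or the RSA signature step is the one failing.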