santuario-dev mailing list archives

From Malcolm Young <>
Subject Re: Issue in Verifying Signing
Date Wed, 06 Apr 2011 22:41:59 GMT
Also, I was wondering what you meant by a 'transform that allows for
whitespace changes'. I am unaware of a transform that does that. I did
notice you've been changing around your canonicalisation transforms. I would
suggest you stick to the exclusive canonicalisation transform.

Also, a small point but I would place that canonicalisation transform AFTER
the enveloped signature transform. I don't know about Santuario but that
would avoid a node set to stream conversion and prevent another pass using
standard canonicalisation (in my stack at least).

I strongly suspect that what you are seeing is a whitespace related issue.



On Thu, Apr 7, 2011 at 8:28 AM, Brandon Moser <> wrote:

> Yes, we are using the Enveloped Signature Transform. The Signature is
> inside the saml2:Assertion element, which is nested inside of the
> saml2:Response element.
> What we're beginning to wonder is if the signature is actually being
> ignored during the check. What is the best way to determine what is being
> checked and what is not?
> On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:
> > Is the Signature element within the scope of one of your references?
> > For example, that happens when the Reference is the whole document.
> > To make those signatures verifiable, you need the Enveloped Signature
> > Transform to ignore the Signature element when computing the digest.
> >
> > -----Original Message-----
> > From: Brandon Moser []
> > Sent: Wednesday, April 06, 2011 5:20 PM
> > To:
> > Subject: Re: Issue in Verifying Signing
> >
> > So, we decided to use a Transform that allows for whitespace changes, but
> > we are still receiving False when attempting to check the signature
> > immediately after signing. It appears in the log file that the Pre-Digest
> > value before signing doesn't contain the SignatureValue and DigestValue
> > (expected), yet after signing the checkSignatureValue contains both
> > Signature & Digest values, which I would believe cause the digest to be
> > different. Is it possible to check the signature value immediately after
> > signing and get a valid response of True?
> >
> > I have tried to use the Online validator and oxygen's validator and both
> > return, "Signature Invalid". We have included the public RSA key in the
> > output in an attempt to validate this output. Since we are in development,
> > the data is not valuable; I have attached the XML output and the log.
> >
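
The transform order and the whitespace effect discussed in this thread, as an added example that is not part of the original messages and not Santuario's own code. It assumes the JDK's standard javax.xml.crypto.dsig (JSR 105) API, a constructed sample document, a freshly generated RSA key and a whole-document reference (URI ""); the class name is hypothetical.

```java
import java.io.StringReader;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class EnvelopedOrderDemo {
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Constructed sample document, not the attachment from the thread.
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(
            "<Response xmlns=\"urn:example\"><Assertion><Subject>alice</Subject></Assertion></Response>")));
        Element assertion = (Element) doc.getDocumentElement().getFirstChild();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Enveloped-signature transform first, exclusive canonicalisation second.
        List<Transform> transforms = Arrays.asList(
            fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
            fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        // The Signature element is placed inside Assertion, as in the thread.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), assertion));

        System.out.println("after signing: " + validate(fac, doc, kp.getPublic()));
        // Whitespace added inside the signed content changes the canonical octets.
        assertion.insertBefore(doc.createTextNode("\n  "), assertion.getFirstChild());
        System.out.println("after indent:  " + validate(fac, doc, kp.getPublic()));
    }

    static boolean validate(XMLSignatureFactory fac, Document doc, PublicKey key) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        XMLSignature s = fac.unmarshalXMLSignature(ctx);
        boolean ok = s.validate(ctx);
        for (Object r : s.getSignedInfo().getReferences()) // per-reference digest status
            System.out.println("  ref '" + ((Reference) r).getURI() + "' digest ok: " + ((Reference) r).validate(ctx));
        return ok;
    }
}
```

The per-reference loop in validate() shows which reference's digest failed, separately from the overall result.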
