Return-Path: 
 <dev-return-7706-apmail-santuario-dev-archive=santuario.apache.org@santuario.apache.org>
Delivered-To: apmail-santuario-dev-archive@www.apache.org
Received: (qmail 35386 invoked from network); 6 Apr 2011 22:42:28 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 6 Apr 2011 22:42:28 -0000
Received: (qmail 89040 invoked by uid 500); 6 Apr 2011 22:42:28 -0000
Delivered-To: apmail-santuario-dev-archive@santuario.apache.org
Received: (qmail 89023 invoked by uid 500); 6 Apr 2011 22:42:28 -0000
Mailing-List: contact dev-help@santuario.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@santuario.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@santuario.apache.org>
List-Post: <mailto:dev@santuario.apache.org>
List-Id: <dev.santuario.apache.org>
Reply-To: dev@santuario.apache.org
Delivered-To: mailing list dev@santuario.apache.org
Received: (qmail 89016 invoked by uid 99); 6 Apr 2011 22:42:28 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Apr 2011 22:42:28 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of malcolm.young@gmail.com
 designates 74.125.82.182 as permitted sender)
Received: from [74.125.82.182] (HELO mail-wy0-f182.google.com) (74.125.82.182)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Apr 2011 22:42:20 +0000
Received: by wyf23 with SMTP id 23so3004963wyf.27
        for <dev@santuario.apache.org>; Wed, 06 Apr 2011 15:41:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:content-type;
        bh=Ma+ejPyj4Q9kUe8AknyPTgg2K2LpzdrhV8CS8YOtGH0=;
        b=NN3y4wgRGQKalHySL6fg8c0MrAi7qLFjlAzqdQtW6NvzOT+PomNtZUkOpjeOYGa4yg
         Jfj+EfW+eXgWXykL7qMluwQXTIT33rYorI119tZIlo/P45h8u+j46+3xfriVcpQXl6ro
         W0Y+/9eL9nDT559YbXVgQDbXXYyeiH9jCVlp0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=T+RVH/btbyBDCBacqGA3OvNSflM200MYqYnZC02D6p8ZrGgyxVjjEZ/nucnL/6lbdn
         A/FEwKauzmAmoKEn83mzyJt+YGr16fDB4oQg4UV3trq78UKC78grq3HtalHl2PtK5/XM
         ra31wLUOZ4eIbK9toh/WLE3kf+OXWYnzX8zDA=
MIME-Version: 1.0
Received: by 10.227.110.147 with SMTP id n19mr161417wbp.51.1302129719826; Wed,
 06 Apr 2011 15:41:59 -0700 (PDT)
Received: by 10.227.129.15 with HTTP; Wed, 6 Apr 2011 15:41:59 -0700 (PDT)
In-Reply-To: <43C6E13A-B14A-49BC-B05A-3C6779E7EB2E@gmail.com>
References: <BB4D1F19-7570-46B6-A4E7-82AB462EB6BA@gmail.com>
	<7EE86E89365CA94F8E7B8251F926071007ABEDF4@CIO-KRC-D1MBX01.osuad.osu.edu>
	<9892EC6224DBC54598164D1F77721D7550847B69@IBIUSMBSB.ibi.com>
	<66CB2AC8-5AFD-4E41-ABC9-47A745F95048@gmail.com>
	<9892EC6224DBC54598164D1F77721D755084802F@IBIUSMBSB.ibi.com>
	<43C6E13A-B14A-49BC-B05A-3C6779E7EB2E@gmail.com>
Date: Thu, 7 Apr 2011 08:41:59 +1000
Message-ID: <BANLkTinO-PL-1s5-J9f7zRrAKwSEgwT3tw@mail.gmail.com>
Subject: Re: Issue in Verifying Signing
From: Malcolm Young <malcolm.young@gmail.com>
To: dev@santuario.apache.org
Content-Type: multipart/alternative; boundary=000e0cd4846066d98504a047b321
X-Virus-Checked: Checked by ClamAV on apache.org

--000e0cd4846066d98504a047b321
Content-Type: text/plain; charset=ISO-8859-1

Also, I was wondering what you meant by a 'tranform that allows for
whitespace changes'. I am unaware of a transform that does that. I did
notice you've been changing around your canonicalisation transforms. I would
suggest you stick to the exclusive canonicalisation transform.

Also, a small point but I would place that canonicalisation transform AFTER
the enveloped signature transform. I don't know about Santuario but that
would avoid a node set to stream conversion and prevent another pass using
standard canonicalisation (in my stack at least).

I strongly suspect that what you are seeing is a whitespace related issue.

Cheers,

mal

On Thu, Apr 7, 2011 at 8:28 AM, Brandon Moser <brandonmoser@gmail.com>wrote:

> Yes, we are using the Enveloped Signature Transform. The Signature is
> inside the saml2:Assertion element, which is nested inside of the
> saml2:Response element.
>
> What we're beginning to wonder is if the signature is actually being
> ignored during the check. What is the best way to determine what is being
> checked and what is not?
>
>
>
> On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:
>
> > Is the Signature element within the scope of one of your references?
> > For example, that happens when the Reference is the whole document.
> > To make those signatures verifiable, you need the Enveloped Signature
> Transform
> > to ignore the Signature element when computing the digest.
> >
> > -----Original Message-----
> > From: Brandon Moser [mailto:brandonmoser@gmail.com]
> > Sent: Wednesday, April 06, 2011 5:20 PM
> > To: dev@santuario.apache.org
> > Subject: Re: Issue in Verifying Signing
> >
> > So, we decided to use a Transform that allows for whitespace changes, but
> we are still receiving False when attempting to check the signature
> immediately after signing. It appears in the log file that the Pre-Digest
> value before signing doesn't contain the SignatureValue and DigestValue
> (expected), yet after signing the checkSignatureValue contains both
> Signature & Digest values, which I would believe cause the digest to be
> different. Is it possible to check the signature value immediately after
> signing and get a valid response of True?
> >
> > I have tried to use the Online validator and oxygen's validator and both
> return, "Signature Invalid".  We have included the public RSA key in the
> output in any attempt to validate this output. Since we are development the
> data is not valuable, I have attached the XML output and the log.
> >
>
>

--000e0cd4846066d98504a047b321
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div>Also, I was wondering what you meant by a &#39;tranform that allows fo=
r whitespace changes&#39;. I am unaware of a transform that does that. I di=
d notice you&#39;ve been changing around your canonicalisation transforms. =
I would suggest you stick to the exclusive canonicalisation transform.</div=
>
<div>=A0</div><div>Also, a small point but I would place that canonicalisat=
ion transform AFTER the enveloped signature transform. I don&#39;t know abo=
ut Santuario but that would avoid a node set to stream conversion and preve=
nt another pass using standard canonicalisation (in my stack at least).</di=
v>
<div>=A0</div><div>I strongly suspect that what you are seeing is a whitesp=
ace related issue.</div><div>=A0</div><div>Cheers,</div><div>=A0</div><div>=
mal<br><br></div><div class=3D"gmail_quote">On Thu, Apr 7, 2011 at 8:28 AM,=
 Brandon Moser <span dir=3D"ltr">&lt;<a href=3D"mailto:brandonmoser@gmail.c=
om">brandonmoser@gmail.com</a>&gt;</span> wrote:<br>
<blockquote style=3D"margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-l=
eft-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: s=
olid;" class=3D"gmail_quote">Yes, we are using the Enveloped Signature Tran=
sform. The Signature is inside the saml2:Assertion element, which is nested=
 inside of the saml2:Response element.<br>

<br>
What we&#39;re beginning to wonder is if the signature is actually being ig=
nored during the check. What is the best way to determine what is being che=
cked and what is not?<br>
<div><div></div><div class=3D"h5"><br>
<br>
<br>
On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:<br>
<br>
&gt; Is the Signature element within the scope of one of your references?<b=
r>
&gt; For example, that happens when the Reference is the whole document.<br=
>
&gt; To make those signatures verifiable, you need the Enveloped Signature =
Transform<br>
&gt; to ignore the Signature element when computing the digest.<br>
&gt;<br>
&gt; -----Original Message-----<br>
&gt; From: Brandon Moser [mailto:<a href=3D"mailto:brandonmoser@gmail.com">=
brandonmoser@gmail.com</a>]<br>
&gt; Sent: Wednesday, April 06, 2011 5:20 PM<br>
&gt; To: <a href=3D"mailto:dev@santuario.apache.org">dev@santuario.apache.o=
rg</a><br>
&gt; Subject: Re: Issue in Verifying Signing<br>
&gt;<br>
&gt; So, we decided to use a Transform that allows for whitespace changes, =
but we are still receiving False when attempting to check the signature imm=
ediately after signing. It appears in the log file that the Pre-Digest valu=
e before signing doesn&#39;t contain the SignatureValue and DigestValue (ex=
pected), yet after signing the checkSignatureValue contains both Signature =
&amp; Digest values, which I would believe cause the digest to be different=
. Is it possible to check the signature value immediately after signing and=
 get a valid response of True?<br>

&gt;<br>
&gt; I have tried to use the Online validator and oxygen&#39;s validator an=
d both return, &quot;Signature Invalid&quot;. =A0We have included the publi=
c RSA key in the output in any attempt to validate this output. Since we ar=
e development the data is not valuable, I have attached the XML output and =
the log.<br>

&gt;<br>
<br>
</div></div></blockquote></div><br>

--000e0cd4846066d98504a047b321--