santuario-dev mailing list archives

From Massimiliano Masi <massimiliano.m...@gmail.com>
Subject XML error on validating signature
Date Wed, 07 Aug 2013 12:57:40 GMT
Hi All,

I am facing a very strange XML error. I receive a SAML assertion (I am
using OpenSAML 2.4.1 and xmlsec-1.4.4).

After reading it from the socket, I have the following:

 842013-08-07 13:27:18,245 INFO  [STDOUT] CanonicalXML :<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_ba47b474-991e-433b-a766-0851f0719db5"
IssueInstant="2013-08-07T11:26:54.713Z" Version="2.0">

The assertion has the correct namespaces.

Then, I have (unfortunately) the following error, as you can see in the
attached log.

Some class is adding the following (unwanted) additional namespace, maybe
in the ResolverFragment:
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

Do you have any ideas?

Thanks a lot,


     Massi

 2962013-08-07 13:27:18,941 DEBUG
[org.apache.xml.security.signature.XMLSignature] SignatureMethodURI =
http://www.w3.org/2000/09/xmldsig#rsa-sha1
 842013-08-07 13:27:18,942 DEBUG
[org.apache.xml.security.algorithms.SignatureAlgorithm] Create URI "
http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class
org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
 842013-08-07 13:27:18,942 DEBUG
[org.apache.xml.security.algorithms.JCEMapper] Request for URI
http://www.w3.org/2000/09/xmldsig#rsa-sha1
 842013-08-07 13:27:18,942 DEBUG
[org.apache.xml.security.algorithms.implementations.SignatureBaseRSA]
Created SignatureRSA using SHA1withRSA
 842013-08-07 13:27:18,943 DEBUG
[org.apache.xml.security.signature.XMLSignature] jceSigAlgorithm    =
SHA1withRSA
 842013-08-07 13:27:18,943 DEBUG
[org.apache.xml.security.signature.XMLSignature] jceSigProvider     =
SunRsaSign
 842013-08-07 13:27:18,944 DEBUG
[org.apache.xml.security.signature.XMLSignature] PublicKey = Sun RSA public
key, 2048 bits
  modulus:
24799766059329790406169469529913375354015410907823097625781145716156788142575108367851516875478409089198935758770222527072973533149182814113761377529539185659783081793529418755636479673041367327253771161663220130794582326021463337307128596092728849066233597693923880146766772026386117370519579964873151584589304283673042520498510336036699174034197583778418586896096125417767769366411583180756972714057643071805688007745306377216125688210333120173323369838126344395010563554230685985381433311033509752386766112414886870571231007221369204671050014653427477888240153062608330221949767312703162762606146367557363498114439
  public exponent: 65537
 842013-08-07 13:27:18,948 DEBUG
[org.apache.xml.security.utils.SignerOutputStream] Canonicalized SignedInfo:
 842013-08-07 13:27:18,949 DEBUG
[org.apache.xml.security.utils.SignerOutputStream] <ds:SignedInfo xmlns:ds="
http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
"></ds:SignatureMethod>
<ds:Reference URI="#_ba47b474-991e-433b-a766-0851f0719db5">
<ds:Transforms>
<ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="del ds saml2
#default xs xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1
"></ds:DigestMethod>
<ds:DigestValue>WeM4mwb/csuv52PdUGzYjhIzoYo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
 842013-08-07 13:27:18,950 DEBUG
[org.apache.xml.security.signature.Manifest] verify 1 References
 842013-08-07 13:27:18,951 DEBUG
[org.apache.xml.security.signature.Manifest] I am not requested to follow
nested Manifests
 842013-08-07 13:27:18,951 DEBUG
[org.apache.xml.security.utils.ElementProxy] setElement("ds:Reference", "")
 842013-08-07 13:27:18,951 DEBUG
[org.apache.xml.security.utils.ElementProxy] setElement("ds:Transforms", "")
 842013-08-07 13:27:18,952 DEBUG
[org.apache.xml.security.algorithms.JCEMapper] Request for URI
http://www.w3.org/2000/09/xmldsig#sha1
 842013-08-07 13:27:18,952 DEBUG
[org.apache.xml.security.utils.resolver.ResourceResolver] I was asked to
create a ResourceResolver and got 0
 842013-08-07 13:27:18,952 DEBUG
[org.apache.xml.security.utils.resolver.ResourceResolver]  extra resolvers
to my existing 4 system-wide resolvers
 842013-08-07 13:27:18,953 DEBUG
[org.apache.xml.security.utils.resolver.ResourceResolver] check
resolvability by class
org.apache.xml.security.utils.resolver.implementations.ResolverFragment
 842013-08-07 13:27:18,953 DEBUG
[org.apache.xml.security.utils.resolver.implementations.ResolverFragment]
State I can resolve reference: "#_ba47b474-991e-433b-a766-0851f0719db5"
 842013-08-07 13:27:18,953 DEBUG [org.apache.xml.security.utils.IdResolver]
getElementByIdType() Search for ID _ba47b474-991e-433b-a766-0851f0719db5
 842013-08-07 13:27:18,953 DEBUG [org.apache.xml.security.utils.IdResolver]
getElementByIdUsingDOM() Search for ID _ba47b474-991e-433b-a766-0851f0719db5
 842013-08-07 13:27:18,954 DEBUG [org.apache.xml.security.utils.IdResolver]
I could find an Element using the simple getElementByIdUsingDOM method:
saml2:Assertion
 842013-08-07 13:27:18,954 DEBUG
[org.apache.xml.security.utils.resolver.implementations.ResolverFragment]
Try to catch an Element with ID _ba47b474-991e-433b-a766-0851f0719db5 and
Element was [saml2:Assertion: null]
 842013-08-07 13:27:18,954 DEBUG
[org.apache.xml.security.utils.ElementProxy] setElement("ds:Transform", "")
 842013-08-07 13:27:18,955 DEBUG
[org.apache.xml.security.transforms.Transforms] Perform the (0)th
http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
 842013-08-07 13:27:18,955 DEBUG
[org.apache.xml.security.utils.ElementProxy] setElement("ds:Transform", "")
 842013-08-07 13:27:18,955 DEBUG
[org.apache.xml.security.utils.ElementProxy]
setElement("ec:InclusiveNamespaces", "")
 842013-08-07 13:27:18,961 DEBUG
[org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input:
 842013-08-07 13:27:18,962 DEBUG
[org.apache.xml.security.utils.DigesterOutputStream] <saml2:Assertion
xmlns="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_ba47b474-991e-433b-a766-0851f0719db5"
IssueInstant="2013-08-07T11:26:54.713Z" Version="2.0"><saml2:Issuer
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:tiani-spirit:sts</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">principal</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#
"><ds:X509Data><ds:X509Certificate>MIIGUTCCBDmgAwIBAgIKThkA9AAAAAAArjANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJBVDEN[...]</ds:X509Certificate><ds:X509SubjectName>CN=
qout.egp-ooe.at, OU=Trustcenter, O=OOE. Gesundheits- und SpitalsAG, L=Linz,
ST=Linz,
C=AT</ds:X509SubjectName><ds:X509IssuerSerial><ds:X509IssuerName>CN=gespag
Comp CA3, OU=Trustcenter, O=OOE. Gesundheits- und Spitals-AG, ST=Linz,
C=AT</ds:X509IssuerName><ds:X509SerialNumber>368805822945569382858926</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2013-08-07T11:26:54.713Z"
NotOnOrAfter="2013-08-07T15:25:54.713Z"><saml2:AudienceRestriction><saml2:Audience>
http://ihe.connecthaton.XUA/X-ServiceProvider-IHE-Connectathon</saml2:Audience></saml2:AudienceRestriction><saml2:Condition
xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:type="del:DelegationRestrictionType"><del:Delegate
ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
DelegationInstant="2013-08-07T11:26:54.713Z"><saml2:NameID
Format="urn:nameid:format">gespagarzt</saml2:NameID></del:Delegate></saml2:Condition></saml2:Conditions><saml2:AuthnStatement
AuthnInstant="2013-08-07T11:26:54.713Z"
SessionIndex="123456"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
FriendlyName="XSPA Subject"
Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">gespagarzt</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="XSPA Organization"
Name="urn:oasis:names:tc:xspa:1.0:subject:organization"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">GESPAG</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="XSPA Organization ID"
Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:anyURI">urn:oid:1.2.40.28.200.2.10</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="urn:oasis:names:tc:xacml:2.0:subject:role"><saml2:AttributeValue><Role
xmlns="urn:hl7-org:v3" code="Arzt" codeSystem="eGP_Roles"
codeSystemName="eGP_Roles" displayName="eGP
Arzt"></Role></saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"><saml2:AttributeValue><PurposeOfUse
xmlns="urn:hl7-org:v3" code="TREATMENT" codeSystem="eGP PurposOfUse codes"
codeSystemName="eGP PurposeOfUse codes"
displayName="TREATMENT"></PurposeOfUse></saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="Date of Contact"
Name="urn:egpooe-egor:2010:xds:date-of-contact"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:dateTime">2013-08-05T12:23:50.000Z</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
 842013-08-07 13:27:18,962 WARN
 [org.apache.xml.security.signature.Reference] Verification failed for URI
"#_ba47b474-991e-433b-a766-0851f0719db5"
 1042013-08-07 13:27:18,962 WARN
 [org.apache.xml.security.signature.Reference] Expected Digest:
WeM4mwb/csuv52PdUGzYjhIzoYo=
 1042013-08-07 13:27:18,963 WARN
 [org.apache.xml.security.signature.Reference] Actual Digest:
q0fzM7EzEi0qKpcRE/Fm6yGu/Z0=
 1042013-08-07 13:27:18,963 DEBUG
[org.apache.xml.security.signature.Manifest] The Reference has Type

-- 
Massimiliano Masi

http://www.mascanc.net/~max
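As an added illustration (not code from the post, xmlsec or OpenSAML) of how a default namespace can appear in the pre-digested input: under exclusive C14N, "#default" in the InclusiveNamespaces PrefixList makes an in-scope default namespace inherited from an enclosing element render on saml2:Assertion, so the digest over the verifier's copy differs from the digest over the standalone copy the issuer signed. The wrapper element with the wsse secext default namespace and the standalone signing are assumptions; the PrefixList and attribute values are taken from the log above.

```python
import base64
import hashlib

# Added model of the namespace-rendering rule of Exclusive XML
# Canonicalization (xml-exc-c14n) at the apex element of a signed subtree;
# not code from xmlsec or OpenSAML. A namespace declaration is rendered
# there if its prefix is visibly utilised, or if the prefix is named in
# ec:InclusiveNamespaces/@PrefixList ("#default" = the default namespace)
# and is in scope, even when declared by an ancestor outside the subtree.

WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ASSERTION_ATTRS = {"ID": "_ba47b474-991e-433b-a766-0851f0719db5",
                   "IssueInstant": "2013-08-07T11:26:54.713Z", "Version": "2.0"}
PREFIX_LIST = "del ds saml2 #default xs xsi"   # PrefixList seen in the log

def rendered_namespaces(in_scope, visibly_used, prefix_list):
    """in_scope: {prefix: uri} at the element ("" = default namespace);
    visibly_used: prefixes used by the element's own name or attributes."""
    inclusive = {"" if p == "#default" else p for p in prefix_list.split()}
    return {p: uri for p, uri in in_scope.items()
            if p in visibly_used or p in inclusive}

def canonical_start_tag(qname, attrs, namespaces):
    """C14N order: default xmlns, xmlns:prefix sorted by prefix, then the
    (unqualified) attributes sorted by name."""
    decls = ['xmlns="%s"' % namespaces[""]] if "" in namespaces else []
    decls += ['xmlns:%s="%s"' % (p, namespaces[p])
              for p in sorted(p for p in namespaces if p)]
    decls += ['%s="%s"' % (k, attrs[k]) for k in sorted(attrs)]
    return "<%s %s>" % (qname, " ".join(decls))

def start_tag_when_signed():
    # Constructed assumption: the issuer signed the assertion standalone,
    # so only the saml2 prefix was in scope at the apex element.
    ns = rendered_namespaces({"saml2": SAML2_NS}, {"saml2"}, PREFIX_LIST)
    return canonical_start_tag("saml2:Assertion", ASSERTION_ATTRS, ns)

def start_tag_when_verified(prefix_list=PREFIX_LIST):
    # Constructed assumption: at the verifier the assertion sits under a
    # wrapper that declares the wsse secext URI as its default namespace,
    # so that declaration is in scope at saml2:Assertion though unused.
    in_scope = {"": WSSE_NS, "saml2": SAML2_NS}
    ns = rendered_namespaces(in_scope, {"saml2"}, prefix_list)
    return canonical_start_tag("saml2:Assertion", ASSERTION_ATTRS, ns)

def sha1_b64(text):
    # Base64 SHA-1 over the rendered bytes, the form ds:DigestValue carries.
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode()
```

Dropping "#default" from the PrefixList (or re-signing the assertion in the context it will be verified in) makes the two renderings identical again.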
