Saml 2.0 Signature Validation fails
Question
I am trying to do a signature verification for SAML 2.0 response, but facing an issue and getting the below error. Strange thing is if I use SunJSSE Provider I get "Signature length not correct: got 512 but was expecting 256", but if I use Bouncy Castle Provider then the below error
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#Assertion-uuidab41cfa-014b-103a-bfdc-b02f8a93776c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi"></xc14n:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>xRjm9aVPUGwyzxWuhWL9/M/To1DGh0KvWWceX+e6Gj4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
WARN 2015-01-27 - Signature verification failed.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
My code for verifying the signature is as follows
try {
byte[] certByte = idp.getIdpDescriptor().getKeyDescriptors().get(0).getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue().getBytes();
InputStream ss = new ByteArrayInputStream(Base64.decodeBase64(certByte));
Certificate myCert = CertificateFactory
.getInstance("X509").generateCertificate(ss);
X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(myCert.getPublicKey().getEncoded());
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey key = keyFactory.generatePublic(publicKeySpec);
System.out.println(key.getEncoded().length);
/*myCert = CertificateFactory
.getInstance("X509")
.generateCertificate(
// string encoded with default charset
new ByteArrayInputStream(idp.getIdpDescriptor().getKeyDescriptors().get(0).getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue().getBytes("UTF-8"))
);*/
X509Certificate cert = (X509Certificate) myCert;
BasicX509Credential x509Credential = new BasicX509Credential();
x509Credential.setPublicKey(cert.getPublicKey());
x509Credential.setEntityCertificate(cert);
x509Credential.getEntityCertificateChain().add(cert);
Credential credential = x509Credential;
SignatureValidator sigValidator = new SignatureValidator(
credential);
sigValidator.validate(assertion.getSignature());
System.out.println("Validated.....YYIIIIIPPPPPEEEEEEEEEEEE");
} catch (CertificateException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (ValidationException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeySpecException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
I am new to java security so can't figure it out. I am also putting my SAML Response as below.
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="uuidab41d1c-014b-15f6-b5cd-b02f8a93776c">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#Assertion-uuidab41cfa-014b-103a-bfdc-b02f8a93776c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>xRjm9aVPUGwyzxWuhWL9/M/To1DGh0KvWWceX+e6Gj4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PHQGp9g8t8arots0MUsdEAobySe0Cn4FP7M/nUaBbraRRQE5HafATeHJZ96d/udKpHzOgzPnbEbsxNtjT/x6KHwS1HLbktBbBbTfbpEBDPIVYWsTUEEkAIh31V+2gF81dI9dor7ZdpPVhE1i+krgQaTtI5evLjbfwNEIcpjD1q6mKWx/kQR6tg9mwAytuvYLeYylvbiQFnjWJeDNdCqThX3q4LTrom3jPyiSSVORIQIOG4FjN3Bo3caZE31X3Ei0cnxCmJTMfyoGc1h4Kpjvd+UHiXCu5S9THpq9Xz90ol55brZeKHj00g1VZhzjYEdJUqNZTNFUBDGd5IhECKObY39bwQEeE1YhKS6PIScBZ7yFNPQf7Jg8Mhuab147dCX7gXCfwzINxbUfKoQ7GgIS7gKtYSied4uLVR7AjjNnQASZT9Y6eggZSe4NVb7CEECM1X5niFCiYsJ0nuylsOT12Q0B551AyZTb3QEuCy2Y7FOPt4Y2IJt5CCll0zycd2zURHk6HHvq5y+h0hsQrkK4F9lMuhqRIarKx+oNsbwiiPJEEqS48zGyintW5b2p6aoDTfdAoEgRbrOM9BVAMy4qlHwwPkx9OyBS4mEcu8+CEb8Uvj8oGCOMO4MsdZbApkaAHGG/Mzsse09zP6/Odw6aRPpQipiDeGaxGmXoBIqprZQ=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFFDCCAvygAwIBAgIEU7sqbzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJBVTEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKEwNNR0wxDDAKBgNVBAsTA0lBTTEQMA4GA1UEAxMHRklNLVNJVDAeFw0xNDA3MDcyMzE3MDNaFw0yNDA3MDQyMzE3MDNaMEwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQHEwZTeWRuZXkxDDAKBgNVBAoTA01HTDEMMAoGA1UECxMDSUFNMRAwDgYDVQQDEwdGSU0tU0lUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwNSu2CZGpWtgnWBtPzwHXoU1pyh38u97racDwngL6Gzj+q1ZbfZCGepUYCbstWHzAJUGQ9Om0pk/vRVYkzzPm+scfY7nS31LL6FJ4RB/KDeoYretNatBrGqCN9++Go3N4kWjyydq2Bj+q0eLwv2nveiAxnd0zG4nOXH398+ovsOGcsdzAz5g7mzqu/soTqpmAQxY+2+Z0Lyw4IjoROOD/6f3nh4fIelcpBFu8Q6W7rmBWZqMmMcqtGSoZAgduhK9BvlKYJHp3+Wy0YO3Cmf28RsX+EOMUWkJXk8kav6rsMkT+9Fchb8Xop3/Bwl0tpjXk5macXSlPU7v5jnISzqnZ1hq1cKKTcU3C48CKdRmYEwVqjX8VLFDzXAPMONcDvGD3HMBWo6w6l2XKTjkPRRa9+3lodPFaK41R7K/auaR6vxx1NBdIx8P/6LfyKdb/1ZVVP1TsZIvwTUAk2h5GZqwv5O16U5gBOiy5JfSQdL5PMIUQv9KWXicjB4PC0FKZOMCuJ3mDe7otVojLVbO8102sMfXAsiRxS4PUgduD5XxC2N21VfiN32slendlFIRMGxERUJbUaBfjiuXRNlTwzXaVkc/32FdSPGE9onQNHrP3EoWVSTHNE1qNgqBi6GLmcBCJSGLXisDBzGo47IvPP8FGgsFZIVcKNpWW8YsJx2LAokCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEApNhmplDA1phtWJIuihejyosHMh00g0xEvZe1I9cyiz8wjUK/ZzsCoqQgyb19LdPj1/H3hLHudApEm6yzZc5lLYid6YJhnPy0T8Rf8BgbbiUAeAFyt5PVGZDuIV0+6S9rgotRBYqPjt9sIlKkz/NZGS50ptWvDEQIWLFIsEDa1u+pbu7SxmMH9SQkPXQ2uaFuLaBI68XTIyyR7FKVpi3tDTC6Yl5CksbQTXGvs44mXG0Qd7TLMsWiAnk0YWyDtUiz2J714fwDtafLyTxfwYBU6YWC13F98gdpkimn+jUuhtdDDCRIYxis7SiJLEoRwZ3xz7Xt0dR2+Jdn7gPDWOaq1KIzL/Gr+wcgebswdiXxvqqjerC3lvBVSJ5Ui/FfGKCivn8/1Et2YRGsINp6zZZpQXnK/oqC/9jZ9P0fJm0kI9QP7y5RWuXD0WPMQTo+VXqj4XdYGdaELPNc80OCMgsaCW1yTm7Svxk/ufkVRgzVke0hjyMZOwdjdIO5ooMgpQRFCBy6Lg9+ABk6e4YlxSjwlwGga7FIttrNkjch3ekF1APLezbvxQ/E2csMoiUzIuXHsaJbGeV1QGl4YqEzVavnadiuqtyBCqum6CSPi/plSuyn3eG7C3BbxZMIq4h3MZ7TXDx/bCw5Xb+0I84X8AIXHDfAT8n6cgJWR+vo+/WVWrY=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
Below mentioned is the IDP Metadata
<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIFFDCCAvygAwIBAgIEU7sqbzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJBVTEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKEwNNR0wxDDAKBgNVBAsTA0lBTTEQMA4GA1UEAxMHRklNLVNJVDAeFw0xNDA3MDcyMzE3MDNaFw0yNDA3MDQyMzE3MDNaMEwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQHEwZTeWRuZXkxDDAKBgNVBAoTA01HTDEMMAoGA1UECxMDSUFNMRAwDgYDVQQDEwdGSU0tU0lUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwNSu2CZGpWtgnWBtPzwHXoU1pyh38u97racDwngL6Gzj+q1ZbfZCGepUYCbstWHzAJUGQ9Om0pk/vRVYkzzPm+scfY7nS31LL6FJ4RB/KDeoYretNatBrGqCN9++Go3N4kWjyydq2Bj+q0eLwv2nveiAxnd0zG4nOXH398+ovsOGcsdzAz5g7mzqu/soTqpmAQxY+2+Z0Lyw4IjoROOD/6f3nh4fIelcpBFu8Q6W7rmBWZqMmMcqtGSoZAgduhK9BvlKYJHp3+Wy0YO3Cmf28RsX+EOMUWkJXk8kav6rsMkT+9Fchb8Xop3/Bwl0tpjXk5macXSlPU7v5jnISzqnZ1hq1cKKTcU3C48CKdRmYEwVqjX8VLFDzXAPMONcDvGD3HMBWo6w6l2XKTjkPRRa9+3lodPFaK41R7K/auaR6vxx1NBdIx8P/6LfyKdb/1ZVVP1TsZIvwTUAk2h5GZqwv5O16U5gBOiy5JfSQdL5PMIUQv9KWXicjB4PC0FKZOMCuJ3mDe7otVojLVbO8102sMfXAsiRxS4PUgduD5XxC2N21VfiN32slendlFIRMGxERUJbUaBfjiuXRNlTwzXaVkc/32FdSPGE9onQNHrP3EoWVSTHNE1qNgqBi6GLmcBCJSGLXisDBzGo47IvPP8FGgsFZIVcKNpWW8YsJx2LAokCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEApNhmplDA1phtWJIuihejyosHMh00g0xEvZe1I9cyiz8wjUK/ZzsCoqQgyb19LdPj1/H3hLHudApEm6yzZc5lLYid6YJhnPy0T8Rf8BgbbiUAeAFyt5PVGZDuIV0+6S9rgotRBYqPjt9sIlKkz/NZGS50ptWvDEQIWLFIsEDa1u+pbu7SxmMH9SQkPXQ2uaFuLaBI68XTIyyR7FKVpi3tDTC6Yl5CksbQTXGvs44mXG0Qd7TLMsWiAnk0YWyDtUiz2J714fwDtafLyTxfwYBU6YWC13F98gdpkimn+jUuhtdDDCRIYxis7SiJLEoRwZ3xz7Xt0dR2+Jdn7gPDWOaq1KIzL/Gr+wcgebswdiXxvqqjerC3lvBVSJ5Ui/FfGKCivn8/1Et2YRGsINp6zZZpQXnK/oqC/9jZ9P0fJm0kI9QP7y5RWuXD0WPMQTo+VXqj4XdYGdaELPNc80OCMgsaCW1yTm7Svxk/ufkVRgzVke0hjyMZOwdjdIO5ooMgpQRFCBy6Lg9+ABk6e4YlxSjwlwGga7FIttrNkjch3ekF1APLezbvxQ/E2csMoiUzIuXHsaJbGeV1QGl4YqEzVavnadiuqtyBCqum6CSPi/plSuyn3eG7C3BbxZMIq4h3MZ7TXDx/bCw5Xb+0I84X8AIXHDfAT8n6cgJWR+vo+/WVWrY=
</X509Certificate>
</X509Data>
</KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></md:EncryptionMethod>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIFFDCCAvygAwIBAgIEU7sqbzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJBVTEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKEwNNR0wxDDAKBgNVBAsTA0lBTTEQMA4GA1UEAxMHRklNLVNJVDAeFw0xNDA3MDcyMzE3MDNaFw0yNDA3MDQyMzE3MDNaMEwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQHEwZTeWRuZXkxDDAKBgNVBAoTA01HTDEMMAoGA1UECxMDSUFNMRAwDgYDVQQDEwdGSU0tU0lUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwNSu2CZGpWtgnWBtPzwHXoU1pyh38u97racDwngL6Gzj+q1ZbfZCGepUYCbstWHzAJUGQ9Om0pk/vRVYkzzPm+scfY7nS31LL6FJ4RB/KDeoYretNatBrGqCN9++Go3N4kWjyydq2Bj+q0eLwv2nveiAxnd0zG4nOXH398+ovsOGcsdzAz5g7mzqu/soTqpmAQxY+2+Z0Lyw4IjoROOD/6f3nh4fIelcpBFu8Q6W7rmBWZqMmMcqtGSoZAgduhK9BvlKYJHp3+Wy0YO3Cmf28RsX+EOMUWkJXk8kav6rsMkT+9Fchb8Xop3/Bwl0tpjXk5macXSlPU7v5jnISzqnZ1hq1cKKTcU3C48CKdRmYEwVqjX8VLFDzXAPMONcDvGD3HMBWo6w6l2XKTjkPRRa9+3lodPFaK41R7K/auaR6vxx1NBdIx8P/6LfyKdb/1ZVVP1TsZIvwTUAk2h5GZqwv5O16U5gBOiy5JfSQdL5PMIUQv9KWXicjB4PC0FKZOMCuJ3mDe7otVojLVbO8102sMfXAsiRxS4PUgduD5XxC2N21VfiN32slendlFIRMGxERUJbUaBfjiuXRNlTwzXaVkc/32FdSPGE9onQNHrP3EoWVSTHNE1qNgqBi6GLmcBCJSGLXisDBzGo47IvPP8FGgsFZIVcKNpWW8YsJx2LAokCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEApNhmplDA1phtWJIuihejyosHMh00g0xEvZe1I9cyiz8wjUK/ZzsCoqQgyb19LdPj1/H3hLHudApEm6yzZc5lLYid6YJhnPy0T8Rf8BgbbiUAeAFyt5PVGZDuIV0+6S9rgotRBYqPjt9sIlKkz/NZGS50ptWvDEQIWLFIsEDa1u+pbu7SxmMH9SQkPXQ2uaFuLaBI68XTIyyR7FKVpi3tDTC6Yl5CksbQTXGvs44mXG0Qd7TLMsWiAnk0YWyDtUiz2J714fwDtafLyTxfwYBU6YWC13F98gdpkimn+jUuhtdDDCRIYxis7SiJLEoRwZ3xz7Xt0dR2+Jdn7gPDWOaq1KIzL/Gr+wcgebswdiXxvqqjerC3lvBVSJ5Ui/FfGKCivn8/1Et2YRGsINp6zZZpQXnK/oqC/9jZ9P0fJm0kI9QP7y5RWuXD0WPMQTo+VXqj4XdYGdaELPNc80OCMgsaCW1yTm7Svxk/ufkVRgzVke0hjyMZOwdjdIO5ooMgpQRFCBy6Lg9+ABk6e4YlxSjwlwGga7FIttrNkjch3ekF1APLezbvxQ/E2csMoiUzIuXHsaJbGeV1QGl4YqEzVavnadiuqtyBCqum6CSPi/plSuyn3eG7C3BbxZMIq4h3MZ7TXDx/bCw5Xb+0I84X8AIXHDfAT8n6cgJWR+vo+/WVWrY=
</X509Certificate>
</X509Data>
</KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</md:KeyDescriptor>
<md:ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www-test.com.au/sps/login/saml20/soap"
index="0" isDefault="true" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www-test.com.au/sps/login/saml20/slo" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://www-test.com.au/sps/login/saml20/slo" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www-test.com.au/sps/login/saml20/login" />
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://www-test.com.au/sps/login/saml20/login" />
</md:IDPSSODescriptor>
1 answers
solution1
0 2015-01-29 17:07:16
I'm not 100% here but it sounds like the SAMLResponse is specifying 1 signature method but actually using a different one to generate the signature. The message is telling the SP to use sha256 for validation:
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
but the signature validation code is smart enough to realize it is really something else (sha512?). Since the two don't match, the signature is invalid. See what happens when the two match as expected.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
SAML2.0 signature validation failed for SAML Response
Signature Attribute Values in SAML 2.0
Signature validation failed for SAML Response
SAML Signature validation within Assertion
OpenSAML (2.0) Signature validation not working
Spring JWT signature Validation fails
XML signature validation fails in java
OpenSAML (2.0) EntitiesDescriptor signature validation not working
Apple MDM CSR Signing fails on Signature validation
How to add KeyInfo & X509Data under the Signature in SAML 2.0 using Java
Related Tags