Also, I was wondering what you meant by a 'transform that allows for whitespace changes'. I am unaware of a transform that does that. I did notice you've been changing around your canonicalisation transforms. I would suggest you stick to the exclusive canonicalisation transform.
Also, a small point, but I would place that canonicalisation transform AFTER the enveloped signature transform. I don't know about Santuario, but that would avoid a node set to stream conversion and prevent another pass using standard canonicalisation (in my stack at least). I strongly suspect that what you are seeing is a whitespace related issue.

Cheers,
mal

On Thu, Apr 7, 2011 at 8:28 AM, Brandon Moser <[email protected]> wrote:
> Yes, we are using the Enveloped Signature Transform. The Signature is inside the saml2:Assertion element, which is nested inside of the saml2:Response element.
>
> What we're beginning to wonder is if the signature is actually being ignored during the check. What is the best way to determine what is being checked and what is not?
>
> On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:
>
> > Is the Signature element within the scope of one of your references?
> > For example, that happens when the Reference is the whole document.
> > To make those signatures verifiable, you need the Enveloped Signature Transform to ignore the Signature element when computing the digest.
> >
> > -----Original Message-----
> > From: Brandon Moser [mailto:[email protected]]
> > Sent: Wednesday, April 06, 2011 5:20 PM
> > To: [email protected]
> > Subject: Re: Issue in Verifying Signing
> >
> > So, we decided to use a Transform that allows for whitespace changes, but we are still receiving False when attempting to check the signature immediately after signing. It appears in the log file that the Pre-Digest value before signing doesn't contain the SignatureValue and DigestValue (expected), yet after signing the checkSignatureValue contains both Signature & Digest values, which I would believe causes the digest to be different. Is it possible to check the signature value immediately after signing and get a valid response of True?
> >
> > I have tried to use the Online validator and oxygen's validator and both return "Signature Invalid". We have included the public RSA key in the output in any attempt to validate this output. Since we are in development the data is not valuable, I have attached the XML output and the log.
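As an added example (not code from this thread, and not Santuario's own code), the following signs a saml2:Assertion nested in a saml2:Response with an enveloped signature, ordering the enveloped-signature transform before exclusive canonicalisation as mal suggests, and then verifies it twice: on the same DOM right after signing, and again after serialising and re-parsing, which is roughly what an external validator sees. It uses the JSR 105 API (javax.xml.crypto.dsig) that ships with the JDK and that Santuario also implements. The SAML message, its IDs and the issuer are constructed placeholders, and the RSA key pair is generated in memory. The per-Reference report in verify() is one way to see what the validator actually checked, which is the question Brandon raised above.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EnvelopedAssertionSignature {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample, not a message from the thread: a minimal saml2p:Response
    // wrapping one saml2:Assertion. IDs and issuer are placeholders.
    static final String RESPONSE =
          "<saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n"
        + "    xmlns:saml2=\"" + SAML2 + "\" ID=\"_resp1\" Version=\"2.0\">\n"
        + "  <saml2:Assertion ID=\"_a1\" Version=\"2.0\">\n"
        + "    <saml2:Issuer>https://idp.example.test</saml2:Issuer>\n"
        + "    <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>\n"
        + "  </saml2:Assertion>\n"
        + "</saml2p:Response>\n";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element assertionOf(Document doc) {
        return (Element) doc.getElementsByTagNameNS(SAML2, "Assertion").item(0);
    }

    // Enveloped signature over the Assertion, inserted after saml2:Issuer (where the
    // SAML schema puts it). Transform order: enveloped first, so the ds:Signature
    // subtree is dropped before exclusive C14N runs over the remaining node set.
    static void sign(Document doc, KeyPair kp) throws Exception {
        Element assertion = assertionOf(doc);
        assertion.setIdAttribute("ID", true);          // lets URI="#_a1" resolve
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_a1",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        Element subject = (Element) assertion.getElementsByTagNameNS(SAML2, "Subject").item(0);
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), assertion, subject);
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    // Core validation plus a breakdown: did the SignatureValue over SignedInfo verify,
    // and did each Reference's recomputed digest match the stored DigestValue?
    static boolean verify(Document doc, PublicKey pub) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(pub, sigEl);
        ctx.setIdAttributeNS(assertionOf(doc), null, "ID"); // required on a freshly parsed DOM
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);
        System.out.println("core validation: " + ok
            + ", SignatureValue: " + sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            System.out.printf("  %s digest ok=%b expected=%s actual=%s%n", r.getURI(), r.validate(ctx),
                Base64.getEncoder().encodeToString(r.getDigestValue()),
                Base64.getEncoder().encodeToString(r.getCalculatedDigestValue()));
        }
        return ok;
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = parse(RESPONSE);
        sign(doc, kp);
        System.out.println("in-memory, right after signing:");
        verify(doc, kp.getPublic());
        // Round-trip through text, as when the output is handed to an external validator.
        System.out.println("after serialise + re-parse:");
        verify(parse(serialize(doc)), kp.getPublic());
    }
}
```

The expected-versus-actual digest line is the part worth keeping around when a signature fails: if the SignatureValue verifies but a Reference digest does not, the octets fed to the digest differ between signing and verification (transform order, canonicalisation method, or whitespace changed in transit), whereas a failing SignatureValue points at the key or at SignedInfo itself.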
