Thanks Malcolm. I'll try those suggestions.

--
Brandon Moser

On Apr 6, 2011, at 5:41 PM, Malcolm Young <[email protected]> wrote:

> Also, I was wondering what you meant by a 'transform that allows for 
> whitespace changes'. I am unaware of a transform that does that. I did notice 
> you've been changing around your canonicalisation transforms. I would suggest 
> you stick to the exclusive canonicalisation transform.
>  
> Also, a small point but I would place that canonicalisation transform AFTER 
> the enveloped signature transform. I don't know about Santuario but that 
> would avoid a node set to stream conversion and prevent another pass using 
> standard canonicalisation (in my stack at least).
>  
> I strongly suspect that what you are seeing is a whitespace related issue.
>  
> Cheers,
>  
> mal
> 
> On Thu, Apr 7, 2011 at 8:28 AM, Brandon Moser <[email protected]> wrote:
> Yes, we are using the Enveloped Signature Transform. The Signature is inside 
> the saml2:Assertion element, which is nested inside of the saml2:Response 
> element.
> 
> What we're beginning to wonder is if the signature is actually being ignored 
> during the check. What is the best way to determine what is being checked and 
> what is not?
> 
> 
> 
> On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:
> 
> > Is the Signature element within the scope of one of your references?
> > For example, that happens when the Reference is the whole document.
> > To make those signatures verifiable, you need the Enveloped Signature 
> > Transform
> > to ignore the Signature element when computing the digest.
> >
> > -----Original Message-----
> > From: Brandon Moser [mailto:[email protected]]
> > Sent: Wednesday, April 06, 2011 5:20 PM
> > To: [email protected]
> > Subject: Re: Issue in Verifying Signing
> >
> > So, we decided to use a Transform that allows for whitespace changes, but 
> > we are still receiving False when attempting to check the signature 
> > immediately after signing. It appears in the log file that the Pre-Digest 
> > value before signing doesn't contain the SignatureValue and DigestValue 
> > (expected), yet after signing the checkSignatureValue contains both 
> > Signature & Digest values, which I would believe cause the digest to be 
> > different. Is it possible to check the signature value immediately after 
> > signing and get a valid response of True?
> >
> > I have tried to use the Online validator and oxygen's validator and both 
> > return, "Signature Invalid".  We have included the public RSA key in the 
> > output in any attempt to validate this output. Since we are in development the 
> > data is not valuable, I have attached the XML output and the log.
> >
> 
> 
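
The digest behaviour discussed in this thread, as an added example that is not code from any poster or from Santuario: it computes a Reference digest over a constructed SAML assertion with and without the enveloped signature transform, then again after the signed document is re-indented. The sample document, `reference_digest` and `compare` are hypothetical, and the standard library's C14N 2.0 with SHA-256 stands in for exclusive canonicalisation and the real digest method.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

SIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
# Constructed sample: the Signature sits inside the Assertion it signs.
TEMPLATE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">'
    '<saml2:Issuer>https://idp.example.test</saml2:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>{sv}</ds:SignatureValue></ds:Signature>'
    '<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion></saml2p:Response>'
)

def reference_digest(doc_xml, ref_id, enveloped=True):
    """Base64 SHA-256 over the canonical form of the element whose ID is ref_id."""
    root = ET.fromstring(doc_xml)
    target = copy.deepcopy(next(e for e in root.iter() if e.get("ID") == ref_id))
    target.tail = None  # text after the referenced element is not part of it
    if enveloped:
        # Enveloped signature transform, simplified to the SAML layout: drop the
        # ds:Signature child but keep the whitespace text node that followed it.
        prev = None
        for child in list(target):
            if child.tag == SIG:
                if prev is None:
                    target.text = (target.text or "") + (child.tail or "")
                else:
                    prev.tail = (prev.tail or "") + (child.tail or "")
                target.remove(child)
            else:
                prev = child
    # Assumption: C14N 2.0 (stdlib) stands in for exclusive C14N; both keep whitespace.
    octets = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(octets.encode("utf-8")).digest()).decode()

def compare():
    before = TEMPLATE.format(sv="c2lnMQ==")   # constructed value at digest time
    after = TEMPLATE.format(sv="c2lnMg==")    # SignatureValue filled in afterwards
    pretty = after.replace("><", ">\n  <")    # re-indented after signing
    d = lambda doc, env=True: reference_digest(doc, "a1", env)
    return {"signature_filled_in": d(before) == d(after),
            "no_enveloped_transform": d(before, False) == d(after, False),
            "reindented": d(after) == d(pretty)}

if __name__ == "__main__":
    for case, same in compare().items():
        print(f"{case}: digest {'unchanged' if same else 'CHANGED'}")
```

Comparing the octets that went into the digest at signing time with those produced at verification time, as `compare` does here for whole digests, is a direct way to see which bytes the check actually covers.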
