Just a side note: if I print the XML before calling the validation, it works.
I print the XML with the attached code.
I am extremely confused!!!
// Imports needed at the top of the class (Xerces serializer classes)
import org.apache.xml.serialize.OutputFormat;
import org.apache.xml.serialize.XMLSerializer;

try
{
    // Serialize the document that owns the element produced by SAML2Utils.toElement()
    System.out.println( "------> SAML2Utils.toElement(assertion).getOwnerDocument() " );
    OutputFormat format = new OutputFormat();
    format.setIndenting( false );
    XMLSerializer serialize = new XMLSerializer( System.out, format );
    serialize.serialize( SAML2Utils.toElement( assertion ).getOwnerDocument() );
}
catch( Exception e )
{
    e.printStackTrace();
}
try
{
    // Serialize the DOM element cached on the OpenSAML assertion object itself
    System.out.println( "------> assertion.getDOM() " );
    OutputFormat format = new OutputFormat();
    format.setIndenting( false );
    XMLSerializer serialize = new XMLSerializer( System.out, format );
    serialize.serialize( assertion.getDOM() );
}
catch( Exception e )
{
    e.printStackTrace();
}
The serializer is calling:
    XMLSerializer serializer = new XMLSerializer(out, format);
    serializer.serialize(document);
On Wed, Aug 7, 2013 at 2:57 PM, Massimiliano Masi <
[email protected]> wrote:
> Hi All,
>
> I am facing a very strange XML error. I receive a SAML assertion (I am
> using OpenSAML 2.4.1 and xmlsec-1.4.4).
>
> After reading it from the socket, I have the following:
>
> 842013-08-07 13:27:18,245 INFO [STDOUT] CanonicalXML :<saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_ba47b474-991e-433b-a766-0851f0719db5"
> IssueInstant="2013-08-07T11:26:54.713Z" Version="2.0">
>
> The assertion has the correct namespaces.
>
> Then, I have (unfortunately) the following error, as you can see in the
> attached log.
>
> Some class is adding the following (unwanted) additional namespace,
> maybe in the ResolverFragment:
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>
>
> Do you have any ideas?
>
> Thanks a lot,
>
>
> Massi
>
> 2962013-08-07 13:27:18,941 DEBUG
> [org.apache.xml.security.signature.XMLSignature] SignatureMethodURI =
> http://www.w3.org/2000/09/xmldsig#rsa-sha1
> 842013-08-07 13:27:18,942 DEBUG
> [org.apache.xml.security.algorithms.SignatureAlgorithm] Create URI "
> http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class
> org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
> 842013-08-07 13:27:18,942 DEBUG
> [org.apache.xml.security.algorithms.JCEMapper] Request for URI
> http://www.w3.org/2000/09/xmldsig#rsa-sha1
> 842013-08-07 13:27:18,942 DEBUG
> [org.apache.xml.security.algorithms.implementations.SignatureBaseRSA]
> Created SignatureRSA using SHA1withRSA
> 842013-08-07 13:27:18,943 DEBUG
> [org.apache.xml.security.signature.XMLSignature] jceSigAlgorithm =
> SHA1withRSA
> 842013-08-07 13:27:18,943 DEBUG
> [org.apache.xml.security.signature.XMLSignature] jceSigProvider =
> SunRsaSign
> 842013-08-07 13:27:18,944 DEBUG
> [org.apache.xml.security.signature.XMLSignature] PublicKey = Sun RSA public
> key, 2048 bits
> modulus:
> 24799766059329790406169469529913375354015410907823097625781145716156788142575108367851516875478409089198935758770222527072973533149182814113761377529539185659783081793529418755636479673041367327253771161663220130794582326021463337307128596092728849066233597693923880146766772026386117370519579964873151584589304283673042520498510336036699174034197583778418586896096125417767769366411583180756972714057643071805688007745306377216125688210333120173323369838126344395010563554230685985381433311033509752386766112414886870571231007221369204671050014653427477888240153062608330221949767312703162762606146367557363498114439
> public exponent: 65537
> 842013-08-07 13:27:18,948 DEBUG
> [org.apache.xml.security.utils.SignerOutputStream] Canonicalized SignedInfo:
> 842013-08-07 13:27:18,949 DEBUG
> [org.apache.xml.security.utils.SignerOutputStream] <ds:SignedInfo xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
> <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
> "></ds:SignatureMethod>
> <ds:Reference URI="#_ba47b474-991e-433b-a766-0851f0719db5">
> <ds:Transforms>
> <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="del ds
> saml2 #default xs xsi"></ec:InclusiveNamespaces></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1
> "></ds:DigestMethod>
> <ds:DigestValue>WeM4mwb/csuv52PdUGzYjhIzoYo=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> 842013-08-07 13:27:18,950 DEBUG
> [org.apache.xml.security.signature.Manifest] verify 1 References
> 842013-08-07 13:27:18,951 DEBUG
> [org.apache.xml.security.signature.Manifest] I am not requested to follow
> nested Manifests
> 842013-08-07 13:27:18,951 DEBUG
> [org.apache.xml.security.utils.ElementProxy] setElement("ds:Reference", "")
> 842013-08-07 13:27:18,951 DEBUG
> [org.apache.xml.security.utils.ElementProxy] setElement("ds:Transforms", "")
> 842013-08-07 13:27:18,952 DEBUG
> [org.apache.xml.security.algorithms.JCEMapper] Request for URI
> http://www.w3.org/2000/09/xmldsig#sha1
> 842013-08-07 13:27:18,952 DEBUG
> [org.apache.xml.security.utils.resolver.ResourceResolver] I was asked to
> create a ResourceResolver and got 0
> 842013-08-07 13:27:18,952 DEBUG
> [org.apache.xml.security.utils.resolver.ResourceResolver] extra resolvers
> to my existing 4 system-wide resolvers
> 842013-08-07 13:27:18,953 DEBUG
> [org.apache.xml.security.utils.resolver.ResourceResolver] check
> resolvability by class
> org.apache.xml.security.utils.resolver.implementations.ResolverFragment
> 842013-08-07 13:27:18,953 DEBUG
> [org.apache.xml.security.utils.resolver.implementations.ResolverFragment]
> State I can resolve reference: "#_ba47b474-991e-433b-a766-0851f0719db5"
> 842013-08-07 13:27:18,953 DEBUG
> [org.apache.xml.security.utils.IdResolver] getElementByIdType() Search for
> ID _ba47b474-991e-433b-a766-0851f0719db5
> 842013-08-07 13:27:18,953 DEBUG
> [org.apache.xml.security.utils.IdResolver] getElementByIdUsingDOM() Search
> for ID _ba47b474-991e-433b-a766-0851f0719db5
> 842013-08-07 13:27:18,954 DEBUG
> [org.apache.xml.security.utils.IdResolver] I could find an Element using
> the simple getElementByIdUsingDOM method: saml2:Assertion
> 842013-08-07 13:27:18,954 DEBUG
> [org.apache.xml.security.utils.resolver.implementations.ResolverFragment]
> Try to catch an Element with ID _ba47b474-991e-433b-a766-0851f0719db5 and
> Element was [saml2:Assertion: null]
> 842013-08-07 13:27:18,954 DEBUG
> [org.apache.xml.security.utils.ElementProxy] setElement("ds:Transform", "")
> 842013-08-07 13:27:18,955 DEBUG
> [org.apache.xml.security.transforms.Transforms] Perform the (0)th
> http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
> 842013-08-07 13:27:18,955 DEBUG
> [org.apache.xml.security.utils.ElementProxy] setElement("ds:Transform", "")
> 842013-08-07 13:27:18,955 DEBUG
> [org.apache.xml.security.utils.ElementProxy]
> setElement("ec:InclusiveNamespaces", "")
> 842013-08-07 13:27:18,961 DEBUG
> [org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input:
> 842013-08-07 13:27:18,962 DEBUG
> [org.apache.xml.security.utils.DigesterOutputStream] <saml2:Assertion
> xmlns="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_ba47b474-991e-433b-a766-0851f0719db5"
> IssueInstant="2013-08-07T11:26:54.713Z" Version="2.0"><saml2:Issuer
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:tiani-spirit:sts</saml2:Issuer><saml2:Subject><saml2:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">principal</saml2:NameID><saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#
> "><ds:X509Data><ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate><ds:X509SubjectName>CN=
> qout.egp-ooe.at, OU=Trustcenter, O=OOE. Gesundheits- und SpitalsAG,
> L=Linz, ST=Linz,
> C=AT</ds:X509SubjectName><ds:X509IssuerSerial><ds:X509IssuerName>CN=gespag
> Comp CA3, OU=Trustcenter, O=OOE. Gesundheits- und Spitals-AG, ST=Linz,
> C=AT</ds:X509IssuerName><ds:X509SerialNumber>368805822945569382858926</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
> NotBefore="2013-08-07T11:26:54.713Z"
> NotOnOrAfter="2013-08-07T15:25:54.713Z"><saml2:AudienceRestriction><saml2:Audience>
> http://ihe.connecthaton.XUA/X-ServiceProvider-IHE-Connectathon</saml2:Audience></saml2:AudienceRestriction><saml2:Condition
> xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="del:DelegationRestrictionType"><del:Delegate
> ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
> DelegationInstant="2013-08-07T11:26:54.713Z"><saml2:NameID
> Format="urn:nameid:format">gespagarzt</saml2:NameID></del:Delegate></saml2:Condition></saml2:Conditions><saml2:AuthnStatement
> AuthnInstant="2013-08-07T11:26:54.713Z"
> SessionIndex="123456"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
> FriendlyName="XSPA Subject"
> Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">gespagarzt</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
> FriendlyName="XSPA Organization"
> Name="urn:oasis:names:tc:xspa:1.0:subject:organization"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">GESPAG</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
> FriendlyName="XSPA Organization ID"
> Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:anyURI">urn:oid:1.2.40.28.200.2.10</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
> Name="urn:oasis:names:tc:xacml:2.0:subject:role"><saml2:AttributeValue><Role
> xmlns="urn:hl7-org:v3" code="Arzt" codeSystem="eGP_Roles"
> codeSystemName="eGP_Roles" displayName="eGP
> Arzt"></Role></saml2:AttributeValue></saml2:Attribute><saml2:Attribute
> Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"><saml2:AttributeValue><PurposeOfUse
> xmlns="urn:hl7-org:v3" code="TREATMENT" codeSystem="eGP PurposOfUse codes"
> codeSystemName="eGP PurposeOfUse codes"
> displayName="TREATMENT"></PurposeOfUse></saml2:AttributeValue></saml2:Attribute><saml2:Attribute
> FriendlyName="Date of Contact"
> Name="urn:egpooe-egor:2010:xds:date-of-contact"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:dateTime">2013-08-05T12:23:50.000Z</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
> 842013-08-07 13:27:18,962 WARN
> [org.apache.xml.security.signature.Reference] Verification failed for URI
> "#_ba47b474-991e-433b-a766-0851f0719db5"
> 1042013-08-07 13:27:18,962 WARN
> [org.apache.xml.security.signature.Reference] Expected Digest:
> WeM4mwb/csuv52PdUGzYjhIzoYo=
> 1042013-08-07 13:27:18,963 WARN
> [org.apache.xml.security.signature.Reference] Actual Digest:
> q0fzM7EzEi0qKpcRE/Fm6yGu/Z0=
> 1042013-08-07 13:27:18,963 DEBUG
> [org.apache.xml.security.signature.Manifest] The Reference has Type
>
> --
> Massimiliano Masi
>
> http://www.mascanc.net/~max
>
--
Massimiliano Masi
http://www.mascanc.net/~max
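The quoted log shows the ds:Reference being digested with exclusive C14N and the PrefixList "del ds saml2 #default xs xsi", and a pre-digested input that carries an inherited xmlns="...wssecurity-secext-1.0.xsd" on saml2:Assertion. The Java snippet below is an added example, not code from this thread or from OpenSAML/xmlsec: it canonicalizes a constructed assertion-like fragment with that same PrefixList, once standalone and once nested under a parent that declares a default namespace, and prints the canonical form and SHA-1 DigestValue of each so the effect of "#default" on the digest can be reproduced. The class name, the Security wrapper, the fragment contents and an xmlsec 1.4.x classpath are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class DefaultNsDigestCheck {

    // Same PrefixList as the ec:InclusiveNamespaces element in the quoted log.
    static final String PREFIX_LIST = "del ds saml2 #default xs xsi";

    // Constructed, minimal assertion-like fragment (not the assertion from the thread).
    static final String ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\""
        + " ID=\"_example\" Version=\"2.0\"><saml2:Issuer>issuer</saml2:Issuer></saml2:Assertion>";

    // The same fragment inside a parent that declares a default namespace, as happens
    // when the assertion is read out of a wsse:Security header (wrapper name assumed).
    static final String WRAPPED =
        "<Security xmlns=\"http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-wssecurity-secext-1.0.xsd\">" + ASSERTION + "</Security>";

    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // without this, xmlns handling is wrong for XML-DSig
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        return (Element) d.getElementsByTagNameNS(
            "urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").item(0);
    }

    // Exclusive C14N with the PrefixList, then SHA-1, as the ds:Reference in the log does.
    // Returns the base64 DigestValue; also prints the canonical bytes so the inherited
    // xmlns="..." can be seen in the wrapped case.
    static String digest(Element el) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        byte[] canon = c14n.canonicalizeSubtree(el, PREFIX_LIST);
        System.out.println(new String(canon, "UTF-8"));
        return Base64.encode(MessageDigest.getInstance("SHA-1").digest(canon));
    }

    public static void main(String[] args) throws Exception {
        Init.init(); // registers the canonicalizer implementations
        System.out.println("standalone DigestValue: " + digest(parseAssertion(ASSERTION)));
        System.out.println("wrapped    DigestValue: " + digest(parseAssertion(WRAPPED)));
    }
}
```

Because "#default" is in the PrefixList, the wrapped run renders the parent's default namespace on saml2:Assertion and produces a different DigestValue than the standalone run, which is the mismatch the log reports; comparing the two printed canonical forms against the signer's shows which namespace context the signature was computed over.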