https://issues.apache.org/bugzilla/show_bug.cgi?id=45586


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




--- Comment #2 from [EMAIL PROTECTED]  2008-08-15 10:06:46 PST ---
I have marked this as NEEDINFO. Here's my analysis that I also 
posted to the mailing list:

Returning null is intentional and is a performance optimization as
Raul mentions. The c14ned bytes are still being written to the output
stream.

I validated the signature with the JSR 105 API, and it is invalid. The
reference digests don't match. Here's some debugging info:

Expected digest: SVUf+cO2NKZpSOHHhPfQjLQNhiE= 
Actual digest: Us20IPzJot+nTKMGap+rv81TVOo=

Pre-digested input (likely skewed by the email app):

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="c63cc59337d833aeb06186e4d19556b2" Id="id-23761097" 
IssueInstant="2008-08-01T08:28:40.298Z" Issuer="SmartInternetTechnology" 
MajorVersion="1" MinorVersion="0"><Conditions
xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
NotBefore="2008-08-01T08:27:58.688Z" 
NotOnOrAfter="2008-08-01T09:27:58.688Z"></Conditions><AuthenticationStatemen
t
xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
AuthenticationInstant="2008-08-01T08:27:58.688Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><Nam
eIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</NameIde
ntifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0
:cm:holder-of-key</ConfirmationMethod></SubjectConfirmation></Subject></Auth
enticationStatement><AttributeStatement
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><Subject><NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</NameIde
ntifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0
:cm:holder-of-key</ConfirmationMethod></SubjectConfirmation></Subject><Attri
bute
AttributeName="telephoneNumber" 
AttributeNamespace="telephoneNumber"><AttributeValue>a</AttributeValue></Att
ribute></AttributeStatement></saml:Assertion>

I suggest you dump the pre-digested input when signing and compare byte for
byte to see what broke the signature.


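The comparison suggested in the comment above, as an added example that is not part of the original bug report or the project's code: it uses the JDK's built-in JSR 105 implementation and the `javax.xml.crypto.dsig.cacheReference` property to capture the pre-digested bytes at signing and at validation, then reports the first differing byte. The document, the key pair, the class name and the post-signing change are constructed for illustration; Java 11 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class DigestInputDiff {
    // Standard JSR 105 property: keep each reference's pre-digested bytes for inspection.
    static final String CACHE = "javax.xml.crypto.dsig.cacheReference";
    public static void main(String[] args) throws Exception {
        // Constructed sample document, not the assertion from the bug report.
        String xml = "<a:Assertion xmlns:a=\"urn:example\"><a:Name>arun</a:Name></a:Assertion>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Signing side: dump what was actually digested.
        DOMSignContext sctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        sctx.setProperty(CACHE, Boolean.TRUE);
        fac.newXMLSignature(si, null).sign(sctx);
        byte[] signedInput = ref.getDigestInputStream().readAllBytes();

        // Constructed post-signing change: one trailing space in a text node.
        doc.getElementsByTagNameNS("urn:example", "Name").item(0).setTextContent("arun ");
        // Validating side: take the same dump, then compare byte for byte.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vctx = new DOMValidateContext(kp.getPublic(), sigNode);
        vctx.setProperty(CACHE, Boolean.TRUE);
        Reference vref = (Reference) fac.unmarshalXMLSignature(vctx).getSignedInfo().getReferences().get(0);
        boolean valid = vref.validate(vctx);
        byte[] seenInput = vref.getDigestInputStream().readAllBytes();
        System.out.println("Reference valid: " + valid);
        System.out.println("Expected digest: " + Base64.getEncoder().encodeToString(vref.getDigestValue()));
        System.out.println("Actual digest:   " + Base64.getEncoder().encodeToString(vref.getCalculatedDigestValue()));
        // Arrays.mismatch returns -1 when both dumps are identical.
        System.out.println("First differing byte offset: " + Arrays.mismatch(signedInput, seenInput));
    }
}
```

Writing both byte arrays to files instead of comparing in memory gives dumps that survive transport intact, unlike text pasted into an email.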