Problem with Oracle Security Developer Tools creating signed SAML Assertion
jimcpl Apr 4 2009 — edited Apr 5 2009
Hi,
I'm trying to use OSDT to create a signed SAML assertion.
Basically, what I've done is to use the ST_Test.java sample and the SignXMLEnveloped.java sample together.
This is just a proof-of-concept, so what I did was use the code from ST_Test.java to create the unsigned assertion, take the byte array that results, and use it in a ByteArrayInputStream feeding into slightly modified SignXMLEnveloped.java code.
I was actually able to create a signed assertion, but the signature on the signed assertion does not validate.
I think that the reason it doesn't validate is because the original code in SignXMLEnveloped.java sets the URI in the reference to "", whereas the reference should be to something like "XXXXXX", which is the "AssertionID" attribute on the Assertion element.
However, if I modify the SignedXMLEnveloped code to do a setUri to "#XXXXXX", I get the following error:
Exception in thread "main" oracle.security.xmlsec.dsig.SigningException: Cannot find node with @Id="theassertion"
at oracle.security.xmlsec.dsig.XSSignature.sign(Unknown Source)
at SignXMLEnveloped.main(SignXMLEnveloped.java:116)
Caused by: oracle.security.xmlsec.dsig.ReferenceException: Cannot find node with @Id="theassertion"
at oracle.security.xmlsec.dsig.ObjectReference.dereference(Unknown Source)
at oracle.security.xmlsec.dsig.XSReference.getTBDData(Unknown Source)
at oracle.security.xmlsec.dsig.XSReference.computeDigest(Unknown Source)
About to sign the Assertion...
at oracle.security.xmlsec.dsig.XSReference.computeDigest(Unknown Source)
at oracle.security.xmlsec.dsig.ReferenceList.computeRefDigests(Unknown Source)
... 2 more
I think I know what the problem may be, but I'm not sure how to work around it. I have written some apps to do digital signature verification before, and I know that there is a problem with SAML 1.1 called the "idness" problem, where the "AssertionID" attribute is not an "id" type attribute in the schema. I have a feeling that I'm running into the same problem here, with OSDT.
Has anyone been successful at doing something like this with OSDT? If so, how?
Thanks,
Jim
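Added example, not from the post or from OSDT: the idness problem reproduced and fixed with the JDK's own XML Signature API (javax.xml.crypto.dsig), which resolves a "#id" Reference through DOM getElementById; whether OSDT's ObjectReference.dereference does the same is an assumption. The fix shown is DOM Level 3 Element.setIdAttribute("AssertionID", true) on the parsed Assertion before signing, so that the "#XXXXXX" Reference can be dereferenced; the SAML namespace and the XXXXXX value are constructed sample data.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
public class IdnessDemo {
    // Constructed sample: SAML 1.1 does not type AssertionID as xs:ID, so a plain DOM parse never learns that "#XXXXXX" means this element.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"XXXXXX\""
      + " MajorVersion=\"1\" MinorVersion=\"1\"><saml:Conditions/></saml:Assertion>";
    static Element parseAssertion() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD processing
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(ASSERTION.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
    }
    // Enveloped signature with Reference URI "#XXXXXX", then verification; returns true if the signature validates.
    static boolean signAndVerify(boolean markId) throws Exception {
        Element assertion = parseAssertion();
        if (markId) assertion.setIdAttribute("AssertionID", true); // DOM Level 3: declare the ID attribute
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway test key
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#XXXXXX", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        try {
            fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), assertion));
        } catch (XMLSignatureException e) {
            return false; // the Reference could not be dereferenced: the idness problem from the post
        }
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), assertion.getLastChild()); // ds:Signature
        return fac.unmarshalXMLSignature(vc).validate(vc);
    }
    public static void main(String[] args) throws Exception {
        System.out.println("without ID marking: " + signAndVerify(false)); // false
        System.out.println("with ID marking:    " + signAndVerify(true));  // true
    }
}
```

A verifier that re-parses the signed XML from bytes loses the setIdAttribute marking and has to declare the ID attribute again, for example via DOMValidateContext.setIdAttributeNS, or it will hit the same dereference failure.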