SAML-Toolkits / java-saml

Java SAML toolkit
MIT License

Signing both Message and Assertion throws Invalid Signature Error #396

Closed Jess103 closed 1 year ago

Jess103 commented 1 year ago

Hi,

I have already posted the same question on Stack Overflow but had no luck, so I'm submitting the issue here.

Java Version: 8
Validation Check Tool: https://samltool.io/
Signing Assertion Only: Valid
Signing Response Only: Valid
Signing Both: Response Signature Invalid

I tried

1. sign assertion > add assertion in response > sign response
2. pull out assertion from the response > sign assertion > add again in response > sign response

but nothing worked; I always get "Response Signature Invalid" when I sign both. Is signing both using onelogin (java-saml.jar) not allowed? The OneLogin Toolkit, though, spits out a valid "Sign Message and Assertion"...

Jess103 commented 1 year ago

OK, it was the line break in the assertion that was causing this whole issue. I just replaced the special characters like `&#13;` and `&#xD;` and it magically works so well now.. wow....
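Added example (Python standard library only; not code from the thread or from java-saml) of what lies behind the fix above: an XML parser normalizes a literal carriage return to a line feed, so signed content that contains a CR does not survive a serialize/re-parse round trip, while CR-free content does. The sample Assertion and its signature value are constructed.

```python
"""Added example: why a CR inside signed XML content is fragile."""
import hashlib
from xml.dom import minidom

# Constructed sample: a signed Assertion whose base64 SignatureValue was
# chunked with CRLF line breaks, which a DOM serializer writes as &#13;.
ASSERTION_WITH_CR = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-id">'
    '<saml:Issuer>https://example.com/issuer</saml:Issuer>'
    '<ds:Signature><ds:SignatureValue>'
    'AAAAAAAA&#13;\nBBBBBBBB&#13;\n'
    '</ds:SignatureValue></ds:Signature>'
    '</saml:Assertion>'
)

def _text_nodes(node):
    """Yield the data of every text node below node, in document order."""
    for child in node.childNodes:
        if child.nodeType == child.TEXT_NODE:
            yield child.data
        else:
            yield from _text_nodes(child)

def content_fingerprint(xml: str) -> str:
    """SHA-256 over the element's text content, escaped the way XML
    canonicalization (C14N) escapes it (a CR is written as &#xD;).
    Stands in for the digest a signature verifier recomputes."""
    doc = minidom.parseString(xml)
    h = hashlib.sha256()
    for data in _text_nodes(doc.documentElement):
        escaped = (data.replace("&", "&amp;").replace("<", "&lt;")
                   .replace(">", "&gt;").replace("\r", "&#xD;"))
        h.update(escaped.encode("utf-8"))
    return h.hexdigest()

def survives_round_trip(xml: str) -> bool:
    """True if a serialize/re-parse cycle leaves the signed content intact.
    minidom writes a CR in text literally, and the parser then normalizes a
    literal CR or CRLF to LF (XML 1.0 section 2.11), so the content, and
    with it the digest, changes. A CR-free document is stable."""
    reserialized = minidom.parseString(xml).documentElement.toxml()
    return content_fingerprint(reserialized) == content_fingerprint(xml)

def strip_cr_references(xml: str) -> str:
    """The fix reported in the thread: drop the CR references before the
    enclosing Response is signed, so the signed content is CR-free."""
    return xml.replace("&#13;", "").replace("&#xD;", "")
```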

anastasig commented 1 year ago

Hi Jess103, I'm trying to follow your suggestion but I continue to get the same error as you. Here is my code:

```java
// Imports added for the unqualified names used below. The poster's helpers
// createSubject and stringTOobject, and the fields privateKey, cert and
// LOGGER, are not shown in the comment.
import java.util.UUID;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathExpressionException;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.StatusCode;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import com.onelogin.saml2.util.Util;

    try {
        InitializationService.initialize();
    } catch (InitializationException e) {
        e.printStackTrace();
    }
    org.opensaml.saml.saml2.core.impl.StatusCodeBuilder statusCodeBuilder = new org.opensaml.saml.saml2.core.impl.StatusCodeBuilder();
    StatusCode statusCode = statusCodeBuilder.buildObject();
    statusCode.setValue(StatusCode.SUCCESS);

    org.opensaml.saml.saml2.core.impl.StatusBuilder statusBuilder = new org.opensaml.saml.saml2.core.impl.StatusBuilder();
    org.opensaml.saml.saml2.core.Status status = statusBuilder.buildObject();
    status.setStatusCode(statusCode);

    org.opensaml.saml.saml2.core.impl.IssuerBuilder issuerBuilder = new org.opensaml.saml.saml2.core.impl.IssuerBuilder();
    org.opensaml.saml.saml2.core.Issuer issuer = issuerBuilder.buildObject();
    issuer.setValue("https://example.com/issuer");

    org.opensaml.saml.saml2.core.impl.ResponseBuilder responseBuilder = new org.opensaml.saml.saml2.core.impl.ResponseBuilder();
    org.opensaml.saml.saml2.core.Response response = responseBuilder.buildObject();
    response.setID(UUID.randomUUID().toString());
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssuer(issuer);
    response.setStatus(status);
    response.setIssueInstant(new DateTime()); // Sets the creation date and time of the Response

    org.opensaml.saml.saml2.core.impl.AssertionBuilder assertionBuilder = new org.opensaml.saml.saml2.core.impl.AssertionBuilder();
    org.opensaml.saml.saml2.core.Assertion assertion = assertionBuilder.buildObject();
    assertion.setID(UUID.randomUUID().toString());
    assertion.setIssueInstant(new DateTime());
    assertion.setSubject(createSubject("provai1", 11));

    org.opensaml.saml.saml2.core.Issuer issuer2 = issuerBuilder.buildObject();
    issuer2.setValue("https://example.com/issuer");
    assertion.setIssuer(issuer2);

    /* OneLogin */
    // 1. Sign Assertion > Turn signed string back to Assertion
    org.opensaml.saml.saml2.core.impl.AssertionMarshaller aMarshaller = new org.opensaml.saml.saml2.core.impl.AssertionMarshaller();
    String astStr = null;
    try {
        astStr = Util.addSign(aMarshaller.marshall(assertion), privateKey, cert, null);
        // Strip the CR/LF line breaks (the ones serialized as &#13; / &#xD;).
        // Note: this edits text the assertion signature already covers; only
        // characters inside the assertion's own ds:Signature element are not signed.
        astStr = astStr.replace("\r", "").replace("\n", "");
    } catch (XPathExpressionException | ParserConfigurationException | XMLSecurityException
            | MarshallingException e) {
        e.printStackTrace();
    }
    try {
        assertion = (Assertion) stringTOobject(astStr);
    } catch (Exception e) {
        e.printStackTrace();
    }
    // 2. Add Assertion into Response
    response.getAssertions().add(assertion);
    // 3. Sign Response > Turn signed string back to Response
    org.opensaml.saml.saml2.core.impl.ResponseMarshaller marshaller = new org.opensaml.saml.saml2.core.impl.ResponseMarshaller();
    String resStr = null;
    try {
        resStr = Util.addSign(marshaller.marshall(response), privateKey, cert, null);
        // Same line-break stripping on the signed Response string
        resStr = resStr.replace("\r", "").replace("\n", "");
    } catch (XPathExpressionException | ParserConfigurationException | XMLSecurityException
            | MarshallingException e) {
        e.printStackTrace();
    }
    try {
        response = (org.opensaml.saml.saml2.core.Response) stringTOobject(resStr);
    } catch (Exception e) {
        e.printStackTrace();
    }
    // 4. To XMLString
    try {
        String samlStr = SerializeSupport.nodeToString(marshaller.marshall(response));
        LOGGER.debug("Result in Base64: " + Util.base64encoder(samlStr));
    } catch (MarshallingException e) {
        e.printStackTrace();
    }
```

but when I tried to execute it, I get this image:

I'm using this tool to verify my SAML: https://samltool.io/

This is the generated XML: `<?xml version="1.0" encoding="UTF-8"?>`
anastasig commented 1 year ago

Using this version:

`com.onelogin:java-saml:2.9.0`

I resolved the problem.