PHP DSA Signature Conversion from DER ASN.1 to XMLDSIG P1363
<p>I am writing a PHP app (acting as a SAML IdP) which is trying to do a login via a SAML Response to a server (acting as the SAML SP). I am currently stuck with the server rejecting the request (I just get a 500 Bad Request).</p>
<p>I have written a test app (in Java/openSAML - which I'm pretty sure the server is using), and can see that the problem is that the SAML SignatureValidator validate generates</p>
<blockquote><p>org.apache.xml.security.signature.XMLSignatureException: Invalid XMLDSIG format of DSA signature</p></blockquote>
<p>Looking at the <a href="http://grepcode.com/file/repository.jboss.org/maven2/opensaml/xmltooling/1.0/org/opensaml/xml/signature/SignatureValidator.java" rel="nofollow">SAML SignatureValidator code</a> I can see that it checks that the XMLDSIG signature is exactly 40 bytes long (P1363 format?) - whereas the generated signature is 46-48 bytes long (DER ASN.1 format?).</p>
<p>The signature is being generated by PHP openssl_sign as below.</p>
<pre><code>openssl_sign($canonicalized_signedinfo, $signature, $private_key, OPENSSL_ALGO_DSS1);</code></pre>
<p>An example signature (displayed as binary to hex for clarity) is as below. This is 46 bytes, but I notice it varies (depending on the random key?) from 46 to 48 bytes.</p>
<blockquote><p>302c02146e74afeddb0fafa646757d73b43bca688a12ffc5021473dc0ca572352c922b80abd0662965e7b866416d</p></blockquote>
<p>I can successfully verify this signature using PHP openssl_verify as below.</p>
<pre><code>openssl_verify($canonicalized_signedinfo, $signature, $public_key, OPENSSL_ALGO_DSS1);</code></pre>
<p>But in my test app when I do a SignatureValidator validate (as below) I get the <code>XMLSignatureException: Invalid XMLDSIG format of DSA signature</code> exception.</p>
<pre><code>BasicCredential credential = new BasicCredential();
credential.setPublicKey(publicKey);
credential.setUsageType(UsageType.SIGNING);
SignatureValidator sigValidator = new SignatureValidator(credential);
sigValidator.validate(signature);</code></pre>
<p>Does anyone know how to do the PHP signature conversion from the 46-48 byte DER ASN.1 format generated by PHP openssl_sign to the 40 byte P1363 format expected by openSAML?</p>
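One way to perform the conversion the question asks for, as an added example that is not part of the original post or of OpenSAML. The DER signature from openssl_sign is an ASN.1 SEQUENCE of two INTEGERs (r and s); DER prepends a 0x00 byte to an INTEGER whose top bit is set, which is why the length wanders between 46 and 48 bytes. The P1363 form OpenSAML checks for is simply r and s as unsigned big-endian values, each left-padded to the size of q (20 bytes for a 160-bit q, giving the 40-byte value), concatenated. The function names and the 20-byte component size are assumptions; the code also covers the less common case where r or s has fewer than 20 significant bytes and the DER encoding is shorter than 46 bytes.

```php
<?php
// Added example (not from the original question or from OpenSAML):
// convert a DER-encoded DSA signature, SEQUENCE { INTEGER r, INTEGER s },
// into the fixed-width XMLDSIG / P1363 form r || s.

/**
 * Read one DER length field starting at $pos; advances $pos.
 * Handles the short form and long forms of up to 4 bytes.
 */
function der_read_length(string $der, int &$pos): int
{
    if ($pos >= strlen($der)) {
        throw new InvalidArgumentException('DER truncated while reading length');
    }
    $first = ord($der[$pos++]);
    if ($first < 0x80) {
        return $first;
    }
    $numBytes = $first & 0x7f;
    if ($numBytes === 0 || $numBytes > 4 || $pos + $numBytes > strlen($der)) {
        throw new InvalidArgumentException('Unsupported or truncated DER length');
    }
    $len = 0;
    for ($i = 0; $i < $numBytes; $i++) {
        $len = ($len << 8) | ord($der[$pos++]);
    }
    return $len;
}

/**
 * Read a DER INTEGER at $pos and return its unsigned big-endian magnitude
 * with any leading 0x00 sign-padding removed; advances $pos.
 */
function der_read_unsigned_integer(string $der, int &$pos): string
{
    if ($pos >= strlen($der) || ord($der[$pos]) !== 0x02) {
        throw new InvalidArgumentException('Expected DER INTEGER tag 0x02');
    }
    $pos++;
    $len = der_read_length($der, $pos);
    if ($len === 0 || $pos + $len > strlen($der)) {
        throw new InvalidArgumentException('Bad DER INTEGER length');
    }
    $value = substr($der, $pos, $len);
    $pos += $len;
    // DER adds a 0x00 prefix when the top bit is set so the integer stays
    // positive; the P1363 form is an unsigned magnitude and must not carry it.
    $value = ltrim($value, "\x00");
    return $value === '' ? "\x00" : $value;
}

/**
 * DER (r, s) -> P1363 r||s, each component left-padded to $componentSize
 * bytes. 20 bytes is assumed here for DSA with a 160-bit q, which yields
 * the 40-byte signature that OpenSAML's SignatureValidator expects.
 */
function dsa_der_to_p1363(string $der, int $componentSize = 20): string
{
    $pos = 0;
    if (strlen($der) < 2 || ord($der[$pos]) !== 0x30) {
        throw new InvalidArgumentException('Expected DER SEQUENCE tag 0x30');
    }
    $pos++;
    $seqLen = der_read_length($der, $pos);
    if ($pos + $seqLen !== strlen($der)) {
        throw new InvalidArgumentException('DER SEQUENCE length does not match input');
    }
    $r = der_read_unsigned_integer($der, $pos);
    $s = der_read_unsigned_integer($der, $pos);
    if ($pos !== strlen($der)) {
        throw new InvalidArgumentException('Trailing bytes after DER signature');
    }
    foreach ([$r, $s] as $component) {
        if (strlen($component) > $componentSize) {
            throw new InvalidArgumentException('Signature component larger than q');
        }
    }
    return str_pad($r, $componentSize, "\x00", STR_PAD_LEFT)
         . str_pad($s, $componentSize, "\x00", STR_PAD_LEFT);
}

// Worked input: the 46-byte DER signature quoted in the question.
$derHex = '302c02146e74afeddb0fafa646757d73b43bca688a12ffc5'
        . '021473dc0ca572352c922b80abd0662965e7b866416d';
$p1363 = dsa_der_to_p1363(hex2bin($derHex));
echo strlen($p1363), ' bytes: ', bin2hex($p1363), PHP_EOL;
```

In the flow from the question, the result of dsa_der_to_p1363() is what gets base64-encoded into the ds:SignatureValue element instead of the raw openssl_sign output. For the quoted signature both INTEGERs are already exactly 20 bytes with no sign padding, so the output is the two hex strings following each 0214 tag concatenated, 40 bytes in total; a 47- or 48-byte input differs only by the stripped 0x00 prefix on r and/or s. The length and tag checks are there so that a malformed or truncated value raises instead of silently producing a wrong-length signature that the SP would reject with the same exception.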