I am writing a PHP application (acting as SAML IdP) that tries to log in via a SAML response to the server (acting as SAML SP). I am currently stuck on the server rejecting the request (I just get 500 Bad Request).
I wrote a test application (in Java / openSAML - which I'm sure the server is using), and can see that the problem is that the SAML SignatureValidator check generates
org.apache.xml.security.signature.XMLSignatureException: Invalid XMLDSIG format of DSA signature
Looking at the SAML SignatureValidator code I can see that it checks that the XMLDSIG signature is only 40 bytes long (P1363? format), while the generated signature is 46-48 bytes (DER ASN.1? format).
The signature is generated by PHP openssl_sign, as shown below.
openssl_sign($canonicalized_signedinfo, $signature, $private_key, OPENSSL_ALGO_DSS1);
An example signature (displayed as hexadecimal rather than binary for clarity) is shown below. This one is 46 bytes, but I noticed that it varies (depending on the random key?) from 46 to 48 bytes.
302c02146e74afeddb0fafa646757d73b43bca688a12ffc5021473dc0ca572352c922b80abd0662965e7b866416d
I can successfully verify this signature using PHP openssl_verify as shown below.
openssl_verify($canonicalized_signedinfo, $signature, $public_key, OPENSSL_ALGO_DSS1);
But in my test application, when I run the SignatureValidator validation (as shown below), I get an XMLSignatureException: Invalid XMLDSIG format of DSA signature.
// OpenSAML 2.x imports (the constructor-based SignatureValidator API used here)
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.signature.SignatureValidator;

BasicCredential credential = new BasicCredential();
credential.setPublicKey(publicKey);
credential.setUsageType(UsageType.SIGNING);
SignatureValidator sigValidator = new SignatureValidator(credential);
sigValidator.validate(signature); // throws on the 46-48 byte DER signature
Does anyone know how to convert a PHP signature from the 46-48 byte DER ASN.1 format generated by PHP openssl_sign to the 40-byte P1363 format expected by openSAML?
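The length difference described above comes from the two encodings of the same (r, s) pair. OpenSSL emits a DER SEQUENCE of two INTEGERs; DER strips leading zero bytes and prepends a 0x00 when the top bit of the value is set, so each 160-bit integer takes 20 or 21 bytes and the whole structure is 46, 47 or 48 bytes. XML Signature (section 6.4.1 of the XMLDSIG spec) instead requires the concatenation r || s with each value converted via I2OSP to exactly 20 octets, which is why the validator insists on 40 bytes. The following is an added example, not code from the question, that converts between the two forms in PHP; it assumes a 160-bit q (the SHA-1/DSS1 case the question describes) so that the fixed width is 20 bytes, and the function names are my own.

```php
<?php
// Added example: convert a DER-encoded DSA signature (what openssl_sign()
// returns) into the fixed-width r||s form that XMLDSIG / OpenSAML expects,
// and back again so openssl_verify() can still be used on the raw form.

/**
 * Read one DER INTEGER at $pos and return its value as a big-endian byte
 * string of exactly $width bytes. DER drops leading zero bytes and adds a
 * 0x00 pad when the top bit is set; both cases are normalised here.
 */
function readDerInteger(string $der, int &$pos, int $width): string
{
    if (!isset($der[$pos + 1]) || ord($der[$pos]) !== 0x02) {
        throw new InvalidArgumentException("expected INTEGER tag at offset $pos");
    }
    $len = ord($der[$pos + 1]);
    if ($len & 0x80) { // long-form lengths cannot occur for 20-byte DSA integers
        throw new InvalidArgumentException("unsupported long-form length at offset $pos");
    }
    $value = substr($der, $pos + 2, $len);
    if (strlen($value) !== $len) {
        throw new InvalidArgumentException("truncated INTEGER at offset $pos");
    }
    $pos += 2 + $len;
    $value = ltrim($value, "\x00"); // drop DER sign padding / leading zeros
    if (strlen($value) > $width) {
        throw new InvalidArgumentException("INTEGER wider than $width bytes");
    }
    return str_pad($value, $width, "\x00", STR_PAD_LEFT); // I2OSP with l = $width
}

/** DER SEQUENCE { INTEGER r, INTEGER s }  ->  r || s, each $width bytes (XMLDSIG / P1363). */
function dsaDerToXmldsig(string $der, int $width = 20): string
{
    if (strlen($der) < 2 || ord($der[0]) !== 0x30 || ord($der[1]) !== strlen($der) - 2) {
        throw new InvalidArgumentException("not a single short-form DER SEQUENCE");
    }
    $pos = 2;
    $r = readDerInteger($der, $pos, $width);
    $s = readDerInteger($der, $pos, $width);
    if ($pos !== strlen($der)) {
        throw new InvalidArgumentException("trailing bytes after signature");
    }
    return $r . $s;
}

/** Encode one unsigned big-endian integer as a minimal DER INTEGER. */
function derInteger(string $bytes): string
{
    $bytes = ltrim($bytes, "\x00");
    if ($bytes === '') {
        $bytes = "\x00";
    }
    if (ord($bytes[0]) & 0x80) {
        $bytes = "\x00" . $bytes; // keep the value positive
    }
    return "\x02" . chr(strlen($bytes)) . $bytes;
}

/** r || s  ->  DER SEQUENCE, i.e. the form openssl_verify() expects. */
function dsaXmldsigToDer(string $raw): string
{
    if (strlen($raw) === 0 || strlen($raw) % 2 !== 0) {
        throw new InvalidArgumentException("r||s must have a non-zero even length");
    }
    $w = intdiv(strlen($raw), 2);
    $body = derInteger(substr($raw, 0, $w)) . derInteger(substr($raw, $w));
    return "\x30" . chr(strlen($body)) . $body;
}

// The 46-byte signature quoted in the question, used as sample input.
$der = hex2bin('302c02146e74afeddb0fafa646757d73b43bca688a12ffc5021473dc0ca572352c922b80abd0662965e7b866416d');
$raw = dsaDerToXmldsig($der);
printf("%d bytes: %s\n", strlen($raw), bin2hex($raw));
if (dsaXmldsigToDer($raw) !== $der) {
    throw new RuntimeException('round trip failed');
}

// Wiring it into the signing call from the question (hypothetical variable names
// taken from the question): sign as before, convert, then base64-encode the
// 40-byte value into <ds:SignatureValue>.
// openssl_sign($canonicalized_signedinfo, $signature, $private_key, OPENSSL_ALGO_DSS1);
// $signatureValue = base64_encode(dsaDerToXmldsig($signature));
```

For the quoted sample the output is the 40-byte concatenation of the two 20-byte integers because neither has its top bit set; a 47- or 48-byte signature from the same key differs only in the 0x00 pad bytes that readDerInteger strips. On the verifying side, a value that fails the 40-byte length check is a good indicator that the signer emitted DER rather than r || s, which is worth logging explicitly rather than surfacing as a generic signature failure.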