Signature length not correct: got 257 but was expecting 256

Hello, I’m getting the following error message from my IdP when it’s processing the signed AuthnRequest generated from Samlify on the Service Provider.

Signature length not correct: got 257 but was expecting 256

This is an example AuthnRequest:

<samlp:AuthnRequest
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a9a06995-8cda-4042-9b80-d66f1118033c" Version="2.0" IssueInstant="2018-11-07T01:43:40.028Z" Destination="https://mysite.com/saml/auth" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost:7071/api/v1/saml/post/ac">
	<saml:Issuer>https://localhost:7071/saml/metadata</saml:Issuer>
	<ds:Signature
		xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
			<ds:Reference URI="#_a9a06995-8cda-4042-9b80-d66f1118033c">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
				<ds:DigestValue>2S1bBotRxtMZHGeHwHkPp98bvV1GioFmHxyYAe2erl0=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>UKSo4HYUyzjMD49G4CI8g1eEbECzWA2cs9YZTkm3Jt2FN8gM9OJ99GyEai7VInH4m0KsaStOjJWDhZokDwx/ifIcDKYLaopmVG/qo3CoCLzxXFvDHQjs4qMs/+qcKQRKkgzU2rOLOE/cu9wsyK9TPGxF8/w0IZN/t1LXy+9tLtbRDFSV5YkKm9oMTNpKZEI17ilg2yXTbY69BiJZP3u3Bd2Qj3CD6j6lEAiwMoRtr98U/ZWuQNk1f6lhtwCOyO/1i7ipsMRKVClX2DpqGS4E+ppyhs+hVcc7wNVpxHM6fCZp49CmfKmFylFpjxUyXRfq57/dLwk02bkzAfS1Yu1T/6c=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
</samlp:AuthnRequest>

If you take a look at the signature, it does in fact appear to have a length of 257 instead of 256.

Interestingly, we have three environments utilizing the same code with samlify and the same IDP and only one environment has this issue. The environment that fails always fails, the environments that work always work.

Any thoughts/ideas on how to troubleshoot this?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

securityvoid commented, Jan 22, 2020 (1 reaction)

I worked around this, but I never resolved it.

I regenerated my SSL Certificates for the environment and the new certificates worked fine for that environment.

As I recall (this was a while ago), I had to regenerate the certificate several times to finally get one that worked, and one out of every 5 or so would still fail.

I moved on with one of the working certificates.

tngan commented, Jan 23, 2020 (0 reactions)

Ok, thanks for your update, then let me close this issue first.
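
As an added example (not part of the original issue thread and not samlify's code), a Node.js check for the condition behind this error: decode the `SignatureValue` and compare its byte length with the RSA modulus size of the signing key. The key pair, the SignedInfo stand-in and the 257-byte value are constructed for the demo, and `decodeSignatureValue` and `inspectSignature` are hypothetical helper names.

```javascript
// Added diagnostic example (not samlify code). Key and XML below are constructed.
const crypto = require('node:crypto');

// Pull the base64 text out of <ds:SignatureValue> and decode it to raw bytes.
function decodeSignatureValue(xml) {
  const m = /<(?:\w+:)?SignatureValue[^>]*>([\s\S]*?)<\/(?:\w+:)?SignatureValue>/.exec(xml);
  if (!m) throw new Error('no SignatureValue element found');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// Compare the decoded length with the RSA modulus size in bytes, which is the
// comparison reported as "got N but was expecting M".
function inspectSignature(xml, publicKey) {
  const sig = decodeSignatureValue(xml);
  const expected = publicKey.asymmetricKeyDetails.modulusLength / 8;
  return {
    got: sig.length,
    expected,
    lengthOk: sig.length === expected,
    // One extra leading 0x00 is what a sign-padded big-integer encoding looks like.
    leadingZeroPad: sig.length === expected + 1 && sig[0] === 0x00,
  };
}

// Constructed test data: throwaway 2048-bit key and a stand-in for canonical SignedInfo.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const signedInfo = Buffer.from('<ds:SignedInfo>constructed sample</ds:SignedInfo>');
  const good = crypto.sign('sha256', signedInfo, privateKey); // RSASSA-PKCS1-v1_5, 256 bytes
  const wrap = (buf) => `<ds:SignatureValue>${buf.toString('base64')}</ds:SignatureValue>`;
  const padded = Buffer.concat([Buffer.from([0x00]), good]); // simulated 257-byte value
  return {
    good: inspectSignature(wrap(good), publicKey),
    padded: inspectSignature(wrap(padded), publicKey),
    goodVerifies: crypto.verify('sha256', signedInfo, publicKey, good),
  };
}

console.log(demo());
```

To run it against a real request, pass the AuthnRequest XML and `new crypto.X509Certificate(pem).publicKey` for the certificate the IdP has on file for the Service Provider.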
