mace-opensaml-users - Signature Problems with Requests/Responses

  • From: Terry Cumming <>
  • To:
  • Subject: Signature Problems with Requests/Responses
  • Date: Fri, 28 Mar 2003 10:25:47 -0500

I have been using OpenSAML 0.8 (Java) for a week now to build demo code.
All works well except the digital signatures. If I create some
SAMLSignedObject types such as SAMLRequest or SAMLResponse and sign them
then immediately verify them they verify successfully.

If however I transport a SAMLRequest across a network via SAMLSOAPBinding
and try signature verification at the receiving end, I receive errors.

The error I get occurs in SAMLSignedObject.verify() after the line
sig.checkSignatureValue(k):
InvalidCryptoException("SAMLSignedObject.verify() failed to validate
signature value");

I have test code now to reproduce the problem but the symptoms are slightly
different. I create a SAMLRequest, do a toDOM, then create a new
SAMLRequest object taking the DOM root element in the constructor. Now I
receive: "SAMLQuery.getInstance() unable to locate an implementation of
specified query type". My request contains an AssertionArtifact.

I notice that Init.java does not have any registration for query by
AssertionArtifact, and there is no SAMLQuery class for this either, which
is I think why I get the error.

So I may have two different problems now - I am a bit confused. Anything
else I can try?

Full compilable code sample below - you just need a key in a keystore.
Error handling and comments removed for brevity.

Terry Cumming

import java.io.*;
import java.util.*;
import java.security.*;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.*;
import javax.xml.parsers.*;
import org.opensaml.*;   // SAMLRequest, SAMLException, QName, XML

public class TestSAMLVerify2 {
    public static void main(String[] args) throws Exception {

        try {
            // Build a request carrying a single AssertionArtifact.
            String artifactId = "123456789012";
            ArrayList respondWiths = new ArrayList();
            // Declared but never added to respondWiths, so the request has no RespondWith.
            QName respondWithAuthnStmt = new QName(XML.SAML_NS,
                                                   "AuthenticationStatement");
            ArrayList artifacts = new ArrayList();
            artifacts.add(artifactId);
            SAMLRequest samlReq = new SAMLRequest(respondWiths, null, null,
                                                  artifacts);

            // Sign the request with the private key held in a JKS keystore.
            String ksFname = "D:/JProjects/NB/SAMLProto/samlproto.keystore";
            String alias = "root";
            String pswd = "samlprotopswd";
            String pvKeyPswd = "rootpswd";
            org.apache.xml.security.Init.init();   // initialise Apache XML Security
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(ksFname), pswd.toCharArray());
            Key k = ks.getKey(alias, pvKeyPswd.toCharArray());
            samlReq.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
                         k,
                         Arrays.asList(ks.getCertificateChain(alias)),
                         true);

            // Unused here: toDOM() supplies its own Document.
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document d = db.newDocument();

            // Serialise to DOM, then rebuild a SAMLRequest from the root element,
            // which is what the receiving side does after the SOAP binding.
            Node n = samlReq.toDOM();

            SAMLRequest newReq = new SAMLRequest((Element) n);
            newReq.verify(true);
            System.out.println("Verified ok");
        } catch (SAMLException e) {
            System.out.println("SAMLException caught: " + e.getMessage());
        }

        return;
    } // end main
} // end class TestSAMLVerify2
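The following is an added example, not code from the post above and not OpenSAML code; it does not diagnose the failure Terry reports. It reproduces the sign, serialise, re-parse, verify round trip that the post describes, but with the standard javax.xml.crypto (JSR 105) API instead of OpenSAML 0.8, a throwaway RSA key pair instead of the keystore in the post, and a constructed non-SAML sample element. It shows two things a receiving side should get right: verify against a key you already trust rather than whatever KeyInfo the message carries, and parse the incoming XML with a namespace-aware builder, since a DOM without namespace URIs cannot even locate the ds:Signature element (the third run below). The element name, namespace and artifact value are made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SignatureRoundTrip {

    // Constructed sample document (not SAML); the whole element gets an enveloped signature.
    static final byte[] SAMPLE =
        "<Request xmlns=\"urn:example:demo\"><Artifact>123456789012</Artifact></Request>"
            .getBytes(StandardCharsets.UTF_8);

    static Document parse(byte[] xml, boolean namespaceAware) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(namespaceAware);   // JSR 105 requires a namespace-aware DOM
        // Untrusted input: forbid DOCTYPE so no entity expansion or external fetches happen.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // The bytes that would travel over a SOAP binding.
    static byte[] serialize(Document doc) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" means the whole document; the enveloped transform excludes the Signature itself.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    // Verify with a key the receiver already trusts; the KeyInfo inside the message is ignored.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false;   // no signature found (or more than one): treat as unsigned
        }
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);   // reference digests and signature value both checked
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // throwaway key pair for the example

        Document doc = parse(SAMPLE, true);
        sign(doc, kp);
        System.out.println("in-memory verify:         " + verify(doc, kp.getPublic()));

        byte[] wire = serialize(doc);
        System.out.println("after reparse (ns-aware): " + verify(parse(wire, true), kp.getPublic()));
        System.out.println("after reparse (no ns):    " + verify(parse(wire, false), kp.getPublic()));
    }
}
```

The first two runs validate; the third returns false because a DOM built without namespace awareness carries no namespace URIs, so the signature element is never found. Returning false on a missing signature, rather than skipping verification, is the behaviour a receiver wants: an unsigned message must not be accepted as a verified one.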



