mace-opensaml-users - Signature Verification error

Subject: OpenSAML user discussion

Signature Verification error


  • From: Brad Anderson <>
  • To:
  • Subject: Signature Verification error
  • Date: Wed, 29 Nov 2006 15:43:38 -0500
  • Organization: The Sankaty Group, Inc.

Hi,

I'm getting the following error:
java.lang.IllegalArgumentException: Verification key may not be null
    at org.opensaml.xml.signature.SignatureValidator.<init>(SignatureValidator.java:45)
    at com.xxxxx.bi.admin.sso.VerifySignature.verify(VerifySignature.java:47)

when trying to get a SignatureValidator with this code:

-----------------------------------
package com.xxxxx.bi.admin.sso;

import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;

import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureBuilder;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

import com.xxxxx.bi.util.Log;

public class VerifySignature {

    private SignatureBuilder signatureBuilder;

    public VerifySignature() {}

    public boolean verify(RawRSAKey rawKey, Element assertionElem) {

        boolean ret = false;

        org.apache.xml.security.Init.init();
        RSAPublicKeySpec publicSpec = new RSAPublicKeySpec(
                rawKey.getModulus(), rawKey.getExponent());

        KeyFactory keyFactory = null;
        PublicKey publicKey = null;
        Element sigElem = (Element)
                assertionElem.getElementsByTagName("Signature").item(0);

        signatureBuilder = new SignatureBuilder();
        Signature signature = signatureBuilder.buildObject(sigElem);
        signature.setCanonicalizationAlgorithm(
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        signature.setSignatureAlgorithm(
                XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);

47*     SignatureValidator signatureValidator = new SignatureValidator(publicKey);

        try {
            keyFactory = KeyFactory.getInstance("RSA");
            publicKey = keyFactory.generatePublic(publicSpec);

            signatureValidator.validate(signature);

            // if we got here, sig is valid
            ret = true;
            Log.logDbg(4, "Signature Valid: " + ret);

        } catch (NoSuchAlgorithmException noAlgorithm) {
            Log.logErr(noAlgorithm);
            return false;
        } catch (InvalidKeySpecException badSpec) {
            Log.logErr(badSpec);
            return false;
        } catch (ValidationException badSig) {
            Log.logErr(badSig);
            return false;
        }

        return ret;
    }
}
-----------------------------------

I've modeled this after SignedAssertionTest.java in org.opensaml.saml2.core
r766, although all the examples I see on the web are round-trips signing and
verifying. I am getting this assertion from a .NET platform, so will not have
the private key, and as such, I omit that from my code. I also had to use the
RSAPublicKeySpec to read the XML doc with Exponent and Modulus into a
PublicKey object.

Any thoughts?

Cheers,
Brad
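
An added example, not part of the original post or the OpenSAML code base: it builds the RSA `PublicKey` from a modulus and exponent before any verifier is created, then checks a signature with it. To run without OpenSAML it uses the JDK's `java.security.Signature` over raw bytes instead of `SignatureValidator`; the class name, the Base64 input form and the sample data are assumptions constructed for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class VerifyWithRawRsaKey {
    // Build the key from Base64 modulus/exponent text (assumed input form).
    static PublicKey toPublicKey(String modulusB64, String exponentB64) throws Exception {
        // signum 1: the bytes are unsigned magnitudes; new BigInteger(bytes)
        // would give a negative modulus whenever the top bit is set.
        BigInteger n = new BigInteger(1, Base64.getDecoder().decode(modulusB64));
        BigInteger e = new BigInteger(1, Base64.getDecoder().decode(exponentB64));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        if (key == null) throw new IllegalArgumentException("Verification key may not be null");
        Signature v = Signature.getInstance("SHA1withRSA"); // RSA-SHA1, as in the post
        v.initVerify(key);
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the remote signer.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair();
        byte[] data = "<Assertion>constructed sample</Assertion>".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(signer.getPrivate());
        s.update(data);
        byte[] sig = s.sign();
        // Only the modulus and exponent cross over to the verifying side.
        RSAPublicKey pub = (RSAPublicKey) signer.getPublic();
        String n = Base64.getEncoder().encodeToString(pub.getModulus().toByteArray());
        String e = Base64.getEncoder().encodeToString(pub.getPublicExponent().toByteArray());
        PublicKey key = toPublicKey(n, e);              // 1. the key object exists first
        System.out.println(verify(key, data, sig));     // 2. only then is it handed to the verifier
        data[0] ^= 1;                                   // flip one bit of the signed data
        System.out.println(verify(key, data, sig));     // same key and signature, altered data
    }
}
```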


