mace-opensaml-users - Re: Signature Verification error
Subject: OpenSAML user discussion
List archive
- From: Brad Anderson <>
- To:
- Subject: Re: Signature Verification error
- Date: Wed, 29 Nov 2006 17:34:42 -0500
- Organization: The Sankaty Group, Inc.
Brad Anderson wrote:
> Brad Anderson wrote:
>> Hi,
>>
>> I'm getting the following error:
>> java.lang.IllegalArgumentException: Verification key may not be null
>> at
>> org.opensaml.xml.signature.SignatureValidator.<init>(SignatureValidator.java:45)
>> at
>> com.xxxxx.bi.admin.sso.VerifySignature.verify(VerifySignature.java:47)
>>
>> when trying to get a SignatureValidator with this code:
>>
>> -----------------------------------
>> package com.xxxxx.bi.admin.sso;
>>
>> import java.security.KeyFactory;
>> import java.security.NoSuchAlgorithmException;
>> import java.security.PublicKey;
>> import java.security.spec.InvalidKeySpecException;
>> import java.security.spec.RSAPublicKeySpec;
>>
>> import org.apache.xml.security.c14n.Canonicalizer;
>> import org.apache.xml.security.signature.XMLSignature;
>> import org.opensaml.xml.signature.Signature;
>> import org.opensaml.xml.signature.SignatureBuilder;
>> import org.opensaml.xml.signature.SignatureValidator;
>> import org.opensaml.xml.validation.ValidationException;
>> import org.w3c.dom.Element;
>>
>> import com.xxxxx.bi.util.Log;
>>
>> public class VerifySignature {
>>
>> private SignatureBuilder signatureBuilder;
>>
>> public VerifySignature() {}
>>
>> public boolean verify(RawRSAKey rawKey, Element assertionElem) {
>>
>> boolean ret = false;
>>
>> org.apache.xml.security.Init.init();
>> RSAPublicKeySpec publicSpec = new RSAPublicKeySpec
>> (rawKey.getModulus(), rawKey.getExponent());
>>
>> KeyFactory keyFactory = null;
>> PublicKey publicKey = null;
>> Element sigElem = (Element)
>> assertionElem.getElementsByTagName("Signature").item(0);
>>
>> signatureBuilder = new SignatureBuilder();
>> Signature signature = signatureBuilder.buildObject(sigElem);
>> signature.setCanonicalizationAlgorithm(Canonicalizer.
>> ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>> signature.setSignatureAlgorithm(XMLSignature.
>> ALGO_ID_SIGNATURE_RSA_SHA1);
>>
>> 47* SignatureValidator signatureValidator = new
>> SignatureValidator(publicKey);
>>
>> try {
>> keyFactory = KeyFactory.getInstance("RSA");
>> publicKey = keyFactory.generatePublic(publicSpec);
>>
>> signatureValidator.validate(signature);
>>
>> // if we got here, sig is valid
>> ret = true;
>> Log.logDbg(4, "Signature Valid: " + ret);
>>
>> } catch (NoSuchAlgorithmException noAlgorithm) {
>> Log.logErr(noAlgorithm);
>> return false;
>> } catch (InvalidKeySpecException badSpec) {
>> Log.logErr(badSpec);
>> return false;
>> } catch (ValidationException badSig) {
>> Log.logErr(badSig);
>> return false;
>> }
>>
>> return ret;
>> }
>> }
>> -----------------------------------
>>
>> I've modeled this after SignedAssertionTest.java in org.opensaml.saml2.core
>> r766, although all the examples I see on the web are round-trips signing
>> and
>> verifying. I am getting this assertion from a .NET platform, so will not
>> have
>> the private key, and as such, I omit that from my code. I also had to use
>> the
>> RSAPublicKeySpec to read the XML doc with Exponent and Modulus into a
>> PublicKey object.
>>
>> Any thoughts?
>>
>> Cheers,
>> Brad
>>
>
> Duh, I have to put the SignatureValidator in the try block after publicKey
> is
> set. Okay, so I'm not so bright.
>
> After doing that, however, I got:
>
> java.lang.NullPointerException
> at
> org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:60)
> at
> com.xxxxx.bi.admin.sso.VerifySignature.verify(VerifySignature.java:52)
>
> Line 52 is the next one:
> signatureValidator.validate(signature);
>
> Now does anyone have any thoughts?
>
> Cheers,
> Brad
>
Wow, replied to myself twice already. Helluva citizen. I switched some
things around and got further, by getting rid of the signatureBuilder and
sigElem and assertionElem stuff. I pass the saml1.core.Assertion into the
verify() method and have assertion.getSignature() give me the signature.
So now the signatureValidator.validate() throws no error. Cool, right? Well,
I went ahead and changed one letter in the PublicKey exponent or modulus to
make it an incorrect key, and things still worked. :(
Investigating further, I turned on log4j DEBUG and after sifting thru it, I
found this:
http://www.rafb.net/paste/results/LKkGF956.html
The last line there, about ignoring the unknown element {}Signature - is this
expecting ds:Signature?
One of our signed assertions (Signature node) looks like this:
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>6mmsd0QVzikiEuFap5g5R9Ahtr8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XQSNx69JX+FnXAeb7GZ4wF2uMpMO4LrAHriz886m1DvEySiB1n6X2dzZJfBAsNiBEemterh9m3nwDn323xK1r2EdArFEmK2YPqaKfnOSo65zW9jXS83EWU7aZSA/OojamRNWfzshswxsvKg1b0B/l6gJzQeLUsF3hTwFD4UEqFI=</SignatureValue>
</Signature>
Anything I'm missing ??
Thanks,
BA
- Signature Verification error, Brad Anderson, 11/29/2006
- Re: Signature Verification error, Brad Anderson, 11/29/2006
- Re: Signature Verification error, Brad Anderson, 11/29/2006
- RE: Signature Verification error, Scott Cantor, 11/29/2006
- RE: Signature Verification error, Scott Cantor, 11/29/2006
- Re: Signature Verification error, Brad Anderson, 11/29/2006
- <Possible follow-up(s)>
- Re: Signature Verification error, Ramesh Sundararajan, 11/29/2006
- Re: Signature Verification error, Brad Anderson, 11/29/2006
Archive powered by MHonArc 2.6.16.