
mace-opensaml-users - Re: Signature Verification error

Subject: OpenSAML user discussion


Re: Signature Verification error


  • From: Brad Anderson <>
  • To:
  • Subject: Re: Signature Verification error
  • Date: Wed, 29 Nov 2006 17:34:42 -0500
  • Organization: The Sankaty Group, Inc.

Brad Anderson wrote:
> Brad Anderson wrote:
>> Hi,
>>
>> I'm getting the following error:
>> java.lang.IllegalArgumentException: Verification key may not be null
>>     at org.opensaml.xml.signature.SignatureValidator.<init>(SignatureValidator.java:45)
>>     at com.xxxxx.bi.admin.sso.VerifySignature.verify(VerifySignature.java:47)
>>
>> when trying to get a SignatureValidator with this code:
>>
>> -----------------------------------
>> package com.xxxxx.bi.admin.sso;
>>
>> import java.security.KeyFactory;
>> import java.security.NoSuchAlgorithmException;
>> import java.security.PublicKey;
>> import java.security.spec.InvalidKeySpecException;
>> import java.security.spec.RSAPublicKeySpec;
>>
>> import org.apache.xml.security.c14n.Canonicalizer;
>> import org.apache.xml.security.signature.XMLSignature;
>> import org.opensaml.xml.signature.Signature;
>> import org.opensaml.xml.signature.SignatureBuilder;
>> import org.opensaml.xml.signature.SignatureValidator;
>> import org.opensaml.xml.validation.ValidationException;
>> import org.w3c.dom.Element;
>>
>> import com.xxxxx.bi.util.Log;
>>
>> public class VerifySignature {
>>
>>     private SignatureBuilder signatureBuilder;
>>
>>     public VerifySignature() {}
>>
>>     public boolean verify(RawRSAKey rawKey, Element assertionElem) {
>>
>>         boolean ret = false;
>>
>>         org.apache.xml.security.Init.init();
>>         // Public key arrives as raw Modulus/Exponent from the .NET issuer, no certificate
>>         RSAPublicKeySpec publicSpec = new RSAPublicKeySpec(rawKey.getModulus(), rawKey.getExponent());
>>
>>         KeyFactory keyFactory = null;
>>         PublicKey publicKey = null;
>>         Element sigElem = (Element) assertionElem.getElementsByTagName("Signature").item(0);
>>
>>         signatureBuilder = new SignatureBuilder();
>>         Signature signature = signatureBuilder.buildObject(sigElem);
>>         signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>         signature.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
>>
>>         // publicKey has not been generated yet at this point (line 47 in the trace above)
>> 47*     SignatureValidator signatureValidator = new SignatureValidator(publicKey);
>>
>>         try {
>>             keyFactory = KeyFactory.getInstance("RSA");
>>             publicKey = keyFactory.generatePublic(publicSpec);
>>
>>             signatureValidator.validate(signature);
>>
>>             // if we got here, sig is valid
>>             ret = true;
>>             Log.logDbg(4, "Signature Valid: " + ret);
>>
>>         } catch (NoSuchAlgorithmException noAlgorithm) {
>>             Log.logErr(noAlgorithm);
>>             return false;
>>         } catch (InvalidKeySpecException badSpec) {
>>             Log.logErr(badSpec);
>>             return false;
>>         } catch (ValidationException badSig) {
>>             Log.logErr(badSig);
>>             return false;
>>         }
>>
>>         return ret;
>>     }
>> }
>> -----------------------------------
>>
>> I've modeled this after SignedAssertionTest.java in org.opensaml.saml2.core
>> r766, although all the examples I see on the web are round-trips signing
>> and verifying. I am getting this assertion from a .NET platform, so will
>> not have the private key, and as such, I omit that from my code. I also
>> had to use the RSAPublicKeySpec to read the XML doc with Exponent and
>> Modulus into a PublicKey object.
>>
>> Any thoughts?
>>
>> Cheers,
>> Brad
>>
>
> Duh, I have to put the SignatureValidator in the try block after publicKey
> is set. Okay, so I'm not so bright.
>
> After doing that, however, I got:
>
> java.lang.NullPointerException
>     at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:60)
>     at com.xxxxx.bi.admin.sso.VerifySignature.verify(VerifySignature.java:52)
>
> Line 52 is the next one:
> signatureValidator.validate(signature);
>
> Now does anyone have any thoughts?
>
> Cheers,
> Brad
>

Wow, replied to myself twice already. Helluva citizen. I switched some
things around and got further, by getting rid of the signatureBuilder and
sigElem and assertionElem stuff. I pass the saml1.core.Assertion into the
verify() method and have assertion.getSignature() give me the signature.

So now the signatureValidator.validate() throws no error. Cool, right? Well,
I went ahead and changed one letter in the PublicKey exponent or modulus to
make it an incorrect key, and things still worked. :(

Investigating further, I turned on log4j DEBUG and after sifting through it, I
found this:

http://www.rafb.net/paste/results/LKkGF956.html

The last line there, about ignoring the unknown element {}Signature - is this
expecting ds:Signature?

One of our signed assertions (Signature node) looks like this:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>6mmsd0QVzikiEuFap5g5R9Ahtr8=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>XQSNx69JX+FnXAeb7GZ4wF2uMpMO4LrAHriz886m1DvEySiB1n6X2dzZJfBAsNiBEemterh9m3nwDn323xK1r2EdArFEmK2YPqaKfnOSo65zW9jXS83EWU7aZSA/OojamRNWfzshswxsvKg1b0B/l6gJzQeLUsF3hTwFD4UEqFI=</SignatureValue>
</Signature>

Anything I'm missing ??

Thanks,
BA
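Editor's added example, not code from the thread or from OpenSAML. The post above ends with two observations that belong together: validate() stopped throwing even after the modulus was corrupted, and the debug log shows the unmarshaller "ignoring the unknown element {}Signature". The `{}` in that log line is an empty namespace; the example below assumes (the thread does not confirm it) that the assertion DOM was built by a parser that was not namespace-aware, so the `<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">` element was seen as an element with no namespace, not matched to the dsig Signature type, and therefore never checked. The code uses the JDK's built-in `javax.xml.crypto.dsig` API rather than OpenSAML's `SignatureValidator`, generates its own key pair to stand in for the .NET issuer (the thread has no private key), builds the verifying key from raw modulus and exponent via `RSAPublicKeySpec` as the post does, and uses rsa-sha256/sha256 instead of the thread's rsa-sha1/sha1 because current JDKs reject SHA-1 XML signatures in secure validation mode. The class name, the sample `<Assertion>` document and the `namespaceAware` switch are this example's own inventions.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Added example (not from the thread): enveloped XML signature check that fails closed. */
public class EnvelopedSignatureCheck {

    static final String DSIG_NS = XMLSignature.XMLNS; // http://www.w3.org/2000/09/xmldsig#
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** namespaceAware=false is the assumed cause of the "{}Signature" line in the thread's log. */
    static Document parse(String xml, boolean namespaceAware) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(namespaceAware);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Stand-in for the .NET issuer: signs the root element with an enveloped signature, no KeyInfo. */
    static String signEnveloped(String xml, KeyPair kp) throws Exception {
        Document doc = parse(xml, true);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        // KeyInfo omitted on purpose: as in the thread, the relying party supplies the key out of band.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Relying-party side: key from raw modulus/exponent, signature located by namespace, fail closed. */
    static boolean verify(String signedXml, RSAPublicKeySpec spec, boolean namespaceAware) throws Exception {
        Document doc = parse(signedXml, namespaceAware);
        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) {
            // A non-namespace-aware DOM contains no {dsig}Signature at all: "nothing to check" means reject.
            System.out.println("expected exactly one {" + DSIG_NS + "}Signature, found " + sigs.getLength());
            return false;
        }
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(spec);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(key, sigs.item(0));
        try {
            // Algorithms are read from the signed SignedInfo; never overwrite them on a received signature.
            return fac.unmarshalXMLSignature(ctx).validate(ctx);
        } catch (XMLSignatureException e) {
            return false; // malformed or unsupported signature is a rejection, not an exception path to ignore
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document; nothing here is taken from the thread's assertion.
        String xml = "<Assertion xmlns=\"urn:example:assertion\" ID=\"a1\"><Subject>alice</Subject></Assertion>";
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String signed = signEnveloped(xml, kp);

        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        RSAPublicKeySpec goodKey = new RSAPublicKeySpec(pub.getModulus(), pub.getPublicExponent());
        // The thread's "change one letter in the modulus" experiment: flip one interior bit of n.
        RSAPublicKeySpec badKey = new RSAPublicKeySpec(pub.getModulus().flipBit(100), pub.getPublicExponent());

        System.out.println("good key, namespace-aware parse:   " + verify(signed, goodKey, true));
        System.out.println("bad key,  namespace-aware parse:   " + verify(signed, badKey, true));
        System.out.println("good key, namespace-unaware parse: " + verify(signed, goodKey, false));
    }
}
```

The point of the three calls in main is the negative cases: a verifier that reports success for the corrupted key, or for a document in which it could not even locate a dsig-namespaced Signature element, is not verifying anything. Looking the element up with getElementsByTagNameNS (or, in OpenSAML terms, trusting only what the unmarshaller recognised as a Signature) and returning false when the count is not exactly one is what turns the thread's silent "ignoring the unknown element" into an explicit rejection. The secure-by-default behaviour to keep is also the inverse of the posted code's setCanonicalizationAlgorithm/setSignatureAlgorithm calls on a received signature: those values are part of SignedInfo, which is itself what the signature covers, so the verifier reads them and decides whether to accept them, it does not set them.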


