
mace-opensaml-users - RE: Signature validation problems

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Signature validation problems
  • Date: Fri, 26 Jan 2007 11:54:53 -0500
  • Organization: The Ohio State University

> VALIDATION:
> ----------
> SignatureValidator signValidator = new SignatureValidator( key );
> signValidator.validate( sign );

In this case, "key" is the public key of the signer.

> PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine();
> WrapperKeyInfoSource wrapper = new WrapperKeyInfoSource( "SignKeyInfo",
> sign.getKeyInfo() );
> InlineX509KeyInfoResolver resolver = new InlineX509KeyInfoResolver();
> boolean res = engine.validate( sign, wrapper, resolver );

A PKIX engine does not know the public key of the signer, that's its
purpose. You have to give it a KeyName identifying the signer's key via the
KeyInfoSource, and then a set of PKIX policies to validate the actual
certificate in the message.

I think you want the ExplicitKeyTrustEngine (that's what I called it, not
sure what the Java version is called).

> but the result of the process is always false. What's wrong with my code?
> Anybody can give me a clue? Thanks for your help.

Look up TrustEngine on the Shib wiki.

-- Scott
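
The distinction drawn in the message above, as an added example that is not part of the original post and is not OpenSAML code: it uses only JDK classes to model explicit key trust, on the assumption that this means matching the key carried with a message against keys configured locally for the signer. The class name, method names and sample data are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class ExplicitKeyTrustDemo {

    // Explicit key trust (modelled): the key carried with the message is only a
    // hint. It must equal a key configured out of band for the signer before
    // the signature is evaluated with it.
    static boolean explicitKeyTrust(byte[] data, byte[] sig, PublicKey embedded,
                                    Set<PublicKey> trustedKeys) throws GeneralSecurityException {
        for (PublicKey trusted : trustedKeys) {
            if (MessageDigest.isEqual(trusted.getEncoded(), embedded.getEncoded())) {
                return verify(data, sig, trusted);
            }
        }
        return false; // unknown key: reject without evaluating the signature
    }

    // Bare cryptographic check with a caller-supplied key; says nothing about trust.
    static boolean verify(byte[] data, byte[] sig, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    static byte[] sign(byte[] data, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair knownSigner = gen.generateKeyPair();   // constructed: key configured for the signer
        KeyPair unknownSigner = gen.generateKeyPair(); // constructed: key absent from local config
        byte[] msg = "<Assertion>constructed sample</Assertion>".getBytes(StandardCharsets.UTF_8);
        Set<PublicKey> trusted = Collections.singleton(knownSigner.getPublic());
        byte[] good = sign(msg, knownSigner.getPrivate());
        byte[] other = sign(msg, unknownSigner.getPrivate());

        System.out.println("known signer accepted:     "
                + explicitKeyTrust(msg, good, knownSigner.getPublic(), trusted));
        // Verifying against the key shipped with the message proves integrity only.
        System.out.println("embedded-key check passes: "
                + verify(msg, other, unknownSigner.getPublic()));
        System.out.println("unknown signer accepted:   "
                + explicitKeyTrust(msg, other, unknownSigner.getPublic(), trusted));
    }
}
```

The second check succeeds even though the signer is not configured, which is why the trust decision has to come from locally held keys (or PKIX policy) rather than from the KeyInfo inside the signature being validated.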




