
mace-opensaml-users - Re: XMLTooling - SignatureUnmarshaller

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: XMLTooling - SignatureUnmarshaller
  • Date: Thu, 19 Apr 2007 17:12:25 -0400

Laurent,
Sorry for the delay in responding, just got back to the office from a
conference...

I concur with what Scott said in his reply. We handle ds:Signature and
its children differently from other XMLObject providers. The only child
of ds:Signature we provide "normal" marshall/unmarshall ops for is
ds:KeyInfo. For everything else (e.g. ds:Reference), it's handled
internally by the Signature object itself. So if Apache XML Security
says there's no reference in what you parsed, then there probably isn't
(b/c it's looking at the DOM level, not XMLObject). How are you generating
and signing your Response below? What might be helpful as a sanity
check is to dump out your 'w3cResponse' and send us that. And/or the
code that is generating and signing the response, assuming you are using
OpenSAML for that.

Of course, we could have a bug - for that it would be helpful to see the
signed document you're trying to verify.

FYI, there are some utility methods in our org.apache.xml.util.XMLHelper
class to simplify serializing XMLObjects and Elements/Nodes to strings,
for debugging, etc.

-Brent


Laurent CHARTIER wrote:
> When I unmarshall a response, it unmarshalls automatically the child
> nodes. However, it seems that the unmarshalling of the signature isn't
> complete.
> I miss the <ds:reference> child.
>
> Here is my code:
>
> import java.io.ByteArrayInputStream;
> import java.io.InputStream;
> import org.opensaml.DefaultBootstrap;
> import org.opensaml.saml2.core.Response;
> import org.opensaml.saml2.core.impl.ResponseUnmarshaller;
> import org.opensaml.xml.ConfigurationException;
> import org.opensaml.xml.io.Unmarshaller;
> import org.opensaml.xml.io.UnmarshallingException;
> import org.opensaml.xml.parse.BasicParserPool;
> import org.opensaml.xml.parse.XMLParserException;
> import org.w3c.dom.Document;
> import org.w3c.dom.Element;
>
> // Initialise the OpenSAML object provider configuration.
> try {
>     DefaultBootstrap.bootstrap();
> } catch (ConfigurationException e) {
>     e.printStackTrace();
> }
>
> byte[] xmlBytes = null;
> ....
> // Parse the raw response bytes into a DOM (namespace-aware).
> Element w3cResponse = null;
> InputStream reponseSAMLInputStream = new ByteArrayInputStream(xmlBytes);
> BasicParserPool parserPool = new BasicParserPool();
> parserPool.setNamespaceAware(true);
> try {
>     Document doc = parserPool.parse(reponseSAMLInputStream);
>     w3cResponse = doc.getDocumentElement();
> } catch (XMLParserException xmlParserException) {
>     xmlParserException.printStackTrace();
> }
>
> // Unmarshall the DOM into the OpenSAML Response object tree.
> Response response = null;
> try {
>     Unmarshaller unmarshaller = new ResponseUnmarshaller();
>     response = (Response) unmarshaller.unmarshall(w3cResponse);
> } catch (UnmarshallingException unmarshallingException) {
>     unmarshallingException.printStackTrace();
> }
>
> If I try to validate the signature of the response, it gives me a
> "Unable to evaluate key against signature" because there's no references
> in the signature of the response.
> The debug log indicates [org.apache.xml.security.signature.Manifest]
> [verifyReferences] verify 0 References
>
> Here is the code of the validation method using the certificate of the
> signature:
>
> import java.security.cert.Certificate;
> import org.opensaml.xml.security.x509.BasicX509Credential;
> import org.opensaml.xml.signature.Signature;
> import org.opensaml.xml.signature.SignatureValidator;
> import org.opensaml.xml.validation.ValidationException;
>
> private boolean isValid(Signature signature, Certificate certificate) {
>     try {
>         // Wrap the certificate as an OpenSAML credential and verify against it.
>         BasicX509Credential credential = new BasicX509Credential();
>         credential.setEntityCertificate((java.security.cert.X509Certificate) certificate);
>         SignatureValidator validator = new SignatureValidator(credential);
>         validator.validate(signature);
>         return true;
>     } catch (ValidationException validationException) {
>         validationException.printStackTrace();
>         return false;
>     }
> }
>
> Could you please help me finding where the problem is?
> Thank you.
>
>
>
>
> This message is protected by the secrecy of correspondence rules.
> Therefore, this message is intended solely for the attention of the
> addressee. This message may contain privileged or confidential information,
> as such the disclosure of this information is strictly forbidden. If, by
> mistake, you have received this message, please return this message to the
> addresser whose e-mail address is written above and destroy this message
> and all files attached.
>
>
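The diagnostic Brent asks for, written out as an added example (this is not code from the thread or from OpenSAML itself). It assumes OpenSAML 2.x on xmltooling 1.x as later released, so `org.opensaml.security.SAMLSignatureProfileValidator` and `org.opensaml.xml.util.XMLHelper.nodeToString` are taken to be available in the version in use. The class and method names (`SignatureDiagnostics`, `parseResponse`, `countReferences`, `isValid`) are hypothetical, and the embedded Response is constructed for illustration: its DigestValue and SignatureValue are placeholders, so the cryptographic check will fail on it by design. It shows three things the thread turns on: the unmarshaller obtained from the registered factory rather than instantiated by hand, the `ds:Reference` count read from the Signature's cached DOM (since, as Brent explains, only `ds:KeyInfo` is exposed as an XMLObject child), and the serialized signature element that Apache XML Security actually sees. One caveat the thread does not state: the credential handed to `SignatureValidator` must come from trusted configuration or metadata, not from the certificate carried in the message's own `ds:KeyInfo`, otherwise any sender can supply a key that "validates" its own signature.

```java
import java.io.ByteArrayInputStream;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

/** Added diagnostic for the "verify 0 References" symptom (hypothetical class, not OpenSAML code). */
public class SignatureDiagnostics {

    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: a minimal SAML 2.0 Response with an enveloped ds:Signature
    // carrying exactly one ds:Reference to the Response itself. DigestValue and
    // SignatureValue are placeholders, so cryptographic validation is expected to
    // fail; the structural checks below still work on it.
    static final String SAMPLE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " ID=\"_r1\" Version=\"2.0\" IssueInstant=\"2007-04-19T21:00:00Z\">"
      + "<saml:Issuer>https://idp.example.org</saml:Issuer>"
      + "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
      + "<ds:SignedInfo>"
      + "<ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"
      + "<ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>"
      + "<ds:Reference URI=\"#_r1\">"
      + "<ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/></ds:Transforms>"
      + "<ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
      + "<ds:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</ds:DigestValue>"
      + "</ds:Reference></ds:SignedInfo>"
      + "<ds:SignatureValue>AAAA</ds:SignatureValue>"
      + "</ds:Signature>"
      + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
      + "</samlp:Response>";

    /** Parse namespace-aware and let the registered factory choose the unmarshaller by element QName. */
    static Response parseResponse(byte[] xml) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);   // without this, ds:* children are not recognised
        Element root = pool.parse(new ByteArrayInputStream(xml)).getDocumentElement();
        Unmarshaller u = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return (Response) u.unmarshall(root);
    }

    /** ds:Reference is not exposed as an XMLObject child, so inspect the Signature's cached DOM. */
    static int countReferences(Signature sig) {
        Element dom = sig.getDOM();
        return dom == null ? 0 : dom.getElementsByTagNameNS(DSIG_NS, "Reference").getLength();
    }

    /** Profile check first, then the cryptographic check against a credential from trusted configuration. */
    static boolean isValid(Signature sig, Credential trusted) {
        try {
            // Rejects signatures that do not have exactly one enveloped Reference to their parent.
            new SAMLSignatureProfileValidator().validate(sig);
            new SignatureValidator(trusted).validate(sig);
            return true;
        } catch (ValidationException e) {
            System.err.println("signature rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        Response r = parseResponse(SAMPLE.getBytes("UTF-8"));
        Signature sig = r.getSignature();
        if (sig == null) {
            System.out.println("no ds:Signature child on the Response");
            return;
        }
        // The signature as Apache XML Security sees it, for the sanity check Brent suggests.
        System.out.println(XMLHelper.nodeToString(sig.getDOM()));
        System.out.println("ds:Reference count: " + countReferences(sig));
    }
}
```

If `countReferences` prints 0 for a document you believe is signed, the problem is in the bytes you parsed (or in how they were produced), not in the unmarshaller; compare the dumped element with what the signer emitted. If it prints 1 and validation still fails with "Unable to evaluate key against signature", the mismatch is between the signing key and the credential you are validating with.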



Archive powered by MHonArc 2.6.16.