
mace-opensaml-users - Re: Verify a SAML token

Subject: OpenSAML user discussion


Re: Verify a SAML token


  • From: "Mike Mattozzi" <>
  • Subject: Re: Verify a SAML token
  • Date: Tue, 5 Jun 2007 16:16:41 -0700

Thanks for the discussion... looking forward to the final release of
OpenSAML 2, I'm sure you guys are too :)

Now for a nitty-gritty question: Do you have support for xpointer? I
was working through a signature validation using the
SignatureValidator and the sample Assertion I have uses the Reference
URI="#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])"
When validate() is called on the signature, I get a nice blob of errors:

Exception in thread "main" org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
	at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:75)
	at samltest.Samltest.parseSAML1withCert(Samltest.java:160)
	at samltest.Samltest.main(Samltest.java:67)
Caused by: org.apache.xml.security.signature.XMLSignatureException: The Reference for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
	at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
	at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:68)
	... 2 more

I tried replacing the URI with just the assertion id, in which case it
seems to find everything it's looking for just fine, but then it
fails with "Signature did not validate against the credential's key",
which I guess makes sense given the fact that I just changed part of
the XML (or would this part be excluded from the signing?)

Either way, is there any way I can get this xpointer to resolve?

thanks!

On 6/5/07, Scott Cantor <> wrote:
Mike Klein wrote:
> I am using routines documented on this page to verify signer of identity
> document and to verify/sign assertions. Code seems to work fine and
> messages are tamper-proof.

Yes, as long as your use case is simple enough that a single
predetermined certificate is available for each signer and you do the
mapping between who the signer is and where the certificate is.

> Grabbing a public cert from a keystore can be done in 3 lines of code or
> so...this isn't an issue. OpenSAML won't provide you an uber-keystore
> concept or anything I think so you'll need to load and cache them yourself.

Actually, that's pretty much exactly what it does, or will do, along with
support for TLS/SSL connection management with the same trust facilities.

-- Scott
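The two failures Mike describes, as an added example that is not code from the thread or from OpenSAML: it uses the JDK's built-in javax.xml.crypto.dsig API (whose DOM provider is a repackaged Apache XML Security, the library OpenSAML 2 wraps, so the same resource-resolver lookup applies) to sign a constructed SAML 1.x-style Assertion and then check the SignatureValue and the Reference digest separately under three values of ds:Reference/@URI. The assertion content, the ID `_a1b2c3` and the issuer are made up for the example; the XPath-style xpointer is the one from the message above. Apache XML Security's XPointer resolver only handles `#xpointer(/)` and `#xpointer(id('...'))`, which is why the full XPath expression yields "Could not find a resolver for URI". The last scenario reproduces Mike's second result: rewriting the URI to an equivalent form that selects the same element keeps the reference digest valid but still breaks the SignatureValue, because ds:Reference/@URI sits inside ds:SignedInfo, and SignedInfo is what the signature is actually computed over.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Added example (not OpenSAML code): how ds:Reference/@URI affects reference and SignatureValue checks. */
public class ReferenceUriDemo {
    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String ASSERTION_ID = "_a1b2c3"; // constructed, hypothetical ID
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // The XPath-style xpointer from the thread; no built-in resolver handles this form.
    static final String XPATH_XPOINTER = "#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']"
        + "/*[local-name()='Security']/*[local-name()='Assertion'][1])";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        // Constructed stand-in for a SAML 1.x Assertion (not a schema-complete one).
        Element assertion = doc.createElementNS(SAML1_NS, "saml:Assertion");
        assertion.setAttribute("AssertionID", ASSERTION_ID);
        assertion.setIdAttribute("AssertionID", true); // lets "#<id>" references be dereferenced
        assertion.setAttribute("Issuer", "https://idp.example.org"); // constructed
        doc.appendChild(assertion);
        Element nameId = doc.createElementNS(SAML1_NS, "saml:NameIdentifier");
        nameId.setTextContent("alice"); // constructed
        assertion.appendChild(nameId);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Sign with the SAML-profile reference form: a single same-document "#<id>" URI.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ASSERTION_ID,
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        DOMSignContext sctx = new DOMSignContext(kp.getPrivate(), assertion); // enveloped under the Assertion
        sctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, null).sign(sctx);

        report("1. as signed", doc, kp.getPublic());
        // 2. The thread's xpointer: the reference cannot be dereferenced at all, and since the URI
        //    attribute is part of SignedInfo the SignatureValue no longer matches either.
        rewriteReferenceUri(doc, XPATH_XPOINTER);
        report("2. URI rewritten to the XPath-style xpointer", doc, kp.getPublic());
        // 3. An equivalent, resolvable form selecting the same element: the digest still matches,
        //    but the SignatureValue fails because the signed SignedInfo bytes changed.
        rewriteReferenceUri(doc, "#xpointer(id('" + ASSERTION_ID + "'))");
        report("3. URI rewritten to xpointer(id(...)) of the same element", doc, kp.getPublic());
    }

    static void rewriteReferenceUri(Document doc, String uri) {
        Element refEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Reference").item(0);
        refEl.setAttribute("URI", uri);
    }

    /** Checks SignatureValue and each Reference separately so both failure modes are visible. */
    static void report(String label, Document doc, PublicKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx); // re-read after the DOM edit
        System.out.println(label);
        System.out.println("  SignatureValue over SignedInfo: "
            + (sig.getSignatureValue().validate(ctx) ? "valid" : "INVALID"));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            try {
                System.out.println("  Reference " + r.getURI() + ": digest "
                    + (r.validate(ctx) ? "matches" : "DOES NOT MATCH"));
            } catch (XMLSignatureException e) {
                System.out.println("  Reference " + r.getURI() + ": cannot be dereferenced: " + e.getMessage());
            }
        }
        // Profile check a SAML verifier adds on top: exactly one Reference, to the assertion it will consume.
        System.out.println("  single reference to this assertion: " + referencesOnly(sig, ASSERTION_ID));
    }

    static boolean referencesOnly(XMLSignature sig, String id) {
        List<?> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1 && ("#" + id).equals(((Reference) refs.get(0)).getURI());
    }
}
```

Compile and run with `javac ReferenceUriDemo.java && java ReferenceUriDemo` on JDK 8 or later; no external libraries are needed. The final `referencesOnly` check is the part a SAML verifier should not skip: the SAML 1.1 and 2.0 signature profiles require exactly one ds:Reference whose URI is "#" followed by the ID of the assertion or message being consumed (OpenSAML 2 enforces this in its SAMLSignatureProfileValidator), so a sample whose Reference walks an Envelope/Header/Security path is outside that profile. A verifier that accepts other reference forms must still confirm that the node the Reference dereferences to is the assertion it then goes on to trust, rather than relying on the fact that some reference in the document validated.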



