OpenSAML user discussion

["Brian Sheely" <>]

I'm having some difficulty with signature validation. If I understand the code correctly, validation of the signature in a SAML response is done via a SignatureValidator which requires that its Credential be set. A Credential is obtained via a CredentialResolver. I'm attempting to create a CredentialResolver using the same code found in the buildSimpleResolver function in samlsign.cpp. In my case, the parameter that I pass in is the cert parameter which, I assume, is the value of the IdP's X509 Certificate.  However, I'm getting an exception when I try to create the CredentialResolver

 

try {

      CredentialResolver* resolver =       XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, root);

}

 

I tried adding XMLToolingConfig::getConfig().init(), but that wasn't the issue. Once I have a CredentialResolver, my plan was to use the following code to validate the response:

 

CredentialCriteria criteria;

criteria.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);

const Credential* credential = resolver->resolve(&criteria);

SignatureValidator signatureValidator;

signatureValidator.setCredential(credential);

unsigned length;

XMLByte* decoded = Base64::decode(reinterpret_cast<const XMLByte*>(response), &length);

istringstream is(reinterpret_cast<char*>(decoded));

XMLString::release(&decoded);

DOMDocument* doc = XMLToolingConfig::getConfig().getParser().parse(is);

XMLObject* xmlObject = XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true);

 

try {

      signatureValidator.validate(xmlObject);

}

 

1) Is this the proper approach?

2) Any ideas on what am I not doing correctly in creating the CredentialResolver?

 

Thanks in advance!

 

Brian Sheely