OpenSAML user discussion

[Brent Putman <>]

Håkon Sagehaug wrote:
> Hi
>
> Thanks for all the replays. So the *TrustEngines does both the trust 
> evaluation of the keyInfo element and validating the signature inside 
> the ds:signatureValue element.


Yes, exactly.  More precisely the *SignatureTrustEngines do that (so not 
*all* trust engines, just the ones that take a Signature object as the 
untrusted token to validate).




> I've tried the approach with SignatureValidator, after I've checked 
> that I trust the x509Certificate inside keyInfo,
> and done
>
> SignatureValidator validator = new SignatureValidator(x509Credential);
> where x509Credential is made from the info inside keyINfo
>
> and tried did
>
> validator.validate(samlAssertion.getSignature())
>
> but I always get this back
>
> WARN  o.a.xml.security.signature.Reference - Verification failed for 
> URI "#_05d3afc2-0e55-482e-a2b6-1533fa17f109"
> DEBUG o.o.xml.signature.SignatureValidator - Signature did not 
> validate against the credential's key



Ok, then basically it means what it says.  Either the signer made a 
mistake and didn't include the right certificate in the KeyInfo, or more 
likely, the XML document has actually been changed in some way that 
breaks the signature.  Likely causes are the way that the document was 
serialized after it was signed for transmission over the network (e.g. 
was pretty print formatted, etc) , or possibly by being inadvertently 
changed before it was parsed and unmarshalled on the receiving side.  
Remember that any change to the signed portion of the XML document after 
signing, even the addition of a single space, newline or other 
whitespace, will invalidate the signature.


--Brent