OpenSAML user discussion

[Paolo Selvini <>]

Hi,

I need to parse a signed metadata file and verify its signature against a given certificate.

I am using version 2.1.0 of the OpenSAML library and now in fact the getSignature() method of EntityDescriptor returns a non null object. :-)

 

For a clear start I got a sample signed metadata from the OpenSAML-J 2.1.0 source code, in the file src\test\resources\data\org\opensaml\saml2\metadata\metadata.switchaai_signed.xml.

Then I extracted the public certificate in PEM format from such file and I have subsequently saved it, to use in the code.

 

The following is the code I used for reading and verifying the signed metadata file:

 

FilesystemMetadataProvider fsmd = new FilesystemMetadataProvider(new File(signedMetadataFilename));
fsmd.setParserPool(new BasicParserPool());
fsmd.initialize();
EntityDescriptor signedEntityDescriptor = fsmd.getMetadata();

 

java.security.cert.X509Certificate x509Certificate = getSigningCertificate();

 

boolean isVerified = true;
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
 profileValidator.validate(signedEntityDescriptor.getSignature());
 BasicX509Credential credential = new BasicX509Credential();
 credential.setEntityCertificate(x509Certificate);
 SignatureValidator signatureValidator = new SignatureValidator(credential);
 signatureValidator.validate(signedMetadata.getSignature());
} catch(ValidationException ex) {
 isVerified = false;
}

 

if(isVerified) {
 System.out.println("Verified");
} else {
 System.out.println("Not verified"); 
}

 

The code above always returns false for isVerified.

On the contrary, if I replace the top 4 rows with the following code, the verification passes:

 

BasicParserPool parser = new BasicParserPool();
Document samlObject = parser.parse(new FileInputStream(filename));
Element samlObjectRootElement = samlObject.getDocumentElement();
Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(samlObjectRootElement);
XMLObject signedEntityDescriptor = unmarshaller.unmarshall(samlObjectRootElement);

 

What's wrong with the former way to read a metadata from the file system? I assume the same would happen with a FileBackedURLMetadataProvider.

I would like to keep using the providers for reading metadata, as they embed the caching mechanism.

 

Thanks a lot for your help.

 

Paolo

 

 

 

---

Le informazioni contenute in questa comunicazione e negli allegati sono riservate; e' vietato a soggetti diversi dai destinatari qualsiasi uso, copia, diffusione di quanto in essi contenuto.
Se avete ricevuto questa copia per errore, vi preghiamo di distruggerla immediatamente ed informarci via e-mail.

Prima di stampare questa e-mail consideratene l’impatto sull’ambiente. Grazie per la collaborazione.


This e-mail and any attachment(s) are strictly confidential. This message must not be copied, disclosed or used by anybody other than the intended recipient(s).
If you are not the intended recipient, please inform the sender by e-mail and destroy this message immediately.

Please consider the environment before printing this e-mail. Thank you for your cooperation.