OpenSAML user discussion

[Brent Putman <>]

Please be sure to reply-to-all or to the list, rather than the sender
directly...



 wrote:
>  Thanks for Brent Putman's reply.
>  
>   I checked the code again,the cert/key is right,and the cert/key value is 
> same to keyInfo. Then ,I modify the Credential create like this (the same 
> to signature code): 
>
>                   PrivateKey priv = null;
>               Certificate  kscert = null,cert;
>               try {
>                       priv = (PrivateKey) getKeyStore().getKey("samlcert", 
> "password".toCharArray());
>                       kscert = getKeyStore().getCertificate("samlcert");
>               } catch (KeyStoreException e1) {
>                       // TODO Auto-generated catch block
>                       e1.printStackTrace();
>               } catch (NoSuchAlgorithmException e1) {
>                       // TODO Auto-generated catch block
>                       e1.printStackTrace();
>               } catch (UnrecoverableKeyException e1) {
>                       // TODO Auto-generated catch block
>                       e1.printStackTrace();
>               }
>
>               Credential stCred = 
> SecurityHelper.getSimpleCredential(kscert.getPublicKey(), priv);
>   

That looks correct, as far as generating the Credential with which to sign.

> but the same error happened : 
> org.opensaml.xml.validation.ValidationException: Signature did not 
> validate against the credential's key  .
>   

Well, if you're sure you are validating with the right key, then it
almost certainly must be the case that the SignedInfo element really has
been modified since it was signed.  You'll need to double-check the
serialization process on the signer side, and the deserialization and
unmarshalling process on the receiving side, to find out where and how. 
That's all I can tell you.

Remember that any change to the signed document will cause the signature
to fail, even something as trivial as addition or removal of whitespace.

>   When The same cert signature text and valid it using 
> java.security.Signature from JDK1.5 , it has no problem.   
>   

I'm not sure what you mean here, what you are validating with the
java.security.Signature?  Or are you saying there seems to be difference
in behavior beween JDK1.5 and some other JDK version?

>    And ,I have another question.Why was My Assertion's signature info 
> contained by <samp:Assetion ..> ..</samp:Assetion> ,  when the 
> SignatureValidator.validate(..)  excuted , whether can the signature info 
> be computered to the encrypted Value by the PublicKey?
>   

I'm sorry, I don't understand what you are asking here.  Can you please
rephrase the question?


--Brent