
mace-opensaml-users - Using Holder of Key with Digital Signature

Subject: OpenSAML user discussion


Using Holder of Key with Digital Signature


  • From: Deena Gurajala <>
  • To:
  • Subject: Using Holder of Key with Digital Signature
  • Date: Tue, 28 Jul 2009 12:18:27 -0700

Hi,

I am trying to create an AuthnRequest with OpenSAML. This request is signed using the client private key and contains Holder-of-Key. I am able to generate the request, but signature validation is failing on the other side. Here is the code showing how I am doing it.

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.xml.namespace.QName;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.SubjectBuilder;
import org.opensaml.saml2.core.impl.SubjectConfirmationBuilder;
import org.opensaml.saml2.core.impl.SubjectConfirmationDataBuilder;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallerFactory;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.KeyName;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.KeyInfoBuilder;
import org.opensaml.xml.signature.impl.KeyNameBuilder;
import org.opensaml.xml.signature.impl.SignatureBuilder;
import org.w3c.dom.Element;

public class HokAuthnRequest {
    public static void main(String[] args) throws Exception {
        // Initialise OpenSAML 2.x (registers builders, marshallers and security config).
        DefaultBootstrap.bootstrap();

        AuthnRequestBuilder authnReqQryBldr = new AuthnRequestBuilder();
        AuthnRequest authnReq = authnReqQryBldr.buildObject();

        authnReq.setIssueInstant(new DateTime());
        authnReq.setAssertionConsumerServiceURL("http://arache/httpClient");
        authnReq.setID("_mmd222");

        IssuerBuilder issrBldr = new IssuerBuilder();
        Issuer issr = issrBldr.buildObject();
        issr.setValue("http://some.com/issue");
        authnReq.setIssuer(issr);

        SubjectBuilder subBldr = new SubjectBuilder();
        Subject subject = subBldr.buildObject();

        SubjectConfirmationBuilder subjConfBldr = new SubjectConfirmationBuilder();
        SubjectConfirmation subjConf = subjConfBldr.buildObject();
        // Holder-of-key confirmation method; the constant expands to
        // urn:oasis:names:tc:SAML:2.0:cm:holder-of-key (note the "SAML" segment).
        subjConf.setMethod(SubjectConfirmation.METHOD_HOLDER_OF_KEY);

        // Generic SubjectConfirmationData with xsi:type set by hand to
        // saml:KeyInfoConfirmationDataType; the KeyInfo is attached as an unknown child.
        SubjectConfirmationDataBuilder subConnfrmDatBldr = new SubjectConfirmationDataBuilder();
        SubjectConfirmationData subjData = subConnfrmDatBldr.buildObject();
        subjData.getUnknownAttributes().put(
                new QName("http://www.w3.org/2001/XMLSchema-instance", "type", "xsi"),
                "saml:KeyInfoConfirmationDataType");
        subjConf.setSubjectConfirmationData(subjData);

        KeyInfoBuilder keyInfoBldr = new KeyInfoBuilder();
        KeyInfo keyInfo = keyInfoBldr.buildObject();
        subjData.getUnknownXMLObjects().add(keyInfo);

        // The key the subject must prove possession of, referenced by name only.
        KeyNameBuilder keyNameBldr = new KeyNameBuilder();
        KeyName kn = keyNameBldr.buildObject();
        kn.setValue("clientkey");
        keyInfo.getKeyNames().add(kn);

        subject.getSubjectConfirmations().add(subjConf);
        authnReq.setSubject(subject);

        // Client signing key and certificate from the JKS keystore.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] password = "cspass".toCharArray();
        FileInputStream fis = new FileInputStream("clientKeystore.jks");
        ks.load(fis, password);
        fis.close();

        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("clientkey",
                new KeyStore.PasswordProtection("ckpass".toCharArray()));
        PrivateKey pk = pkEntry.getPrivateKey();
        X509Certificate certificate = (X509Certificate) pkEntry.getCertificate();

        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(certificate);
        credential.setPrivateKey(pk);

        // Enveloped XML signature over the whole request.
        SignatureBuilder signBldr = new SignatureBuilder();
        Signature signature = signBldr.buildObject();
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        authnReq.setSignature(signature);

        // Marshal to DOM first, then compute the signature over that DOM.
        MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(authnReq);
        Element element = marshaller.marshall(authnReq);
        Signer.signObject(signature);
    }
}
If I don't add the SubjectConfirmation, it works fine.

The following is the exception I am getting.

Jul 27, 2009 4:17:03 PM org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#_mmd222"
Jul 27, 2009 4:17:03 PM org.apache.xml.security.signature.Reference verify
WARNING: Expected Digest: gnOowp1+58Ity5q/nESJa3GvwNg=
Jul 27, 2009 4:17:03 PM org.apache.xml.security.signature.Reference verify
WARNING: Actual Digest: nOXYcq5CDFXDW5oWoAB7vaP3tSs=
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)

Any help is really appreciated.
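The following is an added example, not code from the original post or from the OpenSAML project. It builds the same Holder-of-Key AuthnRequest with OpenSAML 2.x's typed KeyInfoConfirmationDataTypeBuilder (which emits the xsi:type and namespace declaration itself instead of a hand-built xsi:type attribute), signs it, and then goes further than the post by doing the relying party's side as well: parsing the serialised XML, running SAMLSignatureProfileValidator and SignatureValidator, and checking that the certificate carried in the HoK confirmation is the one that signed. The keystore file, aliases and passwords are the ones from the post; the URLs and the class and method names are placeholders chosen here, and RSA-SHA256 is used instead of the post's RSA-SHA1.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.*;
import org.opensaml.saml2.core.impl.*;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.*;
import org.opensaml.xml.signature.impl.KeyInfoBuilder;
import org.opensaml.xml.signature.impl.SignatureBuilder;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

// Hypothetical class name; keystore names reuse the post's, URLs are placeholders.
public class HokAuthnRequestRoundTrip {

    // Load the presenter's private key and certificate from a JKS keystore.
    static BasicX509Credential loadCredential(String path, String storePass,
                                              String alias, String keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        KeyStore.PrivateKeyEntry e = (KeyStore.PrivateKeyEntry) ks.getEntry(alias,
                new KeyStore.PasswordProtection(keyPass.toCharArray()));
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate((X509Certificate) e.getCertificate());
        cred.setPrivateKey(e.getPrivateKey());
        return cred;
    }

    // Build and sign an AuthnRequest whose Subject is confirmed by holder-of-key.
    static String buildSignedHokRequest(BasicX509Credential cred) throws Exception {
        AuthnRequest req = new AuthnRequestBuilder().buildObject();
        req.setID("_" + java.util.UUID.randomUUID());   // valid xs:ID (no leading digit)
        req.setIssueInstant(new DateTime());
        req.setAssertionConsumerServiceURL("https://sp.example.test/acs");   // placeholder
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue("https://sp.example.test");                          // placeholder
        req.setIssuer(issuer);

        // Carry the presenter's certificate (not just a KeyName) so the relying
        // party can compare it with the certificate that verifies the signature.
        KeyInfo hokKeyInfo = new KeyInfoBuilder().buildObject();
        KeyInfoHelper.addCertificate(hokKeyInfo, cred.getEntityCertificate());
        // Typed builder: sets xsi:type="saml:KeyInfoConfirmationDataType" itself.
        KeyInfoConfirmationDataType confData = new KeyInfoConfirmationDataTypeBuilder().buildObject();
        confData.getKeyInfos().add(hokKeyInfo);
        SubjectConfirmation conf = new SubjectConfirmationBuilder().buildObject();
        conf.setMethod(SubjectConfirmation.METHOD_HOLDER_OF_KEY);
        conf.setSubjectConfirmationData(confData);
        Subject subject = new SubjectBuilder().buildObject();
        subject.getSubjectConfirmations().add(conf);
        req.setSubject(subject);

        Signature sig = new SignatureBuilder().buildObject();
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        req.setSignature(sig);
        // Marshal first so the DOM exists, sign that DOM, then serialise the signed DOM.
        Element dom = Configuration.getMarshallerFactory().getMarshaller(req).marshall(req);
        Signer.signObject(sig);
        return XMLHelper.nodeToString(dom);
    }

    // Relying-party side: profile check, signature check, then HoK key binding.
    static boolean verifyHokRequest(String xml, X509Certificate expectedSigner) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Element root = pool.parse(new ByteArrayInputStream(xml.getBytes("UTF-8"))).getDocumentElement();
        AuthnRequest req = (AuthnRequest) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(root).unmarshall(root);
        Signature sig = req.getSignature();
        if (sig == null || req.getSubject() == null) return false;
        new SAMLSignatureProfileValidator().validate(sig);   // enveloped, one Reference to the root ID
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(expectedSigner);
        new SignatureValidator(trusted).validate(sig);       // throws ValidationException on mismatch
        // Holder-of-key: a certificate in the confirmation must be the signer's.
        for (SubjectConfirmation c : req.getSubject().getSubjectConfirmations()) {
            if (!SubjectConfirmation.METHOD_HOLDER_OF_KEY.equals(c.getMethod())) continue;
            SubjectConfirmationData d = c.getSubjectConfirmationData();
            if (!(d instanceof KeyInfoConfirmationDataType)) continue;
            for (KeyInfo ki : ((KeyInfoConfirmationDataType) d).getKeyInfos()) {
                if (KeyInfoHelper.getCertificates(ki).contains(expectedSigner)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicX509Credential cred = loadCredential("clientKeystore.jks", "cspass", "clientkey", "ckpass");
        String xml = buildSignedHokRequest(cred);
        System.out.println(xml);
        System.out.println("HoK AuthnRequest verifies: " + verifyHokRequest(xml, cred.getEntityCertificate()));
    }
}
```

Running the round trip locally separates the two failure modes the post's log can hide: a digest mismatch on the enveloped Reference (what the "Expected Digest" / "Actual Digest" warnings report) surfaces as a ValidationException from SignatureValidator before any HoK check runs, whereas a request that signs and verifies but whose confirmation names a different key fails only the final certificate comparison. Keeping the xsi:type handling inside the typed builder also removes one source of canonicalisation differences between the signer's DOM and the DOM the verifier re-parses.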



