OpenSAML user discussion

["Ravi Balasubramanian" <>]

No. I am want to make sure the code segment I have is right, as I tried in
multiple signature validators and all failed to validate. 

The error I get is digest value and data does not match.

-----Original Message-----
From: Chad La Joie 
[mailto:]
 
Sent: Friday, August 28, 2009 8:50 AM
To: 

Subject: Re: [OpenSAML] RE: Digital signature not valid

You're on the wrong mailing list, if some one else's signature validator 
has a problem you need to contact them.

Ravi Balasubramanian wrote:
> I am generating a SAML response with digital signature and my
> x509certificate data. Trying to validate the digital signature using
> http://www.aleksey.com/xmlsec/xmldsig-verifier.html
> 
> Having two issues:
> 
> 1.    The verifier is looking for node within <Signature.. /> specified by
> Reference URI. But my digital signature does not have that node. Reference
> URL is defaulting to the Assertion ID which is being digitally signed. 
> 2.    Even when I manually add the node, the verification fails.  My
> digital signature code looks like this:
> 
>  
> 
>                     KeyStore ks =
> KeyStore.getInstance(KeyStore.getDefaultType()); 
> 
>                     char[] password = "xxxxxx".toCharArray(); 
> 
>                     FileInputStream fis = new
> FileInputStream("c:/keystore/test.ks"); 
> 
>                     ks.load(fis, password); 
> 
>                     fis.close(); 
> 
>                     char[] achKeyStorePass = password;
> 
>                     String keyAlias = "mytestkey";
> 
>                     PrivateKey pk =  (PrivateKey)
> ks.getKey(keyAlias,achKeyStorePass);
> 
>                     X509Certificate certificate = (X509Certificate)
> ks.getCertificate(keyAlias);
> 
>                     BasicX509Credential credential = new
> BasicX509Credential(); 
> 
>                     credential.setEntityCertificate(certificate); 
> 
>                     credential.setPrivateKey(pk); 
> 
>                     Signature signature = (new
> SignatureBuilder()).buildObject(); 
> 
>                     Namespace signNS = new
> Namespace("http://www.w3.org/2009/09/xmldsig#
> <http://www.w3.org/2009/09/xmldsig> ", "");
> 
>                     signature.addNamespace(signNS);
> 
>                     signature.setSigningCredential(credential); 
> 
>  
> signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA);

> 
>  
>
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_OMIT_
> COMMENTS); 
> 
>                     KeyInfo keyinfo = (new
> KeyInfoBuilder()).buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
> 
>                     KeyInfoHelper.addCertificate(keyinfo, certificate);
> 
>  
> SecurityHelper.prepareSignatureParams(signature,credential, null, null);
> 
>                     assertion.setSignature(signature);
> 
>  
> 
> The code generates signature but when validating, says not able to
validate.
> 
>  
> 
> 

-- 
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch