
mace-opensaml-users - Re: [OpenSAML] RE: Digital signature not valid


Re: [OpenSAML] RE: Digital signature not valid


  • From: Deena Gurajala <>
  • Subject: Re: [OpenSAML] RE: Digital signature not valid
  • Date: Fri, 28 Aug 2009 10:16:41 -0700

The validation I was doing is below.

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;

    // DefaultBootstrap.bootstrap() must have run once before Configuration is used.
    // "element" is the DOM element of the received AuthnRequest.
    static void validateAuthnRequest(Element element) throws Exception {
        UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
        Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
        AuthnRequest authnReq = (AuthnRequest) unmarshaller.unmarshall(element);

        // Load the certificate that matches the signing key from the keystore.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] password = "xxxxxx".toCharArray();
        FileInputStream fis = new FileInputStream("test.jks");
        try {
            ks.load(fis, password);
        } finally {
            fis.close();
        }
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry(
                "xxxxxxx", new KeyStore.PasswordProtection("keypass".toCharArray()));
        X509Certificate x509Certificate = (X509Certificate) pkEntry.getCertificate();

        Signature signature = authnReq.getSignature();
        if (signature == null) {
            throw new IllegalArgumentException("AuthnRequest is not signed");
        }

        // Profile check first: a single enveloped Reference that covers the parent element.
        SAMLSignatureProfileValidator profVldr = new SAMLSignatureProfileValidator();
        profVldr.validate(signature);

        // Then the cryptographic check against the expected certificate.
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(x509Certificate);
        SignatureValidator sigValidator = new SignatureValidator(credential);
        sigValidator.validate(signature);
    }


This is the success output.

1955 [main] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#_k7722b88"

The reason I am asking you to try it this way is because, if you use the code below, it auto-generates the namespace and also gives a unique ID to the signature's element (Assertion). I did experience this exception before, but not this one. I was trying to set some namespace manually and it was throwing this error. When I used the builder object, it worked fine.

Hope it works for you.

On Fri, Aug 28, 2009 at 9:31 AM, Deena Gurajala <> wrote:
Hi,

I don't know whether you found the solution or not. The below code is working for me. Everything you and I are doing is the same except the way of building the signature. Please find the modified code below. I hope it works.


 
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallerFactory;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.SignatureBuilder;
import org.w3c.dom.Element;

        // "assertion" was built with the OpenSAML builders earlier; the ID set
        // here is what the enveloped signature's Reference URI will point at.
        assertion.setID("_k7722b88");

// This below part is the same

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] password = "xxxxxx".toCharArray();
        FileInputStream fis = new FileInputStream("c:/keystore/test.ks");
        ks.load(fis, password);
        fis.close();
        char[] achKeyStorePass = password;
        String keyAlias = "mytestkey";
        PrivateKey pk = (PrivateKey) ks.getKey(keyAlias, achKeyStorePass);
        X509Certificate certificate = (X509Certificate) ks.getCertificate(keyAlias);
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(certificate);
        credential.setPrivateKey(pk);

// Below is the difference

        // Build the Signature object through the builder so OpenSAML fills in
        // the ds: namespace and structure itself.
        SignatureBuilder signBldr = new SignatureBuilder();
        Signature signature = signBldr.buildObject();
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.setSignature(signature);

        // Marshall first so the DOM exists, then compute the signature value.
        MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
        Element element = marshaller.marshall(assertion);
        Signer.signObject(signature); // takes the Signature object, not the Assertion

On Fri, Aug 28, 2009 at 8:40 AM, Scott Cantor <> wrote:
Ravi Balasubramanian wrote on 2009-08-28:
> Yes, it is the ID I set to assertion...

Then the xmlsec verifier doesn't know what IDs exist, which is not terribly
unusual. I suspect you're doing SAML 1 and would have to do SAML 2 to get
that online verifier to work by guessing that an attribute called ID is an
XML ID. Patently insecure, but that's common.

-- Scott
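
Scott's point above, that a verifier must be told which attributes are XML IDs rather than guess from the name, and the two-step validate in the first message (SAMLSignatureProfileValidator before SignatureValidator), as an added example that is not part of this thread or of OpenSAML: a small Python re-implementation of the SAML signature-profile rules, run on a constructed SAML 2 Assertion carrying the ID and Reference URI from the log line above. The per-element ID attributes are assumed from the SAML 1.x and 2.0 schemas; the example resolves and checks the reference only and does not verify the signature value.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Schema-declared ID attribute per element type (assumed from the SAML schemas): what
# the verifier must know up front instead of treating any attribute spelled "ID" as an xs:ID.
ID_ATTRS = {"{%s}Assertion" % SAML2: "ID", "{%s}AuthnRequest" % SAML2P: "ID",
            "{%s}Response" % SAML2P: "ID", "{%s}Assertion" % SAML1: "AssertionID"}

def check_signature_profile(xml_text):
    """Return the declared ID of the element the enveloped ds:Signature covers,
    or raise ValueError if the SAML signature-profile rules are not met."""
    root = ET.fromstring(xml_text)
    parent_of = {child: p for p in root.iter() for child in p}
    sigs = list(root.iter("{%s}Signature" % DS))
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature")
    refs = sigs[0].findall("{%s}SignedInfo/{%s}Reference" % (DS, DS))
    if len(refs) != 1:
        raise ValueError("expected exactly one ds:Reference")
    ids = {}  # ID table built only from declared ID attributes; duplicates rejected
    for el in root.iter():
        attr = ID_ATTRS.get(el.tag)
        if attr and attr in el.attrib:
            if el.attrib[attr] in ids:
                raise ValueError("duplicate ID %r" % el.attrib[attr])
            ids[el.attrib[attr]] = el
    signed = parent_of.get(sigs[0])  # the element an enveloped signature must cover
    signed_id = signed.get(ID_ATTRS.get(signed.tag, "")) if signed is not None else None
    if signed_id is None:
        raise ValueError("Signature parent has no schema-declared ID")
    uri = refs[0].get("URI", "")
    if uri not in ("", "#" + signed_id):
        raise ValueError("Reference %r does not cover the Signature's parent" % uri)
    return signed_id

def profile_ok(xml_text):
    try:
        return check_signature_profile(xml_text) is not None
    except ValueError:
        return False

# Constructed sample: a SAML 2 Assertion carrying the ID and Reference URI seen in the thread.
SAML2_SIGNED = ('<saml:Assertion xmlns:saml="%s" ID="_k7722b88" Version="2.0">'
                '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
                '<ds:Reference URI="#_k7722b88"/></ds:SignedInfo></ds:Signature>'
                '</saml:Assertion>') % (SAML2, DS)
```

A SAML 1.x assertion passes the same check through its AssertionID attribute, which a name-based guess for "ID" would never resolve.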
