mace-opensaml-users - Re: [OpenSAML] SAML signature validation

Subject: OpenSAML user discussion

Re: [OpenSAML] SAML signature validation


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] SAML signature validation
  • Date: Thu, 19 Nov 2009 19:22:00 -0500
murali mca wrote:

> However, I am getting "null pointer exception" while retrieving the Credential (signatureToValidate.getSigningCredential();) from signature.

That method (and also the getContentReferences()) is only used during signing to supply the signing key.  It isn't used during validation and isn't populated by the unmarshaller, hence the NPE.  I don't think any of our docs or examples on the wiki have anything like that in them, but if they do, let us know where so we can fix them.

You need to supply the validation Credential from elsewhere.  You can pull the actual Key/Credential out of the Signature/KeyInfo data, either by manual processing or using the KeyInfoCredentialResolver, and then use the SignatureValidator with the result.  Or you can pull it from out-of-band trusted data.

For a real-world deployment, note the warning about using KeyInfo-derived Credential *only* to validate the signature. 

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG#OSTwoUserManJavaDSIG-VerifyingaSignaturewithaCredential


You must somehow establish the trust of the validation key.  For that you might consider using a SignatureTrustEngine rather than the low-level SignatureValidator, as discussed in the next section on the wiki.

--Brent
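The two paths Brent describes, as an added example written for this archive page (it is not code from the original message, from the wiki, or from the OpenSAML project): resolving the key out of ds:KeyInfo and handing it to SignatureValidator, which proves only that the XML is intact, versus an ExplicitKeySignatureTrustEngine fed from an out-of-band trusted certificate, which also establishes who signed. It assumes the OpenSAML 2.x Java API behind the wiki link above and that DefaultBootstrap.bootstrap() has already run; the issuerEntityId and trustedIssuerCert parameters are placeholders the caller supplies from its own configuration.

```java
import java.security.cert.X509Certificate;

import org.opensaml.Configuration;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

/** Example only; assumes DefaultBootstrap.bootstrap() has already been called. */
public final class SamlSignatureChecks {

    private SamlSignatureChecks() {}

    /** Structural check first: rejects signatures whose reference does not cover the parent element. */
    public static void checkProfile(Signature signature) throws ValidationException {
        new SAMLSignatureProfileValidator().validate(signature);
    }

    /**
     * Path 1 from the reply: take the key from ds:KeyInfo and verify with SignatureValidator.
     * ds:KeyInfo is supplied by whoever built the message, so a pass here proves integrity
     * against that key only, not that the key belongs to the expected issuer.
     */
    public static Credential verifyWithKeyInfoOnly(Signature signature)
            throws SecurityException, ValidationException {
        checkProfile(signature);
        KeyInfoCredentialResolver kiResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new KeyInfoCriteria(signature.getKeyInfo()));
        Credential fromKeyInfo = kiResolver.resolveSingle(criteria);
        if (fromKeyInfo == null) {
            throw new ValidationException("Signature carries no KeyInfo the resolver can use");
        }
        new SignatureValidator(fromKeyInfo).validate(signature); // throws on mismatch
        return fromKeyInfo;
    }

    /**
     * Path 2 from the reply: a SignatureTrustEngine whose trusted keys come from out-of-band data.
     * Returns true only if the signature verifies with a key that matches the trusted credential
     * registered for issuerEntityId; a KeyInfo key that is not trusted is rejected.
     */
    public static boolean verifyWithTrustEngine(Signature signature,
                                                String issuerEntityId,        // placeholder
                                                X509Certificate trustedIssuerCert) // placeholder
            throws SecurityException, ValidationException {
        checkProfile(signature);

        // Trusted credential built from configuration, not from the message.
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(trustedIssuerCert);
        trusted.setEntityId(issuerEntityId);
        trusted.setUsageType(UsageType.SIGNING);

        KeyInfoCredentialResolver kiResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        SignatureTrustEngine engine =
            new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(trusted), kiResolver);

        // Criteria select which trusted credentials the engine may use for this message.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuerEntityId));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return engine.validate(signature, criteria);
    }
}
```

In production code only the second method should gate acceptance of an assertion: the first is useful for diagnosing why an unmarshalled Signature fails, but a caller that stops there has accepted whatever key the sender chose to embed.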
