mace-opensaml-users - Re: [OpenSAML] SAML signature validation

Subject: OpenSAML user discussion

Re: [OpenSAML] SAML signature validation


  • From: murali mca <>
  • To:
  • Subject: Re: [OpenSAML] SAML signature validation
  • Date: Mon, 23 Nov 2009 01:53:10 +0530 (IST)


Thanks for correcting me.
 
I am trying to use trusted keystore to validate the signature as below:
 
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

// Check that the signature obeys the SAML signature profile before verifying it.
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(signatureToValidate);
log.info("SAML signature profile validation has been successful");

// Load the trusted certificate from the local keystore.
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
char[] password = "sspass".toCharArray();
FileInputStream fis = new FileInputStream("C:\\Program Files\\Java\\jdk1.5.0_15\\bin\\serviceKeystore1.jks");
try {
    ks.load(fis, password);
} finally {
    fis.close();
}
// A trusted-certificate entry has no protection parameter, hence null.
KeyStore.TrustedCertificateEntry tcEntry = (KeyStore.TrustedCertificateEntry) ks.getEntry("MyClientKey", null);
X509Certificate samlCertificate = (X509Certificate) tcEntry.getTrustedCertificate();

// Wrap the certificate in a credential and create a SignatureValidator with it.
BasicX509Credential credentialsSign509 = new BasicX509Credential();
credentialsSign509.setEntityCertificate(samlCertificate);
credentialsSign509.setPublicKey(samlCertificate.getPublicKey());
SignatureValidator signatureValidator = new SignatureValidator(credentialsSign509);

try {
    signatureValidator.validate(signatureToValidate);
} catch (ValidationException e) {
    e.printStackTrace();
}
INFO: ObjectProviders load complete
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateAssertionParams  - assertion ID is:123
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateAssertionParams  - IssuerName is:http://some.issuer.here
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateAssertionParams  - Issuer is: http://some.issuer.here
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateAssertionParams  - 2009-10-09T18:48:07.000Z
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateAssertionParams  - false
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateSAML2Signature  - SAML signature profile validation has been successful
[http-8083-1] INFO  com.aviva.tam.pmi.ValidateSAML2Signature  - SAML signature profile validation has been successful

09-Oct-2009 19:53:11 org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#123"
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
        at com.aviva.tam.pmi.ValidateSAML2Signature.signatureValidator(ValidateSAML2Signature.java:168)
        at org.apache.jsp.service_005fprovider_jsp._jspService(service_005fprovider_jsp.java:241)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:196)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
        at java.lang.Thread.run(Unknown Source)
I am sure I am using the correct key for validation.
I have no clue about this error; can someone help me?
I enabled the "debug" level in the log4j.properties file, but could not see the
debug statements of the SAML API classes in the output. Any idea how I can see the debug messages?
 
Many Thanks

--- On Fri, 20/11/09, Brent Putman <> wrote:

From: Brent Putman <>
Subject: Re: [OpenSAML] SAML signature validation
To:
Date: Friday, 20 November, 2009, 5:52 AM

That method (and also the getContentReferences()) is only used during signing to supply the signing key.  It isn't used during validation and isn't populated by the unmarshaller, hence the NPE.  I don't think any of our docs or examples on the wiki have anything like that in them, but if they do, let us know where so we can fix them.

You need to supply the validation Credential from elsewhere.  You can pull the actual Key/Credential out of the Signature/KeyInfo data, either by manual processing or using the KeyInfoCredentialResolver, and then use the SignatureValidator with the result.  Or you can pull it from out-of-band trusted data.

For a real-world deployment, note the warning about using KeyInfo-derived Credential *only* to validate the signature. 

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG#OSTwoUserManJavaDSIG-VerifyingaSignaturewithaCredential


You must somehow establish the trust of the validation key.  For that you might consider using a SignatureTrustEngine rather than the low-level SignatureValidator, as discussed in the next section on the wiki.

--Brent
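The trust-engine approach Brent recommends, as an added example that is not code from this thread or from the OpenSAML project. It builds an ExplicitKeySignatureTrustEngine from one certificate in a local truststore, binds that key to the issuer entityID it is allowed to sign for, parses the received assertion with a namespace-aware parser that refuses DTDs, and then runs the SAML profile check and the trust-engine validation over the DOM exactly as it arrived. It targets the OpenSAML 2.x API of the thread's era; the class name, the truststore path and password taken from the command line, the alias MyClientKey and the issuer http://some.issuer.here are assumptions (the last two are reused from the question as placeholders).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Added example (not from the thread): verify a SAML 2 assertion against a key trusted out of band. */
public class TrustedAssertionVerifier {

    /** Trust engine whose only acceptable signing key is the truststore certificate under {@code alias},
     *  bound to the issuer entityID it may sign for. */
    public static SignatureTrustEngine buildTrustEngine(KeyStore trustStore, String alias, String issuerEntityId)
            throws Exception {
        X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + alias);
        }
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(cert);
        trusted.setPublicKey(cert.getPublicKey());
        trusted.setEntityId(issuerEntityId);     // this key may only vouch for this issuer
        trusted.setUsageType(UsageType.SIGNING);

        // Trusted keys come from our store. The KeyInfo resolver only helps locate the key the
        // signer used; a key embedded in the message never becomes trusted by itself.
        StaticCredentialResolver trustedKeys = new StaticCredentialResolver(trusted);
        KeyInfoCredentialResolver keyInfoResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        return new ExplicitKeySignatureTrustEngine(trustedKeys, keyInfoResolver);
    }

    /** Parse the message as received: namespace-aware, no DTD processing, and no re-serialisation
     *  afterwards, since the signature reference digest covers the element exactly as it was signed. */
    public static Assertion parseAssertion(InputStream xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(xml);
        Element root = doc.getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return (Assertion) unmarshaller.unmarshall(root);
    }

    /** True only if the assertion is signed, names the expected issuer, follows the SAML signature
     *  profile, and verifies under a key we trust for that issuer. */
    public static boolean isTrustworthy(Assertion assertion, SignatureTrustEngine engine, String expectedIssuer)
            throws Exception {
        Signature signature = assertion.getSignature();
        if (signature == null) {
            return false;                        // unsigned assertions are never accepted
        }
        if (assertion.getIssuer() == null || !expectedIssuer.equals(assertion.getIssuer().getValue())) {
            return false;                        // issuer in the message must be the one we expect
        }
        new SAMLSignatureProfileValidator().validate(signature);   // enveloped, one reference, to the assertion

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(expectedIssuer));      // key must be registered for this issuer
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return engine.validate(signature, criteria);
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        // args: truststore path, truststore password, assertion XML file (all placeholders)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream fis = new FileInputStream(args[0]);
        try {
            ks.load(fis, args[1].toCharArray());
        } finally {
            fis.close();
        }
        String issuer = "http://some.issuer.here";   // assumed issuer entityID
        SignatureTrustEngine engine = buildTrustEngine(ks, "MyClientKey", issuer);
        Assertion assertion = parseAssertion(new FileInputStream(args[2]));
        System.out.println("assertion trusted: " + isTrustworthy(assertion, engine, issuer));
    }
}
```

The difference from the low-level SignatureValidator is the EntityIDCriteria: the engine only accepts a signature if the verifying key is one the resolver holds for that issuer, so a correctly signed assertion from some other key, including one carried in the message's own KeyInfo, is rejected rather than merely "validated". Separately, Santuario's "Verification failed for URI" warning is logged when the digest of the referenced element no longer matches what was signed, which no choice of key can repair; that is why the parser above keeps the received DOM untouched.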

