mace-opensaml-users - [OpenSAML] Signature validation

  • From: Chris Card <>
  • To: <>
  • Subject: [OpenSAML] Signature validation
  • Date: Tue, 17 Aug 2010 14:08:09 +0000
  • Importance: Normal

I've got a SAML response which has a signed Assertion in it, and the corresponding SAML2 metadata containing the X509 certificate for the public key.

I've written code that attempts to verify the signature in the Assertion with the public key taken from the metadata; here's a snippet:

        // Headers needed by this snippet (xmltooling)
        #include <xmltooling/XMLToolingConfig.h>
        #include <xmltooling/exceptions.h>
        #include <xmltooling/security/Credential.h>
        #include <xmltooling/security/KeyInfoResolver.h>
        #include <xmltooling/signature/SignatureValidator.h>
        #include <memory>

        // Resolve the metadata KeyInfo into a Credential via the configured resolver
        const KeyInfoResolver* keyInfoResolver = XMLToolingConfig::getConfig().getKeyInfoResolver();
        if (!keyInfoResolver)
        {
            log.error("Failed to get key info resolver");
            throw XMLToolingException("Failed to get key info resolver");
        }

        // resolve() returns a Credential the caller owns, so hold it in a smart pointer
        // instead of leaking it as the original did
        std::auto_ptr<Credential> credential(keyInfoResolver->resolve(keyInfo));
        if (!credential.get())
        {
            log.error("Failed to resolve keyInfo into credential");
            throw XMLToolingException("Failed to resolve keyInfo into credential");
        }

        // Validate the signature
        try
        {
            // Stack-allocated: the original heap-allocated the validator and never freed it
            SignatureValidator signatureValidator(credential.get());
            signatureValidator.validate(signatureToValidate);
        }
        catch (XMLToolingException& e)
        {
            // Log the underlying reason (e.g. "Digital signature does not validate with the supplied key")
            log.error("Signature validation failed: %s", e.what());
            throw;
        }

The keyInfo was created from the metadata xml like this:

        // Headers needed by this snippet (opensaml / xercesc)
        #include <saml/saml2/metadata/Metadata.h>
        #include <xercesc/util/XMLString.hpp>

        const std::vector<IDPSSODescriptor*>& idpssoDescriptors = entityDescriptor_->getIDPSSODescriptors();
        if (!idpssoDescriptors.empty())
        {
            const IDPSSODescriptor* idpssoDescriptor = idpssoDescriptors[0];
            const std::vector<KeyDescriptor*>& keyDescriptors = idpssoDescriptor->getKeyDescriptors();
            for (std::vector<KeyDescriptor*>::const_iterator it = keyDescriptors.begin();
                 it != keyDescriptors.end();
                 ++it)
            {
                // A KeyDescriptor with no "use" attribute is valid for both signing and
                // encryption, so treat a missing/empty use the same as use="signing".
                const XMLCh* use = (*it)->getUse();
                bool usableForSigning = (!use || !*use ||
                                         XMLString::equals(use, KeyDescriptor::KEYTYPE_SIGNING));
                if (usableForSigning && (*it)->getKeyInfo())
                {
                    // Keep the first signing key only; the original overwrote the pointer on
                    // every match and leaked the earlier clones. Metadata may list several
                    // signing keys (e.g. during a key rollover), in which case a verifier has
                    // to try each of them rather than just one.
                    signingKeyInfo_ = (*it)->getKeyInfo()->cloneKeyInfo();
                    break;
                }
            }
        }

However, the call to validate() throws, because the underlying call to DSIGSignature::verify() returns false, and I see the error message "Digital signature does not validate with the supplied key".

As far as I know, the public key from the metadata and the signature are correct and correspond to each other, but they are generated by a third-party product, so I can't be absolutely sure.

Any idea how to go about debugging this?

Chris
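A first debugging step for the failure described above is to confirm that the certificate the IdP actually signed with is the one the metadata advertises for signing. Many IdPs embed their certificate in the Assertion's ds:KeyInfo, and comparing it with the metadata's KeyDescriptor by fingerprint (rather than by raw text, which differs in base64 line wrapping) quickly separates "wrong key in metadata" from "broken signature". The helper below is an added example, not part of Chris's post or of the OpenSAML code base; it uses only the Python standard library, assumes the certificate is present in the response's KeyInfo, and the two documents it builds contain constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def _decode_cert_element(el):
    """Base64-decode one ds:X509Certificate element.

    All whitespace is stripped first: metadata and assertions wrap the base64 at
    different widths, so a raw string comparison can fail even when both carry
    the same certificate.
    """
    return base64.b64decode("".join((el.text or "").split()))


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_in_signature(response_xml):
    """DER certificates found in any ds:X509Certificate of the response (document order)."""
    root = ET.fromstring(response_xml)
    return [_decode_cert_element(el) for el in root.iter("{%s}X509Certificate" % DS_NS)]


def signing_certs_in_metadata(metadata_xml):
    """DER certificates from KeyDescriptors usable for signing.

    A KeyDescriptor with no 'use' attribute applies to both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") not in (None, "signing"):
            continue
        out.extend(_decode_cert_element(el) for el in kd.iter("{%s}X509Certificate" % DS_NS))
    return out


def compare_signing_certs(response_xml, metadata_xml):
    """Return 'match', 'mismatch', or a message saying which side had no certificate."""
    in_sig = certs_in_signature(response_xml)
    in_md = signing_certs_in_metadata(metadata_xml)
    if not in_sig:
        return "no certificate in response KeyInfo"
    if not in_md:
        return "no signing certificate in metadata"
    md_fps = {fingerprint(c) for c in in_md}
    return "match" if any(fingerprint(c) in md_fps for c in in_sig) else "mismatch"


# Constructed sample inputs: placeholder bytes standing in for DER certificates
DER_SIGN = b"constructed placeholder for the IdP signing certificate"
DER_ENC = b"constructed placeholder for the IdP encryption certificate"


def _wrap(der, width=24):
    """Base64 with line wrapping and indentation, as an IdP typically emits it."""
    b64 = base64.b64encode(der).decode()
    return "\n        ".join(b64[i:i + width] for i in range(0, len(b64), width))


def build_response(der):
    """Constructed SAML response whose Assertion's KeyInfo carries the given cert."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="{DS_NS}">
  <saml:Assertion>
    <ds:Signature>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrap(der)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def build_metadata(signing_der, encryption_der):
    """Constructed IdP metadata with one encryption and one signing KeyDescriptor."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.invalid/placeholder">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(encryption_der).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(signing_der).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    response, metadata = build_response(DER_SIGN), build_metadata(DER_SIGN, DER_ENC)
    for c in certs_in_signature(response):
        print("response KeyInfo :", fingerprint(c))
    for c in signing_certs_in_metadata(metadata):
        print("metadata signing :", fingerprint(c))
    print(compare_signing_certs(response, metadata))
```

If the fingerprints match, the metadata key is the right one and the problem lies in the signed content itself (canonicalization, a modified document, or the wrong element being verified); if they differ, the third-party product is signing with a key other than the one it publishes, which is worth raising with the IdP operator before touching the verification code.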