Hi all,
I've tried using Rampart 1.5 and made an STS service that issues a SAML2
assertion, so now I want to try to validate the signature, but I'm facing
problems doing that. My STS service is the same as the one provided by the
distribution. I've looked at the OpenSAML list and documentation, and my
signature validation code looks like this:
    // Load the certificate used for verification from the service keystore
    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream is = new FileInputStream("resource/service.jks");
    // char password [] = new char[]{""};
    ks.load(is, "pass".toCharArray());
    KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("alias",
            new KeyStore.PasswordProtection("pass".toCharArray()));
    X509Certificate cert = (X509Certificate) pkEntry.getCertificate();

    // Wrap the certificate in an OpenSAML credential
    BasicX509Credential x509Credential = new BasicX509Credential();
    x509Credential.setEntityCertificate(cert);
    x509Credential.getEntityCertificateChain().add(cert);

    // First check the SAML signature profile, then verify the signature against the credential
    SAMLSignatureProfileValidator signProfileValidator = new SAMLSignatureProfileValidator();
    signProfileValidator.validate(ass.getSignature());
    SignatureValidator signValidator = new SignatureValidator(x509Credential);
    signValidator.validate(ass.getSignature());
But I always get
org.opensaml.xml.validation.ValidationException: Signature did not validate
against the credential's key
I do the conversion from org.apache.rahas.Token to a SAML Assertion like this:
    // Convert the Axiom (OM) token element into a DOM element with an identity transform
    OMSource source = new OMSource(responseToken.getToken());
    Element assercioSAMLDOM = null;
    Transformer transformer;
    TransformerFactory transFac = TransformerFactory.newInstance();
    try {
        transformer = transFac.newTransformer();
        DOMResult result = new DOMResult();
        transformer.transform(source, result);
        assercioSAMLDOM = ((Document) result.getNode()).getDocumentElement();
    } catch (TransformerConfigurationException e2) {
        e2.printStackTrace();
    } catch (TransformerException e) {
        e.printStackTrace();
    }

    // Unmarshal the DOM element into an OpenSAML Assertion object
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
    Assertion ass = (Assertion) unmarshaller.unmarshall(assercioSAMLDOM);
I've seen on the SAML list that these errors are often due to conversion from one
XML model to another (token to SAML Assertion).
So my question is: I looked in the Rampart svn for validation code for SAML
2 tokens, but could not find anything. Has anyone tried this? Also, is the
conversion from the rahas token to a DOM element correct? I managed to
validate signatures when validating an issued SAML 1 token, but not now.
cheers, Håkon
--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
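An added example (not code from the original post or from the Rampart/OpenSAML projects) of the conversion-and-validation flow described above: the Axiom element is serialized to bytes and re-parsed with OpenSAML's namespace-aware parser pool instead of being pushed through an identity Transformer, and the signature is checked against the STS's public certificate rather than a PrivateKeyEntry. Class and method names, the keystore path, alias and password are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.apache.axiom.om.OMElement;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class Saml2TokenVerifier {  // hypothetical helper, not part of Rampart
    /** Rebuilds the assertion from the Axiom element via a namespace-aware parse and checks its signature. */
    public static Assertion verify(OMElement tokenElement, X509Certificate issuerCert) throws Exception {
        DefaultBootstrap.bootstrap(); // registers OpenSAML unmarshallers and the XML-Security provider
        // Serialize Axiom -> bytes -> DOM. The signature references are resolved on this DOM,
        // so namespaces and whitespace must survive the round trip exactly as the STS signed them.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        tokenElement.serialize(out);
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Document doc = pool.parse(new ByteArrayInputStream(out.toByteArray()));
        Element root = doc.getDocumentElement();
        Assertion assertion = (Assertion) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(root).unmarshall(root);
        if (assertion.getSignature() == null) {
            throw new IllegalStateException("assertion is not signed");
        }
        // Profile check first (enveloped signature over the assertion itself), then the cryptographic check
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        // Verify with the STS's public certificate; the relying party never needs the issuer's private key
        BasicX509Credential issuer = new BasicX509Credential();
        issuer.setEntityCertificate(issuerCert);
        new SignatureValidator(issuer).validate(assertion.getSignature());
        return assertion;
    }

    /** Loads the trusted STS certificate from a keystore; path, password and alias are placeholders. */
    public static X509Certificate loadIssuerCert(String path, String pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(path), pass.toCharArray());
        return (X509Certificate) ks.getCertificate(alias);
    }
}
```

If this path validates while the Transformer path does not, the DOMResult document (often built without namespace awareness) is the likely cause of the "did not validate against the credential's key" error.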