Hi Håkon,
Did you take a look at the patch [1]? It is not yet applied to WSS4J
trunk but I think it will be useful for you.
regards,
Nandana
[1] - https://issues.apache.org/jira/browse/WSS-204
2009/10/21 Håkon Sagehaug <[email protected]>
> Hi all,
>
> I've tried using Rampart 1.5, and made an STS service that issues a SAML2
> assertion, so now I want to try to validate the signature. But I'm facing
> problems doing that. My STS service is the same as the one provided by the
> distribution. I've looked at the OpenSAML list and documentation and my
> signature validation code looks like this
>
> // Load the issuer certificate from the keystore used by the STS
> KeyStore ks = KeyStore.getInstance("JKS");
> InputStream is = new FileInputStream("resource/service.jks");
> // char password [] = new char[]{""};
>
> ks.load(is, "pass".toCharArray());
>
> KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("alias",
>         new KeyStore.PasswordProtection("pass".toCharArray()));
>
> X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
>
> // Wrap the certificate as the credential the signature must verify against
> BasicX509Credential x509Credential = new BasicX509Credential();
> x509Credential.setEntityCertificate(cert);
> x509Credential.getEntityCertificateChain().add(cert);
>
> // Profile check (reference/transform structure), then the cryptographic check
> SAMLSignatureProfileValidator signProfileValidator = new SAMLSignatureProfileValidator();
> signProfileValidator.validate(ass.getSignature());
>
> SignatureValidator signValidator = new SignatureValidator(x509Credential);
> signValidator.validate(ass.getSignature());
>
> But I always get
>
> org.opensaml.xml.validation.ValidationException: Signature did not validate
> against the credential's key
>
> I do the conversion from org.apache.rahas.Token to SAML Assertion like this
>
> // Axiom OM element -> W3C DOM element via an identity transform
> OMSource source = new OMSource(responseToken.getToken());
> Element assercioSAMLDOM = null;
> Transformer transformer;
> TransformerFactory transFac = TransformerFactory.newInstance();
>
> try {
>     transformer = transFac.newTransformer();
>     DOMResult result = new DOMResult();
>     transformer.transform(source, result);
>
>     assercioSAMLDOM = ((Document) result.getNode()).getDocumentElement();
> } catch (TransformerConfigurationException e2) {
>     e2.printStackTrace();
> } catch (TransformerException e) {
>     e.printStackTrace();
> }
>
> // DOM element -> OpenSAML Assertion object
> UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
> Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
>
> Assertion ass = (Assertion) unmarshaller.unmarshall(assercioSAMLDOM);
>
>
> I've seen on the SAML list that these errors are often due to conversion from
> one XML model to another (token to SAML Assertion).
>
> So my question is: I looked in the Rampart SVN for validation code for SAML
> 2 tokens, but could not find anything. Has anyone tried this? Also, is the
> conversion from the Rahas token to a DOM element correct? I managed to
> validate signatures when validating the issued SAML 1 token, but not now.
>
>
> cheers, Håkon
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
>
--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana.org/
http://www.wso2.org
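As an added example (not code from this thread, Rampart or OpenSAML), here is a complete OpenSAML 2 routine for the validation Håkon describes: it re-parses the serialized assertion with OpenSAML's namespace-aware parser pool instead of a Transformer/DOMResult round trip, rejects unsigned assertions, and runs the profile validator before the cryptographic check. The class and method names are assumptions, as is serializing the Rahas token's OMElement to a string (for example with OMElement.toString()) before calling it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

// Hypothetical helper, not part of Rampart or OpenSAML.
public class Saml2AssertionVerifier {

    /**
     * Returns the assertion if its enveloped signature follows the SAML
     * signature profile and verifies against signerCert; throws otherwise.
     * assertionXml is the serialized <saml2:Assertion> element.
     */
    public static Assertion verify(String assertionXml, X509Certificate signerCert) throws Exception {
        DefaultBootstrap.bootstrap();  // registers OpenSAML's (un)marshallers; normally done once at startup

        // Parse with a namespace-aware parser so the DOM keeps exactly the namespace
        // declarations and whitespace the issuer signed; any difference breaks the digest.
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        byte[] xml = assertionXml.getBytes(StandardCharsets.UTF_8);
        Element root = pool.parse(new ByteArrayInputStream(xml)).getDocumentElement();

        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Assertion assertion = (Assertion) unmarshaller.unmarshall(root);

        // An unsigned assertion must be rejected, not passed to a validator as null.
        Signature signature = assertion.getSignature();
        if (signature == null) {
            throw new ValidationException("Assertion is not signed");
        }

        // Profile check first: one Reference, pointing at this assertion's ID, enveloped transform.
        new SAMLSignatureProfileValidator().validate(signature);

        // Then the cryptographic check against the trusted issuer certificate.
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(signerCert);
        new SignatureValidator(credential).validate(signature);
        return assertion;
    }
}
```

The issuer certificate should come from a trust store under the relying party's control rather than from the assertion's own KeyInfo, otherwise any signer passes the check.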