For any who are interested, it looks like I've solved this particular issue. I 
had to retrieve the X.509 certificate from the Signature, build a SAMLKeyInfo 
object, then use AssertionWrapper's verify to validate the signature. I also 
needed a few extra packages in my pom. Here's some code, minus a bunch of error 
checking:

        // Wrap the DOM element returned by the STS
        AssertionWrapper assertion = new AssertionWrapper(token.getToken());
        // Pull the X.509 certificate out of the assertion's ds:Signature/ds:KeyInfo
        Signature sig = assertion.getSignature();
        KeyInfo ki = sig.getKeyInfo();
        X509Certificate cert = KeyInfoHelper.getCertificates(ki).get(0);
        // Hand that certificate to WSS4J to check the signature value
        SAMLKeyInfo samlKI = new SAMLKeyInfo(new X509Certificate[]{cert});
        assertion.verifySignature(samlKI);

Obviously, this assumes there's always an X.509 cert in the Signature, which in 
my case is always true. If not, you'd have to retrieve the cert from somewhere 
else.

I also needed a few additional pom dependencies:

    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk16</artifactId>
      <version>1.45</version>
    </dependency>
    <dependency>
      <groupId>ca.juliusdavies</groupId>
      <artifactId>not-yet-commons-ssl</artifactId>
      <version>0.3.9</version>
    </dependency>

I'm not 100% sure I needed bouncy castle, but I was addressing some warnings 
that popped up in my log with it, and including it seemed to make it happy. 
OpenSAML 2 requires org.apache.commons.ssl.TrustMaterial, which is in the 
not-yet-commons-ssl package - which was hard (for me) to figure out for some 
reason.

In any case, problem solved. Hopefully this info helps someone else out.

Stephen W. Chappell
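One thing the snippet above does not do is decide whether the certificate found inside the assertion is one the application should trust: verifySignature() only proves the XML was signed with the key that travels alongside it, so any party able to mint a self-signed certificate could satisfy it. The class below is an added example, not code from the thread or from CXF/WSS4J, showing the same AssertionWrapper / KeyInfoHelper / SAMLKeyInfo sequence wrapped in a trust check against a local JKS truststore (the truststore path, its password and the class name are assumptions). The signing certificate must either be pinned directly in the truststore or chain to a CA stored there (PKIX validation via the JDK's CertPathValidator); only then is the signature checked.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.List;

import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;

// Assumed class name; not part of CXF or WSS4J.
public class TrustedAssertionVerifier {

    private final KeyStore trustStore;

    // trustStorePath/password are assumptions: point them at the JKS that holds
    // the STS signing certificate (pinned) or the CA that issued it.
    public TrustedAssertionVerifier(String trustStorePath, char[] password) throws Exception {
        trustStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
    }

    // Returns the wrapped assertion only if the embedded signing certificate is
    // trusted AND the enveloped signature verifies with that certificate.
    public AssertionWrapper verify(SecurityToken token) throws Exception {
        AssertionWrapper assertion = new AssertionWrapper(token.getToken());

        Signature sig = assertion.getSignature();
        if (sig == null) {
            throw new SecurityException("Assertion is not signed");
        }
        KeyInfo ki = sig.getKeyInfo();
        if (ki == null) {
            throw new SecurityException("Signature carries no KeyInfo; cannot locate signer");
        }
        List<X509Certificate> certs = KeyInfoHelper.getCertificates(ki);
        if (certs.isEmpty()) {
            throw new SecurityException("KeyInfo carries no X.509 certificate");
        }

        // Establish trust in the certificate BEFORE relying on it for the signature.
        X509Certificate signer = certs.get(0);
        signer.checkValidity();                 // not-before / not-after
        if (!isTrusted(certs)) {
            throw new SecurityException("Signing certificate is not trusted: "
                    + signer.getSubjectX500Principal());
        }

        // Same WSS4J call as in the thread, now with a vetted certificate.
        SAMLKeyInfo samlKI = new SAMLKeyInfo(new X509Certificate[]{signer});
        assertion.verifySignature(samlKI);
        return assertion;
    }

    // Fast path: the leaf certificate itself is an entry in the truststore (pinning).
    // Otherwise: build a PKIX path from the KeyInfo chain to a CA in the truststore.
    private boolean isTrusted(List<X509Certificate> chain) throws Exception {
        if (trustStore.getCertificateAlias(chain.get(0)) != null) {
            return true;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption for this example: no CRL/OCSP source is configured, so
        // revocation checking is disabled. Enable it where a source exists.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (java.security.cert.CertPathValidatorException e) {
            return false;
        }
    }
}
```

Usage is `new TrustedAssertionVerifier("/path/to/sts-trust.jks", "changeit".toCharArray()).verify(stsClient.requestSecurityToken())`. A passing signature still says nothing about the assertion's issuer, audience or validity window; those conditions are a separate check on the returned AssertionWrapper.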


-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Monday, September 29, 2014 2:38 PM
To: users@cxf.apache.org
Subject: Verifying signature on AssertionWrapper

In the legacy code that I am porting up to CXF 2.7, there is some code that 
gets a SAML assertion from an STS and verifies the signature:

        SecurityToken token = this.stsClient.requestSecurityToken();
        SAMLAssertion assertion = new SAMLAssertion(token.getToken());
        assertion.verify();

OpenSAML 2 no longer has a verify() method, so I thought I would replace it 
with something like:

        SecurityToken token = this.stsClient.requestSecurityToken();
        AssertionWrapper assertion = new AssertionWrapper(token.getToken());
        assertion.verifySignature(assertion.getSignatureKeyInfo());

The problem is, the getSignatureKeyInfo() method returns null. The signature 
block out of the assertion looks like this:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        ...
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>

So, there is an X509 credential there as part of the signature, I just can't 
seem to get at it. Trying to access the signing credential via the OpenSAML 
Signature object had the same problem.

So it seems obvious that I'm missing something somewhere along the line here, 
but I can't figure out what. Can someone point me in the right direction?

Thanx,

Stephen W. Chappell
