I'm hoping this is the right list to be emailing this question to. I
created a function to do verification of a SAML Assertion, well at least
the digital signature part anyways. The function is called from an
external application and is below.
public boolean VerifySignature(String token, String certPath) throws
Exception {
//Initialize the library
org.apache.xml.security.Init.init();
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.newInstance();
dbf.setNamespaceAware(true);
dbf.setAttribute("http://xml.org/sax/features/namespaces",
Boolean.TRUE);
DocumentBuilder db = dbf.newDocumentBuilder();
db.setErrorHandler(new
org.apache.xml.security.utils.IgnoreAllErrorHandler());
byte inputBytes[] = token.getBytes();
Document doc = db.parse(new ByteArrayInputStream(inputBytes));
Element sigElement = null;
NodeList nodes =
doc.getElementsByTagNameNS(org.apache.xml.security.utils.Constants.Signa
tureSpecNS,"Signature");
String password = "mypass";
if(nodes.getLength() !=0 ){
// Found Nodes for Signature element
sigElement = (Element)nodes.item(0);
XMLSignature signature = new XMLSignature(sigElement,"");
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(new
File(certPath)),password.toCharArray());
PublicKey pubkey =
ks.getCertificate("mycert").getPublicKey();
return signature.checkSignatureValue(pubkey);
}
return false;
}
On all of the examples and test files I see user files for the XML and
subsequently use something like file.toUrl().toString() for the URI
definition for the XMLSignature creation. I have a "" for it. In this
case, I am passing the string representation of the XML (that's how it
is received) into the function and I used "" for the URI. The one item I
do not have in my class that I have seen in some, but not all, of the
examples is the ResourceResolver class. The saml:Assertion part of the
document isn't the top-level node, it's about 3 nodes deep and contains
the signature. The Reference node contains a self-referencing identifier
to the saml:Assertion node. The above method works fine when the
referenced node is the root node, but not if it is a child node. I know
I am doing something wrong here, but I can't find that much
documentation on the Apache library or examples the way I need to
execute the verification. I am using the 1.2.0 library with
xml-sec-1.2.96.jar due to JRE restrictions of the my application server.
Thanks for any help provided.
-- Phil