I think you should add the enveloped-signature transformation to the signature;
it should help you.

On 3/27/07, Phillip Duba <[EMAIL PROTECTED]> wrote:

 I'm hoping this is the right list to be emailing this question to. I
created a function to do verification of a SAML Assertion, well at least the
digital signature part anyways. The function is called from an external
application and is below.



    import java.io.ByteArrayInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PublicKey;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.apache.xml.security.signature.XMLSignature;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NodeList;

    public boolean VerifySignature(String token, String certPath) throws Exception {
      // Initialize the library
      org.apache.xml.security.Init.init();

      // Namespace-aware parser; signature processing needs namespaces intact
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setNamespaceAware(true);
      dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.setErrorHandler(new org.apache.xml.security.utils.IgnoreAllErrorHandler());

      // The assertion arrives as a string; decode it as UTF-8 rather than the platform default
      byte inputBytes[] = token.getBytes("UTF-8");
      Document doc = db.parse(new ByteArrayInputStream(inputBytes));

      Element sigElement = null;
      NodeList nodes = doc.getElementsByTagNameNS(
          org.apache.xml.security.utils.Constants.SignatureSpecNS, "Signature");
      String password = "mypass";

      if (nodes.getLength() != 0) {
        // Found Nodes for Signature element
        sigElement = (Element) nodes.item(0);
        XMLSignature signature = new XMLSignature(sigElement, "");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(new File(certPath)), password.toCharArray());
        PublicKey pubkey = ks.getCertificate("mycert").getPublicKey();
        return signature.checkSignatureValue(pubkey);
      }
      return false;
    }



In all of the examples and test files I see, they use files for the XML and
subsequently use something like file.toUrl().toString() for the URI
definition for the XMLSignature creation. I have a "" for it. In this case,
I am passing the string representation of the XML (that's how it is
received) into the function and I used "" for the URI. The one item I do not
have in my class that I have seen in some, but not all, of the examples is
the ResourceResolver class. The saml:Assertion part of the document isn't
the top-level node, it's about 3 nodes deep and contains the signature. The
Reference node contains a self-referencing identifier to the saml:Assertion
node. The above method works fine when the referenced node is the root node,
but not if it is a child node. I know I am doing something wrong here, but I
can't find that much documentation on the Apache library or examples the way
I need to execute the verification. I am using the 1.2.0 library with
xml-sec-1.2.96.jar due to JRE restrictions of my application server. Thanks
for any help provided.



-- Phil




--
http://r-bg.com
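As an added example (not code from either poster), here is how a verifier for the situation in the quoted function can be written against the Apache XML Security API. It registers the Assertion's ID attribute with the library's IdResolver so that a same-document Reference of the form "#id" resolves even when the Assertion is not the document element, accepts only a Signature that is a direct child of that Assertion, and requires the signed Reference to cover the Assertion itself before checking the signature value. The class name, method signature, keystore-alias parameter, the SAML 1.x/2.0 attribute handling and the assumption that IdResolver.registerElementById(Element, String) is present in the 1.2.x library are mine, not from the thread; the SAML namespace URIs are the standard ones.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical helper class written for this thread; not part of Apache XML Security.
public class AssertionSignatureVerifier {

    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    static {
        org.apache.xml.security.Init.init();
    }

    public static boolean verifyAssertionSignature(String token, String keystorePath,
            char[] keystorePassword, String certAlias) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(token.getBytes("UTF-8")));

        // Locate the Assertion wherever it sits in the tree (it need not be the root).
        Element assertion = firstElement(doc, SAML2_NS, "Assertion");
        if (assertion == null) assertion = firstElement(doc, SAML1_NS, "Assertion");
        if (assertion == null) return false;

        // SAML 2.0 names the identifier attribute "ID"; SAML 1.x names it "AssertionID".
        String id = assertion.getAttribute("ID");
        if (id.length() == 0) id = assertion.getAttribute("AssertionID");
        if (id.length() == 0) return false;

        // Assumption: IdResolver.registerElementById(Element, String) exists in the 1.2.x jar.
        // Without this, a Reference URI of "#<id>" cannot be resolved for a non-root element.
        IdResolver.registerElementById(assertion, id);

        // Accept only a Signature that is a direct child of the Assertion being verified,
        // not the first Signature found anywhere in the document.
        Element sigElement = null;
        NodeList sigs = assertion.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            if (sigs.item(i).getParentNode() == assertion) {
                sigElement = (Element) sigs.item(i);
                break;
            }
        }
        if (sigElement == null) return false;

        XMLSignature signature = new XMLSignature(sigElement, "");

        // Require that at least one signed Reference points at this Assertion's ID,
        // so a valid signature over some other element is not mistaken for coverage.
        SignedInfo si = signature.getSignedInfo();
        boolean coversAssertion = false;
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (("#" + id).equals(ref.getURI())) coversAssertion = true;
        }
        if (!coversAssertion) return false;

        // Load the trusted certificate from the keystore and check digests plus signature value.
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, keystorePassword);
        } finally {
            in.close();
        }
        PublicKey pubkey = ks.getCertificate(certAlias).getPublicKey();
        return signature.checkSignatureValue(pubkey);
    }

    private static Element firstElement(Document doc, String ns, String local) {
        NodeList n = doc.getElementsByTagNameNS(ns, local);
        return n.getLength() == 0 ? null : (Element) n.item(0);
    }
}
```

On verification the transforms listed inside each Reference (including an enveloped-signature transform, if the issuer applied one) are executed by the library as part of checkSignatureValue, so the verifier does not add transforms itself; what it must supply is a way to resolve the same-document ID, which is what the IdResolver registration provides. A true result here says only that the Assertion's content is intact and signed by the key in the keystore; checking the Assertion's Conditions, issuer and audience is a separate step.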
