I don't quite understand what you mean by that statement, Raul. The
passed-in XML contains an enveloped signature. Are you referring to the
XMLSignature constructor, i.e. that I should be using
XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI,
java.lang.String SignatureMethodURI, java.lang.String
CanonicalizationMethodURI) instead of the
XMLSignature(org.w3c.dom.Document doc, java.lang.String BaseURI)
constructor? Thanks,
 
Phil
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Raul Benito
Sent: Tuesday, March 27, 2007 6:22 PM
To: security-dev@xml.apache.org
Subject: Re: Verifying Signature
 
I think you should add an enveloped-signature transformation to the
signature; it should help you.
On 3/27/07, Phillip Duba <[EMAIL PROTECTED]> wrote:
I'm hoping this is the right list to be emailing this question to. I
created a function to do verification of a SAML Assertion, well at least
the digital signature part anyways. The function is called from an
external application and is below.
 
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IgnoreAllErrorHandler;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

    public boolean VerifySignature(String token, String certPath) throws Exception {
      // Initialize the library
      org.apache.xml.security.Init.init();

      // Namespace-aware parsing is required for the dsig: and saml: elements to be found
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setNamespaceAware(true);
      dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.setErrorHandler(new IgnoreAllErrorHandler());

      // The token arrives as a String; decode it with a fixed charset, not the platform default
      byte[] inputBytes = token.getBytes("UTF-8");
      Document doc = db.parse(new ByteArrayInputStream(inputBytes));

      Element sigElement = null;
      NodeList nodes = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
      String password = "mypass";

      if (nodes.getLength() != 0) {
        // Found nodes for the Signature element; the first one is verified
        sigElement = (Element) nodes.item(0);
        XMLSignature signature = new XMLSignature(sigElement, "");
        // Load the verification certificate from the JKS keystore at certPath
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(new File(certPath)), password.toCharArray());
        PublicKey pubkey = ks.getCertificate("mycert").getPublicKey();
        // checkSignatureValue validates the References and then the SignatureValue
        return signature.checkSignatureValue(pubkey);
      }
      return false;
    }
 
In all of the examples and test files I see user files for the XML and
subsequently use something like file.toUrl().toString() for the URI
definition for the XMLSignature creation. I have a "" for it. In this
case, I am passing the string representation of the XML (that's how it
is received) into the function and I used "" for the URI. The one item I
do not have in my class that I have seen in some, but not all, of the
examples is the ResourceResolver class. The saml:Assertion part of the
document isn't the top-level node; it's about 3 nodes deep and contains
the signature. The Reference node contains a self-referencing identifier
to the saml:Assertion node. The above method works fine when the
referenced node is the root node, but not if it is a child node. I know
I am doing something wrong here, but I can't find that much
documentation on the Apache library or examples of the way I need to
execute the verification. I am using the 1.2.0 library with
xml-sec-1.2.96.jar due to JRE restrictions of my application server.
Thanks for any help provided.
 
-- Phil



-- 
http://r-bg.com 
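The situation Phil describes (an enveloped signature on a saml:Assertion that is not the document root, with a Reference URI of the form "#id") can be handled by registering the assertion's ID so the library can resolve the fragment reference, and by checking that the Reference actually points at the assertion rather than at some other element. The following is an added example, not Phil's code or a sample from the Apache XML Security project; it assumes the SAML 1.1 assertion namespace and the AssertionID attribute, and the 1.x IdResolver registry (removed in 2.x, where DOM setIdAttributeNS is used instead).

```java
import java.security.PublicKey;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AssertionSignatureCheck {
    // Assumed: SAML 1.1 namespace and ID attribute name; SAML 2.0 uses
    // urn:oasis:names:tc:SAML:2.0:assertion and an "ID" attribute instead.
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String ID_ATTR = "AssertionID";

    /** Verify the enveloped signature on the (single) saml:Assertion, wherever it sits in the document. */
    public static boolean verifyAssertion(Document doc, PublicKey pubkey) throws Exception {
        org.apache.xml.security.Init.init();

        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) return false;      // reject zero or ambiguous assertions
        Element assertion = (Element) assertions.item(0);
        String id = assertion.getAttribute(ID_ATTR);
        if (id.length() == 0) return false;

        // The parser does not know AssertionID is an ID attribute, so a "#id" Reference
        // cannot be resolved for a non-root element until it is registered (library 1.x API).
        IdResolver.registerElementById(assertion, id);

        // The signature must be a direct child of the assertion it claims to cover
        NodeList sigs = assertion.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) return false;
        XMLSignature signature = new XMLSignature((Element) sigs.item(0), "");

        // Every Reference must point at the assertion itself; a valid signature over
        // some other element says nothing about the assertion's content.
        SignedInfo si = signature.getSignedInfo();
        if (si.getLength() == 0) return false;
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (!("#" + id).equals(ref.getURI())) return false;
        }

        // Validates the Reference digests (now resolvable) and then the SignatureValue
        return signature.checkSignatureValue(pubkey);
    }
}
```

The key passed in should come from a trusted store as in Phil's function, not from the KeyInfo inside the token.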