Hopefully someone can point me in the right direction to solve this
problem. I have a SAML 1.1 Assertion being verified; however, it fails
verification as I receive a "Cannot resolve element with ID ." error.
The issue, from what I can tell from a Google search, is that the
SAML 1.1 Assertion schema has the AssertionID of type ID but no ID
attribute, so the Reference lookup fails. Below is my logic for
verification:
 
    import java.io.ByteArrayInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PublicKey;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.apache.xml.security.signature.XMLSignature;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NodeList;

    public boolean VerifySignature(String token, String certPath) throws Exception {
        // Initialize the library
        org.apache.xml.security.Init.init();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(new org.apache.xml.security.utils.IgnoreAllErrorHandler());

        // Decode with an explicit charset rather than the platform default
        byte[] inputBytes = token.getBytes("UTF-8");
        Document doc = db.parse(new ByteArrayInputStream(inputBytes));
        // The AssertionID value that the ds:Reference URI points at ("#" + this value).
        // It is only passed on as the base URI below; nothing marks the attribute as an ID.
        String uriRef = doc.getDocumentElement().getAttribute("AssertionID");

        Element sigElement = null;
        NodeList nodes = doc.getElementsByTagNameNS(
                org.apache.xml.security.utils.Constants.SignatureSpecNS, "Signature");
        String password = "mypass";

        if (nodes.getLength() != 0) {
            // Found Nodes for Signature element
            sigElement = (Element) nodes.item(0);
            XMLSignature signature = new XMLSignature(sigElement, uriRef);
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(new File(certPath)), password.toCharArray());
            PublicKey pubkey = ks.getCertificate("SamlTest").getPublicKey();
            // Fails here with "Cannot resolve element with ID" because the
            // Reference URI "#<AssertionID>" cannot be resolved to the Assertion element
            return signature.checkSignatureValue(pubkey);
        }
        return false;
    }
 
A sample of the XML being submitted is:
 
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="B9B97DFA-188B-10AF-6C7D03F0B072070E"
    IssueInstance="2007-05-23T16:16:20Z" Issuer="http://samltest.dev/"
    MajorVersion="1" MinorVersion="1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#B9B97DFA-188B-10AF-6C7D03F0B072070E">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>JF/Dh0v786ttB38KYCq1w+X+gtk=</ds:DigestValue>
      </ds:Reference>
...
 
The system configuration versioning is limited by an application server
and is:
 
JDK 1.4.11
XML Apache Security Library 1.2.0 with xmlsec-1.2.96.jar
 
Most of the solutions I have found have focused on DOM3 capabilities
which I do not have access to or using an IdResolver with which I have
had no luck. Any help would be appreciated. Thanks,
 
Phil
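The following is an added example, not Phil's code and not part of the original post. It shows one way to get the Reference lookup to succeed on a pre-DOM3 JDK with the Apache library: registering the Assertion element under its AssertionID value through the library's IdResolver, so that the "#<AssertionID>" fragment in ds:Reference resolves. It assumes that the static method IdResolver.registerElementById(Element, String) is available in the 1.2-era xmlsec in use (an assumption about the library version; the later xmlsec 1.4 API has it), that the keystore alias is "SamlTest" as in the post, and that the keystore password is supplied by the caller rather than hard-coded. It also adds the checks a verifier of untrusted SAML input wants before trusting the result: DTDs are refused, the signature must be a direct child of the Assertion, the single Reference must point at this Assertion's own ID, and the trusted certificate must be within its validity period.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example verifier for an enveloped signature on a SAML 1.1 Assertion (JDK 1.4 style, no generics). */
public class Saml11AssertionVerifier {

    private static final String SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    /**
     * Returns true only if the enveloped signature over the Assertion verifies with the
     * public key of the certificate stored under 'alias' in the JKS keystore at 'keyStorePath'.
     */
    public static boolean verify(String token, String keyStorePath, String keyStorePassword,
                                 String alias) throws Exception {
        org.apache.xml.security.Init.init();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The assertion is untrusted input: refuse DTDs so no entity expansion or external fetch happens
        // (Xerces feature set through setAttribute, as on JAXP 1.2 / JDK 1.4)
        dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
        DocumentBuilder db = dbf.newDocumentBuilder();

        Document doc = db.parse(new ByteArrayInputStream(token.getBytes("UTF-8")));
        Element assertion = doc.getDocumentElement();
        if (!SAML11_NS.equals(assertion.getNamespaceURI())
                || !"Assertion".equals(assertion.getLocalName())) {
            return false;   // not a SAML 1.1 Assertion at the root
        }

        String assertionId = assertion.getAttribute("AssertionID");
        if (assertionId.length() == 0) {
            return false;
        }
        // Without DOM3 setIdAttribute there is nothing that marks AssertionID as an ID, so tell the
        // library explicitly which element the "#<AssertionID>" fragment refers to.
        // Assumption: this static method exists in the xmlsec version in use.
        IdResolver.registerElementById(assertion, assertionId);

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1) {
            return false;   // exactly one signature expected
        }
        Element sigElement = (Element) sigs.item(0);
        if (sigElement.getParentNode() != assertion) {
            return false;   // the signature must envelop this Assertion directly, not sit somewhere else
        }

        XMLSignature signature = new XMLSignature(sigElement, "");
        SignedInfo signedInfo = signature.getSignedInfo();
        if (signedInfo.getLength() != 1) {
            return false;   // exactly one Reference expected
        }
        Reference ref = signedInfo.item(0);
        if (!("#" + assertionId).equals(ref.getURI())) {
            return false;   // the signed content must be this very Assertion
        }

        // Load the trusted certificate from the keystore (password supplied by the caller)
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(keyStorePath);
        try {
            ks.load(in, keyStorePassword.toCharArray());
        } finally {
            in.close();
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            return false;
        }
        cert.checkValidity();   // throws if the trusted certificate is expired or not yet valid
        PublicKey key = cert.getPublicKey();

        // Verifies the digest of the referenced Assertion and the RSA-SHA1 signature over SignedInfo
        return signature.checkSignatureValue(key);
    }
}
```

A call such as Saml11AssertionVerifier.verify(token, "/path/to/keystore.jks", password, "SamlTest") replaces the VerifySignature method from the post. The ID registration is the part that addresses the "Cannot resolve element with ID" error; the parent-node and Reference-URI checks are there so that a successful checkSignatureValue really covers the Assertion whose attributes the application goes on to trust, rather than some other element in the document.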
