Hi there,

I am having some issues validating the signature on the following XML file using both xmlsec-1.4.0 and xmlsec-1.4.1:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="urn:uuid:44FFFE2742C5DBB6311203096718823" IssueInstant="2008-02-15T17:31:58.817Z" Issuer="https://rh150.sohosmart.net/TokenService/services/Trust" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2008-02-15T17:31:58.817Z" NotOnOrAfter="2008-02-22T17:31:58.817Z"/>
    <saml:AttributeStatement>
        <saml:Subject>
            <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>NBkhyg1zm4UTqbpjkQg7LhXFlS8EpMpDtnphO1SvASA=</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>[EMAIL PROTECTED]</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#urn:uuid:44FFFE2742C5DBB6311203096718823">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">IjaxSnB43LryrBM25gCeFFEoaMc=</DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">BQadvf3/JZquVfzTGVa0OSGkmddVwMWdn30JEHTKYZvT26Goxg62iYg9xkB527dphU2bHBd2KICyo2cliivKsOxFqKpOPcIxgft/y+vv+RqE5cTn2BDsVZ6WfWWfiXHgEUAkzF+BUBoGG7mJ1Gs8ycZoIl/9pYgCzeUjSJXYNSU=</SignatureValue>
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <Modulus xmlns="http://www.w3.org/2000/09/xmldsig#">imhZHVDvtboiubhWbcNFyIDOamOaOVWIdD6QpDq8i/D3MltwgBTDorX+/prqfj8RMWxbmYlmbutsq9ZBHlaCz8eKdXqZQJ3bUmqDtAXU6PnAM0J4UsW/S1ikTEVgcpV6mGpjsEF8UojhcNOJkwMyDipkxmtcY+YknWkiJ5sl+LE=</Modulus>
                    <Exponent xmlns="http://www.w3.org/2000/09/xmldsig#">AQAB</Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
    </ds:Signature>
</saml:Assertion>


The code I am using to verify the signature is the following:

import java.security.PublicKey;

import org.apache.commons.logging.Log;        // assumed: the snippet's "logger" is a commons-logging Log
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignatureVerifier {

    private static final Log logger = LogFactory.getLog(SignatureVerifier.class);

    // Requires org.apache.xml.security.Init.init() to have been called once, and doc to
    // have been parsed with a namespace-aware DocumentBuilderFactory (otherwise
    // getElementsByTagNameNS finds nothing and item(0) is null).
    public static boolean verifyXmlSignature(Document doc) {
        Element signatureElement = (Element) doc.getElementsByTagNameNS(
                Constants.SignatureSpecNS, "Signature").item(0);
        logger.debug("signatureElement? " + signatureElement);

        XMLSignature signature;
        try {
            // second argument is the base URI used to resolve non-fragment References
            signature = new XMLSignature(signatureElement, System.getProperty("java.io.tmpdir"));
        } catch (XMLSecurityException e) {
            logger.warn("error verifying digital signature", e);
            return false;
        }

        SignedInfo signedInfo = signature.getSignedInfo();
        logger.info("signedInfo? " + signedInfo);
        signature.setFollowNestedManifests(true);
        KeyInfo ki = signature.getKeyInfo();
        logger.info("keyInfo is: " + ki);
        if (ki == null) {
            logger.warn("Signature has no KeyInfo");
            return false;
        }

        PublicKey pk;
        try {
            pk = ki.getPublicKey();
            logger.info("public key is: " + pk);
        } catch (KeyResolverException e) {
            logger.warn("Signature did not contain public key data", e);
            return false;
        }

        boolean valid;
        try {
            // checkSignatureValue() verifies the SignatureValue and every Reference digest;
            // it returns false, without throwing, if either part fails
            valid = signature.checkSignatureValue(pk);
        } catch (XMLSignatureException e) {
            logger.warn("Signature was invalid", e);
            return false;
        }
        System.out.println("KEY The XML signature in file "
                + (valid ? "valid (good)" : "invalid !!!!! (bad)"));
        // return the verification result instead of true unconditionally
        return valid;
    }
}


It always says the signature is invalid... I wonder if I am even setting everything up correctly? I got most of the code above from the sample files included in the 1.4.0 dist...

Am I missing something fundamental?


Thank you for any insight!

- ian.
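As an added example (not code from the post above or from the xmlsec samples), here is a verification routine against the same Santuario 1.4 API that makes the two things a bare checkSignatureValue() hides visible: which Reference failed its digest and what canonicalised bytes were actually digested. It also pins down the parts a bearer-assertion consumer has to get right: the AssertionID attribute is registered as an ID (SAML 1.1's schema types it as a plain string, not xs:ID, so no parser treats it as one on its own), each Reference is required to point at the assertion the Signature is a child of, and the signature is checked against an issuer key supplied by the caller rather than the key embedded in KeyInfo. The class name, the trustedKey parameter and the DER-encoded key file read in main are my choices; the assertion is read from a file named on the command line.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: verifies the enveloped signature on a SAML 1.1 assertion with xmlsec 1.4. */
public final class AssertionSignatureCheck {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    static {
        Init.init(); // one-time library initialisation; required before any XMLSignature use
    }

    private AssertionSignatureCheck() {}

    /**
     * @param assertionXml serialised assertion
     * @param trustedKey   the issuer's public key, obtained out of band (assumed available to the caller)
     * @return true only if the Signature is a child of the assertion, every Reference points at that
     *         assertion, every digest matches, and the SignatureValue verifies with trustedKey
     */
    public static boolean verify(byte[] assertionXml, PublicKey trustedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, getElementsByTagNameNS finds nothing
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs: blocks XXE and DTD-declared IDs
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(assertionXml));

        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one saml:Assertion");
        }
        Element assertion = (Element) assertions.item(0);
        // SAML 1.1 types AssertionID as a plain string, not xs:ID. Marking it as an ID explicitly makes
        // Document.getElementById() resolve the "#urn:uuid:..." Reference to this element, instead of
        // leaving resolution to a heuristic search of attribute names across the whole document.
        assertion.setIdAttribute("AssertionID", true);
        String assertionId = assertion.getAttribute("AssertionID");

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one ds:Signature");
        }
        Element sigElement = (Element) sigs.item(0);
        // The signature must sit directly inside the assertion it vouches for; otherwise a second,
        // unsigned assertion could be placed in the document and picked up by a later consumer.
        if (sigElement.getParentNode() != assertion) {
            throw new IllegalArgumentException("ds:Signature is not a child of saml:Assertion");
        }

        // Empty base URI: a bearer-assertion verifier has no business resolving external References.
        XMLSignature signature = new XMLSignature(sigElement, "");
        SignedInfo si = signature.getSignedInfo();
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (!("#" + assertionId).equals(ref.getURI())) {
                throw new IllegalArgumentException("Reference " + ref.getURI() + " does not cover the assertion");
            }
            // Check each digest on its own: checkSignatureValue() does this too, but reports only a
            // combined true/false. On mismatch, dump the canonicalised bytes that were actually
            // digested so they can be diffed against what the issuer signed.
            if (!ref.verify()) {
                System.out.println("digest mismatch for " + ref.getURI() + "; digested bytes were:");
                System.out.println(new String(ref.getReferencedBytes(), "UTF-8"));
                return false;
            }
        }

        // The key in KeyInfo is data under the signer's control: anyone can sign with their own key and
        // embed it. Verify against the trusted issuer key; KeyInfo is at most a hint for key selection.
        if (signature.getKeyInfo() != null) {
            PublicKey embedded = signature.getKeyInfo().getPublicKey();
            if (embedded != null && !Arrays.equals(embedded.getEncoded(), trustedKey.getEncoded())) {
                System.out.println("KeyInfo carries a key other than the trusted issuer key; ignoring it");
            }
        }
        return signature.checkSignatureValue(trustedKey);
    }

    /** Usage: java AssertionSignatureCheck assertion.xml issuer-public-key.der (X.509 SubjectPublicKeyInfo). */
    public static void main(String[] args) throws Exception {
        byte[] xml = Files.readAllBytes(Paths.get(args[0]));
        PublicKey issuerKey = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Files.readAllBytes(Paths.get(args[1]))));
        System.out.println(verify(xml, issuerKey) ? "valid" : "INVALID");
    }
}
```

When the digest for the assertion Reference does not match, the bytes printed are the output of the enveloped-signature and exclusive-c14n transforms as the verifier computed them; comparing them byte for byte with the issuer's canonical form (whitespace inside the assertion, namespace declarations pulled in by the mixed ds:/default-namespace elements, and the AssertionID the Reference actually resolved to are the usual differences) is far quicker than guessing from a single "invalid".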
