In the legacy code that I am porting up to CXF 2.7, there is some code that 
gets a SAML assertion from an STS and verifies the signature:

        SecurityToken token = this.stsClient.requestSecurityToken();
        SAMLAssertion assertion = new SAMLAssertion(token.getToken());
        assertion.verify();

OpenSAML 2 no longer has a verify() method, so I thought I would replace it 
with something like:

        SecurityToken token = this.stsClient.requestSecurityToken();
        AssertionWrapper assertion = new AssertionWrapper(token.getToken());
        assertion.verifySignature(assertion.getSignatureKeyInfo());

The problem is, the getSignatureKeyInfo() method returns null. The signature 
block out of the assertion looks like this:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            ...
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>

So, there is an X509 credential there as part of the signature, but I just can't 
seem to get at it. Trying to access the signing credential via the OpenSAML 
Signature object had the same problem.

So it seems obvious that I'm missing something somewhere along the line here, 
but I can't figure out what. Can someone point me in the right direction?

Thanx,

Stephen W. Chappell
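Added here as an illustration of the check the post is after, written against the plain OpenSAML 2 API; it is not Stephen's code and not taken from CXF or WSS4J. It verifies the assertion's enveloped signature against a certificate taken from the application's own truststore rather than the one the sender embedded in ds:KeyInfo, and assumes the assertion is available as a string and that the trusted STS certificate has already been loaded (both assumptions).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.List;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;
/** Verifies a SAML 2.0 assertion's enveloped signature against a certificate we already trust. */
public final class AssertionSignatureCheck {
    // assertionXml: the assertion returned by the STS, serialised to a string (assumption).
    // trustedCert:  the STS signing certificate loaded from our own truststore (assumption).
    public static Assertion verify(String assertionXml, X509Certificate trustedCert) throws Exception {
        DefaultBootstrap.bootstrap();                  // load the OpenSAML 2 configuration
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);                  // xmldsig processing needs namespaces
        Element root = pool.parse(new ByteArrayInputStream(
                assertionXml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Assertion assertion = (Assertion) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(root).unmarshall(root);

        Signature signature = assertion.getSignature();
        if (signature == null) {
            throw new SecurityException("assertion is not signed");
        }
        // Enforce the SAML signature profile (enveloped, single reference to the assertion's own ID).
        new SAMLSignatureProfileValidator().validate(signature);

        // Trust comes from our truststore, not from the <ds:KeyInfo> the sender embedded.
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(trustedCert);
        new SignatureValidator(trusted).validate(signature); // throws ValidationException on failure

        // Consistency check: if a certificate is embedded in KeyInfo, it must be the trusted signer.
        if (signature.getKeyInfo() != null) {
            List<X509Certificate> embedded = KeyInfoHelper.getCertificates(signature.getKeyInfo());
            if (!embedded.isEmpty() && !embedded.get(0).equals(trustedCert)) {
                throw new SecurityException("KeyInfo certificate does not match the trusted signer");
            }
        }
        return assertion;
    }
}
```

The point of passing a truststore certificate into SignatureValidator is that a signature checked only against the certificate carried inside its own KeyInfo proves nothing about who signed it.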
