santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Phillip Duba" <p...@philduba.com>
Subject Verifying Signature
Date Tue, 27 Mar 2007 19:52:33 GMT
I'm hoping this is the right list to be emailing this question to. I
created a function to do verification of a SAML Assertion, well at least
the digital signature part anyways. The function is called from an
external application and is below.
 
    public boolean VerifySignature(String token, String certPath) throws
Exception {
      //Initialize the library
      org.apache.xml.security.Init.init();
      
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.newInstance();
      dbf.setNamespaceAware(true);
      dbf.setAttribute("http://xml.org/sax/features/namespaces",
Boolean.TRUE);
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.setErrorHandler(new
org.apache.xml.security.utils.IgnoreAllErrorHandler());
            
      byte inputBytes[] = token.getBytes();
      Document doc = db.parse(new ByteArrayInputStream(inputBytes));
          
      Element sigElement = null;
      NodeList nodes =
doc.getElementsByTagNameNS(org.apache.xml.security.utils.Constants.Signa
tureSpecNS,"Signature");
      String password = "mypass";
          
         if(nodes.getLength() !=0 ){
               // Found Nodes for Signature element
            sigElement = (Element)nodes.item(0);
            XMLSignature signature = new XMLSignature(sigElement,"");
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(new
File(certPath)),password.toCharArray());
            PublicKey pubkey =
ks.getCertificate("mycert").getPublicKey();
            return signature.checkSignatureValue(pubkey);
          }
      return false;
    }
 
On all of the examples and test files I see user files for the XML and
subsequently use something like file.toUrl().toString() for the URI
definition for the XMLSignature creation. I have a "" for it. In this
case, I am passing the string representation of the XML (that's how it
is received) into the function and I used "" for the URI. The one item I
do not have in my class that I have seen in some, but not all, of the
examples is the ResourceResolver class. The saml:Assertion part of the
document isn't the top-level node, it's about 3 nodes deep and contains
the signature. The Reference node contains a self-referencing identifier
to the saml:Assertion node. The above method works fine when the
referenced node is the root node, but not if it is a child node. I know
I am doing something wrong here, but I can't find that much
documentation on the Apache library or examples the way I need to
execute the verification. I am using the 1.2.0 library with
xml-sec-1.2.96.jar due to JRE restrictions of the my application server.
Thanks for any help provided.
 
-- Phil

Mime
View raw message