santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Phillip Duba" <>
Subject Verifying Signature
Date Tue, 27 Mar 2007 19:52:33 GMT
I'm hoping this is the right list to be emailing this question to. I
created a function to do verification of a SAML Assertion, well at least
the digital signature part anyways. The function is called from an
external application and is below.
    public boolean VerifySignature(String token, String certPath) throws
Exception {
      //Initialize the library;
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      DocumentBuilder db = dbf.newDocumentBuilder();
      byte inputBytes[] = token.getBytes();
      Document doc = db.parse(new ByteArrayInputStream(inputBytes));
      Element sigElement = null;
      NodeList nodes =
      String password = "mypass";
         if(nodes.getLength() !=0 ){
               // Found Nodes for Signature element
            sigElement = (Element)nodes.item(0);
            XMLSignature signature = new XMLSignature(sigElement,"");
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(new
            PublicKey pubkey =
            return signature.checkSignatureValue(pubkey);
      return false;
On all of the examples and test files I see user files for the XML and
subsequently use something like file.toUrl().toString() for the URI
definition for the XMLSignature creation. I have a "" for it. In this
case, I am passing the string representation of the XML (that's how it
is received) into the function and I used "" for the URI. The one item I
do not have in my class that I have seen in some, but not all, of the
examples is the ResourceResolver class. The saml:Assertion part of the
document isn't the top-level node, it's about 3 nodes deep and contains
the signature. The Reference node contains a self-referencing identifier
to the saml:Assertion node. The above method works fine when the
referenced node is the root node, but not if it is a child node. I know
I am doing something wrong here, but I can't find that much
documentation on the Apache library or examples the way I need to
execute the verification. I am using the 1.2.0 library with
xml-sec-1.2.96.jar due to JRE restrictions of the my application server.
Thanks for any help provided.
-- Phil

View raw message