santuario-dev mailing list archives

From Ian Hummel <hum...@parityinc.net>
Subject Help validating XML signature
Date Fri, 15 Feb 2008 22:31:10 GMT
Hi there,


I am having some issues validating the signature on the following XML file using both xmlsec-1.4.0 and xmlsec-1.4.1:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="urn:uuid:44FFFE2742C5DBB6311203096718823"
    IssueInstant="2008-02-15T17:31:58.817Z"
    Issuer="https://rh150.sohosmart.net/TokenService/services/Trust"
    MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2008-02-15T17:31:58.817Z" NotOnOrAfter="2008-02-22T17:31:58.817Z"/>
    <saml:AttributeStatement>
        <saml:Subject>
            <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="privatepersonalidentifier"
            AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>NBkhyg1zm4UTqbpjkQg7LhXFlS8EpMpDtnphO1SvASA=</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="emailaddress"
            AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>j@j.com</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#urn:uuid:44FFFE2742C5DBB6311203096718823">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">IjaxSnB43LryrBM25gCeFFEoaMc=</DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">BQadvf3/JZquVfzTGVa0OSGkmddVwMWdn30JEHTKYZvT26Goxg62iYg9xkB527dphU2bHBd2KICyo2cliivKsOxFqKpOPcIxgft/y+vv+RqE5cTn2BDsVZ6WfWWfiXHgEUAkzF+BUBoGG7mJ1Gs8ycZoIl/9pYgCzeUjSJXYNSU=</SignatureValue>
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <Modulus xmlns="http://www.w3.org/2000/09/xmldsig#">
imhZHVDvtboiubhWbcNFyIDOamOaOVWIdD6QpDq8i/D3MltwgBTDorX+/prqfj8RMWxbmYlmbuts
q9ZBHlaCz8eKdXqZQJ3bUmqDtAXU6PnAM0J4UsW/S1ikTEVgcpV6mGpjsEF8UojhcNOJkwMyDipk
xmtcY+YknWkiJ5sl+LE=
</Modulus>
                    <Exponent xmlns="http://www.w3.org/2000/09/xmldsig#">AQAB</Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
    </ds:Signature>
</saml:Assertion>


The code I am using to verify the signature is the following:

import java.security.PublicKey;

import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

    public static boolean verifyXmlSignature(Document doc) {
        // doc must come from a namespace-aware parser, or this lookup finds nothing.
        Element signatureElement = (Element) doc.getElementsByTagNameNS(
                Constants.SignatureSpecNS, "Signature").item(0);
        logger.debug("signatureElement? " + signatureElement);
        if (signatureElement == null) {
            logger.warn("document contains no ds:Signature element");
            return false;
        }
        XMLSignature signature;
        try {
            signature = new XMLSignature(signatureElement, System.getProperty("java.io.tmpdir"));
        } catch (XMLSecurityException e) {
            logger.warn("error verifying digital signature", e);
            return false;
        }

        SignedInfo signedInfo = signature.getSignedInfo();
        logger.info("signedInfo? " + signedInfo);
        signature.setFollowNestedManifests(true);
        KeyInfo ki = signature.getKeyInfo();
        logger.info("keyInfo is: " + ki);
        if (ki == null) {
            logger.warn("Signature has no KeyInfo");
            return false;
        }
        PublicKey pk;
        try {
            // This key is whatever the signer chose to embed: a match against it proves
            // only that the signature was made with that key, not that a trusted party signed.
            pk = ki.getPublicKey();
            logger.info("public key is: " + pk);
        } catch (KeyResolverException e) {
            logger.warn("Signature did not contain public key data", e);
            return false;
        }
        if (pk == null) {
            logger.warn("KeyInfo did not resolve to a public key");
            return false;
        }
        boolean valid;
        try {
            // Checks every Reference digest and then the SignatureValue; false on mismatch.
            valid = signature.checkSignatureValue(pk);
        } catch (XMLSignatureException e) {
            logger.warn("Signature was invalid", e);
            return false;
        }
        System.out.println("KEY The XML signature in file "
                + (valid ? "valid (good)" : "invalid !!!!! (bad)"));
        return valid;   // report the actual check result rather than unconditionally true
    }


It always says the signature is invalid... I wonder if I am even setting everything up correctly? I got most of the code above from the sample files included in the 1.4.0 dist...

Am I missing something fundamental?


Thank you for any insight!

- ian.
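For the enveloped SAML 1.1 case in the post above, here is an added example (not code from the original message, and not Santuario's own sample code) that signs a constructed assertion with a freshly generated RSA key, serializes it, and verifies it again from the text with Apache Santuario (xmlsec) 1.4.x on the classpath. It parses namespace-aware, registers the AssertionID value explicitly with Santuario's IdResolver so the `#urn:uuid:...` Reference resolves on a freshly parsed DOM, and checks the signature against a key supplied by the caller instead of the key embedded in KeyInfo. The class name, method names and the sample assertion are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Added example: enveloped RSA-SHA1 signature round trip over a SAML 1.1 assertion. */
public class SamlSignatureRoundTrip {

    // Constructed sample assertion; the AssertionID value is made up for this example.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\""
        + " AssertionID=\"urn:uuid:example-assertion-id\" MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<saml:AttributeStatement/></saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Without namespace awareness getElementsByTagNameNS finds nothing and
        // canonicalization does not see ds:/saml: elements as namespaced.
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    // AssertionID is not a DTD/schema-declared ID attribute, so a freshly parsed DOM cannot
    // resolve Reference URI="#urn:uuid:..." to this element. Register the value explicitly;
    // this has to be repeated on every newly parsed Document.
    static void registerAssertionId(Element assertion) {
        IdResolver.registerElementById(assertion, assertion.getAttributeNode("AssertionID"));
    }

    static Document sign(KeyPair kp) throws Exception {
        Document doc = parse(ASSERTION);
        Element root = doc.getDocumentElement();
        registerAssertionId(root);
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(sig.getElement());   // enveloped: ds:Signature sits inside the assertion
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#" + root.getAttribute("AssertionID"), transforms, Constants.ALGO_ID_DIGEST_SHA1);
        sig.addKeyInfo(kp.getPublic());       // a hint for the verifier, never a trust anchor
        sig.sign(kp.getPrivate());
        return doc;
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Verifies the enveloped signature against a key the caller already trusts. */
    static boolean verify(String signedXml, PublicKey trustedKey) throws Exception {
        Document doc = parse(signedXml);
        registerAssertionId(doc.getDocumentElement());
        Element sigEl = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        if (sigEl == null) {
            return false;                     // unsigned document
        }
        XMLSignature sig = new XMLSignature(sigEl, "");
        // Deliberately not sig.getKeyInfo().getPublicKey(): any sender can embed a key that
        // matches their own signature. The digest and signature checks prove integrity only;
        // trust comes from a key or certificate configured out of band.
        return sig.checkSignatureValue(trustedKey);
    }

    public static void main(String[] args) throws Exception {
        Init.init();                          // must run before any Santuario API is used
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuer = kpg.generateKeyPair();
        KeyPair stranger = kpg.generateKeyPair();

        String signedXml = serialize(sign(issuer));
        System.out.println("issuer key:   " + verify(signedXml, issuer.getPublic()));
        System.out.println("stranger key: " + verify(signedXml, stranger.getPublic()));
        String tampered = signedXml.replace("<saml:AttributeStatement/>",
                "<saml:AttributeStatement><saml:Attribute AttributeName=\"x\"/></saml:AttributeStatement>");
        System.out.println("tampered:     " + verify(tampered, issuer.getPublic()));
    }
}
```

Compile and run with the xmlsec 1.4.x jar and its dependencies (commons-logging, xalan) on the classpath. If a deployment must accept the key carried in KeyInfo, use it only to select among pinned keys (compare it to the expected key before calling checkSignatureValue), since an attacker who controls the document controls KeyInfo too. On a DOM Level 3 parser, `Element.setIdAttribute("AssertionID", true)` is an alternative to the IdResolver registration, because Santuario falls back to `Document.getElementById`.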

