In the legacy code that I am porting up to CXF 2.7, there is some code that gets a SAML assertion from an STS and verifies the signature:
SecurityToken token = this.stsClient.requestSecurityToken();
SAMLAssertion assertion = new SAMLAssertion(token.getToken());
assertion.verify();
OpenSAML 2 no longer has a verify() method, so I thought I would replace it with something like:
SecurityToken token = this.stsClient.requestSecurityToken();
AssertionWrapper assertion = new AssertionWrapper(token.getToken());
assertion.verifySignature(assertion.getSignatureKeyInfo());
The problem is, the getSignatureKeyInfo() method returns null. The signature block out of the assertion looks like this:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
...
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
So, there is an X509 credential there as part of the signature, I just can't seem to get at it. Trying to access the signing credential via the OpenSAML Signature object had the same problem.
So it seems obvious that I'm missing something somewhere along the line here, but I can't figure out what. Can someone point me in the right direction?
Thanx,
Stephen W. Chappell
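The check the post is reaching for, as an added example that is not part of the original message and not CXF, WSS4J or OpenSAML project code. It assumes CXF 2.7 with WSS4J 1.6 and OpenSAML 2.x on the classpath, that token.getToken() returns the assertion as a DOM Element, and that the STS signing certificate is available in a truststore under our control (the path, password and alias are placeholders). It goes one step beyond the legacy verify() call: besides checking SignatureValue over SignedInfo with the certificate found in ds:KeyInfo, it pins that certificate to the known STS certificate, because a certificate the STS response itself supplies proves nothing on its own.

```java
// Added example (not from the original post): verify a SAML 2.0 assertion's
// enveloped signature with OpenSAML 2 and then check that the signing
// certificate is one we actually trust. Assumes CXF 2.7 / WSS4J 1.6 / OpenSAML 2.x.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;

import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;

public class AssertionSignatureCheck {

    /**
     * Verifies the signature on the assertion element returned by the STS
     * and returns the certificate that signed it; throws if anything is wrong.
     * trustedSigner is the STS certificate loaded from our own truststore.
     */
    public static X509Certificate verify(Element assertionElement,
                                         X509Certificate trustedSigner) throws Exception {
        AssertionWrapper wrapper = new AssertionWrapper(assertionElement);
        Assertion saml2 = wrapper.getSaml2();
        if (saml2 == null) {
            throw new SecurityException("expected a SAML 2.0 assertion");
        }
        Signature sig = saml2.getSignature();
        if (sig == null) {
            throw new SecurityException("assertion is not signed");
        }

        // 1. Reject signatures that do not follow the SAML signature profile
        //    (wrong transforms, or a Reference that does not cover this assertion).
        new SAMLSignatureProfileValidator().validate(sig);

        // 2. Pull the certificate out of ds:KeyInfo/ds:X509Data/ds:X509Certificate.
        KeyInfo keyInfo = sig.getKeyInfo();
        if (keyInfo == null) {
            throw new SecurityException("signature carries no KeyInfo");
        }
        List<X509Certificate> certs = KeyInfoHelper.getCertificates(keyInfo);
        if (certs.isEmpty()) {
            throw new SecurityException("KeyInfo carries no X509Certificate");
        }
        X509Certificate signer = certs.get(0);

        // 3. The embedded certificate is untrusted input until it is matched
        //    against a certificate we already trust; verifying with it alone
        //    only proves the XML is self-consistent.
        if (!signer.equals(trustedSigner)) {
            throw new SecurityException("assertion signed by an untrusted certificate: "
                    + signer.getSubjectX500Principal());
        }
        signer.checkValidity();

        // 4. Cryptographic check of SignatureValue over SignedInfo.
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(signer);
        new SignatureValidator(credential).validate(sig);
        return signer;
    }

    /** Loads the STS certificate from a JKS truststore (path/alias are placeholders). */
    public static X509Certificate loadTrustedSigner(String path, char[] password,
                                                    String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return (X509Certificate) ks.getCertificate(alias);
    }
}
```

In the ported code this replaces the old assertion.verify() call: load the STS certificate once with loadTrustedSigner("/path/to/truststore.jks", password, "sts-signer") and then call AssertionSignatureCheck.verify(token.getToken(), trustedSigner) for each token. Doing the trust decision explicitly, rather than letting whatever certificate happens to be in ds:KeyInfo decide, is the part worth keeping whichever API you end up on.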