1
votes

I have a SAML which I get from a third party. I have to validate it by using their public certificate. I have done this previously, but this time the Signature is within the Assertion, so my Response.getSignature() returns null.

I am using the Java OpenSAML lib, so now even though I get the assertion and get the signature from the Assertion like below, my SignatureValidator always errors out.

Code snippet below:

import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;

public static void main(String[] args) throws Exception
{
    Response response = (Response) parseSamlObject(samlString);
    Assertion assertion = response.getAssertions().get(0);
    Signature signature = assertion.getSignature(); // I get signature here
    SignatureValidator signatureValidator = new SignatureValidator(getCredential());
    signatureValidator.validate(signature); //ERRORS OUT HERE
    ....
}

private static Credential getCredential() throws FileNotFoundException, CertificateException, IOException {
    //Get Public Key
    String certFileName = "myPublicCertificate.cer";
    InputStream fileStream = MyClass.class.getClassLoader().getResourceAsStream(certFileName);
    if (fileStream == null) {
        throw new FileNotFoundException(certFileName + " not found on the classpath");
    }

    System.out.println("CertificateStream is Obtained from Resources......" );
    java.security.cert.X509Certificate certificate;

    try {
        java.security.cert.CertificateFactory certificateFactory =
                java.security.cert.CertificateFactory.getInstance("X.509");
        certificate = (java.security.cert.X509Certificate) certificateFactory.generateCertificate(fileStream);
    } finally {
        fileStream.close();
    }

    PublicKey key = certificate.getPublicKey(); //got publicKey here

    //Build the verifying credential from the public key and certificate
    BasicX509Credential publicCredential = new BasicX509Credential();
    publicCredential.setPublicKey(key);
    publicCredential.setEntityCertificate(certificate);

    return publicCredential;
}

Errors out with the following every time: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

Here is the SAML: https://pastebin.com/D1Rwm5Y5
Any thoughts?

1
Is there a way you can look into the implementation of SignatureValidator.validate() and maybe put a debug point? - yogidilip
First try to validate the signature using this online tool. This will tell you if it is your certificate or the Java implementation that is wrong. samltool.com/validate_response.php - Stefan Rasmusson
I am using the generic SignatureValidator at org.opensaml.xml.signature. - james2611nov
Do we also need to consider KeyInfo to do any validation? - james2611nov
I am able to see that the X509 certificate in the KeyInfo part of the SAML is the same as the public X509 certificate that was securely given to me. However, SignatureValidator.validate(assertion.getSignature()) still errors out with the same error as above. Any ideas of what I may have missed? - james2611nov

1 Answer

1
votes

SignatureValidator is a final class with a static method, so you don't need to create an instance.

// OpenSAML 3 packages
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

Response response = (Response) parseSamlObject(samlString);
Assertion assertion = response.getAssertions().get(0);
Signature signature = assertion.getSignature();

//Now you need to create a x509Credential from your copy of the certificate (yourCert is a byte[])
ByteArrayInputStream certInputStream = new ByteArrayInputStream(yourCert);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(certInputStream);
BasicX509Credential credential = new BasicX509Credential(certificate);

//Now you can validate the Signature with your cert (throws SignatureException if it does not verify)
SignatureValidator.validate(signature, credential);

Hope this works!! ;)
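The answer's static validate call, extended into a small helper that covers the asker's situation (the Signature sitting on the Assertion rather than the Response) and runs OpenSAML's SAML signature profile check before the key check. This is an added example, not code from the question, the answer or the OpenSAML project; it assumes OpenSAML 3 package names, a hypothetical class `AssertionSignatureCheck`, and that the caller has already unmarshalled the Response as in the posts above.

```java
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

// Added example (hypothetical class name); assumes OpenSAML 3 and an already-unmarshalled Response.
public final class AssertionSignatureCheck {
    // Build the verifying credential from the certificate the third party gave you out of band.
    public static Credential trustedCredential(InputStream certStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(certStream);
        return new BasicX509Credential(cert);
    }

    // The asker's case: the Signature may sit on the Assertion instead of the Response.
    // Prefer the assertion's own signature; otherwise fall back to the enclosing Response's.
    static Signature signatureCovering(Response response, Assertion assertion) throws SignatureException {
        if (assertion.getSignature() != null) {
            return assertion.getSignature();
        }
        if (response.getSignature() != null) {
            return response.getSignature();
        }
        throw new SignatureException("Neither the Response nor the Assertion is signed");
    }

    // Verify every assertion against the trusted credential only. The certificate inside the
    // message's KeyInfo is untrusted input and is never used as the trust anchor.
    public static void verify(Response response, Credential trusted) throws SignatureException {
        List<Assertion> assertions = response.getAssertions();
        if (assertions.isEmpty()) {
            throw new SignatureException("Response carries no Assertion");
        }
        for (Assertion assertion : assertions) {
            Signature signature = signatureCovering(response, assertion);
            // Reject signatures whose reference does not point at the signed parent element.
            new SAMLSignatureProfileValidator().validate(signature);
            SignatureValidator.validate(signature, trusted);
        }
    }
}
```

Call `verify(response, trustedCredential(certStream))` after unmarshalling; any SignatureException means the message must be rejected.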