SignatureValidation failing for XML response of ADFS server. -org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key



rupalilalwani
Hi All,

I am new to OpenSAML and am trying to implement an SP that will consume the assertion generated by an ADFS server. The client has sent me the public key cert, named pub2.cert, and using it I am creating the keystore (.JKS) file as follows. Please note we are using the algorithm SHA256withRSA and key size 2048.
----------------------------------------
C:\eClinicalWorks\jdk16\bin>keytool -genkey -sigalg SHA256withRSA -keyalg RSA -keystore test_2048_sha256.jks -validity 360 -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  rupali lalwani
What is the name of your organizational unit?
  [Unknown]:  ecw
What is the name of your organization?
  [Unknown]:  ecw
What is the name of your City or Locality?
  [Unknown]:  westborough
What is the name of your State or Province?
  [Unknown]:  ma
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=rupali lalwani, OU=ecw, O=ecw, L=westborough, ST=ma, C=us correct?
  [no]:  y

Enter key password for <mykey>
        (RETURN if same as keystore password):
Re-enter new password:

C:\eClinicalWorks\jdk16\bin>keytool -certreq -keyalg RSA -file test_2048_sha256.csr -keystore test_2048_sha256.jks
Enter keystore password:

C:\eClinicalWorks\jdk16\bin>keytool -import -alias newkey -file pub2.cer -keystore test_2048_sha256.jks
Enter keystore password:
----------------------------
----------------------------
-------------------------
Trust this certificate? [no]:  y
Certificate was added to keystore

---------------------------------

After importing the Pub2.cert (provided by the client), I am trying to validate the signature as follows.
-----------------
public void processSamlResponse(String encryptedSamlResponse) throws Exception
{
    try
    {
        // (decoding of encryptedSamlResponse into decodedSamlResponse is not shown in the post)
        Response samlResponse = getResponse(decodedSamlResponse);

        // signature of the first Assertion, not of the Response element
        Signature signature = samlResponse.getAssertions().get(0).getSignature(); // samlResponse.getSignature();

        String issuer = samlResponse.getIssuer().getValue();
        SSOConfig ssoConfig = getIssuerConfig(issuer);
        String strKeystorePath = "";
        if (ssoConfig != null)
        {
            strKeystorePath = ssoConfig.getKeyStorePath();
            if ((strKeystorePath != null) && (strKeystorePath.length() != 0))
            {
                File keyStoreFile = new File(strKeystorePath);
                if (keyStoreFile.exists())
                {
                    MetadataTool metaDataTool = new MetadataTool();
                    KeyStore keystore = MetadataTool.getKeyStore(strKeystorePath, "JKS", "hello123");
                    // verification credential is read from the keystore entry with alias "mykey"
                    Credential verificationCredential = MetadataTool.getVerificationCredential(keystore, "mykey");
                    String alias = "mykey";
                    Credential cred = MetadataTool.getSigningCredential(keystore, alias, "hello123");
                    PrivateKey privateKey = cred.getPrivateKey();
                    PublicKey publicKey = verificationCredential.getPublicKey();

                    if (signature != null)
                    {
                        boolean isSignValid = validateSignature(signature, verificationCredential);
                    }
                }
            }
        }
    }
    ...... // rest of the method (catch block etc.) omitted in the post
}

public Response getResponse(String decodedString) throws Exception
{
    Response response = null;
    try
    {
        DefaultBootstrap.bootstrap();
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setNamespaceAware(true);
        documentBuilderFactory.setIgnoringElementContentWhitespace(true);
        documentBuilderFactory.setIgnoringComments(true);
        DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();

        // the response is currently read from a file on disk; decodedString is not used
        File xmlFile = new File("C:\\portal_ws\\eCWPOST-WithSHA-1.xml"); // eCWPost.xml, verifiedSignedCWPost1.xml, AttributeResponse_pretty.xml
        InputStream inputStream = new FileInputStream(xmlFile);
        Document document = docBuilder.parse(inputStream); // new ByteArrayInputStream(decodedString.trim().getBytes());

        Element element = document.getDocumentElement();

        UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
        Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
        response = (Response) unmarshaller.unmarshall(element);
    }
    catch (Exception e)
    {
        e.printStackTrace();
        throw e;
    }
    return response;
}

public boolean validateSignature(Signature signature, Credential cred) throws Exception
{
    boolean isValid = false;
    try
    {
        SignatureValidator signatureValidator = new SignatureValidator(cred);
        SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
        try
        {
            // structural (profile) check first, then the cryptographic check against cred's key
            profileValidator.validate(signature);
            signatureValidator.validate(signature);
            isValid = true;
        }
        catch (ValidationException e)
        {
            e.printStackTrace();
            isValid = false;
        }
    }
    catch (Exception e)
    {
        e.printStackTrace();
        throw e;
    }
    return isValid;
}
----------------

But the above code is not working for the XML provided by the client. If I create my own assertion and then verify it, the code works fine. I am not sure what is going wrong. I have already copied the files from "jce_policy-6"; even that didn't work.

Can anyone please help me figure out what's wrong? If you need any more details, please let me know.
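As an added diagnostic (editor's example, not the poster's code and not OpenSAML's API), the check below verifies the assertion's XML-DSig with plain JDK classes against a certificate loaded from the JKS by alias, and also reports whether the certificate ADFS embeds in ds:KeyInfo is the one stored at that alias, which is the first thing to compare when the error is "did not validate against the credential's key". It assumes Java 8+, a Response XML file containing a signed, unencrypted Assertion, and the keystore path, password and alias passed as arguments; names and file paths are placeholders.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AssertionSignatureCheck {
    static final String DSIG = XMLSignature.XMLNS; // http://www.w3.org/2000/09/xmldsig#
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // args (assumed inputs): response.xml keystore.jks keystorePassword aliasOfAdfsCert
    public static void main(String[] args) throws Exception {
        Document doc = parse(args[0]);
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) { ks.load(in, args[2].toCharArray()); }
        X509Certificate trusted = (X509Certificate) ks.getCertificate(args[3]);

        Element assertion = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        if (assertion == null) throw new IllegalStateException("no plain Assertion element (encrypted?)");
        assertion.setIdAttribute("ID", true); // lets the DOM resolve the Reference URI "#<ID>"
        Element sig = (Element) assertion.getElementsByTagNameNS(DSIG, "Signature").item(0);
        if (sig == null) throw new IllegalStateException("Assertion carries no ds:Signature");

        // Diagnostic: is the certificate ADFS embedded in KeyInfo the one stored under the alias?
        NodeList certs = sig.getElementsByTagNameNS(DSIG, "X509Certificate");
        if (certs.getLength() > 0) {
            byte[] embedded = Base64.getMimeDecoder().decode(certs.item(0).getTextContent().trim());
            System.out.println("KeyInfo cert matches alias: " + Arrays.equals(embedded, trusted.getEncoded()));
        }

        // Verify with the trusted key from the keystore, never with the key embedded in the message.
        DOMValidateContext ctx = new DOMValidateContext(trusted.getPublicKey(), sig);
        XMLSignature xmlSig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // Profile check (what SAMLSignatureProfileValidator enforces): exactly one Reference, and it targets the assertion itself.
        List<?> refs = xmlSig.getSignedInfo().getReferences();
        boolean refOk = refs.size() == 1 && ((Reference) refs.get(0)).getURI().equals("#" + assertion.getAttribute("ID"));
        System.out.println("Reference targets assertion: " + refOk + ", signature valid: " + xmlSig.validate(ctx));
    }

    static Document parse(String path) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
        return f.newDocumentBuilder().parse(new File(path));
    }
}
```

Both printed booleans must be true before the assertion's contents are trusted; a false on the first line means the key at the chosen alias is not the key the IdP signed with.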