斷言中的 SAML 簽名驗證

Question

我有一個從第三方獲得的 SAML。 我必須使用他們的公共證書來驗證它。 我以前這樣做過，但這次簽名在斷言中，所以我的Response.getSignature()返回 null。

我正在使用 Java OpenSAML 庫，所以現在即使我得到斷言並從下面的斷言中得到簽名，我的SignatureValidature總是出錯。

下面的代碼片段：

main()....
{
    response = (Response) parseSamlObject(samlString);
    assertion = resp.getAssertion().get(0);
    signature = assertion.getSignature(); // I get signature here
    SignatureValidator signatureValidator = new SignatureValidator(getCredential());
    signatureValidator.validate(sign); //ERRORS OUT HERE
    ....
}

private static Credential getCredential() throws org.opensaml.xml.validation.ValidationException, FileNotFoundException {
    PublicKey key=null;

    //Get Public Key
    BasicX509Credential publicCredential = new BasicX509Credential();
    Credential verifiyingCredential = null;
    String certFileName = "myPublicCertificate.cer";
    InputStream fileStream = MyClass.class.getClassLoader().getResourceAsStream(certFileName);

    System.out.println("CertificateStream is Obtained from Resources......" );
    java.security.cert.CertificateFactory certificateFactory=null;
    java.security.cert.X509Certificate certificate=null;

    try {
        certificateFactory = java.security.cert.CertificateFactory.getInstance("X.509");
        certificate = (java.security.cert.X509Certificate) certificateFactory.generateCertificate(fileStream);
    } catch (CertificateException e3) {
        e3.printStackTrace();
    }
    try {
        fileStream.close();
    } catch (IOException e2) {
        e2.printStackTrace();
    }

    key= certificate.getPublicKey();//got publicKey here

    //Validate Public Key against Signature
    if (key != null) {
        publicCredential.setPublicKey(key);
        publicCredential.setEntityCertificate(certificate);
        verifiyingCredential = publicCredential;
    }

    return verifiyingCredential;
}

每次都出現以下錯誤： org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

這是 SAML： https : //pastebin.com/D1Rwm5Y5
有什么想法嗎？

Answer 1

SignatureValidator 是帶有靜態方法的 Final 類，因此您無需創建實例

response = (Response) parseSamlObject(samlString);
assertion = resp.getAssertion().get(0);
signature = assertion.getSignature();

//Now you need to create a x509Credential
ByteArrayInputStream certInputStream = new ByteArrayInputStream(yourCert);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate)certificateFactory.generateCertificate(certInputStream);
BasicX509Credential credential = new BasicX509Credential(certificate);

//Now you can validate the Signature with you cert
SignatureValidator.validate(signature , credential);

希望這有效！！ ;)