我正在尝试验证证书的签名值,并且正在使用此方法 checkSignatureValue(certificate),但此方法始终返回false。这是解码后的SAMLResponse
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://208.40.178.184/lin/SAMLSSOLogin" ID="STP-834896c0-1d11-4022-b77" IssueInstant="2013-10-10T16:56:42.159Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">EBIXSTP</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="STP-6520f20f-cee2-434d-ac1b-e4499014f17b" IssueInstant="2013-10-10T16:56:42.159Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="xs" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#EBIXSTP-6520f20f-cee2-434d-ac1b-e4499014f17b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="xs" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>i093NWIx4OhS9J9ts5N2fTmQ/C0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>nvfeEo4wtOPxHfgeMC3+wqkxbF55yCc8j5/Af7Ly7c7cHWt86w3wqIY+zOTLkmS8MnExoOaZ2wltLjwZoUMM5ossV3PL46fBopMaFBc9toH2MI09Mdyr4Nr6eA8cpy2uDKvNWh9o58NF/tnL3zsbidD0mV1UM5agz69V9ZW1/kd7kDtHxfIPd0Q1541+ooi7u3gQOb6bkx8CYwZHMqP8Siy1KI7lh2qgWt5z5GkS9l7wn42j/zMDKWqMZ3Y7WsGmovgT0xpPhet0PUHe0C5ojDrlE28qZUjdjUyKoLfQszPnlWsHuwTead3PytdnTVWTRP4KS2aB3mqzkRf/DhQCKw==</SignatureValue>
</Signature>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">EBIXSTP</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:ClientID">NATIONWIDE</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2013-10-10T17:07:42.159Z" Recipient="LIN" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2013-10-10T16:56:42.159Z" NotOnOrAfter="2013-10-10T17:07:42.159Z">
<saml2:AudienceRestriction>
<saml2:Audience>LIN</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2013-10-10T16:56:42.159Z" SessionIndex="8bc43702-bb8f-47a3-85e6-d3e9d00a6fde">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="userid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue>777885544</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="userGUID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue />
</saml2:Attribute>
<saml2:Attribute Name="externalUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue></saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="localAppUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue />
</saml2:Attribute>
<saml2:Attribute Name="parentApp" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue>N</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="action" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue />
</saml2:Attribute>
<saml2:Attribute Name="module" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue>CLAIMS</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="data" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue><![CDATA[<Data><Extensions><Extension Id="clientData"><User><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue>777885544</IdValue></Id></Ids><TaxIds><TaxId><Value/><Type>SOCIAL_SECURITY_NUMBER</Type></TaxId></TaxIds><EmailAddress>mattsmith@email.com</EmailAddress><Role><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Ids></Role><PersonName><FirstName>Matthew</FirstName><MName/><LastName>Smith</LastName></PersonName><BusinessUnitLinks><BusinessUnitLink><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Ids></BusinessUnitLink></BusinessUnitLinks><Addresses><Address><Type/><Line1/><Line2/><Line3/><City/><State/><PostalCode/><Country/></Address></Addresses><Telephones><Telephone><Number/></Telephone></Telephones><Parameters><Parameter><Name>GroupID</Name><Value>PLAYGROUND</Value></Parameter></Parameters></User><BusinessUnits><BusinessUnit><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Ids><Name/><Class><Id><PartyId>NATIONWIDE</PartyId><IdValue>Level 0</IdValue></Id></Class><Parent><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Parent></BusinessUnit><BusinessUnit><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Ids><Name/><Class><Id><PartyId>NATIONWIDE</PartyId><IdValue>Level 1</IdValue></Id></Class><Parent><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Parent></BusinessUnit><BusinessUnit><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Ids><Name/><Class><Id><PartyId>NATIONWIDE</PartyId><IdValue>Level 2</IdValue></Id></Class><Parent><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Parent></BusinessUnit><BusinessUnit><Ids><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Ids><Name/><Class><Id><PartyId>NATIONWIDE</PartyId><IdValue>Level 3</IdValue></Id></Class><Parent><Id><PartyId>NATIONWIDE</PartyId><IdValue/></Id></Parent></BusinessUnit></BusinessUnits></Extension><Extension Id="HLTHSPPRTLData"><Parameters><Parameter><Name>Theme</Name><Value>Theme123</Value></Parameter></Parameters></Extension></Extensions></Data>]]></saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
AND这是包含证书的idp元数据:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="STP" entityID="STP">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDDzCCAfegAwIBAgIQMPYpDq/9vYhD8AA+vxUpRTANBgkqhkiG9w0BAQUFADAW
MRQwEgYDVQQDEwthc2hpc2guamFpbjAgFw0xNDEyMDUxMDMwNTRaGA8yMTE0MTEx
MTEwMzA1NFowFjEUMBIGA1UEAxMLYXNoaXNoLmphaW4wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQD9jZc2b70S5nh8rgBk1h8i3Ipjq+CUVidwdHx8IwcZ
JOF4JEdfgouUjgME9rc+j6f1zcAmb3AJXUPNBkW/oQVxBCEY25gWtnQFmNv/VK9l
ocgrQDhejLcU9rBGKhM09vMIOIdvS0yzQEK/sQsQgAB9NsLRfdCvSpimCH65dJc7
eNC3XqyY26yorCfeM44jYtoLGUM6/xXdnZILVQ3nXK6J1Y4KWruunc6Tn2toeLmF
nIQgIMjWQ2T78AxgDs9FLl9pMI1yXqf6zV3MLbpkECxBEHx9jeuBlgEjoUg+0v+1
y2w+D8mHU/Pg/SiUpjhm8GDmFM+UpTHiEaiSzWogNHkXAgMBAAGjVzBVMBUGA1Ud
JQQOMAwGCisGAQQBgjcKAwQwMQYDVR0RBCowKKAmBgorBgEEAYI3FAIDoBgMFmFz
aGlzaC5qYWluQElORElBRUJJWAAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOC
AQEAs2zfpAlB4Lbw0YnRkQ7OpwVIPDAOyaR2YVOA/i3DdiqVIynYcBP9+UN1q70o
rf7FcL71xS+1yPaUJri4EJJPDQgxBQFboVEBd3KYmAOxXzefRTwNiCVhT1e89HTU
0DBkyn9KSqI/1tT+1LyHjRfw+ytfqRd64q2Bu0mNbANdw9e9pPUcIGyPTsyN3Mon
xgfkIACf2rGRqF5h3+e1e7gljFwEKP2I1TQ5WTp10TKODdmEHsxT1K4g51pNXtdd
aBC6dIcErsmSqdXzKakpEIzaVKRyxCnWVBsG7kSzbXPpwzzO2WJMdU+Kit1Ycb6V
IS4Uynxs5Xd2eMyNhRU8G4cMkw==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="luser@gmail.com"/>
</md:EntityDescriptor>
现在,当我尝试通过此功能验证其签名时:
public boolean verifySignature(X509Certificate certificate,XMLObject obj) throws KeyResolverException {
XMLObject ob = obj;
if (certificate == null) {
throw new SAMLRuntimeException(SAMLRuntimeException.ERROR_INVALID_PARTNER_SETTINGS,
"Certificate cannot be null");
}
Signature signature = null;
if (obj instanceof SignableSAMLObject) {
SignableSAMLObject signableObject = (SignableSAMLObject) obj;
signature = signableObject.getSignature();
} else if (obj instanceof ElementExtensibleXMLObject) {
signature = SAMLUtil.getFirstElement((ElementExtensibleXMLObject) obj, Signature.class);
}
if (signature == null) {
log.warn("No signature present in object " + obj);
return false;
}
try {
boolean value = buildSignature(signature).checkSignatureValue(certificate);
System.out.println("Signature Value " + value);
return value;
} catch (org.apache.xml.security.signature.XMLSignatureException e) {
e.printStackTrace();
log.warn("The signature does not match the signature of the login site", e);
return false;
}
}
protected org.apache.xml.security.signature.XMLSignature buildSignature(Signature signature)
throws XMLSignatureException {
if (((SignatureImpl) signature).getXMLSignature() != null) {
byte[] signatureValue = ((SignatureImpl) signature).getXMLSignature().getSignatureValue();
return ((SignatureImpl) signature).getXMLSignature();
}
return null;
}
在XMLObject中,我有saml解码的响应。但是
boolean value = buildSignature(signature).checkSignatureValue(certificate);
总是返回false。我刚开始使用saml,但无法弄清楚我错了。任何帮助将不胜感激。