I can verify the digital signature of a SAML 2.0 token in Java with the following code snippet.
import java.util.Iterator;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;

// nl holds the ds:Signature element(s); X509KeySelector is a custom KeySelector that picks the verification key from KeyInfo
DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), nl.item(0));
// Unmarshal the XML Signature
XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
XMLSignature signature = factory.unmarshalXMLSignature(valContext);
// Validate the XML Signature (all References and the SignatureValue)
boolean coreValidity = signature.validate(valContext);
if (!coreValidity) {
    System.err.println("Signature failed");
    // Narrow the failure down: the SignatureValue itself, or one of the References
    boolean sv = signature.getSignatureValue().validate(valContext);
    System.err.println("signature value validity: " + sv);
    Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
    for (int j = 0; i.hasNext(); j++) {
        boolean refValid = ((Reference) i.next()).validate(valContext);
        System.err.println("reference[" + j + "] validity: " + refValid);
    }
} else {
    System.out.println("Signature passed");
}
However, I cannot verify the digital signature of a SAML 1.1 token in Java:
• Reference validation (validating the digest of each reference in the signature) failed
• Signature validation (cryptographic validation of the signature) failed
I need help resolving this issue.
I resolved the exception with the following code snippet.
// needs org.w3c.dom.Element, org.w3c.dom.NodeList and com.sun.org.apache.xml.internal.security.utils.IdResolver
NodeList assertnode = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion");
Element assertion = (Element) assertnode.item(0);
String assertionId = assertion.getAttributes().getNamedItem("AssertionID").getNodeValue();
System.out.println("ID - " + assertionId);
// Register the Assertion element itself (not the document root) under its AssertionID, so that the
// ds:Reference URI "#<AssertionID>" dereferences to the signed Assertion rather than the whole response
IdResolver.registerElementById(assertion, assertionId);
The exception that was thrown:
exception:-> javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:352)
at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:311)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:244)
at com.pkg.RequestProcessor.processTokenResponse(RequestProcessor.java:134)
at com.pkg.LoginFilter.doFilter(LoginFilter.java:69)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:185)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:269)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:82)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:344)
... 20 more
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:89)
at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:236)
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:75)
... 21 more
The XML of the response returned by the STS server is also listed below.
<trust:RequestSecurityTokenResponseCollection
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse>
<trust:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-04-20T11:58:45.250Z</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-04-20T12:38:45.250Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost:8080/</Address>
</EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1"
AssertionID="_eadcac75-e528-4b58-9b53-f6f03a8ec691" Issuer="http://3MTLO/STS/"
IssueInstant="2012-04-20T11:58:45.250Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2012-04-20T11:58:45.250Z"
NotOnOrAfter="2012-04-20T12:38:45.250Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://localhost:8080/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="name"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>user1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="Firstname"
AttributeNamespace="http://mmm.his.com/identity/claims">
<saml:AttributeValue>John</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="Lastname"
AttributeNamespace="http://mmm.his.com/identity/claims">
<saml:AttributeValue>Doe</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="emailaddress"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>user@user.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="role"
AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>User</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="ApplicationName"
AttributeNamespace="http://mmm.his.com/identity/claims">
<saml:AttributeValue>App1</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_eadcac75-e528-4b58-9b53-f6f03a8ec691">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mLiTJH3R86N3G6N8f0qFmvbmzQMXELpn/JTn3xNGtf4=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>lpvRnkevRgtd+cuV+judi2rfM11CuvQ1hZQJlCYUz8wsJScub9vgB3PisDfFFSnV70dR+R6SVhXyrWraIbpXVNaCvghrDITEJirUS7rMxvM9haxFC1ujIXLamFhnNcKY7UP55dFhAO6hZxTtreUIFffg8GwfHdRsazmhPc5SMGPOH++zk+GsQywo+T+fKNby3r2jOz099pHWtcrkJCT5cFKwdnkU9Sre/AtlMWkCSALsjSOSiTHNyC/6gBW423Zowrltjs986m33jNWRxB/1FoCpKcXwbNp2GV8rPR6FzLRBn/j9IjsD7pO6XdPI8gfErDydNx0jiuJwunHB3spspw==
</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate><!-- base64 certificate value omitted -->
</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<o:SecurityTokenReference
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_eadcac75-e528-4b58-9b53-f6f03a8ec691</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<o:SecurityTokenReference
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_eadcac75-e528-4b58-9b53-f6f03a8ec691</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion
</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
</trust:KeyType>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
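Added example, not code from the question or from any answer: a self-contained check for the SAML 1.1 assertion shown above. It goes a little beyond the question: it makes the `#AssertionID` reference resolvable through the standard DOM API (`setIdAttributeNode`) instead of the internal `IdResolver`, pins the verification key to a trusted STS certificate rather than the certificate shipped inside `KeyInfo`, and rejects signatures whose `Reference` does not point at the assertion itself. The class name `Saml11SignatureCheck`, the `trustedStsCert` parameter and the assumption that `doc` was parsed by a namespace-aware `DocumentBuilderFactory` are mine.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.dsig.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public final class Saml11SignatureCheck {
    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    /** Validates the enveloped signature on the single SAML 1.1 Assertion in doc (assumed parsed
     *  namespace-aware) against the STS certificate the relying party already trusts. */
    public static boolean validateAssertionSignature(Document doc, X509Certificate trustedStsCert)
            throws Exception {
        NodeList assertions = doc.getElementsByTagNameNS(SAML1_NS, "Assertion");
        if (assertions.getLength() != 1) throw new IllegalStateException("expected exactly one Assertion");
        Element assertion = (Element) assertions.item(0);
        Attr idAttr = assertion.getAttributeNode("AssertionID");
        if (idAttr == null) throw new IllegalStateException("Assertion has no AssertionID");
        // Declare AssertionID as an ID attribute so the "#..." URI in ds:Reference resolves
        // through the standard DOM Document.getElementById, with no com.sun internal classes.
        assertion.setIdAttributeNode(idAttr, true);

        // Accept only a ds:Signature that is a direct child of the Assertion.
        Element sigEl = null;
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && "Signature".equals(n.getLocalName())
                    && XMLSignature.XMLNS.equals(n.getNamespaceURI())) sigEl = (Element) n;
        }
        if (sigEl == null) throw new IllegalStateException("Assertion is not signed");
        // Ignore the certificate inside KeyInfo: the token must verify with the pinned STS key.
        KeySelector pinned = KeySelector.singletonKeySelector(trustedStsCert.getPublicKey());
        DOMValidateContext ctx = new DOMValidateContext(pinned, sigEl);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        // The single Reference must point at this Assertion's own ID, not at another element.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) throw new IllegalStateException("expected exactly one Reference");
        String uri = ((Reference) refs.get(0)).getURI();
        if (!("#" + idAttr.getValue()).equals(uri))
            throw new IllegalStateException("Reference " + uri + " does not cover the Assertion");
        return sig.validate(ctx); // false if a digest or the SignatureValue does not verify
    }
}
```

A true result only says the assertion is intact and was signed by the pinned key; the Conditions (NotBefore, NotOnOrAfter, Audience) still have to be checked separately before the token is accepted.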