Signature did not validate against the credential's key

Question

I have a saml response from idp, it is signed in both response and assertions. I am trying to validate the signature using the X509 certificate a public key. This is my code

public class SamlTest {

public static void main(String[] args) throws Exception {

    // read the file
    File file = new File("filepath");   
    FileReader fileReader = new FileReader(file);
    BufferedReader bf = new BufferedReader(fileReader);
    String str;
    String samlStr = "";
    while ((str = bf.readLine()) != null) {
        samlStr += str;
    }

    Response response = SamlTest.unmarshall(samlStr);

    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    try {
        profileValidator.validate(response.getSignature());
    } catch (ValidationException e) {
        System.out.println("ErrorString [Error in SAMLSignatureProfilValidation]");
    }

    Certificate certificate = SamlTest.getCertificate(response.getSignature());

    BasicCredential verificationCredential = new BasicCredential();
    verificationCredential.setPublicKey(certificate.getPublicKey());


    SignatureValidator sigValidator = new SignatureValidator(verificationCredential);
    try {
        sigValidator.validate(response.getSignature());
    } catch (ValidationException e) {
        e.printStackTrace();
    }
}

private static Response unmarshall(String samlStr) throws Exception {

    DefaultBootstrap.bootstrap();
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();

    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(samlStr.getBytes());

    Document document = docBuilder.parse(byteArrayInputStream);

    Element element = document.getDocumentElement();
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);

}

private static Certificate getCertificate(Signature signature) {
    try {
        X509Certificate certificate = signature.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0);

        if (certificate != null) {
            //Converts org.opensaml.xml.signature.X509Certificate to java.security.cert.Certificate
            String lexicalXSDBase64Binary = certificate.getValue();
            byte[] decoded = DatatypeConverter.parseBase64Binary(lexicalXSDBase64Binary);

            try {
                CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
                Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(decoded));
                System.out.println(cert);
                return cert;
            } catch (CertificateException e) {
                //this should never happen
                System.out.println("SAML Signature issue");
                return null;
            }
        }
        return null; // TODO Auto-generated method stub

    } catch (NullPointerException e) {
        //Null certificates

        return null;
    }
}}

I have tried multiple saml responses, not just mine. But I get an error saying:

WARN org.apache.xml.security.signature.XMLSignature - Signature verification failed. org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

This question has been asked before but there never has been a clear answer so asking again.

Example of a saml response I am trying to test is the following:

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="pfx7832688a-4c9f-d986-a331-68a568701125" Version="2.0" IssueInstant="2014-07-17T01:01:48Z"
            Destination="http://sp.example.com/demo1/index.php?acs"
            InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
<saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfx7832688a-4c9f-d986-a331-68a568701125">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>omD68BGTOD4rSkKgo3zHEz2D0Ak=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        C+QerLk231g7kSvB/Bo+JrfdYHrzqt+3ql0+WqBIOPRx7xHHvvSx1GiUyDncs7x+LnldDHb/jU8V1Bay+mHKaKB2GnL06XZW33vK/z5GsVLzIF7h9mfybRrbFwdOPYNQzHgnGxWDp3LsehzL58cRXtu2V+aLbYRB0e3wI6tcpBY=
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
                ID="pfxbab80599-f888-0071-7fd5-1771ae32f2b5" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#pfxbab80599-f888-0071-7fd5-1771ae32f2b5">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>ui6giJBmDP2ShSBq06MQ/hVkK6U=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            eG/U9aPs3WJjgLQwPJF+liaPVAngVXkonmLxVEmTRa01sivZboNZr+5xgNMqqXjOHsuMfpA9sCJi/Iv3u4g2YEyamo3DxdPG2h/Qx9lcA3hjKIhkKIicqCbwZhMsKupZs71FmvJCKS/MrzNiZJWxtjtCD+Rn3CpWhXPCz4vzfj8=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
        <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php"
                     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
            _ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7
        </saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z"
                                          Recipient="http://sp.example.com/demo1/index.php?acs"
                                          InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
        <saml:AudienceRestriction>
            <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z"
                         SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
            <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

Please let me know if anyone can spot an issue. Thanks a lot!

Answer 1

When I validate this mesage on SAML tool I get "Signature validation failed. Reference validation failed". (emphasis mine)

This leads me to think you may have formatted, or changed the xml content prior to validating the signature.

XML signing has two parts : the signed references are transformed into a Digest value, and the digest value is then encrypted to a signature value.

Validation also does these two parts :

1. Reference validation : Each Reference's digest is verified by retrieving the corresponding resource and applying any transforms and then the specified digest method to it. The result is compared to the recorded DigestValue; if they do not match, validation fails.
2. Signature validation : The SignedInfo element is serialized using the canonicalization method specified in CanonicalizationMethod, the key data is retrieved using KeyInfo or by other means, and the signature is verified using the method specified in SignatureMethod.