//throws XMLSecurityException
/**
* This will verify the XRD against the given public key. DOM
* must already be associated with this descriptor.
* @param oPubKey
* @throws XMLSecurityException
*/
public void verifySignature(PublicKey oPubKey)
{
if (moElem == null) {
throw new XMLSecurityException(
"Cannot verify the signature. No DOM stored for XRD");
}
// make sure the ID attribute is present
string sIDAttr = Tags.ATTR_ID_LOW;
string sIDAttrNS = Tags.NS_XML;
string sID = moElem.getAttributeNS(sIDAttrNS, sIDAttr);
if ((sID == null) || (sID.Equals(""))) {
throw new XMLSecurityException(
"Cannot verify the signature. ID is missing for " +
moElem.LocalName);
}
string sRef = "#" + sID;
// Set the DOM so that it can be verified
DOM3Utils.bestEffortSetIDAttr(moElem, sIDAttrNS, sIDAttr);
XmlElement oAssertionElem =
DOMUtils.getFirstChildElement(
moElem, Tags.NS_SAML, Tags.TAG_ASSERTION);
if (oAssertionElem == null) {
throw new XMLSecurityException(
"Cannot verify the signature. No Assertion in XRD");
}
XmlElement oSigElem =
DOMUtils.getFirstChildElement(
oAssertionElem, Tags.NS_XMLDSIG, Tags.TAG_SIGNATURE);
if (oSigElem == null) {
throw new XMLSecurityException(
"Cannot verify the signature. No signature in Assertion");
}
// create the signature element to verify
XMLSignature oSig = null;
oSig = new XMLSignature(oSigElem, null);
// Validate the signature content by checking the references
string sFailedRef = null;
SignedInfo oSignedInfo = oSig.getSignedInfo();
if (oSignedInfo.getLength() != 1) {
throw new XMLSecurityException(
"Cannot verify the signature. Expected 1 reference, got " +
oSignedInfo.getLength());
}
// make sure it references the correct element
Reference oRef = oSignedInfo.item(0);
string sURI = oRef.getURI();
if (!sRef.Equals(sURI)) {
throw new XMLSecurityException(
"Cannot verify the signature. Reference Uri did not match ID");
}
// check that the transforms are ok
bool bEnvelopedFound = false;
Transforms oTransforms = oRef.getTransforms();
for (int i = 0; i < oTransforms.getLength(); i++) {
string sTransform = oTransforms.item(i).getURI();
if (Transforms.TRANSFORM_ENVELOPED_SIGNATURE.Equals(sTransform)) {
// mark that we got the required transform
bEnvelopedFound = true;
} else if (
!Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS.Equals(
sTransform)) {
// bonk if we don't have one of the two acceptable transforms
throw new XMLSecurityException(
"Unexpected transform in signature");
}
}
if (!bEnvelopedFound) {
throw new XMLSecurityException(
"Could not find expected " +
Transforms.TRANSFORM_ENVELOPED_SIGNATURE +
" transform in signature");
}
// finally check the signature
if (!oSig.checkSignatureValue(oPubKey)) {
throw new RuntimeException("Signature failed to verify.");
}
}
