SAMLUtil.getCredentialDirectlyFromKeyInfo(
keyInfo.getDOM(), data.getSigVerCrypto()
);
if (algorithmSuite != null) {
AlgorithmSuiteValidator algorithmSuiteValidator = new
AlgorithmSuiteValidator(algorithmSuite);
PublicKey key = null;
if (samlKeyInfo.getCerts() != null && samlKeyInfo.getCerts()[0] != null) {
key = samlKeyInfo.getCerts()[0].getPublicKey();
} else if (samlKeyInfo.getPublicKey() != null) {
key = samlKeyInfo.getPublicKey();
} else {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
"cannot get certificate or key");
}
// Not checking signature here, just marshalling into an XMLSignature
// structure for testing the transform/digest algorithms etc.
XMLValidateContext context = new DOMValidateContext(key, sig.getDOM());
context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
XMLSignature xmlSignature;
try {
xmlSignature = signatureFactory.unmarshalXMLSignature(context);
} catch (MarshalException ex) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLsecurity",
new Object[]{"cannot get certificate or key"}, ex
);
}
algorithmSuiteValidator.checkSignatureAlgorithms(xmlSignature);
algorithmSuiteValidator.checkAsymmetricKeyLength(key);
}
samlAssertion.verifySignature(samlKeyInfo);
}
// Parse the HOK subject if it exists