This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

SES-51: Invalid signature does not result in failure #57

Closed
spring-projects-issues opened this issue May 24, 2010 · 0 comments
Labels
in: core An issue in spring-security-saml-core type: bug A general bug type: jira An issue that was migrated from JIRA

Comments

@spring-projects-issues

Phil Varner (Migrated from SES-51) said:

In AbstractProfileBase, this method is used to verify the signature of a message:

```java
protected void verifySignature(Signature signature, String IDPEntityID) throws org.opensaml.xml.security.SecurityException, ValidationException {
    SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    validator.validate(signature);
    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIDCriteria(IDPEntityID));
    criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    log.debug("Verifying signature", signature);
    trustEngine.validate(signature, criteriaSet);
}
```

However, trustEngine.validate (SignatureTrustEngine.validate) returns "false" if the signature is invalid, rather than throwing a ValidationException as I believe this method is expecting. According to the javadoc for this method:

```java
 * @return true if the signature was valid for the provided content
 *
 * @throws SecurityException thrown if there is a problem attempting to verify the signature such as the signature
 *             algorithim not being supported
```
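The shape of the fix this report calls for, as an added example that is not the project's own patch: the boolean returned by `SignatureTrustEngine.validate` is checked and turned into a `ValidationException`, so an invalid or untrusted signature can no longer be silently accepted. It assumes the OpenSAML 2.x classes named in the report and an SLF4J logger; the class name `CheckedSignatureVerifier` is hypothetical.

```java
// Added example (not the project's actual fix): verifySignature that treats
// "false" from SignatureTrustEngine.validate as a hard failure.
// Assumes OpenSAML 2.x and SLF4J are on the classpath.
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class CheckedSignatureVerifier { // hypothetical class name

    private static final Logger log = LoggerFactory.getLogger(CheckedSignatureVerifier.class);
    private final SignatureTrustEngine trustEngine;

    public CheckedSignatureVerifier(SignatureTrustEngine trustEngine) {
        this.trustEngine = trustEngine;
    }

    protected void verifySignature(Signature signature, String idpEntityId)
            throws SecurityException, ValidationException {
        // Step 1: SAML signature profile check (element structure); throws on failure.
        new SAMLSignatureProfileValidator().validate(signature);

        // Step 2: trust criteria, same as the original method.
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIDCriteria(idpEntityId));
        criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

        // Step 3: validate() reports an invalid or untrusted signature by returning
        // false; it only throws SecurityException on an internal problem such as an
        // unsupported algorithm. The caller must turn "false" into a failure.
        boolean trusted = trustEngine.validate(signature, criteriaSet);
        if (!trusted) {
            log.debug("Signature for entity {} is invalid or not trusted", idpEntityId);
            throw new ValidationException("Signature is invalid or not trusted for entity " + idpEntityId);
        }
        log.debug("Signature for entity {} verified", idpEntityId);
    }
}
```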