
mace-opensaml-users - Re: Verify a SAML token

Subject: OpenSAML user discussion


Re: Verify a SAML token


  • From: Mike Klein <>
  • To:
  • Subject: Re: Verify a SAML token
  • Date: Tue, 05 Jun 2007 14:39:04 -0700
  • Organization: Virtual Appliance, Inc.

I am using routines documented on this page to verify the signer of an identity
document and to verify/sign assertions. The code seems to work fine and
messages are tamper-proof.

Grabbing a public cert from a keystore can be done in 3 lines of code or
so...this isn't an issue. OpenSAML won't provide you an uber-keystore
concept or anything I think so you'll need to load and cache them yourself.

I added maybe 10-20 lines of code to existing sample and can sign and
verify.


mike

Mike Mattozzi wrote:
> Is the PKIXX509EntityCredentialTrustEngine or the
> BasicSignatureTrustEngine functional yet? I'm a little confused about
> how to get started with trust engines and the concept of
> CredentialCriteria. Are there any examples of how to use this to
> verify a signed saml assertion?
>
> As you might guess, I'm new to opensaml and I find the api for
> marshalling and unmarshalling assertions along with walking through
> the elements of the assertion to be quite intuitive... but I'm a
> little confused about the best way to take the next step to start
> acting on the key data and Action information contained within. I'm
> assuming there's better methods than writing my own code to pull down
> public keys and use the signaturevalidator?
>
> Appreciate the help, Mike
>
> On 6/4/07, Mike Klein <> wrote:
>> There is a wiki page for this.
>>
>> https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG
>>
>>
>>
>> Mike Mattozzi wrote:
>> > Hi,
>> >
>> > What would be the equivalent of this in OpenSAML 2.0?
>> >
>> > thanks, Mike
>> >
>> > -----Original Message-----
>> > From: "George Stanchev" <>
>> > To: <>
>> > Subject: RE: Verify a SAML token
>> > Date: Thu, 24 May 2007 14:59:54 -0700
>> > Thread-index: AceeRDGX5egc6jTaRt6JVDpdin4gwQAAxjCQ
>> > Thread-topic: Verify a SAML token
>> >
>> > I assume you are talking about verify() not validate() in
>> > OpenSAML1.1...
>> >
>> > In OpenSAML1.1, you have
>> > to manually pull the signature signing material (either
>> > public key or X509 certificate) and compare it yourself
>> > against the STS public key you have stored locally.
>> >
>> > You can use assertion.getX509Certificates() to extract
>> > the signing materials. If the signature contains a public key,
>> > it's a bit more complicated. OpenSAML1.1 uses XML-Security
>> > as underlying XML PKI engine and you can get a hold of the
>> > native object and work with it directly:
>> >
>> > import java.security.PublicKey;
>> > import org.apache.xml.security.keys.KeyInfo;
>> > import org.apache.xml.security.keys.keyresolver.KeyResolverException;
>> > import org.apache.xml.security.signature.XMLSignature;
>> >
>> > Object sigObj = assertion.getNativeSignature();
>> > if (sigObj instanceof XMLSignature) {
>> >     XMLSignature sig = (XMLSignature) sigObj;
>> >     KeyInfo ki = sig.getKeyInfo();      // KeyInfo is optional, so may be null
>> >     if (ki != null) {
>> >         PublicKey pk = null;
>> >         try {
>> >             pk = ki.getPublicKey();      // resolves a key from the KeyInfo
>> >         } catch (KeyResolverException e) {
>> >             ...
>> >         }
>> >     }
>> > }
>> >
>> > Once you have the public keys, you can compare directly or
>> > walk up the certificate chain you have locally.
>> >
>> > Best Regards,
>> > George
>>
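As an added example (not code from this thread or from the OpenSAML project), here is the OpenSAML 2.0 counterpart of what George describes for 1.1 and of the keystore loading Mike mentions: the STS certificate is read from a keystore you control and the assertion's signature is checked against that credential only, never against whatever KeyInfo the assertion carries. The trust-store path, alias and class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class AssertionVerifier {
    // Hypothetical trust-store path and alias; substitute your own.
    private static final String TRUST_STORE = "/etc/sts/truststore.jks";
    private static final String STS_ALIAS = "sts-signing";

    static {
        try {
            DefaultBootstrap.bootstrap(); // initialises OpenSAML and Apache XML Security
        } catch (ConfigurationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private final BasicX509Credential trustedCredential;

    public AssertionVerifier(char[] storePassword) throws Exception {
        // Load the STS certificate from a keystore we control.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ks.load(in, storePassword);
        }
        X509Certificate stsCert = (X509Certificate) ks.getCertificate(STS_ALIAS);
        trustedCredential = new BasicX509Credential();
        trustedCredential.setEntityCertificate(stsCert);
    }

    public void verify(Assertion assertion) throws ValidationException {
        Signature sig = assertion.getSignature();
        if (sig == null) {
            throw new ValidationException("assertion is not signed");
        }
        // Reject signatures that break the SAML profile before any cryptographic check.
        new SAMLSignatureProfileValidator().validate(sig);
        // Verify with the trusted credential only; KeyInfo in the assertion is ignored.
        new SignatureValidator(trustedCredential).validate(sig);
    }
}
```

A ValidationException from either validator means the assertion must be rejected; the caller should still check conditions such as NotBefore/NotOnOrAfter and the intended audience separately.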


