
mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

Subject: OpenSAML user discussion

Re: Classes needed for validating a saml assertion with a public key


  • From: Brent Putman <>
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Thu, 10 Jan 2008 12:26:04 -0500

If you haven't already, you may want to take a look at this Wiki topic, which discusses these trust engines as used in Shibboleth:

https://spaces.internet2.edu/display/SHIB/TrustEngine

The ExplicitX509CertificateTrustEngine is just a variant on the ExplicitKey one, that compares the entire cert for equality with a trusted cert rather than just the public key. We don't use it in Shibboleth, but I went ahead and added it because it was easy and somebody may want to use it.

In the Java stack, these obtain trusted information against which to validate the untrusted token (key/cert as encapsulated by an instance of our Credential interface) via a trusted information resolver. For the key and certificate ones, it uses a CredentialResolver to resolve trusted Credentials, for the PKIX one it uses a PKIXValidationInformationResolver. These take as an input a CriteriaSet which specifies criteria for resolving the trusted information (e.g. the SAML entity ID of the signer).

If you have the peer's actual key/cert in advance (by value) then you'd probably want to use the ExplicitKeyTrustEngine in conjunction with a CredentialResolver that can resolve the set of trustedCredentials (e.g. from SAML metadata). Otherwise you'd probably want to use the PKIX engine.

Note these trust engines are primarily for cases where you just want to establish trust of a key/cert that has been presented, where any crypto has already been performed (so e.g. establish trust of a client TLS cert). If what you're trying to do is validate an XML or raw/blob signature, there are SignatureTrustEngine impls that do the signature validation and then establish trust using similar mechanisms and logic (explicit key vs. PKIX). Those are in the signature and signature.impl packages in java-xmltooling. It wasn't quite clear from your question what you wanted to do (i.e. validate the Assertion's signature?).

HTH,
Brent



Håkon Sagehaug wrote:
Hi

I want to be able to validate a saml assertion with a public key against my trusted host certificates in a directory. So from browsing the xml-tooling library, I've found these three trust engines

1. ExplicitKeyTrustEngine
2. ExplicitX509CertificateTrustEngine
3. PKIXX509CredentialTrustEngine

And not sure what to use, is 1 best if it's the key one wants to compare. Or is some other way better for this type of use.

cheers

--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)


