
mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

Subject: OpenSAML user discussion

List archive

Re: Classes needed for validating a saml assertion with a public key


  • From: "Håkon Sagehaug" <>
  • To:
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Fri, 11 Jan 2008 15:51:16 +0100

Hi

thanks for the good reply. See other comments inline

2008/1/10, Brent Putman <>:
If you haven't already, you may want to take a look at this Wiki topic,
which discusses these trust engines as used in Shibboleth:

https://spaces.internet2.edu/display/SHIB/TrustEngine

The ExplicitX509CertificateTrustEngine is just a variant on the
ExplicitKey one, that compares the entire cert for equality with a
trusted cert rather than just the public key.  We don't use it in
Shibboleth, but I went ahead and added it because it was easy and somebody
may want to use it.

In the Java stack, these obtain trusted information against which to
validate the untrusted token (key/cert as encapsulated by an instance of
our Credential interface) via a trusted information resolver.  For the
key and certificate ones, it uses a CredentialResolver to resolve
trusted Credentials, for the PKIX one it uses a
PKIXValidationInformationResolver.  These take as an input a CriteriaSet
which specifies criteria for resolving the trusted information ( e.g. the
SAML entity ID of the signer).

If you have the peer's actual key/cert in advance (by value) then you'd
probably want to use the ExplicitKeyTrustEngine in conjunction with a
CredentialResolver that can resolve the set of trustedCredentials ( e.g.
from SAML metadata).  Otherwise you'd probably want to use the PKIX engine.



Note these trust engines are primarily for cases where you just want to
establish trust of a key/cert that has been presented, where any crypto
has already been performed (so e.g. establish trust of a client TLS
cert).  If what you're trying to do is validate an XML or raw/blob
signature, there are SignatureTrustEngine impls that do the signature
validation and then establish trust using similar mechanisms and logic
(explicit key vs. PKIX).  Those are in the signature and signature.impl
packages in java-xmltooling.  It wasn't quite clear from your question
what you wanted to do (i.e. validate the Assertion's signature?).

I was not sure about that when I wrote this either, but now it seems that I need to verify the signature from the public key inside the assertion and verify that the public key is among the trusted host certificates located in the trusted files directory. Now my host certs either have the extension .pem or hash_value.0, because I looked at the FilesystemCredentialResolver but the extension accepted there does not match what I got, I think. Is there another way of doing the same thing, loading all the certificates from a directory? I guess I could go through the trusted directory, create Java X509Certificates, then create OpenSAML credentials from these and use this to validate the public key contained in the SAML assertion.

HTH,
Brent



Håkon Sagehaug wrote:
> Hi
>
> I want to be able to validate a saml assertion with a public key
> against my trusted host certificates in a directory. So from browsing
> the xml-tooling library, I've found these three trust engines
>
> 1. ExplicitKeyTrustEngine
> 2. ExplicitX509CertificateTrustEngine
> 3. PKIXX509CredentialTrustEngine
>
> And not sure what to use, is 1 best if it's the key one wants to
> compare. Or is some other way better for this type of use.
>
> cheers
>
> --
> Håkon Sagehaug
> Research Assistant
> Parallab
> Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)



--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
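The approach Håkon sketches in his last comment (walk the trusted directory, build Java X509Certificates, wrap them as OpenSAML credentials, and let a SignatureTrustEngine both verify the assertion's signature and check that the signing key is one of the trusted ones) can be written against the OpenSAML 2.x / java-xmltooling API that the thread discusses. The following is an added example, not code from the thread or from the OpenSAML project. It assumes OpenSAML 2.x package names (`org.opensaml.xml.*`, `org.opensaml.saml2.core.*`), that `DefaultBootstrap.bootstrap()` has already been called and the `Assertion` has been unmarshalled by the caller, that each file in the directory holds a single PEM or DER certificate (Java's `CertificateFactory` reads both, so the `.pem` versus `hash_value.0` naming does not matter), and that the directory path and issuer entity ID are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

/** Added example (hypothetical class name); assumes OpenSAML 2.x and a bootstrapped Configuration. */
public class TrustedDirAssertionValidator {

    /**
     * Load every X.509 certificate found in a directory, whatever the file
     * extension (.pem, hash_value.0, .crt ...), and wrap each one as an
     * OpenSAML credential tagged with the issuer it is trusted for.
     */
    static List<Credential> loadTrustedCredentials(File dir, String trustedEntityId) throws Exception {
        File[] files = dir.listFiles();
        if (files == null) {
            throw new IllegalArgumentException("not a directory: " + dir);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Credential> trusted = new ArrayList<Credential>();
        for (File f : files) {
            if (!f.isFile()) {
                continue;
            }
            InputStream in = new FileInputStream(f);
            try {
                // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and DER input.
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                BasicX509Credential cred = new BasicX509Credential();
                cred.setEntityCertificate(cert);   // also exposes cert.getPublicKey() to the engine
                cred.setEntityId(trustedEntityId);
                cred.setUsageType(UsageType.SIGNING);
                trusted.add(cred);
            } catch (CertificateException e) {
                // Not a parseable certificate (README, stray key file, ...): skip it.
            } finally {
                in.close();
            }
        }
        return trusted;
    }

    /**
     * Returns true only if (a) the Signature is well-formed for SAML,
     * (b) the XML signature verifies, and (c) the verifying key matches
     * one of the trusted certificates. Verifying with the key embedded in
     * the assertion's own KeyInfo without step (c) would prove nothing,
     * since an attacker can embed any key they hold; the trust engine
     * performs (b) and (c) together.
     */
    static boolean validateAssertion(Assertion assertion, File trustedDir, String expectedIssuer) throws Exception {
        Signature sig = assertion.getSignature();
        if (sig == null) {
            return false;   // unsigned assertion: nothing to trust
        }
        // Rejects signatures that do not follow the SAML profile (e.g. wrong reference or transforms).
        new SAMLSignatureProfileValidator().validate(sig);

        List<Credential> trusted = loadTrustedCredentials(trustedDir, expectedIssuer);
        if (trusted.isEmpty()) {
            return false;   // empty trust store must fail closed
        }
        // Trusted side: the certificates just loaded. Untrusted side: whatever the
        // assertion's ds:KeyInfo carries, resolved by the default KeyInfo resolver.
        StaticCredentialResolver trustedResolver = new StaticCredentialResolver(trusted);
        KeyInfoCredentialResolver keyInfoResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine engine =
                new ExplicitKeySignatureTrustEngine(trustedResolver, keyInfoResolver);

        CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(expectedIssuer));
        return engine.validate(sig, criteria);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs; obtain the Assertion by unmarshalling the received XML.
        Assertion assertion = null; // e.g. from your SAML message handling
        boolean ok = validateAssertion(assertion, new File("/path/to/trusted/certs"), "https://idp.example.org/idp");
        System.out.println("assertion trusted: " + ok);
    }
}
```

Two caveats a practitioner would want. `StaticCredentialResolver` hands every loaded credential to the engine regardless of the `CriteriaSet`, so with this code any certificate in the directory is accepted as a signer for any issuer; binding certificates to a specific entity ID requires a resolver that honours `EntityIDCriteria` (for example one backed by SAML metadata, as Brent suggests). And the explicit-key engine compares public keys by value, so it does not check certificate expiry or revocation; if the directory is meant as a CA trust store rather than a list of end-entity certificates, the PKIX signature trust engine in the same `signature.impl` package is the right tool instead.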


Archive powered by MHonArc 2.6.16.
