mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key
- From: "Håkon Sagehaug" <>
- Subject: Re: Classes needed for validating a saml assertion with a public key
- Date: Tue, 15 Jan 2008 14:49:53 +0100
Hi
Have some more question(s) about validating a public key inside a saml assertion; how I do it now is like this:
import java.security.cert.X509Certificate;
import org.opensaml.xml.security.credential.criteria.EvaluablePublicKeyCredentialCriteria;
import org.opensaml.xml.security.criteria.PublicKeyCriteria;
import org.opensaml.xml.security.x509.BasicX509Credential;

// cert is a java.security.cert.X509Certificate created from the KeyInfo element inside the assertion
BasicX509Credential x509Credential = new BasicX509Credential();
x509Credential.setEntityCertificate(cert);
// criteria built from the same public key, then evaluated against the credential
PublicKeyCriteria publicKeyCriteria = new PublicKeyCriteria(cert.getPublicKey());
EvaluablePublicKeyCredentialCriteria evaluablePK = new EvaluablePublicKeyCredentialCriteria(publicKeyCriteria);
Boolean matches = evaluablePK.evaluate(x509Credential);
Is this right? For now I just evaluate the credential against itself for testing, which is built from the public key inside the <ds:X509Certificate> element in the saml assertion. It returns true, so I hope this is right, but since it's my first time I wanted some feedback.
cheers, Håkon.
2008/1/11, Håkon Sagehaug <>:
Hi
thanks for the good reply. See other comments inline.
2008/1/10, Brent Putman <>:
If you haven't already, you may want to take a look at this Wiki topic,
which discusses these trust engines as used in Shibboleth:
https://spaces.internet2.edu/display/SHIB/TrustEngine
The ExplicitX509CertificateTrustEngine is just a variant on the
ExplicitKey one, that compares the entire cert for equality with a
trusted cert rather than just the public key. We don't use in
Shibboleth, but I went ahead and added because it was easy and somebody
may want to use it.
In the Java stack, these obtain trusted information against which to
validate the untrusted token (key/cert as encapsulated by an instance of
our Credential interface) via a trusted information resolver. For the
key and certificate ones, it uses a CredentialResolver to resolve
trusted Credentials, for the PKIX one it uses a
PKIXValidationInformationResolver. These take as an input a CriteriaSet
which specifies criteria for resolving the trusted information ( e.g. the
SAML entity ID of the signer).
If you have the peer's actual key/cert in advance (by value) then you'd
probably want to use the ExplicitKeyTrustEngine in conjunction with a
CredentialResolver that can resolve the set of trustedCredentials ( e.g.
from SAML metadata). Otherwise you'd probably want to use the PKIX engine.
Note these trust engines are primarily for cases where you just want to
establish trust of a key/cert that has been presented, where any crypto
has already been performed (so e.g. establish trust of a client TLS
cert). If what you're trying to do is validate an XML or raw/blob
signature, there are SignatureTrustEngine impls that do the signature
validation and then establish trust using similar mechanisms and logic
(explicit key vs. PKIX). Those are in the signature and signature.impl
packages in java-xmltooling. It wasn't quite clear from your question
what you wanted to do (i.e. validate the Assertions's signature?).
I was not sure about that when I wrote this either, but now it seems that I need to verify the signature from the public key inside the assertion and verify that the public key is among the trusted host certificates located in the trusted files directory. Now my host certs either have the extension .pem or hash_value.0, because I looked at the FilesystemCredentialResolver but the extension accepted there does not match what I got, I think. Is there another way of doing the same thing, loading all the certificates from a directory? I guess I could go through the trusted directory, create java X509Certificates, then create opensaml credentials from these and use this to validate the public key contained in the saml assertion.
HTH,
Brent
Håkon Sagehaug wrote:
> Hi
>
> I want to be able to validate a saml assertion with a public key
> against my trusted host certificates in a directory. So from browsing
> the xml-tooling library, I've found these three trust engines
>
> 1. ExplicitKeyTrustEngine
> 2. ExplicitX509CertificateTrustEngine
> 3. PKIXX509CredentialTrustEngine
>
> And not sure what to use; is 1 best if it's the key one wants to
> compare? Or is some other way better for this type of use.
>
> cheers
>
> --
> Håkon Sagehaug
> Research Assistant
> Parallab
> Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
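Putting Brent's description (ExplicitKey trust engine plus a CredentialResolver for the trusted side, with the SignatureTrustEngine variant doing the actual signature check) together with Håkon's question about loading certificates from a directory whose files are named .pem or <hash>.0: the following is an added example written for this thread, not code from the thread or from the OpenSAML project itself. It assumes the OpenSAML 2.x / xmltooling 1.x class names (ExplicitKeySignatureTrustEngine, StaticCredentialResolver, SAMLSignatureProfileValidator, BasicParserPool); the class name DirectoryTrustedSignatureCheck, the expected-issuer argument and the command-line layout are mine. The point it demonstrates is the one that a self-comparison of the assertion's own KeyInfo cannot: trust comes from matching the signing key against credentials loaded from somewhere other than the assertion, and only after the signature itself has verified.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Element;

// Hypothetical class name; not part of OpenSAML.
public class DirectoryTrustedSignatureCheck {

    /** One BasicX509Credential per certificate file in trustedDir, whatever the file name or extension. */
    public static List<Credential> loadTrustedCredentials(File trustedDir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Credential> trusted = new ArrayList<Credential>();
        File[] files = trustedDir.listFiles();
        if (files == null) {
            throw new IllegalArgumentException("not a readable directory: " + trustedDir);
        }
        for (File f : files) {
            if (!f.isFile()) {
                continue;
            }
            InputStream in = new FileInputStream(f);
            try {
                // The JDK X.509 factory reads both PEM and DER, so ".pem" files and
                // OpenSSL hash-named "<hash>.0" files need no special handling.
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                BasicX509Credential cred = new BasicX509Credential();
                cred.setEntityCertificate(cert);
                cred.setUsageType(UsageType.SIGNING);
                trusted.add(cred);
            } finally {
                in.close();
            }
        }
        return trusted;
    }

    /** Trusted side comes from the directory; the untrusted side is read from the Signature's own KeyInfo. */
    public static ExplicitKeySignatureTrustEngine buildTrustEngine(List<Credential> trusted) {
        // StaticCredentialResolver returns the whole trusted set regardless of the criteria passed in.
        StaticCredentialResolver trustedResolver = new StaticCredentialResolver(trusted);
        // Extracts the public key / <ds:X509Certificate> carried in the signature's <ds:KeyInfo>.
        KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        return new ExplicitKeySignatureTrustEngine(trustedResolver, keyInfoResolver);
    }

    /** True only if the signature verifies cryptographically AND its key equals one trusted key. */
    public static boolean isAssertionTrusted(Assertion assertion, String expectedIssuer,
                                             ExplicitKeySignatureTrustEngine engine) throws Exception {
        Signature sig = assertion.getSignature();
        if (sig == null) {
            return false; // unsigned assertion: there is nothing to establish trust in
        }
        // Reject signatures that deviate from the SAML signature profile before touching any key.
        new SAMLSignatureProfileValidator().validate(sig);
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(expectedIssuer));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return engine.validate(sig, criteria);
    }

    /** Usage: java DirectoryTrustedSignatureCheck <trusted-cert-dir> <assertion.xml> <expected-issuer> */
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        ExplicitKeySignatureTrustEngine engine =
            buildTrustEngine(loadTrustedCredentials(new File(args[0])));

        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        Element root = parser.parse(new FileInputStream(args[1])).getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Assertion assertion = (Assertion) um.unmarshall(root);

        System.out.println("assertion trusted: " + isAssertionTrusted(assertion, args[2], engine));
    }
}
```

Two design notes. First, the trust engine is handed two resolvers on purpose: the KeyInfoCredentialResolver only tells it which key the assertion claims was used, and the result is true only when that key is equal to one of the credentials the StaticCredentialResolver returns from the directory. Second, because the assertion is the untrusted input, the profile validator runs before the trust engine, so a structurally odd signature is rejected without its key ever being consulted.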