mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key


  • From: Brent Putman <>
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Tue, 15 Jan 2008 15:24:31 -0500



Håkon Sagehaug wrote:
> Hi
>
> I have some more questions about validating a public key inside a SAML assertion. How I do it now is like this:
>
> // cert: java.security.cert.X509Certificate built from the KeyInfo element in the assertion
> BasicX509Credential x509Credential = new BasicX509Credential();
> x509Credential.setEntityCertificate(cert);
Note there are helper methods for this, see the methods SecurityHelper#getSimpleCredential



> cert is from a Java X509 cert created from the KeyInfo element inside the assertion.

Note also that a KeyInfoCredentialResolver can do all of this for you, that's its reason for existence. A basic usage using the default KeyInfo resolver config from the global security configuration would be:

// Default resolver, configured by the global security configuration
KeyInfoCredentialResolver keyInfoResolver =
    Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
// signature: the org.opensaml.xml.signature.Signature taken from the assertion
CriteriaSet criteriaSet = new CriteriaSet(new KeyInfoCriteria(signature.getKeyInfo()));
// One Credential per key the KeyInfo's providers could extract (KeyValue, X509Certificate, ...)
Iterable<Credential> credentials = keyInfoResolver.resolve(criteriaSet);



The BasicProviderKeyInfoCredentialResolver is highly flexible to support advanced use cases via provider plugins and class extension. There are existing provider plugins to support the most common embedded key cases, such as RSA and DSA KeyValue and X509Data/X509Certificates.




> PublicKeyCriteria publicKeyCriteria = new PublicKeyCriteria(cert.getPublicKey());
> EvaluablePublicKeyCredentialCriteria evaluablePK = new EvaluablePublicKeyCredentialCriteria(publicKeyCriteria);
> boolean matches = evaluablePK.evaluate(x509Credential);
>
> Is this right? For now I just evaluate the credential against itself for testing, which is built from the public key inside the <ds:X509Certificate> element in the SAML assertion. It returns true, so I hope this is right, but since it's my first time I wanted some feedback.


Hmm, no, not exactly, this really isn't relevant to what you're trying to do. Criteria are primarily intended as input for Resolvers. The PublicKeyCriteria would be used, for example, to get a Credential from a resolver that has a given public key (e.g. it's a local credential, you received some encrypted data which specified that that public key was used to encrypt the data to you, and you need to resolve the credential containing the corresponding private key in order to decrypt). The evaluable criteria variants would mostly be used internally within Resolvers as a filtering mechanism, although they could be used for other purposes I suppose.

Using the evaluable public key criteria to match keys for trust evaluation purposes isn't strictly wrong, I suppose, but I would use the trust engines instead.

Your example is effectively just testing cert.getPublicKey().equals(x509Credential.getPublicKey()). Which is essentially also what the explicit key trust engine impls do, but the use cases are very different.

--Brent
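To make the contrast concrete, here is an added example (not code from the thread or from the OpenSAML project) of the approach Brent recommends: let the KeyInfoCredentialResolver extract the key from the assertion, and let an ExplicitKeySignatureTrustEngine decide whether that key is trusted. It assumes the OpenSAML 2.x API, and the names `trustedIssuerCert` and `issuerEntityId` stand for a certificate and entity ID you obtained out of band (for example from the issuer's metadata).

```java
import java.security.cert.X509Certificate;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

public class AssertionSignatureCheck {
    // Returns true only if the assertion is signed, the signature follows the
    // SAML profile, and it verifies under a key we already trust for the issuer.
    // trustedIssuerCert and issuerEntityId are assumed inputs obtained out of
    // band (e.g. from the issuer's metadata), not taken from the assertion.
    public static boolean isTrustedSignature(Assertion assertion,
            X509Certificate trustedIssuerCert, String issuerEntityId)
            throws SecurityException, ValidationException {
        Signature signature = assertion.getSignature();
        if (signature == null) {
            return false; // unsigned assertion: nothing to evaluate
        }
        // Structural check first (correct reference URI, allowed transforms).
        new SAMLSignatureProfileValidator().validate(signature);
        // The trust anchor: the issuer's known signing certificate.
        BasicX509Credential trusted =
                SecurityHelper.getSimpleCredential(trustedIssuerCert, null);
        trusted.setEntityId(issuerEntityId);
        trusted.setUsageType(UsageType.SIGNING);
        // The engine pulls the signing key out of ds:KeyInfo with the resolver
        // from the thread, verifies the signature, then accepts it only if
        // that key matches one of the trusted credentials.
        KeyInfoCredentialResolver keyInfoResolver = Configuration
                .getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(trusted), keyInfoResolver);
        CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(issuerEntityId));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return engine.validate(signature, criteria);
    }
}
```

Unlike the self-comparison in the question, the key carried inside the assertion is only an input to signature verification here; trust comes from the separately obtained `trusted` credential.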



