mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

  • From: "Håkon Sagehaug" <>
  • To:
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Wed, 16 Jan 2008 13:51:53 +0100

Hi

See questions/comments inline

2008/1/15, Brent Putman <>:


Håkon Sagehaug wrote:
> Hi
>
> Have some more question(s) about validating a public key inside a saml
> assertion, how I do it know is like this,
>
>    BasicX509Credential x509Credential = new BasicX509Credential();
>    x509Credential.setEntityCertificate(cert);
Note there are helper methods for this, see the methods
SecurityHelper#getSimpleCredential


>
>    cert is from a java x509 cert created from the keyInfo element
> inside the assertion

Note also that a KeyInfoCredentialResolver can do all of this for you,
that's its reason for existence.  A basic usage using the default
KeyInfo resolver config from the global security configuration would be:

KeyInfoCredentialResolver keyInfoResolver =
    Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();

CriteriaSet criteriaSet = new CriteriaSet( new KeyInfoCriteria(signature.getKeyInfo()) );

Iterable<Credential> credentials = keyInfoResolver.resolve(criteriaSet);

Here only the credentials that match the keyinfo from the signature are returned, or??

The BasicProviderKeyInfoCredentialResolver is highly flexible to support
advanced use cases via provider plugins and class extension.  There are
existing provider plugins to support the most common embedded key cases,
such as RSA and DSA KeyValue and X509Data/X509Certificates.



>
>    PublicKeyCriteria publicKeyCriteria = new
> PublicKeyCriteria(cert.getPublicKey());
>    EvaluablePublicKeyCredentialCriteria evaluablePK = new
> EvaluablePublicKeyCredentialCriteria(publicKeyCriteria);
>    evaluablePK.evaluate(x509Credential);
>
> Is this right? For now I just evaluate the credential against itself
> for testing, which is built from the public key inside the
> <ds:X509Certificate> element in the saml assertion, it returns true so
> I hope this is right, but since it's my first time I wanted some feedback


Hmm, no, not exactly, this really isn't relevant to what you're trying
to do.  Criteria are primarily intended as input for Resolvers.  The
PublicKeyCriteria would be used, for example, to get a Credential from a
resolver that has a given public key (e.g. it's a local credential, you
received some encrypted data which specified that that public key was
used to encrypt the data to you, and you need to resolve the credential
containing the corresponding private key in order to decrypt).  The
evaluable criteria variants would mostly be used internally within
Resolvers as a filtering mechanism, although they could be used for
other purposes I suppose.

Using the evaluable public key criteria to match keys for trust
evaluation purposes isn't strictly wrong, I suppose, but I would use the
trust engines instead.

Your example is effectively just testing cert.getPublicKey().equals(
x509Credential.getPublicKey() ) .  Which is essentially also what the
explicit key trust engines impls do, but the use cases are very different.

--Brent

--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
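As an added example (not code from the thread), the trust-engine approach Brent recommends, written against the OpenSAML 2 API the thread uses: the key advertised in the assertion's KeyInfo is only used to check the signature, and the ExplicitKeySignatureTrustEngine then requires that key to match a credential from a configured, trusted source. It assumes an already-unmarshalled `assertion` and a `trustedCert` obtained from configuration or metadata for the issuer.

```java
// Added example, not from the thread. Assumes `assertion` is an unmarshalled
// org.opensaml.saml2.core.Assertion and `trustedCert` is the issuer's configured cert.
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import java.security.cert.X509Certificate;

public class AssertionSignatureCheck {
    public static boolean isTrusted(Assertion assertion, X509Certificate trustedCert)
            throws SecurityException {
        Signature signature = assertion.getSignature();
        if (signature == null) {
            return false; // unsigned assertion: nothing to trust
        }
        try {
            // Reject signatures that do not follow the SAML profile of XML-DSig first.
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            return false;
        }
        // Trusted keys come from configuration, never from the assertion's own KeyInfo.
        Credential trusted = SecurityHelper.getSimpleCredential(trustedCert, null);
        StaticCredentialResolver trustedResolver = new StaticCredentialResolver(trusted);
        // The KeyInfo resolver extracts the key the signature claims was used; the engine
        // verifies the signature with it and then requires it to match a trusted credential.
        KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine engine =
            new ExplicitKeySignatureTrustEngine(trustedResolver, keyInfoResolver);
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(assertion.getIssuer().getValue()));
        return engine.validate(signature, criteria);
    }
}
```

Comparing `cert.getPublicKey()` with a credential built from the same KeyInfo, as in the original snippet, always succeeds; the difference here is that the trusted credential resolver is independent of the message being checked.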