
mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

Subject: OpenSAML user discussion


Re: Classes needed for validating a saml assertion with a public key


  • From: Brent Putman <>
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Wed, 16 Jan 2008 18:20:22 -0500

I agree with what Chad said, but also consider that KeyInfo is optional in a Signature, and even if present, may not include the key by value, instead only by reference (e.g. via KeyName or X509SubjectName, etc). If you don't know that the sender/signer of the message will always include a usable embedded key, you may want to take that into account.

I think the exact algorithm used in our SignatureTrustEngine(s) is:

-Extract key from KeyInfo, if present
-Validate signature using the KeyInfo-derived key
-If it was valid, establish trust by matching that KeyInfo key to the trusted keys you have
-If signature was not validated using the KeyInfo key, or the KeyInfo key didn't match a trusted key, or no KeyInfo key was present, then validate the signature against all trusted keys directly

So one assumption is that the resolved trusted keys are known to be associated with the "claimed" signer identity.




Chad La Joie wrote:
Yep, that sounds right.

If the system is going to see modest load you'll probably want to create some bit of code that reads in the certs from the directory, parses them into their Java objects, caches them and then just occasionally sweeps the directory for new/removed certs. Parsing the certs is a semi-expensive task so you don't necessarily want to be doing that every time you get a new message.

Håkon Sagehaug wrote:
Hi

So the setup currently is this, I've got a directory on a filesystem, not LDAP, that contains all the host certs I trust. When the assertion comes in I want to first check if the public key inside the <ds:X509Cert> can be resolved to one of the certs in my trusted directory. If this clears I will see if the signature validates against the public key from the saml assertion. Is this setup right?

cheers, Håkon

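The four-step trust-engine algorithm Brent lays out above, together with the cached certificate directory Chad suggests, as an added example that is not part of this thread and is not OpenSAML's own code. OpenSAML is Java; this is written in Go against the standard library (crypto/rsa, crypto/x509) only so that it runs stand-alone, and the logic maps one-to-one onto the four steps. Everything named here is an assumption constructed for the example: the Signature and TrustStore types, the Validate and Demo functions, the self-signed "idp.example.org" certificate, the rogue key, and the sample assertion bytes. Verification is raw RSA PKCS#1 v1.5 over a byte string, standing in for the XML-DSig canonicalisation and reference validation that a real SAML implementation performs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Signature is what the trust engine needs from a ds:Signature: the signed bytes, the
// SignatureValue, and the KeyInfo key (nil when KeyInfo is absent or only a reference).
type Signature struct {
	Signed, Value []byte
	KeyInfo       *rsa.PublicKey
}

// TrustStore caches the parsed keys of a trusted-cert directory; Refresh runs on startup
// and on an occasional directory sweep, never once per incoming message.
type TrustStore struct{ keys []*rsa.PublicKey }

func (t *TrustStore) Refresh(derCerts [][]byte) error {
	var keys []*rsa.PublicKey
	for _, der := range derCerts {
		cert, err := x509.ParseCertificate(der) // the expensive step, done once per sweep
		if err != nil {
			return err
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			keys = append(keys, pub)
		}
	}
	t.keys = keys
	return nil
}

func verifies(pub *rsa.PublicKey, sig Signature) bool {
	h := sha256.Sum256(sig.Signed)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig.Value) == nil
}

// Validate applies the four steps from the thread and reports which path established
// trust: "keyinfo", "trusted-key" or "none".
func Validate(ts *TrustStore, sig Signature) (bool, string) {
	// Steps 1-3: the KeyInfo key establishes trust only if the signature verifies under it
	// AND it matches a trusted key; a sender can embed any key it holds the private half of.
	if k := sig.KeyInfo; k != nil && verifies(k, sig) {
		for _, t := range ts.keys {
			if t.E == k.E && t.N.Cmp(k.N) == 0 {
				return true, "keyinfo"
			}
		}
	}
	// Step 4: no usable or trusted KeyInfo key, so try each trusted key directly.
	for _, t := range ts.keys {
		if verifies(t, sig) {
			return true, "trusted-key"
		}
	}
	return false, "none"
}

// selfSignedDER and sign build constructed sample data (errors ignored: fixed inputs).
func selfSignedDER(key *rsa.PrivateKey, cn string) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func sign(key *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}

// Demo runs the cases a deployer should care about and returns the trust path for each.
func Demo() map[string]string {
	trustedKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: the IdP we trust
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed: an attacker's own key
	store := &TrustStore{}
	if err := store.Refresh([][]byte{selfSignedDER(trustedKey, "idp.example.org")}); err != nil {
		panic(err)
	}
	msg := []byte("<saml:Assertion>constructed sample</saml:Assertion>")
	tampered := append([]byte("X"), msg[1:]...)
	cases := map[string]Signature{
		"trusted signer, key by value":   {msg, sign(trustedKey, msg), &trustedKey.PublicKey},
		"trusted signer, key by name":    {msg, sign(trustedKey, msg), nil},
		"rogue signer, own key embedded": {msg, sign(rogueKey, msg), &rogueKey.PublicKey},
		"trusted signer, tampered body":  {tampered, sign(trustedKey, msg), &trustedKey.PublicKey},
	}
	out := map[string]string{}
	for name, sig := range cases {
		_, out[name] = Validate(store, sig)
	}
	return out
}
```

The "rogue signer" case is the one to watch: its signature verifies perfectly under the key it embeds in KeyInfo, which is exactly why step 3 (matching that key against the trusted set) is what establishes trust, not the verification itself. The "key by name" case shows why step 4 exists: with no key by value in KeyInfo there is nothing to match, so the engine falls back to trying each trusted key directly. A production sweep of the directory would also need a lock around the cached slice, which this single-threaded example leaves out.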



