OpenSAML user discussion

["Jerry Thome" <>]

Can anyone in openSAML2-land help me
out?  I think this is a very basic request...

I have an HTTP request parameter, SAMLResponse,
whose value (a SAML Response) contains a signature and keyinfo section.
 I want to use openSAML2 to validate the signature.

I spent a couple hours yesterday downloading
the various projects and finally got openSAML2 to build.  I found
an example somewhere on how to start processing an XML doc (I think here
http://code.crt.realtors.org/projects/websso).  I took the HTTP response,
base64 decoded it and put it in an XML file.  I've performed basic
structure validation, but I can't quite figure out how to make the leap
to actually validate the signature.   I think I need to use 'TrustEngines'
or 'CredentialResolvers' but I need some help.

Does anyone have an example?  For
a real production implementation, I know I would use certificates from
a MetaData file to compare with the cert in the KeyInfo... but here I just
want to use everything in the Response.

Thanks to anyone who replies!

(Below is basically all I have figured
out so far).


// Initialize the library
DefaultBootstrap.bootstrap();

// Get parser pool manager
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);

// Parse Response file
InputStream in = new FileInputStream(new
File("C:\\blah\\sample.xml"));
Document inCommonMDDoc = ppMgr.parse(in);
Element respRoot = inCommonMDDoc.getDocumentElement();

// Get apropriate unmarshaller
UnmarshallerFactory unmarshallerFactory
= Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(respRoot);

// Unmarshall using the document root
element
ResponseImpl inCommonMD = (ResponseImpl)
unmarshaller.unmarshall(respRoot);
Signature sig = inCommonMD.getSignature();

KeyInfo keyInfo = sig.getKeyInfo();
List list = keyInfo.getX509Datas();
X509Data data = "(X509Data)" list.get(0);
List certs = data.getX509Certificates();
X509Certificate certificate = (X509Certificate)
certs.get(0);

System.out.println(certificate.getValue());
System.out.println(sig.getSignatureAlgorithm());
System.out.println(sig.getCanonicalizationAlgorithm());

ResponseSchemaValidator validator =
new ResponseSchemaValidator();
validator.validate(inCommonMD);

SAMLSignatureProfileValidator val =
new SAMLSignatureProfileValidator();
val.validate(sig);

SignatureSchemaValidator sigVal = new
SignatureSchemaValidator();
sigVal.validate(sig);

---

The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by email.