mace-opensaml-users - Validating a signature - Help
Subject: OpenSAML user discussion
- From: "Jerry Thome" <>
- To:
- Subject: Validating a signature - Help
- Date: Fri, 15 Feb 2008 15:22:31 -0600
Can anyone in openSAML2-land help me out? I think this is a very basic request...
I have an HTTP request parameter, SAMLResponse, whose value (a SAML Response) contains a signature and keyinfo section. I want to use openSAML2 to validate the signature.
I spent a couple hours yesterday downloading the various projects and finally got openSAML2 to build. I found an example somewhere on how to start processing an XML doc (I think here http://code.crt.realtors.org/projects/websso). I took the HTTP response, base64 decoded it and put it in an XML file. I've performed basic structure validation, but I can't quite figure out how to make the leap to actually validate the signature. I think I need to use 'TrustEngines' or 'CredentialResolvers' but I need some help.
Does anyone have an example? For a real production implementation, I know I would use certificates from a MetaData file to compare with the cert in the KeyInfo... but here I just want to use everything in the Response.
Thanks to anyone who replies!
(Below is basically all I have figured out so far).
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.validator.ResponseSchemaValidator;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.signature.validator.SignatureSchemaValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Initialize the library
DefaultBootstrap.bootstrap();
// Get parser pool manager (namespace awareness is required for SAML/XMLDSig)
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);
// Parse Response file (the base64-decoded SAMLResponse parameter)
InputStream in = new FileInputStream(new File("C:\\blah\\sample.xml"));
Document inCommonMDDoc = ppMgr.parse(in);
Element respRoot = inCommonMDDoc.getDocumentElement();
// Get appropriate unmarshaller for the root element
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(respRoot);
// Unmarshall using the document root element; cast to the Response interface, not the impl class
Response inCommonMD = (Response) unmarshaller.unmarshall(respRoot);
Signature sig = inCommonMD.getSignature();
KeyInfo keyInfo = sig.getKeyInfo();
// Walk ds:KeyInfo/ds:X509Data/ds:X509Certificate to reach the embedded certificate
List<X509Data> list = keyInfo.getX509Datas();
X509Data data = list.get(0);
List<X509Certificate> certs = data.getX509Certificates();
X509Certificate certificate = certs.get(0);
System.out.println(certificate.getValue());
System.out.println(sig.getSignatureAlgorithm());
System.out.println(sig.getCanonicalizationAlgorithm());
// Schema validation of the Response itself
ResponseSchemaValidator validator = new ResponseSchemaValidator();
validator.validate(inCommonMD);
// SAML signature profile check (enveloped transform, Reference URI points at the signed object)
SAMLSignatureProfileValidator val = new SAMLSignatureProfileValidator();
val.validate(sig);
// Schema validation of the ds:Signature element
SignatureSchemaValidator sigVal = new SignatureSchemaValidator();
sigVal.validate(sig);
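One way to take the missing last step, cryptographic verification of the signature, with the OpenSAML 2 API. This is an added example, not code from the post or from the OpenSAML project; it assumes the parsed Response from the snippet above and a `trustedCert` (a `java.security.cert.X509Certificate` you obtained out of band, e.g. from IdP metadata). The certificate carried inside the message's own KeyInfo is only accepted after it is shown to equal that trusted certificate, since a signature that merely matches a key the sender chose proves nothing about who sent it.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class ResponseSignatureCheck {

    /**
     * Returns true only if the Response carries a signature that passes the SAML
     * profile rules and verifies against trustedCert. The certificate embedded in
     * ds:KeyInfo is compared to trustedCert rather than trusted on its own.
     * trustedCert is an assumed input (e.g. the IdP signing cert from metadata).
     */
    public static boolean verify(Response response, X509Certificate trustedCert)
            throws CertificateException, ValidationException {
        Signature sig = response.getSignature();
        if (sig == null) {
            return false; // unsigned Response: nothing to verify
        }
        // 1. Profile check: enveloped transform, Reference URI must point at the Response ID, etc.
        new SAMLSignatureProfileValidator().validate(sig);

        // 2. Pull the embedded certificate(s) out of ds:KeyInfo/ds:X509Data.
        List<X509Certificate> embedded = KeyInfoHelper.getCertificates(sig.getKeyInfo());
        if (embedded.isEmpty() || !embedded.get(0).equals(trustedCert)) {
            return false; // signer is not the key we expect; do not proceed
        }

        // 3. Cryptographic check using the trusted certificate's public key.
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(trustedCert);
        new SignatureValidator(cred).validate(sig); // throws ValidationException on mismatch
        return true;
    }
}
```

If you genuinely have no trusted certificate yet, pass the KeyInfo certificate itself as `trustedCert` to exercise the code path, keeping in mind that this only proves the document is self-consistent, not who signed it.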