
mace-opensaml-users - Re: Validating a signature - Help


Re: Validating a signature - Help


  • From: Brent Putman <>
  • To:
  • Subject: Re: Validating a signature - Help
  • Date: Fri, 15 Feb 2008 18:22:52 -0500

In case you didn't find it, have a look here:

https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG

That describes the use of the org.opensaml.xml.signature.SignatureValidator, which is our lowest level component that does the actual cryptographic validation of the signature.

More below...


Jerry Thome wrote:


I spent a couple hours yesterday downloading the various projects and finally got openSAML2 to build.  I found an example somewhere on how to start processing an XML doc (I think here http://code.crt.realtors.org/projects/websso).  I took the HTTP response, base64 decoded it and put it in an XML file.  I've performed basic structure validation, but I can't quite figure out how to make the leap to actually validate the signature.   I think I need to use 'TrustEngines' or 'CredentialResolvers' but I need some help.


Yeah, the above SignatureValidator is what you need for the low-level crypto operation. 

To get a Java X509Certificate or PublicKey object from the KeyInfo, see the org.opensaml.xml.security.keyinfo.KeyInfoHelper class.  There are methods to convert the Java cert or key into a Credential in the org.opensaml.xml.security.SecurityHelper.

Or even better, see the KeyInfoCredentialResolver stuff in the security.keyinfo package.

These are the lowest level things you could do.



Does anyone have an example?  For a real production implementation, I know I would use certificates from a MetaData file to compare with the cert in the KeyInfo... but here I just want to use everything in the Response.


To be clear, you don't *have* to use certificates or keys from SAML metadata.  But for production use, you do have to perform some trust evaluation on the validation key.  You can't just validate with what's in the response KeyInfo and be done.  For anything other than playing around and learning, you have to do some trust evaluation, and that's what the SignatureTrustEngines are for - they perform the cryptographic validation of the signature and the trust evaluation of the key/certificate together, based on resolving trusted information using some kind of resolver, e.g. CredentialResolver of trusted credentials.  Just FYI.




// Unmarshall using the document root element
ResponseImpl inCommonMD = (ResponseImpl) unmarshaller.unmarshall(respRoot);


Technically, you probably shouldn't cast that to a ResponseImpl, but rather just Response, which is an interface.  Don't want to make assumptions about the underlying class implementation.  It might change, etc.


KeyInfo keyInfo = sig.getKeyInfo();
List list = keyInfo.getX509Datas();
X509Data data = (X509Data) list.get(0);
List certs = data.getX509Certificates();
X509Certificate certificate = (X509Certificate) certs.get(0);

You can also use a KeyInfoCredentialResolver to get the Credential out of the KeyInfo:

KeyInfoCredentialResolver kiResolver =
   Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
CriteriaSet criteriaSet = new CriteriaSet( new KeyInfoCriteria(keyInfo) );
Credential cred = kiResolver.resolveSingle(criteriaSet);


And use that resolved credential as the input to the SignatureValidator.





ResponseSchemaValidator validator = new ResponseSchemaValidator();
validator.validate(inCommonMD);

SAMLSignatureProfileValidator val = new SAMLSignatureProfileValidator();
val.validate(sig);

SignatureSchemaValidator sigVal = new SignatureSchemaValidator();
sigVal.validate(sig);


Note that the *SchemaValidators called like that only validate that actual object, not any children (e.g. Assertions within the Response).  If you want to validate the whole response, do something like:


ValidatorSuite suite = Configuration.getValidatorSuite("saml2-core-schema-validator");
suite.validate(response);



Assuming that you're using SAML 2.

Of course you could also do DOM-level schema validation via the ParserPool, which would be much more efficient.

HTH,
Brent
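As an added example (not part of this thread or of the OpenSAML project's own code), here is the production-style path Brent describes put together end to end: unmarshal to the Response interface, schema-validate the whole tree with the ValidatorSuite, run the SAML signature profile validator, then let an ExplicitKeySignatureTrustEngine do the cryptographic check and the trust evaluation together against a caller-supplied trusted certificate instead of trusting whatever KeyInfo the Response carries. It assumes the caller already has the DOM root element of the decoded Response and has loaded the trusted certificate out of band; the class name and the `trustedCert` / `expectedIssuer` parameters are my own, and the OpenSAML 2 API names are the ones in Brent's message and the linked manual.

```java
import java.security.cert.X509Certificate;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidatorSuite;
import org.w3c.dom.Element;

public class ResponseSignatureCheck {
    // respRoot: DOM root of the base64-decoded SAML 2 Response (caller parses it).
    // trustedCert / expectedIssuer: hypothetical parameters supplied from an out-of-band
    // source (in production they would come from the IdP's metadata).
    public static boolean validate(Element respRoot, X509Certificate trustedCert,
                                   String expectedIssuer) throws Exception {
        DefaultBootstrap.bootstrap(); // loads the OpenSAML configuration; once per JVM

        // Unmarshal and cast to the Response interface, not the ResponseImpl class
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(respRoot);
        Response response = (Response) um.unmarshall(respRoot);

        // Schema-validate the whole tree (Response plus nested Assertions), not just the root
        ValidatorSuite suite = Configuration.getValidatorSuite("saml2-core-schema-validator");
        suite.validate(response);

        Signature sig = response.getSignature();
        if (sig == null) return false; // unsigned Response: nothing to trust
        // Reject signatures that break the SAML profile (e.g. extra References) before any crypto
        new SAMLSignatureProfileValidator().validate(sig);

        // Trust evaluation: the engine uses kiResolver to read candidate keys out of KeyInfo,
        // but only accepts one that matches a credential from the trusted resolver.
        Credential trusted = SecurityHelper.getSimpleCredential(trustedCert, null);
        KeyInfoCredentialResolver kiResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        SignatureTrustEngine engine =
            new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(trusted), kiResolver);
        CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(expectedIssuer));
        return engine.validate(sig, criteria); // false means crypto or trust check failed
    }
}
```

The StaticCredentialResolver ignores the EntityIDCriteria, but the trust engine requires a criteria set and a metadata-backed resolver would use it to pick the issuer's signing credentials.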




