mace-opensaml-users - Re: Validating a signature - Help
Subject: OpenSAML user discussion
List archive
- From: "Jerry Thome" <>
- To:
- Subject: Re: Validating a signature - Help
- Date: Mon, 18 Feb 2008 07:38:51 -0600
Thank you Brent! This was the most accurate, comprehensive, and quickest response that I've received in a long time from any 'third party'. I was able to get my simple validation working right away and openSAML is now a little de-mystified for me. The documentation did make more sense once I got my example working.... although my example was exactly what the documentation said ; )
I did have a little trouble with the KeyInfoCredentialResolver suggestion. The resolveSingle() method was not available to me. I must not have the base 'configuration' enabled or something else not setup. I used the helpers to create the credential as you recommended. I really need to dig into the User's Manual more and understand more of the toolkit.
Anyhow, thanks again. I look forward to expanding my use of this API.
"Brent Putman"
<>
02/15/2008 05:22 PM
|
|
In case you didn't find it, have a look here:
https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG
That describes the use of the org.opensaml.xml.signature.SignatureValidator, which is our lowest level component that does the actual cryptographic validation of the signature..
More below...
Jerry Thome wrote:
I spent a couple hours yesterday downloading the various projects and finally got openSAML2 to build. I found an example somewhere on how to start processing an XML doc (I think here http://code.crt.realtors.org/projects/websso). I took the HTTP response, base64 decoded it and put it in an XML file. I've performed basic structure validation, but I can't quite figure out how to make the leap to actually validate the signature. I think I need to use 'TrustEngines' or 'CredentialResolvers' but I need some help.
Yeah, the above SignatureValidator is what you need for the low-level crypto operation.
To get a Java X509Certificate or PublicKey object from the KeyInfo, see the org.opensaml.xml.security.keyinfo.KeyInfoHelper class. There are methods to convert the Java cert or key into a Credential in the org.opensaml.xml.security.SecurityHelper.
Or even better, see the KeyInfoCredentialResolver stuff in the security.keyinfo package.
These are the lowest level things you could do
Does anyone have an example? For a real production implementation, I know I would use certificates from a MetaData file to compare with the cert in the KeyInfo... but here I just want to use everything in the Response.
To be clear, you don't *have* to use certificates or keys from SAML metadata. But for production use, you do have to perform some trust evaluation on the validation key. You can't just validate with what's in the response KeyInfo and be done. For anything other than playing around and learning, you have to do some trust evaluation, and that's what the SignatureTrustEngines are for - the perform the cryptographic validation of the signature and the trust evaluation of the key/certificate together, based on resolving trusted information using some kind of resolver, e.g. CredentialResolver of trusted credentials. Just FYI.
// Unmarshall using the document root element
ResponseImpl inCommonMD = (ResponseImpl) unmarshaller.unmarshall(respRoot);
Technically, you probably shouldn't cast that to a ResponseImpl, but rather just Response, which is an interface. Don't want to make assumptions about the underlying class implementation. It might change, etc.
KeyInfo keyInfo = sig.getKeyInfo();
List list = keyInfo.getX509Datas();
X509Data data = "(X509Data)" list.get(0);
List certs = data.getX509Certificates();
X509Certificate certificate = (X509Certificate) certs.get(0);
You can also use a KeyInfoCredentialResolver to get the Credential out of the KeyInfo:
KeyInfoCredentialResolver kiResolver =
Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
CriteriaSet criteriaSet = new CriteriaSet( new KeyInfoCriteria(keyInfo) );
Credential cred = kiResolver.resolveSingle(criteriaSet);
And use that resolved credential as the input to the SignatureValidator.
ResponseSchemaValidator validator = new ResponseSchemaValidator();
validator.validate(inCommonMD);
SAMLSignatureProfileValidator val = new SAMLSignatureProfileValidator();
val.validate(sig);
SignatureSchemaValidator sigVal = new SignatureSchemaValidator();
sigVal.validate(sig);
Note that the *SchemaValidators called like that only validate that actual object, not any children (e.g. Assertions within the Response). If you to validate the whole response, do something like:
ValidatorSuite suite = Configuration.getValidatorSuite("saml2-core-schema-validator");
suite.validate(response);
Assuming that you're using SAML 2.
Of course you could also do DOM-level schema validation via the ParserPool, which would be much more efficient.
HTH,
Brent
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by email.
- Validating a signature - Help, Jerry Thome, 02/15/2008
- Re: Validating a signature - Help, Brent Putman, 02/15/2008
- Re: Validating a signature - Help, Jerry Thome, 02/18/2008
- Re: Validating a signature - Help, Brent Putman, 02/19/2008
- Re: Validating a signature - Help, Brent Putman, 02/19/2008
- Re: Validating a signature - Help, Jerry Thome, 02/18/2008
- Re: Validating a signature - Help, Brent Putman, 02/15/2008
Archive powered by MHonArc 2.6.16.