
mace-opensaml-users - Re: Validating a signature - Help

Subject: OpenSAML user discussion


Re: Validating a signature - Help


  • From: "Jerry Thome" <>
  • To:
  • Subject: Re: Validating a signature - Help
  • Date: Mon, 18 Feb 2008 07:38:51 -0600


Thank you Brent!  This was the most accurate, comprehensive, and quickest response that I've received in a long time from any 'third party'.  I was able to get my simple validation working right away and openSAML is now a little de-mystified for me.  The documentation did make more sense once I got my example working.... although my example was exactly what the documentation said  ;  )

I did have a little trouble with the KeyInfoCredentialResolver suggestion.  The resolveSingle() method was not available to me.  I must not have the base 'configuration' enabled or something else not setup.  I used the helpers to create the credential as you recommended.  I really need to dig into the User's Manual more and understand more of the toolkit.

Anyhow, thanks again.  I look forward to expanding my use of this API.




"Brent Putman" <>

02/15/2008 05:22 PM

Subject: Re: Validating a signature - Help

In case you didn't find it, have a look here:

https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG

That describes the use of the org.opensaml.xml.signature.SignatureValidator, which is our lowest level component that does the actual cryptographic validation of the signature.

More below...


Jerry Thome wrote:



I spent a couple hours yesterday downloading the various projects and finally got openSAML2 to build.  I found an example somewhere on how to start processing an XML doc (I think here: http://code.crt.realtors.org/projects/websso).  I took the HTTP response, base64 decoded it and put it in an XML file.  I've performed basic structure validation, but I can't quite figure out how to make the leap to actually validate the signature.   I think I need to use 'TrustEngines' or 'CredentialResolvers' but I need some help.


Yeah, the above SignatureValidator is what you need for the low-level crypto operation.  

To get a Java X509Certificate or PublicKey object from the KeyInfo, see the org.opensaml.xml.security.keyinfo.KeyInfoHelper class.  There are methods to convert the Java cert or key into a Credential in the org.opensaml.xml.security.SecurityHelper.

Or even better, see the KeyInfoCredentialResolver stuff in the security.keyinfo package.

These are the lowest level things you could do.



Does anyone have an example?  For a real production implementation, I know I would use certificates from a MetaData file to compare with the cert in the KeyInfo... but here I just want to use everything in the Response.



To be clear, you don't *have* to use certificates or keys from SAML metadata.  But for production use, you do have to perform some trust evaluation on the validation key.  You can't just validate with what's in the response KeyInfo and be done.  For anything other than playing around and learning, you have to do some trust evaluation, and that's what the SignatureTrustEngines are for - they perform the cryptographic validation of the signature and the trust evaluation of the key/certificate together, based on resolving trusted information using some kind of resolver, e.g. a CredentialResolver of trusted credentials.  Just FYI.




// Unmarshall using the document root element
ResponseImpl inCommonMD = (ResponseImpl) unmarshaller.unmarshall(respRoot);



Technically, you probably shouldn't cast that to a ResponseImpl, but rather just Response, which is an interface.  Don't want to make assumptions about the underlying class implementation.  It might change, etc.


// Pull the first certificate out of the signature's KeyInfo
KeyInfo keyInfo = sig.getKeyInfo();
List list = keyInfo.getX509Datas();
X509Data data = (X509Data) list.get(0);
List certs = data.getX509Certificates();
X509Certificate certificate = (X509Certificate) certs.get(0);


You can also use a KeyInfoCredentialResolver to get the Credential out of the KeyInfo:

KeyInfoCredentialResolver kiResolver =
  Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
CriteriaSet criteriaSet = new CriteriaSet( new KeyInfoCriteria(keyInfo) );
Credential cred = kiResolver.resolveSingle(criteriaSet);



And use that resolved credential as the input to the SignatureValidator.





ResponseSchemaValidator validator = new ResponseSchemaValidator();
validator.validate(inCommonMD);

SAMLSignatureProfileValidator val = new SAMLSignatureProfileValidator();
val.validate(sig);

SignatureSchemaValidator sigVal = new SignatureSchemaValidator();
sigVal.validate(sig);



Note that the *SchemaValidators called like that only validate that actual object, not any children (e.g. Assertions within the Response).  If you want to validate the whole response, do something like:


ValidatorSuite suite = Configuration.getValidatorSuite("saml2-core-schema-validator");
suite.validate(response);



Assuming that you're using SAML 2.

Of course you could also do DOM-level schema validation via the ParserPool, which would be much more efficient.

HTH,
Brent




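The flow Brent lays out above (decode and unmarshall the Response, schema- and profile-validate it, resolve a credential from the KeyInfo, run the SignatureValidator, and then, for anything beyond learning, let a SignatureTrustEngine do crypto validation and trust evaluation together) pulled into one class. This is an added example written for this archive page, not code from either poster or from the OpenSAML project itself. It targets the OpenSAML 2.x API named in the thread; the class name, the `idpEntityId` parameter and the pinned-certificate path `/path/to/idp-signing.pem` are placeholders of this example, and a StaticCredentialResolver of one pinned certificate stands in for the metadata-backed resolver a real deployment would use.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.validation.ValidatorSuite;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Placeholder class name for this example
public class ResponseSignatureCheck {

    /** Base64-decode the SAMLResponse value and unmarshall it; cast to the Response interface, not ResponseImpl. */
    static Response parseResponse(String base64Response) throws Exception {
        ParserPool pool = Configuration.getParserPool();
        Document doc = pool.parse(new ByteArrayInputStream(Base64.decode(base64Response)));
        Element root = doc.getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        XMLObject obj = unmarshaller.unmarshall(root);
        return (Response) obj;
    }

    /** Schema-validate the whole tree (Assertions included), then check the signature follows the SAML profile. */
    static Signature validateStructure(Response response) throws Exception {
        ValidatorSuite suite = Configuration.getValidatorSuite("saml2-core-schema-validator");
        suite.validate(response);
        Signature sig = response.getSignature();
        if (sig == null) {
            throw new IllegalStateException("Response carries no Signature");
        }
        new SAMLSignatureProfileValidator().validate(sig);
        return sig;
    }

    /** Crypto-only check with whatever key the response's own KeyInfo carries. Proves integrity, not trust. */
    static void validateCryptoOnly(Signature sig) throws Exception {
        KeyInfoCredentialResolver kiResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        Credential cred = kiResolver.resolveSingle(new CriteriaSet(new KeyInfoCriteria(sig.getKeyInfo())));
        new SignatureValidator(cred).validate(sig); // throws ValidationException if the signature is bad
    }

    /** Crypto validation plus trust evaluation in one step, against a pinned IdP signing certificate. */
    static boolean validateWithTrust(Signature sig, X509Certificate trustedIdpCert, String idpEntityId)
            throws Exception {
        Credential trusted = SecurityHelper.getSimpleCredential(trustedIdpCert, null);
        // Static resolver returns the pinned credential regardless of criteria; a metadata resolver would
        // select on the entity ID and usage criteria below, so they are kept to mirror production use.
        ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
            new StaticCredentialResolver(trusted),
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(idpEntityId));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return engine.validate(sig, criteria);
    }

    /** Load a PEM/DER encoded certificate from disk (path and entity ID are placeholders). */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders, marshallers, validator suites, security config
        String base64Response = args[0]; // the raw SAMLResponse form value
        Response response = parseResponse(base64Response);
        Signature sig = validateStructure(response);

        validateCryptoOnly(sig); // learning step: key comes from the message itself

        X509Certificate idpCert = loadCert("/path/to/idp-signing.pem"); // placeholder
        boolean trusted = validateWithTrust(sig, idpCert, "https://idp.example.org/idp"); // placeholder entity ID
        System.out.println(trusted ? "signature valid and key trusted" : "signature NOT trusted");
    }
}
```

The two check methods are kept separate on purpose: `validateCryptoOnly` answers only "does the signature verify with the key the sender supplied?", which any sender can arrange. `validateWithTrust` is the one to keep once the toolkit is no longer a mystery, because the trust engine compares the KeyInfo key against credentials you already trust before accepting the signature, and it returns `false` rather than throwing when the key is simply unknown.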

