
mace-opensaml-users - Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule

Subject: OpenSAML user discussion


Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule
  • Date: Wed, 26 May 2010 23:40:20 -0400



On 5/26/2010 10:18 PM, rangeli nepal wrote:
> Currently I am using SAML2HTTPRedirectDeflateSignatureRule and
> SAML2HTTPPostSimpleSignRule with metadata. Both work for me. Now I am
> trying to understand how they work :).
>
> I think they try to build a signature from the metadata-provided
> credential (X509Certificate) and the message-specified credential and
> compare them?
> Any explanation will be highly appreciated.


Well, ultimately yes, but the precise low-level crypto operations you
describe are ultimately performed by Java Signature and Mac instances,
for public key and symmetric key cases respectively. The rules use a
SignatureTrustEngine, and the impls of those we ship use the SigningUtil
helper class (below) for the raw (non-XML) signatures. The
SignatureTrustEngines call the SigningUtil verifyWithURI method to
evaluate the simple signatures:

http://svn.middleware.georgetown.edu/view/java-xmltooling/branches/REL_1/src/main/java/org/opensaml/xml/security/SigningUtil.java?revision=564&view=markup

The Java Signature class API has a built-in method for signature
verification. The Mac API doesn't, so you just generate the MAC over
the data using it and then compare the byte[] arrays externally.
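The two verification paths Brent describes, as an added example written for this archive page (it is not OpenSAML's SigningUtil and does not use its API): java.security.Signature verifies with its built-in verify(), while javax.crypto.Mac has no such method, so the MAC is recomputed and the two byte arrays are compared outside the API. The algorithm names, the generated keys and the sample data are assumptions chosen for the demonstration; MessageDigest.isEqual is used for the comparison because, unlike Arrays.equals, it does not stop at the first mismatching byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;

public class SimpleSignatureCheck {

    // Public-key case: java.security.Signature has verify() built in.
    static boolean verifyWithSignature(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA"); // assumed algorithm
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(sig);
    }

    // Symmetric case: javax.crypto.Mac has no verify(); recompute the MAC over the
    // data and compare the byte[] arrays ourselves. MessageDigest.isEqual compares
    // in constant time, so response timing does not reveal how many leading bytes matched.
    static boolean verifyWithMac(SecretKey key, byte[] data, byte[] mac) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256"); // assumed algorithm
        hmac.init(key);
        byte[] expected = hmac.doFinal(data);
        return MessageDigest.isEqual(expected, mac);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for the signed query-string content.
        byte[] data = "SAMLRequest=constructed&SigAlg=constructed".getBytes(StandardCharsets.UTF_8);

        // Sign with a freshly generated RSA key pair, then verify with the public key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();
        System.out.println("Signature valid: " + verifyWithSignature(kp.getPublic(), data, sig));

        // MAC with a freshly generated HMAC key, then verify by recomputation.
        SecretKey hmacKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        Mac signerMac = Mac.getInstance("HmacSHA256");
        signerMac.init(hmacKey);
        byte[] mac = signerMac.doFinal(data);
        System.out.println("MAC valid: " + verifyWithMac(hmacKey, data, mac));

        // Flip one bit of the data: both checks must now fail.
        data[0] ^= 1;
        System.out.println("After tampering: " + verifyWithSignature(kp.getPublic(), data, sig)
                + " / " + verifyWithMac(hmacKey, data, mac));
    }
}
```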


