mace-opensaml-users - Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule
- From: Brent Putman <>
- Cc: rangeli nepal <>
- Subject: Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule
- Date: Thu, 27 May 2010 00:04:56 -0400
On 5/26/2010 10:18 PM, rangeli nepal wrote:
> Currently I am using SAML2HTTPRedirectDeflateSignatureRule and
> SAML2HTTPPostSimpleSignRule with metadata. Both works for me. Now I am
> trying to understand how they work :).
>
> I think they try to build signature from metadata provided
> credential(X509Certificate) and Message specified credential and
> compare them?
Hit send button too quickly... Actually, I meant to also add that that
isn't literally quite right, at least for the asymmetric crypto case
(public/private key pair). Conceptually, the security rules and trust
engines can not compute the signature from the message-specified
credential, because they don't have the corresponding private key. But
of course they don't have to, because the signature (a byte[]) is
obviously included in the message, that being the whole point of this.
The rules/engines then ensure that the supplied signature byte[] is
consistent with both the signed content and the key pair used for
signing, the latter via the corresponding public key, which *is* known
one way or another (e.g. from metadata or from the message). They also
verify that the public key is trusted. The crypto is done in
algorithm-specific manner (e.g. RSA) in the corresponding Java Security
Signature impl.
For the symmetric key (HMAC) case, the verifier knows the shared secret,
so it just re-computes the signature byte[] over the message content and
compares to the signature byte[] that was sent in the message.
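The two verification paths described above, as an added example that is not OpenSAML code and not from this thread: it uses the JDK's own java.security.Signature and javax.crypto.Mac directly. The query-string form being signed is the one the SAML 2.0 HTTP-Redirect binding defines (SAMLRequest, optional RelayState, SigAlg, with the Signature parameter excluded); the class name, the parameter values and the shared secret are constructed, and a freshly generated RSA key pair stands in for the public key that metadata would supply.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RedirectSignatureCheck {
    // The HTTP-Redirect binding signs this query-string form (without the Signature
    // parameter), built from the already URL-encoded parameter values.
    static String signedContent(String samlRequest, String relayState, String sigAlg) {
        String content = "SAMLRequest=" + samlRequest;
        if (relayState != null) content += "&RelayState=" + relayState;
        return content + "&SigAlg=" + sigAlg;
    }

    // Asymmetric case: no private key here, so the signature is not recomputed. The
    // received bytes are checked against the content and a public key the verifier
    // trusts (e.g. one taken from the issuer's metadata).
    static boolean verifyRsa(PublicKey trusted, String content, byte[] sigBytes) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(trusted);
        sig.update(content.getBytes(StandardCharsets.UTF_8));
        return sig.verify(sigBytes);
    }

    // Symmetric (HMAC) case: the verifier holds the shared secret, recomputes the
    // MAC over the content and compares it to the received bytes in constant time.
    static boolean verifyHmac(byte[] secret, String content, byte[] received) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return MessageDigest.isEqual(mac.doFinal(content.getBytes(StandardCharsets.UTF_8)), received);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values; a real SAMLRequest is a DEFLATEd, base64d, URL-encoded AuthnRequest.
        String content = signedContent("constructedDeflatedBase64Request", "myRelayState",
                "http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256");
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuer = gen.generateKeyPair(); // stands in for the issuer's metadata key pair

        Signature signer = Signature.getInstance("SHA256withRSA"); // the issuer's side
        signer.initSign(issuer.getPrivate());
        signer.update(content.getBytes(StandardCharsets.UTF_8));
        byte[] sigBytes = signer.sign();

        System.out.println("RSA intact:   " + verifyRsa(issuer.getPublic(), content, sigBytes));
        System.out.println("RSA tampered: " + verifyRsa(issuer.getPublic(), content.replace("myRelayState", "other"), sigBytes));
    }
}
```

verifyHmac is the shared-secret counterpart: unlike verifyRsa it can and does recompute the signature bytes itself, which is why a leaked shared secret lets anyone forge messages while a leaked public key does not.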