
mace-opensaml-users - Re: [OpenSAML] How to validate specific parts of the X.509 subject name in the signing certificate

Subject: OpenSAML user discussion


Re: [OpenSAML] How to validate specific parts of the X.509 subject name in the signing certificate

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] How to validate specific parts of the X.509 subject name in the signing certificate
  • Date: Mon, 15 Nov 2010 18:25:04 -0500



On 11/15/10 5:25 PM, JM Tremblay wrote:
> Hi,
>
> I'm looking at PKIXSignatureTrustEngine.evaluateTrust() and
> checkNames() in OpenSAML Java 2.4.0 and I see that with some Criteria
> I could get the trust engine to validate that the received signing
> certificate has a certain subject name.


Yes, the intention there being that the supplied Criteria are used as
the basis for resolving some set of trusted names as a Set<String> using
the supplied
org.opensaml.xml.security.x509.PKIXValidationInformationResolver.




> But do you guys have a hint on
> how I could validate only certain parts of the subject name (eg.
> O=organization)? I was hoping I could derive some custom Criteria or
> pass in an X509SubjectNameCriteria with some wildcards. But that
> doesn't seem possible. Do you recommend deriving a custom
> PKIXSignatureTrustEngine?


I think the most straightforward approach would be to supply your own
impl of org.opensaml.xml.security.x509.X509CredentialNameEvaluator.
That's pretty much what it does, evaluate the Credential (i.e.
certificate) names. One of the PKIX signature trust engine constructors
defaults it to
org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator, but you
can supply an impl explicitly with one of the other constructors.

You might just extend that Basic- one with your own additional checks,
which supports eval against the 1) full subject DN 2) subject DN's CN
value 3) subject alt names of specifiable types. You can individually
toggle those checks.

You could more or less hardcode the specific names, etc. in your impl,
but perhaps better: you could have them be resolved dynamically from the
PKIXValidationInformationResolver and then evaluated by the
X509CredentialNameEvaluator, which is the real intent there.

You could also just subclass the trust engine and override the
checkNames(...) method, but I'd see that as the messier approach, since
there is already a pluggable component exposed.

HTH,
Brent
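
The approach Brent describes, written out as an added example (this is not code from the thread or from the OpenSAML project): a custom X509CredentialNameEvaluator that treats any trusted name of the form "O=<organization>" as a constraint on the Organization RDN of the signing certificate's subject DN, and hands every other trusted name to the stock BasicX509CredentialNameEvaluator so full-DN, CN and subjectAltName matching still work. The trusted names come from the PKIXValidationInformationResolver, as he suggests, rather than being hardcoded. The class name OrganizationX509CredentialNameEvaluator, the helper buildTrustEngine, and the value "Example Organization" are assumptions made for this example; the OpenSAML 2.4 classes, constructors and Configuration lookup used here are the ones I believe ship with that release and should be checked against the javadoc for the exact version in use.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator;
import org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformationResolver;
import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.security.x509.X509CredentialNameEvaluator;
import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;

/**
 * Hypothetical name evaluator (example code, not part of OpenSAML).
 * Trusted names starting with "O=" must match the Organization RDN of the
 * signing certificate's subject DN; all other trusted names are delegated to
 * BasicX509CredentialNameEvaluator (full subject DN, CN, subjectAltName checks).
 */
public class OrganizationX509CredentialNameEvaluator implements X509CredentialNameEvaluator {

    private static final String ORG_PREFIX = "O=";

    private final BasicX509CredentialNameEvaluator basicEvaluator = new BasicX509CredentialNameEvaluator();

    public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException {
        if (trustedNames == null || trustedNames.isEmpty()) {
            // Fail closed: with nothing to match against, the name check cannot succeed.
            return false;
        }
        X509Certificate cert = credential.getEntityCertificate();
        if (cert == null) {
            throw new SecurityException("Credential has no entity certificate to evaluate");
        }

        // Split the resolved trusted names into O= constraints and everything else.
        Set<String> orgConstraints = new HashSet<String>();
        Set<String> otherNames = new HashSet<String>();
        for (String name : trustedNames) {
            if (name.regionMatches(true, 0, ORG_PREFIX, 0, ORG_PREFIX.length())) {
                orgConstraints.add(normalize(name.substring(ORG_PREFIX.length())));
            } else {
                otherNames.add(name);
            }
        }

        if (!orgConstraints.isEmpty() && subjectOrganizationMatches(cert, orgConstraints)) {
            return true;
        }
        // Remaining names are evaluated exactly as the stock evaluator would.
        return !otherNames.isEmpty() && basicEvaluator.evaluate(credential, otherNames);
    }

    /** True if any Organization attribute in the subject DN equals one of the constraints. */
    static boolean subjectOrganizationMatches(X509Certificate cert, Set<String> orgConstraints)
            throws SecurityException {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                // toAttributes() also covers multi-valued RDNs such as "O=Acme+OU=IT".
                Attribute org = rdn.toAttributes().get("O");
                if (org == null) {
                    continue;
                }
                NamingEnumeration<?> values = org.getAll();
                while (values.hasMore()) {
                    if (orgConstraints.contains(normalize(String.valueOf(values.next())))) {
                        return true;
                    }
                }
            }
        } catch (NamingException e) {
            // An unparseable subject DN is a failure, not a pass.
            throw new SecurityException("Unable to parse subject DN: " + dn, e);
        }
        return false;
    }

    /** Case-insensitive, whitespace-trimmed comparison, approximating X.500 caseIgnoreMatch. */
    private static String normalize(String value) {
        return value.trim().toLowerCase(Locale.ROOT);
    }

    /** Wires the evaluator into a PKIX signature trust engine; the trusted name is a constructed value. */
    public static PKIXSignatureTrustEngine buildTrustEngine(Collection<X509Certificate> trustAnchors) {
        PKIXValidationInformation info = new BasicPKIXValidationInformation(trustAnchors, null, 5);
        Set<String> trustedNames = new HashSet<String>(Arrays.asList("O=Example Organization"));
        PKIXValidationInformationResolver resolver =
                new StaticPKIXValidationInformationResolver(Collections.singletonList(info), trustedNames);
        KeyInfoCredentialResolver keyInfoResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        return new PKIXSignatureTrustEngine(resolver, keyInfoResolver,
                new CertPathPKIXTrustEvaluator(), new OrganizationX509CredentialNameEvaluator());
    }
}
```

Two things worth keeping in mind with this approach: the name check only narrows which certificates are accepted after PKIX path validation has already succeeded, so it is a supplement to a properly constrained set of trust anchors, not a substitute for one; and because the Organization RDN is whatever the issuing CA put in the subject, an "O=" constraint is only as strong as that CA's vetting of organization names.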



