mace-opensaml-users - Re: [OpenSAML] Signing SAML Messages - HOWTO Create Signing Credential

Subject: OpenSAML user discussion

Re: [OpenSAML] Signing SAML Messages - HOWTO Create Signing Credential


  • From: Paul Hethmon <>
  • To: OpenSAML List <>
  • Subject: Re: [OpenSAML] Signing SAML Messages - HOWTO Create Signing Credential
  • Date: Wed, 9 Feb 2011 15:29:45 +0000
  • Accept-language: en-US

John,

Here's a method I use to pick up the public key to verify signatures from
SAML metadata; it might help a bit. In my ctor for this class I also
specify to use BouncyCastle as the preferred provider:

-----
// Choose to use the Bouncy Castle JCE provider most often
Security.insertProviderAt(new BouncyCastleProvider(), 2);
-----


// Imports needed by the method below (OpenSAML 2.x package names).
import java.security.KeyFactory;
import java.security.spec.X509EncodedKeySpec;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.impl.EntityDescriptorImpl;
import org.opensaml.saml2.metadata.impl.IDPSSODescriptorImpl;
import org.opensaml.saml2.metadata.impl.KeyDescriptorImpl;
import org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;

// parser, getMetaUrl(), getMetaTimeout(), getMetaFile(), setPublicKey(),
// getPublicKey() and setSignatureValidator() are members of the enclosing
// class and are not shown in this message.
public boolean fetchMetaData()
    throws MetadataProviderException,
           java.security.cert.CertificateException,
           java.security.NoSuchAlgorithmException,
           java.security.spec.InvalidKeySpecException
{
    // Pull the metadata from the web server
    FileBackedHTTPMetadataProvider fbmd;
    fbmd = new FileBackedHTTPMetadataProvider(getMetaUrl(),
                                              getMetaTimeout(), getMetaFile());
    fbmd.setParserPool(parser);
    fbmd.initialize();

    // Now start to parse it out.
    // getMetadata() returns the root XMLObject; this cast only holds when the
    // document is a single EntityDescriptor rather than an EntitiesDescriptor.
    EntityDescriptorImpl exml;
    exml = (EntityDescriptorImpl) fbmd.getMetadata();
    // System.out.println("Have EntityDescriptorImpl XMLObject");

    IDPSSODescriptorImpl idp;
    idp = (IDPSSODescriptorImpl)
        exml.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
    // System.out.println("Got IDPSSODescriptor");

    java.util.List<KeyDescriptor> keyList;
    keyList = idp.getKeyDescriptors();

    // Takes the first KeyDescriptor regardless of its "use" attribute; an IdP
    // that lists an encryption key first would hand back the wrong key here.
    KeyDescriptorImpl keyDesc;
    keyDesc = (KeyDescriptorImpl) keyList.get(0);

    // Get the KeyInfo node
    KeyInfo keyInfo;
    keyInfo = keyDesc.getKeyInfo();
    // System.out.println("Got KeyInfo");

    // Get the list of certificates
    java.util.List<X509Data> x509List;
    x509List = keyInfo.getX509Datas();

    // Pull out the first x509 data element
    X509Data x509Data;
    x509Data = x509List.get(0);

    // Now the certificates
    java.util.List<X509Certificate> x509CertList;
    x509CertList = x509Data.getX509Certificates();

    // finally the certificate
    X509Certificate x509Cert;
    x509Cert = x509CertList.get(0);

    // We need a Java X509Certificate object first
    java.security.cert.X509Certificate jX509Cert;
    // Now create it based on the OpenSAML X509Certificate object
    jX509Cert = KeyInfoHelper.getCertificate(x509Cert);
    // Now we can pull out the public key part of the certificate into a KeySpec.
    // jX509Cert.getPublicKey() is already a usable java.security.PublicKey; the
    // KeySpec/KeyFactory round trip re-creates it through the preferred provider.
    X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(
        jX509Cert.getPublicKey().getEncoded());

    // Get our KeyFactory object that creates key objects for us, specifying RSA
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    // System.out.println("provider = " + keyFactory.getProvider().toString());
    // Now let's finally generate that PublicKey that we can actually use to
    // validate signatures
    setPublicKey(keyFactory.generatePublic(pubKeySpec));

    // Now we need to validate the signature. First create the Credentials
    org.opensaml.xml.security.x509.BasicX509Credential publicCredential =
        new org.opensaml.xml.security.x509.BasicX509Credential();
    // Add the PublicKey value
    publicCredential.setPublicKey(getPublicKey());
    // And create a SignatureValidator with it. SignatureValidator checks only
    // the cryptographic signature against this key; which element the
    // signature actually covers is checked separately (SAMLSignatureProfileValidator).
    setSignatureValidator(new
        org.opensaml.xml.signature.SignatureValidator(publicCredential));

    return true;
}
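The following is an added example, not code from the thread or from the OpenSAML project. It carries the approach above through to the step the message stops at: collecting every signing certificate the IdP declares in its metadata (honouring the KeyDescriptor "use" attribute) and then verifying the enveloped signature on a Response or Assertion. It targets the OpenSAML 2.x API used in the thread; the metadata URL, entity ID, backup file path and the `args[0]` path to a SAML message XML file are placeholders, and the `MetadataSignatureVerifier` class and its method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

public class MetadataSignatureVerifier {

    /** Every certificate the IdP declares for signing (use="signing" or no use attribute). */
    public static List<Credential> signingCredentials(EntityDescriptor entity) throws Exception {
        List<Credential> creds = new ArrayList<Credential>();
        IDPSSODescriptor idp = entity.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
        if (idp == null) {
            return creds;
        }
        for (KeyDescriptor kd : idp.getKeyDescriptors()) {
            // An encryption-only key must never be accepted for signature verification.
            if (kd.getUse() == UsageType.ENCRYPTION || kd.getKeyInfo() == null) {
                continue;
            }
            for (X509Data x509 : kd.getKeyInfo().getX509Datas()) {
                for (X509Certificate cert : KeyInfoHelper.getCertificates(x509)) {
                    BasicX509Credential cred = new BasicX509Credential();
                    cred.setEntityCertificate(cert);
                    cred.setPublicKey(cert.getPublicKey());
                    cred.setEntityId(entity.getEntityID());
                    creds.add(cred);
                }
            }
        }
        return creds;
    }

    /** True only if the object is signed, the signature fits the SAML profile, and one key verifies it. */
    public static boolean verify(SignableSAMLObject signed, List<Credential> creds) {
        if (!signed.isSigned()) {
            return false;
        }
        Signature sig = signed.getSignature();
        try {
            // Rejects signatures with more than one Reference, a Reference that does not point at the
            // enclosing element, or disallowed transforms: the guard against XML signature wrapping.
            new SAMLSignatureProfileValidator().validate(sig);
        } catch (ValidationException e) {
            return false;
        }
        for (Credential cred : creds) {
            try {
                new SignatureValidator(cred).validate(sig);
                return true;
            } catch (ValidationException e) {
                // Not this key; IdPs commonly list an old and a new certificate during rotation.
            }
        }
        return false;
    }

    /** Parse and unmarshal a SAML message (Response or Assertion) from XML. */
    public static SignableSAMLObject parse(BasicParserPool parser, InputStream in) throws Exception {
        Element root = parser.parse(in).getDocumentElement();
        return (SignableSAMLObject)
            Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);

        // Hypothetical IdP: URL, entity ID and backup path are placeholders for this example.
        // Fetch metadata over HTTPS (or filter it with SignatureValidationFilter); whoever can
        // alter the metadata can substitute the verification key.
        FileBackedHTTPMetadataProvider provider = new FileBackedHTTPMetadataProvider(
                "https://idp.example.org/metadata.xml", 5000, "/var/tmp/idp-metadata.xml");
        provider.setParserPool(parser);
        provider.initialize();
        EntityDescriptor idp = provider.getEntityDescriptor("https://idp.example.org/idp");

        List<Credential> creds = signingCredentials(idp);
        SignableSAMLObject message = parse(parser, new FileInputStream(args[0]));
        System.out.println(verify(message, creds) ? "signature OK" : "signature REJECTED");
    }
}
```

Run it with the path to a captured SAML Response as the first argument. `verify()` deliberately runs `SAMLSignatureProfileValidator` before `SignatureValidator`: the second only proves that some signature in the document was made with a declared key, the first proves that the signature is the one enveloping the element you are about to trust.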

Archive powered by MHonArc 2.6.16.