mace-opensaml-users - Re: [OpenSAML] Signing SAML Messages - HOWTO Create Signing Credential

Subject: OpenSAML user discussion

Re: [OpenSAML] Signing SAML Messages - HOWTO Create Signing Credential


  • From: John Gonzales <>
  • To:
  • Cc: Paul Hethmon <>
  • Subject: Re: [OpenSAML] Signing SAML Messages - HOWTO Create Signing Credential
  • Date: Wed, 09 Feb 2011 09:43:50 -0600

Thanks Paul! This should help me get started. I'll take a closer look at it tonight.

On 09/02/2011 9:29 AM, Paul Hethmon wrote:
John,

Here's a method I use to pick up the public key to verify signatures from
SAML metadata, it might help a bit. In my ctor for this class I also
specify to use BouncyCastle as the preferred provider:

-----
// Choose to use the Bouncy Castle JCE provider most often
Security.insertProviderAt(new BouncyCastleProvider(), 2);
-----


// Imports needed by the class that holds this method (OpenSAML 2.x package
// names, plus the JCE and Bouncy Castle classes used in the ctor snippet above).
import java.security.KeyFactory;
import java.security.Security;
import java.security.spec.X509EncodedKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.impl.EntityDescriptorImpl;
import org.opensaml.saml2.metadata.impl.IDPSSODescriptorImpl;
import org.opensaml.saml2.metadata.impl.KeyDescriptorImpl;
import org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;

// parser, getMetaUrl(), getMetaTimeout(), getMetaFile(), setPublicKey(),
// getPublicKey() and setSignatureValidator() are fields and accessors of the
// surrounding class, which the post does not show.
public boolean fetchMetaData()
    throws MetadataProviderException,
           java.security.cert.CertificateException,
           java.security.NoSuchAlgorithmException,
           java.security.spec.InvalidKeySpecException
{
    // Pull the metadata from the web server (cached in a local backing file)
    FileBackedHTTPMetadataProvider fbmd;
    fbmd = new FileBackedHTTPMetadataProvider(getMetaUrl(),
                                              getMetaTimeout(), getMetaFile());
    fbmd.setParserPool(parser);
    fbmd.initialize();

    // Now start to parse it out.
    EntityDescriptorImpl exml;
    exml = (EntityDescriptorImpl) fbmd.getMetadata();
    // System.out.println("Have EntityDescriptorImpl XMLObject");

    // The IdP role for the SAML 2.0 protocol
    IDPSSODescriptorImpl idp;
    idp = (IDPSSODescriptorImpl)
        exml.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
    // System.out.println("Got IDPSSODescriptor");

    java.util.List<KeyDescriptor> keyList;
    keyList = idp.getKeyDescriptors();

    // Take the first KeyDescriptor in the role
    KeyDescriptorImpl keyDesc;
    keyDesc = (KeyDescriptorImpl) keyList.get(0);

    // Get the KeyInfo node
    KeyInfo keyInfo;
    keyInfo = keyDesc.getKeyInfo();
    // System.out.println("Got KeyInfo");

    // Get the list of certificates
    java.util.List<X509Data> x509List;
    x509List = keyInfo.getX509Datas();

    // Pull out the first x509 data element
    X509Data x509Data;
    x509Data = x509List.get(0);

    // Now the certificates
    java.util.List<X509Certificate> x509CertList;
    x509CertList = x509Data.getX509Certificates();

    // finally the certificate
    X509Certificate x509Cert;
    x509Cert = x509CertList.get(0);

    // We need a Java X509Certificate object first
    java.security.cert.X509Certificate jX509Cert;
    // Now create it based on the OpenSAML X509Certificate object
    jX509Cert = KeyInfoHelper.getCertificate(x509Cert);
    // Now we can pull out the public key part of the certificate into a KeySpec
    X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(
        jX509Cert.getPublicKey().getEncoded() );

    // Get our KeyFactory object that creates key objects for us, specifying RSA
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    // System.out.println("provider = " +
    //     keyFactory.getProvider().toString() );
    // Now let's finally generate that PublicKey that we can actually use
    // to validate signatures
    setPublicKey(keyFactory.generatePublic(pubKeySpec));

    // Now we need to validate the signature. First create the Credentials
    org.opensaml.xml.security.x509.BasicX509Credential publicCredential =
        new org.opensaml.xml.security.x509.BasicX509Credential();
    // Add the PublicKey value
    publicCredential.setPublicKey(getPublicKey());
    // And create a SignatureValidator with it.
    setSignatureValidator( new
        org.opensaml.xml.signature.SignatureValidator(publicCredential) );

    return true;
}
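The thread asks how to create a signing credential, and Paul's method covers the other half, the verification credential pulled from metadata. The following is an added example, not code from either poster or from the OpenSAML project, that puts both sides together against the OpenSAML 2.x API: the SP's signing credential is loaded from a PKCS#12 keystore (the path, alias and password are assumed placeholders), a minimal Assertion is signed with it, and the relying-party side runs SAMLSignatureProfileValidator before SignatureValidator. It also differs from the quoted method in two defensive details: the verification credential is built from the KeyDescriptor whose use attribute is not "encryption" rather than from keyList.get(0), and the certificate is handed to BasicX509Credential directly with setEntityCertificate instead of being re-encoded through a KeyFactory. The example issuer value and assertion ID are constructed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.UUID;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.X509Data;

public class SamlSigningExample {

    // Signing side: private key + certificate from a PKCS#12 keystore.
    // Path, alias and password are assumed placeholders for this example.
    static BasicX509Credential loadSigningCredential(String path, String alias, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(cert);  // the credential's public key comes from the cert
        cred.setPrivateKey(key);          // only the signing side ever holds this
        return cred;
    }

    // Verifying side: the IdP's signing certificate from its metadata role.
    // Skips KeyDescriptors marked use="encryption"; an encryption-only key must
    // not be accepted as a signature verification key.
    static BasicX509Credential verificationCredentialFromMetadata(RoleDescriptor role)
            throws Exception {
        for (KeyDescriptor kd : role.getKeyDescriptors()) {
            if (kd.getUse() == UsageType.ENCRYPTION) continue;
            for (X509Data x509Data : kd.getKeyInfo().getX509Datas()) {
                for (org.opensaml.xml.signature.X509Certificate c : x509Data.getX509Certificates()) {
                    BasicX509Credential cred = new BasicX509Credential();
                    cred.setEntityCertificate(KeyInfoHelper.getCertificate(c));
                    return cred;
                }
            }
        }
        throw new IllegalStateException("no signing certificate in metadata");
    }

    // Build a minimal Assertion and enveloped-sign it with the credential.
    @SuppressWarnings("unchecked")
    static Assertion buildSignedAssertion(BasicX509Credential signingCred) throws Exception {
        SAMLObjectBuilder<Assertion> ab = (SAMLObjectBuilder<Assertion>)
            Configuration.getBuilderFactory().getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
        SAMLObjectBuilder<Issuer> ib = (SAMLObjectBuilder<Issuer>)
            Configuration.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);

        Assertion assertion = ab.buildObject();
        assertion.setID("_" + UUID.randomUUID());         // constructed; xs:ID must not start with a digit
        assertion.setIssueInstant(new DateTime());
        Issuer issuer = ib.buildObject();
        issuer.setValue("https://sp.example.test/saml");    // constructed issuer entityID
        assertion.setIssuer(issuer);

        Signature signature = (Signature) Configuration.getBuilderFactory()
            .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCred);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.setSignature(signature);

        // The signature is computed over the marshalled DOM, so marshal first, then sign.
        Marshaller m = Configuration.getMarshallerFactory().getMarshaller(assertion);
        m.marshall(assertion);
        Signer.signObject(signature);
        return assertion;
    }

    // Relying-party check: profile validation first (signature must cover the
    // enclosing element and nothing else), then the cryptographic check.
    static void verify(Assertion assertion, BasicX509Credential idpCred) throws Exception {
        Signature sig = assertion.getSignature();
        if (sig == null) throw new IllegalStateException("assertion is unsigned");
        new SAMLSignatureProfileValidator().validate(sig);
        new SignatureValidator(idpCred).validate(sig);  // throws ValidationException on mismatch
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();  // registers OpenSAML builders, marshallers and validators
        BasicX509Credential signer =
            loadSigningCredential("sp-signing.p12", "sp-signing", "changeit".toCharArray());
        Assertion a = buildSignedAssertion(signer);
        // Self-test: a verification credential carrying only the certificate must accept it.
        BasicX509Credential verifier = new BasicX509Credential();
        verifier.setEntityCertificate(signer.getEntityCertificate());
        verify(a, verifier);
        System.out.println("verified with " + signer.getEntityCertificate().getSubjectX500Principal());
    }
}
```

In a real relying party the verifier credential comes from verificationCredentialFromMetadata() applied to the IDPSSODescriptor that Paul's method fetches, not from the signer's own keystore; the main() above only closes the loop so the example can be run end to end against one keystore.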
