如何验证 SAML 断言签名
How to validate SAML assertion signatures
如何验证 SAML 断言签名?
for (Assertion assertion : samlResponse.getAssertions()) {
try {
if (assertion.getSignature() != null) {
Optional<X509Certificate> x509Certificate = assertion.getSignature().getKeyInfo().getX509Datas()
.stream()
.findFirst()
.map(x509Data -> x509Data.getX509Certificates()
.stream()
.findFirst()
.orElse(null)
);
if (x509Certificate.isPresent()) {
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(KeyInfoHelper.getCertificate(x509Certificate.get()));
// what pub key credential to use here?
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(assertion.getSignature());
}
}
} catch (ValidationException | CertificateException e) {
throw new SAMLException(e.getMessage(), e);
}
}
基本上要放什么 new SignatureValidator(credential)
据我了解,提供 KeyInfo 的 SAML 断言和 X809 证书至少应验证 (SAML: Why is the certificate within the Signature?)
我还有一个来自 idps 元数据的 x509 证书,如果断言或信任链中没有 x509 证书,我想通常应该使用它 (?)
基本上断言中的 x509 证书和 idp 元数据中的证书似乎都不起作用。我在这里错过了什么?
原来我做的一切都是正确的。
打印 opensaml 对象时 xml 您不应使用以下代码:
public static String xmlObjectToString(XMLObject xmlObject) {
try {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xmlObject);
StringWriter sw = new StringWriter();
Element authDOM = marshaller.marshall(xmlObject);
toString(sw, authDOM);
return sw.toString();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private static void toString(StringWriter rspWrt, Element authDOM) throws ParserConfigurationException, TransformerException {
DOMSource domSource = new DOMSource(authDOM);
StreamResult result = new StreamResult(rspWrt);
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
transformer.transform(domSource, result);
}
以上代码改变了原对象的一些内部状态
而是选择
org.opensaml.xml.util.XMLHelper.prettyPrintXML(message.getDOM())
如何验证 SAML 断言签名?
for (Assertion assertion : samlResponse.getAssertions()) {
try {
if (assertion.getSignature() != null) {
Optional<X509Certificate> x509Certificate = assertion.getSignature().getKeyInfo().getX509Datas()
.stream()
.findFirst()
.map(x509Data -> x509Data.getX509Certificates()
.stream()
.findFirst()
.orElse(null)
);
if (x509Certificate.isPresent()) {
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(KeyInfoHelper.getCertificate(x509Certificate.get()));
// what pub key credential to use here?
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(assertion.getSignature());
}
}
} catch (ValidationException | CertificateException e) {
throw new SAMLException(e.getMessage(), e);
}
}
基本上要放什么 new SignatureValidator(credential)
据我了解,提供 KeyInfo 的 SAML 断言和 X809 证书至少应验证 (SAML: Why is the certificate within the Signature?)
我还有一个来自 idps 元数据的 x509 证书,如果断言或信任链中没有 x509 证书,我想通常应该使用它 (?)
基本上断言中的 x509 证书和 idp 元数据中的证书似乎都不起作用。我在这里错过了什么?
原来我做的一切都是正确的。
打印 opensaml 对象时 xml 您不应使用以下代码:
public static String xmlObjectToString(XMLObject xmlObject) {
try {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xmlObject);
StringWriter sw = new StringWriter();
Element authDOM = marshaller.marshall(xmlObject);
toString(sw, authDOM);
return sw.toString();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private static void toString(StringWriter rspWrt, Element authDOM) throws ParserConfigurationException, TransformerException {
DOMSource domSource = new DOMSource(authDOM);
StreamResult result = new StreamResult(rspWrt);
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
transformer.transform(domSource, result);
}
以上代码改变了原对象的一些内部状态
而是选择
org.opensaml.xml.util.XMLHelper.prettyPrintXML(message.getDOM())