SAML 2.0 - How to verify the sender certificate?


Question


I implement a SAML SP in Java.

I send an AuthnRequest to a SAML 2.0 IDP and get an encrypted response.

My question is:

How do I make sure that the response indeed comes from the IDP and not from a hacker?

It is not enough to validate the signature, since this only tells me that the sender has a matching pair of private/public keys, but it could be anyone.

So, I need the IDP to supply me in advance a certificate which I upload to a jks file, and compare it each time to the certificate I extract from the ds:X509Certificate element of the response.

Now, is there a standard way of comparing the sender's certificate with the one stored in my keystore?

I saw the following code:

 import java.security.KeyStore;
 import java.security.cert.*;
 import java.util.Arrays;

 // getKS(), certificateFactory and certFromResponse come from the asker's surrounding code
 KeyStore keyStore = getKS();                            // JKS holding the IdP certificate supplied in advance
 PKIXParameters params = new PKIXParameters(keyStore);   // every trusted-certificate entry becomes a trust anchor
 params.setRevocationEnabled(false);                     // CRL/OCSP checking switched off
 CertPath certPath = certificateFactory.generateCertPath(Arrays.asList(certFromResponse)); // path built from ds:X509Certificate
 CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType()); // "PKIX"
 CertPathValidatorResult result = certPathValidator.validate(certPath, params); // throws CertPathValidatorException if the path does not chain to an anchor

Is it enough? If the validation doesn't throw an exception, does it verify the sender's identity?

Recommended answer

This is the way I have solved the verification of signatures with OpenSAML:

http://blog.samlsecurity.com/2012/11/verifying-signatures-with-opensaml.html

I have also written a book, A Guide to OpenSAML, where I explain in detail encryption and signing and more using OpenSAML.

What is important with the OpenSAML verification methods is that they only verify the cryptographic validity of the signature (that the content has not been changed). It does not, however, verify that the sender is someone that you trust.

The signature validator is instantiated with the public key of the sender to validate against. This is normally exchanged in the setup of an identity federation using SAML Metadata.
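An added example (not code from the question, the linked blog post, or OpenSAML itself) of the trust check the answer describes, in plain JCA: the certificate carried in ds:X509Certificate is matched byte-for-byte against the SP's JKS trust store, and only the stored copy's public key is handed to the signature validator. The class and method names are assumptions.

```java
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

/** Hypothetical helper: resolves the certificate from ds:X509Certificate against the SP trust store. */
public final class SenderTrust {

    /**
     * Returns the trust-store entry that is byte-for-byte identical to the certificate
     * taken from the response, or null if the sender is not a trusted IdP.
     * Comparing DER encodings (rather than subject names) rejects a certificate that
     * merely copies the IdP's subject DN over a different key pair.
     */
    public static X509Certificate findTrustedMatch(X509Certificate fromResponse, KeyStore trustStore)
            throws Exception {
        byte[] presented = fromResponse.getEncoded();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate candidate = trustStore.getCertificate(alias); // trusted-cert or key entry
            if (candidate instanceof X509Certificate
                    && Arrays.equals(presented, candidate.getEncoded())) {
                X509Certificate trusted = (X509Certificate) candidate;
                trusted.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
                return trusted;
            }
        }
        return null;
    }

    /**
     * The public key to give the signature validator. It is deliberately taken from the
     * trust-store copy, never from the key material embedded in the message, so a
     * response signed with somebody else's key pair fails verification even though its
     * ds:Signature is internally consistent.
     */
    public static PublicKey verificationKey(X509Certificate fromResponse, KeyStore trustStore)
            throws Exception {
        X509Certificate trusted = findTrustedMatch(fromResponse, trustStore);
        if (trusted == null) {
            throw new SecurityException("signing certificate is not a trusted IdP certificate");
        }
        return trusted.getPublicKey();
    }
}
```

The same approach carries over to a KeySelector for javax.xml.crypto.dsig or to the credential you build for OpenSAML's validator: resolve the key from your own trust store first, then verify.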
