How to validate SAML assertion signatures
Question
How to validate SAML assertion signatures?
    import java.security.cert.CertificateException;
    import java.util.Optional;

    import org.opensaml.saml2.core.Assertion;
    import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
    import org.opensaml.xml.security.x509.BasicX509Credential;
    import org.opensaml.xml.signature.KeyInfo;
    import org.opensaml.xml.signature.SignatureValidator;
    import org.opensaml.xml.signature.X509Certificate;
    import org.opensaml.xml.validation.ValidationException;

    for (Assertion assertion : samlResponse.getAssertions()) {
        try {
            if (assertion.getSignature() != null) {
                KeyInfo keyInfo = assertion.getSignature().getKeyInfo();
                // Take the first certificate of the first X509Data block, if any (guarded against a missing KeyInfo)
                Optional<X509Certificate> x509Certificate = keyInfo == null
                        ? Optional.empty()
                        : keyInfo.getX509Datas()
                                .stream()
                                .findFirst()
                                .map(x509Data -> x509Data.getX509Certificates()
                                        .stream()
                                        .findFirst()
                                        .orElse(null)
                                );
                if (x509Certificate.isPresent()) {
                    BasicX509Credential credential = new BasicX509Credential();
                    credential.setEntityCertificate(KeyInfoHelper.getCertificate(x509Certificate.get()));
                    // what pub key credential to use here?
                    SignatureValidator validator = new SignatureValidator(credential);
                    validator.validate(assertion.getSignature());
                }
            }
        } catch (ValidationException | CertificateException e) {
            throw new SAMLException(e.getMessage(), e);
        }
    }
Basically, what should go into new SignatureValidator(credential)?
As far as I understand, a SAML assertion with KeyInfo supplied and an X509 cert should at least validate (SAML: Why is the certificate within the Signature?)
I also have an x509 cert from the IdP's metadata which I guess should generally be used if there is no x509 cert in the assertion or within a trust chain (?)
Basically neither the x509 cert in the assertion nor the cert from the IdP metadata seems to work. What am I missing here?
Accepted answer
Turned out I did everything correctly.
When printing an OpenSAML object's XML you should NOT use the following code:
    import java.io.StringWriter;

    import javax.xml.parsers.ParserConfigurationException;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerException;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;

    import org.opensaml.xml.Configuration;
    import org.opensaml.xml.XMLObject;
    import org.opensaml.xml.io.Marshaller;
    import org.w3c.dom.Element;

    public static String xmlObjectToString(XMLObject xmlObject) {
        try {
            // Re-marshalling builds a fresh DOM and discards the one the signature was computed over
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xmlObject);
            StringWriter sw = new StringWriter();
            Element authDOM = marshaller.marshall(xmlObject);
            toString(sw, authDOM);
            return sw.toString();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private static void toString(StringWriter rspWrt, Element authDOM) throws ParserConfigurationException, TransformerException {
        DOMSource domSource = new DOMSource(authDOM);
        StreamResult result = new StreamResult(rspWrt);
        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer transformer = tf.newTransformer();
        transformer.transform(domSource, result);
    }
The above code changes some internal state of the original object.
Instead, use:
org.opensaml.xml.util.XMLHelper.prettyPrintXML(message.getDOM())
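The flow the question and answer describe, put together as an added example (not code from the original post): validate each assertion against the IdP certificate from metadata rather than the certificate embedded in the assertion, run the signature profile check first, and print the object through XMLHelper on the received DOM so the signed content is never re-marshalled. It assumes OpenSAML 2 and that the caller has already loaded the IdP metadata certificate into idpCert.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;

public final class AssertionSignatureCheck {

    // Verifies every assertion with the IdP metadata certificate (the trust anchor).
    // A certificate carried inside the assertion's KeyInfo is only compared against
    // that anchor; it is never used as the verification key, because any sender can
    // embed a certificate that matches its own signature.
    public static void verifyAssertions(Response samlResponse, X509Certificate idpCert)
            throws ValidationException, CertificateException {
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(idpCert);
        SAMLSignatureProfileValidator profile = new SAMLSignatureProfileValidator();

        for (Assertion assertion : samlResponse.getAssertions()) {
            Signature signature = assertion.getSignature();
            if (signature == null) {
                throw new ValidationException("Unsigned assertion rejected");
            }
            // Rejects signatures whose Reference does not point at the enclosing
            // assertion (the check that defeats XML signature wrapping).
            profile.validate(signature);

            // Any certificate the sender embedded must be the one already trusted.
            if (signature.getKeyInfo() != null) {
                for (X509Certificate c : KeyInfoHelper.getCertificates(signature.getKeyInfo())) {
                    if (!c.equals(idpCert)) {
                        throw new ValidationException("Embedded certificate differs from IdP metadata");
                    }
                }
            }
            // Cryptographic check with the metadata key, on the DOM as received.
            new SignatureValidator(trusted).validate(signature);

            // Print without re-marshalling, so the signed DOM stays untouched.
            System.out.println(XMLHelper.prettyPrintXML(assertion.getDOM()));
        }
    }
}
```

Call verifyAssertions only on a Response that was unmarshalled from the inbound message and not marshalled again, since re-marshalling is exactly the state change the answer warns about.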