[OpenSAML] How to Best Validate Signature in Redirect Profile


Robert Winch

Aug 22, 2009, 6:20:13 PM8/22/09
to mace-open...@internet2.edu
I am wondering if anyone can tell me how to best validate the signature when using the HTTPRedirectDeflateDecoder? I have searched around and looked in the opensaml tests and am unable to figure it out.

Thanks in advance,
Rob

Deena Gurajala

Aug 25, 2009, 2:21:01 PM8/25/09
to mace-open...@internet2.edu
You can use the following method to decompress the incoming request.

import java.io.ByteArrayOutputStream;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;

public static byte[] getinflatedString(byte[] byteArray) throws Exception {
    byte[] unCompBytes = null;
    ByteArrayOutputStream byteArrOtptStr = null;
    // Raw DEFLATE without a zlib header, as the SAML HTTP-Redirect binding uses
    Inflater inflater = new Inflater(true);
    try {
        inflater.setInput(byteArray);
        byteArrOtptStr = new ByteArrayOutputStream(byteArray.length);
        byte[] buf = new byte[1024];
        while (!inflater.finished()) {
            int count = inflater.inflate(buf);
            // Guard against spinning forever on truncated or malformed input
            if (count == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                throw new DataFormatException("truncated or malformed DEFLATE stream");
            }
            byteArrOtptStr.write(buf, 0, count);
        }
        unCompBytes = byteArrOtptStr.toByteArray();
    } finally {
        inflater.end(); // release the native zlib state
        if (byteArrOtptStr != null) {
            byteArrOtptStr.close();
        }
    }
    return unCompBytes;
}

After you deflate the incoming request, convert it to an XML element.
Then use the Unmarshaller to parse the element into the corresponding OpenSAML object (like an AuthenticationRequest object etc.).

Hope it helps.

Scott Cantor

Aug 25, 2009, 2:26:00 PM8/25/09
to mace-open...@internet2.edu
Deena Gurajala wrote on 2009-08-25:
> You can use the following method to decompress the incoming request.

Your code is just reimplementing the MessageDecoder framework that's already
in the library.

Signature verification, which was the original question, is a hugely complex
issue, since verification alone is still leaving out the trust question.

Verification alone relies on a Validator object, I think.

-- Scott


Brent Putman

Aug 25, 2009, 2:58:35 PM8/25/09
to mace-open...@internet2.edu


There is a Validator for XML Signatures, but if the question is about
the raw/blob signature of HTTP Redirect DEFLATE, that is only
implemented in a SecurityPolicyRule.

That component is the
org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule,
which is supplied to a MessageContext as a part of a SecurityPolicy:

http://svn.middleware.georgetown.edu/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/saml2/binding/security/SAML2HTTPRedirectDeflateSignatureRule.java?revision=1399&view=markup


The use of the MessageContext and MessageDecoder components is mostly
not currently documented very well, but the unit test for this rule
actually illustrates the basics (be sure to also see the test super class):

http://svn.middleware.georgetown.edu/view/java-opensaml2/branches/REL_2/src/test/java/org/opensaml/saml2/binding/security/SAML2HTTPRedirectDeflateSignatureSecurityPolicyRuleTest.java?revision=1408&view=markup


The rule requires a SignatureTrustEngine, about which some more info can
be found on the signature user's manual page:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG


--Brent
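Wiring the pieces Brent names together, as an added example that is not code from this thread or from the OpenSAML project: it assumes the OpenSAML 2.x Java API, a servlet container, and that the SP's signing certificate (`spCert`) has been loaded from somewhere trusted; `RedirectSignatureCheck` and `decodeAndVerify` are hypothetical names.

```java
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.security.provider.BasicSecurityPolicy;
import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

public class RedirectSignatureCheck {
    // Hypothetical helper: decode an HTTP-Redirect AuthnRequest and verify its SigAlg/Signature
    // query parameters against the SP's known signing certificate.
    public static AuthnRequest decodeAndVerify(HttpServletRequest request, X509Certificate spCert) throws Exception {
        DefaultBootstrap.bootstrap(); // initialise OpenSAML's object providers (once per JVM in real code)
        // Trust basis: one explicitly trusted SP key (a metadata-backed resolver in production).
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(spCert);
        cred.setUsageType(UsageType.SIGNING);
        SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(cred),
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());
        // The redirect signature rule is the component that checks the raw query-string signature.
        BasicSecurityPolicy policy = new BasicSecurityPolicy();
        policy.getPolicyRules().add(new SAML2HTTPRedirectDeflateSignatureRule(trustEngine));
        BasicSAMLMessageContext<AuthnRequest, SAMLObject, NameID> ctx =
                new BasicSAMLMessageContext<AuthnRequest, SAMLObject, NameID>();
        ctx.setInboundMessageTransport(new HttpServletRequestAdapter(request));
        ctx.setSecurityPolicyResolver(new StaticSecurityPolicyResolver(policy));
        ctx.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); // role and protocol feed
        ctx.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);          // the trust criteria
        // decode() inflates SAMLRequest, unmarshals it and evaluates the policy; a bad signature fails here.
        new HTTPRedirectDeflateDecoder().decode(ctx);
        // The rule skips unsigned requests rather than failing them, so enforce signing explicitly.
        if (!ctx.isInboundSAMLMessageAuthenticated()) {
            throw new SecurityException("redirect request was not signed");
        }
        return ctx.getInboundSAMLMessage();
    }
}
```

A `StaticCredentialResolver` ignores the entityID criteria the rule builds, so it answers only "is this key trusted", not "is this key the one registered for this peer"; swap in a metadata-driven resolver to get the latter.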
