Wednesday, July 15, 2015

Adding KeyInfo to a SAML message

When a message is signed with a private key, the receiving end will need to verify the message using the corresponding public key/certificate. But in order to do this, the receiving end must have the certificate.

The certificate is transported in encoded form in a KeyInfo element. Below is a example


        
          MIICizCCAfQCCQCY8tKaMc0BMjANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMCTk8xEjAQBgNVBAgTCVRyb25kaGVpbTEQMA4GA1UEChMHVU5JTkVUVDEOMAwGA1UECxMFRmVpZGUxGTAXBgNVBAMTEG9wZW5pZHAuZmVpZGUubm8xKTAnBgkqhkiG9w0BCQEWGmFuZHJlYXMuc29sYmVyZ0B1bmluZXR0Lm5vMB4XDTA4MDUwODA5MjI0OFoXDTM1MDkyMzA5MjI0OFowgYkxCzAJBgNVBAYTAk5PMRIwEAYDVQQIEwlUcm9uZGhlaW0xEDAOBgNVBAoTB1VOSU5FVFQxDjAMBgNVBAsTBUZlaWRlMRkwFwYDVQQDExBvcGVuaWRwLmZlaWRlLm5vMSkwJwYJKoZIhvcNAQkBFhphbmRyZWFzLnNvbGJlcmdAdW5pbmV0dC5ubzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8jLoqI1VTlxAZ2axiDIThWcAOXdu8KkVUWaN/SooO9O0QQ7KRUjSGKN9JK65AFRDXQkWPAu4HlnO4noYlFSLnYyDxI66LCr71x4lgFJjqLeAvB/GqBqFfIZ3YK/NrhnUqFwZu63nLrZjcUZxNaPjOOSRSDaXpv1kb5k3jOiSGECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQYj4cAafWaYfjBU2zi1ElwStIaJ5nyp/s/8B8SAPK2T79McMyccP3wSW13LHkmM1jwKe3ACFXBvqGQN0IbcH49hu0FKhYFM/GPDJcIHFBsiyMBXChpye9vBaTNEBCtU3KjjyG0hRT2mAQ9h+bkPmOvlEo/aH0xR68Z9hw4PF13w==
        
      


There are many ways to give the receiving end the certificate. Two common methods is metadata and in the message.

When using the metadata method the KeyInfo object is embedded in the metadata inside the KeyDescriptor element. When attaching KeyInfo to the SAML message the element is embedded in the Signature object.

To create and add a KeyInfo object and add it to a SAML message signature, add this call to SecurityHelper before generating the signature.

SecurityHelper.prepareSignatureParams(signature, IDPCredentials.getCredential(),
                    Configuration.getGlobalSecurityConfiguration(), null);
This helper method does not only add a the key info but it also sets the

  • signature algorithm URI
  • canonicalization algorithm URI
  • and HMAC output length (if applicable and a value is configured)

Customising the KeyInfo

The above statement only uses the default configuration of for generating KeyInfo. To customise the KeyInfo you create your own instance of KeyInfoGeneratorFactory, set it up as preferred and use it in the statement. 
The example below shows how to use a X509KeyInfoGeneratorFactory to create a KeyInfo with properties from the X509 certificate used as credential.

X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
x509Factory.setEmitEntityCertificate(true);
x509Factory.setEmitEntityCertificateChain(true);
x509Factory.setEmitX509IssuerSerial(true);
x509Factory.setEmitX509SubjectName(true);

Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager().registerFactory("x509emitingKeyInfoGenerator", x509Factory);

SecurityHelper.prepareSignatureParams(signature, SPCredentials.getCredential(), null,  "x509emitingKeyInfoGenerator");

2 comments: