The credential object (Credential) holds key material. The key can be symmetric or asymmetric, and a credential may hold one key or several (an asymmetric credential typically carries the public key, the private key, or both). Its main role is to serve as a container for keys. A Credential is not the same concept as what is usually called a digital certificate: an X.509 certificate may be attached to a credential, but the credential itself is just the key holder.
A credential object can be built from keys generated with the KeySupport utility class, which can generate both symmetric keys and asymmetric key pairs. The usual example is to generate an RSA key pair and wrap it in a credential object.
How is an existing key loaded into a credential object? The approach OpenSAML recommends is to use one of the CredentialResolver classes, which read existing keys and hand them back as newly created credential objects.
For example, if the key is stored in a Java KeyStore, use KeyStoreCredentialResolver. Its constructor takes the KeyStore and a Map from key alias to key password.
The credential is then looked up in the resolver with a CriteriaSet; for KeyStoreCredentialResolver the key alias is supplied as the entity ID criterion (EntityIdCriterion).
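The following is an added example, not code from the original article, covering both steps above: it builds a credential from an RSA key pair generated by KeySupport, then resolves an existing key out of a KeyStore with KeyStoreCredentialResolver. It assumes OpenSAML 3.x (package names differ slightly in 4.x); the in-memory PKCS12 store, the alias "data-key", the password "changeit" and the key sizes are constructed values standing in for a real keystore file.

```java
import java.security.KeyPair;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;

import javax.crypto.SecretKey;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.KeyStoreCredentialResolver;
import org.opensaml.security.crypto.KeySupport;

/**
 * Added example (not the article's own code): OpenSAML 3.x credential objects,
 * first from a freshly generated RSA key pair, then by resolving an existing
 * key out of a Java KeyStore. Alias, password and key sizes are assumed values.
 */
public class CredentialExamples {

    /** Generate an RSA key pair with KeySupport and wrap it in a credential. */
    public static Credential rsaCredential() throws Exception {
        // KeySupport takes the JCA algorithm name; a null provider means the default.
        KeyPair keyPair = KeySupport.generateKeyPair("RSA", 2048, null);
        // BasicCredential can hold the public key, the private key, or both.
        return new BasicCredential(keyPair.getPublic(), keyPair.getPrivate());
    }

    /** Resolve an existing key from a KeyStore with KeyStoreCredentialResolver. */
    public static Credential resolveFromKeyStore() throws Exception {
        // Constructed in-memory store standing in for a keystore file on disk.
        // PKCS12 (Java 8+) and JCEKS can hold SecretKeyEntry entries; JKS cannot.
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null);
        SecretKey aesKey = KeySupport.generateKey("AES", 128, null);
        String alias = "data-key";                      // assumed alias
        String keyPassword = "changeit";                // assumed key password
        store.setKeyEntry(alias, aesKey, keyPassword.toCharArray(), null);

        // Constructor arguments: the loaded KeyStore and a Map alias -> key password.
        Map<String, String> passwords = Collections.singletonMap(alias, keyPassword);
        KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(store, passwords);

        // KeyStoreCredentialResolver treats the EntityIdCriterion value as the key alias.
        CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(alias));
        Credential credential = resolver.resolveSingle(criteria);
        if (credential == null) {
            throw new IllegalStateException("no credential found for alias " + alias);
        }
        return credential;
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();   // bootstraps the OpenSAML registries
        Credential rsa = rsaCredential();
        System.out.println("RSA credential has private key: " + (rsa.getPrivateKey() != null));
        Credential fromStore = resolveFromKeyStore();
        System.out.println("Resolved secret key algorithm: " + fromStore.getSecretKey().getAlgorithm());
    }
}
```

A real deployment loads the KeyStore from a file with a store password and keeps per-alias key passwords in the Map; the resolver never needs the private key material exposed outside the store until the credential is used.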
In addition, the following CredentialResolvers are commonly used:
A signature is a cryptographic means of proving data integrity and origin. OpenSAML provides tools for signing SAML messages and verifying signatures. Since an assertion is expressed in XML, its signature follows the XML Signature standard.
Here is a brief introduction to signing XML documents. For details, see the following article:
The general process is:
Verification of an XML Signature:
In OpenSAML, every object that implements the SignableXMLObject interface can be signed. Generating a signature takes four steps:
In some cases OpenSAML performs the signing itself, for example when a SAML message is transmitted with HTTPRedirectDeflateEncoder; see the section on that encoder for details.
Before verifying a signature, first check whether the message is signed at all:
The first step of verification is to check that the signature conforms to the SAML signature profile, that is, that it has the structure the profile requires (a single Reference pointing at the enclosing element, using only the enveloped-signature and exclusive canonicalization transforms):
Only then is the signature verified in the cryptographic sense:
The credential object holding the verification key is supplied to the SignatureValidator. That key must come from a trusted source such as the peer's metadata or local configuration, never from the KeyInfo carried inside the message itself; otherwise an attacker can sign with a key of their own choosing and simply include it.
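The following is an added example, not the article's own code, that carries the four signing steps and the three verification checks above through in one place: it signs an Assertion with a freshly generated RSA key, verifies it with the matching public key, and shows the same check failing against an unrelated key. It assumes OpenSAML 3.x; the issuer value "https://idp.example.org" and the generated keys are constructed sample data.

```java
import java.security.KeyPair;
import java.util.UUID;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.Signer;

/**
 * Added example (not the article's own code): sign a SAML 2 Assertion and
 * verify it with OpenSAML 3.x. Keys and issuer value are constructed samples.
 */
public class AssertionSigning {

    /** The four signing steps: build the Signature, attach it, marshall, sign. */
    public static Assertion signAssertion(Assertion assertion, Credential signingCredential)
            throws Exception {
        // 1. Build the Signature object and set the key and algorithms.
        Signature signature = XMLObjectSupport.buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCredential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        // 2. Attach it to the signable object.
        assertion.setSignature(signature);
        // 3. Marshall the object to DOM; the signature is computed over that DOM.
        XMLObjectSupport.marshall(assertion);
        // 4. Compute the signature value.
        Signer.signObject(signature);
        return assertion;
    }

    /** Verification: is it signed, does it match the SAML profile, is it cryptographically valid. */
    public static boolean verifyAssertion(Assertion assertion, Credential verificationCredential) {
        if (!assertion.isSigned()) {
            return false;
        }
        try {
            // Profile check first: rejects a Reference that points somewhere other than
            // the enclosing element or uses unexpected transforms, before any crypto.
            new SAMLSignatureProfileValidator().validate(assertion.getSignature());
            // Cryptographic check against a key we already trust (metadata/config),
            // never against a key taken from the message's own KeyInfo.
            SignatureValidator.validate(assertion.getSignature(), verificationCredential);
            return true;
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        // Constructed IdP key pair; the SP would hold only the public half.
        KeyPair idpKeys = KeySupport.generateKeyPair("RSA", 2048, null);
        Credential signing = new BasicCredential(idpKeys.getPublic(), idpKeys.getPrivate());
        Credential verifying = new BasicCredential(idpKeys.getPublic());

        Assertion assertion = XMLObjectSupport.buildXMLObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_" + UUID.randomUUID());   // the Reference URI points at this ID
        Issuer issuer = XMLObjectSupport.buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("https://idp.example.org");   // assumed issuer
        assertion.setIssuer(issuer);

        signAssertion(assertion, signing);
        System.out.println("valid with IdP key: " + verifyAssertion(assertion, verifying));

        KeyPair otherKeys = KeySupport.generateKeyPair("RSA", 2048, null);
        Credential unrelated = new BasicCredential(otherKeys.getPublic());
        System.out.println("valid with unrelated key: " + verifyAssertion(assertion, unrelated));
    }
}
```

The order in verifyAssertion matters: the profile validator runs before SignatureValidator so that a signature whose Reference covers some other element is rejected on structure alone, which is the usual defence against signature-wrapping attacks on SAML.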
In OpenSAML, encrypting an assertion uses a symmetric key to encrypt the data and an asymmetric key (the recipient's public key) to encrypt that symmetric key. The ciphertext of the assertion and the ciphertext of the symmetric key are carried in the response (the ArtifactResponse in this series).
Encrypter can encrypt not only an Assertion but also other XMLObjects such as Attribute and NameID.
On the receiving side, the keyInfoCredentialResolver (a KeyInfoCredentialResolver) supplies the asymmetric key, that is, the recipient's private key, used to unwrap the symmetric key; the recovered symmetric key then decrypts the data.
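The following is an added example, not the article's own code, of the hybrid scheme described above: an Encrypter wraps a generated AES key with the recipient's RSA public key, and a Decrypter built around a KeyInfoCredentialResolver holding the private key reverses it, for both an Assertion and a bare NameID. It assumes OpenSAML 3.x; the recipient key pair and the subject value "alice@example.org" are constructed sample data.

```java
import java.security.KeyPair;
import java.util.UUID;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;

/**
 * Added example (not the article's own code): encrypt and decrypt a SAML 2
 * Assertion and NameID with OpenSAML 3.x. Keys and subject are constructed.
 */
public class AssertionEncryption {

    public static Encrypter buildEncrypter(Credential recipientPublicKey) {
        // Data encryption: when no key is set here the Encrypter generates a
        // fresh symmetric key itself. AES-GCM avoids CBC padding-oracle issues.
        DataEncryptionParameters dataParams = new DataEncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCK_ENCRYPTION_AES128_GCM);
        // Key transport: that symmetric key is wrapped with the recipient's public key.
        KeyEncryptionParameters keyParams = new KeyEncryptionParameters();
        keyParams.setEncryptionCredential(recipientPublicKey);
        keyParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        Encrypter encrypter = new Encrypter(dataParams, keyParams);
        // Place the EncryptedKey inside the EncryptedData's KeyInfo.
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter;
    }

    public static Decrypter buildDecrypter(Credential recipientPrivateKey) {
        // The second resolver (KEK resolver) supplies the private key that unwraps
        // the symmetric key; InlineEncryptedKeyResolver locates the inline EncryptedKey.
        Decrypter decrypter = new Decrypter(null,
                new StaticKeyInfoCredentialResolver(recipientPrivateKey),
                new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);   // decrypted element gets its own DOM document
        return decrypter;
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        // Constructed SP key pair; in practice the public key comes from SP metadata.
        KeyPair spKeys = KeySupport.generateKeyPair("RSA", 2048, null);
        Credential spPublic = new BasicCredential(spKeys.getPublic());
        Credential spPrivate = new BasicCredential(spKeys.getPublic(), spKeys.getPrivate());

        Assertion assertion = XMLObjectSupport.buildXMLObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_" + UUID.randomUUID());
        NameID nameId = XMLObjectSupport.buildXMLObject(NameID.DEFAULT_ELEMENT_NAME);
        nameId.setValue("alice@example.org");   // constructed sample subject

        Encrypter encrypter = buildEncrypter(spPublic);
        EncryptedAssertion encAssertion = encrypter.encrypt(assertion);
        EncryptedID encNameId = encrypter.encrypt(nameId);

        Decrypter decrypter = buildDecrypter(spPrivate);
        Assertion recovered = decrypter.decrypt(encAssertion);
        NameID recoveredId = (NameID) decrypter.decrypt(encNameId);
        System.out.println("assertion ID round-trips: " + assertion.getID().equals(recovered.getID()));
        System.out.println("NameID round-trips: " + "alice@example.org".equals(recoveredId.getValue()));

        // An unrelated private key cannot unwrap the symmetric key.
        KeyPair other = KeySupport.generateKeyPair("RSA", 2048, null);
        try {
            buildDecrypter(new BasicCredential(other.getPublic(), other.getPrivate())).decrypt(encAssertion);
            System.out.println("unexpected: decrypted with the wrong key");
        } catch (DecryptionException e) {
            System.out.println("decryption with an unrelated key failed as expected");
        }
    }
}
```

The first constructor argument of Decrypter (the resolver for the data-encryption key itself) is left null because the symmetric key is never known to the recipient in advance; it is always recovered from the EncryptedKey via the KEK resolver.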
For more on implementing the SAML protocol, see my series of tutorial articles on using OpenSAML. Comments and corrections are welcome: