Artifact绑定解析是否应支持在Assertion元素级别进行签名验证？ _程序开发

Artifact绑定解析是否应支持在Assertion元素级别进行签名验证？

创始人

2024-11-10 21:00:32

0次

在SAML 2.0规范中，Artifact Binding通过HTTP重定向或HTTP POST将SAML Assertion传递给服务提供商。 Assertion被封装在一个叫做Artifact的短字符串中，服务提供者会向SAML断言发布者发送请求来获取该Assertion。

为了保护Assertion在这个过程中的安全性和完整性，可以使用数字签名对其进行签名和验证。以下是一些基于Java的代码示例，用于验证在Artifact Binding过程中传输的Assertion是否合法：

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.impl.ResponseUnmarshaller;
import org.opensaml.saml2.core.impl.ResponseValidator;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.credential.CredentialResolverException;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ArtifactBindingValidation {
    private static final String PKIX_TRUST_ENGINE = "PKIX";

    private static final String ARTIFACT_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";

    // The trust engine that will be used to verify the signature
    private static final SignatureTrustEngine trustEngine;

    static {
        try {
            // Read the certificate that was used to sign the assertion
            X509Certificate cert = readCertificate();

            // Create a credential object that contains the certificate, allowing the trust engine
            // to verify the signature.
            CredentialResolver credResolver = getCredentialResolver();
            Credential credential = credResolver.resolveSingle(new CriteriaSet(
                    new EntityIDCriteria(cert.getIssuerDN().getName()),
                    new UsageCriteria(UsageType.SIGNING)
            ));

            // Create a trust engine that will be used to verify the signature using the provided credentials.
            trustEngine = new ExplicitKeySignatureTrustEngine(credResolver, SecurityConfigurationSupport.getInMemorySignatureTrustEngineOptions());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        String artifact = "SAMPLE_ARTIFACT";
        String samlResponse = "SAMPLE_SAML_RESPONSE"; // In Base64-encoded format
        boolean validateSignature = true;

        Response samlResponseObj = unmarshall(Response.class, samlResponse);

        if (ARTIFACT_BINDING_URI.equals(samlResponseObj.getDestination())) {
            // If the message was sent using Artifact Binding, send an HTTP request to retrieve the
            // Assertion from the Assertion Consumer Service (ACS)
            Assertion artifactResponse = retrieveAssertionUsingArtifactBinding(artifact, samlResponseObj.getID());

            if (validateSignature) {
                // Verify the signature on

上一篇：Artifact androidx.work:work-runtime（2.8.0-2.9.0）中的SystemForegroundService未适配到android14。

下一篇：Artifactory - catalina 日志中有许多“org.apache.catalina.connector.ClientAbortException: java.io.IOException: Broken pipe”的错误

Artifact绑定解析是否应支持在Assertion元素级别进行签名验证？

相关内容

热门资讯