  • Import public keys

    Hi,

    My web application is integrated with the Spring Security SAML extension. The user is authenticated by an IDP whose public certificate is embedded in its metadata. How can I import the IDP certificate/public key into my web application's keystore? Please advise me.

    patch

  • #2
    I have a similar objective: to construct a samlKeystore.jks file with custom certificates and passwords. So far, I have found a programmatic solution for creating a custom JKS store [1].

    Perhaps you could advise:
    - Whether there are tools to create custom JKS stores "on the fly"
    - The approach that comes with spring-security-saml2-sample embeds the JKS store into the .war file.
    Is there a way to manage certificate expiry without rebuilding/redeploying the .war file?

    Thanks
    Dan

    [1] http://docs.oracle.com/javase/6/docs...-external=true



    • #3
      Hi Dan,

      The certificate store is abstracted in the interface org.springframework.security.saml.key.KeyManager; you could implement your own version which, e.g., doesn't use JKS keystores but instead relies on your custom configuration. This would allow you to have complete control over which certificate is returned at a given point of time.

      For remote IDPs and their certificates you can use ExtendedMetadata and define additional signingKey/encryptionKey which will be used in addition to the keys provided in metadata and which could serve for roll-over. Other option is to periodically re-load the IDP metadata, which will automatically fetch fresh certificates as part of it.

      There's currently no mechanism for roll-over of SP signing/encryption keys; modifying the KeyManager is one option, the other is overriding SAMLContextProvider (see where calls to keyManager.getDefaultCredential() are made).

      If you have a moment please open a feature request in Jira and describe your use-cases. When I have a moment I'll look into possible solutions.

      Cheers, Vladi



      • #4
        Patch,

        Certificates which are part of metadata are automatically available for signature verification and encryption purposes, so you don't need to import them to the keystore for that purpose. But in case you really want to do that - just copy paste the ds:X509Certificate element into a new file (e.g. cert.cer) and import it to your keystore using the keytool command. You can find some details in chapter 4.5 of the SAML extension manual.

        The content of the file would look e.g. like this:

        Code:
        -----BEGIN CERTIFICATE-----
        MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMC
        REUxEjAQBgNVBAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1
        NzIxWhcNMTYwODE3MTk1NzIxWjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NP
        Q2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNVBAMTEWlkcC5zc29jaXJjbGUuY29t
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/aC2gMqRVVaLdPJJE
        wpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78fP1c
        mt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4K
        U6zCsM622Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJ
        KoZIhvcNAQEEBQADggEBAJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YU
        cza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVg
        yyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6ZecUz6N24sSS7itEBC6n
        wCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBncYJn9NgN
        i3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJss
        DgakeL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q=
        -----END CERTIFICATE-----
        Cheers, Vladi

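The procedure from post #4 (copy the ds:X509Certificate element out of the IDP metadata into cert.cer and import it with keytool), together with Dan's certificate-expiry concern from post #2, as an added example in Python. This is not code from the thread or from the Spring SAML extension. It builds a constructed minimal IdP metadata document around the certificate Vladi pasted above, extracts the certificate, prints its SHA-256 fingerprint so it can be checked against the IdP operator out of band before it is trusted, decodes the validity window with a small DER walk (no third-party library), writes cert.cer, and builds the keytool import command. The entityID, the alias idp-signing, the keystore file name and the password placeholder are assumptions.

```python
"""Extract an IdP signing certificate from SAML metadata, report fingerprint and
validity, write cert.cer, build the keytool import command. Added example, stdlib only."""
import base64
import datetime
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed minimal IdP metadata around the certificate pasted in post #4; entityID is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMC
REUxEjAQBgNVBAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1
NzIxWhcNMTYwODE3MTk1NzIxWjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NP
Q2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNVBAMTEWlkcC5zc29jaXJjbGUuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/aC2gMqRVVaLdPJJE
wpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78fP1c
mt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4K
U6zCsM622Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJ
KoZIhvcNAQEEBQADggEBAJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YU
cza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVg
yyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6ZecUz6N24sSS7itEBC6n
wCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBncYJn9NgN
i3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJss
DgakeL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_idp_certs(metadata_xml):
    """Return [(use, der_bytes)] for every X509Certificate inside a KeyDescriptor."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        use = kd.get("use", "signing+encryption")   # no 'use' attribute means both
        for node in kd.iter("{%s}X509Certificate" % DS_NS):
            b64 = "".join(node.text.split())         # drop the XML whitespace
            certs.append((use, base64.b64decode(b64, validate=True)))
    return certs

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _x509_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) as UTC."""
    s = raw.decode("ascii")
    if tag == 0x17:                      # RFC 5280: YY < 50 is 20YY, otherwise 19YY
        yy = int(s[:2])
        s = ("20%02d" if yy < 50 else "19%02d") % yy + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def validity_period(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                      # [0] EXPLICIT version present (v3 certs)
        _, _, pos = _tlv(tbs, pos)       # serialNumber
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)           # issuer Name
    _, validity, _ = _tlv(tbs, pos)      # validity SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _x509_time(t1, nb), _x509_time(t2, na)

def days_until_expiry(der, now=None):
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (validity_period(der)[1] - now).days

def sha256_fingerprint(der):
    """Colon-separated upper-case hex, the form keytool -list -v prints."""
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())

def der_to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def keytool_import_argv(cert_path, alias, keystore, storepass):
    """argv for importing a trusted certificate (alias and keystore names are assumptions)."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", cert_path,
            "-keystore", keystore, "-storepass", storepass]

if __name__ == "__main__":
    for use, der in extract_idp_certs(SAMPLE_METADATA):
        nb, na = validity_period(der)
        print("use=%s notBefore=%s notAfter=%s (%d days left)" % (use, nb, na, days_until_expiry(der)))
        print("SHA-256:", sha256_fingerprint(der))   # confirm with the IdP operator before importing
        with open("cert.cer", "w") as f:
            f.write(der_to_pem(der))
        print(" ".join(keytool_import_argv("cert.cer", "idp-signing", "samlKeystore.jks", "YOUR_KEYSTORE_PASSWORD")))
```

After running the printed keytool command, `keytool -list -v -keystore samlKeystore.jks` (step 2 of post #8) should show the same SHA-256 fingerprint under the alias; a mismatch means the wrong certificate was imported. As Vladi notes above, the extension already uses certificates from metadata for signature verification, so the import is only needed when a certificate must be referenced by alias from the keystore. The expiry check is what answers Dan's roll-over question from the operational side: running it against freshly fetched metadata on a schedule flags an IDP certificate that is about to expire before sign-ins start failing.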


        • #5
          Vladi

          Thank you for fast and detailed reply.
          There is definitely an experience/expertise gap on my side, and it will take some time before I can confidently override SAMLContextProvider.

          Currently I am considering custom samlKeystore.jks with custom certificates and passwords.
          Would it be possible to share the code/tool, you used to create samlKeystore.jks file for spring-security-saml2-sample?

          Thank you
          Dan



          • #6
            Dan,

            The samlKeystore.jks was created with the keytool command which comes with Java JDK.

            Do you have some additional use-cases to cover apart from the certificate roll-overs? If it's the only one, with a bit of luck I'll find some time to implement an alternative KeyManager with support for this.

            Cheers, Vladi



            • #7
              Vladi

              It's a real pleasure to receive your answers - professional and laconic.
              At the given moment "certificate roll-over" is the only use-case we have thought of.

              I am pretty sure that (assuming keytool turns out to be an easy-to-use tool) the current framework will satisfy our immediate needs.
              Let me thank you for your efforts and a great product.

              Sincerely
              Dan



              • #8
                Decided to share simple instructions on keytool usage - perhaps it will save a few hours for somebody:

                1. Creating a keystore with a self-signed certificate. Here we set a validity window of 3 years and generate a 2048-bit RSA private key:

                $> keytool -storetype jks -keystore YOUR_KEYSTORE_FILENAME.jks -storepass YOUR_KEYSTORE_PASSWORD -alias YOUR_ALIAS -genkeypair -keyalg RSA -keysize 2048 -keypass YOUR_PRIVATE_KEY_PASSWORD -validity 1095 -dname "emailAddress=[email protected], CN=YOUR NAME, OU=YOUR DIVISION, L=YOUR CITY, ST=YOUR STATE, O=YOUR COMPANY, C=YOUR_COUNTRY (TWO CHAR)"

                2. Listing keystore content

                $> keytool -list -v -keystore YOUR_KEYSTORE_FILENAME.jks



                • #9
                  Hi Vladi,

                  The certificate of the IDP is a part of the IDP metadata, so I don't import it, as you suggested.

                  My app (integrated with the Spring Security SAML extension) is acting as an SP. How can I make sure that the signature of the authentication response from this IDP is verified? Do I need to set any property of any bean in the application context file?

                  patch


                  • #10
                    Hi again Vladi,

                    Regarding my question above, I did something for testing:
                    - changed from HTTPMetadataProvider to FilesystemMetadataProvider, and then saved the IDP metadata in a file
                    - modified the <ds:X509Certificate> for signing
                    - tested via my web app
                    - got an "XMLSignature - Signature verification failed" error

                    So, my current 'application context' file is already configured for signature verification. But I don't know which parameters/beans affect this signature verification.

                    Can you please tell me which parameters/beans in the 'application context' file handle the signature verification?

                    patch
