Thread: InlineX509DataProvider skips credential extraction if only X509SKI is present

  1. #1
    Join Date: Dec 2012
    Posts: 4

    InlineX509DataProvider skips credential extraction if only X509SKI is present

    Hi everyone,

    we're receiving a SAML response containing a signature with this KeyInfo:

    Code:
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509SKI>
                        ....
                    </ds:X509SKI>
                </ds:X509Data>
            </ds:KeyInfo>
    The signature validation fails. Apparently the InlineX509DataProvider skips processing because it doesn't find any X509Certificate elements. The subject key identifier doesn't seem to be sufficient to denote the key.

    Code:
            List<X509Certificate> certs = extractCertificates(x509Data);
            if (certs.isEmpty()) {
                log.info("The X509Data contained no X509Certificate elements, skipping credential extraction");
                return null;
            }
    Is this behaviour desired? Can we do anything to make the signature validation work?
    TIA for any hints!

    -- Andreas

  2. #2
    Join Date: Dec 2012
    Posts: 4

    Actually I suppose this question should be posted in the OpenSAML forum instead. Sorry for the noise.

  3. #3
    Join Date: Feb 2009
    Location: Helsinki
    Posts: 154

    Hi Andreas,

    As long as you use the MetaIOP security profile (which is the default), signature validation will continue even when no credential can be parsed from the signature. The system will try to verify the signature with keys found in these places:

    - the key with the alias specified under the signingKey property of the ExtendedMetadata for your IDP (if any)
    - all signing keys found in the metadata of your IDP

    So as long as you have the key which was used to create the signature, just import it into your keystore and set the signingKey property, or add it to your IDP metadata.
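The behaviour described in this thread, modelled as an added example (not OpenSAML or Spring Security SAML code): inline credential extraction finds nothing when the X509Data holds only an X509SKI, and the MetaIOP-style fallback then tries the configured signingKey alias and the IDP metadata keys. The KeyInfo, the SKI value, the alias names and the SKI-to-alias map standing in for IDP metadata are all constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: a KeyInfo that carries only an X509SKI, like the one in the post.
SAMPLE_SKI = bytes(range(1, 21))  # 20-byte subject key identifier (constructed)
SAMPLE_KEYINFO = (
    '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
    "<ds:X509SKI>" + base64.b64encode(SAMPLE_SKI).decode() + "</ds:X509SKI>"
    "</ds:X509Data></ds:KeyInfo>"
)

# Constructed stand-ins for the two key sources named in the reply: the IDP metadata
# signing keys (SKI -> keystore alias) and the ExtendedMetadata signingKey alias.
IDP_METADATA_SKIS = {SAMPLE_SKI: "idp-signing-2012", bytes(20): "idp-signing-old"}
EXTENDED_METADATA_SIGNING_KEY = "idp-signing-2012"


def inline_x509_certificates(keyinfo_xml):
    """Model of InlineX509DataProvider: only X509Certificate children count.
    An X509Data holding just an X509SKI yields nothing, which is the skip in the post."""
    root = ET.fromstring(keyinfo_xml)
    return [c.text.strip() for c in root.iter(DS + "X509Certificate") if c.text]


def x509_skis(keyinfo_xml):
    """Decode every X509SKI in the KeyInfo (base64 of the SubjectKeyIdentifier octets)."""
    root = ET.fromstring(keyinfo_xml)
    return [base64.b64decode(s.text.strip()) for s in root.iter(DS + "X509SKI") if s.text]


def resolve_by_ski(keyinfo_xml, metadata_skis):
    """Map the inline SKI to a trusted IDP key. None means the response names a key
    that is not in our metadata, which is worth logging before the signature check fails."""
    for ski in x509_skis(keyinfo_xml):
        if ski in metadata_skis:
            return metadata_skis[ski]
    return None


def candidate_signing_keys(keyinfo_xml, signing_key_alias, metadata_skis):
    """Key trial order the reply describes for the MetaIOP profile: inline certificates
    if present, otherwise the configured signingKey alias followed by all metadata keys."""
    inline = inline_x509_certificates(keyinfo_xml)
    if inline:
        return inline
    ordered = [signing_key_alias] if signing_key_alias else []
    ordered += [alias for alias in metadata_skis.values() if alias not in ordered]
    return ordered
```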
