SP metadata: certificate for signature and encryption

The specification says that:

OASIS Security Assertion Markup Language (SAML) V2.0 Metadata

2.4.1.1 Element <KeyDescriptor>

The <KeyDescriptor> element provides information about the cryptographic key(s) that the object uses to sign data or obtain encrypted keys, as well as additional cryptographic details. Its complex KeyDescriptorType type consists of the following elements and attributes:

use [Optional]

An optional attribute that defines the purpose of the described key. The values are taken from the KeyTypes enumeration and consist of the values encryption and signing.

<ds:KeyInfo> [Required]

An optional element that directly or indirectly identifies a key.

As far as I know, to send protected data in both directions I should have:

  1. My private key
  2. My own public key
  3. The recipient's public key

The certificate for which key should I specify in the SP metadata, and can I use the same certificate for signing and encryption?

The IdP provider has provided a so-called “metadata template” that indicates what and where to indicate.

Here is the relevant part (literally):

    ...
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- TODO It is necessary to insert here the certificate of the signature key of the service provider in X509 DER format and Base64 encoded -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- TODO It is necessary to insert here the certificate of the signature key of the service provider in X509 DER format and Base64 encoded -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    ...

I did it like this:

    ...
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIID...ZiQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIID...ZiQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    ...

This does not work.

So, AFAIK, I have to use the certificate of my own private key for signing, and for encryption I have to use the IdP's public key certificate.

IMHO it should be like this:

    ...
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- certificate of my private key here -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- certificate of the public key of the IdP here -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    ...

Am I right?

+6

1 answer

The metadata of your own service must contain your own public key, as a certificate. And yes, you can use the same one for signing and encryption.

When the IdP wants to encrypt data sent to the SP, it does so using the SP's public key. Therefore, there is no need to include an “IdP public key certificate” as an encryption key.

You mentioned that using the same key for signing and encryption does not work; can you give more detail about what exactly fails and where?
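The two mistakes the thread turns on (pasting something other than the SP's own certificate under use="encryption", or pasting a certificate that is not clean Base64 DER) can be caught before the metadata is sent to the IdP. The following is an added example, not code from the thread or from any SAML library: it renders the template's two <md:KeyDescriptor> entries from DER bytes, then re-parses the metadata and checks that both entries decode to Base64 DER and both carry the SP's own certificate. The entityID, the helper names and the two tiny DER blobs are constructed placeholders (they are ASN.1 SEQUENCEs, not real certificates); with a real deployment you would pass the DER bytes of the SP's certificate, e.g. the output of openssl x509 -outform DER.

```python
"""Added example: build and sanity-check the KeyDescriptor entries in SP metadata (stdlib only)."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins, NOT real certificates: a minimal DER SEQUENCE holding one INTEGER.
SP_CERT_DER = b"\x30\x03\x02\x01\x01"   # plays the role of the SP's own certificate
IDP_CERT_DER = b"\x30\x03\x02\x01\x02"  # plays the role of the IdP's certificate


def sp_metadata(signing_der: bytes, encryption_der: bytes) -> str:
    """Render the thread's metadata template with Base64(DER) filled into both X509Certificate elements."""
    def kd(use: str, der: bytes) -> str:
        b64 = base64.b64encode(der).decode("ascii")
        return (f'<md:KeyDescriptor use="{use}">'
                f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
                f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
                f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    # entityID is a placeholder value
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://sp.example/metadata">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{kd("signing", signing_der)}{kd("encryption", encryption_der)}'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


def key_descriptor_certs(metadata_xml: str) -> dict:
    """Collect the raw X509Certificate text per use.

    A KeyDescriptor without a use attribute applies to both signing and encryption (Metadata spec 2.4.1.1).
    """
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use")
        uses = [use] if use else ["signing", "encryption"]
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            for u in uses:
                result[u].append(cert.text or "")
    return result


def decode_cert(b64_text: str) -> bytes:
    """Decode one element body; reject PEM armour and anything that is not Base64 of a DER SEQUENCE."""
    if "-----BEGIN" in b64_text:
        raise ValueError("PEM header found; the element must hold only the Base64 body")
    compact = re.sub(r"\s+", "", b64_text)  # line breaks inside the body are allowed
    try:
        der = base64.b64decode(compact, validate=True)
    except ValueError as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    if not der or der[0] != 0x30:  # every DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("decoded bytes do not start with an ASN.1 SEQUENCE; not a DER certificate")
    return der


def check_sp_metadata(metadata_xml: str, sp_cert_der: bytes) -> list:
    """Return findings as 'use: problem' strings; an empty list means both descriptors carry the SP's own cert."""
    findings = []
    certs = key_descriptor_certs(metadata_xml)
    for use in ("signing", "encryption"):
        if not certs[use]:
            findings.append(f"{use}: no KeyDescriptor present")
            continue
        for text in certs[use]:
            try:
                der = decode_cert(text)
            except ValueError as exc:
                findings.append(f"{use}: {exc}")
                continue
            if der != sp_cert_der:
                findings.append(f"{use}: certificate is not the SP's own certificate")
    return findings


if __name__ == "__main__":
    # What the answer recommends: the SP's own certificate in both entries.
    print(check_sp_metadata(sp_metadata(SP_CERT_DER, SP_CERT_DER), SP_CERT_DER))
    # What the question proposed: the IdP's certificate under use="encryption".
    print(check_sp_metadata(sp_metadata(SP_CERT_DER, IDP_CERT_DER), SP_CERT_DER))
```

The check deliberately compares raw DER bytes rather than parsing X.509 fields, so it stays dependency-free; if the IdP still rejects metadata that passes this check, the problem is elsewhere (for example the key type or the signing algorithm the IdP expects), which is exactly the detail the answer asks the poster for.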

+6

Source: https://habr.com/ru/post/972219/