
mace-opensaml-users - Notes on KeyInfoGenerator (was: RE: Sha2 signature info requested)



Chronological Thread 
  • From: Brent Putman <>
  • To:
  • Subject: Notes on KeyInfoGenerator (was: RE: Sha2 signature info requested)
  • Date: Wed, 03 Oct 2007 16:01:42 -0400

Scott already commented on the canonicalization algorithm issue, so sounds like you got that straightened out.  Since you included some code snippets about the KeyInfoGenerator stuff, I wanted to comment on that.  We don't have any more specific docs up on this part of the library in the wiki, but we should have soon, now that we are moving closer to release.

The KeyInfoGenerator-related classes are more of a lower-level toolkit thing.  You would have to do a little more setup to actually use them.  Specifically, the KeyInfoGeneratorManager (if used at all) needs to be populated with KeyInfoGeneratorFactory instances.  The latter in turn need to be configured with the desired options for what representations of key material and/or other key identifier and supporting information are desired to be emitted in the resultant KeyInfo.  You would generally have a separate factory configured for each type of credential (keys and related info) to be supported.  The manager takes care of managing factories and returning the right factory based on credential type.  We currently have 2 types of credentials supported in the library:  Credential (just contains a key or key pair and a couple of bits of associated info) and X509Credential (for X.509 certs and cert chains).


// Step 5: If desired, add a KeyInfo containing information about the
// signature verification key using Signature#setKeyInfo(KeyInfo).
// The KeyInfo may be created manually, or may be generated
// dynamically from the signing credential using a KeyInfoGenerator,
// usually obtained from a KeyInfoGeneratorFactory via a
// KeyInfoGeneratorManager.
KeyInfoGeneratorManager kmgr = new KeyInfoGeneratorManager();
KeyInfoGeneratorFactory kfactory = kmgr.getFactory(cr);


So this manager as created here doesn't have any factories in it, and so the getFactory(Credential) is going to return null.


KeyInfoGenerator kgenerator = kfactory.newInstance();


And so you're then going to get an NPE here.


KeyInfo kinfo = kgenerator.generate(cr);
sig.setKeyInfo(kinfo);


If you want just a set of basic factories that have reasonable defaults, and you're using our DefaultBootstrap library init process, then you can get a working instance of a KeyInfoGeneratorManager from the global security config like this:

Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager().getDefaultManager();

And then the rest of your code as written should work.

For the current default config that is used there: if the credential was just a plain Credential containing a public key, then a ds:KeyValue will be emitted, of the appropriate type (e.g. DSAKeyValue or RSAKeyValue).  If an X509Credential, then a ds:X509Data with a ds:X509Certificate containing the end-entity cert will be emitted.

Only you can know what key material or identifiers you need or want to send to a recipient via a ds:KeyInfo, if anything at all (it's optional), so these defaults may not work for you.

Like with the other library security config options, if you want to change the library-wide defaults, you could override (or replace) DefaultBootstrap and change whatever you want.  At some future point, the config will hopefully be configurable declaratively in some config file.

If you want to create factories and/or managers yourself, you can take a look in java-xmltooling in the security package at:
DefaultSecurityConfigurationBootstrap#populateKeyInfoGeneratorManager

In particular the X509Credential KeyInfo generator factory has a plethora of options for what can be emitted in the KeyInfo.

For the signature KeyInfo use case, you can also just build and populate a KeyInfo object "manually" if you like, just like any other XMLObject, for example using the support in our KeyInfoHelper utility class.  But using a generator is definitely the easier route to go.

Like I said, when I get the time there will eventually be more docs up on the Wiki on all this.

--Brent
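The setup Brent describes (a manager populated with one factory per credential type, the null factory that produces the NPE in the quoted snippet, and the library default manager obtained from the global security config), worked through as an added example. This is not code from Brent's message or from the OpenSAML project itself. It assumes the OpenSAML 2.x / java-xmltooling API as of this thread (BasicKeyInfoGeneratorFactory, X509KeyInfoGeneratorFactory and their setEmit* setters, KeyInfoGeneratorManager.registerFactory, BasicCredential/BasicX509Credential with no-arg constructors), an RSA key pair generated locally with plain JCA for the Credential case, and, for the X509Credential case, a JKS keystore path, password and alias passed in as command-line arguments; all of those are assumptions of this example, not facts stated on the page.

```java
import java.io.FileInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.BasicKeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.util.XMLHelper;

public class KeyInfoGeneratorExample {

    // Builds a manager holding one factory per supported credential type.
    // The emitted KeyInfo content is decided here, per factory.
    static KeyInfoGeneratorManager buildManager() {
        // Plain Credential: emit the public key as ds:KeyValue (RSAKeyValue or DSAKeyValue).
        BasicKeyInfoGeneratorFactory basic = new BasicKeyInfoGeneratorFactory();
        basic.setEmitPublicKeyValue(true);

        // X509Credential: emit the end-entity cert and its SubjectName,
        // but neither the full chain nor the bare key value (setter names assumed from OpenSAML 2.x).
        X509KeyInfoGeneratorFactory x509 = new X509KeyInfoGeneratorFactory();
        x509.setEmitEntityCertificate(true);
        x509.setEmitEntityCertificateChain(false);
        x509.setEmitX509SubjectName(true);
        x509.setEmitPublicKeyValue(false);

        KeyInfoGeneratorManager mgr = new KeyInfoGeneratorManager();
        mgr.registerFactory(basic);
        mgr.registerFactory(x509);
        return mgr;
    }

    // Resolves a factory for the credential's type and generates the KeyInfo.
    // Returns null instead of dereferencing a missing factory (the NPE in the quoted snippet).
    static KeyInfo generateKeyInfo(KeyInfoGeneratorManager mgr, Credential cred) throws SecurityException {
        KeyInfoGeneratorFactory factory = mgr.getFactory(cred);
        if (factory == null) {
            return null; // no factory registered for this credential type
        }
        KeyInfoGenerator generator = factory.newInstance();
        return generator.generate(cred);
    }

    // Marshals a KeyInfo to a string so the emitted children can be inspected.
    static String toXml(KeyInfo keyInfo) throws MarshallingException {
        return XMLHelper.nodeToString(
                Configuration.getMarshallerFactory().getMarshaller(keyInfo).marshall(keyInfo));
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders/marshallers and the global security config

        KeyInfoGeneratorManager mgr = buildManager();

        // Case 1: plain Credential wrapping a locally generated RSA public key (constructed input).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        BasicCredential plain = new BasicCredential();
        plain.setPublicKey(kp.getPublic());
        System.out.println(toXml(generateKeyInfo(mgr, plain))); // expect ds:KeyValue/ds:RSAKeyValue

        // Case 2: X509Credential loaded from a JKS keystore; path, password and alias are assumed args.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(args[0]), args[1].toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        BasicX509Credential x509Cred = new BasicX509Credential();
        x509Cred.setEntityCertificate(cert);
        x509Cred.setPublicKey(cert.getPublicKey());
        System.out.println(toXml(generateKeyInfo(mgr, x509Cred))); // expect ds:X509Data with X509Certificate + X509SubjectName

        // Case 3: the library's default manager, as obtained from the global security config.
        KeyInfoGeneratorManager defaults =
                Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager().getDefaultManager();
        System.out.println(toXml(generateKeyInfo(defaults, x509Cred))); // default: end-entity cert only

        // Case 4: an unpopulated manager has no factory for any credential type.
        KeyInfo none = generateKeyInfo(new KeyInfoGeneratorManager(), plain);
        System.out.println("empty manager -> " + none); // null rather than an NPE
    }
}
```

Whichever KeyInfo you settle on is attached with sig.setKeyInfo(kinfo) before the containing object is marshalled and signed, exactly as in the quoted step 5. The null check in generateKeyInfo is the practical difference from the quoted snippet: a credential type with no registered factory becomes an explicit "emit no KeyInfo" decision rather than a crash.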
