mace-opensaml-users - Notes on KeyInfoGenerator (was: RE: Sha2 signature info requested)
- From: Brent Putman <>
- Subject: Notes on KeyInfoGenerator (was: RE: Sha2 signature info requested)
- Date: Wed, 03 Oct 2007 16:01:42 -0400
Scott already commented on the canonicalization algorithm issue, so it sounds like you got that straightened out. Since you included some code snippets about the KeyInfoGenerator stuff, I wanted to comment on that. We don't have any more specific docs up on this part of the library in the wiki, but we should have soon, now that we are moving closer to release.

The KeyInfoGenerator-related classes are more of a lower-level toolkit thing. You would have to do a little more setup to actually use them. Specifically, the KeyInfoGeneratorManager (if used at all) needs to be populated with KeyInfoGeneratorFactory instances. The latter in turn need to be configured with the desired options for what representations of key material and/or other key identifier and supporting information are to be emitted in the resultant KeyInfo. You would generally have a separate factory configured for each type of credential (keys and related info) to be supported. The manager takes care of managing factories and returning the right factory based on credential type. We currently have 2 types of credentials supported in the library: Credential (just contains a key or key pair and a couple of bits of associated info) and X509Credential (for X.509 certs and cert chains).
So this manager as created here doesn't have any factories in it, and so the getFactory(Credential) is going to return null.

And so you're then going to get an NPE here.
If you want just a set of basic factories that have reasonable defaults, and you're using our DefaultBootstrap library init process, then you can get a working instance of a KeyInfoGeneratorManager from the global security config like this:

Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager().getDefaultManager();

And then the rest of your code as written should work. For the current default config that is used there: if the credential was just a plain Credential containing a public key, then a ds:KeyValue will be emitted, of the appropriate type (e.g. DSAKeyValue or RSAKeyValue). If an X509Credential, then a ds:X509Data with a ds:X509Certificate containing the end-entity cert will be emitted. Only you can know what key material or identifiers you need or want to send to a recipient via a ds:KeyInfo, if anything at all (it's optional), so these defaults may not work for you.

Like with the other library security config options, if you want to change the library-wide defaults, you could override (or replace) DefaultBootstrap and change whatever you want. At some future point, the config will hopefully be configurable declaratively in some config file.

If you want to create factories and/or managers yourself, you can take a look in java-xmltooling in the security package at: DefaultSecurityConfigurationBootstrap#populateKeyInfoGeneratorManager. In particular the X509Credential KeyInfo generator factory has a plethora of options for what can be emitted in the KeyInfo.

For the signature KeyInfo use case, you can also just build and populate a KeyInfo object "manually" if you like, just like any other XMLObject, for example using the support in our KeyInfoHelper utility class. But using a generator is definitely the easier route to go.

Like I said, when I get the time there will eventually be more docs up on the Wiki on all this.

--Brent
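The setup Brent describes, as an added example that is not from his message or from the OpenSAML project itself: one factory per credential type is registered in a hand-built KeyInfoGeneratorManager, and the null return from getFactory() is guarded rather than dereferenced. It assumes the released OpenSAML 2.x / java-xmltooling class and method names (KeyInfoGeneratorManager.registerFactory, X509KeyInfoGeneratorFactory.setEmitEntityCertificate, KeyInfoGenerator.generate) and that DefaultBootstrap.bootstrap() has already run.

```java
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.BasicKeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;

// Example code (assumes the released OpenSAML 2.x API), not the project's own.
public class KeyInfoGeneratorExample {

    /** Build a manager holding one factory per supported credential type. */
    static KeyInfoGeneratorManager buildManager() {
        // Plain Credential: emit only a ds:KeyValue (RSAKeyValue/DSAKeyValue).
        BasicKeyInfoGeneratorFactory basic = new BasicKeyInfoGeneratorFactory();
        basic.setEmitPublicKeyValue(true);

        // X509Credential: emit the end-entity cert and nothing else, so the
        // recipient sees the cert it must validate, not a bare key value it
        // could not tie to a trust anchor.
        X509KeyInfoGeneratorFactory x509 = new X509KeyInfoGeneratorFactory();
        x509.setEmitEntityCertificate(true);
        x509.setEmitPublicKeyValue(false);

        // The manager picks the factory by the credential's type at runtime.
        KeyInfoGeneratorManager manager = new KeyInfoGeneratorManager();
        manager.registerFactory(basic);
        manager.registerFactory(x509);
        return manager;
    }

    /** Produce a ds:KeyInfo for a credential, or null when no factory matches. */
    static KeyInfo generateKeyInfo(KeyInfoGeneratorManager manager, Credential cred)
            throws SecurityException {
        KeyInfoGeneratorFactory factory = manager.getFactory(cred);
        if (factory == null) {
            // An empty manager, or one with no factory for this credential
            // type, returns null here; this is the NPE Brent points out.
            return null;
        }
        KeyInfoGenerator generator = factory.newInstance();
        return generator.generate(cred);
    }
}
```

The returned KeyInfo is then set on the Signature object before marshalling and signing, exactly as the generator obtained from the global default manager would be.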