OpenSAML user discussion

[Brent Putman <>]

Massimiliano Masi wrote:
> Hello,
>
> I've the following problem: I'm trying to add the X509Data to the keyInfo
> in the xml signature. I add with this code:

You're right, there was a index out-of-bounds bug in the 
KeyInfoHelper#addCertificate and #addCRL methods.  I've fixed those and 
added unit tests, so they should work now.  So you could now avoid doing 
all this manually.

Note there are also several KeyInfoHelper build* methods, which take 
native Java types and create the corresponding XML provider object (e.g. 
buildX509Certificate(java.security.cert.X509Certificate) which returns 
an X509Certificate provider properly populated with the cert data) as 
well as a variety of get* methods which take an XML provider object and 
return a Java native type.



> //Xuaconfiguration.getspiritidpPublicKey is a
> java.security.cert.X509Certificate
>
> certXMLAssertion.setValue(Base64.encode(XUAconfiguration.getSpiritIdPPublicKey().toString().getBytes())); 

I think this is your problem, the toString() on the Java X509Certificate 
class returns some human-readable info about the cert, not some 
representation of the actual cert structure.  I think you meant to use 
the getEncoded() method, as in our buildX509Certificate():

  public static org.opensaml.xml.signature.X509Certificate
   buildX509Certificate(X509Certificate cert) throws 
CertificateEncodingException {
       org.opensaml.xml.signature.X509Certificate xmlCert =
           (org.opensaml.xml.signature.X509Certificate) 
Configuration.getBuilderFactory()
           
.getBuilder(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME)
           
.buildObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
      
       xmlCert.setValue(Base64.encodeBytes(cert.getEncoded()));
      
       return xmlCert;
   }


> And the certificate is added (When using the
> KeyInfoHelper.addCertificate I got a index out of bound, since the
> X509Data list is set to 0)

Yeah, that should be fixed now, if you want to use it.



> I take it like this:
>
>         KeyInfo keyInfo = assertion.getSignature().getKeyInfo();
>         List<X509Data> li = keyInfo.getX509Datas();
>
>         for (int i=0; i< li.size(); i++)
>         {
>             l.debug("Found x509data");
>
>             X509Data x509data = (X509Data)li.get(i);
>             List<X509Certificate> li1 = x509data.getX509Certificates();
>
>             for (int j=0; j<li1.size(); j++)
>             {
>                 l.debug("Found a certificate");
>                 X509Certificate x509Cert = (X509Certificate)li1.get(j);
>                 l.debug(x509Cert.getValue());
>                 try
>                 {
>                     byte[] certificateDecoded = 
> Base64.decode(x509Cert.getValue());
>                     java.security.cert.X509Certificate cert =
> CertificateReader.readX509(new
> ByteArrayInputStream(certificateDecoded));
>                     l.debug("Certificate issued by " 
> +cert.getIssuerDN().getName());
>
>                 }
>                 catch (CertificateException e)
>                 {
>                     e.printStackTrace();
>                 }
>                 catch (IOException e)
>                 {
>                     e.printStackTrace();
>                 }
>             }
>         }
>
> But I got this exception:
>
> ava.security.cert.CertificateParsingException: invalid DER-encoded
> certificate data


I don't know what your CertificateReader class does, but as long as it 
can take the DER-encoded cert data and produce a Java X509Certificate, 
that all looks good.

Note however that there is a substantial amount of code in 
java-xmltooling related to KeyInfo handling, i.e. KeyInfo generation and 
KeyInfo processing (key extraction, etc).  See the KeyInfoGenerator 
interface and related classes and impls for KeyInfo creation, and the 
KeyInfoCredentialResolver stuff for processing KeyInfo's.  Both of these 
sets of classes use our key/cert wrapping abstraction, represented by 
the Credential interface. 

If you're not using Credentials from one of our CredentialResolvers, see 
the SecurityHelper#getSimpleCredential methods for turning Java 
keys/certs into Credentials.

Default configurations of those KeyInfo-handling components can be 
obtained from Configuration#getGlobalSecurityConfiguration.  See 
getDefaultKeyInfoCredentialResolver and getKeyInfoGeneratorManager.


HTH,
--Brent