mace-opensaml-users - Re: KeyInfo Question (java)
Subject: OpenSAML user discussion
- From: Brent Putman <>
- To:
- Subject: Re: KeyInfo Question (java)
- Date: Tue, 08 Jan 2008 16:10:15 -0500
Massimiliano Masi wrote:
> Hello,
> I've the following problem: I'm trying to add the X509Data to the keyInfo
> in the xml signature. I add with this code:
You're right, there was an index out-of-bounds bug in the KeyInfoHelper#addCertificate and #addCRL methods. I've fixed those and added unit tests, so they should work now. So you could now avoid doing all this manually.
Note there are also several KeyInfoHelper build* methods, which take native Java types and create the corresponding XML provider object (e.g. buildX509Certificate(java.security.cert.X509Certificate) which returns an X509Certificate provider properly populated with the cert data) as well as a variety of get* methods which take an XML provider object and return a Java native type.
> //Xuaconfiguration.getspiritidpPublicKey is a java.security.cert.X509Certificate
> certXMLAssertion.setValue(Base64.encode(XUAconfiguration.getSpiritIdPPublicKey().toString().getBytes()));
I think this is your problem, the toString() on the Java X509Certificate class returns some human-readable info about the cert, not some representation of the actual cert structure. I think you meant to use the getEncoded() method, as in our buildX509Certificate():
public static org.opensaml.xml.signature.X509Certificate
        buildX509Certificate(X509Certificate cert) throws CertificateEncodingException {
    org.opensaml.xml.signature.X509Certificate xmlCert =
        (org.opensaml.xml.signature.X509Certificate) Configuration.getBuilderFactory()
            .getBuilder(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME)
            .buildObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
    xmlCert.setValue(Base64.encodeBytes(cert.getEncoded()));
    return xmlCert;
}
> And the certificate is added (When using the
> KeyInfoHelper.addCertificate I got an index out of bound, since the
> X509Data list is set to 0)
Yeah, that should be fixed now, if you want to use it.
> I take it like this:
> KeyInfo keyInfo = assertion.getSignature().getKeyInfo();
> List<X509Data> li = keyInfo.getX509Datas();
> for (int i=0; i< li.size(); i++)
> {
>     l.debug("Found x509data");
>     X509Data x509data = (X509Data)li.get(i);
>     List<X509Certificate> li1 = x509data.getX509Certificates();
>     for (int j=0; j<li1.size(); j++)
>     {
>         l.debug("Found a certificate");
>         X509Certificate x509Cert = (X509Certificate)li1.get(j);
>         l.debug(x509Cert.getValue());
>         try
>         {
>             byte[] certificateDecoded = Base64.decode(x509Cert.getValue());
>             java.security.cert.X509Certificate cert =
>                 CertificateReader.readX509(new ByteArrayInputStream(certificateDecoded));
>             l.debug("Certificate issued by " +cert.getIssuerDN().getName());
>         }
>         catch (CertificateException e)
>         {
>             e.printStackTrace();
>         }
>         catch (IOException e)
>         {
>             e.printStackTrace();
>         }
>     }
> }
> But I got this exception:
> java.security.cert.CertificateParsingException: invalid DER-encoded
> certificate data
I don't know what your CertificateReader class does, but as long as it can take the DER-encoded cert data and produce a Java X509Certificate, that all looks good.
Note however that there is a substantial amount of code in java-xmltooling related to KeyInfo handling, i.e. KeyInfo generation and KeyInfo processing (key extraction, etc). See the KeyInfoGenerator interface and related classes and impls for KeyInfo creation, and the KeyInfoCredentialResolver stuff for processing KeyInfo's. Both of these sets of classes use our key/cert wrapping abstraction, represented by the Credential interface.
If you're not using Credentials from one of our CredentialResolvers, see the SecurityHelper#getSimpleCredential methods for turning Java keys/certs into Credentials.
Default configurations of those KeyInfo-handling components can be obtained from Configuration#getGlobalSecurityConfiguration. See getDefaultKeyInfoCredentialResolver and getKeyInfoGeneratorManager.
HTH,
--Brent
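
The toString() versus getEncoded() difference discussed in this reply, as an added example that is not code from the thread or from OpenSAML. It uses only JDK classes, with java.util.Base64 standing in for the OpenSAML Base64 helper and a CA certificate from the JVM's default trust store as sample input; the class and method names are made up for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class KeyInfoCertEncodingDemo {
    // Sample input (assumption): any CA certificate from the JVM's default trust store.
    static X509Certificate sampleCertificate() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                if (issuers.length > 0) return issuers[0];
            }
        }
        throw new IllegalStateException("default trust store holds no certificates");
    }

    // Receiving side: Base64 text of an X509Certificate element back to a Java certificate.
    // The MIME decoder tolerates the line breaks that wrapped Base64 in XML often carries.
    static X509Certificate decode(String base64Value) throws CertificateException {
        byte[] der = Base64.getMimeDecoder().decode(base64Value);
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = sampleCertificate();
        // What the quoted code did: Base64 of the human-readable dump.
        String fromToString = Base64.getEncoder().encodeToString(cert.toString().getBytes());
        // What buildX509Certificate() does: Base64 of the DER encoding.
        String fromGetEncoded = Base64.getEncoder().encodeToString(cert.getEncoded());
        try {
            decode(fromToString);
            System.out.println("toString(): parsed (unexpected)");
        } catch (CertificateException e) {
            System.out.println("toString(): rejected, " + e.getMessage());
        }
        System.out.println("getEncoded(): round trip equal = " + cert.equals(decode(fromGetEncoded)));
    }
}
```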
- KeyInfo Question (java), Massimiliano Masi, 01/07/2008
- Re: KeyInfo Question (java), Brent Putman, 01/08/2008