
mace-opensaml-users - Re: java-xmltooling ANT build and JUnit failures

Subject: OpenSAML user discussion

  • From: Brent Putman
  • Subject: Re: java-xmltooling ANT build and JUnit failures
  • Date: Thu, 10 Jan 2008 14:07:58 -0500



Clifford Johnson wrote:
> Brett,
>
> Your changes in 489 seem to do the trick. I discovered that the encoded
> private key in ExplicitKeySignatureTrustEngineTest doesn't use a PKCS8
> so the Sun RSA key generator fails. The key *is* a simple PKCS1 encoded
> private key.

Yeah, my mistake, I thought I had converted the output of openssl genrsa to PKCS#8 with openssl pkcs8, but obviously not.
I was also doubly confused because if you do successfully create a PrivateKey from that base64-encoded info in the unit test (either by having the BC provider installed or with the not-yet-commons-ssl lib), if you do a getFormat() on the resulting PrivateKey it says "PKCS#8". And that's because they both apparently allow the PKCS#1 structure (which the not-yet-commons lib calls the "OpenSSL "Traditional SSLeay Compatible Format"" - is there a difference with PKCS#1, I wonder? I'm not familiar with the history...) to be passed in where PKCS8 is expected. The commons lib, through the DER data passed to the constructor of PKCS8Key class, actually reformats the openssl PKCS1(?) DER structure into PKCS8 and just creates a standard Java PKCS8EncodedKeySpec and then just uses whatever default RSA KeyFactory provider is configured. I haven't looked at BC, but I suspect that their KeyFactory impl just handles the conversion in a similar way, since it was working correctly with that data passed straight into a PKCS8EncodedKeySpec.


> Before I saw your note, I was in the process of assembling
> a decoding for the PKCS1 encoding so that the
> java.security.spec.RSAPrivateCrtKeySpec could be used (it doesn't have
> an encoded key constructor).


Yeah, I actually couldn't off-hand find anything in the standard Java security classes (KeySpecs, etc.) that actually allowed direct input of a PKCS#1 structure, which I find interesting.

Just thought I'd note all this for the archives.

--Brent




