
mace-opensaml-users - Re: [opensaml2.0]Validating XML Signature

Subject: OpenSAML user discussion


Re: [opensaml2.0]Validating XML Signature


  • From: Brent Putman <>
  • To:
  • Cc:
  • Subject: Re: [opensaml2.0]Validating XML Signature
  • Date: Wed, 06 Feb 2008 00:35:10 -0500



Dimuthu Leelarathne wrote:
To my extreme delight the signature validates successfully when I use
the pure xmlsec-1.4.1.jar .


By "pure xmlsec-1.4.1.jar", do you mean code with just straight DOM and Apache XML Security lib (i.e. no OpenSAML), or did you mean you were using a modified xmlsec jar with OpenSAML?


So the most logical explanation is that I am doing something wrong when
generating the public key using the modulus and exponent inside my
X509Credential impl.


It's possible, but that explanation sounds a little suspicious. Are you sure nothing else is different in the way you are parsing and unmarshalling the signed assertion in the 2 cases? Such as its context (wrapped in something else) and so forth, re: Chad's earlier comment about the C14N.



I can't figure out what is wrong, because it is a simple key generation
using RSAPublicKeySpec.[1]

Please let me know if there is a better way to create the public key
from modulus and exponent.


Well, we do have a ton of support for both processing and generating ds:KeyInfo. See the org.opensaml.xml.security.keyinfo package. The KeyInfoHelper utility class has many methods for converting KeyInfo child objects to and from Java native types. The org.opensaml.xml.security.SecurityHelper utility class has a couple of methods for creating simple Credentials out of keys/certs, in case you don't want to use a full CredentialResolver impl.

If you want a more dynamic and extensible way to process KeyInfo's that are received, take a look at the KeyInfoCredentialResolver stuff in the above keyinfo package and the keyinfo.provider sub-package. This would allow you to be more flexible and avoid assuming that you always have a KeyInfo/RSAKeyValue, vs DSAKeyValue, X509Data, etc.



[1]
import java.security.KeyFactory;
import java.security.spec.RSAPublicKeySpec;

// modulus and publicExponent are the BigInteger values taken from ds:RSAKeyValue
RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, publicExponent);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
publicKey = keyFactory.generatePublic(spec);


I don't see anything obviously wrong there. This is pretty much what the relevant methods in our KeyInfoHelper class do, and they're pretty well tested, so we know they work. That's why I'm a little suspicious that this is really related to the issue that you're seeing - unless you're doing other things inside the Credential impl that you're passing to the validator. In particular see the KeyInfoHelper methods:

getKey(KeyValue)
getRSAKey(RSAKeyValue)
buildKey(KeySpec, String).



HTH,
Brent
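As an added illustration of the discussion above (not code from the thread, from OpenSAML or from Apache XML Security), the following stand-alone Java program uses only the JDK's javax.xml.crypto.dsig API (assumed to be Java 11 or later) to sign a constructed document with an enveloped signature that carries a ds:RSAKeyValue, read ds:Modulus and ds:Exponent back out of that document, rebuild the public key with RSAPublicKeySpec exactly as in footnote [1], and validate the signature against the rebuilt key rather than the key embedded in the document. The one detail it adds beyond the snippet in [1] is the choice of BigInteger constructor when the modulus starts life as base64 text: ds:CryptoBinary is an unsigned big-endian encoding, so the two-argument BigInteger(1, bytes) form is needed; the one-argument form reads a leading byte of 0x80 or above as a sign bit and produces a negative value, which is one way a hand-rolled Credential can end up holding a key that is not the signer's. Class and method names here are my own.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical class written for this example; not part of OpenSAML or xmlsec.
public class RsaKeyValueCheck {

    // Rebuild an RSA public key from the base64 text of ds:Modulus and ds:Exponent.
    // BigInteger(1, bytes) is deliberate: ds:CryptoBinary is unsigned, and the
    // one-argument constructor would turn a high first byte into a negative number.
    static PublicKey keyFromRsaKeyValue(String modulusB64, String exponentB64) throws Exception {
        Base64.Decoder dec = Base64.getMimeDecoder();   // tolerates line breaks in the text node
        BigInteger modulus = new BigInteger(1, dec.decode(modulusB64));
        BigInteger exponent = new BigInteger(1, dec.decode(exponentB64));
        RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
        return KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    // Sign a small constructed document with an enveloped signature whose
    // ds:KeyInfo carries a ds:KeyValue/ds:RSAKeyValue for the signing key.
    static Document signedSample(KeyPair kp) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // XML Signature processing requires namespace awareness
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElement("Assertion");
        root.setTextContent("constructed sample payload");
        doc.appendChild(root);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), root));
        return doc;
    }

    // Validate the first ds:Signature in the document against an explicitly supplied key,
    // which is the same shape of check a Credential-driven validator performs.
    static boolean validates(Document doc, PublicKey key) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = signedSample(kp);

        // Pull ds:Modulus and ds:Exponent back out of the signed document, as a verifier would.
        String mod = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Modulus").item(0).getTextContent();
        String exp = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Exponent").item(0).getTextContent();

        PublicKey rebuilt = keyFromRsaKeyValue(mod, exp);
        System.out.println("rebuilt key equals signer's key: " + rebuilt.equals(kp.getPublic()));
        System.out.println("signature validates with rebuilt key: " + validates(doc, rebuilt));
    }
}
```

Both lines printed by main should read true. If the rebuilt key does not equal the signer's key, the modulus or exponent decoding is the place to look before suspecting the signature library; if the key matches but validation still fails, the difference is in how the signed element is parsed or canonicalized (the point raised above about context and C14N), not in the key construction.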







