OpenSAML user discussion

[Brent Putman <>]

Dimuthu Leelarathne wrote:
> To my extreme delight the signature validates successfully when I use
> the pure xmlsec-1.4.1.jar .
>   


By "pure xmlsec-1.4.1.jar", do you mean code with just straight DOM and 
Apache XML Security lib (i.e. no OpenSAML), or did you mean you were 
using a modified xmlsec jar with OpenSAML?


> So the most logical explanation is that I am doing something wrong when
> generating the public key using the modulus and exponent inside my
> X509Credential impl. 
>   


It's possible, but that explanation sounds a little suspicious.  Are you 
sure nothing else is different in the way you are parsing and 
unmarshalling the signed assertion in the 2 cases?  Such as its context 
(wrapped in something else) and so forth, re: Chad's earlier comment 
about the C14N.



> I can't figure out what is wrong, because it is a simple key generation
> using RSAPublicKeySpec.[1]
>
> Please let me know if there is a better way to create the public key
> from modulus and exponent.
>   


Well, we do have a ton of support for both processing and generating 
ds:KeyInfo.  See the org.opensaml.xml.security.keyinfo package.  The 
KeyInfoHelper utility class has many methods for converting KeyInfo 
child objects to and from Java native types.  The 
org.opensaml.xml.security.SecurityHelper utility class has a couple of 
methods for creating simple Credentials out of keys/certs, in case you 
don't want to use a full CredentialResolver impl.

If you want a more dynamic and extensible way to process KeyInfo's that 
are received, take a look at the KeyInfoCredentialResolver stuff in the 
above keyinfo package and the keyinfo.provider sub-package.  This would 
allow you to be more flexible and avoid assuming that you always have a 
KeyInfo/RSAKeyValue, vs DSAKeyValue, X509Data, etc.


> [1]
> RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus,
>                     publicExponent);
> KeyFactory keyFactory = KeyFactory.getInstance("RSA");
> publicKey = keyFactory.generatePublic(spec);
>   


I don't see anything obviously wrong there.  This is pretty much what 
the relevant methods in our KeyInfoHelper class do, and they're pretty 
well tested, so we know they work.  That's why I'm a little suspicious 
that this is really related to the issue that you're seeing - unless 
you're doing other things inside the Credential impl that you're passing 
to the validator. In particular see the KeyInfoHelper methods:

getKey(KeyValue)
getRSAKey(RSAKeyValue)
buildKey(KeySpec, String).



HTH,
Brent