mace-opensaml-users - Re: [opensaml2.0]Validating XML Signature
Subject: OpenSAML user discussion
List archive
- From: Dimuthu Leelarathne <>
- To:
- Subject: Re: [opensaml2.0]Validating XML Signature
- Date: Wed, 06 Feb 2008 12:15:31 +0530
- Organization: WSO2
Hi,
Please see my comments below.
On Wed, 2008-02-06 at 00:35 -0500, Brent Putman wrote:
>
> Dimuthu Leelarathne wrote:
> > To my extreme delight the signature validates successfully when I use
> > the pure xmlsec-1.4.1.jar .
> >
>
>
> By "pure xmlsec-1.4.1.jar", do you mean code with just straight DOM and
> Apache XML Security lib (i.e. no OpenSAML), or did you mean you were
> using a modified xmlsec jar with OpenSAML?
I am using the same xmlsec-1.4.1.jar everywhere. What I meant by pure
xmalsec.jar is that I straight away call the signature validation method
in XMLSignature class without going through opensaml.
>
> > So the most logical explanation is that I am doing something wrong when
> > generating the public key using the modulus and exponent inside my
> > X509Credential impl.
> >
>
>
> It's possible, but that explanation sounds a little suspicious. Are you
> sure nothing else is different in the way you are parsing and
> unmarshalling the signed assertion in the 2 cases? Such as its context
> (wrapped in something else) and so forth, re: Chad's earlier comment
> about the C14N.
It was a issue in creating the modulus and exponent as a BigInteger. The
problem is either inside the org.opensaml.xml.util.Base64 or the way
create the BigInteger.
However I have uploaded both situations.
http://ww2.wso2.org/~dimuthul/SAML2TestSuccess.java - this works
http://ww2.wso2.org/~dimuthul/SAML2Test.java - this doesn't
My X509Credential impl is the same in both situations.
Thank you,
Dimuthu
>
>
> > I can't figure out what is wrong, because it is a simple key generation
> > using RSAPublicKeySpec.[1]
> >
> > Please let me know if there is a better way to create the public key
> > from modulus and exponent.
> >
>
>
> Well, we do have a ton of support for both processing and generating
> ds:KeyInfo. See the org.opensaml.xml.security.keyinfo package. The
> KeyInfoHelper utility class has many methods for converting KeyInfo
> child objects to and from Java native types. The
> org.opensaml.xml.security.SecurityHelper utility class has a couple of
> methods for creating simple Credentials out of keys/certs, in case you
> don't want to use a full CredentialResolver impl.
>
> If you want a more dynamic and extensible way to process KeyInfo's that
> are received, take a look at the KeyInfoCredentialResolver stuff in the
> above keyinfo package and the keyinfo.provider sub-package. This would
> allow you to be more flexible and avoid assuming that you always have a
> KeyInfo/RSAKeyValue, vs DSAKeyValue, X509Data, etc.
>
>
> >
> > [1]
> > RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus,
> > publicExponent);
> > KeyFactory keyFactory = KeyFactory.getInstance("RSA");
> > publicKey = keyFactory.generatePublic(spec);
> >
>
>
> I don't see anything obviously wrong there. This is pretty much what
> the relevant methods in our KeyInfoHelper class do, and they're pretty
> well tested, so we know they work. That's why I'm a little suspicious
> that this is really related to the issue that you're seeing - unless
> you're doing other things inside the Credential impl that you're passing
> to the validator. In particular see the KeyInfoHelper methods:
>
> getKey(KeyValue)
> getRSAKey(RSAKeyValue)
> buildKey(KeySpec, String).
>
>
>
> HTH,
> Brent
>
>
>
>
>
- [opensaml2.0]Validating XML Signature, Dimuthu Leelarathne, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Chad La Joie, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Tom Scavo, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Chad La Joie, 02/05/2008
- RE: [opensaml2.0]Validating XML Signature, Scott Cantor, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Chad La Joie, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Dimuthu Leelarathne, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Brent Putman, 02/06/2008
- Re: [opensaml2.0]Validating XML Signature, Dimuthu Leelarathne, 02/06/2008
- Re: [opensaml2.0]Validating XML Signature, Brent Putman, 02/06/2008
- Re: [opensaml2.0]Validating XML Signature, Brent Putman, 02/06/2008
- Re: [opensaml2.0]Validating XML Signature, Dimuthu Leelarathne, 02/06/2008
- Re: [opensaml2.0]Validating XML Signature, Dimuthu Leelarathne, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Chad La Joie, 02/05/2008
- RE: [opensaml2.0]Validating XML Signature, Scott Cantor, 02/05/2008
- Re: [opensaml2.0]Validating XML Signature, Chad La Joie, 02/05/2008
- RE: [opensaml2.0]Validating XML Signature, Scott Cantor, 02/05/2008
Archive powered by MHonArc 2.6.16.