mace-opensaml-users - Re: [opensaml2.0]Validating XML Signature
  • From: Dimuthu Leelarathne <>
  • Subject: Re: [opensaml2.0]Validating XML Signature
  • Date: Wed, 06 Feb 2008 12:15:31 +0530
  • Organization: WSO2

Hi,

Please see my comments below.

On Wed, 2008-02-06 at 00:35 -0500, Brent Putman wrote:
>
> Dimuthu Leelarathne wrote:
> > To my extreme delight the signature validates successfully when I use
> > the pure xmlsec-1.4.1.jar .
> >
>
>
> By "pure xmlsec-1.4.1.jar", do you mean code with just straight DOM and
> Apache XML Security lib (i.e. no OpenSAML), or did you mean you were
> using a modified xmlsec jar with OpenSAML?

I am using the same xmlsec-1.4.1.jar everywhere. What I meant by pure
xmlsec.jar is that I straight away call the signature validation method
in the XMLSignature class without going through OpenSAML.


>
> > So the most logical explanation is that I am doing something wrong when
> > generating the public key using the modulus and exponent inside my
> > X509Credential impl.
> >
>
>
> It's possible, but that explanation sounds a little suspicious. Are you
> sure nothing else is different in the way you are parsing and
> unmarshalling the signed assertion in the 2 cases? Such as its context
> (wrapped in something else) and so forth, re: Chad's earlier comment
> about the C14N.

It was an issue in creating the modulus and exponent as a BigInteger. The
problem is either inside org.opensaml.xml.util.Base64 or the way I
create the BigInteger.

However I have uploaded both situations.

http://ww2.wso2.org/~dimuthul/SAML2TestSuccess.java - this works
http://ww2.wso2.org/~dimuthul/SAML2Test.java - this doesn't


My X509Credential impl is the same in both situations.

Thank you,
Dimuthu

>
>
> > I can't figure out what is wrong, because it is a simple key generation
> > using RSAPublicKeySpec.[1]
> >
> > Please let me know if there is a better way to create the public key
> > from modulus and exponent.
> >
>
>
> Well, we do have a ton of support for both processing and generating
> ds:KeyInfo. See the org.opensaml.xml.security.keyinfo package. The
> KeyInfoHelper utility class has many methods for converting KeyInfo
> child objects to and from Java native types. The
> org.opensaml.xml.security.SecurityHelper utility class has a couple of
> methods for creating simple Credentials out of keys/certs, in case you
> don't want to use a full CredentialResolver impl.
>
> If you want a more dynamic and extensible way to process KeyInfo's that
> are received, take a look at the KeyInfoCredentialResolver stuff in the
> above keyinfo package and the keyinfo.provider sub-package. This would
> allow you to be more flexible and avoid assuming that you always have a
> KeyInfo/RSAKeyValue, vs DSAKeyValue, X509Data, etc.
>
>
> >
> > [1]
> > RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus,
> > publicExponent);
> > KeyFactory keyFactory = KeyFactory.getInstance("RSA");
> > publicKey = keyFactory.generatePublic(spec);
> >
>
>
> I don't see anything obviously wrong there. This is pretty much what
> the relevant methods in our KeyInfoHelper class do, and they're pretty
> well tested, so we know they work. That's why I'm a little suspicious
> that this is really related to the issue that you're seeing - unless
> you're doing other things inside the Credential impl that you're passing
> to the validator. In particular see the KeyInfoHelper methods:
>
> getKey(KeyValue)
> getRSAKey(RSAKeyValue)
> buildKey(KeySpec, String).
>
>
>
> HTH,
> Brent
>
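
The thread narrows the failure to turning the base64 text of ds:Modulus and ds:Exponent into BigIntegers, without saying which step went wrong. The example below is added here and is not code from the thread, from WSO2 or from OpenSAML; it shows the two ways that conversion commonly breaks and the check that proves a rebuilt key is the right one. XML Signature defines CryptoBinary as the base64 of an unsigned big-endian integer, and the value in a real KeyInfo is usually wrapped across several lines. So a decoder has to (1) tolerate line breaks and (2) construct the BigInteger with an explicit positive signum, because `new BigInteger(byte[])` reads the octets as two's complement and a modulus whose top bit is set comes back negative. Whether that was the actual defect in SAML2Test.java is not established by the thread. The RSA key pair is generated in the program (constructed test input), and the `<saml:Assertion/>` byte string is a stand-in for real signed content, not a valid assertion.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

/**
 * Added example (not from the thread or OpenSAML): rebuilding an RSA public key
 * from ds:Modulus / ds:Exponent CryptoBinary text, with the common pitfall shown
 * next to the correct conversion.
 */
public class CryptoBinaryKeyDemo {

    /** Encode a BigInteger the way ds:Modulus and ds:Exponent carry it:
     *  unsigned big-endian octets (no leading sign byte), base64, line-wrapped. */
    static String toCryptoBinary(BigInteger value) {
        byte[] b = value.toByteArray();          // two's complement; may carry a 0x00 sign byte
        if (b.length > 1 && b[0] == 0) {         // drop it so the octet string is the unsigned magnitude
            byte[] t = new byte[b.length - 1];
            System.arraycopy(b, 1, t, 0, t.length);
            b = t;
        }
        byte[] lf = "\n".getBytes(StandardCharsets.US_ASCII);
        return Base64.getMimeEncoder(64, lf).encodeToString(b);
    }

    /** Correct decode: the MIME decoder ignores the line breaks found in real KeyInfo,
     *  and signum 1 forces an unsigned reading even when the top bit of the first octet is set. */
    static BigInteger fromCryptoBinary(String b64) {
        byte[] octets = Base64.getMimeDecoder().decode(b64);
        return new BigInteger(1, octets);
    }

    /** The pitfall: new BigInteger(byte[]) treats the octets as a signed two's complement value. */
    static BigInteger fromCryptoBinaryWrong(String b64) {
        return new BigInteger(Base64.getMimeDecoder().decode(b64));
    }

    /** Same construction as the snippet in the thread; it is fine once the BigIntegers are right. */
    static PublicKey buildRsaKey(BigInteger modulus, BigInteger exponent) throws Exception {
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a fresh key pair standing in for the issuer's signing key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey original = (RSAPublicKey) kp.getPublic();

        String modulusB64 = toCryptoBinary(original.getModulus());
        String exponentB64 = toCryptoBinary(original.getPublicExponent());

        // Wrong path: a 2048-bit modulus always has its top bit set, so the signed
        // reading yields a negative number and the resulting key cannot be the issuer's.
        BigInteger wrongModulus = fromCryptoBinaryWrong(modulusB64);
        System.out.println("signed decode produced a negative modulus: " + (wrongModulus.signum() < 0));

        // Strict decoder rejects the line-wrapped text that KeyInfo values typically contain.
        try {
            Base64.getDecoder().decode(modulusB64);
            System.out.println("strict decoder accepted wrapped input");
        } catch (IllegalArgumentException e) {
            System.out.println("strict decoder rejected wrapped input: " + e.getMessage());
        }

        // Right path: the rebuilt key is byte-for-byte the original one.
        PublicKey rebuilt = buildRsaKey(fromCryptoBinary(modulusB64), fromCryptoBinary(exponentB64));
        System.out.println("rebuilt key equals original: " + rebuilt.equals(original));

        // And a signature from the matching private key verifies against it.
        byte[] data = "<saml:Assertion/>".getBytes(StandardCharsets.UTF_8); // placeholder content
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(rebuilt);
        verifier.update(data);
        System.out.println("signature verifies with rebuilt key: " + verifier.verify(sig));
    }
}
```

Compile and run with a plain JDK (`javac CryptoBinaryKeyDemo.java && java CryptoBinaryKeyDemo`); it uses only java.security and java.util.Base64. One caveat worth keeping in mind alongside Brent's pointer to the keyinfo package: a key pulled out of the message's own ds:KeyValue proves only that the message is internally consistent. Validating the signature establishes nothing about the issuer unless that key is first matched against one you already trust (from metadata or a configured credential), which is what a CredentialResolver is for.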



