mace-opensaml-users - Re: [OpenSAML] Problems creating KeyInfo object

Subject: OpenSAML user discussion

Re: [OpenSAML] Problems creating KeyInfo object

  • From: "Joana M. F. Trindade" <>
  • To:
  • Subject: Re: [OpenSAML] Problems creating KeyInfo object
  • Date: Thu, 26 Jun 2008 14:02:17 -0300

Hi Brent,

Thanks a lot. I tested with both approaches and they seem to produce the same result.

Cheers,
Joana

On Thu, Jun 26, 2008 at 2:54 AM, Brent Putman <> wrote:
Sorry these aren't documented well yet on the wiki.  I'll put that on my todo list for when I get back from vacation.

Briefly: the KeyInfoHelper approach and the KeyInfoGenerator approach are supposed to be somewhat mutually exclusive.  If you want a low-level API, you can use the KeyInfoHelper methods on a KeyInfo instance that you have built.

If you want to use the higher level KeyInfoGenerator approach:  you set whatever emit* options you want on the KeyInfoGeneratorFactory and then obtain a generator instance from the factory.  The emit options control what information from the Credential are expressed in the generated KeyInfo, and in some cases in what form.

Originally you were doing this:


X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
KeyInfoGenerator kiGenerator = kiFactory.newInstance();
KeyInfo keyInfo = kiGenerator.generate(credential);

which is *almost* correct, but doesn't wind up emitting anything because you haven't told it to emit anything (all the emit* options default to false).  You just needed to do something like the following to the factory before getting the kiGenerator instance and it should have been what you wanted:

kiFactory.setEmitEntityCertificate(true);

There are slews of emit* options for controlling what you want to put in your KeyInfo (keys by value, by reference/identifier, etc.).

If you use the SecurityHelper like this:


KeyInfoGenerator kiGenerator = SecurityHelper.getKeyInfoGenerator(credential, null, null);
KeyInfo keyInfo = kiGenerator.generate(credential);

it uses a default factory as configured in the global SecurityConfiguration, which gets init'ed via the DefaultSecurityConfigurationBootstrap like so:

      // Generator for basic Credentials
      BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
      basicFactory.setEmitPublicKeyValue(true);

      // Generator for X509Credentials
      X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
      x509Factory.setEmitEntityCertificate(true);


So by default what you have there should emit the entity cert value as a KeyInfo/X509Data/X509Certificate (since you're using an X509Credential).

So you shouldn't need to do this:
KeyInfoHelper.addCertificate(keyInfo, (X509Certificate));

I believe that is in fact adding the cert a second time (you would see two X509Certificate elements in your KeyInfo/X509Data).

--Brent

--
Joana M. F. da Trindade

Email:
Personal Homepage: http://www.inf.ufrgs.br/~jmftrindade
LinkedIn: http://www.linkedin.com/in/joanatrindade
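The three routes Brent describes (a factory with no emit* options set, a factory told to emit the entity certificate, and the SecurityHelper default) can be compared side by side by counting the ds:X509Certificate elements each one produces. The following is an added example written for this archive page, not code from the thread or from the OpenSAML project; it assumes OpenSAML 2.x (org.opensaml.xml.* packages), that DefaultBootstrap.bootstrap() has registered the XMLObject builders, and that the certificate is read from a file path passed as args[0]. The class name KeyInfoEmitDemo and the helper countCertificates are hypothetical names chosen here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Data;

public class KeyInfoEmitDemo {

    /**
     * Counts ds:X509Certificate elements across every ds:X509Data child of a KeyInfo.
     * A null KeyInfo (the generator emitted nothing) counts as zero, so a caller can
     * use this as a sanity check: one entity certificate is expected, not zero or two.
     */
    static int countCertificates(KeyInfo keyInfo) {
        if (keyInfo == null) {
            return 0;
        }
        int count = 0;
        for (X509Data data : keyInfo.getX509Datas()) {
            count += data.getX509Certificates().size();
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Registers the XMLObject builders and the default SecurityConfiguration;
        // without this, KeyInfo generation has no builders to work with.
        DefaultBootstrap.bootstrap();

        // Assumption: args[0] names a DER or PEM encoded X.509 certificate on disk.
        X509Certificate cert;
        InputStream in = new FileInputStream(args[0]);
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(cert);

        // 1. Every emit* option left at its default (false): nothing is emitted.
        X509KeyInfoGeneratorFactory silentFactory = new X509KeyInfoGeneratorFactory();
        KeyInfo silent = silentFactory.newInstance().generate(credential);
        System.out.println("no emit options set        -> certs: " + countCertificates(silent));

        // 2. Same factory type, but told to emit the entity certificate: exactly one element.
        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitEntityCertificate(true);
        KeyInfoGenerator generator = factory.newInstance();
        KeyInfo explicit = generator.generate(credential);
        System.out.println("setEmitEntityCertificate   -> certs: " + countCertificates(explicit));

        // 3. SecurityHelper with null config and null generator name picks the global default
        //    X509KeyInfoGeneratorFactory, which the bootstrap configured to emit the entity cert.
        KeyInfoGenerator defaultGenerator = SecurityHelper.getKeyInfoGenerator(credential, null, null);
        KeyInfo fromDefault = defaultGenerator.generate(credential);
        System.out.println("SecurityHelper default     -> certs: " + countCertificates(fromDefault));

        // 4. The pitfall from the thread: adding the certificate again by hand duplicates it,
        //    so the count goes from one to two.
        KeyInfoHelper.addCertificate(fromDefault, cert);
        System.out.println("after KeyInfoHelper.addCertificate -> certs: " + countCertificates(fromDefault));
    }
}
```

The countCertificates check is the useful part for anyone reviewing generated signatures: a KeyInfo with zero certificates means the emit* options were never set, and a KeyInfo with two means the generator output was supplemented by a manual KeyInfoHelper call that was not needed.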

