mace-opensaml-users - Re: [OpenSAML] Problems creating KeyInfo object
Subject: OpenSAML user discussion
List archive
- From: "Joana M. F. Trindade" <>
- Subject: Re: [OpenSAML] Problems creating KeyInfo object
- Date: Thu, 26 Jun 2008 14:02:17 -0300
Hi Brent,
Thanks a lot. I tested with both approaches and they seem to produce the same result.
Cheers,
Joana
On Thu, Jun 26, 2008 at 2:54 AM, Brent Putman <> wrote:
Sorry these aren't documented well yet on the wiki. I'll put that on my todo list for when I get back from vacation.
Briefly: the KeyInfoHelper approach and the KeyInfoGenerator approach are supposed to be somewhat mutually exclusive. If you want a low-level API, you can use the KeyInfoHelper methods on a KeyInfo instance that you have built.
If you want to use the higher level KeyInfoGenerator approach: you set whatever emit* options you want on the KeyInfoGeneratorFactory and then obtain a generator instance from the factory. The emit options control what information from the Credential are expressed in the generated KeyInfo, and in some cases in what form.
Originally you were doing this:
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
KeyInfoGenerator kiGenerator = kiFactory.newInstance();
KeyInfo keyInfo = kiGenerator.generate(credential);
which is *almost* correct, but doesn't wind up emitting anything because you haven't told it to emit anything (all the emit* options default to false). You just needed to do something like the following to the factory before getting the kiGenerator instance and it should have been what you wanted:
kiFactory.setEmitEntityCertificate(true);
There are slews of emit* options for controlling what you want to put in your KeyInfo (keys by value, by reference/identifier, etc.).
If you use the SecurityHelper like this:
KeyInfoGenerator kiGenerator = SecurityHelper.getKeyInfoGenerator(credential, null, null);
KeyInfo keyInfo = kiGenerator.generate(credential);
it uses a default factory as configured in the global SecurityConfiguration, which gets init'ed via the DefaultSecurityConfigurationBootstrap like so:
// Generator for basic Credentials
BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
basicFactory.setEmitPublicKeyValue(true);
// Generator for X509Credentials
X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
x509Factory.setEmitEntityCertificate(true);
So by default what you have there should emit the entity cert value as a KeyInfo/X509Data/X509Certificate (since you're using an X509Credential).
So you shouldn't need to do this:
KeyInfoHelper.addCertificate(keyInfo, (X509Certificate));
I believe that is in fact adding the cert a second time (you would see two X509Certificate elements in your KeyInfo/X509Data).
--Brent
--
Joana M. F. da Trindade
Email:
Personal Homepage: http://www.inf.ufrgs.br/~jmftrindade
LinkedIn: http://www.linkedin.com/in/joanatrindade
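The three paths Brent describes (factory with emit* options, SecurityHelper with the bootstrapped defaults, and the low-level KeyInfoHelper), put side by side in one runnable class. This is an added example written for this archive page, not code posted by Brent or Joana and not part of OpenSAML itself. It assumes the OpenSAML 2.x package names in use at the time of the thread, takes the path of a DER/PEM certificate file as its first argument (the credential is built from that file; no key material is embedded here), and the helper names countCertificates, viaGenerator, viaHelper and toXml are mine.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

public class KeyInfoDemo {

    // Helper (mine, not OpenSAML's): count ds:X509Certificate elements across
    // every X509Data child, so a duplicated certificate shows up as a count of 2.
    static int countCertificates(KeyInfo keyInfo) {
        int n = 0;
        for (X509Data data : keyInfo.getX509Datas()) {
            n += data.getX509Certificates().size();
        }
        return n;
    }

    // High-level path: set the emit* options on the factory first, then obtain
    // the generator. With all emit* options at their default of false the
    // generated KeyInfo would contain nothing.
    static KeyInfo viaGenerator(BasicX509Credential credential) throws Exception {
        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitEntityCertificate(true);
        factory.setEmitX509SubjectName(true); // optional: also emit the subject DN
        KeyInfoGenerator generator = factory.newInstance();
        return generator.generate(credential);
    }

    // Low-level path: build an empty KeyInfo yourself and populate it with
    // KeyInfoHelper. Use this *instead of* a generator, not in addition to one.
    static KeyInfo viaHelper(BasicX509Credential credential) throws Exception {
        KeyInfo keyInfo = (KeyInfo) Configuration.getBuilderFactory()
                .getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME)
                .buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        KeyInfoHelper.addCertificate(keyInfo, credential.getEntityCertificate());
        return keyInfo;
    }

    // Marshal the KeyInfo to DOM and serialise it, to inspect what was emitted.
    static String toXml(KeyInfo keyInfo) throws Exception {
        Element dom = Configuration.getMarshallerFactory()
                .getMarshaller(keyInfo).marshall(keyInfo);
        return XMLHelper.nodeToString(dom);
    }

    public static void main(String[] args) throws Exception {
        // Loads the default SecurityConfiguration that SecurityHelper relies on.
        DefaultBootstrap.bootstrap();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(cert);
        credential.setPublicKey(cert.getPublicKey());

        KeyInfo generated = viaGenerator(credential);
        KeyInfo helperBuilt = viaHelper(credential);
        System.out.println("generator path certs: " + countCertificates(generated));
        System.out.println("helper path certs:    " + countCertificates(helperBuilt));

        // Mixing both paths, as in the original question: the bootstrapped
        // default X509 factory already emits the entity certificate, and the
        // KeyInfoHelper call then adds the same certificate again.
        KeyInfo mixed = SecurityHelper
                .getKeyInfoGenerator(credential, null, null)
                .generate(credential);
        KeyInfoHelper.addCertificate(mixed, cert);
        System.out.println("mixed path certs:     " + countCertificates(mixed));

        System.out.println(toXml(generated));
    }
}
```

Run it as java KeyInfoDemo /path/to/entity-cert.pem with the OpenSAML 2.x jars on the classpath. The generator and helper paths should each report a single certificate; the mixed path is the duplicated X509Certificate Brent describes, which the count makes visible before the KeyInfo is ever placed in a signature. Printing the marshalled XML is the quickest way to confirm which emit* options a factory actually honours.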
- Problems creating KeyInfo object, Joana M. F. Trindade, 06/25/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Kurt Werner, 06/25/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Joana M. F. Trindade, 06/25/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Brent Putman, 06/26/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Joana M. F. Trindade, 06/26/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Brent Putman, 06/26/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Joana M. F. Trindade, 06/25/2008
- Re: [OpenSAML] Problems creating KeyInfo object, Kurt Werner, 06/25/2008