mace-opensaml-users - Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist.
Subject: OpenSAML user discussion
- From: Brent Putman <>
- To:
- Subject: Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist.
- Date: Mon, 04 Aug 2008 15:33:45 -0400
wrote:
Hi to all
I'm a university student and I'm developing a project that needs to use some SAML component. In particular I've chosen OpenSAML 1.1b for the Java side;
Like Scott said, that version's not really supported any more, but read on...
##################################################################################
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
PrivateKey priv = pair.getPrivate();
PublicKey pub = pair.getPublic();
ArrayList nuova = new ArrayList();
nuova.add(cert);
asr.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA1, priv, nuova);
##################################################################################
You've got some mismatch of key types here. You're trying to sign with the RSA-SHA1 algorithm URI, but you're generating a DSA key in the KeyGenerator and using that private key as the signing key. If I recall correctly, this mismatch will result in the error you're seeing.
Also, maybe this is just test code or you have redacted something in the middle there, but: it doesn't really make sense to generate a signing key and then include some unrelated cert in the KeyInfo (your nuova array). The X509Data/X509Certificate element(s) generally have to either contain the end-entity cert with the public half of the signing key pair, or other certs that are a part of the signing certificate's chain, which is used for validation (establishing trust). That's not causing this error, just FYI.
--Brent
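
Both points in the reply above can be checked before signing: derive the algorithm URI from the key type, and confirm that the public key going into KeyInfo is the other half of the signing key. The following is an added example using only the JDK, not code from the thread or from OpenSAML; the class and method names are hypothetical, and the dsa-sha1 URI is the XML-DSig counterpart of the rsa-sha1 URI in the subject line.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SigningKeyCheck {
    // XML-DSig algorithm URIs; the SHA-1 variants are kept to match the thread.
    static final String RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    static final String DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";

    // Derive the signature algorithm URI from the key type instead of hard-coding it.
    static String uriFor(PrivateKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return RSA_SHA1;
            case "DSA": return DSA_SHA1;
            default: throw new IllegalArgumentException("unsupported key type " + key.getAlgorithm());
        }
    }

    // True only if pub is the public half of priv: sign a probe, then verify it.
    static boolean isPair(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        if (!priv.getAlgorithm().equals(pub.getAlgorithm())) return false;
        String jcaName = RSA_SHA1.equals(uriFor(priv)) ? "SHA1withRSA" : "SHA1withDSA";
        byte[] probe = "key pair probe".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance(jcaName);
        s.initSign(priv);
        s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(pub);
        s.update(probe);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
        gen.initialize(1024); // same key type and size as the posted code
        KeyPair signing = gen.generateKeyPair();
        KeyPair unrelated = gen.generateKeyPair(); // stands in for the unrelated cert's key

        try { // the mismatch from the thread: RSA-SHA1 requested, DSA key supplied
            Signature.getInstance("SHA1withRSA").initSign(signing.getPrivate());
        } catch (InvalidKeyException e) {
            System.out.println("RSA-SHA1 with a DSA key is rejected: " + e.getMessage());
        }
        System.out.println("URI for this key: " + uriFor(signing.getPrivate()));
        System.out.println("own public key matches: " + isPair(signing.getPrivate(), signing.getPublic()));
        System.out.println("unrelated key matches:  " + isPair(signing.getPrivate(), unrelated.getPublic()));
    }
}
```

With a real certificate, pass `cert.getPublicKey()` as the second argument to `isPair` before adding the certificate to KeyInfo.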