OpenSAML user discussion

[Brent Putman <>]

There's some opensaml2 docs on signing here, maybe you already found those:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG

But they don't really cover your question, because it's not really an 
opensaml question, but rather a general crypto, digital signature and 
PKI one.  I suggest you take a look at some tutorials on that.  But in a 
nutshell: you don't really sign with a *certificate* (which contains a 
public key), but rather with the private key that corresponds to the 
cert's public key.  The recipient then validates with the cert's public key.

So if you have a key pair and cert, you don't generate a new key pair to 
get a private key, that's not ever going to work.  You need to use the 
private key that  corresponds to the public key/cert that you're using.  
If you're using a KeyStore and you have an existing PrivateKeyEntry in 
there with cert and key, see the API docs, which have an example like 
this for getting the private key out of the keystore:

   // get my private key
   KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
       ks.getEntry("privateKeyAlias", password);
   PrivateKey myPrivateKey = pkEntry.getPrivateKey();


--Brent




Ender Wiggin wrote:
> Hi Brent:
>
> Is there an example of signing with certificate that I may be able to 
> reference as I am pretty new to this as well. I have put together the 
> code sample below, but I am not sure if its valid and if it will hold 
> up when the assertion is used as part of a call services in other 
> systems.  In particular I am uncertain about the approach I am using 
> to create the private keys, algorithms, etc.
>
> -------------------Signing Code----------------------
>            SignatureBuilder sigBuilder  = 
> (SignatureBuilder)builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME);
>            Signature signature = sigBuilder.buildObject();
>            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
>             
>            String ksName = res.getString("KEYSTORE");
>            FileInputStream ksfis = new FileInputStream(ksName);
>            BufferedInputStream ksbufin = new BufferedInputStream(ksfis); 
>                
>             String ksPassword = res.getString("KEYSTORE_PSWD");
>             String ksPrivAlias = 
> res.getString("KEYSTORE_PRIVKEY_ALIAS");          
>             ks.load(ksbufin, ksPassword.toCharArray());
>               
>        
>             Certificate cert = ks.getCertificate(ksPrivAlias);        
>             PublicKey pubKey = cert.getPublicKey();
>           
>              KeyPair kp = SecurityTestHelper.generateKeyPair("RSA", 
> 1024, null);
>
> -