
mace-opensaml-users - Re: [OpenSAML] Basic RSA

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Basic RSA
  • Date: Thu, 02 Oct 2008 16:31:42 -0400



Bailo, John wrote:
> I have an application that requires:
>
> RSA key pair generation
> Decryption of a form field using private key
> No SAML involved
>
>
> I'm wondering if I can use the openSAML package to do this easily?
>

Not really. We have some security helper methods and such, but actually
not really anything that's directly applicable to what you need to do.
We have a signing utility for working with raw signatures, but nothing
for working with raw encryption/decryption ops directly.

Like Chad said, just use the Java security providers from the Java
Cryptography Architecture directly. It's not that hard, and you can
google plenty of simple example code.

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html


> It seems like there is a package called com.opensaml.xml that has some
> security methods (for some reason, I'm having a hard time locating its
> api docs).
>

The docs for the 3 libraries in the OpenSAML stack (opensaml2, openws,
xmltooling) are published separately.

http://www.opensaml.org/docs/

That package corresponds to the xmltooling project.


> You also seem to use the Bouncy Castle libraries which I've been told
> are a bootstrap to JCE.
>

Well, yes, we use some functionality of classes that are in the BC
provider jar, mostly some stuff for parsing ASN.1 structures in X.509
certs. But we don't necessarily require you to configure the BC
provider in your security provider set
(jre/lib/security/java.security). So we don't necessarily use it as a
JCA provider per se. Deployers can if they want, just depends on what
algorithms, max key lengths, etc that they want to support, taking
advantage of the pluggable and extensible nature of the Java security
provider architecture.
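
The approach recommended in this message (using the JCA providers directly for RSA key pair generation and private-key decryption of a form field), shown as an added example that is not part of the original thread or of OpenSAML. It assumes Java 8 or later for `java.util.Base64`, a 2048-bit key, OAEP padding with SHA-256, and a Base64-encoded field value; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaFormFieldDemo {
    // OAEP with SHA-256 for both the label hash and MGF1, set explicitly so the
    // encrypting and decrypting sides agree regardless of provider defaults.
    private static final String TRANSFORMATION = "RSA/ECB/OAEPPadding";
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // assumed key size; a default SecureRandom is used
        return kpg.generateKeyPair();
    }

    // Sender side: encrypt with the public key, Base64-encode for the form field.
    // With a 2048-bit key and SHA-256 OAEP the plaintext limit is 190 bytes.
    static String encryptField(PublicKey pub, String value) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, pub, OAEP);
        return Base64.getEncoder().encodeToString(c.doFinal(value.getBytes(StandardCharsets.UTF_8)));
    }

    // Receiver side: decode and decrypt with the private key. Malformed Base64
    // throws IllegalArgumentException; a modified ciphertext fails in doFinal.
    static String decryptField(PrivateKey priv, String b64) throws GeneralSecurityException {
        byte[] ciphertext = Base64.getDecoder().decode(b64);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, priv, OAEP);
        return new String(c.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair kp = generateKeyPair();
        String field = encryptField(kp.getPublic(), "constructed sample value");
        System.out.println("form field: " + field);
        System.out.println("decrypted:  " + decryptField(kp.getPrivate(), field));
    }
}
```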



