mace-opensaml-users - Re: [Shib-Users] Re: Adding KeyInfo to signature

  • From: Brent Putman <>
  • To:
  • Subject: Re: [Shib-Users] Re: Adding KeyInfo to signature
  • Date: Thu, 07 May 2009 15:55:32 -0400

I am moving this thread to the OpenSAML list from (Shibboleth users), since you seem to be on both.



anyz wrote:
Finally this snippet of code seems working:

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.KeyInfoBuilder;

// ks (KeyStore), credential (BasicX509Credential) and signature (Signature) are created earlier
XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
KeyInfoBuilder keyInfoBuilder = (KeyInfoBuilder) builderFactory.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
KeyInfo keyInfo = (KeyInfo) keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Certificate certificate = (X509Certificate) ks.getCertificate("xxxxx");
credential.setEntityCertificate(certificate);
// Hard-coded choice: emit both a ds:KeyValue and a ds:X509Certificate for the same key
KeyInfoHelper.addPublicKey(keyInfo, certificate.getPublicKey());
KeyInfoHelper.addCertificate(keyInfo, certificate); // throws CertificateEncodingException
signature.setKeyInfo(keyInfo);


This is the "manual" way to build a KeyInfo and it works, but obviously means that your code is tied to the hard-coded assumptions that you make in the above code about what you want.  Using a KeyInfoGenerator (from the SecurityConfiguration for example) gives you a level of abstraction there.  If that distinction isn't important for your use case, then the above code is fine.


However, I still can't validate through http://www.infomosaic.net/SecureXMLVerifyWS.htm. If anyone has used it, please suggest?

The absence of the KeyInfo has nothing to do with this, see below.


Thanks

On Thu, May 7, 2009 at 3:06 PM, anyz <> wrote:

Is it possible to generate KeyInfo in the above format? Also, when I try to verify an AuthResponse generated by OpenSAML (without KeyInfo in it) through http://www.infomosaic.net/SecureXMLVerifyWS.htm it gives a "Digest validation or calculation failed" error.


No, this means the data pointed to by the ds:Reference is different at validation time vs. signing time.  This is not surprising if you're cutting/pasting the XML into that web app.  Any whitespace changes for example will cause the signature validation to fail.  Don't test your validation that way.  Do it programmatically, for example using the large amount of code in OpenSAML exactly for that purpose.  Examples of that are on the signature page on the OpenSAML wiki that you already alluded to.


I think it is due to missing KeyInfo value.

No, the 2 things are totally unrelated.  The ds:KeyInfo in the Signature is not a part of the data that is signed.  You can actually change the KeyInfo data *after* signing without breaking the signature.  Which is precisely why you can only treat it as a hint as to the key that was used.  You need to verify the trust of that key using other mechanisms.

--Brent
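The program below is an added example, not code from this thread or from the OpenSAML project, that puts the three points of the reply above into one runnable piece of Java against OpenSAML 2.x: the ds:KeyInfo comes from the KeyInfoGenerator registered in the global SecurityConfiguration rather than being assembled by hand; validation is done programmatically (SAMLSignatureProfileValidator, then an ExplicitKeySignatureTrustEngine backed by a credential the relying party already trusts); and the signed XML is then altered in two ways to show that removing ds:KeyInfo leaves the signature valid while a single added newline inside the signed element breaks the digest. The class name KeyInfoHintDemo, the keystore file "signing.jks", the alias "sp-signing", the password "changeit" and the entityID are placeholders chosen for this example.

```java
// Added example (not code from this thread or from OpenSAML). Assumes OpenSAML 2.x on the
// classpath; "signing.jks", alias "sp-signing", password "changeit" and the entityID are placeholders.
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.UUID;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

public class KeyInfoHintDemo {

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();

        // Signing credential from a keystore (placeholder path, alias and password).
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("signing.jks"), "changeit".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("sp-signing");
        PrivateKey key = (PrivateKey) ks.getKey("sp-signing", "changeit".toCharArray());
        BasicX509Credential cred = SecurityHelper.getSimpleCredential(cert, key);
        cred.setEntityId("https://sp.example.org/shibboleth");

        // A minimal Assertion to sign.
        Assertion assertion = (Assertion) bf.getBuilder(Assertion.DEFAULT_ELEMENT_NAME)
                .buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_" + UUID.randomUUID());
        assertion.setIssueInstant(new DateTime());
        Issuer issuer = (Issuer) bf.getBuilder(Issuer.DEFAULT_ELEMENT_NAME)
                .buildObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(cred.getEntityId());
        assertion.setIssuer(issuer);

        // ds:KeyInfo comes from the KeyInfoGenerator registered in the SecurityConfiguration,
        // so what it carries (certificate, key value, key name) is configuration, not code.
        Signature sig = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        KeyInfoGenerator gen = secConfig.getKeyInfoGeneratorManager().getDefaultManager()
                .getFactory(cred).newInstance();
        sig.setKeyInfo(gen.generate(cred));
        assertion.setSignature(sig);
        Element dom = Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(sig); // signing needs the marshalled DOM, so it runs after marshall()
        String signedXml = XMLHelper.nodeToString(dom);

        // Validate the way a relying party should: re-parse, profile-check, then a trust engine
        // that accepts only keys already trusted (a static resolver here; SAML metadata in practice).
        SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(cred), secConfig.getDefaultKeyInfoCredentialResolver());
        CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(cred.getEntityId()));
        System.out.println("as signed:        " + validates(signedXml, engine, criteria));

        // ds:KeyInfo lies outside every ds:Reference: remove it and the signature still verifies;
        // the trust engine simply falls back to the trusted credential. KeyInfo is only a hint.
        String noKeyInfo = signedXml.replaceAll("(?s)<(\\w+:)?KeyInfo\\b[^>]*>.*?</(\\w+:)?KeyInfo>", "");
        System.out.println("KeyInfo removed:  " + validates(noKeyInfo, engine, criteria));

        // Whitespace inside the signed element is digest input: one newline after the Issuer is
        // the "Digest validation or calculation failed" case from a copy/paste into a web verifier.
        String reindented = signedXml.replaceFirst("(</\\w+:Issuer>)", "$1\n  ");
        System.out.println("whitespace added: " + validates(reindented, engine, criteria));
    }

    /** Parse, apply the SAML signature profile checks, then ask the trust engine. */
    static boolean validates(String xml, SignatureTrustEngine engine, CriteriaSet criteria)
            throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Element root = pool.parse(new ByteArrayInputStream(xml.getBytes("UTF-8"))).getDocumentElement();
        Assertion a = (Assertion) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        if (a.getSignature() == null) {
            return false;
        }
        try {
            new SAMLSignatureProfileValidator().validate(a.getSignature());
        } catch (ValidationException e) {
            return false; // e.g. the Reference does not point at the enclosing Assertion's ID
        }
        return engine.validate(a.getSignature(), criteria);
    }
}
```

The StaticCredentialResolver stands in for the "other mechanism" the reply refers to: in a real relying party it would be a MetadataCredentialResolver over the peer's SAML metadata, so that a certificate an attacker drops into ds:KeyInfo is never trusted just because it is there. Run the class with the OpenSAML 2.x jars on the classpath and a keystore at the placeholder path; the three printed lines show the validator's verdict for the untouched document, the document with ds:KeyInfo removed, and the document with the extra whitespace.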




