
Subject: OpenSAML user discussion


Re: [OpenSAML] Not able to load certificate into the Signed Attribute Query


  • From: Chad La Joie <>
  • To:
  • Subject: Re: [OpenSAML] Not able to load certificate into the Signed Attribute Query
  • Date: Thu, 14 Jan 2010 20:20:22 +0100
  • Organization: SWITCH

Again, the code you provide doesn't help at all. It's likely, like I said before, that you're seeing another problem related to the first one. How are you initializing the OpenSAML library?

Chandra Tondepu wrote:
I have a canned AttributeQuery being loaded from the file. I am
unmarshalling and building an AttributeQuery of it.

Using the OpenSAML XMLDigitalSignature API, I am able to sign the document.


I am able to sign the AttributeQuery, which looks as shown:
*******Signed Attribute Query starts here*********
<?xml version="1.0" encoding="UTF-8"?><saml2p:AttributeQuery
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="AttrQuery12345789"
IssueInstant="2010-01-14T17:37:25.179Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://atg.tcs.com/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#AttrQuery12345789">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml2 saml2p"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Jps0H3ST78VyLkXXuS3ggUzCO08=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ilEwL3mLWGHNDdS/f5AxZeuqQhkx1ikXPNWSvxEnmyj9gdZ5CQYY1N/epN7C+GXuB3GVyLy3oCbT
conX8AILTmpkRW5EqzjKlcJC+pJB4JoVvM8ryDhsip6oY4H8uSisJTTy5L5wzwwEfOUalFPkP/73
USjonsDPT+TzfhyqNgpCqo4E15h4baQBbYu1Xc3whi8HcLY8WhJuX7vRofKomMsuWikLldk6hHuP
0Jexqv/98JDoPIZ2ppsvuQ+R5s1AtbKkRw49KLx1E0UpUjaPWzItsSM+BX2OJ61vALJqD1L5SNA9
w2k2NiQpbH/6pa0VW+0R+u7MOlTVu4hJ7iXHNA==
</ds:SignatureValue>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
</saml2:NameID>
</saml2:Subject>
<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Name="UID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Name="CN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</saml2p:AttributeQuery>
******* Signed Attribute Query ends here*********


However, I have placed the keystore file in my "WebContent" directory, but I
am explicitly loading the keystore file as shown below:

import java.io.FileInputStream;
import java.security.KeyStore;

// Load the JKS keystore from an explicit filesystem path
KeyStore keyStore123 = KeyStore.getInstance(KeyStore.getDefaultType());
char[] password = "test".toCharArray();
FileInputStream fis = new FileInputStream("C:\\cst\\Workspace\\AttrQry\\WebContent\\SPsigning.jks");
keyStore123.load(fis, password);
fis.close();

But the above signed AttributeQuery is not complete until the KeyInfo
is part of it. For some reason, I am getting this exception while loading
KeyInfo with the code below (the exception is also provided):

import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;

// cred (the X509Credential built from the keystore) and signature123 (the Signature object)
// are defined elsewhere in the poster's code
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
System.out.println("Whats in X509KeyInfoGeneratorFactory?? " + kiFactory);
kiFactory.setEmitEntityCertificate(true);   // emit the X509Certificate inside ds:KeyInfo
KeyInfo keyInfo123 = null;
try {
    keyInfo123 = kiFactory.newInstance().generate(cred);   // the NullPointerException below is thrown from inside generate()
} catch (SecurityException e10) {
    e10.printStackTrace();
}
signature123.setKeyInfo(keyInfo123);

Exception:

java.lang.NullPointerException
at org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory$BasicKeyInfoGenerator.generate(BasicKeyInfoGeneratorFactory.java:171)
at org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.generate(X509KeyInfoGeneratorFactory.java:384)
at com.cst.saml2.attrqry.SignAttributeQuery.signTheContent(SignAttributeQuery.java:279)
at com.cst.saml2.attrqry.SignAttributeQuery.handleRequest(SignAttributeQuery.java:178)
at com.cst.saml2.attrqry.SignAttributeQuery.doPost(SignAttributeQuery.java:151)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
at java.lang.Thread.run(Unknown Source)

I am thinking the way I am loading the KeyStore may be the problem: the
Tomcat server is not able to load the certificate from the keystore and
therefore throws an exception while attempting to grab the cert.

Any help is greatly appreciated.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
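A complete bootstrap, credential, KeyInfo and signing sequence for the AttributeQuery, added here as an example; it is not code from either poster or from the OpenSAML project. It runs DefaultBootstrap.bootstrap() once before any builder lookup (the initialization Chad's question points at), builds the credential from the keystore entry, and generates the KeyInfo from that credential; the classpath resource name, alias and shared store/key password are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;

public final class AttributeQuerySigner {
    // Bootstrap once, before any builder/marshaller lookup; without it Configuration.getBuilderFactory().getBuilder(...) hands back null.
    static { try { DefaultBootstrap.bootstrap(); } catch (Exception e) { throw new ExceptionInInitializerError(e); } }

    // Assumed: the keystore is a JKS resource on the classpath and the key entry shares the store password.
    static BasicX509Credential loadCredential(String resource, String alias, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = AttributeQuerySigner.class.getResourceAsStream(resource)) {
            if (in == null) throw new IllegalStateException("keystore not found: " + resource);
            ks.load(in, pwd);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, pwd);
        if (cert == null || key == null) throw new IllegalStateException("no key pair under alias " + alias);
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(cert);   // this is what setEmitEntityCertificate(true) copies into ds:KeyInfo
        cred.setPublicKey(cert.getPublicKey());
        cred.setPrivateKey(key);
        return cred;
    }

    // Attach a Signature carrying ds:KeyInfo with the certificate, then compute the signature value.
    static void sign(AttributeQuery query, BasicX509Credential cred) throws Exception {
        Signature sig = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);
        KeyInfo keyInfo = kiFactory.newInstance().generate(cred);   // with the library bootstrapped, a non-null credential yields a KeyInfo
        sig.setKeyInfo(keyInfo);
        query.setSignature(sig);
        Configuration.getMarshallerFactory().getMarshaller(query).marshall(query);   // the DOM must exist before signing
        Signer.signObject(sig);
    }
}
```

On the receiving side the embedded certificate is only a hint: a relying party should verify the signature against the key it already trusts for that issuer (for example from metadata), not against whatever certificate arrives in KeyInfo.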