
mace-opensaml-users - Re: [OpenSAML] getting and setting x509 credential

Subject: OpenSAML user discussion


Re: [OpenSAML] getting and setting x509 credential


  • From: Chad La Joie <>
  • To:
  • Subject: Re: [OpenSAML] getting and setting x509 credential
  • Date: Tue, 30 Mar 2010 14:22:12 -0400
  • Organization: Itumi, LLC

If you read the Javadoc for X509Certificate you'll see that getSubjectDN is
not recommended, but otherwise yes. You may also want to explicitly
state which format to use for the DN. I believe the SAML spec
specifically requires the RFC2253 form for the X509SubjectName name
identifier format, but you'd have to check the spec to confirm that.

On 3/30/10 2:19 PM, Jason Countryman wrote:
> Ok, so would something like this work, or do I need the alt names?
>
> Principal subjectName = cert.getSubjectDN();
>
> // Issuer
> SAMLObjectBuilder<Issuer> issuerBuilder = (SAMLObjectBuilder<Issuer>)
> builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
> Issuer issuer = issuerBuilder.buildObject();
> issuer.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName");
> issuer.setValue(subjectName.getName());
>
> ______________________________
> Jason T. Countryman
> Programmer
> Community Computer Service
>
>
> *---------- Original Message -----------*
> From: Chad La Joie
> <>
> To:
>
> Sent: Tue, 30 Mar 2010 14:10:50 -0400
> Subject: Re: [OpenSAML] getting and setting x509 credential
>
>> No, the subject data is available directly from X509Certificate APIs.
>> The helper classes are there to provide additional features that are not
>> available via the standard APIs (e.g. retrieval of specific types of alt
>> names).
>>
>> On 3/30/10 2:07 PM, Jason Countryman wrote:
>> > Well, that leads me to my next question. I need to replicate this for
>> > the issuer element:
>> >
>> > <saml2:Issuer
>> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=*.test.com,OU=Secure
>> > Link SSL Wildcard,O=Test Corp.,STREET=2 Test Street,L=Test
>> > City,S=NY,PostalCode=10000,C=US</saml2:Issuer>
>> >
>> > Basically, the information from the Subject: in the key. How do I go
>> > about accessing that information? I'm assuming it's in the X509Util
>> > class somewhere, right?
>> >
>> > Thanks again for all your help.
>> > ______________________________
>> > Jason T. Countryman
>> > Programmer
>> > Community Computer Service
>> >
>> >
>> > *---------- Original Message -----------*
>> > From: Chad La Joie
>> > <>
>> > To:
>> >
>> > Sent: Tue, 30 Mar 2010 11:35:42 -0400
>> > Subject: Re: [OpenSAML] getting and setting x509 credential
>> >
>> >> Note, you might want to look at org.opensaml.xml.security.SecurityHelper
>> >> and org.opensaml.xml.security.x509.X509Util. These classes provide a
>> >> lot of helpers for reading in keys and certs, in various formats, and
>> >> working with them.
>> >>
>> >> On 3/30/10 11:29 AM, Jason Countryman wrote:
>> >> > Thank you both, you guys were right on. Changed the packaged to
>> >> > java.security.cert.X509Certificate and my code looks like this now:
>> >> >
>> >> > CertificateFactory cf = CertificateFactory.getInstance("X.509");
>> >> > X509Certificate cert =
>> >> > (X509Certificate)cf.generateCertificate(inStream);
>> >> > inStream.close();
>> >> > privateCredential.setEntityCertificate(cert);
>> >> >
>> >> > You guys rock.
>> >> >
>> >> >
>> >> > ______________________________
>> >> > Jason T. Countryman
>> >> > Programmer
>> >> > Community Computer Service
>> >> >
>> >> >
>> >> > *---------- Original Message -----------*
>> >> > From: "JASON D'CRUZ"
>> >> > <>
>> >> > To:
>> >> >
>> >> > Sent: Tue, 30 Mar 2010 20:49:09 +0530
>> >> > Subject: Re: [OpenSAML] getting and setting x509 credential
>> >> >
>> >> >> check your package.
>> >> >>
>> >> >> the setEntityCertificate() method requires the
>> >> >> java.security.cert.X509Certificate
>> >> >>
>> >> >> You appear to have used the java*x*.security.cert.X509Certificate
>> >> >> class
>> >> >>
>> >> >> On Tue, Mar 30, 2010 at 8:39 PM, <> wrote:
>> >> >>
>> >> >
>> >> > > Hello all,
>> >> > >
>> >> > > I'm totally new to using SAML and OpenSAML in particular. I need
>> >> > > to create a sender-vouches assertion that is signed using an x509
>> >> > > key. (for NYS Heal5 HIE, if anyone is wondering) I have the
>> >> > > following code:
>> >> > >
>> >> > > DefaultBootstrap.bootstrap(); // initialize the opensaml library
>> >> > > // jtc -- now, build the assertion
>> >> > > XMLObjectBuilderFactory builderFactory =
>> >> > > Configuration.getBuilderFactory();
>> >> > > SAMLObjectBuilder<Assertion> builder =
>> >> > > (SAMLObjectBuilder<Assertion>)
>> >> > > builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
>> >> > > Assertion assertion = builder.buildObject();
>> >> > > // jtc -- we have the naked assertion now. let's add the
>> >> > > interesting stuff.
>> >> > >
>> >> > > // jtc - signature and credential
>> >> > > BasicX509Credential privateCredential = new
>> >> > > BasicX509Credential();
>> >> > > InputStream inStream = new FileInputStream((String)
>> >> > > samlInfoVector.get(0));
>> >> > > // position 0 has the key file
>> >> > > X509Certificate cert = X509Certificate.getInstance(inStream);
>> >> > > inStream.close();
>> >> > > privateCredential.setEntityCertificate(cert);
>> >> > >
>> >> > > I'm having a problem with that last line, setting the
>> >> > > EntityCertificate. The error I'm getting is:
>> >> > >
>> >> > > The method setEntityCertificate(X509Certificate) in the type
>> >> > > BasicX509Credential is not applicable for the arguments
>> >> > > (X509Certificate)
>> >> > >
>> >> > > Any guidance on what's going on here would be much appreciated.
>> >> > >
>> >> > > Thanks
>> >> > > Jason Countryman
>> >> > >
>> >> >
>> >> >
>> >> >>
>> >> >
>> >> >> --
>> >> >> Regards,
>> >> >> Jason
>> >> > *------- End of Original Message -------*
>> >> > This message has been scanned for viruses and dangerous content by
>> >> > MailScanner, SpamAssassin & ClamAV.
>> >> >
>> >> > This message and any attachments may contain information that is
>> >> > protected by law as privileged and confidential, and
>> >> > is transmitted for the sole use of the intended recipient(s). If you
>> >> > are not the intended recipient, you are hereby notified
>> >> > that any use, dissemination, copying or retention of this e-mail
>> >> > or the information contained herein is strictly prohibited.
>> >> > If you received this e-mail in error, please immediately notify the
>> >> > sender by e-mail, and permanently delete this e-mail.
>> >>
>> >> --
>> >> Chad La Joie
>> >> www.itumi.biz <http://www.itumi.biz/>
>> >> trusted identities, delivered
>> > *------- End of Original Message -------*
>>
> *------- End of Original Message -------*

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
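An added example that is not code from the thread or from the OpenSAML project, putting the advice above together in one place: load the certificate through CertificateFactory so it is a java.security.cert.X509Certificate (not the javax one), attach it to a BasicX509Credential, and fill the Issuer with the subject DN in RFC 2253 form taken from getSubjectX500Principal() instead of the discouraged getSubjectDN(). The class name X509IssuerExample and the file name signer-cert.pem are placeholders; the OpenSAML 2 classes and the X509SubjectName format URI are the ones that appear in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;   // the type BasicX509Credential expects
import javax.security.auth.x500.X500Principal;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.x509.BasicX509Credential;

public class X509IssuerExample {

    // Name identifier format quoted in the thread for X509 subject names.
    static final String X509_SUBJECT_NAME_FORMAT =
        "urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName";

    /** Parse a DER- or PEM-encoded certificate file into java.security.cert.X509Certificate. */
    static X509Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Subject DN in RFC 2253 form. getSubjectDN() is discouraged by the
     * Javadoc and its string form is implementation-defined; the X500Principal
     * API lets the caller pin the encoding the relying party will compare.
     */
    static String rfc2253SubjectName(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    /** Build a saml2:Issuer carrying the certificate subject as an X509SubjectName. */
    static Issuer buildIssuer(X509Certificate cert) {
        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
        @SuppressWarnings("unchecked")
        SAMLObjectBuilder<Issuer> issuerBuilder =
            (SAMLObjectBuilder<Issuer>) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        Issuer issuer = issuerBuilder.buildObject();
        issuer.setFormat(X509_SUBJECT_NAME_FORMAT);
        issuer.setValue(rfc2253SubjectName(cert));
        return issuer;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();   // initialise the OpenSAML library once per JVM

        // Placeholder path; in the thread the certificate path comes from samlInfoVector.
        String certPath = args.length > 0 ? args[0] : "signer-cert.pem";
        X509Certificate cert = loadCertificate(certPath);

        // Fail early rather than issuing assertions under an expired or not-yet-valid cert.
        cert.checkValidity();

        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(cert);
        // Signing the assertion additionally needs the matching private key on the
        // credential (the thread's snippet only loads the certificate); that step is
        // omitted here.

        Issuer issuer = buildIssuer(cert);
        System.out.println(issuer.getFormat() + " -> " + issuer.getValue());
    }
}
```

Pinning the DN encoding matters on the receiving side as well: a relying party that compares the Issuer value against a configured string should compare the same RFC 2253 rendering it would compute from its trusted certificate, not whatever getSubjectDN().getName() happens to return on its JVM.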


