
mace-opensaml-users - Re: [OpenSAML] Reading self signed cert and storing as saml metadata

Subject: OpenSAML user discussion


Re: [OpenSAML] Reading self signed cert and storing as saml metadata


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Reading self signed cert and storing as saml metadata
  • Date: Tue, 16 Nov 2010 12:07:35 -0500



On 11/15/10 10:11 PM, rangeli nepal wrote:
>
> I am trying to read a self-signed cert and build a SAML metadata
> X509Certificate section. It seems I cannot store it directly due to the
> ----BEGIN CERTIFICATE--- and ---END CERTIFICATE--- lines.
> I can always remove those lines from cert and store in X509Certificate
> section. Is this a correct way to do? I see several pertinent methods
> in org.opensaml.xml.security.SecurityHelper and X509Util but not sure
> what to use.
>


You *could* just strip out the BEGIN and END header/footer lines and
then manually insert that directly into the KeyInfo/X509Certificate
element. That's probably the messier way to do it, but it would work, if
you don't mind doing the text munging.

The more "elegant" approach, for which there is support in the OpenSAML
library, would be to:

1) read the cert data into a java.security.cert.X509Certificate
object. See the decodeCertificate(...) methods in X509Util, esp. the one
that takes a File as the argument.

2) using the Java X509Certificate object, generate the appropriate
XMLObject KeyInfo structure. There are some helper methods in
KeyInfoHelper. You can generate just the X509Certificate XMLObject
using the buildX509Certificate(X509Certificate cert) method, or you can
use addCertificate(KeyInfo keyInfo, X509Certificate cert) to add the
cert to an existing KeyInfo instance.

There is also a higher level of abstraction possible here, where you can
build an X509Credential from the cert object (or resolve the credential
using a CredentialResolver in the first place), and then generate a
KeyInfo structure from the credential using a KeyInfoGenerator (in
particular an X509KeyInfoGenerator). See specifically the
X509KeyInfoGeneratorFactory.
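The two routes Brent outlines, written out as an added example (this is not code from the thread or from the OpenSAML project). It assumes OpenSAML 2.x on the classpath (the org.opensaml.xml.* packages of that era, matching the classes named above), that DefaultBootstrap.bootstrap() has been called before any XMLObject is built, and that "self-signed.pem" is a placeholder path. Going through X509Util.decodeCertificate(File) rather than hand-stripping the PEM armour means a malformed or truncated file fails at parse time in the Java CertificateFactory, and the base64 that ends up in the metadata is re-derived from the parsed DER, so what gets published is exactly the certificate Java understood:

```java
import java.io.File;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.security.x509.X509Util;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.util.XMLHelper;

/**
 * Builds a ds:KeyInfo carrying ds:X509Data/ds:X509Certificate from a PEM file,
 * first with KeyInfoHelper directly and then via an X509Credential plus
 * X509KeyInfoGenerator. Example code, not part of the OpenSAML distribution.
 */
public class CertToKeyInfo {

    /** Step 1: parse the PEM (or DER) file into a java.security.cert.X509Certificate. */
    static X509Certificate readCertificate(File certFile) throws CertificateException {
        // X509Util strips the BEGIN/END CERTIFICATE armour itself; no text munging needed.
        // It returns a collection because one file may hold a whole chain; take the first entry.
        Collection<X509Certificate> certs = X509Util.decodeCertificate(certFile);
        if (certs == null || certs.isEmpty()) {
            throw new CertificateException("no certificate found in " + certFile);
        }
        return certs.iterator().next();
    }

    /** Step 2a: build a fresh KeyInfo and attach the cert with KeyInfoHelper. */
    static KeyInfo buildKeyInfoDirect(X509Certificate cert) throws CertificateEncodingException {
        XMLObjectBuilder<?> builder =
                Configuration.getBuilderFactory().getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
        KeyInfo keyInfo = (KeyInfo) builder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        // addCertificate base64-encodes cert.getEncoded() and appends X509Data/X509Certificate.
        KeyInfoHelper.addCertificate(keyInfo, cert);
        return keyInfo;
    }

    /** Step 2b: the higher-level route via a credential and an X509KeyInfoGenerator. */
    static KeyInfo buildKeyInfoFromCredential(X509Certificate cert) throws SecurityException {
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(cert);

        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitEntityCertificate(true); // emit the certificate itself, not only key data
        KeyInfoGenerator generator = factory.newInstance();
        return generator.generate(credential);
    }

    /** Serialise the XMLObject so it can be dropped into a md:KeyDescriptor in metadata. */
    static String toXml(KeyInfo keyInfo) throws MarshallingException {
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(keyInfo);
        return XMLHelper.nodeToString(marshaller.marshall(keyInfo));
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders/marshallers; required before buildObject()
        File certFile = new File(args.length > 0 ? args[0] : "self-signed.pem"); // placeholder path
        X509Certificate cert = readCertificate(certFile);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println(toXml(buildKeyInfoDirect(cert)));
        System.out.println(toXml(buildKeyInfoFromCredential(cert)));
    }
}
```

Both methods produce the same ds:X509Certificate content for a single self-signed cert; the credential route is the one to prefer when the same certificate is also used for signing or encryption elsewhere in the deployment, since the X509Credential is then the single object that signing, KeyInfo generation, and trust-engine resolution all share. Because the cert is self-signed, relying parties will accept it only on the strength of the metadata it appears in, so the metadata document itself is what has to be signed or otherwise obtained over a trusted channel.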




