
mace-opensaml-users - Re: [OpenSAML] Reading self signed cert and storing as saml metadata

Subject: OpenSAML user discussion

List archive

Re: [OpenSAML] Reading self signed cert and storing as saml metadata


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Reading self signed cert and storing as saml metadata
  • Date: Thu, 18 Nov 2010 16:40:20 -0500

On 11/17/10 3:20 AM, rangeli nepal wrote:
> I was under the impression that both
> SAML2HTTPPostSimpleSignRule, SAML2HTTPRedirectDeflateSignatureRule use
> X509Util.decodeCertificate.
> and X509Certificate on Metadata or with authnrequest are without
> ---BEGIN--- and ----END---
> rn
>


Yes, you are right, I must have been thinking of something else. Things
that read in a cert from a KeyInfo, e.g. from metadata or from a SAML
message or assertion, do use X509Util.decodeCertificate, although it's
buried under several layers of calls. Take a look at the KeyInfoHelper
class to see how that gets used.

So I guess the not-yet-commons-ssl TrustMaterial must support reading in
either format, and the error that you reported must have been from
something else. You didn't post the actual exception or error you were
getting. You might want to look at that a little more closely, maybe see
if there is anything being logged that is helpful.

For reference, the KeyInfoHelper getCertificate method just does this:

Collection<X509Certificate> certs =
X509Util.decodeCertificate(Base64.decode(xmlCert.getValue()));

where the xmlCert.getValue() is the Base64-encoded DER value (contents
of the X509Certificate element), which should be essentially the same as
the PEM format without the BEGIN and END lines.
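The conversion described above, as an added example that is not part of this thread or of OpenSAML: a small Python stand-in that strips the PEM BEGIN/END lines to produce the value that goes inside an X509Certificate element, decodes such a value back to DER, and sanity-checks that the result is a DER SEQUENCE (function names and the sample blob are constructed for illustration).

```python
"""Convert between PEM and the bare Base64 DER carried in <ds:X509Certificate>."""
import base64
import binascii

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_length(der: bytes) -> int:
    """Return the total length the outer DER SEQUENCE header claims.

    Every X.509 certificate is a DER SEQUENCE (tag 0x30); checking the outer
    header is a cheap way to tell real DER from Base64-decoded garbage."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected leading 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    nbytes = first & 0x7F                 # long form: count of length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        raise ValueError("malformed DER length")
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def pem_to_x509_element_value(pem: str) -> str:
    """Strip the PEM armour, leaving what belongs inside <ds:X509Certificate>."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("missing PEM BEGIN/END lines")
    return "".join(body[len(PEM_HEADER):-len(PEM_FOOTER)].split())


def x509_element_value_to_der(value: str) -> bytes:
    """Decode an X509Certificate element value (Base64 DER, whitespace allowed).

    Leftover PEM armour is rejected explicitly: a lenient Base64 decoder would
    drop the dashes and turn 'BEGINCERTIFICATE' into bytes, producing garbage
    that only fails later with a confusing error."""
    if "-----" in value:
        raise ValueError("value still contains PEM BEGIN/END lines")
    try:
        der = base64.b64decode("".join(value.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid Base64: {exc}") from None
    if der_length(der) != len(der):
        raise ValueError("Base64 decoded, but content is not one DER SEQUENCE")
    return der


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 } standing in for a
# real certificate; the encoding round trip is identical for a real one.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = "\n".join([PEM_HEADER, base64.b64encode(SAMPLE_DER).decode(), PEM_FOOTER])
```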



Archive powered by MHonArc 2.6.16.
