mace-opensaml-users - Re: [OpenSAML] Holder-Of-Key method: what is and how to generate Ciphervalue field
- From: Brent Putman <>
- Subject: Re: [OpenSAML] Holder-Of-Key method: what is and how to generate Ciphervalue field
- Date: Mon, 14 Feb 2011 14:37:05 -0500
On 2/14/11 9:37 AM, Cantor, Scott E. wrote:
>> What does the <xenc:CipherValue> field contain exactly, and how can it be
>> generated within my client?
>
> Holder of key doesn't involve XML encryption, at least not typically.
I'd agree that's true in our usual SAML world (Web SSO), but the people
involved more with the WS-Security/WS-Trust world seem to be oddly
concerned/obsessed/fixated with the symmetric proof key case, rather
than asymmetric. I guess they perhaps assume that WS clients typically
don't have long-term key-pairs, and so since you're going to generate an
ephemeral proof key anyway, might as well do symmetric and be more
efficient.
I mention that since the poster mentioned STS and the example includes a
wsse:SecurityTokenReference, and what he described sounds like a
symmetric key case.
Anyway, to the original poster: you should probably take a look at the
XML Encryption spec if you really need to know about these details
(hint: the xenc:CipherValue contains the actual encrypted key data).
In terms of Java OpenSAML: Take a look at the
org.opensaml.xml.encryption.Encrypter class, in particular the
encryptKey(..) methods. That's how you'd generate the xenc:EncryptedKey
element.
And along the lines of what Scott said, if your use case allows, you
could potentially save yourself some pain and just use an asymmetric
proof-of-possession keypair. Then you don't have to deal with XML
Encryption - the STS would embed the client's public key as-is in the
Assertion's subject confirmation data.
--Brent
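As an added illustration of the Encrypter.encryptKey(..) route Brent points to (example code written for this archive page, not from the thread or the OpenSAML project): it generates an ephemeral AES proof key, wraps it for the client's RSA public key with RSA-OAEP, and marshals the resulting xenc:EncryptedKey so the base64 xenc:CipherValue can be inspected. It assumes the OpenSAML 2.x API (org.opensaml.xml.*), a throwaway client key pair generated locally in place of a real client certificate, and that the STS would place the EncryptedKey inside the Assertion's SubjectConfirmationData.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.SecretKey;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.EncryptedKey;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.Encrypter;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class HolderOfKeyProofKeyExample {

    public static void main(String[] args) throws Exception {
        // Initialise the OpenSAML 2 object providers and marshallers.
        DefaultBootstrap.bootstrap();

        // Stand-in for the client's long-term RSA key pair (assumption: generated
        // here; a real STS takes the public key from the client's certificate).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair clientKeyPair = kpg.generateKeyPair();
        Credential clientKek = SecurityHelper.getSimpleCredential(clientKeyPair.getPublic(), null);

        // The ephemeral symmetric proof-of-possession key the STS issues.
        SecretKey proofKey = SecurityHelper.generateSymmetricKey(
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);

        // Key-transport parameters: wrap the proof key for the client's public
        // key with RSA-OAEP, so only the private-key holder can recover it.
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(clientKek);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

        Document doc = Configuration.getParserPool().newDocument();
        EncryptedKey encryptedKey = new Encrypter().encryptKey(proofKey, kekParams, doc);

        // xenc:CipherValue is the base64 of the RSA-OAEP wrapped AES key bytes.
        String cipherValue = encryptedKey.getCipherData().getCipherValue().getValue();
        System.out.println("CipherValue (base64): " + cipherValue);

        // Marshal the whole xenc:EncryptedKey as the STS would embed it.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(encryptedKey);
        Element element = marshaller.marshall(encryptedKey);
        System.out.println(XMLHelper.nodeToString(element));
    }
}
```

The relying party later checks that the requester can use proofKey, which is what makes the confirmation holder-of-key rather than bearer.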