shibboleth-dev - RE: [Shib-Dev] how to deliver personal infocard keyinfo to app?

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] how to deliver personal infocard keyinfo to app?
  • Date: Fri, 8 Aug 2008 17:07:34 -0400
  • Organization: The Ohio State University

> If I get KeyInfo that is a cert (as from DigitalMe) then I can
> indeed turn that into DER and send it to the environment. If,
> however, all I get is a public key (as from CardSpace) then I
> can't turn it into a cert, as the cert is a signed thing and I have
> nothing to sign it with, and I therefore cannot turn it into DER.
> All I have are two numbers. (I could base64 encode them.)

By DER, what I meant is the syntax that openssl uses for unencrypted public
keys. The openssl docs say:

-inform DER|NET|PEM
This specifies the input format. The DER option uses an ASN1 DER
encoded form compatible with the PKCS#1 RSAPrivateKey or
SubjectPublicKeyInfo format. The PEM form is the default format: it
consists of the DER format base64 encoded with additional header and
footer lines. On input PKCS#8 format private keys are also
accepted. The NET form is a format is described in the NOTES
section.

So I guess I'm talking about the SubjectPublicKeyInfo format.

Now, getting that out probably would take some openssl calls, I suspect, by
casting the Apache key object to the OpenSSL subclass after verifying the
underlying implementation is OpenSSL, and then using operations on an RSA*
to get the DER.

I thought that the DER was available directly from the Apache object, but
it's not, you're right. So I guess a unique hash would be better, I guess of
a concatenation of the two numbers? Or maybe just of the whole KeyInfo, but
that would be a problem because tweaking the XML would change the hash.

-- Scott
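The key-identifier problem the message discusses, as an added worked example (this is not code from the thread, from Shibboleth, or from OpenSSL). When all the SP has is the two numbers from a ds:RSAKeyValue, it can build the SubjectPublicKeyInfo DER itself (the same structure `openssl rsa -pubout -outform DER` writes) and hash that, which gives an identifier that does not change when the surrounding KeyInfo XML is re-serialised. The example is standard-library Python; the DER encoder, the sample modulus, the element names and the two KeyInfo serialisations are all constructed for the demonstration.

```python
"""Stable identifier for an RSA public key delivered as ds:RSAKeyValue.

Added example (not from the thread, Shibboleth or OpenSSL): encode the
modulus and exponent as SubjectPublicKeyInfo DER and hash those bytes, so
the identifier depends on the key alone and not on how the KeyInfo XML
happened to be serialised.  Standard library only; no OpenSSL binding.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; prepend 0x00 if the top bit is set."""
    if value < 0:
        raise ValueError("RSA parameters are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280 / RFC 3279) for an RSA public key."""
    rsa_public_key = _tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    algorithm_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    bit_string = _tlv(0x03, b"\x00" + rsa_public_key)  # leading byte: 0 unused bits
    return _tlv(0x30, algorithm_id + bit_string)


def _b64_to_int(text: str) -> int:
    # XML base64 may be wrapped across lines; strip all whitespace first
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def rsa_key_value_from_keyinfo(keyinfo_xml: str) -> Tuple[int, int]:
    """Pull (modulus, exponent) out of ds:KeyInfo//ds:RSAKeyValue."""
    root = ET.fromstring(keyinfo_xml)
    rsa = root.find(f".//{{{DS_NS}}}RSAKeyValue")
    if rsa is None:
        raise ValueError("no ds:RSAKeyValue in KeyInfo")
    values = []
    for tag in ("Modulus", "Exponent"):
        el = rsa.find(f"{{{DS_NS}}}{tag}")
        if el is None or not el.text:
            raise ValueError(f"missing ds:{tag}")
        values.append(_b64_to_int(el.text))
    return values[0], values[1]


def key_fingerprint(keyinfo_xml: str) -> str:
    """SHA-256 over the SPKI DER: stable across XML re-serialisation."""
    n, e = rsa_key_value_from_keyinfo(keyinfo_xml)
    return hashlib.sha256(rsa_spki_der(n, e)).hexdigest()


def xml_text_hash(keyinfo_xml: str) -> str:
    """The fragile alternative: hash the KeyInfo text itself."""
    return hashlib.sha256(keyinfo_xml.encode("utf-8")).hexdigest()


# Constructed sample key (a 256-bit value chosen for the demo, not a real key).
SAMPLE_MODULUS = int("b5d8a3c1f27e4906e3ad41c7890f2b6d5c1a3e9f8b7d6c5a4e3f2d1c0b9a8f7e", 16)
SAMPLE_EXPONENT = 65537
_MOD_B64 = base64.b64encode(
    SAMPLE_MODULUS.to_bytes((SAMPLE_MODULUS.bit_length() + 7) // 8, "big")).decode()
_EXP_B64 = base64.b64encode(SAMPLE_EXPONENT.to_bytes(3, "big")).decode()

# Two serialisations of the same key: pretty-printed with a default namespace,
# and compact with a ds: prefix.  Their text hashes differ; the SPKI hash does not.
KEYINFO_A = f"""<KeyInfo xmlns="{DS_NS}">
  <KeyValue>
    <RSAKeyValue>
      <Modulus>{_MOD_B64}</Modulus>
      <Exponent>{_EXP_B64}</Exponent>
    </RSAKeyValue>
  </KeyValue>
</KeyInfo>"""
KEYINFO_B = (f'<ds:KeyInfo xmlns:ds="{DS_NS}"><ds:KeyValue><ds:RSAKeyValue>'
             f'<ds:Modulus>{_MOD_B64}</ds:Modulus><ds:Exponent>{_EXP_B64}</ds:Exponent>'
             f'</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>')

if __name__ == "__main__":
    print("text hashes equal:", xml_text_hash(KEYINFO_A) == xml_text_hash(KEYINFO_B))
    print("SPKI  hashes equal:", key_fingerprint(KEYINFO_A) == key_fingerprint(KEYINFO_B))
    print("SPKI fingerprint:", key_fingerprint(KEYINFO_A))
```

Hashing the SPKI rather than a bare concatenation of the two numbers also avoids an ambiguity: without length framing, the byte strings of (modulus, exponent) pairs can collide when the boundary between them shifts, whereas DER fixes the boundary with explicit tags and lengths. Hashing the certificate instead, for the DigitalMe case, would identify that particular certificate rather than the key, so two certificates carrying the same key would get different identifiers.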
