[OpenSAML] Adding KeyInfo to signature


anyz
May 7, 2009, 2:16:56 AM
to mace-open...@internet2.edu
I have generated an authResponse message using OpenSAML. However, when it is verified through the http://www.infomosaic.net/SecureXMLVerifyWS.htm service, the signatures are not validated. I saw that the sample response message at infomosaic includes KeyInfo tags in the Signature elements.
 
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="MySignature">
  <KeyInfo>
    <KeyValue><RSAKeyValue><Modulus>xxxxx</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>
    <X509Data><X509Certificate>xxxxxxxx</X509Certificate></X509Data>
  </KeyInfo>
</Signature>
 
I tried the tutorial at https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG and the forums but could not add a KeyInfo to the AuthResponse message. Can you guide me on what I'm missing? The following is a snippet of how I tried adding the KeyInfo.
 
 

import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.signature.KeyInfo;

// "credential" (the signing Credential) and "signature" (the Signature being built)
// come from the surrounding code and are not shown here.
SecurityConfiguration secConfiguration = Configuration.getGlobalSecurityConfiguration();
NamedKeyInfoGeneratorManager namedKeyInfoGeneratorManager = secConfiguration.getKeyInfoGeneratorManager();
KeyInfoGeneratorManager keyInfoGeneratorManager = namedKeyInfoGeneratorManager.getDefaultManager();
// The factory is selected by the concrete Credential type (basic vs. X.509).
KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(credential);
KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
KeyInfo keyInfo = null;
try {
    keyInfo = keyInfoGenerator.generate(credential);
} catch (SecurityException e) {
    System.out.println(e);
}
signature.setKeyInfo(keyInfo);

Thanks

 

anyz
May 7, 2009, 3:44:33 AM
to mace-open...@internet2.edu
On debugging, I found that the generated keyInfo is NULL. Is there something wrong with the code for generating the KeyInfo?

Thai Quoc Nguyen
May 7, 2009, 2:17:45 PM
to mace-open...@internet2.edu
Did you have these lines:
try {
    // Loads the default OpenSAML configuration, builders and security settings.
    DefaultBootstrap.bootstrap();
} catch (ConfigurationException e) {
    e.printStackTrace();
}

at the beginning of your code?

Thai
--
Thai - from Zorro

Brent Putman
May 7, 2009, 3:45:28 PM
to mace-open...@internet2.edu
That's good advice; you do have to do that prior to using any aspect of OpenSAML. However, if he hadn't done that, I believe he'd be getting a null exception somewhere in there.

Brent Putman
May 7, 2009, 3:46:49 PM
to mace-open...@internet2.edu
That code looks correct. The only way I can see offhand that it wouldn't generate a KeyInfo is if the Credential in fact didn't have a public key (or entity certificate) in it. From where or how are you getting the Credential?

anyz wrote:
> On debugging, I found that the generated keyInfo is NULL. Is there something
> wrong with the code for generating the KeyInfo?

Brent Putman
May 7, 2009, 3:55:32 PM
to mace-open...@internet2.edu
I am moving this thread to the OpenSAML list from (Shibboleth users), since you seem to be on both.



anyz wrote:
> Finally, this snippet of code seems to be working:
>
> import java.security.cert.X509Certificate;
> import org.opensaml.xml.signature.KeyInfo;
> import org.opensaml.xml.signature.KeyInfoHelper;
> import org.opensaml.xml.signature.impl.KeyInfoBuilder;
>
> // "builderFactory", "ks" (a loaded KeyStore), "credential" and "signature"
> // come from the surrounding code; "xxxxx" is the keystore alias.
> KeyInfoBuilder keyInfoBuilder = (KeyInfoBuilder) builderFactory.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
> KeyInfo keyInfo = (KeyInfo) keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
> X509Certificate certificate = (X509Certificate) ks.getCertificate("xxxxx");
> credential.setEntityCertificate(certificate);
> KeyInfoHelper.addPublicKey(keyInfo, certificate.getPublicKey());   // emits <KeyValue>
> KeyInfoHelper.addCertificate(keyInfo, certificate);                // emits <X509Data>
> signature.setKeyInfo(keyInfo);


This is the "manual" way to build a KeyInfo and it works, but obviously means that your code is tied to the hard-coded assumptions that you make in the above code about what you want.  Using a KeyInfoGenerator (from the SecurityConfiguration for example) gives you a level of abstraction there.  If that distinction isn't important for your use case, then the above code is fine.


> However, I still can't validate through http://www.infomosaic.net/SecureXMLVerifyWS.htm. If anyone has used it, please suggest.

The absence of the KeyInfo has nothing to do with this, see below.


> Thanks
>
> On Thu, May 7, 2009 at 3:06 PM, anyz <any...@gmail.com> wrote:
>
> > Is it possible to generate a keyinfo in the above format? Also, when I try to verify the AuthResponse generated by OpenSAML (without a KeyInfo in it) through http://www.infomosaic.net/SecureXMLVerifyWS.htm, it gives a "Digest validation or calculation failed" error.


No, this means the data pointed to by the ds:Reference is different at validation time vs. signing time. This is not surprising if you're cutting/pasting the XML into that web app. Any whitespace changes, for example, will cause the signature validation to fail. Don't test your validation that way. Do it programmatically, for example using the large amount of code in OpenSAML that exists exactly for that purpose. Examples of that are on the signature page of the OpenSAML wiki that you already alluded to.


> > I think it is due to the missing KeyInfo value.
 

No, the two things are totally unrelated. The ds:KeyInfo in the Signature is not a part of the data that is signed. You can actually change the KeyInfo data *after* signing without breaking the signature. Which is precisely why you can only treat it as a hint as to the key that was used. You need to verify the trust of that key using other mechanisms.

--Brent
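The following Java program is an added example, not code from this thread or from the OpenSAML project's documentation. It ties together the two points Brent makes above: a Credential must carry a public key or entity certificate before any KeyInfoGenerator will emit a KeyInfo (otherwise generate() returns null, which is what the original poster saw), and the ds:KeyInfo lives outside the signed data, so a verifier must validate against a key it trusts from configuration or metadata rather than the certificate the message carries. It targets OpenSAML 2.x (the org.opensaml.* packages used in the thread). The keystore file `idp.jks`, alias `idp`, password `changeit`, and the class and method names are placeholders of my own. The X509KeyInfoGeneratorFactory with both emit options switched on produces the KeyValue plus X509Certificate shape that was asked about, without hand-building the elements.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.UUID;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.KeyInfoHelper;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.validation.ValidationException;

// Added example for OpenSAML 2.x; not from the thread. Keystore path, alias and
// password are placeholders (assumption) that you replace with your own.
public class KeyInfoSigningExample {

    // Private key to sign with, plus the certificate so a KeyInfoGenerator has
    // something to emit. A Credential with neither makes generate() return null.
    static BasicX509Credential loadCredential(String ksPath, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate((X509Certificate) ks.getCertificate(alias));
        cred.setPrivateKey((PrivateKey) ks.getKey(alias, pw));
        return cred;
    }

    // Emits <KeyValue> and <X509Data><X509Certificate>, the shape asked about above.
    static KeyInfo buildKeyInfo(Credential cred) throws Exception {
        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitPublicKeyValue(true);
        factory.setEmitEntityCertificate(true);
        return factory.newInstance().generate(cred);
    }

    static Signature signResponse(Response response, Credential signer, KeyInfo keyInfo) throws Exception {
        Signature sig = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(signer);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        sig.setKeyInfo(keyInfo);
        response.setSignature(sig);
        // Marshall first: the ds:Reference is built against the parent's ID attribute.
        Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        Signer.signObject(sig);
        return sig;
    }

    // Correct: the profile check pins the Reference to this element with only the
    // enveloped transform, and the key comes from configuration, not from the message.
    static boolean verifyAgainstTrusted(Signature sig, Credential trusted) {
        try {
            new SAMLSignatureProfileValidator().validate(sig);
            new SignatureValidator(trusted).validate(sig);
            return true;
        } catch (ValidationException e) {
            return false;
        }
    }

    // INSECURE, shown only to make the point: ds:KeyInfo is outside the signed data,
    // so an attacker re-signs with their own key and ships their own certificate here.
    static boolean verifyAgainstEmbeddedKeyDoNotUse(Signature sig) throws Exception {
        X509Certificate embedded = KeyInfoHelper.getCertificates(sig.getKeyInfo()).get(0);
        BasicX509Credential fromMessage = new BasicX509Credential();
        fromMessage.setEntityCertificate(embedded);
        try {
            new SignatureValidator(fromMessage).validate(sig);
            return true;  // passes for any self-consistent forgery
        } catch (ValidationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();  // required before any other OpenSAML call
        BasicX509Credential signer = loadCredential("idp.jks", "changeit".toCharArray(), "idp");
        KeyInfo keyInfo = buildKeyInfo(signer);
        if (keyInfo == null) throw new IllegalStateException("credential has no public key or certificate");
        Response response = (Response) Configuration.getBuilderFactory()
                .getBuilder(Response.DEFAULT_ELEMENT_NAME).buildObject(Response.DEFAULT_ELEMENT_NAME);
        response.setID("_" + UUID.randomUUID());
        Signature sig = signResponse(response, signer, keyInfo);
        // The relying party's trust anchor comes from metadata or config; the signer's
        // own certificate stands in for that configured credential here.
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(signer.getEntityCertificate());
        System.out.println("trusted-key check: " + verifyAgainstTrusted(sig, trusted));
        System.out.println("embedded-key check (proves nothing): " + verifyAgainstEmbeddedKeyDoNotUse(sig));
    }
}
```

The enveloped-signature transform that OpenSAML applies to the ds:Reference removes the whole ds:Signature element, KeyInfo included, from the digested data, which is why the second check cannot distinguish a genuine message from one re-signed by an attacker. In a real relying party, replace the stand-in `trusted` credential with the key material from the IdP's metadata (for example through an ExplicitKeySignatureTrustEngine), and run the SAMLSignatureProfileValidator before any signature check so a Reference cannot be pointed at some other element.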

