[OpenSAML] Adding X509 certificate info to SAML assertion


lakshmi narasimhan

Nov 10, 2009, 12:58:35 PM
to mace-open...@internet2.edu

Hello all,

I'm trying to generate a valid SAML assertion using the OpenSAML API. For signing the assertion, I'm generating the certificate using the Java Keytool utility as follows:

keytool -genkey -alias myservicekey -keyalg RSA -sigalg SHA1withRSA -keypass skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"
keytool -genkey -alias myclientkey -keyalg RSA -sigalg SHA1withRSA -keypass ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"
keytool -genkey -alias unauthorizedkey -keyalg RSA -sigalg SHA1withRSA -keypass ukpass -storepass uspass -keystore unauthIdentity.jks -dname "cn=unauthorizedkey"

keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias MyClientKey -file MyClient.cer
keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass -alias MyClientKey -file MyClient.cer -noprompt

keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias MyServiceKey -file MyService.cer
keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass -alias MyServiceKey -file MyService.cer -noprompt

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.xml.security.x509.BasicX509Credential;

public class SAML2ResponseCreate {
    public static void main(String[] args) throws Exception {
        // Load the client keystore created by the keytool commands above
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] password = "cspass".toCharArray();
        FileInputStream fis = new FileInputStream("C:/clientKeystore.jks");
        ks.load(fis, password);
        fis.close();

        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("myclientkey",
                new KeyStore.PasswordProtection("ckpass".toCharArray()));
        PrivateKey pk = pkEntry.getPrivateKey();
        //I'm receiving type cast error here
        // (getCertificate() returns a java.security.cert.Certificate, so this cast fails at runtime)
        org.opensaml.xml.signature.X509Certificate certificate =
                (org.opensaml.xml.signature.X509Certificate) pkEntry.getCertificate();

        BasicX509Credential credential = new BasicX509Credential();
        //credential.setEntityCertificate(certificate);
        credential.setPrivateKey(pk);
    }
}

While running the above code, I'm getting the following exception:

10-Nov-2009 17:40:01 org.opensaml.xml.XMLConfigurator load
INFO: ObjectProviders load complete
10-Nov-2009 17:40:01 org.opensaml.xml.XMLConfigurator load
INFO: Preparing to load ObjectProviders
10-Nov-2009 17:40:01 org.opensaml.xml.XMLConfigurator load
INFO: ObjectProviders load complete
java.lang.ClassCastException: sun.security.x509.X509CertImpl
 at com.aviva.tam.pmi.SAML2ResponseCreate.main(SAML2ResponseCreate.java:161)
 
I'm getting the exception mentioned above when I try typecasting the X509 cert generated by Java API into an OpenSAML X509Certificate. Could you please suggest how I should add an X509 certificate to a SAML assertion using OpenSAML API v2.0?

Thanks,
Laks.

Chad La Joie

Nov 10, 2009, 1:02:54 PM
to mace-open...@internet2.edu
Check the Javadocs for the return type of KeyStore.PrivateKeyEntry; it's
not org.opensaml.xml.signature.X509Certificate. The OpenSAML object is
the XMLObject for the XML Digital Signature spec's X509Certificate element.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Scott Cantor

Nov 10, 2009, 1:05:38 PM
to mace-open...@internet2.edu
lakshmi narasimhan wrote on 2009-11-10:
> I'm getting the exception mentioned above when I try typecasting the X509
> cert generated by Java API into an OpenSAML X509Certificate. Could you
> please suggest how I should add an X509 certificate to a SAML assertion
> using OpenSAML API v2.0?

The classes in OpenSAML are for manipulating the XML representations of such
objects; they have nothing to do with the underlying security objects
themselves and certainly can't be cast back and forth.

-- Scott
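
A worked example of what the two replies describe, added here and not part of the thread: the keystore yields JCA objects, which go straight onto the BasicX509Credential, and OpenSAML's KeyInfoHelper builds the ds:X509Certificate XMLObject from the JCA certificate when the assertion is signed. It assumes OpenSAML 2.x with DefaultBootstrap.bootstrap() already called (the XMLConfigurator log lines above show that) and the clientKeystore.jks from the keytool commands; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;

// Hypothetical class name; not from the thread or from OpenSAML itself.
public class SignWithCertExample {
    // Build the signing credential purely from JCA objects; no OpenSAML XML types are involved here.
    static BasicX509Credential loadCredential(String path, String storePass, String alias, String keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream fis = new FileInputStream(path);
        try { ks.load(fis, storePass.toCharArray()); } finally { fis.close(); }
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias,
                new KeyStore.PasswordProtection(keyPass.toCharArray()));
        BasicX509Credential credential = new BasicX509Credential();
        // getCertificate() returns java.security.cert.Certificate: cast to the JCA X509Certificate, never the OpenSAML one
        credential.setEntityCertificate((X509Certificate) entry.getCertificate());
        credential.setPrivateKey(entry.getPrivateKey());
        return credential;
    }

    // Attach ds:Signature with ds:KeyInfo/ds:X509Data/ds:X509Certificate to the assertion, then sign it.
    static void signAssertion(Assertion assertion, BasicX509Credential credential) throws Exception {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Signature signature = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        // RSA-SHA1 matches the keytool -sigalg above; prefer ALGO_ID_SIGNATURE_RSA_SHA256 where the relying party supports it
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        // KeyInfoHelper does the JCA -> XML conversion: DER-encode, base64, wrap in the X509Certificate XMLObject.
        KeyInfo keyInfo = (KeyInfo) bf.getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME).buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        KeyInfoHelper.addCertificate(keyInfo, credential.getEntityCertificate());
        signature.setKeyInfo(keyInfo);
        assertion.setSignature(signature);
        // Marshal first so the DOM exists, then compute the signature value over it.
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature);
    }
}
```

Call loadCredential("C:/clientKeystore.jks", "cspass", "myclientkey", "ckpass") and pass the result with a built Assertion (with its ID set) to signAssertion; the reverse direction, from a received ds:X509Certificate back to a JCA certificate, is KeyInfoHelper.getCertificates(keyInfo).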

