Re: [higgins-dev] self-issued STS authentication

Hi Mike,

I'm using Java 1.5, and as far as I can tell the unlimited JCE policy files were already installed (the 256-bit crypto in the OpenID lib I'm working on requires them, and it works fine).

Just to make sure I downloaded and installed them again, but am getting the same error. Any idea if anything else could be wrong?

I went in with the debugger: the elemEncryptedData passed to XMLSecurityApacheExtension() looks OK, but XMLHelper.toDom(String) returns an empty DOM element when calling documentBuilder.parse().


Thanks,
Johnny

On 18-Sep-07, at 4:13 PM, Michael McIntosh wrote:

You need to download and install the unlimited crypto jurisdiction files -
instructions are here:
http://java.sun.com/products/jce/index-14.html#UnlimitedDownload

Regards,
Mike

higgins-dev-bounces@xxxxxxxxxxx wrote on 09/18/2007 05:07:48 PM:

Daniel,

On 18-Sep-07, at 6:30 AM, Daniel Sanders wrote:

Are you talking about a managed card whose user credential is a
self-issued card?  If so, that feature has been available in the
STS for much longer than two months now, and it works fine.

Yes, sorry for the ambiguity, that's what I meant.

You have to make sure that your context provider supports the
credential type.  The JNDI provider supports it.  You also have to
make sure that when you issue the managed card, you create an
association between the PPID+public key of the personal card and
the user profile so that when the STS authenticates using that
PPID+public key, it will be able to find the correct user profile.  The
JNDI context provider creates a SHA1 hash of PPID+public key and
expects to be able to look up the user object by querying on an
attribute called 'cardKeyHash' that holds the hash value.
The cardKeyHash attribute needs to be populated by the process that
issues the managed card.

I'm using r671 from https://forgesvn1.novell.com/svn/bandit/trunk,
which has the last change date Jul 23, with an OpenLDAP JNDI context
provider.

All the above is done by the Higgins STS, but
XMLSecurityApacheExtension.DecryptElement() throws the exception
below when calling xmlCipher.doFinal():

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size

The problem seems to be with this call in DecryptElement(), which
returns an empty DOM Element:

final org.w3c.dom.Element domEncryptedData = (org.w3c.dom.Element) elemEncryptedData.getAs(org.w3c.dom.Element.class);


Has anyone seen this before, or has it been fixed since July?


Thanks!
Johnny

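Daniel's description of the cardKeyHash association (issuance populates it, the STS recomputes it at authentication time and looks the profile up) is easy to get wrong if the two sides do not derive the hash identically. The following is an added illustration written for this thread, not Higgins or Bandit code: the concatenation order (PPID bytes first, then public key bytes), the UTF-8 encoding of the PPID and the hex rendering of the digest are assumptions, and the in-memory map stands in for the LDAP attribute lookup. The class name CardKeyHashLookup and the sample DN, PPID and key bytes are constructed for the example.

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Higgins code): the cardKeyHash link between a personal
 * card (PPID + public key) and a user profile, seen from both the issuance
 * side and the STS authentication side. Concatenation order, encodings and
 * the hex output are ASSUMPTIONS for illustration only.
 */
public class CardKeyHashLookup {

    /** Stand-in for the directory: cardKeyHash attribute value -> user DN. */
    private final Map<String, String> byCardKeyHash = new HashMap<String, String>();

    /** SHA-1 over the UTF-8 PPID bytes followed by the raw public key bytes (assumed layout). */
    public static String cardKeyHash(String ppid, byte[] publicKey)
            throws NoSuchAlgorithmException, UnsupportedEncodingException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(ppid.getBytes("UTF-8"));
        sha1.update(publicKey);
        return toHex(sha1.digest());
    }

    /** Issuance side: the process that issues the managed card populates cardKeyHash. */
    public void associate(String userDn, String ppid, byte[] publicKey) throws Exception {
        byCardKeyHash.put(cardKeyHash(ppid, publicKey), userDn);
    }

    /** Authentication side: the STS recomputes the hash and queries on it.
     *  Returns null when no profile carries that cardKeyHash value. */
    public String findUser(String ppid, byte[] publicKey) throws Exception {
        return byCardKeyHash.get(cardKeyHash(ppid, publicKey));
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            sb.append(Character.forDigit((bytes[i] >> 4) & 0xf, 16));
            sb.append(Character.forDigit(bytes[i] & 0xf, 16));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        CardKeyHashLookup dir = new CardKeyHashLookup();
        // Constructed sample values; not a real key or a real directory entry.
        byte[] cardKey = "constructed-public-key-bytes".getBytes("UTF-8");
        dir.associate("cn=johnny,ou=people,dc=example,dc=com", "PPID-123", cardKey);

        System.out.println("card presented:  " + dir.findUser("PPID-123", cardKey));
        // A PPID that was never associated finds nothing.
        System.out.println("unknown PPID:    " + dir.findUser("PPID-999", cardKey));
        // The same PPID with a key that is not the card's also finds nothing, so
        // knowing a PPID alone is not enough to reach the profile.
        System.out.println("PPID, wrong key: " + dir.findUser("PPID-123", "other-key".getBytes("UTF-8")));
    }
}
```

The point to check in a real deployment is that whatever populates cardKeyHash at issuance and whatever the STS computes at authentication agree byte for byte on input order and encoding; if they do not, every lookup returns no profile even though the card is valid.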
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
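Because "Illegal key size" from javax.crypto is exactly what a restricted jurisdiction policy produces for a 256-bit AES key, the first thing to establish is what the JRE that actually runs the STS permits. The following is an added check written for this thread, not Higgins or Bandit code; the class name JcePolicyCheck and the all-zero key and IV are constructed for the example. Cipher.getMaxAllowedKeyLength has been in the JDK since 1.5, so it is available on the version mentioned above.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not Higgins code). Run it under the SAME JRE that runs the
 * STS (for instance the one the application server is started with), since
 * the jurisdiction policy files are per-JRE.
 */
public class JcePolicyCheck {

    /** Largest AES key size in bits the installed policy permits.
     *  The restricted policy reports 128; the unlimited policy reports Integer.MAX_VALUE. */
    public static int maxAesKeyBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Initialise AES-CBC with a key of keyBits and report the outcome.
     *  Key and IV are all-zero values constructed for this check only; never use them for data. */
    public static String tryAesKey(int keyBits) throws GeneralSecurityException {
        byte[] key = new byte[keyBits / 8];
        byte[] iv = new byte[16];
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return "AES-" + keyBits + ": permitted";
        } catch (InvalidKeyException e) {
            // Under the restricted policy this carries the same "Illegal key size"
            // message that XMLCipher.doFinal() wraps in XMLEncryptionException.
            return "AES-" + keyBits + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Which runtime is this? The policy files must sit in this JRE's lib/security.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("max AES key length permitted = " + maxAesKeyBits());
        int[] sizes = {128, 192, 256};
        for (int i = 0; i < sizes.length; i++) {
            System.out.println(tryAesKey(sizes[i]));
        }
    }
}
```

Two caveats a practitioner would want when reading the result. First, a JDK install normally contains its own jre/lib/security directory in addition to any separately installed public JRE, and an application server may be configured to start with yet another; the printed java.home tells you which one the check was run in, and the policy files have to be in that one. Second, a passing check here only rules out the policy files: if Cipher.init succeeds with a 256-bit key in the STS's JRE, the "Illegal key size" reported from doFinal() needs a different explanation, and the empty DOM element returned from getAs(org.w3c.dom.Element.class) becomes the more likely lead.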
