[Code] How to use association secret to sign additional data?
Benedikt Schröfel
b.schroefel at gmx.net
Mon Mar 8 08:36:11 UTC 2010
Hello,
I'm experimenting on an OpenID implementation using a TPM for doing the
client authentication at the OpenID Provider.
I use the OpenID4Java <http://code.google.com/p/openid4java/> library. I
set up the (simple) example OpenID Provider and the RP of this library
example.
I have a few questions regarding the association (secret) and signatures:
The provider uses the association secret for signing the response to a
request of an RP. Is it possible to use the secret for signing
"arbitrary" data? I have a public RSA key and would like to sign it. The
RP should use the shared secret with the Provider to verify this
signature and thus be able to trust the origin of the key. The key is
available as a byte array or as a string (whatever is needed for this
purpose... )
What functions of the Java libraries could I use for signing and verifying?
And a little question on the Attribute Exchange 1.0:
Which parts of the attributes the RP receives from the provider are
signed? Would it be possible to change them after the provider has sent them?
(I would like to move the user data, such as nickname, email etc. from
the provider to the user side, so the data will be filled in at the user
side during the redirect to the RP).
If the attributes are signed then I will forget about this idea ;)
Many thanks in advance for any replies :) !
Kind regards
Beni
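The two questions above both come down to how OpenID 2.0 signing works at the protocol level: the association secret is an HMAC key (HMAC-SHA1 or HMAC-SHA256, depending on the association type), and the signature covers exactly the fields named in `openid.signed`, encoded in Key-Value form in that order. The following is an added, self-contained Python illustration of that mechanism, written for this page and not taken from OpenID4Java or its API; the association secret, endpoint URLs, nonce and attribute values are all constructed placeholders. It signs a positive assertion carrying AX attributes, verifies it, and shows what happens to a signed versus an unsigned attribute that is altered in transit; it also applies the same HMAC primitive to an arbitrary byte string such as an encoded public key.

```python
import base64
import hashlib
import hmac

# Constructed association secret for the example. A real secret is
# negotiated per association (Diffie-Hellman or encrypted transport)
# and is never a fixed string.
ASSOC_SECRET = b"constructed-example-secret-do-not-reuse"


def _hash_for(assoc_type):
    # OpenID 2.0 association types name the HMAC hash function.
    return {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[assoc_type]


def kv_form(message, signed_names):
    # Key-Value form: "name:value\n" for each field listed in openid.signed,
    # in that order, with names given without the "openid." prefix.
    return "".join(f"{name}:{message['openid.' + name]}\n" for name in signed_names)


def sign_message(message, signed_names, secret, assoc_type="HMAC-SHA256"):
    # Return a copy of the message with openid.signed and openid.sig set.
    signed = dict(message)
    signed["openid.signed"] = ",".join(signed_names)
    mac = hmac.new(secret, kv_form(signed, signed_names).encode("utf-8"),
                   _hash_for(assoc_type)).digest()
    signed["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return signed


def verify_message(message, secret, assoc_type="HMAC-SHA256"):
    # Recompute the MAC over exactly the fields the sender listed as signed.
    # Fields not in openid.signed do not influence the result at all.
    try:
        signed_names = message["openid.signed"].split(",")
        expected = hmac.new(secret, kv_form(message, signed_names).encode("utf-8"),
                            _hash_for(assoc_type)).digest()
        received = base64.b64decode(message["openid.sig"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, received)


def fields_are_signed(message, required):
    # An RP must check this separately: a valid signature over a subset of
    # fields says nothing about the fields it relies on but which are unsigned.
    signed_names = set(message.get("openid.signed", "").split(","))
    return all(name in signed_names for name in required)


def mac_blob(data, secret, assoc_type="HMAC-SHA256"):
    # The same keyed MAC over arbitrary bytes, e.g. a DER-encoded public key.
    # Note this is a MAC under a shared secret, not a signature: both parties
    # holding the secret can produce it, so it proves origin only between them.
    return base64.b64encode(hmac.new(secret, data, _hash_for(assoc_type)).digest()).decode("ascii")


def verify_blob(data, tag, secret, assoc_type="HMAC-SHA256"):
    return hmac.compare_digest(mac_blob(data, secret, assoc_type), tag)


def example_response():
    # Constructed id_res assertion carrying two AX attributes.
    msg = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2010-03-08T08:36:11ZEXAMPLE",
        "openid.assoc_handle": "example-handle",
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example",
        "openid.ax.type.nick": "http://axschema.org/namePerson/friendly",
        "openid.ax.value.nick": "alice",
    }
    # The core fields an OP must sign, plus the AX email fields. The nickname
    # is deliberately left out of openid.signed to show the difference.
    names = ["op_endpoint", "claimed_id", "identity", "return_to",
             "response_nonce", "assoc_handle",
             "ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    return sign_message(msg, names, ASSOC_SECRET)


def tampered(message, field, value):
    # Simulate a change made after the OP sent the message.
    copy = dict(message)
    copy[field] = value
    return copy


if __name__ == "__main__":
    resp = example_response()
    print("intact:", verify_message(resp, ASSOC_SECRET))
    print("signed email changed:",
          verify_message(tampered(resp, "openid.ax.value.email", "x@example"), ASSOC_SECRET))
    print("unsigned nick changed:",
          verify_message(tampered(resp, "openid.ax.value.nick", "x"), ASSOC_SECRET))
    print("nick listed as signed:", fields_are_signed(resp, ["ax.value.nick"]))
```

The last two results are the practical answer to the AX question: an attribute can be altered in transit without invalidating the signature precisely when the provider did not list it in `openid.signed`, so an RP that relies on an attribute has to check both that the signature verifies and that the attribute's field names appear in `openid.signed`. For the first question, the shared secret is an HMAC key and mechanically signs any byte string, but both the OP and the RP hold it, and it lives only as long as the association, so the resulting tag is evidence between those two parties rather than a signature a third party could check.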