FileCredentialResolver

Overview

Indicated by type="File", loads keys and certificates stored in local or remote files using common formats. PEM, DER, and PKCS#12 are supported.

Obviously for security reasons, local files are generally used to store credentials, but it is possible to load them remotely, particularly in the case of a CRL (certificate revocation list).

Reference

Attributes

Name

Type

Default

Description

Name

Type

Default

Description

type 

string

 

Required, set to "File" in the case of this plugin

certificate

local pathname

 

Shorthand for a <Certificate> element whose <Path> element contains the value of the attribute

key

local pathname

 

Shorthand for a <Key> element whose <Path> element contains the value of the attribute

password 

string

 

Optional password for decrypting the private key if the key shorthand attribute is used.

keyName 

string

 

Optional "alias" for the key if the key shorthand attribute is used. See the <Name> element in the topic.

use 

"signing", "TLS", "encryption",

 

Optional setting that limits the use of the credential to the designated purpose. Note that "signing" implies "TLS" (it's a superset).

keyInfoMask 

integer bitmask

15

Optional bitmask controlling the content of generated KeyInfo information. By default, various combinations of the key value, name(s), X.509 certificate, and X.509 subject name are included. Certificate issuer and serial number are not, because of known bugs in non-Shibboleth software. The actual output in any given case depends on the underlying implementation.

extractNames 

boolean

true

Optional flag to disable the default extraction of "key names" based on the supplied certificate. Allows deployer to maximize control over the exact names, if any, that will be available to match against a compared key in a signature or encrypted key block. Normally left on except in specialized cases.

Child Elements

Name

Cardinality

Description

Name

Cardinality

Description

<Key>

0 or 1

References a private key. See also the key attribute above.

<Certificate> 

0 or 1

References one or more X.509 certificates. See also the certificate attribute above.

<CRL>

0 or 1

References a certificate revocation list

Examples

The following two examples are equivalent:

<FileCredentialResolver type="File" key="sp.key" certificate="sp.crt"/>

 

<FileCredentialResolver type="File"> <Key> <Path>sp.key</Path> </Key> <Certificate> <Path>sp.crt</Path> </Certificate> </FileCredentialResolver>

Â