Hi Anil,

I could easily fork pl 2.5 from github and port my changes on that version, so you can check the changes.

Basically what I'm trying to do is to have a flag in the picketlink-sts.xml configuration, a sort of includeCertInsigning, to set true or false and based on it call the right api in the StandardRequestHandler.

I've also addes an api in XmlSignatureUtil:

public static Document sign(Document doc, KeyPair keyPair, Certificate cer, String digestMethod, String signatureMethod, String referenceURI)
            throws GeneralSecurityException, MarshalException, XMLSignatureException

and modified the sigimpl to include the certificate based on conditions.

I'm open to changes or suggestions. Let me know if it's the right way or you just prefer another type of resolution.

I saw you solved the issue on the plink code.

I have also worked on https://issues.jboss.org/browse/PLINK2-51. It solves some compatibility problems with SAP.

I have a pull requst ready to send, so if you agree I will send you and you can take a look.

I'm also on #picketlink on freenode.

Yes, I looked at your code and it's quite similar to what I'd done in my local fix, excepts that mine was more raw .

I pulled in my modifications for plink2-51, so llet me know your considerations on it. https://github.com/picketlink2/federation/pull/183

Yes, I will test your modifications in our environment when I will back in Italy next week.

Hi Anil,

Sorry for the delay, I was away for a while.

I'm testing your code. Do I need any configuration parameter in picketlink-sts.xml?

Thanks Anil, It works! There are only two little issues:

1. In GeneralConstants you defined X509CERTIFICATE, so if you use X509Certificate in the configuration it won't work.

2. In the KeyInfo element the RsaKeyValue is still present, I don't know if this is correct or not. See the section below:

<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:X509Data xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:X509Certificate xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">MIIGhDCCBWygAwIBAgIKWXKzygAAAAACZzANBgkqhkiG9w0BAQUFADBmMRMwEQYKCZImiZPyLGQBGRYDbmV0MRgwFgYKCZImiZPyLGQBGRYIZ2VuZXJhbGkxFDASBgoJkiaJk/IsZAEZFgRjb3JwMR8wHQYDVQQDExZHRU5FUkFMSS1JbnRlcm5hbEVOVENBMB4XDTEzMDUwNjEyNTMzOFoXDTE1MDUwNjEyNTMzOFowga8xCzAJBgNVBAYTAklUMRAwDgYDVQQIEwdUcmV2aXNvMRgwFgYDVQQHEw9Nb2dsaWFubyBWZW5ldG8xJjAkBgNVBAoTHUFzc2ljdXJhemlvbmkgR2VuZXJhbGkgUy5wLkEuMS0wKwYDVQQLEyRHZW5lcmFsaSBCdXNpbmVzcyBTb2x1dGlvbnMgUy5DLnAuQS4xHTAbBgNVBAMTFHN0c2hjczAxLmdlbmVyYWxpLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjMHsMBAQPU9bPQjrgys2qmppLMkCNKKeCwvIFfHtWp4n0/jV6QHegThXm+mYpLY+6rNl26ifWddDFOBPtcKtXKAa834AHU1mT/XJX59eNfin80TRaIoNotbZIMam3/Pok3PUw1klDzD/k+6ofcLywlLcCHIXhesR90VLxSrKiwt+DJB5nzQFISE9rX0xXfHXtQ5h6wUm9a3E5ZLw9b/B6laVT9lUgURmx1QMtZFO3+DYZx0uUQsftBcD+Nf57rOHBndoQntm6EO1dA61diaZYP0trrcxjjCBSyFjFa9LkeHc3+2ed+dFKHhd+pmIPQOC4guRUR61SP3342ESsvBuYwIDAQABo4IC6DCCAuQwHQYDVR0OBBYEFDwdzeLTgT1UWkI94BVpyI65dxxpMB8GA1UdIwQYMBaAFNDkZ+qBOaM5xF162+E8/VH/GI72MIIBEwYDVR0fBIIBCjCCAQYwggECoIH/oIH8hoHCbGRhcDovLy9DTj1HRU5FUkFMSS1JbnRlcm5hbEVOVENBLENOPUQzRU5UQ0FUVjAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWdlbmVyYWxpLERDPW5ldD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGNWh0dHA6Ly9wa2kuZ2VuZXJhbGkuaXQvQ0RQL0dFTkVSQUxJLUludGVybmFsRU5UQ0EuY3JsMIIBDAYIKwYBBQUHAQEEgf8wgfwwgbYGCCsGAQUFBzAChoGpbGRhcDovLy9DTj1HRU5FUkFMSS1JbnRlcm5hbEVOVENBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWdlbmVyYWxpLERDPW5ldD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBBBggrBgEFBQcwAoY1aHR0cDovL3BraS5nZW5lcmFsaS5pdC9BSUEvR0VORVJBTEktSW50ZXJuYWxFTlRDQS5jcnQwCwYDVR0PBAQDAgWgMDwGCSsGAQQBgjcVBwQvMC0GJSsGAQQBgjcVCIeLhCSm3C6G8Zkgh9LcA4brzn9UhajTSoXF4R8CAWQCAQQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYJKwYBBAGCNxUKBA4wDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEANpfYnc1M4Ya2z0OKfRwpVnXWvWVEnZKh7oskSxrz9b8hCKma+/ChHxHkc+PpPPKymZwTsWL0AY/5GGAz1U8LzjuCBgSWgu+NheJYM9WJeu4POxG1Jbv5VXCwQ/e/oIZf+6zkmlntU/tTliKuDqoVRvXn9yRNj9Wbyj351T6Jd9TVIpJ8fNt4lQ9I5Fp7YfqhrsR15TpXrhOFAc6lK1TcY4rT0UMUx61udR+kliRjgwaMwZMolUoUApFsX1H2UvivvIpsqQVlaW+xllkJVIBuHQHkkv5k9MwFOl36GF3//UnHj99y0CiwNDDb9KdXyU2u4pnWG5HVYNvz+MvrB3P3kg==</dsig:X509Certificate></dsig:X509Data><dsig:KeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Modulus xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">jMHsMBAQPU9bPQjrgys2qmppLMkCNKKeCwvIFfHtWp4n0/jV6QHegThXm+mYpLY+6rNl26ifWddDFOBPtcKtXKAa834AHU1mT/XJX59eNfin80TRaIoNotbZIMam3/Pok3PUw1klDzD/k+6ofcLywlLcCHIXhesR90VLxSrKiwt+DJB5nzQFISE9rX0xXfHXtQ5h6wUm9a3E5ZLw9b/B6laVT9lUgURmx1QMtZFO3+DYZx0uUQsftBcD+Nf57rOHBndoQntm6EO1dA61diaZYP0trrcxjjCBSyFjFa9LkeHc3+2ed+dFKHhd+pmIPQOC4guRUR61SP3342ESsvBuYw==</dsig:Modulus><dsig:Exponent xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo>

Apart from the two issues I wrote about, It fixes the needs in plink2-67, but we need also plink2-51 (my pull request) to keep all working with SAP. I know my changes are only a quick fix, but if you need some rework I'm here.

Thanks.