mace-opensaml-users - RE: What is digested
Subject: OpenSAML user discussion
List archive
- From: Scott Cantor <>
- To: 'Mark Wilcox' <>,
- Subject: RE: What is digested
- Date: Fri, 07 May 2004 22:12:30 -0400
- Organization: The Ohio State University
> What values are used to create the digest in the ds:DigestValue tag :
> like so <ds:DigestValue>gmjaBYw5W/F1z6XMjbsGibcwI4o=</ds:DigestValue>
>
> And is the algorithm just plain SHA-1 and Base64 encoding the
> output of SHA-1 or is something else going on.
It's XML signature processing, with a few rules defined by SAML to simplify
the work for SAML implementers so that the full range of possible signature
options aren't available.
The spec doesn't dictate algorithms. The common case is RSAwithSHA1, so the
digest is SHA-1, but yes, it's base-64 encoded when it appears in the
markup.
The digest input is defined by the SignedInfo element, which includes a
Reference to the ID of the root element being signed, and the transforms
that define how to take that node set and turn into an octet stream. SAML
limits the transforms that can be used to simplify the determination of what
was signed.
I suggest reading the signature spec if you really want to understand the
process, it's relatively readable given the subject matter, although some
working XPath knowledge is helpful.
http://www.w3.org/TR/xmldsig-core/
Understanding canonicalization is also fairly critical.
-- Scott
- C++ SAMLResponse, andy, 05/06/2004
- RE: C++ SAMLResponse, Scott Cantor, 05/06/2004
- What is digested, Mark Wilcox, 05/07/2004
- RE: What is digested, Scott Cantor, 05/07/2004
Archive powered by MHonArc 2.6.16.