OpenSAML user discussion

[Marius Scurtescu <>]

Scott Cantor wrote:
> > I say 'mostly' because there still is a digest inside the SAML which
> > is done with SHA1 and I could not find a way to make this one use
> > SHA256.
>
>
> All I do is pass in whatever algorithm you give me. If xmlsec is internally
> forcing SHA-1, it's not because I told it to, so I don't know that I can
> override it, but if you say you managed it...
>
> What happens if you pass in the ALGO_ID_SIGNATURE_RSA_SHA256 constant to
> sign()?

That is exactly what I did, and the signatures ends up as expected,
SHA256.

The only problem I can see is the fact that the digest is still done
using SHA1 and there is no parameter to override this. The digest
flag MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256 seems to be the
recommended one, but SHA1 is the only required (in xmlsec 1.2.1).

> However, this is all academic. The C++ library and openssl don't support
> SHA256 yet, so it's a moot point unless your interest is solely to talk to
> implementations you control.

I know that OpenSSL does not support this. We control both ends so this
is not an issue for us.

> > From an interop standpoint, it turns out that RSA-SHA1 is it (excluding
> DSA). This is a problem, IMHO, but it's not one we can fix in code because
> the spec only required SHA-1.
>
> -- Scott

Thanks,
Marius