mace-opensaml-users - Re: Verify a SAML token


Re: Verify a SAML token


  • From: Brent Putman <>
  • To:
  • Subject: Re: Verify a SAML token
  • Date: Tue, 05 Jun 2007 21:52:51 -0400



Mike Mattozzi wrote:
>
> Now for a nitty-gritty question: Do you have support for xpointer?


To add to (and slightly diverge from) what Chad said: From the errors,
your particular issue is happening because the Apache XML Security
library isn't able to resolve the XPointer reference during signature
verification. All of the work of doing signature verification is
delegated to their library: if they support it, we support it. If they
don't, we don't either (unless we or someone writes the extensions, see
below).

In their library, resolving Signature References is implemented by what
they call a ResourceResolver. See:
http://xml.apache.org/security/Java/resolver.html


They do have some limited support for dereferencing XPointer References
via a ResourceResolver impl called:
org.apache.xml.security.utils.resolver.implementations.ResolverXPointer.
I checked and that ResourceResolver is configured for use in their
v.1.4.1 (the version we currently use).


Their Javadocs aren't working on their site, but here is what they say:

/**
* Handles barename XPointer Reference URIs.
* <BR />
* To retain comments while selecting an element by an identifier ID,
* use the following full XPointer: URI='#xpointer(id('ID'))'.
* <BR />
* To retain comments while selecting the entire document,
* use the following full XPointer: URI='#xpointer(/)'.
* This XPointer contains a simple XPath expression that includes
* the root node, which the second to last step above replaces with all
* nodes of the parse tree (all descendants, plus all attributes,
* plus all namespaces nodes).
*
* @author $Author: raul $
*/

> I
> was working through a signature validation using the
> SignatureValidator and the sample Assertion I have uses the Reference
> URI="#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])"
>


From looking at the code, they only support simple XPointer references
of the form "#xpointer(id(ID_VALUE))" or the literal value
"#xpointer(/)". So basically just whole document references, or simple
ID references (that they then resolve with their IDResolver). So
unfortunately it appears their impl is too constrained to support the
more complex XPointer reference value you have.

>
>
> I tried replacing the URI with just the assertion id, in which case it
> seems to find everything it's looking for just fine, but then it
> fails with "Signature did not validate against the credential's key"
> which I guess makes sense given the fact that I just changed part of
> the XML (or would this part be excluded from the signing?)

No, it's definitely included in what is signed, so that's what's causing
the verification to fail.


>
> Either way, is there any way I can get this xpointer to resolve?


It's possible (but I fear perhaps unlikely....) that someone, somewhere
has written an implementation of their ResourceResolver that supports
more complex XPointer references. If you have a pressing need, you
could inquire over on
,
it's an open list.
Or ask if they have something in the pipeline. Actually, I'll go ahead
and ask them, but I fear the answer is no. Know any Java programmer
XPointer experts? :-)

Just to finish this topic out: If you wanted to *generate* a signature
with an XPointer reference using XMLTooling/OpenSAML 2 - in addition to
probably needing the appropriate resource resolver described, you'd also
have to have an appropriate implementation of our ContentReference
interface. This is (I imagine) relatively easy compared to what is
required to implement the resolver (but I know little of XPointer).


--Brent
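As an added illustration of the two points in this thread (it is not code from the original post, nor from OpenSAML or Apache XML Security): a small Python resolver that accepts only the Reference URI forms the thread says the library handles, so the complex XPath-style XPointer is rejected up front with a clear error, and a digest over a constructed, un-canonicalized SignedInfo that shows why rewriting the URI breaks verification. The sample envelope, the `_a1` ID and the barename `#ID` handling are assumptions made for the example.

```python
"""Mini XPointer Reference resolver (constructed example, not the library's code)."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: a SOAP envelope carrying a SAML assertion with ID "_a1".
SAMPLE_XML = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Header><Security><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
<Issuer>idp.example</Issuer></Assertion></Security></Header><Body/></Envelope>"""
SAMPLE_ROOT = ET.fromstring(SAMPLE_XML)

# Matches the full-XPointer ID form from the ResolverXPointer Javadoc: #xpointer(id('ID'))
ID_XPOINTER = re.compile(r"^#xpointer\(id\(['\"]([^'\"]+)['\"]\)\)$")

def resolve_reference(root, uri):
    """Return the element a Reference URI designates, supporting only the forms
    discussed in the thread: '' or '#xpointer(/)' (whole document), the barename
    '#ID' (assumed here) and "#xpointer(id('ID'))". Any other XPointer, such as an
    XPath-style step expression, raises ValueError instead of silently failing."""
    if uri in ("", "#xpointer(/)"):
        return root
    match = ID_XPOINTER.match(uri)
    if match:
        id_value = match.group(1)
    elif uri.startswith("#") and "(" not in uri:
        id_value = uri[1:]                      # barename reference
    else:
        raise ValueError(f"unsupported XPointer form: {uri}")
    for element in root.iter():                 # includes the root itself
        if element.get("ID") == id_value:
            return element
    raise LookupError(f"no element with ID {id_value!r}")

def signed_info_digest(reference_uri, digest_value="Zm9v"):
    """The Reference URI lives inside SignedInfo, which is what the signature covers,
    so changing the URI changes the signed bytes (constructed, un-canonicalized)."""
    signed_info = (f'<SignedInfo><Reference URI="{reference_uri}">'
                   f'<DigestValue>{digest_value}</DigestValue></Reference></SignedInfo>')
    return hashlib.sha256(signed_info.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    complex_uri = ("#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']"
                   "/*[local-name()='Security']/*[local-name()='Assertion'][1])")
    for uri in ("#xpointer(/)", "#xpointer(id('_a1'))", "#_a1", complex_uri):
        try:
            print(uri[:32], "->", resolve_reference(SAMPLE_ROOT, uri).tag)
        except ValueError as exc:
            print(uri[:32], "->", exc)
    print("signed bytes changed:", signed_info_digest(complex_uri) != signed_info_digest("#_a1"))
```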





Archive powered by MHonArc 2.6.16.