mace-opensaml-users - Re: decoding public keys in metadata


Re: decoding public keys in metadata

  • From: Chad La Joie <>
  • To:
  • Subject: Re: decoding public keys in metadata
  • Date: Sun, 05 Aug 2007 13:34:48 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

Yeah, unfortunately I don't believe there is a general fix for this.

Two things get in the way: enveloping vs. enveloped signatures and
content referencing. Because of the various ways to mix and match
options only the developer knows when it's safe to marshall the object tree.

I'll discuss with one of the other developers, tomorrow, whether there
is a way to detect the general, degenerate case that occurs in SAML
protocol messages (always enveloped signatures). If so, we could create
a simpler API that handled that case.

Paul Hethmon wrote:
> Sure, here's what I originally thought to do:
>
> socr = new org.opensaml.common.impl.SAMLObjectContentReference(assertion);
> signature.getContentReferences().add(socr);
> assertion.setSignature(signature);
> // Now sign it
> org.opensaml.xml.signature.Signer.signObject(signature);
>
> That doesn't error out, but ends up without a signature value. A message
> on the mailing list from last October led me to this:
>
> socr = new org.opensaml.common.impl.SAMLObjectContentReference(assertion);
> signature.getContentReferences().add(socr);
> assertion.setSignature(signature);
> // Get the marshaller factory
> MarshallerFactory marshallerFactory = org.opensaml.Configuration.getMarshallerFactory();
> Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
> try {
>     // By marshalling the assertion, we will create the XML so that
>     // the signing will have something to sign
>     marshaller.marshall(assertion);
> } catch (MarshallingException e) {
>     e.printStackTrace();
> }
> // Now sign it
> org.opensaml.xml.signature.Signer.signObject(signature);
>
> That seems to work to the best I can figure out. At least I can validate
> with my public key after signing this way.
>
> Paul
>
>
> -----Original Message-----
> From: Chad La Joie
> [mailto:]
>
> Sent: Sunday, August 05, 2007 12:33 PM
> To:
>
> Subject: Re: decoding public keys in metadata
>
> Paul Hethmon wrote:
>> One thing that did throw me was actually computing the signature; it
>> was certainly not intuitive to me that I needed to marshall the signature
>> to compute it. In hindsight, it makes sense as that is the
>> representation that the signature is computing over, but getting the
>> error that XMLSignature is null made me hit my head against the
>> keyboard for a while.
>
> I think I understand what you're saying here but could you elaborate a
> bit on this? Maybe a snippet of code?

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
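The following is an added example, not code posted in this thread or shipped with OpenSAML. It puts the full sequence discussed above in one runnable program against the OpenSAML 2.x API (org.opensaml.* with xmltooling): build an Assertion, attach an enveloped Signature with a SAMLObjectContentReference, marshal the parent object so that the Apache XMLSignature exists, then call Signer.signObject(), and finally verify the result the way a relying party would. The RSA key pair, the issuer value and the assertion ID are constructed for the example; it also assumes the xmltooling release in use defines SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256 (fall back to ALGO_ID_SIGNATURE_RSA_SHA1 on an older release).

```java
// Added example (not from the thread): signing a SAML 2 Assertion with OpenSAML 2.x and
// showing why the parent object must be marshalled before Signer.signObject().
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.UUID;
import javax.xml.namespace.QName;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.SignatureImpl;
import org.opensaml.xml.util.XMLHelper;

public class SignAssertionExample {

    // Generic helper around the builder factory so each object type needs one line below.
    @SuppressWarnings("unchecked")
    private static <T extends XMLObject> T build(QName name) {
        XMLObjectBuilder<T> builder = (XMLObjectBuilder<T>) Configuration.getBuilderFactory().getBuilder(name);
        return builder.buildObject(name);
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders/marshallers and initialises Apache XML Security

        // Constructed key pair for the example; a deployment loads its signing key from a keystore.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        BasicCredential credential = new BasicCredential();
        credential.setPrivateKey(kp.getPrivate());
        credential.setPublicKey(kp.getPublic());

        Assertion assertion = build(Assertion.DEFAULT_ELEMENT_NAME);
        // The enveloped signature's Reference URI is "#<ID>", so the ID must exist before marshalling.
        assertion.setID("_" + UUID.randomUUID().toString());
        assertion.setIssueInstant(new DateTime());
        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("https://idp.example.org/idp"); // constructed issuer value
        assertion.setIssuer(issuer);

        Signature signature = build(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        signature.getContentReferences().add(new SAMLObjectContentReference(assertion));
        assertion.setSignature(signature);

        // Before marshalling there is no DOM, so the Signature holds no Apache XMLSignature:
        // this is the state in which Signer.signObject() has nothing to compute over.
        if (((SignatureImpl) signature).getXMLSignature() == null) {
            System.out.println("not yet marshalled: XMLSignature is null, signing now would produce no value");
        }

        // Marshal the parent (the Assertion, not the Signature alone). This builds the DOM,
        // registers the ID attribute the Reference points at, and creates the XMLSignature.
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);

        Signer.signObject(signature); // computes DigestValue and SignatureValue into the DOM

        // Serialize the signed DOM as-is. Changing the object tree afterwards releases the cached
        // DOM, and re-marshalling would then produce unsigned XML.
        System.out.println(XMLHelper.nodeToString(assertion.getDOM()));

        // Verification as a relying party: first enforce the SAML signature profile (enveloped,
        // single Reference to the parent ID), then verify with a key obtained from trusted
        // metadata (here the generated public key), never with a key taken from the message's KeyInfo.
        new SAMLSignatureProfileValidator().validate(signature);
        new SignatureValidator(credential).validate(signature);
        System.out.println("signature verified");
    }
}
```

Two points worth keeping in mind when adapting this: the order setSignature, marshal parent, signObject is what the thread converged on, and the profile validator run before SignatureValidator is what stops a Reference that points at something other than the enclosing element from being accepted.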
