mace-opensaml-users - A suggestion about digital signatures
Subject: OpenSAML user discussion
- From: Massimiliano Masi <>
- Subject: A suggestion about digital signatures
- Date: Wed, 19 Sep 2007 12:26:59 +0200
Hi all,
I have the following problem:
My client requests, via WS-Trust, a SAML Authentication assertion.
In the identity provider, I authenticate the user, I issue the SAML assertion,
and I contact the Attribute Authority to obtain an Attribute Assertion.
Then I create an XML document like the following:

    <RequestSecurityTokenResponse>
      <TokenType>saml...</TokenType>
      <RequestedSecurityToken>
        <saml:Assertion/> (signed by the Identity Provider, the AuthAssertion)
        <saml:Assertion/> (signed by the Attribute Authority, the AttrAssertion)
      </RequestedSecurityToken>
    </RequestSecurityTokenResponse>

My question is: in your view, is this token correct?
Using the following code:

    // Build an empty ds:Signature object
    SignatureBuilder signatureBuilder = (SignatureBuilder) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME);
    Signature assertionSignature = signatureBuilder.buildObject();
    // First content reference to the assertion
    assertionSignature.getContentReferences().add(new SAMLObjectContentReference(assertion));

    // Signing credential built from the service key pair
    PublicKey servicePublicKey = serviceCertificate.getPublicKey();
    BasicCredential credential = SecurityHelper.getSimpleCredential(servicePublicKey, servicePrivateKey);
    assertionSignature.setSigningCredential(credential);
    assertionSignature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    assertionSignature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA);
    // Second content reference to the same assertion
    assertionSignature.getContentReferences().add(new SAMLObjectContentReference(assertion));
    assertion.setSignature(assertionSignature);

    // Marshall the assertion to DOM, then compute the signature
    MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
    Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
    Element assertionElement = marshaller.marshall(assertion);
    Signer.signObject(assertionSignature);
in the ds:Signature I have the reference to the assertion twice:

    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_fd1e981a2f58bb0f6266ace518ab6e75">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
              <ec:InclusiveNamespaces PrefixList="ds saml"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>8cEI5v0k9eJ+6JMTrLy8xWZ8l/oKk7aD1wXRYhJBHvY=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#_fd1e981a2f58bb0f6266ace518ab6e75">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
              <ec:InclusiveNamespaces PrefixList="ds saml"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>8cEI5v0k9eJ+6JMTrLy8xWZ8l/oKk7aD1wXRYhJBHvY=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
    BI/dS0LvNBoZWcHRHJao1f12Iwhw1OSl04ZAHGmAYwBdWS3GFnjff6sNz4KLdara2Q4ZjHUq09yO
    8gKXXYU6Gw==
      </ds:SignatureValue>
    </ds:Signature>

As you can see, the signature is the same. Is this correct?
Another issue is that, in the attribute authority, I sign the samlp:Response
and the saml:Assertion.
When the samlp:Response comes back to the identity provider, I validate the signature and I put the assertion in the <RequestedSecurityToken>.
When, in the client, I validate the assertions, the first validates OK;
the second (the attribute assertion) fails, because in the signature block
there is still the response reference, which is not present in the
<RequestedSecurityToken>. How can I detach this signature in the identity
provider?
Sorry for this long mail.
Thanks,
Massimiliano
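The two symptoms in the post (a SignedInfo carrying the same Reference twice, and an assertion signature whose Reference points at a samlp:Response that is no longer present) are both structural violations of the SAML 2.0 signature profile, which expects exactly one enveloped Reference to the ID of the element the signature sits in, with only the enveloped-signature and exclusive-c14n transforms. The script below is an added, stand-alone illustration of that structural check, written for this page; it is not OpenSAML's own code and does not verify digests or the SignatureValue (a real validator does both after this step). The assertion ID and digest come from the poster's XML; the saml:Issuer, the SignatureValue and the response ID are constructed placeholders.

```python
"""Structural (non-cryptographic) check of a ds:Signature against the SAML 2.0
signature-profile rules. Added example; not OpenSAML code."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = ("http://www.w3.org/2001/10/xml-exc-c14n#",
            "http://www.w3.org/2001/10/xml-exc-c14n#WithComments")


def profile_problems(signed_element):
    """Return the profile violations of the ds:Signature that is a direct child
    of signed_element (an Element with an ID attribute). Empty list == passes."""
    problems = []
    sig = signed_element.find("ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature child"]
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    # Rule 1: exactly one Reference (the poster's signature has two).
    if len(refs) != 1:
        problems.append(f"SignedInfo has {len(refs)} References, expected 1")
    parent_id = signed_element.get("ID")
    for ref in refs:
        # Rule 2: the Reference must point at the enclosing element's own ID
        # (a leftover reference to a samlp:Response ID fails here).
        uri = ref.get("URI", "")
        if uri not in ("", f"#{parent_id}"):
            problems.append(f"Reference URI {uri!r} does not point at parent ID {parent_id!r}")
        # Rule 3: enveloped-signature transform present, nothing but exclusive c14n besides it.
        algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        if ENVELOPED not in algs:
            problems.append("Reference lacks the enveloped-signature transform")
        extra = [a for a in algs if a != ENVELOPED and a not in EXC_C14N]
        if extra or len(algs) > 2:
            problems.append(f"Reference uses transforms outside the profile: {algs}")
    return problems


# --- constructed sample documents, modelled on the XML in the post ---
ASSERTION_ID = "_fd1e981a2f58bb0f6266ace518ab6e75"   # ID from the poster's signature
RESPONSE_ID = "_response-id-placeholder"            # constructed stand-in for a samlp:Response ID


def _reference(uri, transforms=(ENVELOPED, EXC_C14N[1])):
    return (f'<ds:Reference URI="{uri}"><ds:Transforms>'
            + "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
            + '</ds:Transforms>'
            '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            '<ds:DigestValue>8cEI5v0k9eJ+6JMTrLy8xWZ8l/oKk7aD1wXRYhJBHvY=</ds:DigestValue>'
            '</ds:Reference>')


def _assertion(references):
    """Wrap the given ds:Reference fragments in a signed saml:Assertion (SignatureValue is a dummy)."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="{ASSERTION_ID}" Version="2.0"><saml:Issuer>idp.example</saml:Issuer>'
            '<ds:Signature><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
            + "".join(references) +
            '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
            '</saml:Assertion>')


SAMPLES = {
    # the poster's first case: the same Reference added twice
    "duplicate_reference": _assertion([_reference("#" + ASSERTION_ID)] * 2),
    # the poster's second case: a Reference to the Response ID that is no longer present
    "response_reference": _assertion([_reference("#" + ASSERTION_ID), _reference("#" + RESPONSE_ID)]),
    # what the profile expects
    "profile_ok": _assertion([_reference("#" + ASSERTION_ID)]),
}


def check_sample(name):
    return profile_problems(ET.fromstring(SAMPLES[name]))


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", check_sample(name) or "OK")
```

Note that this is only the structural half of validation: once a signature passes these checks, the digest of the referenced element and the SignatureValue still have to be verified against the issuer's key, and a Reference that does not resolve inside the element being validated (the detached samlp:Response case) can never be verified by the client at all, which is why the second assertion in the post fails.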