First of all: Looks like you're using a fairly old version of the
code. I would suggest updating to the latest version of the code. The
default for the Signature Reference/DigestMethod algorithm is actually
now effectively SHA-1, not SHA-256 as you are seeing. We had to set it
to the lowest common denominator that would be supported by everything
out there. For example, some older versions of OpenSSL (e.g. used by a
non-Java SP) don't support SHA-256 apparently. Also, the API has
changed, the Signature no longer takes the signing key, it takes a
Credential that holds the signing key. If you aren't using one of our
CredentialResolver impls to get the signing key or key pair, then just
use SecurityHelper#getSimpleCredential(PublicKey, PrivateKey) or
SecurityHelper#getSimpleCredential(SecretKey).
Also, you don't need to manually add the SAMLObjectContentReference -
that is done automatically by
SignableSAMLObject#setSignature(Signature). That's why you're getting
2 References in your SignedInfo, which is not even technically valid
under the SAML XML Signature profile.
On supporting SHA-256:
Yes, OpenSAML should support any algorithms that are supported by the
underlying Apache XML Security library which we use, and this in turn
is mostly determined by the installed set of Java JCA security
providers. SHA-256 (for both Reference digest method and RSA signature
algorithms) is supported, assuming support by the underlying JRE
config. Sun's default provider stack in 1.5 is known to work fine.
For the signature algorithm method, just do:
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
For the Reference/DigestMethod - since we (effectively) now default
this to SHA-1 internally, you'll have to pull the SAML object content
reference off *after* adding it to the response (or whatever), and
change the value:
response.setSignature(signature);
((SAMLObjectContentReference)signature.getContentReferences().get(0))
.setDigestAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);
BTW, that constant is defined in EncryptionConstants b/c that algorithm
URI is defined in the XML Encryption spec, not the XML Signature spec.
Technically the default reference digest method is now pulled from the
global security configuration, if available, from:
Configuration.getGlobalSecurityConfiguration().getSignatureReferenceDigestMethod().
So if you wanted to change the default library-wide and you're using
our DefaultBootstrap process to init the library, you could use a
custom bootstrap class extending that and override:
DefaultBootstrap#initializeGlobalSecurityConfiguration()
and change whatever values you want, like the default signature
reference digest method. In the future the global security config will
hopefully be configurable declaratively via a config file, but that's
almost certainly not going to make it into 2.0. Sorry.
Thanks,
Brent
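The steps Brent describes, pulled together as an added example for OpenSAML 2 (this is not code from the thread or from the OpenSAML project). It assumes a Response has already been built and that a PublicKey/PrivateKey pair has been loaded from somewhere such as a KeyStore; the class and method names are mine.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectContentReference;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;

public class Sha256ResponseSigner {
    /** Signs a Response with RSA-SHA256 and a SHA-256 Reference digest (example code, not OpenSAML's own). */
    public static void signWithSha256(Response response, PublicKey pub, PrivateKey priv)
            throws MarshallingException, SignatureException {
        // The Signature takes a Credential now, not a raw key; wrap the key pair.
        Credential credential = SecurityHelper.getSimpleCredential(pub, priv);

        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // setSignature() creates the single SAMLObjectContentReference itself; adding
        // another by hand would produce two References, which the SAML profile disallows.
        response.setSignature(signature);

        // The reference digest defaults to SHA-1 (from the global security config), so override
        // it on the reference setSignature() created. The URI lives in EncryptionConstants.
        SAMLObjectContentReference ref =
                (SAMLObjectContentReference) signature.getContentReferences().get(0);
        ref.setDigestAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);

        // Marshall to DOM first; Signer then fills in DigestValue and SignatureValue in place.
        Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        Signer.signObject(signature);
    }

    public static void main(String[] args) throws ConfigurationException {
        DefaultBootstrap.bootstrap(); // sets up builders, marshallers and the global security config
        // Build or parse a Response, load a key pair, then call signWithSha256(response, pub, priv).
    }
}
```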
Hi -
Can you please let me know what needs to be done to set the signature
algorithm and digest value to sha256?
Currently in my code I set only the signature algorithm, which if I set to
sha1 as per one of the examples on signing on the OPENSAML site, I get the
following in the output:
The final goal is to have sha256. Does opensaml support it and how can
that be achieved? Please note that I am not setting the digest method algo
to anything but it's being picked up as sha256.
Thanks
Prasanna Krishna