
mace-opensaml-users - RE: Sha2 signature info requested


RE: Sha2 signature info requested


  • From: "Paul Hethmon" <>
  • To: <>
  • Subject: RE: Sha2 signature info requested
  • Date: Wed, 3 Oct 2007 07:05:27 -0700

Prasanna,

 

Take a look at my documents and code here, where I've created an SP/IdP wrapper around the OpenSAML libraries. It's not complete, but the document attempts to explain what's being done and the code has lots of comments.

 

  http://code.crt.realtors.org/projects/websso

 

Paul

 

From: Prasanna Krishna [mailto:]
Sent: Wednesday, October 03, 2007 4:13 AM
To:
Subject: RE: Sha2 signature info requested

 

Hi Brent -
 
As suggested by you, I took the latest code from svn for opensaml, openws and xmltooling and created jar files.
 
I followed the instructions provided by you and also at https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG
 
The only diff between your approach and the approach at the above URL is setting of canonicalization algorithm.
 
I get the following exception:
 

An error occured computing the digital signature
org.apache.xml.security.signature.XMLSignatureException: Unknown canonicalizer. No handler installed for URI http://www.w3.org/2001/04/xmlenc#sha256
Original Exception was org.apache.xml.security.c14n.InvalidCanonicalizerException: Unknown canonicalizer. No handler installed for URI http://www.w3.org/2001/04/xmlenc#sha256
at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
at org.opensaml.xml.signature.Signer.signObject(Signer.java:77)
 
My code looks as follows:
 

// NOTE: The following 6 steps to sign SAML doc are picked up from
// https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG

// Step 1: Create a Signature object using the
// org.opensaml.xml.signature.SignatureBuilder (this is found in the
// XMLTooling library).
SignatureBuilder sb = new SignatureBuilder();
Signature sig = sb.buildObject();

// Step 2: Add the Credential containing the signing key using the
// Signature#setSigningCredential(Credential) method.
Credential cr = SecurityHelper.getSimpleCredential(
        service.getSignatureCertificate().getPublicKey(),
        service.getPrivateKey());
sig.setSigningCredential(cr);

// Step 3: Add the signature method algorithm URI with the method
// Signature#setSignatureAlgorithm(String). Note that the algorithm
// URI is dependent on the type of key contained with the signing
// credential.
sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

// Step 4: Add the canonicalization method algorithm URI with the
// method Signature#setCanonicalizationAlgorithm(String).
// (ALGO_ID_DIGEST_SHA256 is the xmlenc#sha256 digest-method URI that
// appears in the exception above, not a canonicalization URI.)
sig.setCanonicalizationAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);

// Step 5: If desired, add a KeyInfo containing information about the
// signature verification key using Signature#setKeyInfo(KeyInfo).
// The KeyInfo may be created manually, or may be generated
// dynamically from the signing credential using a KeyInfoGenerator,
// usually obtained from a KeyInfoGeneratorFactory via a
// KeyInfoGeneratorManager.
KeyInfoGeneratorManager kmgr = new KeyInfoGeneratorManager();
KeyInfoGeneratorFactory kfactory = kmgr.getFactory(cr);
KeyInfoGenerator kgenerator = kfactory.newInstance();
KeyInfo kinfo = kgenerator.generate(cr);
sig.setKeyInfo(kinfo);

// Step 6: Add the Signature to the SAMLObject using the
// setSignature(Signature) method. A SAMLObjectContentReference will
// automatically be added to the list of signature references
// exposed via Signature#getContentReferences()
response.setSignature(sig);

// Step 7: As suggested by Brent
((SAMLObjectContentReference) sig.getContentReferences().get(0))
        .setDigestAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);



I tried both approaches to setting the canonicalization algorithm. I commented out step 4 and retained step 7, then I commented out 7 and retained 4, and then I commented out both.
 
I get the exception in all the cases.
 
Your inputs are very much appreciated.
 
Regards
Prasanna Krishna


Date: Tue, 2 Oct 2007 18:14:36 -0400
From:
To:
Subject: Re: Sha2 signature info requested



Prasanna Krishna wrote:

Hi Brent -
 
Thank you for your patience and immediate appropriate reply.
 
We now have another question: 
 
At this juncture we probably cannot move with the latest SAML code base for this version of ours, since we are already production-like.



Well, the OpenSAML stack is (just barely, as of last week) implicitly in a beta state, because we rolled out Shibboleth in beta1.  Based on the key vs. Credential API change I noted, which SVN shows took place on 5/22/07, the (alpha) code that you are using is at least 4+ months old.  There have been a lot of changes to the code since then, especially with the security related components.  I obviously can't tell you what to do, but I would strongly advise you to reconsider using that in production.




 
Please suggest how I can set the digest algorithm to 'sha1' from within the code snippet I sent you earlier.


Well, it's going to be the same mechanism, just change the algorithm URI constant:

response.setSignature(signature);
((SAMLObjectContentReference)signature.getContentReferences().get(0))
      .setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);





 
Also can you please let me know or point me to the current stable distribution of open saml or is it that we should build the jars from the source?



There is currently no packaged source or binary distribution, stable or otherwise.  Checkout from SVN is still the way to go.  The OpenSAML stack is implicitly in a beta1 state, concurrent with the Shibboleth beta1 (really a rolling beta), although we haven't actually formally tagged a beta1 for OpenSAML yet.  We'll probably do that very soon, to give people a consistent target against which to start really testing and developing in earnest.  However, I doubt we will be providing an official binary distribution for at least a little while - at the earliest probably a later, more formal beta stage.  We haven't discussed a timeline for that yet, it could be sooner.


--Brent
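The signing flow the thread walks through, as a complete added example; it is not Prasanna's, Brent's or Paul's code and is not taken from the OpenSAML wiki page linked above. It is written against the OpenSAML 2.x Java API as it later stabilized, so the package names, DefaultBootstrap, the Configuration-based builder and KeyInfo-generator lookups, SignatureValidator and the throwaway RSA key pair are all assumptions about that API rather than the 2007 alpha code discussed here; the response ID is a constructed sample value. The one change relative to the snippet in the thread is that setCanonicalizationAlgorithm receives a canonicalization URI (exclusive c14n), while the SHA-256 digest URI goes on the SAMLObjectContentReference, which is the slot Brent's reply points at. The example then verifies the freshly produced signature against the public key, so the round trip is checked rather than assumed.

```java
// Added example (not from the thread): sign a SAML 2 Response with RSA-SHA256
// and a SHA-256 reference digest using the OpenSAML 2.x Java API. Package
// names, helpers and the sample ID are assumptions, not the 2007 alpha API.
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.impl.ResponseBuilder;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.ContentReference;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.SignatureBuilder;
import org.opensaml.xml.util.XMLHelper;

public class Sha256SignExample {

    public static void main(String[] args) throws Exception {
        // Registers builders, marshallers and the global security configuration.
        DefaultBootstrap.bootstrap();

        // Throwaway RSA key pair standing in for the real signing key (assumption).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Credential cred = SecurityHelper.getSimpleCredential(kp.getPublic(), kp.getPrivate());

        // A minimal Response to sign; the ID is a constructed sample value.
        Response response = ((ResponseBuilder) Configuration.getBuilderFactory()
                .getBuilder(Response.DEFAULT_ELEMENT_NAME)).buildObject();
        response.setID("_example-response-id");
        response.setIssueInstant(new DateTime());

        // Steps 1-3 as in the thread: build the Signature, attach the credential,
        // choose the signature method for an RSA key.
        Signature sig = ((SignatureBuilder) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)).buildObject();
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

        // Step 4: this slot takes a canonicalization URI. A digest URI here is what
        // produces the "Unknown canonicalizer ... xmlenc#sha256" exception.
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // Step 5: KeyInfo from the default generator manager of the global config.
        KeyInfoGeneratorFactory kf = Configuration.getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager().getDefaultManager().getFactory(cred);
        KeyInfoGenerator kg = kf.newInstance();
        KeyInfo keyInfo = kg.generate(cred);
        sig.setKeyInfo(keyInfo);

        // Step 6: attaching the Signature adds a SAMLObjectContentReference for the
        // Response. Step 7: the digest algorithm lives on that reference.
        response.setSignature(sig);
        for (ContentReference ref : sig.getContentReferences()) {
            ((SAMLObjectContentReference) ref)
                    .setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        }

        // The DOM must exist before signing, so marshal first, then compute the
        // signature over it.
        Marshaller m = Configuration.getMarshallerFactory().getMarshaller(response);
        m.marshall(response);
        Signer.signObject(sig);

        // Verify with the public half; throws ValidationException on failure.
        new SignatureValidator(cred).validate(sig);
        System.out.println(XMLHelper.nodeToString(response.getDOM()));
    }
}
```

Swapping SignatureConstants.ALGO_ID_DIGEST_SHA256 for SignatureConstants.ALGO_ID_DIGEST_SHA1 on the content reference is the only change needed for the SHA-1 digest Brent describes; the canonicalization line stays as it is in either case.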

 






Archive powered by MHonArc 2.6.16.
