
mace-opensaml-users - RE: signing a SAML response - C++

Subject: OpenSAML user discussion


RE: signing a SAML response - C++


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: signing a SAML response - C++
  • Date: Wed, 2 Jan 2008 13:34:32 -0500
  • Organization: The Ohio State University

> It looks as though there are 3 different ways to sign a SAML response: 1)
> sign the response while marshalling, 2) use the
> Signature::createRawSignature method, or 3) use the Signature::sign
> method.
> I assume that any of those approaches can be used.

(2) is not for signing XML, it's for raw signing of blobs. (1) is strongly
recommended. (3) is harder to get right.

> At first glance, the
> Signature::sign method seemed a natural choice because I had already
> written the subsequent block of code to perform marshalling of the
> response using
> domWriter->writeNode(&target, *static_cast<DOMNode*>(response->marshall())).

Yes, but now your DOM is written without the signature. If you do the
signing afterward, it's usually less efficient, and you would have to make
sure the signature child is already set before marshalling.

> My signature code block is as follows:
>
> CredentialCriteria criteria;
> criteria.setUsage(Credential::SIGNING_CREDENTIAL);
> Locker locker(resolver);
> const Credential* credential = resolver->resolve(&criteria);

You don't show what the resolver is, but assuming it's just the file-system
plugin, that's fine. You'd normally want to actually create the signature
though, set all its algorithms, and then set that into the criteria object.

> opensaml::ContentReference* reference = new
> opensaml::ContentReference(*assertion);

Don't do that. Calling setSignature() on a SAML object will create it for
you.

> xmlStr = XMLString::transcode("http://www.w3.org/2000/09/xmldsig#sha1");
> reference->setDigestAlgorithm(xmlStr);

Just move that code down after you call setSignature(). You also can find
all those unicode constants in the xmlsec library.

> signature->setContentReference(reference);

Don't need that.

> assertion->setSignature(signature);

Move that higher, basically as soon as it's created.

> The last line of code results in the following SignatureException: "No
> ContentReference object set for signature creation." I first tried using
> signature->getContentReference, but it returned a NULL pointer.

Because the signature wasn't set into the parent yet.

> If so, how do I set the ContentReference and will I also need to set the
> SigningKey and the KeyInfo?

The signing key is in the Credential. You can pass that to the sign method.
Normally the Credential will provide a KeyInfo representation of itself to
use without setting anything else explicitly.

-- Scott
