mace-opensaml-users - RE: signing a SAML response - C++

Subject: OpenSAML user discussion

RE: signing a SAML response - C++


  • From: "Brian Sheely" <>
  • To: <>
  • Subject: RE: signing a SAML response - C++
  • Date: Wed, 2 Jan 2008 11:52:31 -0800

Okay, even though approach #3 is harder to get right, I'm not quite
ready to give up on it. My perform marshalling block of code comes after
my signature block so I assume my DOM will be written with the signature
(once I get it working). Yes, my CredentialResolver is a file-system
plugin. I've changed the ordering of my code to the following:


CredentialCriteria criteria;
criteria.setUsage(Credential::SIGNING_CREDENTIAL);
Signature* signature = SignatureBuilder::buildSignature();
assertion->setSignature(signature);   // parent takes ownership and creates the ContentReference

signature->setSignatureAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA1);
signature->setCanonicalizationMethod(DSIGConstants::s_unicodeStrURIEXC_C14N_NOC);

// ContentReference exists only after setSignature() above
opensaml::ContentReference* reference =
    dynamic_cast<opensaml::ContentReference*>(assertion->getContentReference());
if (!reference)
    return NULL_CONTENT_REFERENCE;

xmlStr = XMLString::transcode(URI_ID_SHA1);   // URI_ID_SHA1 is the xmlsec digest URI macro
reference->setDigestAlgorithm(xmlStr);
XMLString::release(&xmlStr);

criteria.setSignature(*signature);
Locker locker(resolver);
const Credential* credential = resolver->resolve(&criteria);   // NULL if no credential matches
signature->setSigningKey(credential->getPrivateKey());
signature->sign(credential);

The ContentReference object is valid regardless of whether I call
assertion->getContentReference() or signature->getContentReference().
Does it matter which I use? Based on your comments, I assume I needed to
call setSignature on the CredentialCriteria object. Should I also call
setSigningKey on the Signature object? Anyway, the signature->sign()
call generates the same exception as before.

Brian Sheely



-----Original Message-----
From: Scott Cantor [mailto:]

Sent: Wednesday, January 02, 2008 1:35 PM
To:

Subject: RE: signing a SAML response - C++

> It looks as though there are 3 different ways to sign a SAML response:
> 1) sign the response while marshalling, 2) use the
> Signature::createRawSignature method, or 3) use the Signature::sign
> method. I assume that any of those approaches can be used.

(2) is not for signing XML, it's for raw signing of blobs. (1) is strongly
recommended. (3) is harder to get right.

> At first glance, the Signature::sign method seemed a natural choice
> because I had already written the subsequent block of code to perform
> marshalling of the response using
> domWriter->writeNode(&target, *static_cast<DOMNode*>(response->marshall())).

Yes, but now your DOM is written without the signature. If you do the
signing afterward, it's usually less efficient, and you would have to make
sure the signature child is already set before marshalling.

> My signature code block is as follows:
>
> CredentialCriteria criteria;
> criteria.setUsage(Credential::SIGNING_CREDENTIAL);
> Locker locker(resolver);
> const Credential* credential = resolver->resolve(&criteria);

You don't show what the resolver is, but assuming it's just the file-system
plugin, that's fine. You'd normally want to actually create the signature
though, set all its algorithms, and then set that into the criteria object.

> opensaml::ContentReference* reference = new
> opensaml::ContentReference(*assertion);

Don't do that. Calling setSignature() on a SAML object will create it for
you.

> xmlStr = XMLString::transcode("http://www.w3.org/2000/09/xmldsig#sha1");
> reference->setDigestAlgorithm(xmlStr);

Just move that code down after you call setSignature(). You also can find
all those unicode constants in the xmlsec library.

> signature->setContentReference(reference);

Don't need that.

> assertion->setSignature(signature);

Move that higher, basically as soon as it's created.

> The last line of code results in the following SignatureException: "No
> ContentReference object set for signature creation." I first tried using
> signature->getContentReference, but it returned a NULL pointer.

Because the signature wasn't set into the parent yet.

> If so, how do I set the ContentReference and will I also need to set the
> SigningKey and the KeyInfo?

The signing key is in the Credential. You can pass that to the sign method.
Normally the Credential will provide a KeyInfo representation of itself to
use without setting anything else explicitly.

-- Scott
