
mace-opensaml-users - RE: signing a SAML response - C++

Subject: OpenSAML user discussion


RE: signing a SAML response - C++


  • From: "Scott Cantor"
  • Subject: RE: signing a SAML response - C++
  • Date: Wed, 2 Jan 2008 15:09:24 -0500
  • Organization: The Ohio State University

> Okay, even though approach #3 is harder to get right, I'm not quite
> ready to give up on it. My perform marshalling block of code comes after
> my signature block so I assume my DOM will be written with the signature
> (once I get it working).

No, it won't. You MUST marshall, then sign. Actually writing the DOM out is
not the same as marshalling, of course; it's the generation of the DOM
itself. You MUST generate the DOM before signing, and the signature object
MUST be in place before both. That's why the simplest thing to do is to pass
in the signature list during marshalling; then you can't get the order
wrong.

> signature->setSigningKey(credential->getPrivateKey());

You don't need that, the sign() method does it for you.

> signature->sign(credential);
>
> The ContentReference object is valid regardless of whether I call
> assertion->getContentReference() or signature->getContentReference().

Do not call assertion->getContentReference. Looking at it, I think it was
supposed to be protected, but I have to review the code. That definitely
isn't what you want in order to change the digest.

> Does it matter which I use?

Yes, a lot.

> Based on your comments, I assume I needed to
> call setSignature on the CredentialCriteria object.

You can; it won't matter much unless the resolver in question is much richer
than a single file. It's going to give you the same credential back no
matter what.

> Should I also call
> setSigningKey on the Signature object? Anyway, the signature->sign()
> call generates the same exception as before.

Sorry, I don't know quite what you're doing altogether, but perhaps it's
just not handling something else you're doing out of order; the error
message might be wrong.

There's really nothing special about using sign() directly; the only
difference is that you have to call both marshall and sign instead of just
marshall, and do it in the right order. That's why it's usually pointless to
do it.

-- Scott
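The ordering Scott spells out (Signature object attached first, then marshall(), then sign(), and no further marshalling afterwards) is easier to see against a small runnable model. The block below is an added example written for this archive page; it is not OpenSAML or XMLTooling code. The Assertion, marshall, sign, verify and OrderError names are assumptions of the example, HMAC-SHA256 stands in for the RSA signature, ElementTree's serialisation stands in for exclusive C14N, and the assertion contents are constructed. It reproduces the outcomes discussed in the thread: the correct order verifies, signing before a DOM exists fails, and marshalling again after signing regenerates an unsigned DOM.

```python
"""Toy model of marshall-then-sign for an enveloped XML signature (constructed
example, not OpenSAML/XMLTooling; HMAC stands in for RSA, ElementTree output
for exclusive C14N)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)
ET.register_namespace("saml2", SAML)
KEY = b"constructed-demo-key"  # stands in for the credential's private key


class OrderError(Exception):
    """sign()/marshall() called in the wrong order."""


class Assertion:
    """Minimal object model: the 'XMLObject' that gets marshalled."""

    def __init__(self, assertion_id, issuer):
        self.id = assertion_id
        self.issuer = issuer
        self.has_signature = False  # a Signature object has been attached
        self.dom = None             # DOM produced by marshall()

    def set_signature(self):
        self.has_signature = True

    def marshall(self):
        """Generate the DOM from the object model.  Like a real marshaller it
        rebuilds the DOM from scratch, so any signature value computed earlier
        is lost; an attached Signature only yields an empty ds:Signature."""
        root = ET.Element(f"{{{SAML}}}Assertion", {"ID": self.id})
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.issuer
        if self.has_signature:
            sig = ET.SubElement(root, f"{{{DS}}}Signature")
            si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
            ET.SubElement(si, f"{{{DS}}}Reference", {"URI": "#" + self.id})
            ET.SubElement(sig, f"{{{DS}}}SignatureValue")
        self.dom = root
        return root


def _enveloped_c14n(root):
    """Enveloped-signature transform: serialise with ds:Signature removed."""
    clone = copy.deepcopy(root)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def sign(assertion, key=KEY):
    """Fill DigestValue and SignatureValue into the DOM marshall() produced."""
    root = assertion.dom
    if root is None:
        raise OrderError("no DOM: call marshall() before sign()")
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise OrderError("no Signature in the DOM: attach it before marshall()")
    si = sig.find(f"{{{DS}}}SignedInfo")
    digest = hashlib.sha256(_enveloped_c14n(root)).hexdigest()
    ET.SubElement(si.find(f"{{{DS}}}Reference"), f"{{{DS}}}DigestValue").text = digest
    mac = hmac.new(key, ET.tostring(si, encoding="utf-8"), hashlib.sha256)
    sig.find(f"{{{DS}}}SignatureValue").text = mac.hexdigest()
    return ET.tostring(root, encoding="utf-8")


def verify(xml_bytes, key=KEY):
    """True iff the reference, digest and signature value all check out."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    ref = si.find(f"{{{DS}}}Reference")
    dv, sv = ref.findtext(f"{{{DS}}}DigestValue"), sig.findtext(f"{{{DS}}}SignatureValue")
    if not dv or not sv or ref.get("URI") != "#" + root.get("ID"):
        return False
    if not hmac.compare_digest(hashlib.sha256(_enveloped_c14n(root)).hexdigest(), dv):
        return False
    mac = hmac.new(key, ET.tostring(si, encoding="utf-8"), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest(), sv)


def demo():
    """Run the orderings discussed in the thread; returns what each yields."""
    def fresh(assertion_id):
        a = Assertion(assertion_id, "https://idp.example.org")  # constructed
        a.set_signature()
        return a
    out = {}
    a = fresh("_a1")
    a.marshall()                           # right: attach, marshall, then sign
    out["attach_marshall_sign"] = verify(sign(a))
    try:                                   # wrong: no DOM yet when sign() runs
        out["sign_before_marshall"] = sign(fresh("_b1")) and "signed"
    except OrderError as e:
        out["sign_before_marshall"] = str(e)
    c = fresh("_c1")
    c.marshall()
    sign(c)                                # wrong: marshalling again after sign
    out["marshall_after_sign"] = verify(ET.tostring(c.marshall(), encoding="utf-8"))
    return out
```

The regenerated DOM in the last case carries an empty ds:Signature and no DigestValue, which is exactly the state a marshalling block placed after the signing block produces. That is the ordering hazard the thread describes, and the reason handing the signature list to the marshaller, so that the DOM generation and the signing happen in one step, is the safer path.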




