mace-opensaml-users - Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist.
Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist.
Chronological Thread
- From: "Ender Wiggin" <>
- To:
- Subject: Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist.
- Date: Mon, 4 Aug 2008 18:48:32 -0400
Hi Brent:
Is there an example of signing with a certificate that I may be able to reference, as I am pretty new to this as well? I have put together the code sample below, but I am not sure if it's valid and if it will hold up when the assertion is used as part of calls to services in other systems. In particular I am uncertain about the approach I am using to create the private keys, algorithms, etc.
-------------------Signing Code----------------------
// Assumed imports: java.io.*, java.security.*, java.security.cert.X509Certificate,
// org.opensaml.xml.signature.*, org.opensaml.xml.security.x509.BasicX509Credential
SignatureBuilder sigBuilder = (SignatureBuilder) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME);
Signature signature = sigBuilder.buildObject();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
String ksName = res.getString("KEYSTORE");
String ksPassword = res.getString("KEYSTORE_PSWD");
String ksPrivAlias = res.getString("KEYSTORE_PRIVKEY_ALIAS");
InputStream ksbufin = new BufferedInputStream(new FileInputStream(ksName));
ks.load(ksbufin, ksPassword.toCharArray());
ksbufin.close();
// Sign with the private key stored under the alias, not a freshly generated KeyPair:
// a generated key would not match the certificate, so relying parties could not validate the signature.
// (Assumes the key entry is protected by the same password as the keystore.)
X509Certificate cert = (X509Certificate) ks.getCertificate(ksPrivAlias);
PrivateKey privKey = (PrivateKey) ks.getKey(ksPrivAlias, ksPassword.toCharArray());
BasicX509Credential signingCredential = new BasicX509Credential();
signingCredential.setEntityCertificate(cert);
signingCredential.setPrivateKey(privKey);
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); // must match the RSA key type
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
-------------------------------------------------------------
Resulting output -------------------------------
<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" IssueInstant="2008-08-04T22:47:27.843Z" Issuer="openiam.multiplan.com" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2008-08-04T22:47:27.843Z" NotOnOrAfter="2008-08-04T23:17:27.937Z"/><saml:AuthenticationStatement AuthenticationInstant="2008-08-04T22:47:27.843Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier NameQualifier="openiam.com">sshah2</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">uBRKG60iDR9VyYxSMe7kF4WmrXo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
HvrI+WZ5se/ytjAzxYwFXDkLe+4f0qJE7Ktmz2U96knQEfQPugnL2Z7HOhtpqJ8EwQLF6aSwhbtK
aB2Nl8xkRnn0KZg9gSn7unS2OG2+w99+csf47bDJmXfUo8jnQ1hdYuItx5vhkncnbwzPiwKlIy4t
01f2N/iQAhH1RMBWm8U=
</ds:SignatureValue>
</ds:Signature></saml:Assertion>
-------------------------------------------------------
Thanks for your help.
On Mon, Aug 4, 2008 at 3:33 PM, Brent Putman <> wrote:
Like Scott said, that version's not really supported any more, but read on...
wrote:
Hi to all,
I'm a university student and I'm developing a project that needs to use some SAML components. In particular I've chosen OpenSAML 1.1b for the Java side;
You've got some mismatch of key types here. You're trying to sign with the RSA-SHA1 algorithm URI, but you're generating a DSA key in the KeyGenerator and using that private key as the signing key. If I recall correctly, this mismatch will result in the error you're seeing.
##################################################################################
// A DSA key pair is generated here...
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
PrivateKey priv = pair.getPrivate();
PublicKey pub = pair.getPublic();
// ...and an unrelated certificate is placed in the KeyInfo list
ArrayList nuova = new ArrayList();
nuova.add(cert);
// ...but the signature is requested with the RSA-SHA1 algorithm URI using the DSA private key
asr.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA1, priv, nuova);
##################################################################################
Also, maybe this is just test code or you have redacted something in the middle there, but: it doesn't really make sense to generate a signing key and then include some unrelated cert in the KeyInfo (your nuova array). The X509Data/X509Certificate element(s) generally have to either contain the end-entity cert with the public half of the signing key pair, or other certs that are a part of the signing certificate's chain, which is used for validation (establishing trust). That's not causing this error, just FYI.
--Brent
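A JDK-only pre-flight check for the two points raised in this thread (the SignatureMethod URI must match the private key's algorithm, and the certificate placed in KeyInfo must hold the public half of the signing key), added here as an example that is not part of the thread or of OpenSAML; the class SigningKeyCheck and its method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
public class SigningKeyCheck {
    static final String RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    static final String DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    // SignatureMethod URI -> JCA algorithm name the private key must carry.
    static final Map<String, String> KEY_TYPE_FOR_URI = Map.of(RSA_SHA1, "RSA", DSA_SHA1, "DSA");
    // Rejects the thread's mistake (rsa-sha1 URI with a DSA private key) before any XML work starts.
    static void checkKeyMatchesAlgorithm(String signatureUri, PrivateKey key) {
        String expected = KEY_TYPE_FOR_URI.get(signatureUri);
        if (expected == null) throw new IllegalArgumentException("unsupported SignatureMethod " + signatureUri);
        if (!expected.equals(key.getAlgorithm()))
            throw new IllegalArgumentException(signatureUri + " needs a " + expected + " key, got " + key.getAlgorithm());
    }
    // True only if pub (e.g. from the X509Certificate placed in KeyInfo) is the public half of priv;
    // a sign/verify round trip over a throwaway probe works for RSA and DSA alike.
    static boolean isKeyPair(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        String jca = "RSA".equals(priv.getAlgorithm()) ? "SHA256withRSA" : "SHA256withDSA";
        byte[] probe = "key-pair probe".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(jca);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        try {
            Signature verifier = Signature.getInstance(jca);
            verifier.initVerify(pub);  // InvalidKeyException if pub is the wrong key type
            verifier.update(probe);
            return verifier.verify(sig);
        } catch (InvalidKeyException e) {
            return false;
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPair rsa = rsaGen.generateKeyPair(), unrelated = rsaGen.generateKeyPair();
        KeyPairGenerator dsaGen = KeyPairGenerator.getInstance("DSA");
        dsaGen.initialize(1024);
        KeyPair dsa = dsaGen.generateKeyPair();
        checkKeyMatchesAlgorithm(RSA_SHA1, rsa.getPrivate());  // passes
        try {
            checkKeyMatchesAlgorithm(RSA_SHA1, dsa.getPrivate());  // the thread's mistake
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("cert matches key: " + isKeyPair(rsa.getPrivate(), rsa.getPublic()));
        System.out.println("unrelated cert:   " + isKeyPair(rsa.getPrivate(), unrelated.getPublic()));
    }
}
```

Running both checks on the credential before calling the signing API turns the opaque "algorithm does not exist" failure into a message that names the actual mismatch.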
- XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist., massive_cava, 08/04/2008
- RE: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist., Scott Cantor, 08/04/2008
- Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist., Brent Putman, 08/04/2008
- Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist., Ender Wiggin, 08/04/2008
- Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist., Brent Putman, 08/04/2008
- Re: [OpenSAML] XMLSignatureException: algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 does not exist., Ender Wiggin, 08/04/2008