mace-opensaml-users - Re: [OpenSAML] XML signature issue(s)

  • From: Hubert Le Van Gong <>
  • To:
  • Subject: Re: [OpenSAML] XML signature issue(s)
  • Date: Thu, 11 Sep 2008 20:21:41 +0200


On Sep 11, 2008, at 5:51 PM, Brent Putman wrote:

> Hubert Le Van Gong wrote:
> > Thanks Brent,
> >
> > After double checking I found that I was performing a validity check on the
> > certificate used to sign the assertion. I removed it and it seems to be working
> > fine now, at least when it comes to signing SAML assertions;
>
> Ok, good to know.
>
> > I have to check this with non-SAML classes like my EPRs.
>
> Ok. Just pointing out in case it isn't obvious: The mechanism that
> you're implicitly using here is enveloped signature. I'm assuming
> enveloped is schema valid for the elements/classes you want to sign? If
> this EPR here is WS-Addressing EndpointReference, then I guess it is,
> based on its extensible schema (wildcard child elements). Just
> something to be aware of. OpenSAML also supports detached signatures
> should you need to do that.

Yup, I had checked it was enveloped signature.
I suppose you haven't seen much demand for enveloping signature?

> > As you mentioned I'll need to add a ContentReference to the signature too.
> > I presume a URIContentReference set to "" will point at the root of
> > the EPR, correct?
>
> Based on my understanding, no. Empty "" URI means (from the Signature
> spec):
>
>     URI=""
>     Identifies the node-set (minus any comment nodes) of the XML
>     resource containing the signature
>
> Which means the entire Document in which the EPR would be contained.
> Very likely may not be what you want: You sign it stand-alone, and it
> verifies. Then you embed it in another document, and the signature breaks.
>
> You may instead want to use the DocumentInternalIDContentReference.
> That assumes that the element(s) you want to sign support an ID-typed
> attribute, which can be used as the target of a document fragment
> reference. EPR would seem to, since it's also extensible via wildcard
> attributes. Again, it's a question of schema validity.

You make a good point, although in the present use case I do have an EPR
that is standalone. For the general case using DocumentInternalIDContentReference
seems better indeed.

Thanks,
Hubert
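An added illustration of Brent's point about URI="" versus an ID-based reference. This is example code, not OpenSAML's code and not from either poster: it models only the reference-digest step of XML Signature (canonicalize the node-set the Reference covers, with the ds:Signature element removed as the enveloped-signature transform does, then hash it) using the C14N 2.0 implementation in Python's standard library. SignedInfo, keys and SignatureValue are left out. The EPR, its `Id` attribute and the SOAP wrapper are constructed sample data; the `Id` attribute stands in for whatever ID-typed attribute the real schema permits.

```python
"""Why URI="" and a fragment reference cover different bytes once a signed
element is embedded in another document.

Added example, not OpenSAML code. Only the reference-digest step is modelled.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSA = "http://www.w3.org/2005/08/addressing"
SOAP = "http://www.w3.org/2003/05/soap-envelope"
for prefix, uri in (("ds", DS), ("wsa", WSA), ("soap", SOAP)):
    ET.register_namespace(prefix, uri)

# Constructed stand-alone EPR carrying an enveloped signature. The Id
# attribute is an assumption standing in for an ID-typed attribute.
EPR_XML = (
    f'<wsa:EndpointReference xmlns:wsa="{WSA}" Id="epr-1">'
    '<wsa:Address>https://example.org/service</wsa:Address>'
    f'<ds:Signature xmlns:ds="{DS}">'
    '<ds:SignatureValue>placeholder</ds:SignatureValue>'
    '</ds:Signature>'
    '</wsa:EndpointReference>'
)


def strip_signatures(elem):
    """Enveloped-signature transform: drop every ds:Signature under elem."""
    elem = copy.deepcopy(elem)
    sig_tag = f"{{{DS}}}Signature"
    for parent in list(elem.iter()):
        for child in [c for c in parent if c.tag == sig_tag]:
            parent.remove(child)
    return elem


def find_by_id(root, ref_id):
    """Locate the element a fragment reference (#ref_id) targets."""
    for elem in root.iter():
        if elem.get("Id") == ref_id:
            return elem
    raise KeyError(f"no element with Id={ref_id!r}")


def reference_digest(document_root, uri):
    """SHA-256 over the canonical form of what <ds:Reference URI=...> covers.

    URI=""   -> the whole document containing the signature (comments dropped)
    URI="#x" -> only the element carrying Id="x"
    """
    if uri == "":
        target = document_root
    elif uri.startswith("#"):
        target = find_by_id(document_root, uri[1:])
    else:
        raise ValueError("external references are not modelled here")
    serialized = ET.tostring(strip_signatures(target), encoding="unicode")
    c14n = ET.canonicalize(serialized)  # C14N 2.0, comments excluded
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def embed_in_soap_header(epr):
    """Build a new document that carries a copy of the already-signed EPR."""
    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP}}}Header")
    header.append(copy.deepcopy(epr))
    ET.SubElement(envelope, f"{{{SOAP}}}Body")
    return envelope


def compare_references():
    """Digest the EPR stand-alone and embedded, under both reference styles."""
    standalone = ET.fromstring(EPR_XML)
    embedded = embed_in_soap_header(standalone)
    return {
        "whole_doc_standalone": reference_digest(standalone, ""),
        "whole_doc_embedded": reference_digest(embedded, ""),
        "by_id_standalone": reference_digest(standalone, "#epr-1"),
        "by_id_embedded": reference_digest(embedded, "#epr-1"),
    }


def survives_embedding(results, style):
    """True when the digest computed at signing time still matches after embedding."""
    return results[f"{style}_standalone"] == results[f"{style}_embedded"]


if __name__ == "__main__":
    r = compare_references()
    for style in ("whole_doc", "by_id"):
        print(f"{style:10} reference still verifies after embedding: "
              f"{survives_embedding(r, style)}")
```

Run stand-alone, the script reports that the `whole_doc` (URI="") digest no longer matches once the EPR sits inside a SOAP header, while the `by_id` digest is unchanged, which is the behaviour Brent describes. Two caveats for anyone verifying such signatures: the ID-referenced form only stays valid if the embedding leaves the referenced subtree byte-for-byte canonical-equal (no re-prefixing, reformatting or added attributes inside it), and a verifier must confirm that the element the ID resolves to is the very element it then consumes, rather than accepting that some element with that Id verified.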



