Skip to Content.
Sympa Menu

mace-opensaml-users - Re: [OpenSAML] XML Encryption with openSAML

Subject: OpenSAML user discussion

List archive

Re: [OpenSAML] XML Encryption with openSAML


Chronological Thread 
  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] XML Encryption with openSAML
  • Date: Mon, 14 Sep 2009 12:30:13 -0400



Deena Gurajala wrote:
> Hi,
>
> How can we achieve the XML encryption with openSAML library as per
> SAML 2.0 Spec where it involves both Digital Signature and XML encryption.
>
> SAML 2.0 Spec says the following.
>
> "When a signed <Assertion> element is encrypted, the signature MUST
> first be calculated and placed within the <Assertion> element before
> the element is encrypted."
>
> How can we achieve the above? I was able to successfully encrypt the
> assertion using openSAML. I also know how to do sign the message. But
> I don't know how to do as it stated in spec.


You need to fully sign the assertion before it is encrypted. Full docs
are in the wiki, but the summary is you need to marshall the Assertion
and call Signer.signObject before you do the encryption of the Assertion.

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG


>
> I was trying to do this.
>
> Response response=getResponse();
> Assertion assertion=getAssertion();
>
> Signature signature=getSignature();
> assertion.setSignature(
> signature);
>
> EncryptedAssertion encAssertion=getEncryptedAssertion(assertion);
> response.getEncryptedAssertion.add(encAssertion);
>
> MarshallerFactory marshalFact = Configuration .getMarshallerFactory();
> Marshaller marshaller = marshalFact.getMarshaller(response);
> Element responseElement = marshaller.marshall(response);
>
> Signer.signObject(signature);

So instead do this:

Response response=getResponse();
Assertion assertion=getAssertion();

Signature signature=getSignature();
assertion.setSignature(signature);

MarshallerFactory marshalFact = Configuration .getMarshallerFactory();
Marshaller marshallerAssertion = marshalFact.getMarshaller(assertion);
marshallerAssertion.marshall(assertion);

Signer.signObject(signature);

// Now enccrypt it

EncryptedAssertion encAssertion=getEncryptedAssertion(assertion);
response.getEncryptedAssertion.add(encAssertion);

Marshaller marshallerResponse = marshalFact.getMarshaller(response);
Element responseElement = marshallerResponse.marshall(response);






> But I don't see any signature when decrypt the assertion. It has
> signature in the assertion element. But signature value is empty.


Yeah, that's exactly what I'd expect from your original code, b/c what
you encrypted had the skeletal signature structure, but was not actually
yet effectively signed.





Archive powered by MHonArc 2.6.16.

Top of Page