
mace-opensaml-users - Re: [OpenSAML] XML Encryption with openSAML

  • From: Deena Gurajala <>
  • Subject: Re: [OpenSAML] XML Encryption with openSAML
  • Date: Mon, 14 Sep 2009 09:35:51 -0700

Yeah. I had that idea, but was skeptical as I have to do the marshalling twice. I tried after your suggestion.
It worked. Thank you very much.

On Mon, Sep 14, 2009 at 9:30 AM, Brent Putman <> wrote:


Deena Gurajala wrote:
> Hi,
>
> How can we achieve XML encryption with the openSAML library as per the
> SAML 2.0 spec, where it involves both digital signature and XML encryption?
>
> The SAML 2.0 spec says the following:
>
> "When a signed <Assertion> element is encrypted, the signature MUST
> first be calculated and placed within the <Assertion> element before
> the element is encrypted."
>
> How can we achieve the above? I was able to successfully encrypt the
> assertion using openSAML. I also know how to sign the message. But
> I don't know how to do it as stated in the spec.


You need to fully sign the assertion before it is encrypted.  Full docs
are in the wiki, but the summary is you need to marshall the Assertion
and call Signer.signObject before you do the encryption of the Assertion.

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG


>
> I was trying to do this:
>
> Response response = getResponse();
> Assertion assertion = getAssertion();
>
> Signature signature = getSignature();
> assertion.setSignature(signature);
>
> // Encrypts the Assertion while its Signature is still only a placeholder
> EncryptedAssertion encAssertion = getEncryptedAssertion(assertion);
> response.getEncryptedAssertions().add(encAssertion);
>
> MarshallerFactory marshalFact = Configuration.getMarshallerFactory();
> Marshaller marshaller = marshalFact.getMarshaller(response);
> Element responseElement = marshaller.marshall(response);
>
> // Too late: the ciphertext above was produced before this call
> Signer.signObject(signature);

So instead do this:

Response response = getResponse();
Assertion assertion = getAssertion();

Signature signature = getSignature();
assertion.setSignature(signature);

// Marshall the Assertion on its own so its DOM exists, then compute the
// signature over that DOM. This is what fills in the SignatureValue.
MarshallerFactory marshalFact = Configuration.getMarshallerFactory();
Marshaller marshallerAssertion = marshalFact.getMarshaller(assertion);
marshallerAssertion.marshall(assertion);

Signer.signObject(signature);

// Now encrypt it: the ciphertext carries the completed signature
EncryptedAssertion encAssertion = getEncryptedAssertion(assertion);
response.getEncryptedAssertions().add(encAssertion);

// Marshalling the Response afterwards does not touch the encrypted Assertion
Marshaller marshallerResponse = marshalFact.getMarshaller(response);
Element responseElement = marshallerResponse.marshall(response);

> But I don't see any signature when I decrypt the assertion. It has a
> signature in the assertion element, but the signature value is empty.


Yeah, that's exactly what I'd expect from your original code, because what
you encrypted had the skeletal signature structure, but was not actually
yet effectively signed.
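The sequence Brent describes, carried end to end as an added example (this is not code from the thread or from OpenSAML's own documentation): sign the Assertion (attach Signature, marshall, Signer.signObject), only then encrypt it into the Response, and on the relying-party side decrypt and validate the signature over the plaintext so the non-empty SignatureValue can actually be checked. It assumes OpenSAML 2.x with Joda-Time on the classpath, RSA key pairs generated in-process in place of a real keystore, and an issuer entityID of https://idp.example.org; the class name SignThenEncrypt and the two credentials are illustrative.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.UUID;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

// Added example, not from the thread: sign-then-encrypt with OpenSAML 2.x,
// followed by the decrypt-then-verify steps a relying party performs.
public class SignThenEncrypt {

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();

        // Demo keys (assumption: in-process RSA pairs instead of a keystore).
        // idpKeys signs the Assertion; spKeys is the relying party's encryption key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKeys = kpg.generateKeyPair();
        KeyPair spKeys = kpg.generateKeyPair();
        Credential signingCred = SecurityHelper.getSimpleCredential(idpKeys.getPublic(), idpKeys.getPrivate());
        Credential spCred = SecurityHelper.getSimpleCredential(spKeys.getPublic(), spKeys.getPrivate());

        // Minimal Assertion with the attributes the signature reference needs (an ID).
        Assertion assertion = (Assertion) bf.getBuilder(Assertion.DEFAULT_ELEMENT_NAME)
                .buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_" + UUID.randomUUID());
        assertion.setIssueInstant(new DateTime());
        Issuer issuer = (Issuer) bf.getBuilder(Issuer.DEFAULT_ELEMENT_NAME).buildObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("https://idp.example.org"); // assumed entityID
        assertion.setIssuer(issuer);

        // Step 1: attach the Signature, marshall the Assertion so its DOM exists,
        // then compute the signature. SignatureValue is only populated by signObject.
        Signature signature = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCred);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature);

        // Step 2: only now encrypt. Encrypting before signObject would freeze the
        // empty placeholder Signature into the ciphertext, which is the symptom in the thread.
        EncryptionParameters encParams = new EncryptionParameters();
        encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(spCred);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        Encrypter encrypter = new Encrypter(encParams, kekParams);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        EncryptedAssertion encAssertion = encrypter.encrypt(assertion);

        Response response = (Response) bf.getBuilder(Response.DEFAULT_ELEMENT_NAME)
                .buildObject(Response.DEFAULT_ELEMENT_NAME);
        response.getEncryptedAssertions().add(encAssertion);
        Element responseElement = Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        System.out.println(XMLHelper.prettyPrintXML(responseElement));

        // Step 3 (relying party): decrypt with the SP key, then validate the signature
        // over the decrypted plaintext. The order matters: there is nothing to verify
        // until the Assertion is in the clear. setRootInNewDocument gives the decrypted
        // Assertion its own document, which is what signature validation needs.
        Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(spCred),
                new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        Assertion decrypted = decrypter.decrypt(response.getEncryptedAssertions().get(0));

        Signature recovered = decrypted.getSignature();
        new SAMLSignatureProfileValidator().validate(recovered);  // structural checks first
        new SignatureValidator(signingCred).validate(recovered);  // throws ValidationException if broken
        System.out.println("decrypted assertion carries a valid signature from the IdP key");
    }
}
```

With the thread's original ordering the final SignatureValidator call is where the problem surfaces: the decrypted Assertion has a <ds:Signature> element, but its SignatureValue is empty and validation throws. Validating against signingCred, the key you expect the issuer to hold, rather than against whatever KeyInfo is inside the decrypted Assertion is deliberate; a relying party should pin the issuer's key from metadata, not trust key material delivered in the message it is checking.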






Archive powered by MHonArc 2.6.16.