mace-opensaml-users - Re: [OpenSAML] XML Encryption with openSAML

Re: [OpenSAML] XML Encryption with openSAML


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] XML Encryption with openSAML
  • Date: Mon, 21 Sep 2009 17:00:23 -0400

Take a look at the Javadocs for the Decrypter superclass in xmltooling;
this issue is addressed there. See the 3rd paragraph from the bottom. The
2.3.0 docs on the opensaml.org site apparently weren't built with the
openws and xmltooling docs, but the 2.2.2 has them and these components
haven't changed since then:

http://www.opensaml.org/docs/2.2.2/apidocs/org/opensaml/xml/encryption/Decrypter.html

In short, try calling setRootInNewDocument(true) on the Decrypter before
you decrypt the Assertion. That will give you an Assertion with a
properly rooted DOM that should allow signature verification to succeed.

The reason why your marshalling workaround works is that I believe it
effectively does the same thing, as a (possibly unintentional) side effect.

--Brent



Deena Gurajala wrote:
> I have another problem with it. How do I verify the signature inside the
> encrypted assertion on the client side? This is how I am doing it.
>
> UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
> Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
>
> Response samlResponse = (Response) unmarshaller.unmarshall(element);
>
> EncryptedAssertion encAssertion = samlResponse.getEncryptedAssertions().get(0);
> Assertion assertion = decryptAssertion(encAssertion);
>
> Signature signature = assertion.getSignature();
>
> BasicX509Credential credential = getCredentials();
>
> SignatureValidator sigValidator = new SignatureValidator(credential);
> sigValidator.validate(signature);
>
> I am getting the following error when I follow the above steps.
>
> org.opensaml.xml.validation.ValidationException: Unable to evaluate
> key against signature
> at
> org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:73)....
> Caused by: org.apache.xml.security.signature.XMLSignatureException:
> The Reference for URI #tomTcusGeV has no XMLSignatureInput
> Original Exception was
> org.apache.xml.security.signature.MissingResourceFailureException: The
> Reference for URI #tomTcusGeV has no XMLSignatureInput
> Original Exception was
> org.apache.xml.security.signature.ReferenceNotInitializedException:
> Cannot resolve element with ID tomTcusGeV
> -------------------------------------------------------------------------------
> But if I do it the following way, it works fine.
>
> UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
> Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
>
> Response samlResponse = (Response) unmarshaller.unmarshall(element);
>
> EncryptedAssertion encAssertion = samlResponse.getEncryptedAssertions().get(0);
> Assertion assertion = decryptAssertion(encAssertion);
>
> // Marshall the decrypted Assertion again before reading its Signature
> MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
> Marshaller asrtnMarshaller = marshallerFactory.getMarshaller(assertion);
> asrtnMarshaller.marshall(assertion);
>
> Signature signature = assertion.getSignature();
>
> BasicX509Credential credential = getCredentials();
>
> SignatureValidator sigValidator = new SignatureValidator(credential);
> sigValidator.validate(signature);
>
> The above code works fine and it is able to validate the signature. My
> question is, is this expected behavior? Or am I doing something wrong?
>
> On Mon, Sep 14, 2009 at 9:35 AM, Deena Gurajala wrote:
>
> Yeah. I had that idea, but was skeptical as I have to do the
> marshaling twice. I tried after your suggestion.
> It worked. Thank you very much.
>
>
> On Mon, Sep 14, 2009 at 9:30 AM, Brent Putman wrote:
>
>
>
> Deena Gurajala wrote:
> > Hi,
> >
> > How can we achieve XML encryption with the openSAML library as per the
> > SAML 2.0 spec, where it involves both Digital Signature and XML encryption?
> >
> > SAML 2.0 Spec says the following.
> >
> > "When a signed <Assertion> element is encrypted, the signature MUST
> > first be calculated and placed within the <Assertion> element before
> > the element is encrypted."
> >
> > How can we achieve the above? I was able to successfully encrypt the
> > assertion using openSAML. I also know how to sign the message. But
> > I don't know how to do it as stated in the spec.
>
>
> You need to fully sign the assertion before it is encrypted. Full docs
> are in the wiki, but the summary is you need to marshall the Assertion
> and call Signer.signObject before you do the encryption of the Assertion.
>
> https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG
>
>
> >
> > I was trying to do this.
> >
> > Response response = getResponse();
> > Assertion assertion = getAssertion();
> >
> > Signature signature = getSignature();
> > assertion.setSignature(signature);
> >
> > EncryptedAssertion encAssertion = getEncryptedAssertion(assertion);
> > response.getEncryptedAssertions().add(encAssertion);
> >
> > MarshallerFactory marshalFact = Configuration.getMarshallerFactory();
> > Marshaller marshaller = marshalFact.getMarshaller(response);
> > Element responseElement = marshaller.marshall(response);
> >
> > Signer.signObject(signature);
>
> So instead do this:
>
> Response response = getResponse();
> Assertion assertion = getAssertion();
>
> Signature signature = getSignature();
> assertion.setSignature(signature);
>
> MarshallerFactory marshalFact = Configuration.getMarshallerFactory();
> Marshaller marshallerAssertion = marshalFact.getMarshaller(assertion);
> marshallerAssertion.marshall(assertion);
>
> Signer.signObject(signature);
>
> // Now encrypt it
>
> EncryptedAssertion encAssertion = getEncryptedAssertion(assertion);
> response.getEncryptedAssertions().add(encAssertion);
>
> Marshaller marshallerResponse = marshalFact.getMarshaller(response);
> Element responseElement = marshallerResponse.marshall(response);
>
> > But I don't see any signature when I decrypt the assertion. It has a
> > signature in the assertion element, but the signature value is empty.
>
>
> Yeah, that's exactly what I'd expect from your original code, b/c what
> you encrypted had the skeletal signature structure, but was not actually
> yet effectively signed.


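The whole round trip the thread arrives at, as an added example (not Brent's or Deena's code, and not from the OpenSAML project): the issuer marshalls and signs the Assertion before encrypting it, and the recipient decrypts with setRootInNewDocument(true) so the ds:Reference URI resolves and the signature validates, with a SAMLSignatureProfileValidator check added before the key check. It is written against the OpenSAML 2.x API named in the thread; the class name, the generated key pairs and the assertion ID are constructed placeholders.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.*;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.*;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.*;

public class SignThenEncryptExample {
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        // Constructed keys: one RSA pair stands in for the issuer's signing key, one for the recipient's decryption key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair ik = kpg.generateKeyPair(), rk = kpg.generateKeyPair();
        BasicCredential issuerCred = new BasicCredential(), recipientCred = new BasicCredential();
        issuerCred.setPublicKey(ik.getPublic()); issuerCred.setPrivateKey(ik.getPrivate());
        recipientCred.setPublicKey(rk.getPublic()); recipientCred.setPrivateKey(rk.getPrivate());
        // Issuer side: marshall and sign the Assertion BEFORE it is encrypted.
        Assertion assertion = (Assertion) Configuration.getBuilderFactory()
                .getBuilder(Assertion.DEFAULT_ELEMENT_NAME).buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_example-assertion-id"); // placeholder; the ds:Reference URI "#id" points here
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(issuerCred);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature); // computes SignatureValue over the marshalled DOM
        EncryptionParameters encParams = new EncryptionParameters(); // no credential set: data key is generated
        encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCK_CIPHER_AES128);
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(recipientCred);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        Encrypter encrypter = new Encrypter(encParams, kekParams);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        EncryptedAssertion encrypted = encrypter.encrypt(assertion);
        // Recipient side: root the decrypted Assertion in a new Document so "#id" resolves, then verify.
        Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(recipientCred), new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        Assertion decrypted = decrypter.decrypt(encrypted);
        new SAMLSignatureProfileValidator().validate(decrypted.getSignature()); // enveloped-signature profile check
        new SignatureValidator(issuerCred).validate(decrypted.getSignature()); // throws ValidationException on failure
    }
}
```

Signing after encrypting, as in the original code in the thread, leaves the encrypted Assertion with only a skeletal Signature, and the validate call then fails.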
