mace-opensaml-users - Re: [OpenSAML] adding custom ContentReference to a signature

Subject: OpenSAML user discussion


Re: [OpenSAML] adding custom ContentReference to a signature


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] adding custom ContentReference to a signature
  • Date: Fri, 09 Apr 2010 14:46:51 -0400



On 4/9/2010 2:02 PM, Jason Countryman wrote:
Hello,

I'm trying to add a custom SAMLObjectContentReference to my signature.  Here is the code I am using to generate the content reference:


SAMLObjectContentReference contentReference = new SAMLObjectContentReference(assertion);
contentReference.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
contentReference.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
contentReference.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS); 
signature.getContentReferences().add(contentReference);


Well, two things are going on here, I think.  First: be mindful of the defaults.  A SAMLObjectContentReference, when it is created, already has 2 transforms in it,
SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE and SignatureConstants.TRANSFORM_C14N_EXCL_WITH_COMMENTS.  See the Javadocs:

http://svn.middleware.georgetown.edu/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/common/impl/SAMLObjectContentReference.java?revision=1377&view=markup

So if you want to change the transforms, you need to clear the list first and add what you want, or at least manipulate that list in some way.  But unless you really care about the difference between exclusive c14n with vs. without comments, the defaults are exactly what you have above.

And second:  The AbstractSignableSAMLObject overrides setSignature such that it automatically adds a SAMLObjectContentReference to the Signature.

http://svn.middleware.georgetown.edu/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/common/impl/AbstractSignableSAMLObject.java?revision=1303&view=markup


So effectively above, in the last line, you are adding a second one to the SignableSAMLObject, which is actually an error vis-a-vis the SAML XML Signature profile.

If you really want to change the defaults, you need to either: 1) get the SAMLObjectContentReference that is automatically added, after you call setSignature on the SAMLObject, by using signature.getContentReferences(), and then modify it, or else 2) just clear that list, create your own, and add it before you sign.





When I run this code, the following error occurs when marshalling the assertion:

java.lang.ArrayIndexOutOfBoundsException: 3
at org.apache.xml.security.transforms.Transforms.item(Unknown Source)





That's coming from Apache xmlsec.  Not sure exactly why that is happening, why it's tripping an array bounds, but it's undoubtedly due to one or both of the above issues.

--Brent
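The two options Brent describes, worked through as an added example against the OpenSAML 2.x API (this is not code from the thread or from the OpenSAML project). It assumes the caller already has a built Assertion and a loaded signing Credential; the class name SingleReferenceSigner and the helper names are hypothetical. The point it demonstrates is that after setSignature() the Signature already carries one SAMLObjectContentReference, so you adjust or replace that one rather than adding a second, and a guard rejects any signature that ends up with more than one reference.

```java
import java.util.List;

import org.opensaml.Configuration;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.ContentReference;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;

// Added example (not from the thread or the OpenSAML project): sign a SAML 2
// Assertion with OpenSAML 2.x while keeping exactly one ds:Reference, as the
// SAML XML Signature profile requires. `assertion` and `credential` are assumed
// to have been built/loaded by the caller.
public final class SingleReferenceSigner {

    /** Digest algorithm we want on the one content reference (hypothetical choice). */
    private static final String DIGEST = SignatureConstants.ALGO_ID_DIGEST_SHA1;

    /** Option 1 from the reply: keep the auto-added reference and adjust it. */
    public static void sign(Assertion assertion, Credential credential)
            throws MarshallingException, SignatureException {

        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // AbstractSignableSAMLObject.setSignature() adds a SAMLObjectContentReference
        // for us, already carrying the enveloped-signature and exclusive-c14n-with-
        // comments transforms. Do NOT add another one.
        assertion.setSignature(signature);

        SAMLObjectContentReference ref = findSingleReference(signature);
        ref.setDigestAlgorithm(DIGEST);
        List<String> transforms = ref.getTransforms();
        transforms.clear(); // the defaults are already in the list; clearing avoids duplicates
        transforms.add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

        // Marshalling must precede signing: the signature value is computed over the DOM.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion);
        marshaller.marshall(assertion);
        Signer.signObject(signature);
    }

    /** Option 2 from the reply: clear the list and install one reference of our own. */
    public static void replaceReference(Assertion assertion, Signature signature) {
        List<ContentReference> refs = signature.getContentReferences();
        refs.clear();
        SAMLObjectContentReference ref = new SAMLObjectContentReference(assertion);
        ref.setDigestAlgorithm(DIGEST);
        ref.getTransforms().clear();
        ref.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
        ref.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        refs.add(ref);
    }

    /** Guard: the SAML profile allows exactly one reference, pointing at the signed object. */
    private static SAMLObjectContentReference findSingleReference(Signature signature) {
        List<ContentReference> refs = signature.getContentReferences();
        if (refs.size() != 1 || !(refs.get(0) instanceof SAMLObjectContentReference)) {
            throw new IllegalStateException(
                    "expected exactly one SAMLObjectContentReference, found " + refs.size());
        }
        return (SAMLObjectContentReference) refs.get(0);
    }
}
```

Call sign(assertion, credential) for the common case; call replaceReference(assertion, signature) between setSignature() and marshalling only if you genuinely need a reference configured differently from the one setSignature() installs. Either way the signature goes out with a single reference, which is what a relying party validating against the SAML profile expects.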




