mace-opensaml-users - [OpenSAML] openssl initialization

Subject: OpenSAML user discussion

  • From: Mike Brennan <>
  • To:
  • Subject: [OpenSAML] openssl initialization
  • Date: Wed, 2 Mar 2011 11:31:17 -0600 (CST)


Error message in shibd.log:

2011-03-01 18:52:19 ERROR XMLTooling.SecurityHelper : hash algorithm (SHA1) not available


In xmltooling-1.4/xmltooling/security/impl/SecurityHelper.cpp, when I change:

    const EVP_MD* md = EVP_get_digestbyname(hashAlg);
    if (!md) {
        Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hashAlg);
        return ret;
    }

to:

    const EVP_MD* md = EVP_get_digestbyname(hashAlg);
    if (!md) {
        OpenSSL_add_all_digests();
        md = EVP_get_digestbyname(hashAlg);
        if (!md) {
            Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hashAlg);
            return ret;
        }
    }

... the message no longer appears in the log.

The failing code is in SecurityHelper::doHash().

So, at the point when SecurityHelper::doHash() is being called, the
openssl library hasn't been initialized with all required digests.

OpenSSL_add_all_algorithms(), which will also add the SHA-1 digest,
is called in xml-security-c-1.6.0/xsec/enc/OpenSSL/OpenSSLCryptoProvider.cpp,
in the OpenSSLCryptoProvider constructor. Apparently OpenSSLCryptoProvider
is one type of XSECCryptoProvider that's part of xmlsecurity.

Bottom line, then: An object of type OpenSSLCryptoProvider needs to
be instantiated for the necessary openssl initializations to be completed.
Does xmltooling or shibd expect this has been done before the first call to
SecurityHelper::doHash()? Where and at what point would the first
OpenSSLCryptoProvider be created?


xmltooling-1.4 SecurityHelper.cpp libxmltooling.a [libxmltooling.so.5]
xml-security-c-1.6.0
shibboleth-2.4
openssl-0.9.8p
AIX 5.3.8
xlC

--Mike


