mace-opensaml-users - Re: [OpenSAML] [OpenSAML java] encrypted assertion
Subject: OpenSAML user discussion
List archive
- From: <>
- To: <>, <>
- Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
- Date: Thu, 21 Apr 2011 17:27:47 +0800
Hi Putman,
I need digest whole aeestion with Enveloped method, here is few lines of code:
Assertion assertion = getAssertion2();
Signature signature = create(Signature.class, Signature.DEFAULT_ELEMENT_NAME);
org.opensaml.xml.signature.KeyInfo openKeyInfo = create(org.opensaml.xml.signature.KeyInfo.class,org.opensaml.xml.signature.KeyInfo.DEFAULT_ELEMENT_NAME);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
X509Certificate cert = (X509Certificate)publickeyStore.getCertificate("serverkey");
KeyInfoHelper.addCertificate(openKeyInfo, cert);
signature.setKeyInfo(openKeyInfo);
signature.setSigningCredential(privatecredential);
SAMLObjectContentReference contentReference = new SAMLObjectContentReference(assertion);
signature.getContentReferences().add(contentReference);
Below is assertion output, I can't find anything in <ds:DigestValue/>,why?
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
<ds:SignatureMethod/>
<ds:Reference
URI="#_01f817fbb3f0714ec25bf19a509cc6ab"
>
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml2"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue/>
</ds:Reference>
<ds:Reference
URI="#_01f817fbb3f0714ec25bf19a509cc6ab"
>
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml2"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICHzCCAYigAwIBAgIETawCXzANBgkqhkiG9w0BAQUFADBUMQwwCgYDVQQGEwNtY2IxDDAKBgNV
BAgTA21jYjEMMAoGA1UEBxMDbWNiMQwwCgYDVQQKEwNtY2IxDDAKBgNVBAsTA21jYjEMMAoGA1UE
AxMDbWNiMB4XDTExMDQxODA5MjAzMVoXDTExMDcxNzA5MjAzMVowVDEMMAoGA1UEBhMDbWNiMQww
CgYDVQQIEwNtY2IxDDAKBgNVBAcTA21jYjEMMAoGA1UEChMDbWNiMQwwCgYDVQQLEwNtY2IxDDAK
BgNVBAMTA21jYjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo3nuqqSaZ+5/vFub9vWoUM26
9klTmshTMXskPcs+UzQG0/S8O/cbi/uZpSK/z3ZYtD2P/E6PofdwgREXl1tYydgRn6iG48i7IIRX
QmoLk++GEWu1RLe0M5R9kyno5E0qMehtfoO37vLo9S09j+mperRYJDspi+1KmiiOb9zA5H8CAwEA
ATANBgkqhkiG9w0BAQUFAAOBgQCJr4T7o+4SSVFhJhW3e0bxxYNu0Qy0M0sw0bjDJKzuOOoq6RqG
nbXNlYfW+FINhrgSxQByyNER4yGC39nRjAECUkZcBMzZvQ2R9CCduTxxx67lNmtDm1VuW9GfwVKU
A+G3INKFxQ1L6wdrc7tpe5tUvR+NK2uVxVOczvgabkkPyA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
Thanks&Best Regards
Li Ji Xian
----- Original Message -----
From: Brent Putman [mailto:]
To:
Sent: Wed, 20 Apr 2011 08:52:21 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
You'll have to elaborate on what you mean by needing to digest the assertion. If you are talking about XML Signature, the requirements there are a lot more complicated than just digesting some element(s).
On 4/20/11 4:02 AM, wrote:
Many thanks, Putmanb.
By the way, if I need digest assertion, should I digest signature info or digest only other assertion info except signature info?
Thanks&Best Regards
Li Ji Xian
----- Original Message -----
From: Brent Putman []
To:
Sent: Mon, 18 Apr 2011 10:33:18 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
Well, you can't use RSA to encrypt the actual data, you have to use a symmetric block algorithm for the data encryption, and then encrypt the data encryption key as an EncryptedKey and send it along with the EncryptedAssertion. The examples in the wiki illustrate this.
The technical reason is that that RSA can only encrypt a block that is slightly smaller than it's modulus size, not nearly enough for a SAML assertion. And there are no cipher modes defined for RSA for multi-block encryption (or at least if there are, XML Encryption doesn't support them). For more info, you can google. Using an ephemeral symmetric data encryption key is is the standard approach to using RSA encryption for pretty much anything out there, not just SAML.
On 4/18/11 6:43 AM, wrote:Hi Putmanb,
Thanks for your response.
I can run it, but I have another question, if I use RSA algorithm to encrypt, how do I set block size of RSA algorithm? Below is exception:
org.opensaml.xml.encryption.EncryptionException: Error encrypting XMLObject
at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:453)
at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:343)
at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:257)
at SamlTest.main(SamlTest.java:208)
Caused by: java.lang.ArrayIndexOutOfBoundsException: too much data for RSA block
at org.bouncycastle.jce.provider.JCERSACipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(Unknown Source)
at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:450)
... 3 more
Thanks&Best Regards
Li Ji Xian
----- Original Message -----
From: Brent Putman []
To:
Sent: Mon, 18 Apr 2011 02:20:39 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
This is documented pretty extensively in the wiki:
https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManJavaXMLEncryption
On 4/18/11 1:56 AM, wrote:
>
> Hi,
>
> who can give me an example how to encrypt assertion? thanks.
>
> Thanks&Best Regards
> Li Ji Xian
>
- [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/18/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/18/2011
- <Possible follow-up(s)>
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/18/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/18/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/20/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/20/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/21/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/21/2011
Archive powered by MHonArc 2.6.16.