Skip to Content.
Sympa Menu

mace-opensaml-users - Re: [OpenSAML] [OpenSAML java] encrypted assertion

Subject: OpenSAML user discussion

List archive

Re: [OpenSAML] [OpenSAML java] encrypted assertion


Chronological Thread 
  • From: <>
  • To: <>, <>
  • Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
  • Date: Thu, 21 Apr 2011 17:27:47 +0800

Hi Putman,

I need digest whole aeestion with Enveloped method, here is few lines of code:

Assertion assertion = getAssertion2();

Signature signature = create(Signature.class, Signature.DEFAULT_ELEMENT_NAME);
         org.opensaml.xml.signature.KeyInfo openKeyInfo = create(org.opensaml.xml.signature.KeyInfo.class,org.opensaml.xml.signature.KeyInfo.DEFAULT_ELEMENT_NAME);
         signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
         X509Certificate cert = (X509Certificate)publickeyStore.getCertificate("serverkey");
         KeyInfoHelper.addCertificate(openKeyInfo, cert);
         signature.setKeyInfo(openKeyInfo);
         signature.setSigningCredential(privatecredential);
         SAMLObjectContentReference contentReference = new SAMLObjectContentReference(assertion);
         signature.getContentReferences().add(contentReference);
         

Below is assertion output, I can't find anything in <ds:DigestValue/>,why?

<ds:Signature
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  >
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
      />
      <ds:SignatureMethod/>
      <ds:Reference
        URI="#_01f817fbb3f0714ec25bf19a509cc6ab"
      >
        <ds:Transforms>
          <ds:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
          />
          <ds:Transform
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
          >
            <ec:InclusiveNamespaces
              xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              PrefixList="ds saml2"
            />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
        />
        <ds:DigestValue/>
      </ds:Reference>
      <ds:Reference
        URI="#_01f817fbb3f0714ec25bf19a509cc6ab"
      >
        <ds:Transforms>
          <ds:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
          />
          <ds:Transform
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
          >
            <ec:InclusiveNamespaces
              xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              PrefixList="ds saml2"
            />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
        />
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICHzCCAYigAwIBAgIETawCXzANBgkqhkiG9w0BAQUFADBUMQwwCgYDVQQGEwNtY2IxDDAKBgNV
BAgTA21jYjEMMAoGA1UEBxMDbWNiMQwwCgYDVQQKEwNtY2IxDDAKBgNVBAsTA21jYjEMMAoGA1UE
AxMDbWNiMB4XDTExMDQxODA5MjAzMVoXDTExMDcxNzA5MjAzMVowVDEMMAoGA1UEBhMDbWNiMQww
CgYDVQQIEwNtY2IxDDAKBgNVBAcTA21jYjEMMAoGA1UEChMDbWNiMQwwCgYDVQQLEwNtY2IxDDAK
BgNVBAMTA21jYjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo3nuqqSaZ+5/vFub9vWoUM26
9klTmshTMXskPcs+UzQG0/S8O/cbi/uZpSK/z3ZYtD2P/E6PofdwgREXl1tYydgRn6iG48i7IIRX
QmoLk++GEWu1RLe0M5R9kyno5E0qMehtfoO37vLo9S09j+mperRYJDspi+1KmiiOb9zA5H8CAwEA
ATANBgkqhkiG9w0BAQUFAAOBgQCJr4T7o+4SSVFhJhW3e0bxxYNu0Qy0M0sw0bjDJKzuOOoq6RqG
nbXNlYfW+FINhrgSxQByyNER4yGC39nRjAECUkZcBMzZvQ2R9CCduTxxx67lNmtDm1VuW9GfwVKU
A+G3INKFxQ1L6wdrc7tpe5tUvR+NK2uVxVOczvgabkkPyA==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>


Thanks&Best Regards
Li Ji Xian


----- Original Message -----
From: Brent Putman [mailto:]
To:
Sent: Wed, 20 Apr 2011 08:52:21 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion

You'll have to elaborate on what you mean by needing to digest the assertion.  If you are talking about XML Signature, the requirements there are a lot more complicated than just digesting some element(s).


On 4/20/11 4:02 AM, wrote:

Many thanks, Putmanb.

By the way, if I need digest assertion, should I digest signature info or digest only other assertion info except signature info?


Thanks&Best Regards
Li Ji Xian


----- Original Message -----
From: Brent Putman []
To:
Sent: Mon, 18 Apr 2011 10:33:18 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion

Well, you can't use RSA to encrypt the actual data, you have to use a symmetric block algorithm for the data encryption, and then encrypt the data encryption key as an EncryptedKey and send it along with the EncryptedAssertion.   The examples in the wiki illustrate this.

The technical reason is that that RSA can only encrypt a block that is slightly smaller than it's modulus size, not nearly enough for a SAML assertion.  And there are no cipher modes defined for RSA for multi-block encryption (or at least if there are, XML Encryption doesn't support them).  For more info, you can google.  Using an ephemeral symmetric data encryption key is is the standard approach to using RSA encryption for pretty much anything out there, not just SAML.



On 4/18/11 6:43 AM, wrote:

Hi Putmanb,

Thanks for your response.

I can run it, but I have another question, if I use RSA algorithm to encrypt, how do I set block size of RSA algorithm? Below is exception:

 

org.opensaml.xml.encryption.EncryptionException: Error encrypting XMLObject
 at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:453)
 at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:343)
 at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:257)
 at SamlTest.main(SamlTest.java:208)
Caused by: java.lang.ArrayIndexOutOfBoundsException: too much data for RSA block
 at org.bouncycastle.jce.provider.JCERSACipher.engineDoFinal(Unknown Source)
 at javax.crypto.Cipher.doFinal(Unknown Source)
 at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
 at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
 at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:450)
 ... 3 more



Thanks&Best Regards
Li Ji Xian


----- Original Message -----
From: Brent Putman []
To:
Sent: Mon, 18 Apr 2011 02:20:39 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion

This is documented pretty extensively in the wiki:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManJavaXMLEncryption



On 4/18/11 1:56 AM, wrote:
>
> Hi,
>
> who can give me an example how to encrypt assertion? thanks.
>
> Thanks&Best Regards
> Li Ji Xian
>


Archive powered by MHonArc 2.6.16.

Top of Page