
mace-opensaml-users - Re: [OpenSAML] [OpenSAML java] encrypted assertion


Re: [OpenSAML] [OpenSAML java] encrypted assertion


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
  • Date: Thu, 21 Apr 2011 12:44:10 -0400

Similar to your encryption question, there is an entire wiki page devoted to using XML Signature in OpenSAML, including examples:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManJavaDSIG

Off-hand, you aren't calling the Signer to actually sign the data, and you are also needlessly adding a SAMLObjectContentReference, which is resulting in a duplicate Reference in the SignedInfo.  There are also nicer APIs for generating the KeyInfo rather than what you are doing.

--Brent
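A complete signing sequence that follows the three points above (call Signer.signObject(), let setSignature() attach the single content reference, and generate the KeyInfo through the generator API), followed by the checks a relying party runs on the result. This is an added example for this page, not code from the thread, the wiki page, or the OpenSAML project itself. It assumes OpenSAML 2.x on the classpath, a hypothetical JKS keystore server.jks with alias serverkey and password changeit, and a hypothetical issuer https://idp.example.org.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;

public class SignAssertionExample {

    // Hypothetical keystore, alias and password: assumptions for this example, not values from the thread.
    private static final String KEYSTORE_PATH = "server.jks";
    private static final String KEY_ALIAS = "serverkey";
    private static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders, marshallers and the default security configuration
        BasicX509Credential credential = loadCredential();
        Assertion assertion = buildAssertion();
        signAssertion(assertion, credential);
        // After Signer.signObject() the DOM carries real DigestValue and SignatureValue content.
        System.out.println(XMLHelper.nodeToString(assertion.getDOM()));
        verifyAssertion(assertion, credential);
    }

    static BasicX509Credential loadCredential() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(KEYSTORE_PATH);
        try { ks.load(in, PASSWORD); } finally { in.close(); }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate((X509Certificate) ks.getCertificate(KEY_ALIAS));
        credential.setPrivateKey((PrivateKey) ks.getKey(KEY_ALIAS, PASSWORD));
        return credential;
    }

    static Assertion buildAssertion() throws Exception {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Assertion assertion = (Assertion) bf.getBuilder(Assertion.DEFAULT_ELEMENT_NAME)
                .buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        // The ID is what the Reference URI ("#...") points at, so it must exist before signing.
        assertion.setID(new SecureRandomIdentifierGenerator().generateIdentifier());
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setIssueInstant(new DateTime());
        Issuer issuer = (Issuer) bf.getBuilder(Issuer.DEFAULT_ELEMENT_NAME).buildObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("https://idp.example.org"); // hypothetical issuer
        assertion.setIssuer(issuer);
        return assertion;
    }

    static void signAssertion(Assertion assertion, BasicX509Credential credential) throws Exception {
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // KeyInfo through the generator API instead of hand-assembling X509Data.
        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);
        KeyInfoGenerator kiGen = kiFactory.newInstance();
        signature.setKeyInfo(kiGen.generate(credential));

        // setSignature() attaches the one SAMLObjectContentReference (enveloped + exclusive C14N,
        // URI = "#" + assertion ID). Adding another by hand yields a duplicate <ds:Reference>.
        assertion.setSignature(signature);

        // Marshal first: the Signer works on the DOM, and the digest is taken over the marshalled element.
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);

        // This is the step that computes DigestValue and SignatureValue; without it both stay empty.
        Signer.signObject(signature);
    }

    static void verifyAssertion(Assertion assertion, BasicX509Credential trusted) throws Exception {
        Signature signature = assertion.getSignature();
        // Profile check: exactly one Reference, a same-document URI matching the assertion ID,
        // and only the enveloped-signature and canonicalization transforms.
        new SAMLSignatureProfileValidator().validate(signature);
        // Cryptographic check against a credential the verifier already trusts,
        // never against whatever certificate the message's own KeyInfo happens to carry.
        new SignatureValidator(trusted).validate(signature);
    }
}
```

The order inside signAssertion() matters: marshalling builds the ds:Signature structure in the DOM, and only Signer.signObject() computes the digests and the signature value, which is why an unsigned assertion prints empty DigestValue and SignatureValue elements. On the receiving side, SAMLSignatureProfileValidator is what rejects a SignedInfo with two References (or a Reference whose URI does not point at the signed element), and the SignatureValidator should always be built from a credential the verifier trusts by configuration or metadata rather than from the KeyInfo in the message.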



On 4/21/11 5:27 AM, wrote:

Hi Putman,

I need to digest the whole assertion with the Enveloped method; here are a few lines of code:

// build the assertion to be signed
Assertion assertion = getAssertion2();

// build the ds:Signature and ds:KeyInfo objects
Signature signature = create(Signature.class, Signature.DEFAULT_ELEMENT_NAME);
org.opensaml.xml.signature.KeyInfo openKeyInfo = create(org.opensaml.xml.signature.KeyInfo.class, org.opensaml.xml.signature.KeyInfo.DEFAULT_ELEMENT_NAME);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

// put the server certificate into the KeyInfo
X509Certificate cert = (X509Certificate) publickeyStore.getCertificate("serverkey");
KeyInfoHelper.addCertificate(openKeyInfo, cert);
signature.setKeyInfo(openKeyInfo);
signature.setSigningCredential(privatecredential);

// add a content reference to the assertion
SAMLObjectContentReference contentReference = new SAMLObjectContentReference(assertion);
signature.getContentReferences().add(contentReference);

Below is the assertion output. I can't find anything in <ds:DigestValue/>; why?

<ds:Signature
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  >
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
      />
      <ds:SignatureMethod/>
      <ds:Reference
        URI="#_01f817fbb3f0714ec25bf19a509cc6ab"
      >
        <ds:Transforms>
          <ds:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
          />
          <ds:Transform
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
          >
            <ec:InclusiveNamespaces
              xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              PrefixList="ds saml2"
            />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
        />
        <ds:DigestValue/>
      </ds:Reference>
      <ds:Reference
        URI="#_01f817fbb3f0714ec25bf19a509cc6ab"
      >
        <ds:Transforms>
          <ds:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
          />
          <ds:Transform
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
          >
            <ec:InclusiveNamespaces
              xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              PrefixList="ds saml2"
            />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
        />
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICHzCCAYigAwIBAgIETawCXzANBgkqhkiG9w0BAQUFADBUMQwwCgYDVQQGEwNtY2IxDDAKBgNV...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>


Thanks & Best Regards
Li Ji Xian


----- Original Message -----
From: Brent Putman []
To:
Sent: Wed, 20 Apr 2011 08:52:21 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion

You'll have to elaborate on what you mean by needing to digest the assertion.  If you are talking about XML Signature, the requirements there are a lot more complicated than just digesting some element(s).


On 4/20/11 4:02 AM, wrote:

Many thanks, Putmanb.

By the way, if I need to digest the assertion, should I digest the signature info, or only the other assertion info except the signature info?


Thanks & Best Regards
Li Ji Xian




