[OpenSAML] Remove Namespace from Signature


anyz

Jun 2, 2010, 7:06:47 AM
to mace-open...@internet2.edu
I have successfully signed an assertion as given at https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG. The output of the signed assertion is as given below:
 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#ID31445821-713c-4d49-a090-26d57e3b9ecc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="adfs ds saml xs xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qAvhr4f4/MzaLHUbXbDgwa9xWjc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>blahblablbah</ds:SignatureValue>
<ds:KeyInfo>
 <ds:KeyValue>
  <ds:RSAKeyValue>
   <ds:Modulus>blahbalahblah</ds:Modulus>
   <ds:Exponent>AQAB</ds:Exponent>
  </ds:RSAKeyValue>
 </ds:KeyValue>
 <ds:X509Data>
  <ds:X509Certificate>blahblahblab</ds:X509Certificate>
 </ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
 
Is it possible to remove the namespace in the Signature tag and hence the prefix "ds" from all the child tags? I tried creating the Signature object with a custom namespace and prefix through the builder, but it didn't affect the output. I want to remove the namespace and hence the prefix "ds" from all child tags.
 
Thanks

Chad La Joie

Jun 2, 2010, 7:12:20 AM
to mace-open...@internet2.edu
No, the OpenSAML library isn't responsible for creating those
signatures, that is delegated to the Apache XML security library. And
to the best of my knowledge there is no way to change the prefix.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

anyz

Jun 2, 2010, 7:16:09 AM
to mace-open...@internet2.edu
Thanks for explaining things.

Brent Putman

Jun 2, 2010, 5:42:32 PM
to mace-open...@internet2.edu

On 6/2/2010 7:12 AM, Chad La Joie wrote:
> No, the OpenSAML library isn't responsible for creating those
> signatures, that is delegated to the Apache XML security library. And
> to the best of my knowledge there is no way to change the prefix.
>


I vaguely remembered something about this coming up on the xmlsec list
and looked it up.

It's largely undocumented, but (supposedly, I haven't tested) you can
control this either:

- declaratively, by editing the PrefixMappings section in their
config.xml - which by default is in the xmlsec jar at
org/apache/xml/security/resource/config.xml, but you can point to a
different one via a system property

- programmatically, by calling their static method
org.apache.xml.security.utils.ElementProxy.setDefaultPrefix(namespaceURI, prefix).
The latter has to be done after the Apache Init.init(), which in
OpenSAML means after you call the DefaultBootstrap.bootstrap(), which
calls Apache init. There are some comments to that effect in their
default config.xml.

See:
http://permalink.gmane.org/gmane.text.xml.security.devel/684

I have never tried with OpenSAML, so no promises that it will work as
expected ... good luck!

--Brent
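
The programmatic route from the last reply, as an added example that is not part of the original thread or of the OpenSAML or Apache code: it sets the XML-DSig default prefix to the empty string before the Signature element is created, signs, and then verifies. Assumptions: Apache xmlsec is on the classpath, Init.init() is called directly where an OpenSAML application would call DefaultBootstrap.bootstrap(), the class name, sample document and throwaway key are constructed for the demo, and RSA-SHA256 is used rather than the rsa-sha1 shown in the question.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.ElementProxy;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class DefaultPrefixSignatureExample { // hypothetical class name
    public static void main(String[] args) throws Exception {
        // xmlsec must be initialised before its prefix map is changed; per the
        // thread, OpenSAML's DefaultBootstrap.bootstrap() makes this call.
        Init.init();
        // Map the XML-DSig namespace to the empty prefix instead of "ds".
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, "");

        // Constructed sample document (not a real SAML assertion).
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElementNS(null, "Root");
        root.appendChild(doc.createTextNode("constructed payload"));
        doc.appendChild(root);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair(); // throwaway demo key

        // The prefix is chosen when the Signature element is created, so the
        // element names that get canonicalized and signed already lack "ds".
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        root.appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("", transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(keys.getPublic());
        sig.sign(keys.getPrivate());

        // Check both outcomes: no prefix on the element, and a valid signature.
        String prefix = sig.getElement().getPrefix();
        if (prefix != null && !prefix.isEmpty())
            throw new IllegalStateException("unexpected prefix: " + prefix);
        if (!sig.checkSignatureValue(keys.getPublic()))
            throw new IllegalStateException("signature did not verify");
        System.out.println("Signature element name: " + sig.getElement().getNodeName());
    }
}
```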
