[OpenSAML] adding custom ContentReference to a signature


Jason Countryman

Apr 9, 2010, 2:02:26 PM
to mace-open...@internet2.edu
Hello,

I'm trying to add a custom SAMLObjectContentReference to my signature.  Here is the code I am using to generate the content reference:


SAMLObjectContentReference contentReference = new SAMLObjectContentReference(assertion);
contentReference.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
contentReference.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
contentReference.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS); 
signature.getContentReferences().add(contentReference);

When I run this code, the following error occurs when marshalling the assertion:

java.lang.ArrayIndexOutOfBoundsException: 3
at org.apache.xml.security.transforms.Transforms.item(Unknown Source)
at org.opensaml.common.impl.SAMLObjectContentReference.createReference(SAMLObjectContentReference.java:143)
at org.opensaml.xml.signature.impl.SignatureMarshaller.createSignatureElement(SignatureMarshaller.java:114)
at org.opensaml.xml.signature.impl.SignatureMarshaller.marshall(SignatureMarshaller.java:69)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:316)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:224)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:130)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:86)

There should only be 2 transforms, where is it getting the index of 3?

Thanks,
Jason
______________________________
Jason T. Countryman
Programmer
Community Computer Service


Brent Putman

Apr 9, 2010, 2:46:51 PM
to mace-open...@internet2.edu
On 4/9/2010 2:02 PM, Jason Countryman wrote:
> Hello,
>
> I'm trying to add a custom SAMLObjectContentReference to my signature.  Here is the code I am using to generate the content reference:
>
> SAMLObjectContentReference contentReference = new SAMLObjectContentReference(assertion);
> contentReference.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
> contentReference.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
> contentReference.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
> signature.getContentReferences().add(contentReference);

Well 2 things going on here, I think.  First: Be mindful of the defaults.  A SAMLObjectContentReference when it is created already has 2 transforms in it, 
SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE and SignatureConstants.TRANSFORM_C14N_EXCL_WITH_COMMENTS.  See the Javadocs:

http://svn.middleware.georgetown.edu/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/common/impl/SAMLObjectContentReference.java?revision=1377&view=markup

So if you want to change the transforms, you need to clear the list first and add what you want, or at least manipulate that list in some way.  But unless you really care about the difference between the exclusive c14 with vs. without comments, the defaults are exactly what you have above.

And second:  The AbstractSignableSAMLObject overrides setSignature such that it automatically adds a SAMLObjectContentReference to the Signature.

http://svn.middleware.georgetown.edu/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/common/impl/AbstractSignableSAMLObject.java?revision=1303&view=markup


So effectively above, in the last line, you are adding a second one to the SignableSAMLObject, which is actually an error vis-a-vis the SAML XML Signature profile.

If you really want to change the defaults, you need to either: 1) get the SAMLContentReference that is automatically added, after you call setSignature on the SAMLObject, by using signature.getContentReferences(), and then modify it, or else 2) just clear that list and create your own and add it before you sign.

> When I run this code, the following error occurs when marshalling the assertion:
>
> java.lang.ArrayIndexOutOfBoundsException: 3
> at org.apache.xml.security.transforms.Transforms.item(Unknown Source)

That's coming from Apache xmlsec.  Not sure exactly why that is happening, why it's tripping an array bounds, but it's undoubtedly due to one or both of the above issues.

--Brent
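The first option Brent describes (modify the reference that setSignature adds, rather than appending a second one), worked through as an added example; this is not code from the thread or from OpenSAML itself. It assumes the OpenSAML 2.x / xmltooling API of the time, a Credential obtained elsewhere, and that the SHA-256 digest and RSA-SHA256 signature constants are available in the SignatureConstants class in use.

```java
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;

public class AssertionSigner {

    // Added example: attach a Signature to an Assertion and customise the
    // content reference that AbstractSignableSAMLObject.setSignature() adds.
    public static Signature attachAndSign(Assertion assertion, Credential credential)
            throws MarshallingException, SignatureException {
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // setSignature() already adds one SAMLObjectContentReference for this
        // assertion, pre-populated with the enveloped-signature and exclusive
        // c14n (with comments) transforms. Do not add another one.
        assertion.setSignature(signature);
        if (signature.getContentReferences().size() != 1) {
            throw new IllegalStateException("expected exactly one content reference");
        }

        // Modify the auto-added reference in place: replace the digest and
        // rebuild the transform list instead of appending to the defaults.
        SAMLObjectContentReference ref =
                (SAMLObjectContentReference) signature.getContentReferences().get(0);
        ref.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        ref.getTransforms().clear();
        ref.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
        ref.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

        // Marshalling builds the ds:Signature element; Signer then computes the
        // digest and SignatureValue over the marshalled DOM.
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(signature);
        return signature;
    }
}
```

The second option Brent mentions is the same except that `signature.getContentReferences()` is cleared and a freshly built SAMLObjectContentReference is added before marshalling.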


Scott Cantor

Apr 9, 2010, 2:50:56 PM
to mace-open...@internet2.edu
> So if you want to change the transforms, you need to clear the list first
> and add what you want, or at least manipulate that list in some way. But
> unless you really care about the difference between the exclusive c14 with
> vs. without comments, the defaults are exactly what you have above.

The distinction on that actually will have no effect and comments will never be signed in either case. The reasons why are esoteric, but just trust me on it.

-- Scott


Brent Putman

Apr 9, 2010, 3:05:19 PM
to mace-open...@internet2.edu

On 4/9/2010 2:50 PM, Scott Cantor wrote:
>> But
>> unless you really care about the difference between the exclusive c14 with
>> vs. without comments, the defaults are exactly what you have above.
>>
> The distinction on that actually will have no effect and comments will never be signed in either case. The reasons why are esoteric, but just trust me on it.
>


Ok. Of course our xmltooling code doesn't preserve comments anyway, so
I guess the distinction is doubly moot.

Jason Countryman

Apr 9, 2010, 4:19:05 PM
to mace-open...@internet2.edu
Thank you all for your help.  I decided not to use a custom ContentReference.

Thanks