[OpenSAML] Change Default Transform Algo?


christop...@ubs.com

Apr 29, 2011, 12:44:54 PM
to mace-open...@internet2.edu
Hi All,

Is there an easy way in the OpenSAML Java API to update the Transform
algorithm when building a SAML Response?

For example, in the snippet below:

<samlp:Response ...>
  ...
  <ds:SignedInfo>
    ...
    <ds:Reference ...>
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"></ec:InclusiveNamespaces>
        </ds:Transform>
      </ds:Transforms>
    </ds:Reference>
  </ds:SignedInfo>
  ...
</samlp:Response>


I'd like to change

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"></ec:InclusiveNamespaces>
</ds:Transform>

to

<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />

----

I could be way off here, but I made an attempt to create a Transform object. I
have no idea where to add it.

// Imports assume the OpenSAML 2 / xmltooling package layout.
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Transform;
import org.opensaml.xml.signature.impl.TransformImpl;

XMLObjectBuilderFactory builderFactory;
...
// Build a ds:Transform XMLObject and set its Algorithm attribute.
XMLObjectBuilder tbuilder =
    builderFactory.getBuilder(Transform.DEFAULT_ELEMENT_NAME);
TransformImpl t =
    (TransformImpl) tbuilder.buildObject(Transform.DEFAULT_ELEMENT_NAME);
t.setAlgorithm(SignatureConstants.TRANSFORM_C14N_OMIT_COMMENTS);

----

If there is any assistance you can provide or if there is documentation on
this topic anywhere, I would greatly appreciate any help.

Thank you!

-C

Brent Putman

Apr 29, 2011, 1:16:42 PM
to mace-open...@internet2.edu

On 4/29/11 12:44 PM, christop...@ubs.com wrote:
> Hi All,
>
> Is there an easy way in the OpenSAML Java API to update the Transform
> algorithm when building a SAML Response?

No, not easily really, because the transforms to use are mandated by the
SAML spec as a "SHOULD NOT contain transforms other than..." enveloped
and exclusive. See SAML core 5.4.4.


> I could be way off here, but I made an attempt to create a Transform object. I
> have no idea where to add it.
>

No, that's just the XMLObject provider to represent the XML. Has
nothing to do with the signing process.

> If there is any assistance you can provide or if there is documentation on
> this topic anywhere, I would greatly appreciate any help.

If you really want to know how to do it, you need to manipulate the
transforms that are on the Signature's ContentReference, specifically
the SAMLObjectContentReference. The latter is auto-added to the
Signature when you call response.setSignature(signature). After calling
this, you can obtain the content reference and from that the list of
transforms like so:

List<String> transforms =
((SAMLObjectContentReference)signature.getContentReferences().get(0)).getTransforms();

Then just mutate the list.


--Brent
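
The procedure Brent describes, carried through end to end as an added example (this is not code from the thread or from the OpenSAML project). It assumes the OpenSAML 2.x / xmltooling API that the list used in 2011: DefaultBootstrap, Configuration, SAMLObjectContentReference, Signer and SignatureValidator; the signing key is a throwaway RSA key pair generated in place, and the Response ID is a constructed sample value. It keeps the enveloped-signature transform and swaps only the canonicalization transform, because an enveloped signature whose reference does not exclude the ds:Signature element can never verify; it then checks the result locally with the public key, which is the test a practitioner wants before handing such a message to a relying party, since SAML core 5.4.4 says receivers SHOULD NOT expect transforms other than enveloped and exclusive c14n and some of them will reject anything else.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.List;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;

public class InclusiveC14nResponseSigner {

    // Signs the Response with an enveloped signature whose ds:Reference uses
    // enveloped-signature followed by inclusive c14n (omit comments) instead
    // of the default exclusive c14n. Returns the final transform list.
    public static List<String> signWithInclusiveC14n(Response response, Credential cred)
            throws Exception {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Signature signature = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(cred);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        // SignedInfo canonicalization is separate from the reference transforms.
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // setSignature() auto-adds the SAMLObjectContentReference for the Response.
        response.setSignature(signature);
        SAMLObjectContentReference ref =
                (SAMLObjectContentReference) signature.getContentReferences().get(0);

        // Mutate the transform list: keep enveloped-signature, swap the c14n.
        List<String> transforms = ref.getTransforms();
        transforms.clear();
        transforms.add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.add(SignatureConstants.TRANSFORM_C14N_OMIT_COMMENTS);

        // The DOM must exist before signing, so marshall first, then sign.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(response);
        marshaller.marshall(response);
        Signer.signObject(signature);
        return transforms;
    }

    // Local check: the signature must verify under the public half of the key.
    public static boolean verifiesLocally(Response response, Credential cred) {
        try {
            new SignatureValidator(cred).validate(response.getSignature());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Throwaway RSA key pair for the demonstration (constructed, not a real IdP key).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        BasicCredential cred = new BasicCredential();
        cred.setPublicKey(kp.getPublic());
        cred.setPrivateKey(kp.getPrivate());

        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Response response = (Response) bf.getBuilder(Response.DEFAULT_ELEMENT_NAME)
                .buildObject(Response.DEFAULT_ELEMENT_NAME);
        response.setID("_example-response-id");  // constructed sample ID for the Reference URI

        List<String> transforms = signWithInclusiveC14n(response, cred);
        System.out.println("Reference transforms: " + transforms);
        System.out.println("Verifies locally: " + verifiesLocally(response, cred));
        System.out.println(XMLHelper.nodeToString(response.getDOM()));
    }
}
```

If the local check fails after changing the transform list, the usual cause is dropping the enveloped-signature transform or editing the list after Signer.signObject() has already computed the digest; the list must be final before signing.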

christop...@ubs.com

Apr 29, 2011, 1:33:38 PM
to mace-open...@internet2.edu
Thank you, Brent, for your prompt reply; that answered my question.

-C
