Geek Answers Handbook

How to install Signature DigestMethod algorithm using OpenSAML

We can set the signature algorithm as follows:

signature.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

I am trying to find a way to install the DigestMethod algorithm. Is this possible using the OpenSAML API? Any input is greatly appreciated.

UPDATE: adding a signature sample for clarity. This question is about this DigestMethod element.

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_884D49DAD03AD60748547F8322C11AA0">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>...</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>

UPDATE: Vladimir is responding. However, does this solution seem unsafe? In my application, we download opensaml only once, and then use different streams with different configurations - like different signature algorithms. Is there a way to do this in a thread-safe way?

UPDATE: Shibboleth IdP opensaml, Shibboleth IdP Wiki . , IdP SP , , opensaml SAML. :

/ IdP . , . , , (),

UPDATE: . .

+4
3

, [1].

.

authnRequest.setSignature(signature);

((SAMLObjectContentReference)signature.getContentReferences().get(0))
           .setDigestAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);

[1] https://lists.internet2.edu/sympa/arc/mace-opensaml-users/2007-10/msg00003.html

+5

- :

  BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
  config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+6

OpenSAML, DefaultBootstrap DefaultSecurityConfigurationBootstrap, SAML.

DefaultSamlBootstrap CustomSamlBootstrap.

:

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;    
public class CustomSamlBootstrap extends DefaultBootstrap {
    public static synchronized void bootstrap() throws ConfigurationException {

        initializeXMLSecurity();

        initializeXMLTooling();

        initializeArtifactBuilderFactories();

        initializeGlobalSecurityConfiguration();

        initializeParserPool();

        initializeESAPI();

        initializeHttpClient();
    }

    protected static void initializeGlobalSecurityConfiguration() {
        Configuration.setGlobalSecurityConfiguration(YourCustomSecurityConfigurationBootstrap.buildDefaultConfig());
    }

}


import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xml.signature.SignatureConstants;


public class YourCustomSecurityConfigurationBootstrap extends DefaultSecurityConfigurationBootstrap {
    public static BasicSecurityConfiguration buildDefaultConfig() {
        BasicSecurityConfiguration config = new BasicSecurityConfiguration();

        populateSignatureParams(config);
        populateEncryptionParams(config);
        populateKeyInfoCredentialResolverParams(config);
        populateKeyInfoGeneratorManager(config);
        populateKeyParams(config);

        return config;
    }

    /**
     * Populate signature-related parameters.
     *
     * @param config the security configuration to populate
     */
    protected static void populateSignatureParams(BasicSecurityConfiguration config) {
        // Asymmetric key algorithms
        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        config.registerSignatureAlgorithmURI("DSA", SignatureConstants.ALGO_ID_SIGNATURE_DSA);
        config.registerSignatureAlgorithmURI("EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);

        // HMAC algorithms
        config.registerSignatureAlgorithmURI("AES", SignatureConstants.ALGO_ID_MAC_HMAC_SHA1);
        config.registerSignatureAlgorithmURI("DESede", SignatureConstants.ALGO_ID_MAC_HMAC_SHA1);

        // Other signature-related params
        config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        config.setSignatureHMACOutputLength(null);
        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1);
    }

}

: , .

To do this, you can extend the appropriate subclass of BaseSAML2MessageEncoder to override the signMessage function. Then pass YourCustomSecurityConfigurationBootstrap as needed to SecurityHelper.prepareSignatureParams (signature signature, Credential signatureCredential, SecurityConfiguration config, String keyInfoGenName).

0
source

More articles:


All Articles