signing responses

Fri, Mar 11, 2005

SAMUEL, which Guanxi uses to compose SAML messages, uses JAXP to get an XML parser. I decided to use JAXP as it doesn’t tie a user of SAMUEL to a particular parser but it creates a problem when trying to sign SAML Responses, when the AA sends Assertions back to the SP:

<samlp:Response InResponseTo="a825424eaebb5885a906cd5e5a5c5e09" IssueInstant="2005-03-11T11:36:00Z" MajorVersion="1" MinorVersion="1" ResponseID="666">

To sign either a whole document, or an element within a document, you must be able to identify an ID attribute, which the signature will work on:

XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_DSA);
sig.addDocument("#666", transforms, org.apache.xml.security.utils.Constants.ALGO_ID_DIGEST_SHA1);

The “standard” way of identifying an ID attribute is to prefix it with “id”: < … id="666" … > I say “standard” as it’s the one that will work, although it breaks if you import another document fragment that also contains an ID attribute identified by “id”. In short, there’s no standard!

Shibboleth uses the ResponseID attribute as its ID attribute and the only way to set that as the ID attribute is to use: Element.setIdAttributeNS(null, "ResponseID", true) but that’s only available in DOM3, and the current Xerces DOM3 implementation is in beta2.

So, what to do? The only way to sign Responses is to use DOM3 but loaded via JAXP. If JAXP finds a DOM3 compliant parser then we can sign Responses but if not, we can’t. You can still send Responses to the SP without signatures but I’d rather sign them, so I’ll have to move to DOM3, beta2!

Hold on though, this is Java. You don’t get a choice as JAXP doesn’t support DOM3. You have to hard wire DOM3 jars to the application. So, I’ll have to wait until JAXP supports DOM3 before signing Responses.

Hold on again, I hear you shout, JAXP 1.3 is out and supports DOM3. Well, read this, from Sun:

“JAXP 1.3 would not be legally usable with J2SE 1.4 because J2SE 1.4 has JAXP 1.2 in it…”

As I’m developing on OS X and I want to support SAMUEL on OS X I’m stuffed until Apple release Tiger and their JDK1.5 implementation. As usual, there’s a workaround for those of us who lack JDK1.5.
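Putting the pieces above together, here is what signing a Response by its ResponseID looks like once JAXP hands back a DOM3-capable parser (JAXP 1.3 on JDK1.5). This is an added example, not SAMUEL or Guanxi code; the Response below is a constructed sample with a namespace declaration added so it parses, the DSA key pair is generated on the fly for the demonstration, and the hasFeature check is my own guard for the non-DOM3 case the post describes.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignResponse {
    // Constructed sample Response (assumption: same attributes as the post's example).
    static final String RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\""
        + " InResponseTo=\"a825424eaebb5885a906cd5e5a5c5e09\""
        + " IssueInstant=\"2005-03-11T11:36:00Z\" MajorVersion=\"1\" MinorVersion=\"1\""
        + " ResponseID=\"666\"/>";

    public static void main(String[] args) throws Exception {
        Init.init(); // initialise Apache XML Security once per JVM
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature canonicalisation needs namespaces
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(RESPONSE.getBytes("UTF-8")));
        Element response = doc.getDocumentElement();
        // Without DOM3 there is no way to tell the DOM that ResponseID is an ID,
        // so the "#666" reference below could never be resolved: fail early.
        if (!doc.getImplementation().hasFeature("Core", "3.0")) {
            throw new IllegalStateException("JAXP did not return a DOM3 parser");
        }
        response.setIdAttributeNS(null, "ResponseID", true);
        KeyPair kp = KeyPairGenerator.getInstance("DSA").generateKeyPair(); // demo key only
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_DSA);
        response.appendChild(sig.getElement()); // enveloped signature inside the Response
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // The reference points at the ResponseID value, exactly as in the post.
        sig.addDocument("#" + response.getAttribute("ResponseID"), transforms,
                        Constants.ALGO_ID_DIGEST_SHA1);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
        // The verifying side (the SP) must register the same ID attribute, or the
        // "#666" reference resolves to nothing and validation fails.
        System.out.println("signature valid: " + sig.checkSignatureValue(kp.getPublic()));
    }
}
```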

In the meantime, the W3C are starting to work on this.
