We can set the signature algorithm as follows:

    signature.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

I'm trying to find a way to set the DigestMethod algorithm like that. Is it possible via OpenSAML APIs? Any input is much appreciated.
UPDATE: Adding a sample Signature for clarity. What this question is concerned with is the DigestMethod element in it.

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_884D49DAD03AD60748547F8322C11AA0">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:KeyName>...</ds:KeyName>
      </ds:KeyInfo>
    </ds:Signature>

UPDATE: Vladimír's answer works. However, that solution seems to be thread unsafe? In my application we bootstrap opensaml only once and it is then used by different threads with different configurations - like different signature algorithms. Is there a way to do this in a thread-safe manner?
UPDATE: Shibboleth IdP uses opensaml, and according to Shibboleth IdP Wiki this currently is a global configuration. So, regardless of IdP or SP side, this limitation should be there if opensaml is used to process SAML messages. Following is an excerpt from that article:
Changing the IdP signature/digest algorithm and related settings is currently a global operation. The algorithm will be changed for all relying parties it interacts with. Do not make this change until you have verified that all your relying parties can handle responses using the new algorithm(s) you choose
UPDATE: Finally found a way to get this done. Have added it as an answer.
This could be done thread safely by modifying the Signature's content references after setting the signature [1].
e.g.

    authnRequest.setSignature(signature);
    ((SAMLObjectContentReference) signature.getContentReferences().get(0))
            .setDigestAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);

[1] https://lists.internet2.edu/sympa/arc/mace-opensaml-users/2007-10/msg00003.html
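
As an added example (not part of the original answer and not OpenSAML code), the following Python check parses a marshalled SAML message and reports every SignatureMethod and per-Reference DigestMethod that still uses SHA-1 or MD5, which catches the case from the question where only setSignatureAlgorithm was changed. The TEMPLATE message and its `_example` ID are constructed sample input.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# SHA-1 and MD5 based algorithm identifiers used in XML Signature.
WEAK_ALGORITHMS = {
    DS + "sha1",
    DS + "rsa-sha1",
    DS + "dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#md5",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
}

# Constructed sample modelled on the Signature in the question (values elided).
TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:SignatureMethod Algorithm="{sig}"/>
<ds:Reference URI="#_example"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
</ds:SignedInfo></ds:Signature></samlp:AuthnRequest>"""


def audit_signature_algorithms(xml_text):
    """Return (element, reference_uri, algorithm) for every weak algorithm found."""
    if "<!DOCTYPE" in xml_text:  # SAML messages never need a DTD; refuse to parse one
        raise ValueError("DOCTYPE not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        signed_info = sig.find("ds:SignedInfo", NS)
        if signed_info is None:
            continue
        method = signed_info.find("ds:SignatureMethod", NS)
        if method is not None and method.get("Algorithm") in WEAK_ALGORITHMS:
            findings.append(("SignatureMethod", None, method.get("Algorithm")))
        # Each Reference carries its own DigestMethod, so check them one by one.
        for ref in signed_info.findall("ds:Reference", NS):
            digest = ref.find("ds:DigestMethod", NS)
            if digest is not None and digest.get("Algorithm") in WEAK_ALGORITHMS:
                findings.append(("DigestMethod", ref.get("URI"), digest.get("Algorithm")))
    return findings


if __name__ == "__main__":
    # Signature algorithm upgraded, digest left at the SHA-1 default.
    mixed = TEMPLATE.format(sig=RSA_SHA256, digest=DS + "sha1")
    print(audit_signature_algorithms(mixed))
```

Running a check like this against the output of each signing configuration in a test suite confirms that the per-reference digest override was applied for every relying party.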