
mace-opensaml-users - RE: RE: How to add new JCE provider - modify config.xml?

Subject: OpenSAML user discussion

  • From: Scott Cantor <>
  • To: ,
  • Subject: RE: RE: How to add new JCE provider - modify config.xml?
  • Date: Fri, 19 Mar 2004 23:09:20 -0500
  • Organization: The Ohio State University

> 2) Add new provider as the 1st provider to 2 Signature Algorithms
> under <!-- Signature Algorithms -->

You would also probably want to register the provider for the actual hashing
algorithms, like SHA-1 or MD5.

I think that the order is basically what controls it, yes. I had success
putting new providers at the top of the lists.

> Is there any documentation on how to configure JCE provider
> in OpenSAML? In the above configuration how can I actually
> confirm that new JCE provider is used for signatures?

As I assume you can see, this has nothing to do with OpenSAML, and you'd
probably be better off asking on the xml-security list. OpenSAML does
nothing except call into that library for signing, it exerts no influence on
it. AFAIK, there's no way to externally control the JCE used except by
editing that file.

The way you can tell though is to configure the logging level in the
config.xml file to output xmlsec debug messages to a file, and make sure
your application can write to that file. Xmlsec dumps a ton of tracing data,
and you can see it when it gets algorithms to use.

You may also want to look at the code that was done to support signing with
OpenSSL. http://cvs.internet2.edu/cgi-bin/viewcvs.cgi/NativeJCE/

Internet2 has donated the code to Apache for further development by the
xmlsec developers, who are fairly interested in it. The Java code is just
death on signing, so truth is, it doesn't matter what JCE you use. If it's
in Java, it's too slow.

-- Scott
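
An added example, not part of the original message and not OpenSAML or xmlsec code: a small Java check that a provider you plan to list in config.xml is installed in the JVM and implements both the signature and the hashing algorithms mentioned above. The class name, the algorithm set and the `SUN` default are assumptions; the output shows the JVM's view only, so the xmlsec debug log is still what confirms the library's actual choice.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class JceProviderCheck {
    // Assumed algorithm set: the signature algorithms plus the hashing
    // algorithms the reply mentions. Adjust to match your config.xml.
    static final String[][] SERVICES = {
        {"Signature", "SHA1withRSA"}, {"Signature", "SHA1withDSA"},
        {"MessageDigest", "SHA-1"}, {"MessageDigest", "MD5"}
    };

    /** True if the named provider is installed and implements type/alg. */
    static boolean supplies(String providerName, String type, String alg) {
        Provider p = Security.getProvider(providerName);
        return p != null && p.getService(type, alg) != null;
    }

    /** Provider the JVM selects when no provider is named explicitly. */
    static String jvmDefault(String type, String alg) throws Exception {
        return type.equals("Signature")
            ? Signature.getInstance(alg).getProvider().getName()
            : MessageDigest.getInstance(alg).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // "SUN" is only a placeholder default; pass your provider's name.
        String name = args.length > 0 ? args[0] : "SUN";

        // Installed providers in JVM preference order (1 = tried first).
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ". " + installed[i].getName());
        }
        // Per algorithm: does the named provider cover it, and which
        // provider does the JVM fall back to when none is named?
        for (String[] s : SERVICES) {
            System.out.printf("%-14s %-12s %s supplies it: %-5b JVM default: %s%n",
                s[0], s[1], name, supplies(name, s[0], s[1]), jvmDefault(s[0], s[1]));
        }
    }
}
```

A `false` in the "supplies it" column for a digest means the provider covers signing but not the hash, which is the gap the reply warns about.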



