mace-opensaml-users - RE: RE: How to add new JCE provider - modify config.xml?


RE: RE: How to add new JCE provider - modify config.xml?


  • From: "Konstantin Shmakov" <>
  • To: "Scott Cantor" <>, <>
  • Subject: RE: RE: How to add new JCE provider - modify config.xml?
  • Date: Mon, 22 Mar 2004 15:20:15 -0800

Correct, I confirmed that the desired provider for the actual hashing
algorithm should be registered in addition to the signature algorithm; that is,
I had to add the provider to both algorithms in config.xml:

<Algorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
           Description="RSA Signature with SHA-1 message digest"
           AlgorithmClass="Signature"
           RequirementLevel="RECOMMENDED">
    <ProviderAlgo ProviderId="JsafeJCE" JCEName="SHA1withRSA" />
    ...
</Algorithm>

And

<Algorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"
           Description="SHA-1 message digest"
           AlgorithmClass="MessageDigest"
           RequirementLevel="REQUIRED">
    <ProviderAlgo ProviderId="JsafeJCE" JCEName="SHA-1" />
    ...
</Algorithm>


Obviously these 2 algorithms are used when the SAMLAssertion.sign() method is
called with XMLSignature.ALGO_ID_SIGNATURE_RSA, as the debug output shows:

>DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
>DEBUG org.apache.xml.security.algorithms.JCEMapper - Found SHA1withRSA from provider JsafeJCE ...
...
>DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
>DEBUG org.apache.xml.security.algorithms.JCEMapper - Found SHA-1 from provider JsafeJCE



As for performance, I don't care now; it is just beneficial to control
security providers and to have a single security provider for all
cryptographic operations.

Thanks for all the help.

Konstantin

-----Original Message-----
From: Scott Cantor
[mailto:]

Sent: Friday, March 19, 2004 8:09 PM
To: Konstantin Shmakov;

Subject: RE: RE: How to add new JCE provider - modify config.xml?


> 2) Add new provider as the 1st provider to 2 Signature Algorithms
> under <!-- Signature Algorithms -->

You would also probably want to register the provider for the actual
hashing algorithms, like SHA-1 or MD5.

I think that the order is basically what controls it, yes. I had success
putting new providers at the top of the lists.

> Is there any documentation on how to configure JCE provider
> in OpenSAML? In the above configuration how can I actually
> confirm that new JCE provider is used for signatures?

As I assume you can see, this has nothing to do with OpenSAML, and you'd
probably be better off asking on the xml-security list. OpenSAML does
nothing except call into that library for signing; it exerts no
influence on it. AFAIK, there's no way to externally control the JCE
used except by editing that file.

The way you can tell though is to configure the logging level in the
config.xml file to output xmlsec debug messages to a file, and make sure
your application can write to that file. Xmlsec dumps a ton of tracing
data, and you can see it when it gets algorithms to use.

You may also want to look at the code that was done to support signing
with OpenSSL. http://cvs.internet2.edu/cgi-bin/viewcvs.cgi/NativeJCE/

Internet2 has donated the code to Apache for further development by the
xmlsec developers, who are fairly interested in it. The Java code is
just death on signing, so truth is, it doesn't matter what JCE you use.
If it's in Java, it's too slow.

-- Scott
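Since the thread's conclusion is that the first ProviderAlgo listed under each Algorithm wins and that both the signature URI and its digest URI must name the provider, here is an added checker (not code from the thread, OpenSAML or xmlsec) that reads a config.xml and reports any of those URIs where the intended provider is not listed first. The Algorithm/ProviderAlgo layout is taken from the snippets above; the wrapping elements and the sample config are constructed assumptions, and the rsa-sha1 to sha1 pairing is the only one from the thread.

```python
"""Check an xmlsec-style config.xml for consistent JCE provider mappings."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippets in the thread, not a real config.xml.
# The sha1 digest deliberately lists SUN first so the check has something to flag.
SAMPLE_CONFIG = """<Configuration>
  <Algorithms>
    <Algorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
               Description="RSA Signature with SHA-1 message digest"
               AlgorithmClass="Signature" RequirementLevel="RECOMMENDED">
      <ProviderAlgo ProviderId="JsafeJCE" JCEName="SHA1withRSA"/>
      <ProviderAlgo ProviderId="SUN" JCEName="SHA1withRSA"/>
    </Algorithm>
    <Algorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"
               Description="SHA-1 message digest"
               AlgorithmClass="MessageDigest" RequirementLevel="REQUIRED">
      <ProviderAlgo ProviderId="SUN" JCEName="SHA-1"/>
      <ProviderAlgo ProviderId="JsafeJCE" JCEName="SHA-1"/>
    </Algorithm>
  </Algorithms>
</Configuration>"""

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Signature URI -> digest URI it relies on; only the pair discussed in the thread.
SIGNATURE_DIGEST = {RSA_SHA1: SHA1}


def first_provider(config_xml):
    """Map each Algorithm URI to the ProviderId of its first ProviderAlgo
    (the one the library prefers, per the thread)."""
    root = ET.fromstring(config_xml)
    chosen = {}
    for alg in root.iter("Algorithm"):  # works whatever the wrapper elements are
        first = alg.find("ProviderAlgo")
        chosen[alg.get("URI")] = first.get("ProviderId") if first is not None else None
    return chosen


def check_provider(config_xml, provider):
    """Return the URIs (signature and its digest) where `provider` is not listed first."""
    chosen = first_provider(config_xml)
    return [uri for sig, digest in SIGNATURE_DIGEST.items()
            for uri in (sig, digest) if chosen.get(uri) != provider]


if __name__ == "__main__":
    for uri in check_provider(SAMPLE_CONFIG, "JsafeJCE"):
        print(f"{uri}: JsafeJCE is not the first ProviderAlgo; move it to the top")
```

Run against the real config.xml (read the file into `check_provider`) after editing it, before trusting the debug log; an empty list means both URIs prefer the provider you expect.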



