OpenSAML user discussion

[Chad La Joie <>]

Well, signing occurs on the DOM (NodeSet technically).  If you have a 
service then that is signing stuff you would need to take the OpenSAML 
object tree and marshall it (to get the DOM).  At that point OpenSAML is 
out of the picture.  You send the DOM, or whatever is required, to the 
signing service and you get back whatever it sends back.

If, after the document is signed you want to read it back in to OpenSAML 
(perhaps because you want to take the signed blob and insert it in to 
another XMLObject you can safely unmarshall the DOM into OpenSAML object 
without destroying the signature.  Note, if you make ANY changes to ANY 
of the XMLObjects covered by the signature then you will destroy the 
signature.  If you dump the DOM via XMLObject#releaseDOM you will also 
destroy the signature.

López Hernández-Ardieta, Jorge wrote:
> Hi all,
>
>  
>
> We need to sign the SAML tokens by using private keys stored in a Hardware 
> Cryptograhic Module. The access to the HSM is provided by an external entity, 
> which offers a signing interface by means of a Web Service. As a result, the 
> XML signature calculation is carried out externally to OpenSAML library.
>
>  
>
> The question is: Is it possible to calculate the signature externally, and 
> afterwards append the signature node to the SAML Token? I guess it must be 
> easy to perform, but I don't know if the marshalling would break the 
> signature integrity...
>
>  
>
> Thanks in advance,
>
>  
>
> Best,
>
>  
>
> Jorge López Hernández-Ardieta
> Senior Engineer
>
> Security Division
>
>  
>
> Parque Empresarial La Finca. Edificio 4. Pº del Club Deportivo, 1. 
> 28223 - Pozuelo de Alarcón (Madrid)
>
> 91 257 91 59
>
>  <mailto:> 
> www.indra.es <http://www.indra.es> 
>
>  
>
>  
>
>  

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch