mace-opensaml-users - RE: [OpenSAML] External calculation of XML Signature

Subject: OpenSAML user discussion

RE: [OpenSAML] External calculation of XML Signature
  • From: "López Hernández-Ardieta, Jorge" <>
  • To: <>
  • Cc: "Heppe, John" <>, "Alcalde-Moraño Jensen, Joaquín" <>
  • Subject: RE: [OpenSAML] External calculation of XML Signature
  • Date: Fri, 10 Jul 2009 11:19:13 +0200

That solution sounds good. Thanks Chad.

Best,

Jorge López Hernández-Ardieta
Senior Engineer
Security Division

Parque Empresarial La Finca. Edificio 4. Pº del Club Deportivo, 1. 
28223 - Pozuelo de Alarcón (Madrid)
91 257 91 59

www.indra.es

-----Original Message-----
From: Chad La Joie
[mailto:]

Sent: Friday, 10 July 2009 11:14
To:

Subject: Re: [OpenSAML] External calculation of XML Signature

Well, signing occurs on the DOM (NodeSet technically). If you have a
service that is signing stuff you would need to take the OpenSAML
object tree and marshal it (to get the DOM). At that point OpenSAML is
out of the picture. You send the DOM, or whatever is required, to the
signing service and you get back whatever it sends back.

If, after the document is signed, you want to read it back into OpenSAML
(perhaps because you want to take the signed blob and insert it into
another XMLObject), you can safely unmarshal the DOM into an OpenSAML object
without destroying the signature. Note, if you make ANY changes to ANY
of the XMLObjects covered by the signature then you will destroy the
signature. If you dump the DOM via XMLObject#releaseDOM you will also
destroy the signature.

López Hernández-Ardieta, Jorge wrote:
> Hi all,
>
> We need to sign the SAML tokens by using private keys stored in a Hardware
> Cryptographic Module. The access to the HSM is provided by an external
> entity, which offers a signing interface by means of a Web Service. As a
> result, the XML signature calculation is carried out externally to OpenSAML
> library.
>
> The question is: Is it possible to calculate the signature externally, and
> afterwards append the signature node to the SAML Token? I guess it must be
> easy to perform, but I don't know if the marshalling would break the
> signature integrity...
>
> Thanks in advance,
>
> Best,
>
> Jorge López Hernández-Ardieta
> Senior Engineer
> Security Division
>
> Parque Empresarial La Finca. Edificio 4. Pº del Club Deportivo, 1.
> 28223 - Pozuelo de Alarcón (Madrid)
> 91 257 91 59
>
> <mailto:>
> www.indra.es <http://www.indra.es>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
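The marshal-sign-unmarshal round trip Chad describes, as an added example (OpenSAML 2.x API; not code from this thread or from the OpenSAML project). The `ExternalSigner` interface is a hypothetical stand-in for the HSM-backed signing Web Service; everything else uses the library's own marshaller, unmarshaller and parser pool.

```java
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

import java.io.StringReader;

public class ExternalSigningFlow {

    /** Hypothetical client for the external HSM signing service (not an OpenSAML type). */
    public interface ExternalSigner {
        /** Receives the serialized assertion, returns it with a ds:Signature element added. */
        String sign(String assertionXml) throws Exception;
    }

    /** Marshal the assertion, have it signed externally, and read the signed form back in. */
    public static Assertion signExternally(Assertion unsigned, ExternalSigner signer) throws Exception {
        // 1. Marshal the OpenSAML object tree to obtain the DOM; from here on OpenSAML is out of the picture.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(unsigned);
        Element dom = marshaller.marshall(unsigned);

        // 2. Ship the serialized DOM to the signing service and take back whatever it returns.
        String signedXml = signer.sign(XMLHelper.nodeToString(dom));

        // 3. Parse and unmarshal the signed document. The unmarshaller caches the parsed DOM on the
        //    new objects, so the exact bytes that were signed survive as long as nothing is modified.
        Element signedRoot = Configuration.getParserPool()
                .parse(new StringReader(signedXml)).getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(signedRoot);
        Assertion signed = (Assertion) unmarshaller.unmarshall(signedRoot);

        // Do NOT mutate any XMLObject under 'signed' and do NOT call signed.releaseDOM() afterwards:
        // both discard the cached DOM, and a fresh marshal yields bytes that no longer match the digest.
        return signed;
    }

    /** Serialize from the cached DOM; a missing DOM means the signed bytes are gone. */
    public static String toXml(XMLObject signed) {
        Element cached = signed.getDOM();
        if (cached == null) {
            throw new IllegalStateException("DOM was released or the tree was modified; signature is no longer intact");
        }
        return XMLHelper.nodeToString(cached);
    }
}
```

When embedding the signed assertion into another XMLObject, attach it as-is and serialize the parent without touching the assertion's subtree, so the cached DOM is reused.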



