Shibboleth Developers

[Scott Cantor <>]

Mentioned to a select group that I've been playing with a Rainbow
Cryptoswift card trying to offload the RSA signing the HS does into
hardware. This has been a "challenge", not helped by the cluenessness of the
vendors about what they really support. ;-p

Anyway, I'm still in process of trying to test the Phaos JCE for Cryptoswift
on Linux, but during my frustration I happened across the Mozilla JSS code,
which is a JCE provider that sits on the NSS code that underlies all the
crypto in their project.

What's interesting about it is that it's a PKCS11 design that implements
everything in native C codde by default using the Netscape software token,
but should automagically support PKCS11 hardware using the NSS support for
those tokens, which is way below the Java layer.

The cool news is that I was able to modify the xmlsec library's config file
to recognize the Mozilla JCE and have been able to run a modified version of
the SiteSigner utility to digitally sign an XML file using a keypair stored
in the Netscape key/cert db format. The crypto is thus in C and about twice
as fast or so. I compared the output of the signature to the native Sun JCE
output and they match (using the same key/cert).

The not so cool news is that it took serious hacking on the top layer of
Java code to use the Mozilla stuff, because there are too many mismatches
and gaps, such as no support for keys in Java keystores. It should be
possible to build a modified HS that can use this software and then by
extension the card without paying Phaos any money. The gain in performance
and cost is enough to make it worth my time, I think.

The more cool news is that I think once Walter and I work out this new
key/cert resolver layer in the code, it may be more seamless to plug in the
JSS layer as a source for keys and then the other changes should be fairly
minimal for people that want to try this.

-- Scott