Child pages
  • Example: Sign using PKCS#11 token
Skip to end of metadata
Go to start of metadata

This command line configuration example:

  • reads a file path/to/metadata.xml containing SAML metadata
  • signs that document using:
    • a PKCS#11 token determined by
      • a PKCS#11 configuration file specifying the toke
      • a user password
      • an alias determining which of the token's keys to use
    • a separate certificate read from path/to/certificate.pem 
  • writes the results into the file path/to/output.xml

You can execute the example as follows:

$ .../mda.sh config.xml main

The example configuration file is as follows; it has been verified with MDA version 0.9.2:

<?xml version="1.0" encoding="UTF-8"?>
<beans default-init-method="initialize"
       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
    <!-- First, we define the stages for our pipeline -->
    <bean id="source" class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage">
        <property name="id" value="source"/>
        <property name="parserPool">
            <bean class="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initialize"/>
        </property>
        <property name="source">
            <bean class="java.io.File">
                <constructor-arg value="path/to/metadata.xml"/>
            </bean>
        </property>
    </bean>
 
    <bean id="generateContentReferenceId" class="net.shibboleth.metadata.dom.saml.GenerateIdStage">
        <property name="id" value="generateContentReferenceId" />
    </bean>
 
    <bean id="signMetadata" class="net.shibboleth.metadata.dom.XMLSignatureSigningStage">
        <property name="id" value="signMetadata"/>
        <property name="certificates">
            <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
                <property name="resource" value="file:path/to/certificate.pem"/>
            </bean>
        </property>
        <property name="privateKey">
            <bean class="net.shibboleth.metadata.util.PKCS11PrivateKeyFactoryBean">
                <property name="pkcs11Config" value="path/to/pkcs11.cfg"/>
                <property name="keyPassword" value="passwordHere"/>
                <property name="keyAlias" value="key10"/>
            </bean>
        </property>
    </bean>
 
    <bean id="serialize" class="net.shibboleth.metadata.pipeline.SerializationStage">
        <property name="id" value="serializeIdPs"/>
        <property name="outputFile">
            <bean class="java.io.File">
                <constructor-arg value="path/to/output.xml"/>
            </bean>
        </property>
        <property name="serializer">
            <bean id="domSerializer" class="net.shibboleth.metadata.dom.DOMElementSerializer" />
        </property>
    </bean>
 
    <!-- Next we define a pipeline with all the stages in it -->
    <bean id="main" class="net.shibboleth.metadata.pipeline.SimplePipeline" init-method="initialize">
        <property name="id" value="main"/>
        <property name="stages">
            <list>
                <ref bean="source"/>
                <ref bean="generateContentReferenceId" />
                <ref bean="signMetadata"/>
                <ref bean="serialize" />
            </list>
        </property>
    </bean>
</beans>

The PKCS#11 configuration file configures the Sun PKCS#11 bridge. Its contents are specific to the token and operating environment. For example:

Example pkcs11.cfg
# PKCS#11 provider configuration for for OpenSC running under Mac OS X
name = OpenSC
library = /Library/OpenSC/lib/pkcs11/opensc-pkcs11.so
  • No labels