Class ExtendedSignerProvider

java.lang.Object
org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl
se.swedenconnect.opensaml.xmlsec.signature.support.provider.ExtendedSignerProvider
All Implemented Interfaces:
org.opensaml.xmlsec.signature.support.SignerProvider

public class ExtendedSignerProvider extends org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl
The Sun PKCS#11 crypto provider does not support PSS padding, which makes RSA-PSS signing with HSM keys impossible using the standard OpenSAML signer provider (ApacheSantuarioSignerProviderImpl). Therefore, the ExtendedSignerProvider overrides ApacheSantuarioSignerProviderImpl with functionality that performs the PSS padding in software, so that only the raw RSA encryption operation is done in the HSM. This enables RSA-PSS signing with RSA keys in an HSM even when RSA-PSS is not supported by the PKCS#11 API.
Author:
Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
See Also:
  • ApacheSantuarioSignerProviderImpl

Constructor Details

  • ExtendedSignerProvider

    public ExtendedSignerProvider()
    Default constructor.

Method Details

    • signObject

      public void signObject(@Nonnull org.opensaml.xmlsec.signature.Signature signature) throws org.opensaml.xmlsec.signature.support.SignatureException
      Tests whether the signing key is a Sun PKCS#11 key and the signing algorithm is RSA-PSS. If this is the case, the PSS padding is performed in software and only the raw RSA encryption operation is done in the HSM. This enables RSA-PSS signing with RSA keys in an HSM even when RSA-PSS is not supported by the PKCS#11 API.
      Specified by:
      signObject in interface org.opensaml.xmlsec.signature.support.SignerProvider
      Overrides:
      signObject in class org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl
      Throws:
      org.opensaml.xmlsec.signature.support.SignatureException
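The split that the class description and signObject describe, as an added illustration that is not the library's own code: the EMSA-PSS encoding is computed in software and only a raw, unpadded RSA private-key operation is requested from the key's provider. It assumes SHA-256 with MGF1-SHA-256 and a 32-byte salt, and uses a software-generated key in place of an HSM key; with a SunPKCS11 key the NoPadding Cipher would be obtained from that provider instead.

```java
import java.security.*;
import java.security.interfaces.RSAKey;
import java.security.spec.*;
import javax.crypto.Cipher;
public class SoftwarePssSigning {
    static final int H_LEN = 32; // SHA-256 output length
    static byte[] mgf1(byte[] seed, int maskLen) throws Exception { // MGF1 with SHA-256 (RFC 8017, B.2.1)
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] mask = new byte[maskLen];
        for (int c = 0, off = 0; off < maskLen; c++, off += H_LEN) {
            md.update(seed);
            md.update(new byte[] {(byte) (c >>> 24), (byte) (c >>> 16), (byte) (c >>> 8), (byte) c});
            System.arraycopy(md.digest(), 0, mask, off, Math.min(H_LEN, maskLen - off));
        }
        return mask;
    }
    static byte[] emsaPssEncode(byte[] message, int emBits, byte[] salt) throws Exception { // RFC 8017, 9.1.1
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] mHash = md.digest(message); int emLen = (emBits + 7) / 8;
        if (emLen < H_LEN + salt.length + 2) throw new IllegalArgumentException("encoding error");
        md.update(new byte[8]); md.update(mHash);         // M' = 00*8 || mHash || salt
        byte[] h = md.digest(salt);
        byte[] db = new byte[emLen - H_LEN - 1];          // DB = PS || 01 || salt
        db[db.length - salt.length - 1] = 0x01;
        System.arraycopy(salt, 0, db, db.length - salt.length, salt.length);
        byte[] dbMask = mgf1(h, db.length);
        for (int i = 0; i < db.length; i++) db[i] ^= dbMask[i];
        db[0] &= (byte) (0xFF >>> (8 * emLen - emBits));   // clear the leftmost 8*emLen-emBits bits
        byte[] em = new byte[emLen];                      // EM = maskedDB || H || 0xbc
        System.arraycopy(db, 0, em, 0, db.length);
        System.arraycopy(h, 0, em, db.length, H_LEN);
        em[emLen - 1] = (byte) 0xbc;
        return em;
    }
    // PSS padding in software; only the raw RSA private-key operation is delegated to the key's provider.
    static byte[] signPss(PrivateKey key, byte[] message) throws Exception {
        byte[] salt = new byte[H_LEN]; new SecureRandom().nextBytes(salt);
        byte[] em = emsaPssEncode(message, ((RSAKey) key).getModulus().bitLength() - 1, salt);
        Cipher rawRsa = Cipher.getInstance("RSA/ECB/NoPadding"); // for an HSM key: from the SunPKCS11 provider
        rawRsa.init(Cipher.ENCRYPT_MODE, key);            // private key in ENCRYPT_MODE = raw modular exponentiation
        return rawRsa.doFinal(em);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();               // software key standing in for an HSM key
        byte[] msg = "constructed sample data to sign".getBytes("UTF-8");
        Signature v = Signature.getInstance("RSASSA-PSS"); // the JDK's standard PSS verifier must accept it
        v.setParameter(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, H_LEN, 1));
        v.initVerify(kp.getPublic()); v.update(msg);
        System.out.println("verified: " + v.verify(signPss(kp.getPrivate(), msg)));
    }
}
```

Because the check is done by the JDK's own RSASSA-PSS implementation, a true result shows that a signature padded in software and finished by a raw RSA operation is indistinguishable from one produced by a PSS-capable provider.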