Sign using PKCS#11 token
This command line configuration example:
- reads a file path/to/input/aggregate.xml containing SAML metadata
- signs that document using:
  - a PKCS#11 token, determined by:
    - a PKCS#11 configuration file specifying the token
    - a user password
    - an alias determining which of the token's keys to use
  - a separate certificate read from path/to/secrets/self-signed.pem
- writes the results into the file path/to/output/output.xml
You can execute the example as follows:
$ .../mda.sh sign-using-token.xml main
The example configuration file is as follows; it has been verified with MDA version 0.10.0-SNAPSHOT as of 2023-10-25:
<?xml version="1.0" encoding="UTF-8"?>
<beans default-init-method="initialize"
    xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- Import the Standard bean definition resource. -->
    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>

    <!-- First, we define the stages for our pipeline -->
    <bean id="source" parent="mda.DOMFilesystemSourceStage">
        <property name="id" value="source"/>
        <property name="parserPool">
            <bean parent="mda.BasicParserPool"/>
        </property>
        <property name="source">
            <bean class="java.io.File">
                <constructor-arg value="path/to/input/aggregate.xml"/>
            </bean>
        </property>
    </bean>

    <bean id="generateContentReferenceId" parent="mda.GenerateIdStage">
        <property name="id" value="generateContentReferenceId" />
    </bean>

    <bean id="signMetadata" parent="mda.XMLSignatureSigningStage">
        <property name="id" value="signMetadata"/>
        <property name="certificates">
            <bean parent="mda.X509CertificateFactoryBean">
                <property name="resource" value="file:path/to/secrets/self-signed.pem"/>
            </bean>
        </property>
        <property name="privateKey">
            <bean parent="mda.PKCS11PrivateKeyFactoryBean">
                <property name="pkcs11Config" value="path/to/input/pkcs11-softhsm.cfg"/>
                <property name="keyPassword" value="12341234"/>
                <property name="keyAlias" value="key10"/>
            </bean>
        </property>
    </bean>

    <bean id="serialize" parent="mda.SerializationStage">
        <property name="id" value="serializeIdPs"/>
        <property name="outputFile">
            <bean class="java.io.File">
                <constructor-arg value="path/to/output/signed-with-token.xml"/>
            </bean>
        </property>
        <property name="serializer">
            <bean id="domSerializer" parent="mda.DOMElementSerializer"/>
        </property>
    </bean>

    <!-- Next we define a pipeline with all the stages in it -->
    <bean id="main" parent="mda.SimplePipeline">
        <property name="id" value="main"/>
        <property name="stages">
            <list>
                <ref bean="source"/>
                <ref bean="generateContentReferenceId" />
                <ref bean="signMetadata"/>
                <ref bean="serialize" />
            </list>
        </property>
    </bean>

</beans>
The PKCS#11 configuration file configures the Sun PKCS#11 bridge. Its contents are specific to the token and operating environment. For example:
Example pkcs11-softhsm.cfg
# PKCS#11 provider configuration for softhsm running under Amazon Linux
name = softhsm
library = /usr/lib64/pkcs11/libsofthsm2.so
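The signing stage takes the private key from the token but the certificate from a separate PEM file, so nothing in the configuration itself guarantees that the two belong together, or that the alias and password are right, until the pipeline fails at run time. The following pre-flight check is an added example, not part of this page or of the MDA distribution: it loads the SunPKCS11 bridge from the same .cfg file the beans file points at, logs in with the user password, confirms the alias names a private key, and then signs a fixed probe on the token and verifies the signature in software with the PEM certificate's public key. The class name TokenKeyCheck is my own; the argument values in the usage comment are the ones used in the configuration above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Pre-flight check for a sign-using-token.xml configuration (added example, not MDA code).
 *
 * Usage (values as in the configuration on this page):
 *   java TokenKeyCheck path/to/input/pkcs11-softhsm.cfg key10 12341234 path/to/secrets/self-signed.pem
 */
public final class TokenKeyCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TokenKeyCheck <pkcs11.cfg> <keyAlias> <keyPassword> <cert.pem>");
            System.exit(2);
        }
        final String cfgPath = args[0];
        final String alias = args[1];
        final char[] pin = args[2].toCharArray();
        final String pemPath = args[3];

        // Configure the SunPKCS11 bridge from the .cfg file (Java 9+ API, module jdk.crypto.cryptoki).
        final Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not available in this JVM");
        }
        final Provider p11 = base.configure(cfgPath);
        Security.addProvider(p11);

        // A PKCS#11 KeyStore has no backing file: load(null, pin) logs in to the token as the user.
        final KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);

        if (!ks.isKeyEntry(alias)) {
            System.err.println("no private key with alias '" + alias + "' on the token; aliases present: "
                    + Collections.list(ks.aliases()));
            System.exit(1);
        }
        final PrivateKey key = (PrivateKey) ks.getKey(alias, pin);

        // Read the separately supplied certificate, exactly as the signing stage would.
        final X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        final PublicKey pub = cert.getPublicKey();
        if (!pub.getAlgorithm().equals(key.getAlgorithm())) {
            System.err.println("MISMATCH: token key is " + key.getAlgorithm()
                    + " but the certificate holds a " + pub.getAlgorithm() + " key");
            System.exit(1);
        }

        // Sign a fixed probe on the token (the private key never leaves it) and verify in software
        // with the certificate's public key. Success proves the certificate matches the token key.
        final String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        final byte[] probe = "token-key-check".getBytes(StandardCharsets.UTF_8);

        final Signature onToken = Signature.getInstance(sigAlg, p11);
        onToken.initSign(key);
        onToken.update(probe);
        final byte[] sig = onToken.sign();

        final Signature inSoftware = Signature.getInstance(sigAlg);  // default, software provider
        inSoftware.initVerify(pub);
        inSoftware.update(probe);
        if (!inSoftware.verify(sig)) {
            System.err.println("MISMATCH: " + pemPath + " does not contain the public key for alias '" + alias + "'");
            System.exit(1);
        }
        System.out.println("OK: alias '" + alias + "' (" + key.getAlgorithm() + ") matches certificate for "
                + cert.getSubjectX500Principal());
    }
}
```

Run it once before the first pipeline run and again whenever the token, alias or certificate changes; a wrong password surfaces as an exception from ks.load, a missing alias as the alias listing, and a stale certificate as the second MISMATCH line. Note that the beans file carries the token password in clear text in the keyPassword property, so it should be readable only by the account that runs mda.sh.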