I am attempting to sign the OpenSAML response using Azure KeyVault, but the default KeyVault behaviour does not allow me to sign the payload, because KeyVaultJcaProvider has KeyVaultKeylessRsa256Signature for the "SHA256withRSA" signature.
There is no straightforward way to override this behaviour in KeyVaultJcaProvider.
Ideally, I want to set the service with the following, so that the OpenSAML Signer uses RSASignature without going through KeyVaultKeylessRsa256Signature, but I have found no way to enforce this.
```java
putService("Signature.SHA256withRSA", "sun.security.rsa.RSASignature$SHA256withRSA");
```

Alternatively, is there a simpler way to sign a SAML with OpenSAML by passing the JCA provider?
I have the following in my code:

Application.java

```java
Security.insertProviderAt(new KeyVaultJcaProvider(), 1); // working as expected
SpringApplication.run(Application.class, args);
```

Config which sets the signing credential as a BasicX509Credential:

```java
@Bean
public Credential samlCredential(...) { // working as expected
    ...
    X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, password.toCharArray());
    BasicX509Credential credential = new BasicX509Credential(certificate);
    credential.setPrivateKey(privateKey);
    return credential;
}
```

SAML code:
```java
samlObject.setSignature(signature);
XMLObjectProviderRegistrySupport.getMarshallerFactory()
        .getMarshaller(samlObject)
        .marshall(samlObject);
Signer.signObject(signature); // BREAKS because the JCA returns AzureKeyLessSignature, which doesn't work with OpenSAML (I think?)
```

This is the error stack trace:

```
engineInitSign() not supported which private key is not instance of KeyVaultPrivateKey
    at com.azure.security.keyvault.jca.implementation.signature.AbstractKeyVaultKeylessSignature.engineInitSign(AbstractKeyVaultKeylessSignature.java:77)
    at com.azure.security.keyvault.jca.implementation.signature.AbstractKeyVaultKeylessSignature.engineInitSign(AbstractKeyVaultKeylessSignature.java:83)
    at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1357)
    at java.base/java.security.Signature.initSign(Signature.java:636)
    at org.apache.xml.security.algorithms.SignatureAlgorithmSpi.engineInitSign(SignatureAlgorithmSpi.java:212)
    at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:130)
    at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:136)
    at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:273)
    at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:793)
    at org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:59)
    at org.opensaml.xmlsec.signature.support.Signer.signObject(Signer.java:76)
```
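An added illustration of the JCA provider-precedence mechanics behind the error above (example code written for this page, not code from the question, the Azure SDK or OpenSAML). A throwaway provider `RemoteDemo` with a `RemoteOnlySignature` SPI stands in for KeyVaultJcaProvider and KeyVaultKeylessRsa256Signature, and `RemoteKey` stands in for KeyVaultPrivateKey; all three names are hypothetical, and the signed payload is a constructed sample. It shows what an unqualified `Signature.getInstance("SHA256withRSA")` resolves to once such a provider sits at position 1, that a provider-qualified lookup (`"SunRsaSign"`) ignores precedence altogether, and what changes when the provider is registered after SunRsaSign instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureSpi;

public class ProviderOrderDemo {

    /** Hypothetical marker type standing in for KeyVaultPrivateKey. */
    public interface RemoteKey extends PrivateKey { }

    /**
     * Stand-in for KeyVaultKeylessRsa256Signature: claims SHA256withRSA but refuses any
     * private key it does not own. Public with a public no-arg constructor so the JCA
     * framework can instantiate it reflectively. Signing itself is stubbed: the demo
     * never gets past engineInitSign with a local key, which is the point.
     */
    public static final class RemoteOnlySignature extends SignatureSpi {
        @Override protected void engineInitSign(PrivateKey key) throws InvalidKeyException {
            if (!(key instanceof RemoteKey)) {
                // Same failure shape as the trace in the question.
                throw new UnsupportedOperationException(
                        "engineInitSign() not supported: private key is not a RemoteKey");
            }
        }
        @Override protected void engineInitVerify(PublicKey key) {
            throw new UnsupportedOperationException("verify is out of scope for the demo");
        }
        @Override protected void engineUpdate(byte b) { }
        @Override protected void engineUpdate(byte[] b, int off, int len) { }
        @Override protected byte[] engineSign() { return new byte[0]; }
        @Override protected boolean engineVerify(byte[] sig) { return false; }
        @Override protected void engineSetParameter(String name, Object value) { }
        @Override protected Object engineGetParameter(String name) { return null; }
    }

    /** Stand-in for KeyVaultJcaProvider: registers the SPI above as SHA256withRSA. */
    public static final class RemoteProvider extends Provider {
        public RemoteProvider() {
            super("RemoteDemo", "1.0", "demo provider that only signs with RemoteKey");
            putService(new Service(this, "Signature", "SHA256withRSA",
                    RemoteOnlySignature.class.getName(), null, null));
        }
    }

    static String providerFor(Signature sig) {
        return sig.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // A software key, the analogue of one loaded from a local keystore as in the question.
        PrivateKey localKey = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
        byte[] payload = "<samlp:Response/>".getBytes(StandardCharsets.UTF_8); // constructed sample

        // Same registration as the question's Application.java: highest precedence.
        Security.insertProviderAt(new RemoteProvider(), 1);
        for (Provider p : Security.getProviders("Signature.SHA256withRSA")) {
            System.out.println("SHA256withRSA offered by: " + p.getName());
        }

        // 1) Unqualified lookup. Reading getProvider() commits the Signature object to the
        //    first provider that claims the algorithm; after that there is no fallback.
        Signature unqualified = Signature.getInstance("SHA256withRSA");
        System.out.println("unqualified lookup resolved to " + providerFor(unqualified));
        try {
            unqualified.initSign(localKey);
            System.out.println("unexpected: local key accepted");
        } catch (UnsupportedOperationException e) {
            System.out.println("initSign rejected the local key: " + e.getMessage());
        }

        // 2) A provider-qualified lookup ignores precedence entirely.
        Signature qualified = Signature.getInstance("SHA256withRSA", "SunRsaSign");
        qualified.initSign(localKey);
        qualified.update(payload);
        System.out.println("SunRsaSign signed " + payload.length + " bytes -> "
                + qualified.sign().length + "-byte signature");

        // 3) Registering the remote provider last keeps it available to callers that ask
        //    for it by name, while unqualified lookups now land on SunRsaSign first.
        Security.removeProvider("RemoteDemo");
        Security.addProvider(new RemoteProvider());
        Signature reordered = Signature.getInstance("SHA256withRSA");
        System.out.println("after reorder, unqualified lookup resolved to " + providerFor(reordered));
        reordered.initSign(localKey); // succeeds with the local key
    }
}
```

This only demonstrates JDK provider selection, not a verified fix for the OpenSAML path: the trace shows `Signature$Delegate.engineInitSign` handing straight to the KeyVault SPI, which is consistent with the `Signature` object already being committed to that provider by the time `initSign` runs, and once committed the JDK does not try the next provider. Whether Santuario (which `Signer.signObject` delegates to, per the trace) can be told to make its lookups provider-qualified, for example through the static `JCEMapper.setProviderId(...)` it has carried for some time, is an assumption to check against the Santuario and OpenSAML versions actually in use.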