diff options
6 files changed, 73 insertions, 13 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml index ca112162..14bf50d5 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml @@ -14,6 +14,7 @@ <url>http://maven.apache.org</url> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <hsm-facade-provider.version>0.1.1-SNAPSHOT</hsm-facade-provider.version> </properties> <dependencies> @@ -22,7 +23,11 @@ <artifactId>eaaf-core</artifactId> <version>${egiz.eaaf.version}</version> </dependency> - + <dependency> + <groupId>at.asitplus.hsmfacade</groupId> + <artifactId>provider</artifactId> + <version>${hsm-facade-provider.version}</version> + </dependency> <dependency> <groupId>org.opensaml</groupId> <artifactId>opensaml-core</artifactId> @@ -76,6 +81,12 @@ <artifactId>mockwebserver</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>xml-apis</groupId> + <artifactId>xml-apis</artifactId> + <version>1.4.01</version> + <scope>test</scope> + </dependency> </dependencies> diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java index 6959b6bd..bf551c0e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java @@ -19,11 +19,15 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.Security; import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collections; @@ -33,6 +37,8 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; +import at.asitplus.hsmfacade.provider.HsmFacadeProvider; +import at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; @@ -45,6 +51,7 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter; import org.apache.commons.lang3.StringUtils; +import org.apache.xml.security.algorithms.JCEMapper; import org.opensaml.security.credential.UsageType; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Lazy; @@ -250,13 +257,48 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi } + private X509Certificate getRootCertificate() throws CertificateException { + String pem = "-----BEGIN CERTIFICATE-----\n" + + "MIIDFDCCAfygAwIBAgIEXIjqbjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARy\n" + + "b290MB4XDTE5MDMxMzExMzMwMloXDTIwMDMxMjExMzMwMlowDzENMAsGA1UEAwwE\n" + + "cm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKijWXfb7bvQ7CIw\n" + + "FuyuPUz+aN7uBgSSnpYamtzjagacdtGR2V2OVHfjVHhw+cSoNPaEEV2x0O9A+w8F\n" + + "FCatBT30l7/2scuJmrdXYlIhd17NU6HG/HKYvRYROkXrprsbdZobWqdF/zShLIvv\n" + + "0bwconAu7AxwlDgNJQz2pL0e94OkCT5rZyA4HFgzJ34XynXaCMbUbVXxVk6EuNaX\n" + + "hbyco0qhjOjSn7Rwk3iXp21V4vcYRVq44sG3ieU6jHq6LKmYSGJ1y0yv9ADYJwSp\n" + + "jCzRbOEKe/7QVvZIyzzqjhO3SAHONuFNX0V6zPCgMCjUOgHuOIEKLJR9p0YYYocX\n" + + "GBLcVuECAwEAAaN4MHYwDAYDVR0TBAUwAwEB/zA6BgNVHSMEMzAxgBQueuDUlVbB\n" + + "LBjP+iRFr6lUDBh58qETpBEwDzENMAsGA1UEAwwEcm9vdIIEXIjqbjAdBgNVHQ4E\n" + + "FgQULnrg1JVWwSwYz/okRa+pVAwYefIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB\n" + + "CwUAA4IBAQCEYSVpiKFO7FjCqTlkxNBY7e7891dq43DfX9i/Hb/AIvZDPe/RC46t\n" + + "EXd9LN7QYaXe35U5ZD1q7qmK7NoFJ9zp4D4mxA2iiBHz40GnRt+0abNdQiyw913W\n" + + "s/VIElAOv0tvCw+3SwzvLRU/AVCM1weW6IUbYv/Ty5zmLBsG3do3MmVF3cqXho2m\n" + + "pNaiubuaUsR8Ms1LqIr6R7Yf8MKSrgYWCOw60gj5O64RHnEJli52D+S/8Cue5GvG\n" + + "ECckmgLgGsRcWfFwRqqS7+XWt8Dv8xxD5vurvcs547Hn28kSHtF2i+KYLDVH2QjN\n" + + "dbO0qgEJlMPi7oGrsNjIkndrWseNrPA4\n" + + "-----END CERTIFICATE-----\n"; + return (java.security.cert.X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(pem.getBytes())); + } + @Lazy @PostConstruct private void initialize() throws Exception { try { - final Resource ressource = resourceLoader.getResource(getKeyStoreFilePath()); - final InputStream is = ressource.getInputStream(); - keyStore = KeyStoreUtils.loadKeyStore(is, getKeyStorePassword()); + final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance(); + String clientUsername = "shibboleth-idp"; + String clientPassword = "supersecret123"; + String host = "localhost"; + int port = 9000; + String hsmName = "software"; + String keyStoreName = "shibboleth"; + String keyStoreAlias = "shibboleth-sign"; + + provider.init(getRootCertificate(), clientUsername, clientPassword, host, port, hsmName); + Security.addProvider(provider); + //Security.insertProviderAt(provider, 1); + JCEMapper.setProviderId(provider.getName()); + keyStore = KeyStore.getInstance("RemoteKeyStore", "HsmFacade"); + keyStore.load(new RemoteKeyStoreLoadParameter(keyStoreName)); if (keyStore == null) { throw new EaafConfigurationException("module.00", diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java index 1183bb49..7d95204b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java @@ -34,9 +34,9 @@ public class CredentialProviderTest { private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks"; private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks"; - private static final String ALIAS_METADATA = "meta"; - private static final String ALIAS_SIGN = "sig"; - private static final String ALIAS_ENC = "meta"; + private static final String ALIAS_METADATA = "shibboleth-sign"; + private static final String ALIAS_SIGN = "shibboleth-sign"; + private static final String ALIAS_ENC = "shibboleth-sign"; private static final String PASSWORD = "password"; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props index 164b8807..60cecebb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props @@ -1,8 +1,8 @@ keystore.path=classpath:/data/junit.jks keystore.pass=password -key.metadata.alias=meta +key.metadata.alias=shibboleth-sign key.metadata.pass=password -key.sig.alias=sig +key.sig.alias=shibboleth-sign key.sig.pass=password key.enc.alias= key.enc.pass= diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props index 6324f190..5dea3d51 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props @@ -1,8 +1,8 @@ keystore.path=classpath:/data/junit.jks keystore.pass=password -key.metadata.alias=meta +key.metadata.alias=shibboleth-sign key.metadata.pass=password -key.sig.alias=sig +key.sig.alias=shibboleth-sign key.sig.pass=password key.enc.alias= key.enc.pass= @@ -49,7 +49,7 @@ <org.opensaml.version>3.4.3</org.opensaml.version> <org.apache.santuario.xmlsec.version>2.1.4</org.apache.santuario.xmlsec.version> <org.bouncycastle.bcprov-jdk15on.version>1.64</org.bouncycastle.bcprov-jdk15on.version> - + <org.slf4j.version>1.7.25</org.slf4j.version> <commons-codec.version>1.11</commons-codec.version> <org.apache.commons-lang3.version>3.8.1</org.apache.commons-lang3.version> @@ -103,6 +103,13 @@ </activation> <repositories> <repository> + <id>asit</id> + <url>https://dev.a-sit.at/repositories/snapshot</url> + <snapshots> + <enabled>true</enabled> + </snapshots> + </repository> + <repository> <id>egiz-commons</id> <url>https://apps.egiz.gv.at/maven/</url> <releases> @@ -476,7 +483,7 @@ <version>${egiz.eaaf.version}</version> <scope>test</scope> <type>test-jar</type> - </dependency> + </dependency> </dependencies> </dependencyManagement> <dependencies> |