summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/pom.xml13
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java48
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java6
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props4
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props4
-rw-r--r--pom.xml11
6 files changed, 73 insertions, 13 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index ca112162..14bf50d5 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -14,6 +14,7 @@
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <hsm-facade-provider.version>0.1.1-SNAPSHOT</hsm-facade-provider.version>
</properties>
<dependencies>
@@ -22,7 +23,11 @@
<artifactId>eaaf-core</artifactId>
<version>${egiz.eaaf.version}</version>
</dependency>
-
+ <dependency>
+ <groupId>at.asitplus.hsmfacade</groupId>
+ <artifactId>provider</artifactId>
+ <version>${hsm-facade-provider.version}</version>
+ </dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-core</artifactId>
@@ -76,6 +81,12 @@
<artifactId>mockwebserver</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>xml-apis</groupId>
+ <artifactId>xml-apis</artifactId>
+ <version>1.4.01</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index 6959b6bd..bf551c0e 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -19,11 +19,15 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.Security;
import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
@@ -33,6 +37,8 @@ import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
+import at.asitplus.hsmfacade.provider.HsmFacadeProvider;
+import at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
@@ -45,6 +51,7 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
import org.apache.commons.lang3.StringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
import org.opensaml.security.credential.UsageType;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
@@ -250,13 +257,48 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
}
+ private X509Certificate getRootCertificate() throws CertificateException {
+ String pem = "-----BEGIN CERTIFICATE-----\n" +
+ "MIIDFDCCAfygAwIBAgIEXIjqbjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARy\n" +
+ "b290MB4XDTE5MDMxMzExMzMwMloXDTIwMDMxMjExMzMwMlowDzENMAsGA1UEAwwE\n" +
+ "cm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKijWXfb7bvQ7CIw\n" +
+ "FuyuPUz+aN7uBgSSnpYamtzjagacdtGR2V2OVHfjVHhw+cSoNPaEEV2x0O9A+w8F\n" +
+ "FCatBT30l7/2scuJmrdXYlIhd17NU6HG/HKYvRYROkXrprsbdZobWqdF/zShLIvv\n" +
+ "0bwconAu7AxwlDgNJQz2pL0e94OkCT5rZyA4HFgzJ34XynXaCMbUbVXxVk6EuNaX\n" +
+ "hbyco0qhjOjSn7Rwk3iXp21V4vcYRVq44sG3ieU6jHq6LKmYSGJ1y0yv9ADYJwSp\n" +
+ "jCzRbOEKe/7QVvZIyzzqjhO3SAHONuFNX0V6zPCgMCjUOgHuOIEKLJR9p0YYYocX\n" +
+ "GBLcVuECAwEAAaN4MHYwDAYDVR0TBAUwAwEB/zA6BgNVHSMEMzAxgBQueuDUlVbB\n" +
+ "LBjP+iRFr6lUDBh58qETpBEwDzENMAsGA1UEAwwEcm9vdIIEXIjqbjAdBgNVHQ4E\n" +
+ "FgQULnrg1JVWwSwYz/okRa+pVAwYefIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB\n" +
+ "CwUAA4IBAQCEYSVpiKFO7FjCqTlkxNBY7e7891dq43DfX9i/Hb/AIvZDPe/RC46t\n" +
+ "EXd9LN7QYaXe35U5ZD1q7qmK7NoFJ9zp4D4mxA2iiBHz40GnRt+0abNdQiyw913W\n" +
+ "s/VIElAOv0tvCw+3SwzvLRU/AVCM1weW6IUbYv/Ty5zmLBsG3do3MmVF3cqXho2m\n" +
+ "pNaiubuaUsR8Ms1LqIr6R7Yf8MKSrgYWCOw60gj5O64RHnEJli52D+S/8Cue5GvG\n" +
+ "ECckmgLgGsRcWfFwRqqS7+XWt8Dv8xxD5vurvcs547Hn28kSHtF2i+KYLDVH2QjN\n" +
+ "dbO0qgEJlMPi7oGrsNjIkndrWseNrPA4\n" +
+ "-----END CERTIFICATE-----\n";
+ return (java.security.cert.X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(pem.getBytes()));
+ }
+
@Lazy
@PostConstruct
private void initialize() throws Exception {
try {
- final Resource ressource = resourceLoader.getResource(getKeyStoreFilePath());
- final InputStream is = ressource.getInputStream();
- keyStore = KeyStoreUtils.loadKeyStore(is, getKeyStorePassword());
+ final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance();
+ String clientUsername = "shibboleth-idp";
+ String clientPassword = "supersecret123";
+ String host = "localhost";
+ int port = 9000;
+ String hsmName = "software";
+ String keyStoreName = "shibboleth";
+ String keyStoreAlias = "shibboleth-sign";
+
+ provider.init(getRootCertificate(), clientUsername, clientPassword, host, port, hsmName);
+ Security.addProvider(provider);
+ //Security.insertProviderAt(provider, 1);
+ JCEMapper.setProviderId(provider.getName());
+ keyStore = KeyStore.getInstance("RemoteKeyStore", "HsmFacade");
+ keyStore.load(new RemoteKeyStoreLoadParameter(keyStoreName));
if (keyStore == null) {
throw new EaafConfigurationException("module.00",
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
index 1183bb49..7d95204b 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
@@ -34,9 +34,9 @@ public class CredentialProviderTest {
private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks";
private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks";
- private static final String ALIAS_METADATA = "meta";
- private static final String ALIAS_SIGN = "sig";
- private static final String ALIAS_ENC = "meta";
+ private static final String ALIAS_METADATA = "shibboleth-sign";
+ private static final String ALIAS_SIGN = "shibboleth-sign";
+ private static final String ALIAS_ENC = "shibboleth-sign";
private static final String PASSWORD = "password";
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
index 164b8807..60cecebb 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
@@ -1,8 +1,8 @@
keystore.path=classpath:/data/junit.jks
keystore.pass=password
-key.metadata.alias=meta
+key.metadata.alias=shibboleth-sign
key.metadata.pass=password
-key.sig.alias=sig
+key.sig.alias=shibboleth-sign
key.sig.pass=password
key.enc.alias=
key.enc.pass=
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props
index 6324f190..5dea3d51 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/config/config_1.props
@@ -1,8 +1,8 @@
keystore.path=classpath:/data/junit.jks
keystore.pass=password
-key.metadata.alias=meta
+key.metadata.alias=shibboleth-sign
key.metadata.pass=password
-key.sig.alias=sig
+key.sig.alias=shibboleth-sign
key.sig.pass=password
key.enc.alias=
key.enc.pass=
diff --git a/pom.xml b/pom.xml
index 6ac68e6d..669d9da2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,7 +49,7 @@
<org.opensaml.version>3.4.3</org.opensaml.version>
<org.apache.santuario.xmlsec.version>2.1.4</org.apache.santuario.xmlsec.version>
<org.bouncycastle.bcprov-jdk15on.version>1.64</org.bouncycastle.bcprov-jdk15on.version>
-
+
<org.slf4j.version>1.7.25</org.slf4j.version>
<commons-codec.version>1.11</commons-codec.version>
<org.apache.commons-lang3.version>3.8.1</org.apache.commons-lang3.version>
@@ -103,6 +103,13 @@
</activation>
<repositories>
<repository>
+ <id>asit</id>
+ <url>https://dev.a-sit.at/repositories/snapshot</url>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ <repository>
<id>egiz-commons</id>
<url>https://apps.egiz.gv.at/maven/</url>
<releases>
@@ -476,7 +483,7 @@
<version>${egiz.eaaf.version}</version>
<scope>test</scope>
<type>test-jar</type>
- </dependency>
+ </dependency>
</dependencies>
</dependencyManagement>
<dependencies>