From e23226c47807be597bbbae3891dbb94069d56836 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 14 Feb 2020 08:46:52 +0100
Subject: Integrate HSM Facade from A-SIT+ The EaafKeyStoreFactory can be used
 to build KeyStores from differend providers and types

---
 .../impl/utils/AbstractCredentialProvider.java     | 119 ++++++++-------------
 1 file changed, 43 insertions(+), 76 deletions(-)

(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index bf551c0e..6477d8ff 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -19,15 +19,9 @@
 
 package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
-import java.security.Security;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -37,27 +31,24 @@ import java.util.List;
 import javax.annotation.Nonnull;
 import javax.annotation.PostConstruct;
 
-import at.asitplus.hsmfacade.provider.HsmFacadeProvider;
-import at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
+import org.opensaml.security.credential.UsageType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.ResourceLoader;
+
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
 import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
 import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
 import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
 import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
 import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.xml.security.algorithms.JCEMapper;
-import org.opensaml.security.credential.UsageType;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Lazy;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
@@ -70,6 +61,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
   @Autowired
   protected IConfiguration basicConfig;
 
+  @Autowired
+  private EaafKeyStoreFactory keyStoreFactory;
+
   private KeyStore keyStore = null;
 
   /**
@@ -78,23 +72,18 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
    *
    * @return keyStore friendlyName
    */
-  public abstract String getFriendlyName();
+  public final String getFriendlyName() {
+    return getBasicKeyStoreConfig().getFriendlyName();
 
-  /**
-   * Get KeyStore.
-   *
-   * @return URL to the keyStore
-   * @throws EaafException In case of an invalid filepath
-   */
-  @Nonnull
-  public abstract String getKeyStoreFilePath() throws EaafException;
+  }
 
   /**
-   * Get keyStore password.
+   * Get the basic KeyStore configuration object for this SAML2 credential.
    *
-   * @return Password of the keyStore
+   * @return KeyStore configuration object
    */
-  public abstract String getKeyStorePassword();
+  @Nonnull
+  public abstract KeyStoreConfiguration getBasicKeyStoreConfig();
 
   /**
    * Get alias of key for metadata signing.
@@ -161,8 +150,6 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
     }
   }
 
-
-
   /**
    * Get Credentials to sign SAML2 messages, like AuthnRequest, Response,
    * Assertions as some examples.
@@ -257,56 +244,36 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
 
   }
 
-  private X509Certificate getRootCertificate() throws CertificateException {
-    String pem = "-----BEGIN CERTIFICATE-----\n" +
-            "MIIDFDCCAfygAwIBAgIEXIjqbjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARy\n" +
-            "b290MB4XDTE5MDMxMzExMzMwMloXDTIwMDMxMjExMzMwMlowDzENMAsGA1UEAwwE\n" +
-            "cm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKijWXfb7bvQ7CIw\n" +
-            "FuyuPUz+aN7uBgSSnpYamtzjagacdtGR2V2OVHfjVHhw+cSoNPaEEV2x0O9A+w8F\n" +
-            "FCatBT30l7/2scuJmrdXYlIhd17NU6HG/HKYvRYROkXrprsbdZobWqdF/zShLIvv\n" +
-            "0bwconAu7AxwlDgNJQz2pL0e94OkCT5rZyA4HFgzJ34XynXaCMbUbVXxVk6EuNaX\n" +
-            "hbyco0qhjOjSn7Rwk3iXp21V4vcYRVq44sG3ieU6jHq6LKmYSGJ1y0yv9ADYJwSp\n" +
-            "jCzRbOEKe/7QVvZIyzzqjhO3SAHONuFNX0V6zPCgMCjUOgHuOIEKLJR9p0YYYocX\n" +
-            "GBLcVuECAwEAAaN4MHYwDAYDVR0TBAUwAwEB/zA6BgNVHSMEMzAxgBQueuDUlVbB\n" +
-            "LBjP+iRFr6lUDBh58qETpBEwDzENMAsGA1UEAwwEcm9vdIIEXIjqbjAdBgNVHQ4E\n" +
-            "FgQULnrg1JVWwSwYz/okRa+pVAwYefIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB\n" +
-            "CwUAA4IBAQCEYSVpiKFO7FjCqTlkxNBY7e7891dq43DfX9i/Hb/AIvZDPe/RC46t\n" +
-            "EXd9LN7QYaXe35U5ZD1q7qmK7NoFJ9zp4D4mxA2iiBHz40GnRt+0abNdQiyw913W\n" +
-            "s/VIElAOv0tvCw+3SwzvLRU/AVCM1weW6IUbYv/Ty5zmLBsG3do3MmVF3cqXho2m\n" +
-            "pNaiubuaUsR8Ms1LqIr6R7Yf8MKSrgYWCOw60gj5O64RHnEJli52D+S/8Cue5GvG\n" +
-            "ECckmgLgGsRcWfFwRqqS7+XWt8Dv8xxD5vurvcs547Hn28kSHtF2i+KYLDVH2QjN\n" +
-            "dbO0qgEJlMPi7oGrsNjIkndrWseNrPA4\n" +
-            "-----END CERTIFICATE-----\n";
-    return (java.security.cert.X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(pem.getBytes()));
-  }
-
-  @Lazy
   @PostConstruct
   private void initialize() throws Exception {
     try {
-      final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance();
-      String clientUsername = "shibboleth-idp";
-      String clientPassword = "supersecret123";
-      String host = "localhost";
-      int port = 9000;
-      String hsmName = "software";
-      String keyStoreName = "shibboleth";
-      String keyStoreAlias = "shibboleth-sign";
-
-      provider.init(getRootCertificate(), clientUsername, clientPassword, host, port, hsmName);
-      Security.addProvider(provider);
-      //Security.insertProviderAt(provider, 1);
-      JCEMapper.setProviderId(provider.getName());
-      keyStore = KeyStore.getInstance("RemoteKeyStore", "HsmFacade");
-      keyStore.load(new RemoteKeyStoreLoadParameter(keyStoreName));
-
-      if (keyStore == null) {
-        throw new EaafConfigurationException("module.00",
-            new Object[] { getFriendlyName(), "KeyStore initialization failed. Maybe wrong password" });
+      final KeyStoreConfiguration keyStoreConfig = getBasicKeyStoreConfig();
+      keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+
+      if (JCEMapper.getProviderId() != null
+          && !JCEMapper.getProviderId().equals(keyStore.getProvider().getName())) {
+        log.error("OpenSAML3.x can ONLY use a single type of CryptoProvider in an application. "
+            + "Can NOT set: {}, because {} was already set", keyStore.getProvider().getName(),
+            JCEMapper.getProviderId());
+        throw new EaafConfigurationException(EaafKeyStoreFactory.ERRORCODE_06,
+            new Object[] { keyStoreConfig.getFriendlyName(),
+                "OpenSAML3.x can ONLY use a single type of CryptoProvider" });
+
+      }
+
+      // Set JCEMapper only in case of HSM based KeyStores because Software KeyStores
+      // can use
+      // the default SecurityProvider system in OpenSAML3.x signing engine
+      if (!KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType())
+          && !KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType())
+          && JCEMapper.getProviderId() == null) {
+        log.info("Register CryptoProvider: {} as defaut for OpenSAML3.x",
+            keyStore.getProvider().getName());
+        JCEMapper.setProviderId(keyStore.getProvider().getName());
 
       }
 
-    } catch (IOException | KeyStoreException | EaafException e) {
+    } catch (final EaafException e) {
       log.error("Can not initialize KeyStore for eIDAS authentication client.", e);
       throw e;
 
-- 
cgit v1.2.3