From e02aa41578ec3e08dd96fde9ef0342b69a051ba6 Mon Sep 17 00:00:00 2001
From: Christian Kollmann
Date: Mon, 10 Feb 2020 12:39:09 +0100
Subject: Hack: Integrate HsmFacade for signing operations
---
 .../impl/utils/AbstractCredentialProvider.java | 48 ++++++++++++++++++++--
 1 file changed, 45 insertions(+), 3 deletions(-)
(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules')
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index 6959b6bd..bf551c0e 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -19,11 +19,15 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.Security;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -33,6 +37,8 @@ import java.util.List;
 import javax.annotation.Nonnull;
 import javax.annotation.PostConstruct;
+import at.asitplus.hsmfacade.provider.HsmFacadeProvider;
+import at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter;
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
@@ -45,6 +51,7 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
 import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
 import org.opensaml.security.credential.UsageType;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Lazy;
@@ -250,13 +257,48 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
   }
+  private X509Certificate getRootCertificate() throws CertificateException {
+    String pem = "-----BEGIN CERTIFICATE-----\n" +
+        "MIIDFDCCAfygAwIBAgIEXIjqbjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARy\n" +
+        "b290MB4XDTE5MDMxMzExMzMwMloXDTIwMDMxMjExMzMwMlowDzENMAsGA1UEAwwE\n" +
+        "cm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKijWXfb7bvQ7CIw\n" +
+        "FuyuPUz+aN7uBgSSnpYamtzjagacdtGR2V2OVHfjVHhw+cSoNPaEEV2x0O9A+w8F\n" +
+        "FCatBT30l7/2scuJmrdXYlIhd17NU6HG/HKYvRYROkXrprsbdZobWqdF/zShLIvv\n" +
+        "0bwconAu7AxwlDgNJQz2pL0e94OkCT5rZyA4HFgzJ34XynXaCMbUbVXxVk6EuNaX\n" +
+        "hbyco0qhjOjSn7Rwk3iXp21V4vcYRVq44sG3ieU6jHq6LKmYSGJ1y0yv9ADYJwSp\n" +
+        "jCzRbOEKe/7QVvZIyzzqjhO3SAHONuFNX0V6zPCgMCjUOgHuOIEKLJR9p0YYYocX\n" +
+        "GBLcVuECAwEAAaN4MHYwDAYDVR0TBAUwAwEB/zA6BgNVHSMEMzAxgBQueuDUlVbB\n" +
+        "LBjP+iRFr6lUDBh58qETpBEwDzENMAsGA1UEAwwEcm9vdIIEXIjqbjAdBgNVHQ4E\n" +
+        "FgQULnrg1JVWwSwYz/okRa+pVAwYefIwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB\n" +
+        "CwUAA4IBAQCEYSVpiKFO7FjCqTlkxNBY7e7891dq43DfX9i/Hb/AIvZDPe/RC46t\n" +
+        "EXd9LN7QYaXe35U5ZD1q7qmK7NoFJ9zp4D4mxA2iiBHz40GnRt+0abNdQiyw913W\n" +
+        "s/VIElAOv0tvCw+3SwzvLRU/AVCM1weW6IUbYv/Ty5zmLBsG3do3MmVF3cqXho2m\n" +
+        "pNaiubuaUsR8Ms1LqIr6R7Yf8MKSrgYWCOw60gj5O64RHnEJli52D+S/8Cue5GvG\n" +
+        "ECckmgLgGsRcWfFwRqqS7+XWt8Dv8xxD5vurvcs547Hn28kSHtF2i+KYLDVH2QjN\n" +
+        "dbO0qgEJlMPi7oGrsNjIkndrWseNrPA4\n" +
+        "-----END CERTIFICATE-----\n";
+    return (java.security.cert.X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(pem.getBytes()));
+  }
+
   @Lazy
   @PostConstruct
   private void initialize() throws Exception {
     try {
-      final Resource ressource = resourceLoader.getResource(getKeyStoreFilePath());
-      final InputStream is = ressource.getInputStream();
-      keyStore = KeyStoreUtils.loadKeyStore(is, getKeyStorePassword());
+      final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance();
+      String clientUsername = "shibboleth-idp";
+      String clientPassword = "supersecret123";
+      String host = "localhost";
+      int port = 9000;
+      String hsmName = "software";
+      String keyStoreName = "shibboleth";
+      String keyStoreAlias = "shibboleth-sign";
+
+      provider.init(getRootCertificate(), clientUsername, clientPassword, host, port, hsmName);
+      Security.addProvider(provider);
+      //Security.insertProviderAt(provider, 1);
+      JCEMapper.setProviderId(provider.getName());
+      keyStore = KeyStore.getInstance("RemoteKeyStore", "HsmFacade");
+      keyStore.load(new RemoteKeyStoreLoadParameter(keyStoreName));
       if (keyStore == null) {
         throw new EaafConfigurationException("module.00",
--
cgit v1.2.3
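Review bot: The HSM client secret, endpoint and key-store names are hard-coded literals in `initialize()` (`clientPassword = "supersecret123"`, `host = "localhost"`, `port = 9000`, `keyStoreName = "shibboleth"`), which commits a credential to version control and silently bypasses the `getKeyStoreFilePath()`/`getKeyStorePassword()` configuration hooks the removed lines used — even for a commit labelled as a hack these should be read through the already-imported `IConfiguration` and the password kept out of the repository. The trust anchor returned by `getRootCertificate()` appears to be a self-signed `CN=root` test certificate whose notAfter decodes to 2020-03-12, one month after this commit, so a facade that validates the server chain against it will presumably start failing then; loading it from a resource via `resourceLoader` (shown available by the removed lines) rather than a string literal would make rotation possible. `Security.addProvider(provider)` followed by `JCEMapper.setProviderId(provider.getName())` is a JVM-global change that, as far as the xmlsec API goes, routes every algorithm lookup — presumably including verification of inbound SAML signatures — through the HsmFacade provider, which deserves a comment such as `// NOTE: JCEMapper provider id is process-global; all xmlsec crypto now resolves via HsmFacade` and a check that the provider actually serves those algorithms. `keyStoreAlias` is assigned but never used in this hunk, and the commented-out `//Security.insertProviderAt(provider, 1);` should be deleted rather than left as dead code. `initialize()` continues past the end of the hunk.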