
Demonstrates signing metadata documents using PKCS#11 tokens (such as smart cards or Hardware Security Modules).

This command line configuration example:

  • reads a file path/to/input/

    metadata

    aggregate.xml containing SAML metadata

  • signs that document using:

    • a PKCS#11 token determined by

      • a PKCS#11 configuration file specifying the token

      • a user password

      • an alias determining which of the token's keys to use

    • a separate certificate read from path/to/secrets/

      certificate

      self-signed.pem 

  • writes the results into the file path/to/output/output.xml

You can execute the example as follows:

$ .../mda.sh configsign-using-token.xml main

The example configuration file is as follows; it has been verified with MDA version 0.9.110.0-SNAPSHOT as of 2023-10-25:

<?xml version="1.0" encoding="UTF-8"?>
<beans default-init-method="initialize"
       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- Import the Standard bean definition resource. -->
    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>

    <!-- First, we define the stages for our pipeline -->
    <bean id="source" classparent="net.shibboleth.metadata.dom.mda.DOMFilesystemSourceStage">
        <property name="id" value="source"/>
        <property name="parserPool">
            <bean classparent="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initializemda.BasicParserPool"/>
        </property>
        <property name="source">
            <bean class="java.io.File">
                <constructor-arg value="path/to/input/metadataaggregate.xml"/>
            </bean>
        </property>
    </bean>

    <bean id="removeInvalidContactPersongenerateContentReferenceId" classparent="net.shibboleth.metadata.dom.saml.ContactPersonFilterStagemda.GenerateIdStage">
        <property name="id" value="removeInvalidContactPerson"/>
        <property name="whitelistingTypes" value="false"generateContentReferenceId" />
    </bean>

    <bean id="removeOrganizationsignMetadata" classparent="net.shibboleth.metadata.dom.saml.RemoveOrganizationStagemda.XMLSignatureSigningStage">
        <property name="id" value="removeOrganizationsignMetadata"/>
    </bean>    <property  <bean idname="createEntitiesDescriptorcertificates" class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage">>
           <property name="id" value<bean parent="createEntitiesDescriptormda.X509CertificateFactoryBean"/>
 
  </bean>      <bean id="generateContentReferenceId" class="net.shibboleth.metadata.dom.saml.GenerateIdStage">         <property name="idresource" value="generateContentReferenceId" file:path/to/secrets/self-signed.pem"/>
    </bean>      <bean id="signMetadata" class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"> </bean>
        <property name="id" value="signMetadata"/></property>
        <property name="privateKey">
            <bean classparent="net.shibboleth.ext.spring.factory.PrivateKeyFactoryBeanmda.PKCS11PrivateKeyFactoryBean">
                <property name="resourcepkcs11Config">
                    <bean class="org.springframework.core.io.FileSystemResource" value="path/to/input/pkcs11-softhsm.cfg"/>
                <property        <constructor-arg>
                            <bean class="java.io.File"name="keyPassword" value="12341234"/>
                                <constructor-arg value="path/to/private-key.pem"/>
            <property name="keyAlias" value="key10"/>
               </bean>
                        </constructor-arg>
                    </bean>
                </property>
  
         </bean>
    

  </property>     </bean>

    <bean id="serialize" classparent="net.shibboleth.metadata.pipeline.mda.SerializationStage">
        <property name="id" value="serializeIdPs"/>
        <property name="outputFile">
            <bean class="java.io.File">
                <constructor-arg value="path/to/output/signed-with-token.xml"/>
            </bean>
        </property>
        <property name="serializer">
            <bean id="domSerializer" classparent="net.shibboleth.metadata.dom.mda.DOMElementSerializer" />
        </property>
    </bean>

    <!-- Next we define a pipeline with all the stages in it -->
    <bean id="main" classparent="net.shibboleth.metadata.pipeline.SimplePipeline" init-method="initialize"mda.SimplePipeline">
        <property name="id" value="main"/>
        <property name="stages">
            <list>
                <ref bean="source"/>
                <ref bean="removeInvalidContactPersongenerateContentReferenceId" />
                <ref bean="removeOrganizationsignMetadata"/>
                <ref bean="createEntitiesDescriptorserialize" />
                <ref bean="generateContentReferenceId" /></list>
        </property>
    </bean>

 <ref bean="signMetadata"/>
                <ref bean="serialize" />
            </list>
        </property>
    </bean>
</beans></beans>
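Review bot: The PKCS#11 user PIN is committed in clear text in the `keyPassword` property of the `PKCS11PrivateKeyFactoryBean` (the `value="12341234"` line inside the `signMetadata` bean's `privateKey` property), so anyone who can read or copy this configuration can unlock the token's key. Even for an example, the published form should take the PIN from outside the bean file: add a Spring property placeholder configurer (e.g. `org.springframework.beans.factory.config.PropertyPlaceholderConfigurer` pointing at a properties file kept with the other secrets) and write `<property name="keyPassword" value="${pkcs11.keyPassword}"/>`, with a comment such as `<!-- PKCS#11 user PIN: supplied at runtime from an external properties file or system property, not stored in this file -->`. The version comparison fuses old and new text, so the exact placement of that property line within the factory bean is inferred from the surrounding `pkcs11Config` and `keyAlias` properties. Separately, the `serialize` bean sets `<property name="id" value="serializeIdPs"/>` while every other stage uses a stage id equal to its bean id; `value="serialize"` would keep the pipeline log output consistent with the `<ref bean="serialize"/>` entry.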

The PKCS#11 configuration file configures the Sun PKCS#11 bridge. Its contents are specific to the token and operating environment. For example:

Example pkcs11-softhsm.cfg
# PKCS#11 provider configuration for softhsm running under Amazon Linux
name = softhsm
library = /usr/lib64/pkcs11/libsofthsm2.so