| Excerpt | ||
|---|---|---|
| ||
Demonstrates signing metadata documents using PKCS#11 tokens (such as smart cards or Hardware Security Modules). |
This command line configuration example:
reads a file
metadatapath/to/input/aggregate.xmlcontaining SAML metadatasigns that document using:
a PKCS#11 token determined by
a PKCS#11 configuration file specifying the
toketoken
a user password
an alias determining which of the token's keys to use
a separate certificate read from
certificatepath/to/secrets/self-signed.pem
writes the results into the file
path/to/output/output.xml
You can execute the example as follows:
| Code Block | ||
|---|---|---|
| ||
$ .../mda.sh configsign-using-token.xml main |
The example configuration file is as follows; it has been verified with MDA version 0.9.210.0-SNAPSHOT as of 2023-10-25:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<?xml version="1.0" encoding="UTF-8"?>
<beans default-init-method="initialize"
xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<!-- Import the Standard bean definition resource. -->
<!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
<import resource="classpath:net/shibboleth/metadata/beans.xml"/>
<!-- First, we define the stages for our pipeline -->
<bean id="source" classparent="net.shibboleth.metadata.dommda.DOMFilesystemSourceStage">
<property name="id" value="source"/>
<property name="parserPool">
<bean classparent="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initialize"mda.BasicParserPool"/>
</property>
<property name="source">
<bean class="java.io.File">
<constructor-arg value="path/to/input/metadataaggregate.xml"/>
</bean>
</property>
</bean>
<bean id="generateContentReferenceId" classparent="net.shibboleth.metadata.dom.saml.mda.GenerateIdStage">
<property name="id" value="generateContentReferenceId" />
</bean>
<bean id="signMetadata" classparent="net.shibboleth.metadata.dommda.XMLSignatureSigningStage">
<property name="id" value="signMetadata"/>
<property name="certificates">
<bean classparent="net.shibboleth.ext.spring.factory.mda.X509CertificateFactoryBean">
<property name="resource" value="file:path/to/certificatesecrets/self-signed.pem"/>
</bean>
</property>
<property name="privateKey">
<bean classparent="net.shibboleth.metadata.util.mda.PKCS11PrivateKeyFactoryBean">
<property name="pkcs11Config" value="path/to/input/pkcs11-softhsm.cfg"/>
<property name="keyPassword" value="passwordHere12341234"/>
<property name="keyAlias" value="key10"/>
</bean>
</property>
</bean>
<bean id="serialize" classparent="net.shibboleth.metadata.pipeline.mda.SerializationStage">
<property name="id" value="serializeIdPs"/>
<property name="outputFile">
<bean class="java.io.File">
<constructor-arg value="path/to/output/signed-with-token.xml"/>
</bean>
</property>
<property name="serializer">
<bean id="domSerializer" classparent="net.shibboleth.metadata.dommda.DOMElementSerializer" />
</property>
</bean>
<!-- Next we define a pipeline with all the stages in it -->
<bean id="main" classparent="net.shibboleth.metadata.pipeline.SimplePipeline" init-method="initialize"mda.SimplePipeline">
<property name="id" value="main"/>
<property name="stages">
<list>
<ref bean="source"/>
<ref bean="generateContentReferenceId" />
<ref bean="signMetadata"/>
<ref bean="serialize" />
</list>
</property>
</bean>
</beans> |
The PKCS#11 configuration file configures the Sun PKCS#11 bridge. Its contents are specific to the token and operating environment. For example:
Example pkcs11-softhsm.cfg
| Code Block | ||||
|---|---|---|---|---|
| ||||
# PKCS#11 provider configuration for forsofthsm OpenSC running under MacAmazon OSLinux X name = OpenSCsofthsm library = /Libraryusr/OpenSC/liblib64/pkcs11/opensc-pkcs11libsofthsm2.so |