Convert test and export aggregates to SHA-256.

Make digest explicit in all signing operations rather than defaulting, for clarity. Switch over to requiring the java.security file to be *not* modified, instead referencing the Sun PKCS11 provider and the appropriate configuration file directly. Add a property defaulting system to allow things like the PKCS11 configuration file location property to be platform-specific, or specified by a non-source-controlled local override file (build.properties). This needs a little work to handle Linux for the Feitian card.
InCommon · Apr 19, 2013 · 62e85c5 · 62e85c5
1 parent 2c3660b
commit 62e85c5
Showing 4 changed files with 72 additions and 69 deletions.
diff --git a/build.xml b/build.xml
@@ -11,7 +11,39 @@
 -->
 <project default="process">
 
-	<!--
+    <!--
+        os.family
+        
+        Set a property representing the general kind of operating system
+        we're executing on.  We use this to decide which properties files
+        to load.
+        
+        Values: windows, macosx, other.
+    -->
+    <condition property="os.family" value="windows">
+        <os family="windows"/>
+    </condition>
+    <condition property="os.family" value="macosx">
+        <os family="mac"/>
+    </condition>
+    <property name="os.family" value="other"/>
+
+    <!--
+        External property files.
+        
+        Pull in properties from external files.  Because Ant properties are
+        immutable, the first file containing a particular property sets the
+        final value, and any of these files can override a property defined in
+        this file.
+        
+        The build.properties file is not source controlled, and should be used
+        to override properties for a particular deployment.   
+    -->
+    <property file="build.properties"/>
+    <property file="${os.family}.properties"/>
+    <property file="default.properties"/>
+
+    <!--
 		Accessing the remote system.
 		
 		Multiple remote systems are supported, each with its own ssh-accessable
@@ -87,11 +119,6 @@
 	<property name="md.back.signed"     value="ukfederation-back.xml"/>
 	<property name="md.wayf.signed"     value="ukfederation-wayf.xml"/>
 
-	<!--
-	    Name of default signing digest function.
-	-->
-	<property name="digest.default"     value="SHA-1"/>
-
 	<!--
 		Null device location.
 	-->
@@ -100,28 +127,6 @@
 		<os family="windows"/>
 	</condition>
 
-	<!--
-		Signing keystore type.
-		
-		On Windows, we use a hard token accessed through PKCS#11.
-		On Mac, we use a Java Keystore.
-	-->
-	<condition property="keystore.uk.sign.type"
-		value="PKCS11" else="JKS">
-		<os family="windows"/>
-	</condition>
-
-	<!--
-		Signing keystore location.
-		
-		On Windows, because we're using PKCS#11, we use an explicit NONE.
-		Otherwise, the keystore lives on the UK_KEYS volume.
-	-->
-	<condition property="keystore.uk.sign.loc"
-		value="NONE" else="/Volumes/UK_KEYS/ukfederation-sign.jks">
-		<os family="windows"/>
-	</condition>
-
 	<!--
 		Signing keystore alias.
 	-->
@@ -545,7 +550,7 @@
 	<macrodef name="XMLSECTOOL.SIGN.uk">
 		<attribute name="i"/><!-- input file, assumed to be in the XML directory -->
 		<attribute name="o"/><!-- output file, assumed to be in the XML directory -->
-		<attribute name="digest" default="${digest.default}"/><!-- digest function to use -->
+		<attribute name="digest"/><!-- digest function to use -->
 		<sequential>
 			<!-- delete the temporary file to be sure we don't use old data -->
 			<delete file="${xml.dir}/temp.xml" quiet="true" verbose="false"/>
@@ -562,38 +567,15 @@
 					<arg value="@{digest}"/>
 
 					<!--
-					    Token option 1: pkcs11Config with keystoreProvider
+					    Sign using pkcs11Config with keystoreProvider
 					   
-					    This only works with XmlSecTool 1.2.0.  It does not
-					    require the java.security file to be modified.
+					    This only works with XmlSecTool 1.2.0 and later.
+					    It requires the java.security file to be unmodified.
 					-->
-                    <!--
-                    <arg value="- -pkcs11Config"/>
-                    <arg value="C:\\pkcs11\\sdk18\\acs.cfg"/>
-                    <arg value="- -keystoreProvider"/>
+                    <arg value="--pkcs11Config"/>
+                    <arg value="${pkcs11.config}"/>
+                    <arg value="--keystoreProvider"/>
                     <arg value="sun.security.pkcs11.SunPKCS11"/>
-                    -->
-
-					<!--
-					    Token option 2: pkcs11Config without keystoreProvider
-					    
-					    This has been the traditional practice at SWITCH.
-					-->
-					<!--
-					<arg value="- -pkcs11Config"/>
-					<arg value="DUMMY"/>
-					-->
-
-					<!--
-					    Token option 3: keystore instead of pkcs11Config
-					    
-					    This has been the traditional practice at the UKf.
-					    It requires the java.security file to have been modified.
-					-->
-					<arg value="--keystore"/>
-					<arg value="${null.device}"/>
-					<arg value="--keystoreType"/>
-					<arg value="${keystore.uk.sign.type}"/>
 
 					<arg value="--key"/>
 					<arg value="${keystore.uk.sign.alias}"/>
@@ -725,7 +707,7 @@
 	<macrodef name="SIGN.uk">
 		<attribute name="i"/>
 		<attribute name="o"/>
-        <attribute name="digest" default="${digest.default}"/><!-- digest function to use -->
+        <attribute name="digest"/><!-- digest function to use -->
 		<sequential>
 			<XMLSECTOOL.SIGN.uk i="@{i}" o="@{o}" digest="@{digest}"/>
 		</sequential>
@@ -736,24 +718,19 @@
 	-->
 	<target name="sign">
 		<echo>Signing UK metadata.</echo>
-		<!-- [20] -->
-		<SIGN.uk i="${md.prod.unsigned}" o="${md.prod.signed}"/>
+		<SIGN.uk i="${md.prod.unsigned}" o="${md.prod.signed}" digest="SHA-1"/>
 
 		<echo>Signing UK WAYF metadata.</echo>
-		<!-- [26] -->
-		<SIGN.uk i="${md.wayf.unsigned}" o="${md.wayf.signed}"/>
+		<SIGN.uk i="${md.wayf.unsigned}" o="${md.wayf.signed}" digest="SHA-1"/>
 
 		<echo>Signing UK test metadata.</echo>
-		<!-- [28] -->
-		<SIGN.uk i="${md.test.unsigned}" o="${md.test.signed}"/>
+		<SIGN.uk i="${md.test.unsigned}" o="${md.test.signed}" digest="SHA-256"/>
 
 		<echo>Signing UK export metadata.</echo>
-		<!-- [30] -->
-		<SIGN.uk i="${md.export.unsigned}" o="${md.export.signed}"/>
+		<SIGN.uk i="${md.export.unsigned}" o="${md.export.signed}" digest="SHA-256"/>
 
 		<echo>Signing UK fallback metadata.</echo>
-		<!-- [32] -->
-		<SIGN.uk i="${md.back.unsigned}" o="${md.back.signed}"/>
+		<SIGN.uk i="${md.back.unsigned}" o="${md.back.signed}" digest="SHA-1"/>
 
 		<echo>Generated signed UK metadata.</echo>
 	</target>

diff --git a/default.properties b/default.properties
@@ -0,0 +1,7 @@
+#
+# default.properties
+#
+# Default properties for all builds.  Properties defined
+# here may be overridden in platform-specific properties files,
+# or in a machine-specific build.properties file.
+#
diff --git a/macosx.properties b/macosx.properties
@@ -0,0 +1,7 @@
+#
+# macosx.properties
+#
+# Properties for Mac OS X builds.  Properties defined here override
+# those defined in default.properties, but may be overridden by
+# properties defined in a machine-specific build.properties file.
+#
diff --git a/windows.properties b/windows.properties
@@ -0,0 +1,12 @@
+#
+# windows.properties
+#
+# Properties for Windows builds.  Properties defined here override
+# those defined in default.properties, but may be overridden by
+# properties defined in a machine-specific build.properties file.
+#
+
+#
+# Location of the PKCS#11 configuration file for an ACOS5 card.
+#
+pkcs11.config = C\:\\pkcs11\\sdk18\\acs.cfg