
Adopt v5 CloudHSM provider and factory bean
iay committed Apr 8, 2024
1 parent 2ab829d commit 8e689cf
Showing 10 changed files with 19 additions and 26 deletions.
29 changes: 11 additions & 18 deletions build.xml
Expand Up @@ -1674,8 +1674,6 @@
<sequential>
<java classname="net.shibboleth.metadata.cli.SimpleCommandLine"
fork="true" failonerror="true" maxmemory="${java.max.memory}">
<sysproperty key="java.library.path" path="${mda.jni.path}"
if:set="mda.jni.path"/>
<classpath>
<!-- Spring "classpath:" imports can be under the MDX directory -->
<pathelement path="${mdx.dir}"/>
Expand Down Expand Up @@ -1720,9 +1718,8 @@
</fileset>

<!-- Include a per-target directory if set. -->
<fileset dir="${tools.dir}">
<include name="${mda.classpath.extra}/*.jar"
if="mda.classpath.extra"/>
<fileset dir="${mda.classpath.extra}" if:set="mda.classpath.extra">
<include name="*.jar"/>
</fileset>
</classpath>
<syspropertyset>
Expand Down Expand Up @@ -3058,11 +3055,10 @@
Generate the InCommon import aggregate signed using AWS CloudHSM
-->
<target name="inc.generate.import_sign">
<property name="mda.sign.keyHandle" value="${sign.keyHandle}"/>
<property name="mda.sign.keyLabel" value="${sign.keyLabel}"/>
<property name="mda.sign.keyPassword" value="${sign.keyPassword}"/>
<property name="mda.sign.keyUser" value="${sign.keyUser}"/>
<property name="mda.classpath.extra" value="inc-mda-cloudhsm"/>
<property name="mda.jni.path" value="/opt/cloudhsm/lib"/>
<property name="mda.classpath.extra" value="/opt/cloudhsm/java"/>

<echo>Generating InCommon signed import aggregate in ${mda.inc.imported.xml}</echo>
<echo> (IdP-only aggregate in ${mda.inc.imported-idp.xml})</echo>
Expand All @@ -3079,11 +3075,10 @@
Sign an aggregate using CloudHSM
-->
<target name="inc.generate.sign">
<property name="mda.sign.keyHandle" value="${sign.keyHandle}"/>
<property name="mda.sign.keyLabel" value="${sign.keyLabel}"/>
<property name="mda.sign.keyPassword" value="${sign.keyPassword}"/>
<property name="mda.sign.keyUser" value="${sign.keyUser}"/>
<property name="mda.classpath.extra" value="inc-mda-cloudhsm"/>
<property name="mda.jni.path" value="/opt/cloudhsm/lib"/>
<property name="mda.classpath.extra" value="/opt/cloudhsm/java"/>

<echo>Generating signed aggregate in ${mda.inc.imported.xml}</echo>
<echo> from aggregate in ${mda.inc.production.xml}</echo>
Expand Down Expand Up @@ -3156,18 +3151,17 @@
Properties:
Set sign.keyHandle to indicate the key to be used for signing.
Set sign.keyLabel to indicate the key to be used for signing.
Set sign.keyUser and sign.keyPassword with credentials for the HSM user
accessing the key.
-->
<target name="inc.mdq.generate.cloudhsm">
<property name="mda.mdq.input" value="${mda.inc.imported.xml}"/>
<property name="mda.sign.keyHandle" value="${sign.keyHandle}"/>
<property name="mda.sign.keyLabel" value="${sign.keyLabel}"/>
<property name="mda.sign.keyUser" value="${sign.keyUser}"/>
<property name="mda.sign.keyPassword" value="${sign.keyPassword}"/>
<property name="mda.classpath.extra" value="inc-mda-cloudhsm"/>
<property name="mda.jni.path" value="/opt/cloudhsm/lib"/>
<property name="mda.classpath.extra" value="/opt/cloudhsm/java"/>
<echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
<echo> from unsigned aggregate in ${mda.mdq.input}</echo>
<delete dir="${mdq.output.dir}" quiet="true"/>
Expand All @@ -3188,10 +3182,9 @@
accessing the key.
-->
<target name="inc.mdq.generate.all.cloudhsm">
<property name="mda.classpath.extra" value="inc-mda-cloudhsm"/>
<property name="mda.jni.path" value="/opt/cloudhsm/lib"/>
<property name="mda.classpath.extra" value="/opt/cloudhsm/java"/>
<property name="mda.mdq.input" value="${mda.inc.imported.xml}"/>
<property name="mda.sign.keyHandle" value="${sign.keyHandle}"/>
<property name="mda.sign.keyLabel" value="${sign.keyLabel}"/>
<property name="mda.sign.keyPassword" value="${sign.keyPassword}"/>
<property name="mda.sign.keyUser" value="${sign.keyUser}"/>
<echo>Generating MDQ metadata in ${mda.mdq.output}</echo>
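Review bot: The four targets inc.generate.import_sign, inc.generate.sign, inc.mdq.generate.cloudhsm and inc.mdq.generate.all.cloudhsm now set mda.classpath.extra to the absolute path `/opt/cloudhsm/java`, and the rewritten `<fileset dir="${mda.classpath.extra}" if:set="mda.classpath.extra">` in the classpath hunk puts every jar found in that machine-local directory onto the signing JVM's classpath, where the repository previously carried a pinned tools/inc-mda-cloudhsm set. Nothing in build.xml records which v5 library version that directory is expected to contain or that it has to be compatible with the inc-mda-cloudhsm-5.11.0.jar added under tools/inc-mda, so a mismatched or stale install on the signing host would only show up at runtime. Suggest a comment on the first of the four property lines, e.g. `<!-- /opt/cloudhsm/java: host-installed AWS CloudHSM v5 Java library; must be compatible with tools/inc-mda/inc-mda-cloudhsm-5.x.jar -->`, and a line in the target's header comment noting that `<property>` is first-wins in Ant so `-Dmda.classpath.extra=...` on the command line redirects the lookup, which is presumably intended. The same property line appears in all four target hunks; one comment at the first is enough.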
4 changes: 2 additions & 2 deletions mdx/incommon/import_sign.xml
Expand Up @@ -208,8 +208,8 @@
<!-- MD SIGNING MOVE TO AWS (TIO-118) -->

<!-- Define a private key factory (based on AWS CloudHSM) -->
<bean id="hsmPrivateKeyFactory" class="uk.org.iay.incommon.mda.cloudhsm.CaviumPrivateKeyFactoryBean"
p:username="${sign.keyUser}" p:password="${sign.keyPassword}" p:keyHandle="${sign.keyHandle}" />
<bean id="hsmPrivateKeyFactory" class="uk.org.iay.incommon.mda.cloudhsm.CloudHSMPrivateKeyFactoryBean"
p:username="${sign.keyUser}" p:password="${sign.keyPassword}" p:keyLabel="${sign.keyLabel}" />

<!-- Signs items using a provided privateKeyFactory -->
<bean id="signItems" parent="mda.XMLSignatureSigningStage">
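Review bot: The hsmPrivateKeyFactory bean now selects the signing key with `p:keyLabel="${sign.keyLabel}"` instead of `p:keyHandle`; a CloudHSM key label is a user-assigned attribute that the HSM does not enforce to be unique, whereas a handle identified exactly one key, so the configuration should state what the factory does when `${sign.keyLabel}` matches zero or more than one key (fail rather than take the first match). The behaviour of CloudHSMPrivateKeyFactoryBean cannot be checked from this page because it lives in the added binary jar, so this is a request for documentation at the bean rather than a claimed defect. Suggest extending the comment above the bean to `<!-- Define a private key factory (based on AWS CloudHSM v5); the key is chosen by label, which must match exactly one key in the cluster -->`. The same change is made in mdx/incommon/mdq-all-cloudhsm.xml, mdx/incommon/mdq-multisign-cloudhsm.xml and mdx/incommon/sign.xml.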
4 changes: 2 additions & 2 deletions mdx/incommon/mdq-all-cloudhsm.xml
Expand Up @@ -12,8 +12,8 @@
<import resource="classpath:incommon/mdq-all.xml" />

<!-- Define a private key factory (based on AWS CloudHSM) to be used by the generateAll stage -->
<bean id="privateKeyFactory" class="uk.org.iay.incommon.mda.cloudhsm.CaviumPrivateKeyFactoryBean"
p:username="${sign.keyUser}" p:password="${sign.keyPassword}" p:keyHandle="${sign.keyHandle}" />
<bean id="privateKeyFactory" class="uk.org.iay.incommon.mda.cloudhsm.CloudHSMPrivateKeyFactoryBean"
p:username="${sign.keyUser}" p:password="${sign.keyPassword}" p:keyLabel="${sign.keyLabel}" />

<!-- Generate all signed metadata required by the InCommon MDQ service -->
<bean id="mdq-all-cloudhsm" parent="mda.SimplePipeline">
4 changes: 2 additions & 2 deletions mdx/incommon/mdq-multisign-cloudhsm.xml
Expand Up @@ -71,10 +71,10 @@
<!-- Sign each item. -->
<bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
<property name="privateKey">
<bean class="uk.org.iay.incommon.mda.cloudhsm.CaviumPrivateKeyFactoryBean"
<bean class="uk.org.iay.incommon.mda.cloudhsm.CloudHSMPrivateKeyFactoryBean"
p:username="${sign.keyUser}"
p:password="${sign.keyPassword}"
p:keyHandle="${sign.keyHandle}"
p:keyLabel="${sign.keyLabel}"
/>
</property>
</bean>
4 changes: 2 additions & 2 deletions mdx/incommon/sign.xml
Expand Up @@ -208,8 +208,8 @@
<!-- MD SIGNING MOVE TO AWS (TIO-118) -->

<!-- Define a private key factory (based on AWS CloudHSM) -->
<bean id="hsmPrivateKeyFactory" class="uk.org.iay.incommon.mda.cloudhsm.CaviumPrivateKeyFactoryBean"
p:username="${sign.keyUser}" p:password="${sign.keyPassword}" p:keyHandle="${sign.keyHandle}" />
<bean id="hsmPrivateKeyFactory" class="uk.org.iay.incommon.mda.cloudhsm.CloudHSMPrivateKeyFactoryBean"
p:username="${sign.keyUser}" p:password="${sign.keyPassword}" p:keyLabel="${sign.keyLabel}" />

<!-- Signs items using a provided privateKeyFactory -->
<bean id="signItems" parent="mda.XMLSignatureSigningStage">
Binary file removed tools/inc-mda-cloudhsm/cloudhsm-3.1.1.jar
Binary file removed tools/inc-mda-cloudhsm/inc-mda-cloudhsm-1.1.0.jar
Binary file removed tools/inc-mda-cloudhsm/log4j-api-2.11.0.jar
Binary file removed tools/inc-mda-cloudhsm/log4j-core-2.11.0.jar
Binary file added tools/inc-mda/inc-mda-cloudhsm-5.11.0.jar
