Use signing key on HSM to sign assertions

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Use signing key on HSM to sign assertions

ofaklintrafo
Hi,

I need to configure/modify my shibboleth IDP to use a signing key on a
Safenet HSM to sign the assertions.

I have the Safenet HSM, documentation and JCA/JCE  drivers and access to a
Safenet HSM partition with the signing key.

But what is the best way to inject this configuration into the Shibboleth
IDP. And if I need to implement a custom bean, which interface should it
implement and where should it be injected ?

Any guidance and help would be appreciated.



--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Use signing key on HSM to sign assertions

Tom Scavo
On Sat, May 5, 2018 at 9:06 PM, ofaklintrafo <[hidden email]> wrote:

>
> I need to configure/modify my shibboleth IDP to use a signing key on a
> Safenet HSM to sign the assertions.
>
> I have the Safenet HSM, documentation and JCA/JCE  drivers and access to a
> Safenet HSM partition with the signing key.
>
> But what is the best way to inject this configuration into the Shibboleth
> IDP. And if I need to implement a custom bean, which interface should it
> implement and where should it be injected ?

Have you searched the archives? This thread will get you started:

https://marc.info/?t=151381710100001&r=1&w=2

Unfortunately there is no cookbook AFAIK.

Tom
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Use signing key on HSM to sign assertions

Peter Schober
* Tom Scavo <[hidden email]> [2018-05-06 17:35]:
> Have you searched the archives? This thread will get you started:

That's from the same OP, of course.

-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Use signing key on HSM to sign assertions

ofaklintrafo
In reply to this post by Tom Scavo
Yes I know about this thread in the archive. It was initiated by me and the
topic was the general HSM integration between a HSM and the Shibboleth IdP.

Now I am ask more specifically about which configurations/customizations are
required to integrate to an HSM only to perform the assertion signing.

Basically I would like to customized the code/bean which does the assertion
signing. This bean I would then customize to perform this signing using the
private key on a HSM.

The question is what configuration changes are required to only replace the
functionality which does the assertion signing? Which bean/beans need to be
customized ?




--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Use signing key on HSM to sign assertions

Cantor, Scott E.
> Basically I would like to customized the code/bean which does the assertion
> signing. This bean I would then customize to perform this signing using the
> private key on a HSM.

It doesn't work that way. That's much high layer stuff. Using an HSM is something generally done at the layer of the JCE and generally through PKCS-12. There would have to be code added to abstract the credential objects through a provider that also implements the RSA algorithm through the hardware. It isn't something anybody has done to my knowledge, and certainly not something anybody has ever documented, for the IdP itself.

I believe xmlsectool has some tested support for using PKCS12 keystores for signing, and that's more or less what would have to be done for the IdP, a JCE configured and then Java classes written to supply the credential interfaces the IdP relies on from such a keystore. We don't even formally have keystore support at all right now based on a review I did of the code recently.

It may be that the actual amount of new code needed is very small, but the path to getting to that code is not, if I were to guess. And configuring that stuff tends to be incredibly hard, and is inherently specific to each HSM, so impossible to effectively cover in any documentation, it's a ton of trial and error.

> The question is what configuration changes are required to only replace the
> functionality which does the assertion signing? Which bean/beans need to
> be customized ?

It is not that simple, not by a long shot. It's an enhancement request at best.

-- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Use signing key on HSM to sign assertions

Cantor, Scott E.
s/PKCS12/PKCS11.

-- Scott

> -----Original Message-----
> From: Cantor, Scott
> Sent: Monday, May 7, 2018 9:37 AM
> To: Shib Users <[hidden email]>
> Subject: RE: Use signing key on HSM to sign assertions
>
> > Basically I would like to customized the code/bean which does the
> > assertion signing. This bean I would then customize to perform this
> > signing using the private key on a HSM.
>
> It doesn't work that way. That's much high layer stuff. Using an HSM is
> something generally done at the layer of the JCE and generally through PKCS-
> 12. There would have to be code added to abstract the credential objects
> through a provider that also implements the RSA algorithm through the
> hardware. It isn't something anybody has done to my knowledge, and
> certainly not something anybody has ever documented, for the IdP itself.
>
> I believe xmlsectool has some tested support for using PKCS12 keystores for
> signing, and that's more or less what would have to be done for the IdP, a JCE
> configured and then Java classes written to supply the credential interfaces
> the IdP relies on from such a keystore. We don't even formally have keystore
> support at all right now based on a review I did of the code recently.
>
> It may be that the actual amount of new code needed is very small, but the
> path to getting to that code is not, if I were to guess. And configuring that
> stuff tends to be incredibly hard, and is inherently specific to each HSM, so
> impossible to effectively cover in any documentation, it's a ton of trial and
> error.
>
> > The question is what configuration changes are required to only
> > replace the functionality which does the assertion signing? Which
> > bean/beans need to be customized ?
>
> It is not that simple, not by a long shot. It's an enhancement request at best.
>
> -- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Use signing key on HSM to sign assertions

Peter Schober
In reply to this post by Cantor, Scott E.
* Cantor, Scott <[hidden email]> [2018-05-07 15:37]:
> I believe xmlsectool has some tested support for using PKCS11 for
> signing

That should work fine, IIRC. Rainer published some examples at
https://github.com/identinetics/keymgmt/blob/master/install/tests/test_hsm_token.sh#L346

But maybe the IDP (and XmlSecTool, while we're at it) should grow
support for the pyeleven "API"? https://github.com/IdentityPython/pyeleven

HSM integration is limited to the proxy that way, and the client only
sends the digest and receives the signed digest via JSON over HTTP.
(Securing that HTTP connection is left to the deployer.)

That may serve as yet another reason to standardize the pyeleven API a
bit (cf. https://github.com/wayf-dk/goeleven).

-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Use signing key on HSM to sign assertions

Cantor, Scott E.
> HSM integration is limited to the proxy that way, and the client only sends
> the digest and receives the signed digest via JSON over HTTP.
> (Securing that HTTP connection is left to the deployer.)

Perhaps, but that's obviously a matter of changing fairly core code and would not be possible from a deployer point of view.

In theory, PKCS11 would be something that just works given a bit of additional code, but that's theory.

Xmlsectool doesn't use the OpenSAML APIs at all, so that's why it supporting PKCS11 doesn't directly translate into making the IdP work.

-- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Use signing key on HSM to sign assertions

Ian Young-3
In reply to this post by Peter Schober

> On 7 May 2018, at 15:19, Peter Schober <[hidden email]> wrote:
>
> * Cantor, Scott <[hidden email]> [2018-05-07 15:37]:
>> I believe xmlsectool has some tested support for using PKCS11 for
>> signing
>
> That should work fine, IIRC. Rainer published some examples at
> https://github.com/identinetics/keymgmt/blob/master/install/tests/test_hsm_token.sh#L346
>
> But maybe the IDP (and XmlSecTool, while we're at it) should grow
> support for the pyeleven "API"? https://github.com/IdentityPython/pyeleven

The way almost all Java applications (including OpenSAML, the IdP, the MDA and XMLSecTool) do cryptography is in in terms of cryptographic objects like PublicKey and KeyStore provided by the Java API. There's a provider mechanism allowing people to plug in specific implementations. Sometimes HSM vendors allow you to plug something in at this level. If someone wanted to write a Java provider that talked to pyeleven, we could probably use it (that's the whole point of this abstraction layer), but I think it's very unlikely that we'd ever write something like that ourselves. It's not a simple thing, as PKCS#11's idea of what tokens can do doesn't map trivially across to the Java primitives. (I still have the scars)

As Scott says, the _other_ problem going in at this level is that the business of configuring which providers to be used in which context isn't necessarily as fine-grained in OpenSAML and the IdP as they would have to be to allow "only replace the functionality which does the assertion signing". XMLSecTool and the MDA don't have this problem, the former because it's only ever doing one thing at a time and the second because each Stage is separately configured and it's easy to just use different factory beans to generate the credentials to use.

The main way Java applications talk to native PKCS#11 libraries (and HSM vendors often supply one of these as well) is through a built-in provider that implements a PKCS#11 bridge. Again, if pyeleven provides an actual native PKCS#11 library, all of our products could in principle talk to it through the bridge. Again, I think that absent some real use case people need us to support, we're very unlikely to write such a native library ourselves.

The third thing I think it's vanishingly likely we'd want to get into would be having the actual applications grow support for a separate cryptographic framework that wasn't mediated by the Java crypto API. We rely on things like Santuario for XML DSIG that would make those essentially rewrites.

Cheers,

   -- Ian
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Use signing key on HSM to sign assertions

Peter Schober
Ian,

Thanks for your explanations.

* Ian Young <[hidden email]> [2018-05-08 12:33]:
> Again, if pyeleven provides an actual native PKCS#11 library, all of
> our products could in principle talk to it through the
> bridge.

Just to clarify: pyeleven's whole raison d'ĂȘtre is avoiding the need
for native PKCS#11 support in applications.

So clearly the IDP (or XmlSecTool, or Java as a platform) is not a
suitable target for a pyeleven client (unless someone wrote some stub
code that only did JSON-over-HTTP in the backend).
Forget I ever mentioned it. ;)

-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Use signing key on HSM to sign assertions

Cantor, Scott E.
In reply to this post by Ian Young-3
> The third thing I think it's vanishingly likely we'd want to get into would be
> having the actual applications grow support for a separate cryptographic
> framework that wasn't mediated by the Java crypto API. We rely on things
> like Santuario for XML DSIG that would make those essentially rewrites.

Yes, that's a good point, I doubt there's any practical way we could isolate specific operations to offload in that fashion, since we aren't even actually performing them in most cases. It's JCE or nothing.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Use signing key on HSM to sign assertions

ofaklintrafo
In reply to this post by Cantor, Scott E.
Thank you for all the feed back on my questions.

I understand that a general configuration of Shibboleth to support
integration to a HSM would be require a lot of work and does not fit well
into the design of Shibboleth and OpenSAML.

And this will make this difficult to inject custom configuration to do the
assertion signing using a private key on a HSM.

But what if I instead of signing the assertions could sign the response
document.

My IDP is configured to handle SAML 2 SP-Initiated SSO.

In shibboleth.DefaultRelyingParty profileConfigurations I would then
configure the SAML2.SSO bean to only encrypt the assertions using the
encryption key provided in the credentials/idp-encryption.key-file.

Shibboleth would not be configured to sign the assertions or the response
(signAssertions=false and signResponses=false)

Before the final XML response is returned to the service provider I would
need to have the document signed by the HSM. I have the Java code which can
properly sign the XML document and which should be able to produce the same
signature format as the opensaml ApacheSantuarioSignerProviderImpl.

My questions are:
  * If I configure Shibboleth to neither sign the assertions or  the
response, can I inject my document signer implementation as an outbound
interceptor (as mentioned here:
https://wiki.shibboleth.net/confluence/display/IDP30/ProfileHandling#ProfileHandling-OutboundInterceptContract).
If this is so, it there an example of an outbound interceptor ? I can only
find examples of inbound and post authentication interceptors in the
Shibboleth code.
   * Or how to I best intercept the response from the SAML2.SSO flow so that
I can use my custom java code to sign the document before it is returned to
the service provider?
 



--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Use signing key on HSM to sign assertions

Cantor, Scott E.
>   * If I configure Shibboleth to neither sign the assertions or  the response, can I
> inject my document signer implementation as an outbound interceptor (as
> mentioned here:
> https://wiki.shibboleth.net/confluence/display/IDP30/ProfileHandling#Profile
> Handling-OutboundInterceptContract).

Conceptually I suppose. That would certainly be an interesting workaround.

> If this is so, it there an example of an outbound interceptor ? I can only find
> examples of inbound and post authentication interceptors in the Shibboleth
> code.

There is no difference, all interceptors are the same, just webflows.

-- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]