Merge pull request #56 from shingo78/feature/embedded-metadata-signing-certificates

Embed metadata signing certificates

Author: shingo78

auth-proxy/Dockerfile

@@ -147,6 +147,30 @@ ENV PATH=/opt/venv/bin:$PATH
 # Install config template files
 COPY resources/etc/templates /etc/templates
 
+# Metadata signing cerfiticates
+ENV SIGNING_CERT_DIR=/var/www/simplesamlphp/signing-cert \
+    GAKUNIN_SIGNER_FILENAME=gakunin-signer.cer \
+    GAKUNIN_SIGNER_SHA256=5E:D6:A8:C5:E9:30:49:3F:B4:BA:77:54:6A:FB:66:BA:14:7D:CB:50:5B:EF:0F:D9:7C:26:04:C2:D9:36:FD:81 \
+    GAKUNINTEST_SIGNER_FILENAME=gakunintest-signer.cer \
+    GAKUNINTEST_SIGNER_SHA256=FA:11:11:5B:EC:13:4D:55:85:AF:60:32:E1:6C:01:01:EF:9C:A0:6B:17:8C:8B:9C:7F:2B:69:41:EB:68:30:1E \
+    ORTHROS_SIGNER_FILENAME=orhtoros-signer.cer \
+    ORTHROS_SIGNER_SHA256=C7:AE:69:98:AC:E7:6A:C2:83:CC:5F:99:0A:C1:3C:A1:62:3D:F6:84:AA:7B:08:30:37:2D:DA:6B:82:AB:BA:44 \
+    ORTHROSSTG_SIGNER_FILENAME=orthrosstg-signer.cer \
+    ORTHROSSTG_SIGNER_SHA256=A3:AF:64:82:1B:BF:C9:28:E9:E7:0D:5E:7C:04:41:1C:2D:87:47:1F:45:1D:24:32:B6:31:FF:91:B5:71:53:0D
+RUN mkdir -p $SIGNING_CERT_DIR && \
+    curl -q -L -o ${SIGNING_CERT_DIR}/${GAKUNIN_SIGNER_FILENAME} https://metadata.gakunin.nii.ac.jp/gakunin-signer-2017.cer && \
+    curl -q -L -o ${SIGNING_CERT_DIR}/${GAKUNINTEST_SIGNER_FILENAME} https://metadata.gakunin.nii.ac.jp/gakunin-test-signer-2020.cer && \
+    curl -q -L -o ${SIGNING_CERT_DIR}/${ORTHROS_SIGNER_FILENAME} https://core.orthros.gakunin.nii.ac.jp/metadata/orthros-signer-2025.cer && \
+    curl -q -L -o ${SIGNING_CERT_DIR}/${ORTHROSSTG_SIGNER_FILENAME} https://core-stg.orthros.gakunin.nii.ac.jp/metadata/orthrosstg-signer-2025.cer && \
+    test "${GAKUNIN_SIGNER_SHA256}" = \
+         "$(openssl x509 -fingerprint -sha256 -noout -in ${SIGNING_CERT_DIR}/${GAKUNIN_SIGNER_FILENAME} | awk -F = '{print $2}')" && \
+    test "${GAKUNINTEST_SIGNER_SHA256}" = \
+         "$(openssl x509 -fingerprint -sha256 -noout -in ${SIGNING_CERT_DIR}/${GAKUNINTEST_SIGNER_FILENAME} | awk -F = '{print $2}')" && \
+    test "${ORTHROS_SIGNER_SHA256}" = \
+         "$(openssl x509 -fingerprint -sha256 -noout -in ${SIGNING_CERT_DIR}/${ORTHROS_SIGNER_FILENAME} | awk -F = '{print $2}')" && \
+    test "${ORTHROSSTG_SIGNER_SHA256}" = \
+         "$(openssl x509 -fingerprint -sha256 -noout -in ${SIGNING_CERT_DIR}/${ORTHROSSTG_SIGNER_FILENAME} | awk -F = '{print $2}')"
+
 # Set the current working directory
 WORKDIR /var/www/html
 

auth-proxy/resources/etc/templates/federation/module_metarefresh-test.php.j2

@@ -8,9 +8,9 @@ $config = [
                 [
                     'src' => 'https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml',
                     'certificates' => [
-                        'gakunin-signer.cer'
+                        '{{ environ("SIGNING_CERT_DIR") }}/{{ environ("GAKUNINTEST_SIGNER_FILENAME") }}'
                     ],
-                    'validateFingerprint' => 'FA:11:11:5B:EC:13:4D:55:85:AF:60:32:E1:6C:01:01:EF:9C:A0:6B:17:8C:8B:9C:7F:2B:69:41:EB:68:30:1E',
+                    'validateFingerprint' => '{{ environ("GAKUNINTEST_SIGNER_SHA256") }}',
                     'validateFingerprintAlgorithm' => 'XMLSecurityDSig::SHA256'
                 ]
             ],
@@ -23,6 +23,11 @@ $config = [
             'sources' => [
                 [
                     'src' => 'https://core-stg.orthros.gakunin.nii.ac.jp/metadata/orthrosstg-idp-metadata.xml',
+                    'certificates' => [
+                        '{{ environ("SIGNING_CERT_DIR") }}/{{ environ("ORTHROSSTG_SIGNER_FILENAME") }}'
+                    ],
+                    'validateFingerprint' => '{{ environ("ORTHROSSTG_SIGNER_SHA256") }}',
+                    'validateFingerprintAlgorithm' => 'XMLSecurityDSig::SHA256'
                 ]
             ],
             'outputDir' => 'metadata/orthros-metadata/',

auth-proxy/resources/etc/templates/federation/module_metarefresh.php.j2

@@ -8,9 +8,9 @@ $config = [
                 [
                     'src' => 'https://metadata.gakunin.nii.ac.jp/gakunin-metadata.xml?generation=2',
                     'certificates' => [
-                        'gakunin-signer.cer'
+                        '{{ environ("SIGNING_CERT_DIR") }}/{{ environ("GAKUNIN_SIGNER_FILENAME") }}'
                     ],
-                    'validateFingerprint' => '5E:D6:A8:C5:E9:30:49:3F:B4:BA:77:54:6A:FB:66:BA:14:7D:CB:50:5B:EF:0F:D9:7C:26:04:C2:D9:36:FD:81',
+                    'validateFingerprint' => '{{ environ("GAKUNIN_SIGNER_SHA256") }}',
                     'validateFingerprintAlgorithm' => 'XMLSecurityDSig::SHA256'
                 ]
             ],
@@ -34,6 +34,11 @@ $config = [
             'sources' => [
                 [
                     'src' => 'https://core.orthros.gakunin.nii.ac.jp/metadata/orthros-idp-metadata.xml',
+                    'certificates' => [
+                        '{{ environ("SIGNING_CERT_DIR") }}/{{ environ("ORTHROS_SIGNER_FILENAME") }}'
+                    ],
+                    'validateFingerprint' => '{{ environ("ORTHROS_SIGNER_SHA256") }}',
+                    'validateFingerprintAlgorithm' => 'XMLSecurityDSig::SHA256'
                 ]
             ],
             'outputDir' => 'metadata/orthros-metadata/',