alternate-mdx
Alternate MDX research project
Usage
- apt install swig
- Create a Python virtualenv
- Activate the virtualenv (`. bin/activate`)
- pip install -r requirements.txt
- Create a (self-signed) metadata signing certificate and key (`meta.crt`/`meta.key`); keep `meta.key` readable only by the user that runs the tools
- Create the output directory (`mkdir output`)
- Download the source metadata file(s)
- Run one or more of the tools below
mdsigner.py [mdfile] [mdfile] [mdfile] ...
Reads the source metadata file(s) and writes signed copies to the filesystem.
mdserver.py
Starts a metadata signing server. Reads the source metadata file(s) listed in the mdsigner.yaml configuration (see the example). Watches those files with inotify and reloads a file on CLOSE_WRITE, i.e. only after the writer has closed it, so a half-written file is never loaded. On request it signs the entity's metadata with the realm's signer, caches the signed result in memory and serves it. Note that a tool which replaces a metadata file by atomic rename (write to a temporary name, then rename over the original) does not produce CLOSE_WRITE on the watched path; if metadata is refreshed that way, watch the directory for MOVED_TO as well.
mdproxy.py
Reads its configuration from mdproxy.yaml (see the example). Proxies MDQ requests to mdserver.py and caches the signed metadata it returns.
Queries
MDQ queries can then be pointed at
http://mdserver:5001/<realm>/entities/<entityid>
http://mdproxy:5002/<realm>/entities/<entityid>
The <entityid> path element is either the entityID percent-encoded (entityIDs are themselves URLs, so the slashes and colon must be escaped) or the MDQ transformed identifier `{sha1}` followed by the lowercase hex SHA-1 of the entityID. Both endpoints are plain http, so the transport provides no integrity: a client must verify the XML signature on the returned EntityDescriptor against the realm signer's certificate before trusting it.
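As an added example (not part of the alternate-mdx project), the following Python client builds both identifier forms for the endpoints above, fetches an entity and runs sanity checks on the response body. The realm name `example`, the entityID `https://idp.example.org/idp/shibboleth` and the two sample XML documents are assumptions constructed for this example; the server URLs are the ones listed above. It deliberately stops short of signature verification, which needs an XML-DSig library.

```python
"""MDQ client helpers (added example, not alternate-mdx code)."""
import datetime as dt
import hashlib
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MDQ_MEDIA_TYPE = "application/samlmetadata+xml"

# Assumed values for the example; the realm and entityID are not from the page.
ENTITY_ID = "https://idp.example.org/idp/shibboleth"
REALM = "example"


def sha1_identifier(entity_id: str) -> str:
    """MDQ transformed identifier: '{sha1}' + lowercase hex SHA-1 of the UTF-8 entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def mdq_url(base: str, realm: str, entity_id: str, hashed: bool = False) -> str:
    """Build <base>/<realm>/entities/<identifier>.

    entityIDs are URLs, so the identifier is percent-encoded with no safe
    characters ('/' -> %2F, ':' -> %3A). The {sha1} form is encoded the same
    way, which turns the braces into %7B / %7D.
    """
    ident = sha1_identifier(entity_id) if hashed else entity_id
    return f"{base.rstrip('/')}/{quote(realm, safe='')}/entities/{quote(ident, safe='')}"


def descriptor_problems(xml_bytes: bytes, expected_entity_id: str,
                        now: Optional[dt.datetime] = None) -> List[str]:
    """Cheap sanity checks on an MDQ response; returns [] when it passes.

    This is NOT signature verification: the ds:Signature is only checked for
    presence. Verify it (xmlsec, signxml, ...) against the pinned realm-signer
    certificate before trusting anything in the document.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    problems: List[str] = []
    try:
        # The body is untrusted input; in production parse with defusedxml.
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID mismatch: got {root.get('entityID')!r}")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil: cannot bound how long to cache this entity")
    else:
        expires = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            problems.append(f"expired at {valid_until}")
    if root.find("{%s}Signature" % DS_NS) is None:
        problems.append("no enveloped ds:Signature")
    return problems


def fetch_entity(base: str, realm: str, entity_id: str, timeout: float = 10.0) -> bytes:
    """GET the entity from an mdserver/mdproxy endpoint and sanity-check the body."""
    req = urllib.request.Request(mdq_url(base, realm, entity_id),
                                 headers={"Accept": MDQ_MEDIA_TYPE})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get_content_type()
        if ctype not in (MDQ_MEDIA_TYPE, "application/xml", "text/xml"):
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        body = resp.read()
    problems = descriptor_problems(body, entity_id)
    if problems:
        raise ValueError("; ".join(problems))
    return body


# Constructed sample responses (not real metadata): one acceptable, one expired.
def _sample(valid_until: str) -> bytes:
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="{ENTITY_ID}" validUntil="{valid_until}">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""".encode("utf-8")


SAMPLE_OK = _sample("2099-01-01T00:00:00Z")
SAMPLE_EXPIRED = _sample("2000-01-01T00:00:00Z")

if __name__ == "__main__":
    print(mdq_url("http://mdserver:5001", REALM, ENTITY_ID))
    print(mdq_url("http://mdproxy:5002", REALM, ENTITY_ID, hashed=True))
    print("sample ok:", descriptor_problems(SAMPLE_OK, ENTITY_ID))
    print("sample expired:", descriptor_problems(SAMPLE_EXPIRED, ENTITY_ID))
```

Run it against a live mdserver.py with `fetch_entity("http://mdserver:5001", "example", ENTITY_ID)`; the `validUntil` check is what bounds how long a caching client (or mdproxy.py) may keep serving an entity after the signer stops publishing it.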
Bootstrap softHSM2
This is a very brief summary of the successive commands to initialize softHSM2 for testing. Tested on Ubuntu 21.10. Note that --init-token moves the token to a freshly assigned slot number, which is why --show-slots is run again afterwards and the later commands address the token by --slot-index rather than --slot.
# apt install softhsm opensc libengine-pkcs11-openssl
# softhsm2-util --show-slots
# softhsm2-util --init-token --slot 0 --label "My token 1" --pin "secret" --so-pin "secret"
# softhsm2-util --show-slots
# pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --slot-index 0 --id a1b2 --label test --pin secret
# pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --pin secret -O
# openssl req -new -x509 -days 365 -subj "/CN=Test Signer" -engine pkcs11 -keyform engine -key label_test -passin 'pass:secret' -out hsm.crt
# openssl x509 -inform PEM -outform DER -in hsm.crt -out hsm.der
# pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --slot-index 0 --id a1b2 --label test -y cert -w hsm.der --pin secret
# pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --pin secret -O
The key is generated at 2048 bits (softHSM also accepts rsa:3072 and rsa:4096); 1024-bit RSA is below current minimums even for a test fixture. The openssl step uses the libp11 pkcs11 engine, which on Ubuntu locates the SoftHSM module through p11-kit; if it reports that it cannot find the key, point it at the module explicitly with PKCS11_MODULE_PATH=/usr/lib/softhsm/libsofthsm2.so in the environment. The key identifier label_test is the engine's shorthand for "the object labelled test"; with more than one token present, pass a PKCS#11 URI (RFC 7512) that names the token and object instead. Without -days the certificate would expire after openssl's 30-day default. The final -O listing should show the private key, public key and certificate objects all sharing id a1b2 and label test.