Merge branch 'develop' into master

README.md

@@ -62,24 +62,30 @@ An example of a configuration file is provided [here](src/test/resources/mock_ei
 
 | Parameter        | Mandatory | Description, example |
 | :---------------- | :---------- | :----------------|
-| `eidas.connector.responder-metadata.key-store` | Yes | Path to key store. Example: file:/etc/eidasconf/keystore/responder-metadata-keystore.p12 |
+| `eidas.connector.hsm.enabled` | No | Whether to enable Hardware Security Module (HSM). Default value: `false` |
+| `eidas.connector.hsm.pin` | Yes<sup>1</sup> | Password to access partition. |
+| `eidas.connector.hsm.library` | Yes <sup>1</sup> | Vendor specific PKCS#11 library path. Example: `/usr/lib/softhsm/libsofthsm2.so` for testing SoftHSM or vendor specific library. |
+| `eidas.connector.hsm.slot` | Yes <sup>1,2</sup> | Slot id. Example: `636432988` |
+| `eidas.connector.hsm.slot-list-index` | Yes <sup>1,2</sup> | Slot index. Example: `0` |
+| `eidas.connector.hsm.certificates-from-hsm` | No <sup>3</sup> | Denotes if certificates should be loaded from HSM. Default value: `false` |
+| `eidas.connector.responder-metadata.key-store` | Yes | Path to key store. Example: `file:/etc/eidasconf/keystore/responder-metadata-keystore.p12` |
 | `eidas.connector.responder-metadata.key-store-password` | Yes | Key store password |
-| `eidas.connector.responder-metadata.key-store-type` | No | Key store type. Default value: PKCS12 |
-| `eidas.connector.responder-metadata.key-alias` | Yes | Key alias in key store |
-| `eidas.connector.responder-metadata.key-password` | Yes | Key password in key store |
-| `eidas.connector.responder-metadata.trust-store` | Yes | Path to key store. Example: file:/etc/eidasconf/keystore/responder-metadata-truststore.p12 |
+| `eidas.connector.responder-metadata.key-store-type` | No | Key store type. Default value: `PKCS12` |
+| `eidas.connector.responder-metadata.key-alias` | Yes <sup>5</sup> | Key alias in key store |
+| `eidas.connector.responder-metadata.key-password` | Yes <sup>4</sup> | Key password in key store |
+| `eidas.connector.responder-metadata.trust-store` | Yes | Path to key store. Example: `file:/etc/eidasconf/keystore/responder-metadata-truststore.p12` |
 | `eidas.connector.responder-metadata.trust-store-password` | Yes | Trust store password |
-| `eidas.connector.responder-metadata.trust-store-type` | No | Trust store type. Default value: PKCS12 |
-| `eidas.connector.responder-metadata.signature-algorithm` | No | Signature algorithm used to sign published metadata, SAML response objects and assertions (defined by RFC 4051). Default value: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 |
-| `eidas.connector.responder-metadata.key-transport-algorithm` | No | Key transport algorithm used in SAML response assertions encryption. Default value: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p |
-| `eidas.connector.responder-metadata.encryption-algorithm` | No | Algorithm used in SAML response assertions encryption. Default value: http://www.w3.org/2009/xmlenc11#aes256-gcm |
+| `eidas.connector.responder-metadata.trust-store-type` | No | Trust store type. Default value: `PKCS12` |
+| `eidas.connector.responder-metadata.signature-algorithm` | No | Signature algorithm used to sign published metadata, SAML response objects and assertions (defined by RFC 4051). Default value: `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` |
+| `eidas.connector.responder-metadata.key-transport-algorithm` | No | Key transport algorithm used in SAML response assertions encryption. Default value: `http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p` |
+| `eidas.connector.responder-metadata.encryption-algorithm` | No | Algorithm used in SAML response assertions encryption. Default value: `http://www.w3.org/2009/xmlenc11#aes256-gcm` |
 | `eidas.connector.responder-metadata.path` | No | Metadata endpoint path. https://eidas-specificconnector:8443/SpecificConnector/{eidas.connector.responder-metadata.path}. Default value: `ConnectorResponderMetadata` |
-| `eidas.connector.responder-metadata.entity-id` | Yes | Exact HTTPS URL where metadata is published. Examlpe: https://eidas-specificconnector:8443/SpecificConnector/ConnectorResponderMetadata |
-| `eidas.connector.responder-metadata.sso-service-url` | Yes | Exact HTTPS URL where authentication endpoint for service providers is located. Example: https://eidas-specificconnector:8443/SpecificConnector/ServiceProvider |
+| `eidas.connector.responder-metadata.entity-id` | Yes | Exact HTTPS URL where metadata is published. Examlpe: `https://eidas-specificconnector:8443/SpecificConnector/ConnectorResponderMetadata` |
+| `eidas.connector.responder-metadata.sso-service-url` | Yes | Exact HTTPS URL where authentication endpoint for service providers is located. Example: `https://eidas-specificconnector:8443/SpecificConnector/ServiceProvider` |
 | `eidas.connector.responder-metadata.name-id-format` | No | Possible values: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`,`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`,`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` |
 | `eidas.connector.responder-metadata.sp-type` | No | Public or private sector service provider. Possible values: `public`, `private` |
-| `eidas.connector.responder-metadata.validity-interval` | No | Metadata validity duration. [Defined as standard ISO-8601 format used by java.time.Duration](https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-external-config-conversion-duration) Default value: 1d |
-| `eidas.connector.responder-metadata.assertion-validity-interval` | No | Authentication response assertion validity duration. [Defined as standard ISO-8601 format used by java.time.Duration](https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-external-config-conversion-duration) Default value: 5m |
+| `eidas.connector.responder-metadata.validity-interval` | No | Metadata validity duration. [Defined as standard ISO-8601 format used by java.time.Duration](https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-external-config-conversion-duration) Default value: `1d` |
+| `eidas.connector.responder-metadata.assertion-validity-interval` | No | Authentication response assertion validity duration. [Defined as standard ISO-8601 format used by java.time.Duration](https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-external-config-conversion-duration) Default value: `5m` |
 | `eidas.connector.responder-metadata.supported-member-states` | Yes | Supported member states for authentication (defined by ISO 3166-1 alpha-2) |
 | `eidas.connector.responder-metadata.supported-bindings` | No | Possible values: `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`, `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`. Default value:`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST,urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` |
 | `eidas.connector.responder-metadata.digest-methods` | No | Supported digest methods. Default value: `http://www.w3.org/2001/04/xmlenc#sha256,http://www.w3.org/2001/04/xmlenc#sha512` |
@@ -100,8 +106,20 @@ An example of a configuration file is provided [here](src/test/resources/mock_ei
 
 * Where X is index starting from zero and incremented for each new signing method, contact, supported attribute.
 
+<sup>1</sup> Mandatory only when `eidas.connector.hsm.enabled=true`
+
+<sup>2</sup> When `eidas.connector.hsm.slot` is set, then `eidas.connector.hsm.slot-list-index` value is ignored and is not mandatory.
+
+<sup>3</sup> When `eidas.connector.hsm.certificates-from-hsm=false`, then certificates must be found from software key store `eidas.connector.responder-metadata.key-store` by the same aliases
+
+<sup>4</sup> When `eidas.connector.hsm.enabled=true`, then this property is ignored.
+
+<sup>5</sup> Applies to both software and hardware key stores.
+
 | Default values        |
 | :---------------- |
+| `eidas.connector.hsm.enabled=false`
+| `eidas.connector.hsm.certificates-from-hsm=false`
 | `eidas.connector.responder-metadata.path=ConnectorResponderMetadata` |
 | `eidas.connector.responder-metadata.sp-type=public` |
 | `eidas.connector.responder-metadata.validity-in-days=1` |
@@ -325,10 +343,10 @@ If there is a problem connecting to service provider metadata, then `eidas.conne
 
 | Parameter        | Mandatory | Description, example |
 | :---------------- | :---------- | :----------------|
-| `eidas.connector.service-provider-metadata-min-refresh-delay` | No | Sets the minimum amount of time, in milliseconds, between refreshes. Default value: 60000 (60 seconds) |
-| `eidas.connector.service-provider-metadata-max-refresh-delay` | No |  Refresh interval used when metadata does not contain any validUntil or cacheDuration information. Default value: 14400000 (4 hours) |
-| `eidas.connector.service-provider-metadata-refresh-delay-factor` | No | Sets the delay factor used to compute the next refresh time. The delay must be between 0.0 and 1.0 exclusive. |
-| `eidas.connector.add-saml-error-assertion` | No | Backwards compatibility option for eIDAS-Client to add encrypted assertion, when authentication fails. Default value: false |
+| `eidas.connector.service-provider-metadata-min-refresh-delay` | No | Sets the minimum amount of time, in milliseconds, between refreshes. Default value: `60000` (60 seconds) |
+| `eidas.connector.service-provider-metadata-max-refresh-delay` | No |  Refresh interval used when metadata does not contain any validUntil or cacheDuration information. Default value: `14400000` (4 hours) |
+| `eidas.connector.service-provider-metadata-refresh-delay-factor` | No | Sets the delay factor used to compute the next refresh time. The delay must be between `0.0` and `1.0` exclusive. |
+| `eidas.connector.add-saml-error-assertion` | No | Backwards compatibility option for eIDAS-Client to add encrypted assertion, when authentication fails. Default value: `false` |
 
 <a name="logging"></a>
 ## 5. Logging
@@ -411,7 +429,7 @@ Custom fields related to authentication
 | `authn_request` | No | Fields related to SAML 2.0 AuthnRequest |
 | `saml_response` | No | Fields related to SAML 2.0 SAML Response |
 
-Example log message containing Autentication initialization event (authn_request):
+Example log message containing Authentication initialization event (authn_request):
 
 ```json
 {
@@ -495,7 +513,7 @@ Example log message containing Autentication initialization event (authn_request
 }
 ```
 
-Example log message containing successful Autentication end event (saml_response):
+Example log message containing successful Authentication end event (saml_response):
 
 ```json
 {
@@ -596,7 +614,7 @@ Example log message containing successful Autentication end event (saml_response
 }
 ```
 
-Example log message containing failed Autentication end event (saml_response): 
+Example log message containing failed Authentication end event (saml_response): 
 ```json
 {
   "@timestamp": "2020-10-23T14:36:09.447Z",
@@ -680,7 +698,7 @@ Example log message containing failed Autentication end event (saml_response):
 
 ### 6.2 Custom application health endpoint configuration
 
-`SpecificConnector` webapp implements [custom health endpoint](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-custom) with id `heartbeat` and [custom health indicators](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#writing-custom-healthindicators) with id's `igniteCluster`, `connectorMetadata`, `truststore`, `sp-%{service-provider-id}-metadata`. This endpoint is disabled by default.
+`SpecificConnector` webapp implements [custom health endpoint](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-custom) with id `heartbeat` and [custom health indicators](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#writing-custom-healthindicators) with id's `igniteCluster`, `connectorMetadata`, `responderMetadata`, `truststore`, `sp-%{service-provider-id}-metadata`. This endpoint is disabled by default.
 
 Request:
 
@@ -716,6 +734,10 @@ Response:
     {
       "name": "connectorMetadata",
       "status": "UP"
+    },
+    {
+      "name": "responderMetadata",
+      "status": "UP"
     }
   ]
 }
@@ -731,7 +753,13 @@ Response:
 | `management.health.defaults.enabled` | No | Whether to enable default Spring Boot Actuator health indicators. Recommended value `false` |
 | `management.info.git.mode` | No | Mode to use to expose git information. Recommended value `full` |
 | `eidas.connector.health.dependencies.connect-timeout` | No | Timeout for `connectorMetadata` health indicators. Defaults to `3s` |
-| `eidas.connector.health.trust-store-expiration-warning` | No | Certificate expiration warning period for `truststore` health indicator. Default value `30d` |
+| `eidas.connector.health.hsm-test-interval` | No<sup>1</sup> | Minimum interval for testing hardware security module for `responderMetadata` health indicator.<sup>2</sup> Defaults to `60s` |
+| `eidas.connector.health.key-store-expiration-warning` | No | Responder metadata certificate expiration warning period for `responderMetadata` health indicator. Default value `30d` |
+| `eidas.connector.health.trust-store-expiration-warning` | No | Trusted certificates expiration warning period for `truststore` health indicator. Default value `30d` |
+
+<sup>1</sup> Applicable only when `eidas.connector.hsm.enabled=true`
+
+<sup>2</sup> Hardware security module test is only executed when `heartbeat` endpoint is requested. To minimize impact on HSM `eidas.connector.health.hsm-test-interval` denotes time interval before next test can be executed. If the interval is not due, the previous test result is used instead unless an exception occurs somewhere in the application when using keys from HSM. When an exception occurs using keys from HSM, every request to `heartbeat` endpoint executes testing until the error resolves.  
 
 <a name="security"></a>
 ## 7. Security

pom.xml

@@ -10,11 +10,19 @@
     </parent>
     <groupId>ee.ria.eidas.connector.specific</groupId>
     <artifactId>ee-specific-connector</artifactId>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <packaging>war</packaging>
     <name>ee-specific-connector</name>
     <description>EE specific eIDAS connector</description>
 
+    <repositories>
+        <repository>
+            <id>nexus-eidas-local</id>
+            <name>nexus-eidas-local</name>
+            <url>https://nexus.ria.ee/repository/eidas-node-maven-local/</url>
+        </repository>
+    </repositories>
+
     <properties>
         <java.version>1.8</java.version>
         <eidas.node.version>2.5.0</eidas.node.version>