use of com.sun.identity.saml.xmlsig.KeyProvider in project OpenAM by OpenRock.
the class IDPArtifactResolution method onMessage.
/**
* This method generates a <code>SOAPMessage</code> containing the
* <code>ArtifactResponse</code> that is corresponding to the
* <code>ArtifactResolve</code> contained in the
* <code>SOAPMessage</code> passed in.
*
* @param message <code>SOAPMessage</code> contains a
* <code>ArtifactResolve</code>
* @param request the <code>HttpServletRequest</code> object
* @param realm the realm to where the identity provider belongs
* @param idpEntityID the entity id of the identity provider
*
* @return <code>SOAPMessage</code> contains the
* <code>ArtifactResponse</code>
* @exception SAML2Exception if the operation is not successful
*/
public static SOAPMessage onMessage(SOAPMessage message, HttpServletRequest request, HttpServletResponse response, String realm, String idpEntityID) throws SAML2Exception {
String classMethod = "IDPArtifactResolution.onMessage: ";
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Entering onMessage().");
}
Element reqElem = SOAPCommunicator.getInstance().getSamlpElement(message, "ArtifactResolve");
ArtifactResolve artResolve = ProtocolFactory.getInstance().createArtifactResolve(reqElem);
if (artResolve == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "no valid ArtifactResolve node found in SOAP body.");
}
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "noArtifactResolve", null);
}
String spEntityID = artResolve.getIssuer().getValue();
if (!SAML2Utils.isSourceSiteValid(artResolve.getIssuer(), realm, idpEntityID)) {
SAML2Utils.debug.error(classMethod + spEntityID + " is not trusted issuer.");
String[] data = { idpEntityID, realm, artResolve.getID() };
LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_REQUEST, data, null);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidIssuerInRequest", null);
}
SPSSODescriptorElement spSSODescriptor = null;
try {
spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, spEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod, sme);
spSSODescriptor = null;
}
if (spSSODescriptor == null) {
SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "metaDataError", null);
}
OrderedSet acsSet = SPSSOFederate.getACSUrl(spSSODescriptor, SAML2Constants.HTTP_ARTIFACT);
String acsURL = (String) acsSet.get(0);
//String protocolBinding = (String) acsSet.get(1);
String isArtifactResolveSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.WANT_ARTIFACT_RESOLVE_SIGNED);
if ((isArtifactResolveSigned != null) && (isArtifactResolveSigned.equals(SAML2Constants.TRUE))) {
if (!artResolve.isSigned()) {
SAML2Utils.debug.error(classMethod + "The artifact resolve is not signed " + "when it is expected to be signed.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "ArtifactResolveNotSigned", null);
}
Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(spSSODescriptor, spEntityID, SAML2Constants.SP_ROLE);
if (!artResolve.isSignatureValid(verificationCerts)) {
SAML2Utils.debug.error(classMethod + "artifact resolve verification failed.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifact", null);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "artifact resolve signature verification is successful.");
}
}
Artifact art = artResolve.getArtifact();
if (art == null) {
SAML2Utils.debug.error(classMethod + "Unable to get an artifact from ArtifactResolve.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifactSignature", null);
}
String artStr = art.getArtifactValue();
Response res = (Response) IDPCache.responsesByArtifacts.remove(artStr);
String remoteArtURL = null;
boolean saml2FailoverEnabled = SAML2FailoverUtils.isSAML2FailoverEnabled();
if (res == null) {
// in LB case, artifact may reside on the other server.
String targetServerID = SAML2Utils.extractServerId(art.getMessageHandle());
if (targetServerID == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "target serverID is null");
}
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "InvalidArtifactId", null);
}
String localServerID = SAML2Utils.getLocalServerID();
boolean localTarget = localServerID.equals(targetServerID);
if (!localTarget) {
if (!SystemConfigurationUtil.isValidServerId(targetServerID)) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "target serverID is not valid: " + targetServerID);
}
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "InvalidArtifactId", null);
}
try {
String remoteServiceURL = SystemConfigurationUtil.getServerFromID(targetServerID);
remoteArtURL = remoteServiceURL + SAML2Utils.removeDeployUri(request.getRequestURI());
SOAPConnection con = SOAPCommunicator.getInstance().openSOAPConnection();
SOAPMessage resMsg = con.call(message, remoteArtURL);
return resMsg;
} catch (Exception ex) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "unable to forward request to remote server. " + "remote url = " + remoteArtURL, ex);
}
if (!saml2FailoverEnabled) {
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "RemoteArtifactResolutionFailed", null);
}
// when the target server is running but the remote call was
// failed to this server (due to a network error)
// and the saml2failover is enabled, we can still find the
// artifact in the SAML2 repository.
// However the cached entry in the target server will not be
// deleted this way.
}
}
if (saml2FailoverEnabled) {
// Check the SAML2 Token Repository
try {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("Artifact=" + artStr);
}
String tmp = (String) SAML2FailoverUtils.retrieveSAML2Token(artStr);
res = ProtocolFactory.getInstance().createResponse(tmp);
} catch (SAML2Exception e) {
SAML2Utils.debug.error(classMethod + " SAML2 ERROR!!!", e);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "UnableToFindResponseInRepo", null);
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + " There was a problem reading the response " + "from the SAML2 Token Repository using artStr:" + artStr, se);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "UnableToFindResponseInRepo", null);
}
}
}
if (res == null) {
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, saml2FailoverEnabled ? "UnableToFindResponseInRepo" : "UnableToFindResponse", null);
}
// Remove Response from SAML2 Token Repository
try {
if (saml2FailoverEnabled) {
SAML2FailoverUtils.deleteSAML2Token(artStr);
}
} catch (SAML2TokenRepositoryException e) {
SAML2Utils.debug.error(classMethod + " Error deleting the response from the SAML2 Token Repository using artStr:" + artStr, e);
}
Map props = new HashMap();
String nameIDString = SAML2Utils.getNameIDStringFromResponse(res);
if (nameIDString != null) {
props.put(LogUtil.NAME_ID, nameIDString);
}
// check if need to sign the assertion
boolean signAssertion = spSSODescriptor.isWantAssertionsSigned();
if (signAssertion) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "signing the assertion.");
}
}
// encrypt the assertion or its NameID and/or Attribute based
// on SP config setting and sign the assertion.
IDPSSOUtil.signAndEncryptResponseComponents(realm, spEntityID, idpEntityID, res, signAssertion);
ArtifactResponse artResponse = ProtocolFactory.getInstance().createArtifactResponse();
Status status = ProtocolFactory.getInstance().createStatus();
StatusCode statusCode = ProtocolFactory.getInstance().createStatusCode();
statusCode.setValue(SAML2Constants.SUCCESS);
status.setStatusCode(statusCode);
// set the idp entity id as the response issuer
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(idpEntityID);
artResponse.setStatus(status);
artResponse.setID(SAML2Utils.generateID());
artResponse.setInResponseTo(artResolve.getID());
artResponse.setVersion(SAML2Constants.VERSION_2_0);
artResponse.setIssueInstant(new Date());
artResponse.setAny(res.toXMLString(true, true));
artResponse.setIssuer(issuer);
artResponse.setDestination(XMLUtils.escapeSpecialCharacters(acsURL));
String wantArtifactResponseSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.WANT_ARTIFACT_RESPONSE_SIGNED);
if ((wantArtifactResponseSigned != null) && (wantArtifactResponseSigned.equals(SAML2Constants.TRUE))) {
KeyProvider kp = KeyUtil.getKeyProviderInstance();
if (kp == null) {
SAML2Utils.debug.error(classMethod + "Unable to get a key provider instance.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "nullKeyProvider", null);
}
String idpSignCertAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
if (idpSignCertAlias == null) {
SAML2Utils.debug.error(classMethod + "Unable to get the hosted IDP signing certificate alias.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "missingSigningCertAlias", null);
}
String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
PrivateKey key;
if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
key = kp.getPrivateKey(idpSignCertAlias);
} else {
key = kp.getPrivateKey(idpSignCertAlias, encryptedKeyPass);
}
artResponse.sign(key, kp.getX509Certificate(idpSignCertAlias));
}
String str = artResponse.toXMLString(true, true);
String[] logdata = { idpEntityID, artStr, str };
LogUtil.access(Level.INFO, LogUtil.ARTIFACT_RESPONSE, logdata, null, props);
if (str != null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "ArtifactResponse message:\n" + str);
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Unable to print ArtifactResponse message.");
}
}
SOAPMessage msg = null;
try {
msg = SOAPCommunicator.getInstance().createSOAPMessage(str, false);
} catch (SOAPException se) {
SAML2Utils.debug.error(classMethod + "Unable to create a SOAPMessage and add a document ", se);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "unableToCreateSOAPMessage", null);
}
return msg;
}
use of com.sun.identity.saml.xmlsig.KeyProvider in project OpenAM by OpenRock.
the class IDPSSOUtil method signResponse.
/**
* Signs SAMLv2 Response.
*
* @param realm the realm name.
* @param idpEntityID the identity provider entity identifier
* @param response the SAMLv2 <code>Response</code>
* @throws <code>SAML2Exception</code> if there is an
* error signing the response.
*/
private static void signResponse(String realm, String idpEntityID, Response response) throws SAML2Exception {
String classMethod = "IDPSSOUtil:signResponse";
KeyProvider kp = KeyUtil.getKeyProviderInstance();
if (kp == null) {
SAML2Utils.debug.error(classMethod + "Unable to get a key provider instance.");
throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
}
String idpSignCertAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
if (idpSignCertAlias == null) {
SAML2Utils.debug.error(classMethod + "Unable to get the hosted IDP signing certificate alias.");
throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
}
String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
PrivateKey key;
if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
key = kp.getPrivateKey(idpSignCertAlias);
} else {
key = kp.getPrivateKey(idpSignCertAlias, encryptedKeyPass);
}
response.sign(key, kp.getX509Certificate(idpSignCertAlias));
}
use of com.sun.identity.saml.xmlsig.KeyProvider in project OpenAM by OpenRock.
the class QueryClient method signAttributeQuery.
/**
*
* @param xacmlQuery XACML Query
* @param realm the entity's realm.
* @param pepEntityID entity identifier of PEP.
* @param pdpEntityID entity identifier of PDP.
* @throws <code>SAML2Exception</code> if error in verifying
* the signature.
*/
private static void signAttributeQuery(XACMLAuthzDecisionQuery xacmlQuery, String realm, String pepEntityID, boolean includeCert) throws SAML2Exception {
KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);
String alias = getAttributeValueFromPEPConfig(pepConfig, "signingCertAlias");
PrivateKey signingKey = keyProvider.getPrivateKey(alias);
if (signingKey == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
}
X509Certificate signingCert = null;
if (includeCert) {
signingCert = keyProvider.getX509Certificate(alias);
}
if (signingKey != null) {
xacmlQuery.sign(signingKey, signingCert);
}
}
use of com.sun.identity.saml.xmlsig.KeyProvider in project OpenAM by OpenRock.
the class SPACSUtils method getResponseFromArtifact.
// Retrieves response using artifact profile.
private static Response getResponseFromArtifact(String samlArt, String hostEntityId, HttpServletRequest request, HttpServletResponse response, String orgName, SAML2MetaManager sm) throws SAML2Exception, IOException {
// decide which IDP and which artifact resolution service
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPACSUtils.getResponseFromArtifact: " + "samlArt = " + samlArt);
}
Artifact art = null;
try {
art = ProtocolFactory.getInstance().createArtifact(samlArt.trim());
String[] data = { samlArt.trim() };
LogUtil.access(Level.INFO, LogUtil.RECEIVED_ARTIFACT, data, null);
} catch (SAML2Exception se) {
SAML2Utils.debug.error("SPACSUtils.getResponseFromArtifact: " + "Unable to decode and parse artifact string:" + samlArt);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "errorObtainArtifact", SAML2Utils.bundle.getString("errorObtainArtifact"));
throw se;
}
String idpEntityID = getIDPEntityID(art, request, response, orgName, sm);
IDPSSODescriptorElement idp = null;
try {
idp = sm.getIDPSSODescriptor(orgName, idpEntityID);
} catch (SAML2MetaException se) {
String[] data = { orgName, idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_META_NOT_FOUND, data, null);
SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "failedToGetIDPSSODescriptor", se.getMessage());
throw se;
}
String location = getIDPArtifactResolutionServiceUrl(art.getEndpointIndex(), idpEntityID, idp, request, response);
// create ArtifactResolve message
ArtifactResolve resolve = null;
SOAPMessage resMsg = null;
try {
resolve = ProtocolFactory.getInstance().createArtifactResolve();
resolve.setID(SAML2Utils.generateID());
resolve.setVersion(SAML2Constants.VERSION_2_0);
resolve.setIssueInstant(new Date());
resolve.setArtifact(art);
resolve.setDestination(XMLUtils.escapeSpecialCharacters(location));
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(hostEntityId);
resolve.setIssuer(issuer);
String needArtiResolveSigned = SAML2Utils.getAttributeValueFromSSOConfig(orgName, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.WANT_ARTIFACT_RESOLVE_SIGNED);
if (needArtiResolveSigned != null && needArtiResolveSigned.equals("true")) {
// or save it somewhere?
String signAlias = getAttributeValueFromSPSSOConfig(orgName, hostEntityId, sm, SAML2Constants.SIGNING_CERT_ALIAS);
if (signAlias == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
}
KeyProvider kp = KeyUtil.getKeyProviderInstance();
if (kp == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
}
resolve.sign(kp.getPrivateKey(signAlias), kp.getX509Certificate(signAlias));
}
String resolveString = resolve.toXMLString(true, true);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPACSUtils.getResponseFromArtifact: " + "ArtifactResolve=" + resolveString);
}
SOAPConnection con = SOAPCommunicator.getInstance().openSOAPConnection();
SOAPMessage msg = SOAPCommunicator.getInstance().createSOAPMessage(resolveString, true);
IDPSSOConfigElement config = null;
config = sm.getIDPSSOConfig(orgName, idpEntityID);
location = SAML2Utils.fillInBasicAuthInfo(config, location);
resMsg = con.call(msg, location);
} catch (SAML2Exception s2e) {
SAML2Utils.debug.error("SPACSUtils.getResponseFromArtifact: " + "couldn't create ArtifactResolve:", s2e);
String[] data = { hostEntityId, art.getArtifactValue() };
LogUtil.error(Level.INFO, LogUtil.CANNOT_CREATE_ARTIFACT_RESOLVE, data, null);
SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "errorCreateArtifactResolve", SAML2Utils.bundle.getString("errorCreateArtifactResolve"));
throw s2e;
} catch (SOAPException se) {
SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: " + "couldn't get ArtifactResponse. SOAP error:", se);
String[] data = { hostEntityId, location };
LogUtil.error(Level.INFO, LogUtil.CANNOT_GET_SOAP_RESPONSE, data, null);
SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "errorInSOAPCommunication", SAML2Utils.bundle.getString("errorInSOAPCommunication"));
throw new SAML2Exception(se.getMessage());
}
Response result = getResponseFromSOAP(resMsg, resolve, request, response, idpEntityID, idp, orgName, hostEntityId, sm);
String[] data = { hostEntityId, idpEntityID, art.getArtifactValue(), "" };
if (LogUtil.isAccessLoggable(Level.FINE)) {
data[3] = result.toXMLString();
}
LogUtil.access(Level.INFO, LogUtil.GOT_RESPONSE_FROM_ARTIFACT, data, null);
return result;
}
use of com.sun.identity.saml.xmlsig.KeyProvider in project OpenAM by OpenRock.
the class WebServicesClients method getValidValues.
/**
* Returns certificate subject DNs in the KeyStore as possible values.
*
* @param token the <code>SSOToken</code>
* @param pattern the pattern to match with valid values.
*
* @return <code>ValidValues</code> object wiht certificate subject DNs.
*
* @exception SSOException if SSO token is not valid
* @exception PolicyException if unable to get the list of valid names.
*/
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
// TODO: ignoring the pattern for now. Do we need to take care of it?
// probably we can ignore for this subject.
Set subjects = new HashSet();
try {
KeyProvider kp = null;
try {
kp = (KeyProvider) Class.forName(SystemConfigurationUtil.getProperty(SAMLConstants.KEY_PROVIDER_IMPL_CLASS, SAMLConstants.JKS_KEY_PROVIDER)).newInstance();
} catch (ClassNotFoundException cnfe) {
debug.error("WebServicesClients.getValidValues(): " + " Couldn't find the class.", cnfe);
kp = null;
} catch (InstantiationException ie) {
debug.error("WebServicesClients.getValidValues(): " + " Couldn't instantiate the key provider instance.", ie);
kp = null;
} catch (IllegalAccessException iae) {
debug.error("WebServicesClients.getValidValues(): " + " Couldn't access the default constructor.", iae);
kp = null;
}
if (kp != null) {
KeyStore ks = kp.getKeyStore();
if (ks != null) {
Enumeration aliases = ks.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
if (debug.messageEnabled()) {
debug.message("WSClient.getValidValues: alias=" + alias);
}
// TODO: need to take care of certificate chaining
if (ks.isCertificateEntry(alias)) {
debug.message("WSClient.getValidValues: " + "alias is trusted.");
X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
if (cert != null) {
debug.message("WSClient.getValidValues:cert " + "not null");
String name = CertUtils.getSubjectName(cert);
if (name != null && name.length() != 0) {
subjects.add(name);
}
} else {
debug.message("WSClient.getValidValues: " + "cert is null");
}
} else {
debug.message("WSClient.getValidValues:alias " + "not trusted.");
}
}
}
}
} catch (KeyStoreException kse) {
if (debug.warningEnabled()) {
debug.warning("WebServicesClients: couldn't get subjects", kse);
}
String[] objs = { kse.getMessage() };
throw (new PolicyException(ResBundleUtils.rbName, "can_not_get_subject_values", objs, kse));
}
return (new ValidValues(ValidValues.SUCCESS, subjects));
}
Aggregations