
Class FSBrowserArtifactConsumerHandler, method signSAMLRequest:

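/**
 * Signs a SAML request that this site is about to send to the IDP.
 *
 * The signing certificate alias is read from this provider's hosted
 * configuration under {@code IFSConstants.SIGNING_CERT_ALIAS}; the signature
 * is computed over the request's XML string form and the resulting
 * {@code ds:Signature} element is attached to the request.
 *
 * @param samlRequest the request to sign; must not already carry a signature.
 * @return the same request instance, with its signature element set.
 * @throws SAMLException if the request is already signed, no signing alias is
 *         configured, or the signature could not be produced or parsed.
 */
protected FSRequest signSAMLRequest(FSRequest samlRequest) throws SAMLException {
    FSUtils.debug.message("FSBrowserArtifactConsumerHandler.signSAMLRequest: Called");
    // Never double-sign: a second signature would invalidate the first.
    if (samlRequest.isSigned()) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: the request is already signed.");
        }
        throw new SAMLException(FSUtils.bundle.getString("alreadySigned"));
    }
    String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.SIGNING_CERT_ALIAS);
    if (certAlias == null || certAlias.length() == 0) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: couldn't obtain this site's cert alias.");
        }
        throw new SAMLResponderException(FSUtils.bundle.getString("cannotFindCertAlias"));
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: Provider's certAlias is found: " + certAlias);
    }
    // Serialize once so the bytes that are logged are the bytes that are signed.
    String xmlToSign = samlRequest.toString(true, true);
    if (FSUtils.debug.messageEnabled()) {
        // The complete request goes to the debug log; keep debug logging off
        // in production if requests can carry sensitive content.
        FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: XMLString to be signed: " + xmlToSign);
    }
    XMLSignatureManager manager = XMLSignatureManager.getInstance();
    String signatureString = manager.signXML(xmlToSign, certAlias);
    // If signXML or toDOMDocument yields null (e.g. the signature text does
    // not parse) the old code died with a NullPointerException at
    // getDocumentElement(); report it as a signing failure instead.
    Document signatureDoc = (signatureString == null) ? null : XMLUtils.toDOMDocument(signatureString, FSUtils.debug);
    if (signatureDoc == null) {
        FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: failed to create or parse the signature.");
        throw new SAMLResponderException(FSUtils.bundle.getString("signFailed"));
    }
    Element signature = signatureDoc.getDocumentElement();
    samlRequest.setSignature(signature);
    return samlRequest;
}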


Class FSBrowserArtifactConsumerHandler, method processSAMLRequest:

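/**
 * Builds the <code>SAML</code> request (with artifact), sends it to the
 * <code>IDP</code> over <code>SOAP</code>, receives the <code>SAML</code>
 * response and hands it to {@code processSAMLResponse}.
 *
 * When signing is switched on ({@code FSServiceUtils.isSigningOn()}) the
 * SOAP body is signed with this site's configured signing certificate before
 * it is sent; if it cannot be signed the request is NOT sent unsigned.
 * Every failure path forwards the user to the common login page and returns
 * normally; nothing is thrown to the caller.
 */
public void processSAMLRequest() {
    FSUtils.debug.message("FSBrowserArtifactConsumerHandler.processSAMLRequest: Called");
    String baseURL = FSServiceUtils.getBaseURL(request);
    String framedPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, relayState, null, request, baseURL);
    try {
        FSSOAPService soapHelper = FSSOAPService.getInstance();
        samlRequest.setID(samlRequest.getRequestID());
        SOAPMessage msg = soapHelper.bind(samlRequest.toXMLString(true, true));
        if (FSServiceUtils.isSigningOn()) {
            Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
            // Only probed for availability; the signing itself goes through
            // XMLSignatureManager below.
            IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
            if (metaManager == null) {
                FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: could not create meta " + "instance");
                FSUtils.forwardRequest(request, response, framedPageURL);
                return;
            }
            String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.SIGNING_CERT_ALIAS);
            // An empty alias is as unusable as a missing one (same test as
            // signSAMLRequest applies).
            if (certAlias == null || certAlias.length() == 0) {
                FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: couldn't obtain this site's cert" + " alias.");
                FSUtils.forwardRequest(request, response, framedPageURL);
                return;
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: certAlias: " + certAlias);
            }
            XMLSignatureManager manager = XMLSignatureManager.getInstance();
            String sigAlgorithm = SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM);
            // The signed element is referenced by its ID attribute; the
            // attribute name (and, for 1.2, the XPath to the element) depends
            // on the protocol minor version.
            int minorVersion = samlRequest.getMinorVersion();
            if (minorVersion == IFSConstants.FF_11_SAML_PROTOCOL_MINOR_VERSION) {
                manager.signXML(doc, certAlias, sigAlgorithm, IFSConstants.ID, samlRequest.getID(), false);
            } else if (minorVersion == IFSConstants.FF_12_SAML_PROTOCOL_MINOR_VERSION) {
                manager.signXML(doc, certAlias, sigAlgorithm, IFSConstants.REQUEST_ID, samlRequest.getRequestID(), false, IFSConstants.ARTIFACT_XPATH);
            } else {
                // Previously this only logged at message level and then sent
                // the request UNSIGNED although signing is enabled; treat it
                // as a failure like every other signing problem above.
                FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: invalid minor version: " + minorVersion);
                FSUtils.forwardRequest(request, response, framedPageURL);
                return;
            }
            msg = FSServiceUtils.convertDOMToSOAP(doc);
        }
        SOAPMessage retMsg = soapHelper.doSyncCall(response, msg, idpDescriptor, false);
        if (retMsg == null) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: " + FSUtils.bundle.getString("invalidSOAPResponse") + " Response SOAPMessage is null");
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        samlResponseElt = soapHelper.parseSOAPMessage(retMsg);
        // NOTE(review): matched on local name only; the namespace is not
        // checked here, so any further validation of the element is left to
        // the FSResponse constructor.
        String localName = (samlResponseElt == null) ? null : samlResponseElt.getLocalName().trim();
        if ("Fault".equals(localName)) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: " + FSUtils.bundle.getString("invalidSOAPResponse") + " SOAPFault occured");
            String[] data = { FSUtils.bundle.getString("invalidSOAPResponse") };
            LogUtil.error(Level.INFO, LogUtil.INVALID_SOAP_RESPONSE, data);
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        if (!"Response".equals(localName)) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: " + FSUtils.bundle.getString("invalidSOAPResponse") + " SOAP response does not contain samlp:Response");
            String[] data = { FSUtils.bundle.getString("invalidSOAPResponse") };
            LogUtil.error(Level.INFO, LogUtil.INVALID_SOAP_RESPONSE, data);
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        // A constructor cannot return null, so the former null check on this
        // result was dead code; a malformed element surfaces as an exception
        // and is handled in the catch block.
        samlResponse = new FSResponse(samlResponseElt);
        processSAMLResponse((FSResponse) samlResponse);
    } catch (Exception e) {
        // debug.error takes the throwable itself; no need to render the
        // stack trace by hand.
        FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: Exception occured: " + e.getMessage(), e);
        try {
            FSUtils.forwardRequest(request, response, framedPageURL);
        } catch (Exception ex) {
            // Log the forwarding failure itself; the original logged the
            // outer exception a second time here and lost this one.
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLRequest: IOException occured: ", ex);
        }
    }
}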


Class FSAssertionArtifactHandler, method verifyAssertionSignature:

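/**
 * Verifies the XML signature on the response that carried the given
 * assertion, using the IDP's verification certificate from its metadata
 * ({@code KeyUtil.getVerificationCert(idpDescriptor, idpEntityId, true)}).
 *
 * The document checked is the owner document of {@code authnResponse} when
 * one is set, otherwise of {@code samlResponseElt}; with neither available
 * nothing can be verified and {@code false} is returned.
 *
 * NOTE(review): {@code assertion} is consulted only for {@code isSigned()}.
 * What is actually verified is whichever signature
 * {@code XMLSignatureManager.verifyXMLSignature(Document, X509Certificate)}
 * locates in the enclosing document — confirm that this covers the
 * assertion's own {@code ds:Signature}, not only the response's, before
 * relying on this as an assertion-level check.
 *
 * @param assertion the assertion whose signature is to be verified.
 * @return {@code true} only if a signature was present and verified against
 *         the IDP's certificate; {@code false} on any failure (never throws).
 */
protected boolean verifyAssertionSignature(FSAssertion assertion) {
    FSUtils.debug.message("FSAssertionArtifactHandler.verifyAssertionSignature: Called");
    try {
        if (!assertion.isSigned()) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "verifyAssertionSignature: Assertion is not signed");
            }
            return false;
        }
        // This is the IDP's (peer's) certificate, not this site's own; the
        // old log text said "this site's cert", which misleads when reading
        // logs. Returning false directly replaces the throw-then-catch that
        // produced the same result.
        X509Certificate idpCert = KeyUtil.getVerificationCert(idpDescriptor, idpEntityId, true);
        if (idpCert == null) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "verifyAssertionSignature: couldn't obtain the IDP's verification cert.");
            return false;
        }
        // Fully qualified so this file needs no additional import.
        org.w3c.dom.Document toVerify;
        if (authnResponse != null) {
            toVerify = authnResponse.getDOMElement().getOwnerDocument();
        } else if (samlResponseElt != null) {
            toVerify = samlResponseElt.getOwnerDocument();
        } else {
            return false;
        }
        if (FSUtils.debug.messageEnabled()) {
            // Dumps the whole response, assertion included, to the debug log.
            FSUtils.debug.message("FSAssertionArtifactHander." + "verifyAssertionSignature:  xml string to be verified:" + XMLUtils.print((Node) toVerify));
        }
        return XMLSignatureManager.getInstance().verifyXMLSignature(toVerify, idpCert);
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "verifyAssertionSignature: " + "Exception occured while verifying IDP's signature:", e);
        return false;
    }
}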


Class FSAssertionConsumerService, method verifyAuthnResponseSignature:

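/**
 * Verifies the XML signature on an <code>AuthnResponse</code> document with
 * the IDP's verification certificate taken from its metadata.
 *
 * NOTE(review): the whole document is handed to
 * {@code XMLSignatureManager.verifyXMLSignature}; which {@code ds:Signature}
 * element(s) it checks, and whether it ties them to the element the caller
 * consumes, is decided there — confirm when auditing for signature wrapping.
 *
 * @param doc the DOM document carrying the response and its signature.
 * @param idpDescriptor the IDP's metadata descriptor.
 * @param idpEntityId the IDP's entity ID.
 * @return {@code true} if the signature verified; {@code false} if no
 *         verification certificate is available or on any exception.
 */
private boolean verifyAuthnResponseSignature(Document doc, IDPDescriptorType idpDescriptor, String idpEntityId) {
    FSUtils.debug.message("FSAssertionConsumerService.verifyAuthnResponseSignature: Called");
    try {
        // The IDP's (peer's) certificate — the old "this site's cert" log
        // text was wrong and misleading in incident logs.
        X509Certificate idpCert = KeyUtil.getVerificationCert(idpDescriptor, idpEntityId, true);
        if (idpCert == null) {
            FSUtils.debug.error("FSAssertionConsumerService." + "verifyAuthnResponseSignature: couldn't obtain the IDP's verification cert.");
            return false;
        }
        return XMLSignatureManager.getInstance().verifyXMLSignature(doc, idpCert);
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionConsumerService." + "verifyAuthnResponseSignature: Exception occurred while " + "verifying signature: ", e);
        return false;
    }
}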


Class FSNameRegistrationRequest, method signXML:

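/**
 * Signs the <code>FSNameRegistrationRequest</code> object.
 *
 * The element to sign is located by its ID attribute, whose name depends on
 * the protocol minor version ({@code ID} for 1.1, {@code RequestID} for
 * 1.2). On success the signature element is attached, {@code signed} is set
 * and the cached {@code xmlString} is regenerated.
 *
 * @param certAlias the Certificate Alias.
 * @throws SAMLException if this object cannot be signed: it is already
 *         signed, no alias is given, the minor version is neither 1.1 nor
 *         1.2, or producing/parsing the signature fails.
 */
public void signXML(String certAlias) throws SAMLException {
    FSUtils.debug.message("FSNameRegistrationRequest.signXML: Called");
    if (signed) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSNameRegistrationRequest.signXML: " + "the assertion is already signed.");
        }
        throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "alreadySigned", null);
    }
    if (certAlias == null || certAlias.length() == 0) {
        throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "cannotFindCertAlias", null);
    }
    // Resolve the ID attribute up front so an unsupported minor version is
    // rejected explicitly. Previously it only logged at message level and
    // fell through to parse a signatureString that was never produced.
    String idAttrName;
    String idValue;
    if (minorVersion == IFSConstants.FF_11_PROTOCOL_MINOR_VERSION) {
        idAttrName = IFSConstants.ID;
        idValue = this.id;
    } else if (minorVersion == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) {
        idAttrName = IFSConstants.REQUEST_ID;
        idValue = this.getRequestID();
    } else {
        FSUtils.debug.error("FSNameRegistrationRequest.signXML: invalid minor version: " + minorVersion);
        throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "signFailed", null);
    }
    try {
        XMLSignatureManager manager = XMLSignatureManager.getInstance();
        // null algorithm: presumably the manager's default — confirm against
        // XMLSignatureManager.signXML.
        signatureString = manager.signXML(this.toXMLString(true, true), certAlias, null, idAttrName, idValue, false);
        signature = XMLUtils.toDOMDocument(signatureString, FSUtils.debug).getDocumentElement();
        signed = true;
        xmlString = this.toXMLString(true, true);
    } catch (Exception e) {
        // The three-argument SAMLResponderException constructor used here
        // takes no cause, so record it in the log before rethrowing rather
        // than dropping it.
        FSUtils.debug.error("FSNameRegistrationRequest.signXML: signing failed", e);
        throw new SAMLResponderException(FSUtils.BUNDLE_NAME, "signFailed", null);
    }
}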
