Example 26 with XMLSignatureManager
use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.
the class FSNameRegistrationHandler method verifyResponseSignature.
/**
* Verifies the Name registration response received
* from the IDP before processing locally.
* @param msg the response message
* @param isIDP whether the remote provider is an IDP or not
* @return <code>true</code> if signature is valid; <code>false</code>
* otherwise.
*/
protected boolean verifyResponseSignature(SOAPMessage msg, boolean isIDP) {
FSUtils.debug.message("Entered FSNameRegistrationHandler::verifyResponseSignature");
try {
X509Certificate cert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
if (cert == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Registration.verifyResponseSignature" + "couldn't obtain this site's cert .");
}
throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("NameRegistration.verifyResponseSignature" + ": Provider's cert is found.");
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
return manager.verifyXMLSignature(doc, cert);
} catch (SAMLException e) {
FSUtils.debug.error("Error in verifying response ", e);
return false;
}
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
SAMLException(com.sun.identity.saml.common.SAMLException)
X509Certificate(java.security.cert.X509Certificate)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 27 with XMLSignatureManager
use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.
the class SecurityAssertion method isSignatureValid.
/**
* Return whether the signature is valid.
*
* @return true if the signature is valid.
*/
public boolean isSignatureValid() {
if (signed & !validationDone) {
try {
XMLSignatureManager manager = XMLSignatureManager.getInstance();
valid = manager.verifyXMLSignature(xmlString, ASSERTION_ID_ATTRIBUTE, verifyingCertAlias);
} catch (Exception e) {
if (SAMLUtils.debug.warningEnabled()) {
SAMLUtils.debug.warning("SecurityAssertion.isSignatureValid: " + " signature validation exception", e);
}
valid = false;
}
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("SAMLUtils.checkSignatureValid:" + " valid = " + valid);
}
validationDone = true;
}
return valid;
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
SAMLException(com.sun.identity.saml.common.SAMLException)
ParseException(java.text.ParseException)
Example 28 with XMLSignatureManager
use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.
the class FSSSOBrowserArtifactProfileHandler method verifySAMLRequestSignature.
protected boolean verifySAMLRequestSignature(Element samlRequestElement, SOAPMessage msg) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: Called");
}
try {
X509Certificate cert = KeyUtil.getVerificationCert(spDescriptor, spEntityId, false);
if (cert == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: couldn't obtain " + "this site's cert.");
}
throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
return manager.verifyXMLSignature(doc, cert);
} catch (Exception e) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: Exception occured while " + "verifying IDP's signature:", e);
return false;
}
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
X509Certificate(java.security.cert.X509Certificate)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
SessionException(com.sun.identity.plugin.session.SessionException)
SAMLException(com.sun.identity.saml.common.SAMLException)
FSException(com.sun.identity.federation.common.FSException)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 29 with XMLSignatureManager
use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.
the class FSSSOBrowserPostProfileHandler method sendAuthnResponse.
protected void sendAuthnResponse(FSAuthnResponse authnResponse) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler.sendAuthnResponse: Called");
try {
authnResponse.setProviderId(hostedEntityId);
Document doc = XMLUtils.toDOMDocument(authnResponse.toXMLString(true, true), FSUtils.debug);
//sign assertions
if (FSServiceUtils.isSigningOn() || FSServiceUtils.isSigningOptional()) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: start signing assertions");
}
List assList = authnResponse.getAssertion();
if (assList != null) {
Iterator iter = assList.iterator();
while (iter.hasNext()) {
FSAssertion assertion = (FSAssertion) iter.next();
String id = assertion.getID();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: id attr is" + id);
}
String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
if (certAlias == null) {
FSUtils.debug.error("SOAPReceiver.onMessage: " + "couldn't obtain this site's cert alias.");
return;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: Site's certAlias is " + certAlias);
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
int minorVersion = assertion.getMinorVersion();
if (minorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ID, id, false);
} else if (minorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || minorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ASSERTION_ID, assertion.getAssertionID(), false);
} else {
FSUtils.debug.message("invalid minor version.");
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: SignatureManager " + "finished signing ");
}
}
}
}
String respStr = FSServiceUtils.printDocument(doc);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: Signed AuthnResponse: " + respStr);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respStr };
LogUtil.access(Level.FINER, LogUtil.CREATE_AUTHN_RESPONSE, data, ssoToken);
} else {
String[] data = { FSUtils.bundle.getString("responseID") + "=" + authnResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + authnResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.CREATE_AUTHN_RESPONSE, data, ssoToken);
}
String b64Resp = Base64.encode(respStr.getBytes());
String targetURL = FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID());
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.println("<HTML>");
out.println("<BODY Onload=\"document.Response.submit()\">");
out.println("<FORM NAME=\"Response\" METHOD=\"POST\" ACTION=\"" + targetURL + "\">");
out.println("<INPUT TYPE=\"HIDDEN\" NAME=\"" + IFSConstants.POST_AUTHN_RESPONSE_PARAM + "\" " + "VALUE=\"" + b64Resp + "\"/>");
out.println("</FORM>");
out.println("</BODY></HTML>");
out.close();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserPostProfileHandler:send" + "AuthnResponse: AuthnResponse sent successfully to: " + targetURL);
}
String[] data = { targetURL, FSUtils.bundle.getString("responseID") + "=" + authnResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + authnResponse.getInResponseTo() };
LogUtil.access(Level.INFO, LogUtil.SENT_AUTHN_RESPONSE, data, ssoToken);
return;
} catch (Exception ex) {
FSUtils.debug.error("FSSSOBrowserPostProfileHandler:sendAuthn" + "Response:", ex);
return;
}
}
Also used :
FSAssertion(com.sun.identity.federation.message.FSAssertion)
Iterator(java.util.Iterator)
List(java.util.List)
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
FSException(com.sun.identity.federation.common.FSException)
PrintWriter(java.io.PrintWriter)
Example 30 with XMLSignatureManager
use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.
the class FSSSOWMLPostProfileHandler method sendAuthnResponse.
protected void sendAuthnResponse(FSAuthnResponse authnResponse) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler.sendAuthnResponse: Called");
try {
authnResponse.setProviderId(hostedEntityId);
Document doc = XMLUtils.toDOMDocument(authnResponse.toXMLString(true, true), FSUtils.debug);
//sign assertions
if (FSServiceUtils.isSigningOn()) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: start signing assertions");
}
List assList = authnResponse.getAssertion();
if (assList != null) {
Iterator iter = assList.iterator();
while (iter.hasNext()) {
FSAssertion assertion = (FSAssertion) iter.next();
String id = assertion.getID();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: id attr is" + id);
}
String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
if (certAlias == null) {
FSUtils.debug.error("SOAPReceiver.onMessage: " + "couldn't obtain this site's cert alias.");
return;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: Site's certAlias is " + certAlias);
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
int minorVersion = assertion.getMinorVersion();
if (minorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ID, id, false);
} else if (minorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || minorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ASSERTION_ID, assertion.getAssertionID(), false);
} else {
FSUtils.debug.message("invalid minor version.");
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: SignatureManager" + " finished signing ");
}
}
}
}
String respStr = FSServiceUtils.printDocument(doc);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: Signed AuthnResponse: " + respStr);
}
String b64Resp = Base64.encode(respStr.getBytes());
response.setContentType("text/vnd.wap.wml");
response.setHeader("Pragma", "no-cache");
response.setHeader("Cache-Control", "no-cache");
PrintWriter out = response.getWriter();
out.println("<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.1//EN\" " + "\"http://www.wapforum.org/DTD/wml_1.1.xml\">");
out.println("<wml>");
out.println("<card id=\"response\" title=\"IDP Response\">");
out.println("<onevent type=\"onenterforward\">");
out.println("<go method=\"post\" href=\"" + FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID()) + "\">");
out.println("<postfield name=\"" + IFSConstants.POST_AUTHN_RESPONSE_PARAM + "\" " + "value=\"" + b64Resp + "\"/>");
out.println("</go>");
out.println("</onevent>");
out.println("<onevent type=\"onenterbackward\">");
out.println("<prev/>");
out.println("</onevent>");
out.println("</card>");
out.println("</wml>");
out.close();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler:sendAuthnResponse: " + "AuthnResponse sent successfully to: " + FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID()));
}
} catch (Exception ex) {
FSUtils.debug.message("FSSSOWMLPostProfileHandler:sendAuthnResponse: " + "Failed to send AuthnResponse");
}
}
Also used :
FSAssertion(com.sun.identity.federation.message.FSAssertion)
Iterator(java.util.Iterator)
List(java.util.List)
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
PrintWriter(java.io.PrintWriter)
Aggregations
XMLSignatureManager (com.sun.identity.saml.xmlsig.XMLSignatureManager)34
SAMLException (com.sun.identity.saml.common.SAMLException)22
SAMLResponderException (com.sun.identity.saml.common.SAMLResponderException)22
Document (org.w3c.dom.Document)17
FSMsgException (com.sun.identity.federation.message.common.FSMsgException)15
ParseException (java.text.ParseException)10
FSException (com.sun.identity.federation.common.FSException)7
X509Certificate (java.security.cert.X509Certificate)7
SAMLVersionMismatchException (com.sun.identity.saml.common.SAMLVersionMismatchException)5
IOException (java.io.IOException)5
FSAssertion (com.sun.identity.federation.message.FSAssertion)4
SystemConfigurationException (com.sun.identity.common.SystemConfigurationException)3
IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)3
SessionException (com.sun.identity.plugin.session.SessionException)3
FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)2
FSNameIdentifierMappingResponse (com.sun.identity.federation.message.FSNameIdentifierMappingResponse)2
FSResponse (com.sun.identity.federation.message.FSResponse)2
IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)2
PrintWriter (java.io.PrintWriter)2
Iterator (java.util.Iterator)2
