Example 26 with XMLSignatureManager

Use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.

From the class FSNameRegistrationHandler, method verifyResponseSignature.

/**
 * Verifies the Name registration response received
 * from the IDP before processing locally.
 * @param msg the response message
 * @param isIDP whether the remote provider is an IDP or not
 * @return <code>true</code> if signature is valid; <code>false</code>
 *  otherwise.
 */
protected boolean verifyResponseSignature(SOAPMessage msg, boolean isIDP) {
    FSUtils.debug.message("Entered FSNameRegistrationHandler::verifyResponseSignature");
    try {
        // The verification certificate is looked up from the remote provider's
        // metadata (remoteDescriptor), not taken from the incoming message.
        X509Certificate cert = KeyUtil.getVerificationCert(remoteDescriptor, remoteEntityId, isIDP);
        if (cert == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Registration.verifyResponseSignature: " + "couldn't obtain this site's cert.");
            }
            throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("NameRegistration.verifyResponseSignature" + ": Provider's cert is found.");
        }
        XMLSignatureManager manager = XMLSignatureManager.getInstance();
        // Convert the SOAP message to a DOM so the enveloped XML signature can be checked.
        Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
        return manager.verifyXMLSignature(doc, cert);
    } catch (SAMLException e) {
        // Any failure to obtain the certificate or parse the message is treated as an invalid signature.
        FSUtils.debug.error("Error in verifying response ", e);
        return false;
    }
}
Also used: XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager) Document(org.w3c.dom.Document) SAMLException(com.sun.identity.saml.common.SAMLException) X509Certificate(java.security.cert.X509Certificate) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)

Example 27 with XMLSignatureManager

Use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.

From the class SecurityAssertion, method isSignatureValid.

/**
 * Return whether the signature is valid.
 *
 * @return true if the signature is valid.
 */
public boolean isSignatureValid() {
    // Verification runs at most once per assertion; the result is cached in 'valid'.
    if (signed && !validationDone) {
        try {
            XMLSignatureManager manager = XMLSignatureManager.getInstance();
            // Verify against the certificate stored under verifyingCertAlias,
            // locating the signed element by its AssertionID attribute.
            valid = manager.verifyXMLSignature(xmlString, ASSERTION_ID_ATTRIBUTE, verifyingCertAlias);
        } catch (Exception e) {
            if (SAMLUtils.debug.warningEnabled()) {
                SAMLUtils.debug.warning("SecurityAssertion.isSignatureValid: " + " signature validation exception", e);
            }
            valid = false;
        }
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("SAMLUtils.checkSignatureValid:" + " valid = " + valid);
        }
        validationDone = true;
    }
    // Note: an unsigned assertion returns the initial value of 'valid'; callers must
    // check 'signed' separately if they require a signature to be present.
    return valid;
}
Also used: XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager) SAMLException(com.sun.identity.saml.common.SAMLException) ParseException(java.text.ParseException)

Example 28 with XMLSignatureManager

Use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.

From the class FSSSOBrowserArtifactProfileHandler, method verifySAMLRequestSignature.

protected boolean verifySAMLRequestSignature(Element samlRequestElement, SOAPMessage msg) {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: Called");
    }
    try {
        // The signing certificate is taken from the SP's metadata (spDescriptor).
        X509Certificate cert = KeyUtil.getVerificationCert(spDescriptor, spEntityId, false);
        if (cert == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: couldn't obtain " + "this site's cert.");
            }
            throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        XMLSignatureManager manager = XMLSignatureManager.getInstance();
        Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
        return manager.verifyXMLSignature(doc, cert);
    } catch (Exception e) {
        // Fail closed: any exception during verification is reported as an invalid signature.
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "verifySAMLRequestSignature: Exception occurred while " + "verifying IDP's signature:", e);
        return false;
    }
}
Also used: XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager) Document(org.w3c.dom.Document) X509Certificate(java.security.cert.X509Certificate) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SessionException(com.sun.identity.plugin.session.SessionException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException)

Example 29 with XMLSignatureManager

Use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.

From the class FSSSOBrowserPostProfileHandler, method sendAuthnResponse.

protected void sendAuthnResponse(FSAuthnResponse authnResponse) {
    FSUtils.debug.message("FSSSOBrowserPostProfileHandler.sendAuthnResponse: Called");
    try {
        authnResponse.setProviderId(hostedEntityId);
        Document doc = XMLUtils.toDOMDocument(authnResponse.toXMLString(true, true), FSUtils.debug);
        //sign assertions
        if (FSServiceUtils.isSigningOn() || FSServiceUtils.isSigningOptional()) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: start signing assertions");
            }
            List assList = authnResponse.getAssertion();
            if (assList != null) {
                Iterator iter = assList.iterator();
                while (iter.hasNext()) {
                    FSAssertion assertion = (FSAssertion) iter.next();
                    String id = assertion.getID();
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: id attr is " + id);
                    }
                    String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
                    if (certAlias == null) {
                        FSUtils.debug.error("FSSSOBrowserPostProfileHandler.sendAuthnResponse: " + "couldn't obtain this site's cert alias.");
                        return;
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: Site's certAlias is " + certAlias);
                    }
                    XMLSignatureManager manager = XMLSignatureManager.getInstance();
                    int minorVersion = assertion.getMinorVersion();
                    if (minorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                        manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ID, id, false);
                    } else if (minorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || minorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
                        manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ASSERTION_ID, assertion.getAssertionID(), false);
                    } else {
                        // No signature is applied for an unrecognised minor version, yet the
                        // response is still sent below; this assertion therefore goes out unsigned.
                        FSUtils.debug.message("invalid minor version.");
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: SignatureManager " + "finished signing ");
                    }
                }
            }
        }
        String respStr = FSServiceUtils.printDocument(doc);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserPostProfileHandler." + "sendAuthnResponse: Signed AuthnResponse: " + respStr);
        }
        if (LogUtil.isAccessLoggable(Level.FINER)) {
            String[] data = { respStr };
            LogUtil.access(Level.FINER, LogUtil.CREATE_AUTHN_RESPONSE, data, ssoToken);
        } else {
            String[] data = { FSUtils.bundle.getString("responseID") + "=" + authnResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + authnResponse.getInResponseTo() };
            LogUtil.access(Level.INFO, LogUtil.CREATE_AUTHN_RESPONSE, data, ssoToken);
        }
        // Encode with an explicit charset rather than the platform default.
        String b64Resp = Base64.encode(respStr.getBytes(StandardCharsets.UTF_8));
        String targetURL = FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID());
        // Auto-submitting HTML form that POSTs the Base64 response to the SP's assertion consumer service.
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<HTML>");
        out.println("<BODY Onload=\"document.Response.submit()\">");
        out.println("<FORM NAME=\"Response\" METHOD=\"POST\" ACTION=\"" + targetURL + "\">");
        out.println("<INPUT TYPE=\"HIDDEN\" NAME=\"" + IFSConstants.POST_AUTHN_RESPONSE_PARAM + "\" " + "VALUE=\"" + b64Resp + "\"/>");
        out.println("</FORM>");
        out.println("</BODY></HTML>");
        out.close();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserPostProfileHandler:send" + "AuthnResponse: AuthnResponse sent successfully to: " + targetURL);
        }
        String[] data = { targetURL, FSUtils.bundle.getString("responseID") + "=" + authnResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + authnResponse.getInResponseTo() };
        LogUtil.access(Level.INFO, LogUtil.SENT_AUTHN_RESPONSE, data, ssoToken);
        return;
    } catch (Exception ex) {
        FSUtils.debug.error("FSSSOBrowserPostProfileHandler:sendAuthn" + "Response:", ex);
        return;
    }
}
Also used: FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) List(java.util.List) XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager) Document(org.w3c.dom.Document) FSException(com.sun.identity.federation.common.FSException) PrintWriter(java.io.PrintWriter)

Example 30 with XMLSignatureManager

Use of com.sun.identity.saml.xmlsig.XMLSignatureManager in project OpenAM by OpenRock.

From the class FSSSOWMLPostProfileHandler, method sendAuthnResponse.

protected void sendAuthnResponse(FSAuthnResponse authnResponse) {
    FSUtils.debug.message("FSSSOWMLPostProfileHandler.sendAuthnResponse: Called");
    try {
        authnResponse.setProviderId(hostedEntityId);
        Document doc = XMLUtils.toDOMDocument(authnResponse.toXMLString(true, true), FSUtils.debug);
        //sign assertions
        if (FSServiceUtils.isSigningOn()) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: start signing assertions");
            }
            List assList = authnResponse.getAssertion();
            if (assList != null) {
                Iterator iter = assList.iterator();
                while (iter.hasNext()) {
                    FSAssertion assertion = (FSAssertion) iter.next();
                    String id = assertion.getID();
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: id attr is " + id);
                    }
                    String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
                    if (certAlias == null) {
                        FSUtils.debug.error("FSSSOWMLPostProfileHandler.sendAuthnResponse: " + "couldn't obtain this site's cert alias.");
                        return;
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: Site's certAlias is " + certAlias);
                    }
                    XMLSignatureManager manager = XMLSignatureManager.getInstance();
                    int minorVersion = assertion.getMinorVersion();
                    if (minorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                        manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ID, id, false);
                    } else if (minorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || minorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
                        manager.signXML(doc, certAlias, SystemConfigurationUtil.getProperty(SAMLConstants.XMLSIG_ALGORITHM), IFSConstants.ASSERTION_ID, assertion.getAssertionID(), false);
                    } else {
                        // No signature is applied for an unrecognised minor version, yet the
                        // response is still sent below; this assertion therefore goes out unsigned.
                        FSUtils.debug.message("invalid minor version.");
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: SignatureManager" + " finished signing ");
                    }
                }
            }
        }
        String respStr = FSServiceUtils.printDocument(doc);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOWMLPostProfileHandler." + "sendAuthnResponse: Signed AuthnResponse: " + respStr);
        }
        // Encode with an explicit charset rather than the platform default.
        String b64Resp = Base64.encode(respStr.getBytes(StandardCharsets.UTF_8));
        response.setContentType("text/vnd.wap.wml");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Cache-Control", "no-cache");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.1//EN\" " + "\"http://www.wapforum.org/DTD/wml_1.1.xml\">");
        out.println("<wml>");
        out.println("<card id=\"response\" title=\"IDP Response\">");
        out.println("<onevent type=\"onenterforward\">");
        out.println("<go method=\"post\" href=\"" + FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID()) + "\">");
        out.println("<postfield name=\"" + IFSConstants.POST_AUTHN_RESPONSE_PARAM + "\" " + "value=\"" + b64Resp + "\"/>");
        out.println("</go>");
        out.println("</onevent>");
        out.println("<onevent type=\"onenterbackward\">");
        out.println("<prev/>");
        out.println("</onevent>");
        out.println("</card>");
        out.println("</wml>");
        out.close();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOWMLPostProfileHandler:sendAuthnResponse: " + "AuthnResponse sent successfully to: " + FSServiceUtils.getAssertionConsumerServiceURL(spDescriptor, authnRequest.getAssertionConsumerServiceID()));
        }
    } catch (Exception ex) {
        // Log at error level and keep the exception; silently dropping it hides the failure cause.
        FSUtils.debug.error("FSSSOWMLPostProfileHandler:sendAuthnResponse: " + "Failed to send AuthnResponse", ex);
    }
}
Also used: FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) List(java.util.List) XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager) Document(org.w3c.dom.Document) PrintWriter(java.io.PrintWriter)

Aggregations (class, number of usages):

XMLSignatureManager (com.sun.identity.saml.xmlsig.XMLSignatureManager) 34
SAMLException (com.sun.identity.saml.common.SAMLException) 22
SAMLResponderException (com.sun.identity.saml.common.SAMLResponderException) 22
Document (org.w3c.dom.Document) 17
FSMsgException (com.sun.identity.federation.message.common.FSMsgException) 15
ParseException (java.text.ParseException) 10
FSException (com.sun.identity.federation.common.FSException) 7
X509Certificate (java.security.cert.X509Certificate) 7
SAMLVersionMismatchException (com.sun.identity.saml.common.SAMLVersionMismatchException) 5
IOException (java.io.IOException) 5
FSAssertion (com.sun.identity.federation.message.FSAssertion) 4
SystemConfigurationException (com.sun.identity.common.SystemConfigurationException) 3
IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException) 3
SessionException (com.sun.identity.plugin.session.SessionException) 3
FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException) 2
FSNameIdentifierMappingResponse (com.sun.identity.federation.message.FSNameIdentifierMappingResponse) 2
FSResponse (com.sun.identity.federation.message.FSResponse) 2
IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager) 2
PrintWriter (java.io.PrintWriter) 2
Iterator (java.util.Iterator) 2