
Example 1 with EncryptedAttribute

use of com.sun.identity.saml2.assertion.EncryptedAttribute in project OpenAM by OpenRock.

From class IDPSSOUtil, method signAndEncryptResponseComponents.

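/**
 * Signs and encrypts the components of a <code>SAML Response</code> according to the
 * service provider's meta data flags.
 * <p>
 * Exactly one of three encryption shapes is produced:
 * <ul>
 * <li>WANT_ASSERTION_ENCRYPTED: the whole embedded <code>Assertion</code> is replaced by an
 *     <code>EncryptedAssertion</code>; the NameID/Attribute flags are not consulted.</li>
 * <li>WANT_NAMEID_ENCRYPTED: the <code>NameID</code> in the assertion's <code>Subject</code>
 *     is replaced by an <code>EncryptedID</code>.</li>
 * <li>WANT_ATTRIBUTE_ENCRYPTED: each <code>Attribute</code> in every
 *     <code>AttributeStatement</code> is replaced by an <code>EncryptedAttribute</code>.</li>
 * </ul>
 * The NameID and Attribute cases may both apply to the same assertion.
 * <p>
 * Ordering is sign-then-encrypt: when <code>signAssertion</code> is set the assertion is
 * signed after any embedded NameID/Attribute encryption (so the signature covers the
 * encrypted forms) and before whole-assertion encryption (so the signature itself is hidden
 * inside the <code>EncryptedAssertion</code>).
 * <p>
 * Only the first assertion of the response is processed; a null response or one with no
 * assertions is left untouched. An assertion that carries no NameID when NameID encryption
 * is requested is no longer abandoned unsigned: the NameID step is skipped and attribute
 * encryption and signing still take place.
 *
 * @param realm         the realm name of the identity provider
 * @param spEntityID    the entity id of the service provider
 * @param idpEntityID   the entity id of the identity provider
 * @param res           the <code>Response</code> whose components may be encrypted based on
 *                      the service provider meta data setting; updated in place
 * @param signAssertion whether the <code>Assertion</code> must be signed
 * @throws SAML2Exception if the SP's encryption key info cannot be found, or if any
 *                        encryption step returns null
 */
static void signAndEncryptResponseComponents(String realm, String spEntityID, String idpEntityID, Response res, boolean signAssertion) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.signAndEncryptResponseComponents: ";
    if (res == null) {
        return;
    }
    List assertions = res.getAssertion();
    if ((assertions == null) || assertions.isEmpty()) {
        return;
    }
    Assertion assertion = (Assertion) assertions.get(0);

    boolean toEncryptAssertion = spConfigFlagIsTrue(realm, spEntityID, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    boolean toEncryptNameID = false;
    boolean toEncryptAttribute = false;
    if (!toEncryptAssertion) {
        // Partial encryption is only relevant when the whole assertion stays in the clear.
        toEncryptNameID = spConfigFlagIsTrue(realm, spEntityID, SAML2Constants.WANT_NAMEID_ENCRYPTED);
        toEncryptAttribute = spConfigFlagIsTrue(realm, spEntityID, SAML2Constants.WANT_ATTRIBUTE_ENCRYPTED);
    }

    if (!toEncryptAssertion && !toEncryptNameID && !toEncryptAttribute) {
        // No encryption requested: sign if asked, otherwise leave the response as is.
        if (signAssertion) {
            signAssertion(realm, idpEntityID, assertion);
            setSingleAssertion(res, assertion);
        }
        return;
    }

    SPSSODescriptorElement spSSODescriptorElement = getSPSSODescriptor(realm, spEntityID, classMethod);
    EncInfo encInfo = KeyUtil.getEncInfo(spSSODescriptorElement, spEntityID, SAML2Constants.SP_ROLE);
    if (encInfo == null) {
        SAML2Utils.debug.error(classMethod + "failed to get service provider encryption key info.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
    }

    if (toEncryptAssertion) {
        // Sign first so the signature travels inside the ciphertext.
        if (signAssertion) {
            signAssertion(realm, idpEntityID, assertion);
        }
        EncryptedAssertion encryptedAssertion = assertion.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), spEntityID);
        if (encryptedAssertion == null) {
            SAML2Utils.debug.error(classMethod + "failed to encrypt the assertion.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptAssertion"));
        }
        List encryptedList = new ArrayList();
        encryptedList.add(encryptedAssertion);
        res.setEncryptedAssertion(encryptedList);
        // The plaintext assertion must not remain alongside its encrypted copy.
        res.setAssertion(new ArrayList());
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Assertion encrypted.");
        }
        return;
    }

    if (toEncryptNameID) {
        encryptSubjectNameID(assertion, encInfo, spEntityID, classMethod);
    }
    if (toEncryptAttribute) {
        encryptStatementAttributes(assertion, encInfo, spEntityID, classMethod);
    }
    // Sign last so the signature covers the EncryptedID / EncryptedAttribute elements.
    if (signAssertion) {
        signAssertion(realm, idpEntityID, assertion);
    }
    setSingleAssertion(res, assertion);
}

/** Reads a boolean SP-role attribute from the SP's extended SSO config; unset counts as false. */
private static boolean spConfigFlagIsTrue(String realm, String spEntityID, String attributeName) {
    String value = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, attributeName);
    return (value != null) && value.equals(SAML2Constants.TRUE);
}

/** Replaces the response's assertion list with a single-element list holding {@code assertion}. */
private static void setSingleAssertion(Response res, Assertion assertion) {
    List assertionList = new ArrayList();
    assertionList.add(assertion);
    res.setAssertion(assertionList);
}

/**
 * Replaces the assertion's Subject NameID with an EncryptedID.
 * <p>
 * When the assertion has no Subject or no NameID there is nothing to encrypt and the assertion
 * is left unchanged. This is deliberately not an early return out of the caller, so attribute
 * encryption and assertion signing still happen for such an assertion.
 *
 * @throws SAML2Exception if NameID encryption returns null
 */
private static void encryptSubjectNameID(Assertion assertion, EncInfo encInfo, String spEntityID, String classMethod) throws SAML2Exception {
    Subject subject = assertion.getSubject();
    NameID nameID = (subject == null) ? null : subject.getNameID();
    if (nameID == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "no NameID present, nothing to encrypt.");
        }
        return;
    }
    EncryptedID encryptedNameID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), spEntityID);
    if (encryptedNameID == null) {
        SAML2Utils.debug.error(classMethod + "failed to encrypt the NameID.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptNameID"));
    }
    subject.setEncryptedID(encryptedNameID);
    // Drop the plaintext NameID; the Subject must not carry both forms.
    subject.setNameID(null);
    assertion.setSubject(subject);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "NameID encrypted.");
    }
}

/**
 * Replaces every cleartext Attribute in the assertion's AttributeStatements with an
 * EncryptedAttribute. A statement that already carries only EncryptedAttributes is kept as is
 * rather than being dropped from the assertion; a statement with no attributes at all is dropped.
 *
 * @throws SAML2Exception if Attribute encryption returns null
 */
private static void encryptStatementAttributes(Assertion assertion, EncInfo encInfo, String spEntityID, String classMethod) throws SAML2Exception {
    List attributeStatements = assertion.getAttributeStatements();
    if ((attributeStatements == null) || attributeStatements.isEmpty()) {
        return;
    }
    List rewrittenStatements = new ArrayList();
    for (int i = 0; i < attributeStatements.size(); i++) {
        AttributeStatement attributeStatement = (AttributeStatement) attributeStatements.get(i);
        List attributes = attributeStatement.getAttribute();
        if ((attributes == null) || attributes.isEmpty()) {
            // Nothing to encrypt here; keep the statement only if it already has encrypted content.
            List alreadyEncrypted = attributeStatement.getEncryptedAttribute();
            if ((alreadyEncrypted != null) && !alreadyEncrypted.isEmpty()) {
                rewrittenStatements.add(attributeStatement);
            }
            continue;
        }
        List encryptedAttributes = new ArrayList();
        for (int j = 0; j < attributes.size(); j++) {
            Attribute attribute = (Attribute) attributes.get(j);
            EncryptedAttribute encryptedAttribute = attribute.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), spEntityID);
            if (encryptedAttribute == null) {
                SAML2Utils.debug.error(classMethod + "failed to encrypt the Attribute.");
                throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptAttribute"));
            }
            encryptedAttributes.add(encryptedAttribute);
        }
        attributeStatement.setEncryptedAttribute(encryptedAttributes);
        // Clear the plaintext attributes so only the encrypted forms are emitted.
        attributeStatement.setAttribute(new ArrayList());
        rewrittenStatements.add(attributeStatement);
    }
    assertion.setAttributeStatements(rewrittenStatements);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Attribute encrypted.");
    }
}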

Example 2 with EncryptedAttribute

use of com.sun.identity.saml2.assertion.EncryptedAttribute in project OpenAM by OpenRock.

From class DefaultLibrarySPAccountMapper, method getAttribute.

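/**
 * Returns the values of the named attribute from an <code>AttributeStatement</code>,
 * decrypting any <code>EncryptedAttribute</code> elements with the supplied keys first.
 * <p>
 * Cleartext and decrypted attributes are searched together; this method does not require the
 * attribute to have been encrypted. Whether encryption was mandatory is enforced elsewhere
 * (see the <code>needAttributeEncrypted</code> check in SPACSUtils.getSAMLAttributes).
 * The name comparison is case-insensitive, as in the original implementation.
 *
 * @param statement      the statement to search; its own attribute list is never modified
 * @param attributeName  the attribute name to match (case-insensitive)
 * @param decryptionKeys private keys tried when decrypting <code>EncryptedAttribute</code>s
 * @return the attribute's values, or null when the attribute is absent, has no values, the
 *         statement carries no attributes, or an <code>EncryptedAttribute</code> cannot be
 *         decrypted (the failure is logged)
 */
private Set<String> getAttribute(AttributeStatement statement, String attributeName, Set<PrivateKey> decryptionKeys) {
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getAttribute: attribute Name =" + attributeName);
    }
    List<Attribute> clearAttributes = statement.getAttribute();
    List<EncryptedAttribute> encryptedAttributes = statement.getEncryptedAttribute();

    // Build the union in a fresh list: statement.getAttribute() may be null (a statement with
    // only encrypted attributes, or none), and the original code dereferenced it when there was
    // nothing to decrypt.
    List<Attribute> candidates = new ArrayList<>();
    if (clearAttributes != null) {
        candidates.addAll(clearAttributes);
    }
    if (encryptedAttributes != null) {
        for (EncryptedAttribute encryptedAttribute : encryptedAttributes) {
            try {
                candidates.add(encryptedAttribute.decrypt(decryptionKeys));
            } catch (SAML2Exception se) {
                // A single undecryptable attribute fails the whole lookup; do not fall back to
                // whatever cleartext attributes happen to be present.
                debug.error("Decryption error:", se);
                return null;
            }
        }
    }

    for (Attribute attribute : candidates) {
        if (!attributeName.equalsIgnoreCase(attribute.getName())) {
            continue;
        }
        List<String> values = attribute.getAttributeValueString();
        if (values == null || values.isEmpty()) {
            return null;
        }
        return new HashSet<>(values);
    }
    return null;
}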

Example 3 with EncryptedAttribute

use of com.sun.identity.saml2.assertion.EncryptedAttribute in project OpenAM by OpenRock.

From class SPACSUtils, method getSAMLAttributes.

/**
 * Collects the attributes carried by every <code>AttributeStatement</code> of an assertion,
 * decrypting <code>EncryptedAttribute</code> elements with the supplied private keys.
 * <p>
 * When <code>needAttributeEncrypted</code> is set, any statement holding at least one
 * cleartext <code>Attribute</code> causes the whole assertion's attributes to be rejected
 * (null is returned and an error logged), so an IdP cannot downgrade a mandatory-encryption
 * SP by sending attributes in the clear.
 *
 * @param assertion              the assertion whose attribute statements are read; may be null
 * @param needAttributeEncrypted whether cleartext attributes must be rejected
 * @param privateKeys            private keys used to decrypt encrypted attributes
 * @return the attributes found, in statement order; null when the assertion is null, has no
 *         attribute statements, no statement contributed a list, a cleartext attribute was
 *         found while encryption is mandatory, or a decryption failed
 */
public static List<Attribute> getSAMLAttributes(Assertion assertion, boolean needAttributeEncrypted, Set<PrivateKey> privateKeys) {
    if (assertion == null) {
        return null;
    }
    List<AttributeStatement> statements = assertion.getAttributeStatements();
    if (!CollectionUtils.isNotEmpty(statements)) {
        return null;
    }
    // Stays null until some statement supplies a list, matching the original's null contract.
    List<Attribute> collected = null;
    for (AttributeStatement statement : statements) {
        List<Attribute> clear = statement.getAttribute();
        boolean hasClear = clear != null && !clear.isEmpty();
        if (needAttributeEncrypted && hasClear) {
            SAML2Utils.debug.error("Attribute not encrypted.");
            return null;
        }
        if (clear != null) {
            if (collected == null) {
                collected = new ArrayList<>();
            }
            collected.addAll(clear);
        }
        List<EncryptedAttribute> encrypted = statement.getEncryptedAttribute();
        if (encrypted == null) {
            continue;
        }
        for (EncryptedAttribute encAttr : encrypted) {
            if (collected == null) {
                collected = new ArrayList<>();
            }
            try {
                collected.add(encAttr.decrypt(privateKeys));
            } catch (SAML2Exception se) {
                // One undecryptable attribute rejects the lot rather than silently dropping it.
                SAML2Utils.debug.error("Decryption error:", se);
                return null;
            }
        }
    }
    return collected;
}

Example 4 with EncryptedAttribute

use of com.sun.identity.saml2.assertion.EncryptedAttribute in project OpenAM by OpenRock.

From class AttributeStatementImpl, method parseElement.

// used by the constructors.
/**
 * Populates this statement from a DOM <code>AttributeStatement</code> element.
 * <p>
 * Child elements named <code>Attribute</code> and <code>EncryptedAttribute</code> are parsed
 * into the {@code attrs} and {@code encAttrs} lists; any other named child is rejected. Nodes
 * without a local name (text, comments) are ignored. After parsing, {@code validateData()} runs,
 * both lists are made unmodifiable and the instance is marked immutable.
 * <p>
 * NOTE(review): children are matched on local name only; whether the namespace is verified
 * depends on the factory's element parsers, which are not visible here.
 *
 * @param element the <code>AttributeStatement</code> element to parse
 * @throws SAML2Exception if the element is null, is not an AttributeStatement, contains an
 *                        unexpected child, or validation fails
 */
private void parseElement(Element element) throws SAML2Exception {
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("AttributeStatementImpl.parseElement: Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    if (!SAML2SDKUtils.checkStatement(element, "AttributeStatement")) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("AttributeStatementImpl.parseElement: not AttributeStatement.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }

    NodeList children = element.getChildNodes();
    int count = children.getLength();
    for (int idx = 0; idx < count; idx++) {
        Node child = children.item(idx);
        String localName = child.getLocalName();
        if (localName == null) {
            continue;
        }
        switch (localName) {
            case "Attribute":
                if (attrs == null) {
                    attrs = new ArrayList();
                }
                attrs.add(AssertionFactory.getInstance().createAttribute((Element) child));
                break;
            case "EncryptedAttribute":
                if (encAttrs == null) {
                    encAttrs = new ArrayList();
                }
                encAttrs.add(AssertionFactory.getInstance().createEncryptedAttribute((Element) child));
                break;
            default:
                if (SAML2SDKUtils.debug.messageEnabled()) {
                    SAML2SDKUtils.debug.message("AttributeStatementImpl.parse Element: Invalid element:" + localName);
                }
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElement"));
        }
    }

    validateData();
    // Freeze the parsed lists so a parsed statement cannot be altered after validation.
    if (attrs != null) {
        attrs = Collections.unmodifiableList(attrs);
    }
    if (encAttrs != null) {
        encAttrs = Collections.unmodifiableList(encAttrs);
    }
    mutable = false;
}

Example 5 with EncryptedAttribute

use of com.sun.identity.saml2.assertion.EncryptedAttribute in project OpenAM by OpenRock.

From class SAML2TokenGenerationImpl, method encryptAttributeStatement.

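/**
 * Replaces every cleartext <code>Attribute</code> in the assertion's attribute statements with
 * an <code>EncryptedAttribute</code> wrapped for the SP's encryption certificate.
 * <p>
 * The key-encryption key is the public key of the SP certificate selected by the configured
 * encryption key alias; the data-encryption algorithm and strength come from the SAML2 config.
 * A statement that already holds only encrypted attributes is kept unchanged rather than being
 * dropped from the assertion; a statement with no attributes at all is dropped.
 *
 * @param assertion        the assertion to rewrite in place
 * @param saml2Config      supplies the key alias, algorithm, strength and SP entity id
 * @param stsInstanceState supplies the crypto provider holding the SP certificate
 * @throws TokenCreationException if encryption returns null or throws a SAML2Exception
 */
private void encryptAttributeStatement(Assertion assertion, SAML2Config saml2Config, STSInstanceState stsInstanceState) throws TokenCreationException {
    final PublicKey keyEncryptionKey = stsInstanceState.getSAML2CryptoProvider().getSPX509Certificate(saml2Config.getEncryptionKeyAlias()).getPublicKey();
    final String encryptionAlgorithm = saml2Config.getEncryptionAlgorithm();
    final int algorithmStrength = saml2Config.getEncryptionAlgorithmStrength();
    final String spEntityID = saml2Config.getSpEntityId();
    try {
        List<AttributeStatement> originalStatements = assertion.getAttributeStatements();
        if (originalStatements == null || originalStatements.isEmpty()) {
            return;
        }
        List<AttributeStatement> rewrittenStatements = new ArrayList<>(originalStatements.size());
        for (AttributeStatement statement : originalStatements) {
            List<Attribute> clearAttributes = statement.getAttribute();
            if (clearAttributes == null || clearAttributes.isEmpty()) {
                // Nothing to encrypt; keep the statement only if it already carries encrypted content.
                List<EncryptedAttribute> existing = statement.getEncryptedAttribute();
                if (existing != null && !existing.isEmpty()) {
                    rewrittenStatements.add(statement);
                }
                continue;
            }
            List<EncryptedAttribute> encryptedAttributes = new ArrayList<>(clearAttributes.size());
            for (Attribute attribute : clearAttributes) {
                EncryptedAttribute encryptedAttribute = attribute.encrypt(keyEncryptionKey, encryptionAlgorithm, algorithmStrength, spEntityID);
                if (encryptedAttribute == null) {
                    throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, " + "attribute encryption invocation returned null.");
                }
                encryptedAttributes.add(encryptedAttribute);
            }
            statement.setEncryptedAttribute(encryptedAttributes);
            // Clear the plaintext so only the encrypted forms are emitted; typed empty list avoids
            // the raw EMPTY_LIST unchecked warning.
            statement.setAttribute(Collections.<Attribute>emptyList());
            rewrittenStatements.add(statement);
        }
        assertion.setAttributeStatements(rewrittenStatements);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, exception " + "caught encrypting assertion attributes: " + e, e);
    }
}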
