
Example 6 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class DoManageNameID method getNameIDFromMNIRequest.

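/**
 * Returns the <code>NameID</code> carried by a <code>ManageNameIDRequest</code>,
 * decrypting the request's <code>EncryptedID</code> when the hosted entity is
 * configured to require NameID encryption.
 *
 * @param request        the incoming <code>ManageNameIDRequest</code>
 * @param realm          the realm of the hosted entity
 * @param hostEntity     the entity id of the hosted entity
 * @param hostEntityRole the role (SP or IDP) of the hosted entity
 * @return the plaintext <code>NameID</code>; when encryption is not required this is
 *         simply <code>request.getNameID()</code>
 * @throws SAML2Exception if NameID encryption is required but the request carries
 *         no <code>EncryptedID</code>, or if decryption fails
 */
private static NameID getNameIDFromMNIRequest(ManageNameIDRequest request, String realm, String hostEntity, String hostEntityRole) throws SAML2Exception {
    String method = "DoManageNameID.getNameIDFromMNIRequest: ";
    boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm, hostEntity, hostEntityRole);
    if (!needDecryptIt) {
        if (debug.messageEnabled()) {
            debug.message(method + "NamID doesn't need to be decrypted.");
        }
        return request.getNameID();
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
    }
    EncryptedID encryptedID = request.getEncryptedID();
    if (encryptedID == null) {
        // Encryption is mandatory for this entity, so a request that carries only a
        // plaintext NameID (or no identifier at all) is rejected explicitly instead
        // of failing with a NullPointerException on the decrypt call below.
        debug.error(method + "EncryptedID is missing but NameID encryption is required.");
        throw new SAML2Exception(method + "EncryptedID is missing but NameID encryption is required.");
    }
    return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntity, hostEntityRole));
}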

Example 7 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class NameIDMappingRequestImpl method parseDOMChileElements.

/**
 * Parses the child elements of the Document Element for this object.
 * The first child must be one of <code>BaseID</code>, <code>NameID</code> or
 * <code>EncryptedID</code>; the second must be <code>NameIDPolicy</code>.
 *
 * @param iter the child elements iterator.
 * @throws SAML2Exception if error parsing the Document Element.
 */
protected void parseDOMChileElements(ListIterator iter) throws SAML2Exception {
    super.parseDOMChileElements(iter);
    AssertionFactory factory = AssertionFactory.getInstance();
    // Identifier element: exactly one of BaseID / NameID / EncryptedID is required.
    if (!iter.hasNext()) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqWrongID"));
    }
    Element idElement = (Element) iter.next();
    String idName = idElement.getLocalName();
    if (SAML2Constants.BASEID.equals(idName)) {
        baseID = factory.createBaseID(idElement);
    } else if (SAML2Constants.NAMEID.equals(idName)) {
        nameID = factory.createNameID(idElement);
    } else if (SAML2Constants.ENCRYPTEDID.equals(idName)) {
        encryptedID = factory.createEncryptedID(idElement);
    } else {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqWrongID"));
    }
    // NameIDPolicy is mandatory and must directly follow the identifier.
    if (!iter.hasNext()) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqMissingNameIDPolicy"));
    }
    Element policyElement = (Element) iter.next();
    if (!SAML2Constants.NAMEID_POLICY.equals(policyElement.getLocalName())) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqMissingNameIDPolicy"));
    }
    nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy(policyElement);
}

Example 8 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class IDPSSOUtil method signAndEncryptResponseComponents.

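/**
 * Signs and encrypts the components of a <code>SAML Response</code>
 * based on the service provider meta data. If the flag of
 * encrypting <code>Assertion</code> is on, then the embedded
 * <code>Assertion</code> object will be encrypted; if the flag
 * of encrypting <code>Assertion</code> is off and the flag of
 * encrypting <code>NameID</code> is on, then the <code>NameID</code>
 * embedded in the <code>Assertion</code> will be encrypted; if the
 * flag of encrypting <code>Assertion</code> is off and the flag of
 * encrypting <code>Attribute</code> is on, then the
 * <code>Attribute</code> embedded in the <code>Assertion</code>
 * will be encrypted. If the flag signAssertion is on, then the
 * <code>Assertion</code> will be signed. It will be signed before
 * it is encrypted and after its embedded <code>NameID</code> or
 * <code>Attribute</code> is encrypted.
 * <p>
 * Only the first <code>Assertion</code> of the response is processed.
 *
 * @param realm         the realm name of the identity provider
 * @param spEntityID    the entity id of the service provider
 * @param idpEntityID   the entity id of the identity provider
 * @param res           The <code>Response</code> whose components may be
 *                      encrypted based on the service provider meta data setting
 * @param signAssertion A flag to indicate if <code>Assertion</code>
 *                      signing is required
 * @throws SAML2Exception if the service provider's encryption key info cannot
 *                        be found or any encryption step fails
 */
static void signAndEncryptResponseComponents(String realm, String spEntityID, String idpEntityID, Response res, boolean signAssertion) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.signAndEncryptResponseComponents: ";
    if (res == null) {
        return;
    }
    List assertions = res.getAssertion();
    if ((assertions == null) || assertions.isEmpty()) {
        return;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    // get the encryption related flags from the SP Entity Config; NameID and
    // Attribute encryption are only consulted when the whole Assertion is not encrypted
    boolean toEncryptAssertion = isSPConfigFlagTrue(realm, spEntityID, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    boolean toEncryptNameID = !toEncryptAssertion && isSPConfigFlagTrue(realm, spEntityID, SAML2Constants.WANT_NAMEID_ENCRYPTED);
    boolean toEncryptAttribute = !toEncryptAssertion && isSPConfigFlagTrue(realm, spEntityID, SAML2Constants.WANT_ATTRIBUTE_ENCRYPTED);
    if (!toEncryptAssertion && !toEncryptNameID && !toEncryptAttribute) {
        // all encryption flags are off, no encryption needed
        if (signAssertion) {
            signAssertion(realm, idpEntityID, assertion);
            res.setAssertion(singleElementList(assertion));
        }
        return;
    }
    SPSSODescriptorElement spSSODescriptorElement = getSPSSODescriptor(realm, spEntityID, classMethod);
    // get the encryption information
    EncInfo encInfo = KeyUtil.getEncInfo(spSSODescriptorElement, spEntityID, SAML2Constants.SP_ROLE);
    if (encInfo == null) {
        SAML2Utils.debug.error(classMethod + "failed to get service provider encryption key info.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
    }
    if (toEncryptAssertion) {
        // sign the assertion first, then encrypt it, so the signature is
        // covered by the encryption
        if (signAssertion) {
            signAssertion(realm, idpEntityID, assertion);
        }
        EncryptedAssertion encryptedAssertion = assertion.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), spEntityID);
        if (encryptedAssertion == null) {
            SAML2Utils.debug.error(classMethod + "failed to encrypt the assertion.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptAssertion"));
        }
        res.setEncryptedAssertion(singleElementList(encryptedAssertion));
        // the plaintext assertion must not remain in the response
        res.setAssertion(new ArrayList());
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Assertion encrypted.");
        }
        return;
    }
    if (toEncryptNameID) {
        encryptSubjectNameID(assertion, encInfo, spEntityID, classMethod);
    }
    if (toEncryptAttribute) {
        encryptAttributeStatements(assertion, encInfo, spEntityID, classMethod);
    }
    // sign after the embedded NameID / Attributes have been encrypted so the
    // signature covers their encrypted form
    if (signAssertion) {
        signAssertion(realm, idpEntityID, assertion);
    }
    res.setAssertion(singleElementList(assertion));
}

/**
 * Reads one boolean-valued attribute from the service provider's SSO config.
 *
 * @param realm      the realm name of the identity provider
 * @param spEntityID the entity id of the service provider
 * @param attrName   the SP config attribute to read
 * @return <code>true</code> only when the attribute is present and equals
 *         <code>SAML2Constants.TRUE</code>
 */
private static boolean isSPConfigFlagTrue(String realm, String spEntityID, String attrName) throws SAML2Exception {
    String value = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, attrName);
    return (value != null) && value.equals(SAML2Constants.TRUE);
}

/**
 * Wraps a single item in a new, mutable <code>ArrayList</code>.
 * A mutable list is used deliberately, matching what the response setters
 * were previously handed.
 *
 * @param item the sole element of the returned list
 * @return a fresh list containing only <code>item</code>
 */
private static List singleElementList(Object item) {
    List list = new ArrayList();
    list.add(item);
    return list;
}

/**
 * Replaces the plaintext <code>NameID</code> in the assertion's <code>Subject</code>
 * with its <code>EncryptedID</code> form.
 * <p>
 * An assertion without a <code>Subject</code> or <code>NameID</code> is left
 * unchanged and the caller carries on. Previously the caller returned at this
 * point, which left the assertion unsigned (and its attributes unencrypted)
 * even when signing or attribute encryption had been requested.
 *
 * @param assertion   the assertion to modify in place
 * @param encInfo     the service provider's encryption key information
 * @param spEntityID  the entity id of the service provider
 * @param classMethod log prefix of the calling method
 * @throws SAML2Exception if the NameID cannot be encrypted
 */
private static void encryptSubjectNameID(Assertion assertion, EncInfo encInfo, String spEntityID, String classMethod) throws SAML2Exception {
    Subject subject = assertion.getSubject();
    NameID nameID = (subject == null) ? null : subject.getNameID();
    if (nameID == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "no NameID to encrypt.");
        }
        return;
    }
    EncryptedID encryptedNameID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), spEntityID);
    if (encryptedNameID == null) {
        SAML2Utils.debug.error(classMethod + "failed to encrypt the NameID.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptNameID"));
    }
    subject.setEncryptedID(encryptedNameID);
    // drop the plaintext NameID so only the encrypted form is emitted
    subject.setNameID(null);
    assertion.setSubject(subject);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "NameID encrypted.");
    }
}

/**
 * Replaces every plaintext <code>Attribute</code> of every
 * <code>AttributeStatement</code> in the assertion with its
 * <code>EncryptedAttribute</code> form.
 * <p>
 * Statements that carry no <code>Attribute</code> are dropped from the
 * assertion, as before.
 *
 * @param assertion   the assertion to modify in place
 * @param encInfo     the service provider's encryption key information
 * @param spEntityID  the entity id of the service provider
 * @param classMethod log prefix of the calling method
 * @throws SAML2Exception if any attribute cannot be encrypted
 */
private static void encryptAttributeStatements(Assertion assertion, EncInfo encInfo, String spEntityID, String classMethod) throws SAML2Exception {
    List attributeStatements = assertion.getAttributeStatements();
    if ((attributeStatements == null) || attributeStatements.isEmpty()) {
        return;
    }
    // rebuilt list of AttributeStatements
    List stmts = new ArrayList();
    int asSize = attributeStatements.size();
    for (int i = 0; i < asSize; i++) {
        AttributeStatement attributeStatement = (AttributeStatement) attributeStatements.get(i);
        List attributes = attributeStatement.getAttribute();
        if ((attributes == null) || attributes.isEmpty()) {
            continue;
        }
        // holds all the encrypted Attributes of this statement
        List eaList = new ArrayList();
        int aSize = attributes.size();
        for (int j = 0; j < aSize; j++) {
            Attribute attribute = (Attribute) attributes.get(j);
            EncryptedAttribute encryptedAttribute = attribute.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), spEntityID);
            if (encryptedAttribute == null) {
                SAML2Utils.debug.error(classMethod + "failed to encrypt the Attribute.");
                throw new SAML2Exception(SAML2Utils.bundle.getString("FailedToEncryptAttribute"));
            }
            eaList.add(encryptedAttribute);
        }
        attributeStatement.setEncryptedAttribute(eaList);
        // drop the plaintext attributes so only the encrypted form is emitted
        attributeStatement.setAttribute(new ArrayList());
        stmts.add(attributeStatement);
    }
    assertion.setAttributeStatements(stmts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Attribute encrypted.");
    }
}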

Example 9 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class DoManageNameID method getNewIDFromMNIRequest.

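/**
 * Returns the <code>NewID</code> carried by a <code>ManageNameIDRequest</code>,
 * decrypting the request's <code>NewEncryptedID</code> when the hosted entity is
 * configured to require NameID encryption.
 *
 * @param request        the incoming <code>ManageNameIDRequest</code>; may be null
 * @param realm          the realm of the hosted entity
 * @param hostEntityID   the entity id of the hosted entity
 * @param hostEntityRole the role (SP or IDP) of the hosted entity
 * @return the plaintext <code>NewID</code>, or <code>null</code> when the request is
 *         null or (when encryption is not required) carries no <code>NewID</code>
 * @throws SAML2Exception if NameID encryption is required but the request carries
 *         no <code>NewEncryptedID</code>, or if decryption fails
 */
private static NewID getNewIDFromMNIRequest(ManageNameIDRequest request, String realm, String hostEntityID, String hostEntityRole) throws SAML2Exception {
    String method = "DoManageNameID.getNewIDFromMNIRequest: ";
    boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm, hostEntityID, hostEntityRole);
    if (!needDecryptIt) {
        if (debug.messageEnabled()) {
            debug.message(method + "NamID doesn't need to be decrypted.");
            debug.message(method + "request is " + request);
        }
        if (request == null) {
            return null;
        }
        NewID newID = request.getNewID();
        // the value is only dereferenced when present; a request without a NewID
        // used to fail here with a NullPointerException while logging
        if (debug.messageEnabled()) {
            debug.message(method + "newid is " + ((newID == null) ? null : newID.getValue()));
        }
        return newID;
    }
    if (request == null) {
        return null;
    }
    NewEncryptedID encryptedID = request.getNewEncryptedID();
    if (encryptedID == null) {
        // Encryption is mandatory for this entity, so a request carrying only a
        // plaintext NewID (or none) is rejected explicitly instead of failing with
        // a NullPointerException on the decrypt call below.
        debug.error(method + "NewEncryptedID is missing but NameID encryption is required.");
        throw new SAML2Exception(method + "NewEncryptedID is missing but NameID encryption is required.");
    }
    return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntityID, hostEntityRole));
}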

Example 10 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class SubjectConfirmationImpl method processElement.

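/**
 * Populates this object from a <code>SubjectConfirmation</code> DOM element:
 * the mandatory <code>Method</code> attribute, then the optional identifier
 * child (<code>BaseID</code>, <code>NameID</code> or <code>EncryptedID</code>)
 * and the optional <code>SubjectConfirmationData</code> child.
 * <p>
 * All element children are examined. Previously only the first element child
 * was parsed, so a <code>SubjectConfirmationData</code> that followed a
 * <code>NameID</code> was silently dropped together with the recipient and
 * validity constraints it carries.
 *
 * @param element the <code>SubjectConfirmation</code> element
 * @throws SAML2Exception if the element is null, has the wrong name, lacks the
 *         <code>Method</code> attribute, or carries an unexpected or repeated
 *         subelement
 */
private void processElement(Element element) throws SAML2Exception {
    if (element == null) {
        SAML2SDKUtils.debug.error("SubjectConfirmationImpl." + "processElement(): invalid root element");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_element"));
    }
    String elemName = element.getLocalName();
    if (elemName == null) {
        SAML2SDKUtils.debug.error("SubjectConfirmationImpl.processElement(): local name missing");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_local_name"));
    }
    if (!elemName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
        SAML2SDKUtils.debug.error("SubjectConfirmationImpl.processElement(): invalid local name " + elemName);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_local_name"));
    }
    // starts processing attributes
    String attrValue = element.getAttribute(METHOD_ATTR);
    if ((attrValue == null) || (attrValue.length() == 0)) {
        SAML2SDKUtils.debug.error("SubjectConfirmationImpl.processElement(): method missing");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_confirmation_method"));
    }
    method = attrValue;
    // starts processing subelements; text/comment nodes and children without a
    // local name are skipped, as before
    NodeList nodes = element.getChildNodes();
    int numOfNodes = nodes.getLength();
    for (int i = 0; i < numOfNodes; i++) {
        Node child = nodes.item(i);
        if (child.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        String childName = child.getLocalName();
        if (childName == null) {
            continue;
        }
        processChildElement((Element) child, childName);
    }
}

/**
 * Parses one element child of the <code>SubjectConfirmation</code> element into
 * the matching field. A second identifier element or a second
 * <code>SubjectConfirmationData</code> is rejected rather than silently
 * overwriting the first, so that a crafted element cannot replace
 * already-parsed confirmation data.
 * NOTE(review): assumes the target fields are unset when parsing starts — confirm
 * against the constructor.
 *
 * @param child     the element child to parse
 * @param childName its local name (non-null)
 * @throws SAML2Exception if the child is not a known subelement or repeats one
 *         that was already parsed
 */
private void processChildElement(Element child, String childName) throws SAML2Exception {
    AssertionFactory factory = AssertionFactory.getInstance();
    boolean identifierSeen = (baseId != null) || (nameId != null) || (encryptedId != null);
    boolean duplicate;
    if (childName.equals(SUBJECT_CONFIRMATION_DATA_ELEMENT)) {
        duplicate = (subjectConfirmationData != null);
        if (!duplicate) {
            subjectConfirmationData = factory.createSubjectConfirmationData(child);
        }
    } else if (childName.equals(BASE_ID_ELEMENT)) {
        duplicate = identifierSeen;
        if (!duplicate) {
            baseId = factory.createBaseID(child);
        }
    } else if (childName.equals(NAME_ID_ELEMENT)) {
        duplicate = identifierSeen;
        if (!duplicate) {
            nameId = factory.createNameID(child);
        }
    } else if (childName.equals(ENCRYPTED_ID_ELEMENT)) {
        duplicate = identifierSeen;
        if (!duplicate) {
            encryptedId = factory.createEncryptedID(child);
        }
    } else {
        SAML2SDKUtils.debug.error("SubjectConfirmationImpl.processElement(): " + "unexpected subelement " + childName);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
    }
    if (duplicate) {
        SAML2SDKUtils.debug.error("SubjectConfirmationImpl.processElement(): " + "repeated subelement " + childName);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
    }
}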
