Example 56 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

the class FMSigProvider method sign.

/**
 * Sign the XML document node whose identifying attribute value
 * is as supplied, using an enveloped signature and exclusive XML
 * canonicalization. The resulting signature is inserted after the
 * first child node (normally the Issuer element for SAML2) of the node
 * to be signed.
 * @param xmlString String representing an XML document to be signed
 * @param idValue id attribute value of the root node to be signed
 * @param privateKey Signing key
 * @param cert Certificate which contains the public key correlated to
 *             the signing key; if it is not null, then the signature
 *             will include the certificate; otherwise, the signature
 *             will not include any certificate
 * @return Element representing the signature element
 * @throws SAML2Exception if the document could not be signed
 */
public Element sign(String xmlString, String idValue, PrivateKey privateKey, X509Certificate cert) throws SAML2Exception {
    String classMethod = "FMSigProvider.sign: ";
    if (xmlString == null || xmlString.length() == 0 || idValue == null || idValue.length() == 0 || privateKey == null) {
        SAML2SDKUtils.debug.error(classMethod + "Either input xml string or id value or " + "private key is null.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    Document doc = XMLUtils.toDOMDocument(xmlString, SAML2SDKUtils.debug);
    if (doc == null) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
    }
    Element root = doc.getDocumentElement();
    XMLSignature sig = null;
    try {
        ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, SAMLConstants.PREFIX_DS);
    } catch (XMLSecurityException xse1) {
        throw new SAML2Exception(xse1);
    }
    root.setIdAttribute(SAML2Constants.ID, true);
    try {
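        // No signature algorithm set in sigAlg: pick one from the key type.
        // Both fallbacks (DSA and RSA-SHA1) are SHA-1 based signature algorithms.
        if ((sigAlg == null) || (sigAlg.trim().length() == 0)) {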
            if (privateKey.getAlgorithm().equalsIgnoreCase(SAML2Constants.DSA)) {
                sigAlg = XMLSignature.ALGO_ID_SIGNATURE_DSA;
            } else {
                if (privateKey.getAlgorithm().equalsIgnoreCase(SAML2Constants.RSA)) {
                    sigAlg = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
                }
            }
        }
        sig = new XMLSignature(doc, "", sigAlg, c14nMethod);
    } catch (XMLSecurityException xse2) {
        throw new SAML2Exception(xse2);
    }
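    // Locate the Issuer child so the Signature element can be placed right after it;
    // if there is no Issuer, or nothing follows it, the Signature is appended to the root.
    Node firstChild = root.getFirstChild();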
    while (firstChild != null && (firstChild.getLocalName() == null || !firstChild.getLocalName().equals("Issuer"))) {
        firstChild = firstChild.getNextSibling();
    }
    Node nextSibling = null;
    if (firstChild != null) {
        nextSibling = firstChild.getNextSibling();
    }
    if (nextSibling == null) {
        root.appendChild(sig.getElement());
    } else {
        root.insertBefore(sig.getElement(), nextSibling);
    }
    sig.getSignedInfo().addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
    Transforms transforms = new Transforms(doc);
    try {
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
    } catch (TransformationException te1) {
        throw new SAML2Exception(te1);
    }
    try {
        transforms.addTransform(transformAlg);
    } catch (TransformationException te2) {
        throw new SAML2Exception(te2);
    }
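    // Same-document reference to the element whose ID attribute equals idValue;
    // the reference digest added below is SHA-1.
    String ref = "#" + idValue;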
    try {
        sig.addDocument(ref, transforms, Constants.ALGO_ID_DIGEST_SHA1);
    } catch (XMLSignatureException sige1) {
        throw new SAML2Exception(sige1);
    }
    if (cert != null) {
        try {
            sig.addKeyInfo(cert);
        } catch (XMLSecurityException xse3) {
            throw new SAML2Exception(xse3);
        }
    }
    try {
        sig.sign(privateKey);
    } catch (XMLSignatureException sige2) {
        throw new SAML2Exception(sige2);
    }
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Signing is successful.");
    }
    return sig.getElement();
}
Also used : TransformationException(org.apache.xml.security.transforms.TransformationException) Element(org.w3c.dom.Element) Node(org.w3c.dom.Node) Transforms(org.apache.xml.security.transforms.Transforms) Document(org.w3c.dom.Document) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) XMLSignature(org.apache.xml.security.signature.XMLSignature) XMLSignatureException(org.apache.xml.security.signature.XMLSignatureException)

Example 57 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

the class QueryClient method processXACMLQuery.

/**
 * Returns SAMLv2 <code>Response</code>.
 * SAMLv2 request is sent enclosed in the body of a SOAP Message
 * to a SOAP endpoint.
 * Prior to sending the request query, attributes required for completeness
 * of the SAMLv2 Request will be set (e.g. Issuer) if not already set.
 * Message will be signed if signing is enabled.
 * SAMLv2 Query Request will be enclosed in the SOAP Body to create a SOAP
 * message to send to the server.
 *
 * @param request the SAMLv2 <code>RequestAbstract</code> object.
 * @param pepEntityID entity identifier of the hosted query requester.
 * @param pdpEntityID entity identifier of the remote server.
 * @return SAMLv2 <code>Response</code> received from the
 *         Query Responder.
 * @throws SAML2Exception if there is an error processing the query.
 */
public static Response processXACMLQuery(RequestAbstract request, String pepEntityID, String pdpEntityID) throws SAML2Exception {
    String classMethod = "QueryClient:processXACMLQuery";
    String realm = "/";
    Response samlResponse = null;
    Response response = null;
    // reject a missing PEP entity identifier before any metadata lookup
    if (pepEntityID == null || pepEntityID.length() == 0) {
        debug.error(classMethod + "PEP Identifier is null");
        String[] data = { pepEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_PEP_ID, data);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPEP"));
    }
    // reject a missing PDP entity identifier before any metadata lookup
    if (pdpEntityID == null || pdpEntityID.length() == 0) {
        debug.error(classMethod + "PDP Identifier is null");
        String[] data = { pdpEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_PDP_ID, data);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPDP"));
    }
    if (request != null) {
        // set properties in the request.
        XACMLAuthzDecisionQuery xacmlQuery = (XACMLAuthzDecisionQuery) request;
        if (xacmlQuery != null) {
            // set Issuer
            Issuer issuer = createIssuer(pepEntityID);
            xacmlQuery.setIssuer(issuer);
            //generate ID
            String requestID = SAML2SDKUtils.generateID();
            xacmlQuery.setID(requestID);
            xacmlQuery.setVersion(SAML2Constants.VERSION_2_0);
            xacmlQuery.setIssueInstant(new Date());
            XACMLPDPConfigElement pdpConfig = getPDPConfig(realm, pdpEntityID);
            if (pdpConfig != null) {
                String wantQuerySigned = getAttributeValueFromPDPConfig(pdpConfig, "wantXACMLAuthzDecisionQuerySigned");
                if (wantQuerySigned != null && wantQuerySigned.equals("true")) {
                    signAttributeQuery(xacmlQuery, realm, pepEntityID, false);
                }
            }
            String xmlString = xacmlQuery.toXMLString(true, true);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "XACML Query XML String :" + xmlString);
            }
            // retrieve endpoint from meta data
            String endPoint = null;
            XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);
            endPoint = getPDPEndPoint(pdpEntityID);
            if (debug.messageEnabled()) {
                debug.message(classMethod + " ResponseLocation is :" + endPoint);
            }
            // create SOAP message
            try {
                String soapMessage = SAML2SDKUtils.createSOAPMessageString(xmlString);
                endPoint = SAML2SDKUtils.fillInBasicAuthInfo(pepConfig, endPoint);
                String[] urls = { endPoint };
                SOAPClient soapClient = new SOAPClient(urls);
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "soapMessage :" + soapMessage);
                }
                InputStream soapIn = soapClient.call(soapMessage, null, null);
                StringBuffer reply = new StringBuffer();
                String line;
                BufferedReader reader = new BufferedReader(new InputStreamReader(soapIn, "UTF-8"));
                while ((line = reader.readLine()) != null) {
                    reply.append(line).append("\n");
                }
                // check the SOAP message for any SOAP related errors
                // before passing control to SAML processor
                xmlString = reply.toString();
                if (debug.messageEnabled()) {
                    debug.message("Response Message:\n" + xmlString);
                }
                samlResponse = getSAMLResponse(xmlString);
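                // samlResponse is null-checked further down, so guard this dereference too;
                // a null issuerID is then passed to verifyResponseIssuer
                issuer = (samlResponse != null) ? samlResponse.getIssuer() : null;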
                String issuerID = null;
                if (issuer != null) {
                    issuerID = issuer.getValue().trim();
                }
                boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);
                if (!isTrusted) {
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Issuer in Request is not valid.");
                    }
                    String[] args = { realm, pepEntityID, pdpEntityID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
                    throw new SAML2Exception("invalidIssuerInRequest");
                }
                if (samlResponse != null) {
                    xmlString = samlResponse.toXMLString(true, true);
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Response: " + xmlString);
                    }
                    response = verifyResponse(realm, pepEntityID, samlResponse);
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Response with decrypted Assertion: " + response.toXMLString(true, true));
                    }
                }
            } catch (SOAPException soae) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "SOAPException :", soae);
                }
                throw new SAML2Exception(soae.getMessage());
            } catch (Exception e) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "Exception ", e);
                }
                throw new SAML2Exception(e.getMessage());
            }
        }
    }
    return response;
}
Also used : InputStreamReader(java.io.InputStreamReader) Issuer(com.sun.identity.saml2.assertion.Issuer) InputStream(java.io.InputStream) XACMLPDPConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement) Date(java.util.Date) SOAPException(javax.xml.soap.SOAPException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.saml2.protocol.Response) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SOAPClient(com.sun.identity.shared.jaxrpc.SOAPClient) SOAPException(javax.xml.soap.SOAPException) BufferedReader(java.io.BufferedReader) XACMLAuthzDecisionQuery(com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery) XACMLAuthzDecisionQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement)

Example 58 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

the class QueryClient method verifyResponse.

/**
 * Returns SAMLv2 <code>Response</code> after validation of the
 * response. A new <code>Response</code> object is created which
 * contains decrypted assertion if the assertions were encrypted.
 *
 * @param realm the realm of the entity.
 * @param pepEntityID entity identifier of the PEP.
 * @param samlResponse the <code>Response</code>.
 * @return the validated <code>Response</code>.
 * @throws SAML2Exception if there is an error.
 */
private static Response verifyResponse(String realm, String pepEntityID, Response samlResponse) throws SAML2Exception {
    Response response = samlResponse;
    String classMethod = "QueryClient:verifyResponse";
    if (samlResponse != null) {
        //validate issuer trust.
        Issuer issuer = samlResponse.getIssuer();
        String issuerID = null;
        if (issuer != null) {
            issuerID = issuer.getValue().trim();
        }
        String pdpEntityID = issuerID;
        boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);
        if (!isTrusted) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Issuer in Request is not valid.");
            }
            String[] args = { realm, pepEntityID, issuerID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "invalidIssuer", args);
        }
        // verify signed response
        verifySignedResponse(pepEntityID, pdpEntityID, samlResponse);
        try {
            // check if assertion needs to be encrypted,signed.
            XACMLAuthzDecisionQueryConfigElement pepConfig = saml2MetaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
            String assertionEncrypted = getAttributeValueFromPEPConfig(pepConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
            boolean wantAssertionEncrypted = "true".equalsIgnoreCase(assertionEncrypted);
            boolean wantAssertionSigned = wantAssertionSigned(realm, pepEntityID);
            String respID = samlResponse.getID();
            List assertions = samlResponse.getAssertion();
            if (wantAssertionEncrypted && (assertions != null && (assertions.size() != 0))) {
                String[] data = { issuerID, respID };
                LogUtil.error(Level.INFO, LogUtil.ASSERTION_FROM_PDP_NOT_ENCRYPTED, data);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("assertionNotEncrypted"));
            }
            Set<PrivateKey> decryptionKeys;
            List<EncryptedAssertion> encAssertions = samlResponse.getEncryptedAssertion();
            if (encAssertions != null) {
                decryptionKeys = KeyUtil.getDecryptionKeys(pepConfig);
                for (EncryptedAssertion encAssertion : encAssertions) {
                    Assertion assertion = encAssertion.decrypt(decryptionKeys);
                    if (assertions == null) {
                        assertions = new ArrayList<>();
                    }
                    assertions.add(assertion);
                }
            }
            if (assertions == null || assertions.size() == 0) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "no assertion in the Response.");
                }
                String[] data = { issuerID, respID };
                LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION_IN_PDP_RESPONSE, data);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missingAssertion"));
            }
            // validate the Issuer in each Assertion: it must be trusted and match the Response Issuer
            Iterator assertionIter = assertions.iterator();
            Set<X509Certificate> verificationCerts = null;
            XACMLPDPDescriptorElement pdpDesc = null;
            if (wantAssertionSigned) {
                pdpDesc = saml2MetaManager.getPolicyDecisionPointDescriptor(realm, pdpEntityID);
                verificationCerts = KeyUtil.getPDPVerificationCerts(pdpDesc, pdpEntityID);
            }
            while (assertionIter.hasNext()) {
                Assertion assertion = (Assertion) assertionIter.next();
                String assertionID = assertion.getID();
                String assertionIssuer = assertion.getIssuer().getValue().trim();
                isTrusted = verifyResponseIssuer(realm, pepEntityID, assertionIssuer);
                if (!isTrusted) {
                    debug.error(classMethod + "Assertion's source site is not valid.");
                    String[] data = { assertionIssuer, assertionID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_ASSERTION_FROM_PDP, data);
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidIssuerInAssertion"));
                }
                String respIssuer = samlResponse.getIssuer().getValue().trim();
                if (!respIssuer.equals(assertionIssuer)) {
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Issuer in Assertion " + assertionIssuer + "doesn't match the Issuer in Response." + respIssuer);
                    }
                    String[] data = { pdpEntityID, assertionIssuer };
                    LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_IN_ASSERTION_FROM_PDP, data);
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("mismatchIssuer"));
                }
                if (wantAssertionSigned) {
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "wantAssertionSigned " + wantAssertionSigned);
                    }
                    if (!assertion.isSigned() || !assertion.isSignatureValid(verificationCerts)) {
                        debug.error(classMethod + "Assertion is not signed or signature " + "is not valid.");
                        String[] data = { assertionIssuer, assertionID };
                        LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION_FROM_PDP, data);
                        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidSignatureOnAssertion"));
                    }
                }
            }
            //end while
            if (wantAssertionEncrypted) {
                response = createResponse(samlResponse, assertions);
            }
            if (debug.messageEnabled()) {
                debug.message(classMethod + " Response : " + response.toXMLString(true, true));
            }
        } catch (SAML2MetaException sme) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Error retreiving meta", sme);
            }
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
        }
    }
    return response;
}
Also used : PrivateKey(java.security.PrivateKey) Issuer(com.sun.identity.saml2.assertion.Issuer) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) XACMLPDPDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement) X509Certificate(java.security.cert.X509Certificate) Response(com.sun.identity.saml2.protocol.Response) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Iterator(java.util.Iterator) XACMLAuthzDecisionQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement) ArrayList(java.util.ArrayList) NodeList(org.w3c.dom.NodeList) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 59 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

the class QueryHandlerServlet method processSAMLRequest.

/**
 * Returns the SAMLv2 <code>Response</code> received in response to
 * the Request.
 *
 * @param realm the realm of the entity.
 * @param pdpEntityID entity identifier of the Policy Decision Point.
 * @param reqAbs the Document Element object.
 * @param request the <code>HttpServletRequest</code> object.
 * @param soapMsg the <code>SOAPMessage</code> object
 * @return the <code>Response</code> object.
 * @throws SAML2Exception if there is an error processing
 *            the request.
 */
Response processSAMLRequest(String realm, String pdpEntityID, Element reqAbs, HttpServletRequest request, SOAPMessage soapMsg) throws SAML2Exception {
    String classMethod = "QueryHandlerServlet:processSAMLRequest";
    Response samlResponse = null;
    if (reqAbs != null) {
        String xsiType = reqAbs.getAttribute(XSI_TYPE_ATTR);
        if (debug.messageEnabled()) {
            debug.message(classMethod + "xsi type is : " + xsiType);
        }
        if (xsiType != null && xsiType.indexOf(XACML_AUTHZ_QUERY) != -1) {
            RequestAbstract samlRequest = ContextFactory.getInstance().createXACMLAuthzDecisionQuery(reqAbs);
            String requestStr = samlRequest.toXMLString(true, true);
            String[] data = { requestStr, pdpEntityID };
            LogUtil.access(Level.FINE, LogUtil.REQUEST_MESSAGE, data);
            Issuer issuer = samlRequest.getIssuer();
            String pepEntityID = null;
            if (issuer != null) {
                pepEntityID = issuer.getValue().trim();
            }
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Issuer is:" + pepEntityID);
            }
            boolean isTrusted = false;
            try {
                isTrusted = SAML2Utils.getSAML2MetaManager().isTrustedXACMLProvider(realm, pdpEntityID, pepEntityID, SAML2Constants.PDP_ROLE);
            } catch (SAML2MetaException sme) {
                debug.error("Error retreiving meta", sme);
            }
            if (!isTrusted) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "Issuer in Request is not valid." + pepEntityID);
                }
                String[] args = { realm, pepEntityID, pdpEntityID };
                LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
                throw new SAML2Exception("invalidIssuerInRequest");
            }
            samlResponse = processXACMLResponse(realm, pdpEntityID, samlRequest, request, soapMsg);
        }
    }
    return samlResponse;
}
Also used : Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Issuer(com.sun.identity.saml2.assertion.Issuer) RequestAbstract(com.sun.identity.saml2.protocol.RequestAbstract) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 60 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

the class XACMLRequestProcessor method createXACMLAuthzDecisionQuery.

//TODO: clean up and fix
private XACMLAuthzDecisionQuery createXACMLAuthzDecisionQuery(Request xacmlRequest) throws XACMLException, SAML2Exception {
    XACMLAuthzDecisionQuery query = ContextFactory.getInstance().createXACMLAuthzDecisionQuery();
    query.setID("query-1");
    query.setVersion("2.0");
    query.setIssueInstant(new Date());
    query.setDestination("destination-uri");
    query.setConsent("consent-uri");
    Issuer issuer = AssertionFactory.getInstance().createIssuer();
    issuer.setValue("issuer-1");
    issuer.setNameQualifier("name-qualifier");
    //issuer.setSPProvidedID("sp-provided-id");
    issuer.setSPNameQualifier("sp-name-qualifier");
    issuer.setFormat("format");
    query.setIssuer(issuer);
    query.setRequest(xacmlRequest);
    return query;
}
Also used : Issuer(com.sun.identity.saml2.assertion.Issuer) XACMLAuthzDecisionQuery(com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery) Date(java.util.Date)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception) 48
Issuer (com.sun.identity.saml2.assertion.Issuer) 42
Date (java.util.Date) 24
List (java.util.List) 20
ArrayList (java.util.ArrayList) 19
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException) 15
Element (org.w3c.dom.Element) 15
Assertion (com.sun.identity.saml2.assertion.Assertion) 13
Response (com.sun.identity.saml2.protocol.Response) 13
SessionException (com.sun.identity.plugin.session.SessionException) 12
X509Certificate (java.security.cert.X509Certificate) 12
EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion) 11
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) 11
HttpServletResponse (javax.servlet.http.HttpServletResponse) 11
Node (org.w3c.dom.Node) 10
NodeList (org.w3c.dom.NodeList) 10
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory) 8
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement) 8
ProtocolFactory (com.sun.identity.saml2.protocol.ProtocolFactory) 8
Status (com.sun.identity.saml2.protocol.Status) 8