
Example 1 with KeyDescriptorType

use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.

Class KeyUtil, method getVerificationCerts:

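/**
 * Returns the partner entity's signature verification certificates.
 * <p>
 * Results are cached in {@code sigHash} under the key {@code entityID|role}; a cached
 * entry is returned without consulting the metadata again, so nothing in this method
 * picks up a rotated partner certificate until that cache entry is cleared elsewhere.
 *
 * @param roleDescriptor <code>RoleDescriptor</code> for the partner entity.
 * @param entityID Partner entity's ID.
 * @param role Entity's role.
 * @return The set of signing {@link X509Certificate} for verifying the partner entity's signature;
 *         an empty set when the role declares no signing KeyDescriptor, or {@code null} when
 *         {@code roleDescriptor} is {@code null} or none of its KeyDescriptors yields a certificate.
 */
public static Set<X509Certificate> getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) {
    String classMethod = "KeyUtil.getVerificationCerts: ";
    // first try to get it from cache
    String index = entityID.trim() + "|" + role;
    Set<X509Certificate> certificates = sigHash.get(index);
    if (certificates != null) {
        return certificates;
    }
    // else get it from meta
    if (roleDescriptor == null) {
        SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    certificates = new LinkedHashSet<>(3);
    List<KeyDescriptorType> keyDescriptors = getKeyDescriptors(roleDescriptor, SAML2Constants.SIGNING);
    if (keyDescriptors.isEmpty()) {
        SAML2SDKUtils.debug.error(classMethod + "No signing KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
        return certificates;
    }
    for (KeyDescriptorType keyDescriptor : keyDescriptors) {
        X509Certificate cert = getCert(keyDescriptor);
        // getCert() can return null (getEncInfo checks for exactly that). A null element must
        // never be added: it would defeat the isEmpty() guard below and hand callers a cached
        // "trusted" set containing null.
        if (cert != null) {
            certificates.add(cert);
        } else if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message(classMethod + "Skipping signing KeyDescriptor without a usable cert for entityID=" + entityID + " in " + role + " role.");
        }
    }
    if (certificates.isEmpty()) {
        SAML2SDKUtils.debug.error(classMethod + "No signing cert for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    sigHash.put(index, certificates);
    return certificates;
}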

Example 2 with KeyDescriptorType

use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.

Class KeyUtil, method getEncInfo:

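/**
 * Returns the encryption information which will be used in
 * encrypting messages intended for the partner entity.
 * <p>
 * The result is cached in {@code encHash} under {@code entityID|role}. Only the first
 * {@code EncryptionMethod} of the encryption KeyDescriptor is honoured; when it declares
 * no algorithm, AES-128 is assumed. When an algorithm is declared without a
 * {@code KeySize} child, the key size is reported as 0.
 *
 * @param roled <code>RoleDescriptor</code> for the partner entity
 * @param entityID partner entity's ID
 * @param role entity's role
 * @return <code>EncInfo</code> which includes partner entity's
 * public key for wrapping the secret key, data encryption algorithm,
 * and data encryption strength; {@code null} when the role descriptor, its encryption
 * KeyDescriptor, that descriptor's certificate, or the certificate's public key is missing
 */
public static EncInfo getEncInfo(RoleDescriptorType roled, String entityID, String role) {
    String classMethod = "KeyUtil.getEncInfo: ";
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Entering... \nEntityID=" + entityID + "\nRole=" + role);
    }
    // first try to get it from cache
    String index = entityID.trim() + "|" + role;
    EncInfo encInfo = (EncInfo) encHash.get(index);
    if (encInfo != null) {
        return encInfo;
    }
    // else get it from meta
    if (roled == null) {
        SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    KeyDescriptorType kd = getKeyDescriptor(roled, SAML2Constants.ENCRYPTION);
    if (kd == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    java.security.cert.X509Certificate cert = getCert(kd);
    if (cert == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption cert for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    String algorithm = null;
    int keySize = 0;
    List<?> emList = kd.getEncryptionMethod();
    if (emList != null && !emList.isEmpty()) {
        EncryptionMethodType em = (EncryptionMethodType) emList.get(0);
        if (em != null) {
            // NOTE(review): the algorithm URI is taken verbatim from partner metadata and is not
            // checked against an allowlist here; whether the XML-encryption layer rejects weak or
            // unexpected algorithms is not visible in this class - confirm before relying on it.
            algorithm = em.getAlgorithm();
            List<?> cList = em.getContent();
            if (cList != null) {
                for (Object cObject : cList) {
                    if (cObject instanceof EncryptionMethodType.KeySize) {
                        // Cast the element that matched, not cList.get(0): KeySize need not be the
                        // first child, and casting get(0) threw ClassCastException when it was not.
                        keySize = ((EncryptionMethodType.KeySize) cObject).getValue().intValue();
                        break;
                    }
                }
            }
        }
    }
    if (algorithm == null || algorithm.length() == 0) {
        // Default when metadata is silent about the data-encryption algorithm.
        algorithm = XMLCipher.AES_128;
        keySize = 128;
    }
    PublicKey pk = cert.getPublicKey();
    if (pk != null) {
        encInfo = new EncInfo(pk, algorithm, keySize);
    }
    if (encInfo != null) {
        encHash.put(index, encInfo);
    }
    return encInfo;
}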

Example 3 with KeyDescriptorType

use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.

Class KeyUtil, method getKeyDescriptors:

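/**
 * Returns the {@link KeyDescriptorType}s from {@link RoleDescriptorType} that match the requested usage.
 * KeyDescriptors without usage defined are also included in this list, as by definition they should be suitable for
 * any purpose. Explicit matches come first, followed by the usage-less descriptors, each group in metadata order.
 *
 * @param roleDescriptor {@link RoleDescriptorType} which contains {@link KeyDescriptorType}s.
 * @param usage Type of the {@link KeyDescriptorType}s to be retrieved. Its value is "encryption" or "signing".
 * @return {@link KeyDescriptorType}s in {@link RoleDescriptorType} that matched the usage type; never {@code null}.
 */
public static List<KeyDescriptorType> getKeyDescriptors(RoleDescriptorType roleDescriptor, String usage) {
    List<KeyDescriptorType> keyDescriptors = roleDescriptor.getKeyDescriptor();
    List<KeyDescriptorType> matches = new ArrayList<>(keyDescriptors.size());
    List<KeyDescriptorType> keyDescriptorsWithoutUsage = new ArrayList<>(keyDescriptors.size());
    for (KeyDescriptorType keyDescriptor : keyDescriptors) {
        String use = keyDescriptor.getUse();
        if (StringUtils.isBlank(use)) {
            keyDescriptorsWithoutUsage.add(keyDescriptor);
        } else if (use.trim().equalsIgnoreCase(usage)) {
            // equalsIgnoreCase is locale-independent; the former toLowerCase().equals(usage)
            // used the JVM default locale and e.g. never matched "SIGNING" under a Turkish locale.
            matches.add(keyDescriptor);
        }
    }
    matches.addAll(keyDescriptorsWithoutUsage);
    return matches;
}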

Example 4 with KeyDescriptorType

use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.

Class SAML2MetaSecurityUtils, method updateProviderKeyInfo:

/**
 * Updates signing or encryption key info for SP or IDP.
 * This will update both signing/encryption alias on extended metadata and
 * certificates in standard metadata. Only hosted entities may be updated; the
 * metadata of a remote entity is rejected with an "entityNotHosted" error, and an
 * entity that lacks the requested role is rejected with "entityNotIDP" / "entityNotSP".
 *
 * @param realm Realm the entity resides.
 * @param entityID ID of the entity to be updated.
 * @param certAliases The set of certificate aliases to be set for the entity. If null or empty, existing key
 *                    information will be removed from the SP or IDP.
 * @param isSigning true if this is signing certificate alias, false if
 *        this is encryption certification alias.
 * @param isIDP true if this is for IDP signing/encryption alias, false
 *        if this is for SP signing/encryption alias
 * @param encAlgo Encryption algorithm URI, this is applicable for
 *        encryption cert only.
 * @param keySize Encryption key size, this is applicable for
 *        encryption cert only.
 * @throws SAML2MetaException if failed to update the certificate alias
 *        for the entity, if the entity is not hosted, or if it has no descriptor for the requested role.
 */
public static void updateProviderKeyInfo(String realm, String entityID, Set<String> certAliases, boolean isSigning, boolean isIDP, String encAlgo, int keySize) throws SAML2MetaException {
    SAML2MetaManager metaManager = new SAML2MetaManager();
    EntityConfigElement entityConfig = metaManager.getEntityConfig(realm, entityID);
    String[] errorArgs = { entityID, realm };
    // NOTE(review): getEntityConfig()/getEntityDescriptor() are assumed to return non-null for a
    // known entityID; an unknown one would surface as a NullPointerException here - confirm.
    if (!entityConfig.isHosted()) {
        throw new SAML2MetaException("entityNotHosted", errorArgs);
    }
    EntityDescriptorElement entityDescriptor = metaManager.getEntityDescriptor(realm, entityID);
    // Resolve the extended-config and standard-metadata views of the requested role.
    BaseConfigType roleConfig = isIDP
            ? SAML2MetaUtils.getIDPSSOConfig(entityConfig)
            : SAML2MetaUtils.getSPSSOConfig(entityConfig);
    RoleDescriptorType roleDescriptor = isIDP
            ? SAML2MetaUtils.getIDPSSODescriptor(entityDescriptor)
            : SAML2MetaUtils.getSPSSODescriptor(entityDescriptor);
    if (roleConfig == null || roleDescriptor == null) {
        throw new SAML2MetaException(isIDP ? "entityNotIDP" : "entityNotSP", errorArgs);
    }
    String aliasAttribute = isSigning ? SAML2Constants.SIGNING_CERT_ALIAS : SAML2Constants.ENCRYPTION_CERT_ALIAS;
    if (CollectionUtils.isEmpty(certAliases)) {
        // No aliases: strip the key info from standard metadata and clear the alias attribute.
        removeKeyDescriptor(roleDescriptor, isSigning);
        setExtendedAttributeValue(roleConfig, aliasAttribute, null);
    } else {
        // One KeyDescriptor per alias, in the caller's order; then record the aliases in extended metadata.
        Set<KeyDescriptorType> newDescriptors = new LinkedHashSet<>(certAliases.size());
        for (String alias : certAliases) {
            newDescriptors.add(getKeyDescriptor(alias, isSigning, encAlgo, keySize));
        }
        updateKeyDescriptor(roleDescriptor, newDescriptors);
        setExtendedAttributeValue(roleConfig, aliasAttribute, certAliases);
    }
    metaManager.setEntityDescriptor(realm, entityDescriptor);
    metaManager.setEntityConfig(realm, entityConfig);
}

Example 5 with KeyDescriptorType

use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.

Class SAML2MetaSecurityUtils, method updateKeyDescriptor:

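/**
 * Replaces every KeyDescriptor of one {@code use} on the role descriptor with the supplied set,
 * appending the new descriptors in the set's iteration order. The {@code use} to replace is
 * taken from the first element of {@code keyDescriptors}.
 * <p>
 * Existing KeyDescriptors whose {@code use} differs from that value are left in place. In
 * particular a descriptor with no {@code use} attribute is not removed when a "signing" or
 * "encryption" set is installed, although {@code KeyUtil.getKeyDescriptors} treats such a
 * descriptor as valid for any purpose - so rotating a key via this method does not retire it.
 *
 * @param desp role descriptor whose KeyDescriptor list is modified in place.
 * @param keyDescriptors replacement descriptors; when {@code null} or empty nothing is changed.
 */
private static void updateKeyDescriptor(RoleDescriptorType desp, Set<KeyDescriptorType> keyDescriptors) {
    if (keyDescriptors == null || keyDescriptors.isEmpty()) {
        // Nothing to install (the former iterator().next() would have thrown here).
        return;
    }
    String use = keyDescriptors.iterator().next().getUse();
    List<KeyDescriptorType> keys = desp.getKeyDescriptor();
    Iterator<KeyDescriptorType> iterator = keys.iterator();
    while (iterator.hasNext()) {
        String existingUse = iterator.next().getUse();
        // Null-safe comparison: existing metadata may carry KeyDescriptors without a use attribute,
        // which made the former getUse().equalsIgnoreCase(use) throw NullPointerException.
        boolean sameUse = (use == null) ? (existingUse == null) : use.equalsIgnoreCase(existingUse);
        if (sameUse) {
            iterator.remove();
        }
    }
    keys.addAll(keyDescriptors);
}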
