Example 1 with KeyDescriptorType
use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.
the class KeyUtil method getVerificationCerts.
/**
* Returns the partner entity's signature verification certificate.
*
* @param roleDescriptor <code>RoleDescriptor</code> for the partner entity.
* @param entityID Partner entity's ID.
* @param role Entity's role.
* @return The set of signing {@link X509Certificate} for verifying the partner entity's signature.
*/
public static Set<X509Certificate> getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) {
String classMethod = "KeyUtil.getVerificationCerts: ";
// first try to get it from cache
String index = entityID.trim() + "|" + role;
Set<X509Certificate> certificates = sigHash.get(index);
if (certificates != null) {
return certificates;
}
certificates = new LinkedHashSet<>(3);
// else get it from meta
if (roleDescriptor == null) {
SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
return null;
}
List<KeyDescriptorType> keyDescriptors = getKeyDescriptors(roleDescriptor, SAML2Constants.SIGNING);
if (keyDescriptors.isEmpty()) {
SAML2SDKUtils.debug.error(classMethod + "No signing KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
return certificates;
}
for (KeyDescriptorType keyDescriptor : keyDescriptors) {
certificates.add(getCert(keyDescriptor));
}
if (certificates.isEmpty()) {
SAML2SDKUtils.debug.error(classMethod + "No signing cert for entityID=" + entityID + " in " + role + " role.");
return null;
}
sigHash.put(index, certificates);
return certificates;
}
Also used :
KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)
X509Certificate(java.security.cert.X509Certificate)
Example 2 with KeyDescriptorType
use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.
the class KeyUtil method getEncInfo.
/**
* Returns the encryption information which will be used in
* encrypting messages intended for the partner entity.
* @param roled <code>RoleDescriptor</code> for the partner entity
* @param entityID partner entity's ID
* @param role entity's role
* @return <code>EncInfo</code> which includes partner entity's
* public key for wrapping the secret key, data encryption algorithm,
* and data encryption strength
*/
public static EncInfo getEncInfo(RoleDescriptorType roled, String entityID, String role) {
String classMethod = "KeyUtil.getEncInfo: ";
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message(classMethod + "Entering... \nEntityID=" + entityID + "\nRole=" + role);
}
// first try to get it from cache
String index = entityID.trim() + "|" + role;
EncInfo encInfo = (EncInfo) encHash.get(index);
if (encInfo != null) {
return encInfo;
}
// else get it from meta
if (roled == null) {
SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
return null;
}
KeyDescriptorType kd = getKeyDescriptor(roled, SAML2Constants.ENCRYPTION);
if (kd == null) {
SAML2SDKUtils.debug.error(classMethod + "No encryption KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
return null;
}
java.security.cert.X509Certificate cert = getCert(kd);
if (cert == null) {
SAML2SDKUtils.debug.error(classMethod + "No encryption cert for entityID=" + entityID + " in " + role + " role.");
return null;
}
List emList = kd.getEncryptionMethod();
EncryptionMethodType em = null;
String algorithm = null;
int keySize = 0;
if (emList != null && !emList.isEmpty()) {
em = (EncryptionMethodType) emList.get(0);
if (em != null) {
algorithm = em.getAlgorithm();
List cList = em.getContent();
if (cList != null) {
Iterator cIter = cList.iterator();
while (cIter.hasNext()) {
Object cObject = cIter.next();
if (cObject instanceof EncryptionMethodType.KeySize) {
keySize = ((EncryptionMethodType.KeySize) (cList.get(0))).getValue().intValue();
break;
}
}
}
}
}
if (algorithm == null || algorithm.length() == 0) {
algorithm = XMLCipher.AES_128;
keySize = 128;
}
PublicKey pk = cert.getPublicKey();
if (pk != null) {
encInfo = new EncInfo(pk, algorithm, keySize);
}
if (encInfo != null) {
encHash.put(index, encInfo);
}
return encInfo;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
PublicKey(java.security.PublicKey)
Iterator(java.util.Iterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)
Example 3 with KeyDescriptorType
use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.
the class KeyUtil method getKeyDescriptors.
/**
* Returns the {@link KeyDescriptorType}s from {@link RoleDescriptorType} that matches the requested usage.
* KeyDescriptors without usage defined are also included in this list, as by definition they should be suitable for
* any purposes.
*
* @param roleDescriptor {@link RoleDescriptorType} which contains {@link KeyDescriptorType}s.
* @param usage Type of the {@link KeyDescriptorType}s to be retrieved. Its value is "encryption" or "signing".
* @return {@link KeyDescriptorType}s in {@link RoleDescriptorType} that matched the usage type.
*/
public static List<KeyDescriptorType> getKeyDescriptors(RoleDescriptorType roleDescriptor, String usage) {
List<KeyDescriptorType> keyDescriptors = roleDescriptor.getKeyDescriptor();
List<KeyDescriptorType> matches = new ArrayList<>(keyDescriptors.size());
List<KeyDescriptorType> keyDescriptorsWithoutUsage = new ArrayList<>(keyDescriptors.size());
for (KeyDescriptorType keyDescriptor : keyDescriptors) {
String use = keyDescriptor.getUse();
if (StringUtils.isBlank(use)) {
keyDescriptorsWithoutUsage.add(keyDescriptor);
} else if (use.trim().toLowerCase().equals(usage)) {
matches.add(keyDescriptor);
}
}
matches.addAll(keyDescriptorsWithoutUsage);
return matches;
}
Also used :
ArrayList(java.util.ArrayList)
KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)
Example 4 with KeyDescriptorType
use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.
the class SAML2MetaSecurityUtils method updateProviderKeyInfo.
/**
* Updates signing or encryption key info for SP or IDP.
* This will update both signing/encryption alias on extended metadata and
* certificates in standard metadata.
* @param realm Realm the entity resides.
* @param entityID ID of the entity to be updated.
* @param certAliases The set of certificate aliases to be set for the entity. If null or empty, existing key
* information will be removed from the SP or IDP.
* @param isSigning true if this is signing certificate alias, false if
* this is encryption certification alias.
* @param isIDP true if this is for IDP signing/encryption alias, false
* if this is for SP signing/encryption alias
* @param encAlgo Encryption algorithm URI, this is applicable for
* encryption cert only.
* @param keySize Encryption key size, this is applicable for
* encryption cert only.
* @throws SAML2MetaException if failed to update the certificate alias
* for the entity.
*/
public static void updateProviderKeyInfo(String realm, String entityID, Set<String> certAliases, boolean isSigning, boolean isIDP, String encAlgo, int keySize) throws SAML2MetaException {
SAML2MetaManager metaManager = new SAML2MetaManager();
EntityConfigElement config = metaManager.getEntityConfig(realm, entityID);
if (!config.isHosted()) {
String[] args = { entityID, realm };
throw new SAML2MetaException("entityNotHosted", args);
}
EntityDescriptorElement desp = metaManager.getEntityDescriptor(realm, entityID);
BaseConfigType baseConfig;
RoleDescriptorType descriptor;
if (isIDP) {
baseConfig = SAML2MetaUtils.getIDPSSOConfig(config);
descriptor = SAML2MetaUtils.getIDPSSODescriptor(desp);
if (baseConfig == null || descriptor == null) {
String[] args = { entityID, realm };
throw new SAML2MetaException("entityNotIDP", args);
}
} else {
baseConfig = SAML2MetaUtils.getSPSSOConfig(config);
descriptor = SAML2MetaUtils.getSPSSODescriptor(desp);
if (baseConfig == null || descriptor == null) {
String[] args = { entityID, realm };
throw new SAML2MetaException("entityNotSP", args);
}
}
// update standard metadata
if (CollectionUtils.isEmpty(certAliases)) {
// remove key info
removeKeyDescriptor(descriptor, isSigning);
if (isSigning) {
setExtendedAttributeValue(baseConfig, SAML2Constants.SIGNING_CERT_ALIAS, null);
} else {
setExtendedAttributeValue(baseConfig, SAML2Constants.ENCRYPTION_CERT_ALIAS, null);
}
} else {
Set<KeyDescriptorType> keyDescriptors = new LinkedHashSet<>(certAliases.size());
for (String certAlias : certAliases) {
keyDescriptors.add(getKeyDescriptor(certAlias, isSigning, encAlgo, keySize));
}
updateKeyDescriptor(descriptor, keyDescriptors);
// update extended metadata
if (isSigning) {
setExtendedAttributeValue(baseConfig, SAML2Constants.SIGNING_CERT_ALIAS, certAliases);
} else {
setExtendedAttributeValue(baseConfig, SAML2Constants.ENCRYPTION_CERT_ALIAS, certAliases);
}
}
metaManager.setEntityDescriptor(realm, desp);
metaManager.setEntityConfig(realm, config);
}
Also used :
BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)
LinkedHashSet(java.util.LinkedHashSet)
RoleDescriptorType(com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType)
KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)
EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)
EntityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)
Example 5 with KeyDescriptorType
use of com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType in project OpenAM by OpenRock.
the class SAML2MetaSecurityUtils method updateKeyDescriptor.
private static void updateKeyDescriptor(RoleDescriptorType desp, Set<KeyDescriptorType> keyDescriptors) {
String use = keyDescriptors.iterator().next().getUse();
List<KeyDescriptorType> keys = desp.getKeyDescriptor();
Iterator<KeyDescriptorType> iterator = keys.iterator();
while (iterator.hasNext()) {
final KeyDescriptorType keyDescriptor = iterator.next();
if (keyDescriptor.getUse().equalsIgnoreCase(use)) {
iterator.remove();
}
}
desp.getKeyDescriptor().addAll(keyDescriptors);
}
Also used :
KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)
Aggregations
KeyDescriptorType (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)7
X509Certificate (java.security.cert.X509Certificate)4
PublicKey (java.security.PublicKey)2
ArrayList (java.util.ArrayList)2
Iterator (java.util.Iterator)2
EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)1
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)1
BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)1
EntityConfigElement (com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)1
EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)1
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)1
RoleDescriptorType (com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType)1
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)1
com.sun.identity.saml2.jaxb.xmlsig (com.sun.identity.saml2.jaxb.xmlsig)1
EncInfo (com.sun.identity.saml2.key.EncInfo)1
ByteArrayInputStream (java.io.ByteArrayInputStream)1
CertificateFactory (java.security.cert.CertificateFactory)1
LinkedHashSet (java.util.LinkedHashSet)1
List (java.util.List)1
