Example 1 with RoleDescriptorType

Use of com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType in project OpenAM by OpenRock.

Class KeyUtil, method getVerificationCerts.

/**
 * Returns the partner entity's signature verification certificates.
 *
 * @param roleDescriptor <code>RoleDescriptor</code> for the partner entity.
 * @param entityID Partner entity's ID.
 * @param role Entity's role.
 * @return The set of signing {@link X509Certificate} for verifying the partner entity's signature.
 */
public static Set<X509Certificate> getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) {
    String classMethod = "KeyUtil.getVerificationCerts: ";
    // first try to get it from cache
    String index = entityID.trim() + "|" + role;
    Set<X509Certificate> certificates = sigHash.get(index);
    if (certificates != null) {
        return certificates;
    }
    certificates = new LinkedHashSet<>(3);
    // else get it from meta
    if (roleDescriptor == null) {
        SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    List<KeyDescriptorType> keyDescriptors = getKeyDescriptors(roleDescriptor, SAML2Constants.SIGNING);
    if (keyDescriptors.isEmpty()) {
        SAML2SDKUtils.debug.error(classMethod + "No signing KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
        return certificates;
    }
    for (KeyDescriptorType keyDescriptor : keyDescriptors) {
        certificates.add(getCert(keyDescriptor));
    }
    if (certificates.isEmpty()) {
        SAML2SDKUtils.debug.error(classMethod + "No signing cert for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    sigHash.put(index, certificates);
    return certificates;
}
Also used: KeyDescriptorType (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType), X509Certificate (java.security.cert.X509Certificate)

Example 2 with RoleDescriptorType

Use of com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType in project OpenAM by OpenRock.

Class KeyUtil, method getEncInfo.

/**
 * Returns the encryption information which will be used in
 * encrypting messages intended for the partner entity.
 *
 * @param roled <code>RoleDescriptor</code> for the partner entity
 * @param entityID partner entity's ID
 * @param role entity's role
 * @return <code>EncInfo</code> which includes partner entity's
 * public key for wrapping the secret key, data encryption algorithm,
 * and data encryption strength
 */
public static EncInfo getEncInfo(RoleDescriptorType roled, String entityID, String role) {
    String classMethod = "KeyUtil.getEncInfo: ";
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Entering... \nEntityID=" + entityID + "\nRole=" + role);
    }
    // first try to get it from cache
    String index = entityID.trim() + "|" + role;
    EncInfo encInfo = (EncInfo) encHash.get(index);
    if (encInfo != null) {
        return encInfo;
    }
    // else get it from meta
    if (roled == null) {
        SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    KeyDescriptorType kd = getKeyDescriptor(roled, SAML2Constants.ENCRYPTION);
    if (kd == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    java.security.cert.X509Certificate cert = getCert(kd);
    if (cert == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption cert for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    List emList = kd.getEncryptionMethod();
    EncryptionMethodType em = null;
    String algorithm = null;
    int keySize = 0;
    if (emList != null && !emList.isEmpty()) {
        em = (EncryptionMethodType) emList.get(0);
        if (em != null) {
            algorithm = em.getAlgorithm();
            List cList = em.getContent();
            if (cList != null) {
                Iterator cIter = cList.iterator();
                while (cIter.hasNext()) {
                    Object cObject = cIter.next();
                    if (cObject instanceof EncryptionMethodType.KeySize) {
                        // read the KeySize from the element we matched, not from cList.get(0):
                        // the first child may be OAEPparams or other content, which would throw
                        keySize = ((EncryptionMethodType.KeySize) cObject).getValue().intValue();
                        break;
                    }
                }
            }
        }
    }
    if (algorithm == null || algorithm.length() == 0) {
        algorithm = XMLCipher.AES_128;
        keySize = 128;
    }
    PublicKey pk = cert.getPublicKey();
    if (pk != null) {
        encInfo = new EncInfo(pk, algorithm, keySize);
    }
    if (encInfo != null) {
        encHash.put(index, encInfo);
    }
    return encInfo;
}
Also used: X509Certificate (java.security.cert.X509Certificate), PublicKey (java.security.PublicKey), Iterator (java.util.Iterator), ArrayList (java.util.ArrayList), List (java.util.List), KeyDescriptorType (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)

Example 3 with RoleDescriptorType

Use of com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType in project OpenAM by OpenRock.

Class KeyUtil, method getKeyDescriptors.

/**
 * Returns the {@link KeyDescriptorType}s from {@link RoleDescriptorType} that match the requested usage.
 * KeyDescriptors without a usage defined are also included in this list, as by definition they should be suitable for
 * any purpose.
 *
 * @param roleDescriptor {@link RoleDescriptorType} which contains {@link KeyDescriptorType}s.
 * @param usage Type of the {@link KeyDescriptorType}s to be retrieved. Its value is "encryption" or "signing".
 * @return {@link KeyDescriptorType}s in {@link RoleDescriptorType} that matched the usage type.
 */
public static List<KeyDescriptorType> getKeyDescriptors(RoleDescriptorType roleDescriptor, String usage) {
    List<KeyDescriptorType> keyDescriptors = roleDescriptor.getKeyDescriptor();
    List<KeyDescriptorType> matches = new ArrayList<>(keyDescriptors.size());
    List<KeyDescriptorType> keyDescriptorsWithoutUsage = new ArrayList<>(keyDescriptors.size());
    for (KeyDescriptorType keyDescriptor : keyDescriptors) {
        String use = keyDescriptor.getUse();
        if (StringUtils.isBlank(use)) {
            keyDescriptorsWithoutUsage.add(keyDescriptor);
        } else if (use.trim().toLowerCase().equals(usage)) {
            matches.add(keyDescriptor);
        }
    }
    matches.addAll(keyDescriptorsWithoutUsage);
    return matches;
}
Also used: ArrayList (java.util.ArrayList), KeyDescriptorType (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)
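The selection rules in getKeyDescriptors (Example 3) and the EncryptionMethod handling in getEncInfo (Example 2) apply to the partner's SAML 2.0 metadata, so it is worth seeing them run over actual metadata XML. The following is an added example, not OpenAM code, written in Python with xml.etree rather than the project's JAXB classes; the metadata document, the entity ID and the certificate strings (SIGN-CERT-1, ENC-CERT, DUAL-CERT, which stand in for base64 DER) are constructed for the demo. It shows the two points a verifier should get right: a KeyDescriptor with no `use` attribute counts for both signing and encryption, so it is appended to the signing set (needed during key rollover), and a missing EncryptionMethod falls back to AES-128 exactly as getEncInfo does.

```python
"""Select SAML 2.0 metadata KeyDescriptors by intended use (added example, not OpenAM code)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"md": MD, "ds": DS, "xenc": XENC}

# Default OpenAM's getEncInfo uses when the partner declares no EncryptionMethod
AES_128 = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

# Constructed sample: one signing key, one encryption key carrying a KeySize,
# and one key with no use attribute (valid for both purposes). Certificate
# bodies are placeholder strings, not real base64 DER.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGN-CERT-1</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENC-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm">
        <xenc:KeySize>256</xenc:KeySize>
      </md:EncryptionMethod>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>DUAL-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with a single use-less key and no EncryptionMethod,
# to exercise the AES-128 fallback path.
SAMPLE_NO_ENC_METHOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ONLY-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def role_descriptor(metadata_xml, role_tag):
    """Return the role element (e.g. 'IDPSSODescriptor') from an EntityDescriptor."""
    return ET.fromstring(metadata_xml).find("md:" + role_tag, NS)


def key_descriptors(role, usage):
    """KeyDescriptors whose use matches `usage` ('signing' or 'encryption'),
    followed by those with no use attribute, which count for either purpose.
    Mirrors the ordering of OpenAM's getKeyDescriptors."""
    matches, without_use = [], []
    for kd in role.findall("md:KeyDescriptor", NS):
        use = (kd.get("use") or "").strip().lower()
        if not use:
            without_use.append(kd)
        elif use == usage:
            matches.append(kd)
    return matches + without_use


def certificate_text(kd):
    """Whitespace-stripped X509Certificate body of a KeyDescriptor, or None."""
    el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if el is None or el.text is None:
        return None
    return "".join(el.text.split())


def verification_certs(role):
    """All signing certificates, de-duplicated, in metadata order."""
    certs = []
    for kd in key_descriptors(role, "signing"):
        cert = certificate_text(kd)
        if cert is not None and cert not in certs:
            certs.append(cert)
    return certs


def enc_info(role):
    """Encryption cert, algorithm and key size from the first encryption-capable
    KeyDescriptor, defaulting to AES-128 when no EncryptionMethod is declared."""
    kds = key_descriptors(role, "encryption")
    if not kds:
        return None
    cert = certificate_text(kds[0])
    if cert is None:
        return None
    algorithm, key_size = None, 0
    em = kds[0].find("md:EncryptionMethod", NS)
    if em is not None:
        algorithm = em.get("Algorithm")
        ks = em.find("xenc:KeySize", NS)
        if ks is not None and ks.text:
            key_size = int(ks.text.strip())
    if not algorithm:
        algorithm, key_size = AES_128, 128
    return {"cert": cert, "algorithm": algorithm, "key_size": key_size}


if __name__ == "__main__":
    idp = role_descriptor(SAMPLE_METADATA, "IDPSSODescriptor")
    print(verification_certs(idp))
    print(enc_info(idp))
    print(enc_info(role_descriptor(SAMPLE_NO_ENC_METHOD, "SPSSODescriptor")))
```

The use-less DUAL-CERT lands in the verification set after the explicit signing key, so a signature made with either key validates; the same descriptor would be chosen for encryption if no explicit encryption key existed. Note that the real OpenAM code caches by `entityID|role`, so a metadata update is only picked up once that cache entry is cleared.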

Example 4 with RoleDescriptorType

Use of com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType in project OpenAM by OpenRock.

Class SAML2MetaSecurityUtils, method removeKeyDescriptor.

private static void removeKeyDescriptor(RoleDescriptorType desp, boolean isSigningUse) {
    List keys = desp.getKeyDescriptor();
    for (Iterator iter = keys.iterator(); iter.hasNext(); ) {
        KeyDescriptorElement key = (KeyDescriptorElement) iter.next();
        String keyUse = "encryption";
        if (isSigningUse) {
            keyUse = "signing";
        }
        if ((key.getUse() != null) && key.getUse().equalsIgnoreCase(keyUse)) {
            iter.remove();
        }
    }
}
Also used: Iterator (java.util.Iterator), NodeList (org.w3c.dom.NodeList), List (java.util.List), KeyDescriptorElement (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorElement)

Example 5 with RoleDescriptorType

Use of com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType in project OpenAM by OpenRock.

Class AssertionIDRequestUtil, method getRoleDescriptorAndLocation.

private static RoleDescriptorType getRoleDescriptorAndLocation(String samlAuthorityEntityID, String role, String realm, String binding, StringBuffer location) throws SAML2Exception {
    List aIDReqServices = null;
    RoleDescriptorType roled = null;
    try {
        if (role == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedRole"));
        } else if (role.equals(SAML2Constants.IDP_ROLE)) {
            IDPSSODescriptorElement idpd = metaManager.getIDPSSODescriptor(realm, samlAuthorityEntityID);
            if (idpd == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("idpNotFound"));
            }
            aIDReqServices = idpd.getAssertionIDRequestService();
            roled = idpd;
        } else if (role.equals(SAML2Constants.AUTHN_AUTH_ROLE)) {
            AuthnAuthorityDescriptorElement attrd = metaManager.getAuthnAuthorityDescriptor(realm, samlAuthorityEntityID);
            if (attrd == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("authnAuthorityNotFound"));
            }
            aIDReqServices = attrd.getAssertionIDRequestService();
            roled = attrd;
        } else if (role.equals(SAML2Constants.ATTR_AUTH_ROLE)) {
            AttributeAuthorityDescriptorElement aad = metaManager.getAttributeAuthorityDescriptor(realm, samlAuthorityEntityID);
            if (aad == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
            }
            aIDReqServices = aad.getAssertionIDRequestService();
            roled = aad;
        } else {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedRole"));
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AssertionIDRequest.getRoleDescriptorAndLocation:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    if ((aIDReqServices == null) || (aIDReqServices.isEmpty())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("aIDReqServiceNotFound"));
    }
    for (Iterator iter = aIDReqServices.iterator(); iter.hasNext(); ) {
        AssertionIDRequestServiceElement aIDReqService = (AssertionIDRequestServiceElement) iter.next();
        if (binding.equalsIgnoreCase(aIDReqService.getBinding())) {
            location.append(aIDReqService.getLocation());
            break;
        }
    }
    if (location.length() == 0) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    return roled;
}
Also used: SAML2Exception (com.sun.identity.saml2.common.SAML2Exception), AuthnAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement), AssertionIDRequestServiceElement (com.sun.identity.saml2.jaxb.metadata.AssertionIDRequestServiceElement), RoleDescriptorType (com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType), AttributeAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement), Iterator (java.util.Iterator), List (java.util.List), ArrayList (java.util.ArrayList), SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException), IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Aggregations (type, followed by the number of examples using it)

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception) 6
KeyDescriptorType (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType) 5
RoleDescriptorType (com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType) 5
ArrayList (java.util.ArrayList) 4
Iterator (java.util.Iterator) 4
List (java.util.List) 4
X509Certificate (java.security.cert.X509Certificate) 3
Issuer (com.sun.identity.saml2.assertion.Issuer) 2
AssertionIDRequestServiceElement (com.sun.identity.saml2.jaxb.metadata.AssertionIDRequestServiceElement) 2
AttributeAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) 2
AuthnAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) 2
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement) 2
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException) 2
Response (com.sun.identity.saml2.protocol.Response) 2
HttpServletResponse (javax.servlet.http.HttpServletResponse) 2
Assertion (com.sun.identity.saml2.assertion.Assertion) 1
AssertionIDRef (com.sun.identity.saml2.assertion.AssertionIDRef) 1
EncryptedID (com.sun.identity.saml2.assertion.EncryptedID) 1
BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) 1
EntityConfigElement (com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement) 1