Search in sources :

Example 6 with EncInfo

use of com.sun.identity.saml2.key.EncInfo in project OpenAM by OpenRock.

the class QueryHandlerServlet method processXACMLResponse.

/**
     * Returns the received Response to the Requester.
     * Validates the message signature if signed and invokes the
     * Request Handler to pass the request for futher processing.
     *
     * @param realm realm of the entity.
     * @param pdpEntityID entity identifier of Policy Decision Point (PDP).
     * @param samlRequest the <code>RequestAbstract</code> object.
     * @param request the <code>HttpServletRequest</code> object.
     * @param soapMsg the <code>SOAPMessage</code> object.
     * @exception <code>SAML2Exception</code> if there is an error processing
     *            the request and returning a  response.
     */
Response processXACMLResponse(String realm, String pdpEntityID, RequestAbstract samlRequest, HttpServletRequest request, SOAPMessage soapMsg) throws SAML2Exception {
    String classMethod = "QueryHandlerServlet:processXACMLResponse";
    Response samlResponse = null;
    String path = request.getPathInfo();
    String key = path.substring(path.indexOf(METAALIAS_KEY) + 10);
    String pepEntityID = samlRequest.getIssuer().getValue();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "SOAPMessage KEY . :" + key);
        debug.message(classMethod + "pepEntityID is :" + pepEntityID);
    }
    //Retreive metadata
    boolean pdpWantAuthzQuerySigned = SAML2Utils.getWantXACMLAuthzDecisionQuerySigned(realm, pdpEntityID, SAML2Constants.PDP_ROLE);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "PDP wantAuthzQuerySigned:" + pdpWantAuthzQuerySigned);
    }
    if (pdpWantAuthzQuerySigned) {
        if (samlRequest.isSigned()) {
            XACMLAuthzDecisionQueryDescriptorElement pep = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
            Set<X509Certificate> verificationCerts = KeyUtil.getPEPVerificationCerts(pep, pepEntityID);
            if (verificationCerts.isEmpty() || !samlRequest.isSignatureValid(verificationCerts)) {
                // error
                debug.error(classMethod + "Invalid signature in message");
                throw new SAML2Exception("invalidQuerySignature");
            } else {
                debug.message(classMethod + "Valid signature found");
            }
        } else {
            debug.error("Request not signed");
            throw new SAML2Exception("nullSig");
        }
    }
    //getRequestHandlerClass
    RequestHandler handler = (RequestHandler) SOAPBindingService.handlers.get(key);
    if (handler != null) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Found handler");
        }
        samlResponse = handler.handleQuery(pdpEntityID, pepEntityID, samlRequest, soapMsg);
        // set response attributes
        samlResponse.setID(SAML2Utils.generateID());
        samlResponse.setVersion(SAML2Constants.VERSION_2_0);
        samlResponse.setIssueInstant(new Date());
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(pdpEntityID);
        samlResponse.setIssuer(issuer);
        // end set Response Attributes
        //set Assertion attributes
        List assertionList = samlResponse.getAssertion();
        Assertion assertion = (Assertion) assertionList.get(0);
        assertion.setID(SAML2Utils.generateID());
        assertion.setVersion(SAML2Constants.VERSION_2_0);
        assertion.setIssueInstant(new Date());
        assertion.setIssuer(issuer);
        // end assertion set attributes
        // check if assertion needs to be encrypted,signed.
        String wantAssertionEncrypted = SAML2Utils.getAttributeValueFromXACMLConfig(realm, SAML2Constants.PEP_ROLE, pepEntityID, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
        XACMLAuthzDecisionQueryDescriptorElement pepDescriptor = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
        EncInfo encInfo = null;
        boolean wantAssertionSigned = pepDescriptor.isWantAssertionsSigned();
        if (debug.messageEnabled()) {
            debug.message(classMethod + " wantAssertionSigned :" + wantAssertionSigned);
        }
        if (wantAssertionSigned) {
            signAssertion(realm, pdpEntityID, assertion);
        }
        if (wantAssertionEncrypted != null && wantAssertionEncrypted.equalsIgnoreCase(SAML2Constants.TRUE)) {
            encInfo = KeyUtil.getPEPEncInfo(pepDescriptor, pepEntityID);
            // encrypt the Assertion
            EncryptedAssertion encryptedAssertion = assertion.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), pepEntityID);
            if (encryptedAssertion == null) {
                debug.error(classMethod + "Assertion encryption failed.");
                throw new SAML2Exception("FailedToEncryptAssertion");
            }
            assertionList = new ArrayList();
            assertionList.add(encryptedAssertion);
            samlResponse.setEncryptedAssertion(assertionList);
            //reset Assertion list
            samlResponse.setAssertion(new ArrayList());
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Assertion encrypted.");
            }
        } else {
            List assertionsList = new ArrayList();
            assertionsList.add(assertion);
            samlResponse.setAssertion(assertionsList);
        }
        signResponse(samlResponse, realm, pepEntityID, pdpEntityID);
    } else {
        // error -  missing request handler.
        debug.error(classMethod + "RequestHandler not found");
        throw new SAML2Exception("missingRequestHandler");
    }
    return samlResponse;
}
Also used : Issuer(com.sun.identity.saml2.assertion.Issuer) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncInfo(com.sun.identity.saml2.key.EncInfo) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) ArrayList(java.util.ArrayList) List(java.util.List) XACMLAuthzDecisionQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement)

Example 7 with EncInfo

use of com.sun.identity.saml2.key.EncInfo in project OpenAM by OpenRock.

the class KeyUtil method getPEPEncInfo.

/**
     * Returns the encryption information which will be used in
     * encrypting messages intended for the partner entity.
     *
     * @param pepDesc <code>XACMLAuthzDecisionQueryDescriptorElement</code> 
     * for the partner entity
     * @param pepEntityID partner entity's ID
     * @return <code>EncInfo</code> which includes partner entity's
     * public key for wrapping the secret key, data encryption algorithm,
     * and data encryption strength 
     */
public static EncInfo getPEPEncInfo(XACMLAuthzDecisionQueryDescriptorElement pepDesc, String pepEntityID) {
    String classMethod = "KeyUtil.getEncInfo: ";
    String role = SAML2Constants.PEP_ROLE;
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Entering... \nEntityID=" + pepEntityID + "\nRole=" + role);
    }
    // first try to get it from cache
    String index = pepEntityID.trim() + "|" + role;
    EncInfo encInfo = (EncInfo) encHash.get(index);
    if (encInfo != null) {
        return encInfo;
    }
    // else get it from meta
    if (pepDesc == null) {
        SAML2SDKUtils.debug.error(classMethod + "Null PEP Descriptor input for entityID=" + pepEntityID + " in " + role + " role.");
        return null;
    }
    KeyDescriptorType kd = getKeyDescriptor(pepDesc, SAML2Constants.ENCRYPTION);
    if (kd == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption KeyDescriptor for entityID=" + pepEntityID + " in " + role + " role.");
        return null;
    }
    return getEncryptionInfo(kd, pepEntityID, role);
}
Also used : KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)

Example 8 with EncInfo

use of com.sun.identity.saml2.key.EncInfo in project OpenAM by OpenRock.

the class DiscoveryBootstrap method getResourceOffering.

/**
     * Gets the discovery bootstrap resource offering for the user.
     * @return Discovery Resource Offering String
     * @exception  SAML2Exception if there's any failure.
     */
private String getResourceOffering(String authnContextClassRef, Subject subject, String wscID, String realm) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering:Init");
    }
    DiscoEntryElement discoEntry = DiscoServiceManager.getBootstrappingDiscoEntry();
    if (discoEntry == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingUnivID"));
    }
    String[] values = null;
    try {
        values = SessionManager.getProvider().getProperty(session, Constants.UNIVERSAL_IDENTIFIER);
    } catch (SessionException se) {
        throw new SAML2Exception(se);
    }
    if ((values == null) || (values.length == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingDiscoOffering"));
    }
    String univID = values[0];
    try {
        ResourceOfferingType offering = discoEntry.getResourceOffering();
        ServiceInstanceType serviceInstance = offering.getServiceInstance();
        String providerID = serviceInstance.getProviderID();
        if (!DiscoServiceManager.useImpliedResource()) {
            ResourceIDMapper idMapper = DiscoServiceManager.getResourceIDMapper(providerID);
            if (idMapper == null) {
                idMapper = DiscoServiceManager.getDefaultResourceIDMapper();
            }
            ObjectFactory fac = new ObjectFactory();
            ResourceIDType resourceID = fac.createResourceIDType();
            String resourceIDValue = idMapper.getResourceID(providerID, univID);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering: " + "ResourceID Value:" + resourceIDValue);
            }
            resourceID.setValue(resourceIDValue);
            offering.setResourceID(resourceID);
        } else {
            ObjectFactory fac = new com.sun.identity.liberty.ws.disco.jaxb.ObjectFactory();
            ResourceIDType resourceID = fac.createResourceIDType();
            resourceID.setValue(DiscoConstants.IMPLIED_RESOURCE);
            offering.setResourceID(resourceID);
        }
        List discoEntryList = new ArrayList();
        discoEntryList.add(discoEntry);
        SessionSubject sessionSubject = null;
        if (DiscoServiceManager.encryptNIinSessionContext()) {
            IDPSSODescriptorElement idpSSODesc = SAML2Utils.getSAML2MetaManager().getIDPSSODescriptor(realm, providerID);
            EncInfo encInfo = KeyUtil.getEncInfo(idpSSODesc, wscID, SAML2Constants.IDP_ROLE);
            NameIdentifier ni = EncryptedNameIdentifier.getEncryptedNameIdentifier(convertSPNameID(subject.getNameID()), providerID, encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength());
            sessionSubject = new SessionSubject(ni, convertSC(subject.getSubjectConfirmation()), convertIDPNameID(subject.getNameID()));
        } else {
            sessionSubject = new SessionSubject(convertSPNameID(subject.getNameID()), convertSC(subject.getSubjectConfirmation()), convertIDPNameID(subject.getNameID()));
        }
        AuthnContext authnContext = new AuthnContext(authnContextClassRef, null);
        authnContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        SessionContext invocatorSession = new SessionContext(sessionSubject, authnContext, providerID);
        Map map = DiscoUtils.checkPolicyAndHandleDirectives(univID, null, discoEntryList, null, invocatorSession, wscID, session);
        List offerings = (List) map.get(DiscoUtils.OFFERINGS);
        if (offerings.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering:" + "no ResourceOffering");
            }
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingDiscoOffering"));
        }
        ResourceOffering resourceOffering = (ResourceOffering) offerings.get(0);
        assertions = (List) map.get(DiscoUtils.CREDENTIALS);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering: " + "Resource Offering:" + resourceOffering);
        }
        return resourceOffering.toString();
    } catch (Exception ex) {
        SAML2Utils.debug.error("DiscoveryBootstrap.getResourceOffering:" + "Exception while creating resource offering.", ex);
        throw new SAML2Exception(ex);
    }
}
Also used : ResourceOffering(com.sun.identity.liberty.ws.disco.ResourceOffering) SessionSubject(com.sun.identity.liberty.ws.security.SessionSubject) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) EncryptedNameIdentifier(com.sun.identity.federation.message.common.EncryptedNameIdentifier) ResourceOfferingType(com.sun.identity.liberty.ws.disco.jaxb.ResourceOfferingType) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) DiscoEntryElement(com.sun.identity.liberty.ws.disco.plugins.jaxb.DiscoEntryElement) SessionException(com.sun.identity.plugin.session.SessionException) SAMLException(com.sun.identity.saml.common.SAMLException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncInfo(com.sun.identity.saml2.key.EncInfo) ServiceInstanceType(com.sun.identity.liberty.ws.disco.jaxb.ServiceInstanceType) ResourceIDMapper(com.sun.identity.liberty.ws.interfaces.ResourceIDMapper) ObjectFactory(com.sun.identity.liberty.ws.disco.jaxb.ObjectFactory) SessionContext(com.sun.identity.liberty.ws.security.SessionContext) ArrayList(java.util.ArrayList) List(java.util.List) ResourceIDType(com.sun.identity.liberty.ws.disco.jaxb.ResourceIDType) Map(java.util.Map) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 9 with EncInfo

use of com.sun.identity.saml2.key.EncInfo in project OpenAM by OpenRock.

the class LogoutUtil method setNameIDForSLORequest.

public static void setNameIDForSLORequest(LogoutRequest request, NameID nameID, String realm, String hostEntity, String hostEntityRole, String remoteEntity) throws SAML2Exception, SessionException {
    String method = "setNameIDForSLORequest: ";
    boolean needEncryptIt = false;
    if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
        needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (needEncryptIt == false) {
        if (debug.messageEnabled()) {
            debug.message(method + "NamID doesn't need to be encrypted.");
        }
        request.setNameID(nameID);
        return;
    }
    EncInfo encryptInfo = null;
    KeyDescriptorType keyDescriptor = null;
    if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
        SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
        keyDescriptor = KeyUtil.getKeyDescriptor(spSSODesc, "encryption");
        encryptInfo = KeyUtil.getEncInfo(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        keyDescriptor = KeyUtil.getKeyDescriptor(idpSSODesc, "encryption");
        encryptInfo = KeyUtil.getEncInfo(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "remoteEntity is : " + remoteEntity);
    }
    if (encryptInfo == null) {
        debug.error("NO meta data for encrypt Info.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    X509Certificate certificate = KeyUtil.getCert(keyDescriptor);
    PublicKey recipientPublicKey = certificate.getPublicKey();
    EncryptedID encryptedID = nameID.encrypt(recipientPublicKey, encryptInfo.getDataEncAlgorithm(), encryptInfo.getDataEncStrength(), remoteEntity);
    request.setEncryptedID(encryptedID);
}
Also used : EncInfo(com.sun.identity.saml2.key.EncInfo) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) PublicKey(java.security.PublicKey) KeyDescriptorType(com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID) X509Certificate(java.security.cert.X509Certificate) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 10 with EncInfo

use of com.sun.identity.saml2.key.EncInfo in project OpenAM by OpenRock.

the class NameIDMapping method getEncryptedID.

static EncryptedID getEncryptedID(NameID nameID, String realm, String entityID, String role) throws SAML2Exception {
    RoleDescriptorType roled = null;
    if (role.equals(SAML2Constants.SP_ROLE)) {
        roled = metaManager.getSPSSODescriptor(realm, entityID);
    } else {
        roled = metaManager.getIDPSSODescriptor(realm, entityID);
    }
    EncInfo encInfo = KeyUtil.getEncInfo(roled, entityID, role);
    if (encInfo == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
    }
    EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), entityID);
    return encryptedID;
}
Also used : EncInfo(com.sun.identity.saml2.key.EncInfo) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) RoleDescriptorType(com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)

Aggregations

EncInfo (com.sun.identity.saml2.key.EncInfo)8 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)6 EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)5 ArrayList (java.util.ArrayList)5 List (java.util.List)5 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)3 KeyDescriptorType (com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType)3 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)3 X509Certificate (java.security.cert.X509Certificate)3 Assertion (com.sun.identity.saml2.assertion.Assertion)2 Attribute (com.sun.identity.saml2.assertion.Attribute)2 EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)2 Issuer (com.sun.identity.saml2.assertion.Issuer)2 NameID (com.sun.identity.saml2.assertion.NameID)2 Subject (com.sun.identity.saml2.assertion.Subject)2 AttributeAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)2 PublicKey (java.security.PublicKey)2 Date (java.util.Date)2 AuthnContext (com.sun.identity.federation.message.common.AuthnContext)1 EncryptedNameIdentifier (com.sun.identity.federation.message.common.EncryptedNameIdentifier)1