use of com.sun.identity.saml2.protocol.NewEncryptedID in project OpenAM by OpenRock.
the class DoManageNameID method setNameIDForMNIRequest.
private static void setNameIDForMNIRequest(ManageNameIDRequest mniRequest, NameID nameID, boolean changeID, String realm, String hostEntity, String hostEntityRole, String remoteEntity) throws SAML2Exception {
String method = "DoManageNameID.setNameIDForMNIRequest: ";
boolean needEncryptIt = false;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.SP_ROLE);
} else {
needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.IDP_ROLE);
}
NewID newID = null;
if (changeID) {
String newIDValue = SAML2Utils.createNameIdentifier();
newID = ProtocolFactory.getInstance().createNewID(newIDValue);
mniRequest.setNewID(newID);
}
mniRequest.setNameID(nameID);
if (!needEncryptIt) {
if (debug.messageEnabled()) {
debug.message(method + "NamID doesn't need to be encrypted.");
}
return;
}
EncInfo encInfo = null;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
encInfo = KeyUtil.getEncInfo(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
} else {
IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
encInfo = KeyUtil.getEncInfo(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
}
if (debug.messageEnabled()) {
debug.message(method + "realm is : " + realm);
debug.message(method + "hostEntity is : " + hostEntity);
debug.message(method + "Host Entity role is : " + hostEntityRole);
debug.message(method + "remoteEntity is : " + remoteEntity);
}
if (encInfo == null) {
logError("UnableToFindEncryptKeyInfo", LogUtil.METADATA_ERROR, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
}
EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), remoteEntity);
// This non-encrypted NameID will be removed just
// after saveMNIRequestInfo and just before it send to
mniRequest.setEncryptedID(encryptedID);
if (newID != null) {
NewEncryptedID newEncID = newID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), remoteEntity);
// This non-encrypted newID will be removed just
// after saveMNIRequestInfo and just before it send to
mniRequest.setNewEncryptedID(newEncID);
}
}
use of com.sun.identity.saml2.protocol.NewEncryptedID in project OpenAM by OpenRock.
the class DoManageNameID method getNewIDFromMNIRequest.
private static NewID getNewIDFromMNIRequest(ManageNameIDRequest request, String realm, String hostEntityID, String hostEntityRole) throws SAML2Exception {
boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm, hostEntityID, hostEntityRole);
if (!needDecryptIt) {
if (debug.messageEnabled()) {
debug.message("DoManageNameID.getNewIDFromMNIRequest: " + "NamID doesn't need to be decrypted.");
debug.message("DoManageNameID.getNewIDFromMNIRequest: " + "request is " + request);
}
NewID newID = null;
if (request != null) {
newID = request.getNewID();
debug.message("DoManageNameID.getNewIDFromMNIRequest: " + "newid is " + newID.getValue());
}
return newID;
}
NewEncryptedID encryptedID = request.getNewEncryptedID();
return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntityID, hostEntityRole));
}
use of com.sun.identity.saml2.protocol.NewEncryptedID in project OpenAM by OpenRock.
the class DoManageNameID method saveMNIRequestInfo.
private static void saveMNIRequestInfo(HttpServletRequest request, HttpServletResponse response, Map paramsMap, ManageNameIDRequest mniRequest, String relayState, String hostEntityRole, Object session) throws SAML2Exception {
String method = "saveMNIRequestInfo: ";
if (debug.messageEnabled()) {
debug.message(method + "hostEntityRole : " + hostEntityRole);
}
ManageNameIDRequest reqForSave = mniRequest;
NameID nameID = mniRequest.getNameID();
EncryptedID encryptedID = mniRequest.getEncryptedID();
if (encryptedID != null) {
NewEncryptedID newEncryptedID = mniRequest.getNewEncryptedID();
mniRequest.setEncryptedID(null);
mniRequest.setNewEncryptedID(null);
reqForSave = (ManageNameIDRequest) pf.createManageNameIDRequest(mniRequest.toXMLString(true, true));
mniRequest.setNameID(null);
mniRequest.setNewID(null);
mniRequest.setEncryptedID(encryptedID);
mniRequest.setNewEncryptedID(newEncryptedID);
}
paramsMap.put(SAML2Constants.SESSION, session);
ManageNameIDRequestInfo reqInfo = new ManageNameIDRequestInfo(request, response, reqForSave, relayState, paramsMap, session);
reqInfo.setNameID(nameID);
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
SPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
} else {
IDPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
}
}
use of com.sun.identity.saml2.protocol.NewEncryptedID in project OpenAM by OpenRock.
the class ManageNameIDRequestImpl method parseElement.
private void parseElement(Element element) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
// make sure that the input xml block is not null
if (element == null) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement: " + "Input is null.");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
}
// Make sure this is an EncryptedAssertion.
String tag = null;
tag = element.getLocalName();
if ((tag == null) || (!tag.equals(elementName))) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement:" + "not ManageNameIDRequest.");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
}
requestId = element.getAttribute("ID");
validateID(requestId);
version = element.getAttribute(SAML2Constants.VERSION);
validateVersion(version);
String issueInstantStr = element.getAttribute("IssueInstant");
validateIssueInstant(issueInstantStr);
destinationURI = element.getAttribute("Destination");
consent = element.getAttribute("Consent");
NodeList nList = element.getChildNodes();
if ((nList != null) && (nList.getLength() > 0)) {
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
String cName = childNode.getLocalName();
if (cName != null) {
if (cName.equals("Issuer")) {
nameID = assertionFactory.createIssuer((Element) childNode);
} else if (cName.equals("Signature")) {
signatureString = XMLUtils.getElementString((Element) childNode);
isSigned = true;
} else if (cName.equals("Extensions")) {
extensions = protocolFactory.createExtensions((Element) childNode);
} else if (cName.equals("NameID")) {
nameid = assertionFactory.createNameID((Element) childNode);
} else if (cName.equals("EncryptedID")) {
encryptedID = assertionFactory.createEncryptedID((Element) childNode);
} else if (cName.equals("NewID")) {
newID = protocolFactory.createNewID((Element) childNode);
} else if (cName.equals("NewEncryptedID")) {
newEncryptedID = protocolFactory.createNewEncryptedID((Element) childNode);
} else if (cName.equals("Terminate")) {
terminate = true;
}
}
}
}
}
use of com.sun.identity.saml2.protocol.NewEncryptedID in project OpenAM by OpenRock.
the class FMEncProvider method encrypt.
/**
* Encrypts the root element of the given XML document.
* @param xmlString String representing an XML document whose root
* element is to be encrypted.
* @param recipientPublicKey Public key used to encrypt the data encryption
* (secret) key, it is the public key of the
* recipient of the XML document to be encrypted.
* @param secretKey the secret key used to encrypted data.
* @param dataEncAlgorithm Data encryption algorithm.
* @param dataEncStrength Data encryption strength.
* @param recipientEntityID Unique identifier of the recipient, it is used
* as the index to the cached secret key so that
* the key can be reused for the same recipient;
* It can be null in which case the secret key will
* be generated every time and will not be cached
* and reused. Note that the generation of a secret
* key is a relatively expensive operation.
* @param outerElementName Name of the element that will wrap around the
* encrypted data and encrypted key(s) sub-elements
* @return org.w3c.dom.Element Root element of the encypted document; The
* name of this root element is indicated by
* the last input parameter
* @exception SAML2Exception if there is an error during the encryption
* process
*/
public Element encrypt(String xmlString, Key recipientPublicKey, SecretKey secretKey, String dataEncAlgorithm, int dataEncStrength, String recipientEntityID, String outerElementName) throws SAML2Exception {
String classMethod = "FMEncProvider.encrypt: ";
// checking the input parameters
if (xmlString == null || xmlString.length() == 0 || recipientPublicKey == null || dataEncAlgorithm == null || dataEncAlgorithm.length() == 0 || outerElementName == null || outerElementName.length() == 0) {
SAML2SDKUtils.debug.error(classMethod + "Null input parameter(s).");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
}
if (!dataEncAlgorithm.equals(XMLCipher.AES_128) && !dataEncAlgorithm.equals(XMLCipher.AES_192) && !dataEncAlgorithm.equals(XMLCipher.AES_256) && !dataEncAlgorithm.equals(XMLCipher.TRIPLEDES)) {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unsupportedKeyAlg"));
}
if ((dataEncAlgorithm.equals(XMLCipher.AES_128) && dataEncStrength != 128) || (dataEncAlgorithm.equals(XMLCipher.AES_192) && dataEncStrength != 192) || (dataEncAlgorithm.equals(XMLCipher.AES_256) && dataEncStrength != 256)) {
SAML2SDKUtils.debug.error(classMethod + "Data encryption algorithm " + dataEncAlgorithm + "and strength " + dataEncStrength + " mismatch.");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("algSizeMismatch"));
}
Document doc = XMLUtils.toDOMDocument(xmlString, SAML2SDKUtils.debug);
if (doc == null) {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
}
if (dataEncStrength <= 0) {
dataEncStrength = 128;
}
Element rootElement = doc.getDocumentElement();
if (rootElement == null) {
SAML2SDKUtils.debug.error(classMethod + "Empty document.");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("emptyDoc"));
}
// start of obtaining secret key
if (secretKey == null) {
if (recipientEntityID != null) {
if (cachedKeys.containsKey(recipientEntityID)) {
secretKey = (SecretKey) cachedKeys.get(recipientEntityID);
} else {
secretKey = generateSecretKey(dataEncAlgorithm, dataEncStrength);
cachedKeys.put(recipientEntityID, secretKey);
}
} else {
secretKey = generateSecretKey(dataEncAlgorithm, dataEncStrength);
}
if (secretKey == null) {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorGenerateKey"));
}
}
// end of obtaining secret key
XMLCipher cipher = null;
// start of encrypting the secret key with public key
String publicKeyEncAlg = recipientPublicKey.getAlgorithm();
/* note that the public key encryption algorithm could only
* have three possible values here: "RSA", "AES", "DESede"
*/
try {
if (publicKeyEncAlg.equals(EncryptionConstants.RSA)) {
cipher = XMLCipher.getInstance(XMLCipher.RSA_v1dot5);
} else if (publicKeyEncAlg.equals(EncryptionConstants.TRIPLEDES)) {
cipher = XMLCipher.getInstance(XMLCipher.TRIPLEDES_KeyWrap);
} else if (publicKeyEncAlg.equals(EncryptionConstants.AES)) {
cipher = XMLCipher.getInstance(XMLCipher.AES_128_KeyWrap);
} else {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unsupportedKeyAlg"));
}
} catch (XMLEncryptionException xe1) {
SAML2SDKUtils.debug.error(classMethod + "Unable to obtain cipher with public key algorithm.", xe1);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("noCipherForPublicKeyAlg"));
}
try {
cipher.init(XMLCipher.WRAP_MODE, recipientPublicKey);
} catch (XMLEncryptionException xe2) {
SAML2SDKUtils.debug.error(classMethod + "Failed to initialize cipher with public key", xe2);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("failedInitCipherWithPublicKey"));
}
EncryptedKey encryptedKey = null;
try {
encryptedKey = cipher.encryptKey(doc, secretKey);
} catch (XMLEncryptionException xe3) {
SAML2SDKUtils.debug.error(classMethod + "Failed to encrypt secret key with public key", xe3);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("failedEncryptingSecretKeyWithPublicKey"));
}
// start of doing data encryption
try {
cipher = XMLCipher.getInstance(dataEncAlgorithm);
} catch (XMLEncryptionException xe4) {
SAML2SDKUtils.debug.error(classMethod + "Failed to obtain a cipher for " + "data encryption algorithm" + dataEncAlgorithm, xe4);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("cipherNotAvailableForDataEncAlg"));
}
try {
cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
} catch (XMLEncryptionException xe5) {
SAML2SDKUtils.debug.error(classMethod + "Failed to initialize cipher with secret key.", xe5);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("failedInitCipherWithSecretKey"));
}
Document resultDoc = null;
try {
resultDoc = cipher.doFinal(doc, rootElement);
} catch (Exception e) {
SAML2SDKUtils.debug.error(classMethod + "Failed to do the final data encryption.", e);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("failedEncryptingData"));
}
// end of doing data encryption
// add the EncryptedKey element
Element ek = null;
try {
ek = cipher.martial(doc, encryptedKey);
} catch (Exception xe6) {
SAML2SDKUtils.debug.error(classMethod + "Failed to martial the encrypted key", xe6);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("failedMartialingEncryptedKey"));
}
String outerElemNS = SAML2Constants.ASSERTION_NAMESPACE_URI;
String outerElemPrefix = "saml";
if (outerElementName.equals("NewEncryptedID")) {
outerElemNS = SAML2Constants.PROTOCOL_NAMESPACE;
outerElemPrefix = "samlp";
}
Element outerElement = resultDoc.createElementNS(outerElemNS, outerElemPrefix + ":" + outerElementName);
outerElement.setAttributeNS(SAML2Constants.NS_XML, "xmlns:" + outerElemPrefix, outerElemNS);
Element ed = resultDoc.getDocumentElement();
resultDoc.replaceChild(outerElement, ed);
outerElement.appendChild(ed);
if (encryptedKeyInKeyInfo) {
// create a ds:KeyInfo Element to include the EncryptionKey
Element dsElement = resultDoc.createElementNS(SAML2Constants.NS_XMLSIG, "ds:KeyInfo");
dsElement.setAttributeNS(SAML2Constants.NS_XML, "xmlns:ds", SAML2Constants.NS_XMLSIG);
dsElement.appendChild(ek);
// find the xenc:CipherData Element inside the encrypted data
NodeList nl = ed.getElementsByTagNameNS(SAML2Constants.NS_XMLENC, "CipherData");
if ((nl == null) || (nl.getLength() == 0)) {
SAML2SDKUtils.debug.error(classMethod + "Unable to find required xenc:CipherData Element.");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("failedEncryptingData"));
}
Element cipherDataElement = (Element) nl.item(0);
// insert the EncryptedKey before the xenc:CipherData Element
ed.insertBefore(dsElement, cipherDataElement);
} else {
outerElement.appendChild(ek);
}
return resultDoc.getDocumentElement();
}
Aggregations