Example 1 with SignatureException

Use of ddf.security.samlp.SignatureException in the ddf project by codice.

Class IdpHandler, method serializeAndSign:

private String serializeAndSign(boolean isPost, boolean wantSigned, AuthnRequest authnRequest) throws AuthenticationFailureException {
    try {
        // HTTP-POST binding: the AuthnRequest itself carries an enveloped XML signature, so it is
        // signed here when the IdP metadata requests signed AuthnRequests. The redirect binding
        // (see doHttpRedirectBinding) signs the query string instead and passes isPost = false.
        if (isPost && wantSigned) {
            simpleSign.signSamlObject(authnRequest);
        }
        Document doc = DOMUtils.createDocument();
        doc.appendChild(doc.createElement("root"));
        // Marshal the (possibly signed) request to DOM and serialize it as-is; the serialized form
        // must not be altered afterwards or the signature will no longer verify.
        Element requestElement = OpenSAMLUtil.toDom(authnRequest, doc);
        String requestMessage = DOM2Writer.nodeToString(requestElement);
        LOGGER.trace(requestMessage);
        return requestMessage;
    } catch (WSSecurityException e) {
        // Marshalling failed: log with the cause and fail the authentication attempt.
        LOGGER.info(UNABLE_TO_ENCODE_SAML_AUTHN_REQUEST, e);
        throw new AuthenticationFailureException(UNABLE_TO_ENCODE_SAML_AUTHN_REQUEST);
    } catch (SignatureException e) {
        // Signing failed: the request is never sent unsigned; the login attempt fails instead.
        LOGGER.info(UNABLE_TO_SIGN_SAML_AUTHN_REQUEST, e);
        throw new AuthenticationFailureException(UNABLE_TO_SIGN_SAML_AUTHN_REQUEST);
    }
}
Also used:
    Element (org.w3c.dom.Element)
    WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)
    AuthenticationFailureException (org.codice.ddf.platform.filter.AuthenticationFailureException)
    SignatureException (ddf.security.samlp.SignatureException)
    Document (org.w3c.dom.Document)

Example 2 with SignatureException

Use of ddf.security.samlp.SignatureException in the ddf project by codice.

Class IdpHandler, method doHttpRedirectBinding:

private void doHttpRedirectBinding(HttpServletRequest request, HttpServletResponse response) throws AuthenticationFailureException {
    String redirectUrl;
    String idpRequest = null;
    String relayState = createRelayState(request);
    try {
        // Without IdP metadata there is no SSO endpoint and no signing policy to honour, so stop here.
        IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
        if (idpssoDescriptor == null) {
            throw new AuthenticationFailureException(IDP_METADATA_MISSING);
        }
        // HTTP-Redirect binding: the AuthnRequest is created unsigned (isPost = false) and deflated/encoded
        // into the SAMLRequest query parameter; the signature is applied to the query string below.
        StringBuilder queryParams = new StringBuilder("SAMLRequest=").append(encodeAuthnRequest(createAndSignAuthnRequest(false, idpssoDescriptor.getWantAuthnRequestsSigned()), false));
        if (relayState != null) {
            // RelayState is URL-encoded before it is appended to the query string.
            queryParams.append("&RelayState=").append(URLEncoder.encode(relayState, "UTF-8"));
        }
        idpRequest = idpMetadata.getSingleSignOnLocation() + "?" + queryParams;
        UriBuilder idpUri = new UriBuilderImpl(new URI(idpRequest));
        // Sign the query string as required by the HTTP-Redirect binding; the signature is carried in
        // additional query parameters added to idpUri, covering SAMLRequest and RelayState.
        simpleSign.signUriString(queryParams.toString(), idpUri);
        redirectUrl = idpUri.build().toString();
    } catch (UnsupportedEncodingException e) {
        LOGGER.info("Unable to encode relay state: {}", relayState, e);
        throw new AuthenticationFailureException("Unable to create return location");
    } catch (SignatureException e) {
        // Never fall back to an unsigned redirect; fail the authentication attempt instead.
        String msg = "Unable to sign request";
        LOGGER.info(msg, e);
        throw new AuthenticationFailureException(msg);
    } catch (URISyntaxException e) {
        LOGGER.info("Unable to parse IDP request location: {}", idpRequest, e);
        throw new AuthenticationFailureException("Unable to determine IDP location.");
    }
    try {
        // Send the browser to the IdP SSO endpoint with the signed query string.
        response.sendRedirect(redirectUrl);
        response.flushBuffer();
    } catch (IOException e) {
        LOGGER.info("Unable to redirect AuthnRequest to {}", redirectUrl, e);
        throw new AuthenticationFailureException("Unable to redirect to IdP");
    }
}
Also used:
    IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
    UnsupportedEncodingException (java.io.UnsupportedEncodingException)
    AuthenticationFailureException (org.codice.ddf.platform.filter.AuthenticationFailureException)
    SignatureException (ddf.security.samlp.SignatureException)
    URISyntaxException (java.net.URISyntaxException)
    IOException (java.io.IOException)
    UriBuilder (javax.ws.rs.core.UriBuilder)
    UriBuilderImpl (org.apache.cxf.jaxrs.impl.UriBuilderImpl)
    URI (java.net.URI)

Example 3 with SignatureException

Use of ddf.security.samlp.SignatureException in the ddf project by codice.

Class AttributeQueryClientTest, method testRetrieveResponseSimpleSignSignatureException:

// Verifies that a signing failure in SimpleSign is not swallowed: the client must surface it
// to its caller as an AttributeQueryException rather than sending an unsigned query.
@Test(expected = AttributeQueryException.class)
public void testRetrieveResponseSimpleSignSignatureException() throws SignatureException {
    // Mockito stub: make the spied SimpleSign throw when asked to sign any SignableSAMLObject.
    doThrow(new SignatureException()).when(spySimpleSign).signSamlObject(any(SignableSAMLObject.class));
    attributeQueryClient.query(USERNAME);
}
Also used:
    SignableSAMLObject (org.opensaml.saml.common.SignableSAMLObject)
    SignatureException (ddf.security.samlp.SignatureException)
    Test (org.junit.Test)

Example 4 with SignatureException

Use of ddf.security.samlp.SignatureException in the ddf project by codice.

Class AuthnResponseValidator, method validate:

public void validate(XMLObject xmlObject) throws ValidationException {
    // Only a SAML 2.0 <Response> is acceptable here.
    if (!(xmlObject instanceof Response)) {
        throw new ValidationException("Invalid AuthN response XML.");
    }
    Response authnResponse = (Response) xmlObject;
    // Reject anything other than a top-level Success status code.
    String status = authnResponse.getStatus().getStatusCode().getValue();
    if (!StatusCode.SUCCESS.equals(status)) {
        throw new ValidationException("AuthN request was unsuccessful.  Received status: " + status);
    }
    if (authnResponse.getAssertions().size() < 1) {
        throw new ValidationException("Assertion missing in AuthN response.");
    }
    // Extra assertions are logged, not rejected; only the first one is consumed downstream.
    if (authnResponse.getAssertions().size() > 1) {
        LOGGER.info("Received multiple assertions in AuthN response.  Only using the first assertion.");
    }
    // When the outgoing redirect was signed, the Destination attribute is mandatory and must match
    // this SP's own AssertionConsumerService URL, so a response minted for another SP is rejected.
    if (wasRedirectSigned) {
        if (authnResponse.getDestination() == null) {
            throw new ValidationException("Invalid Destination attribute, must be not null for signed responses.");
        } else if (!authnResponse.getDestination().equals(getSpAssertionConsumerServiceUrl(getSpIssuerId()))) {
            throw new ValidationException("Invalid Destination attribute, does not match requested destination.");
        }
    }
    // The Response-level signature is verified only when one is present; a SignatureException from
    // SimpleSign (bad signature or untrusted signer) is mapped to a ValidationException.
    if (authnResponse.getSignature() != null) {
        try {
            simpleSign.validateSignature(authnResponse.getSignature(), authnResponse.getDOM().getOwnerDocument());
        } catch (SignatureException e) {
            throw new ValidationException("Invalid or untrusted signature.");
        }
    }
}
Also used:
    Response (org.opensaml.saml.saml2.core.Response)
    ValidationException (ddf.security.samlp.impl.ValidationException)
    SignatureException (ddf.security.samlp.SignatureException)

Example 5 with SignatureException

Use of ddf.security.samlp.SignatureException in the ddf project by codice.

Class LogoutRequestService, method getSamlpSoapLogoutResponse:

private Response getSamlpSoapLogoutResponse(LogoutWrapper<LogoutResponse> samlResponse, String statusCode, String statusMessage) {
    if (samlResponse == null) {
        return Response.serverError().build();
    }
    LOGGER.debug("Configuring SAML Response for SOAP.");
    Document doc = DOMUtils.createDocument();
    doc.appendChild(doc.createElement(ROOT_NODE_NAME));
    LOGGER.debug("Setting SAML status on Response for SOAP");
    // Set the SAML <Status> on the LogoutResponse, with an optional status message.
    if (statusCode != null) {
        if (statusMessage != null) {
            samlResponse.getMessage().setStatus(SamlProtocol.createStatus(statusCode, statusMessage));
        } else {
            samlResponse.getMessage().setStatus(SamlProtocol.createStatus(statusCode));
        }
    }
    try {
        LOGGER.debug("Signing SAML Response for SOAP.");
        // The SOAP binding response is always signed (forceSignSamlObject), regardless of IdP metadata.
        LogoutResponse logoutResponse = simpleSign.forceSignSamlObject(samlResponse.getMessage());
        Envelope soapMessage = SamlProtocol.createSoapMessage(logoutResponse);
        LOGGER.debug("Converting SAML Response to DOM");
        // Serialize the signed envelope and base64-encode it for the HTTP response body.
        String assertionResponse = DOM2Writer.nodeToString(OpenSAMLUtil.toDom(soapMessage, doc));
        String encodedSamlResponse = Base64.getEncoder().encodeToString(assertionResponse.getBytes(StandardCharsets.UTF_8));
        return Response.ok(encodedSamlResponse).build();
    } catch (SignatureException | WSSecurityException | XMLStreamException e) {
        // Signing or marshalling failure: return a generic 500 rather than an unsigned response.
        LOGGER.debug("Failure constructing SOAP LogoutResponse", e);
        return Response.serverError().build();
    }
}
Also used:
    LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)
    XMLStreamException (javax.xml.stream.XMLStreamException)
    WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)
    SignatureException (ddf.security.samlp.SignatureException)
    Document (org.w3c.dom.Document)
    Envelope (org.opensaml.soap.soap11.Envelope)

Aggregations (number of usages found alongside SignatureException):

    SignatureException (ddf.security.samlp.SignatureException): 12
    X509Certificate (java.security.cert.X509Certificate): 4
    WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException): 4
    BasicX509Credential (org.opensaml.security.x509.BasicX509Credential): 3
    UnsupportedEncodingException (java.io.UnsupportedEncodingException): 2
    PrivateKey (java.security.PrivateKey): 2
    SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo): 2
    AuthenticationFailureException (org.codice.ddf.platform.filter.AuthenticationFailureException): 2
    Response (org.opensaml.saml.saml2.core.Response): 2
    SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator): 2
    KeyInfo (org.opensaml.xmlsec.signature.KeyInfo): 2
    Signature (org.opensaml.xmlsec.signature.Signature): 2
    Document (org.w3c.dom.Document): 2
    Element (org.w3c.dom.Element): 2
    ValidationException (ddf.security.samlp.impl.ValidationException): 1
    ByteArrayInputStream (java.io.ByteArrayInputStream): 1
    IOException (java.io.IOException): 1
    URI (java.net.URI): 1
    URISyntaxException (java.net.URISyntaxException): 1
    InvalidKeyException (java.security.InvalidKeyException): 1