Example 6 with SignatureException

Use of ddf.security.samlp.SignatureException in project ddf by codice.

The class SimpleSign, method signUriString.

public void signUriString(String queryParams, UriBuilder uriBuilder) throws SignatureException {
    // Signing certificate and private key are looked up from the configured signature alias
    // (see getSignatureCertificates); the algorithm URI is chosen to match the signing certificate.
    X509Certificate[] certificates = getSignatureCertificates();
    String sigAlgo = getSignatureAlgorithmURI(certificates[0]);
    PrivateKey privateKey = getSignaturePrivateKey();
    java.security.Signature signature = initSign(certificates[0], privateKey);
    String requestToSign;
    try {
        // SAML HTTP-Redirect binding: the string that gets signed is the query parameters followed by
        // the SigAlg parameter, so the algorithm identifier itself is covered by the signature.
        requestToSign = queryParams + "&" + SSOConstants.SIG_ALG + "=" + URLEncoder.encode(sigAlgo, UTF_8);
    } catch (UnsupportedEncodingException e) {
        throw new SignatureException(e);
    }
    try {
        signature.update(requestToSign.getBytes(UTF_8));
    } catch (java.security.SignatureException | UnsupportedEncodingException e) {
        // The JDK's java.security.SignatureException is wrapped in the project's own
        // ddf.security.samlp.SignatureException so callers see a single failure type.
        throw new SignatureException(e);
    }
    byte[] signatureBytes;
    try {
        signatureBytes = signature.sign();
    } catch (java.security.SignatureException e) {
        throw new SignatureException(e);
    }
    try {
        // Append SigAlg and the Base64-encoded signature as the final query parameters of the redirect URL.
        uriBuilder.queryParam(SSOConstants.SIG_ALG, URLEncoder.encode(sigAlgo, UTF_8));
        uriBuilder.queryParam(SSOConstants.SIGNATURE, URLEncoder.encode(Base64.getEncoder().encodeToString(signatureBytes), UTF_8));
    } catch (UnsupportedEncodingException e) {
        throw new SignatureException(e);
    }
}

Example 7 with SignatureException

Use of ddf.security.samlp.SignatureException in project ddf by codice.

The class SimpleSign, method getSignatureCertificates.

private X509Certificate[] getSignatureCertificates() throws SignatureException {
    // Look up the signing certificate chain in the configured keystore by its alias.
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(crypto.getSignatureAlias());
    X509Certificate[] issuerCerts;
    try {
        issuerCerts = crypto.getSignatureCrypto().getX509Certificates(cryptoType);
    } catch (WSSecurityException e) {
        throw new SignatureException(e);
    }
    // An alias that does not exist in the keystore is reported as null rather than as an exception,
    // so fail explicitly here instead of letting the caller attempt to sign with no certificate.
    if (issuerCerts == null) {
        throw new SignatureException("No certs were found to sign the request using name: " + crypto.getSignatureAlias());
    }
    return issuerCerts;
}

Example 8 with SignatureException

Use of ddf.security.samlp.SignatureException in project ddf by codice.

The class SimpleSign, method validateSignature (XML signature on a DOM document).

public void validateSignature(Signature signature, Document doc) throws SignatureException {
    // WSS4J request context: the document being verified and the crypto (truststore) used for trust decisions.
    RequestData requestData = new RequestData();
    requestData.setWsDocInfo(new WSDocInfo(doc));
    requestData.setSigVerCrypto(crypto.getSignatureCrypto());
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    SAMLKeyInfo samlKeyInfo = null;
    // The verification key is taken from the ds:KeyInfo carried inside the signature itself.
    KeyInfo keyInfo = signature.getKeyInfo();
    if (keyInfo != null) {
        try {
            samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), crypto.getSignatureCrypto());
        } catch (WSSecurityException e) {
            throw new SignatureException("Unable to get KeyInfo.", e);
        }
    }
    // A signature that carries no usable KeyInfo is rejected outright.
    if (samlKeyInfo == null) {
        throw new SignatureException("No KeyInfo supplied in the signature");
    }
    // Step 1: cryptographic check that the signature verifies under the key from KeyInfo.
    validateSignatureAndSamlKey(signature, samlKeyInfo);
    // Step 2: trust check. Because the key came from the message, a signature that merely verifies is
    // not enough; SignatureTrustValidator also requires that key/certificate chain to be trusted by the
    // configured signature crypto before the signature is accepted.
    Credential trustCredential = new Credential();
    trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
    trustCredential.setCertificates(samlKeyInfo.getCerts());
    Validator signatureValidator = new SignatureTrustValidator();
    try {
        signatureValidator.validate(trustCredential, requestData);
    } catch (WSSecurityException e) {
        throw new SignatureException("Error validating signature", e);
    }
}

Example 9 with SignatureException

Use of ddf.security.samlp.SignatureException in project ddf by codice.

The class SimpleSign, method validateSignature (detached signature over HTTP-Redirect query parameters).

public boolean validateSignature(String sigAlg, String queryParamsToValidate, String encodedSignature, @Nullable String encodedPublicKey) throws SignatureException {
    // The verification certificate is the IdP's signing certificate from its metadata, not anything
    // carried in the request itself; without it the signature cannot be checked and the request fails.
    if (encodedPublicKey == null) {
        LOGGER.warn("Could not verify the signature of request because there was no signing certificate. Ensure that the IdP Metadata includes a signing certificate.");
        return false;
    }
    try {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(Base64.getMimeDecoder().decode(encodedPublicKey)));
        java.security.Signature sig;
        // SigAlg is an XML-Signature algorithm URI supplied by the peer in the query string. It is mapped to
        // a JCE algorithm name and rejected if unknown; that mapping is the only restriction applied here.
        String jceSigAlg = JCEMapper.translateURItoJCEID(sigAlg);
        if (jceSigAlg == null) {
            throw new SignatureException(new NoSuchAlgorithmException(String.format("The Signature Algorithm %s is not supported.", sigAlg)));
        }
        try {
            sig = java.security.Signature.getInstance(jceSigAlg);
        } catch (NoSuchAlgorithmException e) {
            throw new SignatureException(e);
        }
        sig.initVerify(certificate.getPublicKey());
        // Verify over the query string assembled by the caller; its bytes, including parameter order,
        // must match exactly what the IdP signed.
        sig.update(queryParamsToValidate.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getMimeDecoder().decode(encodedSignature));
    } catch (InvalidKeyException | CertificateException | java.security.SignatureException | IllegalArgumentException e) {
        // IllegalArgumentException covers malformed Base64 in either the certificate or the signature value.
        throw new SignatureException(e);
    }
}

Example 10 with SignatureException

Use of ddf.security.samlp.SignatureException in project ddf by codice.

The class AuthnResponseValidator, method validate.

public void validate(XMLObject xmlObject) throws ValidationException {
    if (!(xmlObject instanceof Response)) {
        throw new ValidationException("Invalid AuthN response XML.");
    }
    Response authnResponse = (Response) xmlObject;
    // Only a top-level status of urn:oasis:names:tc:SAML:2.0:status:Success is accepted.
    String status = authnResponse.getStatus().getStatusCode().getValue();
    if (!StatusCode.SUCCESS.equals(status)) {
        throw new ValidationException("AuthN request was unsuccessful.  Received status: " + status);
    }
    if (authnResponse.getAssertions().size() < 1) {
        throw new ValidationException("Assertion missing in AuthN response.");
    }
    // Extra assertions are ignored rather than rejected; only the first one is consumed downstream.
    if (authnResponse.getAssertions().size() > 1) {
        LOGGER.info("Received multiple assertions in AuthN response.  Only using the first assertion.");
    }
    // When the exchange was signed, Destination must be present and must equal this SP's assertion
    // consumer service URL, so a response issued for a different endpoint is not accepted here.
    if (wasRedirectSigned) {
        if (authnResponse.getDestination() == null) {
            throw new ValidationException("Invalid Destination attribute, must be not null for signed responses.");
        } else if (!authnResponse.getDestination().equals(getSpAssertionConsumerServiceUrl(getSpIssuerId()))) {
            throw new ValidationException("Invalid Destination attribute, does not match requested destination.");
        }
    }
    // The Response-level signature, when present, is checked cryptographically and for trust by
    // SimpleSign.validateSignature; any failure is surfaced as a single "untrusted" error.
    // A Response without a signature is not rejected at this point.
    if (authnResponse.getSignature() != null) {
        try {
            simpleSign.validateSignature(authnResponse.getSignature(), authnResponse.getDOM().getOwnerDocument());
        } catch (SignatureException e) {
            throw new ValidationException("Invalid or untrusted signature.");
        }
    }
}