
Example 21 with DestroyFailedException

use of javax.security.auth.DestroyFailedException in project cxf by apache.

the class ModelEncryptionSupport method decryptAccessToken.

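/**
 * Decrypts an encoded access token using an encoded symmetric secret key.
 *
 * The key is decoded with {@code props.getKeyAlgo()} and handed to the
 * {@link SecretKey}-based overload; this wrapper only owns the key's lifetime.
 *
 * @param provider         data provider forwarded to the key-based overload
 * @param encodedToken     the encrypted, encoded token
 * @param encodedSecretKey the encoded symmetric key used to decrypt the token
 * @param props            key properties; only the key algorithm is read here
 * @return the decrypted {@link ServerAccessToken}
 * @throws SecurityException if decoding the key or decrypting the token fails
 */
public static ServerAccessToken decryptAccessToken(OAuthDataProvider provider, String encodedToken, String encodedSecretKey, KeyProperties props) throws SecurityException {
    SecretKey key = CryptoUtils.decodeSecretKey(encodedSecretKey, props.getKeyAlgo());
    try {
        return decryptAccessToken(provider, encodedToken, key, props);
    } finally {
        // Clean the secret key from memory on both the success and the failure path;
        // previously a failed decryption left the key undestroyed.
        try {
            key.destroy();
        } catch (DestroyFailedException ignored) {
            // Best effort only: key implementations that do not override
            // Destroyable.destroy() throw here and keep their key material.
        }
    }
}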

Example 22 with DestroyFailedException

use of javax.security.auth.DestroyFailedException in project cxf by apache.

the class ModelEncryptionSupport method decryptCodeGrant.

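/**
 * Decrypts an encoded authorization code grant using an encoded symmetric secret key.
 *
 * The key is decoded with {@code props.getKeyAlgo()} and handed to the
 * {@link SecretKey}-based overload; this wrapper only owns the key's lifetime.
 *
 * @param provider         data provider forwarded to the key-based overload
 * @param encodedToken     the encrypted, encoded grant
 * @param encodedSecretKey the encoded symmetric key used to decrypt the grant
 * @param props            key properties; only the key algorithm is read here
 * @return the decrypted {@link ServerAuthorizationCodeGrant}
 * @throws SecurityException if decoding the key or decrypting the grant fails
 */
public static ServerAuthorizationCodeGrant decryptCodeGrant(OAuthDataProvider provider, String encodedToken, String encodedSecretKey, KeyProperties props) throws SecurityException {
    SecretKey key = CryptoUtils.decodeSecretKey(encodedSecretKey, props.getKeyAlgo());
    try {
        return decryptCodeGrant(provider, encodedToken, key, props);
    } finally {
        // Clean the secret key from memory on both the success and the failure path;
        // previously a failed decryption left the key undestroyed.
        try {
            key.destroy();
        } catch (DestroyFailedException ignored) {
            // Best effort only: key implementations that do not override
            // Destroyable.destroy() throw here and keep their key material.
        }
    }
}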

Example 23 with DestroyFailedException

use of javax.security.auth.DestroyFailedException in project cxf by apache.

the class SamlPostBindingFilter method signAuthnRequest.

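/**
 * Attaches a signature to the outbound SAML {@code AuthnRequest} using the configured
 * signature alias, password callback and WSS4J {@link Crypto}.
 *
 * The signature algorithm comes from {@link #getSignatureAlgorithm()}, except that a DSA
 * signing key forces {@code SSOConstants.DSA_SHA1}. The entity certificate is embedded in
 * the {@code KeyInfo}. The request's cached DOM is released after the signature is set.
 *
 * @param authnRequest the request to sign
 * @throws Exception if no signing certificate exists for the alias, KeyInfo generation
 *                   fails, or the callback handler fails; missing crypto, alias or
 *                   callback configuration is reported through
 *                   {@code ExceptionUtils.toInternalServerErrorException}
 */
protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception {
    Crypto crypto = getSignatureCrypto();
    if (crypto == null) {
        LOG.warning("No crypto instance of properties file configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    String signatureUser = getSignatureUsername();
    if (signatureUser == null) {
        LOG.warning("No user configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    CallbackHandler callbackHandler = getCallbackHandler();
    if (callbackHandler == null) {
        LOG.warning("No CallbackHandler configured to supply a password for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(signatureUser);
    X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
    // Guard the empty array as well as null: issuerCerts[0] is dereferenced below.
    if (issuerCerts == null || issuerCerts.length == 0) {
        throw new Exception("No issuer certs were found to sign the request using name: " + signatureUser);
    }
    String sigAlgo = getSignatureAlgorithm();
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
    LOG.fine("automatic sig algo detection: " + pubKeyAlgo);
    if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
        // NOTE(review): overrides the configured algorithm with a SHA-1 based one for DSA keys.
        sigAlgo = SSOConstants.DSA_SHA1;
    }
    LOG.fine("Using Signature algorithm " + sigAlgo);
    // Get the password from the callback handler (WSS4J SIGNATURE usage).
    WSPasswordCallback[] cb = { new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE) };
    callbackHandler.handle(cb);
    String password = cb[0].getPassword();
    // Get the private key
    PrivateKey privateKey = crypto.getPrivateKey(signatureUser, password);
    try {
        // Create the signature
        Signature signature = OpenSAMLUtil.buildSignature();
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        signature.setSignatureAlgorithm(sigAlgo);
        BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
        signature.setSigningCredential(signingCredential);
        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);
        try {
            KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
            signature.setKeyInfo(keyInfo);
        } catch (org.opensaml.security.SecurityException ex) {
            throw new Exception("Error generating KeyInfo from signing credential", ex);
        }
        SignableSAMLObject signableObject = authnRequest;
        signableObject.setSignature(signature);
        // Drop the cached DOM of the request and its children so the signed form is
        // rebuilt on the next marshalling (presumably where the signature value is computed).
        signableObject.releaseDOM();
        signableObject.releaseChildrenDOM(true);
    } finally {
        // Clean the private key from memory on both the success and the failure path;
        // previously an exception above skipped this step.
        // NOTE(review): the signing credential still references this key and no signature
        // value is computed in this method, so this is only safe while destroy() is a
        // no-op for the key type in use - confirm before relying on a destroyable key.
        try {
            privateKey.destroy();
        } catch (DestroyFailedException ignored) {
            // Best effort: key implementations that do not support destruction throw here.
        }
    }
}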

Example 24 with DestroyFailedException

use of javax.security.auth.DestroyFailedException in project cxf by apache.

the class MetadataService method getMetadata.

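/**
 * Serves the signed SAML metadata document for this service provider.
 *
 * Loads the signing certificate and private key for the configured alias (password
 * supplied by the callback handler) and delegates to {@link MetadataWriter}. When
 * {@code addEndpointAddressToContext} is set, the three endpoint addresses are prefixed
 * with the current request's {@code http.base.path}.
 *
 * Any failure is logged at FINE and mapped to an internal-server-error response; no
 * configuration or key-store detail is exposed to the client.
 *
 * @return the signed metadata {@link Document}
 */
@GET
@Produces("text/xml")
public Document getMetadata() {
    try {
        MetadataWriter metadataWriter = new MetadataWriter();
        Crypto crypto = getSignatureCrypto();
        if (crypto == null) {
            LOG.fine("No crypto instance of properties file configured for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        String signatureUser = getSignatureUsername();
        if (signatureUser == null) {
            LOG.fine("No user configured for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        CallbackHandler callbackHandler = getCallbackHandler();
        if (callbackHandler == null) {
            LOG.fine("No CallbackHandler configured to supply a password for signature");
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(signatureUser);
        X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
        // Guard the empty array as well as null: issuerCerts[0] is dereferenced below.
        if (issuerCerts == null || issuerCerts.length == 0) {
            throw new Exception("No issuer certs were found to sign the request using name: " + signatureUser);
        }
        // Get the password from the callback handler (WSS4J SIGNATURE usage).
        WSPasswordCallback[] cb = { new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE) };
        callbackHandler.handle(cb);
        String password = cb[0].getPassword();
        // Get the private key
        PrivateKey privateKey = crypto.getPrivateKey(signatureUser, password);
        try {
            String serviceUrl = serviceAddress;
            String acsUrl = assertionConsumerServiceAddress;
            String logoutUrl = logoutServiceAddress;
            if (addEndpointAddressToContext) {
                Message message = JAXRSUtils.getCurrentMessage();
                String rawPath = (String) message.get("http.base.path");
                serviceUrl = rawPath + serviceAddress;
                acsUrl = rawPath + assertionConsumerServiceAddress;
                logoutUrl = rawPath + logoutServiceAddress;
            }
            return metadataWriter.getMetaData(serviceUrl, acsUrl, logoutUrl, privateKey, issuerCerts[0], true);
        } finally {
            // Clean the private key from memory on every path. The original only did this on
            // the non-contextual path: the addEndpointAddressToContext branch returned early
            // and a failure in getMetaData skipped it as well.
            try {
                privateKey.destroy();
            } catch (DestroyFailedException ignored) {
                // Best effort: key implementations that do not support destruction throw here.
            }
        }
    } catch (Exception ex) {
        LOG.log(Level.FINE, ex.getMessage(), ex);
        throw ExceptionUtils.toInternalServerErrorException(ex, null);
    }
}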

Example 25 with DestroyFailedException

use of javax.security.auth.DestroyFailedException in project cxf by apache.

the class XmlSigOutInterceptor method createSignature.

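// enveloping & detached sigs will be supported too
/**
 * Creates an XML-DSig signature (enveloped, enveloping or detached according to
 * {@code sigStyle}) over {@code doc} with the signature user's private key.
 *
 * NOTE(review): the fallbacks when {@code sigProps} leaves the algorithms unset are
 * RSA-SHA1 and a SHA-1 digest, and a DSA key forces {@code ALGO_ID_SIGNATURE_DSA};
 * deployments should configure the signature and digest algorithms explicitly.
 *
 * @param message the current message, used to locate the crypto, user name and password
 * @param doc     the document to sign
 * @return the document owning the signature element
 * @throws Exception           if the user name is unavailable or no certificate is found
 * @throws WSSecurityException if the private key cannot be loaded (cause preserved,
 *                             user name logged at SEVERE)
 */
private Document createSignature(Message message, Document doc) throws Exception {
    String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
    CryptoLoader loader = new CryptoLoader();
    Crypto crypto = loader.getCrypto(message, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
    String user = RSSecurityUtils.getUserName(message, crypto, userNameKey);
    if (StringUtils.isEmpty(user) || RSSecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(user)) {
        throw new Exception("User name is not available");
    }
    String password = RSSecurityUtils.getSignaturePassword(message, user, this.getClass());
    X509Certificate[] issuerCerts = RSSecurityUtils.getCertificates(crypto, user);
    // Defensive: issuerCerts[0] is dereferenced below; getCertificates may already
    // reject a missing certificate, in which case this check never fires.
    if (issuerCerts == null || issuerCerts.length == 0) {
        throw new Exception("No issuer certs were found to sign the request using name: " + user);
    }
    String sigAlgo = sigProps.getSignatureAlgo() == null ? SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1 : sigProps.getSignatureAlgo();
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
    if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
        sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
    }
    final PrivateKey privateKey;
    try {
        privateKey = crypto.getPrivateKey(user, password);
    } catch (Exception ex) {
        String errorMessage = "Private key can not be loaded, user:" + user;
        LOG.severe(errorMessage);
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    try {
        // Random id so the Reference URI cannot collide with ids already in the document.
        String id = "_" + UUID.randomUUID().toString();
        String referenceId = "#" + id;
        String digestAlgo = sigProps.getSignatureDigestAlgo() == null ? Constants.ALGO_ID_DIGEST_SHA1 : sigProps.getSignatureDigestAlgo();
        final XMLSignature sig;
        if (ENVELOPING_SIG.equals(sigStyle)) {
            sig = prepareEnvelopingSignature(doc, id, referenceId, sigAlgo, digestAlgo);
        } else if (DETACHED_SIG.equals(sigStyle)) {
            sig = prepareDetachedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
        } else {
            sig = prepareEnvelopedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
        }
        if (this.keyInfoMustBeAvailable) {
            sig.addKeyInfo(issuerCerts[0]);
            sig.addKeyInfo(issuerCerts[0].getPublicKey());
        }
        sig.sign(privateKey);
        return sig.getElement().getOwnerDocument();
    } finally {
        // Clean the private key from memory on both the success and the failure path;
        // previously a failure while preparing or computing the signature skipped this.
        try {
            privateKey.destroy();
        } catch (DestroyFailedException ignored) {
            // Best effort: key implementations that do not support destruction throw here.
        }
    }
}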
