Examples with SignatureProperties org.apache.cxf.sts.SignatureProperties used on opensource projects

Example 1 with SignatureProperties

use of org.apache.cxf.sts.SignatureProperties in project cxf by apache.

the class JWTTokenProviderTest method testCreateSignedPSJWT.

@org.junit.Test
public void testCreateSignedPSJWT() throws Exception {
    try {
        Security.addProvider(new BouncyCastleProvider());
        TokenProvider jwtTokenProvider = new JWTTokenProvider();
        ((JWTTokenProvider) jwtTokenProvider).setSignToken(true);
        TokenProviderParameters providerParameters = createProviderParameters();
        SignatureProperties sigProps = new SignatureProperties();
        sigProps.setSignatureAlgorithm(SignatureAlgorithm.PS256.name());
        providerParameters.getStsProperties().setSignatureProperties(sigProps);
        assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
        TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
        assertNotNull(providerResponse);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
        String token = (String) providerResponse.getToken();
        assertNotNull(token);
        assertTrue(token.split("\\.").length == 3);
        // Validate the token
        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
        JwtToken jwt = jwtConsumer.getJwtToken();
        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
        Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
        Assert.assertEquals(providerResponse.getCreated().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
        Assert.assertEquals(providerResponse.getExpires().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
        // Verify Signature
        Crypto crypto = providerParameters.getStsProperties().getSignatureCrypto();
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(providerParameters.getStsProperties().getSignatureUsername());
        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
        assertNotNull(certs);
        assertFalse(jwtConsumer.verifySignatureWith(certs[0], SignatureAlgorithm.RS256));
        assertTrue(jwtConsumer.verifySignatureWith(certs[0], SignatureAlgorithm.PS256));
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}

Example 2 with SignatureProperties

use of org.apache.cxf.sts.SignatureProperties in project cxf by apache.

the class SAMLProviderKeyTypeTest method testDefaultSaml2BearerDifferentSignatureDigestAlgorithm.

/**
 * Create a default Saml2 Bearer Assertion using a different Signature Digest algorithm
 */
@org.junit.Test
public void testDefaultSaml2BearerDifferentSignatureDigestAlgorithm() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();
    TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
    // Default
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    Element token = (Element) providerResponse.getToken();
    String tokenString = DOM2Writer.nodeToString(token);
    assertTrue(tokenString.contains(WSS4JConstants.SHA256));
    // Supported alternative
    SignatureProperties signatureProperties = providerParameters.getStsProperties().getSignatureProperties();
    signatureProperties.setDigestAlgorithm(WSS4JConstants.SHA1);
    providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    token = (Element) providerResponse.getToken();
    tokenString = DOM2Writer.nodeToString(token);
    assertTrue(tokenString.contains(WSS4JConstants.SHA1));
}

Example 3 with SignatureProperties

use of org.apache.cxf.sts.SignatureProperties in project cxf by apache.

the class SAMLProviderKeyTypeTest method testDefaultSaml1SymmetricKeyAssertion.

/**
 * Create a default Saml1 SymmetricKey Assertion.
 */
@org.junit.Test
public void testDefaultSaml1SymmetricKeyAssertion() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();
    TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.WSS_SAML_TOKEN_TYPE, STSConstants.SYMMETRIC_KEY_KEYTYPE);
    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML_TOKEN_TYPE));
    Entropy entropy = new Entropy();
    BinarySecret binarySecret = new BinarySecret();
    binarySecret.setBinarySecretValue(WSSecurityUtil.generateNonce(256 / 8));
    entropy.setBinarySecret(binarySecret);
    providerParameters.getKeyRequirements().setEntropy(entropy);
    binarySecret.setBinarySecretType("bad-type");
    try {
        samlTokenProvider.createToken(providerParameters);
        fail("Failure expected on a bad type");
    } catch (STSException ex) {
    // expected as no type is provided
    }
    binarySecret.setBinarySecretType(STSConstants.NONCE_TYPE);
    try {
        samlTokenProvider.createToken(providerParameters);
        fail("Failure expected on no computed key algorithm");
    } catch (STSException ex) {
    // expected as no computed key algorithm is provided
    }
    providerParameters.getKeyRequirements().setComputedKeyAlgorithm(STSConstants.COMPUTED_KEY_PSHA1);
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    Element token = (Element) providerResponse.getToken();
    String tokenString = DOM2Writer.nodeToString(token);
    assertTrue(tokenString.contains(providerResponse.getTokenId()));
    assertTrue(tokenString.contains("AttributeStatement"));
    assertFalse(tokenString.contains("AuthenticationStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML1Constants.CONF_HOLDER_KEY));
    assertFalse(tokenString.contains(SAML1Constants.CONF_BEARER));
    // Test custom keySize
    SignatureProperties signatureProperties = providerParameters.getStsProperties().getSignatureProperties();
    signatureProperties.setMinimumKeySize(-8);
    providerParameters.getKeyRequirements().setKeySize(-8);
    try {
        samlTokenProvider.createToken(providerParameters);
        fail("Failure expected on a bad KeySize");
    } catch (STSException ex) {
    // expected on a bad KeySize
    }
    signatureProperties.setMinimumKeySize(128);
    providerParameters.getKeyRequirements().setKeySize(192);
    samlTokenProvider.createToken(providerParameters);
}

Example 4 with SignatureProperties

use of org.apache.cxf.sts.SignatureProperties in project cxf by apache.

the class AbstractSAMLTokenProvider method signToken.

protected void signToken(SamlAssertionWrapper assertion, RealmProperties samlRealm, STSPropertiesMBean stsProperties, KeyRequirements keyRequirements) throws Exception {
    // Initialise signature objects with defaults of STSPropertiesMBean
    Crypto signatureCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    SignatureProperties signatureProperties = stsProperties.getSignatureProperties();
    String alias = stsProperties.getSignatureUsername();
    if (samlRealm != null) {
        // callbackhandler and alias of STSPropertiesMBean is ignored
        if (samlRealm.getSignatureCrypto() != null) {
            LOG.fine("SAMLRealm signature keystore used");
            signatureCrypto = samlRealm.getSignatureCrypto();
            callbackHandler = samlRealm.getCallbackHandler();
            alias = samlRealm.getSignatureAlias();
        }
        // SignatureProperties can be defined independently of SignatureCrypto
        if (samlRealm.getSignatureProperties() != null) {
            signatureProperties = samlRealm.getSignatureProperties();
        }
    }
    // Get the signature algorithm to use
    String signatureAlgorithm = keyRequirements.getSignatureAlgorithm();
    if (signatureAlgorithm == null) {
        // If none then default to what is configured
        signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
    } else {
        List<String> supportedAlgorithms = signatureProperties.getAcceptedSignatureAlgorithms();
        if (!supportedAlgorithms.contains(signatureAlgorithm)) {
            signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("SignatureAlgorithm not supported, defaulting to: " + signatureAlgorithm);
            }
        }
    }
    // Get the c14n algorithm to use
    String c14nAlgorithm = keyRequirements.getC14nAlgorithm();
    if (c14nAlgorithm == null) {
        // If none then default to what is configured
        c14nAlgorithm = signatureProperties.getC14nAlgorithm();
    } else {
        List<String> supportedAlgorithms = signatureProperties.getAcceptedC14nAlgorithms();
        if (!supportedAlgorithms.contains(c14nAlgorithm)) {
            c14nAlgorithm = signatureProperties.getC14nAlgorithm();
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("C14nAlgorithm not supported, defaulting to: " + c14nAlgorithm);
            }
        }
    }
    // If alias not defined, get the default of the SignatureCrypto
    if ((alias == null || "".equals(alias)) && (signatureCrypto != null)) {
        alias = signatureCrypto.getDefaultX509Identifier();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Signature alias is null so using default alias: " + alias);
        }
    }
    // Get the password
    String password = null;
    if (callbackHandler != null) {
        WSPasswordCallback[] cb = { new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) };
        LOG.fine("Creating SAML Token");
        callbackHandler.handle(cb);
        password = cb[0].getPassword();
    }
    LOG.fine("Signing SAML Token");
    boolean useKeyValue = signatureProperties.isUseKeyValue();
    assertion.signAssertion(alias, password, signatureCrypto, useKeyValue, c14nAlgorithm, signatureAlgorithm, signatureProperties.getDigestAlgorithm());
}

Example 5 with SignatureProperties

use of org.apache.cxf.sts.SignatureProperties in project cxf by apache.

the class IssueSamlUnitTest method testIssueSaml2DifferentSignatureToken.

/**
 * Test to successfully issue a Saml 2 token using a specified Signature Algorithm.
 */
@org.junit.Test
public void testIssueSaml2DifferentSignatureToken() throws Exception {
    if (!TestUtilities.checkUnrestrictedPoliciesInstalled()) {
        return;
    }
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    // Add Token Provider
    issueOperation.setTokenProviders(Collections.singletonList(new SAMLTokenProvider()));
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    SignatureProperties sigProperties = new SignatureProperties();
    final String signatureAlgorithm = WSS4JConstants.RSA_SHA256;
    sigProperties.setAcceptedSignatureAlgorithms(Arrays.asList(signatureAlgorithm, WSS4JConstants.RSA_SHA1));
    stsProperties.setSignatureProperties(sigProperties);
    issueOperation.setStsProperties(stsProperties);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
    JAXBElement<String> signatureAlg = new JAXBElement<String>(QNameConstants.SIGNATURE_ALGORITHM, String.class, signatureAlgorithm);
    request.getAny().add(signatureAlg);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
    // Issue a token
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, principal, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
    assertTrue(tokenString.contains(signatureAlgorithm));
}