Example 1 with Merlin

Use of org.apache.wss4j.common.crypto.Merlin in project ddf by codice.

Class TestPKITokenValidator, method setup.

@Before
public void setup() {
    pkiTokenValidator = new PKITokenValidator();
    pkiTokenValidator.setSignaturePropertiesPath(TestPKITokenValidator.class.getResource("/signature.properties").getPath());
    pkiTokenValidator.setRealms(Arrays.asList("karaf"));
    pkiTokenValidator.init();
    try {
        // Load the trusted chain (alias "localhost") from the test server keystore
        KeyStore trustStore = KeyStore.getInstance(System.getProperty("javax.net.ssl.keyStoreType"));
        InputStream trustFIS = TestPKITokenValidator.class.getResourceAsStream("/serverKeystore.jks");
        try {
            trustStore.load(trustFIS, "changeit".toCharArray());
        } catch (CertificateException e) {
            fail(e.getMessage());
        } finally {
            IOUtils.closeQuietly(trustFIS);
        }
        Certificate[] certs = trustStore.getCertificateChain("localhost");
        certificates = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) {
            certificates[i] = (X509Certificate) certs[i];
        }
        // Load a second chain (alias "badhost") that the validator must not trust
        trustStore = KeyStore.getInstance(System.getProperty(SecurityConstants.KEYSTORE_TYPE));
        trustFIS = TestPKITokenValidator.class.getResourceAsStream("/badKeystore.jks");
        try {
            trustStore.load(trustFIS, "changeit".toCharArray());
        } catch (CertificateException e) {
            fail(e.getMessage());
        } finally {
            IOUtils.closeQuietly(trustFIS);
        }
        certs = trustStore.getCertificateChain("badhost");
        badCertificates = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) {
            badCertificates[i] = (X509Certificate) certs[i];
        }
        // Build the Merlin Crypto instance from the same signature properties the validator uses
        merlin = new Merlin(PropertiesLoader.loadProperties(TestPKITokenValidator.class.getResource("/signature.properties").getPath()), PKITokenValidator.class.getClassLoader(), null);
    } catch (Exception e) {
        fail(e.getMessage());
    }
}

Example 2 with Merlin

Use of org.apache.wss4j.common.crypto.Merlin in project syncope by apache.

Class SAML2ITCase, method createResponse.

private org.opensaml.saml.saml2.core.Response createResponse(final String inResponseTo, final boolean signAssertion, final String subjectConfMethod, final String issuer) throws Exception {
    Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
    org.opensaml.saml.saml2.core.Response response = SAML2PResponseComponentBuilder.createSAMLResponse(inResponseTo, issuer, status);
    response.setDestination("http://recipient.apache.org");
    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setIssuer(issuer);
    callbackHandler.setSubjectName("puccini");
    callbackHandler.setSubjectConfirmationMethod(subjectConfMethod);
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo(inResponseTo);
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org/saml2sp/assertion-consumer");
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("http://recipient.apache.org/"));
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    if (signAssertion) {
        // Sign the assertion with the key under alias "subject" (password "security") from the test keystore
        Crypto issuerCrypto = new Merlin();
        KeyStore keyStore = KeyStore.getInstance("JKS");
        InputStream input = Files.newInputStream(keystorePath);
        keyStore.load(input, "security".toCharArray());
        ((Merlin) issuerCrypto).setKeyStore(keyStore);
        assertion.signAssertion("subject", "security", issuerCrypto, false);
    }
    response.getAssertions().add(assertion.getSaml2());
    return response;
}

Example 3 with Merlin

Use of org.apache.wss4j.common.crypto.Merlin in project syncope by apache.

Class SAML2ReaderWriter, method validate.

public SSOValidatorResponse validate(final Response samlResponse, final SAML2IdPEntity idp, final String assertionConsumerURL, final String requestId, final String spEntityID) throws WSSecurityException {
    // validate the SAML response and, if needed, decrypt the provided assertion(s)
    Merlin crypto = new Merlin();
    crypto.setKeyStore(loader.getKeyStore());
    crypto.setTrustStore(idp.getTrustStore());
    SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
    protocolValidator.setKeyInfoMustBeAvailable(true);
    protocolValidator.validateSamlResponse(samlResponse, crypto, callbackHandler);
    // Then check the Web SSO profile constraints: assertion consumer URL, issuer, request ID and SP identifier
    SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
    ssoResponseValidator.setAssertionConsumerURL(assertionConsumerURL);
    ssoResponseValidator.setIssuerIDP(idp.getId());
    ssoResponseValidator.setRequestId(requestId);
    ssoResponseValidator.setSpIdentifier(spEntityID);
    SSOValidatorResponse validatorResponse = ssoResponseValidator.validateSamlResponse(samlResponse, idp.getBindingType() == SAML2BindingType.POST);
    if (LOG.isDebugEnabled()) {
        try {
            StringWriter writer = new StringWriter();
            write(writer, samlResponse, false);
            writer.close();
            LOG.debug("SAML response with decrypted assertions: {}", writer.toString());
        } catch (Exception e) {
            LOG.error("Could not log the SAML response with decrypted assertions", e);
        }
    }
    return validatorResponse;
}

Example 4 with Merlin

Use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.

Class JWTTokenProviderTest, method testCreateUnsignedEncryptedCBCJWT.

@org.junit.Test
public void testCreateUnsignedEncryptedCBCJWT() throws Exception {
    try {
        Security.addProvider(new BouncyCastleProvider());
        TokenProvider jwtTokenProvider = new JWTTokenProvider();
        ((JWTTokenProvider) jwtTokenProvider).setSignToken(false);
        TokenProviderParameters providerParameters = createProviderParameters();
        providerParameters.setEncryptToken(true);
        providerParameters.getEncryptionProperties().setEncryptionAlgorithm(ContentAlgorithm.A128CBC_HS256.name());
        assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
        TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
        assertNotNull(providerResponse);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
        String token = (String) providerResponse.getToken();
        assertNotNull(token);
        // A JWE compact serialization has five dot-separated parts
        assertTrue(token.split("\\.").length == 5);
        if (unrestrictedPoliciesInstalled) {
            // Validate the token
            JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(token);
            Properties decProperties = new Properties();
            Crypto decryptionCrypto = CryptoFactory.getInstance(getDecryptionProperties());
            KeyStore keystore = ((Merlin) decryptionCrypto).getKeyStore();
            decProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
            decProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myservicekey");
            decProperties.put(JoseConstants.RSSEC_KEY_PSWD, "skpass");
            decProperties.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, ContentAlgorithm.A128CBC_HS256.name());
            JweDecryptionProvider decProvider = JweUtils.loadDecryptionProvider(decProperties, jwtConsumer.getHeaders());
            JweDecryptionOutput decOutput = decProvider.decrypt(token);
            String decToken = decOutput.getContentText();
            JwsJwtCompactConsumer jwtJwsConsumer = new JwsJwtCompactConsumer(decToken);
            JwtToken jwt = jwtJwsConsumer.getJwtToken();
            Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
            Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
            Assert.assertEquals(providerResponse.getCreated().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
            Assert.assertEquals(providerResponse.getExpires().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
        }
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}

Example 5 with Merlin

Use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.

Class JWTTokenValidator, method validateToken.

/**
 * Validate a Token using the given TokenValidatorParameters.
 */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOG.fine("Validating JWT Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    String token = ((Element) validateTarget.getToken()).getTextContent();
    if (token == null || "".equals(token)) {
        return response;
    }
    // A JWS compact serialization has three dot-separated parts; anything else is rejected as unsigned
    if (token.split("\\.").length != 3) {
        LOG.log(Level.WARNING, "JWT Token appears not to be signed. Validation has failed");
        return response;
    }
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
    JwtToken jwt = jwtConsumer.getJwtToken();
    // Verify the signature
    Properties verificationProperties = new Properties();
    Crypto signatureCrypto = stsProperties.getSignatureCrypto();
    String alias = stsProperties.getSignatureUsername();
    if (alias != null) {
        verificationProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, alias);
    }
    if (!(signatureCrypto instanceof Merlin)) {
        throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
    }
    KeyStore keystore = ((Merlin) signatureCrypto).getKeyStore();
    verificationProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
    JwsSignatureVerifier signatureVerifier = JwsUtils.loadSignatureVerifier(verificationProperties, jwt.getJwsHeaders());
    if (!jwtConsumer.verifySignatureWith(signatureVerifier)) {
        return response;
    }
    try {
        validateToken(jwt);
    } catch (RuntimeException ex) {
        LOG.log(Level.WARNING, "JWT token validation failed", ex);
        return response;
    }
    // Get the realm of the JWT Token
    if (realmCodec != null) {
        String tokenRealm = realmCodec.getRealmFromToken(jwt);
        response.setTokenRealm(tokenRealm);
    }
    // Only derive a principal and roles when the signature was verified with a public key
    if (isVerifiedWithAPublicKey(jwt)) {
        Principal principal = new SimplePrincipal(jwt.getClaims().getSubject());
        response.setPrincipal(principal);
        // Parse roles from the validated token
        if (roleParser != null) {
            Set<Principal> roles = roleParser.parseRolesFromToken(principal, null, jwt);
            response.setRoles(roles);
        }
    }
    validateTarget.setState(STATE.VALID);
    LOG.fine("JWT Token successfully validated");
    return response;
}