use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class SAMLResponseValidatorTest method testSignedResponse.
@org.junit.Test
public void testSignedResponse() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
response.getAssertions().add(assertion.getSaml2());
signResponse(response, "alice", "password", issuerCrypto, true);
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
try {
validator.validateSamlResponse(marshalledResponse, null, new KeystorePasswordCallback());
fail("Expected failure on no Signature Crypto");
} catch (WSSecurityException ex) {
// expected
}
// Validate the Response
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
}
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class SAMLResponseValidatorTest method testResponseModifiedSignedAssertion.
@org.junit.Test
public void testResponseModifiedSignedAssertion() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
assertion.signAssertion("alice", "password", issuerCrypto, false);
response.getAssertions().add(assertion.getSaml2());
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
List<Element> assertions = DOMUtils.findAllElementsByTagNameNS(policyElement, SAMLConstants.SAML20_NS, "Assertion");
assertNotNull(assertions);
assertTrue(assertions.size() == 1);
assertions.get(0).setAttributeNS(null, "newattr", "http://apache.org");
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
try {
// Validate the Response
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
fail("Expected failure on a bad signature");
} catch (WSSecurityException ex) {
// expected
}
}
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class JWTTokenProvider method encryptToken.
private String encryptToken(String token, JweHeaders jweHeaders, STSPropertiesMBean stsProperties, EncryptionProperties encryptionProperties, KeyRequirements keyRequirements) throws Exception {
Properties encProperties = new Properties();
String name = encryptionProperties.getEncryptionName();
if (name == null) {
name = stsProperties.getEncryptionUsername();
}
if (name == null) {
LOG.fine("No encryption alias is configured");
return token;
}
encProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, name);
// Get the encryption algorithm to use - for now we don't allow the client to ask
// for a particular encryption algorithm, as with SAML
String encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
try {
ContentAlgorithm.getAlgorithm(encryptionAlgorithm);
} catch (IllegalArgumentException ex) {
encryptionAlgorithm = ContentAlgorithm.A128GCM.name();
}
encProperties.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, encryptionAlgorithm);
// Get the key-wrap algorithm to use - for now we don't allow the client to ask
// for a particular encryption algorithm, as with SAML
String keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
try {
KeyAlgorithm.getAlgorithm(keyWrapAlgorithm);
} catch (IllegalArgumentException ex) {
keyWrapAlgorithm = KeyAlgorithm.RSA_OAEP.name();
}
encProperties.put(JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM, keyWrapAlgorithm);
// Initialise encryption objects with defaults of STSPropertiesMBean
Crypto encryptionCrypto = stsProperties.getEncryptionCrypto();
if (!(encryptionCrypto instanceof Merlin)) {
throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
}
KeyStore keystore = ((Merlin) encryptionCrypto).getKeyStore();
encProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
JweEncryptionProvider encProvider = JweUtils.loadEncryptionProvider(encProperties, jweHeaders);
return encProvider.encrypt(StringUtils.toBytesUTF8(token), null);
}
use of org.apache.wss4j.common.crypto.Merlin in project ddf by codice.
the class UPBSTValidatorTest method setup.
@Before
public void setup() {
niceValidator.setContextName("realm");
meanValidator.setContextName("realm");
stsPropertiesMBean = mock(STSPropertiesMBean.class);
when(stsPropertiesMBean.getSignatureCrypto()).thenReturn(new Merlin());
when(stsPropertiesMBean.getCallbackHandler()).thenReturn(callbacks -> {
});
UPAuthenticationToken upAuthenticationToken = new UPAuthenticationToken("good", "password", "realm");
BinarySecurityTokenType binarySecurityTokenType = new BinarySecurityTokenType();
binarySecurityTokenType.setValueType(UPAuthenticationToken.UP_TOKEN_VALUE_TYPE);
binarySecurityTokenType.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
binarySecurityTokenType.setId(UPAuthenticationToken.BST_USERNAME_LN);
binarySecurityTokenType.setValue(upAuthenticationToken.getEncodedCredentials());
upbstToken = new JAXBElement<>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenType);
failedLoginDelayer = mock(FailedLoginDelayer.class);
}
use of org.apache.wss4j.common.crypto.Merlin in project syncope by apache.
the class SAML2ReaderWriter method sign.
public String sign(final String request, final String relayState) throws NoSuchAlgorithmException, WSSecurityException, InvalidKeyException, UnsupportedEncodingException, SignatureException {
Merlin crypto = new Merlin();
crypto.setKeyStore(loader.getKeyStore());
PrivateKey privateKey = crypto.getPrivateKey(loader.getCredential().getPublicKey(), callbackHandler);
java.security.Signature signature = java.security.Signature.getInstance(jceSigAlgo);
signature.initSign(privateKey);
String requestToSign = SSOConstants.SAML_REQUEST + "=" + request + "&" + SSOConstants.RELAY_STATE + "=" + relayState + "&" + SSOConstants.SIG_ALG + "=" + URLEncoder.encode(sigAlgo, StandardCharsets.UTF_8.name());
signature.update(requestToSign.getBytes(StandardCharsets.UTF_8));
return Base64.getEncoder().encodeToString(signature.sign());
}
Aggregations