Example 16 with Merlin
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class JWTTokenProvider method signToken.
private String signToken(JwtClaims claims, RealmProperties jwtRealm, STSPropertiesMBean stsProperties) throws Exception {
if (signToken) {
// Initialise signature objects with defaults of STSPropertiesMBean
Crypto signatureCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
SignatureProperties signatureProperties = stsProperties.getSignatureProperties();
String alias = stsProperties.getSignatureUsername();
if (jwtRealm != null) {
// callbackhandler and alias of STSPropertiesMBean is ignored
if (jwtRealm.getSignatureCrypto() != null) {
LOG.fine("SAMLRealm signature keystore used");
signatureCrypto = jwtRealm.getSignatureCrypto();
callbackHandler = jwtRealm.getCallbackHandler();
alias = jwtRealm.getSignatureAlias();
}
// SignatureProperties can be defined independently of SignatureCrypto
if (jwtRealm.getSignatureProperties() != null) {
signatureProperties = jwtRealm.getSignatureProperties();
}
}
// Get the signature algorithm to use - for now we don't allow the client to ask
// for a particular signature algorithm, as with SAML
String signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
try {
SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
} catch (IllegalArgumentException ex) {
signatureAlgorithm = SignatureAlgorithm.RS256.name();
}
// If alias not defined, get the default of the SignatureCrypto
if ((alias == null || "".equals(alias)) && (signatureCrypto != null)) {
alias = signatureCrypto.getDefaultX509Identifier();
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Signature alias is null so using default alias: " + alias);
}
}
// Get the password
String password = null;
if (callbackHandler != null) {
WSPasswordCallback[] cb = { new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) };
callbackHandler.handle(cb);
password = cb[0].getPassword();
}
Properties signingProperties = new Properties();
signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, signatureAlgorithm);
if (alias != null) {
signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, alias);
}
if (password != null) {
signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, password);
} else {
throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
}
if (!(signatureCrypto instanceof Merlin)) {
throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
}
KeyStore keystore = ((Merlin) signatureCrypto).getKeyStore();
signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
return jws.signWith(sigProvider);
}
JwsHeaders jwsHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
return jws.getSignedEncodedJws();
}
Also used :
CallbackHandler(javax.security.auth.callback.CallbackHandler)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
SignatureProperties(org.apache.cxf.sts.SignatureProperties)
Properties(java.util.Properties)
RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties)
KeyStore(java.security.KeyStore)
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SignatureProperties(org.apache.cxf.sts.SignatureProperties)
WSPasswordCallback(org.apache.wss4j.common.ext.WSPasswordCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)
Example 17 with Merlin
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class CombinedValidatorTest method testEnforceResponseSigned.
@org.junit.Test
public void testEnforceResponseSigned() throws Exception {
Document doc = DOMUtils.createDocument();
Response response = createResponse(doc);
Element responseElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(responseElement);
assertNotNull(responseElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(responseElement);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
// Validate the Response
SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
ssoValidator.setRequestId("12345");
ssoValidator.setSpIdentifier("http://service.apache.org");
ssoValidator.setEnforceResponseSigned(true);
// Parse the response
try {
ssoValidator.validateSamlResponse(marshalledResponse, false);
fail("Failure expected on an unsigned Response");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
Crypto(org.apache.wss4j.common.crypto.Crypto)
InputStream(java.io.InputStream)
Element(org.w3c.dom.Element)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
KeyStore(java.security.KeyStore)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 18 with Merlin
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testSignedResponseInvalidDestination.
@org.junit.Test
public void testSignedResponseInvalidDestination() throws Exception {
Document doc = DOMUtils.createDocument();
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
Response response = SAML2PResponseComponentBuilder.createSAMLResponse("http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status);
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
callbackHandler.setIssuer("http://cxf.apache.org/issuer");
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://service.apache.org"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
response.getAssertions().add(assertion.getSaml2());
response.setDestination("xyz");
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(SAMLResponseValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
signResponse(response, "alice", "password", issuerCrypto, true);
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);
assertNotNull(policyElement);
Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(policyElement);
// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(marshalledResponse, false);
fail("Expected failure on bad response");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Status(org.opensaml.saml.saml2.core.Status)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
InputStream(java.io.InputStream)
Element(org.w3c.dom.Element)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Response(org.opensaml.saml.saml2.core.Response)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 19 with Merlin
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class SAMLSSOResponseValidatorTest method testEnforceAssertionsSigned.
@org.junit.Test
public void testEnforceAssertionsSigned() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org");
Response response = createResponse(subjectConfirmationData);
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
InputStream input = Merlin.loadInputStream(loader, "alice.jks");
keyStore.load(input, "password".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
// Test SSO validation
SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
ssoValidator.setClientAddress("http://apache.org");
ssoValidator.setRequestId("12345");
ssoValidator.setSpIdentifier("http://service.apache.org");
// Parse the response
try {
ssoValidator.validateSamlResponse(response, false);
fail("Failure expected on an unsigned Assertion");
} catch (WSSecurityException ex) {
// expected
}
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
InputStream(java.io.InputStream)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 20 with Merlin
use of org.apache.wss4j.common.crypto.Merlin in project cxf by apache.
the class RSSecurityUtils method loadX509Certificate.
public static X509Certificate loadX509Certificate(Crypto crypto, Element certNode) throws Exception {
String base64Value = certNode.getTextContent().trim();
byte[] certBytes = Base64Utility.decode(base64Value);
Crypto certCrypto = crypto;
if (certCrypto == null) {
certCrypto = new Merlin();
}
return certCrypto.loadCertificate(new ByteArrayInputStream(certBytes));
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Aggregations
Merlin (org.apache.wss4j.common.crypto.Merlin)24
KeyStore (java.security.KeyStore)20
Crypto (org.apache.wss4j.common.crypto.Crypto)20
InputStream (java.io.InputStream)14
Response (org.opensaml.saml.saml2.core.Response)12
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)11
Element (org.w3c.dom.Element)11
Document (org.w3c.dom.Document)10
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)9
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)8
Status (org.opensaml.saml.saml2.core.Status)8
Properties (java.util.Properties)6
SignatureProperties (org.apache.cxf.sts.SignatureProperties)5
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)5
JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)4
JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)4
SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)4
DateTime (org.joda.time.DateTime)4
JweDecryptionOutput (org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput)3
JweDecryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider)3
