Search in sources :

Example 6 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

the class IssueUnitTest method testSymmetricKeySaml1.

/**
 * Test the Symmetric Key SAML1 case
 */
@org.junit.Test
public void testSymmetricKeySaml1() throws Exception {
    createBus(getClass().getResource("cxf-client.xml").toString());
    // Get a token
    SecurityToken token = requestSecurityToken(SAML1_TOKEN_TYPE, SYMMETRIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS);
    assertTrue(token.getSecret() != null && token.getSecret().length > 0);
    assertEquals(SAML1_TOKEN_TYPE, token.getTokenType());
    assertNotNull(token.getToken());
    // Process the token
    List<WSSecurityEngineResult> results = processToken(token);
    assertTrue(results != null && results.size() == 1);
    SamlAssertionWrapper assertion = (SamlAssertionWrapper) results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    assertNotNull(assertion);
    assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
    assertTrue(assertion.isSigned());
    List<String> methods = assertion.getConfirmationMethods();
    String confirmMethod = null;
    if (methods != null && !methods.isEmpty()) {
        confirmMethod = methods.get(0);
    }
    assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
    SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
    assertNotNull(subjectKeyInfo.getSecret());
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 7 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

the class STSRESTTest method testIssueSymmetricKeySaml1.

@org.junit.Test
public void testIssueSymmetricKeySaml1() throws Exception {
    WebClient client = webClient().path("saml1.1").query("keyType", STSConstants.SYMMETRIC_KEY_KEYTYPE).accept(MediaType.APPLICATION_XML);
    Document assertionDoc = client.get(Document.class);
    SamlAssertionWrapper assertion = validateSAMLToken(assertionDoc);
    assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
    List<String> methods = assertion.getConfirmationMethods();
    String confirmMethod = null;
    if (methods != null && !methods.isEmpty()) {
        confirmMethod = methods.get(0);
    }
    assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
    SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
    assertNotNull(subjectKeyInfo.getSecret());
}
Also used : SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) Document(org.w3c.dom.Document) WebClient(org.apache.cxf.jaxrs.client.WebClient)

Example 8 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

the class AbstractBindingPolicyValidator method findCorrespondingToken.

/**
 * Find the token corresponding to either the X509Certificate or PublicKey used to sign
 * the "signatureResult" argument.
 */
private WSSecurityEngineResult findCorrespondingToken(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    for (WSSecurityEngineResult token : results) {
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        if (actInt == WSConstants.SIGN) {
            continue;
        }
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (foundCert.equals(cert)) {
                return token;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
                    return token;
                }
            }
        } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
            return token;
        }
    }
    return null;
}
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) PublicKey(java.security.PublicKey) PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Example 9 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method checkSignatureOrEncryptionResult.

/**
 * Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same
 * signing/encrypting credential as one of the tokens.
 * @param result a WSSecurityEngineResult corresponding to a signature or encryption
 * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
 * @return
 */
private boolean checkSignatureOrEncryptionResult(WSSecurityEngineResult result, List<WSSecurityEngineResult> tokenResult) {
    // See what was used to sign/encrypt this result
    X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
    PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    // Now see if the same credential exists in the tokenResult list
    for (WSSecurityEngineResult token : tokenResult) {
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (foundCert.equals(cert)) {
                return true;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                byte[] subjectSecretKey = samlKeyInfo.getSecret();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) || (subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret)) || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
                    return true;
                }
            }
        } else if (publicKey != null) {
            PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            if (publicKey.equals(foundPublicKey)) {
                return true;
            }
        } else {
            byte[] foundSecret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
            byte[] derivedKey = (byte[]) token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
            if ((foundSecret != null && Arrays.equals(foundSecret, secret)) || (derivedKey != null && Arrays.equals(derivedKey, secret))) {
                return true;
            }
        }
    }
    return false;
}
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) PublicKey(java.security.PublicKey) PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Example 10 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project ddf by codice.

the class SimpleSign method validateSignature.

public void validateSignature(Signature signature, Document doc) throws SignatureException {
    RequestData requestData = new RequestData();
    requestData.setWsDocInfo(new WSDocInfo(doc));
    requestData.setSigVerCrypto(crypto.getSignatureCrypto());
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    SAMLKeyInfo samlKeyInfo = null;
    KeyInfo keyInfo = signature.getKeyInfo();
    if (keyInfo != null) {
        try {
            samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), crypto.getSignatureCrypto());
        } catch (WSSecurityException e) {
            throw new SignatureException("Unable to get KeyInfo.", e);
        }
    }
    if (samlKeyInfo == null) {
        throw new SignatureException("No KeyInfo supplied in the signature");
    }
    validateSignatureAndSamlKey(signature, samlKeyInfo);
    Credential trustCredential = new Credential();
    trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
    trustCredential.setCertificates(samlKeyInfo.getCerts());
    Validator signatureValidator = new SignatureTrustValidator();
    try {
        signatureValidator.validate(trustCredential, requestData);
    } catch (WSSecurityException e) {
        throw new SignatureException("Error validating signature", e);
    }
}
Also used : WSDocInfo(org.apache.wss4j.dom.WSDocInfo) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) Credential(org.apache.wss4j.dom.validate.Credential) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) RequestData(org.apache.wss4j.dom.handler.RequestData) SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SignatureException(ddf.security.samlp.SignatureException) WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor) SignatureValidator(org.opensaml.xmlsec.signature.support.SignatureValidator) SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator) Validator(org.apache.wss4j.dom.validate.Validator) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)

Aggregations

SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)23 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)12 WSSSAMLKeyInfoProcessor (org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)10 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)9 WSDocInfo (org.apache.wss4j.dom.WSDocInfo)9 RequestData (org.apache.wss4j.dom.handler.RequestData)9 WSSConfig (org.apache.wss4j.dom.engine.WSSConfig)8 Credential (org.apache.wss4j.dom.validate.Credential)8 X509Certificate (java.security.cert.X509Certificate)7 KeyInfo (org.opensaml.xmlsec.signature.KeyInfo)7 WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)5 Document (org.w3c.dom.Document)5 WebClient (org.apache.cxf.jaxrs.client.WebClient)4 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)4 BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)4 Signature (org.opensaml.xmlsec.signature.Signature)4 IOException (java.io.IOException)3 PublicKey (java.security.PublicKey)3 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)3 Crypto (org.apache.wss4j.common.crypto.Crypto)3