
Example 11 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

From class IssuedTokenPolicyValidator, method createSecurityToken.

/**
 * Builds a {@link SecurityToken} describing a SAML assertion.
 *
 * <p>The token carries the assertion's id and DOM element. When the assertion's subject
 * KeyInfo is present, the subject's secret, first certificate and public key are copied
 * onto the token as well. The token type follows the assertion version (SAML 1.1 first,
 * then SAML 2.0); if the wrapper holds neither, the token type stays unset.
 *
 * @param assertionWrapper the assertion to convert
 * @return a new security token for the assertion
 */
private SecurityToken createSecurityToken(SamlAssertionWrapper assertionWrapper) {
    SecurityToken securityToken = new SecurityToken(assertionWrapper.getId());

    SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
    if (keyInfo != null) {
        copySubjectKeyMaterial(keyInfo, securityToken);
    }

    // SAML 1.1 is checked first; a wrapper with neither version leaves the type unset
    if (assertionWrapper.getSaml1() != null) {
        securityToken.setTokenType(WSS4JConstants.WSS_SAML_TOKEN_TYPE);
    } else if (assertionWrapper.getSaml2() != null) {
        securityToken.setTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    }

    securityToken.setToken(assertionWrapper.getElement());
    return securityToken;
}

/**
 * Copies the secret, the first certificate and the public key of the subject KeyInfo
 * onto the token. Absent certificate arrays and absent public keys are skipped.
 */
private static void copySubjectKeyMaterial(SAMLKeyInfo keyInfo, SecurityToken securityToken) {
    securityToken.setSecret(keyInfo.getSecret());

    X509Certificate[] certificates = keyInfo.getCerts();
    if (certificates != null && certificates.length > 0) {
        // only the first certificate is kept; no Crypto instance is associated with it
        securityToken.setX509Certificate(certificates[0], null);
    }

    if (keyInfo.getPublicKey() != null) {
        securityToken.setKey(keyInfo.getPublicKey());
    }
}

Example 12 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

From class LayoutPolicyValidator, method findCorrespondingTokenIndex.

/**
 * Find the index of the token corresponding to either the X509Certificate or PublicKey used
 * to sign the "signatureResult" argument.
 */
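/**
 * Find the index of the token corresponding to either the X509Certificate or PublicKey used
 * to sign the "signatureResult" argument.
 *
 * <p>Signature results are skipped. Binary security tokens (X.509 or PKIPath) are matched on
 * their certificate, SAML token results on the certificate or public key of the assertion's
 * subject KeyInfo, and every other result on its public key.
 *
 * @param signatureResult the signature result whose signing credential is being located
 * @param results all security engine results for the message
 * @return the index of the matching token in {@code results}, or -1 if none matches
 */
private int findCorrespondingTokenIndex(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    for (int i = 0; i < results.size(); i++) {
        WSSecurityEngineResult token = results.get(i);
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        // Skip results without an action (would otherwise NPE on unboxing) and the signature itself
        if (actInt == null || actInt.intValue() == WSConstants.SIGN) {
            continue;
        }
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            // a BST result that carries no certificate cannot match and must not NPE
            if (foundCert != null && foundCert.equals(cert)) {
                return i;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper == null ? null : assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                // an empty (non-null) certificate array previously threw ArrayIndexOutOfBoundsException
                boolean certMatches = cert != null && subjectCerts != null && subjectCerts.length > 0
                    && cert.equals(subjectCerts[0]);
                boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
                if (certMatches || keyMatches) {
                    return i;
                }
            }
        } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
            return i;
        }
    }
    return -1;
}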

Example 13 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

From class Saml2BearerGrantHandler, method validateToken.

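/**
 * Validates the SAML assertion presented as an OAuth2 grant.
 *
 * <p>A signed assertion has its signature verified with the configured signature crypto
 * (revocation checking is enabled only when the {@code SecurityConstants.ENABLE_REVOCATION}
 * property is set to {@code true}); an unsigned assertion is accepted only when TLS client
 * certificates are present on the message. The optional {@code samlValidator} and the
 * {@code samlOAuthValidator} are then applied. Every failure is reported as an
 * {@code OAuthServiceException} carrying {@code OAuthConstants.INVALID_GRANT}, with the
 * underlying exception kept as the cause.
 *
 * @param message the current request message
 * @param assertion the assertion to validate
 * @throws OAuthServiceException if the assertion is not acceptable
 */
protected void validateToken(Message message, SamlAssertionWrapper assertion) {
    try {
        RequestData data = new RequestData();
        if (assertion.isSigned()) {
            WSSConfig cfg = WSSConfig.getNewInstance();
            data.setWssConfig(cfg);
            data.setCallbackHandler(RSSecurityUtils.getCallbackHandler(message, this.getClass()));
            try {
                data.setSigVerCrypto(new CryptoLoader().getCrypto(message, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES));
            } catch (IOException ex) {
                // keep the cause so a keystore/configuration problem can be diagnosed from the log
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
            }
            boolean enableRevocation = false;
            String enableRevocationStr = (String) org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
            if (enableRevocationStr != null) {
                enableRevocation = Boolean.parseBoolean(enableRevocationStr);
            }
            data.setEnableRevocation(enableRevocation);
            Signature sig = assertion.getSignature();
            WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument());
            data.setWsDocInfo(docInfo);
            KeyInfo keyInfo = sig.getKeyInfo();
            if (keyInfo == null) {
                // Without a KeyInfo there is nothing to verify the signature against;
                // reject explicitly rather than via an NPE on keyInfo.getDOM()
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
            }
            SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
            assertion.verifySignature(samlKeyInfo);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler());
        } else if (getTLSCertificates(message) == null) {
            // an unsigned assertion is only trusted when the client authenticated over TLS
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        if (samlValidator != null) {
            Credential credential = new Credential();
            credential.setSamlAssertion(assertion);
            samlValidator.validate(credential, data);
        }
        samlOAuthValidator.validate(message, assertion);
    } catch (Exception ex) {
        // boundary catch: every failure maps to invalid_grant, the cause is preserved for logging
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}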

Example 14 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

From class SAMLProtocolResponseValidator, method validateAssertion.

/**
 * Validate an internal Assertion
 */
private void validateAssertion(SamlAssertionWrapper assertion, Crypto sigCrypto, CallbackHandler callbackHandler, Document doc, boolean signedResponse) throws WSSecurityException {
    Credential credential = new Credential();
    credential.setSamlAssertion(assertion);
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    requestData.setCallbackHandler(callbackHandler);
    if (assertion.isSigned()) {
        if (assertion.getSaml1() != null) {
            assertion.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true);
        } else {
            assertion.getSaml2().getDOM().setIdAttributeNS(null, "ID", true);
        }
        // Verify the signature
        try {
            Signature sig = assertion.getSignature();
            WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument());
            requestData.setWsDocInfo(docInfo);
            SAMLKeyInfo samlKeyInfo = null;
            KeyInfo keyInfo = sig.getKeyInfo();
            if (keyInfo != null) {
                samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), sigCrypto);
            } else if (!keyInfoMustBeAvailable) {
                samlKeyInfo = createKeyInfoFromDefaultAlias(sigCrypto);
            }
            if (samlKeyInfo == null) {
                LOG.warning("No KeyInfo supplied in the SAMLResponse assertion signature");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            assertion.verifySignature(samlKeyInfo);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, "Assertion failed signature validation", e);
            throw e;
        }
    }
    // Validate the Assertion & verify trust in the signature
    try {
        SamlSSOAssertionValidator assertionValidator = new SamlSSOAssertionValidator(signedResponse);
        assertionValidator.validate(credential, requestData);
    } catch (WSSecurityException ex) {
        LOG.log(Level.FINE, "Assertion validation failed: " + ex.getMessage(), ex);
        throw ex;
    }
}

Example 15 with SAMLKeyInfo

use of org.apache.wss4j.common.saml.SAMLKeyInfo in project cxf by apache.

From class SAMLProtocolResponseValidator, method createKeyInfoFromDefaultAlias.

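/**
 * Builds a {@link SAMLKeyInfo} from the default X.509 identifier of the given Crypto.
 *
 * <p>Used as the fallback when a signed assertion carries no KeyInfo and
 * {@code keyInfoMustBeAvailable} is false, so the signature is checked against the locally
 * configured default certificate rather than one named in the message.
 *
 * @param sigCrypto the Crypto whose default X.509 identifier selects the certificate
 * @return a key info holding the first certificate of the default identifier and its public key
 * @throws WSSecurityException with {@code FAILED_SIGNATURE} if the certificates cannot be loaded
 *         or the default identifier yields no certificate
 */
protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto sigCrypto) throws WSSecurityException {
    final X509Certificate[] certs;
    try {
        certs = RSSecurityUtils.getCertificates(sigCrypto, sigCrypto.getDefaultX509Identifier());
    } catch (Exception ex) {
        LOG.log(Level.FINE, "Error in loading the certificates: " + ex.getMessage(), ex);
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex);
    }
    // A null or empty array previously surfaced as an NPE/ArrayIndexOutOfBoundsException
    // wrapped by the catch above; report the missing certificate explicitly instead.
    if (certs == null || certs.length == 0) {
        LOG.log(Level.FINE, "No certificate found for the default X.509 identifier");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE);
    }
    SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(new X509Certificate[] { certs[0] });
    samlKeyInfo.setPublicKey(certs[0].getPublicKey());
    return samlKeyInfo;
}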
