
Example 1 with StorageResolver

use of org.apache.xml.security.keys.storage.StorageResolver in project OpenAM by OpenRock.

the class AMSignatureProvider method getX509PublicKey.

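/**
 * Returns the public key of the X.509 certificate that the
 * <code>KeyInfo</code> resolves to, or the WSS token-profile key found in
 * the document when the <code>KeyInfo</code> carries no
 * <code>X509Data</code>.
 * <p>
 * Trust model: when <code>checkCert</code> is set, the resolved certificate
 * must map to an alias in the configured keystore or it is rejected. When
 * <code>checkCert</code> is off, whatever certificate the
 * <code>KeyInfo</code> resolves to is accepted, and the WSS token-profile
 * path never consults the keystore at all. Every failure, including an
 * untrusted certificate, is logged and reported as <code>null</code>;
 * callers must treat <code>null</code> as "no usable verification key".
 *
 * @param doc the signed document; only consulted for the WSS token-profile
 *        fallback
 * @param keyinfo the KeyInfo to resolve, may be <code>null</code>
 * @return the certificate's public key, or <code>null</code> if no
 *         certificate could be resolved or it is not trusted
 */
protected PublicKey getX509PublicKey(Document doc, KeyInfo keyinfo) {
    if (keyinfo == null) {
        return null;
    }
    try {
        if (isJKSKeyStore) {
            // Let the KeyInfo resolve issuer/serial, SKI and subject-name
            // references against the JKS keystore, not only inline certs.
            StorageResolver storageResolver = new StorageResolver(
                    new KeyStoreResolver(((JKSKeyProvider) keystore).getKeyStore()));
            keyinfo.addStorageResolver(storageResolver);
            keyinfo.registerInternalKeyResolver(new X509IssuerSerialResolver());
            keyinfo.registerInternalKeyResolver(new X509CertificateResolver());
            keyinfo.registerInternalKeyResolver(new X509SKIResolver());
            keyinfo.registerInternalKeyResolver(new X509SubjectNameResolver());
        }
        if (!keyinfo.containsX509Data()) {
            // Do we need to check if the public key is in the
            // keystore!?
            return getWSSTokenProfilePublicKey(doc);
        }
        if (SAMLUtilsCommon.debug.messageEnabled()) {
            SAMLUtilsCommon.debug.message("Found X509Data" + " element in the KeyInfo");
        }
        X509Certificate certificate = keyinfo.getX509Certificate();
        if (certificate == null) {
            // X509Data was present but none of the resolvers produced a
            // certificate; without this guard the keystore lookup below
            // fails with an NPE that the catch turns into a bare log line.
            SAMLUtilsCommon.debug.error("getX509PublicKey: X509Data present but no certificate could be resolved.");
            return null;
        }
        if (checkCert) {
            // validate the X509Certificate against the keystore
            if (keystore.getCertificateAlias(certificate) == null) {
                SAMLUtilsCommon.debug.error("verifyXMLSignature:" + " certificate is not trusted.");
                throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("untrustedCertificate"));
            }
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("verifyXMLSignature:" + " certificate is trused.");
            }
        } else if (SAMLUtilsCommon.debug.messageEnabled()) {
            SAMLUtilsCommon.debug.message("Skip checking whether the" + " cert in the cert db.");
        }
        return getPublicKey(certificate);
    } catch (Exception e) {
        // Best effort: the untrusted-certificate XMLSignatureException thrown
        // above lands here as well and reaches the caller only as null.
        SAMLUtilsCommon.debug.error("getX509Certificate(KeyInfo) Exception: ", e);
        return null;
    }
}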

Example 2 with StorageResolver

use of org.apache.xml.security.keys.storage.StorageResolver in project OpenAM by OpenRock.

the class WSFederationMetaSecurityUtils method verifySignature.

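/**
 * Verifies signatures in entity descriptor represented by the
 * <code>Document</code>.
 * <p>
 * Every <code>ds:Signature</code> in the document is verified with the
 * certificate named by its own <code>KeyInfo</code> or, failing that, by the
 * <code>KeyInfo</code> of the following <code>KeyDescriptor</code> whose
 * <code>use</code> is <code>signing</code> or unspecified. Because that
 * certificate is taken from the document under verification, only the
 * <code>checkCert</code> keystore lookup binds it to a trusted party; with
 * <code>checkCert</code> off, a valid signature by any embedded certificate
 * is accepted.
 *
 * @param doc The document.
 * @throws WSFederationMetaException if unable to verify the entity
 * descriptor: the signatures cannot be located, no certificate is found,
 * the certificate is not trusted, or the signature value does not verify.
 */
public static void verifySignature(Document doc) throws WSFederationMetaException {
    String classMethod = "WSFederationMetaSecurityUtils.verifySignature: ";
    NodeList sigElements;
    try {
        Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
        sigElements = XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
    } catch (Exception ex) {
        debug.error(classMethod, ex);
        throw new WSFederationMetaException(ex);
    }
    int numSigs = sigElements.getLength();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "# of signatures = " + numSigs);
    }
    if (numSigs == 0) {
        // An unsigned descriptor is not an error here; the caller decides
        // whether signing is required.
        return;
    }
    initializeKeyStore();
    for (int i = 0; i < numSigs; i++) {
        Element sigElement = (Element) sigElements.item(i);
        String sigParentName = sigElement.getParentNode().getLocalName();
        Object[] objs = { sigParentName };
        if (debug.messageEnabled()) {
            debug.message(classMethod + "verifying signature under " + sigParentName);
        }
        try {
            XMLSignature signature = new XMLSignature(sigElement, "");
            signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
            KeyInfo ki = signature.getKeyInfo();
            X509Certificate x509cert = null;
            if (ki != null && ki.containsX509Data()) {
                if (keyStore != null) {
                    // Lets issuer/serial, SKI and subject-name references
                    // resolve against the keystore, not only inline certs.
                    ki.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
                }
                x509cert = ki.getX509Certificate();
            }
            if (x509cert == null) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "try to find cert in KeyDescriptor");
                }
                String xpath = "following-sibling::*[local-name()=\"" + TAG_KEY_DESCRIPTOR + "\" and namespace-uri()=\"" + NS_META + "\"]";
                Node node = XPathAPI.selectSingleNode(sigElement, xpath);
                if (node != null) {
                    Element kd = (Element) node;
                    String use = kd.getAttributeNS(null, ATTR_USE);
                    // An absent "use" attribute means the key serves both
                    // signing and encryption, so accept it as well; this
                    // matches SAML2MetaSecurityUtils.verifySignature.
                    if (use.isEmpty() || use.equals("signing")) {
                        NodeList children = kd.getChildNodes();
                        for (int j = 0; j < children.getLength(); j++) {
                            Node child = children.item(j);
                            if (child.getNodeType() != Node.ELEMENT_NODE) {
                                continue;
                            }
                            // Only the first element child is inspected,
                            // presumably because ds:KeyInfo is the first
                            // child of a KeyDescriptor — confirm if a
                            // descriptor with a leading sibling turns up.
                            if (TAG_KEY_INFO.equals(child.getLocalName()) && NS_XMLSIG.equals(child.getNamespaceURI())) {
                                ki = new KeyInfo((Element) child, "");
                                if (ki.containsX509Data()) {
                                    if (keyStore != null) {
                                        ki.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
                                    }
                                    x509cert = ki.getX509Certificate();
                                }
                            }
                            break;
                        }
                    }
                }
            }
            if (x509cert == null) {
                throw new WSFederationMetaException("verify_no_cert", objs);
            }
            // This keystore lookup is the only step tying the embedded
            // certificate to a configured trust anchor.
            if (checkCert && ((keyProvider == null) || (keyProvider.getCertificateAlias(x509cert) == null))) {
                throw new WSFederationMetaException("untrusted_cert", objs);
            }
            PublicKey pk = x509cert.getPublicKey();
            if (!signature.checkSignatureValue(pk)) {
                throw new WSFederationMetaException("verify_fail", objs);
            }
        } catch (WSFederationMetaException sme) {
            throw sme;
        } catch (Exception ex) {
            debug.error(classMethod, ex);
            throw new WSFederationMetaException(Locale.getString(WSFederationMetaUtils.bundle, "verify_fail", objs) + "\n" + ex.getMessage());
        }
    }
}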

Example 3 with StorageResolver

use of org.apache.xml.security.keys.storage.StorageResolver in project OpenAM by OpenRock.

the class AMEncryptionProvider method getPrivateKey.

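/**
 * Returns the private key belonging to the X.509 certificate that the
 * <code>KeyInfo</code> resolves to.
 * <p>
 * The certificate is resolved against the key provider's keystore (inline
 * certificate, issuer/serial, SKI or subject name) and then mapped back to
 * its keystore alias; a certificate that is not in the keystore has no
 * alias and therefore yields no key. Any failure is logged and reported as
 * <code>null</code>.
 *
 * @param keyinfo the KeyInfo naming the decryption certificate, may be
 *        <code>null</code>
 * @return the matching private key, or <code>null</code> when the KeyInfo
 *         has no <code>X509Data</code>, no certificate can be resolved, or
 *         the certificate is not present in the keystore
 */
protected java.security.PrivateKey getPrivateKey(KeyInfo keyinfo) {
    if (keyinfo == null) {
        return null;
    }
    try {
        // Register the keystore so references other than an inline
        // certificate (issuer/serial, SKI, subject name) can be resolved.
        StorageResolver storageResolver = new StorageResolver(new KeyStoreResolver(keyProvider.getKeyStore()));
        keyinfo.addStorageResolver(storageResolver);
        keyinfo.registerInternalKeyResolver(new X509IssuerSerialResolver());
        keyinfo.registerInternalKeyResolver(new X509CertificateResolver());
        keyinfo.registerInternalKeyResolver(new X509SKIResolver());
        keyinfo.registerInternalKeyResolver(new X509SubjectNameResolver());
        if (!keyinfo.containsX509Data()) {
            return null;
        }
        if (EncryptionUtils.debug.messageEnabled()) {
            EncryptionUtils.debug.message("Found X509Data" + " element in the KeyInfo");
        }
        X509Certificate certificate = keyinfo.getX509Certificate();
        if (certificate == null) {
            EncryptionUtils.debug.error("getPrivateKey(KeyInfo): X509Data present but no certificate could be resolved.");
            return null;
        }
        String certAlias = keyProvider.getCertificateAlias(certificate);
        if (certAlias == null) {
            // Unknown certificate: report it explicitly instead of handing
            // a null alias to the provider.
            EncryptionUtils.debug.error("getPrivateKey(KeyInfo): certificate is not in the keystore.");
            return null;
        }
        return keyProvider.getPrivateKey(certAlias);
    } catch (Exception e) {
        EncryptionUtils.debug.error("getPrivateKey(KeyInfo) Exception: ", e);
        return null;
    }
}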

Example 4 with StorageResolver

use of org.apache.xml.security.keys.storage.StorageResolver in project OpenAM by OpenRock.

the class SAML2MetaSecurityUtils method verifySignature.

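/**
 * Verifies signatures in entity descriptor represented by the
 * <code>Document</code>.
 * <p>
 * Every <code>ds:Signature</code> in the document is verified with the
 * certificate named by its own <code>KeyInfo</code> or, failing that, by the
 * <code>KeyInfo</code> of the following <code>KeyDescriptor</code> whose
 * <code>use</code> is <code>signing</code> or unspecified. Because that
 * certificate is taken from the document under verification, only the
 * <code>checkCert</code> keystore lookup binds it to a trusted party; with
 * <code>checkCert</code> off, a valid signature by any embedded certificate
 * is accepted.
 *
 * @param doc The document.
 * @throws SAML2MetaException if unable to verify the entity descriptor: the
 * signatures cannot be located, no certificate is found, the certificate is
 * not trusted, or the signature value does not verify.
 */
public static void verifySignature(Document doc) throws SAML2MetaException {
    String classMethod = "SAML2MetaSecurityUtils.verifySignature: ";
    NodeList sigElements;
    try {
        Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
        sigElements = XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
    } catch (Exception ex) {
        // Always fail here. The throw used to sit inside the
        // debug.messageEnabled() check, so with debug off the exception was
        // swallowed and sigElements.getLength() below threw an NPE instead.
        debug.error("SAML2MetaSecurityUtils.verifySignature:", ex);
        throw new SAML2MetaException(ex.getMessage());
    }
    int numSigs = sigElements.getLength();
    if (debug.messageEnabled()) {
        debug.message("SAML2MetaSecurityUtils.verifySignature:" + " # of signatures = " + numSigs);
    }
    if (numSigs == 0) {
        // An unsigned descriptor is not an error here; the caller decides
        // whether signing is required.
        return;
    }
    // If there are signatures then explicitly identify the ID Attribute, See comments section of
    // http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8017265
    doc.getDocumentElement().setIdAttribute(SAML2Constants.ID, true);
    initializeKeyStore();
    for (int i = 0; i < numSigs; i++) {
        Element sigElement = (Element) sigElements.item(i);
        String sigParentName = sigElement.getParentNode().getLocalName();
        Object[] objs = { sigParentName };
        if (debug.messageEnabled()) {
            debug.message(classMethod + "verifying signature under " + sigParentName);
        }
        try {
            XMLSignature signature = new XMLSignature(sigElement, "");
            signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
            KeyInfo ki = signature.getKeyInfo();
            X509Certificate x509cert = null;
            if (ki != null && ki.containsX509Data()) {
                if (keyStore != null) {
                    // Lets issuer/serial, SKI and subject-name references
                    // resolve against the keystore, not only inline certs.
                    ki.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
                }
                x509cert = ki.getX509Certificate();
            }
            if (x509cert == null) {
                if (debug.messageEnabled()) {
                    debug.message("SAML2MetaSecurityUtils.verifySignature:" + " try to find cert in KeyDescriptor");
                }
                String xpath = "following-sibling::*[local-name()=\"" + TAG_KEY_DESCRIPTOR + "\" and namespace-uri()=\"" + NS_META + "\"]";
                Node node = XPathAPI.selectSingleNode(sigElement, xpath);
                if (node != null) {
                    Element kd = (Element) node;
                    String use = kd.getAttributeNS(null, ATTR_USE);
                    // An absent "use" attribute means the key serves both
                    // signing and encryption, so it is accepted as well.
                    if (use.isEmpty() || use.equals("signing")) {
                        NodeList children = kd.getChildNodes();
                        for (int j = 0; j < children.getLength(); j++) {
                            Node child = children.item(j);
                            if (child.getNodeType() != Node.ELEMENT_NODE) {
                                continue;
                            }
                            // Only the first element child is inspected,
                            // presumably because ds:KeyInfo is the first
                            // child of a KeyDescriptor — confirm if a
                            // descriptor with a leading sibling turns up.
                            if (TAG_KEY_INFO.equals(child.getLocalName()) && NS_XMLSIG.equals(child.getNamespaceURI())) {
                                ki = new KeyInfo((Element) child, "");
                                if (ki.containsX509Data()) {
                                    if (keyStore != null) {
                                        ki.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
                                    }
                                    x509cert = ki.getX509Certificate();
                                }
                            }
                            break;
                        }
                    }
                }
            }
            if (x509cert == null) {
                throw new SAML2MetaException("verify_no_cert", objs);
            }
            // This keystore lookup is the only step tying the embedded
            // certificate to a configured trust anchor.
            if (checkCert && ((keyProvider == null) || (keyProvider.getCertificateAlias(x509cert) == null))) {
                throw new SAML2MetaException("untrusted_cert", objs);
            }
            PublicKey pk = x509cert.getPublicKey();
            if (!signature.checkSignatureValue(pk)) {
                throw new SAML2MetaException("verify_fail", objs);
            }
        } catch (SAML2MetaException sme) {
            throw sme;
        } catch (Exception ex) {
            debug.error("SAML2MetaSecurityUtils.verifySignature: ", ex);
            throw new SAML2MetaException(Locale.getString(SAML2MetaUtils.resourceBundle, "verify_fail", objs) + "\n" + ex.getMessage());
        }
    }
}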
