
Example 1 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

the class SamlIdPConfiguration method casSamlIdPMetadataResolver.

/**
 * Exposes the IdP's own metadata as an OpenSAML {@link MetadataResolver}.
 * <p>
 * The backing metadata file, the fail-fast and require-valid-metadata flags and
 * the resolver id are all taken from the CAS SAML IdP properties; the parser pool
 * comes from the shared {@code openSamlConfigBean}.
 *
 * @return an initialized resolver backed by the configured metadata file
 * @throws BeanCreationException if the resolver cannot be built or initialized;
 *                               the underlying exception is kept as the cause
 */
@Bean
public MetadataResolver casSamlIdPMetadataResolver() {
    try {
        final SamlIdPProperties idpProperties = casProperties.getAuthn().getSamlIdp();
        final FileSystemResource metadataFile = new FileSystemResource(idpProperties.getMetadata().getMetadataFile());
        final ResourceBackedMetadataResolver metadataResolver = new ResourceBackedMetadataResolver(ResourceHelper.of(metadataFile));
        metadataResolver.setId(idpProperties.getEntityId());
        metadataResolver.setParserPool(this.openSamlConfigBean.getParserPool());
        // Both flags are operator-controlled: fail-fast surfaces a broken metadata file at
        // startup, require-valid-metadata rejects expired/invalid metadata at resolve time.
        metadataResolver.setFailFastInitialization(idpProperties.getMetadata().isFailFast());
        metadataResolver.setRequireValidMetadata(idpProperties.getMetadata().isRequireValidMetadata());
        metadataResolver.initialize();
        return metadataResolver;
    } catch (final Exception e) {
        throw new BeanCreationException(e.getMessage(), e);
    }
}

Example 2 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

the class BaseSamlObjectSigner method getSignatureSigningConfiguration.

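/**
 * Builds the signature signing configuration used when the IdP signs SAML objects.
 * <p>
 * Starts from the OpenSAML default signing configuration and applies the configured
 * overrides for blacklisted, signature, reference-digest and whitelisted algorithms
 * and for the canonicalization algorithm. Every override is applied only when it is
 * present and non-empty, so an unset override leaves the library defaults in force.
 * The single signing credential is built from the configured signing private key
 * and certificate.
 *
 * @return the signature signing configuration
 * @throws Exception if the signing private key or certificate cannot be loaded
 */
protected SignatureSigningConfiguration getSignatureSigningConfiguration() throws Exception {
    final BasicSignatureSigningConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
    final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
    // Guard on the override list itself, consistent with the other overrides below.
    // Previously the emptiness check looked at the properties list instead, so a
    // non-null but empty override could replace the default blacklist with nothing.
    if (this.overrideBlackListedSignatureAlgorithms != null && !this.overrideBlackListedSignatureAlgorithms.isEmpty()) {
        config.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
    }
    if (this.overrideSignatureAlgorithms != null && !this.overrideSignatureAlgorithms.isEmpty()) {
        config.setSignatureAlgorithms(this.overrideSignatureAlgorithms);
    }
    if (this.overrideSignatureReferenceDigestMethods != null && !this.overrideSignatureReferenceDigestMethods.isEmpty()) {
        config.setSignatureReferenceDigestMethods(this.overrideSignatureReferenceDigestMethods);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
    }
    final String canonicalizationAlgorithm = samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm();
    if (StringUtils.isNotBlank(canonicalizationAlgorithm)) {
        config.setSignatureCanonicalizationAlgorithm(canonicalizationAlgorithm);
    }
    // Log the effective policy so operators can confirm which algorithms are allowed.
    LOGGER.debug("Signature signing blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
    LOGGER.debug("Signature signing signature algorithms: [{}]", config.getSignatureAlgorithms());
    LOGGER.debug("Signature signing signature canonicalization algorithm: [{}]", config.getSignatureCanonicalizationAlgorithm());
    LOGGER.debug("Signature signing whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
    LOGGER.debug("Signature signing reference digest methods: [{}]", config.getSignatureReferenceDigestMethods());
    final PrivateKey privateKey = getSigningPrivateKey();
    final X509Certificate certificate = getSigningCertificate();
    final List<Credential> creds = new ArrayList<>();
    creds.add(new BasicX509Credential(certificate, privateKey));
    config.setSigningCredentials(creds);
    // Only the fact that a credential was configured is logged; never the key material.
    LOGGER.debug("Signature signing credentials configured");
    return config;
}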

Example 3 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

the class SamlObjectEncrypter method getKeyEncryptionCredential.

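/**
 * Resolves the key-encryption (key transport) credential of a peer service provider
 * from its metadata.
 * <p>
 * Starts from the OpenSAML default encryption configuration and applies the configured
 * overrides for blacklisted, whitelisted, data-encryption and key-transport algorithms;
 * each override is applied only when present and non-empty. The credential is then
 * looked up in the peer's metadata, restricted to the {@code SPSSODescriptor} role and
 * {@code ENCRYPTION} key usage, honouring the IdP's require-valid-metadata setting.
 *
 * @param peerEntityId the entity id of the peer service provider
 * @param adaptor      the facade over the peer's metadata
 * @param service      the registered service being processed
 * @return the resolved key-encryption credential; may be {@code null} when the peer
 *         metadata yields no matching credential (resolveSingle contract; callers
 *         should check)
 * @throws Exception if the metadata or credential resolvers cannot be initialized or
 *                   resolution fails
 */
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
    final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
    final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
    // An empty override is ignored so the library defaults stay in force.
    if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
        config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
    }
    if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
        config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
    }
    if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
        config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
    }
    // Log the effective policy so operators can confirm which algorithms are allowed.
    LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
    LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
    // Fixed: this line previously reported the data-encryption algorithms as "Signature".
    LOGGER.debug("Encryption data algorithms: [{}]", config.getDataEncryptionAlgorithms());
    LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());

    // KeyInfo providers decide which KeyInfo representations in the peer metadata are
    // accepted as key material.
    final List<KeyInfoProvider> providers = new ArrayList<>();
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);

    // The IdP-wide require-valid-metadata flag is propagated so expired/invalid peer
    // metadata is not used as a key source when the operator has asked for strictness.
    final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(adaptor.getMetadataResolver());
    roleDescriptorResolver.setSatisfyAnyPredicates(true);
    roleDescriptorResolver.setUseDefaultPredicateRegistry(true);
    roleDescriptorResolver.setRequireValidMetadata(idp.getMetadata().isRequireValidMetadata());
    roleDescriptorResolver.initialize();

    final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
    kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    kekCredentialResolver.initialize();

    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EncryptionConfigurationCriterion(config));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
    return kekCredentialResolver.resolveSingle(criteriaSet);
}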

Example 4 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

the class BaseSamlObjectSigner method getSigningCertificate.

/**
 * Loads the X.509 certificate the IdP uses for signing from the configured
 * signing certificate file.
 *
 * @return the signing certificate
 * @throws Exception if the certificate file cannot be resolved or read
 */
protected X509Certificate getSigningCertificate() throws Exception {
    final SamlIdPProperties idpProperties = casProperties.getAuthn().getSamlIdp();
    final Resource signingCertFile = idpProperties.getMetadata().getSigningCertFile();
    LOGGER.debug("Locating signature signing certificate file from [{}]", signingCertFile);
    final FileSystemResource certificateResource = new FileSystemResource(signingCertFile.getFile());
    return SamlUtils.readCertificate(certificateResource);
}

Example 5 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

the class TemplatedMetadataAndCertificatesGenerationService method initialize.

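/**
 * Ensures the SAML metadata directory exists, creating it (including any missing
 * parent directories) when it does not.
 *
 * @throws RuntimeException via {@link Throwables#propagate(Throwable)} when the
 *         location cannot be resolved to a file or the directory cannot be created
 */
@PostConstruct
public void initialize() {
    try {
        final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
        final Resource metadataLocation = idp.getMetadata().getLocation();
        if (!metadataLocation.exists()) {
            // mkdirs() (not mkdir()) so a missing parent does not fail startup. It returns
            // false when the directory already exists, e.g. created by another instance
            // between the exists() check and here, so re-check before failing.
            if (!metadataLocation.getFile().mkdirs() && !metadataLocation.exists()) {
                throw new IllegalArgumentException("Metadata directory location " + metadataLocation + " cannot be located/created");
            }
        }
        LOGGER.info("Metadata directory location is at [{}] with entityID [{}]", metadataLocation, idp.getEntityId());
    } catch (final Exception e) {
        throw Throwables.propagate(e);
    }
}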
