
Example 6 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

From class `SamlIdPObjectSigner`, method `getResolvedSigningCredential`:

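/**
 * Resolves the credential (public key or certificate, paired with the private key) used to sign
 * SAML objects for the given registered service.
 * <p>
 * The credential type comes from the service's {@code signingCredentialType}, falling back to the
 * global {@code response.credentialType} when the service leaves it blank:
 * <ul>
 * <li>{@code BASIC}: wraps the public key of {@code c} together with {@code privateKey}.</li>
 * <li>{@code X509} (also the default for any other constant): uses the entity certificate of
 * {@code c} when it is a {@link BasicX509Credential}; otherwise reads the IdP's own signing
 * certificate from the metadata locator and pairs it with {@code privateKey}.</li>
 * </ul>
 *
 * @param c          the credential the public key / certificate is taken from
 * @param privateKey the private key paired with the resolved certificate or public key
 * @param service    the registered service whose signing credential type is honoured
 * @return the resolved credential, or {@code null} if resolution failed for any reason
 *         (including an unrecognised credential-type name); the failure is logged at ERROR.
 *         Callers must treat {@code null} as a hard failure and must not proceed to sign.
 */
private AbstractCredential getResolvedSigningCredential(final Credential c, final PrivateKey privateKey, final SamlRegisteredService service) {
    final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
    try {
        // The per-service override wins; otherwise the global response credential type applies.
        final String requestedType = StringUtils.defaultIfBlank(service.getSigningCredentialType(),
            samlIdp.getResponse().getCredentialType().name());
        // Locale.ROOT: enum constant names are ASCII and the JVM default locale must not affect the
        // lookup (a Turkish default locale turns "basic" into "BASİC", which valueOf() rejects).
        final SamlIdPResponseProperties.SignatureCredentialTypes credType =
            SamlIdPResponseProperties.SignatureCredentialTypes.valueOf(requestedType.toUpperCase(java.util.Locale.ROOT));
        LOGGER.debug("Requested credential type [{}] is found for service [{}]", credType, service);
        switch (credType) {
            case BASIC:
                LOGGER.debug("Building basic credential signing key [{}] based on requested credential type", credType);
                return new BasicCredential(c.getPublicKey(), privateKey);
            case X509:
            default:
                if (c instanceof BasicX509Credential) {
                    final X509Certificate certificate = ((BasicX509Credential) c).getEntityCertificate();
                    LOGGER.debug("Locating signature signing certificate from credential [{}]", CertUtils.toString(certificate));
                    return new BasicX509Credential(certificate, privateKey);
                }
                // Not an X.509 credential: fall back to the IdP's own signing certificate on disk.
                // That certificate is NOT derived from c, so the caller is responsible for passing
                // the private key that matches it.
                final Resource signingCert = samlIdPMetadataLocator.getSigningCertificate();
                LOGGER.debug("Locating signature signing certificate file from [{}]", signingCert);
                final X509Certificate certificate = SamlUtils.readCertificate(signingCert);
                return new BasicX509Credential(certificate, privateKey);
        }
    } catch (final Exception e) {
        // Deliberately broad: any failure (bad config value, unreadable certificate file, ...) is
        // surfaced as a null credential rather than propagated. Kept for interface compatibility.
        LOGGER.error(e.getMessage(), e);
    }
    return null;
}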

Example 7 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

From class `SamlObjectEncrypter`, method `getKeyEncryptionCredential`:

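/**
 * Gets key encryption credential.
 * <p>
 * Resolves the key-encryption (key transport) credential of the peer service provider from its
 * metadata: the entity identified by {@code peerEntityId}, in the {@code SPSSODescriptor} role,
 * with a key marked for encryption use. The metadata {@code KeyInfo} may carry the key as an
 * RSA or DSA {@code KeyValue}, inline X.509 data, a DER-encoded key value, or a
 * {@code KeyInfoReference}; no other {@code KeyInfo} forms are understood here.
 * <p>
 * Algorithm policy starts from the OpenSAML default encryption configuration; each non-empty
 * {@code override*} field REPLACES the corresponding default list wholesale rather than
 * extending it. The resulting policy is attached to the criteria set so that only keys usable
 * under it are returned.
 *
 * @param peerEntityId the peer entity id
 * @param adaptor      the adaptor
 * @param service      the service (currently unused by this method)
 * @return the key encryption credential, or {@code null} when the peer metadata yields no
 *         matching key
 * @throws Exception the exception
 */
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
    final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
    final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
    // NOTE(review): an override blacklist that omits an entry present in the library default
    // (e.g. RSA PKCS#1 v1.5 key transport, if the default blacklists it) silently re-enables that
    // algorithm, because setBlacklistedAlgorithms replaces rather than merges. Confirm that
    // operator-supplied lists are supersets of the defaults.
    if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
        config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
    }
    if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
        config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
    }
    if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
        config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
    }
    LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
    LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
    // Fixed: this label previously read "Signature data algorithms" although the value logged is
    // the data *encryption* algorithm list, which misled triage of encryption failures.
    LOGGER.debug("Encryption data algorithms: [{}]", config.getDataEncryptionAlgorithms());
    LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
    final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
    // KeyInfo forms accepted from the peer's metadata; order is the order providers are tried.
    final List<KeyInfoProvider> providers = new ArrayList<>();
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    // requireValidMetadata presumably decides whether expired/invalid peer metadata is rejected
    // by the resolver — verify in SamlIdPUtils; when false, a key from stale metadata may be used.
    final RoleDescriptorResolver roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, idp.getMetadata().isRequireValidMetadata());
    kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    kekCredentialResolver.initialize();
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EncryptionConfigurationCriterion(config));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    // NOTE(review): OpenSAML metadata resolvers are believed to also match keys with no declared
    // use when ENCRYPTION is requested — confirm if a strict use="encryption" match is required.
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
    // First matching credential, or null if none; callers must handle the null case.
    return kekCredentialResolver.resolveSingle(criteriaSet);
}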

Example 8 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

From class `BaseSamlObjectSigner`, method `getSigningPrivateKey`:

/**
 * Gets signing private key.
 * <p>
 * Loads the IdP signing key from the file configured under
 * {@code authn.samlIdp.metadata.signingKeyFile}, parsed with the configured private-key
 * algorithm name. The factory bean is built non-singleton, so every call re-reads the file and
 * returns a fresh key object; nothing is cached here.
 * <p>
 * NOTE(review): no check is made here on the key file's ownership or permissions — that is
 * left to deployment; confirm the file is not world-readable.
 *
 * @return the signing private key
 * @throws Exception the exception
 */
protected PrivateKey getSigningPrivateKey() throws Exception {
    final SamlIdPProperties props = casProperties.getAuthn().getSamlIdp();
    LOGGER.debug("Locating signature signing key file from [{}]", props.getMetadata().getSigningKeyFile());
    final PrivateKeyFactoryBean keyFactory = new PrivateKeyFactoryBean();
    // Resolve to a concrete file-system path; fails if the resource is not file-backed.
    keyFactory.setLocation(new FileSystemResource(props.getMetadata().getSigningKeyFile().getFile()));
    keyFactory.setAlgorithm(props.getMetadata().getPrivateKeyAlgName());
    keyFactory.setSingleton(false);
    return keyFactory.getObject();
}

Example 9 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

From class `TemplatedMetadataAndCertificatesGenerationService`, method `buildSelfSignedEncryptionCert`:

/**
 * Build self signed encryption cert.
 * <p>
 * Generates a self-signed certificate and private key for the IdP host name, writing them to the
 * encryption certificate and key files configured under {@code authn.samlIdp.metadata}. The
 * certificate carries a single URI subject-alternative-name of host name plus
 * {@code URI_SUBJECT_ALTNAME_POSTFIX}.
 * <p>
 * NOTE(review): key size, signature algorithm and validity period are whatever the generator
 * defaults to — nothing here configures them; confirm the defaults meet policy. Presumably any
 * existing files at the same paths are overwritten — verify before relying on this for rotation.
 *
 * @throws Exception the exception
 */
protected void buildSelfSignedEncryptionCert() throws Exception {
    final String hostName = getIdPHostName();
    final SamlIdPProperties props = casProperties.getAuthn().getSamlIdp();
    final SelfSignedCertificateGenerator certGenerator = new SelfSignedCertificateGenerator();
    certGenerator.setHostName(hostName);
    certGenerator.setURISubjectAltNames(Arrays.asList(hostName.concat(URI_SUBJECT_ALTNAME_POSTFIX)));
    certGenerator.setCertificateFile(props.getMetadata().getEncryptionCertFile().getFile());
    certGenerator.setPrivateKeyFile(props.getMetadata().getEncryptionKeyFile().getFile());
    certGenerator.generate();
}

Example 10 with SamlIdPProperties

use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.

From class `TemplatedMetadataAndCertificatesGenerationService`, method `buildSelfSignedSigningCert`:

/**
 * Build self signed signing cert.
 * <p>
 * Generates a self-signed certificate and private key for the IdP host name, writing them to the
 * signing certificate and key files configured under {@code authn.samlIdp.metadata}. The
 * certificate carries a single URI subject-alternative-name of host name plus
 * {@code URI_SUBJECT_ALTNAME_POSTFIX}.
 * <p>
 * NOTE(review): key size, signature algorithm and validity period are whatever the generator
 * defaults to — nothing here configures them; confirm the defaults meet policy. Presumably any
 * existing files at the same paths are overwritten — verify before relying on this for rotation.
 *
 * @throws Exception the exception
 */
protected void buildSelfSignedSigningCert() throws Exception {
    final String hostName = getIdPHostName();
    final SamlIdPProperties props = casProperties.getAuthn().getSamlIdp();
    final SelfSignedCertificateGenerator certGenerator = new SelfSignedCertificateGenerator();
    certGenerator.setHostName(hostName);
    certGenerator.setURISubjectAltNames(Arrays.asList(hostName.concat(URI_SUBJECT_ALTNAME_POSTFIX)));
    certGenerator.setCertificateFile(props.getMetadata().getSigningCertFile().getFile());
    certGenerator.setPrivateKeyFile(props.getMetadata().getSigningKeyFile().getFile());
    certGenerator.generate();
}
