Examples with SamlIdPMetadataCredentialResolver org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver used on opensource projects

Search in sources :

Example 1 with SamlIdPMetadataCredentialResolver

use of org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver in project cas by apereo.

the class SamlIdPObjectEncrypter method configureKeyDecryptionCredential.

/**
 * Configure key decryption credential credential.
 *
 * @param peerEntityId            the peer entity id
 * @param adaptor                 the adaptor
 * @param service                 the service
 * @param decryptionConfiguration the decryption configuration
 * @return the credential
 * @throws Exception the exception
 */
protected Credential configureKeyDecryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicDecryptionConfiguration decryptionConfiguration) throws Exception {
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val providers = new ArrayList<KeyInfoProvider>(5);
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new DecryptionConfigurationCriterion(decryptionConfiguration));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.debug("Attempting to resolve the decryption key for entity id [{}]", peerEntityId);
    val credential = Objects.requireNonNull(mdCredentialResolver.resolveSingle(criteriaSet));
    val encryptinKey = samlIdPMetadataLocator.resolveEncryptionKey(Optional.ofNullable(service));
    val bean = new PrivateKeyFactoryBean();
    bean.setSingleton(false);
    bean.setLocation(encryptinKey);
    val privateKey = Objects.requireNonNull(bean.getObject());
    val basicCredential = new BasicCredential(Objects.requireNonNull(credential.getPublicKey()), privateKey);
    decryptionConfiguration.setKEKKeyInfoCredentialResolver(new StaticKeyInfoCredentialResolver(basicCredential));
    val list = new ArrayList<EncryptedKeyResolver>(3);
    list.add(new InlineEncryptedKeyResolver());
    list.add(new EncryptedElementTypeEncryptedKeyResolver());
    list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
    val encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
    decryptionConfiguration.setEncryptedKeyResolver(encryptedKeyResolver);
    return credential;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) DecryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.DecryptionConfigurationCriterion) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) PrivateKeyFactoryBean(org.apereo.cas.util.crypto.PrivateKeyFactoryBean) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) BasicCredential(org.opensaml.security.credential.BasicCredential)

Example 2 with SamlIdPMetadataCredentialResolver

use of org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver in project cas by apereo.

the class SamlIdPObjectEncrypter method configureKeyEncryptionCredential.

/**
 * Gets key encryption credential.
 *
 * @param peerEntityId            the peer entity id
 * @param adaptor                 the adaptor
 * @param service                 the service
 * @param encryptionConfiguration the encryption configuration
 * @return the key encryption credential
 * @throws Exception the exception
 */
protected Credential configureKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicEncryptionConfiguration encryptionConfiguration) throws Exception {
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val providers = new ArrayList<KeyInfoProvider>(5);
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new EncryptionConfigurationCriterion(encryptionConfiguration));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
    val credential = mdCredentialResolver.resolveSingle(criteriaSet);
    if (credential == null || credential.getPublicKey() == null) {
        if (service.isEncryptionOptional()) {
            LOGGER.warn("Unable to resolve the encryption [public] key for entity id [{}]", peerEntityId);
            return null;
        }
        throw new SamlException("Unable to resolve the encryption [public] key for entity id " + peerEntityId);
    }
    val encodedKey = EncodingUtils.encodeBase64(credential.getPublicKey().getEncoded());
    LOGGER.debug("Found encryption public key: [{}]", encodedKey);
    encryptionConfiguration.setKeyTransportEncryptionCredentials(CollectionUtils.wrapList(credential));
    return credential;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) EncryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SamlException(org.apereo.cas.support.saml.SamlException) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)

Example 3 with SamlIdPMetadataCredentialResolver

use of org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver in project cas by apereo.

the class DefaultSamlIdPObjectSigner method getSignatureSigningConfiguration.

/**
 * Gets signature signing configuration.
 * The resolved used is {@link SamlIdPMetadataCredentialResolver} that
 * allows the entire criteria set to be passed to the role descriptor resolver.
 * This behavior allows the passing of {@link SamlIdPSamlRegisteredServiceCriterion}
 * so signing configuration, etc can be fetched for a specific service as an override,
 * if on is in fact defined for the service.
 *
 * @param service the service
 * @return the signature signing configuration
 * @throws Exception the exception
 */
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final SamlRegisteredService service) throws Exception {
    val config = configureSignatureSigningSecurityConfiguration(service);
    val samlIdp = casProperties.getAuthn().getSamlIdp();
    val privateKey = getSigningPrivateKey(service);
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(samlIdPMetadataResolver, samlIdp.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
    criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
    val entityIdCriteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.trace("Resolving entity id from SAML2 IdP metadata for signature signing configuration is [{}]", service.getName());
    val entityId = Objects.requireNonNull(samlIdPMetadataResolver.resolveSingle(entityIdCriteriaSet)).getEntityID();
    LOGGER.trace("Resolved entity id from SAML2 IdP metadata is [{}]", entityId);
    criteriaSet.add(new EntityIdCriterion(entityId));
    criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.trace("Resolved signing credentials based on criteria [{}]", criteriaSet);
    val credentials = Sets.newLinkedHashSet(mdCredentialResolver.resolve(criteriaSet));
    LOGGER.trace("Resolved [{}] signing credentials", credentials.size());
    val finalCredentials = new ArrayList<Credential>();
    credentials.stream().map(c -> getResolvedSigningCredential(c, privateKey, service)).filter(Objects::nonNull).filter(c -> doesCredentialFingerprintMatch(c, service)).forEach(finalCredentials::add);
    if (finalCredentials.isEmpty()) {
        LOGGER.error("Unable to locate any signing credentials for service [{}]", service.getName());
        throw new IllegalArgumentException("Unable to locate signing credentials");
    }
    config.setSigningCredentials(finalCredentials);
    LOGGER.trace("Signature signing credentials configured with [{}] credentials", finalCredentials.size());
    return config;
}
Also used : lombok.val(lombok.val) CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties) MessageContext(org.opensaml.messaging.context.MessageContext) SneakyThrows(lombok.SneakyThrows) RequiredArgsConstructor(lombok.RequiredArgsConstructor) SignatureSigningConfiguration(org.opensaml.xmlsec.SignatureSigningConfiguration) StringUtils(org.apache.commons.lang3.StringUtils) PrivateKeyFactoryBean(org.apereo.cas.util.crypto.PrivateKeyFactoryBean) SamlUtils(org.apereo.cas.support.saml.SamlUtils) SignatureSigningParameters(org.opensaml.xmlsec.SignatureSigningParameters) LoggingUtils(org.apereo.cas.util.LoggingUtils) Pair(org.apache.commons.lang3.tuple.Pair) SamlException(org.apereo.cas.support.saml.SamlException) BasicCredential(org.opensaml.security.credential.BasicCredential) SAMLMetadataSignatureSigningParametersResolver(org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver) UsageType(org.opensaml.security.credential.UsageType) SAMLOutboundDestinationHandler(org.opensaml.saml.common.binding.impl.SAMLOutboundDestinationHandler) MetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver) RequestAbstractType(org.opensaml.saml.saml2.core.RequestAbstractType) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) SamlIdPUtils(org.apereo.cas.support.saml.SamlIdPUtils) Sets(com.google.common.collect.Sets) AbstractCredential(org.opensaml.security.credential.AbstractCredential) Objects(java.util.Objects) Slf4j(lombok.extern.slf4j.Slf4j) SAMLObject(org.opensaml.saml.common.SAMLObject) PrivateKey(java.security.PrivateKey) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SignatureSigningConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion) EndpointURLSchemeSecurityHandler(org.opensaml.saml.common.binding.security.impl.EndpointURLSchemeSecurityHandler) SamlRegisteredServiceServiceProviderMetadataFacade(org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) Optional(java.util.Optional) Pattern(java.util.regex.Pattern) MutableCredential(org.opensaml.security.credential.MutableCredential) SAMLOutboundProtocolMessageSigningHandler(org.opensaml.saml.common.binding.security.impl.SAMLOutboundProtocolMessageSigningHandler) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) Getter(lombok.Getter) DigestUtils(org.apereo.cas.util.DigestUtils) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) ArrayList(java.util.ArrayList) HttpServletRequest(javax.servlet.http.HttpServletRequest) SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService) SecurityParametersContext(org.opensaml.xmlsec.context.SecurityParametersContext) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) SamlIdPResponseProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPResponseProperties) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) BasicAlgorithmPolicyConfiguration(org.opensaml.xmlsec.impl.BasicAlgorithmPolicyConfiguration) RoleDescriptorCriterion(org.opensaml.saml.criterion.RoleDescriptorCriterion) DefaultSecurityConfigurationBootstrap(org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap) Credential(org.opensaml.security.credential.Credential) lombok.val(lombok.val) HttpServletResponse(javax.servlet.http.HttpServletResponse) RoleDescriptor(org.opensaml.saml.saml2.metadata.RoleDescriptor) RegexUtils(org.apereo.cas.util.RegexUtils) CertUtils(org.apereo.cas.util.crypto.CertUtils) SamlIdPMetadataLocator(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataLocator) EvaluableEntityRoleEntityDescriptorCriterion(org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) BasicSignatureSigningConfiguration(org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) EvaluableEntityRoleEntityDescriptorCriterion(org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) ArrayList(java.util.ArrayList) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) Objects(java.util.Objects) SignatureSigningConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)

Aggregations

ArrayList (java.util.ArrayList)3 lombok.val (lombok.val)3 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)3 SamlIdPMetadataCredentialResolver (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver)3 SamlIdPSamlRegisteredServiceCriterion (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)3 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)3 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)3 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)3 SamlException (org.apereo.cas.support.saml.SamlException)2 PrivateKeyFactoryBean (org.apereo.cas.util.crypto.PrivateKeyFactoryBean)2 BasicCredential (org.opensaml.security.credential.BasicCredential)2 BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)2 DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)2 DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)2 InlineX509DataProvider (org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider)2 KeyInfoReferenceProvider (org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider)2 RSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider)2 Sets (com.google.common.collect.Sets)1 PrivateKey (java.security.PrivateKey)1 Objects (java.util.Objects)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial