use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class OpenIdConnectTokenGenerationImpl method symmetricSign.
/**
 * Signs the OpenID Connect token with an HMAC keyed by the client secret.
 * The token's {@code asMap()} form becomes the JWT claims set and {@code jwsAlgorithm} is written into the JWS header.
 *
 * @param openIdConnectToken the token whose claims are to be signed
 * @param jwsAlgorithm the JWS algorithm to record in the header; must be of type {@link JwsAlgorithmType#HMAC}
 * @param clientSecret the raw HMAC key
 * @return the signed JWT
 * @throws TokenCreationException with {@code BAD_REQUEST} if the algorithm is not an HMAC algorithm
 */
private SignedJwt symmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, byte[] clientSecret) throws TokenCreationException {
    final JwsAlgorithmType algorithmType = jwsAlgorithm.getAlgorithmType();
    // Only HMAC algorithms can be keyed by a shared client secret; reject anything else before building a handler.
    if (!JwsAlgorithmType.HMAC.equals(algorithmType)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in OpenIdConnectTokenGenerationImpl#symmetricSign: algorithm type not HMAC but " + algorithmType);
    }
    // NOTE(review): clientSecret is not checked for null or emptiness here — confirm callers validate it before signing.
    final SigningHandler hmacHandler = new SigningManager().newHmacSigningHandler(clientSecret);
    final JwsHeaderBuilder headerBuilder = jwtBuilderFactory.jws(hmacHandler).headers().alg(jwsAlgorithm);
    final JwtClaimsSet claims = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    return headerBuilder.done().claims(claims).asJwt();
}
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method encryptAttributeStatement.
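/**
 * Replaces the plaintext attributes of every attribute statement in the assertion with their encrypted form.
 * Attributes are encrypted for the service provider using the SP certificate resolved from
 * {@code saml2Config.getEncryptionKeyAlias()} and the algorithm/strength configured in {@code saml2Config}.
 * Statements that carry no attributes are not carried over into the assertion; an assertion with no attribute
 * statements at all is left untouched.
 *
 * @param assertion the assertion to modify in place
 * @param saml2Config supplies the encryption key alias, algorithm, strength and SP entity id
 * @param stsInstanceState provides the crypto provider used to resolve the SP certificate
 * @throws TokenCreationException if an attribute encryption returns null or the SAML library throws
 */
private void encryptAttributeStatement(Assertion assertion, SAML2Config saml2Config, STSInstanceState stsInstanceState) throws TokenCreationException {
    final PublicKey keyEncryptionKey = stsInstanceState.getSAML2CryptoProvider().getSPX509Certificate(saml2Config.getEncryptionKeyAlias()).getPublicKey();
    final String encryptionAlgorithm = saml2Config.getEncryptionAlgorithm();
    final int algorithmStrength = saml2Config.getEncryptionAlgorithmStrength();
    final String spEntityID = saml2Config.getSpEntityId();
    try {
        final List<AttributeStatement> originalAttributeStatements = assertion.getAttributeStatements();
        if (originalAttributeStatements == null || originalAttributeStatements.isEmpty()) {
            return;
        }
        final List<AttributeStatement> encryptedAttributeStatements = new ArrayList<>(originalAttributeStatements.size());
        for (AttributeStatement statement : originalAttributeStatements) {
            final List<Attribute> originalAttributes = statement.getAttribute();
            if (originalAttributes == null || originalAttributes.isEmpty()) {
                // Nothing to encrypt: the statement is dropped rather than emitted empty.
                continue;
            }
            final List<EncryptedAttribute> encryptedAttributes = new ArrayList<>(originalAttributes.size());
            for (Attribute attribute : originalAttributes) {
                final EncryptedAttribute encryptedAttribute = attribute.encrypt(keyEncryptionKey, encryptionAlgorithm, algorithmStrength, spEntityID);
                if (encryptedAttribute == null) {
                    throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, attribute encryption invocation returned null.");
                }
                encryptedAttributes.add(encryptedAttribute);
            }
            statement.setEncryptedAttribute(encryptedAttributes);
            // Clear the plaintext attributes so only the encrypted form is emitted. A typed empty list replaces the
            // raw Collections.EMPTY_LIST, which is why no unchecked suppression is needed on this method.
            statement.setAttribute(Collections.<Attribute>emptyList());
            encryptedAttributeStatements.add(statement);
        }
        assertion.setAttributeStatements(encryptedAttributeStatements);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, exception caught encrypting assertion attributes: " + e, e);
    }
}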
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method signAssertion.
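/**
 * Signs the assertion with the IdP private key and certificate of this STS instance.
 * The signing key is looked up by {@code saml2Config.getSignatureKeyAlias()} and unlocked with
 * {@code saml2Config.getSignatureKeyPassword()}.
 *
 * @param assertion the assertion to sign in place
 * @param instanceState supplies the crypto provider and the SAML2 configuration
 * @throws TokenCreationException if the key password cannot be decoded or the SAML library fails to sign
 */
private void signAssertion(Assertion assertion, STSInstanceState instanceState) throws TokenCreationException {
    final SAML2CryptoProvider saml2CryptoProvider = instanceState.getSAML2CryptoProvider();
    final SAML2Config saml2Config = instanceState.getConfig().getSaml2Config();
    final String signatureKeyAlias = saml2Config.getSignatureKeyAlias();
    final String signatureKeyPassword;
    try {
        // The crypto provider takes the password as a String, so the byte[] form has to be decoded here.
        // NOTE(review): as an immutable String the password cannot be zeroed after use; the provider API dictates this.
        signatureKeyPassword = new String(saml2Config.getSignatureKeyPassword(), AMSTSConstants.UTF_8_CHARSET_ID);
    } catch (UnsupportedEncodingException e) {
        // Keep the cause so the underlying decoding failure stays visible in the stack trace.
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Could not obtain string representation of signature key password in SAML2TokenGenerationImpl: " + e, e);
    }
    /*
    Note: the cert alias and private-key alias are the same. If there is a key entry in the keystore, it seems like
    they are represented by the same alias.
    */
    final PrivateKey privateKey = saml2CryptoProvider.getIDPPrivateKey(signatureKeyAlias, signatureKeyPassword);
    try {
        assertion.sign(privateKey, saml2CryptoProvider.getIDPX509Certificate(signatureKeyAlias));
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught signing assertion in SAML2TokenGenerationImpl: " + e, e);
    }
}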
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class DefaultAttributeStatementsProvider method get.
/**
 * Builds a single attribute statement from the attributes the mapper resolves for the SSO token.
 * Returns an empty list when the mapper yields no attributes.
 *
 * @see org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider#get(com.iplanet.sso.SSOToken,
 * org.forgerock.openam.sts.config.user.SAML2Config, AttributeMapper)
 *
 */
public List<AttributeStatement> get(SSOToken ssoToken, SAML2Config saml2Config, AttributeMapper mapper) throws TokenCreationException {
    final AttributeStatement statement = AssertionFactory.getInstance().createAttributeStatement();
    try {
        final List<Attribute> mappedAttributes = mapper.getAttributes(ssoToken, saml2Config.getAttributeMap());
        if (mappedAttributes == null || mappedAttributes.isEmpty()) {
            return Collections.emptyList();
        }
        statement.setAttribute(mappedAttributes);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting attributes in DefaultAttributeStatementsProvider: " + e, e);
    }
    // A mutable single-element list, matching what callers have always received.
    final List<AttributeStatement> statements = new ArrayList<>(1);
    statements.add(statement);
    return statements;
}
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class DefaultSubjectProvider method get.
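/**
 * Builds the SAML2 Subject for an assertion: a NameID for {@code subjectId} plus a single SubjectConfirmation
 * of the requested kind.
 * <ul>
 *   <li>{@code BEARER}: Recipient is the SP ACS URL and NotOnOrAfter is the issue instant plus the configured
 *   token lifetime (saml-profiles-2.0 section 4.1.4.2; NotBefore is not set).</li>
 *   <li>{@code SENDER_VOUCHES}: the confirmation method only.</li>
 *   <li>{@code HOLDER_OF_KEY}: confirmation data built from the certificate carried in {@code proofTokenState}.</li>
 * </ul>
 *
 * @param subjectId the value of the NameID
 * @param spAcsUrl the service provider's assertion consumer service URL (bearer Recipient)
 * @param saml2Config supplies the NameID format and the token lifetime
 * @param subjectConfirmation the confirmation method to emit
 * @param assertionIssueInstant the assertion's issue instant; bearer NotOnOrAfter is computed from it
 * @param proofTokenState the proof token for HOLDER_OF_KEY; not read for the other methods
 * @return the populated Subject
 * @throws TokenCreationException if HOLDER_OF_KEY is requested without a proof token ({@code BAD_REQUEST}),
 *   for an unexpected confirmation value, or if the SAML library throws ({@code INTERNAL_ERROR})
 */
public Subject get(String subjectId, String spAcsUrl, SAML2Config saml2Config, SAML2SubjectConfirmation subjectConfirmation, Date assertionIssueInstant, ProofTokenState proofTokenState) throws TokenCreationException {
    try {
        final Subject subject = AssertionFactory.getInstance().createSubject();
        setNameIdentifier(subject, subjectId, saml2Config.getNameIdFormat());
        final SubjectConfirmation subConfirmation = AssertionFactory.getInstance().createSubjectConfirmation();
        switch (subjectConfirmation) {
            case BEARER:
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER);
                /*
                see section 4.1.4.2 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf -
                Recipient attribute of SubjectConfirmation element must be set to the Service Provider
                ACS url.
                */
                final SubjectConfirmationData bearerConfirmationData = AssertionFactory.getInstance().createSubjectConfirmationData();
                bearerConfirmationData.setRecipient(spAcsUrl);
                /*
                see section 4.1.4.2 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf - NotBefore cannot
                be set, but NotOnOrAfter must be set.
                */
                // Multiply as a long so a large configured lifetime cannot overflow int arithmetic and yield a
                // NotOnOrAfter in the past (or far future).
                bearerConfirmationData.setNotOnOrAfter(new Date(assertionIssueInstant.getTime() + (saml2Config.getTokenLifetimeInSeconds() * 1000L)));
                subConfirmation.setSubjectConfirmationData(bearerConfirmationData);
                break;
            case SENDER_VOUCHES:
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_SENDER_VOUCHES);
                break;
            case HOLDER_OF_KEY:
                if (proofTokenState == null) {
                    // Holder-of-key binds the assertion to the presenter's certificate; without it the confirmation
                    // cannot be built, so fail with a clear error instead of a NullPointerException.
                    throw new TokenCreationException(ResourceException.BAD_REQUEST, "HOLDER_OF_KEY subject confirmation requested without a ProofTokenState in DefaultSubjectProvider.");
                }
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_HOLDER_OF_KEY);
                subConfirmation.setSubjectConfirmationData(getHoKSubjectConfirmationData(proofTokenState.getX509Certificate()));
                break;
            default:
                throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Unexpected SubjectConfirmation value in DefaultSubjectProvider: " + subjectConfirmation);
        }
        final List<SubjectConfirmation> subjectConfirmationList = new ArrayList<>();
        subjectConfirmationList.add(subConfirmation);
        subject.setSubjectConfirmation(subjectConfirmationList);
        return subject;
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting subject confirmation state in DefaultSubjectProvider: " + e, e);
    }
}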