Example 16 with TokenCreationException

Use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.

The class OpenIdConnectTokenGenerationImpl, method symmetricSign.

private SignedJwt symmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, byte[] clientSecret) throws TokenCreationException {
    // Symmetric signing is only valid for HMAC algorithms; reject anything else up front
    // rather than handing a non-HMAC algorithm to an HMAC signing handler.
    if (!JwsAlgorithmType.HMAC.equals(jwsAlgorithm.getAlgorithmType())) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in OpenIdConnectTokenGenerationImpl#symmetricSign: algorithm type not HMAC but " + jwsAlgorithm.getAlgorithmType());
    }
    // The OIDC client secret is used directly as the HMAC key.
    final SigningHandler signingHandler = new SigningManager().newHmacSigningHandler(clientSecret);
    // Record the requested algorithm in the JWS header so the relying party verifies with the same one.
    JwsHeaderBuilder builder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    return builder.done().claims(claimsSet).asJwt();
}
Also used: JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) JwsHeaderBuilder(org.forgerock.json.jose.builders.JwsHeaderBuilder) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) SigningHandler(org.forgerock.json.jose.jws.handlers.SigningHandler) SigningManager(org.forgerock.json.jose.jws.SigningManager)

Example 17 with TokenCreationException

Use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.

The class SAML2TokenGenerationImpl, method encryptAttributeStatement.

private void encryptAttributeStatement(Assertion assertion, SAML2Config saml2Config, STSInstanceState stsInstanceState) throws TokenCreationException {
    // Attributes are encrypted to the Service Provider's certificate, so only the SP can read them.
    final PublicKey keyEncryptionKey = stsInstanceState.getSAML2CryptoProvider().getSPX509Certificate(saml2Config.getEncryptionKeyAlias()).getPublicKey();
    final String encryptionAlgorithm = saml2Config.getEncryptionAlgorithm();
    final int algorithmStrength = saml2Config.getEncryptionAlgorithmStrength();
    final String spEntityID = saml2Config.getSpEntityId();
    try {
        List<AttributeStatement> originalAttributeStatements = assertion.getAttributeStatements();
        if ((originalAttributeStatements != null) && !originalAttributeStatements.isEmpty()) {
            List<AttributeStatement> encryptedAttributeStatements = new ArrayList<>(originalAttributeStatements.size());
            for (AttributeStatement originalStatement : originalAttributeStatements) {
                List<Attribute> originalAttributes = originalStatement.getAttribute();
                if ((originalAttributes == null) || originalAttributes.isEmpty()) {
                    continue;
                }
                List<EncryptedAttribute> encryptedAttributes = new ArrayList<>(originalAttributes.size());
                for (Attribute originalAttribute : originalAttributes) {
                    EncryptedAttribute encryptedAttribute = originalAttribute.encrypt(keyEncryptionKey, encryptionAlgorithm, algorithmStrength, spEntityID);
                    if (encryptedAttribute == null) {
                        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, attribute encryption invocation returned null.");
                    }
                    encryptedAttributes.add(encryptedAttribute);
                }
                // Replace the plaintext attributes with their encrypted forms; the statement must not
                // carry both, or the plaintext would still be emitted in the assertion.
                originalStatement.setEncryptedAttribute(encryptedAttributes);
                originalStatement.setAttribute(Collections.<Attribute>emptyList());
                encryptedAttributeStatements.add(originalStatement);
            }
            assertion.setAttributeStatements(encryptedAttributeStatements);
        }
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, exception caught encrypting assertion attributes: " + e, e);
    }
}
Also used: EncryptedAttribute(com.sun.identity.saml2.assertion.EncryptedAttribute) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Attribute(com.sun.identity.saml2.assertion.Attribute) PublicKey(java.security.PublicKey) AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement) ArrayList(java.util.ArrayList) TokenCreationException(org.forgerock.openam.sts.TokenCreationException)

Example 18 with TokenCreationException

Use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.

The class SAML2TokenGenerationImpl, method signAssertion.

private void signAssertion(Assertion assertion, STSInstanceState instanceState) throws TokenCreationException {
    final SAML2CryptoProvider saml2CryptoProvider = instanceState.getSAML2CryptoProvider();
    final SAML2Config saml2Config = instanceState.getConfig().getSaml2Config();
    String signatureKeyPassword;
    try {
        // The key password is held as bytes in the config; decode it as UTF-8 for the keystore lookup.
        signatureKeyPassword = new String(saml2Config.getSignatureKeyPassword(), AMSTSConstants.UTF_8_CHARSET_ID);
    } catch (UnsupportedEncodingException e) {
        // Preserve the cause so the failure can be diagnosed from the exception chain.
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Could not obtain string representation of signature key password in SAML2TokenGenerationImpl: " + e, e);
    }
    /*
     * Note: the cert alias and private-key alias are the same. If there is a key entry in the keystore, it seems like
     * they are represented by the same alias.
     */
    PrivateKey privateKey = saml2CryptoProvider.getIDPPrivateKey(saml2Config.getSignatureKeyAlias(), signatureKeyPassword);
    try {
        // Sign with the IdP private key and embed the matching IdP certificate for the verifier.
        assertion.sign(privateKey, saml2CryptoProvider.getIDPX509Certificate(saml2Config.getSignatureKeyAlias()));
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught signing assertion in SAML2TokenGenerationImpl: " + e, e);
    }
}
Also used: SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2Config(org.forgerock.openam.sts.config.user.SAML2Config) SAML2CryptoProvider(org.forgerock.openam.sts.tokengeneration.saml2.xmlsig.SAML2CryptoProvider) PrivateKey(java.security.PrivateKey) UnsupportedEncodingException(java.io.UnsupportedEncodingException) TokenCreationException(org.forgerock.openam.sts.TokenCreationException)

Example 19 with TokenCreationException

Use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.

The class DefaultAttributeStatementsProvider, method get.

/**
 * @see org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider#get(com.iplanet.sso.SSOToken,
 * org.forgerock.openam.sts.config.user.SAML2Config, AttributeMapper)
 */
public List<AttributeStatement> get(SSOToken ssoToken, SAML2Config saml2Config, AttributeMapper mapper) throws TokenCreationException {
    AttributeStatement attributeStatement = AssertionFactory.getInstance().createAttributeStatement();
    try {
        // Map the session's principal attributes to SAML attributes using the configured attribute map.
        List<Attribute> attributeList = mapper.getAttributes(ssoToken, saml2Config.getAttributeMap());
        if ((attributeList == null) || attributeList.isEmpty()) {
            // No attributes to assert: emit no AttributeStatement at all rather than an empty one.
            return Collections.emptyList();
        }
        attributeStatement.setAttribute(attributeList);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting attributes in DefaultAttributeStatementsProvider: " + e, e);
    }
    List<AttributeStatement> attributeStatements = new ArrayList<>(1);
    attributeStatements.add(attributeStatement);
    return attributeStatements;
}
Also used: SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Attribute(com.sun.identity.saml2.assertion.Attribute) AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement) ArrayList(java.util.ArrayList) TokenCreationException(org.forgerock.openam.sts.TokenCreationException)

Example 20 with TokenCreationException

Use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.

The class DefaultSubjectProvider, method get.

public Subject get(String subjectId, String spAcsUrl, SAML2Config saml2Config, SAML2SubjectConfirmation subjectConfirmation, Date assertionIssueInstant, ProofTokenState proofTokenState) throws TokenCreationException {
    try {
        Subject subject = AssertionFactory.getInstance().createSubject();
        setNameIdentifier(subject, subjectId, saml2Config.getNameIdFormat());
        SubjectConfirmation subConfirmation = AssertionFactory.getInstance().createSubjectConfirmation();
        switch (subjectConfirmation) {
            case BEARER:
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER);
                /*
                 * See section 4.1.4.2 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf:
                 * the Recipient attribute of the SubjectConfirmation element must be set to the Service Provider
                 * ACS URL, which ties the bearer assertion to one intended recipient.
                 */
                SubjectConfirmationData bearerConfirmationData = AssertionFactory.getInstance().createSubjectConfirmationData();
                bearerConfirmationData.setRecipient(spAcsUrl);
                /*
                 * See section 4.1.4.2 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf:
                 * NotBefore cannot be set, but NotOnOrAfter must be set, bounding the bearer assertion's lifetime.
                 */
                bearerConfirmationData.setNotOnOrAfter(new Date(assertionIssueInstant.getTime() + (saml2Config.getTokenLifetimeInSeconds() * 1000)));
                subConfirmation.setSubjectConfirmationData(bearerConfirmationData);
                break;
            case SENDER_VOUCHES:
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_SENDER_VOUCHES);
                break;
            case HOLDER_OF_KEY:
                // Holder-of-key binds the assertion to the certificate the requester proved possession of.
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_HOLDER_OF_KEY);
                subConfirmation.setSubjectConfirmationData(getHoKSubjectConfirmationData(proofTokenState.getX509Certificate()));
                break;
            default:
                throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Unexpected SubjectConfirmation value in DefaultSubjectProvider: " + subjectConfirmation);
        }
        List<SubjectConfirmation> subjectConfirmationList = new ArrayList<>();
        subjectConfirmationList.add(subConfirmation);
        subject.setSubjectConfirmation(subjectConfirmationList);
        return subject;
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting subject confirmation state in DefaultSubjectProvider: " + e, e);
    }
}
Also used: SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2SubjectConfirmation(org.forgerock.openam.sts.token.SAML2SubjectConfirmation) SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation) ArrayList(java.util.ArrayList) SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) Subject(com.sun.identity.saml2.assertion.Subject) Date(java.util.Date)

Aggregations (type, and number of examples it appears in):

TokenCreationException (org.forgerock.openam.sts.TokenCreationException) 23
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception) 12
ArrayList (java.util.ArrayList) 6
Date (java.util.Date) 4
IOException (java.io.IOException) 3
ResourceException (org.forgerock.json.resource.ResourceException) 3
CTSTokenPersistenceException (org.forgerock.openam.sts.CTSTokenPersistenceException) 3
Element (org.w3c.dom.Element) 3
SSOException (com.iplanet.sso.SSOException) 2
IdRepoException (com.sun.identity.idm.IdRepoException) 2
Attribute (com.sun.identity.saml2.assertion.Attribute) 2
AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement) 2
NameID (com.sun.identity.saml2.assertion.NameID) 2
Subject (com.sun.identity.saml2.assertion.Subject) 2
SubjectConfirmationData (com.sun.identity.saml2.assertion.SubjectConfirmationData) 2
HashMap (java.util.HashMap) 2
TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse) 2
JwsHeaderBuilder (org.forgerock.json.jose.builders.JwsHeaderBuilder) 2
SigningManager (org.forgerock.json.jose.jws.SigningManager) 2
SigningHandler (org.forgerock.json.jose.jws.handlers.SigningHandler) 2