use of org.opensaml.core.criterion.EntityIdCriterion in project pac4j by pac4j.
the class SAML2LogoutResponseValidator method validateSignature.
/**
 * Verifies that {@code signature} conforms to the SAML signature profile and is
 * trusted for the identity provider identified by {@code idpEntityId}.
 *
 * @param signature   the XML signature to check
 * @param idpEntityId the entity id of the identity provider expected to have signed
 * @param trustEngine the engine used to establish trust in the signing key
 * @throws SAMLSignatureValidationException if the signature violates the SAML
 *         signature profile, if the trust engine reports an error, or if the
 *         signature is not trusted
 */
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
    // Profile check first, before the trust engine is consulted at all.
    try {
        new SAMLSignatureProfileValidator().validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
    }

    // Narrow trust resolution to the named IdP's signing keys for the SAML 2.0 protocol.
    final CriteriaSet idpSigningCriteria = new CriteriaSet(
        new UsageCriterion(UsageType.SIGNING),
        new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME),
        new ProtocolCriterion(SAMLConstants.SAML20P_NS),
        new EntityIdCriterion(idpEntityId));

    final boolean trusted;
    try {
        trusted = trustEngine.validate(signature, idpSigningCriteria);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }

    if (trusted) {
        return;
    }
    throw new SAMLSignatureValidationException("Signature is not trusted");
}
use of org.opensaml.core.criterion.EntityIdCriterion in project pac4j by pac4j.
the class SAML2IdentityProviderMetadataResolverTest method resolveMetadataEntityId.
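/**
 * Resolves the IdP metadata and checks that the entity descriptor for the
 * expected entity id can be looked up by {@link EntityIdCriterion}.
 *
 * @throws Exception if metadata resolution fails
 */
@Test
public void resolveMetadataEntityId() throws Exception {
    final String expectedEntityId = "mmoayyed.example.net";
    final MetadataResolver resolver = metadataResolver.resolve();
    final CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(expectedEntityId));
    final EntityDescriptor entity = resolver.resolveSingle(criteria);
    // assertEquals takes (expected, actual); with the arguments reversed a failure
    // message reports the two values the wrong way round.
    assertEquals(expectedEntityId, entity.getEntityID());
}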
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class SamlIdPObjectSignatureValidator method buildEntityCriteriaForSigningCredential.
/**
 * Points signing-credential resolution at this IdP's own metadata entry (the
 * metadata resolver's id) in the {@code IDPSSODescriptor} role. The
 * {@code profileRequest} is not consulted here.
 *
 * @param profileRequest the profile request (unused in this override)
 * @param criteriaSet    the criteria set the entity id and role criteria are added to
 */
@Override
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
    final EntityIdCriterion idpEntityId = new EntityIdCriterion(casSamlIdPMetadataResolver.getId());
    final EntityRoleCriterion idpRole = new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    criteriaSet.add(idpEntityId);
    criteriaSet.add(idpRole);
}
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class SamlObjectSignatureValidator method buildEntityCriteriaForSigningCredential.
/**
 * Points signing-credential resolution at the issuer of {@code profileRequest}
 * in the {@code SPSSODescriptor} role, i.e. the service provider that sent it.
 *
 * @param profileRequest the profile request whose issuer names the expected signer
 * @param criteriaSet    the criteria set the entity id and role criteria are added to
 */
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
    final String issuerEntityId = SamlIdPUtils.getIssuerFromSamlObject(profileRequest);
    final EntityIdCriterion issuerCriterion = new EntityIdCriterion(issuerEntityId);
    final EntityRoleCriterion spRole = new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    criteriaSet.add(issuerCriterion);
    criteriaSet.add(spRole);
}
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.
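/**
 * Validates the signature of an authentication request using the HTTP-Redirect
 * deflate signature handler.
 * <p>
 * Populates the peer, protocol and security-parameters subcontexts the handler
 * reads, then tries each signing credential resolved for the request's issuer in
 * turn until one verifies the signature. A failure with an individual credential
 * is logged at debug level and the next credential is tried; if none verifies,
 * a {@link SamlException} is thrown.
 *
 * @param profileRequest         the SAML request whose issuer is the expected signer
 * @param request                the HTTP request handed to the signature handler
 * @param context                the message context the handler operates on
 * @param roleDescriptorResolver resolves the issuer's SP role descriptor
 * @throws Exception if the issuer's role descriptor cannot be resolved, no signing
 *                   credential is available, or no credential verifies the signature
 */
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    val peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest));
    val peerEntityId = Objects.requireNonNull(peer.getEntityId());
    LOGGER.debug("Validating request signature for [{}]...", peerEntityId);

    val roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    if (roleDescriptor == null) {
        // Fail with a meaningful error instead of an NPE on getElementQName() below.
        throw new SamlException("No SP role descriptor could be resolved for [" + peerEntityId + "]");
    }
    peer.setRole(roleDescriptor.getElementQName());

    val protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);

    LOGGER.debug("Building security parameters context for signature validation of [{}]", peerEntityId);
    val secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    val validationParams = new SignatureValidationParameters();
    if (overrideBlockedSignatureAlgorithms != null && !overrideBlockedSignatureAlgorithms.isEmpty()) {
        validationParams.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
        // Log the blocked list that was just applied, not the allowed list.
        LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideBlockedSignatureAlgorithms);
    }
    if (overrideAllowedAlgorithms != null && !overrideAllowedAlgorithms.isEmpty()) {
        validationParams.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
        LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
    }

    LOGGER.debug("Resolving signing credentials for [{}]", peerEntityId);
    val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }

    // Try each candidate credential with its own explicit-key trust engine; the
    // first one that lets the handler complete without throwing wins.
    var foundValidCredential = false;
    val it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
        try {
            val credential = it.next();
            val resolver = new StaticCredentialResolver(credential);
            val keyResolver = new StaticKeyInfoCredentialResolver(credential);
            val trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            // Best effort per credential: a mismatch here is expected when several
            // keys are published; the overall failure is reported after the loop.
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
    }

    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}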