use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class WsFederationHelper method validateSignature.
/**
* validateSignature checks to see if the signature on an assertion is valid.
*
* @param assertion a provided assertion
* @param wsFederationConfiguration WS-Fed configuration provided.
* @return true if the assertion's signature is valid, otherwise false
*/
public boolean validateSignature(final Assertion assertion, final WsFederationConfiguration wsFederationConfiguration) {
if (assertion == null) {
LOGGER.warn("No assertion was provided to validate signatures");
return false;
}
boolean valid = false;
if (assertion.getSignature() != null) {
final SignaturePrevalidator validator = new SAMLSignatureProfileValidator();
try {
validator.validate(assertion.getSignature());
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIdCriterion(wsFederationConfiguration.getIdentityProviderIdentifier()));
try {
final SignatureTrustEngine engine = buildSignatureTrustEngine(wsFederationConfiguration);
valid = engine.validate(assertion.getSignature(), criteriaSet);
} catch (final SecurityException e) {
LOGGER.warn(e.getMessage(), e);
} finally {
if (!valid) {
LOGGER.warn("Signature doesn't match any signing credential.");
}
}
} catch (final SignatureException e) {
LOGGER.warn("Failed to validate assertion signature", e);
}
}
SamlUtils.logSamlObject(this.configBean, assertion);
return valid;
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlIdPObjectSignatureValidator method buildEntityCriteriaForSigningCredential.
@Override
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
criteriaSet.add(new EntityIdCriterion(casSamlIdPMetadataResolver.getId()));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlObjectEncrypter method getKeyEncryptionCredential.
/**
* Gets key encryption credential.
*
* @param peerEntityId the peer entity id
* @param adaptor the adaptor
* @param service the service
* @return the key encryption credential
* @throws Exception the exception
*/
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
}
if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
}
LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
LOGGER.debug("Signature data algorithms: [{}]", config.getDataEncryptionAlgorithms());
LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
final List<KeyInfoProvider> providers = new ArrayList<>();
providers.add(new RSAKeyValueProvider());
providers.add(new DSAKeyValueProvider());
providers.add(new InlineX509DataProvider());
providers.add(new DEREncodedKeyValueProvider());
providers.add(new KeyInfoReferenceProvider());
final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
final RoleDescriptorResolver roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, idp.getMetadata().isRequireValidMetadata());
kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
kekCredentialResolver.initialize();
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EncryptionConfigurationCriterion(config));
criteriaSet.add(new EntityIdCriterion(peerEntityId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
return kekCredentialResolver.resolveSingle(criteriaSet);
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method validateSignature.
/**
* Validate the given digital signature by checking its profile and value.
*
* @param signature the signature
* @param idpEntityId the idp entity id
* @param trustEngine the trust engine
*/
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
try {
validator.validate(signature);
} catch (final SignatureException e) {
throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
}
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIdCriterion(idpEntityId));
final boolean valid;
try {
valid = trustEngine.validate(signature, criteriaSet);
} catch (final SecurityException e) {
throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
}
if (!valid) {
throw new SAMLSignatureValidationException("Signature is not trusted");
}
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlObjectSignatureValidatorTests method setupTestContextFor.
private void setupTestContextFor(final String spMetadataPath, final String spEntityId) throws Exception {
val idpMetadata = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
val keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
saml2ClientConfiguration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadata);
saml2ClientConfiguration.setServiceProviderEntityId(spEntityId);
saml2ClientConfiguration.setServiceProviderMetadataPath(spMetadataPath);
saml2ClientConfiguration.init();
val saml2Client = new SAML2Client(saml2ClientConfiguration);
saml2Client.setCallbackUrl("http://callback.example.org");
saml2Client.init();
samlContext = new MessageContext();
saml2MessageContext = new SAML2MessageContext();
saml2MessageContext.setSaml2Configuration(saml2ClientConfiguration);
saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));
val peer = saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
assertNotNull(peer);
peer.setEntityId("https://cas.example.org/idp");
val md = peer.getSubcontext(SAMLMetadataContext.class, true);
assertNotNull(md);
val idpResolver = SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, true);
md.setRoleDescriptor(idpResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(peer.getEntityId())), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME))));
val self = saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
assertNotNull(self);
self.setEntityId(saml2ClientConfiguration.getServiceProviderEntityId());
val sp = self.getSubcontext(SAMLMetadataContext.class, true);
assertNotNull(sp);
val spRes = new InMemoryResourceMetadataResolver(saml2ClientConfiguration.getServiceProviderMetadataResource(), openSamlConfigBean);
spRes.setId(getClass().getSimpleName());
spRes.initialize();
val spResolver = SamlIdPUtils.getRoleDescriptorResolver(spRes, true);
sp.setRoleDescriptor(spResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(self.getEntityId())), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))));
val service = new SamlRegisteredService();
service.setName("Sample");
service.setServiceId(saml2ClientConfiguration.getServiceProviderEntityId());
service.setId(100);
service.setDescription("SAML Service");
service.setMetadataLocation(spMetadataPath);
val facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(samlRegisteredServiceCachingMetadataResolver, service, service.getServiceId());
this.adaptor = facade.get();
}
Aggregations