Examples with Issuer org.opensaml.saml.saml2.core.Issuer used on opensource projects

Example 1 with Issuer

use of org.opensaml.saml.saml2.core.Issuer in project OpenAttestation by OpenAttestation.

the class SamlGenerator method createIssuer.

// create the issuer
private Issuer createIssuer() {
    // Create Issuer
    SAMLObjectBuilder issuerBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    Issuer issuer = (Issuer) issuerBuilder.buildObject();
    issuer.setValue(this.issuerName);
    return issuer;
}

Example 2 with Issuer

use of org.opensaml.saml.saml2.core.Issuer in project ddf by codice.

the class LoginFilter method createSamlResponse.

/**
     * Creates the SAML response that we use for validation against the CXF
     * code.
     *
     * @param inResponseTo
     * @param issuer
     * @param status
     * @return Response
     */
private static Response createSamlResponse(String inResponseTo, String issuer, Status status) {
    if (responseBuilder == null) {
        responseBuilder = (SAMLObjectBuilder<Response>) builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME);
    }
    Response response = responseBuilder.buildObject();
    response.setID(UUID.randomUUID().toString());
    response.setIssueInstant(new DateTime());
    response.setInResponseTo(inResponseTo);
    response.setIssuer(createIssuer(issuer));
    response.setStatus(status);
    response.setVersion(SAMLVersion.VERSION_20);
    return response;
}

Example 3 with Issuer

use of org.opensaml.saml.saml2.core.Issuer in project ddf by codice.

the class LoginFilter method validateHolderOfKeyConfirmation.

private void validateHolderOfKeyConfirmation(SamlAssertionWrapper assertion, X509Certificate[] x509Certs) throws SecurityServiceException {
    List<String> confirmationMethods = assertion.getConfirmationMethods();
    boolean hasHokMethod = false;
    for (String method : confirmationMethods) {
        if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
            hasHokMethod = true;
        }
    }
    if (hasHokMethod) {
        if (x509Certs != null && x509Certs.length > 0) {
            List<SubjectConfirmation> subjectConfirmations = assertion.getSaml2().getSubject().getSubjectConfirmations();
            for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
                if (OpenSAMLUtil.isMethodHolderOfKey(subjectConfirmation.getMethod())) {
                    Element dom = subjectConfirmation.getSubjectConfirmationData().getDOM();
                    Node keyInfo = dom.getFirstChild();
                    Node x509Data = keyInfo.getFirstChild();
                    Node dataNode = x509Data.getFirstChild();
                    Node dataText = dataNode.getFirstChild();
                    X509Certificate tlsCertificate = x509Certs[0];
                    if (dataNode.getLocalName().equals("X509Certificate")) {
                        String textContent = dataText.getTextContent();
                        byte[] byteValue = Base64.getMimeDecoder().decode(textContent);
                        try {
                            CertificateFactory cf = CertificateFactory.getInstance("X.509");
                            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteValue));
                            //check that the certificate is still valid
                            cert.checkValidity();
                            //if the certs aren't the same, verify
                            if (!tlsCertificate.equals(cert)) {
                                //verify that the cert was signed by the same private key as the TLS cert
                                cert.verify(tlsCertificate.getPublicKey());
                            }
                        } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
                            throw new SecurityServiceException("Unable to validate Holder of Key assertion with certificate.");
                        }
                    } else if (dataNode.getLocalName().equals("X509SubjectName")) {
                        String textContent = dataText.getTextContent();
                        //If, however, the relying party does not trust the certificate issuer to issue such a DN, the attesting entity is not confirmed and the relying party SHOULD disregard the assertion.
                        if (!tlsCertificate.getSubjectDN().getName().equals(textContent)) {
                            throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject DN.");
                        }
                    } else if (dataNode.getLocalName().equals("X509IssuerSerial")) {
                        //we have no way to support this confirmation type so we have to throw an error
                        throw new SecurityServiceException("Unable to validate Holder of Key assertion with issuer serial. NOT SUPPORTED");
                    } else if (dataNode.getLocalName().equals("X509SKI")) {
                        String textContent = dataText.getTextContent();
                        byte[] tlsSKI = tlsCertificate.getExtensionValue("2.5.29.14");
                        byte[] assertionSKI = Base64.getMimeDecoder().decode(textContent);
                        if (tlsSKI != null && tlsSKI.length > 0) {
                            ASN1OctetString tlsOs = ASN1OctetString.getInstance(tlsSKI);
                            ASN1OctetString assertionOs = ASN1OctetString.getInstance(assertionSKI);
                            SubjectKeyIdentifier tlsSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(tlsOs.getOctets());
                            SubjectKeyIdentifier assertSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(assertionOs.getOctets());
                            //the attesting entity is not confirmed and the relying party SHOULD disregard the assertion.
                            if (!Arrays.equals(tlsSubjectKeyIdentifier.getKeyIdentifier(), assertSubjectKeyIdentifier.getKeyIdentifier())) {
                                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
                            }
                        } else {
                            throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
                        }
                    }
                }
            }
        } else {
            throw new SecurityServiceException("Holder of Key assertion, must be used with 2-way TLS.");
        }
    }
}

Example 4 with Issuer

use of org.opensaml.saml.saml2.core.Issuer in project ddf by codice.

the class SamlProtocol method createIssuer.

public static Issuer createIssuer(String issuerValue) {
    Issuer issuer = issuerBuilder.buildObject();
    issuer.setValue(issuerValue);
    return issuer;
}

Example 5 with Issuer

use of org.opensaml.saml.saml2.core.Issuer in project ddf by codice.

the class SamlProtocol method createAttributeQuery.

public static AttributeQuery createAttributeQuery(Issuer issuer, Subject subject, String destination) {
    AttributeQuery attributeQuery = attributeQueryBuilder.buildObject();
    attributeQuery.setID(UUID.randomUUID().toString());
    attributeQuery.setIssueInstant(new DateTime());
    attributeQuery.setIssuer(issuer);
    attributeQuery.setSubject(subject);
    attributeQuery.setVersion(SAMLVersion.VERSION_20);
    if (StringUtils.isNotBlank(destination)) {
        attributeQuery.setDestination(destination);
    }
    return attributeQuery;
}