Examples with SubjectConfirmation org.opensaml.saml.saml2.core.SubjectConfirmation used on opensource projects

Example 1 with SubjectConfirmation

use of org.opensaml.saml.saml2.core.SubjectConfirmation in project cas by apereo.

the class AbstractSaml20ObjectBuilder method newSubject.

/**
     * New subject element.
     *
     * @param nameIdFormat the name id format
     * @param nameIdValue  the name id value
     * @param recipient    the recipient
     * @param notOnOrAfter the not on or after
     * @param inResponseTo the in response to
     * @return the subject
     */
public Subject newSubject(final String nameIdFormat, final String nameIdValue, final String recipient, final ZonedDateTime notOnOrAfter, final String inResponseTo) {
    final SubjectConfirmation confirmation = newSamlObject(SubjectConfirmation.class);
    confirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
    final SubjectConfirmationData data = newSamlObject(SubjectConfirmationData.class);
    data.setRecipient(recipient);
    data.setNotOnOrAfter(DateTimeUtils.dateTimeOf(notOnOrAfter));
    data.setInResponseTo(inResponseTo);
    confirmation.setSubjectConfirmationData(data);
    final Subject subject = newSamlObject(Subject.class);
    subject.setNameID(getNameID(nameIdFormat, nameIdValue));
    subject.getSubjectConfirmations().add(confirmation);
    return subject;
}

Example 2 with SubjectConfirmation

use of org.opensaml.saml.saml2.core.SubjectConfirmation in project ddf by codice.

the class LoginFilter method validateHolderOfKeyConfirmation.

private void validateHolderOfKeyConfirmation(SamlAssertionWrapper assertion, X509Certificate[] x509Certs) throws SecurityServiceException {
    List<String> confirmationMethods = assertion.getConfirmationMethods();
    boolean hasHokMethod = false;
    for (String method : confirmationMethods) {
        if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
            hasHokMethod = true;
        }
    }
    if (hasHokMethod) {
        if (x509Certs != null && x509Certs.length > 0) {
            List<SubjectConfirmation> subjectConfirmations = assertion.getSaml2().getSubject().getSubjectConfirmations();
            for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
                if (OpenSAMLUtil.isMethodHolderOfKey(subjectConfirmation.getMethod())) {
                    Element dom = subjectConfirmation.getSubjectConfirmationData().getDOM();
                    Node keyInfo = dom.getFirstChild();
                    Node x509Data = keyInfo.getFirstChild();
                    Node dataNode = x509Data.getFirstChild();
                    Node dataText = dataNode.getFirstChild();
                    X509Certificate tlsCertificate = x509Certs[0];
                    if (dataNode.getLocalName().equals("X509Certificate")) {
                        String textContent = dataText.getTextContent();
                        byte[] byteValue = Base64.getMimeDecoder().decode(textContent);
                        try {
                            CertificateFactory cf = CertificateFactory.getInstance("X.509");
                            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteValue));
                            //check that the certificate is still valid
                            cert.checkValidity();
                            //if the certs aren't the same, verify
                            if (!tlsCertificate.equals(cert)) {
                                //verify that the cert was signed by the same private key as the TLS cert
                                cert.verify(tlsCertificate.getPublicKey());
                            }
                        } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
                            throw new SecurityServiceException("Unable to validate Holder of Key assertion with certificate.");
                        }
                    } else if (dataNode.getLocalName().equals("X509SubjectName")) {
                        String textContent = dataText.getTextContent();
                        //If, however, the relying party does not trust the certificate issuer to issue such a DN, the attesting entity is not confirmed and the relying party SHOULD disregard the assertion.
                        if (!tlsCertificate.getSubjectDN().getName().equals(textContent)) {
                            throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject DN.");
                        }
                    } else if (dataNode.getLocalName().equals("X509IssuerSerial")) {
                        //we have no way to support this confirmation type so we have to throw an error
                        throw new SecurityServiceException("Unable to validate Holder of Key assertion with issuer serial. NOT SUPPORTED");
                    } else if (dataNode.getLocalName().equals("X509SKI")) {
                        String textContent = dataText.getTextContent();
                        byte[] tlsSKI = tlsCertificate.getExtensionValue("2.5.29.14");
                        byte[] assertionSKI = Base64.getMimeDecoder().decode(textContent);
                        if (tlsSKI != null && tlsSKI.length > 0) {
                            ASN1OctetString tlsOs = ASN1OctetString.getInstance(tlsSKI);
                            ASN1OctetString assertionOs = ASN1OctetString.getInstance(assertionSKI);
                            SubjectKeyIdentifier tlsSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(tlsOs.getOctets());
                            SubjectKeyIdentifier assertSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(assertionOs.getOctets());
                            //the attesting entity is not confirmed and the relying party SHOULD disregard the assertion.
                            if (!Arrays.equals(tlsSubjectKeyIdentifier.getKeyIdentifier(), assertSubjectKeyIdentifier.getKeyIdentifier())) {
                                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
                            }
                        } else {
                            throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
                        }
                    }
                }
            }
        } else {
            throw new SecurityServiceException("Holder of Key assertion, must be used with 2-way TLS.");
        }
    }
}

Example 3 with SubjectConfirmation

use of org.opensaml.saml.saml2.core.SubjectConfirmation in project cxf by apache.

the class CombinedValidatorTest method testWrappingAttack3.

@org.junit.Test
public void testWrappingAttack3() throws Exception {
    Document doc = DOMUtils.createDocument();
    Response response = createResponse(doc);
    Element responseElement = OpenSAMLUtil.toDom(response, doc);
    doc.appendChild(responseElement);
    assertNotNull(responseElement);
    // Get Assertion Element
    Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);
    // Clone it, strip the Signature, modify the Subject, change Subj Conf
    Element clonedAssertion = (Element) assertionElement.cloneNode(true);
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
    Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSS4JConstants.SIG_NS, "Signature").item(0);
    clonedAssertion.removeChild(sigElement);
    Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("bob");
    Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);
    // Now insert the modified cloned Assertion into the Response before actual assertion
    responseElement.insertBefore(clonedAssertion, assertionElement);
    // System.out.println(DOM2Writer.nodeToString(responseElement));
    Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(responseElement);
    Crypto issuerCrypto = new Merlin();
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
    InputStream input = Merlin.loadInputStream(loader, "alice.jks");
    keyStore.load(input, "password".toCharArray());
    ((Merlin) issuerCrypto).setKeyStore(keyStore);
    // Validate the Response
    SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
    validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());
    // Test SSO validation
    SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
    ssoValidator.setEnforceAssertionsSigned(false);
    ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
    ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
    ssoValidator.setClientAddress("http://apache.org");
    ssoValidator.setRequestId("12345");
    ssoValidator.setSpIdentifier("http://service.apache.org");
    // Parse the response
    SSOValidatorResponse ssoResponse = ssoValidator.validateSamlResponse(marshalledResponse, false);
    SamlAssertionWrapper parsedAssertion = new SamlAssertionWrapper(ssoResponse.getAssertionElement());
    assertEquals("alice", parsedAssertion.getSubjectName());
}

Example 4 with SubjectConfirmation

use of org.opensaml.saml.saml2.core.SubjectConfirmation in project spring-security by spring-projects.

the class TestOpenSamlObjects method assertion.

static Assertion assertion(String username, String issuerEntityId, String recipientEntityId, String recipientUri) {
    Assertion assertion = build(Assertion.DEFAULT_ELEMENT_NAME);
    assertion.setID("A" + UUID.randomUUID().toString());
    assertion.setVersion(SAMLVersion.VERSION_20);
    assertion.setIssuer(issuer(issuerEntityId));
    assertion.setSubject(subject(username));
    assertion.setConditions(conditions());
    SubjectConfirmation subjectConfirmation = subjectConfirmation();
    subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
    SubjectConfirmationData confirmationData = subjectConfirmationData(recipientEntityId);
    confirmationData.setRecipient(recipientUri);
    subjectConfirmation.setSubjectConfirmationData(confirmationData);
    assertion.getSubject().getSubjectConfirmations().add(subjectConfirmation);
    AuthnStatement statement = build(AuthnStatement.DEFAULT_ELEMENT_NAME);
    statement.setSessionIndex("session-index");
    assertion.getAuthnStatements().add(statement);
    return assertion;
}

Example 5 with SubjectConfirmation

use of org.opensaml.saml.saml2.core.SubjectConfirmation in project ddf by codice.

the class SamlAssertionValidatorImplTest method createHolderOfKeyAssertion.

private Assertion createHolderOfKeyAssertion() throws Exception {
    Assertion assertion = new AssertionBuilder().buildObject();
    assertion.setID(UUID.randomUUID().toString());
    assertion.setIssueInstant(new DateTime());
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(ISSUER);
    assertion.setIssuer(issuer);
    NameID nameID = new NameIDBuilder().buildObject();
    nameID.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
    nameID.setNameQualifier("http://cxf.apache.org/sts");
    nameID.setValue("admin");
    X509SubjectName x509SubjectName = new X509SubjectNameBuilder().buildObject();
    x509SubjectName.setValue("EMAILADDRESS=localhost@example.org, CN=localhost, OU=Dev, O=DDF, ST=AZ, C=US");
    org.opensaml.xmlsec.signature.X509Certificate x509Certificate = new X509CertificateBuilder().buildObject();
    byte[] certBytes = certificate.getEncoded();
    String certString = new String(Base64.encode(certBytes));
    x509Certificate.setValue(certString);
    X509Data x509Data = new X509DataBuilder().buildObject();
    x509Data.getX509SubjectNames().add(x509SubjectName);
    x509Data.getX509Certificates().add(x509Certificate);
    KeyInfo keyInfo = new KeyInfoBuilder().buildObject();
    keyInfo.getX509Datas().add(x509Data);
    KeyInfoConfirmationDataType keyInfoConfirmationDataType = new KeyInfoConfirmationDataTypeBuilder().buildObject();
    keyInfoConfirmationDataType.getKeyInfos().add(keyInfo);
    SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
    subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
    subjectConfirmation.setSubjectConfirmationData(keyInfoConfirmationDataType);
    Subject subject = new SubjectBuilder().buildObject();
    subject.setNameID(nameID);
    subject.getSubjectConfirmations().add(subjectConfirmation);
    assertion.setSubject(subject);
    Conditions conditions = new ConditionsBuilder().buildObject();
    conditions.setNotBefore(new DateTime().minusDays(3));
    conditions.setNotOnOrAfter(new DateTime().plusDays(3));
    assertion.setConditions(conditions);
    AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
    authnStatement.setAuthnInstant(new DateTime());
    AuthnContext authnContext = new AuthnContextBuilder().buildObject();
    AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
    authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
    authnContext.setAuthnContextClassRef(authnContextClassRef);
    authnStatement.setAuthnContext(authnContext);
    assertion.getAuthnStatements().add(authnStatement);
    AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
    Attribute attribute = new AttributeBuilder().buildObject();
    AttributeValueType attributeValue = new AttributeValueTypeImplBuilder().buildObject();
    attributeValue.setValue("admin");
    attribute.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
    attribute.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
    attribute.getAttributeValues().add(attributeValue);
    attributeStatement.getAttributes().add(attribute);
    assertion.getAttributeStatements().add(attributeStatement);
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    signature.setSignatureAlgorithm(WSS4JConstants.RSA);
    BasicX509Credential signingCredential;
    signingCredential = new BasicX509Credential(certificate);
    signingCredential.setPrivateKey(privateKey);
    signature.setSigningCredential(signingCredential);
    X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
    x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
    KeyInfo signatureKeyInfo = x509KeyInfoGeneratorFactory.newInstance().generate(signingCredential);
    signature.setKeyInfo(signatureKeyInfo);
    assertion.setSignature(signature);
    return assertion;
}