Search in sources :

Example 1 with MetadataCredentialResolver

use of org.opensaml.saml.security.impl.MetadataCredentialResolver in project cas by apereo.

the class SamlObjectEncrypter method getKeyEncryptionCredential.

/**
     * Gets key encryption credential.
     *
     * @param peerEntityId the peer entity id
     * @param adaptor      the adaptor
     * @param service      the service
     * @return the key encryption credential
     * @throws Exception the exception
     */
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
    final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
    final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
    if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
        config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
    }
    if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
        config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
    }
    if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
        config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
    }
    LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
    LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
    LOGGER.debug("Signature data algorithms: [{}]", config.getDataEncryptionAlgorithms());
    LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
    final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
    final List<KeyInfoProvider> providers = new ArrayList<>();
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(adaptor.getMetadataResolver());
    roleDescriptorResolver.setSatisfyAnyPredicates(true);
    roleDescriptorResolver.setUseDefaultPredicateRegistry(true);
    roleDescriptorResolver.setRequireValidMetadata(idp.getMetadata().isRequireValidMetadata());
    roleDescriptorResolver.initialize();
    kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    kekCredentialResolver.initialize();
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EncryptionConfigurationCriterion(config));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
    return kekCredentialResolver.resolveSingle(criteriaSet);
}
Also used : UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) EncryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) PredicateRoleDescriptorResolver(org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) KeyInfoProvider(org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider) SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) BasicEncryptionConfiguration(org.opensaml.xmlsec.impl.BasicEncryptionConfiguration) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)

Example 2 with MetadataCredentialResolver

use of org.opensaml.saml.security.impl.MetadataCredentialResolver in project cas by apereo.

the class SamlObjectSignatureValidator method getSigningCredential.

private Credential getSigningCredential(final RoleDescriptorResolver resolver, final RequestAbstractType profileRequest) {
    try {
        final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
        final SignatureValidationConfiguration config = getSignatureValidationConfiguration();
        kekCredentialResolver.setRoleDescriptorResolver(resolver);
        kekCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        kekCredentialResolver.initialize();
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new SignatureValidationConfigurationCriterion(config));
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        buildEntityCriteriaForSigningCredential(profileRequest, criteriaSet);
        return kekCredentialResolver.resolveSingle(criteriaSet);
    } catch (final Exception e) {
        throw Throwables.propagate(e);
    }
}
Also used : UsageCriterion(org.opensaml.security.criteria.UsageCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) BasicSignatureValidationConfiguration(org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration) SignatureValidationConfiguration(org.opensaml.xmlsec.SignatureValidationConfiguration) SignatureValidationConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureValidationConfigurationCriterion) SamlException(org.apereo.cas.support.saml.SamlException)

Aggregations

CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)2 MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)2 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)2 ArrayList (java.util.ArrayList)1 SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)1 SamlException (org.apereo.cas.support.saml.SamlException)1 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)1 PredicateRoleDescriptorResolver (org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver)1 SignatureValidationConfiguration (org.opensaml.xmlsec.SignatureValidationConfiguration)1 EncryptionConfigurationCriterion (org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion)1 SignatureValidationConfigurationCriterion (org.opensaml.xmlsec.criterion.SignatureValidationConfigurationCriterion)1 BasicEncryptionConfiguration (org.opensaml.xmlsec.impl.BasicEncryptionConfiguration)1 BasicSignatureValidationConfiguration (org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration)1 BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)1 KeyInfoProvider (org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider)1 DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)1 DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)1 InlineX509DataProvider (org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider)1 KeyInfoReferenceProvider (org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider)1