
Example 1 with SubjectConfirmation

use of org.opensaml.saml2.core.SubjectConfirmation in project cas by apereo.

the class AbstractSaml20ObjectBuilder method newSubject.

/**
 * Builds a SAML 2.0 {@code Subject} holding a NameID and a single bearer subject confirmation.
 *
 * <p>The confirmation uses {@code SubjectConfirmation.METHOD_BEARER}, so nothing here binds the
 * assertion to a key. The recipient, expiry and in-response-to values are copied into the
 * {@code SubjectConfirmationData} exactly as given; this method does not validate them.
 *
 * @param nameIdFormat the NameID format, handed to {@code getNameID}
 * @param nameIdValue  the NameID value, handed to {@code getNameID}
 * @param recipient    the value stored as the confirmation data's Recipient
 * @param notOnOrAfter the instant stored as NotOnOrAfter, converted via {@code DateTimeUtils.dateTimeOf}
 * @param inResponseTo the value stored as InResponseTo
 * @return the populated subject
 */
public Subject newSubject(final String nameIdFormat, final String nameIdValue, final String recipient, final ZonedDateTime notOnOrAfter, final String inResponseTo) {
    // Confirmation data first: these three fields are what a relying party can check on a bearer assertion.
    final SubjectConfirmationData confirmationData = newSamlObject(SubjectConfirmationData.class);
    confirmationData.setInResponseTo(inResponseTo);
    confirmationData.setNotOnOrAfter(DateTimeUtils.dateTimeOf(notOnOrAfter));
    confirmationData.setRecipient(recipient);

    final SubjectConfirmation bearerConfirmation = newSamlObject(SubjectConfirmation.class);
    bearerConfirmation.setSubjectConfirmationData(confirmationData);
    bearerConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);

    final Subject result = newSamlObject(Subject.class);
    result.getSubjectConfirmations().add(bearerConfirmation);
    result.setNameID(getNameID(nameIdFormat, nameIdValue));
    return result;
}
Also used : SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) Subject(org.opensaml.saml.saml2.core.Subject)

Example 2 with SubjectConfirmation

use of org.opensaml.saml2.core.SubjectConfirmation in project ddf by codice.

the class LoginFilter method validateHolderOfKeyConfirmation.

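/**
 * Checks a Holder-of-Key SAML assertion against the client certificate presented over TLS.
 *
 * <p>Returns without doing anything when the assertion declares no Holder-of-Key confirmation
 * method. Otherwise a client certificate is required, and every Holder-of-Key
 * {@code SubjectConfirmation} must carry key information (X509Certificate, X509SubjectName or
 * X509SKI) that matches {@code x509Certs[0]}. Missing, malformed or unrecognised key information
 * is rejected rather than skipped, so the check fails closed.
 *
 * @param assertion the assertion whose subject confirmations are inspected
 * @param x509Certs the client certificates from the TLS session; only the first entry is compared
 * @throws SecurityServiceException if a Holder-of-Key confirmation cannot be matched to the TLS
 *     certificate, uses an unsupported key type, or no client certificate was presented
 */
private void validateHolderOfKeyConfirmation(SamlAssertionWrapper assertion, X509Certificate[] x509Certs) throws SecurityServiceException {
    boolean hasHokMethod = false;
    for (String method : assertion.getConfirmationMethods()) {
        if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
            hasHokMethod = true;
            break;
        }
    }
    if (!hasHokMethod) {
        return;
    }
    if (x509Certs == null || x509Certs.length == 0) {
        throw new SecurityServiceException("Holder of Key assertion, must be used with 2-way TLS.");
    }
    // The subject confirmations are read from the SAML 2.0 view only; reject instead of hitting a NullPointerException.
    if (assertion.getSaml2() == null || assertion.getSaml2().getSubject() == null) {
        throw new SecurityServiceException("Unable to validate Holder of Key assertion without a SAML 2.0 subject.");
    }
    X509Certificate tlsCertificate = x509Certs[0];
    for (SubjectConfirmation subjectConfirmation : assertion.getSaml2().getSubject().getSubjectConfirmations()) {
        if (!OpenSAMLUtil.isMethodHolderOfKey(subjectConfirmation.getMethod())) {
            continue;
        }
        // Expected layout: SubjectConfirmationData / KeyInfo / X509Data / <key element> / text.
        // The content comes from the assertion, so every step is null-checked.
        Element dom = subjectConfirmation.getSubjectConfirmationData() == null ? null : subjectConfirmation.getSubjectConfirmationData().getDOM();
        Node keyInfo = dom == null ? null : dom.getFirstChild();
        Node x509Data = keyInfo == null ? null : keyInfo.getFirstChild();
        Node dataNode = x509Data == null ? null : x509Data.getFirstChild();
        // getLocalName() is null for non-element nodes such as whitespace text.
        String keyType = dataNode == null ? null : dataNode.getLocalName();
        if (keyType == null) {
            throw new SecurityServiceException("Unable to validate Holder of Key assertion, key information is missing or malformed.");
        }
        if ("X509IssuerSerial".equals(keyType)) {
            //we have no way to support this confirmation type so we have to throw an error
            throw new SecurityServiceException("Unable to validate Holder of Key assertion with issuer serial. NOT SUPPORTED");
        }
        Node dataText = dataNode.getFirstChild();
        String textContent = dataText == null ? null : dataText.getTextContent();
        if (textContent == null) {
            throw new SecurityServiceException("Unable to validate Holder of Key assertion, key information is missing or malformed.");
        }
        if ("X509Certificate".equals(keyType)) {
            try {
                // Decoding sits inside the try so malformed Base64 is reported as a validation failure.
                byte[] byteValue = Base64.getMimeDecoder().decode(textContent);
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteValue));
                // Validity-period check only; no chain building or revocation check happens here.
                cert.checkValidity();
                if (!tlsCertificate.equals(cert)) {
                    // NOTE(review): this accepts a certificate whose signature verifies under the TLS
                    // certificate's public key, i.e. one issued by the TLS key. Confirm that is the
                    // intended Holder-of-Key binding.
                    cert.verify(tlsCertificate.getPublicKey());
                }
            } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException | IllegalArgumentException e) {
                throw new SecurityServiceException("Unable to validate Holder of Key assertion with certificate.", e);
            }
        } else if ("X509SubjectName".equals(keyType)) {
            //If, however, the relying party does not trust the certificate issuer to issue such a DN, the attesting entity is not confirmed and the relying party SHOULD disregard the assertion.
            // NOTE(review): exact string comparison of the DN; differently formatted but equivalent DNs will not match.
            if (!tlsCertificate.getSubjectDN().getName().equals(textContent)) {
                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject DN.");
            }
        } else if ("X509SKI".equals(keyType)) {
            // 2.5.29.14 is the SubjectKeyIdentifier extension OID.
            byte[] tlsSKI = tlsCertificate.getExtensionValue("2.5.29.14");
            if (tlsSKI == null || tlsSKI.length == 0) {
                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
            }
            boolean sameKeyIdentifier;
            try {
                byte[] assertionSKI = Base64.getMimeDecoder().decode(textContent);
                ASN1OctetString tlsOs = ASN1OctetString.getInstance(tlsSKI);
                ASN1OctetString assertionOs = ASN1OctetString.getInstance(assertionSKI);
                SubjectKeyIdentifier tlsSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(tlsOs.getOctets());
                SubjectKeyIdentifier assertSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(assertionOs.getOctets());
                sameKeyIdentifier = Arrays.equals(tlsSubjectKeyIdentifier.getKeyIdentifier(), assertSubjectKeyIdentifier.getKeyIdentifier());
            } catch (IllegalArgumentException e) {
                // Bad Base64 or ASN.1 in the assertion is a validation failure, not a server error.
                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.", e);
            }
            //the attesting entity is not confirmed and the relying party SHOULD disregard the assertion.
            if (!sameKeyIdentifier) {
                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
            }
        } else {
            // Fail closed: an unrecognised key element must not be treated as a successful confirmation.
            throw new SecurityServiceException("Unable to validate Holder of Key assertion with unsupported key information: " + keyType);
        }
    }
}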
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) SecurityServiceException(ddf.security.service.SecurityServiceException) Element(org.w3c.dom.Element) Node(org.w3c.dom.Node) CertificateException(java.security.cert.CertificateException) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SignatureException(java.security.SignatureException) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) InvalidKeyException(java.security.InvalidKeyException) CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) ByteArrayInputStream(java.io.ByteArrayInputStream) NoSuchProviderException(java.security.NoSuchProviderException)

Example 3 with SubjectConfirmation

use of org.opensaml.saml2.core.SubjectConfirmation in project cas by apereo.

the class Saml10ObjectBuilder method newSubject.

/**
 * Builds a SAML 1.x {@code Subject} with a name identifier and one confirmation method.
 *
 * <p>Both arguments are stored as given; no validation of the identifier or the confirmation
 * method URI is performed here.
 *
 * @param identifier         the value placed in the subject's {@code NameIdentifier}
 * @param confirmationMethod the value placed in the {@code ConfirmationMethod} element
 * @return the populated subject
 */
public Subject newSubject(final String identifier, final String confirmationMethod) {
    final NameIdentifier subjectName = newSamlObject(NameIdentifier.class);
    subjectName.setNameIdentifier(identifier);

    final ConfirmationMethod methodElement = newSamlObject(ConfirmationMethod.class);
    methodElement.setConfirmationMethod(confirmationMethod);

    final SubjectConfirmation subjectConfirmation = newSamlObject(SubjectConfirmation.class);
    subjectConfirmation.getConfirmationMethods().add(methodElement);

    final Subject result = newSamlObject(Subject.class);
    result.setSubjectConfirmation(subjectConfirmation);
    result.setNameIdentifier(subjectName);
    return result;
}
Also used : SubjectConfirmation(org.opensaml.saml.saml1.core.SubjectConfirmation) NameIdentifier(org.opensaml.saml.saml1.core.NameIdentifier) ConfirmationMethod(org.opensaml.saml.saml1.core.ConfirmationMethod) Subject(org.opensaml.saml.saml1.core.Subject)

Example 4 with SubjectConfirmation

use of org.opensaml.saml2.core.SubjectConfirmation in project OpenAttestation by OpenAttestation.

the class SamlGenerator method createSubjectConfirmation.

/**
 * Builds the sender-vouches {@code SubjectConfirmation} for a host.
 *
 * <p>The confirmation data comes from {@code createSubjectConfirmationData(host)}. The NameID set
 * on the confirmation holds {@code issuerServiceName} with the unspecified format, and no
 * NameQualifier is set (it is optional). The X.509 subject from the host certificate could be
 * used as the NameID value instead of this name.
 */
private SubjectConfirmation createSubjectConfirmation(TxtHost host) throws ConfigurationException, UnknownHostException {
    // NameID carried on the confirmation
    SAMLObjectBuilder nameIdFactory = (SAMLObjectBuilder) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
    NameID confirmationNameId = (NameID) nameIdFactory.buildObject();
    confirmationNameId.setFormat(NameID.UNSPECIFIED);
    confirmationNameId.setValue(issuerServiceName);

    // The confirmation itself: sender-vouches method plus host-specific confirmation data
    SAMLObjectBuilder confirmationFactory = (SAMLObjectBuilder) builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
    SubjectConfirmation result = (SubjectConfirmation) confirmationFactory.buildObject();
    result.setMethod(SubjectConfirmation.METHOD_SENDER_VOUCHES);
    result.setSubjectConfirmationData(createSubjectConfirmationData(host));
    result.setNameID(confirmationNameId);
    return result;
}
Also used : SubjectConfirmation(org.opensaml.saml2.core.SubjectConfirmation) SAMLObjectBuilder(org.opensaml.common.SAMLObjectBuilder) NameID(org.opensaml.saml2.core.NameID)

Aggregations

SubjectConfirmation (org.opensaml.saml.saml2.core.SubjectConfirmation)2 SecurityServiceException (ddf.security.service.SecurityServiceException)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1 InvalidKeyException (java.security.InvalidKeyException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 NoSuchProviderException (java.security.NoSuchProviderException)1 SignatureException (java.security.SignatureException)1 CertificateException (java.security.cert.CertificateException)1 CertificateFactory (java.security.cert.CertificateFactory)1 X509Certificate (java.security.cert.X509Certificate)1 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)1 SubjectKeyIdentifier (org.bouncycastle.asn1.x509.SubjectKeyIdentifier)1 SAMLObjectBuilder (org.opensaml.common.SAMLObjectBuilder)1 ConfirmationMethod (org.opensaml.saml.saml1.core.ConfirmationMethod)1 NameIdentifier (org.opensaml.saml.saml1.core.NameIdentifier)1 Subject (org.opensaml.saml.saml1.core.Subject)1 SubjectConfirmation (org.opensaml.saml.saml1.core.SubjectConfirmation)1 Subject (org.opensaml.saml.saml2.core.Subject)1 SubjectConfirmationData (org.opensaml.saml.saml2.core.SubjectConfirmationData)1 NameID (org.opensaml.saml2.core.NameID)1