Example 1 with SAMLSignatureProfileValidator

use of org.opensaml.security.SAMLSignatureProfileValidator in project product-is by wso2.

the class SAML2SSOTestBase method validateSignature.

import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.impl.SignatureImpl;
import org.opensaml.xml.validation.ValidationException;

private void validateSignature(XMLObject signature, X509Credential x509Credential) throws Exception {
    SignatureImpl signImpl = (SignatureImpl) signature;
    // Step 1: structural check, before any key is touched. The profile validator
    // rejects a ds:Signature that has more than one Reference, whose Reference
    // does not point at the element enclosing the Signature, or that uses
    // transforms other than enveloped-signature and exclusive C14N. This is the
    // defence against XML Signature Wrapping.
    try {
        SAMLSignatureProfileValidator signatureProfileValidator = new SAMLSignatureProfileValidator();
        signatureProfileValidator.validate(signImpl);
    } catch (ValidationException ex) {
        String logMsg = "Signature does not conform to the SAML signature profile. Possible XML Signature Wrapping attack!";
        if (log.isDebugEnabled()) {
            log.debug(logMsg, ex);
        }
        throw new Exception(logMsg, ex);
    }
    // Step 2: cryptographic check against one explicitly trusted IdP credential
    // (no trust resolution from metadata in this variant).
    try {
        SignatureValidator validator = new SignatureValidator(x509Credential);
        validator.validate(signImpl);
    } catch (ValidationException e) {
        if (log.isDebugEnabled()) {
            log.debug("Validation exception : ", e);
        }
        throw new Exception("Signature validation failed for SAML2 Element", e);
    }
}
Also used:
  org.opensaml.security.SAMLSignatureProfileValidator
  org.opensaml.xml.signature.SignatureValidator
  org.opensaml.xml.signature.impl.SignatureImpl
  org.opensaml.xml.validation.ValidationException
  org.opensaml.xml.ConfigurationException
  org.wso2.carbon.identity.sso.saml.stub.IdentitySAMLSSOConfigServiceIdentityException
  org.xml.sax.SAXException
  javax.xml.parsers.ParserConfigurationException
  javax.xml.xpath.XPathExpressionException
  java.io.IOException
  java.io.UnsupportedEncodingException
  java.rmi.RemoteException

Example 2 with SAMLSignatureProfileValidator

use of org.opensaml.security.SAMLSignatureProfileValidator in project entcore by opendigitaleducation.

the class SamlValidator method validateSignature.

import java.util.ArrayList;
import java.util.List;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

public boolean validateSignature(String assertion) throws Exception {
    final Response response = SamlUtils.unmarshallResponse(assertion);
    final SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    // Collect the signatures protecting the data we will act on: the Response
    // signature if present, otherwise one signature per Assertion. An unsigned
    // assertion inside an unsigned response is rejected, not skipped.
    final List<Signature> signatures = new ArrayList<Signature>();
    if (response.getSignature() != null) {
        signatures.add(response.getSignature());
    } else if (response.getAssertions() != null && !response.getAssertions().isEmpty()) {
        for (Assertion a : response.getAssertions()) {
            if (a.getSignature() == null) {
                logger.error("Unsigned assertion in unsigned response.");
                throw new ValidationException("Signature not found.");
            }
            signatures.add(a.getSignature());
        }
    } else if (response.getEncryptedAssertions() != null && !response.getEncryptedAssertions().isEmpty()) {
        Assertion a = decryptAssertion(response);
        if (a != null && a.getSignature() != null) {
            signatures.add(a.getSignature());
        }
    } else {
        logger.error("Assertions not found.");
        throw new ValidationException("Assertions not found.");
    }
    if (signatures.isEmpty()) {
        logger.error("Signature not found.");
        throw new ValidationException("Signature not found.");
    }
    // Trust comes from the IdP's metadata: only a key published for SIGNING in
    // the IDPSSODescriptor of the entity named in <Issuer> may verify.
    final SignatureTrustEngine sigTrustEngine = getSignatureTrustEngine(response);
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIDCriteria(SamlUtils.getIssuer(response)));
    criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    for (Signature signature : signatures) {
        // Profile check first (structure, anti-wrapping), then the cryptographic check.
        profileValidator.validate(signature);
        if (!sigTrustEngine.validate(signature, criteriaSet)) {
            return false;
        }
    }
    return true;
}
Also used:
  org.opensaml.security.SAMLSignatureProfileValidator
  org.opensaml.security.MetadataCriteria
  org.opensaml.xml.security.CriteriaSet
  org.opensaml.xml.security.criteria.EntityIDCriteria
  org.opensaml.xml.security.criteria.UsageCriteria
  org.opensaml.xml.signature.Signature
  org.opensaml.xml.signature.SignatureTrustEngine
  org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine
  org.opensaml.xml.validation.ValidationException
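Both methods above call SAMLSignatureProfileValidator before any key is consulted, and both treat a failure as a possible XML Signature Wrapping attack. What that step actually enforces is easy to miss behind a single validate() call, so the block below is an added example (not OpenSAML code, and not code from product-is or entcore) that re-implements the same structural rules over a plain XML tree and runs them on constructed samples: a well-formed assertion, a wrapped one that reuses the signed element's ID, and one with an XPath transform. The rule that the referenced ID must resolve uniquely to the Signature's own parent is the one that catches the duplicated-ID variant; later OpenSAML 2.x releases perform that resolution check as well. Python is used rather than Java so the example runs stand-alone without the OpenSAML bootstrap; the sample documents are constructed, and their digest and signature values are dummies, since only structure is checked here. The cryptographic verification (SignatureValidator or a SignatureTrustEngine in the Java methods) remains a separate, later step.

```python
"""Re-implementation of the structural rules OpenSAML 2's SAMLSignatureProfileValidator
enforces, over a plain XML tree (added example, not OpenSAML code). Structure only:
the cryptographic check is the separate, later step the two Java methods show."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ENVELOPED = DS + "enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N, EXC_C14N + "WithComments"}


def _ds(name):
    return "{%s}%s" % (DS, name)


def profile_violations(xml_text):
    """Return the profile violations of every ds:Signature in the document;
    an empty list means every signature satisfies the SAML signature profile."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {}  # duplicate IDs are kept on purpose: wrapping attacks rely on them
    for el in root.iter():
        if el.get("ID") is not None:
            by_id.setdefault(el.get("ID"), []).append(el)

    sigs = [el for el in root.iter() if el.tag == _ds("Signature")]
    problems = [] if sigs else ["no ds:Signature element present"]
    for sig in sigs:
        parent = parent_of.get(sig)
        parent_id = parent.get("ID") if parent is not None else None
        # Rule 1: SignedInfo holds exactly one Reference.
        signed_info = sig.find(_ds("SignedInfo"))
        refs = signed_info.findall(_ds("Reference")) if signed_info is not None else []
        if len(refs) != 1:
            problems.append("SignedInfo has %d References, expected exactly 1" % len(refs))
            continue
        ref = refs[0]
        # Rule 2: the URI is "" or "#<ID>", and that ID resolves to exactly one
        # element in the document, which must be the Signature's own parent.
        uri = ref.get("URI", "")
        if uri != "":
            targets = by_id.get(uri[1:], [])
            if not uri.startswith("#") or len(uri) < 2:
                problems.append("Reference URI is not a same-document fragment: %r" % uri)
            elif parent_id is None or uri[1:] != parent_id:
                problems.append("Reference URI %r does not name the Signature's parent (ID %r)" % (uri, parent_id))
            elif len(targets) != 1 or targets[0] is not parent:
                problems.append("ID %r resolves to %d element(s); it must resolve only to the Signature's parent" % (uri[1:], len(targets)))
        # Rule 3: one or two transforms; enveloped-signature required, exclusive C14N optional.
        transforms = ref.find(_ds("Transforms"))
        algs = [t.get("Algorithm") for t in transforms.findall(_ds("Transform"))] if transforms is not None else []
        if not 1 <= len(algs) <= 2:
            problems.append("Reference has %d transforms, expected 1 or 2" % len(algs))
        else:
            problems.extend("disallowed transform %r" % a for a in algs if a not in ALLOWED_TRANSFORMS)
            if ENVELOPED not in algs:
                problems.append("enveloped-signature transform is missing")
        # Rule 4: no ds:Object children (a convenient hiding place for wrapped content).
        if sig.findall(_ds("Object")):
            problems.append("Signature contains ds:Object children")
    return problems


# Constructed samples (not real IdP output; digest and signature values are dummies).
def _signature(ref_uri, transforms):
    steps = "".join('<ds:Transform Algorithm="%s"/>' % t for t in transforms)
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%s"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
            '<ds:Reference URI="%s"><ds:Transforms>%s</ds:Transforms>'
            '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>') % (DS, EXC_C14N, ref_uri, steps)

def _assertion(assertion_id, name_id, signature=""):
    return ('<saml2:Assertion xmlns:saml2="%s" ID="%s">%s<saml2:Subject><saml2:NameID>%s</saml2:NameID>'
            '</saml2:Subject></saml2:Assertion>') % (SAML2, assertion_id, signature, name_id)

def _response(body):
    return '<saml2p:Response xmlns:saml2p="%s" ID="_r1">%s</saml2p:Response>' % (SAML2P, body)

# Well-formed: the assertion carries its own enveloped signature over its own ID.
GOOD = _response(_assertion("_a1", "alice", _signature("#_a1", [ENVELOPED, EXC_C14N])))
# Wrapped: the forged assertion reuses ID _a1 and now hosts the signature, while the genuinely
# signed one is parked under Extensions. "#_a1" still matches the parent's ID textually, so
# only the "resolves uniquely to the parent" rule catches it.
WRAPPED = _response(_assertion("_a1", "admin", _signature("#_a1", [ENVELOPED, EXC_C14N]))
                    + "<saml2p:Extensions>" + _assertion("_a1", "alice") + "</saml2p:Extensions>")
# Extra transform: an XPath filter can quietly exclude parts of the signed content.
XPATH = _response(_assertion("_a1", "alice", _signature(
    "#_a1", [ENVELOPED, "http://www.w3.org/TR/1999/REC-xpath-19991116"])))
```

The check deliberately reports every violation rather than stopping at the first, which is convenient when triaging a rejected response. Note what it does not do: a response where the original, still correctly signed assertion has merely been moved elsewhere passes the profile check unchanged, because its signature is still enclosed in the element it references. That case is handled by the consuming code only ever using the assertion object whose signature it verified, which is why the second Java method validates each assertion's own signature rather than looking assertions up by name afterwards.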
