Example 1 with AbstractCredential
use of org.opensaml.security.credential.AbstractCredential in project cas by apereo.
the class SamlIdPObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
*
* @param roleDescriptor the role descriptor
* @param service the service
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final RoleDescriptor roleDescriptor, final SamlRegisteredService service) throws Exception {
final BasicSignatureSigningConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
if (this.overrideBlackListedSignatureAlgorithms != null && !samlIdp.getAlgs().getOverrideBlackListedSignatureSigningAlgorithms().isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
}
if (this.overrideSignatureAlgorithms != null && !this.overrideSignatureAlgorithms.isEmpty()) {
config.setSignatureAlgorithms(this.overrideSignatureAlgorithms);
}
if (this.overrideSignatureReferenceDigestMethods != null && !this.overrideSignatureReferenceDigestMethods.isEmpty()) {
config.setSignatureReferenceDigestMethods(this.overrideSignatureReferenceDigestMethods);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (StringUtils.isNotBlank(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm())) {
config.setSignatureCanonicalizationAlgorithm(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm());
}
LOGGER.debug("Signature signing blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Signature signing signature algorithms: [{}]", config.getSignatureAlgorithms());
LOGGER.debug("Signature signing signature canonicalization algorithm: [{}]", config.getSignatureCanonicalizationAlgorithm());
LOGGER.debug("Signature signing whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
LOGGER.debug("Signature signing reference digest methods: [{}]", config.getSignatureReferenceDigestMethods());
final PrivateKey privateKey = getSigningPrivateKey();
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
kekCredentialResolver.setRoleDescriptorResolver(SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, idp.getMetadata().isRequireValidMetadata()));
kekCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
kekCredentialResolver.initialize();
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityIdCriterion(casProperties.getAuthn().getSamlIdp().getEntityId()));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
final Set<Credential> credentials = Sets.newLinkedHashSet(kekCredentialResolver.resolve(criteriaSet));
final List<Credential> creds = new ArrayList<>();
credentials.forEach(c -> {
final AbstractCredential cred = getResolvedSigningCredential(c, privateKey, service);
if (cred != null) {
creds.add(cred);
}
});
config.setSigningCredentials(creds);
LOGGER.debug("Signature signing credentials configured with [{}] credentials", creds.size());
return config;
}
Also used :
UsageCriterion(org.opensaml.security.criteria.UsageCriterion)
BasicCredential(org.opensaml.security.credential.BasicCredential)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
AbstractCredential(org.opensaml.security.credential.AbstractCredential)
Credential(org.opensaml.security.credential.Credential)
PrivateKey(java.security.PrivateKey)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
ArrayList(java.util.ArrayList)
MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver)
AbstractCredential(org.opensaml.security.credential.AbstractCredential)
SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
SignatureSigningConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)
BasicSignatureSigningConfiguration(org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration)
Aggregations
PrivateKey (java.security.PrivateKey)1
ArrayList (java.util.ArrayList)1
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)1
SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)1
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1
EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)1
MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)1
AbstractCredential (org.opensaml.security.credential.AbstractCredential)1
BasicCredential (org.opensaml.security.credential.BasicCredential)1
Credential (org.opensaml.security.credential.Credential)1
UsageCriterion (org.opensaml.security.criteria.UsageCriterion)1
BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)1
SignatureSigningConfigurationCriterion (org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)1
BasicSignatureSigningConfiguration (org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration)1
