Example 6 with Credential

use of org.opensaml.security.credential.Credential in project cas by apereo.

the class WsFederationHelperTests method verifyGetSigningCredential.

@Test
public void verifyGetSigningCredential() throws Exception {
    final Credential result = wsFedConfig.getSigningCertificates().iterator().next();
    assertNotNull("testGetSigningCredential() - Not Null", result);
}
Also used : Credential(org.opensaml.security.credential.Credential) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) Test(org.junit.Test)

Example 7 with Credential

use of org.opensaml.security.credential.Credential in project cas by apereo.

the class SamlObjectEncrypter method encode.

/**
 * Encode a given SAML object by invoking a number of outbound security handlers on the context.
 *
 * @param samlObject the SAML object (assertion) to encrypt
 * @param service    the registered service
 * @param adaptor    the service provider metadata adaptor
 * @param response   the response
 * @param request    the request
 * @return the encrypted assertion
 * @throws SamlException if the encryption credential or parameters cannot be resolved, or encryption fails
 */
public EncryptedAssertion encode(final Assertion samlObject, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final HttpServletResponse response, final HttpServletRequest request) throws SamlException {
    try {
        LOGGER.debug("Attempting to encrypt [{}] for [{}]", samlObject.getClass().getName(), adaptor.getEntityId());
        final Credential credential = getKeyEncryptionCredential(adaptor.getEntityId(), adaptor, service);
        LOGGER.info("Found encryption public key: [{}]", EncodingUtils.encodeBase64(credential.getPublicKey().getEncoded()));
        final KeyEncryptionParameters keyEncParams = getKeyEncryptionParameters(samlObject, service, adaptor, credential);
        LOGGER.debug("Key encryption algorithm for [{}] is [{}]", keyEncParams.getRecipient(), keyEncParams.getAlgorithm());
        final DataEncryptionParameters dataEncParams = getDataEncryptionParameters(samlObject, service, adaptor);
        LOGGER.debug("Data encryption algorithm for [{}] is [{}]", adaptor.getEntityId(), dataEncParams.getAlgorithm());
        final Encrypter encrypter = getEncrypter(samlObject, service, adaptor, keyEncParams, dataEncParams);
        LOGGER.debug("Attempting to encrypt [{}] for [{}] with key placement of [{}]", samlObject.getClass().getName(), adaptor.getEntityId(), encrypter.getKeyPlacement());
        return encrypter.encrypt(samlObject);
    } catch (final Exception e) {
        throw new SamlException(e.getMessage(), e);
    }
}
Also used : Encrypter(org.opensaml.saml.saml2.encryption.Encrypter) KeyEncryptionParameters(org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters) Credential(org.opensaml.security.credential.Credential) SamlException(org.apereo.cas.support.saml.SamlException) DataEncryptionParameters(org.opensaml.xmlsec.encryption.support.DataEncryptionParameters)

Example 8 with Credential

use of org.opensaml.security.credential.Credential in project cas by apereo.

the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.

private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    final SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
    final SAMLPeerEntityContext peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlRequest(profileRequest));
    LOGGER.debug("Validating request signature for [{}] via [{}]...", peer.getEntityId(), handler.getClass().getSimpleName());
    LOGGER.debug("Resolving role descriptor for [{}]", peer.getEntityId());
    final RoleDescriptor roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peer.getEntityId()), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    peer.setRole(roleDescriptor.getElementQName());
    final SAMLProtocolContext protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);
    LOGGER.debug("Building security parameters context for signature validation of [{}]", peer.getEntityId());
    final SecurityParametersContext secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    final SignatureValidationParameters validationParams = new SignatureValidationParameters();
    if (overrideBlackListedSignatureAlgorithms != null && !overrideBlackListedSignatureAlgorithms.isEmpty()) {
        validationParams.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
        // Log the blacklist that was actually applied (the original logged the whitelist here by mistake).
        LOGGER.debug("Validation override blacklisted algorithms are [{}]", this.overrideBlackListedSignatureAlgorithms);
    }
    if (overrideWhiteListedAlgorithms != null && !overrideWhiteListedAlgorithms.isEmpty()) {
        validationParams.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
        LOGGER.debug("Validation override whitelisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    LOGGER.debug("Resolving signing credentials for [{}]", peer.getEntityId());
    final Credential credential = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credential == null) {
        throw new SamlException("Signing credential for validation could not be resolved");
    }
    final CredentialResolver resolver = new StaticCredentialResolver(credential);
    final KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
    final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
    validationParams.setSignatureTrustEngine(trustEngine);
    secCtx.setSignatureValidationParameters(validationParams);
    handler.setHttpServletRequest(request);
    LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
    handler.initialize();
    LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
    handler.invoke(context);
    LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
}
Also used : Credential(org.opensaml.security.credential.Credential) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler) SamlException(org.apereo.cas.support.saml.SamlException) SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) SAMLProtocolContext(org.opensaml.saml.common.messaging.context.SAMLProtocolContext) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) RoleDescriptor(org.opensaml.saml.saml2.metadata.RoleDescriptor) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SecurityParametersContext(org.opensaml.xmlsec.context.SecurityParametersContext) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) CredentialResolver(org.opensaml.security.credential.CredentialResolver)

Example 9 with Credential

use of org.opensaml.security.credential.Credential in project cas by apereo.

the class SamlObjectSignatureValidator method validateSignatureOnProfileRequest.

private void validateSignatureOnProfileRequest(final RequestAbstractType profileRequest, final Signature signature, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    LOGGER.debug("Validating profile signature for [{}] via [{}]...", profileRequest.getIssuer(), validator.getClass().getSimpleName());
    validator.validate(signature);
    LOGGER.debug("Successfully validated profile signature for [{}].", profileRequest.getIssuer());
    final Credential credential = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credential == null) {
        throw new SamlException("Signing credential for validation could not be resolved");
    }
    LOGGER.debug("Validating signature using credentials for [{}]", credential.getEntityId());
    SignatureValidator.validate(signature, credential);
    LOGGER.info("Successfully validated the request signature.");
}
Also used : Credential(org.opensaml.security.credential.Credential) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) SamlException(org.apereo.cas.support.saml.SamlException)

Aggregations

Credential (org.opensaml.security.credential.Credential)9 ArrayList (java.util.ArrayList)4 WsFederationCredential (org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)4 BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)4 SamlException (org.apereo.cas.support.saml.SamlException)3 KeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)3 StaticKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)3 InputStream (java.io.InputStream)2 X509Certificate (java.security.cert.X509Certificate)2 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)2 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)2 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)2 SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)2 CredentialResolver (org.opensaml.security.credential.CredentialResolver)2 StaticCredentialResolver (org.opensaml.security.credential.impl.StaticCredentialResolver)2 SignatureTrustEngine (org.opensaml.xmlsec.signature.support.SignatureTrustEngine)2 ExplicitKeySignatureTrustEngine (org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)2 Throwables (com.google.common.base.Throwables)1 BufferedReader (java.io.BufferedReader)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1