use of org.opensaml.security.credential.Credential in project spring-security by spring-projects.
the class OpenSamlDecryptionUtils method decrypter.
private static Decrypter decrypter(RelyingPartyRegistration registration) {
Collection<Credential> credentials = new ArrayList<>();
for (Saml2X509Credential key : registration.getDecryptionX509Credentials()) {
Credential cred = CredentialSupport.getSimpleCredential(key.getCertificate(), key.getPrivateKey());
credentials.add(cred);
}
KeyInfoCredentialResolver resolver = new CollectionKeyInfoCredentialResolver(credentials);
Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
decrypter.setRootInNewDocument(true);
return decrypter;
}
use of org.opensaml.security.credential.Credential in project cas by apereo.
the class DefaultSamlIdPObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
* The resolved used is {@link SamlIdPMetadataCredentialResolver} that
* allows the entire criteria set to be passed to the role descriptor resolver.
* This behavior allows the passing of {@link SamlIdPSamlRegisteredServiceCriterion}
* so signing configuration, etc can be fetched for a specific service as an override,
* if on is in fact defined for the service.
*
* @param service the service
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final SamlRegisteredService service) throws Exception {
val config = configureSignatureSigningSecurityConfiguration(service);
val samlIdp = casProperties.getAuthn().getSamlIdp();
val privateKey = getSigningPrivateKey(service);
val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(samlIdPMetadataResolver, samlIdp.getMetadata().getCore().isRequireValidMetadata());
mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
mdCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
mdCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
val entityIdCriteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.trace("Resolving entity id from SAML2 IdP metadata for signature signing configuration is [{}]", service.getName());
val entityId = Objects.requireNonNull(samlIdPMetadataResolver.resolveSingle(entityIdCriteriaSet)).getEntityID();
LOGGER.trace("Resolved entity id from SAML2 IdP metadata is [{}]", entityId);
criteriaSet.add(new EntityIdCriterion(entityId));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.trace("Resolved signing credentials based on criteria [{}]", criteriaSet);
val credentials = Sets.newLinkedHashSet(mdCredentialResolver.resolve(criteriaSet));
LOGGER.trace("Resolved [{}] signing credentials", credentials.size());
val finalCredentials = new ArrayList<Credential>();
credentials.stream().map(c -> getResolvedSigningCredential(c, privateKey, service)).filter(Objects::nonNull).filter(c -> doesCredentialFingerprintMatch(c, service)).forEach(finalCredentials::add);
if (finalCredentials.isEmpty()) {
LOGGER.error("Unable to locate any signing credentials for service [{}]", service.getName());
throw new IllegalArgumentException("Unable to locate signing credentials");
}
config.setSigningCredentials(finalCredentials);
LOGGER.trace("Signature signing credentials configured with [{}] credentials", finalCredentials.size());
return config;
}
use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.
the class AuthnResponseFactory method aResponseFromIdpBuilder.
public ResponseBuilder aResponseFromIdpBuilder(String idpEntityId, String ipAddressSeenByIdp, String requestId, DateTime issueInstant, String authnStatementAssertionId, String authnAssertionSubjectPid, String authnAssertionIssuer, String authnAssertionInResponseTo, String mdsStatementAssertionId, String mdsAssertionSubjectPid, String mdsAssertionIssuer, String mdsAssertionInResponseTo, Optional<BasicCredential> basicCredential) {
TestCredentialFactory idpSigningCredentialFactory = new TestCredentialFactory(publicSigningCerts.get(idpEntityId), privateSigningKeys.get(idpEntityId));
final Subject mdsAssertionSubject = SubjectBuilder.aSubject().withPersistentId(mdsAssertionSubjectPid).withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation().withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(mdsAssertionInResponseTo).build()).build()).build();
final Subject authnAssertionSubject = SubjectBuilder.aSubject().withNameId(buildNameID(authnAssertionSubjectPid)).withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation().withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(authnAssertionInResponseTo).build()).build()).build();
final Conditions mdsAssertionConditions = ConditionsBuilder.aConditions().validFor(new Duration(1000 * 60 * 60)).build();
final AttributeStatement matchingDatasetAttributeStatement = MatchingDatasetAttributeStatementBuilder_1_1.aMatchingDatasetAttributeStatement_1_1().build();
final Credential encryptingCredential;
if (basicCredential.isPresent()) {
encryptingCredential = basicCredential.get();
} else {
encryptingCredential = hubEncryptionCredentialFactory.getEncryptingCredential();
}
final Credential signingCredential = idpSigningCredentialFactory.getSigningCredential();
final AssertionBuilder mdsAssertion = AssertionBuilder.anAssertion().withId(generateId()).withIssuer(IssuerBuilder.anIssuer().withIssuerId(mdsAssertionIssuer).build()).withSubject(mdsAssertionSubject).withConditions(mdsAssertionConditions).withId(mdsStatementAssertionId).addAttributeStatement(matchingDatasetAttributeStatement);
final AssertionBuilder authnAssertion = AssertionBuilder.anAssertion().withId(generateId()).addAttributeStatement(anAttributeStatement().addAttribute(anIPAddress().withValue(ipAddressSeenByIdp).build()).build()).withIssuer(IssuerBuilder.anIssuer().withIssuerId(authnAssertionIssuer).build()).withSubject(authnAssertionSubject).withId(authnStatementAssertionId).withIssueInstant(issueInstant).addAuthnStatement(AuthnStatementBuilder.anAuthnStatement().build());
ResponseBuilder responseBuilder = ResponseBuilder.aResponse().withId(generateId()).withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build()).withSigningCredential(signingCredential).withInResponseTo(requestId).addEncryptedAssertion(mdsAssertion.withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build()).buildWithEncrypterCredential(encryptingCredential)).addEncryptedAssertion(authnAssertion.withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build()).buildWithEncrypterCredential(encryptingCredential));
return responseBuilder;
}
use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.
the class HubTransformersFactory method getAuthnRequestToAuthnRequestFromTransactionTransformer.
public AuthnRequestToIdaRequestFromRelyingPartyTransformer getAuthnRequestToAuthnRequestFromTransactionTransformer(final URI expectedDestinationHost, final SigningKeyStore signingKeyStore, final IdaKeyStore decryptionKeyStore, final IdExpirationCache duplicateIds, final SamlDuplicateRequestValidationConfiguration samlDuplicateRequestValidationConfiguration, final SamlAuthnRequestValidityDurationConfiguration samlAuthnRequestValidityDurationConfiguration) {
List<Credential> credential = new IdaKeyStoreCredentialRetriever(decryptionKeyStore).getDecryptingCredentials();
Decrypter decrypter = decrypterFactory.createDecrypter(credential);
return new AuthnRequestToIdaRequestFromRelyingPartyTransformer(new AuthnRequestFromRelyingPartyUnmarshaller(decrypter), coreTransformersFactory.getSamlRequestSignatureValidator(signingKeyStore), new DestinationValidator(expectedDestinationHost, Endpoints.SSO_REQUEST_ENDPOINT), new AuthnRequestFromTransactionValidator(new IssuerValidator(), new DuplicateAuthnRequestValidator(duplicateIds, samlDuplicateRequestValidationConfiguration), new AuthnRequestIssueInstantValidator(samlAuthnRequestValidityDurationConfiguration)));
}
use of org.opensaml.security.credential.Credential in project cas by apereo.
the class SamlIdPObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
*
* @param roleDescriptor the role descriptor
* @param service the service
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final RoleDescriptor roleDescriptor, final SamlRegisteredService service) throws Exception {
final BasicSignatureSigningConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
if (this.overrideBlackListedSignatureAlgorithms != null && !samlIdp.getAlgs().getOverrideBlackListedSignatureSigningAlgorithms().isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
}
if (this.overrideSignatureAlgorithms != null && !this.overrideSignatureAlgorithms.isEmpty()) {
config.setSignatureAlgorithms(this.overrideSignatureAlgorithms);
}
if (this.overrideSignatureReferenceDigestMethods != null && !this.overrideSignatureReferenceDigestMethods.isEmpty()) {
config.setSignatureReferenceDigestMethods(this.overrideSignatureReferenceDigestMethods);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (StringUtils.isNotBlank(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm())) {
config.setSignatureCanonicalizationAlgorithm(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm());
}
LOGGER.debug("Signature signing blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Signature signing signature algorithms: [{}]", config.getSignatureAlgorithms());
LOGGER.debug("Signature signing signature canonicalization algorithm: [{}]", config.getSignatureCanonicalizationAlgorithm());
LOGGER.debug("Signature signing whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
LOGGER.debug("Signature signing reference digest methods: [{}]", config.getSignatureReferenceDigestMethods());
final PrivateKey privateKey = getSigningPrivateKey();
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
kekCredentialResolver.setRoleDescriptorResolver(SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, idp.getMetadata().isRequireValidMetadata()));
kekCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
kekCredentialResolver.initialize();
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityIdCriterion(casProperties.getAuthn().getSamlIdp().getEntityId()));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
final Set<Credential> credentials = Sets.newLinkedHashSet(kekCredentialResolver.resolve(criteriaSet));
final List<Credential> creds = new ArrayList<>();
credentials.forEach(c -> {
final AbstractCredential cred = getResolvedSigningCredential(c, privateKey, service);
if (cred != null) {
creds.add(cred);
}
});
config.setSigningCredentials(creds);
LOGGER.debug("Signature signing credentials configured with [{}] credentials", creds.size());
return config;
}
Aggregations