Example 21 with Credential

Use of org.opensaml.security.credential.Credential in project pac4j by pac4j.

Class KeyStoreCredentialProvider, method getKeyInfoGenerator.

@Override
public final KeyInfoGenerator getKeyInfoGenerator() {
    // Manager pre-populated with OpenSAML's default KeyInfo generator factories.
    final NamedKeyInfoGeneratorManager mgmr = DefaultSecurityConfigurationBootstrap.buildBasicKeyInfoGeneratorManager();
    final Credential credential = getCredential();
    // The default manager picks the factory registered for this credential's type (e.g. X509Credential).
    return mgmr.getDefaultManager().getFactory(credential).newInstance();
}
Also used : X509Credential(org.opensaml.security.x509.X509Credential) Credential(org.opensaml.security.credential.Credential) NamedKeyInfoGeneratorManager(org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager)

Example 22 with Credential

Use of org.opensaml.security.credential.Credential in project pac4j by pac4j.

Class KeyStoreCredentialProvider, method getKeyInfo.

@Override
public KeyInfo getKeyInfo() {
    // Produce the KeyInfo element that describes the configured server credential.
    final Credential serverCredential = getCredential();
    final KeyInfo keyInfo = generateKeyInfoForCredential(serverCredential);
    return keyInfo;
}
Also used : X509Credential(org.opensaml.security.x509.X509Credential) Credential(org.opensaml.security.credential.Credential) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)

Example 23 with Credential

Use of org.opensaml.security.credential.Credential in project cas by apereo.

Class WsFederationHelper, method createCredentialFromToken.

/**
 * createCredentialFromToken converts a SAML 1.1 assertion to a WSFederationCredential.
 *
 * @param assertion the provided assertion
 * @return an equivalent credential.
 */
public WsFederationCredential createCredentialFromToken(final Assertion assertion) {
    val retrievedOn = ZonedDateTime.now(clock);
    LOGGER.trace("Retrieved on [{}]", retrievedOn);
    val credential = new WsFederationCredential();
    credential.setRetrievedOn(retrievedOn);
    credential.setId(assertion.getID());
    credential.setIssuer(assertion.getIssuer());
    credential.setIssuedOn(DateTimeUtils.zonedDateTimeOf(assertion.getIssueInstant()));
    // Copy the validity window and audience from the assertion's Conditions, if present.
    val conditions = assertion.getConditions();
    if (conditions != null) {
        credential.setNotBefore(DateTimeUtils.zonedDateTimeOf(conditions.getNotBefore()));
        credential.setNotOnOrAfter(DateTimeUtils.zonedDateTimeOf(conditions.getNotOnOrAfter()));
        // Only the first audience of the first AudienceRestriction condition is retained.
        if (!conditions.getAudienceRestrictionConditions().isEmpty()) {
            credential.setAudience(conditions.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getURI());
        }
    }
    // Only the first authentication statement determines the recorded authentication method.
    if (!assertion.getAuthenticationStatements().isEmpty()) {
        credential.setAuthenticationMethod(assertion.getAuthenticationStatements().get(0).getAuthenticationMethod());
    }
    // Flatten every attribute statement into a name -> values map; values are read as XSAny text content.
    val attributes = new HashMap<String, List<Object>>();
    assertion.getAttributeStatements().stream().flatMap(attributeStatement -> attributeStatement.getAttributes().stream()).forEach(item -> {
        LOGGER.trace("Processed attribute: [{}]", item.getAttributeName());
        final List<Object> itemList = item.getAttributeValues().stream().map(xmlObject -> ((XSAny) xmlObject).getTextContent()).collect(Collectors.toList());
        if (!itemList.isEmpty()) {
            attributes.put(item.getAttributeName(), itemList);
        }
    });
    credential.setAttributes(attributes);
    LOGGER.debug("WsFederation Credential retrieved as: [{}]", credential);
    return credential;
}
Also used : lombok.val(lombok.val) WsFederationCertificateProvider(org.apereo.cas.support.wsfederation.authentication.crypto.WsFederationCertificateProvider) XSAny(org.opensaml.core.xml.schema.XSAny) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) SneakyThrows(lombok.SneakyThrows) Assertion(org.opensaml.saml.saml1.core.Assertion) ZonedDateTime(java.time.ZonedDateTime) RequiredArgsConstructor(lombok.RequiredArgsConstructor) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) Security(java.security.Security) StringUtils(org.apache.commons.lang3.StringUtils) SamlUtils(org.apereo.cas.support.saml.SamlUtils) LoggingUtils(org.apereo.cas.util.LoggingUtils) FunctionUtils(org.apereo.cas.util.function.FunctionUtils) Pair(org.apache.commons.lang3.tuple.Pair) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) ByteArrayInputStream(java.io.ByteArrayInputStream) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) Unchecked(org.jooq.lambda.Unchecked) UsageType(org.opensaml.security.credential.UsageType) DateTimeUtils(org.apereo.cas.util.DateTimeUtils) PEMParser(org.bouncycastle.openssl.PEMParser) Collection(java.util.Collection) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) 
RequestedSecurityToken(org.opensaml.soap.wsfed.RequestedSecurityToken) EncryptedData(org.opensaml.xmlsec.encryption.EncryptedData) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) EncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver) Setter(lombok.Setter) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RegisteredServiceProperty(org.apereo.cas.services.RegisteredServiceProperty) RegisteredServiceAccessStrategyUtils(org.apereo.cas.services.RegisteredServiceAccessStrategyUtils) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder) X509CertParser(org.bouncycastle.jce.provider.X509CertParser) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) Predicates(com.google.common.base.Predicates) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) ServicesManager(org.apereo.cas.services.ServicesManager) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) RequestSecurityTokenResponse(org.opensaml.soap.wsfed.RequestSecurityTokenResponse) Credential(org.opensaml.security.credential.Credential) lombok.val(lombok.val) InputStreamReader(java.io.InputStreamReader) RegexUtils(org.apereo.cas.util.RegexUtils) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Service(org.apereo.cas.authentication.principal.Service) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) 
Clock(java.time.Clock) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) BufferedReader(java.io.BufferedReader) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) HashMap(java.util.HashMap) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) XSAny(org.opensaml.core.xml.schema.XSAny)

Example 24 with Credential

Use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.

Class AuthnResponseFactory, method aFraudResponseFromIdpBuilder.

public ResponseBuilder aFraudResponseFromIdpBuilder(String idpEntityId, String persistentId) {
    TestCredentialFactory idpSigningCredentialFactory = new TestCredentialFactory(publicSigningCerts.get(idpEntityId), privateSigningKeys.get(idpEntityId));
    String requestId = generateId();
    final Subject mdsAssertionSubject = SubjectBuilder.aSubject().withPersistentId(persistentId)
            .withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation().withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(requestId).build()).build()).build();
    final Subject authnAssertionSubject = SubjectBuilder.aSubject().withNameId(buildNameID(persistentId))
            .withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation().withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(requestId).build()).build()).build();
    final AttributeStatement matchingDatasetAttributeStatement = MatchingDatasetAttributeStatementBuilder_1_1.aMatchingDatasetAttributeStatement_1_1().build();
    // The IDP's test credential signs the assertions; the hub's credential encrypts them.
    final Credential encryptingCredential = hubEncryptionCredentialFactory.getEncryptingCredential();
    final Credential signingCredential = idpSigningCredentialFactory.getSigningCredential();
    final AssertionBuilder mdsAssertion = AssertionBuilder.anAssertion().withId(generateId())
            .withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build())
            .withSubject(mdsAssertionSubject)
            .addAttributeStatement(matchingDatasetAttributeStatement);
    final AssertionBuilder authnAssertion = AssertionBuilder.anAssertion().withId(generateId())
            .addAttributeStatement(anAttributeStatement()
                    .addAttribute(IdpFraudEventIdAttributeBuilder.anIdpFraudEventIdAttribute().withValue("a-fraud-event").build())
                    .addAttribute(Gpg45StatusAttributeBuilder.aGpg45StatusAttribute().withValue("IT01").build())
                    .addAttribute(anIPAddress().build()).build())
            .withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build())
            .withSubject(authnAssertionSubject)
            .addAuthnStatement(AuthnStatementBuilder.anAuthnStatement().withAuthnContext(AuthnContextBuilder.anAuthnContext().withAuthnContextClassRef(AuthnContextClassRefBuilder.anAuthnContextClassRef().withAuthnContextClasRefValue(IdaAuthnContext.LEVEL_X_AUTHN_CTX).build()).build()).build());
    ResponseBuilder responseBuilder = ResponseBuilder.aResponse().withId(generateId())
            .withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build())
            .withInResponseTo(requestId)
            .addEncryptedAssertion(mdsAssertion.withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build()).buildWithEncrypterCredential(encryptingCredential))
            .addEncryptedAssertion(authnAssertion.withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build()).buildWithEncrypterCredential(encryptingCredential));
    return responseBuilder;
}
Also used : TestCredentialFactory(uk.gov.ida.saml.core.test.TestCredentialFactory) BasicCredential(org.opensaml.security.credential.BasicCredential) Credential(org.opensaml.security.credential.Credential) AttributeStatementBuilder.anAttributeStatement(uk.gov.ida.saml.core.test.builders.AttributeStatementBuilder.anAttributeStatement) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) AssertionBuilder(uk.gov.ida.saml.core.test.builders.AssertionBuilder) ResponseBuilder(uk.gov.ida.saml.core.test.builders.ResponseBuilder) Subject(org.opensaml.saml.saml2.core.Subject)

Example 25 with Credential

Use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.

Class MatchingServiceRequestSenderTest, method createMsaResponse.

private static String createMsaResponse() throws MarshallingException, SignatureException {
    // Build a SAML Response signed with the matching service's credential, wrap it in a SOAP envelope and serialise it.
    Credential signingCredential = msaSigningCredential;
    org.opensaml.saml.saml2.core.Response response = aResponse().withIssuer(IssuerBuilder.anIssuer().withIssuerId(TEST_RP_MS).build()).withSigningCredential(signingCredential).build();
    Document soapEnvelope = new SoapMessageManager().wrapWithSoapEnvelope(new XmlObjectToElementTransformer<>().apply(response));
    return XmlUtils.writeToString(soapEnvelope);
}
Also used : Credential(org.opensaml.security.credential.Credential) XmlObjectToElementTransformer(uk.gov.ida.saml.serializers.XmlObjectToElementTransformer) Document(org.w3c.dom.Document) SoapMessageManager(uk.gov.ida.hub.samlsoapproxy.soap.SoapMessageManager)

Aggregations (type, usage count)

Credential (org.opensaml.security.credential.Credential): 35
BasicCredential (org.opensaml.security.credential.BasicCredential): 14
Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential): 13
ArrayList (java.util.ArrayList): 12
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet): 8
BasicSignatureSigningConfiguration (org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration): 8
PrivateKey (java.security.PrivateKey): 7
X509Certificate (java.security.cert.X509Certificate): 6
BasicX509Credential (org.opensaml.security.x509.BasicX509Credential): 6
SignatureSigningParameters (org.opensaml.xmlsec.SignatureSigningParameters): 6
MarshallingException (org.opensaml.core.xml.io.MarshallingException): 5
SignatureSigningConfigurationCriterion (org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion): 5
Decrypter (org.opensaml.saml.saml2.encryption.Decrypter): 4
SAMLMetadataSignatureSigningParametersResolver (org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver): 4
SecurityException (org.opensaml.security.SecurityException): 4
SignatureSigningParametersResolver (org.opensaml.xmlsec.SignatureSigningParametersResolver): 4
Saml2Exception (org.springframework.security.saml2.Saml2Exception): 4
SneakyThrows (lombok.SneakyThrows): 3
SamlException (org.apereo.cas.support.saml.SamlException): 3
Test (org.junit.jupiter.api.Test): 3