Search in sources :

Example 1 with UsageCriterion

use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.

the class WsFederationHelper method validateSignature.

/**
     * validateSignature checks to see if the signature on an assertion is valid.
     *
     * @param assertion                 a provided assertion
     * @param wsFederationConfiguration WS-Fed configuration provided.
     * @return true if the assertion's signature is valid, otherwise false
     */
public boolean validateSignature(final Assertion assertion, final WsFederationConfiguration wsFederationConfiguration) {
    if (assertion == null) {
        LOGGER.warn("No assertion was provided to validate signatures");
        return false;
    }
    boolean valid = false;
    if (assertion.getSignature() != null) {
        final SignaturePrevalidator validator = new SAMLSignatureProfileValidator();
        try {
            validator.validate(assertion.getSignature());
            final CriteriaSet criteriaSet = new CriteriaSet();
            criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
            criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
            criteriaSet.add(new EntityIdCriterion(wsFederationConfiguration.getIdentityProviderIdentifier()));
            try {
                final SignatureTrustEngine engine = buildSignatureTrustEngine(wsFederationConfiguration);
                valid = engine.validate(assertion.getSignature(), criteriaSet);
            } catch (final SecurityException e) {
                LOGGER.warn(e.getMessage(), e);
            } finally {
                if (!valid) {
                    LOGGER.warn("Signature doesn't match any signing credential.");
                }
            }
        } catch (final SignatureException e) {
            LOGGER.warn("Failed to validate assertion signature", e);
        }
    }
    SamlUtils.logSamlObject(this.configBean, assertion);
    return valid;
}
Also used : SignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SecurityException(org.opensaml.security.SecurityException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)

Example 2 with UsageCriterion

use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.

the class SamlObjectEncrypter method getKeyEncryptionCredential.

/**
 * Gets key encryption credential.
 *
 * @param peerEntityId the peer entity id
 * @param adaptor      the adaptor
 * @param service      the service
 * @return the key encryption credential
 * @throws Exception the exception
 */
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
    final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
    final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
    if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
        config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
    }
    if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
        config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
    }
    if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
        config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
    }
    LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
    LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
    LOGGER.debug("Signature data algorithms: [{}]", config.getDataEncryptionAlgorithms());
    LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
    final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
    final List<KeyInfoProvider> providers = new ArrayList<>();
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    final RoleDescriptorResolver roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, idp.getMetadata().isRequireValidMetadata());
    kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    kekCredentialResolver.initialize();
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EncryptionConfigurationCriterion(config));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
    return kekCredentialResolver.resolveSingle(criteriaSet);
}
Also used : UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) EncryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) KeyInfoProvider(org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider) RoleDescriptorResolver(org.opensaml.saml.metadata.resolver.RoleDescriptorResolver) SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) BasicEncryptionConfiguration(org.opensaml.xmlsec.impl.BasicEncryptionConfiguration) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)

Example 3 with UsageCriterion

use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.

the class SamlObjectSignatureValidator method getSigningCredential.

@SneakyThrows
private Set<Credential> getSigningCredential(final RoleDescriptorResolver resolver, final RequestAbstractType profileRequest) {
    final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
    final SignatureValidationConfiguration config = getSignatureValidationConfiguration();
    kekCredentialResolver.setRoleDescriptorResolver(resolver);
    kekCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    kekCredentialResolver.initialize();
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new SignatureValidationConfigurationCriterion(config));
    criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
    buildEntityCriteriaForSigningCredential(profileRequest, criteriaSet);
    return Sets.newLinkedHashSet(kekCredentialResolver.resolve(criteriaSet));
}
Also used : UsageCriterion(org.opensaml.security.criteria.UsageCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) BasicSignatureValidationConfiguration(org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration) SignatureValidationConfiguration(org.opensaml.xmlsec.SignatureValidationConfiguration) SignatureValidationConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureValidationConfigurationCriterion) SneakyThrows(lombok.SneakyThrows)

Example 4 with UsageCriterion

use of org.opensaml.security.criteria.UsageCriterion in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method validateSignature.

/**
 * Validate the given digital signature by checking its profile and value.
 *
 * @param signature   the signature
 * @param idpEntityId the idp entity id
 * @param trustEngine the trust engine
 */
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
    final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    try {
        validator.validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
    }
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
    criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
    criteriaSet.add(new EntityIdCriterion(idpEntityId));
    final boolean valid;
    try {
        valid = trustEngine.validate(signature, criteriaSet);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }
    if (!valid) {
        throw new SAMLSignatureValidationException("Signature is not trusted");
    }
}
Also used : UsageCriterion(org.opensaml.security.criteria.UsageCriterion) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) SAMLSignatureValidationException(org.pac4j.saml.exceptions.SAMLSignatureValidationException) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SecurityException(org.opensaml.security.SecurityException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)

Example 5 with UsageCriterion

use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.

the class SamlIdPObjectEncrypter method configureKeyDecryptionCredential.

/**
 * Configure key decryption credential credential.
 *
 * @param peerEntityId            the peer entity id
 * @param adaptor                 the adaptor
 * @param service                 the service
 * @param decryptionConfiguration the decryption configuration
 * @return the credential
 * @throws Exception the exception
 */
protected Credential configureKeyDecryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicDecryptionConfiguration decryptionConfiguration) throws Exception {
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val providers = new ArrayList<KeyInfoProvider>(5);
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new DecryptionConfigurationCriterion(decryptionConfiguration));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.debug("Attempting to resolve the decryption key for entity id [{}]", peerEntityId);
    val credential = Objects.requireNonNull(mdCredentialResolver.resolveSingle(criteriaSet));
    val encryptinKey = samlIdPMetadataLocator.resolveEncryptionKey(Optional.ofNullable(service));
    val bean = new PrivateKeyFactoryBean();
    bean.setSingleton(false);
    bean.setLocation(encryptinKey);
    val privateKey = Objects.requireNonNull(bean.getObject());
    val basicCredential = new BasicCredential(Objects.requireNonNull(credential.getPublicKey()), privateKey);
    decryptionConfiguration.setKEKKeyInfoCredentialResolver(new StaticKeyInfoCredentialResolver(basicCredential));
    val list = new ArrayList<EncryptedKeyResolver>(3);
    list.add(new InlineEncryptedKeyResolver());
    list.add(new EncryptedElementTypeEncryptedKeyResolver());
    list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
    val encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
    decryptionConfiguration.setEncryptedKeyResolver(encryptedKeyResolver);
    return credential;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) DecryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.DecryptionConfigurationCriterion) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) PrivateKeyFactoryBean(org.apereo.cas.util.crypto.PrivateKeyFactoryBean) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) BasicCredential(org.opensaml.security.credential.BasicCredential)

Aggregations

CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)11 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)11 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)9 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)9 ArrayList (java.util.ArrayList)5 lombok.val (lombok.val)5 ProtocolCriterion (org.opensaml.saml.criterion.ProtocolCriterion)4 MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)4 SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)4 SneakyThrows (lombok.SneakyThrows)3 SamlIdPMetadataCredentialResolver (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver)3 SamlIdPSamlRegisteredServiceCriterion (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)3 SecurityException (org.opensaml.security.SecurityException)3 BasicCredential (org.opensaml.security.credential.BasicCredential)3 BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)3 DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)3 DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)3 InlineX509DataProvider (org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider)3 KeyInfoReferenceProvider (org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider)3 RSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider)3