use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.
the class SamlIdPObjectEncrypter method configureKeyEncryptionCredential.
/**
* Gets key encryption credential.
*
* @param peerEntityId the peer entity id
* @param adaptor the adaptor
* @param service the service
* @param encryptionConfiguration the encryption configuration
* @return the key encryption credential
* @throws Exception the exception
*/
protected Credential configureKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicEncryptionConfiguration encryptionConfiguration) throws Exception {
val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
val providers = new ArrayList<KeyInfoProvider>(5);
providers.add(new RSAKeyValueProvider());
providers.add(new DSAKeyValueProvider());
providers.add(new InlineX509DataProvider());
providers.add(new DEREncodedKeyValueProvider());
providers.add(new KeyInfoReferenceProvider());
val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
mdCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new EncryptionConfigurationCriterion(encryptionConfiguration));
criteriaSet.add(new EntityIdCriterion(peerEntityId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
val credential = mdCredentialResolver.resolveSingle(criteriaSet);
if (credential == null || credential.getPublicKey() == null) {
if (service.isEncryptionOptional()) {
LOGGER.warn("Unable to resolve the encryption [public] key for entity id [{}]", peerEntityId);
return null;
}
throw new SamlException("Unable to resolve the encryption [public] key for entity id " + peerEntityId);
}
val encodedKey = EncodingUtils.encodeBase64(credential.getPublicKey().getEncoded());
LOGGER.debug("Found encryption public key: [{}]", encodedKey);
encryptionConfiguration.setKeyTransportEncryptionCredentials(CollectionUtils.wrapList(credential));
return credential;
}
use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.
the class DefaultSamlIdPObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
* The resolved used is {@link SamlIdPMetadataCredentialResolver} that
* allows the entire criteria set to be passed to the role descriptor resolver.
* This behavior allows the passing of {@link SamlIdPSamlRegisteredServiceCriterion}
* so signing configuration, etc can be fetched for a specific service as an override,
* if on is in fact defined for the service.
*
* @param service the service
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final SamlRegisteredService service) throws Exception {
val config = configureSignatureSigningSecurityConfiguration(service);
val samlIdp = casProperties.getAuthn().getSamlIdp();
val privateKey = getSigningPrivateKey(service);
val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(samlIdPMetadataResolver, samlIdp.getMetadata().getCore().isRequireValidMetadata());
mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
mdCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
mdCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
val entityIdCriteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.trace("Resolving entity id from SAML2 IdP metadata for signature signing configuration is [{}]", service.getName());
val entityId = Objects.requireNonNull(samlIdPMetadataResolver.resolveSingle(entityIdCriteriaSet)).getEntityID();
LOGGER.trace("Resolved entity id from SAML2 IdP metadata is [{}]", entityId);
criteriaSet.add(new EntityIdCriterion(entityId));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.trace("Resolved signing credentials based on criteria [{}]", criteriaSet);
val credentials = Sets.newLinkedHashSet(mdCredentialResolver.resolve(criteriaSet));
LOGGER.trace("Resolved [{}] signing credentials", credentials.size());
val finalCredentials = new ArrayList<Credential>();
credentials.stream().map(c -> getResolvedSigningCredential(c, privateKey, service)).filter(Objects::nonNull).filter(c -> doesCredentialFingerprintMatch(c, service)).forEach(finalCredentials::add);
if (finalCredentials.isEmpty()) {
LOGGER.error("Unable to locate any signing credentials for service [{}]", service.getName());
throw new IllegalArgumentException("Unable to locate signing credentials");
}
config.setSigningCredentials(finalCredentials);
LOGGER.trace("Signature signing credentials configured with [{}] credentials", finalCredentials.size());
return config;
}
use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.
the class SamlIdPObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
*
* @param roleDescriptor the role descriptor
* @param service the service
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final RoleDescriptor roleDescriptor, final SamlRegisteredService service) throws Exception {
final BasicSignatureSigningConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
if (this.overrideBlackListedSignatureAlgorithms != null && !samlIdp.getAlgs().getOverrideBlackListedSignatureSigningAlgorithms().isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
}
if (this.overrideSignatureAlgorithms != null && !this.overrideSignatureAlgorithms.isEmpty()) {
config.setSignatureAlgorithms(this.overrideSignatureAlgorithms);
}
if (this.overrideSignatureReferenceDigestMethods != null && !this.overrideSignatureReferenceDigestMethods.isEmpty()) {
config.setSignatureReferenceDigestMethods(this.overrideSignatureReferenceDigestMethods);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (StringUtils.isNotBlank(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm())) {
config.setSignatureCanonicalizationAlgorithm(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm());
}
LOGGER.debug("Signature signing blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Signature signing signature algorithms: [{}]", config.getSignatureAlgorithms());
LOGGER.debug("Signature signing signature canonicalization algorithm: [{}]", config.getSignatureCanonicalizationAlgorithm());
LOGGER.debug("Signature signing whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
LOGGER.debug("Signature signing reference digest methods: [{}]", config.getSignatureReferenceDigestMethods());
final PrivateKey privateKey = getSigningPrivateKey();
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
kekCredentialResolver.setRoleDescriptorResolver(SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, idp.getMetadata().isRequireValidMetadata()));
kekCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
kekCredentialResolver.initialize();
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityIdCriterion(casProperties.getAuthn().getSamlIdp().getEntityId()));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
final Set<Credential> credentials = Sets.newLinkedHashSet(kekCredentialResolver.resolve(criteriaSet));
final List<Credential> creds = new ArrayList<>();
credentials.forEach(c -> {
final AbstractCredential cred = getResolvedSigningCredential(c, privateKey, service);
if (cred != null) {
creds.add(cred);
}
});
config.setSigningCredentials(creds);
LOGGER.debug("Signature signing credentials configured with [{}] credentials", creds.size());
return config;
}
use of org.opensaml.security.criteria.UsageCriterion in project pac4j by pac4j.
the class SAML2LogoutResponseValidator method validateSignature.
/**
* Validate the given digital signature by checking its profile and value.
*
* @param signature the signature
* @param idpEntityId the idp entity id
* @param trustEngine the trust engine
*/
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
try {
validator.validate(signature);
} catch (final SignatureException e) {
throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
}
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIdCriterion(idpEntityId));
final boolean valid;
try {
valid = trustEngine.validate(signature, criteriaSet);
} catch (final SecurityException e) {
throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
}
if (!valid) {
throw new SAMLSignatureValidationException("Signature is not trusted");
}
}
use of org.opensaml.security.criteria.UsageCriterion in project cas by apereo.
the class SamlObjectSignatureValidator method getSigningCredential.
@SneakyThrows
private Set<Credential> getSigningCredential(final RoleDescriptorResolver resolver, final RequestAbstractType profileRequest) {
val kekCredentialResolver = new MetadataCredentialResolver();
val config = getSignatureValidationConfiguration();
kekCredentialResolver.setRoleDescriptorResolver(resolver);
kekCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
kekCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureValidationConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
buildEntityCriteriaForSigningCredential(profileRequest, criteriaSet);
return Sets.newLinkedHashSet(kekCredentialResolver.resolve(criteriaSet));
}
Aggregations