Example 11 with UsageCriterion

Use of org.opensaml.security.criteria.UsageCriterion in the project cas by apereo, taken from the validateSignature method of the class WsFederationHelper.

/**
 * validateSignature checks to see if the signature on an assertion is valid.
 *
 * @param resultPair the assertion paired with the WS-Federation configuration of its issuer
 * @return true if the assertion's signature is valid, otherwise false
 */
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
    if (resultPair == null) {
        LOGGER.warn("No assertion or its configuration was provided to validate signatures");
        return false;
    }
    val configuration = resultPair.getValue();
    val assertion = resultPair.getKey();
    if (assertion == null || configuration == null) {
        LOGGER.warn("No signature or configuration was provided to validate signatures");
        return false;
    }
    // An unsigned assertion is rejected outright; absence of a signature is never treated as success.
    val signature = assertion.getSignature();
    if (signature == null) {
        LOGGER.warn("No signature is attached to the assertion to validate");
        return false;
    }
    try {
        LOGGER.debug("Validating the signature...");
        // Structural check first: the ds:Signature must conform to the SAML signature profile
        // (enveloped transform, a single reference pointing at the enclosing assertion).
        val validator = new SAMLSignatureProfileValidator();
        validator.validate(signature);
        // Criteria restricting which credential may verify the signature: a signing key,
        // published in the IdP SSO role descriptor for the SAML 2.0 protocol, under the
        // entity ID of the configured identity provider.
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
        criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));
        // The trust engine resolves credentials matching the criteria and verifies the
        // cryptographic signature against them; a well-formed signature made with a key
        // that is not trusted for this IdP fails here.
        val engine = buildSignatureTrustEngine(configuration);
        LOGGER.debug("Validating signature via trust engine for [{}]", configuration.getIdentityProviderIdentifier());
        return engine.validate(signature, criteriaSet);
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
    }
    // Reached only when profile validation or trust evaluation threw; log the offending assertion and fail closed.
    SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
    LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
    return false;
}
Also used:

- lombok.val
- org.opensaml.security.criteria.UsageCriterion
- org.opensaml.saml.criterion.ProtocolCriterion
- org.opensaml.saml.security.impl.SAMLSignatureProfileValidator
- net.shibboleth.utilities.java.support.resolver.CriteriaSet
- org.opensaml.saml.criterion.EntityRoleCriterion
- org.opensaml.core.criterion.EntityIdCriterion