Search in sources :

Example 11 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project verify-hub by alphagov.

the class ExecuteAttributeQueryRequestTest method run_shouldThrowCertChainValidationExceptionOnResponse.

@Test
public void run_shouldThrowCertChainValidationExceptionOnResponse() throws Exception {
    when(attributeQueryRequestClient.sendQuery(any(Element.class), anyString(), any(SessionId.class), any(URI.class))).thenReturn(matchingServiceResponse);
    final BasicX509Credential x509Credential = new BasicX509Credential(new X509CertificateFactory().createCertificate(UNCHAINED_PUBLIC_CERT), new PrivateKeyFactory().createPrivateKey(Base64.decode(UNCHAINED_PRIVATE_KEY.getBytes())));
    Response response = aResponse().withSigningCredential(x509Credential).withIssuer(anIssuer().withIssuerId("issuer-id").build()).build();
    when(elementToResponseTransformer.apply(matchingServiceResponse)).thenReturn(response);
    executeAttributeQueryRequest.execute(sessionId, attributeQueryContainerDto);
    verify(matchingResponseSignatureValidator).validate(response, AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
}
Also used : X509CertificateFactory(uk.gov.ida.common.shared.security.X509CertificateFactory) Response(org.opensaml.saml.saml2.core.Response) ResponseBuilder.aResponse(uk.gov.ida.saml.core.test.builders.ResponseBuilder.aResponse) SamlValidationResponse(uk.gov.ida.saml.core.validation.SamlValidationResponse) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) PrivateKeyFactory(uk.gov.ida.common.shared.security.PrivateKeyFactory) Element(org.w3c.dom.Element) SessionId(uk.gov.ida.common.SessionId) URI(java.net.URI) Test(org.junit.Test)

Example 12 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cxf by apache.

the class SAMLProtocolResponseValidator method validateSignatureAgainstProfiles.

/**
 * Validate a signature against the profiles
 */
private void validateSignatureAgainstProfiles(Signature signature, SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
    // Validate Signature against profiles
    SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    try {
        validator.validate(signature);
    } catch (SignatureException ex) {
        LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex);
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    BasicCredential credential = null;
    if (samlKeyInfo.getCerts() != null) {
        credential = new BasicX509Credential(samlKeyInfo.getCerts()[0]);
    } else if (samlKeyInfo.getPublicKey() != null) {
        credential = new BasicCredential(samlKeyInfo.getPublicKey());
    } else {
        LOG.fine("Can't get X509Certificate or PublicKey to verify signature");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    try {
        SignatureValidationProvider responseSignatureValidator = new ApacheSantuarioSignatureValidationProviderImpl();
        responseSignatureValidator.validate(signature, credential);
    } catch (SignatureException ex) {
        LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex);
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
}
Also used : BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) SignatureValidationProvider(org.opensaml.xmlsec.signature.support.SignatureValidationProvider) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) BasicCredential(org.opensaml.security.credential.BasicCredential) ApacheSantuarioSignatureValidationProviderImpl(org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl)

Example 13 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cxf by apache.

the class SamlPostBindingFilter method signAuthnRequest.

protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception {
    Crypto crypto = getSignatureCrypto();
    if (crypto == null) {
        LOG.fine("No crypto instance of properties file configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    String signatureUser = getSignatureUsername();
    if (signatureUser == null) {
        LOG.fine("No user configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    CallbackHandler callbackHandler = getCallbackHandler();
    if (callbackHandler == null) {
        LOG.fine("No CallbackHandler configured to supply a password for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(signatureUser);
    X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
    if (issuerCerts == null) {
        throw new Exception("No issuer certs were found to sign the request using name: " + signatureUser);
    }
    String sigAlgo = SSOConstants.RSA_SHA1;
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
    LOG.fine("automatic sig algo detection: " + pubKeyAlgo);
    if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
        sigAlgo = SSOConstants.DSA_SHA1;
    }
    LOG.fine("Using Signature algorithm " + sigAlgo);
    // Get the password
    WSPasswordCallback[] cb = { new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE) };
    callbackHandler.handle(cb);
    String password = cb[0].getPassword();
    // Get the private key
    PrivateKey privateKey = crypto.getPrivateKey(signatureUser, password);
    // Create the signature
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    signature.setSignatureAlgorithm(sigAlgo);
    BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
    signature.setSigningCredential(signingCredential);
    X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
    kiFactory.setEmitEntityCertificate(true);
    try {
        KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
        signature.setKeyInfo(keyInfo);
    } catch (org.opensaml.security.SecurityException ex) {
        throw new Exception("Error generating KeyInfo from signing credential", ex);
    }
    SignableSAMLObject signableObject = authnRequest;
    signableObject.setSignature(signature);
    signableObject.releaseDOM();
    signableObject.releaseChildrenDOM(true);
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) PrivateKey(java.security.PrivateKey) CryptoType(org.apache.wss4j.common.crypto.CryptoType) X509Certificate(java.security.cert.X509Certificate) IOException(java.io.IOException) Crypto(org.apache.wss4j.common.crypto.Crypto) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) Signature(org.opensaml.xmlsec.signature.Signature) WSPasswordCallback(org.apache.wss4j.common.ext.WSPasswordCallback) X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)

Example 14 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cxf by apache.

the class CombinedValidatorTest method signResponse.

private void signResponse(Response response, String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto, boolean useKeyInfo) throws Exception {
    // 
    // Create the signature
    // 
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    // prepare to sign the SAML token
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(issuerKeyName);
    X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
    if (issuerCerts == null) {
        throw new Exception("No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
    }
    String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
    if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
        sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
    }
    PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
    signature.setSignatureAlgorithm(sigAlgo);
    BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
    signature.setSigningCredential(signingCredential);
    if (useKeyInfo) {
        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);
        try {
            KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
            signature.setKeyInfo(keyInfo);
        } catch (org.opensaml.security.SecurityException ex) {
            throw new Exception("Error generating KeyInfo from signing credential", ex);
        }
    }
    // add the signature to the assertion
    SignableSAMLObject signableObject = response;
    signableObject.setSignature(signature);
    signableObject.releaseDOM();
    signableObject.releaseChildrenDOM(true);
}
Also used : PrivateKey(java.security.PrivateKey) CryptoType(org.apache.wss4j.common.crypto.CryptoType) X509Certificate(java.security.cert.X509Certificate) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) Signature(org.opensaml.xmlsec.signature.Signature) X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)

Aggregations

BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)12 X509Certificate (java.security.cert.X509Certificate)8 PrivateKey (java.security.PrivateKey)6 X509KeyInfoGeneratorFactory (org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)5 KeyInfo (org.opensaml.xmlsec.signature.KeyInfo)5 Signature (org.opensaml.xmlsec.signature.Signature)5 CryptoType (org.apache.wss4j.common.crypto.CryptoType)4 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4 SignableSAMLObject (org.opensaml.saml.common.SignableSAMLObject)4 IOException (java.io.IOException)3 ServerApiException (org.apache.cloudstack.api.ServerApiException)2 SAMLProviderMetadata (org.apache.cloudstack.saml.SAMLProviderMetadata)2 SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)2 Response (org.opensaml.saml.saml2.core.Response)2 SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)2 ApacheSantuarioSignatureValidationProviderImpl (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl)2 CloudAuthenticationException (com.cloud.exception.CloudAuthenticationException)1 UserAccount (com.cloud.user.UserAccount)1 UserAccountVO (com.cloud.user.UserAccountVO)1 BufferedReader (java.io.BufferedReader)1