use of org.opensaml.xml.security.x509.BasicX509Credential in project verify-hub by alphagov.
the class ExecuteAttributeQueryRequestTest method run_shouldThrowCertChainValidationExceptionOnResponse.
@Test
public void run_shouldThrowCertChainValidationExceptionOnResponse() throws Exception {
when(attributeQueryRequestClient.sendQuery(any(Element.class), anyString(), any(SessionId.class), any(URI.class))).thenReturn(matchingServiceResponse);
final BasicX509Credential x509Credential = new BasicX509Credential(new X509CertificateFactory().createCertificate(UNCHAINED_PUBLIC_CERT), new PrivateKeyFactory().createPrivateKey(Base64.decode(UNCHAINED_PRIVATE_KEY.getBytes())));
Response response = aResponse().withSigningCredential(x509Credential).withIssuer(anIssuer().withIssuerId("issuer-id").build()).build();
when(elementToResponseTransformer.apply(matchingServiceResponse)).thenReturn(response);
executeAttributeQueryRequest.execute(sessionId, attributeQueryContainerDto);
verify(matchingResponseSignatureValidator).validate(response, AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
}
use of org.opensaml.xml.security.x509.BasicX509Credential in project cxf by apache.
the class SAMLProtocolResponseValidator method validateSignatureAgainstProfiles.
/**
* Validate a signature against the profiles
*/
private void validateSignatureAgainstProfiles(Signature signature, SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
// Validate Signature against profiles
SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
try {
validator.validate(signature);
} catch (SignatureException ex) {
LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
BasicCredential credential = null;
if (samlKeyInfo.getCerts() != null) {
credential = new BasicX509Credential(samlKeyInfo.getCerts()[0]);
} else if (samlKeyInfo.getPublicKey() != null) {
credential = new BasicCredential(samlKeyInfo.getPublicKey());
} else {
LOG.fine("Can't get X509Certificate or PublicKey to verify signature");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
try {
SignatureValidationProvider responseSignatureValidator = new ApacheSantuarioSignatureValidationProviderImpl();
responseSignatureValidator.validate(signature, credential);
} catch (SignatureException ex) {
LOG.log(Level.FINE, "Error in validating the SAML Signature: " + ex.getMessage(), ex);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
}
use of org.opensaml.xml.security.x509.BasicX509Credential in project cxf by apache.
the class SamlPostBindingFilter method signAuthnRequest.
protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception {
Crypto crypto = getSignatureCrypto();
if (crypto == null) {
LOG.fine("No crypto instance of properties file configured for signature");
throw ExceptionUtils.toInternalServerErrorException(null, null);
}
String signatureUser = getSignatureUsername();
if (signatureUser == null) {
LOG.fine("No user configured for signature");
throw ExceptionUtils.toInternalServerErrorException(null, null);
}
CallbackHandler callbackHandler = getCallbackHandler();
if (callbackHandler == null) {
LOG.fine("No CallbackHandler configured to supply a password for signature");
throw ExceptionUtils.toInternalServerErrorException(null, null);
}
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(signatureUser);
X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
if (issuerCerts == null) {
throw new Exception("No issuer certs were found to sign the request using name: " + signatureUser);
}
String sigAlgo = SSOConstants.RSA_SHA1;
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
LOG.fine("automatic sig algo detection: " + pubKeyAlgo);
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
sigAlgo = SSOConstants.DSA_SHA1;
}
LOG.fine("Using Signature algorithm " + sigAlgo);
// Get the password
WSPasswordCallback[] cb = { new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE) };
callbackHandler.handle(cb);
String password = cb[0].getPassword();
// Get the private key
PrivateKey privateKey = crypto.getPrivateKey(signatureUser, password);
// Create the signature
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setSignatureAlgorithm(sigAlgo);
BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
signature.setSigningCredential(signingCredential);
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
kiFactory.setEmitEntityCertificate(true);
try {
KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
} catch (org.opensaml.security.SecurityException ex) {
throw new Exception("Error generating KeyInfo from signing credential", ex);
}
SignableSAMLObject signableObject = authnRequest;
signableObject.setSignature(signature);
signableObject.releaseDOM();
signableObject.releaseChildrenDOM(true);
}
use of org.opensaml.xml.security.x509.BasicX509Credential in project cxf by apache.
the class CombinedValidatorTest method signResponse.
private void signResponse(Response response, String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto, boolean useKeyInfo) throws Exception {
//
// Create the signature
//
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
// prepare to sign the SAML token
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(issuerKeyName);
X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
if (issuerCerts == null) {
throw new Exception("No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
}
String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
}
PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
signature.setSignatureAlgorithm(sigAlgo);
BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
signature.setSigningCredential(signingCredential);
if (useKeyInfo) {
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
kiFactory.setEmitEntityCertificate(true);
try {
KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
} catch (org.opensaml.security.SecurityException ex) {
throw new Exception("Error generating KeyInfo from signing credential", ex);
}
}
// add the signature to the assertion
SignableSAMLObject signableObject = response;
signableObject.setSignature(signature);
signableObject.releaseDOM();
signableObject.releaseChildrenDOM(true);
}
Aggregations