Search in sources :

Example 1 with ChainingEncryptedKeyResolver

use of org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver in project cas by apereo.

the class SamlIdPObjectEncrypter method configureKeyDecryptionCredential.

/**
 * Configure key decryption credential credential.
 *
 * @param peerEntityId            the peer entity id
 * @param adaptor                 the adaptor
 * @param service                 the service
 * @param decryptionConfiguration the decryption configuration
 * @return the credential
 * @throws Exception the exception
 */
protected Credential configureKeyDecryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicDecryptionConfiguration decryptionConfiguration) throws Exception {
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val providers = new ArrayList<KeyInfoProvider>(5);
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new DecryptionConfigurationCriterion(decryptionConfiguration));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.debug("Attempting to resolve the decryption key for entity id [{}]", peerEntityId);
    val credential = Objects.requireNonNull(mdCredentialResolver.resolveSingle(criteriaSet));
    val encryptinKey = samlIdPMetadataLocator.resolveEncryptionKey(Optional.ofNullable(service));
    val bean = new PrivateKeyFactoryBean();
    bean.setSingleton(false);
    bean.setLocation(encryptinKey);
    val privateKey = Objects.requireNonNull(bean.getObject());
    val basicCredential = new BasicCredential(Objects.requireNonNull(credential.getPublicKey()), privateKey);
    decryptionConfiguration.setKEKKeyInfoCredentialResolver(new StaticKeyInfoCredentialResolver(basicCredential));
    val list = new ArrayList<EncryptedKeyResolver>(3);
    list.add(new InlineEncryptedKeyResolver());
    list.add(new EncryptedElementTypeEncryptedKeyResolver());
    list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
    val encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
    decryptionConfiguration.setEncryptedKeyResolver(encryptedKeyResolver);
    return credential;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) DecryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.DecryptionConfigurationCriterion) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) PrivateKeyFactoryBean(org.apereo.cas.util.crypto.PrivateKeyFactoryBean) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) BasicCredential(org.opensaml.security.credential.BasicCredential)

Example 2 with ChainingEncryptedKeyResolver

use of org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver in project cas by apereo.

the class WsFederationHelper method buildAssertionDecrypter.

private static Decrypter buildAssertionDecrypter(final WsFederationConfiguration config) {
    val list = new ArrayList<EncryptedKeyResolver>(3);
    list.add(new InlineEncryptedKeyResolver());
    list.add(new EncryptedElementTypeEncryptedKeyResolver());
    list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
    LOGGER.trace("Built a list of encrypted key resolvers: [{}]", list);
    val encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
    LOGGER.trace("Building credential instance to decrypt data");
    val encryptionCredential = getEncryptionCredential(config);
    val resolver = new StaticKeyInfoCredentialResolver(encryptionCredential);
    val decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);
    return decrypter;
}
Also used : lombok.val(lombok.val) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) ArrayList(java.util.ArrayList) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver)

Aggregations

ArrayList (java.util.ArrayList)2 lombok.val (lombok.val)2 EncryptedElementTypeEncryptedKeyResolver (org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver)2 ChainingEncryptedKeyResolver (org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver)2 InlineEncryptedKeyResolver (org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver)2 SimpleRetrievalMethodEncryptedKeyResolver (org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver)2 StaticKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)2 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)1 SamlIdPMetadataCredentialResolver (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver)1 SamlIdPSamlRegisteredServiceCriterion (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)1 PrivateKeyFactoryBean (org.apereo.cas.util.crypto.PrivateKeyFactoryBean)1 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)1 Decrypter (org.opensaml.saml.saml2.encryption.Decrypter)1 BasicCredential (org.opensaml.security.credential.BasicCredential)1 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)1 DecryptionConfigurationCriterion (org.opensaml.xmlsec.criterion.DecryptionConfigurationCriterion)1 BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)1 DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)1 DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)1