Examples with KeyInfoCredentialResolver org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver used on opensource projects

Search in sources :

Example 1 with KeyInfoCredentialResolver

use of org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver in project pac4j by pac4j.

the class KeyStoreDecryptionProvider method build.

@Override
public final Decrypter build() {
    final Credential encryptionCredential = this.credentialProvider.getCredential();
    final KeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(encryptionCredential);
    final Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);
    return decrypter;
}
Also used : Credential(org.opensaml.security.credential.Credential) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)

Example 2 with KeyInfoCredentialResolver

use of org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver in project spring-security by spring-projects.

the class LogoutRequestEncryptedIdUtils method decrypter.

private static Decrypter decrypter(RelyingPartyRegistration registration) {
    Collection<Credential> credentials = new ArrayList<>();
    for (Saml2X509Credential key : registration.getDecryptionX509Credentials()) {
        Credential cred = CredentialSupport.getSimpleCredential(key.getCertificate(), key.getPrivateKey());
        credentials.add(cred);
    }
    KeyInfoCredentialResolver resolver = new CollectionKeyInfoCredentialResolver(credentials);
    Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);
    return decrypter;
}
Also used : Credential(org.opensaml.security.credential.Credential) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) ArrayList(java.util.ArrayList) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) CollectionKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) CollectionKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver)

Example 3 with KeyInfoCredentialResolver

use of org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver in project spring-security by spring-projects.

the class OpenSamlDecryptionUtils method decrypter.

private static Decrypter decrypter(RelyingPartyRegistration registration) {
    Collection<Credential> credentials = new ArrayList<>();
    for (Saml2X509Credential key : registration.getDecryptionX509Credentials()) {
        Credential cred = CredentialSupport.getSimpleCredential(key.getCertificate(), key.getPrivateKey());
        credentials.add(cred);
    }
    KeyInfoCredentialResolver resolver = new CollectionKeyInfoCredentialResolver(credentials);
    Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);
    return decrypter;
}
Also used : Credential(org.opensaml.security.credential.Credential) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) ArrayList(java.util.ArrayList) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) CollectionKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) CollectionKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver)

Example 4 with KeyInfoCredentialResolver

use of org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver in project cas by apereo.

the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.

private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    final SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
    final SAMLPeerEntityContext peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlRequest(profileRequest));
    LOGGER.debug("Validating request signature for [{}] via [{}]...", peer.getEntityId(), handler.getClass().getSimpleName());
    LOGGER.debug("Resolving role descriptor for [{}]", peer.getEntityId());
    final RoleDescriptor roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peer.getEntityId()), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    peer.setRole(roleDescriptor.getElementQName());
    final SAMLProtocolContext protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);
    LOGGER.debug("Building security parameters context for signature validation of [{}]", peer.getEntityId());
    final SecurityParametersContext secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    final SignatureValidationParameters validationParams = new SignatureValidationParameters();
    if (overrideBlackListedSignatureAlgorithms != null && !overrideBlackListedSignatureAlgorithms.isEmpty()) {
        validationParams.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
        LOGGER.debug("Validation override blacklisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    if (overrideWhiteListedAlgorithms != null && !overrideWhiteListedAlgorithms.isEmpty()) {
        validationParams.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
        LOGGER.debug("Validation override whitelisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    LOGGER.debug("Resolving signing credentials for [{}]", peer.getEntityId());
    final Set<Credential> credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials == null || credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }
    boolean foundValidCredential = false;
    final Iterator<Credential> it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        try {
            final Credential c = it.next();
            final CredentialResolver resolver = new StaticCredentialResolver(c);
            final KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(c);
            final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}
Also used : Credential(org.opensaml.security.credential.Credential) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler) SamlException(org.apereo.cas.support.saml.SamlException) SamlException(org.apereo.cas.support.saml.SamlException) SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) SAMLProtocolContext(org.opensaml.saml.common.messaging.context.SAMLProtocolContext) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) RoleDescriptor(org.opensaml.saml.saml2.metadata.RoleDescriptor) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SecurityParametersContext(org.opensaml.xmlsec.context.SecurityParametersContext) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) CredentialResolver(org.opensaml.security.credential.CredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)

Example 5 with KeyInfoCredentialResolver

use of org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver in project pac4j by pac4j.

the class ExplicitSignatureTrustEngineProvider method build.

@Override
public SignatureTrustEngine build() {
    final MetadataCredentialResolver metadataCredentialResolver = new MetadataCredentialResolver();
    final BasicRoleDescriptorResolver roleResolver = new BasicRoleDescriptorResolver(metadataResolver);
    final KeyInfoCredentialResolver keyResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();
    metadataCredentialResolver.setKeyInfoCredentialResolver(keyResolver);
    metadataCredentialResolver.setRoleDescriptorResolver(roleResolver);
    try {
        metadataCredentialResolver.initialize();
        roleResolver.initialize();
    } catch (final ComponentInitializationException e) {
        throw new SAMLException(e);
    }
    return new ExplicitKeySignatureTrustEngine(metadataCredentialResolver, keyResolver);
}
Also used : ComponentInitializationException(net.shibboleth.utilities.java.support.component.ComponentInitializationException) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) BasicRoleDescriptorResolver(org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) SAMLException(org.pac4j.saml.exceptions.SAMLException)

Aggregations

KeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)5 Credential (org.opensaml.security.credential.Credential)4 Decrypter (org.opensaml.saml.saml2.encryption.Decrypter)3 ArrayList (java.util.ArrayList)2 MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)2 CollectionKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver)2 StaticKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)2 ExplicitKeySignatureTrustEngine (org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)2 Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential)2 ComponentInitializationException (net.shibboleth.utilities.java.support.component.ComponentInitializationException)1 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)1 SamlException (org.apereo.cas.support.saml.SamlException)1 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1 SAMLPeerEntityContext (org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext)1 SAMLProtocolContext (org.opensaml.saml.common.messaging.context.SAMLProtocolContext)1 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)1 BasicRoleDescriptorResolver (org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver)1 SAML2HTTPRedirectDeflateSignatureSecurityHandler (org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler)1 RoleDescriptor (org.opensaml.saml.saml2.metadata.RoleDescriptor)1 CredentialResolver (org.opensaml.security.credential.CredentialResolver)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial