use of org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver in project cas by apereo.
the class SamlObjectEncrypter method getKeyEncryptionCredential.
/**
* Gets key encryption credential.
*
* @param peerEntityId the peer entity id
* @param adaptor the adaptor
* @param service the service
* @return the key encryption credential
* @throws Exception the exception
*/
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
}
if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
}
LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
LOGGER.debug("Signature data algorithms: [{}]", config.getDataEncryptionAlgorithms());
LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
final List<KeyInfoProvider> providers = new ArrayList<>();
providers.add(new RSAKeyValueProvider());
providers.add(new DSAKeyValueProvider());
providers.add(new InlineX509DataProvider());
providers.add(new DEREncodedKeyValueProvider());
providers.add(new KeyInfoReferenceProvider());
final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(adaptor.getMetadataResolver());
roleDescriptorResolver.setSatisfyAnyPredicates(true);
roleDescriptorResolver.setUseDefaultPredicateRegistry(true);
roleDescriptorResolver.setRequireValidMetadata(idp.getMetadata().isRequireValidMetadata());
roleDescriptorResolver.initialize();
kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
kekCredentialResolver.initialize();
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EncryptionConfigurationCriterion(config));
criteriaSet.add(new EntityIdCriterion(peerEntityId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
return kekCredentialResolver.resolveSingle(criteriaSet);
}
use of org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver in project cas by apereo.
the class SamlUtils method buildSignatureValidationFilter.
/**
* Build signature validation filter if needed.
*
* @param signatureResourceLocation the signature resource location
* @return the metadata filter
* @throws Exception the exception
*/
public static SignatureValidationFilter buildSignatureValidationFilter(final Resource signatureResourceLocation) throws Exception {
if (!ResourceUtils.doesResourceExist(signatureResourceLocation)) {
LOGGER.warn("Resource [{}] cannot be located", signatureResourceLocation);
return null;
}
final List<KeyInfoProvider> keyInfoProviderList = new ArrayList<>();
keyInfoProviderList.add(new RSAKeyValueProvider());
keyInfoProviderList.add(new DSAKeyValueProvider());
keyInfoProviderList.add(new DEREncodedKeyValueProvider());
keyInfoProviderList.add(new InlineX509DataProvider());
LOGGER.debug("Attempting to resolve credentials from [{}]", signatureResourceLocation);
final BasicCredential credential = buildCredentialForMetadataSignatureValidation(signatureResourceLocation);
LOGGER.info("Successfully resolved credentials from [{}]", signatureResourceLocation);
LOGGER.debug("Configuring credential resolver for key signature trust engine @ [{}]", credential.getCredentialType().getSimpleName());
final StaticCredentialResolver resolver = new StaticCredentialResolver(credential);
final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(keyInfoProviderList);
final ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyInfoResolver);
LOGGER.debug("Adding signature validation filter based on the configured trust engine");
final SignatureValidationFilter signatureValidationFilter = new SignatureValidationFilter(trustEngine);
signatureValidationFilter.setRequireSignedRoot(false);
LOGGER.debug("Added metadata SignatureValidationFilter with signature from [{}]", signatureResourceLocation);
return signatureValidationFilter;
}
Aggregations