Example 1 with X509KeyInfoGeneratorFactory
use of org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory in project syncope by apache.
the class SAML2SPLogic method getMetadata.
@PreAuthorize("isAuthenticated()")
public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
check();
try {
EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
spEntityDescriptor.setEntityID(spEntityID);
SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
spSSODescriptor.setWantAssertionsSigned(true);
spSSODescriptor.setAuthnRequestsSigned(true);
spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
keyInfoGenerator.generate(loader.getCredential());
KeyDescriptor keyDescriptor = new KeyDescriptorBuilder().buildObject();
keyDescriptor.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
spSSODescriptor.getKeyDescriptors().add(keyDescriptor);
NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
nameIDFormat.setFormat(NameIDType.PERSISTENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
nameIDFormat = new NameIDFormatBuilder().buildObject();
nameIDFormat.setFormat(NameIDType.TRANSIENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
for (SAML2BindingType bindingType : SAML2BindingType.values()) {
AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
assertionConsumerService.setIndex(bindingType.ordinal());
assertionConsumerService.setBinding(bindingType.getUri());
assertionConsumerService.setLocation(getAssertionConsumerURL(spEntityID, urlContext));
spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
String sloUrl = spEntityID + urlContext + "/logout";
validateUrl(sloUrl);
SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
singleLogoutService.setBinding(bindingType.getUri());
singleLogoutService.setLocation(sloUrl);
singleLogoutService.setResponseLocation(sloUrl);
spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
}
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
saml2rw.sign(spEntityDescriptor);
saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
} catch (Exception e) {
LOG.error("While getting SP metadata", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
}
Also used :
SAML2BindingType(org.apache.syncope.common.lib.types.SAML2BindingType)
SPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder)
XSString(org.opensaml.core.xml.schema.XSString)
EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
KeyInfoGenerator(org.opensaml.xmlsec.keyinfo.KeyInfoGenerator)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
SingleLogoutServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
OutputStreamWriter(java.io.OutputStreamWriter)
KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 2 with X509KeyInfoGeneratorFactory
use of org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory in project ddf by codice.
the class SamlAssertionValidatorImplTest method createHolderOfKeyAssertion.
private Assertion createHolderOfKeyAssertion() throws Exception {
Assertion assertion = new AssertionBuilder().buildObject();
assertion.setID(UUID.randomUUID().toString());
assertion.setIssueInstant(new DateTime());
Issuer issuer = new IssuerBuilder().buildObject();
issuer.setValue(ISSUER);
assertion.setIssuer(issuer);
NameID nameID = new NameIDBuilder().buildObject();
nameID.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
nameID.setNameQualifier("http://cxf.apache.org/sts");
nameID.setValue("admin");
X509SubjectName x509SubjectName = new X509SubjectNameBuilder().buildObject();
x509SubjectName.setValue("EMAILADDRESS=localhost@example.org, CN=localhost, OU=Dev, O=DDF, ST=AZ, C=US");
org.opensaml.xmlsec.signature.X509Certificate x509Certificate = new X509CertificateBuilder().buildObject();
byte[] certBytes = certificate.getEncoded();
String certString = new String(Base64.encode(certBytes));
x509Certificate.setValue(certString);
X509Data x509Data = new X509DataBuilder().buildObject();
x509Data.getX509SubjectNames().add(x509SubjectName);
x509Data.getX509Certificates().add(x509Certificate);
KeyInfo keyInfo = new KeyInfoBuilder().buildObject();
keyInfo.getX509Datas().add(x509Data);
KeyInfoConfirmationDataType keyInfoConfirmationDataType = new KeyInfoConfirmationDataTypeBuilder().buildObject();
keyInfoConfirmationDataType.getKeyInfos().add(keyInfo);
SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
subjectConfirmation.setSubjectConfirmationData(keyInfoConfirmationDataType);
Subject subject = new SubjectBuilder().buildObject();
subject.setNameID(nameID);
subject.getSubjectConfirmations().add(subjectConfirmation);
assertion.setSubject(subject);
Conditions conditions = new ConditionsBuilder().buildObject();
conditions.setNotBefore(new DateTime().minusDays(3));
conditions.setNotOnOrAfter(new DateTime().plusDays(3));
assertion.setConditions(conditions);
AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
authnStatement.setAuthnInstant(new DateTime());
AuthnContext authnContext = new AuthnContextBuilder().buildObject();
AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
authnContext.setAuthnContextClassRef(authnContextClassRef);
authnStatement.setAuthnContext(authnContext);
assertion.getAuthnStatements().add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
Attribute attribute = new AttributeBuilder().buildObject();
AttributeValueType attributeValue = new AttributeValueTypeImplBuilder().buildObject();
attributeValue.setValue("admin");
attribute.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
attribute.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
attribute.getAttributeValues().add(attributeValue);
attributeStatement.getAttributes().add(attribute);
assertion.getAttributeStatements().add(attributeStatement);
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setSignatureAlgorithm(WSS4JConstants.RSA);
BasicX509Credential signingCredential;
signingCredential = new BasicX509Credential(certificate);
signingCredential.setPrivateKey(privateKey);
signature.setSigningCredential(signingCredential);
X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfo signatureKeyInfo = x509KeyInfoGeneratorFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(signatureKeyInfo);
assertion.setSignature(signature);
return assertion;
}
Also used :
Issuer(org.opensaml.saml.saml2.core.Issuer)
KeyInfoBuilder(org.opensaml.xmlsec.signature.impl.KeyInfoBuilder)
Attribute(org.opensaml.saml.saml2.core.Attribute)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
AuthnStatementBuilder(org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder)
AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder)
X509Data(org.opensaml.xmlsec.signature.X509Data)
DateTime(org.joda.time.DateTime)
Conditions(org.opensaml.saml.saml2.core.Conditions)
AuthnContext(org.opensaml.saml.saml2.core.AuthnContext)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
X509DataBuilder(org.opensaml.xmlsec.signature.impl.X509DataBuilder)
SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SubjectBuilder(org.opensaml.saml.saml2.core.impl.SubjectBuilder)
SubjectConfirmationBuilder(org.opensaml.saml.saml2.core.impl.SubjectConfirmationBuilder)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
AttributeStatementBuilder(org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder)
AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder)
X509SubjectNameBuilder(org.opensaml.xmlsec.signature.impl.X509SubjectNameBuilder)
KeyInfoConfirmationDataTypeBuilder(org.opensaml.saml.saml2.core.impl.KeyInfoConfirmationDataTypeBuilder)
NameID(org.opensaml.saml.saml2.core.NameID)
AttributeValueType(org.opensaml.xacml.ctx.AttributeValueType)
AuthnContextBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextBuilder)
Assertion(org.opensaml.saml.saml2.core.Assertion)
X509CertificateBuilder(org.opensaml.xmlsec.signature.impl.X509CertificateBuilder)
KeyInfoConfirmationDataType(org.opensaml.saml.saml2.core.KeyInfoConfirmationDataType)
AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef)
AssertionBuilder(org.opensaml.saml.saml2.core.impl.AssertionBuilder)
Subject(org.opensaml.saml.saml2.core.Subject)
ConditionsBuilder(org.opensaml.saml.saml2.core.impl.ConditionsBuilder)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Signature(org.opensaml.xmlsec.signature.Signature)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
X509SubjectName(org.opensaml.xmlsec.signature.X509SubjectName)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
AttributeValueTypeImplBuilder(org.opensaml.xacml.ctx.impl.AttributeValueTypeImplBuilder)
Example 3 with X509KeyInfoGeneratorFactory
use of org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory in project cxf by apache.
the class SAMLResponseValidatorTest method signResponse.
/**
* Sign a SAML Response
* @throws Exception
*/
private void signResponse(Response response, String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto, boolean useKeyInfo) throws Exception {
//
// Create the signature
//
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
// prepare to sign the SAML token
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(issuerKeyName);
X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
if (issuerCerts == null) {
throw new Exception("No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
}
String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
}
PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
signature.setSignatureAlgorithm(sigAlgo);
BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
signature.setSigningCredential(signingCredential);
if (useKeyInfo) {
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
kiFactory.setEmitEntityCertificate(true);
try {
KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
} catch (org.opensaml.security.SecurityException ex) {
throw new Exception("Error generating KeyInfo from signing credential", ex);
}
}
// add the signature to the assertion
SignableSAMLObject signableObject = response;
signableObject.setSignature(signature);
signableObject.releaseDOM();
signableObject.releaseChildrenDOM(true);
}
Also used :
PrivateKey(java.security.PrivateKey)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
X509Certificate(java.security.cert.X509Certificate)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
Signature(org.opensaml.xmlsec.signature.Signature)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
Example 4 with X509KeyInfoGeneratorFactory
use of org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory in project cxf by apache.
the class SAMLSSOResponseValidatorTest method signResponse.
/**
* Sign a SAML Response
* @throws Exception
*/
private void signResponse(Response response, String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto, boolean useKeyInfo) throws Exception {
//
// Create the signature
//
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
// prepare to sign the SAML token
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(issuerKeyName);
X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
if (issuerCerts == null) {
throw new Exception("No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
}
String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
}
PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
signature.setSignatureAlgorithm(sigAlgo);
BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
signature.setSigningCredential(signingCredential);
if (useKeyInfo) {
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
kiFactory.setEmitEntityCertificate(true);
try {
KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
} catch (org.opensaml.security.SecurityException ex) {
throw new Exception("Error generating KeyInfo from signing credential", ex);
}
}
// add the signature to the assertion
SignableSAMLObject signableObject = response;
signableObject.setSignature(signature);
signableObject.releaseDOM();
signableObject.releaseChildrenDOM(true);
}
Also used :
PrivateKey(java.security.PrivateKey)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
X509Certificate(java.security.cert.X509Certificate)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
Signature(org.opensaml.xmlsec.signature.Signature)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
Example 5 with X509KeyInfoGeneratorFactory
use of org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory in project ddf by codice.
the class SimpleSign method signSamlObject.
public void signSamlObject(SignableSAMLObject samlObject) throws SignatureException {
X509Certificate[] certificates = getSignatureCertificates();
String sigAlgo = getSignatureAlgorithm(certificates[0]);
PrivateKey privateKey = getSignaturePrivateKey();
// Create the signature
Signature signature = OpenSAMLUtil.buildSignature();
if (signature == null) {
throw new SignatureException("Unable to build signature.");
}
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setSignatureAlgorithm(sigAlgo);
BasicX509Credential signingCredential = new BasicX509Credential(certificates[0]);
signingCredential.setPrivateKey(privateKey);
signature.setSigningCredential(signingCredential);
X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
try {
KeyInfo keyInfo = x509KeyInfoGeneratorFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
} catch (org.opensaml.security.SecurityException e) {
throw new SignatureException("Error generating KeyInfo from signing credential", e);
}
if (samlObject instanceof Response) {
List<Assertion> assertions = ((Response) samlObject).getAssertions();
for (Assertion assertion : assertions) {
assertion.getSignature().setSigningCredential(signingCredential);
}
}
samlObject.setSignature(signature);
SAMLObjectContentReference contentRef = (SAMLObjectContentReference) signature.getContentReferences().get(0);
contentRef.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA1);
samlObject.releaseDOM();
samlObject.releaseChildrenDOM(true);
}
Also used :
PrivateKey(java.security.PrivateKey)
Assertion(org.opensaml.saml.saml2.core.Assertion)
X509Certificate(java.security.cert.X509Certificate)
Response(org.opensaml.saml.saml2.core.Response)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
Signature(org.opensaml.xmlsec.signature.Signature)
SAMLObjectContentReference(org.opensaml.saml.common.SAMLObjectContentReference)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
Aggregations
X509KeyInfoGeneratorFactory (org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)13
BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)8
KeyInfo (org.opensaml.xmlsec.signature.KeyInfo)8
Signature (org.opensaml.xmlsec.signature.Signature)8
X509Certificate (java.security.cert.X509Certificate)7
PrivateKey (java.security.PrivateKey)6
CryptoType (org.apache.wss4j.common.crypto.CryptoType)4
SignableSAMLObject (org.opensaml.saml.common.SignableSAMLObject)4
Assertion (org.opensaml.saml.saml2.core.Assertion)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)3
KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager)3
NamedKeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager)3
SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)2
DateTime (org.joda.time.DateTime)2
SAMLObjectContentReference (org.opensaml.saml.common.SAMLObjectContentReference)2
Attribute (org.opensaml.saml.saml2.core.Attribute)2
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)2
AuthnContext (org.opensaml.saml.saml2.core.AuthnContext)2
AuthnContextClassRef (org.opensaml.saml.saml2.core.AuthnContextClassRef)2
AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement)2
