use of org.opensaml.xmlsec.signature.KeyInfo in project cxf by apache.
the class Saml2BearerGrantHandler method validateToken.
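/**
 * Validates the SAML assertion presented as a bearer grant.
 *
 * <p>A signed assertion has its signature verified against the configured
 * signature crypto (revocation checking follows the
 * {@code SecurityConstants.ENABLE_REVOCATION} property) and its subject parsed.
 * An unsigned assertion is only accepted when the request arrived with TLS
 * client certificates. The optional {@code samlValidator} and the
 * {@code samlOAuthValidator} are applied afterwards.
 *
 * @param message   the inbound message carrying the grant request
 * @param assertion the assertion extracted from the grant
 * @throws OAuthServiceException with {@code OAuthConstants.INVALID_GRANT} when
 *         any step fails; the underlying failure is attached as the cause
 */
protected void validateToken(Message message, SamlAssertionWrapper assertion) {
    try {
        RequestData data = new RequestData();
        if (assertion.isSigned()) {
            data.setWssConfig(WSSConfig.getNewInstance());
            data.setCallbackHandler(RSSecurityUtils.getCallbackHandler(message, this.getClass()));
            try {
                data.setSigVerCrypto(new CryptoLoader().getCrypto(message,
                        SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES));
            } catch (IOException ex) {
                // Keep the cause so a misconfigured signature crypto can be diagnosed from the logs
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
            }
            // Boolean.parseBoolean(null) is false, which is the default when the property is absent
            String enableRevocationStr = (String) org.apache.cxf.rt.security.utils.SecurityUtils
                    .getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
            data.setEnableRevocation(Boolean.parseBoolean(enableRevocationStr));

            Signature sig = assertion.getSignature();
            data.setWsDocInfo(new WSDocInfo(sig.getDOM().getOwnerDocument()));
            KeyInfo keyInfo = sig.getKeyInfo();
            if (keyInfo == null) {
                // Reject explicitly rather than via an NPE: this handler has no default-alias fallback
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
            }
            SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(),
                    new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
            if (samlKeyInfo == null) {
                // No usable signing key could be resolved from the KeyInfo
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
            }
            assertion.verifySignature(samlKeyInfo);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(),
                    data.getCallbackHandler());
        } else if (getTLSCertificates(message) == null) {
            // An unsigned assertion is only trusted when the caller presented TLS client certificates
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        if (samlValidator != null) {
            Credential credential = new Credential();
            credential.setSamlAssertion(assertion);
            samlValidator.validate(credential, data);
        }
        samlOAuthValidator.validate(message, assertion);
    } catch (Exception ex) {
        // Any failure, including the explicit rejections above, surfaces as an invalid grant
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}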
use of org.opensaml.xmlsec.signature.KeyInfo in project cxf by apache.
the class AbstractSamlInHandler method validateToken.
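/**
 * Validates an inbound SAML assertion and establishes the security context.
 *
 * <p>Audience restrictions are configured first. A signed assertion has its
 * signature verified — using the {@code KeyInfo} carried in the signature, or
 * the default alias when {@code keyInfoMustBeAvailable} is false — and its
 * subject parsed. An unsigned assertion is only accepted when the request
 * arrived with TLS client certificates. The optional {@code samlValidator}
 * runs next, then the subject confirmation data is checked and the security
 * context is set. Every failure is reported through {@code throwFault}.
 *
 * @param message   the inbound message
 * @param assertion the assertion to validate
 */
protected void validateToken(Message message, SamlAssertionWrapper assertion) {
    try {
        RequestData data = new RequestData();
        data.setMsgContext(message);
        // Add Audience Restrictions for SAML
        configureAudienceRestriction(message, data);
        if (assertion.isSigned()) {
            data.setWssConfig(WSSConfig.getNewInstance());
            data.setCallbackHandler(RSSecurityUtils.getCallbackHandler(message, this.getClass()));
            try {
                data.setSigVerCrypto(new CryptoLoader().getCrypto(message,
                        SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES));
            } catch (IOException ex) {
                throwFault("Crypto can not be loaded", ex);
            }
            // Boolean.parseBoolean(null) is false, which is the default when the property is absent
            String enableRevocationStr = (String) org.apache.cxf.rt.security.utils.SecurityUtils
                    .getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
            data.setEnableRevocation(Boolean.parseBoolean(enableRevocationStr));

            Signature sig = assertion.getSignature();
            data.setWsDocInfo(new WSDocInfo(sig.getDOM().getOwnerDocument()));
            SAMLKeyInfo samlKeyInfo = null;
            KeyInfo keyInfo = sig.getKeyInfo();
            if (keyInfo != null) {
                samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(),
                        new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
            } else if (!keyInfoMustBeAvailable) {
                // No KeyInfo in the signature: fall back to the configured default alias
                samlKeyInfo = createKeyInfoFromDefaultAlias(data.getSigVerCrypto());
            }
            if (samlKeyInfo == null) {
                // Reject explicitly instead of handing a null key to verifySignature
                throwFault("No KeyInfo supplied in the SAML assertion signature", null);
            }
            assertion.verifySignature(samlKeyInfo);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(),
                    data.getCallbackHandler());
        } else if (getTLSCertificates(message) == null) {
            // An unsigned assertion is only trusted when the caller presented TLS client certificates
            throwFault("Assertion must be signed", null);
        }
        if (samlValidator != null) {
            Credential credential = new Credential();
            credential.setSamlAssertion(assertion);
            samlValidator.validate(credential, data);
        }
        checkSubjectConfirmationData(message, assertion);
        setSecurityContext(message, assertion);
    } catch (Exception ex) {
        throwFault("Assertion can not be validated", ex);
    }
}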
use of org.opensaml.xmlsec.signature.KeyInfo in project cxf by apache.
the class CombinedValidatorTest method signResponse.
/**
 * Test helper: attaches an XML signature to the given SAML {@code Response}.
 *
 * <p>Looks up the issuer certificate chain and private key in
 * {@code issuerCrypto} under {@code issuerKeyName}. The signature algorithm is
 * RSA-SHA1 unless the issuer key is DSA, in which case the DSA algorithm is
 * used. With {@code useKeyInfo} set, a {@code KeyInfo} containing the entity
 * certificate is added to the signature. The response's cached DOM is released
 * once the signature is attached.
 *
 * @param response          the response to sign
 * @param issuerKeyName     keystore alias of the signing key
 * @param issuerKeyPassword password of the signing key
 * @param issuerCrypto      crypto holding the issuer key and certificate
 * @param useKeyInfo        whether to embed a {@code KeyInfo} in the signature
 * @throws Exception if no certificate is found for the alias, the key cannot be
 *         loaded, or the {@code KeyInfo} cannot be generated
 */
private void signResponse(Response response, String issuerKeyName, String issuerKeyPassword,
                          Crypto issuerCrypto, boolean useKeyInfo) throws Exception {
    // Build the signature element first; the credential is bound to it below
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    // Resolve the issuer certificate chain by keystore alias
    CryptoType aliasLookup = new CryptoType(CryptoType.TYPE.ALIAS);
    aliasLookup.setAlias(issuerKeyName);
    X509Certificate[] certChain = issuerCrypto.getX509Certificates(aliasLookup);
    if (certChain == null) {
        throw new Exception("No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName);
    }
    X509Certificate signingCert = certChain[0];

    // Derive the signature algorithm from the key type: RSA-SHA1 by default, DSA for DSA keys
    boolean dsaKey = "DSA".equalsIgnoreCase(signingCert.getPublicKey().getAlgorithm());
    String signatureAlgorithm = dsaKey
            ? SignatureConstants.ALGO_ID_SIGNATURE_DSA
            : SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;

    PrivateKey signingKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
    BasicX509Credential signingCredential = new BasicX509Credential(signingCert, signingKey);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setSigningCredential(signingCredential);

    if (useKeyInfo) {
        X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
        keyInfoFactory.setEmitEntityCertificate(true);
        try {
            signature.setKeyInfo(keyInfoFactory.newInstance().generate(signingCredential));
        } catch (org.opensaml.security.SecurityException ex) {
            throw new Exception("Error generating KeyInfo from signing credential", ex);
        }
    }

    // Attach the signature and drop the cached DOM of the response and its children
    response.setSignature(signature);
    response.releaseDOM();
    response.releaseChildrenDOM(true);
}
use of org.opensaml.xmlsec.signature.KeyInfo in project cxf by apache.
the class SamlPostBindingFilter method signAuthnRequest.
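/**
 * Signs the outgoing {@code AuthnRequest} with the configured signature key.
 *
 * <p>Requires a signature {@code Crypto}, a signature user name and a
 * {@code CallbackHandler} that supplies the key password; a missing piece of
 * configuration is logged and reported as an internal server error. The
 * signature algorithm comes from {@code getSignatureAlgorithm()}, except that
 * DSA keys always use {@code SSOConstants.DSA_SHA1}. A {@code KeyInfo} with the
 * entity certificate is embedded, and the cached DOM of the request is
 * released. The private key is destroyed (best effort) whether or not signing
 * set-up succeeds.
 *
 * @param authnRequest the request to sign
 * @throws Exception if no certificate is found for the signature user, the
 *         {@code KeyInfo} cannot be generated, or the callback or crypto fails
 */
protected void signAuthnRequest(AuthnRequest authnRequest) throws Exception {
    Crypto crypto = getSignatureCrypto();
    if (crypto == null) {
        LOG.warning("No crypto instance of properties file configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    String signatureUser = getSignatureUsername();
    if (signatureUser == null) {
        LOG.warning("No user configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    CallbackHandler callbackHandler = getCallbackHandler();
    if (callbackHandler == null) {
        LOG.warning("No CallbackHandler configured to supply a password for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }

    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(signatureUser);
    X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
    if (issuerCerts == null) {
        throw new Exception("No issuer certs were found to sign the request using name: " + signatureUser);
    }

    String sigAlgo = getSignatureAlgorithm();
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
    LOG.fine("automatic sig algo detection: " + pubKeyAlgo);
    if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
        // A DSA key overrides the configured algorithm
        sigAlgo = SSOConstants.DSA_SHA1;
    }
    LOG.fine("Using Signature algorithm " + sigAlgo);

    // Get the password
    WSPasswordCallback[] cb = { new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE) };
    callbackHandler.handle(cb);
    String password = cb[0].getPassword();

    // Get the private key
    PrivateKey privateKey = crypto.getPrivateKey(signatureUser, password);
    try {
        // Create the signature
        Signature signature = OpenSAMLUtil.buildSignature();
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        signature.setSignatureAlgorithm(sigAlgo);
        BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
        signature.setSigningCredential(signingCredential);

        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);
        try {
            KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
            signature.setKeyInfo(keyInfo);
        } catch (org.opensaml.security.SecurityException ex) {
            throw new Exception("Error generating KeyInfo from signing credential", ex);
        }

        SignableSAMLObject signableObject = authnRequest;
        signableObject.setSignature(signature);
        signableObject.releaseDOM();
        signableObject.releaseChildrenDOM(true);
    } finally {
        // Clean the private key from memory when we're done, on the failure path too.
        // destroy() is best effort: key implementations that do not support it throw
        // DestroyFailedException, which is why that failure is deliberately ignored.
        if (privateKey != null) {
            try {
                privateKey.destroy();
            } catch (DestroyFailedException ignored) {
                // not supported by this key implementation
            }
        }
    }
}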
use of org.opensaml.xmlsec.signature.KeyInfo in project cxf by apache.
the class SAMLProtocolResponseValidator method validateAssertion.
/**
 * Validates a single Assertion contained in a SAML Response.
 *
 * <p>If the assertion is signed, its ID attribute is registered on the DOM,
 * the signing key is resolved from the signature's {@code KeyInfo} (or from
 * the default alias when {@code keyInfoMustBeAvailable} is false), the
 * signature is verified and the subject parsed. Afterwards a
 * {@code SamlSSOAssertionValidator} checks the assertion contents and trust
 * in the signature.
 *
 * @param assertion       the assertion to validate
 * @param sigCrypto       crypto used to verify the signature
 * @param callbackHandler callback handler passed on via the request data
 * @param doc             the response document (not referenced by this method)
 * @param signedResponse  whether the enclosing response was itself signed
 * @throws WSSecurityException when no signing key can be resolved, or when
 *         signature or assertion validation fails
 */
private void validateAssertion(SamlAssertionWrapper assertion, Crypto sigCrypto,
                               CallbackHandler callbackHandler, Document doc,
                               boolean signedResponse) throws WSSecurityException {
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);

    Credential credential = new Credential();
    credential.setSamlAssertion(assertion);

    if (assertion.isSigned()) {
        // Mark the assertion's identifier attribute as an ID type on the DOM
        // (SAML 1.x uses AssertionID, SAML 2.0 uses ID)
        if (assertion.getSaml1() != null) {
            assertion.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true);
        } else {
            assertion.getSaml2().getDOM().setIdAttributeNS(null, "ID", true);
        }
        // Verify the signature
        try {
            Signature signature = assertion.getSignature();
            requestData.setWsDocInfo(new WSDocInfo(signature.getDOM().getOwnerDocument()));

            KeyInfo keyInfo = signature.getKeyInfo();
            SAMLKeyInfo signingKey;
            if (keyInfo != null) {
                signingKey = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(),
                        new WSSSAMLKeyInfoProcessor(requestData), sigCrypto);
            } else if (keyInfoMustBeAvailable) {
                signingKey = null;
            } else {
                signingKey = createKeyInfoFromDefaultAlias(sigCrypto);
            }
            if (signingKey == null) {
                LOG.warning("No KeyInfo supplied in the SAMLResponse assertion signature");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            assertion.verifySignature(signingKey);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData),
                    requestData.getSigVerCrypto(), requestData.getCallbackHandler());
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, "Assertion failed signature validation", e);
            throw e;
        }
    }

    // Validate the Assertion & verify trust in the signature
    try {
        new SamlSSOAssertionValidator(signedResponse).validate(credential, requestData);
    } catch (WSSecurityException ex) {
        LOG.log(Level.FINE, "Assertion validation failed: " + ex.getMessage(), ex);
        throw ex;
    }
}