use of org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine in project cas by apereo.
the class SamlUtils method buildSignatureValidationFilter.
/**
 * Builds a metadata {@link SignatureValidationFilter} backed by the signing credential found at the given resource.
 * <p>
 * The filter's trust engine is an {@link ExplicitKeySignatureTrustEngine} whose credential resolver is a
 * {@link StaticCredentialResolver} holding only the credential resolved from {@code signatureResourceLocation};
 * key info embedded in the metadata is resolved through RSA/DSA key-value, DER-encoded key-value and inline
 * X.509 providers. Note that the filter is configured with {@code setRequireSignedRoot(false)}, so a metadata
 * document whose root element carries no signature is not rejected by this filter on its own.
 *
 * @param signatureResourceLocation resource holding the certificate/key used to verify metadata signatures
 * @return the configured filter, or {@code null} when the resource cannot be located
 * @throws Exception if the credential cannot be built from the resource
 */
public static SignatureValidationFilter buildSignatureValidationFilter(final Resource signatureResourceLocation) throws Exception {
    if (!ResourceUtils.doesResourceExist(signatureResourceLocation)) {
        LOGGER.warn("Resource [{}] cannot be located", signatureResourceLocation);
        return null;
    }
    final KeyInfoProvider[] providers = {
        new RSAKeyValueProvider(),
        new DSAKeyValueProvider(),
        new DEREncodedKeyValueProvider(),
        new InlineX509DataProvider()
    };
    final List<KeyInfoProvider> keyInfoProviders = new ArrayList<>(providers.length);
    for (final KeyInfoProvider provider : providers) {
        keyInfoProviders.add(provider);
    }
    LOGGER.debug("Attempting to resolve credentials from [{}]", signatureResourceLocation);
    final BasicCredential signingCredential = buildCredentialForMetadataSignatureValidation(signatureResourceLocation);
    LOGGER.info("Successfully resolved credentials from [{}]", signatureResourceLocation);
    LOGGER.debug("Configuring credential resolver for key signature trust engine @ [{}]", signingCredential.getCredentialType().getSimpleName());
    // The static resolver carries exactly one credential: the one loaded from the configured resource.
    final ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
        new StaticCredentialResolver(signingCredential),
        new BasicProviderKeyInfoCredentialResolver(keyInfoProviders));
    LOGGER.debug("Adding signature validation filter based on the configured trust engine");
    final SignatureValidationFilter filter = new SignatureValidationFilter(trustEngine);
    // An unsigned metadata root is tolerated by this filter.
    filter.setRequireSignedRoot(false);
    LOGGER.debug("Added metadata SignatureValidationFilter with signature from [{}]", signatureResourceLocation);
    return filter;
}
use of org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine in project cas by apereo.
the class WsFederationHelper method buildSignatureTrustEngine.
/**
 * Builds the signature trust engine used to verify WS-Federation tokens.
 * <p>
 * Both the credential resolver and the key-info resolver are static ones populated solely from the signing
 * certificates configured on {@code wsFederationConfiguration}; no other key material is consulted.
 *
 * @param wsFederationConfiguration the WS-Federation configuration supplying the signing certificates
 * @return an {@link ExplicitKeySignatureTrustEngine} over the configured signing certificates
 * @throws RuntimeException if construction fails; checked exceptions are wrapped via {@code Throwables.propagate}
 */
private static SignatureTrustEngine buildSignatureTrustEngine(final WsFederationConfiguration wsFederationConfiguration) {
    try {
        return new ExplicitKeySignatureTrustEngine(
            new StaticCredentialResolver(wsFederationConfiguration.getSigningCertificates()),
            new StaticKeyInfoCredentialResolver(wsFederationConfiguration.getSigningCertificates()));
    } catch (final Exception e) {
        // Unchecked exceptions are rethrown as-is; checked ones are wrapped in a RuntimeException.
        throw Throwables.propagate(e);
    }
}
use of org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine in project cas by apereo.
the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.
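/**
 * Validates the signature on a SAML2 authentication request that arrived via the HTTP-Redirect (DEFLATE) binding.
 * <p>
 * The peer entity id is taken from the request issuer, the SP role descriptor is resolved from metadata, and an
 * {@link ExplicitKeySignatureTrustEngine} is built over the single signing credential resolved for that SP.
 * Optional blacklisted/whitelisted algorithm overrides from this instance are applied to the validation
 * parameters before the OpenSAML handler is invoked.
 *
 * @param profileRequest         the inbound SAML request whose signature is validated
 * @param request                the HTTP request carrying the redirect-binding signature parameters
 * @param context                the message context populated with peer, protocol and security-parameter subcontexts
 * @param roleDescriptorResolver resolver for the SP role descriptor and its signing credential
 * @throws SamlException if the SP role descriptor or its signing credential cannot be resolved
 * @throws Exception     propagated from the handler; a signature that fails validation is expected to surface
 *                       here as a handler exception (not asserted by this method itself)
 */
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    final SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
    final SAMLPeerEntityContext peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlRequest(profileRequest));
    LOGGER.debug("Validating request signature for [{}] via [{}]...", peer.getEntityId(), handler.getClass().getSimpleName());
    LOGGER.debug("Resolving role descriptor for [{}]", peer.getEntityId());
    final RoleDescriptor roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peer.getEntityId()), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    // An unknown SP must fail with a clear error rather than a NullPointerException below.
    if (roleDescriptor == null) {
        throw new SamlException("Role descriptor for [" + peer.getEntityId() + "] could not be resolved");
    }
    peer.setRole(roleDescriptor.getElementQName());
    final SAMLProtocolContext protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);
    LOGGER.debug("Building security parameters context for signature validation of [{}]", peer.getEntityId());
    final SecurityParametersContext secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    final SignatureValidationParameters validationParams = new SignatureValidationParameters();
    if (this.overrideBlackListedSignatureAlgorithms != null && !this.overrideBlackListedSignatureAlgorithms.isEmpty()) {
        validationParams.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
        // Log the blacklist that was actually applied (previously logged the whitelist by mistake).
        LOGGER.debug("Validation override blacklisted algorithms are [{}]", this.overrideBlackListedSignatureAlgorithms);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        validationParams.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
        LOGGER.debug("Validation override whitelisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    LOGGER.debug("Resolving signing credentials for [{}]", peer.getEntityId());
    final Credential credential = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credential == null) {
        throw new SamlException("Signing credential for validation could not be resolved");
    }
    // Trust is pinned to the single credential resolved for this SP from metadata.
    final CredentialResolver resolver = new StaticCredentialResolver(credential);
    final KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
    final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
    validationParams.setSignatureTrustEngine(trustEngine);
    secCtx.setSignatureValidationParameters(validationParams);
    handler.setHttpServletRequest(request);
    LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
    handler.initialize();
    LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
    handler.invoke(context);
    LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
}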