Examples with Saml2X509Credential org.springframework.security.saml2.core.Saml2X509Credential used on opensource projects

Example 11 with Saml2X509Credential

use of org.springframework.security.saml2.core.Saml2X509Credential in project spring-security by spring-projects.

the class OpenSamlDecryptionUtils method decrypter.

private static Decrypter decrypter(RelyingPartyRegistration registration) {
    Collection<Credential> credentials = new ArrayList<>();
    for (Saml2X509Credential key : registration.getDecryptionX509Credentials()) {
        Credential cred = CredentialSupport.getSimpleCredential(key.getCertificate(), key.getPrivateKey());
        credentials.add(cred);
    }
    KeyInfoCredentialResolver resolver = new CollectionKeyInfoCredentialResolver(credentials);
    Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);
    return decrypter;
}

Example 12 with Saml2X509Credential

use of org.springframework.security.saml2.core.Saml2X509Credential in project midpoint by Evolveum.

the class SamlModuleWebSecurityConfiguration method createRelyingPartyRegistration.

private static void createRelyingPartyRegistration(RelyingPartyRegistration.Builder registrationBuilder, SamlAdditionalConfiguration.Builder additionalConfigBuilder, Saml2ProviderAuthenticationModuleType providerType, String publicHttpUrlPattern, SamlModuleWebSecurityConfiguration configuration, Saml2KeyAuthenticationModuleType keysType, Saml2ServiceProviderAuthenticationModuleType serviceProviderType, ServletRequest request) {
    String linkText = providerType.getLinkText() == null ? providerType.getEntityId() : providerType.getLinkText();
    additionalConfigBuilder.nameOfUsernameAttribute(providerType.getNameOfUsernameAttribute()).linkText(linkText);
    String registrationId = StringUtils.isNotEmpty(serviceProviderType.getAliasForPath()) ? serviceProviderType.getAliasForPath() : (StringUtils.isNotEmpty(serviceProviderType.getAlias()) ? serviceProviderType.getAlias() : serviceProviderType.getEntityId());
    UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(StringUtils.isNotBlank(publicHttpUrlPattern) ? publicHttpUrlPattern : getBasePath((HttpServletRequest) request));
    UriComponentsBuilder ssoBuilder = builder.cloneBuilder();
    ssoBuilder.pathSegment(AuthUtil.stripSlashes(configuration.getPrefixOfModule()) + SSO_LOCATION_URL_SUFFIX);
    UriComponentsBuilder logoutBuilder = builder.cloneBuilder();
    logoutBuilder.pathSegment(AuthUtil.stripSlashes(configuration.getPrefixOfModule()) + LOGOUT_LOCATION_URL_SUFFIX);
    registrationBuilder.registrationId(registrationId).entityId(serviceProviderType.getEntityId()).assertionConsumerServiceLocation(ssoBuilder.build().toUriString()).singleLogoutServiceLocation(logoutBuilder.build().toUriString()).assertingPartyDetails(party -> {
        party.entityId(providerType.getEntityId());
        if (serviceProviderType.isSignRequests() != null) {
            party.wantAuthnRequestsSigned(Boolean.TRUE.equals(serviceProviderType.isSignRequests()));
        }
        if (providerType.getVerificationKeys() != null && !providerType.getVerificationKeys().isEmpty()) {
            party.verificationX509Credentials(c -> providerType.getVerificationKeys().forEach(verKey -> {
                byte[] certbytes = new byte[0];
                try {
                    certbytes = protector.decryptString(verKey).getBytes();
                } catch (EncryptionException e) {
                    LOGGER.error("Couldn't obtain clear string for provider verification key");
                }
                try {
                    X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certbytes));
                    c.add(new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.VERIFICATION));
                } catch (CertificateException e) {
                    LOGGER.error("Couldn't obtain certificate from " + verKey);
                }
            }));
        }
    });
    Saml2X509Credential activeCredential = null;
    ModuleSaml2SimpleKeyType simpleKeyType = keysType.getActiveSimpleKey();
    if (simpleKeyType != null) {
        activeCredential = getSaml2Credential(simpleKeyType, true);
    }
    ModuleSaml2KeyStoreKeyType storeKeyType = keysType.getActiveKeyStoreKey();
    if (storeKeyType != null) {
        activeCredential = getSaml2Credential(storeKeyType, true);
    }
    List<Saml2X509Credential> credentials = new ArrayList<>();
    if (activeCredential != null) {
        credentials.add(activeCredential);
    }
    if (keysType.getStandBySimpleKey() != null && !keysType.getStandBySimpleKey().isEmpty()) {
        for (ModuleSaml2SimpleKeyType standByKey : keysType.getStandBySimpleKey()) {
            Saml2X509Credential credential = getSaml2Credential(standByKey, false);
            if (credential != null) {
                credentials.add(credential);
            }
        }
    }
    if (keysType.getStandByKeyStoreKey() != null && !keysType.getStandByKeyStoreKey().isEmpty()) {
        for (ModuleSaml2KeyStoreKeyType standByKey : keysType.getStandByKeyStoreKey()) {
            Saml2X509Credential credential = getSaml2Credential(standByKey, false);
            if (credential != null) {
                credentials.add(credential);
            }
        }
    }
    if (!credentials.isEmpty()) {
        registrationBuilder.decryptionX509Credentials(c -> credentials.forEach(cred -> {
            if (cred.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.DECRYPTION)) {
                c.add(cred);
            }
        }));
        registrationBuilder.signingX509Credentials(c -> credentials.forEach(cred -> {
            if (cred.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.SIGNING)) {
                c.add(cred);
            }
        }));
    }
}

Example 13 with Saml2X509Credential

use of org.springframework.security.saml2.core.Saml2X509Credential in project midpoint by Evolveum.

the class MidpointAssertingPartyMetadataConverter method convert.

public RelyingPartyRegistration.Builder convert(InputStream inputStream, Saml2ProviderAuthenticationModuleType providerConfig) {
    EntityDescriptor descriptor = entityDescriptor(inputStream);
    IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idpssoDescriptor == null) {
        throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
    }
    List<Saml2X509Credential> verification = new ArrayList<>();
    List<Saml2X509Credential> encryption = new ArrayList<>();
    for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
        defineKeys(keyDescriptor, verification, encryption);
    }
    if (verification.isEmpty()) {
        throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
    }
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(descriptor.getEntityID()).assertingPartyDetails((party) -> party.entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption)));
    List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
    for (SigningMethod method : signingMethods) {
        builder.assertingPartyDetails((party) -> party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm())));
    }
    defineSingleSingOnService(idpssoDescriptor, providerConfig.getAuthenticationRequestBinding(), builder);
    defineSingleLogoutService(idpssoDescriptor, builder);
    return builder;
}

Example 14 with Saml2X509Credential

use of org.springframework.security.saml2.core.Saml2X509Credential in project spring-boot by spring-projects.

the class Saml2RelyingPartyRegistrationConfiguration method asDecryptionCredential.

private Saml2X509Credential asDecryptionCredential(Decryption.Credential properties) {
    RSAPrivateKey privateKey = readPrivateKey(properties.getPrivateKeyLocation());
    X509Certificate certificate = readCertificate(properties.getCertificateLocation());
    return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.DECRYPTION);
}

Example 15 with Saml2X509Credential

use of org.springframework.security.saml2.core.Saml2X509Credential in project midpoint by Evolveum.

the class SamlModuleWebSecurityConfiguration method getSaml2Credential.

public static Saml2X509Credential getSaml2Credential(ModuleSaml2SimpleKeyType key, boolean isActive) {
    if (key == null) {
        return null;
    }
    PrivateKey pkey;
    try {
        pkey = getPrivateKey(key, protector);
    } catch (IOException | OperatorCreationException | PKCSException | EncryptionException e) {
        throw new Saml2Exception("Unable get key from " + key, e);
    }
    Certificate certificate;
    try {
        certificate = getCertificate(key, protector);
    } catch (Base64Exception | EncryptionException | CertificateException e) {
        throw new Saml2Exception("Unable get certificate from " + key, e);
    }
    List<Saml2X509Credential.Saml2X509CredentialType> types = getTypesForKey(isActive, key.getType());
    return new Saml2X509Credential(pkey, (X509Certificate) certificate, types.toArray(new Saml2X509Credential.Saml2X509CredentialType[0]));
}