Search in sources :

Example 1 with X509CredentialImpl

use of org.wso2.carbon.identity.oauth2.util.X509CredentialImpl in project carbon-identity-framework by wso2.

the class WSXACMLMessageReceiver method getPublicX509CredentialImpl.

/**
 * get a org.wso2.carbon.identity.entitlement.wsxacml.X509CredentialImpl using RegistryService
 *
 * @return created X509Credential
 */
private X509CredentialImpl getPublicX509CredentialImpl() throws Exception {
    X509CredentialImpl credentialImpl;
    KeyStoreManager keyStoreManager;
    try {
        keyStoreManager = KeyStoreManager.getInstance(-1234);
        // load the default pub. cert using the configuration in carbon.xml
        java.security.cert.X509Certificate cert = keyStoreManager.getDefaultPrimaryCertificate();
        credentialImpl = new X509CredentialImpl(cert);
        return credentialImpl;
    } catch (Exception e) {
        log.error("Error instantiating an org.wso2.carbon.identity.entitlement.wsxacml.X509CredentialImpl " + "object for the public cert.", e);
        throw new Exception("Error instantiating an org.wso2.carbon.identity.entitlement.wsxacml.X509CredentialImpl " + "object for the public cert.", e);
    }
}
Also used : KeyStoreManager(org.wso2.carbon.core.util.KeyStoreManager) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) CertificateEncodingException(java.security.cert.CertificateEncodingException) EntitlementException(org.wso2.carbon.identity.entitlement.EntitlementException)

Example 2 with X509CredentialImpl

use of org.wso2.carbon.identity.oauth2.util.X509CredentialImpl in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML2BearerGrantHandler method validateSignatureAgainstSAMLSignKeyStoreCertificate.

/**
 * Validate the signature against the certificate obtained from SAML Sign KeyStore which is defined under
 * Security.SAMLSignKeyStore in carbon.xml.
 *
 * @param assertion assertion.
 * @throws IdentityOAuth2Exception
 */
protected void validateSignatureAgainstSAMLSignKeyStoreCertificate(Assertion assertion) throws IdentityOAuth2Exception {
    try {
        X509Certificate x509Certificate = getCertificateFromSAMLSignKeyStore();
        X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
        SignatureValidator.validate(assertion.getSignature(), x509Credential);
    } catch (SignatureException e) {
        if (StringUtils.isNotEmpty(assertion.getIssuer().getValue())) {
            throw new IdentityOAuth2Exception("Error while validating the signature from SAML sign keystore for SAML Token Issuer: " + assertion.getIssuer().getValue(), e);
        } else {
            throw new IdentityOAuth2Exception("Error while validating the signature from SAML sign keystore, SAML Token Issuer is null.", e);
        }
    }
}
Also used : X509Credential(org.opensaml.security.x509.X509Credential) IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception) X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) X509Certificate(java.security.cert.X509Certificate)

Example 3 with X509CredentialImpl

use of org.wso2.carbon.identity.oauth2.util.X509CredentialImpl in project identity-inbound-auth-oauth by wso2-extensions.

the class CarbonKeyStoreCredentialResolver method resolveFromSource.

@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    try {
        Set<Credential> credentialSet = new HashSet<>();
        Enumeration<String> en = keyStore.aliases();
        while (en.hasMoreElements()) {
            String alias = en.nextElement();
            X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
            Credential credential = new X509CredentialImpl(cert);
            if (criteriaSet.get(EntityIdCriterion.class) != null) {
                if (criteriaSet.get(EntityIdCriterion.class).getEntityId().equals(alias)) {
                    credentialSet.add(credential);
                    break;
                }
            } else {
                credentialSet.add(credential);
            }
        }
        return credentialSet;
    } catch (KeyStoreException e) {
        log.error(e);
        throw new SecurityException("Error reading certificates from key store");
    }
}
Also used : Credential(org.opensaml.security.credential.Credential) X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) KeyStoreException(java.security.KeyStoreException) X509Certificate(java.security.cert.X509Certificate) HashSet(java.util.HashSet)

Example 4 with X509CredentialImpl

use of org.wso2.carbon.identity.oauth2.util.X509CredentialImpl in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML1BearerGrantHandler method validateGrant.

/**
 * We're validating the SAML token that we receive from the request. Through the assertion parameter is the POST
 * request. A request format that we handle here looks like,
 * <p/>
 * POST /token.oauth2 HTTP/1.1
 * Host: as.example.com
 * Content-Type: application/x-www-form-urlencoded
 * <p/>
 * grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml1-bearer&
 * assertion=PHNhbWxwOl...[omitted for brevity]...ZT4
 *
 * @param tokReqMsgCtx Token message request context
 * @return true if validation is successful, false otherwise
 * @throws org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception
 */
@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
    boolean validGrant = super.validateGrant(tokReqMsgCtx);
    Assertion assertion;
    IdentityProvider identityProvider = null;
    String tokenEndpointAlias = null;
    String tenantDomain = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
    if (tenantDomain == null || "".equals(tenantDomain)) {
        tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    }
    RequestParameter[] requestParameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
    for (RequestParameter requestParameter : requestParameters) {
        if (requestParameter.getKey().equals("assertion")) {
            String[] values = requestParameter.getValue();
            tokReqMsgCtx.getOauth2AccessTokenReqDTO().setAssertion(values[0]);
            break;
        }
    }
    if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.SAML_ASSERTION)) {
        log.debug("Received SAML assertion : " + new String(Base64.decodeBase64(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion()), StandardCharsets.UTF_8));
    }
    try {
        XMLObject samlObject = UnmarshallUtils.unmarshall(new String(Base64.decodeBase64(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion()), StandardCharsets.UTF_8));
        // Validating for multiple assertions
        NodeList assertionList = samlObject.getDOM().getElementsByTagNameNS(SAMLConstants.SAML1_NS, "Assertion");
        if (assertionList.getLength() > 0) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid schema for SAML Assertion. Nested assertions detected.");
            }
            return false;
        }
        if (samlObject instanceof Assertion) {
            assertion = (Assertion) samlObject;
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Only Assertion objects are validated in SAML1Bearer Grant Type");
            }
            return false;
        }
    } catch (IdentityUnmarshallingException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while unmarshalling SAML1.0 assertion", e);
        }
        return false;
    }
    /*
         * The Assertion MUST contain a <Subject> element.  The subject MAY identify the resource owner for whom
         * the access token is being requested.  For client authentication, the Subject MUST be the "client_id"
         * of the OAuth client.  When using an Assertion as an authorization grant, the Subject SHOULD identify
         * an authorized accessor for whom the access token is being requested (typically the resource owner, or
         * an authorized delegate).  Additional information identifying the subject/principal of the transaction
         * MAY be included in an <AttributeStatement>.
         */
    List<AuthenticationStatement> authenticationStatements = assertion.getAuthenticationStatements();
    Subject subject;
    if (authenticationStatements != null && authenticationStatements.size() > 0) {
        AuthenticationStatement authenticationStatement = authenticationStatements.get(0);
        subject = authenticationStatement.getSubject();
        if (subject != null) {
            String resourceOwnerUserName = subject.getNameIdentifier().getNameIdentifier();
            if (resourceOwnerUserName == null || resourceOwnerUserName.equals("")) {
                if (log.isDebugEnabled()) {
                    log.debug("NameID in Assertion cannot be empty");
                }
                return false;
            }
            AuthenticatedUser user = OAuth2Util.getUserFromUserName(resourceOwnerUserName);
            user.setAuthenticatedSubjectIdentifier(resourceOwnerUserName);
            user.setFederatedUser(true);
            tokReqMsgCtx.setAuthorizedUser(user);
            if (log.isDebugEnabled()) {
                log.debug("Resource Owner User Name is set to " + resourceOwnerUserName);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Subject element cannot be empty.");
            }
            return false;
        }
    } else {
        if (log.isDebugEnabled()) {
            log.debug("Authentication Statement cannot be empty");
        }
        return false;
    }
    if (assertion.getIssuer() == null || assertion.getIssuer().isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("Issuer is empty in the SAML assertion");
        }
        return false;
    } else {
        try {
            if (log.isDebugEnabled()) {
                log.debug("Issuer is :" + assertion.getIssuer());
            }
            identityProvider = IdentityProviderManager.getInstance().getIdPByAuthenticatorPropertyValue("IdPEntityId", assertion.getIssuer(), tenantDomain, false);
            // resident IDP entitiID == issuer
            if (identityProvider != null) {
                if (IdentityApplicationConstants.RESIDENT_IDP_RESERVED_NAME.equals(identityProvider.getIdentityProviderName())) {
                    identityProvider = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
                    FederatedAuthenticatorConfig[] fedAuthnConfigs = identityProvider.getFederatedAuthenticatorConfigs();
                    String idpEntityId = null;
                    // Get SAML authenticator
                    FederatedAuthenticatorConfig samlAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.SAML2SSO.NAME);
                    // Get Entity ID from SAML authenticator
                    Property samlProperty = IdentityApplicationManagementUtil.getProperty(samlAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.SAML2SSO.IDP_ENTITY_ID);
                    if (samlProperty != null) {
                        idpEntityId = samlProperty.getValue();
                    }
                    if (idpEntityId == null || !assertion.getIssuer().equals(idpEntityId)) {
                        if (log.isDebugEnabled()) {
                            log.debug("SAML Token Issuer verification failed or Issuer not registered");
                        }
                        return false;
                    }
                    // Get OpenIDConnect authenticator == OAuth
                    // authenticator
                    FederatedAuthenticatorConfig oauthAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.OIDC.NAME);
                    // Get OAuth token endpoint
                    Property oauthProperty = IdentityApplicationManagementUtil.getProperty(oauthAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_TOKEN_URL);
                    if (oauthProperty != null) {
                        tokenEndpointAlias = oauthProperty.getValue();
                    }
                } else {
                    // Get Alias from Federated IDP
                    tokenEndpointAlias = identityProvider.getAlias();
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Token Issuer verification failed or Issuer not registered");
                }
                return false;
            }
        } catch (IdentityProviderManagementException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while getting Federated Identity Provider ", e);
            }
        }
    }
    if (audienceRestrictionValidationEnabled) {
        if (tokenEndpointAlias == null || tokenEndpointAlias.equals("")) {
            String errorMsg = "Token Endpoint alias of the local Identity Provider has not been " + "configured for " + identityProvider.getIdentityProviderName();
            if (log.isDebugEnabled()) {
                log.debug(errorMsg);
            }
            return false;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            List<AudienceRestrictionCondition> audienceRestrictions = conditions.getAudienceRestrictionConditions();
            if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
                boolean audienceFound = false;
                for (AudienceRestrictionCondition audienceRestriction : audienceRestrictions) {
                    if (audienceRestriction.getAudiences() != null && audienceRestriction.getAudiences().size() > 0) {
                        for (Audience audience : audienceRestriction.getAudiences()) {
                            if (audience.getUri().equals(tokenEndpointAlias)) {
                                audienceFound = true;
                                break;
                            }
                        }
                    }
                    if (audienceFound) {
                        break;
                    }
                }
                if (!audienceFound) {
                    if (log.isDebugEnabled()) {
                        log.debug("SAML Assertion Audience Restriction validation failed");
                    }
                    return false;
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Assertion doesn't contain AudienceRestrictions");
                }
                return false;
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("SAML Assertion doesn't contain Conditions");
            }
            return false;
        }
    }
    /*
         * The Assertion MUST have an expiry that limits the time window during which it can be used.  The expiry
         * can be expressed either as the NotOnOrAfter attribute of the <Conditions> element or as the NotOnOrAfter
         * attribute of a suitable <SubjectConfirmationData> element.
         */
    /*
         * The <Subject> element MUST contain at least one <SubjectConfirmation> element that allows the
         * authorization server to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation> element MUST
         * have a Method attribute with a value of "urn:oasis:names:tc:SAML:1.0:cm:bearer".  The
         * <SubjectConfirmation> element MUST contain a <SubjectConfirmationData> element, unless the Assertion
         * has a suitable NotOnOrAfter attribute on the <Conditions> element, in which case the
         * <SubjectConfirmationData> element MAY be omitted.
         * The <SubjectConfirmationData> element MUST have a NotOnOrAfter attribute that limits the window during
         * which the Assertion can be confirmed.  The <SubjectConfirmationData> element MAY also contain an Address
         * attribute limiting the client address from which the Assertion can be delivered.  Verification of the
         * Address is at the discretion of the authorization server.
         */
    DateTime notOnOrAfterFromConditions = null;
    Set<DateTime> notOnOrAfterFromSubjectConfirmations = new HashSet<DateTime>();
    boolean bearerFound = false;
    if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
        notOnOrAfterFromConditions = assertion.getConditions().getNotOnOrAfter();
    }
    SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmation();
    List<ConfirmationMethod> confirmationMethods = subjectConfirmation.getConfirmationMethods();
    for (ConfirmationMethod confirmationMethod : confirmationMethods) {
        if (OAuthConstants.OAUTH_SAML1_BEARER_METHOD.equals(confirmationMethod.getConfirmationMethod())) {
            bearerFound = true;
        }
    }
    if (!bearerFound) {
        if (log.isDebugEnabled()) {
            log.debug("Cannot find a subject confirmation with method " + OAuthConstants.OAUTH_SAML1_BEARER_METHOD + " in subject confirmation " + subject.getSubjectConfirmation());
        }
        return false;
    }
    XMLObject confirmationData = subject.getSubjectConfirmation().getSubjectConfirmationData();
    if (confirmationData == null) {
        log.warn("Subject confirmation data is missing.");
    }
    /*
         * The authorization server MUST verify that the NotOnOrAfter instant has not passed, subject to allowable
         * clock skew between systems.  An invalid NotOnOrAfter instant on the <Conditions> element invalidates
         * the entire Assertion.  An invalid NotOnOrAfter instant on a <SubjectConfirmationData> element only
         * invalidates the individual <SubjectConfirmation>.  The authorization server MAY reject Assertions with
         * a NotOnOrAfter instant that is unreasonably far in the future.  The authorization server MAY ensure
         * that Bearer Assertions are not replayed, by maintaining the set of used ID values for the length of
         * time for which the Assertion would be considered valid based on the applicable NotOnOrAfter instant.
         */
    long timestampSkewInMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
    if (notOnOrAfterFromConditions != null && notOnOrAfterFromConditions.plus(timestampSkewInMillis).isBeforeNow()) {
        // notOnOrAfter is an expired timestamp
        if (log.isDebugEnabled()) {
            log.debug("NotOnOrAfter is having an expired timestamp in Conditions element");
        }
        return false;
    }
    boolean validSubjectConfirmationDataExists = false;
    if (!notOnOrAfterFromSubjectConfirmations.isEmpty()) {
        for (DateTime entry : notOnOrAfterFromSubjectConfirmations) {
            if (entry.plus(timestampSkewInMillis).isAfterNow()) {
                validSubjectConfirmationDataExists = true;
            }
        }
    }
    if (notOnOrAfterFromConditions == null && !validSubjectConfirmationDataExists) {
        if (log.isDebugEnabled()) {
            log.debug("No valid NotOnOrAfter element found in SubjectConfirmations");
        }
        return false;
    }
    try {
        profileValidator.validate(assertion.getSignature());
    } catch (SignatureException e) {
        // Indicates signature did not conform to SAML1.0 Signature profile
        if (log.isDebugEnabled()) {
            log.debug("Signature did not conform to SAML1.0 Signature profile", e);
        }
        return false;
    }
    X509Certificate x509Certificate = null;
    try {
        x509Certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
    } catch (CertificateException e) {
        String message = "Error occurred while decoding public certificate of Identity Provider " + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain;
        throw new IdentityOAuth2Exception(message, e);
    }
    try {
        X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
        SignatureValidator.validate(assertion.getSignature(), x509Credential);
        if (log.isDebugEnabled()) {
            log.debug("Signature validation successful");
        }
    } catch (SignatureException e) {
        if (log.isDebugEnabled()) {
            log.debug("Signature validation failure:" + e.getMessage(), e);
        }
        return false;
    }
    tokReqMsgCtx.setScope(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getScope());
    // Storing the Assertion. This will be used in OpenID Connect for example
    tokReqMsgCtx.addProperty(OAuthConstants.OAUTH_SAML2_ASSERTION, assertion);
    // Invoking extension
    SAML2TokenCallbackHandler callback = OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
    if (callback != null) {
        if (log.isDebugEnabled()) {
            log.debug("Invoking the SAML2 Token callback handler");
        }
        callback.handleSAML2Token(tokReqMsgCtx);
    }
    return validGrant;
}
Also used : FederatedAuthenticatorConfig(org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig) ConfirmationMethod(org.opensaml.saml.saml1.core.ConfirmationMethod) CertificateException(java.security.cert.CertificateException) IdentityUnmarshallingException(org.wso2.carbon.identity.saml.common.util.exception.IdentityUnmarshallingException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement) Conditions(org.opensaml.saml.saml1.core.Conditions) DateTime(org.joda.time.DateTime) SubjectConfirmation(org.opensaml.saml.saml1.core.SubjectConfirmation) IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception) X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl) AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition) Property(org.wso2.carbon.identity.application.common.model.Property) HashSet(java.util.HashSet) Audience(org.opensaml.saml.saml1.core.Audience) RequestParameter(org.wso2.carbon.identity.oauth2.model.RequestParameter) NodeList(org.w3c.dom.NodeList) Assertion(org.opensaml.saml.saml1.core.Assertion) XMLObject(org.opensaml.core.xml.XMLObject) IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider) Subject(org.opensaml.saml.saml1.core.Subject) X509Certificate(java.security.cert.X509Certificate) X509Credential(org.opensaml.security.x509.X509Credential) IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)

Example 5 with X509CredentialImpl

use of org.wso2.carbon.identity.oauth2.util.X509CredentialImpl in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML2BearerGrantHandler method validateSignatureAgainstIdpCertificate.

protected void validateSignatureAgainstIdpCertificate(Assertion assertion, String tenantDomain, IdentityProvider identityProvider) throws IdentityOAuth2Exception {
    boolean isExceptionThrown = false;
    SignatureException signatureException = null;
    CertificateInfo[] certificateInfos = identityProvider.getCertificateInfoArray();
    if (log.isDebugEnabled()) {
        log.debug(certificateInfos.length + " certificates found for Identity Provider " + identityProvider.getIdentityProviderName());
    }
    if (ArrayUtils.isEmpty(certificateInfos)) {
        // when signature validation was done only for one certificate.
        throw new IdentityOAuth2Exception("No certificates found for Identity Provider " + identityProvider.getIdentityProviderName() + " of tenant domain " + tenantDomain);
    }
    try {
        /*
              The process mentioned below is done because OpenSAML3 does not support OSGi refer
              https://shibboleth.1660669.n2.nabble.com/Null-Pointer-Exception-from-UnmarshallerFactory-while-migrating
              -from-OpenSAML2-x-to-OpenSAML3-x-td7643903.html
              and https://stackoverflow.com/questions/37948303/opensaml3-resource-not-found-default-config-xml-in-osgi
              -container
            */
        Thread thread = Thread.currentThread();
        ClassLoader originalClassLoader = thread.getContextClassLoader();
        thread.setContextClassLoader(SignatureValidationProvider.class.getClassLoader());
        try {
            int index = 0;
            for (CertificateInfo certificateInfo : certificateInfos) {
                X509Certificate x509Certificate = getIdpCertificate(tenantDomain, identityProvider, certificateInfo);
                X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
                try {
                    if (log.isDebugEnabled()) {
                        log.debug("Validating the signature with certificate " + certificateInfo.getThumbPrint() + " at index: " + index);
                    }
                    SignatureValidator.validate(assertion.getSignature(), x509Credential);
                    isExceptionThrown = false;
                    break;
                } catch (SignatureException e) {
                    if (log.isDebugEnabled()) {
                        log.debug("Signature validation failed with certificate " + certificateInfo.getThumbPrint() + " at index: " + index);
                    }
                    isExceptionThrown = true;
                    if (signatureException == null) {
                        signatureException = e;
                    } else {
                        signatureException.addSuppressed(e);
                    }
                }
                index++;
            }
            // If all the certification validation fails, then throw the exception.
            if (isExceptionThrown) {
                throw signatureException;
            }
        } finally {
            thread.setContextClassLoader(originalClassLoader);
        }
    } catch (SignatureException e) {
        throw new IdentityOAuth2Exception("Error while validating the signature.", e);
    }
}
Also used : X509Credential(org.opensaml.security.x509.X509Credential) IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception) X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl) SignatureValidationProvider(org.opensaml.xmlsec.signature.support.SignatureValidationProvider) CertificateInfo(org.wso2.carbon.identity.application.common.model.CertificateInfo) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) X509Certificate(java.security.cert.X509Certificate)

Aggregations

X509Certificate (java.security.cert.X509Certificate)4 SignatureException (org.opensaml.xmlsec.signature.support.SignatureException)4 X509CredentialImpl (org.wso2.carbon.identity.oauth2.util.X509CredentialImpl)4 X509Credential (org.opensaml.security.x509.X509Credential)3 IdentityOAuth2Exception (org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception)3 HashSet (java.util.HashSet)2 KeyStoreException (java.security.KeyStoreException)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1 CertificateException (java.security.cert.CertificateException)1 DateTime (org.joda.time.DateTime)1 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1 XMLObject (org.opensaml.core.xml.XMLObject)1 Assertion (org.opensaml.saml.saml1.core.Assertion)1 Audience (org.opensaml.saml.saml1.core.Audience)1 AudienceRestrictionCondition (org.opensaml.saml.saml1.core.AudienceRestrictionCondition)1 AuthenticationStatement (org.opensaml.saml.saml1.core.AuthenticationStatement)1 Conditions (org.opensaml.saml.saml1.core.Conditions)1 ConfirmationMethod (org.opensaml.saml.saml1.core.ConfirmationMethod)1 Subject (org.opensaml.saml.saml1.core.Subject)1 SubjectConfirmation (org.opensaml.saml.saml1.core.SubjectConfirmation)1