/** * Gets the signature algorithm URI to use. * * @param signingParameters the signing parameters to use * * @return signature algorithm to use with the associated signing credential * * @throws MessageEncodingException thrown if the algorithm URI is not supplied explicitly and * could not be derived from the supplied credential */ protected String getSignatureAlgorithmURI(SignatureSigningParameters signingParameters) throws MessageEncodingException { if (signingParameters.getSignatureAlgorithm() != null) { return signingParameters.getSignatureAlgorithm(); } throw new MessageEncodingException("The signing algorithm URI could not be determined"); }
/** {@inheritDoc} */ protected void populateVelocityContext(VelocityContext velocityContext, MessageContext<SAMLObject> messageContext, String endpointURL) throws MessageEncodingException { super.populateVelocityContext(velocityContext, messageContext, endpointURL); SignatureSigningParameters signingParameters = SAMLMessageSecuritySupport.getContextSigningParameters(messageContext); if (signingParameters == null || signingParameters.getSigningCredential() == null) { log.debug("No signing credential was supplied, skipping HTTP-Post simple signing"); return; } String sigAlgURI = getSignatureAlgorithmURI(signingParameters); velocityContext.put("SigAlg", sigAlgURI); String formControlData = buildFormDataToSign(velocityContext, messageContext, sigAlgURI); velocityContext.put("Signature", generateSignature(signingParameters.getSigningCredential(), sigAlgURI, formControlData)); KeyInfoGenerator kiGenerator = signingParameters.getKeyInfoGenerator(); if (kiGenerator != null) { String kiBase64 = buildKeyInfo(signingParameters.getSigningCredential(), kiGenerator); if (!Strings.isNullOrEmpty(kiBase64)) { velocityContext.put("KeyInfo", kiBase64); } } }
public void signObject(SignableSAMLObject signable, SimpleKey key, AlgorithmMethod algorithm, DigestMethod digest) { KeyStoreCredentialResolver resolver = getCredentialsResolver(key); Credential credential = getCredential(key, resolver); XMLObjectBuilder<org.opensaml.xmlsec.signature.Signature> signatureBuilder = (XMLObjectBuilder<org.opensaml.xmlsec.signature.Signature>) getBuilderFactory() .getBuilder(org.opensaml.xmlsec.signature.Signature.DEFAULT_ELEMENT_NAME); org.opensaml.xmlsec.signature.Signature signature = signatureBuilder.buildObject(org.opensaml.xmlsec .signature.Signature.DEFAULT_ELEMENT_NAME); signable.setSignature(signature); SignatureSigningParameters parameters = new SignatureSigningParameters(); parameters.setSigningCredential(credential); parameters.setKeyInfoGenerator(getKeyInfoGenerator(credential)); parameters.setSignatureAlgorithm(algorithm.toString()); parameters.setSignatureReferenceDigestMethod(digest.toString()); parameters.setSignatureCanonicalizationAlgorithm( CanonicalizationMethod.ALGO_ID_C14N_EXCL_OMIT_COMMENTS.toString() ); try { SignatureSupport.prepareSignatureParams(signature, parameters); Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(signable); marshaller.marshall(signable); Signer.signObject(signature); } catch (SecurityException | MarshallingException | SignatureException e) { throw new SamlKeyException(e); } }
@Override protected void doEncode() throws MessageEncodingException { val messageContext = new MessageContext(); if (logoutRequest.isSigned()) { val signingContext = messageContext.getSubcontext(SecurityParametersContext.class, true); val signingParams = new SignatureSigningParameters(); val signature = logoutRequest.getSignature(); signingParams.setSigningCredential(signature.getSigningCredential()); signingParams.setSignatureAlgorithm(signature.getSignatureAlgorithm()); signingContext.setSignatureSigningParameters(signingParams); } removeSignature(logoutRequest); val encodedMessage = deflateAndBase64Encode(logoutRequest); messageContext.setMessage(logoutRequest); this.redirectUrl = buildRedirectURL(messageContext, endpointUrl, encodedMessage); }
/** * Build signature signing parameters signature signing parameters. * * @param descriptor the descriptor * @param service the service * @return the signature signing parameters */ @SneakyThrows protected SignatureSigningParameters buildSignatureSigningParameters(final RoleDescriptor descriptor, final SamlRegisteredService service) { val criteria = new CriteriaSet(); val signatureSigningConfiguration = getSignatureSigningConfiguration(descriptor, service); criteria.add(new SignatureSigningConfigurationCriterion(signatureSigningConfiguration)); criteria.add(new RoleDescriptorCriterion(descriptor)); val resolver = new SAMLMetadataSignatureSigningParametersResolver(); LOGGER.trace("Resolving signature signing parameters for [{}]", descriptor.getElementQName().getLocalPart()); @NonNull val params = resolver.resolveSingle(criteria); LOGGER.trace("Created signature signing parameters." + "\nSignature algorithm: [{}]" + "\nSignature canonicalization algorithm: [{}]" + "\nSignature reference digest methods: [{}]", params.getSignatureAlgorithm(), params.getSignatureCanonicalizationAlgorithm(), params.getSignatureReferenceDigestMethod()); return params; }
log.debug("Resolved signature algorithm URI from SAML metadata SigningMethod: {}", signingMethod.getAlgorithm()); params.setSigningCredential(credential); params.setSignatureAlgorithm(signingMethod.getAlgorithm()); return; } else {
if (signingParameters != null && signingParameters.getSigningCredential() != null) { String sigAlgURI = getSignatureAlgorithmURI(signingParameters); Pair<String, String> sigAlg = new Pair<>("SigAlg", sigAlgURI); signingParameters.getSigningCredential(), sigAlgURI, sigMaterial))); } else { log.debug("No signing credential was supplied, skipping HTTP-Redirect DEFLATE signing");
@Override public SignatureSigningParameters build(final SSODescriptor descriptor) { try { final CriteriaSet criteria = new CriteriaSet(); criteria.add(new SignatureSigningConfigurationCriterion( getSignatureSigningConfiguration())); criteria.add(new RoleDescriptorCriterion(descriptor)); final SAMLMetadataSignatureSigningParametersResolver resolver = new SAMLMetadataSignatureSigningParametersResolver(); final SignatureSigningParameters params = resolver.resolveSingle(criteria); augmentSignatureSigningParameters(params); if (params == null) { throw new SAMLException("Could not determine the signature parameters"); } logger.info("Created signature signing parameters." + "\nSignature algorithm: {}" + "\nSignature canonicalization algorithm: {}" + "\nSignature reference digest methods: {}", params.getSignatureAlgorithm(), params.getSignatureCanonicalizationAlgorithm(), params.getSignatureReferenceDigestMethod()); return params; } catch (final Exception e) { throw new SAMLException(e); } }
if (signingParameters != null && signingParameters.getSigningCredential() != null) { String sigAlgURI = getSignatureAlgorithmURI(signingParameters); Pair<String, String> sigAlg = new Pair<>("SigAlg", sigAlgURI); signingParameters.getSigningCredential(), sigAlgURI, sigMaterial))); } else { log.debug("No signing credential was supplied, skipping HTTP-Redirect DEFLATE signing");
/** * Gets the signature algorithm URI to use. * * @param signingParameters the signing parameters to use * * @return signature algorithm to use with the associated signing credential * * @throws MessageEncodingException thrown if the algorithm URI is not supplied explicitly and * could not be derived from the supplied credential */ protected String getSignatureAlgorithmURI(SignatureSigningParameters signingParameters) throws MessageEncodingException { if (signingParameters.getSignatureAlgorithm() != null) { return signingParameters.getSignatureAlgorithm(); } throw new MessageEncodingException("The signing algorithm URI could not be determined"); }
/** * Gets the signature algorithm URI to use. * * @param signingParameters the signing parameters to use * * @return signature algorithm to use with the associated signing credential * * @throws MessageEncodingException thrown if the algorithm URI is not supplied explicitly and * could not be derived from the supplied credential */ protected String getSignatureAlgorithmURI(SignatureSigningParameters signingParameters) throws MessageEncodingException { if (signingParameters.getSignatureAlgorithm() != null) { return signingParameters.getSignatureAlgorithm(); } throw new MessageEncodingException("The signing algorithm URI could not be determined"); }