public List<SignatureSigningConfiguration> apply(ProfileRequestContext input) { return Collections.singletonList( SecurityConfigurationSupport.getGlobalSignatureSigningConfiguration()); } };
public List<EncryptionConfiguration> apply(final ProfileRequestContext input) { return Collections.singletonList(SecurityConfigurationSupport.getGlobalEncryptionConfiguration()); } };
public List<SignatureValidationConfiguration> apply(ProfileRequestContext input) { return Collections.singletonList( SecurityConfigurationSupport.getGlobalSignatureValidationConfiguration()); } };
Assertion assertion = createAssertion(); // Assume this contains a recipient's RSA public key Credential keyEncryptionCredential = getKEKCredential(); EncryptionParameters encParams = new EncryptionParameters(); encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256); KeyEncryptionParameters kekParams = new KeyEncryptionParameters(); kekParams.setEncryptionCredential(keyEncryptionCredential); kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() .getKeyInfoGeneratorManager().getDefaultManager() .getFactory(keyEncryptionCredential); kekParams.setKeyInfoGenerator(kigf.newInstance()); Encrypter samlEncrypter = new Encrypter(encParams, kekParams); samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
@Override protected void doEncode() throws MessageEncodingException { val messageContext = new MessageContext(); if (logoutRequest.isSigned()) { val signingContext = messageContext.getSubcontext(SecurityParametersContext.class, true); val signingParams = new SignatureSigningParameters(); val signature = logoutRequest.getSignature(); signingParams.setSigningCredential(signature.getSigningCredential()); signingParams.setSignatureAlgorithm(signature.getSignatureAlgorithm()); signingContext.setSignatureSigningParameters(signingParams); } removeSignature(logoutRequest); val encodedMessage = deflateAndBase64Encode(logoutRequest); messageContext.setMessage(logoutRequest); this.redirectUrl = buildRedirectURL(messageContext, endpointUrl, encodedMessage); }
sigConfigs.add(SecurityConfigurationSupport.getGlobalSignatureValidationConfiguration()); paramsResolver = new BasicSignatureValidationParametersResolver(); new SignatureValidationConfigurationCriterion(sigConfigs)); final SignatureValidationParameters params = paramsResolver.resolveSingle(configCriteria); criteriaSet.add(new SignatureValidationParametersCriterion(params), true);
@Override public SignatureSigningParameters build(final SSODescriptor descriptor) { try { final CriteriaSet criteria = new CriteriaSet(); criteria.add(new SignatureSigningConfigurationCriterion( getSignatureSigningConfiguration())); criteria.add(new RoleDescriptorCriterion(descriptor)); final SAMLMetadataSignatureSigningParametersResolver resolver = new SAMLMetadataSignatureSigningParametersResolver(); final SignatureSigningParameters params = resolver.resolveSingle(criteria); augmentSignatureSigningParameters(params); if (params == null) { throw new SAMLException("Could not determine the signature parameters"); } logger.info("Created signature signing parameters." + "\nSignature algorithm: {}" + "\nSignature canonicalization algorithm: {}" + "\nSignature reference digest methods: {}", params.getSignatureAlgorithm(), params.getSignatureCanonicalizationAlgorithm(), params.getSignatureReferenceDigestMethod()); return params; } catch (final Exception e) { throw new SAMLException(e); } }
BasicEncryptionConfiguration selfConfig = new BasicEncryptionConfiguration(); selfConfig.setKeyTransportEncryptionCredentials(Collections.singletonList(cred)); if (input.getSecond() != null && input.getSecond().getDataEncryptionAlgorithm() != null) { selfConfig.setDataEncryptionAlgorithms(Collections.singletonList( input.getSecond().getDataEncryptionAlgorithm())); Iterables.addAll(encParams, encParamsresolver.resolve( new CriteriaSet(new EncryptionConfigurationCriterion(configs)))); } catch (ResolverException e) { log.error("Error resolving self-encryption parameters for Credential '{}', "
/** * Gets the signature algorithm URI to use. * * @param signingParameters the signing parameters to use * * @return signature algorithm to use with the associated signing credential * * @throws MessageEncodingException thrown if the algorithm URI is not supplied explicitly and * could not be derived from the supplied credential */ protected String getSignatureAlgorithmURI(SignatureSigningParameters signingParameters) throws MessageEncodingException { if (signingParameters.getSignatureAlgorithm() != null) { return signingParameters.getSignatureAlgorithm(); } throw new MessageEncodingException("The signing algorithm URI could not be determined"); }
/** {@inheritDoc} */ @Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) { final Object theMessage = messageLookupStrategy.apply(profileRequestContext); if (theMessage == null) { log.debug("{} No message was returned by lookup strategy", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX); return false; } else if (!(theMessage instanceof SAMLObject)) { log.debug("{} Message was not a SAML construct, nothing to do", getLogPrefix()); return false; } message = (SAMLObject) theMessage; final SecurityParametersContext paramsCtx = securityParamsLookupStrategy.apply(profileRequestContext); if (paramsCtx == null || paramsCtx.getDecryptionParameters() == null) { log.debug("{} No security parameter context or decryption parameters", getLogPrefix()); } else { final DecryptionParameters params = paramsCtx.getDecryptionParameters(); decrypter = new Decrypter(params.getDataKeyInfoCredentialResolver(), params.getKEKKeyInfoCredentialResolver(), params.getEncryptedKeyResolver()); } return super.doPreExecute(profileRequestContext); }
/** {@inheritDoc} */ protected void populateVelocityContext(VelocityContext velocityContext, MessageContext<SAMLObject> messageContext, String endpointURL) throws MessageEncodingException { super.populateVelocityContext(velocityContext, messageContext, endpointURL); SignatureSigningParameters signingParameters = SAMLMessageSecuritySupport.getContextSigningParameters(messageContext); if (signingParameters == null || signingParameters.getSigningCredential() == null) { log.debug("No signing credential was supplied, skipping HTTP-Post simple signing"); return; } String sigAlgURI = getSignatureAlgorithmURI(signingParameters); velocityContext.put("SigAlg", sigAlgURI); String formControlData = buildFormDataToSign(velocityContext, messageContext, sigAlgURI); velocityContext.put("Signature", generateSignature(signingParameters.getSigningCredential(), sigAlgURI, formControlData)); KeyInfoGenerator kiGenerator = signingParameters.getKeyInfoGenerator(); if (kiGenerator != null) { String kiBase64 = buildKeyInfo(signingParameters.getSigningCredential(), kiGenerator); if (!Strings.isNullOrEmpty(kiBase64)) { velocityContext.put("KeyInfo", kiBase64); } } }
accepted = keyTransportPredicate.apply(new KeyTransportAlgorithmPredicate.SelectionInput( algorithm, dataEncryptionAlgorithm, keyTransportCredential)); super.resolveKeyTransportAlgorithm(keyTransportCredential, criteria, whitelistBlacklistPredicate, dataEncryptionAlgorithm), null);
/** {@inheritDoc} */ @Override @Nullable protected TrustEngine<Signature> resolveTrustEngine(@Nonnull final MessageContext messageContext) { final SecurityParametersContext secParams = messageContext.getSubcontext(SecurityParametersContext.class); if (secParams == null || secParams.getSignatureValidationParameters() == null) { return null; } else { return secParams.getSignatureValidationParameters().getSignatureTrustEngine(); } }
public List<DecryptionConfiguration> apply(ProfileRequestContext input) { return Collections.singletonList(SecurityConfigurationSupport.getGlobalDecryptionConfiguration()); } };
/** * Resolve the list of effective base {@link EncryptionConfiguration} for self-encryption. * * @param profileRequestContext the current profile request context * * @return the resolved configurations */ @Nonnull protected List<EncryptionConfiguration> resolveBaseConfigurations( @Nonnull final ProfileRequestContext profileRequestContext) { List<EncryptionConfiguration> baseConfigs = null; if (configurationLookupStrategy != null) { log.debug("Self-encryption EncryptionConfiguration lookup strategy was non-null"); baseConfigs = configurationLookupStrategy.apply(profileRequestContext); } else { log.debug("Self-encryption EncryptionConfiguration lookup strategy was null"); } if (baseConfigs != null) { return baseConfigs; } else { log.debug("No self-encryption EncryptionConfigurations were resolved, returning global configuration"); return Collections.singletonList(SecurityConfigurationSupport.getGlobalEncryptionConfiguration()); } }
/** * Gets the signature algorithm URI to use. * * @param signingParameters the signing parameters to use * * @return signature algorithm to use with the associated signing credential * * @throws MessageEncodingException thrown if the algorithm URI is not supplied explicitly and * could not be derived from the supplied credential */ protected String getSignatureAlgorithmURI(SignatureSigningParameters signingParameters) throws MessageEncodingException { if (signingParameters.getSignatureAlgorithm() != null) { return signingParameters.getSignatureAlgorithm(); } throw new MessageEncodingException("The signing algorithm URI could not be determined"); }
/** {@inheritDoc} */ @Override @Nullable public List<SignatureValidationConfiguration> apply(@Nullable final MessageContext input) { final List<SignatureValidationConfiguration> configs = new ArrayList<>(); final RelyingPartyContext rpc = getRelyingPartyContextLookupStrategy().apply(input); if (rpc != null) { final ProfileConfiguration pc = rpc.getProfileConfig(); if (pc != null && pc.getSecurityConfiguration() != null) { configs.add(pc.getSecurityConfiguration().getSignatureValidationConfiguration()); } // Check for a per-profile default (relying party independent) config. if (pc != null && rpResolver != null) { final SecurityConfiguration defaultConfig = rpResolver.getDefaultSecurityConfiguration(pc.getId()); if (defaultConfig != null && defaultConfig.getSignatureValidationConfiguration() != null) { configs.add(defaultConfig.getSignatureValidationConfiguration()); } } } configs.add(SecurityConfigurationSupport.getGlobalSignatureValidationConfiguration()); return configs; }
/** {@inheritDoc} */ @Override protected boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException { if (!super.doPreInvoke(messageContext)) { return false; } peerContext = messageContext.getSubcontext(SAMLPeerEntityContext.class); if (peerContext == null || peerContext.getRole() == null) { throw new MessageHandlerException("SAMLPeerEntityContext was missing or unpopulated"); } samlProtocolContext = messageContext.getSubcontext(SAMLProtocolContext.class); if (samlProtocolContext == null || samlProtocolContext.getProtocol() == null) { throw new MessageHandlerException("SAMLProtocolContext was missing or unpopulated"); } final SecurityParametersContext secParams = messageContext.getSubcontext(SecurityParametersContext.class); if (secParams == null || secParams.getSignatureValidationParameters() == null || secParams.getSignatureValidationParameters().getSignatureTrustEngine() == null) { throw new MessageHandlerException("No SignatureTrustEngine was available from the MessageContext"); } else { trustEngine = secParams.getSignatureValidationParameters().getSignatureTrustEngine(); } return true; }
/** {@inheritDoc} */ @Override @Nullable public List<EncryptionConfiguration> apply(@Nullable final ProfileRequestContext input) { final List<EncryptionConfiguration> configs = new ArrayList<>(); if (selfConfig != null) { configs.add(selfConfig); } // Check for a per-profile default config. if (includeProfileDefaultConfiguration && input != null && rpResolver != null) { final SecurityConfiguration defaultConfig = rpResolver.getDefaultSecurityConfiguration(input.getProfileId()); if (defaultConfig != null && defaultConfig.getEncryptionConfiguration() != null) { configs.add(defaultConfig.getEncryptionConfiguration()); } } configs.add(SecurityConfigurationSupport.getGlobalEncryptionConfiguration()); return configs; }
/** * Gets the signature algorithm URI to use. * * @param signingParameters the signing parameters to use * * @return signature algorithm to use with the associated signing credential * * @throws MessageEncodingException thrown if the algorithm URI is not supplied explicitly and * could not be derived from the supplied credential */ protected String getSignatureAlgorithmURI(SignatureSigningParameters signingParameters) throws MessageEncodingException { if (signingParameters.getSignatureAlgorithm() != null) { return signingParameters.getSignatureAlgorithm(); } throw new MessageEncodingException("The signing algorithm URI could not be determined"); }