/** * Signs the specified {@link SignableSAMLObject} with the specified {@link Credential} and * {@code signatureAlgorithm}. */ static void sign(SignableSAMLObject signableObj, Credential signingCredential, String signatureAlgorithm) { requireNonNull(signableObj, "signableObj"); requireNonNull(signingCredential, "signingCredential"); requireNonNull(signatureAlgorithm, "signatureAlgorithm"); final Signature signature = signatureBuilder.buildObject(); signature.setSignatureAlgorithm(signatureAlgorithm); signature.setSigningCredential(signingCredential); signature.setCanonicalizationAlgorithm(ALGO_ID_C14N_EXCL_OMIT_COMMENTS); try { signature.setKeyInfo(keyInfoGenerator.generate(signingCredential)); } catch (SecurityException e) { throw new SamlException("failed to create a key info of signing credential", e); } signableObj.setSignature(signature); serialize(signableObj); try { Signer.signObject(signature); } catch (SignatureException e) { throw new SamlException("failed to sign a SAML object", e); } }
KeyInfo keyInfo=(KeyInfo)Configuration.getBuilderFactory().getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME).buildObject(KeyInfo.DEFAULT_ELEMENT_NAME); X509Data data=(X509Data)Configuration.getBuilderFactory().getBuilder(X509Data.DEFAULT_ELEMENT_NAME).buildObject(X509Data.DEFAULT_ELEMENT_NAME); X509Certificate cert=(X509Certificate)Configuration.getBuilderFactory().getBuilder(X509Certificate.DEFAULT_ELEMENT_NAME).buildObject(X509Certificate.DEFAULT_ELEMENT_NAME); signature.setSigningCredential(signingCredential); value=org.apache.xml.security.utils.Base64.encode(signingCredential.getEntityCertificate().getEncoded()); cert.setValue(value); data.getX509Certificates().add(cert); keyInfo.getX509Datas().add(data); signature.setKeyInfo(keyInfo);
/** * {@inheritDoc} * * When a signature is added, a default content reference that uses the ID of this object will be * created and added to the signature at the time of signing. See {@link SAMLObjectContentReference} * for the default digest algorithm and transforms that will be used. These default values may be * changed prior to marshalling this object. */ public void setSignature(@Nullable final Signature newSignature) { if(newSignature != null && newSignature.getContentReferences().isEmpty()) { newSignature.getContentReferences().add(new SAMLObjectContentReference(this)); } super.setSignature(newSignature); }
digestAlgorithm, X509Credential cred) throws IdentitySAML2QueryException { Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME); signature.setSigningCredential(cred); signature.setSignatureAlgorithm(signatureAlgorithm); signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); try { KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME); X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME); String value = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded()); cert.setValue(value); data.getX509Certificates().add(cert); keyInfo.getX509Datas().add(data); signature.setKeyInfo(keyInfo); } catch (CertificateEncodingException e) { log.error("Error occurred while retrieving encoded cert", e); throw new IdentitySAML2QueryException("Error occurred while retrieving encoded cert"); signableXMLObject.setSignature(signature); ((SAMLObjectContentReference) signature.getContentReferences().get(0)).setDigestAlgorithm(digestAlgorithm); Signer.signObjects(signatureList); } catch (SignatureException e) { log.error("Error occurred while signing request", e);
/** * Generates an XML Object representing a digital signature. * * @param signatureAlgorithm the algorithm used to compute the signature * @param credential the signature signing credentials * @return an XML Object representing an enveloped or detached XML Digital Signature * @throws SSOException if an error occurs while getting the signature */ private static Signature setSignatureRaw(String signatureAlgorithm, X509Credential credential) throws SSOException { Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME); signature.setSigningCredential(credential); signature.setSignatureAlgorithm(signatureAlgorithm); signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); try { KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME); X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME); X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME); String value = org.apache.xml.security.utils.Base64.encode(credential.getEntityCertificate().getEncoded()); cert.setValue(value); data.getX509Certificates().add(cert); keyInfo.getX509Datas().add(data); signature.setKeyInfo(keyInfo); return signature; } catch (CertificateEncodingException e) { throw new SSOException("Error getting certificate", e); } }
public void sign(final SignableSAMLObject signableObject) throws SecurityException { org.opensaml.xmlsec.signature.Signature signature = OpenSAMLUtil.buildSignature(); signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); signature.setSignatureAlgorithm(sigAlgo); signature.setSigningCredential(loader.getCredential()); signature.setKeyInfo(keyInfoGenerator.generate(loader.getCredential())); signableObject.setSignature(signature); signableObject.releaseDOM(); signableObject.releaseChildrenDOM(true); }
/** * Verify the signature of this assertion * * @throws ValidationException */ public void verifySignature( SAMLKeyInfoProcessor keyInfoProcessor, Crypto sigCrypto ) throws WSSecurityException { Signature sig = getSignature(); if (sig != null) { KeyInfo keyInfo = sig.getKeyInfo(); if (keyInfo == null) { throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", new Object[] {"cannot get certificate or key"} ); } SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), keyInfoProcessor, sigCrypto); verifySignature(samlKeyInfo); } else { LOG.debug("SamlAssertionWrapper: no signature to validate"); } }
protected List<SimpleKey> getKeyFromDescriptor(KeyDescriptor desc) { List<SimpleKey> result = new LinkedList<>(); if (desc.getKeyInfo() == null) { return null; } KeyType type = desc.getUse() != null ? KeyType.valueOf(desc.getUse().name()) : KeyType.UNSPECIFIED; int index = 0; for (X509Data x509 : ofNullable(desc.getKeyInfo().getX509Datas()).orElse(emptyList())) { for (X509Certificate cert : ofNullable(x509.getX509Certificates()).orElse(emptyList())) { result.add(new SimpleKey(type.getTypeName() + "-" + (index++), null, cert.getValue(), null, type )); } } return result; }
public void resignAssertion(Assertion assertion) throws SignatureException { final Signature signature = assertion.getSignature(); if (signature == null) { signSamlObject(assertion); return; } final String digestAlgorithm = ((SAMLObjectContentReference) signature.getContentReferences().get(0)).getDigestAlgorithm(); signSamlObject( assertion, signature.getSignatureAlgorithm(), signature.getCanonicalizationAlgorithm(), digestAlgorithm); }
private byte[] getSignatureValue(Signature signature) throws WSSecurityException { Element signatureElement = signature.getDOM(); if (signatureElement != null) { Element signedInfoElem = XMLUtils.getNextElement(signatureElement.getFirstChild()); if (signedInfoElem != null) { Element signatureValueElement = XMLUtils.getNextElement(signedInfoElem.getNextSibling()); if (signatureValueElement != null) { String base64Input = XMLUtils.getFullTextChildrenFromElement(signatureValueElement); return XMLUtils.decode(base64Input); } } } return null; }
/** * Method setSignature sets the signature of this SamlAssertionWrapper object. * * @param signature the signature of this SamlAssertionWrapper object. * @param signatureDigestAlgorithm the signature digest algorithm to use */ public void setSignature(Signature signature, String signatureDigestAlgorithm) { if (samlObject instanceof SignableSAMLObject) { SignableSAMLObject signableObject = (SignableSAMLObject) samlObject; signableObject.setSignature(signature); String digestAlg = signatureDigestAlgorithm; if (digestAlg == null) { digestAlg = defaultSignatureDigestAlgorithm; } SAMLObjectContentReference contentRef = (SAMLObjectContentReference)signature.getContentReferences().get(0); contentRef.setDigestAlgorithm(digestAlg); signableObject.releaseDOM(); signableObject.releaseChildrenDOM(true); } else { LOG.error("Attempt to sign an unsignable object " + samlObject.getClass().getName()); } }
/** * Link a single EncryptedKey to the EncryptedData according to guidelines in SAML Errata E43. * * @param encData the EncryptedData * @param encKey the EncryptedKey */ protected void linkSinglePeerKey(EncryptedData encData, EncryptedKey encKey) { log.debug("Linking single peer EncryptedKey with RetrievalMethod and DataReference"); // Forward reference from EncryptedData to the EncryptedKey RetrievalMethod rm = retrievalMethodBuilder.buildObject(); rm.setURI("#" + encKey.getID()); rm.setType(EncryptionConstants.TYPE_ENCRYPTED_KEY); encData.getKeyInfo().getRetrievalMethods().add(rm); // Back reference from the EncryptedKey to the EncryptedData DataReference dr = dataReferenceBuilder.buildObject(); dr.setURI("#" + encData.getID()); encKey.getReferenceList().getDataReferences().add(dr); }
log.debug("Linking multiple peer EncryptedKeys with CarriedKeyName and DataReference"); List<KeyName> dataEncKeyNames = encData.getKeyInfo().getKeyNames(); String carriedKeyNameValue; if (dataEncKeyNames.size() == 0 || Strings.isNullOrEmpty(dataEncKeyNames.get(0).getValue())) { keyName = keyNameBuilder.buildObject(); dataEncKeyNames.add(keyName); keyName.setValue(keyNameValue); carriedKeyNameValue = keyNameValue; } else { carriedKeyNameValue = dataEncKeyNames.get(0).getValue();
@Override protected void doEncode() throws MessageEncodingException { val messageContext = new MessageContext(); if (logoutRequest.isSigned()) { val signingContext = messageContext.getSubcontext(SecurityParametersContext.class, true); val signingParams = new SignatureSigningParameters(); val signature = logoutRequest.getSignature(); signingParams.setSigningCredential(signature.getSigningCredential()); signingParams.setSignatureAlgorithm(signature.getSignatureAlgorithm()); signingContext.setSignatureSigningParameters(signingParams); } removeSignature(logoutRequest); val encodedMessage = deflateAndBase64Encode(logoutRequest); messageContext.setMessage(logoutRequest); this.redirectUrl = buildRedirectURL(messageContext, endpointUrl, encodedMessage); }
/** * Place the EncryptedKey elements inside the KeyInfo element within the EncryptedData element. * * Although operationally trivial, this method is provided so that subclasses may override or augment as desired. * * @param encElement the EncryptedElementType instance which will hold the encrypted data and keys * @param encData the EncryptedData object * @param encKeys the list of EncryptedKey objects * @return the processed EncryptedElementType instance */ protected EncryptedElementType placeKeysInline(EncryptedElementType encElement, EncryptedData encData, List<EncryptedKey> encKeys) { log.debug("Placing EncryptedKey elements inline inside EncryptedData"); encData.getKeyInfo().getEncryptedKeys().addAll(encKeys); encElement.setEncryptedData(encData); return encElement; }
if (matchesKeyValue(key, keyInfo.getKeyValues())) { return true; if (matchesDEREncodedKeyValue(key, keyInfo.getDEREncodedKeyValues())) { return true;
/** * A helper function for derived classes that checks to see if the old and new value are equal and if so releases * the cached dom. Derived classes are expected to use this thus: <code> * this.foo = prepareForAssignment(this.foo, foo); * </code> * * This method will do a (null) safe compare of the objects and will also invalidate the DOM if appropriate * * @param oldValue - current value * @param newValue - proposed new value * * @return The value to assign to the saved Object */ @Nullable protected DateTime prepareForAssignment(@Nullable final DateTime oldValue, @Nullable final DateTime newValue) { DateTime utcValue = null; if (newValue != null) { utcValue = newValue.withZone(DateTimeZone.UTC); } return super.prepareForAssignment(oldValue, utcValue); } }
if (!signableMetadata.isSigned()){ if (getRequireSignedRoot()) { log.warn("Metadata root element was unsigned and signatures are required, "
KeyInfo keyInfo = signature.getKeyInfo(); if (keyInfo != null) { try { samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo( keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), crypto.getSignatureCrypto());
List<X509Data> x509Datas = keyInfo.getX509Datas(); if (x509Datas == null || x509Datas.isEmpty()) { log.debug("KeyInfo contained no X509Data children, skipping certificate match"); xmlCertificates = data.getX509Certificates(); if (xmlCertificates == null || xmlCertificates.isEmpty()) { log.debug("X509Data contained no X509Certificate children, skipping certificate match");