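/**
 * Applies the configured {@code signatureAlgorithm} to the global OpenSAML security configuration.
 * <p>
 * The RSA signature algorithm URI and the reference digest method are always switched together so
 * that a SHA-2 signature is never paired with a SHA-1 reference digest (or vice versa). The target
 * is the global configuration, not a per-bean copy, so every component reading it sees the change.
 *
 * @throws IllegalStateException if no signature algorithm was set, or the configured constant is
 *         not one this bean knows how to apply (previously such a value silently left the defaults
 *         in place)
 */
@Override
public void afterPropertiesSet() throws Exception {
    if (signatureAlgorithm == null) {
        throw new IllegalStateException("signatureAlgorithm must be set before afterPropertiesSet()");
    }
    BasicSecurityConfiguration config =
            (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();

    final String signatureUri;
    final String digestUri;
    switch (signatureAlgorithm) {
        case SHA1:
            signatureUri = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
            digestUri = SignatureConstants.ALGO_ID_DIGEST_SHA1;
            break;
        case SHA256:
            signatureUri = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
            digestUri = SignatureConstants.ALGO_ID_DIGEST_SHA256;
            break;
        case SHA512:
            signatureUri = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
            digestUri = SignatureConstants.ALGO_ID_DIGEST_SHA512;
            break;
        default:
            // Fail loudly instead of leaving whatever the global defaults happen to be.
            throw new IllegalStateException("Unsupported signature algorithm: " + signatureAlgorithm);
    }

    config.registerSignatureAlgorithmURI("RSA", signatureUri);
    config.setSignatureReferenceDigestMethod(digestUri);
}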
/** Selecting SHA256 must set both the RSA signature URI and the reference digest on the global config. */
@Test
public void testSHA256SignatureAlgorithm() throws Exception {
    SamlConfigurationBean bean = new SamlConfigurationBean();
    bean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA256);
    bean.afterPropertiesSet();

    BasicSecurityConfiguration global =
            (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    String expectedDigest = SignatureConstants.ALGO_ID_DIGEST_SHA256;
    String expectedSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
    assertEquals(expectedDigest, global.getSignatureReferenceDigestMethod());
    assertEquals(expectedSignature, global.getSignatureAlgorithmURI("RSA"));
}
/**
 * Populate signature-related parameters.
 * <p>
 * These are the stock defaults: RSA and ECDSA are paired with SHA-1 and the reference digest is
 * SHA-1 as well. A deployment that needs SHA-2 signatures has to re-register "RSA" (and the digest
 * method) on the configuration after it is built; nothing here does that.
 *
 * @param config the security configuration to populate
 */
protected static void populateSignatureParams(BasicSecurityConfiguration config) {
    // Asymmetric key algorithms, keyed by the JCA key algorithm name
    String[][] asymmetric = {
        { "RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1 },
        { "DSA", SignatureConstants.ALGO_ID_SIGNATURE_DSA },
        { "EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1 },
    };
    for (String[] entry : asymmetric) {
        config.registerSignatureAlgorithmURI(entry[0], entry[1]);
    }

    // HMAC algorithms: both symmetric key types map to HMAC-SHA1
    for (String symmetricKeyAlgorithm : new String[] { "AES", "DESede" }) {
        config.registerSignatureAlgorithmURI(symmetricKeyAlgorithm, SignatureConstants.ALGO_ID_MAC_HMAC_SHA1);
    }

    // Other signature-related params
    config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    config.setSignatureHMACOutputLength(null); // no explicit HMAC output length is requested
    config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1);
}
/**
 * Populate encryption-related parameters.
 * <p>
 * Registers the block-cipher, key-transport and key-wrap URIs for AES and TripleDES keys, keyed
 * by JCA key algorithm name and key length, and fixes AES-128 as the algorithm for automatically
 * generated data-encryption keys. RSA key transport uses RSA-OAEP for both wrapped key types.
 *
 * @param config the security configuration to populate
 */
protected static void populateEncryptionParams(BasicSecurityConfiguration config) {
    int[] aesLengths = { 128, 192, 256 };
    String[] aesBlockCiphers = {
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
    };
    String[] aesKeyWraps = {
        EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
        EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
        EncryptionConstants.ALGO_ID_KEYWRAP_AES256,
    };
    // TripleDES is registered under both its effective (168) and nominal (192) bit length
    int[] tripleDesLengths = { 168, 192 };

    // Data encryption URI's
    for (int i = 0; i < aesLengths.length; i++) {
        config.registerDataEncryptionAlgorithmURI("AES", aesLengths[i], aesBlockCiphers[i]);
    }
    for (int length : tripleDesLengths) {
        config.registerDataEncryptionAlgorithmURI("DESede", length, EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES);
    }

    // Key encryption URI's
    // Asymmetric key transport algorithms (no key length for RSA)
    for (String wrappedKeyAlgorithm : new String[] { "AES", "DESede" }) {
        config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, wrappedKeyAlgorithm,
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    }
    // Symmetric key wrap algorithms (no wrapped-key algorithm distinction)
    for (int i = 0; i < aesLengths.length; i++) {
        config.registerKeyTransportEncryptionAlgorithmURI("AES", aesLengths[i], null, aesKeyWraps[i]);
    }
    for (int length : tripleDesLengths) {
        config.registerKeyTransportEncryptionAlgorithmURI("DESede", length, null,
                EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES);
    }

    // Other encryption-related params
    config.setAutoGeneratedDataEncryptionKeyAlgorithmURI(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
}
/**
 * Stores the RSA signature algorithm URI and registers it with the global security configuration
 * right away.
 * <p>
 * The value is passed through unvalidated, so the caller is responsible for supplying a URI the
 * signing stack recognises. Because the registration targets the global configuration, it
 * affects every component that reads it, not just this bean.
 *
 * @param signatureAlgorithm the XML signature algorithm URI to use for RSA keys
 */
public void setSignatureAlgorithm(String signatureAlgorithm) {
    this.signatureAlgorithm = signatureAlgorithm;
    BasicSecurityConfiguration global =
            (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    global.registerSignatureAlgorithmURI("RSA", signatureAlgorithm);
}
}
secConfig.setSignatureReferenceDigestMethod(digestMethodAlgorithm);
/**
 * {@inheritDoc}
 * <p>
 * Returns {@code null} (rather than throwing) when no signing key can be extracted from the
 * credential or the key reports no algorithm name; the reason is logged at debug level only.
 */
public String getSignatureAlgorithmURI(Credential credential) {
    Key signingKey = SecurityHelper.extractSigningKey(credential);
    if (signingKey == null) {
        log.debug("Could not extract signing key from credential, unable to map to algorithm URI");
        return null;
    }
    String keyAlgorithm = signingKey.getAlgorithm();
    if (keyAlgorithm == null) {
        log.debug("Signing key algorithm value was not available, unable to map to algorithm URI");
        return null;
    }
    // Delegate to the overload keyed by JCA key algorithm name.
    return getSignatureAlgorithmURI(keyAlgorithm);
}
/**
 * {@inheritDoc}
 * <p>
 * Returns {@code null} (rather than throwing) when no encryption key can be extracted from the
 * credential or the key reports no algorithm name; the reason is logged at debug level only.
 */
public String getKeyTransportEncryptionAlgorithmURI(Credential credential, String wrappedKeyAlgorithm) {
    Key transportKey = SecurityHelper.extractEncryptionKey(credential);
    if (transportKey == null) {
        log.debug("Could not extract key transport encryption key from credential, unable to map to algorithm URI");
        return null;
    }
    String keyAlgorithm = transportKey.getAlgorithm();
    if (keyAlgorithm == null) {
        log.debug("Key transport encryption key algorithm value was not available, unable to map to algorithm URI");
        return null;
    }
    // Key length may be null for keys whose size cannot be determined; the overload accepts that.
    Integer keyLength = SecurityHelper.getKeyLength(transportKey);
    return getKeyTransportEncryptionAlgorithmURI(keyAlgorithm, keyLength, wrappedKeyAlgorithm);
}
/**
 * Populate KeyInfoCredentialResolver-related parameters.
 * <p>
 * Installs a resolver that understands only inline key material: RSA and DSA KeyValue elements
 * and inline X509Data. NOTE(review): these providers only parse what the KeyInfo carries; whether
 * the resolved credential is trusted is presumably decided elsewhere — confirm against callers.
 *
 * @param config the security configuration to populate
 */
protected static void populateKeyInfoCredentialResolverParams(BasicSecurityConfiguration config) {
    // Basic resolver for inline info
    ArrayList<KeyInfoProvider> inlineProviders = new ArrayList<KeyInfoProvider>(3);
    inlineProviders.add(new RSAKeyValueProvider());
    inlineProviders.add(new DSAKeyValueProvider());
    inlineProviders.add(new InlineX509DataProvider());
    config.setDefaultKeyInfoCredentialResolver(new BasicProviderKeyInfoCredentialResolver(inlineProviders));
}
/**
 * {@inheritDoc}
 * <p>
 * Returns {@code null} (rather than throwing) when no encryption key can be extracted from the
 * credential or the key reports no algorithm name; the reason is logged at debug level only.
 */
public String getDataEncryptionAlgorithmURI(Credential credential) {
    Key dataKey = SecurityHelper.extractEncryptionKey(credential);
    if (dataKey == null) {
        log.debug("Could not extract data encryption key from credential, unable to map to algorithm URI");
        return null;
    }
    String keyAlgorithm = dataKey.getAlgorithm();
    if (keyAlgorithm == null) {
        log.debug("Data encryption key algorithm value was not available, unable to map to algorithm URI");
        return null;
    }
    // Key length may be null for keys whose size cannot be determined; the overload accepts that.
    Integer keyLength = SecurityHelper.getKeyLength(dataKey);
    return getDataEncryptionAlgorithmURI(keyAlgorithm, keyLength);
}
/**
 * Build and return a default configuration.
 * <p>
 * Creates a fresh {@code BasicSecurityConfiguration} and runs each {@code populate*} step over
 * it in turn; the defaults they install include SHA-1-based signature algorithms, so callers
 * wanting stronger settings adjust the returned object afterwards.
 *
 * @return a new basic security configuration with reasonable default values
 */
public static BasicSecurityConfiguration buildDefaultConfig() {
    BasicSecurityConfiguration defaults = new BasicSecurityConfiguration();
    populateSignatureParams(defaults);
    populateEncryptionParams(defaults);
    populateKeyInfoCredentialResolverParams(defaults);
    populateKeyInfoGeneratorManager(defaults);
    populateKeyParams(defaults);
    return defaults;
}
/**
 * Populate signature-related parameters.
 * <p>
 * These are the stock defaults: RSA and ECDSA are paired with SHA-1 and the reference digest is
 * SHA-1 as well. A deployment that needs SHA-2 signatures has to re-register "RSA" (and the digest
 * method) on the configuration after it is built; nothing here does that.
 *
 * @param config the security configuration to populate
 */
protected static void populateSignatureParams(BasicSecurityConfiguration config) {
    // Asymmetric key algorithms, keyed by the JCA key algorithm name
    String[][] asymmetric = {
        { "RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1 },
        { "DSA", SignatureConstants.ALGO_ID_SIGNATURE_DSA },
        { "EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1 },
    };
    for (String[] entry : asymmetric) {
        config.registerSignatureAlgorithmURI(entry[0], entry[1]);
    }

    // HMAC algorithms: both symmetric key types map to HMAC-SHA1
    for (String symmetricKeyAlgorithm : new String[] { "AES", "DESede" }) {
        config.registerSignatureAlgorithmURI(symmetricKeyAlgorithm, SignatureConstants.ALGO_ID_MAC_HMAC_SHA1);
    }

    // Other signature-related params
    config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    config.setSignatureHMACOutputLength(null); // no explicit HMAC output length is requested
    config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1);
}
/**
 * Populate encryption-related parameters.
 * <p>
 * Registers the block-cipher, key-transport and key-wrap URIs for AES and TripleDES keys, keyed
 * by JCA key algorithm name and key length, and fixes AES-128 as the algorithm for automatically
 * generated data-encryption keys. RSA key transport uses RSA-OAEP for both wrapped key types.
 *
 * @param config the security configuration to populate
 */
protected static void populateEncryptionParams(BasicSecurityConfiguration config) {
    int[] aesLengths = { 128, 192, 256 };
    String[] aesBlockCiphers = {
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
    };
    String[] aesKeyWraps = {
        EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
        EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
        EncryptionConstants.ALGO_ID_KEYWRAP_AES256,
    };
    // TripleDES is registered under both its effective (168) and nominal (192) bit length
    int[] tripleDesLengths = { 168, 192 };

    // Data encryption URI's
    for (int i = 0; i < aesLengths.length; i++) {
        config.registerDataEncryptionAlgorithmURI("AES", aesLengths[i], aesBlockCiphers[i]);
    }
    for (int length : tripleDesLengths) {
        config.registerDataEncryptionAlgorithmURI("DESede", length, EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES);
    }

    // Key encryption URI's
    // Asymmetric key transport algorithms (no key length for RSA)
    for (String wrappedKeyAlgorithm : new String[] { "AES", "DESede" }) {
        config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, wrappedKeyAlgorithm,
                EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
    }
    // Symmetric key wrap algorithms (no wrapped-key algorithm distinction)
    for (int i = 0; i < aesLengths.length; i++) {
        config.registerKeyTransportEncryptionAlgorithmURI("AES", aesLengths[i], null, aesKeyWraps[i]);
    }
    for (int length : tripleDesLengths) {
        config.registerKeyTransportEncryptionAlgorithmURI("DESede", length, null,
                EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES);
    }

    // Other encryption-related params
    config.setAutoGeneratedDataEncryptionKeyAlgorithmURI(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
}
/**
 * {@inheritDoc}
 * <p>
 * Returns {@code null} (rather than throwing) when no signing key can be extracted from the
 * credential or the key reports no algorithm name; the reason is logged at debug level only.
 */
public String getSignatureAlgorithmURI(Credential credential) {
    Key signingKey = SecurityHelper.extractSigningKey(credential);
    if (signingKey == null) {
        log.debug("Could not extract signing key from credential, unable to map to algorithm URI");
        return null;
    }
    String keyAlgorithm = signingKey.getAlgorithm();
    if (keyAlgorithm == null) {
        log.debug("Signing key algorithm value was not available, unable to map to algorithm URI");
        return null;
    }
    // Delegate to the overload keyed by JCA key algorithm name.
    return getSignatureAlgorithmURI(keyAlgorithm);
}
/**
 * {@inheritDoc}
 * <p>
 * Returns {@code null} (rather than throwing) when no encryption key can be extracted from the
 * credential or the key reports no algorithm name; the reason is logged at debug level only.
 */
public String getKeyTransportEncryptionAlgorithmURI(Credential credential, String wrappedKeyAlgorithm) {
    Key transportKey = SecurityHelper.extractEncryptionKey(credential);
    if (transportKey == null) {
        log.debug("Could not extract key transport encryption key from credential, unable to map to algorithm URI");
        return null;
    }
    String keyAlgorithm = transportKey.getAlgorithm();
    if (keyAlgorithm == null) {
        log.debug("Key transport encryption key algorithm value was not available, unable to map to algorithm URI");
        return null;
    }
    // Key length may be null for keys whose size cannot be determined; the overload accepts that.
    Integer keyLength = SecurityHelper.getKeyLength(transportKey);
    return getKeyTransportEncryptionAlgorithmURI(keyAlgorithm, keyLength, wrappedKeyAlgorithm);
}
/**
 * Populate KeyInfoCredentialResolver-related parameters.
 * <p>
 * Installs a resolver that understands only inline key material: RSA and DSA KeyValue elements
 * and inline X509Data. NOTE(review): these providers only parse what the KeyInfo carries; whether
 * the resolved credential is trusted is presumably decided elsewhere — confirm against callers.
 *
 * @param config the security configuration to populate
 */
protected static void populateKeyInfoCredentialResolverParams(BasicSecurityConfiguration config) {
    // Basic resolver for inline info
    ArrayList<KeyInfoProvider> inlineProviders = new ArrayList<KeyInfoProvider>(3);
    inlineProviders.add(new RSAKeyValueProvider());
    inlineProviders.add(new DSAKeyValueProvider());
    inlineProviders.add(new InlineX509DataProvider());
    config.setDefaultKeyInfoCredentialResolver(new BasicProviderKeyInfoCredentialResolver(inlineProviders));
}
/**
 * {@inheritDoc}
 * <p>
 * Returns {@code null} (rather than throwing) when no encryption key can be extracted from the
 * credential or the key reports no algorithm name; the reason is logged at debug level only.
 */
public String getDataEncryptionAlgorithmURI(Credential credential) {
    Key dataKey = SecurityHelper.extractEncryptionKey(credential);
    if (dataKey == null) {
        log.debug("Could not extract data encryption key from credential, unable to map to algorithm URI");
        return null;
    }
    String keyAlgorithm = dataKey.getAlgorithm();
    if (keyAlgorithm == null) {
        log.debug("Data encryption key algorithm value was not available, unable to map to algorithm URI");
        return null;
    }
    // Key length may be null for keys whose size cannot be determined; the overload accepts that.
    Integer keyLength = SecurityHelper.getKeyLength(dataKey);
    return getDataEncryptionAlgorithmURI(keyAlgorithm, keyLength);
}
/**
 * Build and return a default configuration.
 * <p>
 * Creates a fresh {@code BasicSecurityConfiguration} and runs each {@code populate*} step over
 * it in turn; the defaults they install include SHA-1-based signature algorithms, so callers
 * wanting stronger settings adjust the returned object afterwards.
 *
 * @return a new basic security configuration with reasonable default values
 */
public static BasicSecurityConfiguration buildDefaultConfig() {
    BasicSecurityConfiguration defaults = new BasicSecurityConfiguration();
    populateSignatureParams(defaults);
    populateEncryptionParams(defaults);
    populateKeyInfoCredentialResolverParams(defaults);
    populateKeyInfoGeneratorManager(defaults);
    populateKeyParams(defaults);
    return defaults;
}
/**
 * Lets the superclass finish its post-processing, then moves the global OpenSAML security
 * configuration from its defaults to RSA-SHA256 signatures with a SHA-256 reference digest.
 * <p>
 * Both values are changed together so a SHA-256 signature is not paired with a SHA-1 digest.
 * The change is global: every component reading the configuration sees it.
 *
 * @param beanFactory the bean factory being post-processed
 */
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) {
    super.postProcessBeanFactory(beanFactory);

    BasicSecurityConfiguration global =
            (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    global.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
    global.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
}
/** Selecting SHA512 must set both the RSA signature URI and the reference digest on the global config. */
@Test
public void testSHA512SignatureAlgorithm() throws Exception {
    SamlConfigurationBean bean = new SamlConfigurationBean();
    bean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA512);
    bean.afterPropertiesSet();

    BasicSecurityConfiguration global =
            (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    String expectedDigest = SignatureConstants.ALGO_ID_DIGEST_SHA512;
    String expectedSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
    assertEquals(expectedDigest, global.getSignatureReferenceDigestMethod());
    assertEquals(expectedSignature, global.getSignatureAlgorithmURI("RSA"));
}