/** * @deprecated * Get a basic KeyInfo credential resolver which can process standard inline * data - RSAKeyValue, DSAKeyValue, X509Data. * * @return a new KeyInfoCredentialResolver instance */ public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() { return SecurityHelper.buildBasicInlineKeyInfoResolver(); } }
protected KeyInfo generateKeyInfoForCredential(Credential credential) { try { String keyInfoGeneratorName = org.springframework.security.saml.SAMLConstants.SAML_METADATA_KEY_INFO_GENERATOR; if (extendedMetadata != null && extendedMetadata.getKeyInfoGeneratorName() != null) { keyInfoGeneratorName = extendedMetadata.getKeyInfoGeneratorName(); } KeyInfoGenerator keyInfoGenerator = SecurityHelper.getKeyInfoGenerator(credential, null, keyInfoGeneratorName); return keyInfoGenerator.generate(credential); } catch (org.opensaml.xml.security.SecurityException e) { log.error("Can't obtain key from the keystore or generate key info for credential: " + credential, e); throw new SAMLRuntimeException("Can't obtain key from keystore or generate key info", e); } }
private void signAssertion(Assertion assertion, Credential credential) throws SecurityException, MarshallingException, SignatureException { SignatureBuilder signatureBuilder = (SignatureBuilder) builderFactory .getBuilder(Signature.DEFAULT_ELEMENT_NAME); Signature signature = signatureBuilder.buildObject(); signature.setSigningCredential(credential); SecurityHelper.prepareSignatureParams(signature, credential, null, null); assertion.setSignature(signature); Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion); marshaller.marshall(assertion); Signer.signObject(signature); }
@Override public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias, String encryptionAlgorithm) throws IdentityException { try { Credential symmetricCredential = SecurityHelper.getSimpleCredential( SecurityHelper.generateSymmetricKey(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256)); EncryptionParameters encParams = new EncryptionParameters(); encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256); encParams.setEncryptionCredential(symmetricCredential); KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters(); keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); keyEncryptionParameters.setEncryptionCredential(cred); Encrypter encrypter = new Encrypter(encParams, keyEncryptionParameters); encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE); EncryptedAssertion encrypted = encrypter.encrypt(assertion); return encrypted; } catch (Exception e) { throw IdentityException.error("Error while Encrypting Assertion", e); } } }
Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate()); StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
Logger log = getLogger(); encParams.setAlgorithm(secConfig.getDataEncryptionAlgorithmURI(encryptionCredential)); KeyInfoGenerator kiGenerator = getKeyInfoGenerator(encryptionCredential, secConfig, keyInfoGenName); if (kiGenerator != null) { encParams.setKeyInfoGenerator(kiGenerator);
Logger log = getLogger(); if (SecurityHelper.isHMAC(signAlgo)) { if (signature.getHMACOutputLength() == null) { signature.setHMACOutputLength(secConfig.getSignatureHMACOutputLength()); KeyInfoGenerator kiGenerator = getKeyInfoGenerator(signingCredential, secConfig, keyInfoGenName); if (kiGenerator != null) { try {
/** {@inheritDoc} */ public String getKeyTransportEncryptionAlgorithmURI(Credential credential, String wrappedKeyAlgorithm) { Key key = SecurityHelper.extractEncryptionKey(credential); if (key == null) { log.debug("Could not extract key transport encryption key from credential, unable to map to algorithm URI"); return null; } else if (key.getAlgorithm() == null){ log.debug("Key transport encryption key algorithm value was not available, unable to map to algorithm URI"); return null; } Integer length = SecurityHelper.getKeyLength(key); return getKeyTransportEncryptionAlgorithmURI(key.getAlgorithm(), length, wrappedKeyAlgorithm); }
/** * Check the encryption parameters and key encryption parameters for valid combinations of options. * * @param encParams the encryption parameters to use * @param kekParamsList the key encryption parameters to use * @throws EncryptionException exception thrown on encryption errors */ protected void checkParams(EncryptionParameters encParams, List<KeyEncryptionParameters> kekParamsList) throws EncryptionException { checkParams(encParams); checkParams(kekParamsList, true); if (SecurityHelper.extractEncryptionKey(encParams.getEncryptionCredential()) == null && (kekParamsList == null || kekParamsList.isEmpty())) { log.error("Using a generated encryption key requires a KeyEncryptionParameters " + "object and key encryption key"); throw new EncryptionException("Using a generated encryption key requires a KeyEncryptionParameters " + "object and key encryption key"); } }
/** {@inheritDoc} */ public String getSignatureAlgorithmURI(Credential credential) { Key key = SecurityHelper.extractSigningKey(credential); if (key == null) { log.debug("Could not extract signing key from credential, unable to map to algorithm URI"); return null; } else if (key.getAlgorithm() == null) { log.debug("Signing key algorithm value was not available, unable to map to algorithm URI"); return null; } return getSignatureAlgorithmURI(key.getAlgorithm()); }
credential.setPublicKey(publicKey); } else if (privateKey != null) { credential.setPublicKey(SecurityHelper.derivePublicKey(privateKey)); boolean matched = false; try { matched = SecurityHelper.matchKeyPair(credential.getPublicKey(), credential.getPrivateKey()); } catch (SecurityException e) { log.warn("Could not perform sanity check against credential public and private key: {}",
/** * Generate a random symmetric encryption key. * * @param encryptionAlgorithmURI the encryption algorithm URI * @return a randomly generated symmetric key * @throws EncryptionException thrown if the key can not be generated based on the specified algorithm URI */ protected SecretKey generateEncryptionKey(String encryptionAlgorithmURI) throws EncryptionException { try { log.debug("Generating random symmetric data encryption key from algorithm URI: {}", encryptionAlgorithmURI); return SecurityHelper.generateSymmetricKey(encryptionAlgorithmURI); } catch (NoSuchAlgorithmException e) { log.error("Could not generate encryption key, algorithm URI was invalid: " + encryptionAlgorithmURI); throw new EncryptionException("Could not generate encryption key, algorithm URI was invalid: " + encryptionAlgorithmURI); } catch (KeyException e) { log.error("Could not generate encryption key from algorithm URI: " + encryptionAlgorithmURI); throw new EncryptionException("Could not generate encryption key from algorithm URI: " + encryptionAlgorithmURI); } }
/** * Build Java private key from base64 encoding. The key should have no password. * * @param base64EncodedKey base64-encoded private key * @return a native Java PrivateKey * @throws KeyException thrown if there is an error constructing key */ public static PrivateKey buildJavaPrivateKey(String base64EncodedKey) throws KeyException { return SecurityHelper.decodePrivateKey(Base64.decode(base64EncodedKey), null); }
PublicKey publicKey = SecurityHelper.derivePublicKey(privateKey); if (publicKey != null) { basicCred.setPublicKey(publicKey);
@Override public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias, String encryptionAlgorithm) throws IdentityException { try { Credential symmetricCredential = SecurityHelper.getSimpleCredential( SecurityHelper.generateSymmetricKey(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256)); EncryptionParameters encParams = new EncryptionParameters(); encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256); encParams.setEncryptionCredential(symmetricCredential); KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters(); keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); keyEncryptionParameters.setEncryptionCredential(cred); Encrypter encrypter = new Encrypter(encParams, keyEncryptionParameters); encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE); EncryptedAssertion encrypted = encrypter.encrypt(assertion); return encrypted; } catch (Exception e) { throw IdentityException.error("Error while Encrypting Assertion", e); } } }
Credential signingCredential = SecurityHelper.getSimpleCredential(issuerPublicKey, issuerPrivateKey);
Logger log = getLogger(); encParams.setAlgorithm(secConfig.getDataEncryptionAlgorithmURI(encryptionCredential)); KeyInfoGenerator kiGenerator = getKeyInfoGenerator(encryptionCredential, secConfig, keyInfoGenName); if (kiGenerator != null) { encParams.setKeyInfoGenerator(kiGenerator);
Logger log = getLogger(); if (SecurityHelper.isHMAC(signAlgo)) { if (signature.getHMACOutputLength() == null) { signature.setHMACOutputLength(secConfig.getSignatureHMACOutputLength()); KeyInfoGenerator kiGenerator = getKeyInfoGenerator(signingCredential, secConfig, keyInfoGenName); if (kiGenerator != null) { try {
/** {@inheritDoc} */ public String getKeyTransportEncryptionAlgorithmURI(Credential credential, String wrappedKeyAlgorithm) { Key key = SecurityHelper.extractEncryptionKey(credential); if (key == null) { log.debug("Could not extract key transport encryption key from credential, unable to map to algorithm URI"); return null; } else if (key.getAlgorithm() == null){ log.debug("Key transport encryption key algorithm value was not available, unable to map to algorithm URI"); return null; } Integer length = SecurityHelper.getKeyLength(key); return getKeyTransportEncryptionAlgorithmURI(key.getAlgorithm(), length, wrappedKeyAlgorithm); }
/** * Check the encryption parameters and key encryption parameters for valid combinations of options. * * @param encParams the encryption parameters to use * @param kekParamsList the key encryption parameters to use * @throws EncryptionException exception thrown on encryption errors */ protected void checkParams(EncryptionParameters encParams, List<KeyEncryptionParameters> kekParamsList) throws EncryptionException { checkParams(encParams); checkParams(kekParamsList, true); if (SecurityHelper.extractEncryptionKey(encParams.getEncryptionCredential()) == null && (kekParamsList == null || kekParamsList.isEmpty())) { log.error("Using a generated encryption key requires a KeyEncryptionParameters " + "object and key encryption key"); throw new EncryptionException("Using a generated encryption key requires a KeyEncryptionParameters " + "object and key encryption key"); } }