criteriaSet.add(new EntityIDCriteria(openSAMLContext.entityId())); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); try {
/**
 * Creates an evaluable criteria from an {@link EntityIDCriteria}.
 * <p>
 * Only the entity ID string is retained; the criteria object itself is not kept.
 *
 * @param criteria the criteria which is the basis for evaluation; must not be null
 * @throws NullPointerException if {@code criteria} is null
 */
public EvaluableEntityIDCredentialCriteria(EntityIDCriteria criteria) {
    if (null == criteria) {
        throw new NullPointerException("Criteria instance may not be null");
    }
    String requestedEntityID = criteria.getEntityID();
    entityID = requestedEntityID;
}
/**
 * Creates a criteria matching credentials owned by the given entity.
 *
 * @param entity the entity ID represented by the criteria; handed straight to {@code setEntityID},
 *               which applies whatever validation that setter performs
 */
public EntityIDCriteria(String entity) {
    this.setEntityID(entity);
}
/**
 * Resolves the single credential the key manager holds for the given entity ID.
 *
 * @param entityId entity ID used as the {@link EntityIDCriteria} of the lookup
 * @return whatever {@code keyManager.resolveSingle} returns for that criteria
 *         (presumably null when nothing matches — confirm against the key manager's contract)
 * @throws RuntimeException wrapping the {@code SecurityException} raised by the key manager
 */
private Credential resolveCredential(String entityId) {
    try {
        EntityIDCriteria byEntity = new EntityIDCriteria(entityId);
        CriteriaSet lookup = new CriteriaSet(byEntity);
        return keyManager.resolveSingle(lookup);
    } catch (SecurityException resolutionFailure) {
        // Callers are not prepared for the checked exception; rethrow unchecked with the cause kept.
        throw new RuntimeException(resolutionFailure);
    }
}
/**
 * Builds the evaluable form of an {@link EntityIDCriteria}.
 *
 * @param criteria the criteria which is the basis for evaluation; must not be null
 * @throws NullPointerException if {@code criteria} is null
 */
public EvaluableEntityIDCredentialCriteria(EntityIDCriteria criteria) {
    if (null == criteria) {
        throw new NullPointerException("Criteria instance may not be null");
    }
    // Copy the entity ID out so later changes to the criteria object do not affect evaluation.
    this.entityID = criteria.getEntityID();
}
/**
 * Constructs the criteria for the given entity.
 *
 * @param entity the entity ID represented by the criteria; stored through {@code setEntityID}
 */
public EntityIDCriteria(String entity) {
    // Delegate to the setter so construction and later mutation share the same handling.
    this.setEntityID(entity);
}
/**
 * {@inheritDoc}
 * <p>
 * Constrains resolution to signing keys, and to the given entity when an entity ID was supplied.
 * The message context is not consulted.
 */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException {
    CriteriaSet criteria = new CriteriaSet();
    boolean haveEntityID = !DatatypeHelper.isEmpty(entityID);
    // The entity ID is optional at this stage; only add the criteria when there is one.
    if (haveEntityID) {
        criteria.add(new EntityIDCriteria(entityID));
    }
    criteria.add(new UsageCriteria(UsageType.SIGNING));
    return criteria;
}
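/**
 * Resolves credentials from the backing {@code keyStore}.
 * <p>
 * When the criteria carry an {@link EntityIDCriteria}, its entity ID is matched against the key store
 * aliases and at most the first matching certificate is returned. Without an entity ID criteria every
 * X.509 certificate entry in the key store is returned. Entries that do not hold an X.509 certificate
 * (for example secret-key entries) are skipped instead of failing the whole resolution.
 *
 * @param criteriaSet criteria to resolve against; may be null or lack an {@link EntityIDCriteria}
 * @return the resolved credentials; the same set is also stored in the {@code credentialSet} field
 * @throws SecurityException if the key store cannot be read
 */
@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    // Look the criteria up once rather than on every iteration.
    EntityIDCriteria entityIDCriteria = criteriaSet != null ? criteriaSet.get(EntityIDCriteria.class) : null;
    String requestedAlias = entityIDCriteria != null ? entityIDCriteria.getEntityID() : null;
    try {
        credentialSet = new HashSet<Credential>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Filter by alias before loading the entry; alias is never null, so this is null-safe
            // even when the criteria carries no entity ID value.
            if (entityIDCriteria != null && !alias.equals(requestedAlias)) {
                continue;
            }
            java.security.cert.Certificate stored = keyStore.getCertificate(alias);
            if (!(stored instanceof X509Certificate)) {
                // Key-only or non-X.509 entries cannot back an X509CredentialImpl.
                continue;
            }
            credentialSet.add(new X509CredentialImpl((X509Certificate) stored));
            if (entityIDCriteria != null) {
                // Only the first alias matching the entity ID is returned.
                break;
            }
        }
        return credentialSet;
    } catch (KeyStoreException e) {
        log.error(e);
        // Keep the cause so callers can see why the key store read failed.
        throw new SecurityException("Error reading certificates from key store", e);
    }
}
}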
/**
 * Builds the criteria used to look up the signing credential of an issuer.
 *
 * @param issuer entity ID of the issuer; when empty no entity ID constraint is added
 * @return criteria restricted to signing keys and, if given, to the issuer
 */
private static CriteriaSet buildCriteriaSet(String issuer) {
    CriteriaSet criteria = new CriteriaSet();
    boolean issuerKnown = !DatatypeHelper.isEmpty(issuer);
    if (issuerKnown) {
        criteria.add(new EntityIDCriteria(issuer));
    }
    // Signing usage is always required, issuer or not.
    criteria.add(new UsageCriteria(UsageType.SIGNING));
    return criteria;
}
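/**
 * Resolves credentials from the backing {@code keyStore}.
 * <p>
 * When the criteria carry an {@link EntityIDCriteria}, its entity ID is matched against the key store
 * aliases and at most the first matching certificate is returned. Without an entity ID criteria every
 * X.509 certificate entry in the key store is returned. Entries that do not hold an X.509 certificate
 * (for example secret-key entries) are skipped instead of failing the whole resolution.
 *
 * @param criteriaSet criteria to resolve against; may be null or lack an {@link EntityIDCriteria}
 * @return the resolved credentials; the same set is also stored in the {@code credentialSet} field
 * @throws SecurityException if the key store cannot be read
 */
@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    // Look the criteria up once rather than on every iteration.
    EntityIDCriteria entityIDCriteria = criteriaSet != null ? criteriaSet.get(EntityIDCriteria.class) : null;
    String requestedAlias = entityIDCriteria != null ? entityIDCriteria.getEntityID() : null;
    try {
        credentialSet = new HashSet<Credential>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Filter by alias before loading the entry; alias is never null, so this is null-safe
            // even when the criteria carries no entity ID value.
            if (entityIDCriteria != null && !alias.equals(requestedAlias)) {
                continue;
            }
            java.security.cert.Certificate stored = keyStore.getCertificate(alias);
            if (!(stored instanceof X509Certificate)) {
                // Key-only or non-X.509 entries cannot back an X509CredentialImpl.
                continue;
            }
            credentialSet.add(new X509CredentialImpl((X509Certificate) stored));
            if (entityIDCriteria != null) {
                // Only the first alias matching the entity ID is returned.
                break;
            }
        }
        return credentialSet;
    } catch (KeyStoreException e) {
        log.error(e);
        // Keep the cause so callers can see why the key store read failed.
        throw new SecurityException("Error reading certificates from key store", e);
    }
}
}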
/**
 * Build a criteria set suitable for input to the trust engine.
 * <p>
 * The set always requires signing usage; the issuer constraint is only added when an issuer is known.
 * This method does not throw {@code SecurityPolicyException} (it declares no checked exception).
 *
 * @param issuer entity ID of the message issuer, possibly null or empty
 * @return criteria set for resolving the issuer's signing credential
 */
private static CriteriaSet buildCriteriaSet(String issuer) {
    CriteriaSet trustCriteria = new CriteriaSet();
    if (DatatypeHelper.isEmpty(issuer)) {
        // No issuer: resolve by usage alone.
        trustCriteria.add(new UsageCriteria(UsageType.SIGNING));
        return trustCriteria;
    }
    trustCriteria.add(new EntityIDCriteria(issuer));
    trustCriteria.add(new UsageCriteria(UsageType.SIGNING));
    return trustCriteria;
}
/**
 * Check that all necessary credential criteria are available.
 * <p>
 * Both an {@link EntityIDCriteria} with a non-empty entity ID and a {@link MetadataCriteria} with a
 * role are required; the first missing piece, in that order, is reported.
 *
 * @param criteriaSet the credential set to evaluate
 * @throws IllegalArgumentException if any required criteria or criteria value is missing
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria owner = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria metadata = criteriaSet.get(MetadataCriteria.class);
    String problem = null;
    if (owner == null) {
        problem = "Entity criteria must be supplied";
    } else if (metadata == null) {
        problem = "SAML metadata criteria must be supplied";
    } else if (DatatypeHelper.isEmpty(owner.getEntityID())) {
        problem = "Credential owner entity ID criteria value must be supplied";
    } else if (metadata.getRole() == null) {
        problem = "Credential metadata role criteria value must be supplied";
    }
    if (problem != null) {
        throw new IllegalArgumentException(problem);
    }
}
/**
 * Returns the credential used to sign messages issued by this entity.
 * Public key, X.509 certificate and private key are populated on the credential.
 *
 * @param keyName alias of the key to use; when null the configured {@code defaultKey} is used
 * @return the resolved credential
 * @throws SAMLRuntimeException if the key cannot be resolved
 */
public Credential getCredential(String keyName) {
    String alias = (keyName == null) ? defaultKey : keyName;
    try {
        CriteriaSet lookup = new CriteriaSet();
        lookup.add(new EntityIDCriteria(alias));
        return resolveSingle(lookup);
    } catch (org.opensaml.xml.security.SecurityException e) {
        // Surface the checked resolver failure as the library's unchecked exception, cause preserved.
        throw new SAMLRuntimeException("Can't obtain SP signing key", e);
    }
}
/**
 * Check that all necessary criteria are available.
 * <p>
 * Requires an {@link EntityIDCriteria} carrying a non-empty entity ID and a {@link MetadataCriteria}
 * carrying a role; the checks are applied in that order.
 *
 * @param criteriaSet the criteria set to evaluate
 * @throws IllegalArgumentException if a required criteria or criteria value is missing
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entity = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria metadata = criteriaSet.get(MetadataCriteria.class);
    String missing = null;
    if (entity == null) {
        missing = "Entity criteria must be supplied";
    } else if (metadata == null) {
        missing = "SAML metadata criteria must be supplied";
    } else if (DatatypeHelper.isEmpty(entity.getEntityID())) {
        missing = "Entity ID criteria value must be supplied";
    } else if (metadata.getRole() == null) {
        missing = "Metadata role criteria value must be supplied";
    }
    if (missing != null) {
        throw new IllegalArgumentException(missing);
    }
}
/**
 * Build a criteria set suitable for input to the trust engine.
 * <p>
 * Signing usage is always required; the issuer constraint is added only when the issuer is non-empty.
 * No checked exception is thrown by this method.
 *
 * @param issuer entity ID of the message issuer, possibly null or empty
 * @return criteria set for resolving the issuer's signing credential
 */
private static CriteriaSet buildCriteriaSet(String issuer) {
    CriteriaSet trustCriteria = new CriteriaSet();
    boolean hasIssuer = !DatatypeHelper.isEmpty(issuer);
    if (hasIssuer) {
        trustCriteria.add(new EntityIDCriteria(issuer));
    }
    trustCriteria.add(new UsageCriteria(UsageType.SIGNING));
    return trustCriteria;
}
/**
 * Check that all necessary credential criteria are available.
 *
 * @param criteriaSet the credential set to evaluate; must carry an {@link EntityIDCriteria} with a
 *                    non-empty entity ID and a {@link MetadataCriteria} with a role
 * @throws IllegalArgumentException naming the first requirement that is not met
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria owner = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria metadata = criteriaSet.get(MetadataCriteria.class);
    // Presence checks come before value checks so a null criteria is reported as such.
    if (owner == null) {
        throw new IllegalArgumentException("Entity criteria must be supplied");
    }
    if (metadata == null) {
        throw new IllegalArgumentException("SAML metadata criteria must be supplied");
    }
    boolean ownerMissing = DatatypeHelper.isEmpty(owner.getEntityID());
    if (ownerMissing) {
        throw new IllegalArgumentException("Credential owner entity ID criteria value must be supplied");
    }
    boolean roleMissing = metadata.getRole() == null;
    if (roleMissing) {
        throw new IllegalArgumentException("Credential metadata role criteria value must be supplied");
    }
}
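/**
 * Verifies that a signature conforms to the SAML signature profile and is trusted for the given IDP.
 * <p>
 * Trust is evaluated by the supplied trust engine against the IDP's entity ID, its IDPSSODescriptor
 * metadata role and signing usage.
 *
 * @param signature the XML signature to verify
 * @param IDPEntityID entity ID of the IDP expected to have produced the signature
 * @param trustEngine trust engine used to evaluate the signature; must not be null
 * @throws org.opensaml.xml.security.SecurityException if the trust engine fails while evaluating the signature,
 *         or (as {@code SecurityException}) if no trust engine was supplied
 * @throws ValidationException if the signature violates the SAML signature profile or is not trusted
 */
protected void verifySignature(Signature signature, String IDPEntityID, SignatureTrustEngine trustEngine) throws org.opensaml.xml.security.SecurityException, ValidationException {
    if (trustEngine == null) {
        throw new SecurityException("Trust engine is not set, signature can't be verified");
    }
    // Profile validation first: rejects structurally unacceptable signatures before any trust lookup.
    SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    validator.validate(signature);
    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIDCriteria(IDPEntityID));
    criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    // Placeholder added: without it the signature argument was silently dropped from the log message.
    log.debug("Verifying signature {}", signature);
    // The trust engine reports an untrusted/invalid signature via its boolean result, not an exception.
    if (!trustEngine.validate(signature, criteriaSet)) {
        throw new ValidationException("Signature is not trusted or invalid");
    }
}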
/**
 * Validates the peer's certificate chain against the configured {@code trustEngine}.
 * <p>
 * The first certificate of the chain is wrapped as the end-entity credential and the whole chain is
 * attached to it. When the {@code criteriaSet} field carries an {@link EntityIDCriteria}, its entity ID
 * is set on the credential before validation.
 *
 * @param x509Certificates the peer certificate chain, end-entity certificate first
 * @param s the authentication type; not consulted
 * @throws IllegalArgumentException if the chain is null or empty
 * @throws UntrustedCertificateException if the trust engine rejects the peer certificate
 * @throws CertificateException if the trust engine fails while evaluating the certificate
 */
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    if (x509Certificates == null || x509Certificates.length == 0) {
        throw new IllegalArgumentException("Null or empty certificates list");
    }
    X509Certificate peerCertificate = x509Certificates[0];
    BasicX509Credential peerCredential = new BasicX509Credential();
    peerCredential.setEntityCertificate(peerCertificate);
    peerCredential.setEntityCertificateChain(Arrays.asList(x509Certificates));
    peerCredential.setUsageType(UsageType.UNSPECIFIED);
    EntityIDCriteria expectedEntity = criteriaSet.get(EntityIDCriteria.class);
    if (expectedEntity != null) {
        peerCredential.setEntityId(expectedEntity.getEntityID());
    }
    try {
        log.debug("Checking server trust");
        boolean trusted = trustEngine.validate(peerCredential, criteriaSet);
        if (!trusted) {
            throw new UntrustedCertificateException(describeUntrustedPeer(peerCertificate), x509Certificates);
        }
        log.debug("Server certificate trust verified");
    } catch (org.opensaml.xml.security.SecurityException e) {
        throw new CertificateException("Error validating certificate", e);
    }
}

/**
 * Builds the human-readable explanation attached to an untrusted peer certificate.
 *
 * @param peerCertificate the rejected end-entity certificate
 * @return message naming the certificate's subject and issuer and how to remedy the failure
 */
private String describeUntrustedPeer(X509Certificate peerCertificate) {
    Principal issuerDN = peerCertificate.getIssuerDN();
    Principal subjectDN = peerCertificate.getSubjectDN();
    StringBuilder sb = new StringBuilder(120);
    sb.append("Peer SSL/TLS certificate '").append(subjectDN).append("' ");
    sb.append("issued by '").append(issuerDN).append("' ");
    sb.append("is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in extended metadata with the certificate's alias");
    return sb.toString();
}
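/**
 * Verifies that a signature conforms to the SAML signature profile and is trusted for the given IDP.
 * <p>
 * Trust is evaluated by the {@code trustEngine} field against the IDP's entity ID, its IDPSSODescriptor
 * metadata role and signing usage.
 *
 * @param signature the XML signature to verify
 * @param IDPEntityID entity ID of the IDP expected to have produced the signature
 * @throws org.opensaml.xml.security.SecurityException if the trust engine fails while evaluating the signature
 * @throws ValidationException if the signature violates the SAML signature profile or is not trusted
 */
protected void verifySignature(Signature signature, String IDPEntityID) throws org.opensaml.xml.security.SecurityException, ValidationException {
    // Profile validation first: rejects structurally unacceptable signatures before any trust lookup.
    SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    validator.validate(signature);
    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIDCriteria(IDPEntityID));
    criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    // The trust engine reports an untrusted or invalid signature through its boolean result, not an
    // exception; ignoring that result would accept any profile-conformant signature regardless of key.
    if (!trustEngine.validate(signature, criteriaSet)) {
        throw new ValidationException("Signature is not trusted or invalid");
    }
}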
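/**
 * Loads PKIX trust anchors from the metadata of the entity the criteria refer to.
 * <p>
 * Every {@link X509Credential} the {@code metadataResolver} returns for the criteria contributes its
 * entity certificate as a trust anchor. Credentials of other types, or without an entity certificate,
 * are skipped with a debug log. The {@code crls} collection is not populated by this method.
 *
 * @param criteriaSet criteria set identifying the entity; normally carries an {@link EntityIDCriteria}
 * @param anchors collection the resolved trust anchors are added to
 * @param crls CRLs for the anchors (accepted but not populated here)
 * @throws SecurityException thrown if the key, certificate, or CRL information is represented in an unsupported format
 */
protected void populateMetadataAnchors(CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls) throws SecurityException {
    // The entity ID is only used for logging here; a missing criteria should not fail before the
    // resolver has the chance to report it properly.
    EntityIDCriteria entityIDCriteria = criteriaSet.get(EntityIDCriteria.class);
    String entityID = entityIDCriteria != null ? entityIDCriteria.getEntityID() : null;
    log.debug("Attempting to retrieve PKIX trust anchors from metadata configuration for entity: {}", entityID);
    Iterable<Credential> metadataCredentials = metadataResolver.resolve(criteriaSet);
    for (Credential key : metadataCredentials) {
        if (!(key instanceof X509Credential)) {
            log.debug("Key {} is not of X509Credential type, skipping", key.getEntityId());
            continue;
        }
        X509Certificate anchor = ((X509Credential) key).getEntityCertificate();
        if (anchor == null) {
            // A null anchor cannot be used for PKIX evaluation; skip it rather than adding it.
            log.debug("Key {} has no entity certificate, skipping", key.getEntityId());
            continue;
        }
        log.debug("Using key {} as a trust anchor", anchor.getSubjectDN());
        anchors.add(anchor);
    }
}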