/**
 * Evaluates whether trust in {@code untrustedCredential} can be established from
 * {@code trustedCredential}.
 *
 * <p>This method only checks that both credentials carry an entity certificate; the actual
 * trust decision is delegated to the certificate-level
 * {@code validate(X509Certificate, X509Certificate)} overload (defined elsewhere in this
 * class), so what "validated" means is determined there.
 *
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredential the credential supplying the basis for trust
 * @return true if trust can be established; false otherwise, including when either credential
 *         has no entity certificate
 */
public boolean validate(X509Credential untrustedCredential, X509Credential trustedCredential) {
    // Both certificates are fetched up front; a missing one on either side is not an error,
    // just "cannot evaluate", which is reported as a failed validation.
    X509Certificate candidate = untrustedCredential.getEntityCertificate();
    X509Certificate anchor = trustedCredential.getEntityCertificate();

    if (candidate == null) {
        log.debug("Untrusted credential contained no entity certificate, unable to evaluate");
        return false;
    }
    if (anchor == null) {
        log.debug("Trusted credential contained no entity certificate, unable to evaluate");
        return false;
    }

    boolean trusted = validate(candidate, anchor);
    if (trusted) {
        log.debug("Successfully validated untrusted credential against trusted certificate");
    } else {
        log.debug("Failed to validate untrusted credential against trusted certificate");
    }
    return trusted;
}
/**
 * Creates a key manager backed by the given credential.
 *
 * <p>With a non-null credential the manager holds the credential's private key and entity
 * certificate chain under the single fixed alias ({@code ALIAS_NAME} / {@code ALIAS}). With a
 * null credential every field is left null, so the manager reports nothing available to all
 * lookups. The private key is retained in memory for the lifetime of this object.
 *
 * @param credential credential used for server/client authentication, or null for a manager
 *                   that always returns empty values
 */
public X509KeyManager(X509Credential credential) {
    if (credential == null) {
        this.privateKey = null;
        this.chain = null;
        this.alias = null;
        this.aliases = null;
    } else {
        this.privateKey = credential.getPrivateKey();
        // Snapshot the chain as an array; the zero-length hint lets toArray size it.
        this.chain = credential.getEntityCertificateChain().toArray(new X509Certificate[0]);
        this.alias = ALIAS_NAME;
        this.aliases = ALIAS;
    }
}
List<Object> storeMaterial = new ArrayList<Object>(untrustedCredential.getEntityCertificateChain()); if (log.isTraceEnabled()) { for (X509Certificate cert : untrustedCredential.getEntityCertificateChain()) { log.trace(String.format("Added X509Certificate from entity cert chain to cert store " + "with subject name '%s' issued by '%s' with serial number '%s'", if (untrustedCredential.getCRLs() != null && !untrustedCredential.getCRLs().isEmpty() && options.isProcessCredentialCRLs()) { log.trace("Processing CRL's from untrusted credential"); addCRLsToStoreMaterial(storeMaterial, untrustedCredential.getCRLs(), now);
x500DNHandler = new InternalX500DNHandler(); X500Principal x500Principal = credential.getEntityCertificate().getSubjectX500Principal(); StringBuilder builder = new StringBuilder(); builder.append('['); builder.append(String.format("subjectName='%s'", x500DNHandler.getName(x500Principal))); if (!DatatypeHelper.isEmpty(credential.getEntityId())) { builder.append(String.format(" |credential entityID='%s'", DatatypeHelper.safeTrimOrNullString(credential .getEntityId())));
/**
 * Appends the SAML2 HTTP-Redirect binding signature parameters to a query string.
 *
 * <p>The {@code SigAlg} parameter is appended first; the whole accumulated query string as it
 * stands after that append is then signed with {@code SHA1withRSA} using the credential's
 * private key, and the Base64 signature is appended as the {@code Signature} parameter. The
 * caller must have already placed the binding's other parameters in the builder in the order
 * the binding requires, since exactly that text is what gets signed.
 *
 * <p>NOTE(review): {@code SHA1withRSA} / {@code ALGO_ID_SIGNATURE_RSA} is a legacy signature
 * algorithm. Whether a stronger one can be used depends on what the peer accepts; the
 * algorithm identifier is part of the signed data, so confirm interoperability before changing it.
 *
 * @param httpQueryString the query string being built; modified in place
 * @param cred the credential whose private key signs the query string
 * @throws SSOAgentException if encoding or signing fails; the underlying cause is preserved
 */
public static void addDeflateSignatureToHTTPQueryString(StringBuilder httpQueryString, X509Credential cred)
        throws SSOAgentException {
    doBootstrap();
    try {
        String sigAlgParam = URLEncoder.encode(XMLSignature.ALGO_ID_SIGNATURE_RSA, "UTF-8").trim();
        httpQueryString.append("&SigAlg=").append(sigAlgParam);

        java.security.Signature signer = java.security.Signature.getInstance("SHA1withRSA");
        signer.initSign(cred.getPrivateKey());
        // Sign the query string exactly as built so far, including the SigAlg just appended.
        signer.update(httpQueryString.toString().getBytes(java.nio.charset.StandardCharsets.UTF_8));
        byte[] rawSignature = signer.sign();

        String encodedSignature = Base64.encodeBytes(rawSignature, Base64.DONT_BREAK_LINES);
        String signatureParam = URLEncoder.encode(encodedSignature, "UTF-8").trim();
        httpQueryString.append("&Signature=").append(signatureParam);
    } catch (Exception e) {
        throw new SSOAgentException("Error applying SAML2 Redirect Binding signature", e);
    }
}
/**
 * Emits the credential's entity certificate chain into the X509Data being built.
 *
 * <p>Nothing is emitted unless {@code options.emitEntityCertificateChain} is set and the
 * credential actually exposes a chain. Each Java certificate is converted to its XML
 * representation and appended to the X509Data's certificate list; the KeyInfo itself is not
 * modified here.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException if a certificate in the chain cannot be encoded from the Java
 *         certificate object
 */
protected void processEntityCertificateChain(KeyInfo keyInfo, X509Data x509Data, X509Credential credential)
        throws SecurityException {
    if (!options.emitEntityCertificateChain || credential.getEntityCertificateChain() == null) {
        return;
    }
    for (java.security.cert.X509Certificate javaCert : credential.getEntityCertificateChain()) {
        X509Certificate xmlCert;
        try {
            xmlCert = KeyInfoHelper.buildX509Certificate(javaCert);
        } catch (CertificateEncodingException e) {
            // Preserve the cause so the failing certificate can be diagnosed upstream.
            throw new SecurityException("Error generating X509Certificate element "
                    + "from a certificate in credential's certificate chain", e);
        }
        x509Data.getX509Certificates().add(xmlCert);
    }
}
/**
 * Emits the credential's CRLs into the X509Data being built.
 *
 * <p>Nothing is emitted unless {@code options.emitCRLs} is set and the credential actually
 * exposes a CRL list. Each Java CRL is converted to its XML representation and appended to the
 * X509Data's CRL list; the KeyInfo itself is not modified here.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException if a CRL cannot be encoded from the Java CRL object
 */
protected void processCRLs(KeyInfo keyInfo, X509Data x509Data, X509Credential credential)
        throws SecurityException {
    if (!options.emitCRLs || credential.getCRLs() == null) {
        return;
    }
    for (java.security.cert.X509CRL javaCRL : credential.getCRLs()) {
        X509CRL xmlCRL;
        try {
            xmlCRL = KeyInfoHelper.buildX509CRL(javaCRL);
        } catch (CRLException e) {
            // Preserve the cause so the failing CRL can be diagnosed upstream.
            throw new SecurityException("Error generating X509CRL element "
                    + "from a CRL in credential's CRL list", e);
        }
        x509Data.getX509CRLs().add(xmlCRL);
    }
}
x500DNHandler = new InternalX500DNHandler(); X500Principal x500Principal = credential.getEntityCertificate().getSubjectX500Principal(); StringBuilder builder = new StringBuilder(); builder.append('['); builder.append(String.format("subjectName='%s'", x500DNHandler.getName(x500Principal))); if (!DatatypeHelper.isEmpty(credential.getEntityId())) { builder.append(String.format(" |credential entityID='%s'", DatatypeHelper.safeTrimOrNullString(credential .getEntityId())));
/**
 * Appends the SAML2 HTTP-Redirect binding signature parameters to a query string.
 *
 * <p>The {@code SigAlg} parameter is appended first; the whole accumulated query string as it
 * stands after that append is then signed with {@code SHA1withRSA} using the credential's
 * private key, and the Base64 signature is appended as the {@code Signature} parameter. The
 * caller must have already placed the binding's other parameters in the builder in the order
 * the binding requires, since exactly that text is what gets signed.
 *
 * <p>NOTE(review): {@code SHA1withRSA} / {@code ALGO_ID_SIGNATURE_RSA} is a legacy signature
 * algorithm. Whether a stronger one can be used depends on what the peer accepts; the
 * algorithm identifier is part of the signed data, so confirm interoperability before changing it.
 *
 * @param httpQueryString the query string being built; modified in place
 * @param cred the credential whose private key signs the query string
 * @throws SSOAgentException if encoding or signing fails; the underlying cause is preserved
 */
public static void addDeflateSignatureToHTTPQueryString(StringBuilder httpQueryString, X509Credential cred)
        throws SSOAgentException {
    doBootstrap();
    try {
        String sigAlgParam = URLEncoder.encode(XMLSignature.ALGO_ID_SIGNATURE_RSA, "UTF-8").trim();
        httpQueryString.append("&SigAlg=").append(sigAlgParam);

        java.security.Signature signer = java.security.Signature.getInstance("SHA1withRSA");
        signer.initSign(cred.getPrivateKey());
        // Sign the query string exactly as built so far, including the SigAlg just appended.
        signer.update(httpQueryString.toString().getBytes(java.nio.charset.StandardCharsets.UTF_8));
        byte[] rawSignature = signer.sign();

        String encodedSignature = Base64.encodeBytes(rawSignature, Base64.DONT_BREAK_LINES);
        String signatureParam = URLEncoder.encode(encodedSignature, "UTF-8").trim();
        httpQueryString.append("&Signature=").append(signatureParam);
    } catch (Exception e) {
        throw new SSOAgentException("Error applying SAML2 Redirect Binding signature", e);
    }
}
/**
 * Emits the credential's entity certificate chain into the X509Data being built.
 *
 * <p>Nothing is emitted unless {@code options.emitEntityCertificateChain} is set and the
 * credential actually exposes a chain. Each Java certificate is converted to its XML
 * representation and appended to the X509Data's certificate list; the KeyInfo itself is not
 * modified here.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException if a certificate in the chain cannot be encoded from the Java
 *         certificate object
 */
protected void processEntityCertificateChain(KeyInfo keyInfo, X509Data x509Data, X509Credential credential)
        throws SecurityException {
    if (!options.emitEntityCertificateChain || credential.getEntityCertificateChain() == null) {
        return;
    }
    for (java.security.cert.X509Certificate javaCert : credential.getEntityCertificateChain()) {
        X509Certificate xmlCert;
        try {
            xmlCert = KeyInfoHelper.buildX509Certificate(javaCert);
        } catch (CertificateEncodingException e) {
            // Preserve the cause so the failing certificate can be diagnosed upstream.
            throw new SecurityException("Error generating X509Certificate element "
                    + "from a certificate in credential's certificate chain", e);
        }
        x509Data.getX509Certificates().add(xmlCert);
    }
}
/**
 * Emits the credential's CRLs into the X509Data being built.
 *
 * <p>Nothing is emitted unless {@code options.emitCRLs} is set and the credential actually
 * exposes a CRL list. Each Java CRL is converted to its XML representation and appended to the
 * X509Data's CRL list; the KeyInfo itself is not modified here.
 *
 * @param keyInfo the KeyInfo that is being built
 * @param x509Data the X509Data that is being built
 * @param credential the Credential that is being processed
 * @throws SecurityException if a CRL cannot be encoded from the Java CRL object
 */
protected void processCRLs(KeyInfo keyInfo, X509Data x509Data, X509Credential credential)
        throws SecurityException {
    if (!options.emitCRLs || credential.getCRLs() == null) {
        return;
    }
    for (java.security.cert.X509CRL javaCRL : credential.getCRLs()) {
        X509CRL xmlCRL;
        try {
            xmlCRL = KeyInfoHelper.buildX509CRL(javaCRL);
        } catch (CRLException e) {
            // Preserve the cause so the failing CRL can be diagnosed upstream.
            throw new SecurityException("Error generating X509CRL element "
                    + "from a CRL in credential's CRL list", e);
        }
        x509Data.getX509CRLs().add(xmlCRL);
    }
}
/**
 * Evaluates whether trust in {@code untrustedCredential} can be established from
 * {@code trustedCredential}.
 *
 * <p>This method only checks that both credentials carry an entity certificate; the actual
 * trust decision is delegated to the certificate-level
 * {@code validate(X509Certificate, X509Certificate)} overload (defined elsewhere in this
 * class), so what "validated" means is determined there.
 *
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredential the credential supplying the basis for trust
 * @return true if trust can be established; false otherwise, including when either credential
 *         has no entity certificate
 */
public boolean validate(X509Credential untrustedCredential, X509Credential trustedCredential) {
    // Both certificates are fetched up front; a missing one on either side is not an error,
    // just "cannot evaluate", which is reported as a failed validation.
    X509Certificate candidate = untrustedCredential.getEntityCertificate();
    X509Certificate anchor = trustedCredential.getEntityCertificate();

    if (candidate == null) {
        log.debug("Untrusted credential contained no entity certificate, unable to evaluate");
        return false;
    }
    if (anchor == null) {
        log.debug("Trusted credential contained no entity certificate, unable to evaluate");
        return false;
    }

    boolean trusted = validate(candidate, anchor);
    if (trusted) {
        log.debug("Successfully validated untrusted credential against trusted certificate");
    } else {
        log.debug("Failed to validate untrusted credential against trusted certificate");
    }
    return trusted;
}
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, null); for (X509Certificate c : trustCredential.getEntityCertificateChain()) { keystore.setCertificateEntry("ldap_tls_trust_" + c.getSerialNumber(), c); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, null); keystore.setKeyEntry("ldap_tls_client_auth", connectionCredential.getPrivateKey(), "changeit" .toCharArray(), connectionCredential.getEntityCertificateChain() .toArray(new X509Certificate[0])); kmf.init(keystore, "changeit".toCharArray());
List<Object> storeMaterial = new ArrayList<Object>(untrustedCredential.getEntityCertificateChain()); if (log.isTraceEnabled()) { for (X509Certificate cert : untrustedCredential.getEntityCertificateChain()) { log.trace(String.format("Added X509Certificate from entity cert chain to cert store " + "with subject name '%s' issued by '%s' with serial number '%s'", if (untrustedCredential.getCRLs() != null && !untrustedCredential.getCRLs().isEmpty() && options.isProcessCredentialCRLs()) { log.trace("Processing CRL's from untrusted credential"); addCRLsToStoreMaterial(storeMaterial, untrustedCredential.getCRLs(), now);
/**
 * {@inheritDoc}
 *
 * <p>Matches the target's entity certificate subject against the configured
 * {@code subjectName}. The result is tri-state: {@code null} means the criteria could not be
 * evaluated (null target), {@code Boolean.FALSE} means the target is not an X509Credential or
 * has no entity certificate, and otherwise the subject comparison decides.
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject name criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    // X500Principal.equals compares canonical DN forms, so this is a name match, not a byte match.
    return entityCert.getSubjectX500Principal().equals(subjectName);
}
/**
 * {@inheritDoc}
 *
 * <p>Applies the configured {@code certSelector} to the target's entity certificate. The result
 * is tri-state: {@code null} means the criteria could not be evaluated (null target),
 * {@code Boolean.FALSE} means the target is not an X509Credential or has no entity
 * certificate, and otherwise the selector's match result decides.
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    return certSelector.match(entityCert);
}
/**
 * {@inheritDoc}
 *
 * <p>Matches the target's entity certificate subject against the configured
 * {@code subjectName}. The result is tri-state: {@code null} means the criteria could not be
 * evaluated (null target), {@code Boolean.FALSE} means the target is not an X509Credential or
 * has no entity certificate, and otherwise the subject comparison decides.
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject name criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    // X500Principal.equals compares canonical DN forms, so this is a name match, not a byte match.
    return entityCert.getSubjectX500Principal().equals(subjectName);
}
/**
 * {@inheritDoc}
 *
 * <p>Applies the configured {@code certSelector} to the target's entity certificate. The result
 * is tri-state: {@code null} means the criteria could not be evaluated (null target),
 * {@code Boolean.FALSE} means the target is not an X509Credential or has no entity
 * certificate, and otherwise the selector's match result decides.
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    return certSelector.match(entityCert);
}
/**
 * {@inheritDoc}
 *
 * <p>Matches the target's entity certificate against the configured {@code issuer} and
 * {@code serialNumber}; both must match. The result is tri-state: {@code null} means the
 * criteria could not be evaluated (null target), {@code Boolean.FALSE} means the target is not
 * an X509Credential, has no entity certificate, or fails either comparison.
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy issuer name and serial number criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    // Issuer is checked first; the serial number alone is only unique within one issuer.
    boolean issuerMatches = entityCert.getIssuerX500Principal().equals(issuer);
    if (!issuerMatches) {
        return Boolean.FALSE;
    }
    return entityCert.getSerialNumber().equals(serialNumber);
}
/**
 * {@inheritDoc}
 *
 * <p>Compares the subject key identifier extracted from the target's entity certificate with
 * the configured {@code ski}. The result is tri-state: {@code null} means the criteria could
 * not be evaluated (null target, or the certificate carries no subject key identifier
 * extension), {@code Boolean.FALSE} means the target is not an X509Credential or has no entity
 * certificate, and otherwise a byte-wise comparison of the identifiers decides.
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    byte[] certificateSki = X509Util.getSubjectKeyIdentifier(entityCert);
    boolean skiAbsent = certificateSki == null || certificateSki.length == 0;
    if (skiAbsent) {
        // No extension to compare against: "cannot evaluate" rather than a definite mismatch.
        log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
        return null;
    }

    return Arrays.equals(ski, certificateSki);
}