/** {@inheritDoc} */
protected Object createInstance() throws Exception {
    // The trust basis is the statically configured credential set; with an
    // explicit-key engine a signing key is only trusted if it is (or matches)
    // one of these credentials, there is no certificate-path building.
    StaticCredentialResolver trustedKeys = new StaticCredentialResolver(getCredentials());

    // KeyInfo providers control which ds:KeyInfo children may be turned into a
    // candidate credential: bare DSA/RSA KeyValue elements and inline X509Data.
    // Keys extracted this way are candidates only and still have to be matched
    // against the trusted set above before the signature counts as verified.
    List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
    providers.add(new DSAKeyValueProvider());
    providers.add(new RSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    KeyInfoCredentialResolver keyInfoResolver =
            new BasicProviderKeyInfoCredentialResolver(providers);

    return new ExplicitKeySignatureTrustEngine(trustedKeys, keyInfoResolver);
}
}
/** {@inheritDoc} */
public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
    checkParams(signature, trustBasisCriteria);

    // Work on a copy so the caller's criteria set is never mutated.
    CriteriaSet resolverCriteria = new CriteriaSet();
    resolverCriteria.addAll(trustBasisCriteria);

    // Default to SIGNING-usage credentials unless the caller constrained usage itself.
    boolean usageConstrained = resolverCriteria.contains(UsageCriteria.class);
    if (!usageConstrained) {
        resolverCriteria.add(new UsageCriteria(UsageType.SIGNING));
    }

    // Narrow the trusted set to keys of the algorithm family the signature claims to use.
    // NOTE(review): the `true` flag presumably replaces any caller-supplied
    // KeyAlgorithmCriteria rather than adding a second one — confirm against CriteriaSet.add.
    String keyAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signature.getSignatureAlgorithm());
    boolean haveKeyAlgorithm = !DatatypeHelper.isEmpty(keyAlgorithm);
    if (haveKeyAlgorithm) {
        resolverCriteria.add(new KeyAlgorithmCriteria(keyAlgorithm), true);
    }

    Iterable<Credential> trusted = getCredentialResolver().resolve(resolverCriteria);

    // First pass: credentials carried in the signature's own KeyInfo, checked against the
    // trusted set. KeyInfo content is attacker-controlled, so this pass only succeeds when the
    // KeyInfo-derived key is itself established as trusted.
    boolean verified = validate(signature, trusted);

    if (!verified) {
        // Second pass: the KeyInfo route failed (or there was no usable KeyInfo), so try each
        // resolved trusted credential directly against the signature.
        log.debug("Attempting to verify signature using trusted credentials");
        for (Credential candidate : trusted) {
            if (verifySignature(signature, candidate)) {
                log.debug("Successfully verified signature using resolved trusted credential");
                verified = true;
                break;
            }
        }
    }

    if (!verified) {
        log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
    }
    return verified;
}
Credential candidateCredential) throws SecurityException { checkParamsRaw(signature, content, algorithmURI, trustBasisCriteria); Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteriaSet); log.debug("Successfully verified signature using supplied candidate credential"); log.debug("Attempting to establish trust of supplied candidate credential"); if (evaluateTrust(candidateCredential, trustedCredentials)) { log.debug("Successfully established trust of supplied candidate credential"); return true;
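/**
 * Verifies that {@code signature} is profile-conformant and was produced with a signing
 * credential the IdP {@code IDPEntityID} has published in its SAML 2.0 IDPSSODescriptor metadata.
 * <p>
 * Any failure is reported by exception; a normal return means the signature is trusted.
 *
 * @param signature   the XML signature to check
 * @param IDPEntityID entity ID of the IdP whose metadata forms the trust basis
 * @throws org.opensaml.xml.security.SecurityException if the trust engine cannot evaluate the signature
 * @throws ValidationException if the signature violates the SAML signature profile, or the trust
 *         engine does not confirm it against the IdP's trusted signing credentials
 */
protected void verifySignature(Signature signature, String IDPEntityID)
        throws org.opensaml.xml.security.SecurityException, ValidationException {
    // Profile check first, before any cryptographic work; validate() is expected to throw
    // ValidationException on a profile violation.
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    profileValidator.validate(signature);

    // Trust basis: SIGNING-usage credentials from this IdP's SAML 2.0 IDPSSODescriptor only.
    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIDCriteria(IDPEntityID));
    criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

    // SignatureTrustEngine.validate() reports an untrusted or cryptographically invalid
    // signature by returning false rather than throwing, so the result must be acted on here;
    // ignoring it would accept any well-formed signature regardless of who signed it.
    if (!trustEngine.validate(signature, criteriaSet)) {
        throw new ValidationException("Signature on message from IdP '" + IDPEntityID
                + "' could not be verified against its trusted signing credentials");
    }
}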
/** {@inheritDoc} */
protected Object createInstance() throws Exception {
    // Trust basis: credentials published in the configured metadata provider. The
    // explicit-key engine accepts a signing key only if it matches one of these;
    // no certificate-path building is performed.
    MetadataCredentialResolverFactory resolverFactory = MetadataCredentialResolverFactory.getFactory();
    MetadataCredentialResolver trustedKeys = resolverFactory.getInstance(getMetadataProvider());

    // KeyInfo providers control which ds:KeyInfo children may be turned into a
    // candidate credential: bare DSA/RSA KeyValue elements and inline X509Data.
    // Such keys are candidates only and must still match the trusted set above.
    List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
    providers.add(new DSAKeyValueProvider());
    providers.add(new RSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    KeyInfoCredentialResolver keyInfoResolver =
            new BasicProviderKeyInfoCredentialResolver(providers);

    return new ExplicitKeySignatureTrustEngine(trustedKeys, keyInfoResolver);
}
}
/** {@inheritDoc} */
public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
    checkParams(signature, trustBasisCriteria);

    // Build the resolver criteria on a private copy; the caller's set is left untouched.
    CriteriaSet criteria = new CriteriaSet();
    criteria.addAll(trustBasisCriteria);
    if (criteria.contains(UsageCriteria.class) == false) {
        // No usage constraint supplied: only SIGNING credentials are relevant here.
        criteria.add(new UsageCriteria(UsageType.SIGNING));
    }

    // Restrict the trusted set to the key algorithm implied by the signature algorithm URI.
    // NOTE(review): the `true` flag presumably replaces an existing KeyAlgorithmCriteria
    // instead of adding another — confirm against CriteriaSet.add.
    String jcaKeyAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signature.getSignatureAlgorithm());
    if (DatatypeHelper.isEmpty(jcaKeyAlgorithm) == false) {
        criteria.add(new KeyAlgorithmCriteria(jcaKeyAlgorithm), true);
    }

    Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteria);

    // Pass 1: keys from the signature's own (attacker-controlled) KeyInfo, which only
    // count when they are established as trusted against the resolved set.
    if (validate(signature, trustedCredentials)) {
        return true;
    }

    // Pass 2: no usable/trusted KeyInfo key, so verify directly with each trusted credential.
    log.debug("Attempting to verify signature using trusted credentials");
    boolean verifiedDirectly = false;
    for (Credential trustedCredential : trustedCredentials) {
        verifiedDirectly = verifySignature(signature, trustedCredential);
        if (verifiedDirectly) {
            log.debug("Successfully verified signature using resolved trusted credential");
            break;
        }
    }
    if (!verifiedDirectly) {
        log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
    }
    return verifiedDirectly;
}
Credential candidateCredential) throws SecurityException { checkParamsRaw(signature, content, algorithmURI, trustBasisCriteria); Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteriaSet); log.debug("Successfully verified signature using supplied candidate credential"); log.debug("Attempting to establish trust of supplied candidate credential"); if (evaluateTrust(candidateCredential, trustedCredentials)) { log.debug("Successfully established trust of supplied candidate credential"); return true;
CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials); KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver(); SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver); try { return engine.validate(sigBytes, signedContent, sigAlg, criteriaSet, null);
CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials); KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver(); SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver); return engine.validate(signature, signedContent, algorithmUri, criteriaSet, null);
new ExplicitKeySignatureTrustEngine( _chainingCredentialResolver, _keyInfoCredResolver);
/**
 * Selects the signature trust engine for the local entity and stores it in the message context.
 * <p>
 * When the local extended metadata's security profile is {@code "pkix"} (compared
 * case-insensitively), a {@link PKIXSignatureTrustEngine} is built over the configured PKIX
 * resolver, trust evaluator and an X.509 credential-name evaluator, so signing certificates must
 * chain to the trust anchors given in the extended metadata. Any other value, including the
 * default, yields an {@link ExplicitKeySignatureTrustEngine} over the metadata resolver, so the
 * signing key itself must match one published in metadata (or overridden in the ExtendedMetadata).
 * Both engines share the global default KeyInfo credential resolver.
 *
 * @param samlContext context to populate
 */
protected void populateTrustEngine(SAMLMessageContext samlContext) {
    String securityProfile = samlContext.getLocalExtendedMetadata().getSecurityProfile();
    boolean usePkix = "pkix".equalsIgnoreCase(securityProfile);

    SignatureTrustEngine engine = usePkix
            ? new PKIXSignatureTrustEngine(pkixResolver,
                    Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(),
                    pkixTrustEvaluator, new BasicX509CredentialNameEvaluator())
            : new ExplicitKeySignatureTrustEngine(metadataResolver,
                    Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());

    samlContext.setLocalTrustEngine(engine);
}
CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials); KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver(); SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver); return engine.validate(signature, signedContent, algorithmUri, criteriaSet, null);