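/**
 * Verifies the HTTP-Redirect binding signature carried in {@code queryString}.
 * <p>
 * The signed string is rebuilt from the parameter values exactly as they appear in the
 * query string (still URL-encoded), in the fixed order {@code SAMLRequest}/{@code SAMLResponse},
 * then {@code RelayState} (only when present), then {@code SigAlg}; the UTF-8 bytes of that
 * string are checked against {@code sigValue} under {@code validatingKey}.
 * </p>
 *
 * @param queryString raw query string of the redirect request
 * @param validatingKey public key of the trusted issuer the signature must verify under
 * @param sigValue decoded signature bytes taken from the {@code Signature} parameter
 * @return {@code true} if the signature verifies, {@code false} otherwise
 * @throws GeneralSecurityException if the query string lacks the SAML message parameter or
 *         {@code SigAlg}, or when raised by {@code SignatureUtil.validate}
 * @throws UnsupportedEncodingException if UTF-8 is unavailable (never on a conforming JVM)
 */
public static boolean validateSignature(String queryString, PublicKey validatingKey, byte[] sigValue) throws UnsupportedEncodingException, GeneralSecurityException {
    // The parameter carrying the SAML message; a request takes precedence when present.
    String messageKey = isRequestQueryString(queryString) ? GeneralConstants.SAML_REQUEST_KEY : GeneralConstants.SAML_RESPONSE_KEY;
    String messageValue = RedirectBindingSignatureUtil.getTokenValue(queryString, messageKey);
    String sigAlgValue = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);

    // Both are mandatory parts of the signed string; fail explicitly rather than rebuilding
    // a string from absent values and handing it to the verifier.
    if (messageValue == null) {
        throw new GeneralSecurityException("Cannot validate redirect-binding signature: missing " + messageKey + " parameter");
    }
    if (sigAlgValue == null) {
        throw new GeneralSecurityException("Cannot validate redirect-binding signature: missing " + GeneralConstants.SAML_SIG_ALG_REQUEST_KEY + " parameter");
    }

    // Reconstruct the signed string in the order the sender built it (see getRedirectURLWithSignature).
    StringBuilder signedData = new StringBuilder();
    addParameter(signedData, messageKey, messageValue);
    String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.RELAY_STATE);
    if (isNotNull(relayStateFromURL)) {
        addParameter(signedData, GeneralConstants.RELAY_STATE, relayStateFromURL);
    }
    addParameter(signedData, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, sigAlgValue);

    return SignatureUtil.validate(signedData.toString().getBytes("UTF-8"), sigValue, validatingKey);
}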
/**
 * Builds the signed HTTP-Redirect binding query string for a SAML request.
 * <p>
 * The signature is computed by {@code computeSignature} over the request value, the relay
 * state and the signature algorithm, then appended as the {@code Signature} parameter; the
 * {@code SigAlg} parameter is derived from {@code signingKey.getAlgorithm()}.
 * </p>
 *
 * @param urlEncodedRequest the already URL-encoded {@code SAMLRequest} value
 * @param urlEncodedRelayState the already URL-encoded relay state, or {@code null} when there is none
 * @param signingKey private key used to sign; its algorithm name selects the {@code SigAlg} URI
 * @return query string holding {@code SAMLRequest}, optional {@code RelayState}, {@code SigAlg} and {@code Signature}
 * @throws GeneralSecurityException if signing fails
 * @throws IOException if encoding fails
 */
public static String getSAMLRequestURLWithSignature(String urlEncodedRequest, String urlEncodedRelayState, PrivateKey signingKey) throws IOException, GeneralSecurityException {
    final String samlParameter = GeneralConstants.SAML_REQUEST_KEY;
    final byte[] signature = computeSignature(samlParameter, urlEncodedRequest, urlEncodedRelayState, signingKey);
    final String keyAlgorithm = signingKey.getAlgorithm();
    return getRequestRedirectURLWithSignature(urlEncodedRequest, urlEncodedRelayState, signature, keyAlgorithm);
}
/**
 * Assembles the signed redirect query string for a SAML response by delegating to
 * {@code getRedirectURLWithSignature} with the {@code SAMLResponse} parameter name.
 *
 * @param urlEncodedResponse the already URL-encoded {@code SAMLResponse} value
 * @param urlEncodedRelayState the already URL-encoded relay state, or {@code null}
 * @param signature raw signature bytes to append (encoded by the delegate)
 * @param sigAlgo key algorithm name, mapped to a signature-algorithm URI by the delegate
 * @return the assembled query string
 * @throws IOException if URL encoding fails
 */
private static String getResponseRedirectURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState, byte[] signature, String sigAlgo) throws IOException {
    final String samlParameter = GeneralConstants.SAML_RESPONSE_KEY;
    return getRedirectURLWithSignature(samlParameter, urlEncodedResponse, urlEncodedRelayState, signature, sigAlgo);
}
/**
 * From the query string that contains key/value pairs, get the value of a key.
 * <b>Note:</b> if the token is null, a null value is returned.
 *
 * @param queryString raw query string to search; values are handed back as they appear in it
 *        (callers such as validateSignature use them without decoding)
 * @param token name of the parameter whose value is wanted
 * @return the value of {@code token}, or {@code null} when it is absent
 */
public static String getTokenValue(String queryString, String token) { return getTokenValue(getToken(queryString, token)); }
/**
 * Builds the signed HTTP-Redirect binding query string for a SAML response.
 * <p>
 * The signature is computed by {@code computeSignature} over the response value, the relay
 * state and the signature algorithm, then appended as the {@code Signature} parameter; the
 * {@code SigAlg} parameter is derived from {@code signingKey.getAlgorithm()}.
 * </p>
 *
 * @param urlEncodedResponse the already URL-encoded {@code SAMLResponse} value
 * @param urlEncodedRelayState the already URL-encoded relay state, or {@code null} when there is none
 * @param signingKey private key used to sign; its algorithm name selects the {@code SigAlg} URI
 * @return query string holding {@code SAMLResponse}, optional {@code RelayState}, {@code SigAlg} and {@code Signature}
 * @throws GeneralSecurityException if signing fails
 * @throws IOException if encoding fails
 */
public static String getSAMLResponseURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState, PrivateKey signingKey) throws IOException, GeneralSecurityException {
    final String samlParameter = GeneralConstants.SAML_RESPONSE_KEY;
    final byte[] signature = computeSignature(samlParameter, urlEncodedResponse, urlEncodedRelayState, signingKey);
    final String keyAlgorithm = signingKey.getAlgorithm();
    return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, signature, keyAlgorithm);
}
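/**
 * <p>
 * Validates the signature for SAML tokens received via HTTP Redirect Binding.
 * </p>
 * <p>
 * The signature travels in the {@code Signature} query parameter; it is extracted with
 * {@code RedirectBindingSignatureUtil.getSignatureValueFromSignedURL} and checked by
 * {@code RedirectBindingSignatureUtil.validateSignature} against {@code publicKey}.
 * </p>
 *
 * @param httpContext context whose request supplies the query string to verify
 * @param publicKey key of the trusted issuer the signature must verify under
 * @return {@code true} if the signature verifies, {@code false} otherwise
 * @throws ProcessingException if no signature is present (reported via
 *         {@code samlHandlerSignatureNotPresentError}) or if verification could not be carried out
 */
private boolean verifyRedirectBindingSignature(HTTPContext httpContext, PublicKey publicKey) throws ProcessingException {
    try {
        String queryString = httpContext.getRequest().getQueryString();
        // A request without any query string cannot carry a Signature parameter; report it as
        // "not present" instead of passing null down to the util.
        if (queryString == null) {
            throw logger.samlHandlerSignatureNotPresentError();
        }
        byte[] sigValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
        if (sigValue == null) {
            throw logger.samlHandlerSignatureNotPresentError();
        }
        return RedirectBindingSignatureUtil.validateSignature(queryString, publicKey, sigValue);
    } catch (ProcessingException pe) {
        // Already the caller-facing type (e.g. the "signature not present" error raised above);
        // rethrow as-is so it is not re-wrapped as a generic validation failure.
        throw pe;
    } catch (Exception e) {
        throw logger.samlHandlerSignatureValidationError(e);
    }
}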
/**
 * Tells whether {@code queryString} carries a {@code SAMLRequest} parameter, which decides
 * which parameter name is used when the signed string is rebuilt for validation.
 *
 * @param queryString raw query string of the redirect request
 * @return {@code true} if a {@code SAMLRequest} token is present, {@code false} otherwise
 */
private static boolean isRequestQueryString(String queryString) {
    String requestToken = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_REQUEST_KEY);
    return requestToken != null;
}
// Both values are expected to be URL-encoded already: the helper signs the encoded form
// (see the urlEncoded* parameter names on getSAMLResponseURLWithSignature).
sb.append(RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(urlEncodedSamlMessage, urlEncodedRelayState, signingKey));
url = RedirectBindingSignatureUtil.getSAMLRequestURLWithSignature(base64Request, relayState, signingKey); } else { url = RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(base64Request, relayState, signingKey);
/**
 * Assembles the redirect-binding query string: the SAML message parameter, the relay state
 * (only when supplied), the {@code SigAlg} URI and finally the encoded {@code Signature}.
 * <p>
 * The message and relay-state values are appended unchanged, so callers must pass them
 * already URL-encoded.
 * </p>
 *
 * @param samlParameter parameter name of the message ({@code SAMLRequest} or {@code SAMLResponse})
 * @param urlEncoded already URL-encoded message value
 * @param urlEncodedRelayState already URL-encoded relay state, or {@code null} to omit it
 * @param signature raw signature bytes; encoded with {@code RedirectBindingUtil.base64URLEncode}
 * @param sigAlgo key algorithm name, mapped to an XML-signature algorithm URI
 * @return the assembled query string
 * @throws IOException if URL-encoding the algorithm URI fails
 */
private static String getRedirectURLWithSignature(String samlParameter, String urlEncoded, String urlEncodedRelayState, byte[] signature, String sigAlgo) throws IOException {
    StringBuilder url = new StringBuilder();

    // 1. the SAML message itself
    addParameter(url, samlParameter, urlEncoded);

    // 2. RelayState, only when the caller supplied one
    if (isNotNull(urlEncodedRelayState)) {
        addParameter(url, GeneralConstants.RELAY_STATE, urlEncodedRelayState);
    }

    // 3. SigAlg: key algorithm name -> XML-signature URI, URL-encoded since it is a URI
    String sigAlgUri = SignatureUtil.getXMLSignatureAlgorithmURI(sigAlgo);
    String encodedSigAlg = URLEncoder.encode(sigAlgUri, "UTF-8");
    addParameter(url, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, encodedSigAlg);

    // 4. Signature: the raw bytes in URL-safe base64
    addParameter(url, GeneralConstants.SAML_SIGNATURE_REQUEST_KEY, RedirectBindingUtil.base64URLEncode(signature));

    return url.toString();
}
/**
 * Builds the signed HTTP-Redirect binding query string for a SAML response.
 * <p>
 * The signature is computed by {@code computeSignature} over the response value, the relay
 * state and the signature algorithm, then appended as the {@code Signature} parameter; the
 * {@code SigAlg} parameter is derived from {@code signingKey.getAlgorithm()}.
 * </p>
 *
 * @param urlEncodedResponse the already URL-encoded {@code SAMLResponse} value
 * @param urlEncodedRelayState the already URL-encoded relay state, or {@code null} when there is none
 * @param signingKey private key used to sign; its algorithm name selects the {@code SigAlg} URI
 * @return query string holding {@code SAMLResponse}, optional {@code RelayState}, {@code SigAlg} and {@code Signature}
 * @throws GeneralSecurityException if signing fails
 * @throws IOException if encoding fails
 */
public static String getSAMLResponseURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState, PrivateKey signingKey) throws IOException, GeneralSecurityException {
    final String samlParameter = GeneralConstants.SAML_RESPONSE_KEY;
    final byte[] signature = computeSignature(samlParameter, urlEncodedResponse, urlEncodedRelayState, signingKey);
    final String keyAlgorithm = signingKey.getAlgorithm();
    return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, signature, keyAlgorithm);
}
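/**
 * <p>
 * Validates the signature for SAML tokens received via HTTP Redirect Binding.
 * </p>
 * <p>
 * The signature travels in the {@code Signature} query parameter; it is extracted with
 * {@code RedirectBindingSignatureUtil.getSignatureValueFromSignedURL} and checked by
 * {@code RedirectBindingSignatureUtil.validateSignature} against {@code publicKey}.
 * </p>
 *
 * @param httpContext context whose request supplies the query string to verify
 * @param publicKey key of the trusted issuer the signature must verify under
 * @return {@code true} if the signature verifies, {@code false} otherwise
 * @throws ProcessingException if no signature is present (reported via
 *         {@code samlHandlerSignatureNotPresentError}) or if verification could not be carried out
 */
private boolean verifyRedirectBindingSignature(HTTPContext httpContext, PublicKey publicKey) throws ProcessingException {
    try {
        String queryString = httpContext.getRequest().getQueryString();
        // A request without any query string cannot carry a Signature parameter; report it as
        // "not present" instead of passing null down to the util.
        if (queryString == null) {
            throw logger.samlHandlerSignatureNotPresentError();
        }
        byte[] sigValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
        if (sigValue == null) {
            throw logger.samlHandlerSignatureNotPresentError();
        }
        return RedirectBindingSignatureUtil.validateSignature(queryString, publicKey, sigValue);
    } catch (ProcessingException pe) {
        // Already the caller-facing type (e.g. the "signature not present" error raised above);
        // rethrow as-is so it is not re-wrapped as a generic validation failure.
        throw pe;
    } catch (Exception e) {
        throw logger.samlHandlerSignatureValidationError(e);
    }
}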
/**
 * From the query string that contains key/value pairs, get the value of a key.
 * <b>Note:</b> if the token is null, a null value is returned.
 *
 * @param queryString raw query string to search; values are handed back as they appear in it
 *        (callers such as validateSignature use them without decoding)
 * @param token name of the parameter whose value is wanted
 * @return the value of {@code token}, or {@code null} when it is absent
 */
public static String getTokenValue(String queryString, String token) { return getTokenValue(getToken(queryString, token)); }
/**
 * Tells whether {@code queryString} carries a {@code SAMLRequest} parameter, which decides
 * which parameter name is used when the signed string is rebuilt for validation.
 *
 * @param queryString raw query string of the redirect request
 * @return {@code true} if a {@code SAMLRequest} token is present, {@code false} otherwise
 */
private static boolean isRequestQueryString(String queryString) {
    String requestToken = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_REQUEST_KEY);
    return requestToken != null;
}
// Both values are expected to be URL-encoded already: the helper signs the encoded form
// (see the urlEncoded* parameter names on getSAMLResponseURLWithSignature).
sb.append(RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(urlEncodedResponse, urlEncodedRelayState, keyManager.getSigningKey()));
/**
 * Serializes {@code samlDocument}, deflates and base64url-encodes it, and returns the signed
 * redirect-binding query string for it.
 * <p>
 * The relay state is URL-encoded before it is handed to the signer, so the signature covers
 * the encoded form that actually appears in the URL.
 * </p>
 *
 * @param samlDocument the SAML request or response to send
 * @param relayState plain (not yet encoded) relay state, may be {@code null}
 * @param keypair key pair whose private key signs the message
 * @param willSendRequest {@code true} to build a {@code SAMLRequest} URL, {@code false} for {@code SAMLResponse}
 * @return the signed query string
 * @throws ProcessingException if serialization, encoding or signing fails; the cause is logged first
 */
private String signRedirect(Document samlDocument, String relayState, KeyPair keypair, boolean willSendRequest) throws ProcessingException {
    try {
        String serializedMessage = DocumentUtil.getDocumentAsString(samlDocument);
        String encodedMessage = RedirectBindingUtil.deflateBase64URLEncode(serializedMessage.getBytes("UTF-8"));
        PrivateKey signingKey = keypair.getPrivate();

        // Encode relayState before signing so the signature covers what is sent
        String encodedRelayState = isNotNull(relayState) ? RedirectBindingUtil.urlEncode(relayState) : relayState;

        return willSendRequest
                ? RedirectBindingSignatureUtil.getSAMLRequestURLWithSignature(encodedMessage, encodedRelayState, signingKey)
                : RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(encodedMessage, encodedRelayState, signingKey);
    } catch (ConfigurationException ce) {
        logger.samlHandlerErrorSigningRedirectBindingMessage(ce);
        throw logger.samlHandlerSigningRedirectBindingMessageError(ce);
    } catch (GeneralSecurityException ce) {
        logger.samlHandlerErrorSigningRedirectBindingMessage(ce);
        throw logger.samlHandlerSigningRedirectBindingMessageError(ce);
    } catch (IOException ce) {
        logger.samlHandlerErrorSigningRedirectBindingMessage(ce);
        throw logger.samlHandlerSigningRedirectBindingMessageError(ce);
    }
}
/**
 * Assembles the redirect-binding query string: the SAML message parameter, the relay state
 * (only when supplied), the {@code SigAlg} URI and finally the encoded {@code Signature}.
 * <p>
 * The message and relay-state values are appended unchanged, so callers must pass them
 * already URL-encoded.
 * </p>
 *
 * @param samlParameter parameter name of the message ({@code SAMLRequest} or {@code SAMLResponse})
 * @param urlEncoded already URL-encoded message value
 * @param urlEncodedRelayState already URL-encoded relay state, or {@code null} to omit it
 * @param signature raw signature bytes; encoded with {@code RedirectBindingUtil.base64URLEncode}
 * @param sigAlgo key algorithm name, mapped to an XML-signature algorithm URI
 * @return the assembled query string
 * @throws IOException if URL-encoding the algorithm URI fails
 */
private static String getRedirectURLWithSignature(String samlParameter, String urlEncoded, String urlEncodedRelayState, byte[] signature, String sigAlgo) throws IOException {
    StringBuilder url = new StringBuilder();

    // 1. the SAML message itself
    addParameter(url, samlParameter, urlEncoded);

    // 2. RelayState, only when the caller supplied one
    if (isNotNull(urlEncodedRelayState)) {
        addParameter(url, GeneralConstants.RELAY_STATE, urlEncodedRelayState);
    }

    // 3. SigAlg: key algorithm name -> XML-signature URI, URL-encoded since it is a URI
    String sigAlgUri = SignatureUtil.getXMLSignatureAlgorithmURI(sigAlgo);
    String encodedSigAlg = URLEncoder.encode(sigAlgUri, "UTF-8");
    addParameter(url, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, encodedSigAlg);

    // 4. Signature: the raw bytes in URL-safe base64
    addParameter(url, GeneralConstants.SAML_SIGNATURE_REQUEST_KEY, RedirectBindingUtil.base64URLEncode(signature));

    return url.toString();
}
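/**
 * Verifies the HTTP-Redirect binding signature carried in {@code queryString}.
 * <p>
 * The signed string is rebuilt from the parameter values exactly as they appear in the
 * query string (still URL-encoded), in the fixed order {@code SAMLRequest}/{@code SAMLResponse},
 * then {@code RelayState} (only when present), then {@code SigAlg}; the UTF-8 bytes of that
 * string are checked against {@code sigValue} under {@code validatingKey}.
 * </p>
 *
 * @param queryString raw query string of the redirect request
 * @param validatingKey public key of the trusted issuer the signature must verify under
 * @param sigValue decoded signature bytes taken from the {@code Signature} parameter
 * @return {@code true} if the signature verifies, {@code false} otherwise
 * @throws GeneralSecurityException if the query string lacks the SAML message parameter or
 *         {@code SigAlg}, or when raised by {@code SignatureUtil.validate}
 * @throws UnsupportedEncodingException if UTF-8 is unavailable (never on a conforming JVM)
 */
public static boolean validateSignature(String queryString, PublicKey validatingKey, byte[] sigValue) throws UnsupportedEncodingException, GeneralSecurityException {
    // The parameter carrying the SAML message; a request takes precedence when present.
    String messageKey = isRequestQueryString(queryString) ? GeneralConstants.SAML_REQUEST_KEY : GeneralConstants.SAML_RESPONSE_KEY;
    String messageValue = RedirectBindingSignatureUtil.getTokenValue(queryString, messageKey);
    String sigAlgValue = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);

    // Both are mandatory parts of the signed string; fail explicitly rather than rebuilding
    // a string from absent values and handing it to the verifier.
    if (messageValue == null) {
        throw new GeneralSecurityException("Cannot validate redirect-binding signature: missing " + messageKey + " parameter");
    }
    if (sigAlgValue == null) {
        throw new GeneralSecurityException("Cannot validate redirect-binding signature: missing " + GeneralConstants.SAML_SIG_ALG_REQUEST_KEY + " parameter");
    }

    // Reconstruct the signed string in the order the sender built it (see getRedirectURLWithSignature).
    StringBuilder signedData = new StringBuilder();
    addParameter(signedData, messageKey, messageValue);
    String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.RELAY_STATE);
    if (isNotNull(relayStateFromURL)) {
        addParameter(signedData, GeneralConstants.RELAY_STATE, relayStateFromURL);
    }
    addParameter(signedData, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, sigAlgValue);

    return SignatureUtil.validate(signedData.toString().getBytes("UTF-8"), sigValue, validatingKey);
}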
/**
 * Builds the signed HTTP-Redirect binding query string for a SAML request.
 * <p>
 * The signature is computed by {@code computeSignature} over the request value, the relay
 * state and the signature algorithm, then appended as the {@code Signature} parameter; the
 * {@code SigAlg} parameter is derived from {@code signingKey.getAlgorithm()}.
 * </p>
 *
 * @param urlEncodedRequest the already URL-encoded {@code SAMLRequest} value
 * @param urlEncodedRelayState the already URL-encoded relay state, or {@code null} when there is none
 * @param signingKey private key used to sign; its algorithm name selects the {@code SigAlg} URI
 * @return query string holding {@code SAMLRequest}, optional {@code RelayState}, {@code SigAlg} and {@code Signature}
 * @throws GeneralSecurityException if signing fails
 * @throws IOException if encoding fails
 */
public static String getSAMLRequestURLWithSignature(String urlEncodedRequest, String urlEncodedRelayState, PrivateKey signingKey) throws IOException, GeneralSecurityException {
    final String samlParameter = GeneralConstants.SAML_REQUEST_KEY;
    final byte[] signature = computeSignature(samlParameter, urlEncodedRequest, urlEncodedRelayState, signingKey);
    final String keyAlgorithm = signingKey.getAlgorithm();
    return getRequestRedirectURLWithSignature(urlEncodedRequest, urlEncodedRelayState, signature, keyAlgorithm);
}
/**
 * Builds the signed HTTP-Redirect binding query string for a SAML response.
 * <p>
 * The signature is computed by {@code computeSignature} over the response value, the relay
 * state and the signature algorithm, then appended as the {@code Signature} parameter; the
 * {@code SigAlg} parameter is derived from {@code signingKey.getAlgorithm()}.
 * </p>
 *
 * @param urlEncodedResponse the already URL-encoded {@code SAMLResponse} value
 * @param urlEncodedRelayState the already URL-encoded relay state, or {@code null} when there is none
 * @param signingKey private key used to sign; its algorithm name selects the {@code SigAlg} URI
 * @return query string holding {@code SAMLResponse}, optional {@code RelayState}, {@code SigAlg} and {@code Signature}
 * @throws GeneralSecurityException if signing fails
 * @throws IOException if encoding fails
 */
public static String getSAMLResponseURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState, PrivateKey signingKey) throws IOException, GeneralSecurityException {
    final String samlParameter = GeneralConstants.SAML_RESPONSE_KEY;
    final byte[] signature = computeSignature(samlParameter, urlEncodedResponse, urlEncodedRelayState, signingKey);
    final String keyAlgorithm = signingKey.getAlgorithm();
    return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, signature, keyAlgorithm);
}