CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EntityIDCriteria(openSAMLContext.entityId())); criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
private Credential resolveCredential(String entityId) { try { return keyManager.resolveSingle(new CriteriaSet(new EntityIDCriteria(entityId))); } catch (SecurityException e) { throw new RuntimeException(e); } }
CriteriaSet keyInfoCriteriaSet = new CriteriaSet(keyInfoCriteria);
/** * Resolve credentials from local resolver using key name criteria. * * @param keyName the key name criteria * @return collection of local credentials identified by the specified key name * @throws SecurityException thrown if there is a problem resolving credentials from the * local credential resolver */ protected Collection<? extends Credential> resolveByKeyName(String keyName) throws SecurityException { ArrayList<Credential> localCreds = new ArrayList<Credential>(); CriteriaSet criteriaSet = new CriteriaSet( new KeyNameCriteria(keyName) ); for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) { if (isLocalCredential(cred)) { localCreds.add(cred); } } return localCreds; }
/** * Resolve credentials from local resolver using key name criteria. * * @param keyName the key name criteria * @return collection of local credentials identified by the specified key name * @throws SecurityException thrown if there is a problem resolving credentials from the * local credential resolver */ protected Collection<? extends Credential> resolveByKeyName(String keyName) throws SecurityException { ArrayList<Credential> localCreds = new ArrayList<Credential>(); CriteriaSet criteriaSet = new CriteriaSet( new KeyNameCriteria(keyName) ); for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) { if (isLocalCredential(cred)) { localCreds.add(cred); } } return localCreds; }
/** * Resolve credentials from local resolver using public key criteria. * * @param publicKey the public key criteria * @return collection of local credentials which contain the private key * corresponding to the specified public key * @throws SecurityException thrown if there is a problem resolving credentials from the * local credential resolver */ protected Collection<? extends Credential> resolveByPublicKey(PublicKey publicKey) throws SecurityException { ArrayList<Credential> localCreds = new ArrayList<Credential>(); CriteriaSet criteriaSet = new CriteriaSet( new PublicKeyCriteria(publicKey) ); for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) { if (isLocalCredential(cred)) { localCreds.add(cred); } } return localCreds; }
/** * Resolve credentials from local resolver using public key criteria. * * @param publicKey the public key criteria * @return collection of local credentials which contain the private key * corresponding to the specified public key * @throws SecurityException thrown if there is a problem resolving credentials from the * local credential resolver */ protected Collection<? extends Credential> resolveByPublicKey(PublicKey publicKey) throws SecurityException { ArrayList<Credential> localCreds = new ArrayList<Credential>(); CriteriaSet criteriaSet = new CriteriaSet( new PublicKeyCriteria(publicKey) ); for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) { if (isLocalCredential(cred)) { localCreds.add(cred); } } return localCreds; }
/** {@inheritDoc} */ protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(entityID)) { criteriaSet.add(new EntityIDCriteria(entityID)); } criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
private static CriteriaSet buildCriteriaSet(String issuer) { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(issuer)) { criteriaSet.add(new EntityIDCriteria(issuer)); } criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
/** * Returns Credential object used to sign the messages issued by this entity. * Public, X509 and Private keys are set in the credential. * * @param keyName name of the key to use, in case of null default key is used * @return credential */ public Credential getCredential(String keyName) { if (keyName == null) { keyName = defaultKey; } try { CriteriaSet cs = new CriteriaSet(); EntityIDCriteria criteria = new EntityIDCriteria(keyName); cs.add(criteria); return resolveSingle(cs); } catch (org.opensaml.xml.security.SecurityException e) { throw new SAMLRuntimeException("Can't obtain SP signing key", e); } }
/** * Build a criteria set suitable for input to the trust engine. * * @param issuer * @return * @throws SecurityPolicyException */ private static CriteriaSet buildCriteriaSet(String issuer) { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(issuer)) { criteriaSet.add(new EntityIDCriteria(issuer)); } criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
/** * Build a criteria set suitable for input to the trust engine. * * @param issuer * @return * @throws SecurityPolicyException */ private static CriteriaSet buildCriteriaSet(String issuer) { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(issuer)) { criteriaSet.add(new EntityIDCriteria(issuer)); } criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
protected void verifySignature(Signature signature, String IDPEntityID, SignatureTrustEngine trustEngine) throws org.opensaml.xml.security.SecurityException, ValidationException { if (trustEngine == null) { throw new SecurityException("Trust engine is not set, signature can't be verified"); } SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator(); validator.validate(signature); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EntityIDCriteria(IDPEntityID)); criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS)); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); log.debug("Verifying signature", signature); if (!trustEngine.validate(signature, criteriaSet)) { throw new ValidationException("Signature is not trusted or invalid"); } }
protected void verifySignature(Signature signature, String IDPEntityID) throws org.opensaml.xml.security.SecurityException, ValidationException { SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator(); validator.validate(signature); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EntityIDCriteria(IDPEntityID)); criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS)); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); System.out.println("Verifying signature"+ signature); trustEngine.validate(signature, criteriaSet); }
/** {@inheritDoc} */ protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException { if (!(messageContext instanceof SAMLMessageContext)) { log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters"); throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext"); } SAMLMessageContext samlContext = (SAMLMessageContext) messageContext; CriteriaSet criteriaSet = new CriteriaSet(); if (! DatatypeHelper.isEmpty(entityID)) { criteriaSet.add(new EntityIDCriteria(entityID) ); } MetadataCriteria mdCriteria = new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol()); criteriaSet.add(mdCriteria); criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); return criteriaSet; }
/** * Initializes internal SocketFactory used to create all sockets. By default uses PKIX algorithm with * configured trusted keys as trust anchors. * * @return socket factory */ protected SecureProtocolSocketFactory initializeDelegate() { CertPathPKIXValidationOptions pkixOptions = new CertPathPKIXValidationOptions(); PKIXValidationInformationResolver pkixResolver = getPKIXResolver(); CertPathPKIXTrustEvaluator pkixTrustEvaluator = new CertPathPKIXTrustEvaluator(pkixOptions); TrustEngine<X509Credential> trustEngine = new PKIXX509CredentialTrustEngine(pkixResolver, pkixTrustEvaluator, new BasicX509CredentialNameEvaluator()); X509KeyManager keyManager = new X509KeyManager((X509Credential) this.keyManager.getDefaultCredential()); X509TrustManager trustManager = new X509TrustManager(new CriteriaSet(), trustEngine); HostnameVerifier hostnameVerifier = SAMLUtil.getHostnameVerifier(sslHostnameVerification); if (isHostnameVerificationSupported()) { return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(keyManager, trustManager, hostnameVerifier); } else { return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(keyManager, trustManager); } }
/** {@inheritDoc} */ public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException { checkParams(signature, trustBasisCriteria); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.addAll(trustBasisCriteria); if (!criteriaSet.contains(UsageCriteria.class)) { criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); } String jcaAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signature.getSignatureAlgorithm()); if (!DatatypeHelper.isEmpty(jcaAlgorithm)) { criteriaSet.add(new KeyAlgorithmCriteria(jcaAlgorithm), true); } Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteriaSet); if (validate(signature, trustedCredentials)) { return true; } // If the credentials extracted from Signature's KeyInfo (if any) did not verify the // signature and/or establish trust, as a fall back attempt to verify the signature with // the trusted credentials directly. log.debug("Attempting to verify signature using trusted credentials"); for (Credential trustedCredential : trustedCredentials) { if (verifySignature(signature, trustedCredential)) { log.debug("Successfully verified signature using resolved trusted credential"); return true; } } log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials"); return false; }
/** * Utility method to build a new set of credential criteria based on the KeyInfo of an EncryptedData or * EncryptedKey, and any additional static criteria which might have been supplied to the decrypter. * * @param encryptedType an EncryptedData or EncryptedKey for which to resolve decryption credentials * @param staticCriteria static set of credential criteria to add to the new criteria set * @return the new credential criteria set */ private CriteriaSet buildCredentialCriteria(EncryptedType encryptedType, CriteriaSet staticCriteria) { CriteriaSet newCriteriaSet = new CriteriaSet(); // This is the main criteria based on the encrypted type's KeyInfo newCriteriaSet.add(new KeyInfoCriteria(encryptedType.getKeyInfo())); // Also attemtpt to dynamically construct key criteria based on information // in the encrypted object Set<Criteria> keyCriteria = buildKeyCriteria(encryptedType); if (keyCriteria != null && !keyCriteria.isEmpty()) { newCriteriaSet.addAll(keyCriteria); } // Add any static criteria which may have been supplied to the decrypter if (staticCriteria != null && !staticCriteria.isEmpty()) { newCriteriaSet.addAll(staticCriteria); } // If don't have a usage criteria yet from static criteria, add encryption usage if (!newCriteriaSet.contains(UsageCriteria.class)) { newCriteriaSet.add(new UsageCriteria(UsageType.ENCRYPTION)); } return newCriteriaSet; }
/** * Build a criteria set suitable for input to the trust engine. * * @param entityID the candidate issuer entity ID which is being evaluated * @param samlContext the message context which is being evaluated * @return a newly constructly set of criteria suitable for the configured trust engine * @throws SecurityPolicyException thrown if criteria set can not be constructed */ protected CriteriaSet buildCriteriaSet(String entityID, SAMLMessageContext samlContext) throws SecurityPolicyException { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(entityID)) { criteriaSet.add(new EntityIDCriteria(entityID)); } MetadataCriteria mdCriteria = new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext .getInboundSAMLProtocol()); criteriaSet.add(mdCriteria); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
Credential credential = keyManager.resolveSingle(new CriteriaSet(new EntityIDCriteria(idpConfiguration.getEntityId()))); signature.setSigningCredential(credential); signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);