/**
 * Constructor.
 *
 * @param criteria the criteria which is the basis for evaluation; must not be {@code null}
 * @throws NullPointerException if {@code criteria} is {@code null}
 */
public EvaluableEntityIDCredentialCriteria(EntityIDCriteria criteria) {
    if (null == criteria) {
        throw new NullPointerException("Criteria instance may not be null");
    }
    // Only the entity ID value is captured; the criteria object itself is not retained.
    this.entityID = criteria.getEntityID();
}
/**
 * Constructor.
 *
 * @param criteria the criteria which is the basis for evaluation; must not be {@code null}
 * @throws NullPointerException if {@code criteria} is {@code null}
 */
public EvaluableEntityIDCredentialCriteria(EntityIDCriteria criteria) {
    if (null == criteria) {
        throw new NullPointerException("Criteria instance may not be null");
    }
    // Only the entity ID value is captured; the criteria object itself is not retained.
    this.entityID = criteria.getEntityID();
}
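/**
 * Builds credentials from the certificates held in the backing {@code keyStore}.
 * <p>
 * Every alias is visited. When the criteria set carries an {@link EntityIDCriteria}, only the
 * entry whose alias equals that entity ID is returned and the scan stops at the first match;
 * otherwise every X.509 certificate in the store is returned. Entries for which the key store
 * yields no X.509 certificate (the JDK returns {@code null} for aliases without a certificate)
 * are skipped rather than wrapped. The result is also stored in the {@code credentialSet} field.
 *
 * @param criteriaSet the criteria to resolve against; an {@link EntityIDCriteria} narrows the
 *                    result to a single alias
 * @return the resolved credentials (possibly empty, never {@code null})
 * @throws SecurityException if the key store cannot be enumerated; the underlying
 *                           {@link KeyStoreException} is attached as the cause
 */
@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    // Resolve the optional entity ID filter once, outside the alias loop.
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    String wantedAlias = entityCriteria != null ? entityCriteria.getEntityID() : null;
    try {
        credentialSet = new HashSet<Credential>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate stored = keyStore.getCertificate(alias);
            if (!(stored instanceof X509Certificate)) {
                // Null (no certificate for this alias) or a non-X.509 certificate: nothing to wrap.
                continue;
            }
            Credential credential = new X509CredentialImpl((X509Certificate) stored);
            if (entityCriteria == null) {
                credentialSet.add(credential);
            } else if (alias.equals(wantedAlias)) {
                // NOTE(review): this comparison is case-sensitive, while some key store types
                // (JKS, PKCS12) treat aliases case-insensitively and may report them lower-cased;
                // confirm that entity IDs used as aliases are given in the stored case.
                credentialSet.add(credential);
                break;
            }
        }
        return credentialSet;
    } catch (KeyStoreException e) {
        log.error(e);
        // Keep the original exception as the cause so the failure can be diagnosed.
        throw new SecurityException("Error reading certificates from key store", e);
    }
}
}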
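/**
 * Builds credentials from the certificates held in the backing {@code keyStore}.
 * <p>
 * Every alias is visited. When the criteria set carries an {@link EntityIDCriteria}, only the
 * entry whose alias equals that entity ID is returned and the scan stops at the first match;
 * otherwise every X.509 certificate in the store is returned. Entries for which the key store
 * yields no X.509 certificate (the JDK returns {@code null} for aliases without a certificate)
 * are skipped rather than wrapped. The result is also stored in the {@code credentialSet} field.
 *
 * @param criteriaSet the criteria to resolve against; an {@link EntityIDCriteria} narrows the
 *                    result to a single alias
 * @return the resolved credentials (possibly empty, never {@code null})
 * @throws SecurityException if the key store cannot be enumerated; the underlying
 *                           {@link KeyStoreException} is attached as the cause
 */
@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    // Resolve the optional entity ID filter once, outside the alias loop.
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    String wantedAlias = entityCriteria != null ? entityCriteria.getEntityID() : null;
    try {
        credentialSet = new HashSet<Credential>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate stored = keyStore.getCertificate(alias);
            if (!(stored instanceof X509Certificate)) {
                // Null (no certificate for this alias) or a non-X.509 certificate: nothing to wrap.
                continue;
            }
            Credential credential = new X509CredentialImpl((X509Certificate) stored);
            if (entityCriteria == null) {
                credentialSet.add(credential);
            } else if (alias.equals(wantedAlias)) {
                // NOTE(review): this comparison is case-sensitive, while some key store types
                // (JKS, PKCS12) treat aliases case-insensitively and may report them lower-cased;
                // confirm that entity IDs used as aliases are given in the stored case.
                credentialSet.add(credential);
                break;
            }
        }
        return credentialSet;
    } catch (KeyStoreException e) {
        log.error(e);
        // Keep the original exception as the cause so the failure can be diagnosed.
        throw new SecurityException("Error reading certificates from key store", e);
    }
}
}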
/**
 * Check that all necessary credential criteria are available.
 * <p>
 * Both an {@link EntityIDCriteria} with a non-empty entity ID and a {@link MetadataCriteria}
 * with a role are required; the first missing piece, in that order, is reported.
 *
 * @param criteriaSet the credential set to evaluate
 * @throws IllegalArgumentException if any required criterion or criterion value is absent
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    String problem = null;
    if (entityCriteria == null) {
        problem = "Entity criteria must be supplied";
    } else if (mdCriteria == null) {
        problem = "SAML metadata criteria must be supplied";
    } else if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) {
        problem = "Credential owner entity ID criteria value must be supplied";
    } else if (mdCriteria.getRole() == null) {
        problem = "Credential metadata role criteria value must be supplied";
    }
    if (problem != null) {
        throw new IllegalArgumentException(problem);
    }
}
/**
 * Check that all necessary criteria are available.
 * <p>
 * Both an {@link EntityIDCriteria} with a non-empty entity ID and a {@link MetadataCriteria}
 * with a role are required; the first missing piece, in that order, is reported.
 *
 * @param criteriaSet the criteria set to evaluate
 * @throws IllegalArgumentException if any required criterion or criterion value is absent
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    String problem = null;
    if (entityCriteria == null) {
        problem = "Entity criteria must be supplied";
    } else if (mdCriteria == null) {
        problem = "SAML metadata criteria must be supplied";
    } else if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) {
        problem = "Entity ID criteria value must be supplied";
    } else if (mdCriteria.getRole() == null) {
        problem = "Metadata role criteria value must be supplied";
    }
    if (problem != null) {
        throw new IllegalArgumentException(problem);
    }
}
/**
 * Check that all necessary credential criteria are available.
 * <p>
 * Both an {@link EntityIDCriteria} with a non-empty entity ID and a {@link MetadataCriteria}
 * with a role are required; the first missing piece, in that order, is reported.
 *
 * @param criteriaSet the credential set to evaluate
 * @throws IllegalArgumentException if any required criterion or criterion value is absent
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    String problem = null;
    if (entityCriteria == null) {
        problem = "Entity criteria must be supplied";
    } else if (mdCriteria == null) {
        problem = "SAML metadata criteria must be supplied";
    } else if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) {
        problem = "Credential owner entity ID criteria value must be supplied";
    } else if (mdCriteria.getRole() == null) {
        problem = "Credential metadata role criteria value must be supplied";
    }
    if (problem != null) {
        throw new IllegalArgumentException(problem);
    }
}
/**
 * Validates the certificate chain presented by a TLS server against the configured
 * {@code trustEngine}.
 * <p>
 * The first element of the presented chain is taken as the server's own certificate and wrapped,
 * together with the full chain, into a {@link BasicX509Credential}; when the {@code criteriaSet}
 * holds an {@link EntityIDCriteria} its entity ID is attached to that credential. The trust
 * decision is delegated entirely to the trust engine. No host name comparison is made here
 * (NOTE(review): confirm that happens elsewhere in the TLS setup).
 *
 * @param x509Certificates the peer certificate chain as presented by the server
 * @param s the authentication type reported by JSSE; not used by this implementation
 * @throws IllegalArgumentException if the chain is {@code null} or empty
 * @throws UntrustedCertificateException if the trust engine rejects the chain
 * @throws CertificateException if the trust engine itself fails while validating
 */
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    if (x509Certificates == null || x509Certificates.length == 0) {
        throw new IllegalArgumentException("Null or empty certificates list");
    }
    X509Certificate serverCert = x509Certificates[0];

    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityCertificate(serverCert);
    credential.setEntityCertificateChain(Arrays.asList(x509Certificates));
    credential.setUsageType(UsageType.UNSPECIFIED);
    EntityIDCriteria entityIDCriteria = criteriaSet.get(EntityIDCriteria.class);
    if (entityIDCriteria != null) {
        credential.setEntityId(entityIDCriteria.getEntityID());
    }

    try {
        log.debug("Checking server trust");
        if (!trustEngine.validate(credential, criteriaSet)) {
            Principal issuerDN = serverCert.getIssuerDN();
            Principal subjectDN = serverCert.getSubjectDN();
            String message = "Peer SSL/TLS certificate '" + subjectDN + "' "
                    + "issued by '" + issuerDN + "' "
                    + "is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in extended metadata with the certificate's alias";
            throw new UntrustedCertificateException(message, x509Certificates);
        }
        log.debug("Server certificate trust verified");
    } catch (org.opensaml.xml.security.SecurityException e) {
        throw new CertificateException("Error validating certificate", e);
    }
}
/**
 * Method loads credentials satisfying the criteriaSet from the metadata of the related entity
 * and adds the entity certificate of every {@link X509Credential} among them to {@code anchors}.
 * <p>
 * Credentials that are not {@link X509Credential}s are logged and skipped. The {@code crls}
 * collection is accepted for symmetry with the other anchor populators but this method does not
 * add anything to it.
 *
 * @param criteriaSet criteria set; an {@link EntityIDCriteria} is expected to be present
 * @param anchors pkix anchors, extended in place
 * @param crls CRLs for the anchors; left untouched here
 * @throws SecurityException thrown if the key, certificate, or CRL information is represented in an unsupported format
 */
protected void populateMetadataAnchors(CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls) throws SecurityException {
    String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID();
    log.debug("Attempting to retrieve PKIX trust anchors from metadata configuration for entity: {}", entityID);
    for (Credential key : metadataResolver.resolve(criteriaSet)) {
        if (!(key instanceof X509Credential)) {
            log.debug("Key {} is not of X509Credential type, skipping", key.getEntityId());
            continue;
        }
        X509Certificate anchor = ((X509Credential) key).getEntityCertificate();
        log.debug("Using key {} as a trust anchor", anchor.getSubjectDN());
        anchors.add(anchor);
    }
}
String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID(); UsageCriteria usageCriteria = criteriaSet.get(UsageCriteria.class); UsageType usage;
String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID(); UsageCriteria usageCriteria = criteriaSet.get(UsageCriteria.class); UsageType usage;
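/**
 * Method add trusted anchors which include all trusted certificates configuration
 * in the ExtendedMetadata. In case no trusted certificates were configured all certificates in the KeyManager
 * are considered as trusted and added to the anchor list.
 * <p>
 * Every alias in the effective trust list must resolve to a certificate in the key manager; an
 * alias without one is reported as a {@link SecurityException} instead of silently becoming a
 * {@code null} anchor. The {@code crls} collection is not modified by this method.
 *
 * @param criteriaSet criteria set; an {@link EntityIDCriteria} is expected to be present
 * @param anchors pkix anchors, extended in place
 * @param crls CRLs for the anchors; left untouched here
 * @throws SecurityException thrown if the extended metadata cannot be loaded, or if a trusted
 *                           key alias has no certificate in the key manager
 */
protected void populateTrustedKeysAnchors(CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls) throws SecurityException {
    try {
        String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID();
        log.debug("Attempting to retrieve credentials from metadata configuration for entity: {}", entityID);
        ExtendedMetadata extendedMetadata = metadata.getExtendedMetadata(entityID);
        Set<String> trustedKeys = extendedMetadata.getTrustedKeys();
        if (trustedKeys == null) {
            // No explicit trust list configured: every alias known to the key manager becomes an anchor.
            trustedKeys = keyManager.getAvailableCredentials();
        }
        for (String alias : trustedKeys) {
            X509Certificate anchor = keyManager.getCertificate(alias);
            if (anchor == null) {
                // Fail closed with an actionable message rather than adding a null anchor.
                throw new SecurityException("Trusted key '" + alias + "' has no certificate in the key manager");
            }
            anchors.add(anchor);
        }
    } catch (MetadataProviderException e) {
        throw new SecurityException("Error loading extended metadata", e);
    }
}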
String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID(); MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class); QName role = mdCriteria.getRole();
/**
 * {@inheritDoc}
 * <p>
 * Resolves credentials for the entity, role, protocol and usage named in the criteria set,
 * serving from the cache when a matching {@link MetadataCacheKey} is present and otherwise
 * loading from metadata and caching the result. A missing {@link UsageCriteria} is treated as
 * {@link UsageType#UNSPECIFIED}.
 *
 * @throws IllegalArgumentException if the required criteria are not present
 */
protected Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    checkCriteriaRequirements(criteriaSet);

    String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID();
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    QName role = mdCriteria.getRole();
    String protocol = mdCriteria.getProtocol();
    UsageCriteria usageCriteria = criteriaSet.get(UsageCriteria.class);
    UsageType usage = (usageCriteria == null) ? UsageType.UNSPECIFIED : usageCriteria.getUsage();

    // See Jira issue SIDP-229: touching the provider gives it a chance to perform an on-demand refresh.
    log.debug("Forcing on-demand metadata provider refresh if necessary");
    try {
        metadata.getMetadata();
    } catch (MetadataProviderException ignored) {
        // Refresh failures are deliberately not surfaced at this level; resolution proceeds regardless.
    }

    MetadataCacheKey cacheKey = new MetadataCacheKey(entityID, role, protocol, usage);
    Collection<Credential> cached = retrieveFromCache(cacheKey);
    if (cached != null) {
        return cached;
    }
    Collection<Credential> resolved = retrieveFromMetadata(entityID, role, protocol, usage);
    cacheCredentials(cacheKey, resolved);
    return resolved;
}
/**
 * Resolves PKIX validation information for the entity, role, protocol and usage named in the
 * criteria set, serving from the cache when a matching {@link MetadataCacheKey} is present and
 * otherwise building it via {@code populateCredentials} and caching the result. A missing
 * {@link UsageCriteria} is treated as {@link UsageType#UNSPECIFIED}.
 *
 * @param criteriaSet the criteria to resolve against
 * @return the PKIX validation information for the criteria
 * @throws SecurityException if building the validation information fails
 * @throws IllegalArgumentException if the required criteria are not present
 */
protected Iterable<PKIXValidationInformation> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    checkCriteriaRequirements(criteriaSet);

    String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID();
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    QName role = mdCriteria.getRole();
    String protocol = mdCriteria.getProtocol();
    UsageCriteria usageCriteria = criteriaSet.get(UsageCriteria.class);
    UsageType usage = (usageCriteria == null) ? UsageType.UNSPECIFIED : usageCriteria.getUsage();

    // See Jira issue SIDP-229: touching the provider gives it a chance to perform an on-demand refresh.
    log.debug("Forcing on-demand metadata provider refresh if necessary");
    try {
        metadata.getMetadata();
    } catch (MetadataProviderException ignored) {
        // Refresh failures are deliberately not surfaced at this level; resolution proceeds regardless.
    }

    MetadataCacheKey cacheKey = new MetadataCacheKey(entityID, role, protocol, usage);
    Collection<PKIXValidationInformation> cached = retrieveFromCache(cacheKey);
    if (cached != null) {
        return cached;
    }
    Collection<PKIXValidationInformation> built = populateCredentials(criteriaSet);
    cacheCredentials(cacheKey, built);
    return built;
}
/**
 * {@inheritDoc}
 * <p>
 * Resolves PKIX validation information for the entity, role, protocol and usage named in the
 * criteria set, serving from the PKIX cache when a matching {@link MetadataCacheKey} is present
 * and otherwise loading from metadata and caching the result. A missing {@link UsageCriteria}
 * is treated as {@link UsageType#UNSPECIFIED}.
 *
 * @throws IllegalArgumentException if the required criteria are not present
 */
public Iterable<PKIXValidationInformation> resolve(CriteriaSet criteriaSet) throws SecurityException {
    checkCriteriaRequirements(criteriaSet);

    String entityID = criteriaSet.get(EntityIDCriteria.class).getEntityID();
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    QName role = mdCriteria.getRole();
    String protocol = mdCriteria.getProtocol();
    UsageCriteria usageCriteria = criteriaSet.get(UsageCriteria.class);
    UsageType usage = (usageCriteria == null) ? UsageType.UNSPECIFIED : usageCriteria.getUsage();

    // See Jira issue SIDP-229: touching the provider gives it a chance to perform an on-demand refresh.
    log.debug("Forcing on-demand metadata provider refresh if necessary");
    try {
        metadata.getMetadata();
    } catch (MetadataProviderException ignored) {
        // Refresh failures are deliberately not surfaced at this level; resolution proceeds regardless.
    }

    MetadataCacheKey cacheKey = new MetadataCacheKey(entityID, role, protocol, usage);
    List<PKIXValidationInformation> cached = retrievePKIXInfoFromCache(cacheKey);
    if (cached != null) {
        return cached;
    }
    List<PKIXValidationInformation> loaded = retrievePKIXInfoFromMetadata(entityID, role, protocol, usage);
    cachePKIXInfo(cacheKey, loaded);
    return loaded;
}