org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver Java Examples

The following examples show how to use org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; each one is attributed to the open-source project and source file it was taken from. A caution when reading them: a KeyInfoCredentialResolver only extracts the key material that a KeyInfo element carries about itself (inline RSAKeyValue, DSAKeyValue, X509Data and the like). As the OpenSAML Javadoc below puts it, that credential is "advisory" — it does not establish trust. Trust is decided separately, by the trusted-credential resolver of an ExplicitKeySignatureTrustEngine or the PKIX validation information of a PKIXSignatureTrustEngine.
Example #1 — Source File: SAML2HTTPRedirectDeflateSignatureValidator.java (from carbon-identity, Apache License 2.0)
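/**
 * Validates the signature of a SAML2 HTTP-Redirect (DEFLATE) binding message against the
 * certificate registered for the given tenant domain and key-store alias.
 *
 * <p>The signature bytes, the signed content and the signature algorithm URI are all extracted
 * from the request's query string, so every one of them is attacker-controlled. Trust is
 * established only through the tenant's registered credential: the inline KeyInfo resolver built
 * here merely extracts whatever key material the message advertises about itself (that
 * credential is advisory), while the {@link ExplicitKeySignatureTrustEngine} accepts the
 * signature only if it verifies under a key from the trusted collection.</p>
 *
 * @param queryString the query string from which the signature, the signed content and the
 *            signature algorithm (SigAlg) are extracted
 * @param issuer the issuer value from which the resolution criteria are built
 * @param alias the key-store alias of the trusted certificate to verify against
 * @param domainName the tenant domain whose key store holds that certificate
 * @return {@code true} if the signature verifies under the tenant's trusted credential,
 *         {@code false} otherwise
 * @throws SecurityException if no trusted credential exists for the tenant/alias, or if the
 *             trust engine fails while evaluating the signature
 * @throws IdentitySAML2SSOException propagated from the query-string and tenant-credential helpers
 */
@Override
public boolean validateSignature(String queryString, String issuer, String alias,
                                 String domainName) throws SecurityException,
        IdentitySAML2SSOException {
    // All three values come straight from the request and are therefore untrusted input.
    byte[] signature = getSignature(queryString);
    byte[] signedContent = getSignedContent(queryString);
    String algorithmUri = getSigAlg(queryString);
    // NOTE(review): algorithmUri is passed through as-is; nothing in this method restricts it to an
    // allowed set of signature algorithms. Confirm that the global security configuration or the
    // caller rejects weak algorithms, since the peer chooses this value.
    CriteriaSet criteriaSet = buildCriteriaSet(issuer);

    // The tenant's registered certificate is the only trust anchor for this check.
    X509CredentialImpl credential =
            SAMLSSOUtil.getX509CredentialImplForTenant(domainName, alias);
    if (credential == null) {
        // Fail closed: without a trusted credential there is nothing to verify against, and
        // handing the trust engine a collection containing null is not a meaningful check.
        throw new SecurityException("No trusted X509 credential found for tenant domain '"
                + domainName + "' and alias '" + alias + "'");
    }

    List<Credential> credentials = new ArrayList<Credential>();
    credentials.add(credential);
    CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials);
    // Inline KeyInfo data carried by the message is advisory only; it never widens the trusted set.
    KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver();
    SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver);
    return engine.validate(signature, signedContent, algorithmUri, criteriaSet, null);
}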
 
Example #2 — Source File: Decrypter.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * <p>Wires the three resolvers and prepares the private parser pool that is used when decrypted
 * content has to be re-parsed into a DOM of its own.</p>
 *
 * @param newResolver resolver for data encryption keys.
 * @param newKEKResolver resolver for key encryption keys.
 * @param newEncKeyResolver resolver for EncryptedKey elements
 */
public Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver,
        EncryptedKeyResolver newEncKeyResolver) {
    // Key-resolution configuration; no resolution criteria are attached until a caller sets them.
    resolver = newResolver;
    kekResolver = newKEKResolver;
    encKeyResolver = newEncKeyResolver;
    resolverCriteria = null;
    kekResolverCriteria = null;

    // Xerces' deferred DOM node expansion has an unresolved bug that bites here, so it is switched off.
    HashMap<String, Boolean> builderFeatures = new HashMap<String, Boolean>();
    builderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);

    // A private pool is needed only because Xerces does not yet implement DOM 3
    // LSParser.parseWithContext(); this is hoped to be temporary.
    // NOTE(review): nothing here disables DTD processing or external entities on this pool. Confirm
    // that BasicParserPool's defaults in the OpenSAML version in use do so, since the pool presumably
    // parses content that arrived from a remote party.
    parserPool = new BasicParserPool();
    parserPool.setNamespaceAware(true);
    parserPool.setBuilderFeatures(builderFeatures);

    unmarshallerFactory = Configuration.getUnmarshallerFactory();
    defaultRootInNewDocument = false;
}
 
Example #3 — Source File: PKIXSignatureTrustEngine.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * @param resolver credential resolver used to resolve trusted credentials.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a
 *            Signature's KeyInfo element.
 * @param pkixEvaluator the PKIX trust evaluator to use
 * @param nameEvaluator the X.509 credential name evaluator to use (may be null)
 * @throws IllegalArgumentException if {@code resolver} or {@code pkixEvaluator} is null
 */
public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
        KeyInfoCredentialResolver keyInfoResolver, PKIXTrustEvaluator pkixEvaluator,
        X509CredentialNameEvaluator nameEvaluator) {
    super(keyInfoResolver);

    // Both the source of PKIX validation information and the evaluator that applies it are
    // mandatory: without either one no certificate path could ever be validated.
    if (resolver == null) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    if (pkixEvaluator == null) {
        throw new IllegalArgumentException("PKIX trust evaluator may not be null");
    }

    pkixResolver = resolver;
    pkixTrustEvaluator = pkixEvaluator;
    // Name evaluation is optional, so null is stored as-is.
    credNameEvaluator = nameEvaluator;
}
 
Example #4 — Source File: BaseSignatureTrustEngine.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a
 *            Signature's KeyInfo element.
 * @throws IllegalArgumentException if {@code keyInfoResolver} is null
 */
public BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver) {
    // The engine cannot look at a signature's KeyInfo without a resolver, so refuse to be built without one.
    if (keyInfoResolver != null) {
        keyInfoCredentialResolver = keyInfoResolver;
    } else {
        throw new IllegalArgumentException("KeyInfo credential resolver may not be null");
    }
}
 
Example #5 — Source File: SignatureSecurityPolicyRule.java (from MaxKey, Apache License 2.0)
/**
 * Builds the signature trust engine, presumably once the credentialResolver property has been injected.
 *
 * <p>The global default KeyInfo resolver only extracts the key a signature advertises about itself;
 * the injected credentialResolver supplies the credentials that are actually trusted.</p>
 *
 * @throws Exception propagated from the engine construction
 */
@Override
public void afterPropertiesSet() throws Exception {
	trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver,
			Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());
}
 
Example #6 — Source File: PKIXSignatureTrustEngine.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * <p>Equivalent to the four-argument constructor with a {@link CertPathPKIXTrustEvaluator} as the PKIX
 * trust evaluator and a {@link BasicX509CredentialNameEvaluator} as the X.509 credential name evaluator.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a
 *            Signature's KeyInfo element.
 * @throws IllegalArgumentException if {@code resolver} is null
 */
public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
        KeyInfoCredentialResolver keyInfoResolver) {
    // Delegate so that the null checks and field assignments live in exactly one place.
    this(resolver, keyInfoResolver, new CertPathPKIXTrustEvaluator(), new BasicX509CredentialNameEvaluator());
}
 
Example #7 — Source File: DefaultSecurityConfigurationBootstrap.java (from lams, GNU General Public License v2.0)
/**
 * Populate KeyInfoCredentialResolver-related parameters.
 *
 * <p>Installs, as the default KeyInfo credential resolver, one that understands the inline key
 * representations RSAKeyValue, DSAKeyValue and X509Data. Such a resolver only extracts the key
 * that a KeyInfo element carries about itself; whether that key is trusted is decided separately
 * by the trust engine's own credential resolver.</p>
 *
 * @param config the security configuration to populate
 */
protected static void populateKeyInfoCredentialResolverParams(BasicSecurityConfiguration config) {
    // Providers for the inline KeyInfo representations handled by default.
    ArrayList<KeyInfoProvider> inlineProviders = new ArrayList<KeyInfoProvider>();
    inlineProviders.add(new RSAKeyValueProvider());
    inlineProviders.add(new DSAKeyValueProvider());
    inlineProviders.add(new InlineX509DataProvider());

    config.setDefaultKeyInfoCredentialResolver(new BasicProviderKeyInfoCredentialResolver(inlineProviders));
}
 
Example #8 — Source File: ExplicitKeySignatureTrustEngine.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * @param resolver credential resolver used to resolve trusted credentials.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a
 *            Signature's KeyInfo element.
 * @throws IllegalArgumentException if {@code resolver} is null
 */
public ExplicitKeySignatureTrustEngine(CredentialResolver resolver, KeyInfoCredentialResolver keyInfoResolver) {
    super(keyInfoResolver);

    // The trusted-credential resolver is what separates "a key the message carries" from "a key we trust".
    if (resolver != null) {
        credentialResolver = resolver;
    } else {
        throw new IllegalArgumentException("Credential resolver may not be null");
    }

    // NOTE(review): by its name this evaluator trusts a key only if it matches a resolved trusted
    // credential - confirm against ExplicitKeyTrustEvaluator.
    keyTrust = new ExplicitKeyTrustEvaluator();
}
 
Example #9 — Source File: BasicSecurityConfiguration.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * <p>Starts with every registry empty. The registries are filled afterwards, for example by
 * {@code registerKeyInfoCredentialResolver} and by the bootstrap's populate methods.</p>
 */
public BasicSecurityConfiguration() {
    dsaParams = new HashMap<Integer, DSAParams>();
    keyInfoCredentialResolvers = new HashMap<String, KeyInfoCredentialResolver>();
    keyTransportEncryptionAlgorithms = new HashMap<KeyTransportEncryptionIndex, String>();
    dataEncryptionAlgorithms = new HashMap<DataEncryptionIndex, String>();
    signatureAlgorithms = new HashMap<String, String>();
}
 
Example #10 — Source File: SecurityHelper.java (from lams, GNU General Public License v2.0)
/**
 * Get a basic KeyInfo credential resolver which can process standard inline
 * data - RSAKeyValue, DSAKeyValue, DEREncodedKeyValue, X509Data.
 *
 * <p>The returned resolver only extracts whatever key material a KeyInfo element carries inline.
 * It makes no trust decision: a key pulled out of a message this way is advisory until a trust
 * engine has checked it against its own trusted credentials.</p>
 *
 * @return a new KeyInfoCredentialResolver instance
 */
public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() {
    ArrayList<KeyInfoProvider> inlineProviders = new ArrayList<KeyInfoProvider>(4);
    inlineProviders.add(new RSAKeyValueProvider());
    inlineProviders.add(new DSAKeyValueProvider());
    inlineProviders.add(new DEREncodedKeyValueProvider());
    inlineProviders.add(new InlineX509DataProvider());
    return new BasicProviderKeyInfoCredentialResolver(inlineProviders);
}
 
Example #11 — Source File: DEREncodedKeyValueProvider.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>Handles {@code DEREncodedKeyValue} children. Because the key algorithm is only known once the
 * DER blob has been decoded, the key is parsed first and any {@code KeyAlgorithmCriteria} is applied
 * afterwards. The extracted key is advisory: it is whatever the message says, not a trusted key.</p>
 */
public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild,
        CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException {

    DEREncodedKeyValue keyValue = getDEREncodedKeyValue(keyInfoChild);
    if (keyValue == null) {
        // Not a DEREncodedKeyValue element; some other provider will handle it.
        return null;
    }

    log.debug("Attempting to extract credential from a DEREncodedKeyValue");

    PublicKey publicKey;
    try {
        publicKey = KeyInfoHelper.getKey(keyValue);
    } catch (KeyException e) {
        log.error("Error extracting DER-encoded key value", e);
        throw new SecurityException("Error extracting DER-encoded key value", e);
    }

    // Apply the algorithm criteria, if any, now that the actual algorithm is known.
    KeyAlgorithmCriteria algorithmCriteria = criteriaSet.get(KeyAlgorithmCriteria.class);
    String wantedAlgorithm = algorithmCriteria == null ? null : algorithmCriteria.getKeyAlgorithm();
    if (wantedAlgorithm != null && !wantedAlgorithm.equals(publicKey.getAlgorithm())) {
        log.debug("Criteria specified key algorithm {}, actually {}, skipping",
                wantedAlgorithm, publicKey.getAlgorithm());
        return null;
    }

    // Carry the surrounding KeyInfo's key names and context along with the extracted key.
    BasicCredential credential = new BasicCredential();
    credential.setPublicKey(publicKey);
    if (kiContext != null) {
        credential.getKeyNames().addAll(kiContext.getKeyNames());
    }
    CredentialContext credentialContext = buildCredentialContext(kiContext);
    if (credentialContext != null) {
        credential.getCredentalContextSet().add(credentialContext);
    }

    log.debug("Credential successfully extracted from DEREncodedKeyValue");
    LazySet<Credential> extracted = new LazySet<Credential>();
    extracted.add(credential);
    return extracted;
}
 
Example #12 — Source File: KeyInfoReferenceProvider.java (from lams, GNU General Public License v2.0)
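/**
 * {@inheritDoc}
 *
 * <p>Dereferences a same-document {@code KeyInfoReference} and resolves the referenced
 * {@code KeyInfo} through the supplied resolver. Only fragment URIs ({@code #id}) are followed;
 * the target must be a {@code KeyInfo}, and that target may not itself contain another
 * {@code KeyInfoReference}. The last rule bounds the recursion at one hop, so a chain or cycle
 * of references in a hostile document cannot drive unbounded resolution.</p>
 *
 * @param resolver the resolver used to process the referenced KeyInfo
 * @param keyInfoChild the KeyInfo child element being processed
 * @param criteriaSet the criteria in effect for the enclosing resolution; all but the
 *            KeyInfoCriteria are carried over to the recursive resolution
 * @param kiContext the resolution context of the enclosing KeyInfo
 * @return the credentials resolved from the referenced KeyInfo; null if the child is not a
 *         KeyInfoReference, the reference cannot be followed safely, or the resolver returned nothing
 * @throws SecurityException propagated from the recursive resolution
 */
public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild,
        CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException {

    KeyInfoReference ref = getKeyInfoReference(keyInfoChild);
    if (ref == null) {
        return null;
    }

    log.debug("Attempting to follow same-document KeyInfoReference");

    // The URI comes from the document being processed and is untrusted. Only a same-document
    // fragment is supported; checking for the leading '#' also guards the substring(1) below, which
    // would throw on an empty URI and would silently turn any non-fragment URI into a bogus ID lookup.
    String uri = ref.getURI();
    if (uri == null || !uri.startsWith("#")) {
        log.warn("KeyInfoReference URI is missing or is not a same-document reference, cannot process");
        return null;
    }

    XMLObject target = ref.resolveIDFromRoot(uri.substring(1));
    if (target == null) {
        log.warn("KeyInfoReference URI could not be dereferenced");
        return null;
    } else if (!(target instanceof KeyInfo)) {
        log.warn("The product of dereferencing the KeyInfoReference was not a KeyInfo");
        return null;
    } else if (!((KeyInfo) target).getXMLObjects(KeyInfoReference.DEFAULT_ELEMENT_NAME).isEmpty()) {
        // Refusing nested references keeps this to a single hop; the recursive resolution below can
        // therefore never re-enter this provider.
        log.warn("The dereferenced KeyInfo contained a KeyInfoReference, cannot process");
        return null;
    }

    log.debug("Recursively processing KeyInfoReference referent");

    // Copy the existing CriteriaSet, excluding the KeyInfoCriteria, which is reset to the target.
    CriteriaSet newCriteria = new CriteriaSet();
    newCriteria.add(new KeyInfoCriteria((KeyInfo) target));
    for (Criteria crit : criteriaSet) {
        if (!(crit instanceof KeyInfoCriteria)) {
            newCriteria.add(crit);
        }
    }

    // Resolve the new target and copy the results into a collection to return.
    Iterable<Credential> creds = resolver.resolve(newCriteria);
    if (creds != null) {
        Collection<Credential> result = new ArrayList<Credential>();
        for (Credential c : creds) {
            result.add(c);
        }
        return result;
    }

    return null;
}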
 
Example #13 — Source File: SignatureSecurityPolicyRule.java (from MaxKey, Apache License 2.0)
/**
 * (Re)builds the signature trust engine from the configured credentialResolver and the global
 * default KeyInfo credential resolver.
 *
 * <p>The KeyInfo resolver only extracts keys that a signature carries inline; the credentialResolver
 * is what supplies the credentials that are actually trusted.</p>
 */
public void loadTrustEngine(){
	KeyInfoCredentialResolver inlineKeyInfoResolver =
			Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
	ExplicitKeySignatureTrustEngine engine =
			new ExplicitKeySignatureTrustEngine(credentialResolver, inlineKeyInfoResolver);
	trustEngine = engine;
}
 
Example #14 — Source File: BasicSecurityConfiguration.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>The default is simply the resolver registered under the well-known name
 * {@code KEYINFO_RESOLVER_DEFAULT_CONFIG}; null if nothing has been registered under it.</p>
 */
public KeyInfoCredentialResolver getDefaultKeyInfoCredentialResolver() {
    return getKeyInfoCredentialResolver(KEYINFO_RESOLVER_DEFAULT_CONFIG);
}
 
Example #15 — Source File: ChainingSignatureTrustEngine.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>Always null: a chaining engine does not support an attached KeyInfo resolver (the engines it
 * chains are expected to carry their own). Callers must therefore null-check this result.</p>
 */
public KeyInfoCredentialResolver getKeyInfoResolver() {
    // Chaining signature trust engine does not support an attached KeyInfoResolver
    return null;
}
 
Example #16 — Source File: BaseSignatureTrustEngine.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>The constructor rejects a null resolver, so this is non-null unless the field is reassigned
 * elsewhere in the class.</p>
 */
public KeyInfoCredentialResolver getKeyInfoResolver() {
    KeyInfoCredentialResolver configured = this.keyInfoCredentialResolver;
    return configured;
}
 
Example #17 — Source File: BasicSecurityConfiguration.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>Looks up a resolver previously registered via {@code registerKeyInfoCredentialResolver};
 * returns null when nothing is registered under {@code name}.</p>
 */
public KeyInfoCredentialResolver getKeyInfoCredentialResolver(String name) {
    KeyInfoCredentialResolver registered = this.keyInfoCredentialResolvers.get(name);
    return registered;
}
 
Example #18 — Source File: DSAKeyValueProvider.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>Handles {@code DSAKeyValue} children. A {@code KeyAlgorithmCriteria} asking for anything other
 * than DSA short-circuits before any decoding is done. The extracted key is advisory: it is whatever
 * the message says, not a trusted key.</p>
 */
public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild,
        CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException {

    DSAKeyValue keyValue = getDSAKeyValue(keyInfoChild);
    if (keyValue == null) {
        // Not a DSAKeyValue element; some other provider will handle it.
        return null;
    }

    // Cheap pre-filter: when the criteria ask for a non-DSA key there is no point decoding this one.
    KeyAlgorithmCriteria algorithmCriteria = criteriaSet.get(KeyAlgorithmCriteria.class);
    String wantedAlgorithm = algorithmCriteria == null ? null : algorithmCriteria.getKeyAlgorithm();
    if (wantedAlgorithm != null && !"DSA".equals(wantedAlgorithm)) {
        log.debug("Criteria specified non-DSA key algorithm, skipping");
        return null;
    }

    log.debug("Attempting to extract credential from a DSAKeyValue");

    PublicKey publicKey;
    try {
        //TODO deal with case of incomplete DSAParams, need hook to resolve those
        publicKey = KeyInfoHelper.getDSAKey(keyValue);
    } catch (KeyException e) {
        log.error("Error extracting DSA key value", e);
        throw new SecurityException("Error extracting DSA key value", e);
    }

    // Carry the surrounding KeyInfo's key names and context along with the extracted key.
    BasicCredential credential = new BasicCredential();
    credential.setPublicKey(publicKey);
    if (kiContext != null) {
        credential.getKeyNames().addAll(kiContext.getKeyNames());
    }
    CredentialContext credentialContext = buildCredentialContext(kiContext);
    if (credentialContext != null) {
        credential.getCredentalContextSet().add(credentialContext);
    }

    log.debug("Credential successfully extracted from DSAKeyValue");
    LazySet<Credential> extracted = new LazySet<Credential>();
    extracted.add(credential);
    return extracted;
}
 
Example #19 — Source File: RSAKeyValueProvider.java (from lams, GNU General Public License v2.0)
/**
 * {@inheritDoc}
 *
 * <p>Handles {@code RSAKeyValue} children. A {@code KeyAlgorithmCriteria} asking for anything other
 * than RSA short-circuits before any decoding is done. The extracted key is advisory: it is whatever
 * the message says, not a trusted key.</p>
 */
public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild,
        CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException {

    RSAKeyValue keyValue = getRSAKeyValue(keyInfoChild);
    if (keyValue == null) {
        // Not an RSAKeyValue element; some other provider will handle it.
        return null;
    }

    // Cheap pre-filter: when the criteria ask for a non-RSA key there is no point decoding this one.
    KeyAlgorithmCriteria algorithmCriteria = criteriaSet.get(KeyAlgorithmCriteria.class);
    String wantedAlgorithm = algorithmCriteria == null ? null : algorithmCriteria.getKeyAlgorithm();
    if (wantedAlgorithm != null && !"RSA".equals(wantedAlgorithm)) {
        log.debug("Criteria specified non-RSA key algorithm, skipping");
        return null;
    }

    log.debug("Attempting to extract credential from an RSAKeyValue");

    PublicKey publicKey;
    try {
        publicKey = KeyInfoHelper.getRSAKey(keyValue);
    } catch (KeyException e) {
        log.error("Error extracting RSA key value", e);
        throw new SecurityException("Error extracting RSA key value", e);
    }

    // Carry the surrounding KeyInfo's key names and context along with the extracted key.
    BasicCredential credential = new BasicCredential();
    credential.setPublicKey(publicKey);
    if (kiContext != null) {
        credential.getKeyNames().addAll(kiContext.getKeyNames());
    }
    CredentialContext credentialContext = buildCredentialContext(kiContext);
    if (credentialContext != null) {
        credential.getCredentalContextSet().add(credentialContext);
    }

    log.debug("Credential successfully extracted from RSAKeyValue");
    LazySet<Credential> extracted = new LazySet<Credential>();
    extracted.add(credential);
    return extracted;
}
 
Example #20 — Source File: SAML2HTTPPostSimpleSignRule.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * <p>Neither the parser pool nor the resolver is validated here; a null would presumably only
 * surface when a KeyInfo request parameter is actually processed.</p>
 *
 * @param engine the trust engine to use
 * @param parserPool the parser pool used to parse the KeyInfo request parameter
 * @param keyInfoCredResolver the KeyInfo credential resolver to use to extract credentials from the KeyInfo request
 *            parameter
 */
public SAML2HTTPPostSimpleSignRule(SignatureTrustEngine engine, ParserPool parserPool,
        KeyInfoCredentialResolver keyInfoCredResolver) {
    super(engine);
    // The KeyInfo request parameter is supplied by the peer: what these two extract from it is
    // advisory key material that the trust engine must still check against its trusted credentials.
    this.keyInfoResolver = keyInfoCredResolver;
    this.parser = parserPool;
}
 
Example #21 — Source File: SecurityTestHelper.java (from lams, GNU General Public License v2.0)
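/**
 * Get a basic KeyInfo credential resolver which can process standard inline
 * data - RSAKeyValue, DSAKeyValue, DEREncodedKeyValue, X509Data.
 *
 * @return a new KeyInfoCredentialResolver instance
 * @deprecated use {@link SecurityHelper#buildBasicInlineKeyInfoResolver()} directly; this
 *             method only delegates to it
 */
@Deprecated
public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() {
    // Pure delegation; the supported inline types are whatever SecurityHelper's resolver supports.
    return SecurityHelper.buildBasicInlineKeyInfoResolver();
}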
 
Example #22 — Source File: BasicSecurityConfiguration.java (from lams, GNU General Public License v2.0)
/**
 * Register a named KeyInfoCredentialResolver configuration.
 *
 * <p>Registering under a name that is already in use silently replaces the earlier resolver.
 * Neither argument is validated, so a null resolver can be registered and will later be handed
 * back as-is by the lookup methods.</p>
 *
 * @param name the name of the configuration
 * @param resolver the KeyInfoCredentialResolver to register
 */
public void registerKeyInfoCredentialResolver(String name, KeyInfoCredentialResolver resolver) {
    this.keyInfoCredentialResolvers.put(name, resolver);
}
 
Example #23 — Source File: SecurityConfiguration.java (from lams, GNU General Public License v2.0)
/**
 * Get the default KeyInfoCredentialResolver configuration.
 *
 * <p>This is the resolver that trust engines and decrypters use to pull key material out of a
 * KeyInfo element. It extracts what a message carries about itself; it does not by itself
 * establish that the key is trusted.</p>
 *
 * @return the default KeyInfoCredentialResolver (implementations may return null when none is configured)
 */
public KeyInfoCredentialResolver getDefaultKeyInfoCredentialResolver();
 
Example #24 — Source File: Decrypter.java (from lams, GNU General Public License v2.0)
/**
 * Get the data encryption key credential resolver.
 *
 * <p>This is the resolver consulted for data encryption keys, as opposed to the KEK resolver,
 * which is consulted for key encryption keys.</p>
 *
 * @return the data encryption key resolver (may be null if one was never supplied)
 */
public KeyInfoCredentialResolver getKeyResolver() {
    return this.resolver;
}
 
Example #25 — Source File: Decrypter.java (from lams, GNU General Public License v2.0)
/**
 * Set a new data encryption key credential resolver.
 *
 * <p>No validation is performed; a null resolver is stored as-is. Which keys this resolver can
 * produce determines which keys the decrypter will try, so it should be backed by the
 * recipient's own key material rather than anything the message supplies.</p>
 *
 * @param newResolver the new data encryption key resolver
 */
public void setKeyResolver(KeyInfoCredentialResolver newResolver) {
    this.resolver = newResolver;
}
 
Example #26 — Source File: Decrypter.java (from lams, GNU General Public License v2.0)
/**
 * Get the key encryption key credential resolver.
 *
 * <p>This is the resolver consulted for key encryption keys, as opposed to the data encryption
 * key resolver returned by {@code getKeyResolver()}.</p>
 *
 * @return the key encryption key resolver (may be null if one was never supplied)
 */
public KeyInfoCredentialResolver getKEKResolver() {
    return this.kekResolver;
}
 
Example #27 — Source File: Decrypter.java (from lams, GNU General Public License v2.0)
/**
 * Set a new key encryption key credential resolver.
 *
 * <p>No validation is performed; a null resolver is stored as-is. Which keys this resolver can
 * produce determines which key encryption keys the decrypter will try, so it should be backed
 * by the recipient's own key material rather than anything the message supplies.</p>
 *
 * @param newKEKResolver the new key encryption key resolver
 */
public void setKEKResolver(KeyInfoCredentialResolver newKEKResolver) {
    this.kekResolver = newKEKResolver;
}
 
Example #28 — Source File: MetadataCredentialResolver.java (from lams, GNU General Public License v2.0)
/**
 * Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
 *
 * @return KeyInfo credential resolver (may be null if one was never set)
 */
public KeyInfoCredentialResolver getKeyInfoCredentialResolver() {
    return this.keyInfoCredentialResolver;
}
 
Example #29 — Source File: MetadataCredentialResolver.java (from lams, GNU General Public License v2.0)
/**
 * Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
 *
 * <p>No validation is performed; a null resolver is stored as-is.</p>
 *
 * @param keyInfoResolver the new KeyInfoCredentialResolver to use
 */
public void setKeyInfoCredentialResolver(KeyInfoCredentialResolver keyInfoResolver) {
    this.keyInfoCredentialResolver = keyInfoResolver;
}
 
Example #30 — Source File: Decrypter.java (from lams, GNU General Public License v2.0)
/**
 * Constructor.
 *
 * <p>Delegates entirely to the superclass constructor; all resolver wiring and parser setup
 * happens there.</p>
 *
 * @param newResolver resolver for data encryption keys.
 * @param newKEKResolver resolver for key encryption keys.
 * @param newEncKeyResolver resolver for EncryptedKey elements
 */
public Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, 
        EncryptedKeyResolver newEncKeyResolver) {
    super(newResolver, newKEKResolver, newEncKeyResolver);
}