org.opensaml.saml2.core.EncryptedAssertion Java Examples
The following examples show how to use
org.opensaml.saml2.core.EncryptedAssertion.
Example #1
Source File: SamlHelperTest.java From secure-data-service with Apache License 2.0 | 6 votes |
@Test
public void testIsAssertionEncrypted() {
    Response samlResponse = Mockito.mock(Response.class);

    // A null list of EncryptedAssertions must not be reported as "encrypted".
    Mockito.when(samlResponse.getEncryptedAssertions()).thenReturn(null);
    Assert.assertFalse(samlHelper.isAssertionEncrypted(samlResponse));

    // Neither must an empty list.
    List<EncryptedAssertion> noAssertions = new ArrayList<EncryptedAssertion>();
    Mockito.when(samlResponse.getEncryptedAssertions()).thenReturn(noAssertions);
    Assert.assertFalse(samlHelper.isAssertionEncrypted(samlResponse));

    // A single (mocked) EncryptedAssertion is enough to flip the answer.
    List<EncryptedAssertion> oneAssertion = new ArrayList<EncryptedAssertion>();
    oneAssertion.add(Mockito.mock(EncryptedAssertion.class));
    Mockito.when(samlResponse.getEncryptedAssertions()).thenReturn(oneAssertion);
    Assert.assertTrue(samlHelper.isAssertionEncrypted(samlResponse));
}
Example #2
Source File: EvidenceUnmarshaller.java From lams with GNU General Public License v2.0 | 6 votes |
/** {@inheritDoc} */
protected void processChildElement(XMLObject parentObject, XMLObject childObject) throws UnmarshallingException {
    // Each recognised child type goes into its own typed list on the Evidence;
    // anything else is delegated to the superclass.
    Evidence evidence = (Evidence) parentObject;
    if (childObject instanceof AssertionIDRef) {
        evidence.getAssertionIDReferences().add((AssertionIDRef) childObject);
        return;
    }
    if (childObject instanceof AssertionURIRef) {
        evidence.getAssertionURIReferences().add((AssertionURIRef) childObject);
        return;
    }
    if (childObject instanceof Assertion) {
        evidence.getAssertions().add((Assertion) childObject);
        return;
    }
    if (childObject instanceof EncryptedAssertion) {
        evidence.getEncryptedAssertions().add((EncryptedAssertion) childObject);
        return;
    }
    super.processChildElement(parentObject, childObject);
}
Example #3
Source File: SamlHelper.java From secure-data-service with Apache License 2.0 | 6 votes |
/**
 * Decrypts an EncryptedAssertion with the SP private key held in the keystore entry.
 *
 * @param encryptedAssertion the EncryptedAssertion taken from the IdP response
 * @param keystoreEntry keystore entry whose private key unwraps the EncryptedKey
 * @return the decrypted Assertion; null only if raiseSamlValidationError returns
 *         normally instead of throwing
 */
protected Assertion decryptAssertion(EncryptedAssertion encryptedAssertion, KeyStore.PrivateKeyEntry keystoreEntry) {
    // The SP private key is the key-encryption-key credential.
    BasicX509Credential privateKeyCredential = new BasicX509Credential();
    privateKeyCredential.setPrivateKey(keystoreEntry.getPrivateKey());
    StaticKeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(privateKeyCredential);

    // Accept the EncryptedKey wherever the IdP placed it: inline in the EncryptedData's
    // KeyInfo, as a sibling element of the EncryptedData, or referenced via RetrievalMethod.
    ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
    encryptedKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
    encryptedKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
    encryptedKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());

    // First argument (direct data-key resolver) is null: the content key must arrive
    // wrapped in an EncryptedKey that the chain above can locate.
    Decrypter decrypter = new Decrypter(null, kekResolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);
    try {
        return decrypter.decrypt(encryptedAssertion);
    } catch (DecryptionException e) {
        // The DecryptionException itself is not passed on (second argument is null),
        // so the root cause is only visible if the handler logs it elsewhere.
        raiseSamlValidationError("Unable to decrypt SAML assertion", null);
    }
    return null;
}
Example #4
Source File: SAMLClient.java From saml-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Decrypt an assertion using the privkey stored in SPConfig.
 *
 * @param encrypted the EncryptedAssertion from the IdP response
 * @return the decrypted Assertion
 * @throws DecryptionException if no SP private key is configured or decryption fails
 */
private Assertion decrypt(EncryptedAssertion encrypted) throws DecryptionException {
    if (spConfig.getPrivateKey() == null) {
        throw new DecryptionException("Encrypted assertion found but no SP key available");
    }
    BasicCredential spCredential = new BasicCredential();
    spCredential.setPrivateKey(spConfig.getPrivateKey());
    StaticKeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(spCredential);
    // Only an EncryptedKey carried inline in the EncryptedData's KeyInfo is accepted.
    Decrypter decrypter = new Decrypter(null, kekResolver, new InlineEncryptedKeyResolver());
    decrypter.setRootInNewDocument(true);
    return decrypter.decrypt(encrypted);
}
Example #5
Source File: SamlHelperTest.java From secure-data-service with Apache License 2.0 | 5 votes |
@Test
public void testPeerDecryption() {
    // Fixture with the EncryptedKey placed as a peer of the EncryptedData (see file name).
    Resource fixture = new ClassPathResource("saml/peerEncryptedAssertion.xml");
    EncryptedAssertion encrypted = createAssertion(fixture);
    verifyAssertion(samlHelper.decryptAssertion(encrypted, encryptPKEntry));
}
Example #6
Source File: ResponseUnmarshaller.java From lams with GNU General Public License v2.0 | 5 votes |
/** {@inheritDoc} */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject) throws UnmarshallingException {
    Response resp = (Response) parentSAMLObject;
    if (childSAMLObject instanceof Assertion) {
        resp.getAssertions().add((Assertion) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof EncryptedAssertion) {
        resp.getEncryptedAssertions().add((EncryptedAssertion) childSAMLObject);
        return;
    }
    // Every other child is the superclass's responsibility.
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
Example #7
Source File: SamlHelperTest.java From secure-data-service with Apache License 2.0 | 5 votes |
@Test
public void testInlineDecryption() {
    // Fixture with the EncryptedKey carried inline in the EncryptedData (see file name).
    Resource fixture = new ClassPathResource("saml/inlineEncryptedAssertion.xml");
    EncryptedAssertion encrypted = createAssertion(fixture);
    verifyAssertion(samlHelper.decryptAssertion(encrypted, encryptPKEntry));
}
Example #8
Source File: SAMLClient.java From saml-sdk-java with Apache License 2.0 | 5 votes |
/**
 * Retrieve all supplied assertions, decrypting any encrypted
 * assertions if necessary.
 *
 * @param response the SAML Response to read assertions from
 * @return plaintext assertions first, then the decrypted ones
 * @throws DecryptionException if any EncryptedAssertion cannot be decrypted
 */
private List<Assertion> getAssertions(Response response) throws DecryptionException {
    // Plaintext and encrypted assertions are both accepted; a caller that requires
    // encryption has to reject the plaintext ones itself.
    List<Assertion> collected = new ArrayList<Assertion>(response.getAssertions());
    for (EncryptedAssertion encrypted : response.getEncryptedAssertions()) {
        collected.add(decrypt(encrypted));
    }
    return collected;
}
Example #9
Source File: SAMLResponseBuilder.java From carbon-identity with Apache License 2.0 | 5 votes |
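/**
 * Build SAML response using IdP configuration &amp; user name.
 *
 * @param ssoIdPConfigs service-provider settings: ACS URL, encryption/signing flags, certificate alias
 * @param userName authenticated user; also used to derive the tenant domain for the encryption key lookup
 * @return SAML Response object
 * @throws IdentityException propagated from assertion building, encryption or signing
 */
public Response buildSAMLResponse(SAMLSSOServiceProviderDO ssoIdPConfigs, String userName) throws IdentityException {
    if (log.isDebugEnabled()) {
        log.debug("Building SAML Response for the consumer '" + ssoIdPConfigs.getAssertionConsumerUrl() + "'");
    }
    Response response = new org.opensaml.saml2.core.impl.ResponseBuilder().buildObject();
    response.setIssuer(SAMLSSOUtil.getIssuer());
    response.setID(SAMLSSOUtil.createID());
    response.setDestination(ssoIdPConfigs.getAssertionConsumerUrl());
    response.setStatus(buildStatus(SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null));
    response.setVersion(SAMLVersion.VERSION_20);

    DateTime issueInstant = new DateTime();
    // Validity period is in minutes. The 1000L literal keeps the product in long
    // arithmetic (DefaultResponseBuilder already does this); with a plain 1000 a large
    // configured period could overflow int before being added to the millis.
    DateTime notOnOrAfter = new DateTime(issueInstant.getMillis()
            + SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000L);
    response.setIssueInstant(issueInstant);

    Assertion assertion = buildSAMLAssertion(ssoIdPConfigs, notOnOrAfter, userName);
    if (ssoIdPConfigs.isDoEnableEncryptedAssertion()) {
        String domainName = MultitenantUtils.getTenantDomain(userName);
        String alias = ssoIdPConfigs.getCertAlias();
        if (alias != null) {
            EncryptedAssertion encryptedAssertion = SAMLSSOUtil.setEncryptedAssertion(assertion,
                    EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256, alias, domainName);
            response.getEncryptedAssertions().add(encryptedAssertion);
        } else {
            // Encryption is required but no certificate alias is configured. The assertion
            // is deliberately not sent in plaintext; make the misconfiguration visible
            // instead of silently returning a Response that carries no assertion.
            log.warn("Encrypted assertion is enabled for consumer '" + ssoIdPConfigs.getAssertionConsumerUrl()
                    + "' but no certificate alias is configured; building the Response without an assertion");
        }
    } else {
        response.getAssertions().add(assertion);
    }
    if (ssoIdPConfigs.isDoSignResponse()) {
        SAMLSSOUtil.setSignature(response, ssoIdPConfigs.getSigningAlgorithmUri(),
                ssoIdPConfigs.getDigestAlgorithmUri(), new SignKeyDataHolder(userName));
    }
    return response;
}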
Example #10
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Decrypt the specified EncryptedAssertion.
 *
 * @param encryptedAssertion the EncryptedAssertion to decrypt
 * @return an Assertion
 * @throws DecryptionException thrown when decryption generates an error, or when the
 *         decrypted content is some SAML element other than an Assertion
 */
public Assertion decrypt(EncryptedAssertion encryptedAssertion) throws DecryptionException {
    SAMLObject decrypted = decryptData(encryptedAssertion);
    if (decrypted instanceof Assertion) {
        return (Assertion) decrypted;
    }
    // Never hand back an unexpected element type to callers expecting an Assertion.
    throw new DecryptionException("Decrypted SAMLObject was not an instance of Assertion");
}
Example #11
Source File: DefaultSSOEncrypter.java From carbon-identity with Apache License 2.0 | 5 votes |
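/**
 * Encrypts an Assertion for the SP identified by {@code cred}.
 *
 * The original implementation ignored {@code encryptionAlgorithm} and always used AES-256;
 * it is now honoured, with AES-256 as the default when the caller passes null or "".
 *
 * @param assertion the Assertion to encrypt
 * @param cred SP credential (public key) used to wrap the content-encryption key
 * @param alias certificate alias; not used here, the credential is already resolved
 * @param encryptionAlgorithm XML Encryption block-cipher URI for the assertion content, or null/"" for AES-256
 * @return the EncryptedAssertion with the EncryptedKey placed inline
 * @throws IdentityException wrapping any failure during key generation or encryption
 */
@Override
public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias,
                                               String encryptionAlgorithm) throws IdentityException {
    try {
        // Fall back to AES-256-CBC, the value every visible caller passes today.
        String dataAlgorithm = (encryptionAlgorithm == null || encryptionAlgorithm.isEmpty())
                ? EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256 : encryptionAlgorithm;

        // Fresh random content-encryption key; generateSymmetricKey derives the key from the algorithm URI.
        Credential symmetricCredential = SecurityHelper.getSimpleCredential(
                SecurityHelper.generateSymmetricKey(dataAlgorithm));
        EncryptionParameters encParams = new EncryptionParameters();
        encParams.setAlgorithm(dataAlgorithm);
        encParams.setEncryptionCredential(symmetricCredential);

        // Key transport wraps the content key with the SP public key. RSA PKCS#1 v1.5 is
        // kept for compatibility with deployed SPs; RSA-OAEP is the preferred transport
        // where the SP supports it.
        KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
        keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
        keyEncryptionParameters.setEncryptionCredential(cred);

        Encrypter encrypter = new Encrypter(encParams, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    } catch (Exception e) {
        // Broad catch is intentional at this boundary: every failure is reported as IdentityException with its cause.
        throw IdentityException.error("Error while Encrypting Assertion", e);
    }
}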
Example #12
Source File: DefaultResponseBuilder.java From carbon-identity with Apache License 2.0 | 4 votes |
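/**
 * Builds the SAML Response for an authentication request.
 *
 * @param authReqDTO the request context: ACS URL, request id, tenant, encryption/signing settings, user
 * @param sessionId the IdP session identifier carried into the assertion
 * @return the populated Response, signed when the SP configuration asks for it
 * @throws IdentityException propagated from assertion building, encryption or signing
 */
@Override
public Response buildResponse(SAMLSSOAuthnReqDTO authReqDTO, String sessionId) throws IdentityException {
    if (log.isDebugEnabled()) {
        log.debug("Building SAML Response for the consumer '" + authReqDTO.getAssertionConsumerURL() + "'");
    }
    Response response = new org.opensaml.saml2.core.impl.ResponseBuilder().buildObject();
    response.setIssuer(SAMLSSOUtil.getIssuer());
    response.setID(SAMLSSOUtil.createID());
    // IdP-initiated SSO has no AuthnRequest to correlate with, so InResponseTo is omitted.
    if (!authReqDTO.isIdPInitSSOEnabled()) {
        response.setInResponseTo(authReqDTO.getId());
    }
    response.setDestination(authReqDTO.getAssertionConsumerURL());
    response.setStatus(buildStatus(SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null));
    response.setVersion(SAMLVersion.VERSION_20);

    DateTime issueInstant = new DateTime();
    // Validity period is in minutes; 1000L keeps the product in long arithmetic.
    DateTime notOnOrAfter = new DateTime(issueInstant.getMillis()
            + SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000L);
    response.setIssueInstant(issueInstant);

    Assertion assertion = SAMLSSOUtil.buildSAMLAssertion(authReqDTO, notOnOrAfter, sessionId);
    if (authReqDTO.isDoEnableEncryptedAssertion()) {
        String domainName = authReqDTO.getTenantDomain();
        String alias = authReqDTO.getCertAlias();
        if (alias != null) {
            EncryptedAssertion encryptedAssertion = SAMLSSOUtil.setEncryptedAssertion(assertion,
                    EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256, alias, domainName);
            response.getEncryptedAssertions().add(encryptedAssertion);
        } else {
            // Encryption is required but no certificate alias is configured. The assertion
            // is deliberately not sent in plaintext; make the misconfiguration visible
            // instead of silently returning a Response that carries no assertion.
            log.warn("Encrypted assertion is enabled for consumer '" + authReqDTO.getAssertionConsumerURL()
                    + "' but no certificate alias is configured; building the Response without an assertion");
        }
    } else {
        response.getAssertions().add(assertion);
    }
    if (authReqDTO.isDoSignResponse()) {
        SAMLSSOUtil.setSignature(response, authReqDTO.getSigningAlgorithmUri(), authReqDTO.getDigestAlgorithmUri(),
                new SignKeyDataHolder(authReqDTO.getUser().getAuthenticatedSubjectIdentifier()));
    }
    return response;
}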
Example #13
Source File: SAML2SSOManager.java From carbon-identity with Apache License 2.0 | 4 votes |
/**
 * Handles the SAML2 Response posted by the IdP: extracts (decrypting when configured)
 * the first Assertion, checks its Issuer, stores the session bean, validates audience
 * restriction and signature, then records subject attributes and, for SLO, the
 * SessionIndex.
 *
 * @param request the HTTP POST carrying the base64-encoded SAMLResponse parameter
 * @throws SSOAgentException if decryption fails, the Assertion is missing (other than a
 *         NoPassive answer), the Issuer is absent or does not match the configured IdP,
 *         the subject NameID is missing, or SLO is enabled without a SessionIndex
 */
protected void processSSOResponse(HttpServletRequest request) throws SSOAgentException {
    LoggedInSessionBean sessionBean = new LoggedInSessionBean();
    sessionBean.setSAML2SSO(sessionBean.new SAML2SSO());
    // NOTE(review): a request without the SAMLResponse parameter hands null to Base64.decode — confirm whether an explicit check is wanted.
    String saml2ResponseString = new String(Base64.decode(request.getParameter(
            SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_RESP)), Charset.forName("UTF-8"));
    Response saml2Response = (Response) SSOAgentUtils.unmarshall(saml2ResponseString);
    sessionBean.getSAML2SSO().setResponseString(saml2ResponseString);
    sessionBean.getSAML2SSO().setSAMLResponse(saml2Response);
    Assertion assertion = null;
    if (ssoAgentConfig.getSAML2().isAssertionEncrypted()) {
        // With encryption configured only an EncryptedAssertion is accepted; a plaintext
        // Assertion in the same Response is ignored, so there is no downgrade path.
        List<EncryptedAssertion> encryptedAssertions = saml2Response.getEncryptedAssertions();
        EncryptedAssertion encryptedAssertion = null;
        if (!CollectionUtils.isEmpty(encryptedAssertions)) {
            // Only the first EncryptedAssertion is used.
            encryptedAssertion = encryptedAssertions.get(0);
            try {
                assertion = getDecryptedAssertion(encryptedAssertion);
            } catch (Exception e) {
                // The cause is only logged at debug level; the thrown exception does not carry it.
                if (log.isDebugEnabled()) {
                    log.debug("Assertion decryption failure : ", e);
                }
                throw new SSOAgentException("Unable to decrypt the SAML2 Assertion");
            }
        }
    } else {
        // Only the first plaintext Assertion is used.
        List<Assertion> assertions = saml2Response.getAssertions();
        if (assertions != null && !assertions.isEmpty()) {
            assertion = assertions.get(0);
        }
    }
    if (assertion == null) {
        // A NoPassive status means the IdP could not authenticate silently; not an error.
        if (isNoPassive(saml2Response)) {
            LOGGER.log(Level.FINE, "Cannot authenticate in passive mode");
            return;
        }
        throw new SSOAgentException("SAML2 Assertion not found in the Response");
    }
    // Issuer must match the configured IdP entity id exactly. This is checked before the
    // signature; the signature validation further down is what makes the claim trustworthy.
    // NOTE(review): a missing Issuer element makes getIssuer() return null here (NPE) — confirm.
    String idPEntityIdValue = assertion.getIssuer().getValue();
    if (idPEntityIdValue == null || idPEntityIdValue.isEmpty()) {
        throw new SSOAgentException("SAML2 Response does not contain an Issuer value");
    } else if (!idPEntityIdValue.equals(ssoAgentConfig.getSAML2().getIdPEntityId())) {
        throw new SSOAgentException("SAML2 Response Issuer verification failed");
    }
    sessionBean.getSAML2SSO().setAssertion(assertion);
    // Cannot marshall SAML assertion here, before signature validation due to a weird issue in OpenSAML
    // Get the subject name from the Response Object and forward it to login_action.jsp
    String subject = null;
    if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
        subject = assertion.getSubject().getNameID().getValue();
    }
    if (subject == null) {
        throw new SSOAgentException("SAML2 Response does not contain the name of the subject");
    }
    sessionBean.getSAML2SSO().setSubjectId(subject);
    // set the subject
    // NOTE(review): the bean — holding the subject id and a not-yet-validated assertion — is
    // stored in the HTTP session before the audience and signature checks below. If either
    // check throws, it stays there. Confirm nothing reads SESSION_BEAN_NAME before the final
    // setAttribute at the end of this method; if nothing does, this store can be deferred
    // until after validateSignature.
    request.getSession().setAttribute(SSOAgentConstants.SESSION_BEAN_NAME, sessionBean);
    // validate audience restriction
    validateAudienceRestriction(assertion);
    // validate signature
    validateSignature(saml2Response, assertion);
    // Marshalling SAML2 assertion after signature validation due to a weird issue in OpenSAML
    sessionBean.getSAML2SSO().setAssertionString(marshall(assertion));
    // Same object as sessionBean (stored above); fetched back from the session here.
    ((LoggedInSessionBean) request.getSession().getAttribute(
            SSOAgentConstants.SESSION_BEAN_NAME)).getSAML2SSO().
            setSubjectAttributes(getAssertionStatements(assertion));
    //For removing the session when the single sign out request made by the SP itself
    if (ssoAgentConfig.getSAML2().isSLOEnabled()) {
        // NOTE(review): get(0) throws IndexOutOfBoundsException when the assertion carries no AuthnStatement.
        String sessionId = assertion.getAuthnStatements().get(0).getSessionIndex();
        if (sessionId == null) {
            throw new SSOAgentException("Single Logout is enabled but IdP Session ID not found in SAML2 Assertion");
        }
        ((LoggedInSessionBean) request.getSession().getAttribute(
                SSOAgentConstants.SESSION_BEAN_NAME)).getSAML2SSO().setSessionIndex(sessionId);
        // getSession(false) is safe here: the session was created by getSession() above.
        SSOAgentSessionManager.addAuthenticatedSession(request.getSession(false));
    }
    request.getSession().setAttribute(SSOAgentConstants.SESSION_BEAN_NAME, sessionBean);
}
Example #14
Source File: DefaultSAML2SSOManager.java From carbon-identity with Apache License 2.0 | 4 votes |
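/**
 * Processes the SAML Response posted by the IdP: extracts (decrypting when configured) the
 * first Assertion, validates audience restriction and signature, and only then records the
 * subject and attributes in the HTTP session.
 *
 * Changes from the previous version: the SAMLResponse parameter is checked for presence,
 * it is decoded as UTF-8 instead of the platform default charset, the NoPassive status
 * check is null-safe, session attributes are written after validation rather than before,
 * and an assertion without an AuthnStatement no longer throws IndexOutOfBoundsException.
 *
 * @param request the POST request carrying the base64-encoded SAMLResponse parameter
 * @throws SAMLSSOException if the parameter is missing, the Assertion is absent (other than a
 *         NoPassive answer), cannot be decrypted, lacks a subject NameID, or SLO is enabled
 *         but no SessionIndex is present
 */
private void processSSOResponse(HttpServletRequest request) throws SAMLSSOException {
    String encodedResponse = request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_RESP);
    if (encodedResponse == null) {
        throw new SAMLSSOException("SAML Response parameter not found in the request");
    }
    // Decode explicitly as UTF-8; the platform default charset is not a safe assumption.
    String responseXml = new String(Base64.decode(encodedResponse), java.nio.charset.Charset.forName("UTF-8"));
    Response samlResponse = (Response) unmarshall(responseXml);

    Assertion assertion = null;
    if (SSOUtils.isAssertionEncryptionEnabled(properties)) {
        // Encryption is mandatory for this SP: a plaintext Assertion in the Response is never used.
        List<EncryptedAssertion> encryptedAssertions = samlResponse.getEncryptedAssertions();
        if (CollectionUtils.isNotEmpty(encryptedAssertions)) {
            // Only the first EncryptedAssertion is used.
            try {
                assertion = getDecryptedAssertion(encryptedAssertions.get(0));
            } catch (Exception e) {
                throw new SAMLSSOException("Unable to decrypt the SAML Assertion", e);
            }
        }
    } else {
        // Only the first plaintext Assertion is used.
        List<Assertion> assertions = samlResponse.getAssertions();
        if (CollectionUtils.isNotEmpty(assertions)) {
            assertion = assertions.get(0);
        }
    }
    if (assertion == null) {
        if (isNoPassiveResponse(samlResponse)) {
            // The IdP could not authenticate without user interaction; not an error.
            return;
        }
        throw new SAMLSSOException("SAML Assertion not found in the Response");
    }

    // Get the subject name from the Response Object and forward it to login_action.jsp
    if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null
            || assertion.getSubject().getNameID().getValue() == null) {
        throw new SAMLSSOException("SAML Response does not contain the name of the subject");
    }
    String subject = assertion.getSubject().getNameID().getValue();
    String nameQualifier = assertion.getSubject().getNameID().getNameQualifier();
    String spNameQualifier = assertion.getSubject().getNameID().getSPNameQualifier();

    // validate audience restriction
    validateAudienceRestriction(assertion);
    // validate signature this SP only looking for assertion signature
    validateSignature(samlResponse, assertion);

    // Session state is written only after the assertion has been validated, so a rejected
    // Response never leaves a username behind. (Assumes the two validators above do not
    // read the session themselves — confirm.)
    request.getSession().setAttribute("username", subject);
    request.getSession().setAttribute("samlssoAttributes", getAssertionStatements(assertion));

    //For removing the session when the single sign out request made by the SP itself
    if (SSOUtils.isLogoutEnabled(properties)) {
        if (assertion.getAuthnStatements().isEmpty()
                || assertion.getAuthnStatements().get(0).getSessionIndex() == null) {
            throw new SAMLSSOException("Single Logout is enabled but IdP Session ID not found in SAML Assertion");
        }
        String sessionId = assertion.getAuthnStatements().get(0).getSessionIndex();
        request.getSession().setAttribute(SSOConstants.IDP_SESSION, sessionId);
        request.getSession().setAttribute(SSOConstants.LOGOUT_USERNAME, nameQualifier);
        request.getSession().setAttribute(SSOConstants.SP_NAME_QUALIFIER, spNameQualifier);
    }
}

/**
 * True when the Response carries the status / sub-status pair this agent treats as a
 * "cannot authenticate passively" answer; null-safe on every level of the status tree.
 *
 * @param samlResponse the Response whose Status is inspected
 * @return whether the status is IDENTITY_PROVIDER_ERROR with a NO_PASSIVE sub-status
 */
private boolean isNoPassiveResponse(Response samlResponse) {
    if (samlResponse.getStatus() == null || samlResponse.getStatus().getStatusCode() == null
            || samlResponse.getStatus().getStatusCode().getStatusCode() == null) {
        return false;
    }
    // Constant-first equals() tolerates a null status value.
    return SSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR.equals(
            samlResponse.getStatus().getStatusCode().getValue())
            && SSOConstants.StatusCodes.NO_PASSIVE.equals(
            samlResponse.getStatus().getStatusCode().getStatusCode().getValue());
}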
Example #15
Source File: AuthnResponseGenerator.java From MaxKey with Apache License 2.0 | 4 votes |
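/**
 * Builds the SAML 2.0 authentication Response for an SP, carrying the Assertion either in
 * plaintext or, when the SP is configured for it, as an EncryptedAssertion.
 *
 * Change from the previous version: an encryption failure is logged at error level rather
 * than info, since it leaves the Response without any assertion at all.
 *
 * @param saml20Details SP registration: ACS URL, audience, validity interval, encryption flag
 * @param authnRequestInfo the AuthnRequest being answered (its id becomes InResponseTo)
 * @param attributeMap attributes handed to the assertion generator
 * @param bindingAdapter supplies the SP credential used to wrap the content-encryption key
 * @return the populated Response; whether it is signed at this point is only logged
 */
public Response generateAuthnResponse(AppsSAML20Details saml20Details, AuthnRequestInfo authnRequestInfo,
        HashMap<String, String> attributeMap, BindingAdapter bindingAdapter) {
    Response authResponse = new ResponseBuilder().buildObject();
    //builder Assertion
    Assertion assertion = assertionGenerator.generateAssertion(
            saml20Details, bindingAdapter, saml20Details.getSpAcsUrl(),
            authnRequestInfo.getAuthnRequestID(), saml20Details.getAudience(),
            Integer.parseInt(saml20Details.getValidityInterval()), attributeMap);
    //Encrypt
    if (Boolean.isTrue(saml20Details.getEncrypted())) {
        logger.info("begin to encrypt assertion");
        try {
            // Data encryption: AES-128-CBC. No content-key credential is set, so the
            // Encrypter is expected to generate a fresh random key itself.
            EncryptionParameters encryptionParameters = new EncryptionParameters();
            encryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
            logger.info("encryption assertion Algorithm : " + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);

            // Key transport: the SP certificate (the same credential used for signature
            // verification) wraps the content key. RSA PKCS#1 v1.5 is kept for SP
            // compatibility; ALGO_ID_KEYTRANSPORT_RSAOAEP is the preferred transport
            // where the SP supports it.
            KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
            keyEncryptionParameters.setEncryptionCredential(bindingAdapter.getSpSigningCredential());
            keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
            logger.info("keyEncryption Algorithm : " + EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);

            // KeyInfo for the EncryptedKey, so the SP can identify which certificate was used.
            KeyInfoGeneratorFactory keyInfoGeneratorFactory = Configuration
                    .getGlobalSecurityConfiguration()
                    .getKeyInfoGeneratorManager().getDefaultManager()
                    .getFactory(bindingAdapter.getSpSigningCredential());
            keyEncryptionParameters.setKeyInfoGenerator(keyInfoGeneratorFactory.newInstance());

            Encrypter encrypter = new Encrypter(encryptionParameters, keyEncryptionParameters);
            // EncryptedKey is emitted as a peer of the EncryptedData, not inline.
            encrypter.setKeyPlacement(KeyPlacement.PEER);
            EncryptedAssertion encryptedAssertion = encrypter.encrypt(assertion);
            authResponse.getEncryptedAssertions().add(encryptedAssertion);
        } catch (Exception e) {
            // Deliberately no plaintext fallback: the Response goes out with no assertion,
            // which the SP will have to reject. Log at error level so this is not missed.
            logger.error("Unable to encrypt assertion .", e);
        }
    } else {
        authResponse.getAssertions().add(assertion);
    }
    authResponse.setIssuer(issuerGenerator.generateIssuer());
    authResponse.setID(idService.generateID());
    authResponse.setIssueInstant(timeService.getCurrentDateTime());
    authResponse.setInResponseTo(authnRequestInfo.getAuthnRequestID());
    authResponse.setDestination(saml20Details.getSpAcsUrl());
    authResponse.setStatus(statusGenerator.generateStatus(StatusCode.SUCCESS_URI));
    logger.debug("authResponse.isSigned " + authResponse.isSigned());
    return authResponse;
}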
Example #16
Source File: EncryptedAssertionBuilder.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */
public EncryptedAssertion buildObject(String namespaceURI, String localName, String namespacePrefix) {
    // The concrete impl takes the three naming parts directly; nothing else to configure.
    EncryptedAssertionImpl built = new EncryptedAssertionImpl(namespaceURI, localName, namespacePrefix);
    return built;
}
Example #17
Source File: EncryptedAssertionBuilder.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */
public EncryptedAssertion buildObject() {
    // Default naming: the SAML 2.0 assertion namespace/prefix with the element's local name.
    String namespace = SAMLConstants.SAML20_NS;
    String prefix = SAMLConstants.SAML20_PREFIX;
    return buildObject(namespace, EncryptedAssertion.DEFAULT_ELEMENT_LOCAL_NAME, prefix);
}
Example #18
Source File: EvidenceImpl.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */
@SuppressWarnings("unchecked")
public List<EncryptedAssertion> getEncryptedAssertions() {
    // Typed view of the children indexed under the EncryptedAssertion element name.
    List<EncryptedAssertion> encrypted = (List<EncryptedAssertion>) evidence.subList(EncryptedAssertion.DEFAULT_ELEMENT_NAME);
    return encrypted;
}
Example #19
Source File: ResponseImpl.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */
@SuppressWarnings("unchecked")
public List<EncryptedAssertion> getEncryptedAssertions() {
    // Typed view of the children indexed under the EncryptedAssertion element name.
    List<EncryptedAssertion> encrypted = (List<EncryptedAssertion>) indexedChildren.subList(EncryptedAssertion.DEFAULT_ELEMENT_NAME);
    return encrypted;
}
Example #20
Source File: AdviceImpl.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */
@SuppressWarnings("unchecked")
public List<EncryptedAssertion> getEncryptedAssertions() {
    // Typed view of the Advice children indexed under the EncryptedAssertion element name.
    List<EncryptedAssertion> encrypted = (List<EncryptedAssertion>) indexedChildren.subList(EncryptedAssertion.DEFAULT_ELEMENT_NAME);
    return encrypted;
}
Example #21
Source File: SSOEncrypter.java From carbon-identity with Apache License 2.0 | 2 votes |
/**
 * Encrypt the SAML assertion.
 *
 * @param assertion SAML assertion to be encrypted
 * @param cred Encrypting credential; implementations use it as the key-encryption
 *             credential that wraps the content key (see DefaultSSOEncrypter)
 * @param alias Certificate alias against which use to Encrypt the assertion.
 * @param encryptionAlgorithm Encryption algorithm URI for the assertion content
 * @return SAML EncryptedAssertion
 * @throws IdentityException if key generation or encryption fails
 */
public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias, String encryptionAlgorithm) throws IdentityException;
Example #22
Source File: Encrypter.java From lams with GNU General Public License v2.0 | 2 votes |
/**
 * Encrypt the specified Assertion.
 *
 * @param assertion the Assertion to encrypt
 * @return an EncryptedAssertion
 * @throws EncryptionException thrown when encryption generates an error
 */
public EncryptedAssertion encrypt(Assertion assertion) throws EncryptionException {
    // The generic overload builds the wrapper element named by the QName; for
    // saml2:EncryptedAssertion that wrapper is an EncryptedAssertion.
    Object wrapper = encrypt(assertion, EncryptedAssertion.DEFAULT_ELEMENT_NAME);
    return (EncryptedAssertion) wrapper;
}