org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver Java Examples
The following examples show how to use
org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: SAML2HTTPRedirectDeflateSignatureValidator.java From carbon-identity with Apache License 2.0 | 6 votes |
/** * @param queryString * @param issuer * @param alias * @param domainName * @return * @throws SecurityException * @throws IdentitySAML2SSOException */ @Override public boolean validateSignature(String queryString, String issuer, String alias, String domainName) throws SecurityException, IdentitySAML2SSOException { byte[] signature = getSignature(queryString); byte[] signedContent = getSignedContent(queryString); String algorithmUri = getSigAlg(queryString); CriteriaSet criteriaSet = buildCriteriaSet(issuer); // creating the SAML2HTTPRedirectDeflateSignatureRule X509CredentialImpl credential = SAMLSSOUtil.getX509CredentialImplForTenant(domainName, alias); List<Credential> credentials = new ArrayList<Credential>(); credentials.add(credential); CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials); KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver(); SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver); return engine.validate(signature, signedContent, algorithmUri, criteriaSet, null); }
Example #2
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Constructor. * * @param newResolver resolver for data encryption keys. * @param newKEKResolver resolver for key encryption keys. * @param newEncKeyResolver resolver for EncryptedKey elements */ public Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, EncryptedKeyResolver newEncKeyResolver) { resolver = newResolver; kekResolver = newKEKResolver; encKeyResolver = newEncKeyResolver; resolverCriteria = null; kekResolverCriteria = null; // Note: this is hopefully only temporary, until Xerces implements DOM 3 LSParser.parseWithContext(). parserPool = new BasicParserPool(); parserPool.setNamespaceAware(true); // Note: this is necessary due to an unresolved Xerces deferred DOM issue/bug HashMap<String, Boolean> features = new HashMap<String, Boolean>(); features.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE); parserPool.setBuilderFeatures(features); unmarshallerFactory = Configuration.getUnmarshallerFactory(); defaultRootInNewDocument = false; }
Example #3
Source File: PKIXSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Constructor. * * @param resolver credential resolver used to resolve trusted credentials. * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a * Signature's KeyInfo element. * * @param pkixEvaluator the PKIX trust evaluator to use * @param nameEvaluator the X.509 credential name evaluator to use (may be null) */ public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver, PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator) { super(keyInfoResolver); if (resolver == null) { throw new IllegalArgumentException("PKIX trust information resolver may not be null"); } pkixResolver = resolver; if (pkixEvaluator == null) { throw new IllegalArgumentException("PKIX trust evaluator may not be null"); } pkixTrustEvaluator = pkixEvaluator; credNameEvaluator = nameEvaluator; }
Example #4
Source File: BaseSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Constructor. * * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a * Signature's KeyInfo element. */ public BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver) { if (keyInfoResolver == null) { throw new IllegalArgumentException("KeyInfo credential resolver may not be null"); } keyInfoCredentialResolver = keyInfoResolver; }
Example #5
Source File: SignatureSecurityPolicyRule.java From MaxKey with Apache License 2.0 | 5 votes |
@Override public void afterPropertiesSet() throws Exception { KeyInfoCredentialResolver keyInfoCredResolver = Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(); trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver,keyInfoCredResolver); }
Example #6
Source File: PKIXSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Constructor. * * <p>The PKIX trust evaluator used defaults to {@link CertPathPKIXTrustEvaluator}.</p> * * <p>The X.509 credential name evaluator used defaults to {@link BasicX509CredentialNameEvaluator}.</p> * * @param resolver credential resolver used to resolve trusted credentials. * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a * Signature's KeyInfo element. */ public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver) { super(keyInfoResolver); if (resolver == null) { throw new IllegalArgumentException("PKIX trust information resolver may not be null"); } pkixResolver = resolver; pkixTrustEvaluator = new CertPathPKIXTrustEvaluator(); credNameEvaluator = new BasicX509CredentialNameEvaluator(); }
Example #7
Source File: DefaultSecurityConfigurationBootstrap.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Populate KeyInfoCredentialResolver-related parameters. * * @param config the security configuration to populate */ protected static void populateKeyInfoCredentialResolverParams(BasicSecurityConfiguration config) { // Basic resolver for inline info ArrayList<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>(); providers.add( new RSAKeyValueProvider() ); providers.add( new DSAKeyValueProvider() ); providers.add( new InlineX509DataProvider() ); KeyInfoCredentialResolver resolver = new BasicProviderKeyInfoCredentialResolver(providers); config.setDefaultKeyInfoCredentialResolver(resolver); }
Example #8
Source File: ExplicitKeySignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Constructor. * * @param resolver credential resolver used to resolve trusted credentials. * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a * Signature's KeyInfo element. */ public ExplicitKeySignatureTrustEngine(CredentialResolver resolver, KeyInfoCredentialResolver keyInfoResolver) { super(keyInfoResolver); if (resolver == null) { throw new IllegalArgumentException("Credential resolver may not be null"); } credentialResolver = resolver; keyTrust = new ExplicitKeyTrustEvaluator(); }
Example #9
Source File: BasicSecurityConfiguration.java From lams with GNU General Public License v2.0 | 5 votes |
/** Constructor. */ public BasicSecurityConfiguration() { signatureAlgorithms = new HashMap<String, String>(); dataEncryptionAlgorithms = new HashMap<DataEncryptionIndex, String>(); keyTransportEncryptionAlgorithms = new HashMap<KeyTransportEncryptionIndex, String>(); keyInfoCredentialResolvers = new HashMap<String, KeyInfoCredentialResolver>(); dsaParams = new HashMap<Integer, DSAParams>(); }
Example #10
Source File: SecurityHelper.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Get a basic KeyInfo credential resolver which can process standard inline * data - RSAKeyValue, DSAKeyValue, DEREncodedKeyValue, X509Data. * * @return a new KeyInfoCredentialResolver instance */ public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() { List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>(); providers.add( new RSAKeyValueProvider() ); providers.add( new DSAKeyValueProvider() ); providers.add( new DEREncodedKeyValueProvider() ); providers.add( new InlineX509DataProvider() ); return new BasicProviderKeyInfoCredentialResolver(providers); }
Example #11
Source File: DEREncodedKeyValueProvider.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild, CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException { DEREncodedKeyValue keyValue = getDEREncodedKeyValue(keyInfoChild); if (keyValue == null) { return null; } log.debug("Attempting to extract credential from a DEREncodedKeyValue"); PublicKey pubKey = null; try { pubKey = KeyInfoHelper.getKey(keyValue); } catch (KeyException e) { log.error("Error extracting DER-encoded key value", e); throw new SecurityException("Error extracting DER-encoded key value", e); } KeyAlgorithmCriteria algorithmCriteria = criteriaSet.get(KeyAlgorithmCriteria.class); if (algorithmCriteria != null && algorithmCriteria.getKeyAlgorithm() != null && !algorithmCriteria.getKeyAlgorithm().equals(pubKey.getAlgorithm())) { log.debug("Criteria specified key algorithm {}, actually {}, skipping", algorithmCriteria.getKeyAlgorithm(), pubKey.getAlgorithm()); return null; } BasicCredential cred = new BasicCredential(); cred.setPublicKey(pubKey); if (kiContext != null) { cred.getKeyNames().addAll(kiContext.getKeyNames()); } CredentialContext credContext = buildCredentialContext(kiContext); if (credContext != null) { cred.getCredentalContextSet().add(credContext); } log.debug("Credential successfully extracted from DEREncodedKeyValue"); LazySet<Credential> credentialSet = new LazySet<Credential>(); credentialSet.add(cred); return credentialSet; }
Example #12
Source File: KeyInfoReferenceProvider.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild, CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException { KeyInfoReference ref = getKeyInfoReference(keyInfoChild); if (ref == null) { return null; } log.debug("Attempting to follow same-document KeyInfoReference"); XMLObject target = ref.resolveIDFromRoot(ref.getURI().substring(1)); if (target == null) { log.warn("KeyInfoReference URI could not be dereferenced"); return null; } else if (!(target instanceof KeyInfo)) { log.warn("The product of dereferencing the KeyInfoReference was not a KeyInfo"); return null; } else if (!((KeyInfo) target).getXMLObjects(KeyInfoReference.DEFAULT_ELEMENT_NAME).isEmpty()) { log.warn("The dereferenced KeyInfo contained a KeyInfoReference, cannot process"); return null; } log.debug("Recursively processing KeyInfoReference referent"); // Copy the existing CriteriaSet, excluding the KeyInfoCriteria, which is reset to the target. CriteriaSet newCriteria = new CriteriaSet(); newCriteria.add(new KeyInfoCriteria((KeyInfo) target)); for (Criteria crit : criteriaSet) { if (!(crit instanceof KeyInfoCriteria)) { newCriteria.add(crit); } } // Resolve the new target and copy the results into a collection to return. Iterable<Credential> creds = resolver.resolve(newCriteria); if (creds != null) { Collection<Credential> result = new ArrayList<Credential>(); for (Credential c : creds) { result.add(c); } return result; } return null; }
Example #13
Source File: SignatureSecurityPolicyRule.java From MaxKey with Apache License 2.0 | 4 votes |
public void loadTrustEngine(){ KeyInfoCredentialResolver keyInfoCredResolver = Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(); trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver,keyInfoCredResolver); }
Example #14
Source File: BasicSecurityConfiguration.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public KeyInfoCredentialResolver getDefaultKeyInfoCredentialResolver() { return keyInfoCredentialResolvers.get(KEYINFO_RESOLVER_DEFAULT_CONFIG); }
Example #15
Source File: ChainingSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public KeyInfoCredentialResolver getKeyInfoResolver() { // Chaining signature trust engine does not support an attached KeyInfoResolver return null; }
Example #16
Source File: BaseSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public KeyInfoCredentialResolver getKeyInfoResolver() { return keyInfoCredentialResolver; }
Example #17
Source File: BasicSecurityConfiguration.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public KeyInfoCredentialResolver getKeyInfoCredentialResolver(String name) { return keyInfoCredentialResolvers.get(name); }
Example #18
Source File: DSAKeyValueProvider.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild, CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException { DSAKeyValue keyValue = getDSAKeyValue(keyInfoChild); if (keyValue == null) { return null; } KeyAlgorithmCriteria algorithmCriteria = criteriaSet.get(KeyAlgorithmCriteria.class); if (algorithmCriteria != null && algorithmCriteria.getKeyAlgorithm() != null && ! algorithmCriteria.getKeyAlgorithm().equals("DSA")) { log.debug("Criteria specified non-DSA key algorithm, skipping"); return null; } log.debug("Attempting to extract credential from a DSAKeyValue"); PublicKey pubKey = null; try { //TODO deal with case of incomplete DSAParams, need hook to resolve those pubKey = KeyInfoHelper.getDSAKey(keyValue); } catch (KeyException e) { log.error("Error extracting DSA key value", e); throw new SecurityException("Error extracting DSA key value", e); } BasicCredential cred = new BasicCredential(); cred.setPublicKey(pubKey); if (kiContext != null) { cred.getKeyNames().addAll(kiContext.getKeyNames()); } CredentialContext credContext = buildCredentialContext(kiContext); if (credContext != null) { cred.getCredentalContextSet().add(credContext); } log.debug("Credential successfully extracted from DSAKeyValue"); LazySet<Credential> credentialSet = new LazySet<Credential>(); credentialSet.add(cred); return credentialSet; }
Example #19
Source File: RSAKeyValueProvider.java From lams with GNU General Public License v2.0 | 4 votes |
/** {@inheritDoc} */ public Collection<Credential> process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild, CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) throws SecurityException { RSAKeyValue keyValue = getRSAKeyValue(keyInfoChild); if (keyValue == null) { return null; } KeyAlgorithmCriteria algorithmCriteria = criteriaSet.get(KeyAlgorithmCriteria.class); if (algorithmCriteria != null && algorithmCriteria.getKeyAlgorithm() != null && !algorithmCriteria.getKeyAlgorithm().equals("RSA")) { log.debug("Criteria specified non-RSA key algorithm, skipping"); return null; } log.debug("Attempting to extract credential from an RSAKeyValue"); PublicKey pubKey = null; try { pubKey = KeyInfoHelper.getRSAKey(keyValue); } catch (KeyException e) { log.error("Error extracting RSA key value", e); throw new SecurityException("Error extracting RSA key value", e); } BasicCredential cred = new BasicCredential(); cred.setPublicKey(pubKey); if (kiContext != null) { cred.getKeyNames().addAll(kiContext.getKeyNames()); } CredentialContext credContext = buildCredentialContext(kiContext); if (credContext != null) { cred.getCredentalContextSet().add(credContext); } log.debug("Credential successfully extracted from RSAKeyValue"); LazySet<Credential> credentialSet = new LazySet<Credential>(); credentialSet.add(cred); return credentialSet; }
Example #20
Source File: SAML2HTTPPostSimpleSignRule.java From lams with GNU General Public License v2.0 | 3 votes |
/** * Constructor. * * @param engine the trust engine to use * @param parserPool the parser pool used to parse the KeyInfo request parameter * @param keyInfoCredResolver the KeyInfo credential resovler to use to extract credentials from the KeyInfo request * parameter */ public SAML2HTTPPostSimpleSignRule(SignatureTrustEngine engine, ParserPool parserPool, KeyInfoCredentialResolver keyInfoCredResolver) { super(engine); parser = parserPool; keyInfoResolver = keyInfoCredResolver; }
Example #21
Source File: SecurityTestHelper.java From lams with GNU General Public License v2.0 | 2 votes |
/** * @deprecated * Get a basic KeyInfo credential resolver which can process standard inline * data - RSAKeyValue, DSAKeyValue, X509Data. * * @return a new KeyInfoCredentialResolver instance */ public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() { return SecurityHelper.buildBasicInlineKeyInfoResolver(); }
Example #22
Source File: BasicSecurityConfiguration.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Register a named KeyInfoCredentialResolver configuration. * * @param name the name of the configuration * @param resolver the KeyInfoCredentialResolver to register */ public void registerKeyInfoCredentialResolver(String name, KeyInfoCredentialResolver resolver) { keyInfoCredentialResolvers.put(name, resolver); }
Example #23
Source File: SecurityConfiguration.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Get the default KeyInfoCredentialResolver configuration. * * @return the default KeyInfoCredentialResolver */ public KeyInfoCredentialResolver getDefaultKeyInfoCredentialResolver();
Example #24
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Get the data encryption key credential resolver. * * @return the data encryption key resolver */ public KeyInfoCredentialResolver getKeyResolver() { return resolver; }
Example #25
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Set a new data encryption key credential resolver. * * @param newResolver the new data encryption key resolver */ public void setKeyResolver(KeyInfoCredentialResolver newResolver) { resolver = newResolver; }
Example #26
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Get the key encryption key credential resolver. * * @return the key encryption key resolver */ public KeyInfoCredentialResolver getKEKResolver() { return kekResolver; }
Example #27
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Set a new key encryption key credential resolver. * * @param newKEKResolver the new key encryption key resolver */ public void setKEKResolver(KeyInfoCredentialResolver newKEKResolver) { kekResolver = newKEKResolver; }
Example #28
Source File: MetadataCredentialResolver.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements. * * @return KeyInfo credential resolver */ public KeyInfoCredentialResolver getKeyInfoCredentialResolver() { return keyInfoCredentialResolver; }
Example #29
Source File: MetadataCredentialResolver.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements. * * @param keyInfoResolver the new KeyInfoCredentialResolver to use */ public void setKeyInfoCredentialResolver(KeyInfoCredentialResolver keyInfoResolver) { keyInfoCredentialResolver = keyInfoResolver; }
Example #30
Source File: Decrypter.java From lams with GNU General Public License v2.0 | 2 votes |
/** * Constructor. * * @param newResolver resolver for data encryption keys. * @param newKEKResolver resolver for key encryption keys. * @param newEncKeyResolver resolver for EncryptedKey elements */ public Decrypter(KeyInfoCredentialResolver newResolver, KeyInfoCredentialResolver newKEKResolver, EncryptedKeyResolver newEncKeyResolver) { super(newResolver, newKEKResolver, newEncKeyResolver); }