org.opensaml.xml.signature.X509Data Java Examples

The following examples show how to use org.opensaml.xml.signature.X509Data, the OpenSAML 2 (XMLTooling) object for the XML Signature ds:X509Data element: the KeyInfo child that carries certificates, CRLs and certificate identifiers (subject name, issuer/serial, SKI, digest). Keep in mind while reading them that KeyInfo content is supplied by the signer: the generator examples copy it from a credential without validation, and the resolver/helper examples only parse it — none of them establish trust in the certificates they extract.
Example #1
Source File: SSOAgentUtils.java — from carbon-identity (Apache License 2.0)
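/**
 * Build an (as yet unsigned) XML Signature object for the given signing credential and
 * attach a {@code KeyInfo/X509Data/X509Certificate} carrying the credential's end-entity
 * certificate (DER, Base64-encoded). The caller attaches the returned object to the
 * signable element and performs the actual signing; this method computes no signature value.
 * <p>
 * The signature algorithm URI is used verbatim; nothing here rejects weak algorithms
 * (e.g. RSA-SHA1), so the caller is responsible for choosing one acceptable to the relying
 * party. Exclusive C14N without comments is always used, which is the usual choice for
 * signatures embedded in SAML messages.
 *
 * @param signatureAlgorithm XML Signature algorithm URI placed in SignatureMethod
 * @param cred signing credential; its entity certificate is published in KeyInfo
 * @return the populated Signature object
 * @throws SSOAgentException if the credential or its entity certificate is missing, or the
 *         certificate cannot be DER-encoded
 */
private static Signature setSignatureRaw(String signatureAlgorithm, X509Credential cred) throws SSOAgentException {
    // Fail fast with a clear message instead of a NullPointerException from getEncoded() below.
    if (cred == null || cred.getEntityCertificate() == null) {
        throw new SSOAgentException("Signing credential does not carry an entity certificate");
    }

    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        org.opensaml.xml.signature.X509Certificate cert =
                (org.opensaml.xml.signature.X509Certificate) buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
        // Only the end-entity certificate is published. KeyInfo is a hint for the verifier,
        // not a trust anchor: the relying party must still validate it against its own trust store.
        String value =
                org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
        return signature;

    } catch (CertificateEncodingException e) {
        throw new SSOAgentException("Error getting certificate", e);
    }
}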
 
Example #2
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit the X509Data / KeyInfo content derived from the credential's end-entity certificate
 * ({@link X509Credential#getEntityCertificate()}).
 * <p>
 * The certificate-derived identifier children (subject name, issuer/serial, SKI, digest) and
 * any key names are produced according to the generator options. The certificate itself is
 * serialised as an {@code X509Certificate} element only when the full chain is not being
 * emitted, because the chain already contains the end-entity certificate.
 * <p>
 * The certificate is copied as-is; no validation is performed here.
 *
 * @param keyInfo the KeyInfo under construction
 * @param x509Data the X509Data under construction
 * @param credential the credential supplying the certificate; no-op when it has none
 * @throws SecurityException if the certificate cannot be DER-encoded
 */
protected void processEntityCertificate(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) 
        throws SecurityException {
    
    final java.security.cert.X509Certificate entityCert = credential.getEntityCertificate();
    if (entityCert == null) {
        return;
    }
    
    processCertX509DataOptions(x509Data, entityCert);
    processCertKeyNameOptions(keyInfo, entityCert);
    
    // When the whole chain is emitted it already carries this certificate; avoid a duplicate element.
    final boolean emitInline = options.emitEntityCertificate && !options.emitEntityCertificateChain;
    if (!emitInline) {
        return;
    }
    
    final X509Certificate element;
    try {
        element = KeyInfoHelper.buildX509Certificate(entityCert);
    } catch (CertificateEncodingException e) {
        throw new SecurityException("Error generating X509Certificate element " 
                + "from credential's end-entity certificate", e);
    }
    x509Data.getX509Certificates().add(element);
}
 
Example #3
Source File: SAML1TokenBuilder.java — from carbon-identity (Apache License 2.0)
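/**
 * Create the XML Signature object for the SAML 1 assertion being built and publish the
 * signing credential's end-entity certificate as {@code KeyInfo/X509Data/X509Certificate}.
 * The Signature is set on the assertion and queued in {@code signatureList}; no signature
 * value is computed here.
 * <p>
 * The signature algorithm URI is used as given; no check for weak algorithms is performed,
 * so the caller must choose one acceptable to the relying party. Exclusive C14N without
 * comments is always used.
 *
 * @param signatureAlgorithm XML Signature algorithm URI for SignatureMethod
 * @param cred signing credential whose entity certificate is published in KeyInfo
 * @throws IdentityProviderException if the credential has no entity certificate, or the
 *         certificate cannot be DER-encoded
 */
@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    // Fail fast with a clear message rather than a NullPointerException from getEncoded() below.
    if (cred == null || cred.getEntityCertificate() == null) {
        log.error("Signing credential does not carry an entity certificate");
        throw new IdentityProviderException("Signing credential does not carry an entity certificate");
    }

    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        // Only the end-entity certificate is published; the relying party must still validate it
        // against its own trust store, KeyInfo is a hint and not a trust anchor.
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        // The cause is recorded in the log; the thrown exception keeps its original message.
        log.error("Error while getting the encoded certificate", e);
        throw new IdentityProviderException("Error while getting the encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}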
 
Example #4
Source File: SAML2TokenBuilder.java — from carbon-identity (Apache License 2.0)
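/**
 * Create the XML Signature object for the SAML 2 assertion being built and publish the
 * signing credential's end-entity certificate as {@code KeyInfo/X509Data/X509Certificate}.
 * The Signature is set on the assertion and queued in {@code signatureList}; no signature
 * value is computed here.
 * <p>
 * The signature algorithm URI is used as given; no check for weak algorithms is performed,
 * so the caller must choose one acceptable to the relying party. Exclusive C14N without
 * comments is always used.
 *
 * @param signatureAlgorithm XML Signature algorithm URI for SignatureMethod
 * @param cred signing credential whose entity certificate is published in KeyInfo
 * @throws IdentityProviderException if the credential has no entity certificate, or the
 *         certificate cannot be DER-encoded
 */
@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    // Fail fast with a clear message rather than a NullPointerException from getEncoded() below.
    if (cred == null || cred.getEntityCertificate() == null) {
        log.error("Signing credential does not carry an entity certificate");
        throw new IdentityProviderException("Signing credential does not carry an entity certificate");
    }

    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        // Only the end-entity certificate is published; the relying party must still validate it
        // against its own trust store, KeyInfo is a hint and not a trust anchor.
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        // The cause is recorded in the log; the thrown exception keeps its original message.
        log.error("Failed to get encoded certificate", e);
        throw new IdentityProviderException("Error while getting encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}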
 
Example #5
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit every certificate of {@link X509Credential#getEntityCertificateChain()} as an
 * {@code X509Certificate} child of the X509Data, when the chain option is enabled.
 * <p>
 * The chain is copied in the credential's order and without validation; per the
 * generator's entity-certificate handling it is expected to already contain the
 * end-entity certificate.
 *
 * @param keyInfo the KeyInfo under construction (not modified here)
 * @param x509Data the X509Data under construction
 * @param credential the credential supplying the chain; a null chain is a no-op
 * @throws SecurityException if any certificate in the chain cannot be DER-encoded
 */
protected void processEntityCertificateChain(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) 
        throws SecurityException {
    
    if (!options.emitEntityCertificateChain || credential.getEntityCertificateChain() == null) {
        return;
    }
    
    for (java.security.cert.X509Certificate chainCert : credential.getEntityCertificateChain()) {
        final X509Certificate element;
        try {
            element = KeyInfoHelper.buildX509Certificate(chainCert);
        } catch (CertificateEncodingException e) {
            throw new SecurityException("Error generating X509Certificate element " 
                    + "from a certificate in credential's certificate chain", e);
        }
        x509Data.getX509Certificates().add(element);
    }
}
 
Example #6
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit every CRL of {@link X509Credential#getCRLs()} as an {@code X509CRL} child of the
 * X509Data, when the CRL option is enabled.
 * <p>
 * CRLs are copied in the credential's order and are not checked for freshness or
 * signature here; a consumer must validate them like any other KeyInfo content.
 *
 * @param keyInfo the KeyInfo under construction (not modified here)
 * @param x509Data the X509Data under construction
 * @param credential the credential supplying the CRLs; a null list is a no-op
 * @throws SecurityException if any CRL cannot be DER-encoded
 */
protected void processCRLs(KeyInfo keyInfo, X509Data x509Data, X509Credential credential) 
        throws SecurityException {
    
    if (!options.emitCRLs || credential.getCRLs() == null) {
        return;
    }
    
    for (java.security.cert.X509CRL crl : credential.getCRLs()) {
        final X509CRL element;
        try {
            element = KeyInfoHelper.buildX509CRL(crl);
        } catch (CRLException e) {
            throw new SecurityException("Error generating X509CRL element " 
                    + "from a CRL in credential's CRL list", e);
        }
        x509Data.getX509CRLs().add(element);
    }
}
 
Example #7
Source File: KeyInfoHelper.java — from lams (GNU General Public License v2.0)
/**
 * Collect the Java {@link java.security.cert.X509Certificate}s found in every X509Data
 * child of the given KeyInfo, in document order.
 * <p>
 * The certificates are only parsed, never validated: they come from the signer-supplied
 * KeyInfo and must be evaluated against a trust engine before being relied on.
 *
 * @param keyInfo KeyInfo to extract the certificates from; null yields an empty list
 *
 * @return a (possibly empty) list of Java certificates
 *
 * @throws CertificateException if any X509Certificate element cannot be decoded into a
 *          {@link java.security.cert.X509Certificate}
 */
public static List<X509Certificate> getCertificates(KeyInfo keyInfo) throws CertificateException {
    final List<X509Certificate> result = new LinkedList<X509Certificate>();

    if (keyInfo != null) {
        for (X509Data data : keyInfo.getX509Datas()) {
            if (data == null) {
                continue;
            }
            result.addAll(getCertificates(data));
        }
    }

    return result;
}
 
Example #8
Source File: KeyInfoHelper.java — from lams (GNU General Public License v2.0)
/**
 * Decode the {@code X509Certificate} children of the given {@link X509Data} into Java
 * {@link java.security.cert.X509Certificate}s, in document order. Elements with no
 * text content are skipped.
 * <p>
 * Decoding is not validation: the certificates are whatever the signer placed in the
 * KeyInfo and must be checked against a trust engine before use.
 *
 * @param x509Data {@link X509Data} to extract the certificates from; null yields an empty list
 *
 * @return a (possibly empty) list of Java certificates
 *
 * @throws CertificateException if an element's Base64/DER content cannot be decoded into a
 *          {@link java.security.cert.X509Certificate}
 */
public static List<X509Certificate> getCertificates(X509Data x509Data) throws CertificateException {
    final List<X509Certificate> result = new LinkedList<X509Certificate>();

    if (x509Data != null) {
        for (org.opensaml.xml.signature.X509Certificate element : x509Data.getX509Certificates()) {
            if (element == null || element.getValue() == null) {
                // Empty element: nothing to decode.
                continue;
            }
            result.add(getCertificate(element));
        }
    }

    return result;
}
 
Example #9
Source File: KeyInfoHelper.java — from lams (GNU General Public License v2.0)
/**
 * Collect the Java {@link java.security.cert.X509CRL}s found in every X509Data child of
 * the given {@link KeyInfo}, in document order.
 * <p>
 * The CRLs are decoded but not validated (issuer, signature, freshness); they are
 * signer-supplied KeyInfo content.
 *
 * @param keyInfo the {@link KeyInfo} to extract the CRLs from; null yields an empty list
 *
 * @return a (possibly empty) list of Java CRLs
 *
 * @throws CRLException if any X509CRL element cannot be decoded into a
 *          {@link java.security.cert.X509CRL}
 */
public static List<X509CRL> getCRLs(KeyInfo keyInfo) throws CRLException {
    final List<X509CRL> result = new LinkedList<X509CRL>();

    if (keyInfo != null) {
        for (X509Data data : keyInfo.getX509Datas()) {
            if (data == null) {
                continue;
            }
            result.addAll(getCRLs(data));
        }
    }

    return result;
}
 
Example #10
Source File: KeyInfoHelper.java — from lams (GNU General Public License v2.0)
/**
 * Decode the {@code X509CRL} children of the given {@link X509Data} into Java
 * {@link java.security.cert.X509CRL}s, in document order. Elements with no text
 * content are skipped.
 * <p>
 * Decoding is not validation: nothing here checks the CRL's issuer, signature or
 * validity period.
 *
 * @param x509Data {@link X509Data} to extract the CRLs from; null yields an empty list
 *
 * @return a (possibly empty) list of Java CRLs
 *
 * @throws CRLException if an element's Base64/DER content cannot be decoded into a
 *          {@link java.security.cert.X509CRL}
 */
public static List<X509CRL> getCRLs(X509Data x509Data) throws CRLException {
    final List<X509CRL> result = new LinkedList<X509CRL>();

    if (x509Data != null) {
        for (org.opensaml.xml.signature.X509CRL element : x509Data.getX509CRLs()) {
            if (element == null || element.getValue() == null) {
                // Empty element: nothing to decode.
                continue;
            }
            result.add(getCRL(element));
        }
    }

    return result;
}
 
Example #11
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
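/**
 * {@inheritDoc}
 * <p>
 * Builds the X.509-specific KeyInfo content: whatever the superclass generator emits,
 * plus a single X509Data holding the entity-certificate data, the certificate chain and
 * the CRLs as selected by the options. The X509Data is attached only if it received at
 * least one child, and {@code null} is returned when the KeyInfo would otherwise be empty.
 * <p>
 * Everything placed in the KeyInfo is copied from the credential without validation; a
 * consumer must treat it as a signer-supplied hint and evaluate it with a trust engine.
 *
 * @param credential the credential to describe; must be an {@link X509Credential}
 * @return the populated KeyInfo, or null if the credential is null, is not an
 *         X509Credential, or yields no KeyInfo content
 * @throws SecurityException if certificate or CRL data cannot be encoded
 */
public KeyInfo generate(Credential credential) throws SecurityException {
    // A null credential used to reach credential.getClass() below and throw a
    // NullPointerException; treat it like any other unusable credential instead.
    if (credential == null) {
        log.warn("X509KeyInfoGenerator was passed a null credential");
        return null;
    }
    if ( ! (credential instanceof X509Credential) ) {
        log.warn("X509KeyInfoGenerator was passed a credential that was not an instance of X509Credential: {}",
                credential.getClass().getName());
        return null;
    }
    X509Credential x509Credential = (X509Credential) credential;
    
    // The superclass may already have produced a KeyInfo (e.g. with key names / values);
    // start from it so its children are kept.
    KeyInfo keyInfo =  super.generate(credential);
    if (keyInfo == null) {
        keyInfo = keyInfoBuilder.buildObject();
    }
    X509Data x509Data = x509DataBuilder.buildObject();
    
    processEntityCertificate(keyInfo, x509Data, x509Credential);
    processEntityCertificateChain(keyInfo, x509Data, x509Credential);
    processCRLs(keyInfo, x509Data, x509Credential);
    
    // An empty X509Data would violate the schema (at least one child is required), so only
    // attach it when something was generated.
    List<XMLObject> x509DataChildren = x509Data.getOrderedChildren();
    if (x509DataChildren != null && x509DataChildren.size() > 0) {
        keyInfo.getX509Datas().add(x509Data);
    }
    
    List<XMLObject> keyInfoChildren = keyInfo.getOrderedChildren();
    if (keyInfoChildren != null && keyInfoChildren.size() > 0) {
        return keyInfo;
    } else {
        return null;
    }
}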
 
Example #12
Source File: X509DataUnmarshaller.java — from lams (GNU General Public License v2.0)
/**
 * {@inheritDoc}
 * <p>
 * X509Data is an unbounded, unordered choice of the dsig-defined children plus
 * {@code <any>}, so every child is appended to the single generic child list without
 * dispatching on its type. Schema conformance of what was appended is left to the
 * validator, not enforced here.
 */
protected void processChildElement(XMLObject parentXMLObject, XMLObject childXMLObject)
        throws UnmarshallingException {
    final X509Data parent = (X509Data) parentXMLObject;
    parent.getXMLObjects().add(childXMLObject);
}
 
Example #13
Source File: X509DataSchemaValidator.java — from lams (GNU General Public License v2.0)
/**
 * Validate that every child of the X509Data is either one of the children defined by the
 * XML Signature schema or comes from a foreign namespace (permitted by the schema's
 * {@code <any>} wildcard). A child in the dsig namespace that is not a known X509Data
 * child is rejected.
 * 
 * @param xmlObject the object to validate
 * @throws ValidationException thrown if the object is invalid
 */
protected void validateChildrenNamespaces(X509Data xmlObject) throws ValidationException {
    final String dsigNamespace = XMLConstants.XMLSIG_NS;
    for (XMLObject child : xmlObject.getXMLObjects()) {
        final QName name = child.getElementQName();
        final boolean inDsigNamespace = dsigNamespace.equals(name.getNamespaceURI());
        // Only the dsig namespace is restricted; foreign-namespace extensions pass through.
        if (inDsigNamespace && !getValidDSChildNames().contains(name)) {
            throw new ValidationException("X509Data contains an illegal child extension element: " + name);
        }
    }
}
 
Example #14
Source File: InlineX509DataProvider.java — from lams (GNU General Public License v2.0)
/**
 * Decode the certificates carried inline in the X509Data.
 * <p>
 * These certificates are part of the signer-supplied KeyInfo; this method only decodes
 * them and does not establish trust in any of them.
 * 
 * @param x509Data the X509Data element
 * @return a (possibly empty) list of X509Certificates
 * @throws SecurityException thrown if a certificate element cannot be decoded
 */
private List<X509Certificate> extractCertificates(X509Data x509Data) throws SecurityException {
    final List<X509Certificate> found;
    try {
        found = KeyInfoHelper.getCertificates(x509Data);
    } catch (CertificateException e) {
        log.error("Error extracting certificates from X509Data", e);
        throw new SecurityException("Error extracting certificates from X509Data", e);
    }
    log.debug("Found {} X509Certificates", found.size());
    return found;
}
 
Example #15
Source File: InlineX509DataProvider.java — from lams (GNU General Public License v2.0)
/**
 * Decode the CRLs carried inline in the X509Data.
 * <p>
 * The CRLs are decoded only; their issuer, signature and validity period are not
 * checked here.
 * 
 * @param x509Data the X509Data element
 * @return a (possibly empty) list of X509CRLs
 * @throws SecurityException thrown if a CRL element cannot be decoded
 */
private List<X509CRL> extractCRLs(X509Data x509Data) throws SecurityException {
    final List<X509CRL> found;
    try {
        found = KeyInfoHelper.getCRLs(x509Data);
    } catch (CRLException e) {
        log.error("Error extracting CRL's from X509Data", e);
        throw new SecurityException("Error extracting CRL's from X509Data", e);
    }
    
    log.debug("Found {} X509CRLs", found.size());
    return found;
}
 
Example #16
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit an X509SKI child for the certificate when the SKI option is enabled.
 * 
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */ 
protected void processCertX509SKI(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (!options.emitX509SKI) {
        return;
    }
    final X509SKI ski = KeyInfoHelper.buildX509SKI(cert);
    // A null result (presumably a certificate without a SubjectKeyIdentifier extension) is simply skipped.
    if (ski != null) {
        x509Data.getX509SKIs().add(ski);
    }
}
 
Example #17
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit an X509IssuerSerial child (issuer name plus serial number) for the certificate
 * when the issuer/serial option is enabled and an issuer name can be obtained.
 * 
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */ 
protected void processCertX509IssuerSerial(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (!options.emitX509IssuerSerial) {
        return;
    }
    final String issuer = getIssuerName(cert);
    // Without an issuer name the element would be malformed; emit nothing in that case.
    if (DatatypeHelper.isEmpty(issuer)) {
        return;
    }
    x509Data.getX509IssuerSerials().add(
            KeyInfoHelper.buildX509IssuerSerial(issuer, cert.getSerialNumber()));
}
 
Example #18
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit an X509SubjectName child for the certificate when the subject-name option is
 * enabled and a subject name can be obtained.
 * 
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509SubjectName(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (!options.emitX509SubjectName) {
        return;
    }
    final String subject = getSubjectName(cert);
    // An empty subject name yields no element rather than an empty one.
    if (DatatypeHelper.isEmpty(subject)) {
        return;
    }
    x509Data.getX509SubjectNames().add(KeyInfoHelper.buildX509SubjectName(subject));
}
 
Example #19
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Emit the certificate-derived identifier children of X509Data (subject name,
 * issuer/serial, SKI, digest). Each helper consults its own option flag and is a no-op
 * when that option is disabled, so this method is safe to call unconditionally.
 * 
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509DataOptions(X509Data x509Data, java.security.cert.X509Certificate cert) {
    // Subject name, then issuer/serial, then SKI, then digest.
    processCertX509SubjectName(x509Data, cert);
    processCertX509IssuerSerial(x509Data, cert);
    processCertX509SKI(x509Data, cert);
    processCertX509Digest(x509Data, cert);
}
 
Example #20
Source File: X509KeyInfoGeneratorFactory.java — from lams (GNU General Public License v2.0)
/**
 * Constructor. Keeps the options and looks up the KeyInfo and X509Data builders from the
 * global XMLTooling configuration once, so that {@code generate} does not repeat the lookup.
 * 
 * @param newOptions the options to be used by the generator
 */
protected X509KeyInfoGenerator(X509Options newOptions) {
    super(newOptions);
    options = newOptions;
    
    keyInfoBuilder = (KeyInfoBuilder) Configuration.getBuilderFactory()
            .getBuilder(KeyInfo.DEFAULT_ELEMENT_NAME);
    x509DataBuilder = (X509DataBuilder) Configuration.getBuilderFactory()
            .getBuilder(X509Data.DEFAULT_ELEMENT_NAME);
}
 
Example #21
Source File: InlineX509DataProvider.java — from lams (GNU General Public License v2.0)
/**
 * {@inheritDoc}
 * <p>
 * This provider handles X509Data children only; null is not handled.
 */
public boolean handles(XMLObject keyInfoChild) {
    return X509Data.class.isInstance(keyInfoChild);
}
 
Example #22
Source File: InlineX509DataProvider.java — from lams (GNU General Public License v2.0)
/**
 * Pick the end-entity certificate out of the certificates carried in the X509Data.
 * <p>
 * A single certificate is taken as-is. Otherwise the identifier children of the X509Data
 * are consulted in priority order: a previously resolved public key, X509SubjectName,
 * X509IssuerSerial, X509SKI and finally X509Digest. If none of them matches, the first
 * certificate in the list is returned as a last resort.
 * <p>
 * Security note: every input here (the certificates and the identifiers used to pick
 * among them) comes from the signer-supplied KeyInfo, and the positional fallback is a
 * heuristic. The returned certificate is therefore not trusted by this method; the caller
 * is expected to evaluate it with a trust engine before using it.
 * 
 * @param certs list of {@link java.security.cert.X509Certificate}
 * @param x509Data X509Data element which might contain other info helping to finding the end-entity cert
 * @param resolvedKey a key which might have previously been resolved from a KeyValue
 * @return the end-entity certificate, or null if the list is null or empty
 */
protected X509Certificate findEntityCert(List<X509Certificate> certs, X509Data x509Data, PublicKey resolvedKey) {
    if (certs == null || certs.isEmpty()) {
        return null;
    }
    
    // With exactly one candidate there is nothing to disambiguate.
    if (certs.size() == 1) {
        log.debug("Single certificate was present, treating as end-entity certificate");
        return certs.get(0);
    }
    
    X509Certificate match;
    if ((match = findCertFromKey(certs, resolvedKey)) != null) {
        log.debug("End-entity certificate resolved by matching previously resolved public key");
    } else if ((match = findCertFromSubjectNames(certs, x509Data.getX509SubjectNames())) != null) {
        log.debug("End-entity certificate resolved by matching X509SubjectName");
    } else if ((match = findCertFromIssuerSerials(certs, x509Data.getX509IssuerSerials())) != null) {
        log.debug("End-entity certificate resolved by matching X509IssuerSerial");
    } else if ((match = findCertFromSubjectKeyIdentifier(certs, x509Data.getX509SKIs())) != null) {
        log.debug("End-entity certificate resolved by matching X509SKI");
    } else if ((match = findCertFromDigest(certs, x509Data.getXMLObjects(X509Digest.DEFAULT_ELEMENT_NAME))) != null) {
        log.debug("End-entity certificate resolved by matching X509Digest");
    } else {
        // TODO use some heuristic algorithm to try and figure it out based on the cert list alone.
        //      This would be in X509Utils or somewhere else external to this class.
        
        // Last resort: positional guess, the first certificate in the X509Data.
        log.debug("Treating the first certificate in the X509Data as the end-entity certificate");
        match = certs.get(0);
    }
    return match;
}
 
Example #23
Source File: X509DataSchemaValidator.java — from lams (GNU General Public License v2.0)
/**
 * {@inheritDoc}
 * <p>
 * Checks that the X509Data has at least one child and that every child in the dsig
 * namespace is one the schema allows. Presence is checked first, so an empty element is
 * reported before any namespace problem.
 */
public void validate(X509Data xmlObject) throws ValidationException {
    validateChildrenPresence(xmlObject);
    validateChildrenNamespaces(xmlObject);
}
 
Example #24
Source File: X509DataBuilder.java — from lams (GNU General Public License v2.0)
/**
 * {@inheritDoc}
 * <p>
 * Creates an empty X509Data with the given element name; no children are added.
 */
public X509Data buildObject(String namespaceURI, String localName, String namespacePrefix) {
    final X509DataImpl created = new X509DataImpl(namespaceURI, localName, namespacePrefix);
    return created;
}
 
Example #25
Source File: X509DataBuilder.java — from lams (GNU General Public License v2.0)
/**
 * {@inheritDoc}
 * <p>
 * Builds an X509Data under its default element name, i.e. {@code ds:X509Data} in the
 * XML Signature namespace.
 */
public X509Data buildObject() {
    final String namespace = XMLConstants.XMLSIG_NS;
    final String prefix = XMLConstants.XMLSIG_PREFIX;
    return buildObject(namespace, X509Data.DEFAULT_ELEMENT_LOCAL_NAME, prefix);
}
 
Example #26
Source File: KeyInfoTypeImpl.java — from lams (GNU General Public License v2.0)
/**
 * {@inheritDoc}
 * <p>
 * Returns the X509Data children as a typed view over the indexed child list, keyed by
 * the X509Data element name. Callers add to the returned list to attach an X509Data to
 * this KeyInfo (as the generator and token builders do).
 */
@SuppressWarnings("unchecked")
public List<X509Data> getX509Datas() {
    // The indexed list is keyed by QName; the cast narrows the wildcard view to X509Data.
    return (List<X509Data>) indexedChildren.subList(X509Data.DEFAULT_ELEMENT_NAME);
}
 
Example #27
Source File: X509DataSchemaValidator.java — from lams (GNU General Public License v2.0)
/**
 * Validate that at least one child is present: the XML Signature schema defines
 * X509Data as a non-empty choice, so an empty element is invalid.
 * 
 * @param xmlObject the object to validate
 * @throws ValidationException  thrown if the object is invalid
 */
protected void validateChildrenPresence(X509Data xmlObject) throws ValidationException {
    final int childCount = xmlObject.getXMLObjects().size();
    if (childCount == 0) {
        throw new ValidationException("No children were present in the X509Data object");
    }
}