org.opensaml.xml.security.CriteriaSet Java Examples
The following examples show how to use
org.opensaml.xml.security.CriteriaSet.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: CarbonKeyStoreCredentialResolver.java From carbon-identity with Apache License 2.0 | 6 votes |
@Override public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException { try { credentialSet = new HashSet<Credential>(); Enumeration<String> en = keyStore.aliases(); while (en.hasMoreElements()) { String alias = en.nextElement(); X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias); Credential credential = new X509CredentialImpl(cert); if (criteriaSet.get(EntityIDCriteria.class) != null) { if (criteriaSet.get(EntityIDCriteria.class).getEntityID().equals(alias)) { credentialSet.add(credential); break; } } else { credentialSet.add(credential); } } return credentialSet; } catch (KeyStoreException e) { log.error(e); throw new SecurityException("Error reading certificates from key store"); } }
Example #2
Source File: BasicProviderKeyInfoCredentialResolver.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Resolve the key from any KeyValue or DEREncodedKeyValue element that may be present, and store the resulting * key in the resolution context. * * Each element is processed in turn in document order. Each element will be processed by each provider in * the ordered list of registered providers. The key from the first credential successfully resolved * will be stored in the resolution context. * * Note: This resolver implementation assumes that KeyInfo will not be abused via-a-vis the Signature * specificiation, and that therefore all elements (if there are even more than one) will all resolve to the * same key value. The KeyInfo might, for example have multiple KeyValue children, containing different * representations of the same key. Therefore, only the first credential derived will be be utilized. * * @param kiContext KeyInfo resolution context * @param criteriaSet the credential criteria used to resolve credentials * @param keyValues the KeyValue or DEREncodedKeyValue children to evaluate * @throws SecurityException thrown if there is an error resolving the key from the KeyValue */ protected void resolveKeyValue(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, List<? extends XMLObject> keyValues) throws SecurityException { for (XMLObject keyValue : keyValues) { if (!(keyValue instanceof KeyValue) && !(keyValue instanceof DEREncodedKeyValue)) { continue; } Collection<Credential> creds = processKeyInfoChild(kiContext, criteriaSet, keyValue); if (creds != null) { for (Credential cred : creds) { Key key = extractKeyValue(cred); if (key != null) { kiContext.setKey(key); log.debug("Found a credential based on a KeyValue/DEREncodedKeyValue having key type: {}", key.getAlgorithm()); return; } } } } }
Example #3
Source File: BasicProviderKeyInfoCredentialResolver.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Initialize the resolution context that will be used by the providers. * * The supplied KeyInfo object is stored in the context, as well as the values of any {@link KeyName} children * present. Finally if a credential is resolveble by any registered provider from a plain {@link KeyValue} child, * the key from that credential is also stored in the context. * * @param kiContext KeyInfo resolution context * @param keyInfo the KeyInfo to evaluate * @param criteriaSet the credential criteria used to resolve credentials * @throws SecurityException thrown if there is an error processing the KeyValue children */ protected void initResolutionContext(KeyInfoResolutionContext kiContext, KeyInfo keyInfo, CriteriaSet criteriaSet) throws SecurityException { kiContext.setKeyInfo(keyInfo); // Extract all KeyNames kiContext.getKeyNames().addAll(KeyInfoHelper.getKeyNames(keyInfo)); log.debug("Found {} key names: {}", kiContext.getKeyNames().size(), kiContext.getKeyNames()); // Extract the Credential based on the (singular) key from an existing KeyValue(s). resolveKeyValue(kiContext, criteriaSet, keyInfo.getKeyValues()); // Extract the Credential based on the (singular) key from an existing DEREncodedKeyValue(s). resolveKeyValue(kiContext, criteriaSet, keyInfo.getXMLObjects(DEREncodedKeyValue.DEFAULT_ELEMENT_NAME)); }
Example #4
Source File: BasicProviderKeyInfoCredentialResolver.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Process the given KeyInfo child with the registered providers. * * The child element is processed by each provider in the ordered list of providers. The credential or credentials * resolved by the first provider to successfully do so are returned and processing of the child element is * terminated. * * @param kiContext KeyInfo resolution context * @param criteriaSet the credential criteria used to resolve credentials * @param keyInfoChild the KeyInfo to evaluate * @return the collection of resolved credentials, or null * @throws SecurityException thrown if there is a provider error processing the KeyInfo child */ protected Collection<Credential> processKeyInfoChild(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, XMLObject keyInfoChild) throws SecurityException { for (KeyInfoProvider provider : getProviders()) { if (!provider.handles(keyInfoChild)) { log.debug("Provider {} doesn't handle objects of type {}, skipping", provider.getClass().getName(), keyInfoChild.getElementQName()); continue; } log.debug("Processing KeyInfo child {} with provider {}", keyInfoChild.getElementQName(), provider .getClass().getName()); Collection<Credential> creds = provider.process(this, keyInfoChild, criteriaSet, kiContext); if (creds != null && !creds.isEmpty()) { log.debug("Credentials successfully extracted from child {} by provider {}", keyInfoChild .getElementQName(), provider.getClass().getName()); return creds; } } return null; }
Example #5
Source File: BaseSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Check the signature and credential criteria for required values. * * @param signature the signature to be evaluated * @param content the data over which the signature was computed * @param algorithmURI the signing algorithm URI which was used * @param trustBasisCriteria the set of trusted credential criteria * @throws SecurityException thrown if required values are absent or otherwise invalid */ protected void checkParamsRaw(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria) throws SecurityException { if (signature == null || signature.length == 0) { throw new SecurityException("Signature byte array was null or empty"); } if (content == null || content.length == 0) { throw new SecurityException("Content byte array was null or empty"); } if (DatatypeHelper.isEmpty(algorithmURI)) { throw new SecurityException("Signature algorithm was null or empty"); } if (trustBasisCriteria == null) { throw new SecurityException("Trust basis criteria set was null"); } if (trustBasisCriteria.isEmpty()) { throw new SecurityException("Trust basis criteria set was empty"); } }
Example #6
Source File: PKIXSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Resolve and return a set of trusted validation information. * * @param trustBasisCriteria criteria used to describe and/or resolve the information which serves as the basis for * trust evaluation * @return a pair consisting of an optional set of trusted names, and an iterable of trusted * PKIXValidationInformation * @throws SecurityException thrown if there is an error resolving the information from the trusted resolver */ protected Pair<Set<String>, Iterable<PKIXValidationInformation>> resolveValidationInfo( CriteriaSet trustBasisCriteria) throws SecurityException { Set<String> trustedNames = null; if (pkixResolver.supportsTrustedNameResolution()) { trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria); } else { log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking"); } Iterable<PKIXValidationInformation> validationInfoSet = pkixResolver.resolve(trustBasisCriteria); Pair<Set<String>, Iterable<PKIXValidationInformation>> validationPair = new Pair<Set<String>, Iterable<PKIXValidationInformation>>(trustedNames, validationInfoSet); return validationPair; }
Example #7
Source File: LocalKeyInfoCredentialResolver.java From lams with GNU General Public License v2.0 | 6 votes |
/** {@inheritDoc} */ protected void postProcess(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, List<Credential> credentials) throws SecurityException { ArrayList<Credential> localCreds = new ArrayList<Credential>(); for (Credential cred : credentials) { if (isLocalCredential(cred)) { localCreds.add(cred); } else if (cred.getPublicKey() != null) { localCreds.addAll(resolveByPublicKey(cred.getPublicKey())); } } // Also resolve local creds based on any key names that are known for (String keyName : kiContext.getKeyNames()) { localCreds.addAll(resolveByKeyName(keyName)); } credentials.clear(); credentials.addAll(localCreds); }
Example #8
Source File: MetadataCredentialResolver.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Check that all necessary credential criteria are available. * * @param criteriaSet the credential set to evaluate */ protected void checkCriteriaRequirements(CriteriaSet criteriaSet) { EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class); MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class); if (entityCriteria == null) { throw new IllegalArgumentException("Entity criteria must be supplied"); } if (mdCriteria == null) { throw new IllegalArgumentException("SAML metadata criteria must be supplied"); } if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) { throw new IllegalArgumentException("Credential owner entity ID criteria value must be supplied"); } if (mdCriteria.getRole() == null) { throw new IllegalArgumentException("Credential metadata role criteria value must be supplied"); } }
Example #9
Source File: BaseSAMLSimpleSignatureSecurityPolicyRule.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Build a criteria set suitable for input to the trust engine. * * @param entityID the candidate issuer entity ID which is being evaluated * @param samlContext the message context which is being evaluated * @return a newly constructly set of criteria suitable for the configured trust engine * @throws SecurityPolicyException thrown if criteria set can not be constructed */ protected CriteriaSet buildCriteriaSet(String entityID, SAMLMessageContext samlContext) throws SecurityPolicyException { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(entityID)) { criteriaSet.add(new EntityIDCriteria(entityID)); } MetadataCriteria mdCriteria = new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext .getInboundSAMLProtocol()); criteriaSet.add(mdCriteria); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
Example #10
Source File: BaseSAMLXMLSignatureSecurityPolicyRule.java From lams with GNU General Public License v2.0 | 6 votes |
/** {@inheritDoc} */ protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException { if (!(messageContext instanceof SAMLMessageContext)) { log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters"); throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext"); } SAMLMessageContext samlContext = (SAMLMessageContext) messageContext; CriteriaSet criteriaSet = new CriteriaSet(); if (! DatatypeHelper.isEmpty(entityID)) { criteriaSet.add(new EntityIDCriteria(entityID) ); } MetadataCriteria mdCriteria = new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol()); criteriaSet.add(mdCriteria); criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); return criteriaSet; }
Example #11
Source File: SAMLMDClientCertAuthRule.java From lams with GNU General Public License v2.0 | 6 votes |
/** {@inheritDoc} */ protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException { if (!(messageContext instanceof SAMLMessageContext)) { log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters"); throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext"); } SAMLMessageContext samlContext = (SAMLMessageContext) messageContext; CriteriaSet criteriaSet = super.buildCriteriaSet(entityID, messageContext); MetadataCriteria mdCriteria = new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol()); criteriaSet.add(mdCriteria); return criteriaSet; }
Example #12
Source File: AbstractCriteriaFilteringCredentialResolver.java From lams with GNU General Public License v2.0 | 6 votes |
/** * Extract the evaluable credential criteria from the criteria set. * * @param criteriaSet the set of credential criteria to process. * @return a set of evaluable Credential criteria * @throws SecurityException thrown if there is an error obtaining an instance of EvaluableCredentialCriteria * from the EvaluableCredentialCriteriaRegistry */ private Set<EvaluableCriteria<Credential>> getEvaluableCriteria(CriteriaSet criteriaSet) throws SecurityException { Set<EvaluableCriteria<Credential>> evaluable = new HashSet<EvaluableCriteria<Credential>>(criteriaSet.size()); for (Criteria criteria : criteriaSet) { if (criteria instanceof EvaluableCredentialCriteria) { evaluable.add((EvaluableCredentialCriteria) criteria); } else { EvaluableCredentialCriteria evaluableCriteria = EvaluableCredentialCriteriaRegistry.getEvaluator(criteria); if (evaluableCriteria != null) { evaluable.add(evaluableCriteria); } } } return evaluable; }
Example #13
Source File: SignatureSecurityPolicyRule.java From MaxKey with Apache License 2.0 | 6 votes |
private void checkMessageSignature(MessageContext messageContext,SignableSAMLObject samlMessage) throws SecurityPolicyException { CriteriaSet criteriaSet = new CriteriaSet(); logger.debug("Inbound issuer is {}", messageContext.getInboundMessageIssuer()); // System.out.println("Inbound issuer is {} "+ messageContext.getInboundMessageIssuer()); //https://localhost-dev-ed.my.salesforce.com criteriaSet.add( new EntityIDCriteria(messageContext.getInboundMessageIssuer())); //criteriaSet.add( new EntityIDCriteria("https://localhost-dev-ed.my.salesforce.com")); criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); try { if (!trustEngine.validate( samlMessage.getSignature(), criteriaSet)) { throw new SecurityPolicyException("Signature was either invalid or signing key could not be established as trusted"); } } catch (SecurityException se) { // System.out.println("Error evaluating the signature"+se.toString()); throw new SecurityPolicyException("Error evaluating the signature",se); } }
Example #14
Source File: ConsumerEndpoint.java From MaxKey with Apache License 2.0 | 6 votes |
public void afterPropertiesSet() throws Exception { authnRequestGenerator = new AuthnRequestGenerator(keyStoreLoader.getEntityName(), timeService, idService); endpointGenerator = new EndpointGenerator(); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EntityIDCriteria(keyStoreLoader.getEntityName())); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); try { signingCredential = credentialResolver.resolveSingle(criteriaSet); } catch (SecurityException e) { logger.error("证书解析出错", e); throw new Exception(e); } Validate.notNull(signingCredential); }
Example #15
Source File: PostBindingAdapter.java From MaxKey with Apache License 2.0 | 6 votes |
public Credential buildSPSigningCredential() throws Exception{ KeyStore trustKeyStore = KeyStoreUtil.bytes2KeyStore(getSaml20Details().getKeyStore(), getKeyStoreLoader().getKeyStore().getType(), getKeyStoreLoader().getKeystorePassword()); TrustResolver trustResolver=new TrustResolver(); KeyStoreCredentialResolver credentialResolver =trustResolver.buildKeyStoreCredentialResolver( trustKeyStore, getSaml20Details().getEntityId(), getKeyStoreLoader().getKeystorePassword()); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EntityIDCriteria(getSaml20Details().getEntityId())); criteriaSet.add(new UsageCriteria(UsageType.ENCRYPTION)); try { spSigningCredential = credentialResolver.resolveSingle(criteriaSet); } catch (SecurityException e) { logger.error("Credential Resolver error . ", e); throw new Exception(e); } Validate.notNull(spSigningCredential); return spSigningCredential; }
Example #16
Source File: PKIXX509CredentialTrustEngine.java From lams with GNU General Public License v2.0 | 6 votes |
/** {@inheritDoc} */ public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria) throws SecurityException { log.debug("Attempting PKIX validation of untrusted credential"); if (untrustedCredential == null) { log.error("X.509 credential was null, unable to perform validation"); return false; } if (untrustedCredential.getEntityCertificate() == null) { log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation"); return false; } Set<String> trustedNames = null; if (pkixResolver.supportsTrustedNameResolution()) { trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria); } else { log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking"); } return validate(untrustedCredential, trustedNames, pkixResolver.resolve(trustBasisCriteria)); }
Example #17
Source File: SAML2HTTPRedirectDeflateSignatureValidator.java From carbon-identity with Apache License 2.0 | 6 votes |
/** * @param queryString * @param issuer * @param alias * @param domainName * @return * @throws SecurityException * @throws IdentitySAML2SSOException */ @Override public boolean validateSignature(String queryString, String issuer, String alias, String domainName) throws SecurityException, IdentitySAML2SSOException { byte[] signature = getSignature(queryString); byte[] signedContent = getSignedContent(queryString); String algorithmUri = getSigAlg(queryString); CriteriaSet criteriaSet = buildCriteriaSet(issuer); // creating the SAML2HTTPRedirectDeflateSignatureRule X509CredentialImpl credential = SAMLSSOUtil.getX509CredentialImplForTenant(domainName, alias); List<Credential> credentials = new ArrayList<Credential>(); credentials.add(credential); CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials); KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver(); SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver); return engine.validate(signature, signedContent, algorithmUri, criteriaSet, null); }
Example #18
Source File: SAML2HTTPRedirectDeflateSignatureValidator.java From carbon-identity with Apache License 2.0 | 5 votes |
/** * Build a criteria set suitable for input to the trust engine. * * @param issuer * @return * @throws SecurityPolicyException */ private static CriteriaSet buildCriteriaSet(String issuer) { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(issuer)) { criteriaSet.add(new EntityIDCriteria(issuer)); } criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
Example #19
Source File: BaseSAMLSimpleSignatureSecurityPolicyRule.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Validate the simple signature. * * @param signature the signature value * @param signedContent the content that was signed * @param algorithmURI the signature algorithm URI which was used to sign the content * @param criteriaSet criteria used to describe and/or resolve the information which serves as the basis for trust * evaluation * @param candidateCredentials the request-derived candidate credential(s) containing the validation key for the * signature (optional) * @return true if signature can be verified successfully, false otherwise * * @throws SecurityPolicyException thrown if there are errors during the signature validation process * */ protected boolean validateSignature(byte[] signature, byte[] signedContent, String algorithmURI, CriteriaSet criteriaSet, List<Credential> candidateCredentials) throws SecurityPolicyException { SignatureTrustEngine engine = getTrustEngine(); // Some bindings allow candidate signing credentials to be supplied (e.g. via ds:KeyInfo), some do not. // So have 2 slightly different cases. try { if (candidateCredentials == null || candidateCredentials.isEmpty()) { if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, null)) { log.debug("Simple signature validation (with no request-derived credentials) was successful"); return true; } else { log.warn("Simple signature validation (with no request-derived credentials) failed"); return false; } } else { for (Credential cred : candidateCredentials) { if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, cred)) { log.debug("Simple signature validation succeeded with a request-derived credential"); return true; } } log.warn("Signature validation using request-derived credentials failed"); return false; } } catch (SecurityException e) { log.warn("There was an error evaluating the request's simple signature using the trust engine", e); throw new SecurityPolicyException("Error during trust engine evaluation of the simple signature", e); } }
Example #20
Source File: SignatureValidationFilter.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Build the criteria set which will be used as input to the configured trust engine. * * @param signedMetadata the metadata element whose signature is being verified * @param metadataEntryName the EntityDescriptor entityID, EntitiesDescriptor Name, * AffiliationDescriptor affiliationOwnerID, * or RoleDescriptor {@link #getRoleIDToken(String, RoleDescriptor)} * corresponding to the element whose signature is being evaluated. * This is used exclusively for logging/debugging purposes and * should not be used operationally (e.g. for building the criteria set). * @param isEntityGroup flag indicating whether the signed object is a metadata group (EntitiesDescriptor) * @return the newly constructed criteria set */ protected CriteriaSet buildCriteriaSet(SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) { CriteriaSet newCriteriaSet = new CriteriaSet(); if (getDefaultCriteria() != null) { newCriteriaSet.addAll( getDefaultCriteria() ); } if (!newCriteriaSet.contains(UsageCriteria.class)) { newCriteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); } // TODO how to handle adding dynamic entity ID and/or other criteria for trust engine consumption? // // Have 4 signed metadata types: // 1) EntitiesDescriptor // 2) EntityDescriptor // 3) RoleDescriptor // 4) AffiliationDescriptor // // Logic will likely vary for how to specify criteria to trust engine for different types + specific use cases, // e.g. for federation metadata publishers of EntitiesDescriptors vs. "self-signed" EntityDescriptors. // May need to delegate to more specialized subclasses. return newCriteriaSet; }
Example #21
Source File: SignatureValidationFilter.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Evaluate the signature on the signed metadata instance. * * @param signedMetadata the metadata object whose signature is to be verified * @param metadataEntryName the EntityDescriptor entityID, EntitiesDescriptor Name, * AffiliationDescriptor affiliationOwnerID, * or RoleDescriptor {@link #getRoleIDToken(String, RoleDescriptor)} * corresponding to the element whose signature is being evaluated. * This is used exclusively for logging/debugging purposes and * should not be used operationally (e.g. for building a criteria set). * @param isEntityGroup flag indicating whether the signed object is a metadata group (EntitiesDescriptor), * primarily useful for constructing a criteria set for the trust engine * @throws FilterException thrown if the metadata entry's signature can not be established as trusted, * or if an error occurs during the signature verification process */ protected void verifySignature(SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) throws FilterException { log.debug("Verifying signature on metadata entry: {}", metadataEntryName); Signature signature = signedMetadata.getSignature(); if (signature == null) { // We shouldn't ever be calling this on things that aren't actually signed, but just to be safe... log.warn("Signature was null, skipping processing on metadata entry: {}", metadataEntryName); return; } performPreValidation(signature, metadataEntryName); CriteriaSet criteriaSet = buildCriteriaSet(signedMetadata, metadataEntryName, isEntityGroup); try { if ( getSignatureTrustEngine().validate(signature, criteriaSet) ) { log.trace("Signature trust establishment succeeded for metadata entry {}", metadataEntryName); return; } else { log.error("Signature trust establishment failed for metadata entry {}", metadataEntryName); throw new FilterException("Signature trust establishment failed for metadata entry"); } } catch (SecurityException e) { // Treat evaluation errors as fatal log.error("Error processing signature verification for metadata entry '{}': {} ", metadataEntryName, e.getMessage()); throw new FilterException("Error processing signature verification for metadata entry", e); } }
Example #22
Source File: PostBindingAdapter.java From MaxKey with Apache License 2.0 | 5 votes |
public void buildCredentialResolver(CredentialResolver credentialResolver) throws Exception{ this.credentialResolver=credentialResolver; CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EntityIDCriteria(getKeyStoreLoader().getEntityName())); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); try { signingCredential = credentialResolver.resolveSingle(criteriaSet); } catch (SecurityException e) { logger.error("Credential Resolver error . ", e); throw new Exception(e); } Validate.notNull(signingCredential); }
Example #23
Source File: ChainingSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** {@inheritDoc} */ public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException { for (SignatureTrustEngine engine : engines) { if (engine.validate(token, trustBasisCriteria)) { log.debug("Signature was trusted by chain member: {}", engine.getClass().getName()); return true; } } return false; }
Example #24
Source File: ChainingCredentialResolver.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Constructor. * * @param resolver the chaining parent of this iterable * @param criteriaSet the set of criteria which is input to the underyling resolvers */ public CredentialIterator(ChainingCredentialResolver resolver, CriteriaSet criteriaSet) { parent = resolver; critSet = criteriaSet; resolverIterator = parent.getResolverChain().iterator(); credentialIterator = getNextCredentialIterator(); nextCredential = null; }
Example #25
Source File: KeyStoreCredentialResolver.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Check that required credential criteria are available. * * @param criteriaSet the credential criteria set to evaluate */ protected void checkCriteriaRequirements(CriteriaSet criteriaSet) { EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class); if (entityCriteria == null) { log.error("EntityIDCriteria was not specified in the criteria set, resolution can not be attempted"); throw new IllegalArgumentException("No EntityIDCriteria was available in criteria set"); } }
Example #26
Source File: BaseSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Check the signature and credential criteria for required values. * * @param signature the signature to be evaluated * @param trustBasisCriteria the set of trusted credential criteria * @throws SecurityException thrown if required values are absent or otherwise invalid */ protected void checkParams(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException { if (signature == null) { throw new SecurityException("Signature was null"); } if (trustBasisCriteria == null) { throw new SecurityException("Trust basis criteria set was null"); } if (trustBasisCriteria.isEmpty()) { throw new SecurityException("Trust basis criteria set was empty"); } }
Example #27
Source File: ClientCertAuthRule.java From lams with GNU General Public License v2.0 | 5 votes |
/** {@inheritDoc} */ protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException { CriteriaSet criteriaSet = new CriteriaSet(); if (!DatatypeHelper.isEmpty(entityID)) { criteriaSet.add(new EntityIDCriteria(entityID)); } criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); return criteriaSet; }
Example #28
Source File: BaseSignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** * Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo. If any * credentials so resolved correctly verify the signature, attempt to establish trust using subclass-specific trust * logic against trusted information as implemented in {@link #evaluateTrust(Credential, Object)}. * * @param signature the Signature to evaluate * @param trustBasis the information which serves as the basis for trust evaluation * @return true if the signature is verified by any KeyInfo-derived credential which can be established as trusted, * otherwise false * @throws SecurityException if an error occurs during signature verification or trust processing */ protected boolean validate(Signature signature, TrustBasisType trustBasis) throws SecurityException { log.debug("Attempting to verify signature and establish trust using KeyInfo-derived credentials"); if (signature.getKeyInfo() != null) { KeyInfoCriteria keyInfoCriteria = new KeyInfoCriteria(signature.getKeyInfo()); CriteriaSet keyInfoCriteriaSet = new CriteriaSet(keyInfoCriteria); for (Credential kiCred : getKeyInfoResolver().resolve(keyInfoCriteriaSet)) { if (verifySignature(signature, kiCred)) { log.debug("Successfully verified signature using KeyInfo-derived credential"); log.debug("Attempting to establish trust of KeyInfo-derived credential"); if (evaluateTrust(kiCred, trustBasis)) { log.debug("Successfully established trust of KeyInfo-derived credential"); return true; } else { log.debug("Failed to establish trust of KeyInfo-derived credential"); } } } } else { log.debug("Signature contained no KeyInfo element, could not resolve verification credentials"); } log.debug("Failed to verify signature and/or establish trust using any KeyInfo-derived credentials"); return false; }
Example #29
Source File: ExplicitKeySignatureTrustEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/** {@inheritDoc} */ public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException { checkParams(signature, trustBasisCriteria); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.addAll(trustBasisCriteria); if (!criteriaSet.contains(UsageCriteria.class)) { criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); } String jcaAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signature.getSignatureAlgorithm()); if (!DatatypeHelper.isEmpty(jcaAlgorithm)) { criteriaSet.add(new KeyAlgorithmCriteria(jcaAlgorithm), true); } Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteriaSet); if (validate(signature, trustedCredentials)) { return true; } // If the credentials extracted from Signature's KeyInfo (if any) did not verify the // signature and/or establish trust, as a fall back attempt to verify the signature with // the trusted credentials directly. log.debug("Attempting to verify signature using trusted credentials"); for (Credential trustedCredential : trustedCredentials) { if (verifySignature(signature, trustedCredential)) { log.debug("Successfully verified signature using resolved trusted credential"); return true; } } log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials"); return false; }
Example #30
Source File: AbstractCriteriaFilteringCredentialResolver.java From lams with GNU General Public License v2.0 | 5 votes |
/** {@inheritDoc} */ public Iterable<Credential> resolve(CriteriaSet criteriaSet) throws SecurityException { Iterable<Credential> storeCandidates = resolveFromSource(criteriaSet); Set<EvaluableCriteria<Credential>> evaluableCriteria = getEvaluableCriteria(criteriaSet); if (evaluableCriteria.isEmpty()) { return storeCandidates; } else { return new CriteriaFilteringIterable<Credential>(storeCandidates, evaluableCriteria, meetAllCriteria, unevaluableSatisfies); } }