Java Code Examples for org.apache.wss4j.common.crypto.Crypto#getX509Certificates()

The following examples show how to use org.apache.wss4j.common.crypto.Crypto#getX509Certificates(), taken from the Apache CXF and Fediz projects; each example is attributed to its source file. All of them look the certificate chain up by keystore alias (CryptoType.TYPE.ALIAS). The lookup can yield a null or empty array for an unknown alias, so, as several of the examples do, check the result before indexing certs[0] — the first element is the entity (leaf) certificate.
Example 1
Source File: SamlCallbackHandler.java (from cxf, Apache License 2.0)
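/**
 * Build the KeyInfo for the assertion from the configured keystore alias.
 *
 * Loads the Crypto instance named by {@code cryptoPropertiesFile}, looks up the
 * certificate chain for {@code cryptoAlias} and, depending on {@code keyInfoIdentifier},
 * embeds either the leaf certificate or only its public key. Any other identifier
 * value leaves the KeyInfoBean without key material.
 *
 * @return the populated KeyInfoBean
 * @throws Exception if the Crypto instance cannot be loaded or the alias lookup fails
 * @throws IllegalStateException if no certificate is registered under {@code cryptoAlias}
 */
protected KeyInfoBean createKeyInfo() throws Exception {
    Crypto crypto =
        CryptoFactory.getInstance(cryptoPropertiesFile);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(cryptoAlias);
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // The lookup may return null or an empty array for an unknown alias; fail with a
    // clear message instead of a NullPointerException/ArrayIndexOutOfBounds on certs[0].
    if (certs == null || certs.length == 0) {
        throw new IllegalStateException("No certificate found for alias: " + cryptoAlias);
    }

    KeyInfoBean keyInfo = new KeyInfoBean();
    keyInfo.setCertIdentifer(keyInfoIdentifier);
    if (keyInfoIdentifier == CERT_IDENTIFIER.X509_CERT) {
        // certs[0] is the entity (leaf) certificate of the chain
        keyInfo.setCertificate(certs[0]);
    } else if (keyInfoIdentifier == CERT_IDENTIFIER.KEY_VALUE) {
        keyInfo.setPublicKey(certs[0].getPublicKey());
    }

    return keyInfo;
}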
 
Example 2
Source File: CertsUtils.java (from cxf-fediz, Apache License 2.0)
/**
 * Load an X.509 Certificate from a WSS4J Crypto instance using a keystore alias.
 *
 * When {@code keyAlias} is null or empty, the Crypto instance's default X.509
 * identifier is used instead. Only the first (leaf) certificate of the chain is
 * returned.
 *
 * @param crypto   WSS4J Crypto instance backing the keystore
 * @param keyAlias keystore alias, or null/empty to use the default identifier
 * @return the leaf certificate registered under the resolved alias
 * @throws WSSecurityException if the Crypto lookup fails
 * @throws RuntimeException if no alias can be resolved or no certificate is found
 */
public static X509Certificate getX509CertificateFromCrypto(Crypto crypto, String keyAlias)
    throws WSSecurityException {
    String alias = keyAlias;
    if (alias == null || alias.isEmpty()) {
        alias = crypto.getDefaultX509Identifier();
    }
    if (alias == null) {
        throw new RuntimeException("No keystore alias was specified to sign the metadata");
    }

    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias(alias);
    X509Certificate[] chain = crypto.getX509Certificates(byAlias);
    boolean found = chain != null && chain.length > 0;
    if (!found) {
        throw new RuntimeException(
                "No issuer certs were found to sign the metadata using issuer name: "
                        + alias);
    }
    return chain[0];
}
 
Example 3
Source File: SamlCallbackHandler.java (from cxf, Apache License 2.0)
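/**
 * Build the KeyInfo for the assertion from the configured keystore alias.
 *
 * Loads the Crypto instance named by {@code cryptoPropertiesFile}, looks up the
 * certificate chain for {@code cryptoAlias} and, depending on {@code keyInfoIdentifier},
 * embeds either the leaf certificate or only its public key. Any other identifier
 * value leaves the KeyInfoBean without key material.
 *
 * @return the populated KeyInfoBean
 * @throws Exception if the Crypto instance cannot be loaded or the alias lookup fails
 * @throws IllegalStateException if no certificate is registered under {@code cryptoAlias}
 */
protected KeyInfoBean createKeyInfo() throws Exception {
    Crypto crypto =
        CryptoFactory.getInstance(cryptoPropertiesFile);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(cryptoAlias);
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // The lookup may return null or an empty array for an unknown alias; fail with a
    // clear message instead of a NullPointerException/ArrayIndexOutOfBounds on certs[0].
    if (certs == null || certs.length == 0) {
        throw new IllegalStateException("No certificate found for alias: " + cryptoAlias);
    }

    KeyInfoBean keyInfo = new KeyInfoBean();
    keyInfo.setCertIdentifer(keyInfoIdentifier);
    if (keyInfoIdentifier == CERT_IDENTIFIER.X509_CERT) {
        // certs[0] is the entity (leaf) certificate of the chain
        keyInfo.setCertificate(certs[0]);
    } else if (keyInfoIdentifier == CERT_IDENTIFIER.KEY_VALUE) {
        keyInfo.setPublicKey(certs[0].getPublicKey());
    }

    return keyInfo;
}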
 
Example 4
Source File: SimpleBatchSTSClient.java (from cxf, Apache License 2.0)
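/**
 * Resolve the client's X.509 certificate from the given Crypto instance.
 *
 * The keystore alias is taken from the {@code STS_TOKEN_USERNAME} property, falling
 * back to the Crypto instance's default X.509 identifier. Only the leaf certificate
 * (first element of the chain) is returned.
 *
 * @param crypto the client's Crypto instance (keystore); must not be null
 * @return the leaf certificate registered under the resolved alias
 * @throws Fault if no Crypto is available, no alias can be resolved, or no certificate is found
 * @throws Exception if the Crypto lookup itself fails
 */
protected X509Certificate getCert(Crypto crypto) throws Exception {
    // Same guard as AbstractSTSClient.getCert: report a clear Fault rather than an
    // NPE from crypto.getDefaultX509Identifier() when no Crypto was configured.
    if (crypto == null) {
        throw new Fault("No Crypto token properties are available to retrieve a certificate",
                        LOG);
    }

    String alias = (String)getProperty(SecurityConstants.STS_TOKEN_USERNAME);
    if (alias == null) {
        alias = crypto.getDefaultX509Identifier();
    }
    if (alias == null) {
        throw new Fault("No alias specified for retrieving PublicKey", LOG);
    }
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(alias);

    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    if (certs == null || certs.length == 0) {
        throw new Fault("Could not get X509Certificate for alias " + alias, LOG);
    }
    return certs[0];
}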
 
Example 5
Source File: SamlRoleCallbackHandler.java (from cxf, Apache License 2.0)
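/**
 * Build the KeyInfo for the assertion from the "alice" test keystore.
 *
 * The Crypto properties file and alias are hard-coded test fixtures. Depending on
 * {@code keyInfoIdentifier}, either the leaf certificate or only its public key is
 * embedded; any other identifier value leaves the KeyInfoBean without key material.
 *
 * @return the populated KeyInfoBean
 * @throws Exception if the Crypto instance cannot be loaded or the alias lookup fails
 * @throws IllegalStateException if no certificate is registered under the "alice" alias
 */
protected KeyInfoBean createKeyInfo() throws Exception {
    Crypto crypto =
        CryptoFactory.getInstance("alice.properties");
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("alice");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // The lookup may return null or an empty array for an unknown alias; fail with a
    // clear message instead of a NullPointerException/ArrayIndexOutOfBounds on certs[0].
    if (certs == null || certs.length == 0) {
        throw new IllegalStateException("No certificate found for alias: alice");
    }

    KeyInfoBean keyInfo = new KeyInfoBean();
    keyInfo.setCertIdentifer(keyInfoIdentifier);
    if (keyInfoIdentifier == CERT_IDENTIFIER.X509_CERT) {
        // certs[0] is the entity (leaf) certificate of the chain
        keyInfo.setCertificate(certs[0]);
    } else if (keyInfoIdentifier == CERT_IDENTIFIER.KEY_VALUE) {
        keyInfo.setPublicKey(certs[0].getPublicKey());
    }

    return keyInfo;
}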
 
Example 6
Source File: AbstractSTSClient.java (from cxf, Apache License 2.0)
/**
 * Resolve the client's X.509 certificate from the given Crypto instance.
 *
 * The keystore alias comes from the {@code STS_TOKEN_USERNAME} property, or from the
 * Crypto instance's default X.509 identifier when that property is unset. Only the
 * leaf certificate (first element of the chain) is returned.
 *
 * @param crypto the client's Crypto instance (keystore)
 * @return the leaf certificate registered under the resolved alias
 * @throws Fault if no Crypto is available, no alias can be resolved, or no certificate is found
 * @throws Exception if the Crypto lookup itself fails
 */
protected X509Certificate getCert(Crypto crypto) throws Exception {
    if (crypto == null) {
        throw new Fault("No Crypto token properties are available to retrieve a certificate",
                        LOG);
    }

    String configured = (String)getProperty(SecurityConstants.STS_TOKEN_USERNAME);
    String alias = configured != null ? configured : crypto.getDefaultX509Identifier();
    if (alias == null) {
        throw new Fault("No alias specified for retrieving PublicKey", LOG);
    }

    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias(alias);
    X509Certificate[] chain = crypto.getX509Certificates(byAlias);
    boolean found = chain != null && chain.length > 0;
    if (!found) {
        throw new Fault("Could not get X509Certificate for alias " + alias, LOG);
    }
    return chain[0];
}
 
Example 7
Source File: IssueSamlUnitTest.java (from cxf, Apache License 2.0)
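/**
 * Build a UseKey element carrying the certificate registered under {@code alias}.
 *
 * The leaf certificate is DER-encoded, Base64-encoded and wrapped in a
 * {@code ds:X509Data/ds:X509Certificate} element in the XML-Signature namespace.
 *
 * @param crypto WSS4J Crypto instance holding the certificate
 * @param alias  keystore alias to look up
 * @return the UseKeyType whose content is the ds:X509Data element
 * @throws Exception if the lookup or the certificate encoding fails
 * @throws IllegalStateException if no certificate is registered under the alias
 */
private UseKeyType createUseKey(Crypto crypto, String alias) throws Exception {
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(alias);
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // Fail clearly instead of NPE/ArrayIndexOutOfBounds on certs[0] for an unknown alias
    if (certs == null || certs.length == 0) {
        throw new IllegalStateException("No certificate found for alias: " + alias);
    }

    Document doc = DOMUtils.getEmptyDocument();
    Element x509Data = doc.createElementNS(WSS4JConstants.SIG_NS, "ds:X509Data");
    x509Data.setAttributeNS(WSS4JConstants.XMLNS_NS, "xmlns:ds", WSS4JConstants.SIG_NS);
    Element x509Cert = doc.createElementNS(WSS4JConstants.SIG_NS, "ds:X509Certificate");
    // The MIME encoder inserts CRLF line breaks every 76 characters; base64Binary
    // content permits embedded whitespace, so the value remains parseable.
    Text certText = doc.createTextNode(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
    x509Cert.appendChild(certText);
    x509Data.appendChild(x509Cert);

    UseKeyType useKey = new UseKeyType();
    useKey.setAny(x509Data);

    return useKey;
}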
 
Example 8
Source File: AbstractBindingBuilder.java (from cxf, Apache License 2.0)
/**
 * Return the Crypto instance used for encryption, caching it on the exchange.
 *
 * When the {@code ENABLE_REVOCATION} security property is set to true, the encryption
 * certificate (alias from {@code ENCRYPT_USERNAME}, else the Crypto's default X.509
 * identifier) is first passed through {@code Crypto.verifyTrust} with revocation
 * checking enabled. No subject/issuer DN constraints are applied to that check.
 *
 * @return the encryption Crypto instance, or null if none is configured
 * @throws WSSecurityException if the certificate lookup or trust verification fails
 * @throws Fault if the default X.509 identifier cannot be determined
 */
public Crypto getEncryptionCrypto() throws WSSecurityException {
    Crypto crypto =
        getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);

    // Revocation checking is off unless the property is present and parses as true.
    String revocationProperty =
        (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
    boolean enableRevocation =
        revocationProperty != null && Boolean.parseBoolean(revocationProperty);

    if (enableRevocation && crypto != null) {
        String encryptionUser =
            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
        if (encryptionUser == null) {
            try {
                encryptionUser = crypto.getDefaultX509Identifier();
            } catch (WSSecurityException e1) {
                throw new Fault(e1);
            }
        }
        CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
        byAlias.setAlias(encryptionUser);
        X509Certificate[] chain = crypto.getX509Certificates(byAlias);
        // NOTE(review): when no certificate is found for the alias the trust/revocation
        // check is skipped silently here; presumably the later encryption step fails
        // on the same missing certificate — confirm.
        if (chain != null && chain.length > 0) {
            crypto.verifyTrust(chain, enableRevocation, null, null);
        }
    }

    if (crypto != null) {
        this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
    }
    return crypto;
}
 
Example 9
Source File: SAML2CallbackHandler.java (from cxf, Apache License 2.0)
/**
 * Test callback handler producing a sender-vouches SAML 2.0 assertion for "alice".
 *
 * The certificate chain for the "alice" alias is loaded from "alice.properties" only
 * when {@code certs} is not already populated (presumably a shared/static cache —
 * confirm at the field declaration).
 *
 * @throws Exception if the Crypto instance or the certificate chain cannot be loaded
 */
public SAML2CallbackHandler() throws Exception {
    boolean needCerts = certs == null;
    if (needCerts) {
        Crypto aliceCrypto = CryptoFactory.getInstance("alice.properties");
        CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
        byAlias.setAlias("alice");
        certs = aliceCrypto.getX509Certificates(byAlias);
    }

    this.subjectName = "uid=alice,ou=people,ou=saml-demo,o=example.com";
    this.subjectQualifier = "www.example.com";
    this.confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
}
 
Example 10
Source File: JWTTokenProviderTest.java (from cxf, Apache License 2.0)
/**
 * Issue a signed JWT through the JWTTokenProvider, then check the standard claims
 * and verify the RS256 signature against the STS signing certificate.
 */
@org.junit.Test
public void testCreateSignedJWT() throws Exception {
    JWTTokenProvider provider = new JWTTokenProvider();
    provider.setSignToken(true);
    TokenProvider jwtTokenProvider = provider;

    TokenProviderParameters providerParameters = createProviderParameters();
    assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));

    TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertNotNull(providerResponse.getToken());
    assertNotNull(providerResponse.getTokenId());

    String token = (String)providerResponse.getToken();
    assertNotNull(token);
    // Compact JWS serialisation: header.payload.signature
    String[] segments = token.split("\\.");
    Assert.assertEquals(3, segments.length);

    // Validate the claims
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
    JwtToken jwt = jwtConsumer.getJwtToken();
    Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
    long issuedAt = providerResponse.getCreated().getEpochSecond();
    long expiresAt = providerResponse.getExpires().getEpochSecond();
    Assert.assertEquals(issuedAt, jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    Assert.assertEquals(expiresAt, jwt.getClaim(JwtConstants.CLAIM_EXPIRY));

    // Verify the signature with the STS signing certificate. The expected algorithm is
    // passed explicitly rather than taken from the token's own header.
    Crypto signatureCrypto = providerParameters.getStsProperties().getSignatureCrypto();
    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias(providerParameters.getStsProperties().getSignatureUsername());
    X509Certificate[] signingChain = signatureCrypto.getX509Certificates(byAlias);
    assertNotNull(signingChain);

    assertTrue(jwtConsumer.verifySignatureWith(signingChain[0], SignatureAlgorithm.RS256));
}
 
Example 11
Source File: RSSecurityUtils.java (from cxf, Apache License 2.0)
/**
 * Look up the full certificate chain registered under a keystore alias.
 *
 * @param crypto WSS4J Crypto instance backing the keystore; must not be null
 * @param user   keystore alias to look up
 * @return the non-empty certificate chain for the alias (leaf certificate first)
 * @throws Exception if {@code crypto} is null, the lookup fails, or no certificate is found
 */
public static X509Certificate[] getCertificates(Crypto crypto, String user)
    throws Exception {
    if (crypto == null) {
        throw new Exception("Crypto instance is null");
    }
    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias(user);
    X509Certificate[] chain = crypto.getX509Certificates(byAlias);
    boolean found = chain != null && chain.length > 0;
    if (!found) {
        throw new Exception(
            "No issuer certs were found using issuer name: " + user);
    }
    return chain;
}
 
Example 12
Source File: X509TokenValidatorTest.java (from cxf, Apache License 2.0)
/**
 * Test an invalid certificate: a BinarySecurityToken carrying the "eve" certificate,
 * which is not trusted by the validator's configuration, must be reported as INVALID.
 */
@org.junit.Test
public void testInvalidCertificate() throws Exception {
    TokenValidator x509TokenValidator = new X509TokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Load the untrusted ("eve") certificate from its own keystore
    Crypto eveCrypto = CryptoFactory.getInstance(getEveCryptoProperties());
    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias("eve");
    X509Certificate[] eveChain = eveCrypto.getX509Certificates(byAlias);
    assertTrue(eveChain != null && eveChain.length > 0);

    // Wrap it in an X.509v3 BinarySecurityToken as the ValidateTarget
    BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
    String encodedCert = Base64.getMimeEncoder().encodeToString(eveChain[0].getEncoded());
    binarySecurityToken.setValue(encodedCert);
    binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
    binarySecurityToken.setEncodingType(WSS4JConstants.SOAPMESSAGE_NS + "#Base64Binary");
    JAXBElement<BinarySecurityTokenType> tokenType =
        new JAXBElement<BinarySecurityTokenType>(
            QNameConstants.BINARY_SECURITY_TOKEN, BinarySecurityTokenType.class, binarySecurityToken
        );

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(x509TokenValidator.canHandleToken(validateTarget));

    // The untrusted certificate must not validate
    TokenValidatorResponse validatorResponse = x509TokenValidator.validateToken(validatorParameters);
    assertNotNull(validatorResponse);
    assertNotNull(validatorResponse.getToken());
    Assert.assertEquals(STATE.INVALID, validatorResponse.getToken().getState());
}
 
Example 13
Source File: IssueJWTRealmUnitTest.java (from cxf, Apache License 2.0)
/**
 * Check a compact JWT's issuer claim and verify its RS256 signature against the
 * certificate registered under {@code sigUsername} in {@code sigCrypto}.
 *
 * @param token       compact-serialised JWS/JWT
 * @param issuer      expected value of the "iss" claim
 * @param sigUsername keystore alias of the expected signing certificate
 * @param sigCrypto   Crypto instance holding that certificate
 * @throws Exception if the certificate lookup fails
 */
private void validateToken(String token, String issuer, String sigUsername, Crypto sigCrypto) throws Exception {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
    JwtToken jwt = jwtConsumer.getJwtToken();
    Assert.assertEquals(issuer, jwt.getClaim(JwtConstants.CLAIM_ISSUER));

    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias(sigUsername);
    X509Certificate[] signingChain = sigCrypto.getX509Certificates(byAlias);
    assertNotNull(signingChain);

    // The expected algorithm is pinned explicitly rather than read from the token header
    X509Certificate signingCert = signingChain[0];
    assertTrue(jwtConsumer.verifySignatureWith(signingCert, SignatureAlgorithm.RS256));
}
 
Example 14
Source File: SAML2CallbackHandler.java (from cxf, Apache License 2.0)
/**
 * Test callback handler producing a sender-vouches SAML 2.0 assertion for subject "joe".
 *
 * The certificate chain is loaded from "alice.properties" under the "alice" alias,
 * and only when {@code certs} is not already populated (presumably a shared/static
 * cache — confirm at the field declaration). Note the subject ("joe") deliberately
 * differs from the keystore alias ("alice").
 *
 * @throws Exception if the Crypto instance or the certificate chain cannot be loaded
 */
public SAML2CallbackHandler() throws Exception {
    boolean needCerts = certs == null;
    if (needCerts) {
        Crypto aliceCrypto = CryptoFactory.getInstance("alice.properties");
        CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
        byAlias.setAlias("alice");
        certs = aliceCrypto.getX509Certificates(byAlias);
    }

    this.subjectName = "uid=joe,ou=people,ou=saml-demo,o=example.com";
    this.subjectQualifier = "www.example.com";
    this.confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
}
 
Example 15
Source File: SAMLResponseValidatorTest.java (from cxf, Apache License 2.0)
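/**
 * Sign a SAML Response with the issuer's private key (test helper).
 *
 * Looks up the certificate chain for {@code issuerKeyName} in {@code issuerCrypto},
 * selects RSA-SHA1 or DSA depending on the key type, attaches the Signature to the
 * Response and releases the cached DOM (presumably so the object is re-marshalled
 * with the signature on next serialisation — confirm against OpenSAML).
 *
 * @param response          the SAML Response to sign
 * @param issuerKeyName     keystore alias of the signing key
 * @param issuerKeyPassword password protecting that key
 * @param issuerCrypto      WSS4J Crypto instance holding the key and certificate
 * @param useKeyInfo        whether to embed the signing certificate in ds:KeyInfo
 * @throws Exception if no certificate is found for the alias or KeyInfo generation fails
 */
private void signResponse(
    Response response,
    String issuerKeyName,
    String issuerKeyPassword,
    Crypto issuerCrypto,
    boolean useKeyInfo
) throws Exception {
    //
    // Create the signature
    //
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    // prepare to sign the SAML token
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(issuerKeyName);
    X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
    // An empty array is possible as well as null; without this guard issuerCerts[0]
    // below would throw ArrayIndexOutOfBoundsException instead of a clear error.
    if (issuerCerts == null || issuerCerts.length == 0) {
        throw new Exception(
                "No issuer certs were found to sign the SAML Assertion using issuer name: "
                        + issuerKeyName);
    }

    // NOTE(review): RSA-SHA1 is a legacy signature method kept for these test fixtures;
    // production signing should use an RSA-SHA256 (or stronger) method.
    String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();

    if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
        sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
    }

    PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);

    signature.setSignatureAlgorithm(sigAlgo);

    BasicX509Credential signingCredential =
        new BasicX509Credential(issuerCerts[0], privateKey);
    signature.setSigningCredential(signingCredential);

    if (useKeyInfo) {
        // Emit the entity (leaf) certificate so the verifier can locate the key
        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);

        try {
            KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
            signature.setKeyInfo(keyInfo);
        } catch (org.opensaml.security.SecurityException ex) {
            throw new Exception(
                    "Error generating KeyInfo from signing credential", ex);
        }
    }

    // add the signature to the response and drop the cached DOM
    SignableSAMLObject signableObject = response;
    signableObject.setSignature(signature);
    signableObject.releaseDOM();
    signableObject.releaseChildrenDOM(true);
}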
 
Example 16
Source File: SamlRedirectBindingFilter.java (from cxf, Apache License 2.0)
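/**
 * Sign a request according to the redirect binding spec for Web SSO.
 *
 * The signature is computed over the literal string
 * {@code SAMLRequest=<authnRequest>&RelayState=<relayState>&SigAlg=<url-encoded algorithm>}
 * and the {@code SigAlg} and {@code Signature} query parameters are appended to
 * {@code ub}. The configured signature algorithm is used unless the signing key is a
 * DSA key, in which case DSA-SHA1 is selected.
 *
 * @param authnRequest the AuthnRequest value as it will appear in the query string
 *                     (assumed already URL-encoded by the caller — TODO confirm)
 * @param relayState   the RelayState value as it will appear in the query string (same
 *                     assumption; note it is always included, even when null)
 * @param ub           builder for the redirect URL; receives SigAlg and Signature
 * @throws Exception if no certificate is found for the signature user or signing fails;
 *                   missing Crypto, user or CallbackHandler configuration is reported
 *                   as an internal server error via ExceptionUtils
 */
private void signRequest(
    String authnRequest,
    String relayState,
    UriBuilder ub
) throws Exception {
    Crypto crypto = getSignatureCrypto();
    if (crypto == null) {
        LOG.warning("No crypto instance of properties file configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    String signatureUser = getSignatureUsername();
    if (signatureUser == null) {
        LOG.warning("No user configured for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    CallbackHandler callbackHandler = getCallbackHandler();
    if (callbackHandler == null) {
        LOG.warning("No CallbackHandler configured to supply a password for signature");
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }

    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(signatureUser);
    X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType);
    // An empty array is possible as well as null; without this guard issuerCerts[0]
    // below would throw ArrayIndexOutOfBoundsException instead of a clear error.
    if (issuerCerts == null || issuerCerts.length == 0) {
        throw new Exception(
            "No issuer certs were found to sign the request using name: " + signatureUser
        );
    }

    // Only a DSA key overrides the configured algorithm
    String sigAlgo = getSignatureAlgorithm();
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
    LOG.fine("automatic sig algo detection: " + pubKeyAlgo);
    if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
        sigAlgo = SSOConstants.DSA_SHA1;
    }

    LOG.fine("Using Signature algorithm " + sigAlgo);
    ub.queryParam(SSOConstants.SIG_ALG, URLEncoder.encode(sigAlgo, StandardCharsets.UTF_8.name()));

    // Get the password for the signing key from the configured CallbackHandler
    WSPasswordCallback[] cb = {new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE)};
    callbackHandler.handle(cb);
    String password = cb[0].getPassword();

    // Get the private key
    PrivateKey privateKey = crypto.getPrivateKey(signatureUser, password);

    // Sign the request. The SigAlg value is URL-encoded inside the signed string so that
    // it matches the parameter value appended to the query above.
    String jceSigAlgo = JCEMapper.translateURItoJCEID(sigAlgo);
    Signature signature = Signature.getInstance(jceSigAlgo);
    signature.initSign(privateKey);

    String requestToSign =
        SSOConstants.SAML_REQUEST + "=" + authnRequest + "&"
        + SSOConstants.RELAY_STATE + "=" + relayState + "&"
        + SSOConstants.SIG_ALG + "=" + URLEncoder.encode(sigAlgo, StandardCharsets.UTF_8.name());

    signature.update(requestToSign.getBytes(StandardCharsets.UTF_8));
    byte[] signBytes = signature.sign();

    String encodedSignature = Base64.getEncoder().encodeToString(signBytes);

    // Best-effort scrub of the private key from memory. Many JCE key implementations
    // do not support destroy() and throw DestroyFailedException; that is deliberately
    // ignored because there is nothing further the caller can do.
    try {
        privateKey.destroy();
    } catch (DestroyFailedException ignored) {
        // key implementation does not support destruction
    }

    ub.queryParam(SSOConstants.SIGNATURE, URLEncoder.encode(encodedSignature, StandardCharsets.UTF_8.name()));

}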
 
Example 17
Source File: IssueJWTOnbehalfofUnitTest.java (from cxf, Apache License 2.0)
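/**
 * Build TokenProviderParameters for an OnBehalfOf JWT issuance test.
 *
 * The received credential is the certificate registered under the hard-coded
 * "myclientkey" alias; the STS properties use the same Crypto instance for both
 * signature and encryption, with "myservicekey" as the encryption alias.
 *
 * @param tokenType         requested token type
 * @param keyType           requested key type
 * @param crypto            Crypto instance holding the client, STS and service keys
 * @param signatureUsername STS signing alias
 * @param callbackHandler   supplies the signing key password
 * @return the populated parameters with a mocked-up message context
 * @throws WSSecurityException if the certificate lookup fails
 * @throws IllegalStateException if no certificate is registered under "myclientkey"
 */
private TokenProviderParameters createProviderParameters(
        String tokenType, String keyType, Crypto crypto,
        String signatureUsername, CallbackHandler callbackHandler
) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();

    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);

    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);

    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // Fail clearly instead of NPE/ArrayIndexOutOfBounds on certs[0] for a missing alias
    if (certs == null || certs.length == 0) {
        throw new IllegalStateException("No certificate found for alias: myclientkey");
    }
    ReceivedCredential receivedCredential = new ReceivedCredential();
    receivedCredential.setX509Cert(certs[0]);
    keyRequirements.setReceivedCredential(receivedCredential);

    parameters.setKeyRequirements(keyRequirements);

    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);

    parameters.setAppliesToAddress("http://dummy-service.com/dummy");

    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer("STS");
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setEncryptionCrypto(crypto);
    parameters.setStsProperties(stsProperties);

    parameters.setEncryptionProperties(new EncryptionProperties());

    return parameters;
}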
 
Example 18
Source File: SAMLSSOResponseValidatorTest.java (from cxf, Apache License 2.0)
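/**
 * Sign a SAML Response with the issuer's private key (test helper).
 *
 * Looks up the certificate chain for {@code issuerKeyName} in {@code issuerCrypto},
 * selects RSA-SHA1 or DSA depending on the key type, attaches the Signature to the
 * Response and releases the cached DOM (presumably so the object is re-marshalled
 * with the signature on next serialisation — confirm against OpenSAML).
 *
 * @param response          the SAML Response to sign
 * @param issuerKeyName     keystore alias of the signing key
 * @param issuerKeyPassword password protecting that key
 * @param issuerCrypto      WSS4J Crypto instance holding the key and certificate
 * @param useKeyInfo        whether to embed the signing certificate in ds:KeyInfo
 * @throws Exception if no certificate is found for the alias or KeyInfo generation fails
 */
private void signResponse(
    Response response,
    String issuerKeyName,
    String issuerKeyPassword,
    Crypto issuerCrypto,
    boolean useKeyInfo
) throws Exception {
    //
    // Create the signature
    //
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    // prepare to sign the SAML token
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(issuerKeyName);
    X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
    // An empty array is possible as well as null; without this guard issuerCerts[0]
    // below would throw ArrayIndexOutOfBoundsException instead of a clear error.
    if (issuerCerts == null || issuerCerts.length == 0) {
        throw new Exception(
                "No issuer certs were found to sign the SAML Assertion using issuer name: "
                        + issuerKeyName);
    }

    // NOTE(review): RSA-SHA1 is a legacy signature method kept for these test fixtures;
    // production signing should use an RSA-SHA256 (or stronger) method.
    String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
    String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();

    if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
        sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
    }

    PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);

    signature.setSignatureAlgorithm(sigAlgo);

    BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);

    signature.setSigningCredential(signingCredential);

    if (useKeyInfo) {
        // Emit the entity (leaf) certificate so the verifier can locate the key
        X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
        kiFactory.setEmitEntityCertificate(true);

        try {
            KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
            signature.setKeyInfo(keyInfo);
        } catch (org.opensaml.security.SecurityException ex) {
            throw new Exception(
                    "Error generating KeyInfo from signing credential", ex);
        }
    }

    // add the signature to the response and drop the cached DOM
    SignableSAMLObject signableObject = response;
    signableObject.setSignature(signature);
    signableObject.releaseDOM();
    signableObject.releaseChildrenDOM(true);
}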
 
Example 19
Source File: JWTTokenProviderTest.java (from cxf, Apache License 2.0)
/**
 * Issue a JWT signed with RSASSA-PSS (PS256) and verify that the signature checks
 * out under PS256 but NOT under RS256 — i.e. the verifier honours the pinned algorithm.
 *
 * BouncyCastle is registered for the duration of the test and removed afterwards
 * (note: removed unconditionally, even if it was already registered beforehand).
 */
@org.junit.Test
public void testCreateSignedPSJWT() throws Exception {
    try {
        Security.addProvider(new BouncyCastleProvider());

        JWTTokenProvider provider = new JWTTokenProvider();
        provider.setSignToken(true);
        TokenProvider jwtTokenProvider = provider;

        TokenProviderParameters providerParameters = createProviderParameters();
        SignatureProperties sigProps = new SignatureProperties();
        sigProps.setSignatureAlgorithm(SignatureAlgorithm.PS256.name());
        providerParameters.getStsProperties().setSignatureProperties(sigProps);

        assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
        TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
        assertNotNull(providerResponse);
        assertNotNull(providerResponse.getToken());
        assertNotNull(providerResponse.getTokenId());

        String token = (String)providerResponse.getToken();
        assertNotNull(token);
        // Compact JWS serialisation: header.payload.signature
        String[] segments = token.split("\\.");
        Assert.assertEquals(3, segments.length);

        // Validate the claims
        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
        JwtToken jwt = jwtConsumer.getJwtToken();
        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
        Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
        long issuedAt = providerResponse.getCreated().getEpochSecond();
        long expiresAt = providerResponse.getExpires().getEpochSecond();
        Assert.assertEquals(issuedAt, jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
        Assert.assertEquals(expiresAt, jwt.getClaim(JwtConstants.CLAIM_EXPIRY));

        // Verify the signature with the STS signing certificate
        Crypto signatureCrypto = providerParameters.getStsProperties().getSignatureCrypto();
        CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
        byAlias.setAlias(providerParameters.getStsProperties().getSignatureUsername());
        X509Certificate[] signingChain = signatureCrypto.getX509Certificates(byAlias);
        assertNotNull(signingChain);
        X509Certificate signingCert = signingChain[0];

        // A PS256 signature must be rejected when RS256 is the pinned algorithm
        assertFalse(jwtConsumer.verifySignatureWith(signingCert, SignatureAlgorithm.RS256));
        assertTrue(jwtConsumer.verifySignatureWith(signingCert, SignatureAlgorithm.PS256));
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}
 
Example 20
Source File: ValidateX509TokenUnitTest.java (from cxf, Apache License 2.0)
/**
 * Test to successfully validate an X.509 token: the "myclientkey" certificate from the
 * STS keystore, wrapped in a BinarySecurityToken, is submitted as the ValidateTarget
 * of a Validate request and the response is checked with {@code validateResponse}.
 */
@org.junit.Test
public void testValidateX509Token() throws Exception {
    TokenValidateOperation validateOperation = new TokenValidateOperation();

    // Add Token Validator
    List<TokenValidator> validatorList = new ArrayList<>();
    validatorList.add(new X509TokenValidator());
    validateOperation.setTokenValidators(validatorList);

    // Add STSProperties object; one Crypto instance serves both signature and encryption
    Crypto stsCrypto = CryptoFactory.getInstance(getEncryptionProperties());
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    stsProperties.setEncryptionCrypto(stsCrypto);
    stsProperties.setSignatureCrypto(stsCrypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    validateOperation.setStsProperties(stsProperties);

    // Mock up a request asking for a STATUS token type
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType =
        new JAXBElement<String>(
            QNameConstants.TOKEN_TYPE, String.class, STSConstants.STATUS
        );
    request.getAny().add(tokenType);

    // Create a BinarySecurityToken from the client certificate
    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias("myclientkey");
    X509Certificate[] clientChain = stsCrypto.getX509Certificates(byAlias);
    assertTrue(clientChain != null && clientChain.length > 0);

    JAXBElement<BinarySecurityTokenType> binarySecurityTokenType =
        createBinarySecurityToken(clientChain[0]);
    ValidateTargetType validateTarget = new ValidateTargetType();
    validateTarget.setAny(binarySecurityTokenType);

    JAXBElement<ValidateTargetType> validateTargetType =
        new JAXBElement<ValidateTargetType>(
            QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget
        );
    request.getAny().add(validateTargetType);

    // Mock up message context carrying an authenticated principal
    Principal principal = new CustomTokenPrincipal("alice");
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    msgCtx.put(
        SecurityContext.class.getName(),
        createSecurityContext(principal)
    );

    // Validate a token
    RequestSecurityTokenResponseType response =
        validateOperation.validate(request, principal, msgCtx);
    assertTrue(validateResponse(response));
}