org.opensaml.xml.signature.SignatureConstants Java Examples

Example #1
Source File: DefaultSecurityConfigurationBootstrap.java — from lams (GNU General Public License v2.0)
/**
 * Populate signature-related parameters.
 *
 * <p>Every algorithm URI registered here belongs to the SHA-1 family (RSA-SHA1, DSA,
 * ECDSA-SHA1, HMAC-SHA1) and the reference digest is SHA-1. Deployments wanting
 * SHA-2 algorithms are expected to override these defaults after bootstrap, e.g.
 * {@code config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256)}.</p>
 *
 * @param config the security configuration to populate
 */
protected static void populateSignatureParams(BasicSecurityConfiguration config) {
    // {JCA key algorithm name, XML Signature algorithm URI}, registered in this order.
    final String[][] signatureAlgorithms = {
        // Asymmetric key algorithms
        {"RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1},
        {"DSA", SignatureConstants.ALGO_ID_SIGNATURE_DSA},
        {"EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1},
        // HMAC algorithms: symmetric key types are mapped to an HMAC signature URI
        {"AES", SignatureConstants.ALGO_ID_MAC_HMAC_SHA1},
        {"DESede", SignatureConstants.ALGO_ID_MAC_HMAC_SHA1},
    };
    for (String[] entry : signatureAlgorithms) {
        config.registerSignatureAlgorithmURI(entry[0], entry[1]);
    }

    // Other signature-related params
    config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    // No explicit HMAC output length is configured by default.
    config.setSignatureHMACOutputLength(null);
    config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1);
}
 
Example #2
Source File: Decrypter.java — from lams (GNU General Public License v2.0)
/**
 * Preprocess the EncryptedKey. For example, check for supported algorithms.
 *
 * <p>The only check performed here concerns RSA-OAEP key transport: when the
 * EncryptionMethod carries an explicit DigestMethod child, its algorithm URI must be
 * SHA-1, because Apache XML-Security only supports its internal, hard-coded SHA-1
 * default for OAEP. Any other digest URI is rejected up front with a
 * {@link DecryptionException}. Only the first DigestMethod child is examined.</p>
 *
 * @param encryptedKey encrypted key element containing the encrypted key to be decrypted
 * @param algorithm the algorithm associated with the decrypted key
 * @param kek the key encryption key with which to attempt decryption of the encrypted key
 *
 * @throws DecryptionException exception indicating a decryption error
 */
protected void preProcessEncryptedKey(EncryptedKey encryptedKey, String algorithm, Key kek)
        throws DecryptionException {

    String keyTransportAlgorithm = encryptedKey.getEncryptionMethod().getAlgorithm();
    if (!EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP.equals(keyTransportAlgorithm)) {
        // Only RSA-OAEP carries a digest method parameter that needs validating.
        return;
    }

    List<XMLObject> digestMethods =
        encryptedKey.getEncryptionMethod().getUnknownXMLObjects(DigestMethod.DEFAULT_ELEMENT_NAME);
    if (digestMethods.isEmpty()) {
        // No explicit DigestMethod: the library's SHA-1 default applies.
        return;
    }

    DigestMethod digestMethod = (DigestMethod) digestMethods.get(0);
    String digestAlgorithm = DatatypeHelper.safeTrimOrNullString(digestMethod.getAlgorithm());
    if (SignatureConstants.ALGO_ID_DIGEST_SHA1.equals(digestAlgorithm)) {
        return;
    }

    log.error("EncryptedKey/EncryptionMethod/DigestMethod contains unsupported algorithm URI: {}",
            digestMethod.getAlgorithm());
    throw new DecryptionException(
            "EncryptedKey/EncryptionMethod/DigestMethod contains unsupported algorithm URI");
}
 
Example #3
Source File: SAMLObjectContentReference.java — from lams (GNU General Public License v2.0)
/**
 * Constructor.
 *
 * <p>The reference digest method is taken from the global security configuration when
 * one is present and supplies a value; otherwise it falls back to
 * {@link SignatureConstants#ALGO_ID_DIGEST_SHA1}. The initial transform list is the
 * enveloped-signature transform followed by exclusive C14N (omitting comments).</p>
 *
 * @param newSignableObject the SAMLObject this reference refers to
 */
public SAMLObjectContentReference(SignableSAMLObject newSignableObject) {
    signableObject = newSignableObject;

    // Set defaults: prefer the globally configured reference digest method.
    if (Configuration.getGlobalSecurityConfiguration() != null) {
        digestAlgorithm = Configuration.getGlobalSecurityConfiguration().getSignatureReferenceDigestMethod();
    }
    // Fall back to SHA-1 when nothing was configured (or the configured value is null).
    if (digestAlgorithm == null) {
        digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
    }

    // Default transform chain, applied in this order.
    transforms = new LazyList<String>();
    transforms.add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
    transforms.add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
}
 
Example #4
Source File: SAMLObjectHelper.java — from lams (GNU General Public License v2.0)
/**
 * Examines the {@link SignableSAMLObject} for the need to declare non-visible namespaces
 * before marshalling and signing, and if required, performs the declarations.
 *
 * <p>
 * If the object does not already have a cached DOM, does have a signature attached,
 * and the signature contains a {@link SAMLObjectContentReference} with a transform of either
 * {@link SignatureConstants#TRANSFORM_C14N_EXCL_OMIT_COMMENTS}
 * or {@link SignatureConstants#TRANSFORM_C14N_EXCL_WITH_COMMENTS},
 * it declares on the object all non-visible namespaces
 * as determined by {@link NamespaceManager#getNonVisibleNamespaces()}.
 * </p>
 *
 * @param signableObject the signable SAML object to evaluate
 */
public static void declareNonVisibleNamespaces(SignableSAMLObject signableObject) {
    Logger log = getLogger();
    if (signableObject.getDOM() != null || signableObject.getSignature() == null) {
        // Already marshalled, or nothing to sign: no declarations needed.
        return;
    }

    log.debug("Examing signed object for content references with exclusive canonicalization transform");
    if (!hasExclusiveCanonicalizationTransform(signableObject)) {
        return;
    }

    log.debug("Saw exclusive transform, declaring non-visible namespaces on signed object");
    for (Namespace ns : signableObject.getNamespaceManager().getNonVisibleNamespaces()) {
        signableObject.getNamespaceManager().registerNamespaceDeclaration(ns);
    }
}

/**
 * Checks whether any {@link SAMLObjectContentReference} on the object's signature uses an
 * exclusive C14N transform (with or without comments).
 *
 * @param signableObject the signed object whose content references are inspected
 * @return true if at least one SAML content reference carries an exclusive C14N transform
 */
private static boolean hasExclusiveCanonicalizationTransform(SignableSAMLObject signableObject) {
    for (ContentReference cr : signableObject.getSignature().getContentReferences()) {
        if (!(cr instanceof SAMLObjectContentReference)) {
            // Other reference types carry no transform list we can inspect here.
            continue;
        }
        List<String> transforms = ((SAMLObjectContentReference) cr).getTransforms();
        if (transforms.contains(SignatureConstants.TRANSFORM_C14N_EXCL_WITH_COMMENTS)
                || transforms.contains(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)) {
            return true;
        }
    }
    return false;
}
 
Example #5
Source File: SamlHelper.java — from secure-data-service (Apache License 2.0)
/**
 * Builds an OpenSAML {@link Signature} bound to the credential derived from the given
 * keystore entry. The signature algorithm is fixed to RSA-SHA1; the remaining signing
 * parameters are filled in from the global security configuration.
 *
 * @param keystoreEntry the private key entry whose credential signs the artifact resolution request
 * @return the prepared, not yet computed, signature object
 * @throws IllegalArgumentException if preparing the signature parameters fails
 */
public Signature getDigitalSignature(KeyStore.PrivateKeyEntry keystoreEntry) {
    final Signature signature = (Signature) Configuration.getBuilderFactory()
            .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
            .buildObject(Signature.DEFAULT_ELEMENT_NAME);

    final Credential signingCredential = initializeCredentialsFromKeystore(keystoreEntry);
    signature.setSigningCredential(signingCredential);
    // RSA-SHA1 is hard-coded here rather than taken from the security configuration.
    signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

    final SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
    try {
        // Key info and any other unset parameters come from the global configuration.
        SecurityHelper.prepareSignatureParams(signature, signingCredential, secConfig, null);
    } catch (org.opensaml.xml.security.SecurityException ex) {
        LOG.error("Error composing artifact resolution request: Failed to generate digital signature");
        throw new IllegalArgumentException("Couldn't compose artifact resolution request", ex);
    }

    return signature;
}
 
Example #6
Source File: Encrypter.java — from lams (GNU General Public License v2.0)
/**
 * Post-process the Apache EncryptedKey, prior to marshalling to DOM and unmarshalling into an XMLObject.
 *
 * <p>Workaround for an XML-Security library issue: for RSA-OAEP key transport the library
 * uses a SHA-1 digest method internally but does not express it in the output. To maximize
 * interop, an explicit {@code DigestMethod} child with the SHA-1 URI is appended to the
 * EncryptionMethod unless one is already present.</p>
 *
 * @param apacheEncryptedKey the Apache EncryptedKeyObject to post-process
 * @param targetKey the key to encrypt
 * @param encryptionKey the key with which to encrypt the target key
 * @param encryptionAlgorithmURI the XML Encryption algorithm URI corresponding to the encryption key
 * @param containingDocument the document that will own the resulting element
 *
 * @throws EncryptionException exception thrown on encryption errors
 */
protected void postProcessApacheEncryptedKey(org.apache.xml.security.encryption.EncryptedKey apacheEncryptedKey,
        Key targetKey, Key encryptionKey, String encryptionAlgorithmURI, Document containingDocument)
        throws EncryptionException {

    if (!EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP.equals(encryptionAlgorithmURI)) {
        // Only RSA-OAEP takes a digest method parameter.
        return;
    }

    // Check whether the library already emitted a DigestMethod child (currently it does not).
    Iterator<?> children = apacheEncryptedKey.getEncryptionMethod().getEncryptionMethodInformation();
    boolean hasDigestMethod = false;
    while (!hasDigestMethod && children.hasNext()) {
        Element child = (Element) children.next();
        hasDigestMethod = DigestMethod.DEFAULT_ELEMENT_NAME.equals(XMLHelper.getNodeQName(child));
    }
    if (hasDigestMethod) {
        return;
    }

    // Explicitly express the library's SHA-1 default as <ds:DigestMethod Algorithm="...sha1"/>.
    Element digestMethodElem = XMLHelper.constructElement(containingDocument,
            DigestMethod.DEFAULT_ELEMENT_NAME);
    XMLHelper.appendNamespaceDeclaration(digestMethodElem,
            XMLConstants.XMLSIG_NS, XMLConstants.XMLSIG_PREFIX);
    digestMethodElem.setAttributeNS(null, DigestMethod.ALGORITHM_ATTRIB_NAME,
            SignatureConstants.ALGO_ID_DIGEST_SHA1);
    apacheEncryptedKey.getEncryptionMethod().addEncryptionMethodInformation(digestMethodElem);
}
 
Example #7
Source File: Auth0SSODemoApplication.java — from spring-boot-security-saml-samples (MIT License)
/**
 * After the parent bootstrap has run, raises OpenSAML's global defaults from the SHA-1
 * family to SHA-256 for RSA signatures and for signature reference digests.
 *
 * @param beanFactory the bean factory being post-processed
 * @throws BeansException propagated from the parent implementation
 */
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
    super.postProcessBeanFactory(beanFactory);
    // The cast assumes the global configuration is the BasicSecurityConfiguration installed by bootstrap.
    final BasicSecurityConfiguration globalConfig =
            (BasicSecurityConfiguration) org.opensaml.Configuration.getGlobalSecurityConfiguration();
    globalConfig.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
    globalConfig.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
 
Example #8
Source File: SHA256SAMLBootstrap.java — from sakai (Educational Community License v2.0)
/**
 * Runs the parent bootstrap and then switches the global OpenSAML security configuration
 * to RSA-SHA256 signatures and SHA-256 reference digests.
 *
 * @param beanFactory the bean factory being post-processed
 * @throws BeansException propagated from the parent implementation
 */
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
    super.postProcessBeanFactory(beanFactory);
    applySha256Defaults((BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration());
}

/**
 * Registers SHA-256 based algorithm URIs on the given configuration, replacing the
 * SHA-1 based entries OpenSAML bootstraps by default.
 *
 * @param config the mutable global security configuration
 */
private static void applySha256Defaults(BasicSecurityConfiguration config) {
    config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
    config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
 
Example #9
Source File: SamlAssertionProducer.java — from saml-generator (Apache License 2.0)
/**
 * Creates an RSA-SHA1 signature object using the credential built from the configured
 * public and private key locations, with exclusive C14N (omit comments).
 *
 * @return the prepared signature, or {@code null} when either key location is unset
 * @throws Throwable propagated from credential loading
 */
private Signature createSignature() throws Throwable {
	if (publicKeyLocation == null || privateKeyLocation == null) {
		// Without both key locations no signing credential can be built; callers treat null as "unsigned".
		return null;
	}

	final Signature signature = new SignatureBuilder().buildObject();
	signature.setSigningCredential(certManager.getSigningCredential(publicKeyLocation, privateKeyLocation));
	// Algorithm choices are hard-coded here rather than read from the security configuration.
	signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
	signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
	return signature;
}
 
Example #10
Source File: SHA256SAMLBootstrap.java — from sakai (Educational Community License v2.0)
/**
 * Delegates to the parent bootstrap, then overrides the global OpenSAML configuration so
 * RSA signatures use RSA-SHA256 and signature references use SHA-256 digests.
 *
 * @param beanFactory the bean factory being post-processed
 * @throws BeansException propagated from the parent implementation
 */
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
    super.postProcessBeanFactory(beanFactory);

    // Cast assumes the bootstrapped global configuration is a BasicSecurityConfiguration.
    final BasicSecurityConfiguration securityConfig =
            (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    final String rsaAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
    final String digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA256;
    securityConfig.registerSignatureAlgorithmURI("RSA", rsaAlgorithm);
    securityConfig.setSignatureReferenceDigestMethod(digestAlgorithm);
}
 
Example #11
Source File: SAMLUtils.java — from cloudstack (Apache License 2.0)
/**
 * Appends {@code SigAlg} and {@code Signature} query parameters to an already URL-encoded
 * SAML request query string, signing the string (including the {@code SigAlg} parameter)
 * with the given RSA private key.
 *
 * <p>Only {@code "SHA256"}, {@code "SHA384"} and {@code "SHA512"} (case-insensitive) select
 * a SHA-2 signature; any other name, including {@code "SHA1"} or a misspelling, silently falls
 * back to SHA1withRSA. Callers expecting a stronger algorithm should check the emitted
 * {@code SigAlg} value.</p>
 *
 * @param urlEncodedString the URL-encoded query string to sign
 * @param signingKey the RSA private key; when {@code null} the input is returned unsigned
 * @param sigAlgorithmName the requested digest name for the RSA signature (must not be null)
 * @return the query string with {@code SigAlg} and {@code Signature} appended
 * @throws NoSuchAlgorithmException if the JCA signature algorithm is unavailable
 * @throws SignatureException if signing fails
 * @throws InvalidKeyException if the key is unsuitable for the algorithm
 * @throws UnsupportedEncodingException if URL encoding fails
 */
public static String generateSAMLRequestSignature(final String urlEncodedString, final PrivateKey signingKey, final String sigAlgorithmName)
        throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
    if (signingKey == null) {
        return urlEncodedString;
    }

    // {requested name, OpenSAML algorithm URI, JCA signature algorithm name}
    final String[][] sha2Algorithms = {
        {"SHA256", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, "SHA256withRSA"},
        {"SHA384", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384, "SHA384withRSA"},
        {"SHA512", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512, "SHA512withRSA"},
    };
    // Default (and fallback for unrecognised names) is SHA-1.
    String opensamlAlgoIdSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
    String javaSignatureAlgorithmName = "SHA1withRSA";
    for (String[] candidate : sha2Algorithms) {
        if (sigAlgorithmName.equalsIgnoreCase(candidate[0])) {
            opensamlAlgoIdSignature = candidate[1];
            javaSignatureAlgorithmName = candidate[2];
            break;
        }
    }

    // The signed input includes the SigAlg parameter, so the algorithm choice is covered by the signature.
    final String signedUrl = urlEncodedString + "&SigAlg=" + URLEncoder.encode(opensamlAlgoIdSignature, HttpUtils.UTF_8);
    final Signature signer = Signature.getInstance(javaSignatureAlgorithmName);
    signer.initSign(signingKey);
    signer.update(signedUrl.getBytes(Charset.forName("UTF-8")));
    final String encodedSignature = Base64.encodeBytes(signer.sign(), Base64.DONT_BREAK_LINES);
    if (encodedSignature == null) {
        return signedUrl;
    }
    return signedUrl + "&Signature=" + URLEncoder.encode(encodedSignature, HttpUtils.UTF_8);
}