summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java218
1 files changed, 128 insertions, 90 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
index f3e50e4e..97f0f225 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
@@ -19,14 +19,17 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;
-import org.opensaml.xml.encryption.EncryptionConstants;
-import org.opensaml.xml.security.BasicSecurityConfiguration;
-import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
-import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
-import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
-import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
-import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
-import org.opensaml.xml.signature.SignatureConstants;
+import java.util.Arrays;
+import java.util.Collections;
+
+import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
+import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
+import org.opensaml.xmlsec.impl.BasicDecryptionConfiguration;
+import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
+import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
+import org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
/**
* EAAF specific OpenSAML2 security configuration.
@@ -38,102 +41,137 @@ public class EaafDefaultSecurityConfigurationBootstrap
extends DefaultSecurityConfigurationBootstrap {
/**
- * Build EAAF security configuration for OpenSAML2.
+ * Set EAAF specific encryption configuration to OpenSAML 3.x.
*
* @return
*/
- public static BasicSecurityConfiguration buildDefaultConfig() {
- final BasicSecurityConfiguration config = new BasicSecurityConfiguration();
-
- populateSignatureParams(config);
- populateEncryptionParams(config);
- populateKeyInfoCredentialResolverParams(config);
- populateKeyInfoGeneratorManager(config);
- populateKeyParams(config);
+ public static BasicEncryptionConfiguration buildEaafEncryptionConfiguration() {
+ final BasicEncryptionConfiguration config = new BasicEncryptionConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
+ EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));
+
+ config.setDataEncryptionAlgorithms(Arrays.asList(
+ // The order of these is significant.
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
+
+ // register GCM algorithms
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
+
+ config.setKeyTransportEncryptionAlgorithms(Arrays.asList(
+ // The order of the RSA algos is significant.
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
+
+ // The order of these is not significant.
+ // These aren't really "preferences" per se. They just need to be registered
+ // so that they can be used if a credential with a key of that type and size is
+ // seen.
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES256));
+
+ config.setRSAOAEPParameters(new RSAOAEPParameters(
+ SignatureConstants.ALGO_ID_DIGEST_SHA1,
+ EncryptionConstants.ALGO_ID_MGF1_SHA1,
+ null));
+
+ config.setDataKeyInfoGeneratorManager(buildDataEncryptionKeyInfoGeneratorManager());
+ config.setKeyTransportKeyInfoGeneratorManager(buildKeyTransportEncryptionKeyInfoGeneratorManager());
return config;
}
- protected static void populateKeyInfoGeneratorManager(final BasicSecurityConfiguration config) {
- final NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager();
- config.setKeyInfoGeneratorManager(namedManager);
-
- namedManager.setUseDefaultManager(true);
- final KeyInfoGeneratorManager defaultManager = namedManager.getDefaultManager();
+ /**
+ * Set EAAF specific decryption configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicDecryptionConfiguration buildEaaftDecryptionConfiguration() {
+ final BasicDecryptionConfiguration config = new BasicDecryptionConfiguration();
- final BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
- basicFactory.setEmitPublicKeyValue(true);
+ config.setBlacklistedAlgorithms(Collections.singletonList(
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
- final X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
- x509Factory.setEmitEntityCertificate(true);
+ config.setEncryptedKeyResolver(buildBasicEncryptedKeyResolver());
- defaultManager.registerFactory(basicFactory);
- defaultManager.registerFactory(x509Factory);
+ return config;
}
- protected static void populateSignatureParams(final BasicSecurityConfiguration config) {
-
- // use SHA256 instead of SHA1
- config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-
- config.registerSignatureAlgorithmURI("DSA", "http://www.w3.org/2000/09/xmldsig#dsa-sha1");
-
- // use SHA256 instead of SHA1
- config.registerSignatureAlgorithmURI("EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
-
- // use SHA256 instead of SHA1
- config.registerSignatureAlgorithmURI("AES", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
-
- config.registerSignatureAlgorithmURI("DESede", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
-
- config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
- config.setSignatureHMACOutputLength(null);
+ /**
+ * Set EAAF specific signature-creation configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicSignatureSigningConfiguration buildEaafSignatureSigningConfiguration() {
+ final BasicSignatureSigningConfiguration config = new BasicSignatureSigningConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
+ SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
+ SignatureConstants.ALGO_ID_DIGEST_SHA1));
+
+ config.setSignatureAlgorithms(Arrays.asList(
+ // The order within each key group is significant.
+ // The order of the key groups themselves is not significant.
+
+ // RSA
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512,
+
+ // ECDSA
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512
+
+ // HMAC (all symmetric keys)
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA256,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA384,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA512,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA1
+ ));
+
+ config.setSignatureReferenceDigestMethods(Arrays.asList(
+ // The order of these is significant.
+ SignatureConstants.ALGO_ID_DIGEST_SHA256,
+ SignatureConstants.ALGO_ID_DIGEST_SHA384,
+ SignatureConstants.ALGO_ID_DIGEST_SHA512));
+
+ config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+
+ config.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
- // use SHA256 instead of SHA1
- config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+ return config;
}
- protected static void populateEncryptionParams(final BasicSecurityConfiguration config) {
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
- "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
- "http://www.w3.org/2001/04/xmlenc#aes192-cbc");
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
- "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
-
- // support GCM mode
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
- EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM);
-
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
- EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM);
-
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
- EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM);
-
- config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(168),
- "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
- config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(192),
- "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
-
- config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES",
- "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
-
- config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "DESede",
- "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
-
- config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(128), null,
- "http://www.w3.org/2001/04/xmlenc#kw-aes128");
- config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(192), null,
- "http://www.w3.org/2001/04/xmlenc#kw-aes192");
- config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(256), null,
- "http://www.w3.org/2001/04/xmlenc#kw-aes256");
- config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(168), null,
- "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
- config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(192), null,
- "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
-
- config.setAutoGeneratedDataEncryptionKeyAlgorithmURI(
- "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+ /**
+ * Set EAAF specific signature-verification configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicSignatureValidationConfiguration buildEaafSignatureValidationConfiguration() {
+ final BasicSignatureValidationConfiguration config = new BasicSignatureValidationConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
+ SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
+ SignatureConstants.ALGO_ID_DIGEST_SHA1));
+
+ return config;
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-12 21:14:04 +0000