summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java177
1 files changed, 177 insertions, 0 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
new file mode 100644
index 00000000..97f0f225
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
@@ -0,0 +1,177 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
+import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
+import org.opensaml.xmlsec.impl.BasicDecryptionConfiguration;
+import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
+import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
+import org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+
+/**
+ * EAAF specific OpenSAML2 security configuration.
+ *
+ * @author tlenz
+ *
+ */
+public class EaafDefaultSecurityConfigurationBootstrap
+ extends DefaultSecurityConfigurationBootstrap {
+
+ /**
+ * Set EAAF specific encryption configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicEncryptionConfiguration buildEaafEncryptionConfiguration() {
+ final BasicEncryptionConfiguration config = new BasicEncryptionConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
+ EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));
+
+ config.setDataEncryptionAlgorithms(Arrays.asList(
+ // The order of these is significant.
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
+
+ // register GCM algorithms
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
+
+ config.setKeyTransportEncryptionAlgorithms(Arrays.asList(
+ // The order of the RSA algos is significant.
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
+
+ // The order of these is not significant.
+ // These aren't really "preferences" per se. They just need to be registered
+ // so that they can be used if a credential with a key of that type and size is
+ // seen.
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES256));
+
+ config.setRSAOAEPParameters(new RSAOAEPParameters(
+ SignatureConstants.ALGO_ID_DIGEST_SHA1,
+ EncryptionConstants.ALGO_ID_MGF1_SHA1,
+ null));
+
+ config.setDataKeyInfoGeneratorManager(buildDataEncryptionKeyInfoGeneratorManager());
+ config.setKeyTransportKeyInfoGeneratorManager(buildKeyTransportEncryptionKeyInfoGeneratorManager());
+
+ return config;
+ }
+
+ /**
+ * Set EAAF specific decryption configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicDecryptionConfiguration buildEaaftDecryptionConfiguration() {
+ final BasicDecryptionConfiguration config = new BasicDecryptionConfiguration();
+
+ config.setBlacklistedAlgorithms(Collections.singletonList(
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
+
+ config.setEncryptedKeyResolver(buildBasicEncryptedKeyResolver());
+
+ return config;
+ }
+
+ /**
+ * Set EAAF specific signature-creation configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicSignatureSigningConfiguration buildEaafSignatureSigningConfiguration() {
+ final BasicSignatureSigningConfiguration config = new BasicSignatureSigningConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
+ SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
+ SignatureConstants.ALGO_ID_DIGEST_SHA1));
+
+ config.setSignatureAlgorithms(Arrays.asList(
+ // The order within each key group is significant.
+ // The order of the key groups themselves is not significant.
+
+ // RSA
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512,
+
+ // ECDSA
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512
+
+ // HMAC (all symmetric keys)
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA256,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA384,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA512,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA1
+ ));
+
+ config.setSignatureReferenceDigestMethods(Arrays.asList(
+ // The order of these is significant.
+ SignatureConstants.ALGO_ID_DIGEST_SHA256,
+ SignatureConstants.ALGO_ID_DIGEST_SHA384,
+ SignatureConstants.ALGO_ID_DIGEST_SHA512));
+
+ config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+
+ config.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
+
+ return config;
+ }
+
+ /**
+ * Set EAAF specific signature-verification configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicSignatureValidationConfiguration buildEaafSignatureValidationConfiguration() {
+ final BasicSignatureValidationConfiguration config = new BasicSignatureValidationConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
+ SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
+ SignatureConstants.ALGO_ID_DIGEST_SHA1));
+
+ return config;
+ }
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-27 09:37:23 +0000