From 759ac5f42c6aff901dbeede4fbf1a1d2e08cad0f Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 4 Dec 2019 19:43:32 +0100
Subject: common EGIZ code-style refactoring

---
 .../EaafDefaultSecurityConfigurationBootstrap.java | 141 +++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java

(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
new file mode 100644
index 00000000..a1a7e9d2
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
@@ -0,0 +1,141 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;
+
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
+import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.SignatureConstants;
+
+/**
+ * EAAF specific OpenSAML2 security configuration.
+ *
+ * @author tlenz
+ *
+ */
+public class EaafDefaultSecurityConfigurationBootstrap
+    extends DefaultSecurityConfigurationBootstrap {
+
+  /**
+   * Build EAAF security configuration for OpenSAML2.
+   *
+   * @return
+   */
+  public static BasicSecurityConfiguration buildDefaultConfig() {
+    final BasicSecurityConfiguration config = new BasicSecurityConfiguration();
+
+    populateSignatureParams(config);
+    populateEncryptionParams(config);
+    populateKeyInfoCredentialResolverParams(config);
+    populateKeyInfoGeneratorManager(config);
+    populateKeyParams(config);
+
+    return config;
+  }
+
+  protected static void populateKeyInfoGeneratorManager(final BasicSecurityConfiguration config) {
+    final NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager();
+    config.setKeyInfoGeneratorManager(namedManager);
+
+    namedManager.setUseDefaultManager(true);
+    final KeyInfoGeneratorManager defaultManager = namedManager.getDefaultManager();
+
+    final BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
+    basicFactory.setEmitPublicKeyValue(true);
+
+    final X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
+    x509Factory.setEmitEntityCertificate(true);
+
+    defaultManager.registerFactory(basicFactory);
+    defaultManager.registerFactory(x509Factory);
+  }
+
+  protected static void populateSignatureParams(final BasicSecurityConfiguration config) {
+
+    // use SHA256 instead of SHA1
+    config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+
+    config.registerSignatureAlgorithmURI("DSA", "http://www.w3.org/2000/09/xmldsig#dsa-sha1");
+
+    // use SHA256 instead of SHA1
+    config.registerSignatureAlgorithmURI("EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
+
+    // use SHA256 instead of SHA1
+    config.registerSignatureAlgorithmURI("AES", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
+
+
+    config.registerSignatureAlgorithmURI("DESede", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
+
+    config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
+    config.setSignatureHMACOutputLength(null);
+
+    // use SHA256 instead of SHA1
+    config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+  }
+
+  protected static void populateEncryptionParams(final BasicSecurityConfiguration config) {
+    config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
+        "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+    config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
+        "http://www.w3.org/2001/04/xmlenc#aes192-cbc");
+    config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
+        "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+
+    // support GCM mode
+    config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
+        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM);
+
+    config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
+        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM);
+
+    config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
+        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM);
+
+
+    config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(168),
+        "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+    config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(192),
+        "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+
+    config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES",
+        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+
+    config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "DESede",
+        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+
+    config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(128), null,
+        "http://www.w3.org/2001/04/xmlenc#kw-aes128");
+    config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(192), null,
+        "http://www.w3.org/2001/04/xmlenc#kw-aes192");
+    config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(256), null,
+        "http://www.w3.org/2001/04/xmlenc#kw-aes256");
+    config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(168), null,
+        "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+    config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(192), null,
+        "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+
+    config.setAutoGeneratedDataEncryptionKeyAlgorithmURI(
+        "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+  }
+}
-- 
cgit v1.2.3