/******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; import java.security.KeyStore; import java.security.PrivateKey; import java.security.interfaces.ECPrivateKey; import java.security.interfaces.RSAPrivateKey; import org.apache.commons.lang3.StringUtils; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.KeyStoreX509CredentialAdapter; public abstract class AbstractCredentialProvider { private static final Logger log = LoggerFactory.getLogger(AbstractCredentialProvider.class); private KeyStore keyStore = null; /** * Get a friendlyName for this keyStore implementation * This friendlyName is used for logging * * @return keyStore friendlyName */ public abstract String getFriendlyName(); /** * Get KeyStore * * @return URL to the keyStore * @throws EAAFException */ public abstract String getKeyStoreFilePath() throws EAAFException; /** * Get keyStore password * * @return Password of the keyStore */ public abstract String getKeyStorePassword(); /** * Get alias of key for metadata signing * * @return key alias */ public abstract String getMetadataKeyAlias(); /** * Get password of key for metadata signing * * @return key password */ public abstract String getMetadataKeyPassword(); /** * Get alias of key for request/response signing * * @return key alias */ public abstract String getSignatureKeyAlias(); /** * Get password of key for request/response signing * * @return key password */ public abstract String getSignatureKeyPassword(); /** * Get alias of key for IDP response encryption * * @return key alias */ public abstract String getEncryptionKeyAlias(); /** * Get password of key for IDP response encryption * * @return key password */ public abstract String getEncryptionKeyPassword(); public X509Credential getIDPMetaDataSigningCredential() throws CredentialsNotAvailableException { try { if (keyStore == null) keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), getKeyStorePassword()); KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter( keyStore, getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray()); credentials.setUsageType(UsageType.SIGNING); if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { log.error(getFriendlyName() + " Metadata Signing credentials is not found or contains no PrivateKey."); throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Signing credentials (Alias: " + getMetadataKeyAlias() + ") is not found or contains no PrivateKey."}); } return credentials; } catch (Exception e) { log.error("Failed to generate " + getFriendlyName() + " Metadata Signing credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e); } } public X509Credential getIDPAssertionSigningCredential() throws CredentialsNotAvailableException { try { if (keyStore == null) keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), getKeyStorePassword()); KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter( keyStore, getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray()); credentials.setUsageType(UsageType.SIGNING); if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { log.error(getFriendlyName() + " Assertion Signing credentials is not found or contains no PrivateKey."); throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Signing credentials (Alias: " + getSignatureKeyAlias() + ") is not found or contains no PrivateKey."}); } return (X509Credential) credentials; } catch (Exception e) { log.error("Failed to generate " + getFriendlyName() + " Assertion Signing credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e); } } public X509Credential getIDPAssertionEncryptionCredential() throws CredentialsNotAvailableException { try { if (keyStore == null) keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), getKeyStorePassword()); //if no encryption key is configured return null if (StringUtils.isEmpty(getEncryptionKeyAlias())) return null; KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter( keyStore, getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray()); credentials.setUsageType(UsageType.ENCRYPTION); if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { log.error(getFriendlyName() + " Assertion Encryption credentials is not found or contains no PrivateKey."); throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Encryption credentials (Alias: " + getEncryptionKeyAlias() + ") is not found or contains no PrivateKey."}); } return (X509Credential) credentials; } catch (Exception e) { log.error("Failed to generate " + getFriendlyName() + " Assertion Encryption credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e); } } public static Signature getIDPSignature(Credential credentials) { PrivateKey privatekey = credentials.getPrivateKey(); Signature signer = SAML2Utils.createSAMLObject(Signature.class); if (privatekey instanceof RSAPrivateKey) { signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); } else if (privatekey instanceof ECPrivateKey) { signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); } else { log.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential."); } signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); signer.setSigningCredential(credentials); return signer; } }