aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-03-17 18:50:19 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-03-17 18:50:19 +0100
commit9aa438639862ccdc4f9523195df04131cc1913b8 (patch)
treeea7c6d5882c3ed70ec2884368db5f26764083ab1
parenta59a9af21d2bfa5200db09b168ed92af0fe3fca4 (diff)
downloadmoa-id-spss-9aa438639862ccdc4f9523195df04131cc1913b8.tar.gz
moa-id-spss-9aa438639862ccdc4f9523195df04131cc1913b8.tar.bz2
moa-id-spss-9aa438639862ccdc4f9523195df04131cc1913b8.zip
Add KeyInfo element with certificate to SAML2 signature
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java52
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java14
6 files changed, 93 insertions, 9 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java
new file mode 100644
index 000000000..81afcfbc1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.opemsaml;
+
+import java.security.KeyStore;
+
+import org.opensaml.xml.security.x509.X509Credential;
+
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAKeyStoreX509CredentialAdapter extends
+ org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter {
+
+ /**
+ * @param store
+ * @param alias
+ * @param password
+ */
+ public MOAKeyStoreX509CredentialAdapter(KeyStore store, String alias,
+ char[] password) {
+ super(store, alias, password);
+ }
+
+ public Class<? extends X509Credential> getCredentialType() {
+ return X509Credential.class;
+ }
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 1668c31ce..9a5623ca0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -46,6 +46,7 @@ import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
@@ -114,7 +115,10 @@ public class MetadataAction implements IAction {
Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
Signature signature = CredentialProvider
.getIDPSignature(metadataSigningCredential);
-
+
+ //set KeyInfo Element
+ SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null);
+
idpEntitiesDescriptor.setSignature(signature);
// //set SignatureMethode
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index d00b1cc16..aebd94a29 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -45,6 +45,8 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
@@ -65,7 +67,7 @@ public class PostBinding implements IDecoder, IEncoder {
throws MessageEncodingException, SecurityException {
try {
- Credential credentials = CredentialProvider
+ X509Credential credentials = CredentialProvider
.getIDPAssertionSigningCredential();
Logger.debug("create SAML POSTBinding response");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index f09178f55..5155d6958 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -48,6 +48,7 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.x509.X509Credential;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
@@ -69,7 +70,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
StatusResponseType response, String targetLocation)
throws MessageEncodingException, SecurityException {
try {
- Credential credentials = CredentialProvider
+ X509Credential credentials = CredentialProvider
.getIDPAssertionSigningCredential();
Logger.debug("create SAML RedirectBinding response");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
index 1563ba9be..f878b95d3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
@@ -25,6 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
+import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.SignatureConstants;
/**
@@ -46,6 +50,25 @@ public class MOADefaultSecurityConfigurationBootstrap extends
return config;
}
+ protected static void populateKeyInfoGeneratorManager(
+ BasicSecurityConfiguration config) {
+ NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager();
+ config.setKeyInfoGeneratorManager(namedManager);
+
+ namedManager.setUseDefaultManager(true);
+ KeyInfoGeneratorManager defaultManager = namedManager
+ .getDefaultManager();
+
+ BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
+ basicFactory.setEmitPublicKeyValue(true);
+
+ X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
+ x509Factory.setEmitEntityCertificate(true);
+
+ defaultManager.registerFactory(basicFactory);
+ defaultManager.registerFactory(x509Factory);
+ }
+
protected static void populateSignatureParams(
BasicSecurityConfiguration config) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
index e3e25b1a9..d95e21a0e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
@@ -30,9 +30,11 @@ import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
+import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
@@ -42,7 +44,7 @@ public class CredentialProvider {
private static KeyStore keyStore = null;
- public static Credential getIDPMetaDataSigningCredential()
+ public static X509Credential getIDPMetaDataSigningCredential()
throws CredentialsNotAvailableException {
PVPConfiguration config = PVPConfiguration.getInstance();
try {
@@ -51,7 +53,7 @@ public class CredentialProvider {
keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
config.getIDPKeyStorePassword());
- KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
keyStore, config.getIDPKeyAliasMetadata(), config
.getIDPKeyPasswordMetadata().toCharArray());
@@ -64,7 +66,7 @@ public class CredentialProvider {
}
}
- public static Credential getIDPAssertionSigningCredential()
+ public static X509Credential getIDPAssertionSigningCredential()
throws CredentialsNotAvailableException {
PVPConfiguration config = PVPConfiguration.getInstance();
try {
@@ -72,12 +74,12 @@ public class CredentialProvider {
keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
config.getIDPKeyStorePassword());
- KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
keyStore, config.getIDPKeyAliasAssertionSign(), config
.getIDPKeyPasswordAssertionSign().toCharArray());
-
+
credentials.setUsageType(UsageType.SIGNING);
- return credentials;
+ return (X509Credential) credentials;
} catch (Exception e) {
Logger.error("Failed to generate IDP Assertion Signing credentials");
e.printStackTrace();