customize OpenSAML bootstrap to use SHA256 by default

2 files changed, 190 insertions, 0 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java
new file mode 100644
index 000000000..80789cd12
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.config;
+
+import org.opensaml.Configuration;
+import org.opensaml.DefaultBootstrap;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder;
+import org.opensaml.xml.ConfigurationException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOADefaultBootstrap extends DefaultBootstrap {
+
+    public static synchronized void bootstrap() throws ConfigurationException {
+
+        initializeXMLSecurity();
+
+        initializeXMLTooling();
+
+        initializeArtifactBuilderFactories();
+
+        initializeGlobalSecurityConfiguration();
+        
+        initializeParserPool();
+        
+        initializeESAPI();
+        
+    }
+  
+    
+    
+    /**
+     * Initializes the default global security configuration.
+     */
+    protected static void initializeGlobalSecurityConfiguration() {
+        Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig());
+    }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
new file mode 100644
index 000000000..1563ba9be
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.config;
+
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xml.signature.SignatureConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOADefaultSecurityConfigurationBootstrap extends
+		DefaultSecurityConfigurationBootstrap {
+	
+	public static BasicSecurityConfiguration buildDefaultConfig() {
+		BasicSecurityConfiguration config = new BasicSecurityConfiguration();
+
+		populateSignatureParams(config);
+		populateEncryptionParams(config);
+		populateKeyInfoCredentialResolverParams(config);
+		populateKeyInfoGeneratorManager(config);
+		populateKeyParams(config);
+
+		return config;
+	}
+
+	protected static void populateSignatureParams(
+			BasicSecurityConfiguration config) {
+		
+		//use SHA256 instead of SHA1
+		config.registerSignatureAlgorithmURI("RSA",
+				SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+	
+		config.registerSignatureAlgorithmURI("DSA",
+				"http://www.w3.org/2000/09/xmldsig#dsa-sha1");
+		
+		//use SHA256 instead of SHA1
+		config.registerSignatureAlgorithmURI("EC",
+				SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
+
+		//use SHA256 instead of SHA1
+		config.registerSignatureAlgorithmURI("AES",
+				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
+		
+		
+		config.registerSignatureAlgorithmURI("DESede",
+				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
+
+		config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
+		config.setSignatureHMACOutputLength(null);
+		
+		//use SHA256 instead of SHA1
+		config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+	}
+
+	protected static void populateEncryptionParams(
+			BasicSecurityConfiguration config) {
+		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
+				"http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
+				"http://www.w3.org/2001/04/xmlenc#aes192-cbc");
+		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
+				"http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+		
+		//support GCM mode
+		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), 
+				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM);
+		
+		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), 
+				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM);
+		
+		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), 
+				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM);
+		
+		
+		config.registerDataEncryptionAlgorithmURI("DESede",
+				Integer.valueOf(168),
+				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+		config.registerDataEncryptionAlgorithmURI("DESede",
+				Integer.valueOf(192),
+				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+
+		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES",
+				"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+		
+		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null,
+				"DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+
+		config.registerKeyTransportEncryptionAlgorithmURI("AES",
+				Integer.valueOf(128), null,
+				"http://www.w3.org/2001/04/xmlenc#kw-aes128");
+		config.registerKeyTransportEncryptionAlgorithmURI("AES",
+				Integer.valueOf(192), null,
+				"http://www.w3.org/2001/04/xmlenc#kw-aes192");
+		config.registerKeyTransportEncryptionAlgorithmURI("AES",
+				Integer.valueOf(256), null,
+				"http://www.w3.org/2001/04/xmlenc#kw-aes256");
+		config.registerKeyTransportEncryptionAlgorithmURI("DESede",
+				Integer.valueOf(168), null,
+				"http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+		config.registerKeyTransportEncryptionAlgorithmURI("DESede",
+				Integer.valueOf(192), null,
+				"http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+
+		config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+	}
+}