aboutsummaryrefslogtreecommitdiff
path: root/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-01-21 13:00:34 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-01-21 13:00:34 +0100
commit51c45b375485399d36e33f1ab4cf76e9273222e3 (patch)
treeeef62835cd91d99cb3a942d66c89dc8d4c822329 /id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration
parentf51f447ed199dc1c3f5dc750d169462d42b2b6ad (diff)
downloadmoa-id-spss-51c45b375485399d36e33f1ab4cf76e9273222e3.tar.gz
moa-id-spss-51c45b375485399d36e33f1ab4cf76e9273222e3.tar.bz2
moa-id-spss-51c45b375485399d36e33f1ab4cf76e9273222e3.zip
implement SAML2 assertion encryption
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java2
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java29
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java8
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java53
4 files changed, 83 insertions, 9 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
index 8684b8cc1..7e00b8084 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
@@ -150,7 +150,7 @@ public class Authenticate extends HttpServlet {
redirectEndpoint = sss;
}
}
-
+
authReq.setDestination(redirectEndpoint.getLocation());
RequestedAuthnContext reqAuthContext =
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
index fa02443dc..cdb28922c 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
@@ -142,21 +142,38 @@ public class BuildMetadata extends HttpServlet {
entitiesSignKeyDescriptor.setUse(UsageType.SIGNING);
entitiesSignKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingcredential));
Signature entitiesSignature = getSignature(signingcredential);
-
+ spEntitiesDescriptor.setSignature(entitiesSignature);
+
+ //Set AuthRequest Signing certificate
X509Credential authcredential = new KeyStoreX509CredentialAdapter(
keyStore,
config.getPVP2KeystoreAuthRequestKeyAlias(),
- config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
-
-
- //Set AuthRequest Signing certificate
+ config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
KeyDescriptor signKeyDescriptor = SAML2Utils
.createSAMLObject(KeyDescriptor.class);
signKeyDescriptor.setUse(UsageType.SIGNING);
signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));
- spEntitiesDescriptor.setSignature(entitiesSignature);
spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+
+ //set AuthRequest encryption certificate
+ if (MiscUtil.isNotEmpty(config.getPVP2KeystoreAuthRequestEncryptionKeyAlias())) {
+ X509Credential authEncCredential = new KeyStoreX509CredentialAdapter(
+ keyStore,
+ config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
+ config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+ KeyDescriptor encryKeyDescriptor = SAML2Utils
+ .createSAMLObject(KeyDescriptor.class);
+ encryKeyDescriptor.setUse(UsageType.ENCRYPTION);
+ encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));
+ spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor);
+
+ } else {
+ log.warn("No Assertion Encryption-Key defined. This setting is not recommended!");
+
+ }
+
+
NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index fb468967c..6b30c0cfa 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -258,6 +258,14 @@ public class ConfigurationProvider {
return props.getProperty("general.login.pvp2.keystore.authrequest.key.password");
}
+ public String getPVP2KeystoreAuthRequestEncryptionKeyAlias() {
+ return props.getProperty("general.login.pvp2.keystore.authrequest.encryption.key.alias");
+ }
+
+ public String getPVP2KeystoreAuthRequestEncryptionKeyPassword() {
+ return props.getProperty("general.login.pvp2.keystore.authrequest.encryption.key.password");
+ }
+
public String getPVP2IDPMetadataURL() {
return props.getProperty("general.login.pvp2.idp.metadata.url");
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index c82746dbc..b5896aecf 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -1,5 +1,6 @@
package at.gv.egovernment.moa.id.configuration.struts.action;
+import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
@@ -23,18 +24,24 @@ import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
@@ -43,9 +50,12 @@ import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
@@ -261,8 +271,47 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
- List<org.opensaml.saml2.core.Assertion> saml2assertions = samlResponse.getAssertions();
-
+ List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+
+ //check encrypted Assertion
+ List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+ if (encryAssertionList != null && encryAssertionList.size() > 0) {
+ //decrypt assertions
+
+ log.debug("Found encryped assertion. Start decryption ...");
+
+ KeyStore keyStore = config.getPVP2KeyStore();
+
+ X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+ keyStore,
+ config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
+ config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+
+
+ StaticKeyInfoCredentialResolver skicr =
+ new StaticKeyInfoCredentialResolver(authDecCredential);
+
+ ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+ encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+
+ Decrypter samlDecrypter =
+ new Decrypter(null, skicr, encryptedKeyResolver);
+
+ for (EncryptedAssertion encAssertion : encryAssertionList) {
+ saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+
+ }
+
+ log.debug("Assertion decryption finished. ");
+
+ } else {
+ saml2assertions = samlResponse.getAssertions();
+
+ }
+
+
if (MiscUtil.isEmpty(authID)) {
log.info("NO AuthRequestID");
return Constants.STRUTS_ERROR;