diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-02-11 08:09:48 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-02-11 08:09:48 +0100 | 
| commit | f86ebab09aad5971c86dce3827d46a0d41003994 (patch) | |
| tree | 9ab10654c325e5ddcc8154b60e5115f8de81600f /id/server/idserverlib/src | |
| parent | 9b67dbb64ed665be5430c213607854c8c7e3584b (diff) | |
| download | moa-id-spss-f86ebab09aad5971c86dce3827d46a0d41003994.tar.gz moa-id-spss-f86ebab09aad5971c86dce3827d46a0d41003994.tar.bz2 moa-id-spss-f86ebab09aad5971c86dce3827d46a0d41003994.zip | |
customize OpenSAML bootstrap to use SHA256 by default
Diffstat (limited to 'id/server/idserverlib/src')
2 files changed, 190 insertions, 0 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java new file mode 100644 index 000000000..80789cd12 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java @@ -0,0 +1,61 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.Configuration; +import org.opensaml.DefaultBootstrap; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder; +import org.opensaml.xml.ConfigurationException; + +/** + * @author tlenz + * + */ +public class MOADefaultBootstrap extends DefaultBootstrap { + +    public static synchronized void bootstrap() throws ConfigurationException { + +        initializeXMLSecurity(); + +        initializeXMLTooling(); + +        initializeArtifactBuilderFactories(); + +        initializeGlobalSecurityConfiguration(); +         +        initializeParserPool(); +         +        initializeESAPI(); +         +    } +   +     +     +    /** +     * Initializes the default global security configuration. +     */ +    protected static void initializeGlobalSecurityConfiguration() { +        Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig()); +    } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java new file mode 100644 index 000000000..1563ba9be --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java @@ -0,0 +1,129 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.security.BasicSecurityConfiguration; +import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap; +import org.opensaml.xml.signature.SignatureConstants; + +/** + * @author tlenz + * + */ +public class MOADefaultSecurityConfigurationBootstrap extends +		DefaultSecurityConfigurationBootstrap { +	 +	public static BasicSecurityConfiguration buildDefaultConfig() { +		BasicSecurityConfiguration config = new BasicSecurityConfiguration(); + +		populateSignatureParams(config); +		populateEncryptionParams(config); +		populateKeyInfoCredentialResolverParams(config); +		populateKeyInfoGeneratorManager(config); +		populateKeyParams(config); + +		return config; +	} + +	protected static void populateSignatureParams( +			BasicSecurityConfiguration config) { +		 +		//use SHA256 instead of SHA1 +		config.registerSignatureAlgorithmURI("RSA", +				SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); +	 +		config.registerSignatureAlgorithmURI("DSA", +				"http://www.w3.org/2000/09/xmldsig#dsa-sha1"); +		 +		//use SHA256 instead of SHA1 +		config.registerSignatureAlgorithmURI("EC", +				SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); + +		//use SHA256 instead of SHA1 +		config.registerSignatureAlgorithmURI("AES", +				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); +		 +		 +		config.registerSignatureAlgorithmURI("DESede", +				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); + +		config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"); +		config.setSignatureHMACOutputLength(null); +		 +		//use SHA256 instead of SHA1 +		config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); +	} + +	protected static void populateEncryptionParams( +			BasicSecurityConfiguration config) { +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), +				"http://www.w3.org/2001/04/xmlenc#aes128-cbc"); +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), +				"http://www.w3.org/2001/04/xmlenc#aes192-cbc"); +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), +				"http://www.w3.org/2001/04/xmlenc#aes256-cbc"); +		 +		//support GCM mode +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),  +				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); +		 +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),  +				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM); +		 +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),  +				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM); +		 +		 +		config.registerDataEncryptionAlgorithmURI("DESede", +				Integer.valueOf(168), +				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); +		config.registerDataEncryptionAlgorithmURI("DESede", +				Integer.valueOf(192), +				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); + +		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES", +				"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); +		 +		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, +				"DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); + +		config.registerKeyTransportEncryptionAlgorithmURI("AES", +				Integer.valueOf(128), null, +				"http://www.w3.org/2001/04/xmlenc#kw-aes128"); +		config.registerKeyTransportEncryptionAlgorithmURI("AES", +				Integer.valueOf(192), null, +				"http://www.w3.org/2001/04/xmlenc#kw-aes192"); +		config.registerKeyTransportEncryptionAlgorithmURI("AES", +				Integer.valueOf(256), null, +				"http://www.w3.org/2001/04/xmlenc#kw-aes256"); +		config.registerKeyTransportEncryptionAlgorithmURI("DESede", +				Integer.valueOf(168), null, +				"http://www.w3.org/2001/04/xmlenc#kw-tripledes"); +		config.registerKeyTransportEncryptionAlgorithmURI("DESede", +				Integer.valueOf(192), null, +				"http://www.w3.org/2001/04/xmlenc#kw-tripledes"); + +		config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc"); +	} +} | 
