1 files changed, 77 insertions, 8 deletions

diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java
index 2db14f543..5e9c753ae 100644
--- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java
+++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java
@@ -36,8 +36,12 @@ import eu.stork.peps.auth.engine.X509PrincipalUtil;
 import org.apache.commons.io.IOUtils;

 import org.apache.commons.lang.NotImplementedException;

 import org.bouncycastle.jce.X509Principal;

+import org.opensaml.Configuration;

 import org.opensaml.common.SAMLObject;

 import org.opensaml.common.SignableSAMLObject;

+import org.opensaml.saml2.core.Assertion;

+import org.opensaml.saml2.core.LogoutResponse;

+import org.opensaml.saml2.core.Response;

 import org.opensaml.security.SAMLSignatureProfileValidator;

 import org.opensaml.xml.io.MarshallingException;

 import org.opensaml.xml.security.SecurityConfiguration;

@@ -62,6 +66,7 @@ import org.slf4j.LoggerFactory;
 

 

 

+import eu.stork.peps.auth.engine.core.CustomAttributeQuery;

 import eu.stork.peps.auth.engine.core.SAMLEngineSignI;

 import eu.stork.peps.exceptions.SAMLEngineException;

 

@@ -237,8 +242,10 @@ public final class SignHW implements SAMLEngineSignI {
 	    LOG.debug("Begin signature with openSaml");

 	    signature.setSigningCredential(credential);

 

+	    /*signature.setSignatureAlgorithm(

+	    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);*/

 	    signature.setSignatureAlgorithm(

-		    	SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

+		    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

 

 	 

 

@@ -261,14 +268,76 @@ public final class SignHW implements SAMLEngineSignI {
 	    signature.setCanonicalizationAlgorithm(

 		    SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

 

-	    tokenSaml.setSignature(signature);

-

-	    LOG.debug("Marshall samlToken.");

-	    org.opensaml.xml.Configuration.getMarshallerFactory()

-		    .getMarshaller(tokenSaml).marshall(tokenSaml);

+	  //Create a second signature which will be used when signing assertion and response

+	    final Signature signature2 = (Signature) Configuration

+	    .getBuilderFactory().getBuilder(

+		    Signature.DEFAULT_ELEMENT_NAME).buildObject(

+		    Signature.DEFAULT_ELEMENT_NAME);

+	    final SecurityConfiguration secConfiguration2 = Configuration

+	    .getGlobalSecurityConfiguration();

+	    final NamedKeyInfoGeneratorManager keyInfoManager2 = secConfiguration2

+		    .getKeyInfoGeneratorManager();

+	    final KeyInfoGeneratorManager keyInfoGenManager2 = keyInfoManager2

+		    .getDefaultManager();

+	    final KeyInfoGeneratorFactory keyInfoGenFac2 = keyInfoGenManager2

+		    .getFactory(credential);

+	    final KeyInfoGenerator keyInfoGenerator2 = keyInfoGenFac2

+		    .newInstance();

+	    

+	    KeyInfo keyInfo2 = keyInfoGenerator2.generate(credential);

+	    signature2.setSigningCredential(credential);

+	    signature2.setSignatureAlgorithm(

+			    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

+	    signature2.setKeyInfo(keyInfo2);

+	    signature2.setCanonicalizationAlgorithm(

+		    SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

+	    	 	    

 

-	    LOG.info("Sign samlToken.");

-	    Signer.signObject(signature);

+	    LOG.info("Marshall samlToken.");

+	    String qn = tokenSaml.getElementQName().toString();

+	    

+	    if (qn.endsWith(CustomAttributeQuery.DEFAULT_ELEMENT_LOCAL_NAME))

+	    {	    

+	  		tokenSaml.setSignature(signature);

+	    	CustomAttributeQueryMarshaller mars = new CustomAttributeQueryMarshaller();

+	    	mars.marshall(tokenSaml);

+	    	Signer.signObject(signature);

+	    }

+	    else if (qn.endsWith(Response.DEFAULT_ELEMENT_LOCAL_NAME) && !qn.contains(LogoutResponse.DEFAULT_ELEMENT_LOCAL_NAME))

+	    {

+	    	Response res = (Response)tokenSaml;

+	    	List<Assertion> asserts = res.getAssertions();

+	    	//If multiple assertions we just sign the response and not the assertion

+	    	if (asserts.size() > 1)

+	    	{	    		

+	    		tokenSaml.setSignature(signature);

+	    		Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+			    .marshall(tokenSaml);

+	    		LOG.info("Sign samlToken.");

+	    	    Signer.signObject(signature);

+	    	}

+	    	//If single assertion we sign the assertion and response

+	    	else

+	    	{

+			    Assertion assertion = (Assertion)asserts.get(0);

+			    assertion.setSignature(signature);			    

+			    tokenSaml.setSignature(signature2);

+			    Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+			    .marshall(tokenSaml);

+			    LOG.info("Sign samlToken.");

+			    Signer.signObject(signature);

+			    Signer.signObject(signature2);

+	    	}

+	    }

+	    //Normally we just sign the total saml response

+	    else

+	    {

+	    	tokenSaml.setSignature(signature);

+	    	Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+		    .marshall(tokenSaml);

+	    	LOG.info("Sign samlToken.");

+		    Signer.signObject(signature);

+	    }

 

 	} catch (final MarshallingException e) {

 	    LOG.error("MarshallingException");