diff options
Diffstat (limited to 'id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java')
-rw-r--r-- | id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java | 936 |
1 files changed, 468 insertions, 468 deletions
diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java index 5e9c753ae..80796ea86 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java @@ -1,468 +1,468 @@ -/*
- * Licensed under the EUPL, Version 1.1 or – as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence. You may
- * obtain a copy of the Licence at:
- *
- * http://www.osor.eu/eupl/european-union-public-licence-eupl-v.1.1
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * Licence for the specific language governing permissions and limitations under
- * the Licence.
- */
-
-package eu.stork.peps.auth.engine.core.impl;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.Provider;
-import java.security.Security;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Enumeration;
-import java.util.InvalidPropertiesFormatException;
-import java.util.List;
-import java.util.Properties;
-
-import eu.stork.peps.auth.engine.X509PrincipalUtil;
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.NotImplementedException;
-import org.bouncycastle.jce.X509Principal;
-import org.opensaml.Configuration;
-import org.opensaml.common.SAMLObject;
-import org.opensaml.common.SignableSAMLObject;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.LogoutResponse;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.io.MarshallingException;
-import org.opensaml.xml.security.SecurityConfiguration;
-import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
-import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
-import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
-import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
-import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
-import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator;
-import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.opensaml.xml.signature.KeyInfo;
-import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.SignatureConstants;
-import org.opensaml.xml.signature.SignatureException;
-import org.opensaml.xml.signature.SignatureValidator;
-import org.opensaml.xml.signature.Signer;
-import org.opensaml.xml.validation.ValidationException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-
-
-import eu.stork.peps.auth.engine.core.CustomAttributeQuery;
-import eu.stork.peps.auth.engine.core.SAMLEngineSignI;
-import eu.stork.peps.exceptions.SAMLEngineException;
-
-/**
- * The Class HWSign. Module of sign.
- *
- * @author fjquevedo
- */
-public final class SignHW implements SAMLEngineSignI {
-
- /** The Constant CONFIGURATION_FILE. */
- private static final String CONF_FILE = "configurationFile";
-
- /** The Constant KEYSTORE_TYPE.
- private static final String KEYSTORE_TYPE = "keystoreType" */
-
- /** The logger. */
- private static final Logger LOG = LoggerFactory.getLogger(SignHW.class
- .getName());
-
- /** The stork own key store. */
- private KeyStore storkOwnKeyStore = null;
-
- /**
- * Gets the stork own key store.
- *
- * @return the stork own key store
- */
- public KeyStore getStorkOwnKeyStore() {
- return storkOwnKeyStore;
- }
-
- /**
- * Gets the stork trustStore.
- *
- * @return the stork own key store
- */
- public KeyStore getTrustStore() {
- return storkOwnKeyStore;
- }
-
- /**
- * Sets the stork own key store.
- *
- * @param newkOwnKeyStore the new stork own key store
- */
- public void setStorkOwnKeyStore(final KeyStore newkOwnKeyStore) {
- this.storkOwnKeyStore = newkOwnKeyStore;
- }
-
- /**
- * Gets the properties.
- *
- * @return the properties
- */
- public Properties getProperties() {
- return properties;
- }
-
- /**
- * Sets the properties.
- *
- * @param newProperties the new properties
- */
- public void setProperties(final Properties newProperties) {
- this.properties = newProperties;
- }
-
- /** The HW sign prop. */
- private Properties properties = null;
-
- /**
- * @see
- * eu.stork.peps.auth.engine.core.SAMLEngineSignI#init(java.lang.String)
- * @param fileConf file of configuration
- * @throws SAMLEngineException error in read file
- */
- public void init(final String fileConf)
- throws SAMLEngineException {
- InputStream inputStr = null;
- try {
- inputStr = SignHW.class.getResourceAsStream("/"
- + fileConf);
- properties = new Properties();
-
- properties.loadFromXML(inputStr);
- } catch (final InvalidPropertiesFormatException e) {
- LOG.info("Exception: invalid properties format.");
- throw new SAMLEngineException(e);
- } catch (IOException e) {
- LOG.info("Exception: invalid file: " + fileConf);
- throw new SAMLEngineException(e);
- } finally {
- IOUtils.closeQuietly(inputStr);
- }
- }
-
-
- /**
- * @see eu.stork.peps.auth.engine.core.SAMLEngineSignI#getCertificate()
- * @return the X509Certificate.
- */
- public X509Certificate getCertificate() {
- throw new NotImplementedException();
- }
-
- /**
- * @see
- * eu.stork.peps.auth.engine.core.SAMLEngineSignI#sign(SignableSAMLObject tokenSaml)
- * @param tokenSaml signable SAML Object
- * @return the SAMLObject signed.
- * @throws SAMLEngineException error in sign token saml
- */
- public SAMLObject sign(final SignableSAMLObject tokenSaml) throws SAMLEngineException {
-
- try {
- LOG.info("Star procces of sign");
- final char[] pin = properties.getProperty("keyPassword")
- .toCharArray();
-
- storkOwnKeyStore.load(null, pin);
-
- final String serialNumber = properties.getProperty("serialNumber");
- final String issuer = properties.getProperty("issuer");
-
- String alias = null;
- String aliasCert;
- X509Certificate certificate;
-
- boolean find = false;
- for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e
- .hasMoreElements() && !find;) {
- aliasCert = e.nextElement();
- certificate = (X509Certificate) storkOwnKeyStore
- .getCertificate(aliasCert);
- // Verified serial number, issuer
-
- final String serialNum = certificate.getSerialNumber()
- .toString(16);
- X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName());
- X509Principal issuerDNConf = new X509Principal(issuer);
-
- if(serialNum.equalsIgnoreCase(serialNumber)
- && X509PrincipalUtil.equals(issuerDN, issuerDNConf)){
- alias = aliasCert;
- find = true;
- }
-
- }
-
- if (!find) {
- throw new SAMLEngineException("Certificate cannot be found in keystore ");
- }
- certificate = (X509Certificate) storkOwnKeyStore.getCertificate(alias);
- final PrivateKey privateKey = (PrivateKey) storkOwnKeyStore.getKey(
- alias, pin);
-
- LOG.info("Recover BasicX509Credential.");
- final BasicX509Credential credential = new BasicX509Credential();
-
- LOG.debug("Load certificate");
- credential.setEntityCertificate(certificate);
-
- LOG.debug("Load privateKey");
- credential.setPrivateKey(privateKey);
-
- LOG.info("Star procces of sign");
- final Signature signature = (Signature) org.opensaml.xml.Configuration
- .getBuilderFactory().getBuilder(
- Signature.DEFAULT_ELEMENT_NAME).buildObject(
- Signature.DEFAULT_ELEMENT_NAME);
-
- LOG.debug("Begin signature with openSaml");
- signature.setSigningCredential(credential);
-
- /*signature.setSignatureAlgorithm(
- SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);*/
- signature.setSignatureAlgorithm(
- SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-
-
-
- final SecurityConfiguration securityConf =
- org.opensaml.xml.Configuration.getGlobalSecurityConfiguration();
- final NamedKeyInfoGeneratorManager keyInfoManager = securityConf
- .getKeyInfoGeneratorManager();
- final KeyInfoGeneratorManager keyInfoGenManager = keyInfoManager
- .getDefaultManager();
- final KeyInfoGeneratorFactory keyInfoGenFac = keyInfoGenManager
- .getFactory(credential);
- final KeyInfoGenerator keyInfoGenerator = keyInfoGenFac
- .newInstance();
-
- final KeyInfo keyInfo = keyInfoGenerator.generate(credential);
-
- signature.setKeyInfo(keyInfo);
-
- LOG.debug("Set Canonicalization Algorithm");
- signature.setCanonicalizationAlgorithm(
- SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
-
- //Create a second signature which will be used when signing assertion and response
- final Signature signature2 = (Signature) Configuration
- .getBuilderFactory().getBuilder(
- Signature.DEFAULT_ELEMENT_NAME).buildObject(
- Signature.DEFAULT_ELEMENT_NAME);
- final SecurityConfiguration secConfiguration2 = Configuration
- .getGlobalSecurityConfiguration();
- final NamedKeyInfoGeneratorManager keyInfoManager2 = secConfiguration2
- .getKeyInfoGeneratorManager();
- final KeyInfoGeneratorManager keyInfoGenManager2 = keyInfoManager2
- .getDefaultManager();
- final KeyInfoGeneratorFactory keyInfoGenFac2 = keyInfoGenManager2
- .getFactory(credential);
- final KeyInfoGenerator keyInfoGenerator2 = keyInfoGenFac2
- .newInstance();
-
- KeyInfo keyInfo2 = keyInfoGenerator2.generate(credential);
- signature2.setSigningCredential(credential);
- signature2.setSignatureAlgorithm(
- SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
- signature2.setKeyInfo(keyInfo2);
- signature2.setCanonicalizationAlgorithm(
- SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
-
-
- LOG.info("Marshall samlToken.");
- String qn = tokenSaml.getElementQName().toString();
-
- if (qn.endsWith(CustomAttributeQuery.DEFAULT_ELEMENT_LOCAL_NAME))
- {
- tokenSaml.setSignature(signature);
- CustomAttributeQueryMarshaller mars = new CustomAttributeQueryMarshaller();
- mars.marshall(tokenSaml);
- Signer.signObject(signature);
- }
- else if (qn.endsWith(Response.DEFAULT_ELEMENT_LOCAL_NAME) && !qn.contains(LogoutResponse.DEFAULT_ELEMENT_LOCAL_NAME))
- {
- Response res = (Response)tokenSaml;
- List<Assertion> asserts = res.getAssertions();
- //If multiple assertions we just sign the response and not the assertion
- if (asserts.size() > 1)
- {
- tokenSaml.setSignature(signature);
- Configuration.getMarshallerFactory().getMarshaller(tokenSaml)
- .marshall(tokenSaml);
- LOG.info("Sign samlToken.");
- Signer.signObject(signature);
- }
- //If single assertion we sign the assertion and response
- else
- {
- Assertion assertion = (Assertion)asserts.get(0);
- assertion.setSignature(signature);
- tokenSaml.setSignature(signature2);
- Configuration.getMarshallerFactory().getMarshaller(tokenSaml)
- .marshall(tokenSaml);
- LOG.info("Sign samlToken.");
- Signer.signObject(signature);
- Signer.signObject(signature2);
- }
- }
- //Normally we just sign the total saml response
- else
- {
- tokenSaml.setSignature(signature);
- Configuration.getMarshallerFactory().getMarshaller(tokenSaml)
- .marshall(tokenSaml);
- LOG.info("Sign samlToken.");
- Signer.signObject(signature);
- }
-
- } catch (final MarshallingException e) {
- LOG.error("MarshallingException");
- throw new SAMLEngineException(e);
- } catch (final NoSuchAlgorithmException e) {
- LOG.error("A 'xmldsig#rsa-sha1' cryptographic algorithm is requested but is not available in the environment.");
- throw new SAMLEngineException(e);
- } catch (final KeyStoreException e) {
- LOG.error("Generic KeyStore exception.");
- throw new SAMLEngineException(e);
- } catch (final SignatureException e) {
- LOG.error("Signature exception.");
- throw new SAMLEngineException(e);
- } catch (final SecurityException e) {
- LOG.error("Security exception.");
- throw new SAMLEngineException(e);
- } catch (final CertificateException e) {
- LOG.error("Certificate exception.");
- throw new SAMLEngineException(e);
- } catch (final IOException e) {
- LOG.error("IO exception.");
- throw new SAMLEngineException(e);
- } catch (final UnrecoverableKeyException e) {
- LOG.error("UnrecoverableKeyException exception.");
- throw new SAMLEngineException(e);
- }
-
- return tokenSaml;
- }
-
- /**
- * @see
- * eu.stork.peps.auth.engine.core.SAMLEngineSignI#validateSignature(SignableSAMLObject)
- * @param tokenSaml the token saml
- * @return the SAMLObject validated.
- * @throws SAMLEngineException exception in validate signature
- */
- public SAMLObject validateSignature(final SignableSAMLObject tokenSaml)
- throws SAMLEngineException {
- LOG.info("Start signature validation.");
- try {
-
- // Validate structure signature
- final SAMLSignatureProfileValidator signProfValidator =
- new SAMLSignatureProfileValidator();
-
- // Indicates signature id conform to SAML Signature profile
- signProfValidator.validate(tokenSaml.getSignature());
-
- String aliasCert;
- X509Certificate certificate;
-
- final List<Credential> trustedCred = new ArrayList<Credential>();
-
- for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e
- .hasMoreElements();) {
- aliasCert = e.nextElement();
- final BasicX509Credential credential = new BasicX509Credential();
- certificate = (X509Certificate) storkOwnKeyStore
- .getCertificate(aliasCert);
- credential.setEntityCertificate(certificate);
- trustedCred.add(credential);
- }
-
- final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo();
- final List<X509Certificate> listCertificates = KeyInfoHelper
- .getCertificates(keyInfo);
-
- if (listCertificates.size() != 1) {
- throw new SAMLEngineException("Only must be one certificate");
- }
-
- // Exist only one certificate
- final BasicX509Credential entityX509Cred = new BasicX509Credential();
- entityX509Cred.setEntityCertificate(listCertificates.get(0));
-
- final ExplicitKeyTrustEvaluator keyTrustEvaluator =
- new ExplicitKeyTrustEvaluator();
- if (!keyTrustEvaluator.validate(entityX509Cred, trustedCred)) {
- throw new SAMLEngineException("Certificate it is not trusted.");
- }
-
- final SignatureValidator sigValidator = new SignatureValidator(
- entityX509Cred);
-
- sigValidator.validate(tokenSaml.getSignature());
-
- } catch (final ValidationException e) {
- LOG.error("ValidationException.", e);
- throw new SAMLEngineException(e);
- } catch (final KeyStoreException e) {
- LOG.error("ValidationException.", e);
- throw new SAMLEngineException(e);
- } catch (final CertificateException e) {
- LOG.error("CertificateException.", e);
- throw new SAMLEngineException(e);
- }
- return tokenSaml;
- }
-
- /**
- * load cryptographic service provider.
- *
- * @throws SAMLEngineException the SAML engine exception
- * Note this class was using pkcs11Provider
- * final Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(inputStream)
- * if (Security.getProperty(pkcs11Provider.getName()) == null) {
- * Security.insertProviderAt(pkcs11Provider, Security .getProviders().length)
- * }
- * storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE))
- */
- public void loadCryptServiceProvider() throws SAMLEngineException {
- LOG.info("Load Cryptographic Service Provider");
- InputStream inputStream = null;
-
- try {
- inputStream = SignHW.class.getResourceAsStream("/"
- + properties.getProperty(CONF_FILE));
-
- } catch (final Exception e) {
- throw new SAMLEngineException(
- "Error loading CryptographicServiceProvider", e);
- } finally {
- IOUtils.closeQuietly(inputStream);
- }
- }
-
-}
+/* + * Licensed under the EUPL, Version 1.1 or – as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. You may + * obtain a copy of the Licence at: + * + * http://www.osor.eu/eupl/european-union-public-licence-eupl-v.1.1 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * Licence for the specific language governing permissions and limitations under + * the Licence. + */ + +package eu.stork.peps.auth.engine.core.impl; + +import java.io.IOException; +import java.io.InputStream; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.Security; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.InvalidPropertiesFormatException; +import java.util.List; +import java.util.Properties; + +import eu.stork.peps.auth.engine.X509PrincipalUtil; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.NotImplementedException; +import org.bouncycastle.jce.X509Principal; +import org.opensaml.Configuration; +import org.opensaml.common.SAMLObject; +import org.opensaml.common.SignableSAMLObject; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.Response; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityConfiguration; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager; +import org.opensaml.xml.security.keyinfo.KeyInfoHelper; +import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager; +import org.opensaml.xml.security.x509.BasicX509Credential; +import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator; +import org.opensaml.xml.signature.KeyInfo; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.SignatureValidator; +import org.opensaml.xml.signature.Signer; +import org.opensaml.xml.validation.ValidationException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + + +import eu.stork.peps.auth.engine.core.CustomAttributeQuery; +import eu.stork.peps.auth.engine.core.SAMLEngineSignI; +import eu.stork.peps.exceptions.SAMLEngineException; + +/** + * The Class HWSign. Module of sign. + * + * @author fjquevedo + */ +public final class SignHW implements SAMLEngineSignI { + + /** The Constant CONFIGURATION_FILE. */ + private static final String CONF_FILE = "configurationFile"; + + /** The Constant KEYSTORE_TYPE. + private static final String KEYSTORE_TYPE = "keystoreType" */ + + /** The logger. */ + private static final Logger LOG = LoggerFactory.getLogger(SignHW.class + .getName()); + + /** The stork own key store. */ + private KeyStore storkOwnKeyStore = null; + + /** + * Gets the stork own key store. + * + * @return the stork own key store + */ + public KeyStore getStorkOwnKeyStore() { + return storkOwnKeyStore; + } + + /** + * Gets the stork trustStore. + * + * @return the stork own key store + */ + public KeyStore getTrustStore() { + return storkOwnKeyStore; + } + + /** + * Sets the stork own key store. + * + * @param newkOwnKeyStore the new stork own key store + */ + public void setStorkOwnKeyStore(final KeyStore newkOwnKeyStore) { + this.storkOwnKeyStore = newkOwnKeyStore; + } + + /** + * Gets the properties. + * + * @return the properties + */ + public Properties getProperties() { + return properties; + } + + /** + * Sets the properties. + * + * @param newProperties the new properties + */ + public void setProperties(final Properties newProperties) { + this.properties = newProperties; + } + + /** The HW sign prop. */ + private Properties properties = null; + + /** + * @see + * eu.stork.peps.auth.engine.core.SAMLEngineSignI#init(java.lang.String) + * @param fileConf file of configuration + * @throws SAMLEngineException error in read file + */ + public void init(final String fileConf) + throws SAMLEngineException { + InputStream inputStr = null; + try { + inputStr = SignHW.class.getResourceAsStream("/" + + fileConf); + properties = new Properties(); + + properties.loadFromXML(inputStr); + } catch (final InvalidPropertiesFormatException e) { + LOG.info("Exception: invalid properties format."); + throw new SAMLEngineException(e); + } catch (IOException e) { + LOG.info("Exception: invalid file: " + fileConf); + throw new SAMLEngineException(e); + } finally { + IOUtils.closeQuietly(inputStr); + } + } + + + /** + * @see eu.stork.peps.auth.engine.core.SAMLEngineSignI#getCertificate() + * @return the X509Certificate. + */ + public X509Certificate getCertificate() { + throw new NotImplementedException(); + } + + /** + * @see + * eu.stork.peps.auth.engine.core.SAMLEngineSignI#sign(SignableSAMLObject tokenSaml) + * @param tokenSaml signable SAML Object + * @return the SAMLObject signed. + * @throws SAMLEngineException error in sign token saml + */ + public SAMLObject sign(final SignableSAMLObject tokenSaml) throws SAMLEngineException { + + try { + LOG.info("Star procces of sign"); + final char[] pin = properties.getProperty("keyPassword") + .toCharArray(); + + storkOwnKeyStore.load(null, pin); + + final String serialNumber = properties.getProperty("serialNumber"); + final String issuer = properties.getProperty("issuer"); + + String alias = null; + String aliasCert; + X509Certificate certificate; + + boolean find = false; + for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e + .hasMoreElements() && !find;) { + aliasCert = e.nextElement(); + certificate = (X509Certificate) storkOwnKeyStore + .getCertificate(aliasCert); + // Verified serial number, issuer + + final String serialNum = certificate.getSerialNumber() + .toString(16); + X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); + X509Principal issuerDNConf = new X509Principal(issuer); + + if(serialNum.equalsIgnoreCase(serialNumber) + && X509PrincipalUtil.equals(issuerDN, issuerDNConf)){ + alias = aliasCert; + find = true; + } + + } + + if (!find) { + throw new SAMLEngineException("Certificate cannot be found in keystore "); + } + certificate = (X509Certificate) storkOwnKeyStore.getCertificate(alias); + final PrivateKey privateKey = (PrivateKey) storkOwnKeyStore.getKey( + alias, pin); + + LOG.info("Recover BasicX509Credential."); + final BasicX509Credential credential = new BasicX509Credential(); + + LOG.debug("Load certificate"); + credential.setEntityCertificate(certificate); + + LOG.debug("Load privateKey"); + credential.setPrivateKey(privateKey); + + LOG.info("Star procces of sign"); + final Signature signature = (Signature) org.opensaml.xml.Configuration + .getBuilderFactory().getBuilder( + Signature.DEFAULT_ELEMENT_NAME).buildObject( + Signature.DEFAULT_ELEMENT_NAME); + + LOG.debug("Begin signature with openSaml"); + signature.setSigningCredential(credential); + + /*signature.setSignatureAlgorithm( + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);*/ + signature.setSignatureAlgorithm( + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + + + + final SecurityConfiguration securityConf = + org.opensaml.xml.Configuration.getGlobalSecurityConfiguration(); + final NamedKeyInfoGeneratorManager keyInfoManager = securityConf + .getKeyInfoGeneratorManager(); + final KeyInfoGeneratorManager keyInfoGenManager = keyInfoManager + .getDefaultManager(); + final KeyInfoGeneratorFactory keyInfoGenFac = keyInfoGenManager + .getFactory(credential); + final KeyInfoGenerator keyInfoGenerator = keyInfoGenFac + .newInstance(); + + final KeyInfo keyInfo = keyInfoGenerator.generate(credential); + + signature.setKeyInfo(keyInfo); + + LOG.debug("Set Canonicalization Algorithm"); + signature.setCanonicalizationAlgorithm( + SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + + //Create a second signature which will be used when signing assertion and response + final Signature signature2 = (Signature) Configuration + .getBuilderFactory().getBuilder( + Signature.DEFAULT_ELEMENT_NAME).buildObject( + Signature.DEFAULT_ELEMENT_NAME); + final SecurityConfiguration secConfiguration2 = Configuration + .getGlobalSecurityConfiguration(); + final NamedKeyInfoGeneratorManager keyInfoManager2 = secConfiguration2 + .getKeyInfoGeneratorManager(); + final KeyInfoGeneratorManager keyInfoGenManager2 = keyInfoManager2 + .getDefaultManager(); + final KeyInfoGeneratorFactory keyInfoGenFac2 = keyInfoGenManager2 + .getFactory(credential); + final KeyInfoGenerator keyInfoGenerator2 = keyInfoGenFac2 + .newInstance(); + + KeyInfo keyInfo2 = keyInfoGenerator2.generate(credential); + signature2.setSigningCredential(credential); + signature2.setSignatureAlgorithm( + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + signature2.setKeyInfo(keyInfo2); + signature2.setCanonicalizationAlgorithm( + SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + + + LOG.info("Marshall samlToken."); + String qn = tokenSaml.getElementQName().toString(); + + if (qn.endsWith(CustomAttributeQuery.DEFAULT_ELEMENT_LOCAL_NAME)) + { + tokenSaml.setSignature(signature); + CustomAttributeQueryMarshaller mars = new CustomAttributeQueryMarshaller(); + mars.marshall(tokenSaml); + Signer.signObject(signature); + } + else if (qn.endsWith(Response.DEFAULT_ELEMENT_LOCAL_NAME) && !qn.contains(LogoutResponse.DEFAULT_ELEMENT_LOCAL_NAME)) + { + Response res = (Response)tokenSaml; + List<Assertion> asserts = res.getAssertions(); + //If multiple assertions we just sign the response and not the assertion + if (asserts.size() > 1) + { + tokenSaml.setSignature(signature); + Configuration.getMarshallerFactory().getMarshaller(tokenSaml) + .marshall(tokenSaml); + LOG.info("Sign samlToken."); + Signer.signObject(signature); + } + //If single assertion we sign the assertion and response + else + { + Assertion assertion = (Assertion)asserts.get(0); + assertion.setSignature(signature); + tokenSaml.setSignature(signature2); + Configuration.getMarshallerFactory().getMarshaller(tokenSaml) + .marshall(tokenSaml); + LOG.info("Sign samlToken."); + Signer.signObject(signature); + Signer.signObject(signature2); + } + } + //Normally we just sign the total saml response + else + { + tokenSaml.setSignature(signature); + Configuration.getMarshallerFactory().getMarshaller(tokenSaml) + .marshall(tokenSaml); + LOG.info("Sign samlToken."); + Signer.signObject(signature); + } + + } catch (final MarshallingException e) { + LOG.error("MarshallingException"); + throw new SAMLEngineException(e); + } catch (final NoSuchAlgorithmException e) { + LOG.error("A 'xmldsig#rsa-sha1' cryptographic algorithm is requested but is not available in the environment."); + throw new SAMLEngineException(e); + } catch (final KeyStoreException e) { + LOG.error("Generic KeyStore exception."); + throw new SAMLEngineException(e); + } catch (final SignatureException e) { + LOG.error("Signature exception."); + throw new SAMLEngineException(e); + } catch (final SecurityException e) { + LOG.error("Security exception."); + throw new SAMLEngineException(e); + } catch (final CertificateException e) { + LOG.error("Certificate exception."); + throw new SAMLEngineException(e); + } catch (final IOException e) { + LOG.error("IO exception."); + throw new SAMLEngineException(e); + } catch (final UnrecoverableKeyException e) { + LOG.error("UnrecoverableKeyException exception."); + throw new SAMLEngineException(e); + } + + return tokenSaml; + } + + /** + * @see + * eu.stork.peps.auth.engine.core.SAMLEngineSignI#validateSignature(SignableSAMLObject) + * @param tokenSaml the token saml + * @return the SAMLObject validated. + * @throws SAMLEngineException exception in validate signature + */ + public SAMLObject validateSignature(final SignableSAMLObject tokenSaml) + throws SAMLEngineException { + LOG.info("Start signature validation."); + try { + + // Validate structure signature + final SAMLSignatureProfileValidator signProfValidator = + new SAMLSignatureProfileValidator(); + + // Indicates signature id conform to SAML Signature profile + signProfValidator.validate(tokenSaml.getSignature()); + + String aliasCert; + X509Certificate certificate; + + final List<Credential> trustedCred = new ArrayList<Credential>(); + + for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e + .hasMoreElements();) { + aliasCert = e.nextElement(); + final BasicX509Credential credential = new BasicX509Credential(); + certificate = (X509Certificate) storkOwnKeyStore + .getCertificate(aliasCert); + credential.setEntityCertificate(certificate); + trustedCred.add(credential); + } + + final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo(); + final List<X509Certificate> listCertificates = KeyInfoHelper + .getCertificates(keyInfo); + + if (listCertificates.size() != 1) { + throw new SAMLEngineException("Only must be one certificate"); + } + + // Exist only one certificate + final BasicX509Credential entityX509Cred = new BasicX509Credential(); + entityX509Cred.setEntityCertificate(listCertificates.get(0)); + + final ExplicitKeyTrustEvaluator keyTrustEvaluator = + new ExplicitKeyTrustEvaluator(); + if (!keyTrustEvaluator.validate(entityX509Cred, trustedCred)) { + throw new SAMLEngineException("Certificate it is not trusted."); + } + + final SignatureValidator sigValidator = new SignatureValidator( + entityX509Cred); + + sigValidator.validate(tokenSaml.getSignature()); + + } catch (final ValidationException e) { + LOG.error("ValidationException.", e); + throw new SAMLEngineException(e); + } catch (final KeyStoreException e) { + LOG.error("ValidationException.", e); + throw new SAMLEngineException(e); + } catch (final CertificateException e) { + LOG.error("CertificateException.", e); + throw new SAMLEngineException(e); + } + return tokenSaml; + } + + /** + * load cryptographic service provider. + * + * @throws SAMLEngineException the SAML engine exception + * Note this class was using pkcs11Provider + * final Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(inputStream) + * if (Security.getProperty(pkcs11Provider.getName()) == null) { + * Security.insertProviderAt(pkcs11Provider, Security .getProviders().length) + * } + * storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE)) + */ + public void loadCryptServiceProvider() throws SAMLEngineException { + LOG.info("Load Cryptographic Service Provider"); + InputStream inputStream = null; + + try { + inputStream = SignHW.class.getResourceAsStream("/" + + properties.getProperty(CONF_FILE)); + + } catch (final Exception e) { + throw new SAMLEngineException( + "Error loading CryptographicServiceProvider", e); + } finally { + IOUtils.closeQuietly(inputStream); + } + } + +} |