From 9aa438639862ccdc4f9523195df04131cc1913b8 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 17 Mar 2014 18:50:19 +0100
Subject: Add KeyInfo element with certificate to SAML2 signature
---
 .../opemsaml/MOAKeyStoreX509CredentialAdapter.java | 52 ++++++++++++++++++++++
 .../moa/id/protocols/pvp2x/MetadataAction.java | 6 ++-
 .../id/protocols/pvp2x/binding/PostBinding.java | 4 +-
 .../protocols/pvp2x/binding/RedirectBinding.java | 3 +-
 .../MOADefaultSecurityConfigurationBootstrap.java | 23 ++++++++++
 .../protocols/pvp2x/signer/CredentialProvider.java | 14 +++---
 6 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java
new file mode 100644
index 000000000..81afcfbc1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.opemsaml;
+
+import java.security.KeyStore;
+
+import org.opensaml.xml.security.x509.X509Credential;
+
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAKeyStoreX509CredentialAdapter extends
+ org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter {
+
+ /**
+ * @param store
+ * @param alias
+ * @param password
+ */
+ public MOAKeyStoreX509CredentialAdapter(KeyStore store, String alias,
+ char[] password) {
+ super(store, alias, password);
+ }
+
+ public Class getCredentialType() {
+ return X509Credential.class;
+ }
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 1668c31ce..9a5623ca0 100644
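Review bot: `getCredentialType()` in the new adapter returns the raw type `Class` and carries no `@Override`, so the compiler cannot check that it actually overrides the interface method it is meant to replace; declare it as `@Override public Class<? extends Credential> getCredentialType()` (importing `org.opensaml.xml.security.credential.Credential`). The class Javadoc currently holds only an `@author` tag and should state why the override exists — presumably so that KeyInfo generation selects the X.509 generator factory by credential type and thereby emits the certificate, which is the commit's stated purpose — for example `Reports X509Credential as the credential type so the X.509 KeyInfo generator factory is selected for this credential.`; confirm that against how OpenSAML's KeyInfoGeneratorManager looks factories up before wording it as fact.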
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -46,6 +46,7 @@ import org.opensaml.saml2.metadata.KeyDescriptor;
 import org.opensaml.saml2.metadata.NameIDFormat;
 import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.security.SecurityHelper;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
@@ -114,7 +115,10 @@ public class MetadataAction implements IAction {
 Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
 Signature signature = CredentialProvider
 .getIDPSignature(metadataSigningCredential);
-
+
+ //set KeyInfo Element
+ SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null);
+
 idpEntitiesDescriptor.setSignature(signature);
 //
 //set SignatureMethode
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index d00b1cc16..aebd94a29 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
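Review bot: `SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null)` is declared to throw OpenSAML's checked `org.opensaml.xml.security.SecurityException`, and the enclosing method's signature and `throws` clause are outside the hunk, so confirm the exception is declared or handled deliberately rather than absorbed by a broad catch further down. Passing `null` for the configuration makes the call fall back to the global security configuration, so what ends up in KeyInfo depends on MOADefaultSecurityConfigurationBootstrap being the installed configuration; the comment `//set KeyInfo Element` should say so, e.g. `// populate ds:KeyInfo via the global security configuration's KeyInfoGeneratorManager (null config -> global default)`. The removed and re-added whitespace-only line directly above that comment is noise and can be dropped from the change.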
@@ -45,6 +45,8 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
 import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
 
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
@@ -65,7 +67,7 @@ public class PostBinding implements IDecoder, IEncoder {
 throws MessageEncodingException, SecurityException {
 try {
- Credential credentials = CredentialProvider
+ X509Credential credentials = CredentialProvider
 .getIDPAssertionSigningCredential();
 Logger.debug("create SAML POSTBinding response");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index f09178f55..5155d6958 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -48,6 +48,7 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
 import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.x509.X509Credential;
 
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
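Review bot: The PostBinding import hunk adds `org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter`, but the only new use in this file is the `X509Credential` local in the second hunk, so that adapter import is unused and should be dropped, keeping only `import org.opensaml.xml.security.x509.X509Credential;`. The existing `Credential` import may likewise have lost its last use now that the local is typed `X509Credential`; its other uses, if any, are outside the hunk, so check before removing it. The encode method whose local this narrows starts and ends outside the hunk.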
@@ -69,7 +70,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
 StatusResponseType response, String targetLocation)
 throws MessageEncodingException, SecurityException {
 try {
- Credential credentials = CredentialProvider
+ X509Credential credentials = CredentialProvider
 .getIDPAssertionSigningCredential();
 Logger.debug("create SAML RedirectBinding response");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
index 1563ba9be..f878b95d3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
@@ -25,6 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config;
 import org.opensaml.xml.encryption.EncryptionConstants;
 import org.opensaml.xml.security.BasicSecurityConfiguration;
 import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
+import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
 import org.opensaml.xml.signature.SignatureConstants;
 
 /**
@@ -46,6 +50,25 @@ public class MOADefaultSecurityConfigurationBootstrap extends
 return config;
 }
+ protected static void populateKeyInfoGeneratorManager(
+ BasicSecurityConfiguration config) {
+ NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager();
+ config.setKeyInfoGeneratorManager(namedManager);
+
+ namedManager.setUseDefaultManager(true);
+ KeyInfoGeneratorManager defaultManager = namedManager
+ .getDefaultManager();
+
+ BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
+ basicFactory.setEmitPublicKeyValue(true);
+
+ X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
+ x509Factory.setEmitEntityCertificate(true);
+
+ defaultManager.registerFactory(basicFactory);
+ defaultManager.registerFactory(x509Factory);
+ }
+
 protected static void populateSignatureParams(
 BasicSecurityConfiguration config) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
index e3e25b1a9..d95e21a0e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
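Review bot: `populateKeyInfoGeneratorManager` is `static`, so it hides rather than overrides the parent `DefaultSecurityConfigurationBootstrap` method of the same name and only takes effect if this class's own configuration builder — the method ending in `return config;` above, whose start is outside the hunk — calls it explicitly; that should be confirmed, since a call inside the parent's builder would still bind to the parent's version. The new method has no Javadoc; it should state what the registered factories emit — the public key value for plain credentials and the end-entity certificate for X.509 credentials — and that relying parties must still validate the embedded certificate against trusted metadata rather than accept it merely because it appears in KeyInfo. A short why-comment on the manager setup would also help, e.g. `// default manager: generator factory is chosen by the credential's getCredentialType()`, which is what makes the X.509 factory apply to the IDP signing credentials.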
@@ -30,9 +30,11 @@ import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.SignatureConstants;
 
+import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
@@ -42,7 +44,7 @@ public class CredentialProvider {
 private static KeyStore keyStore = null;
- public static Credential getIDPMetaDataSigningCredential()
+ public static X509Credential getIDPMetaDataSigningCredential()
 throws CredentialsNotAvailableException {
 PVPConfiguration config = PVPConfiguration.getInstance();
 try {
@@ -51,7 +53,7 @@ public class CredentialProvider {
 keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
 config.getIDPKeyStorePassword());
- KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
 keyStore, config.getIDPKeyAliasMetadata(), config
 .getIDPKeyPasswordMetadata().toCharArray());
@@ -64,7 +66,7 @@ public class CredentialProvider {
 }
 }
- public static Credential getIDPAssertionSigningCredential()
+ public static X509Credential getIDPAssertionSigningCredential()
 throws CredentialsNotAvailableException {
 PVPConfiguration config = PVPConfiguration.getInstance();
 try {
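Review bot: With both `new KeyStoreX509CredentialAdapter(` constructions replaced by `MOAKeyStoreX509CredentialAdapter` in the hunks at -51 and -72, the context import `org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter` appears to have no remaining use in CredentialProvider and should be dropped, unless a use outside the diff remains. Narrowing the two return types from `Credential` to `X509Credential` is source-compatible for existing callers, and the binding classes in this commit now depend on the narrower type, so the Javadoc of both methods (not visible here) should name the X.509 credential contract. Both method bodies continue past their hunks.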
@@ -72,12 +74,12 @@ public class CredentialProvider {
 keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
 config.getIDPKeyStorePassword());
- KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
 keyStore, config.getIDPKeyAliasAssertionSign(), config
 .getIDPKeyPasswordAssertionSign().toCharArray());
-
+
 credentials.setUsageType(UsageType.SIGNING);
- return credentials;
+ return (X509Credential) credentials;
 } catch (Exception e) {
 Logger.error("Failed to generate IDP Assertion Signing credentials");
 e.printStackTrace();
--
cgit v1.2.3
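Review bot: The cast in `return (X509Credential) credentials;` is redundant: `credentials` is a `MOAKeyStoreX509CredentialAdapter`, whose superclass `KeyStoreX509CredentialAdapter` already implements `X509Credential`, so `return credentials;` is sufficient and mirrors the metadata-credential method changed in the same commit. The whitespace-only `-`/`+` pair just before `credentials.setUsageType(UsageType.SIGNING);` is noise that can be left out of the change. The enclosing method continues beyond the hunk.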