From 9cb68043945f53246928443cea723b58ee2b1c24 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 21 Jan 2014 14:38:35 +0100 Subject: updated samlengine --- .../stork/peps/auth/engine/core/impl/SignHW.java | 85 ++++++++++++++++++++-- 1 file changed, 77 insertions(+), 8 deletions(-) (limited to 'id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java') diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java index 2db14f543..5e9c753ae 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java @@ -36,8 +36,12 @@ import eu.stork.peps.auth.engine.X509PrincipalUtil; import org.apache.commons.io.IOUtils; import org.apache.commons.lang.NotImplementedException; import org.bouncycastle.jce.X509Principal; +import org.opensaml.Configuration; import org.opensaml.common.SAMLObject; import org.opensaml.common.SignableSAMLObject; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.Response; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.SecurityConfiguration; @@ -62,6 +66,7 @@ import org.slf4j.LoggerFactory; +import eu.stork.peps.auth.engine.core.CustomAttributeQuery; import eu.stork.peps.auth.engine.core.SAMLEngineSignI; import eu.stork.peps.exceptions.SAMLEngineException; @@ -237,8 +242,10 @@ public final class SignHW implements SAMLEngineSignI { LOG.debug("Begin signature with openSaml"); signature.setSigningCredential(credential); + /*signature.setSignatureAlgorithm( + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);*/ signature.setSignatureAlgorithm( - SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); @@ -261,14 +268,76 @@ public final class SignHW implements SAMLEngineSignI { signature.setCanonicalizationAlgorithm( SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); - tokenSaml.setSignature(signature); - - LOG.debug("Marshall samlToken."); - org.opensaml.xml.Configuration.getMarshallerFactory() - .getMarshaller(tokenSaml).marshall(tokenSaml); + //Create a second signature which will be used when signing assertion and response + final Signature signature2 = (Signature) Configuration + .getBuilderFactory().getBuilder( + Signature.DEFAULT_ELEMENT_NAME).buildObject( + Signature.DEFAULT_ELEMENT_NAME); + final SecurityConfiguration secConfiguration2 = Configuration + .getGlobalSecurityConfiguration(); + final NamedKeyInfoGeneratorManager keyInfoManager2 = secConfiguration2 + .getKeyInfoGeneratorManager(); + final KeyInfoGeneratorManager keyInfoGenManager2 = keyInfoManager2 + .getDefaultManager(); + final KeyInfoGeneratorFactory keyInfoGenFac2 = keyInfoGenManager2 + .getFactory(credential); + final KeyInfoGenerator keyInfoGenerator2 = keyInfoGenFac2 + .newInstance(); + + KeyInfo keyInfo2 = keyInfoGenerator2.generate(credential); + signature2.setSigningCredential(credential); + signature2.setSignatureAlgorithm( + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + signature2.setKeyInfo(keyInfo2); + signature2.setCanonicalizationAlgorithm( + SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + - LOG.info("Sign samlToken."); - Signer.signObject(signature); + LOG.info("Marshall samlToken."); + String qn = tokenSaml.getElementQName().toString(); + + if (qn.endsWith(CustomAttributeQuery.DEFAULT_ELEMENT_LOCAL_NAME)) + { + tokenSaml.setSignature(signature); + CustomAttributeQueryMarshaller mars = new CustomAttributeQueryMarshaller(); + mars.marshall(tokenSaml); + Signer.signObject(signature); + } + else if (qn.endsWith(Response.DEFAULT_ELEMENT_LOCAL_NAME) && !qn.contains(LogoutResponse.DEFAULT_ELEMENT_LOCAL_NAME)) + { + Response res = (Response)tokenSaml; + List asserts = res.getAssertions(); + //If multiple assertions we just sign the response and not the assertion + if (asserts.size() > 1) + { + tokenSaml.setSignature(signature); + Configuration.getMarshallerFactory().getMarshaller(tokenSaml) + .marshall(tokenSaml); + LOG.info("Sign samlToken."); + Signer.signObject(signature); + } + //If single assertion we sign the assertion and response + else + { + Assertion assertion = (Assertion)asserts.get(0); + assertion.setSignature(signature); + tokenSaml.setSignature(signature2); + Configuration.getMarshallerFactory().getMarshaller(tokenSaml) + .marshall(tokenSaml); + LOG.info("Sign samlToken."); + Signer.signObject(signature); + Signer.signObject(signature2); + } + } + //Normally we just sign the total saml response + else + { + tokenSaml.setSignature(signature); + Configuration.getMarshallerFactory().getMarshaller(tokenSaml) + .marshall(tokenSaml); + LOG.info("Sign samlToken."); + Signer.signObject(signature); + } } catch (final MarshallingException e) { LOG.error("MarshallingException"); -- cgit v1.2.3