/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.signer; import java.security.KeyStore; import java.security.PrivateKey; import java.security.interfaces.RSAPrivateKey; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureConstants; import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; import at.gv.egovernment.moa.util.MiscUtil; public class CredentialProvider { private static KeyStore keyStore = null; public static X509Credential getIDPMetaDataSigningCredential() throws CredentialsNotAvailableException { PVPConfiguration config = PVPConfiguration.getInstance(); try { if (keyStore == null) keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), config.getIDPKeyStorePassword()); MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( keyStore, config.getIDPKeyAliasMetadata(), config .getIDPKeyPasswordMetadata().toCharArray()); credentials.setUsageType(UsageType.SIGNING); if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { Logger.error("IDP Metadata Signing credentials is not found or contains no PrivateKey."); throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: " + config.getIDPKeyAliasMetadata() + ") is not found or contains no PrivateKey.", null); } return credentials; } catch (Exception e) { Logger.error("Failed to generate IDP Metadata Signing credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException(e.getMessage(), null); } } public static X509Credential getIDPAssertionSigningCredential() throws CredentialsNotAvailableException { PVPConfiguration config = PVPConfiguration.getInstance(); try { if (keyStore == null) keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), config.getIDPKeyStorePassword()); MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( keyStore, config.getIDPKeyAliasAssertionSign(), config .getIDPKeyPasswordAssertionSign().toCharArray()); credentials.setUsageType(UsageType.SIGNING); if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { Logger.error("IDP Assertion Signing credentials is not found or contains no PrivateKey."); throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: " + config.getIDPKeyAliasAssertionSign() + ") is not found or contains no PrivateKey.", null); } return (X509Credential) credentials; } catch (Exception e) { Logger.error("Failed to generate IDP Assertion Signing credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException(e.getMessage(), null); } } public static X509Credential getIDPAssertionEncryptionCredential() throws CredentialsNotAvailableException { PVPConfiguration config = PVPConfiguration.getInstance(); try { if (keyStore == null) keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), config.getIDPKeyStorePassword()); //if no encryption key is configured return null if (MiscUtil.isEmpty(config.getIDPKeyAliasAssertionEncryption())) return null; MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( keyStore, config.getIDPKeyAliasAssertionEncryption(), config .getIDPKeyPasswordAssertionEncryption().toCharArray()); credentials.setUsageType(UsageType.ENCRYPTION); if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { Logger.error("IDP Assertion Encryption credentials is not found or contains no PrivateKey."); throw new CredentialsNotAvailableException("IDP Assertion Encryption credentials (Alias: " + config.getIDPKeyAliasAssertionEncryption() + ") is not found or contains no PrivateKey.", null); } return (X509Credential) credentials; } catch (Exception e) { Logger.error("Failed to generate IDP Assertion Encryption credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException(e.getMessage(), null); } } public static Signature getIDPSignature(Credential credentials) { PrivateKey privatekey = credentials.getPrivateKey(); Signature signer = SAML2Utils.createSAMLObject(Signature.class); if (privatekey instanceof RSAPrivateKey) { signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); } else { Logger.warn("Could NOT evaluate the Private-Key type from PVP credential."); } signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); signer.setSigningCredential(credentials); return signer; } public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException { iaik.x509.X509Certificate cert = PVPConfiguration.getInstance() .getTrustEntityCertificate(entityID); if (cert == null) { throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null); } BasicX509Credential credential = new BasicX509Credential(); credential.setEntityId(entityID); credential.setUsageType(UsageType.SIGNING); credential.setPublicKey(cert.getPublicKey()); return credential; } /* * public static Credential getTrustedCredential() throws * CredentialsNotAvailableException { String filename = * PVPConfiguration.getInstance().getTrustEntityCertificate("sp.crt"); * * iaik.x509.X509Certificate cert; try { cert = new X509Certificate(new * FileInputStream(new File(filename))); } catch (CertificateException e) { * e.printStackTrace(); throw new * CredentialsNotAvailableException(e.getMessage(), null); } catch * (FileNotFoundException e) { e.printStackTrace(); throw new * CredentialsNotAvailableException(e.getMessage(), null); } catch * (IOException e) { e.printStackTrace(); throw new * CredentialsNotAvailableException(e.getMessage(), null); } * * BasicX509Credential credential = new BasicX509Credential(); * credential.setEntityId("sp.crt"); * credential.setUsageType(UsageType.SIGNING); * credential.setPublicKey(cert.getPublicKey()); * * return credential; } */ }