a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: KeyUtil.java,v 1.5 2009/06/08 23:41:03 madan_ranganath Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper * Portions Copyrighted 2013-2014 ForgeRock AS
87d8fe7bb0310573817363029054851860d4d5e0Mark de Reeper */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.federation.key;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Map;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Hashtable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.io.ByteArrayInputStream;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.cert.CertificateFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.PublicKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.PrivateKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.cert.X509Certificate;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.encryption.XMLCipher;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.IFSConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.meta.IDFFMetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.jaxb.xmlsig.KeyInfoType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.jaxb.xmlsig.X509DataElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.KeyDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The <code>KeyUtil</code> provides methods to obtain
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the hosting entity's signing key and decryption key, and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to obtain a partner entity's signature verification key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and encryption related information
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
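public class KeyUtil {

    /**
     * Key provider loaded once from configuration (see the static block);
     * <code>null</code> when the configured implementation could not be
     * loaded, in which case alias and private-key lookups return
     * <code>null</code>.
     */
    private static KeyProvider kp = null;

    // key is EntityID|Role, where Role is "idp" or "sp"
    // value is EncInfo
    // Populated by getEncInfo; nothing in this class ever removes entries,
    // so a partner's encryption key is cached until an external caller
    // clears it or the JVM restarts.
    public static Hashtable encHash = new Hashtable();

    // key is EntityID|Role, where Role is "idp" or "sp"
    // value is X509Certificate
    // Populated by getVerificationCert; same lifetime caveat as encHash.
    protected static Hashtable sigHash = new Hashtable();

    static {
        // The provider class name is taken from system configuration and falls
        // back to the JKS implementation. Any load failure is logged and leaves
        // kp null rather than failing class initialisation.
        try {
            kp = (KeyProvider)Class.forName(SystemConfigurationUtil.getProperty(
                SAMLConstants.KEY_PROVIDER_IMPL_CLASS,
                SAMLConstants.JKS_KEY_PROVIDER)).newInstance();
        } catch (ClassNotFoundException cnfe) {
            FSUtils.debug.error(
                "KeyUtil static block:" +
                " Couldn't find the class.",
                cnfe);
            kp = null;
        } catch (InstantiationException ie) {
            FSUtils.debug.error(
                "KeyUtil static block:" +
                " Couldn't instantiate the key provider instance.",
                ie);
            kp = null;
        } catch (IllegalAccessException iae) {
            FSUtils.debug.error(
                "KeyUtil static block:" +
                " Couldn't access the default constructor.",
                iae);
            kp = null;
        }
    }

    /** Utility class; not instantiable. */
    private KeyUtil() {
    }

    /**
     * Returns the instance of <code>KeyProvider</code>.
     * @return <code>KeyProvider</code>, or <code>null</code> if the configured
     *         provider could not be loaded at class initialisation
     */
    public static KeyProvider getKeyProviderInstance() {
        return kp;
    }

    /**
     * Returns the host entity's signing certificate alias.
     * The alias is only returned when a <code>KeyProvider</code> is
     * available, since without one the alias cannot be resolved to a key.
     * @param baseConfig <code>BaseConfigType</code> for the host entity
     * @return <code>String</code> for host entity's signing
     *         certificate alias, or <code>null</code> if the attribute is
     *         absent or empty or no <code>KeyProvider</code> is available
     */
    public static String getSigningCertAlias(BaseConfigType baseConfig) {

        String alias = getFirstAttributeValue(
            baseConfig, IFSConstants.SIGNING_CERT_ALIAS);
        if ((alias != null) && (alias.length() != 0) && (kp != null)) {
            return alias;
        }
        return null;
    }

    /**
     * Returns the host entity's decryption key.
     * @param baseConfig <code>BaseConfigType</code> for the host entity
     * @return <code>PrivateKey</code> for decrypting a message received
     *         by the host entity, or <code>null</code> if no encryption
     *         certificate alias is configured or no <code>KeyProvider</code>
     *         is available
     */
    public static PrivateKey getDecryptionKey(BaseConfigType baseConfig) {

        String alias = getFirstAttributeValue(
            baseConfig, IFSConstants.ENCRYPTION_CERT_ALIAS);
        if ((alias != null) && (alias.length() != 0) && (kp != null)) {
            return kp.getPrivateKey(alias);
        }
        return null;
    }

    /**
     * Returns the first value of a multi-valued attribute of the entity
     * configuration.
     * @param baseConfig <code>BaseConfigType</code> holding the attributes
     * @param attrName name of the attribute
     * @return first value, or <code>null</code> if the attribute is absent
     *         or has no values
     */
    private static String getFirstAttributeValue(
        BaseConfigType baseConfig, String attrName) {

        Map map = IDFFMetaUtils.getAttributes(baseConfig);
        if (map == null) {
            return null;
        }
        List list = (List)map.get(attrName);
        if ((list == null) || list.isEmpty()) {
            return null;
        }
        return (String)list.get(0);
    }

    /**
     * Builds the cache key shared by <code>sigHash</code> and
     * <code>encHash</code>.
     * @param entityID partner entity's ID (must not be <code>null</code>)
     * @param role "idp" or "sp"
     * @return <code>EntityID|Role</code>
     */
    private static String cacheKey(String entityID, String role) {
        return entityID.trim() + "|" + role;
    }

    /**
     * Returns the partner entity's signature verification certificate.
     * The certificate is taken from the partner's metadata as-is; this method
     * performs no validity-period or chain check, so trust rests on the
     * metadata source. Results are cached in <code>sigHash</code>.
     * @param providerDescriptor <code>ProviderDescriptorType</code> for
     *        the partner entity
     * @param entityID partner entity's ID
     * @param isIDP whether partner entity's role is IDP or SP
     * @return <code>X509Certificate</code> for verifying the partner
     *         entity's signature, or <code>null</code> if the metadata holds
     *         no usable signing certificate
     */
    public static X509Certificate getVerificationCert(
        ProviderDescriptorType providerDescriptor, String entityID,
        boolean isIDP) {

        String role = (isIDP) ? "idp":"sp";
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("KeyUtil.getVerificationCert: " +
                "Entering... \nEntityID=" + entityID + "\nRole=" + role);
        }
        if (entityID == null) {
            FSUtils.debug.error("KeyUtil.getVerificationCert: " +
                "Null entityID in " + role + " role.");
            return null;
        }
        // first try to get it from cache
        String index = cacheKey(entityID, role);
        X509Certificate cert = (X509Certificate)sigHash.get(index);
        if (cert != null) {
            return cert;
        }
        // else get it from meta
        if (providerDescriptor == null) {
            FSUtils.debug.error("KeyUtil.getVerificationCert: " +
                "Null ProviderDescriptorType input for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }
        KeyDescriptorType kd =
            getKeyDescriptor(providerDescriptor, "signing");
        if (kd == null) {
            FSUtils.debug.error("KeyUtil.getVerificationCert: " +
                "No signing KeyDescriptor for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }
        cert = getCert(kd);
        if (cert == null) {
            FSUtils.debug.error("KeyUtil.getVerificationCert: " +
                "No signing cert for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }
        // Hashtable is synchronized per call; two threads missing the cache at
        // once both store the same metadata-derived value, which is harmless.
        sigHash.put(index, cert);
        return cert;
    }

    /**
     * Returns the encryption information which will be used in
     * encrypting messages intended for the partner entity.
     * When the metadata declares no <code>EncryptionMethod</code>, AES-128
     * is assumed. Results are cached in <code>encHash</code>.
     * @param providerDescriptor <code>ProviderDescriptorType</code> for
     *        the partner entity
     * @param entityID partner entity's ID
     * @param isIDP whether partner entity's role is IDP or SP
     * @return <code>EncInfo</code> which includes partner entity's
     *         public key for wrapping the secret key, data encryption
     *         algorithm, and data encryption strength; or <code>null</code>
     *         if the metadata holds no usable encryption certificate, or
     *         declares an algorithm without a <code>KeySize</code>
     */
    public static EncInfo getEncInfo(ProviderDescriptorType providerDescriptor,
        String entityID, boolean isIDP) {

        String role = (isIDP) ? "idp":"sp";
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("KeyUtil.getEncInfo: " +
                "Entering... \nEntityID=" + entityID + "\nRole="+role);
        }
        if (entityID == null) {
            FSUtils.debug.error("KeyUtil.getEncInfo: " +
                "Null entityID in " + role + " role.");
            return null;
        }
        // first try to get it from cache
        String index = cacheKey(entityID, role);
        EncInfo encInfo = (EncInfo)encHash.get(index);
        if (encInfo != null) {
            return encInfo;
        }
        // else get it from meta
        if (providerDescriptor == null) {
            FSUtils.debug.error("KeyUtil.getEncInfo: " +
                "Null ProviderDescriptorType input for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }
        KeyDescriptorType kd =
            getKeyDescriptor(providerDescriptor, "encryption");
        if (kd == null) {
            FSUtils.debug.error("KeyUtil.getEncInfo: " +
                "No encryption KeyDescriptor for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }
        X509Certificate cert = getCert(kd);
        if (cert == null) {
            FSUtils.debug.error("KeyUtil.getEncInfo: " +
                "No encryption cert for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }

        String algorithm = kd.getEncryptionMethod();
        // KeySize is a boxed value in the JAXB type and may be absent; a
        // missing size is reported like the other metadata problems above
        // instead of surfacing as a NullPointerException.
        Number keySizeValue = kd.getKeySize();
        int keySize;
        if ((algorithm == null) || (algorithm.length() == 0)) {
            algorithm = XMLCipher.AES_128;
            keySize = 128;
        } else if (keySizeValue == null) {
            FSUtils.debug.error("KeyUtil.getEncInfo: " +
                "No KeySize for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        } else {
            keySize = keySizeValue.intValue();
        }
        PublicKey pk = cert.getPublicKey();
        if (pk == null) {
            FSUtils.debug.error("KeyUtil.getEncInfo: " +
                "No public key in encryption cert for entityID=" +
                entityID + " in " + role + " role.");
            return null;
        }
        encInfo = new EncInfo(pk, algorithm, keySize);
        // Same benign race as in getVerificationCert.
        encHash.put(index, encInfo);
        return encInfo;
    }


    /**
     * Returns <code>KeyDescriptorType</code> from
     * <code>ProviderDescriptorType</code>.
     * A descriptor whose <code>use</code> matches <code>usage</code>
     * (case-insensitively) wins; otherwise the first descriptor that declares
     * no <code>use</code> at all is returned, because such a key may serve
     * either purpose.
     * @param providerDescriptor <code>ProviderDescriptorType</code> which
     *        contains <code>KeyDescriptor</code>s.
     * @param usage type of the <code>KeyDescriptorType</code> to be retrieved.
     *        Its value is "encryption" or "signing".
     * @return KeyDescriptorType in <code>ProviderDescriptorType</code> that
     *         matched the usage type, or <code>null</code> if none matches and
     *         no usage-less descriptor exists.
     */
    public static KeyDescriptorType getKeyDescriptor(
        ProviderDescriptorType providerDescriptor, String usage) {

        if (providerDescriptor == null) {
            return null;
        }

        List list = providerDescriptor.getKeyDescriptor();
        if (list == null) {
            return null;
        }
        KeyDescriptorType noUsageKD = null;
        Iterator iter = list.iterator();
        while (iter.hasNext()) {
            KeyDescriptorType kd = (KeyDescriptorType)iter.next();
            String use = kd.getUse();
            if ((use == null) || (use.trim().length() == 0)) {
                // Remember only the first usage-less descriptor so the result
                // does not depend on where it sits in the list.
                if (noUsageKD == null) {
                    noUsageKD = kd;
                }
                continue;
            }
            // equalsIgnoreCase avoids the default-locale pitfalls of
            // toLowerCase() while accepting the same metadata as before.
            if (use.trim().equalsIgnoreCase(usage)) {
                return kd;
            }
        }
        return noUsageKD;
    }

    /**
     * Returns certificate stored in <code>KeyDescriptorType</code> in
     * <code>ProviderDescriptorType</code>.
     * @param providerDescriptor <code>ProviderDescriptorType</code> which
     *        contains <code>KeyDescriptor</code>s.
     * @param usage type of the <code>KeyDescriptorType</code> to be retrieved.
     *        Its value is "encryption" or "signing".
     * @return X509Certificate contained in <code>KeyDescriptorType</code>; or
     *         <code>null</code> if no certificate is included.
     */
    public static X509Certificate getCert(
        ProviderDescriptorType providerDescriptor, String usage) {

        return getCert(getKeyDescriptor(providerDescriptor, usage));
    }

    /**
     * Returns certificate stored in <code>KeyDescriptorType</code>.
     * The first <code>X509Data</code> child of <code>KeyInfo</code> is
     * inspected and its first <code>X509Certificate</code> entry is parsed.
     * Only parsing is done here; no validity or chain check is performed.
     * @param kd <code>KeyDescriptorType</code> which contains certificate info
     * @return X509Certificate contained in <code>KeyDescriptorType</code>; or
     *         <code>null</code> if no certificate is included or the metadata
     *         is malformed.
     */
    public static X509Certificate getCert(KeyDescriptorType kd) {

        if (kd == null) {
            return null;
        }
        KeyInfoType ki = kd.getKeyInfo();
        if (ki == null) {
            FSUtils.debug.error("KeyUtil.getCert: No KeyInfo.");

            return null;
        }
        // Metadata is external input: check shape before casting so a
        // malformed KeyInfo is logged instead of throwing.
        List content = ki.getContent();
        if ((content == null) || content.isEmpty() ||
            !(content.get(0) instanceof X509DataElement)) {
            FSUtils.debug.error("KeyUtil.getCert: " +
                "KeyInfo does not start with X509Data.");
            return null;
        }
        X509DataElement data = (X509DataElement) content.get(0);
        List x509Items = data.getX509IssuerSerialOrX509SKIOrX509SubjectName();
        byte[] bt = null;
        if (x509Items != null) {
            Iterator iter = x509Items.iterator();
            while (iter.hasNext()) {
                Object item = iter.next();
                if (item instanceof
                    com.sun.identity.liberty.ws.common.jaxb.xmlsig.X509DataType.X509Certificate) {
                    bt = ((com.sun.identity.liberty.ws.common.jaxb.xmlsig.X509DataType.X509Certificate)
                        item).getValue();
                    break;
                }
            }
        }
        if ((bt == null) || (bt.length == 0)) {
            FSUtils.debug.error("KeyUtil.getCert: " +
                "No X509Certificate in X509Data.");
            return null;
        }
        CertificateFactory cf = null;
        try {
            cf = CertificateFactory.getInstance("X.509");
        } catch (java.security.cert.CertificateException ce) {
            FSUtils.debug.error("KeyUtil.getCert: " +
                "Unable to get CertificateFactory for X.509 type", ce);
            return null;
        }
        ByteArrayInputStream bais = new ByteArrayInputStream(bt);
        X509Certificate retCert = null;
        try {
            // If the value holds several concatenated certificates, the last
            // one parsed is the one returned (existing behaviour).
            while (bais.available() > 0) {
                retCert = (X509Certificate)cf.generateCertificate(bais);
            }
        } catch (java.security.cert.CertificateException ce) {
            FSUtils.debug.error("KeyUtil.getCert: " +
                "Unable to generate certificate from byte "+
                "array input stream.", ce);
            return null;
        }
        return retCert;
    }
}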