a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: KeyUtil.java,v 1.5 2009/06/08 23:41:03 madan_ranganath Exp $
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeper * Portions Copyrighted 2013-2014 ForgeRock AS
272ac8a1a482b3baeff7293aac5de828cfd1ee69Mark de Reeperimport org.apache.xml.security.encryption.XMLCipher;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.IFSConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.meta.IDFFMetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.jaxb.xmlsig.KeyInfoType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.jaxb.xmlsig.X509DataElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.KeyDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The <code>KeyUtil</code> provides methods to obtain
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the hosting entity's signing key and decryption key, and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to obtain a partner entity's signature verification key
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and encryption related information
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // key is EntityID|Role
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // value is EncInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Hashtable encHash = new Hashtable();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // key is EntityID|Role
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // value is X509Certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected static Hashtable sigHash = new Hashtable();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster kp = (KeyProvider)Class.forName(SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.JKS_KEY_PROVIDER)).newInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "KeyUtil static block:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Couldn't find the class.",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "KeyUtil static block:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Couldn't instantiate the key provider instance.",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "KeyUtil static block:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Couldn't access the default constructor.",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the instance of <code>KeyProvider</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>KeyProvider</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static KeyProvider getKeyProviderInstance() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the host entity's signing certificate alias.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param baseConfig <code>BaseConfigType</code> for the host entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>String</code> for host entity's signing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * certificate alias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getSigningCertAlias(BaseConfigType baseConfig) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map map = IDFFMetaUtils.getAttributes(baseConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = (List)map.get(IFSConstants.SIGNING_CERT_ALIAS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((alias != null) && (alias.length() != 0) && (kp != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the host entity's decryption key.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param baseConfig <code>BaseConfigType</code> for the host entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>PrivateKey</code> for decrypting a message received
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * by the host entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static PrivateKey getDecryptionKey(BaseConfigType baseConfig) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map map = IDFFMetaUtils.getAttributes(baseConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = (List)map.get(IFSConstants.ENCRYPTION_CERT_ALIAS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((alias != null) && (alias.length() != 0) && (kp != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the partner entity's signature verification certificate.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param providerDescriptor <code>ProviderDescriptorType</code> for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the partner entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityID partner entity's ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param isIDP whether partner entity's role is IDP or SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>X509Certificate</code> for verifying the partner
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * entity's signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static X509Certificate getVerificationCert(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProviderDescriptorType providerDescriptor, String entityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("KeyUtil.getVerificationCert: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Entering... \nEntityID=" + entityID + "\nRole=" + role);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // first try to get it from cache
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = (X509Certificate)sigHash.get(index);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // else get it from meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("KeyUtil.getVerificationCert: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Null ProviderDescriptorType input for entityID=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getKeyDescriptor(providerDescriptor, "signing");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("KeyUtil.getVerificationCert: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "No signing KeyDescriptor for entityID=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("KeyUtil.getVerificationCert: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "No signing cert for entityID=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the encryption information which will be used in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * encrypting messages intended for the partner entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param providerDescriptor <code>ProviderDescriptorType</code> for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the partner entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityID partner entity's ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param isIDP whether partner entity's role is IDP or SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>EncInfo</code> which includes partner entity's
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * public key for wrapping the secret key, data encryption algorithm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and data encryption strength
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static EncInfo getEncInfo(ProviderDescriptorType providerDescriptor,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Entering... \nEntityID=" + entityID + "\nRole="+role);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // first try to get it from cache
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // else get it from meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Null ProviderDescriptorType input for entityID=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getKeyDescriptor(providerDescriptor, "encryption");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "No encryption KeyDescriptor for entityID=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "No encryption cert for entityID=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((algorithm == null) || (algorithm.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns <code>KeyDescriptorType</code> from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ProviderDescriptorType</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param providerDescriptor <code>ProviderDescriptorType</code> which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * contains <code>KeyDescriptor</code>s.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param usage type of the <code>KeyDescriptorType</code> to be retrieved.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Its value is "encryption" or "signing".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return KeyDescriptorType in <code>ProviderDescriptorType</code> that
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * matched the usage type.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static KeyDescriptorType getKeyDescriptor(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProviderDescriptorType providerDescriptor, String usage) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = providerDescriptor.getKeyDescriptor();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((use == null) || (use.trim().length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns certificate stored in <code>KeyDescriptorType</code> in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ProviderDescriptorType</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param providerDescriptor <code>ProviderDescriptorType</code> which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * contains <code>KeyDescriptor</code>s.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param usage type of the <code>KeyDescriptorType</code> to be retrieved.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Its value is "encryption" or "signing".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return X509Certificate contained in <code>KeyDescriptorType</code>; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>null</code> if no certificate is included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProviderDescriptorType providerDescriptor, String usage) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getCert(getKeyDescriptor(providerDescriptor, usage));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns certificate stored in <code>KeyDescriptorType</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param kd <code>KeyDescriptorType</code> which contains certificate info
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return X509Certificate contained in <code>KeyDescriptorType</code>; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>null</code> if no certificate is included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static X509Certificate getCert(KeyDescriptorType kd) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("KeyUtil.getCert: No KeyInfo.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509DataElement data = (X509DataElement) ki.getContent().get(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((com.sun.identity.liberty.ws.common.jaxb.xmlsig.X509DataType.X509Certificate)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster data.getX509IssuerSerialOrX509SKIOrX509SubjectName().get(0)).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (java.security.cert.CertificateException ce) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to get CertificateFactory for X.509 type", ce);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ByteArrayInputStream bais = new ByteArrayInputStream(bt);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retCert = (X509Certificate)cf.generateCertificate(bais);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (java.security.cert.CertificateException ce) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to generate certificate from byte "+