/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SecureAttrs.java,v 1.12 2009/03/31 17:18:10 exu Exp $
*
* Portions Copyrighted 2016 ForgeRock AS.
*/
/**
* <code>SecureAttrs</code> class forms the core api of "Secure Attributes
* Exchange" (SAE) feature. The class uses off the shelf digital
* signing and encryption algorithms to generate tamperproof/nonrepudiable
* strings representing attribute maps and to verify these strings.
* Typical SAE usage is to securely send attributes (authentication &
* use profile data) from an asserting application (eg running on an IDP) to
* a relying application (eg running on an SP). In this scenario the
* asserting party uses the "signing" interfaces to generate secure
* data and the relying application uses "verification" interfaces
* to ascertain the authenticity of the data.
* Current implementation provides two mechanisms to secure attributes :
* Symmetric : uses simple shared secrets between the two ends.
* Asymmetric : uses PKI based signing using public-private keys.
* Freshness is provided by a varying seed generated from the
* current timestamp and a configurable expiry period within which
* the relying party must validate the token.
* @supported.api
*/
public class SecureAttrs
{
/**
* HTTP parameter name used to send and receive secure attribute data.
* IDP : sends secure attrs in this parameter.
* SP : receives secure attrs in this parameter.
* @supported.api
*/
/**
* SAE Parameter representing a command.
* Currently only "logout" needs to be explicitly provided. SSO is implied.
* IDP : Uses this parameter to instruct FM to issue a global logout.
* SP : Receives this parameter from FM.
* @supported.api
*/
/**
* SAE Parameter representing the authenticated user.
* IDP : Uses this parameter to send authenticated userid to FM.
* SP : Receives userid in this parameter.
* @supported.api
*/
/**
* SAE Parameter representing the session's authentication level.
* IDP : Uses this parameter to send authentication level to FM.
* SP : Receives authentication level in this parameter.
* @supported.api
*/
/**
* SAE Parameter used to pass IDP entity ID to SP app.
* IDP: Not Applicable
* SP: populates this parameter to identify IDP used in SSO.
*/
/**
* SAE Parameter used to pass SP entity ID to SP app.
* IDP: Not Applicable
* SP: populates this parameter to identify SP used in SSO.
*/
/**
* SAE Parameter representing the requested SP app to be invoked.
* IDP : populates this parameter with SP side app to be invoked.
* SP : Not Applicable.
* @supported.api
*/
/**
* SAE Parameter used to identify the IDP app (Asserting party)
* IDP : populates this parameter to identify itself.
* SP : Not Applicable.
* @supported.api
*/
/**
* SAE Parameter : Deprecated.
* @supported.api
*/
/**
* SAE Parameter internally used by FM for storing token timestamp.
* @supported.api
*/
/**
* SAE Parameter internally used by FM for storing signature data.
* @supported.api
*/
/**
* SAE Parameter used to comunicate errors.
* @supported.api
*/
/**
* SAE Parameter used to communicate to SP to return to specified url
* upon Logout completion.
* IDP : Not applicable
* SP : expected to redirect to the value upon processing logout req.
* @supported.api
*/
/**
* SAE Parameter used to comunicate to FM where to redirect after a
* global logout is completed.
* IDP : sends this param as part of logout command.
* SP : N/A.
* @supported.api
*/
/**
* SAE command <code>SAE_PARAM_CMD</code>
* @supported.api
*/
/**
* Crypto types supported.
* @supported.api
*/
/**
* Crypto type : Symmetric : shared secret based trust between parties.
* @supported.api
*/
/**
* Crypto type : Asymmetric : PKI based trust.
* @supported.api
*/
/**
* SAE Config : classame implementing <code>Cert</code>.
* If not specified, a JKS keystore default impl is used.
*/
/**
* SAE Config : Location of the keystore to access keys from for
* asymmetric crypto.
* @supported.api
*/
/**
* SAE Config : keystore type. Default : JKS
* @supported.api
*/
/**
* SAE Config : Password to open the keystrore.
* @supported.api
*/
/**
* SAE Config : Private key alias for asymmetric signing. Alias
* is used to retrive the key from the keystore.
* @supported.api
*/
/**
* SAE Config : Public key for asymmetric signature verification. Alias
* is used to retrive the key from the keystore.
* @supported.api
*/
/**
* SAE Config : Private key for asymmetric signing.
* @supported.api
*/
/**
* SAE Config : Password to access the private key.
* @supported.api
*/
/**
* SAE Config : Flag to indicate whether keys should be cached in memory
* once retrieved from the keystore.
* @supported.api
*/
/**
* SAE Config : shared secret constant - used internally in FM.
* @supported.api
*/
/**
* SAE Config : data encryption algorithm.
* @supported.api
*/
"encryptionalgorithm";
/**
* SAE Config : data encryption key strength.
* @supported.api
*/
"encryptionkeystrength";
/**
* SAE Config : Signature validity : since timetamp on signature.
* @supported.api
*/
"saesigvalidityduration";
/**
* Debug : true | false
*/
public static boolean dbg = false;
private boolean asymsigning = false;
private boolean asymencryption = false;
/**
* Returns an instance to perform crypto operations.
* @param name
* @return <code>SecureAttrs</code> instance.
* @supported.api
*/
{
}
/**
* Initializes a SecureAttrs instance specified by <code>name</code>.
* If the instance already exists, it replaces it with the new instance.
* Use <code>SecureAttrs.getIstance(name)</code> to obtain the instance.
* @param name Name of the <code>SecureAttrs</code> instance.
* @param type Cryptographic key type. Possible values are
* <code>SecureAttrs.SAE_CRYPTO_TYPE_SYM<code>, and
* <code>SecureAttrs.SAE_CRYPTO_TYPE_ASYM</code>
* @param properties : please see SAE_CONFIG_* constants for configurable
* values.
* @throws Exception rethrows underlying exception.
* @supported.api
*/
synchronized public static void init(
{
}
/**
* Creates two instances of <code>SecureAttrs</code> named
* "symmetric" and "asymmetric" representing the two suppported
* crytp types.
* @param properties : please see SAE_CONFIG_* constants for configurable
* values.
* @throws Exception rethrows underlying exception.
* @supported.api
* @deprecated For backward compatability with older releases of this api.
* Replaced by {@link #init(String,String,Properties)}
*/
{
}
/**
* Returns a Base64 encoded string comprising a signed set of attributes.
*
* @param attrs Attribute Value pairs to be processed.
* @param secret Shared secret (symmetric) Private key alias (asymmetric)
*
* @return Base64 encoded token String to be passed to a relying party.
* @supported.api
*/
{
}
/**
* Returns encrypted string for the given attributes. The encrypted
* data is Base64 encoded string encrypted with supplied encryption
* secret and signs using shared secret.
* @param attrs Attribute Value pairs to be processed.
* @param secret Shared secret (symmetric) Private key alias (asymmetric) * @param encSecret The encryption secret (symmetric) or Public
* Key alias (asymmetric)
* @return Base64 encoded token String to be passed to a relying party.
* @supported.api
*/
throws Exception {
}
if(asymencryption) {
encKey);
} else {
secret);
}
if(dbg) {
}
return encryptedString;
}
return null;
}
}
}
/**
* Verifies a Base64 encoded string for authenticity based on the
* shared secret supplied.
* @param str Base64 encoded string containing attribute
* @param secret Shared secret (symmmetric) or Public Key (asymmetric)
*
* @return Decoded, verified and parsed attrbute name-valie pairs.
* @supported.api
*/
{
return null;
}
if (dbg)
return null;
}
return map;
}
/**
* Verifies the encrypted data string using encryption secret and
* shared secret that was used for signing.
* @param str Base64 encoded string containing attribute
* @param secret Shared secret (symmmetric) or Public Key (asymmetric)
* @param encSecret The encryption secret (symmetric) or Public
* Key alias (asymmetric)
* @return Decoded, verified and parsed attrbute name-valie pairs.
* @supported.api
*/
throws Exception {
}
if(!isEncrypted(str)) {
}
}
if(asymencryption) {
dataEncAlg, pKey);
} else {
}
if (dbg) {
"decrypted string " + decryptStr);
}
}
}
byte[] encString = new byte[9];
for (int i=0; i < 9; i++) {
}
return true;
}
return false;
}
/**
* Returns a decoded <code>Map</code> of attribute-value pairs.
* No verification is performed. Useful when retrieving data before
* verifying contents for authenticity.
* @param str Base64 encoded string containing attribute
*
* @return Decoded and parsed attrbute name-value pairs.
* @supported.api
*/
{
return null;
}
return null;
}
while(tokenizer.hasMoreTokens()) {
if(index == -1) {
continue;
}
}
return map;
}
/**
* Returns a decoded <code>Map</code> of attribute-value pairs.
* No verification is performed. Useful when retrieving data before
* verifying contents for authenticity.
* @param str Base64 encoded string containing attribute
* @param encSecret The encryption secret (symmetric) or Public
* Key alias (asymmetric)
* @return Decoded and parsed attrbute name-value pairs.
* @supported.api
*/
throws Exception {
return getRawAttributesFromEncodedData(str);
}
}
if(!isEncrypted(str)) {
return getRawAttributesFromEncodedData(str);
}
if(asymencryption) {
dataEncAlg, pKey);
} else {
}
if(dbg) {
" string" + decryptStr);
}
}
/**
* This interface allows to set the private to be used for signing
* as an alternative to passing down <code>SAE_CONFIG_PRIVATE_KEY_ALIAS</a>
* via <code>init</code>. Use this interface if you do not want
* SecureAttr to obtain the signing key from a configured keystore.
* To use this key during signing, specify secret as null.
* @param privatekey
* @supported.api
*/
{
}
/**
* This interface allows to register a public key to be used for signature
* verification. Use this interface if you do not want SecureAttrs to
* obtain public keys from a configured keystore.
* @param pubkeyalias
* @param x509certificate instance.
* @supported.api
*/
public void addPublicKey(
{
}
{
}
/**
* Returns a String representing data in the attrs argument.
* The String generated can be one of the following depending
* on configuration :
* SHA1 digest based on a shared secret and current timestamp.
* or
* Digital signature based on a configured certificate key.
*
* @param attrs List of attribute Value pairs to be processed.
* @param secret Shared secret (symmmetric) or Private Key (asymmetric)
*
* @return token String to be passed to a relying party.
* @supported.api
*/
{
// Normalize
// Setup a fresh timestamp
if(asymsigning)
{
} else
{
// Create seed : TIMESTAMP + shared secret
// Encrypt
}
return null;
}
}
/**
* Verifies the authenticity of data the attrs argument based
* on the token presented. Both attrs and token is sent by
* a asserting party.
* @param attrs List of attribute Value pairs to be processed.
* @param token token represnting attrs provided by asserting party.
* @param secret Shared secret (symmmetric) or Public Key (asymmetric)
*
* @return true if attrs and token verify okay, else returns false.
* @supported.api
*/
throws Exception
{
// Normalize
// Retrieve timestamp
// Check timestamp validity
return false;
if(asymsigning)
{
}
// Create seed : TIMESTAMP + shared secret
// Encrypt
return true;
else
return false;
}
{
asymsigning = true;
asymencryption = true;
}
//"com.sun.identity.sae.api.FMCerts").newInstance();
else
certs = new DefaultCerts();
}
}
{
// Sort the Map
// Flatten to a single String
}
return str;
}
{
try
{
} catch(NoSuchAlgorithmException e) {
throw new Exception(e.getMessage());
}
try
{
} catch(UnsupportedEncodingException e) {
throw new Exception(e.getMessage());
}
return hash; //step 6
}
{
if (dbg)
return null;
}
try
{
}
{
return null;
}
else
{
try
{
}
catch(Exception exception1)
{
return null;
}
} else
{
return null;
}
try
{
}
catch(Exception exception2)
{
return null;
}
try
{
}
catch(Exception exception3)
{
return null;
}
try
{
}
catch(Exception exception4)
{
return null;
}
{
return null;
} else
{
return s4;
}
}
{
{
if (dbg)
return false;
}
if (dbg)
try
{
}
{
return false;
}
else
{
try
{
}
catch(Exception exception1)
{
return false;
}
} else
{
return false;
}
try
{
}
catch(Exception exception2)
{
return false;
}
try
{
}
catch(Exception exception3)
{
return false;
}
boolean flag = false;
try
{
}
catch(Exception exception4)
{
return false;
}
return flag;
}
{
try
{
SecureAttrs.dbg = true;
String s = "YnJhbmNoPTAwNXxtYWlsPXVzZXI1QG1haWwuY29tfHN1bi51c2VyaWQ9dXNlcjV8U2lnbmF0dXJlPVRTMTE3NDI3ODY1OTM2NlRTbzI2MkhoL3R1dDRJc0U1V3ZqWjVSLzZkM0FzPQ==";
else
else
s1 = "test";
else
else
else
s1 = "secret";
else
s1 = "test";
else
s1 = "test";
else
s1 = "secret";
else
}
{
}
}
public interface Certs {
public void addPublicKey(
}
{
private boolean cacheKeys = true;
{
{
SAE_CONFIG_KEYSTORE_TYPE, "JKS");
pkpass.toCharArray());
}
cacheKeys = false;
}
}
{
try {
return privateKey;
pkpass.toCharArray());
return null;
}
}
{
try
{
}
{
}
}
return x509certificate;
}
{
}
public void addPublicKey(
{
}
throws Exception
{
if(cacheKeys)
return x509certificate;
}
}
}