SAML2MetaSecurityUtils.java revision 905b8e215b24a1b5d547692cef530c0d2ab545c9
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SAML2MetaSecurityUtils.java,v 1.6 2009/06/08 23:43:18 madan_ranganath Exp $
*
* Portions Copyrighted 2010-2016 ForgeRock AS.
*/
/**
* The <code>SAML2MetaUtils</code> provides metadata security related util
* methods.
*/
public final class SAML2MetaSecurityUtils {
private static boolean checkCert = true;
private static boolean keyProviderInitialized = false;
public static final String NS_MD_QUERY =
"urn:oasis:names:tc:SAML:metadata:ext:query";
private SAML2MetaSecurityUtils() {
}
private static void initializeKeyStore() {
if (keyProviderInitialized) {
return;
}
if (keyProvider != null) {
}
try {
} catch (Exception e) {
checkCert = true;
}
keyProviderInitialized = true;
}
/**
* Signs the entity descriptor root element by the following rules:
* <ul>
* <li>Hosted Entity</li>
* <ul>
* <li>If there is a signature already on the EntityDescriptor, removes it, then signs the EntityDescriptor.
* </li>
* <li>Simply signs the EntityDescriptor otherwise.</li>
* </ul>
* <li>Remote Entity</li>
* <ul>
* <li>If there is a signature already on the EntityDescriptor, then does not change it, but returns the
* Document with the original signature.
* </li>
* <li>Simply signs the EntityDescriptor otherwise</li>
* </ul>
* </ul>
* If there is no extended metadata for the entity, the entity is considered as remote.
*
* @param realm The realm where the EntityDescriptor belongs to.
* @param descriptor The entity descriptor.
* @return Signed <code>Document</code> for the entity descriptor or null if no metadata signing key is found in
* the configuration.
* @throws SAML2MetaException if unable to sign the entity descriptor.
* @throws JAXBException if the entity descriptor is invalid.
*/
throws JAXBException, SAML2MetaException {
if (descriptor == null) {
throw new SAML2MetaException("Unable to sign null descriptor");
}
boolean isHosted;
//if there is no EntityConfig, this is considered as a remote entity
isHosted = false;
} else {
}
if (signingCert == null) {
return null;
}
if (isHosted) {
break;
} else {
//one signature found for this remote entity on the root element,
//in this case returning the entry with the original signature
//as that may be judged more accurately
return doc;
}
}
}
//we need to sign or re-sign the document, let's generate a new ID
try {
+ "\" and namespace-uri()=\"" + NS_META
+ "\"]/*[1]";
sigManager.signXMLUsingKeyPass(doc, signingCert, getRealmSetting(METADATA_SIGNING_KEY_PASS, realm), null,
} catch (XMLSignatureException xmlse) {
if (debug.messageEnabled()) {
}
}
return doc;
}
/**
* Verifies signatures in entity descriptor represented by the
* <code>Document</code>.
* @param doc The document.
* @throws SAML2MetaException if unable to verify the entity descriptor.
*/
throws SAML2MetaException
{
try {
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
" # of signatures = " + numSigs);
}
if (numSigs == 0) {
return;
}
// If there are signatures then explicitly identify the ID Attribute, See comments section of
for(int i = 0; i < numSigs; i++) {
if (debug.messageEnabled()) {
"verifying signature under " + sigParentName);
}
try {
}
}
if (debug.messageEnabled()) {
+ " try to find cert in KeyDescriptor");
}
"\" and namespace-uri()=\"" + NS_META +
"\"]";
if (ki.containsX509Data()) {
new KeyStoreResolver(keyStore);
new StorageResolver(ksr);
}
}
}
break;
}
}
}
}
}
}
}
}
} catch (SAML2MetaException sme) {
throw sme;
throw new SAML2MetaException(
ex.getMessage());
}
}
}
/**
* Restores Base64 encoded format.
* JAXB will change
* <ds:X509Data>
* <ds:X509Certificate>
* .........
* .........
* </ds:X509Certificate>
* </ds:X509Data>
* to
* <ds:X509Data>
* <ds:X509Certificate>..................</ds:X509Certificate>
* </ds:X509Data>
*
* This method will restore the format.
* @param xmlstr The xml string containing element 'X509Certificate'.
* @return the restored xmls string.
*/
int from = 0;
while (index != -1) {
int i;
}
}
}
throws SAML2MetaException
{
return null;
}
try {
if (debug.messageEnabled()) {
"SAML2MetaSecurityUtils.buildX509Certificate:", ex);
}
}
}
}
/**
* Updates signing or encryption key info for SP or IDP.
* This will update both signing/encryption alias on extended metadata and
* certificates in standard metadata.
* @param realm Realm the entity resides.
* @param entityID ID of the entity to be updated.
* @param certAliases The set of certificate aliases to be set for the entity. If null or empty, existing key
* information will be removed from the SP or IDP.
* @param isSigning true if this is signing certificate alias, false if
* this is encryption certification alias.
* @param isIDP true if this is for IDP signing/encryption alias, false
* if this is for SP signing/encryption alias
* @param encAlgo Encryption algorithm URI, this is applicable for
* encryption cert only.
* @param keySize Encryption key size, this is applicable for
* encryption cert only.
* @throws SAML2MetaException if failed to update the certificate alias
* for the entity.
*/
}
if (isIDP) {
}
} else {
}
}
// update standard metadata
// remove key info
if (isSigning) {
} else {
}
} else {
}
// update extended metadata
if (isSigning) {
} else {
}
}
}
private static void updateKeyDescriptor(RoleDescriptorType desp, Set<KeyDescriptorType> keyDescriptors) {
}
}
}
boolean isSigningUse) {
if (isSigningUse) {
keyUse = "signing";
}
}
}
}
private static void setExtendedAttributeValue(
try {
}
}
}
} catch (JAXBException e) {
throw new SAML2MetaException(e);
}
}
private static KeyDescriptorElement getKeyDescriptor(
throws SAML2MetaException {
try {
if (isSigning) {
} else {
}
.append("<KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n")
.append("<X509Data>\n")
.append("<X509Certificate>\n")
.append("</X509Certificate>")
.append("</X509Data>")
.append("</KeyInfo>");
.append("\">\n");
.append("</EncryptionMethod>");
}
return (KeyDescriptorElement)
} catch (JAXBException e) {
throw new SAML2MetaException(e);
}
}
/**
* Retrieves the Metadata signing key/pass configured either in the realm, or if that is not present (the SAML
* service is not added to the realm), the globally configured signing key alias/password will be used.
*
* @param attribute The name of the attribute that needs to be retrieved
* @return The requested attribute configured in the realm or in the global settings.
*/
}
}