WSFederationMetaSecurityUtils.java revision 272ac8a1a482b3baeff7293aac5de828cfd1ee69
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: WSFederationMetaSecurityUtils.java,v 1.6 2009/10/28 23:58:59 exu Exp $
*
* Portions Copyrighted 2011-2014 ForgeRock AS
*/
/**
* The <code>WSFederationMetaSecurityUtils</code> class provides
* metadata-security-related utility methods.
*/
public final class WSFederationMetaSecurityUtils {
private static boolean checkCert = true;
private static boolean keyProviderInitialized = false;
/*
* Private constructor: ensures that no instance is ever created.
*/
private WSFederationMetaSecurityUtils() {
    // Intentionally empty: every member of this class is static, so no
    // instance state exists to set up.
}
/**
 * Lazily initializes the key-store related state of this class, at most once.
 *
 * <p>If any exception is thrown while initializing, {@code checkCert} is set
 * to {@code true}, i.e. the failure mode keeps certificate checking enabled
 * rather than silently disabling it.
 *
 * <p>NOTE(review): as rendered here the body is incomplete (the
 * {@code keyProvider} condition has an empty body and the {@code "on"}
 * literal is a fragment of a larger statement) — confirm against the original
 * source before relying on this description. Neither this method nor the
 * static {@code keyProviderInitialized} flag is synchronized or volatile, so
 * two threads calling it for the first time concurrently may both run the
 * initialization.
 */
private static void initializeKeyStore() {
// Guard: initialization has already run.
if (keyProviderInitialized) {
return;
}
if (keyProvider != null) {
}
try {
"on");
} catch (Exception e) {
// Fail closed: on any initialization error, certificate checking stays on.
checkCert = true;
}
keyProviderInitialized = true;
}
/**
* Signs the service provider descriptor under the entity descriptor if a cert
* alias is found in the service provider config, and the identity provider
* descriptor under the entity descriptor if a cert alias is found in the
* identity provider config.
* @param descriptor The entity descriptor.
* @param spconfig The service provider config.
* @param idpconfig The identity provider config.
* @return Signed <code>Document</code> for the entity descriptor, or null
* if neither cert alias is found.
* @throws WSFederationMetaException if unable to sign the entity
* descriptor.
* @throws JAXBException if the entity descriptor is invalid.
*/
) throws JAXBException, WSFederationMetaException
{
/* JUST GET IT TO COMPILE!!!
String spId = null;
String idpId = null;
String spCertAlias = null;
String idpCertAlias = null;
if (spconfig != null) {
Map map = WSFederationMetaUtils.getAttributes(spconfig);
List list = (List)map.get(SAML2Constants.SIGNING_CERT_ALIAS);
if (list != null && !list.isEmpty()) {
spCertAlias = ((String)list.get(0)).trim();
if (spCertAlias.length() > 0) {
SPSSODescriptorElement spDesc =
WSFederationMetaUtils.getSPSSODescriptor(descriptor);
if (spDesc != null) {
spId = SAMLUtils.generateID();
spDesc.setID(spId);
}
}
}
}
if (idpconfig != null) {
Map map = WSFederationMetaUtils.getAttributes(idpconfig);
List list = (List)map.get(SAML2Constants.SIGNING_CERT_ALIAS);
if (list != null && !list.isEmpty()) {
idpCertAlias = ((String)list.get(0)).trim();
if (idpCertAlias.length() > 0) {
IDPSSODescriptorElement idpDesc =
WSFederationMetaUtils.getIDPSSODescriptor(descriptor);
if (idpDesc != null) {
idpId = SAMLUtils.generateID();
idpDesc.setID(idpId);
}
}
}
}
if (spId == null && idpId == null) {
return null;
}
initializeKeyStore();
String xmlstr = WSFederationMetaUtils.convertJAXBToString(descriptor);
xmlstr = formatBase64BinaryElement(xmlstr);
Document doc = XMLUtils.toDOMDocument(xmlstr, debug);
XMLSignatureManager sigManager = XMLSignatureManager.getInstance();
if (spId != null) {
try {
String xpath = "//*[local-name()=\"" + TAG_SP_SSO_DESCRIPTOR +
"\" and namespace-uri()=\"" + NS_META +
"\"]/*[1]";
sigManager.signXML(doc, spCertAlias, null, "ID", spId, true,
xpath);
} catch (XMLSignatureException xmlse) {
if (debug.messageEnabled()) {
debug.message("WSFederationMetaSecurityUtils.sign:", xmlse);
}
throw new WSFederationMetaException(xmlse.getMessage());
}
}
if (idpId != null) {
try {
String xpath = "//*[local-name()=\"" + TAG_IDP_SSO_DESCRIPTOR +
"\" and namespace-uri()=\"" + NS_META +
"\"]/*[1]";
sigManager.signXML(doc, idpCertAlias, null, "ID", idpId, true,
xpath);
} catch (XMLSignatureException xmlse) {
if (debug.messageEnabled()) {
debug.message("WSFederationMetaSecurityUtils.sign:", xmlse);
}
throw new WSFederationMetaException(xmlse.getMessage());
}
}
return doc;
*/
return null;
}
/**
* Verifies signatures in entity descriptor represented by the
* <code>Document</code>.
* @param doc The document.
* @throws WSFederationMetaException if unable to verify the entity
* descriptor.
*/
throws WSFederationMetaException
{
try {
throw new WSFederationMetaException(ex);
}
if (debug.messageEnabled()) {
}
if (numSigs == 0) {
return;
}
for(int i = 0; i < numSigs; i++) {
if (debug.messageEnabled()) {
}
try {
}
}
if (debug.messageEnabled()) {
"try to find cert in KeyDescriptor");
}
"\" and namespace-uri()=\"" + NS_META +
"\"]";
if (ki.containsX509Data()) {
new KeyStoreResolver(keyStore);
new StorageResolver(ksr);
}
}
}
break;
}
}
}
}
}
}
throw new WSFederationMetaException(
"untrusted_cert", objs);
}
}
} catch (WSFederationMetaException sme) {
throw sme;
throw new WSFederationMetaException(
}
}
}
/**
* Restores Base64 encoded format.
* JAXB will change
* <ds:X509Data>
* <ds:X509Certificate>
* .........
* .........
* </ds:X509Certificate>
* </ds:X509Data>
* to
* <ds:X509Data>
* <ds:X509Certificate>..................</ds:X509Certificate>
* </ds:X509Data>
*
* This method will restore the format.
* @param xmlstr The xml string containing element 'X509Certificate'.
* @return the restored XML string.
*/
int from = 0;
while (index != -1) {
int i;
}
}
}
/**
* Base64 encodes a certificate from the key store.
* @param certAlias alias of certificate to be encoded.
* @return Base64 encoded certificate
*/
throws WSFederationMetaException
{
"buildX509Certificate: ";
return null;
}
try {
if (debug.messageEnabled()) {
}
}
}
}
/**
* Updates signing or encryption key info for SP or IDP.
* This will update both signing/encryption alias on extended metadata and
* certificates in standard metadata.
* @param realm Realm in which the entity resides.
* @param entityID ID of the entity to be updated.
* @param certAlias Alias of the certificate to set on the entity. If
* null, existing key information is removed from the SP or IDP.
* @param isIDP true if this is for IDP signing/encryption alias, false
* if this is for SP signing/encryption alias
* @throws WSFederationMetaException if the certificate alias for the
* entity cannot be updated.
*/
throws WSFederationMetaException {
}
if (isIDP) {
}
// update standard metadata
// remove key info
} else {
// update extended metadata
}
} else {
}
// update standard metadata
// remove key info
} else {
// update extended metadata
}
}
}
// NOTE : we only support one signing and one encryption key right now
// the code need to be change if we need to support multiple signing
if (o instanceof TokenSigningKeyInfoElement) {
}
}
}
// NOTE : we only support one signing and one encryption key right now
// the code need to be change if we need to support multiple signing
if (o instanceof TokenSigningKeyInfoElement) {
}
}
}
try {
}
}
}
} catch (JAXBException e) {
throw new WSFederationMetaException(e);
}
}
throws WSFederationMetaException {
try {
.append("\">\n");
.append("<X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n")
.append("<X509Certificate>\n")
.append("</X509Certificate>\n")
.append("</X509Data>\n")
.append("</SecurityTokenReference>\n");
return (TokenSigningKeyInfoElement)
} catch (JAXBException e) {
throw new WSFederationMetaException(e);
}
}
}