WSFederationMetaSecurityUtils.java revision 9e34f70f789dbd049eed2b273ca9b7d2cd26fd51
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * The contents of this file are subject to the terms
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * of the Common Development and Distribution License
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * (the License). You may not use this file except in
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * compliance with the License.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * You can obtain a copy of the License at
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * https://opensso.dev.java.net/public/CDDLv1.0.html or
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * See the License for the specific language governing
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * permission and limitations under the License.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * When distributing Covered Code, include this CDDL
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * Header Notice in each file and include the License file
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * If applicable, add the following below the CDDL Header,
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * with the fields enclosed by brackets [] replaced by
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * your own identifying information:
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * "Portions Copyrighted [year] [name of copyright owner]"
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * $Id: WSFederationMetaSecurityUtils.java,v 1.6 2009/10/28 23:58:59 exu Exp $
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * Portions Copyrighted 2011-2016 ForgeRock AS
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherpackage com.sun.identity.wsfederation.meta;
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagherimport org.apache.xml.security.keys.KeyInfo;
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagherimport org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport org.apache.xml.security.keys.storage.StorageResolver;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport org.apache.xml.security.signature.XMLSignature;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport org.apache.xml.security.utils.Constants;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.shared.debug.Debug;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.shared.locale.Locale;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.shared.configuration.SystemPropertiesManager;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.shared.encode.Base64;
8126906ab783494204dc853c814b0882d2a76523Stephen Gallagherimport com.sun.identity.shared.xml.XPathAPI;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.saml.xmlsig.KeyProvider;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.saml2.common.SAML2Constants;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.entityconfig.AttributeType;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.entityconfig.FederationConfigElement;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.entityconfig.IDPSSOConfigElement;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.entityconfig.ObjectFactory;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.wsfederation.FederationElement;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.wsfederation.TokenSigningKeyInfoElement;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherimport com.sun.identity.wsfederation.jaxb.entityconfig.BaseConfigType;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * The <code>WSFederationMetaUtils</code> provides metadata security related
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * utility methods.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagherpublic final class WSFederationMetaSecurityUtils {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher private static Debug debug = WSFederationMetaUtils.debug;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher private static KeyProvider keyProvider = null;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher private static boolean checkCert = true;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher private static boolean keyProviderInitialized = false;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String NS_META = "http://schemas.xmlsoap.org/ws/2006/12/federation";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String NS_XMLSIG = "http://www.w3.org/2000/09/xmldsig#";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String NS_XMLENC = "http://www.w3.org/2001/04/xmlenc#";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String PREFIX_XMLSIG = "ds";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String PREFIX_XMLENC = "xenc";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String TAG_KEY_INFO = "KeyInfo";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String TAG_KEY_DESCRIPTOR = "KeyDescriptor";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String TAG_SP_SSO_DESCRIPTOR = "SPSSODescriptor";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String TAG_IDP_SSO_DESCRIPTOR = "IDPSSODescriptor";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String ATTR_USE = "use";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static final String ATTR_ID = "ID";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * Private constructor ensures that no instance is ever created.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher private static void initializeKeyStore() {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher keyProvider = KeyUtil.getKeyProviderInstance();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher SystemPropertiesManager.get("com.sun.identity.saml.checkcert",
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher checkCert = valCert.trim().equalsIgnoreCase("on");
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * Signs the service provider descriptor under the entity descriptor if a cert
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * alias is found in service provider config and identity provider
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * descriptor under the entity descriptor if a cert alias is found in the
8bf65dbab8703697c85b033beb5c189fce17b036Michal Zidek * identity provider config.
8bf65dbab8703697c85b033beb5c189fce17b036Michal Zidek * @param descriptor The entity descriptor.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @param spconfig The service provider config.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @param idpconfig The identity provider config.
684405758a96bd9fb47480d44f2e1a2f038f8defMichal Zidek * @return Signed <code>Document</code> for the entity descriptor or null
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * if neither cert alias is found.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @throws WSFederationMetaException if unable to sign the entity
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @throws JAXBException if the entity descriptor is invalid.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher ) throws JAXBException, WSFederationMetaException
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher/* JUST GET IT TO COMPILE!!!
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String spId = null;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String idpId = null;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String spCertAlias = null;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String idpCertAlias = null;
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (spconfig != null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher Map map = WSFederationMetaUtils.getAttributes(spconfig);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher List list = (List)map.get(SAML2Constants.SIGNING_CERT_ALIAS);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (list != null && !list.isEmpty()) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher spCertAlias = ((String)list.get(0)).trim();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (spCertAlias.length() > 0) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher SPSSODescriptorElement spDesc =
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher WSFederationMetaUtils.getSPSSODescriptor(descriptor);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (spDesc != null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher spId = SAMLUtils.generateID();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher spDesc.setID(spId);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (idpconfig != null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher Map map = WSFederationMetaUtils.getAttributes(idpconfig);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher List list = (List)map.get(SAML2Constants.SIGNING_CERT_ALIAS);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (list != null && !list.isEmpty()) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher idpCertAlias = ((String)list.get(0)).trim();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (idpCertAlias.length() > 0) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher IDPSSODescriptorElement idpDesc =
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek WSFederationMetaUtils.getIDPSSODescriptor(descriptor);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (idpDesc != null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher idpId = SAMLUtils.generateID();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher idpDesc.setID(idpId);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (spId == null && idpId == null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher initializeKeyStore();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String xmlstr = WSFederationMetaUtils.convertJAXBToString(descriptor);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher xmlstr = formatBase64BinaryElement(xmlstr);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher Document doc = XMLUtils.toDOMDocument(xmlstr, debug);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher XMLSignatureManager sigManager = XMLSignatureManager.getInstance();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (spId != null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String xpath = "//*[local-name()=\"" + TAG_SP_SSO_DESCRIPTOR +
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher "\" and namespace-uri()=\"" + NS_META +
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher sigManager.signXML(doc, spCertAlias, null, "ID", spId, true,
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher } catch (XMLSignatureException xmlse) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (debug.messageEnabled()) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher debug.message("WSFederationMetaSecurityUtils.sign:", xmlse);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher throw new WSFederationMetaException(xmlse.getMessage());
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (idpId != null) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String xpath = "//*[local-name()=\"" + TAG_IDP_SSO_DESCRIPTOR +
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher "\" and namespace-uri()=\"" + NS_META +
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher sigManager.signXML(doc, idpCertAlias, null, "ID", idpId, true,
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher } catch (XMLSignatureException xmlse) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (debug.messageEnabled()) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher debug.message("WSFederationMetaSecurityUtils.sign:", xmlse);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher throw new WSFederationMetaException(xmlse.getMessage());
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * Verifies signatures in entity descriptor represented by the
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * <code>Document</code>.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @param doc The document.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @throws WSFederationMetaException if unable to verify the entity
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher public static void verifySignature(Document doc)
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String classMethod = "WSFederationMetaSecurityUtils.verifySignature: ";
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher .createDSctx (doc,"ds", Constants.SignatureSpecNS);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher debug.message(classMethod + "# of signatures = " + numSigs);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher Element sigElement = (Element)sigElements.item(i);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String sigParentName = sigElement.getParentNode().getLocalName();
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher debug.message(classMethod + "verifying signature under " +
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher XMLSignature signature = new XMLSignature(sigElement, "");
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher new com.sun.identity.saml.xmlsig.OfflineResolver());
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher new StorageResolver(new KeyStoreResolver(keyStore));
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher "try to find cert in KeyDescriptor");
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String xpath = "following-sibling::*[local-name()=\"" +
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher Node node = XPathAPI.selectSingleNode(sigElement, xpath);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher String use = kd.getAttributeNS(null, ATTR_USE);
188f9e1e646b0bed530913ca76bbcdf0f342cc66Jakub Hrozek if (child.getNodeType() == Node.ELEMENT_NODE) {
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek throw new WSFederationMetaException("verify_no_cert", objs);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher if (checkCert && ((keyProvider == null) ||
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher (keyProvider.getCertificateAlias(x509cert) == null))) {
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher throw new WSFederationMetaException("verify_fail", objs);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher Locale.getString(WSFederationMetaUtils.bundle,
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher "verify_fail", objs) + "\n" + ex.getMessage());
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * Restores Base64 encoded format.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * JAXB will change
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * <ds:X509Data>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * <ds:X509Certificate>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * </ds:X509Certificate>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * </ds:X509Data>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * <ds:X509Data>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * <ds:X509Certificate>..................</ds:X509Certificate>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * </ds:X509Data>
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * This method restores the original line-wrapped format.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * @param xmlstr The XML string containing the element 'X509Certificate'.
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher * @return the restored XML string.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher public static String formatBase64BinaryElement(String xmlstr) {
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher int index = xmlstr.indexOf("<ds:X509Certificate>");
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher StringBuffer sb = new StringBuffer(xmlLength + 100);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher int indexEnd = xmlstr.indexOf("</ds:X509Certificate>", index);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher String encoded = xmlstr.substring(index + 20, indexEnd);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher sb.append(encoded.substring(i, i + 76)).append("\n");
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher int nlIndex = xmlstr.lastIndexOf('\n', index);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher String indention = xmlstr.substring(nlIndex + 1, index);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher sb.append(encoded.substring(i, encodedLength))
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher .append("\n").append(indention).append("</ds:X509Certificate>");
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek index = xmlstr.indexOf("<ds:X509Certificate>", from);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher sb.append(xmlstr.substring(from, xmlLength));
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * Base64 encodes a certificate from the key store.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * @param certAlias alias of the certificate to be encoded.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * @return the Base64-encoded certificate.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher public static String buildX509Certificate(String certAlias)
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher String classMethod = "WSFederationMetaSecurityUtils." +
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher "buildX509Certificate: ";
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher if ((certAlias == null) || (certAlias.trim().length() == 0)) {
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher KeyUtil.getKeyProviderInstance().getX509Certificate(certAlias);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher return Base64.encode(cert.getEncoded(), true);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher throw new WSFederationMetaException("invalid_cert_alias", objs);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * Updates signing or encryption key info for SP or IDP.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * This updates both the signing/encryption alias in the extended metadata and
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * the certificates in the standard metadata.
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek * @param realm Realm the entity resides.
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek * @param entityID ID of the entity to be updated.
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek * @param certAlias Alias of the certificate to be set on the entity. If
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * null, existing key information is removed from the SP or IDP.
a171d77f40aa92e240e91aa4bafe5a392a98b5a2Michal Zidek * @param isIDP true if this is for the IDP signing/encryption alias, false
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * if this is for the SP signing/encryption alias.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * @throws WSFederationMetaException if the certificate alias could not be
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher * updated for the entity.
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher public static void updateProviderKeyInfo(String realm,
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher String entityID, String certAlias, boolean isIDP)
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher WSFederationMetaManager metaManager = new WSFederationMetaManager();
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher metaManager.getEntityConfig(realm, entityID);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher throw new WSFederationMetaException("entityNotHosted", args);
cc7ee57f3adada83ac657e69636ca995d5b6948eStephen Gallagher metaManager.getEntityDescriptor(realm, entityID);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher metaManager.getIDPSSOConfig(realm, entityID);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher if ((idpConfig == null) || (desp == null)) {
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher throw new WSFederationMetaException("entityNotIDP", args);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher // update standard metadata
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher if ((certAlias == null) || (certAlias.length() == 0)) {
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher // remove key info
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher TokenSigningKeyInfoElement kde = getKeyDescriptor(certAlias);
cff6bb5f8ee424b0e3aff74247e103e44075b16aStephen Gallagher // update extended metadata
if (o instanceof TokenSigningKeyInfoElement) {
if (o instanceof TokenSigningKeyInfoElement) {
} catch (JAXBException e) {
throw new WSFederationMetaException(e);
throws WSFederationMetaException {
return (TokenSigningKeyInfoElement)
} catch (JAXBException e) {
throw new WSFederationMetaException(e);