Commit 6a4ac6e3 authored by michael.simon's avatar michael.simon
Browse files

Refactor Decrypter in own method an add standby private key

parent 1f0ef7b7
...@@ -12,6 +12,7 @@ package edu.kit.scc.webreg.service.saml; ...@@ -12,6 +12,7 @@ package edu.kit.scc.webreg.service.saml;
import java.io.IOException; import java.io.IOException;
import java.security.PrivateKey; import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
...@@ -31,6 +32,7 @@ import org.opensaml.saml2.encryption.Decrypter; ...@@ -31,6 +32,7 @@ import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.encryption.DecryptionException; import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xml.security.x509.BasicX509Credential;
...@@ -96,7 +98,7 @@ public class Saml2AssertionService { ...@@ -96,7 +98,7 @@ public class Saml2AssertionService {
*/ */
if (encryptedAssertionList.size() > 0) { if (encryptedAssertionList.size() > 0) {
assertion = decryptAssertion( assertion = decryptAssertion(
encryptedAssertionList.get(0), spEntity.getPrivateKey()); encryptedAssertionList.get(0), spEntity.getPrivateKey(), spEntity.getStandbyPrivateKey());
} }
else if (assertionList.size() > 0) { else if (assertionList.size() > 0) {
assertion = assertionList.get(0); assertion = assertionList.get(0);
...@@ -143,7 +145,7 @@ public class Saml2AssertionService { ...@@ -143,7 +145,7 @@ public class Saml2AssertionService {
NameID nid; NameID nid;
if (assertion.getSubject().getEncryptedID() != null) { if (assertion.getSubject().getEncryptedID() != null) {
EncryptedID eid = assertion.getSubject().getEncryptedID(); EncryptedID eid = assertion.getSubject().getEncryptedID();
SAMLObject samlObject = decryptNameID(eid, spEntity.getPrivateKey()); SAMLObject samlObject = decryptNameID(eid, spEntity.getPrivateKey(), spEntity.getStandbyPrivateKey());
if (samlObject instanceof NameID) if (samlObject instanceof NameID)
nid = (NameID) samlObject; nid = (NameID) samlObject;
...@@ -167,51 +169,19 @@ public class Saml2AssertionService { ...@@ -167,51 +169,19 @@ public class Saml2AssertionService {
} }
public Assertion decryptAssertion(EncryptedAssertion encryptedAssertion, public Assertion decryptAssertion(EncryptedAssertion encryptedAssertion,
String privateKey) throws IOException, DecryptionException, SamlAuthenticationException { String privateKey, String standbyPrivateKey) throws IOException, DecryptionException, SamlAuthenticationException {
logger.debug("Decrypting assertion..."); logger.debug("Decrypting assertion...");
PrivateKey pk; Decrypter decrypter = buildDecrypter(privateKey, standbyPrivateKey);
try {
pk = cryptoHelper.getPrivateKey(privateKey);
} catch (IOException e) {
throw new SamlAuthenticationException("Private key is not set up properly", e);
}
if (pk == null) {
throw new SamlAuthenticationException("Private key is not set up properly (is null)");
}
BasicX509Credential decryptCredential = new BasicX509Credential();
decryptCredential.setPrivateKey(pk);
KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(decryptCredential);
InlineEncryptedKeyResolver encryptionKeyResolver = new InlineEncryptedKeyResolver();
Decrypter decrypter = new Decrypter(null, keyResolver, encryptionKeyResolver);
decrypter.setRootInNewDocument(true);
Assertion assertion = decrypter.decrypt(encryptedAssertion); Assertion assertion = decrypter.decrypt(encryptedAssertion);
return assertion; return assertion;
} }
public SAMLObject decryptNameID(EncryptedID encryptedID, public SAMLObject decryptNameID(EncryptedID encryptedID,
String privateKey) throws IOException, DecryptionException, SamlAuthenticationException { String privateKey, String standbyPrivateKey) throws IOException, DecryptionException, SamlAuthenticationException {
logger.debug("Decrypting nameID..."); logger.debug("Decrypting nameID...");
PrivateKey pk; Decrypter decrypter = buildDecrypter(privateKey, standbyPrivateKey);
try {
pk = cryptoHelper.getPrivateKey(privateKey);
} catch (IOException e) {
throw new SamlAuthenticationException("Private key is not set up properly", e);
}
if (pk == null) {
throw new SamlAuthenticationException("Private key is not set up properly");
}
BasicX509Credential decryptCredential = new BasicX509Credential();
decryptCredential.setPrivateKey(pk);
KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(decryptCredential);
InlineEncryptedKeyResolver encryptionKeyResolver = new InlineEncryptedKeyResolver();
Decrypter decrypter = new Decrypter(null, keyResolver, encryptionKeyResolver);
decrypter.setRootInNewDocument(true);
SAMLObject samlObject = decrypter.decrypt(encryptedID); SAMLObject samlObject = decrypter.decrypt(encryptedID);
return samlObject; return samlObject;
} }
...@@ -229,4 +199,40 @@ public class Saml2AssertionService { ...@@ -229,4 +199,40 @@ public class Saml2AssertionService {
return attributeMap; return attributeMap;
} }
private Decrypter buildDecrypter(String privateKey, String standbyPrivateKey)
throws SamlAuthenticationException {
PrivateKey pk;
try {
pk = cryptoHelper.getPrivateKey(privateKey);
} catch (IOException e) {
throw new SamlAuthenticationException("Private key is not set up properly", e);
}
if (pk == null) {
throw new SamlAuthenticationException("Private key is not set up properly (is null)");
}
List<Credential> decryptCredentialList = new ArrayList<Credential>();
BasicX509Credential decryptCredential = new BasicX509Credential();
decryptCredential.setPrivateKey(pk);
decryptCredentialList.add(decryptCredential);
if (standbyPrivateKey != null && (! standbyPrivateKey.equals(""))) {
try {
PrivateKey spk = cryptoHelper.getPrivateKey(standbyPrivateKey);
BasicX509Credential standbyDecryptCredential = new BasicX509Credential();
standbyDecryptCredential.setPrivateKey(spk);
decryptCredentialList.add(standbyDecryptCredential);
} catch (IOException e) {
logger.warn("Standby private Key is not set up properly: {}. I won't use it", e.getMessage());
}
}
KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(decryptCredentialList);
InlineEncryptedKeyResolver encryptionKeyResolver = new InlineEncryptedKeyResolver();
Decrypter decrypter = new Decrypter(null, keyResolver, encryptionKeyResolver);
decrypter.setRootInNewDocument(true);
return decrypter;
}
} }
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment