Commit a08b1ddf authored by michael.simon's avatar michael.simon

much to change

parent 8d3d3704
......@@ -12,6 +12,7 @@ package edu.kit.scc.webreg.service.saml;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
......@@ -21,21 +22,21 @@ import java.util.Map.Entry;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.EncryptedID;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity;
......@@ -98,7 +99,8 @@ public class Saml2AssertionService {
*/
if (encryptedAssertionList.size() > 0) {
assertion = decryptAssertion(
encryptedAssertionList.get(0), spEntity.getPrivateKey(), spEntity.getStandbyPrivateKey());
encryptedAssertionList.get(0), spEntity.getCertificate(), spEntity.getPrivateKey(),
spEntity.getStandbyCertificate(), spEntity.getStandbyPrivateKey());
}
else if (assertionList.size() > 0) {
assertion = assertionList.get(0);
......@@ -145,7 +147,8 @@ public class Saml2AssertionService {
NameID nid;
if (assertion.getSubject().getEncryptedID() != null) {
EncryptedID eid = assertion.getSubject().getEncryptedID();
SAMLObject samlObject = decryptNameID(eid, spEntity.getPrivateKey(), spEntity.getStandbyPrivateKey());
SAMLObject samlObject = decryptNameID(eid, spEntity.getCertificate(), spEntity.getPrivateKey(),
spEntity.getStandbyCertificate(), spEntity.getStandbyPrivateKey());
if (samlObject instanceof NameID)
nid = (NameID) samlObject;
......@@ -169,19 +172,19 @@ public class Saml2AssertionService {
}
public Assertion decryptAssertion(EncryptedAssertion encryptedAssertion,
String privateKey, String standbyPrivateKey) throws IOException, DecryptionException, SamlAuthenticationException {
String cert, String privateKey, String standbyCert, String standbyPrivateKey) throws IOException, DecryptionException, SamlAuthenticationException {
logger.debug("Decrypting assertion...");
Decrypter decrypter = buildDecrypter(privateKey, standbyPrivateKey);
Decrypter decrypter = buildDecrypter(cert, privateKey, standbyCert, standbyPrivateKey);
Assertion assertion = decrypter.decrypt(encryptedAssertion);
return assertion;
}
public SAMLObject decryptNameID(EncryptedID encryptedID,
String privateKey, String standbyPrivateKey) throws IOException, DecryptionException, SamlAuthenticationException {
String cert, String privateKey, String standbyCert, String standbyPrivateKey) throws IOException, DecryptionException, SamlAuthenticationException {
logger.debug("Decrypting nameID...");
Decrypter decrypter = buildDecrypter(privateKey, standbyPrivateKey);
Decrypter decrypter = buildDecrypter(cert, privateKey, standbyCert, standbyPrivateKey);
SAMLObject samlObject = decrypter.decrypt(encryptedID);
return samlObject;
}
......@@ -200,11 +203,13 @@ public class Saml2AssertionService {
return attributeMap;
}
private Decrypter buildDecrypter(String privateKey, String standbyPrivateKey)
private Decrypter buildDecrypter(String cert, String privateKey, String standbyCert, String standbyPrivateKey)
throws SamlAuthenticationException {
PrivateKey pk;
X509Certificate c;
try {
pk = cryptoHelper.getPrivateKey(privateKey);
c = cryptoHelper.getCertificate(cert);
} catch (IOException e) {
throw new SamlAuthenticationException("Private key is not set up properly", e);
}
......@@ -214,15 +219,14 @@ public class Saml2AssertionService {
}
List<Credential> decryptCredentialList = new ArrayList<Credential>();
BasicX509Credential decryptCredential = new BasicX509Credential();
decryptCredential.setPrivateKey(pk);
BasicX509Credential decryptCredential = new BasicX509Credential(c, pk);
decryptCredentialList.add(decryptCredential);
if (standbyPrivateKey != null && (! standbyPrivateKey.equals(""))) {
try {
PrivateKey spk = cryptoHelper.getPrivateKey(standbyPrivateKey);
BasicX509Credential standbyDecryptCredential = new BasicX509Credential();
standbyDecryptCredential.setPrivateKey(spk);
X509Certificate sc = cryptoHelper.getCertificate(standbyCert);
BasicX509Credential standbyDecryptCredential = new BasicX509Credential(sc, spk);
decryptCredentialList.add(standbyDecryptCredential);
} catch (IOException e) {
logger.warn("Standby private Key is not set up properly: {}. I won't use it", e.getMessage());
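Review bot: The standby branch now calls `cryptoHelper.getCertificate(standbyCert)` but the guard above it still checks only `standbyPrivateKey`, so a configuration with a standby key and no standby certificate reaches getCertificate with null or an empty string; only an IOException is caught there, so anything else (a NullPointerException, say — what getCertificate does with null is not visible here) would abort decryption instead of falling back to the primary credential. Extend the guard to `if (standbyPrivateKey != null && !standbyPrivateKey.isEmpty() && standbyCert != null && !standbyCert.isEmpty()) {` and widen the warn message to name the certificate as well. The primary path in the preceding hunk has the same shape: a failing `getCertificate(cert)` is reported as `"Private key is not set up properly"`, which should read `"Private key or certificate is not set up properly"`. buildDecrypter begins in the preceding hunk and ends after this one.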
......@@ -13,6 +13,8 @@ package edu.kit.scc.webreg.service.saml;
import javax.enterprise.context.ApplicationScoped;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder;
......@@ -26,15 +28,15 @@ import edu.kit.scc.webreg.exc.SamlAuthenticationException;
public class Saml2DecoderService {
public Response decodePostMessage(HttpServletRequest request)
throws MessageDecodingException, SecurityException, SamlAuthenticationException {
throws MessageDecodingException, SecurityException, SamlAuthenticationException, ComponentInitializationException {
HTTPPostDecoder decoder = new HTTPPostDecoder();
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> messageContext =
new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
HttpServletRequestAdapter adapter = new HttpServletRequestAdapter(request);
messageContext.setInboundMessageTransport(adapter);
decoder.decode(messageContext);
SAMLObject obj = messageContext.getInboundSAMLMessage();
decoder.setHttpServletRequest(request);
decoder.initialize();
decoder.decode();
SAMLObject obj = decoder.getMessageContext().getMessage();
if (obj instanceof Response)
return (Response) obj;
else
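Review bot: The decoder is initialized on the new `decoder.initialize()` line but never destroyed; OpenSAML 3 decoders are initializable/destructable components, and a per-request instance that is never `destroy()`ed is simply abandoned, and if `decode()` throws nothing releases it at all. Wrap initialize/decode/getMessage in try/finally with `decoder.destroy()`; the decodeAttributeQuery hunk below repeats the same four lines and should get the same treatment, ideally through one private helper that takes the decoder. The hunk does not show whether the `SecurityException` still in the throws clause now resolves to the OpenSAML 3 type or to java.lang.SecurityException — confirm the import was moved. decodePostMessage's else branch continues outside the hunk.
```java
HTTPPostDecoder decoder = new HTTPPostDecoder();
decoder.setHttpServletRequest(request);
SAMLObject obj;
try {
    decoder.initialize();
    decoder.decode();
    obj = decoder.getMessageContext().getMessage();
} finally {
    // per-request component: release it whether or not decode() succeeded
    decoder.destroy();
}
// … unchanged: instanceof Response check …
```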
......@@ -42,15 +44,15 @@ public class Saml2DecoderService {
}
public AttributeQuery decodeAttributeQuery(HttpServletRequest request)
throws MessageDecodingException, SecurityException, SamlAuthenticationException {
throws MessageDecodingException, SecurityException, SamlAuthenticationException, ComponentInitializationException {
HTTPSOAP11Decoder decoder = new HTTPSOAP11Decoder();
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> messageContext =
new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
HttpServletRequestAdapter adapter = new HttpServletRequestAdapter(request);
messageContext.setInboundMessageTransport(adapter);
decoder.decode(messageContext);
SAMLObject obj = messageContext.getInboundSAMLMessage();
decoder.setHttpServletRequest(request);
decoder.initialize();
decoder.decode();
SAMLObject obj = decoder.getMessageContext().getMessage();
if (obj instanceof AttributeQuery)
return (AttributeQuery) obj;
else
......@@ -14,32 +14,27 @@ import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.joda.time.Duration;
import org.joda.time.Instant;
import org.opensaml.Configuration;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity;
......@@ -94,12 +89,12 @@ public class Saml2ResponseValidationService {
Status status = samlResponse.getStatus();
if (status.getStatusCode().getStatusCode() != null &&
StatusCode.UNKNOWN_PRINCIPAL_URI.equals(status.getStatusCode().getStatusCode().getValue())) {
StatusCode.UNKNOWN_PRINCIPAL.equals(status.getStatusCode().getStatusCode().getValue())) {
String s = samlHelper.prettyPrint(status);
logger.info("SAML Response Status: {}", s);
throw new SamlUnknownPrincipalException("SAML Response: Unknown Principal " + status.getStatusCode().getValue());
}
else if (! status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
else if (! status.getStatusCode().getValue().equals(StatusCode.SUCCESS)) {
String s = samlHelper.prettyPrint(status);
logger.info("SAML Response Status: {}", s);
throw new SamlAuthenticationException("SAML Response: Login was not successful " + status.getStatusCode().getValue());
......@@ -127,16 +122,13 @@ public class Saml2ResponseValidationService {
if (signableSamlObject.getSignature() == null)
throw new SamlAuthenticationException("No Signature on SignableSamlObject");
DOMMetadataProvider mp = new DOMMetadataProvider(entityDescriptor.getDOM());
try {
mp.initialize();
} catch (MetadataProviderException e) {
throw new SamlAuthenticationException("Metadata for IDP " + entityDescriptor.getEntityID() + " could not be established");
}
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.initialize();
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver(mp);
MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
KeyInfoCredentialResolver keyInfoCredResolver =
Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
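Review bot: `mp` is initialized on the new `mp.initialize()` line but never handed to the credential resolver: `new MetadataCredentialResolver()` replaces the old constructor that took the provider, and the resolver is given neither a RoleDescriptorResolver nor a KeyInfoCredentialResolver and is never initialized, so the trust engine has no metadata to resolve signing keys from and every signature check will fail (an uninitialized-component error or an empty resolution, depending on where it trips). DOMMetadataResolver also needs an id before `initialize()` (its base class rejects a null id), and `initialize()` throws the checked ComponentInitializationException where the removed MetadataProviderException catch used to be; the method's throws clause is outside the hunk, so confirm it was extended. The wiring below follows the OpenSAML 3 pattern of a PredicateRoleDescriptorResolver over the metadata resolver; confirm whether that class needs an id as well, and whether `ConfigurationService.getGlobalSecurityConfiguration()` exists in the API the file now imports, as I do not recall it there. The enclosing method starts before and continues past this hunk.
```java
DOMMetadataResolver mp = new DOMMetadataResolver(entityDescriptor.getDOM());
mp.setId(entityDescriptor.getEntityID());
mp.initialize();

PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(mp);
roleResolver.initialize();

KeyInfoCredentialResolver keyInfoCredResolver =
        ConfigurationService.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();

MetadataCredentialResolver mdCredResolver = new MetadataCredentialResolver();
mdCredResolver.setRoleDescriptorResolver(roleResolver);
mdCredResolver.setKeyInfoCredentialResolver(keyInfoCredResolver);
mdCredResolver.initialize();

ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(mdCredResolver, keyInfoCredResolver);
// … unchanged: SAMLSignatureProfileValidator and the rest of the method …
```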
......@@ -147,9 +139,9 @@ public class Saml2ResponseValidationService {
}
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIDCriteria(issuer.getValue()));
criteriaSet.add(new MetadataCriteria(role, protocol));
criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
criteriaSet.add(new EntityIdCriterion(issuer.getValue()));
criteriaSet.add(new EntityRoleCriterion(role));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
try {
if (trustEngine.validate(signableSamlObject.getSignature(), criteriaSet))
......@@ -22,12 +22,11 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.slf4j.Logger;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig;