Java Code Examples for org.opensaml.xml.Configuration#getGlobalSecurityConfiguration()

The following examples show how to use org.opensaml.xml.Configuration#getGlobalSecurityConfiguration() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: SecurityHelper.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Obtains a {@link KeyInfoGenerator} for the specified {@link Credential}.
 * 
 * <p>
 * The KeyInfoGenerator returned is based on the {@link NamedKeyInfoGeneratorManager} defined by the specified
 * security configuration via {@link SecurityConfiguration#getKeyInfoGeneratorManager()}, and is determined by the
 * type of the signing credential and an optional KeyInfo generator manager name. If the latter is ommited, the
 * default manager ({@link NamedKeyInfoGeneratorManager#getDefaultManager()}) of the security configuration's
 * named generator manager will be used.
 * </p>
 * 
 * <p>
 * The generator is determined by the specified {@link SecurityConfiguration}. If a security configuration is not
 * supplied, the global security configuration ({@link Configuration#getGlobalSecurityConfiguration()}) will be
 * used.
 * </p>
 * 
 * @param credential the credential for which a generator is desired
 * @param config the SecurityConfiguration to use (may be null)
 * @param keyInfoGenName the named KeyInfoGeneratorManager configuration to use (may be null)
 * @return a KeyInfoGenerator appropriate for the specified credential
 */
public static KeyInfoGenerator getKeyInfoGenerator(Credential credential, SecurityConfiguration config,
        String keyInfoGenName) {

    SecurityConfiguration secConfig;
    if (config != null) {
        secConfig = config;
    } else {
        secConfig = Configuration.getGlobalSecurityConfiguration();
    }

    NamedKeyInfoGeneratorManager kiMgr = secConfig.getKeyInfoGeneratorManager();
    if (kiMgr != null) {
        KeyInfoGeneratorFactory kiFactory = null;
        if (DatatypeHelper.isEmpty(keyInfoGenName)) {
            kiFactory = kiMgr.getDefaultManager().getFactory(credential);
        } else {
            kiFactory = kiMgr.getFactory(keyInfoGenName, credential);
        }
        if (kiFactory != null) {
            return kiFactory.newInstance();
        }
    }
    return null;
}
 
Example 2
Source File: SAMLObjectContentReference.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Constructor.
 * 
 * @param newSignableObject the SAMLObject this reference refers to
 */
public SAMLObjectContentReference(SignableSAMLObject newSignableObject) {
    signableObject = newSignableObject;
    transforms = new LazyList<String>();
    
    // Set defaults
    if (Configuration.getGlobalSecurityConfiguration() != null ) {
        digestAlgorithm = Configuration.getGlobalSecurityConfiguration().getSignatureReferenceDigestMethod();
    }
    if (digestAlgorithm == null) {
        digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
    }
    
    transforms.add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
    transforms.add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
}
 
Example 3
Source File: HTTPPostSimpleSignEncoder.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Gets the signature algorithm URI to use with the given signing credential.
 * 
 * @param credential the credential that will be used to sign the message
 * @param config the SecurityConfiguration to use (may be null)
 * 
 * @return signature algorithm to use with the given signing credential
 * 
 * @throws MessageEncodingException thrown if the algorithm URI could not be derived from the supplied credential
 */
protected String getSignatureAlgorithmURI(Credential credential, SecurityConfiguration config)
        throws MessageEncodingException {

    SecurityConfiguration secConfig;
    if (config != null) {
        secConfig = config;
    } else {
        secConfig = Configuration.getGlobalSecurityConfiguration();
    }

    String signAlgo = secConfig.getSignatureAlgorithmURI(credential);

    if (signAlgo == null) {
        throw new MessageEncodingException("The signing credential's algorithm URI could not be derived");
    }

    return signAlgo;
}
 
Example 4
Source File: HTTPRedirectDeflateEncoder.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Gets the signature algorithm URI to use with the given signing credential.
 * 
 * @param credential the credential that will be used to sign the message
 * @param config the SecurityConfiguration to use (may be null)
 * 
 * @return signature algorithm to use with the given signing credential
 * 
 * @throws MessageEncodingException thrown if the algorithm URI could not be derived from the supplied credential
 */
protected String getSignatureAlgorithmURI(Credential credential, SecurityConfiguration config)
        throws MessageEncodingException {

    SecurityConfiguration secConfig;
    if (config != null) {
        secConfig = config;
    } else {
        secConfig = Configuration.getGlobalSecurityConfiguration();
    }

    String signAlgo = secConfig.getSignatureAlgorithmURI(credential);

    if (signAlgo == null) {
        throw new MessageEncodingException("The signing credential's algorithm URI could not be derived");
    }

    return signAlgo;
}
 
Example 5
Source File: SamlHelper.java    From secure-data-service with Apache License 2.0 6 votes vote down vote up
public Signature getDigitalSignature(KeyStore.PrivateKeyEntry keystoreEntry) {
    Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME)
            .buildObject(Signature.DEFAULT_ELEMENT_NAME);

    Credential signingCredential = initializeCredentialsFromKeystore(keystoreEntry);
    signature.setSigningCredential(signingCredential);

    signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

    SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
    try {
        SecurityHelper.prepareSignatureParams(signature, signingCredential, secConfig, null);
    } catch (org.opensaml.xml.security.SecurityException  ex) {
        LOG.error("Error composing artifact resolution request: Failed to generate digital signature");
        throw new IllegalArgumentException("Couldn't compose artifact resolution request", ex);
    }

    return signature;
}
 
Example 6
Source File: SecurityHelper.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Compare the supplied public and private keys, and determine if they correspond to the same key pair.
 * 
 * @param pubKey the public key
 * @param privKey the private key
 * @return true if the public and private are from the same key pair, false if not
 * @throws SecurityException if the keys can not be evaluated, or if the key algorithm is unsupported or unknown
 */
public static boolean matchKeyPair(PublicKey pubKey, PrivateKey privKey) throws SecurityException {
    Logger log = getLogger();
    // This approach attempts to match the keys by signing and then validating some known data.

    if (pubKey == null || privKey == null) {
        throw new SecurityException("Either public or private key was null");
    }

    // Need to dynamically determine the JCA signature algorithm ID to use from the key algorithm.
    // Don't currently have a direct mapping, so have to map to XML Signature algorithm URI first,
    // then map that to JCA algorithm ID.
    SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
    if (secConfig == null) {
        throw new SecurityException("Global security configuration was null, could not resolve signing algorithm");
    }
    String algoURI = secConfig.getSignatureAlgorithmURI(privKey.getAlgorithm());
    if (algoURI == null) {
        throw new SecurityException("Can't determine algorithm URI from key algorithm: " + privKey.getAlgorithm());
    }
    String jcaAlgoID = getAlgorithmIDFromURI(algoURI);
    if (jcaAlgoID == null) {
        throw new SecurityException("Can't determine JCA algorithm ID from algorithm URI: " + algoURI);
    }

    if (log.isDebugEnabled()) {
        log.debug("Attempting to match key pair containing key algorithms public '{}' private '{}', "
                + "using JCA signature algorithm '{}'", new Object[] { pubKey.getAlgorithm(),
                privKey.getAlgorithm(), jcaAlgoID, });
    }

    byte[] data = "This is the data to sign".getBytes();
    byte[] signature = SigningUtil.sign(privKey, jcaAlgoID, data);
    return SigningUtil.verify(pubKey, jcaAlgoID, signature, data);
}
 
Example 7
Source File: SecurityHelper.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Prepare a {@link Signature} with necessary additional information prior to signing.
 * 
 * <p>
 * <strong>NOTE:</strong>Since this operation modifies the specified Signature object, it should be called
 * <strong>prior</strong> to marshalling the Signature object.
 * </p>
 * 
 * <p>
 * The following Signature values will be added:
 * <ul>
 * <li>signature algorithm URI</li>
 * <li>canonicalization algorithm URI</li>
 * <li>HMAC output length (if applicable and a value is configured)</li>
 * <li>a {@link KeyInfo} element representing the signing credential</li>
 * </ul>
 * </p>
 * 
 * <p>
 * Existing (non-null) values of these parameters on the specified signature will <strong>NOT</strong> be
 * overwritten, however.
 * </p>
 * 
 * <p>
 * All values are determined by the specified {@link SecurityConfiguration}. If a security configuration is not
 * supplied, the global security configuration ({@link Configuration#getGlobalSecurityConfiguration()}) will be
 * used.
 * </p>
 * 
 * <p>
 * The signature algorithm URI and optional HMAC output length are derived from the signing credential.
 * </p>
 * 
 * <p>
 * The KeyInfo to be generated is based on the {@link NamedKeyInfoGeneratorManager} defined in the security
 * configuration, and is determined by the type of the signing credential and an optional KeyInfo generator manager
 * name. If the latter is ommited, the default manager ({@link NamedKeyInfoGeneratorManager#getDefaultManager()})
 * of the security configuration's named generator manager will be used.
 * </p>
 * 
 * @param signature the Signature to be updated
 * @param signingCredential the credential with which the Signature will be computed
 * @param config the SecurityConfiguration to use (may be null)
 * @param keyInfoGenName the named KeyInfoGeneratorManager configuration to use (may be null)
 * @throws SecurityException thrown if there is an error generating the KeyInfo from the signing credential
 */
public static void prepareSignatureParams(Signature signature, Credential signingCredential,
        SecurityConfiguration config, String keyInfoGenName) throws SecurityException {
    Logger log = getLogger();

    SecurityConfiguration secConfig;
    if (config != null) {
        secConfig = config;
    } else {
        secConfig = Configuration.getGlobalSecurityConfiguration();
    }

    // The algorithm URI is derived from the credential
    String signAlgo = signature.getSignatureAlgorithm();
    if (signAlgo == null) {
        signAlgo = secConfig.getSignatureAlgorithmURI(signingCredential);
        signature.setSignatureAlgorithm(signAlgo);
    }

    // If we're doing HMAC, set the output length
    if (SecurityHelper.isHMAC(signAlgo)) {
        if (signature.getHMACOutputLength() == null) {
            signature.setHMACOutputLength(secConfig.getSignatureHMACOutputLength());
        }
    }

    if (signature.getCanonicalizationAlgorithm() == null) {
        signature.setCanonicalizationAlgorithm(secConfig.getSignatureCanonicalizationAlgorithm());
    }

    if (signature.getKeyInfo() == null) {
        KeyInfoGenerator kiGenerator = getKeyInfoGenerator(signingCredential, secConfig, keyInfoGenName);
        if (kiGenerator != null) {
            try {
                KeyInfo keyInfo = kiGenerator.generate(signingCredential);
                signature.setKeyInfo(keyInfo);
            } catch (SecurityException e) {
                log.error("Error generating KeyInfo from credential", e);
                throw e;
            }
        } else {
            log.info("No factory for named KeyInfoGenerator {} was found for credential type {}", keyInfoGenName,
                    signingCredential.getCredentialType().getName());
            log.info("No KeyInfo will be generated for Signature");
        }
    }
}
 
Example 8
Source File: SecurityHelper.java    From lams with GNU General Public License v2.0 3 votes vote down vote up
/**
 * Build an instance of {@link EncryptionParameters} suitable for passing to an
 * {@link org.opensaml.xml.encryption.Encrypter}.
 * 
 * <p>
 * The following parameter values will be added:
 * <ul>
 * <li>the encryption credential (optional)</li>
 * <li>encryption algorithm URI</li>
 * <li>an appropriate {@link KeyInfoGenerator} instance which will be used to generate a {@link KeyInfo} element
 * from the encryption credential</li>
 * </ul>
 * </p>
 * 
 * <p>
 * All values are determined by the specified {@link SecurityConfiguration}. If a security configuration is not
 * supplied, the global security configuration ({@link Configuration#getGlobalSecurityConfiguration()}) will be
 * used.
 * </p>
 * 
 * <p>
 * The encryption algorithm URI is derived from the optional supplied encryption credential. If omitted, the value
 * of {@link SecurityConfiguration#getAutoGeneratedDataEncryptionKeyAlgorithmURI()} will be used.
 * </p>
 * 
 * <p>
 * The KeyInfoGenerator to be used is based on the {@link NamedKeyInfoGeneratorManager} defined in the security
 * configuration, and is determined by the type of the signing credential and an optional KeyInfo generator manager
 * name. If the latter is ommited, the default manager ({@link NamedKeyInfoGeneratorManager#getDefaultManager()})
 * of the security configuration's named generator manager will be used.
 * </p>
 * 
 * @param encryptionCredential the credential with which the data will be encrypted (may be null)
 * @param config the SecurityConfiguration to use (may be null)
 * @param keyInfoGenName the named KeyInfoGeneratorManager configuration to use (may be null)
 * @return a new instance of EncryptionParameters
 */
public static EncryptionParameters buildDataEncryptionParams(Credential encryptionCredential,
        SecurityConfiguration config, String keyInfoGenName) {
    Logger log = getLogger();

    SecurityConfiguration secConfig;
    if (config != null) {
        secConfig = config;
    } else {
        secConfig = Configuration.getGlobalSecurityConfiguration();
    }

    EncryptionParameters encParams = new EncryptionParameters();
    encParams.setEncryptionCredential(encryptionCredential);

    if (encryptionCredential == null) {
        encParams.setAlgorithm(secConfig.getAutoGeneratedDataEncryptionKeyAlgorithmURI());
    } else {
        encParams.setAlgorithm(secConfig.getDataEncryptionAlgorithmURI(encryptionCredential));

        KeyInfoGenerator kiGenerator = getKeyInfoGenerator(encryptionCredential, secConfig, keyInfoGenName);
        if (kiGenerator != null) {
            encParams.setKeyInfoGenerator(kiGenerator);
        } else {
            log.info("No factory for named KeyInfoGenerator {} was found for credential type{}", keyInfoGenName,
                    encryptionCredential.getCredentialType().getName());
            log.info("No KeyInfo will be generated for EncryptedData");
        }
    }

    return encParams;
}
 
Example 9
Source File: SecurityHelper.java    From lams with GNU General Public License v2.0 3 votes vote down vote up
/**
 * Build an instance of {@link KeyEncryptionParameters} suitable for passing to an
 * {@link org.opensaml.xml.encryption.Encrypter}.
 * 
 * <p>
 * The following parameter values will be added:
 * <ul>
 * <li>the key encryption credential</li>
 * <li>key transport encryption algorithm URI</li>
 * <li>an appropriate {@link KeyInfoGenerator} instance which will be used to generate a {@link KeyInfo} element
 * from the key encryption credential</li>
 * <li>intended recipient of the resultant encrypted key (optional)</li>
 * </ul>
 * </p>
 * 
 * <p>
 * All values are determined by the specified {@link SecurityConfiguration}. If a security configuration is not
 * supplied, the global security configuration ({@link Configuration#getGlobalSecurityConfiguration()}) will be
 * used.
 * </p>
 * 
 * <p>
 * The encryption algorithm URI is derived from the optional supplied encryption credential. If omitted, the value
 * of {@link SecurityConfiguration#getAutoGeneratedDataEncryptionKeyAlgorithmURI()} will be used.
 * </p>
 * 
 * <p>
 * The KeyInfoGenerator to be used is based on the {@link NamedKeyInfoGeneratorManager} defined in the security
 * configuration, and is determined by the type of the signing credential and an optional KeyInfo generator manager
 * name. If the latter is ommited, the default manager ({@link NamedKeyInfoGeneratorManager#getDefaultManager()})
 * of the security configuration's named generator manager will be used.
 * </p>
 * 
 * @param encryptionCredential the credential with which the key will be encrypted
 * @param wrappedKeyAlgorithm the JCA key algorithm name of the key to be encrypted (may be null)
 * @param config the SecurityConfiguration to use (may be null)
 * @param keyInfoGenName the named KeyInfoGeneratorManager configuration to use (may be null)
 * @param recipient the intended recipient of the resultant encrypted key, typically the owner of the key encryption
 *            key (may be null)
 * @return a new instance of KeyEncryptionParameters
 * @throws SecurityException if encryption credential is not supplied
 * 
 */
public static KeyEncryptionParameters buildKeyEncryptionParams(Credential encryptionCredential,
        String wrappedKeyAlgorithm, SecurityConfiguration config, String keyInfoGenName, String recipient)
        throws SecurityException {
    Logger log = getLogger();

    SecurityConfiguration secConfig;
    if (config != null) {
        secConfig = config;
    } else {
        secConfig = Configuration.getGlobalSecurityConfiguration();
    }

    KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
    kekParams.setEncryptionCredential(encryptionCredential);

    if (encryptionCredential == null) {
        throw new SecurityException("Key encryption credential may not be null");
    }

    kekParams.setAlgorithm(secConfig.getKeyTransportEncryptionAlgorithmURI(encryptionCredential,
            wrappedKeyAlgorithm));

    KeyInfoGenerator kiGenerator = getKeyInfoGenerator(encryptionCredential, secConfig, keyInfoGenName);
    if (kiGenerator != null) {
        kekParams.setKeyInfoGenerator(kiGenerator);
    } else {
        log.info("No factory for named KeyInfoGenerator {} was found for credential type {}", keyInfoGenName,
                encryptionCredential.getCredentialType().getName());
        log.info("No KeyInfo will be generated for EncryptedKey");
    }

    kekParams.setRecipient(recipient);

    return kekParams;
}