org.opensaml.xml.security.x509.X509Credential Java Examples

The following examples show how to use org.opensaml.xml.security.x509.X509Credential. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: SSOAgentUtils.java    From carbon-identity with Apache License 2.0 7 votes vote down vote up
/**
 * Sign the SAML AuthnRequest message
 *
 * @param logoutRequest
 * @param signatureAlgorithm
 * @param cred
 * @return
 * @throws SSOAgentException
 */
public static LogoutRequest setSignature(LogoutRequest logoutRequest, String signatureAlgorithm,
                                         X509Credential cred) throws SSOAgentException {
    try {
        Signature signature = setSignatureRaw(signatureAlgorithm,cred);

        logoutRequest.setSignature(signature);

        List<Signature> signatureList = new ArrayList<Signature>();
        signatureList.add(signature);

        // Marshall and Sign
        MarshallerFactory marshallerFactory =
                org.opensaml.xml.Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(logoutRequest);

        marshaller.marshall(logoutRequest);

        org.apache.xml.security.Init.init();
        Signer.signObjects(signatureList);
        return logoutRequest;

    } catch (Exception e) {
        throw new SSOAgentException("Error while signing the Logout Request message", e);
    }
}
 
Example #2
Source File: KeyStoreCredentialResolver.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Build an X509Credential from a keystore private key entry.
 * 
 * @param privateKeyEntry the entry being processed
 * @param entityID the entityID to set
 * @param usage the usage type to set
 * @return new X509Credential instance
 */
protected X509Credential processPrivateKeyEntry(KeyStore.PrivateKeyEntry privateKeyEntry, String entityID,
        UsageType usage) {

    log.debug("Processing PrivateKeyEntry from keystore");

    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityId(entityID);
    credential.setUsageType(usage);

    credential.setPrivateKey(privateKeyEntry.getPrivateKey());

    credential.setEntityCertificate((X509Certificate) privateKeyEntry.getCertificate());
    credential.setEntityCertificateChain(Arrays.asList((X509Certificate[]) privateKeyEntry.getCertificateChain()));

    return credential;
}
 
Example #3
Source File: SSOAgentUtils.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
public static void addDeflateSignatureToHTTPQueryString(StringBuilder httpQueryString,
                                                        X509Credential cred) throws SSOAgentException {
    doBootstrap();
    try {
        httpQueryString.append("&SigAlg="
                + URLEncoder.encode(XMLSignature.ALGO_ID_SIGNATURE_RSA, "UTF-8").trim());

        java.security.Signature signature = java.security.Signature.getInstance("SHA1withRSA");
        signature.initSign(cred.getPrivateKey());
        signature.update(httpQueryString.toString().getBytes(Charset.forName("UTF-8")));
        byte[] signatureByteArray = signature.sign();

        String signatureBase64encodedString = Base64.encodeBytes(signatureByteArray,
                Base64.DONT_BREAK_LINES);
        httpQueryString.append("&Signature="
                + URLEncoder.encode(signatureBase64encodedString, "UTF-8").trim());
    } catch (Exception e) {
        throw new SSOAgentException("Error applying SAML2 Redirect Binding signature", e);
    }
}
 
Example #4
Source File: SSOAgentUtils.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
private static Signature setSignatureRaw(String signatureAlgorithm, X509Credential cred) throws SSOAgentException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        org.opensaml.xml.signature.X509Certificate cert =
                (org.opensaml.xml.signature.X509Certificate) buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
        String value =
                org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
        return signature;

    } catch (CertificateEncodingException e) {
        throw new SSOAgentException("Error getting certificate", e);
    }
}
 
Example #5
Source File: DefaultSSOSigner.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
@Override
public boolean validateXMLSignature(RequestAbstractType request, X509Credential cred,
                                    String alias) throws IdentityException {

    boolean isSignatureValid = false;

    if (request.getSignature() != null) {
        try {
            SignatureValidator validator = new SignatureValidator(cred);
            validator.validate(request.getSignature());
            isSignatureValid = true;
        } catch (ValidationException e) {
            throw IdentityException.error("Signature Validation Failed for the SAML Assertion : Signature is " +
                                        "invalid.", e);
        }
    }
    return isSignatureValid;
}
 
Example #6
Source File: SAML1TokenBuilder.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Error while getting the encoded certificate", e);
        throw new IdentityProviderException("Error while getting the encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}
 
Example #7
Source File: SAML2TokenBuilder.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Failed to get encoded certificate", e);
        throw new IdentityProviderException("Error while getting encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}
 
Example #8
Source File: KeyStoreCredentialResolver.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Build an X509Credential from a keystore trusted certificate entry.
 * 
 * @param trustedCertEntry the entry being processed
 * @param entityID the entityID to set
 * @param usage the usage type to set
 * @return new X509Credential instance
 */
protected X509Credential processTrustedCertificateEntry(KeyStore.TrustedCertificateEntry trustedCertEntry,
        String entityID, UsageType usage) {

    log.debug("Processing TrustedCertificateEntry from keystore");

    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityId(entityID);
    credential.setUsageType(usage);

    X509Certificate cert = (X509Certificate) trustedCertEntry.getTrustedCertificate();

    credential.setEntityCertificate(cert);

    ArrayList<X509Certificate> certChain = new ArrayList<X509Certificate>();
    certChain.add(cert);
    credential.setEntityCertificateChain(certChain);

    return credential;
}
 
Example #9
Source File: EvaluableX509CertSelectorCredentialCriteria.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    Boolean result = certSelector.match(entityCert);
    return result;
}
 
Example #10
Source File: EvaluableX509IssuerSerialCredentialCriteria.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy issuer name and serial number criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    if (!entityCert.getIssuerX500Principal().equals(issuer)) {
        return false;
    }
    Boolean result = entityCert.getSerialNumber().equals(serialNumber);
    return result;
}
 
Example #11
Source File: EvaluableX509SubjectNameCredentialCriteria.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject name criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    Boolean result = entityCert.getSubjectX500Principal().equals(subjectName);
    return result;
}
 
Example #12
Source File: ExplicitX509CertificateTrustEvaluator.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Evaluate trust.
 * 
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredentials basis for trust
 * @return true if trust can be established, false otherwise
 */
public boolean validate(X509Credential untrustedCredential, Iterable<Credential> trustedCredentials) {

    for (Credential trustedCredential : trustedCredentials) {
        if (!(trustedCredential instanceof X509Credential)) {
            log.debug("Skipping evaluation against trusted, non-X509Credential");
            continue;
        }
        X509Credential trustedX509Credential = (X509Credential) trustedCredential;
        if (validate(untrustedCredential, trustedX509Credential)) {
            return true;
        }
    }

    return false;
}
 
Example #13
Source File: ExplicitX509CertificateTrustEvaluator.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Evaluate trust.
 * 
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredential basis for trust
 * @return true if trust can be established, false otherwise
 */
public boolean validate(X509Credential untrustedCredential, X509Credential trustedCredential) {

    X509Certificate untrustedCertificate = untrustedCredential.getEntityCertificate();
    X509Certificate trustedCertificate = trustedCredential.getEntityCertificate();
    if (untrustedCertificate == null) {
        log.debug("Untrusted credential contained no entity certificate, unable to evaluate");
        return false;
    } else if (trustedCertificate == null) {
        log.debug("Trusted credential contained no entity certificate, unable to evaluate");
        return false;
    }

    if (validate(untrustedCertificate, trustedCertificate)) {
        log.debug("Successfully validated untrusted credential against trusted certificate");
        return true;
    }
    
    log.debug("Failed to validate untrusted credential against trusted certificate");
    return false;
}
 
Example #14
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Evaluate the presenter entity ID as derived from the cert subject DN.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectDN(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter as cert subject DN");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    String candidatePresenter = getSubjectName(certificate);
    if (candidatePresenter != null) {
        if (evaluate(requestCredential, candidatePresenter, messageContext)) {
            log.info("Authentication succeeded for presenter entity ID derived from subject DN {}",
                    candidatePresenter);
            return candidatePresenter;
        }
    }
    return null;
}
 
Example #15
Source File: ExplicitX509CertificateTrustEngine.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Check the parameters for required values.
 * 
 * @param untrustedCredential the signature to be evaluated
 * @param trustBasisCriteria the set of trusted credential criteria
 * @throws SecurityException thrown if required values are absent or otherwise invalid
 */
protected void checkParams(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
        throws SecurityException {

    if (untrustedCredential == null) {
        throw new SecurityException("Untrusted credential was null");
    }
    if (trustBasisCriteria == null) {
        throw new SecurityException("Trust basis criteria set was null");
    }
    if (trustBasisCriteria.isEmpty()) {
        throw new SecurityException("Trust basis criteria set was empty");
    }
}
 
Example #16
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/** {@inheritDoc} */
public void evaluate(MessageContext messageContext) throws SecurityPolicyException {

    Credential peerCredential = messageContext.getInboundMessageTransport().getPeerCredential();

    if (peerCredential == null) {
        log.info("Inbound message transport did not contain a peer credential, "
                + "skipping client certificate authentication");
        return;
    }
    if (!(peerCredential instanceof X509Credential)) {
        log.info("Inbound message transport did not contain an X509Credential, "
                + "skipping client certificate authentication");
        return;
    }

    X509Credential requestCredential = (X509Credential) peerCredential;
    if (log.isDebugEnabled()) {
        try {
            log.debug("Attempting to authenticate inbound connection that presented the certificate:");
            log.debug(Base64.encodeBytes(requestCredential.getEntityCertificate().getEncoded()));
        } catch (CertificateEncodingException e) {
            // do nothing
        }
    }
    doEvaluate(requestCredential, messageContext);
}
 
Example #17
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Evaluate the request credential.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @throws SecurityPolicyException thrown if a certificate presenter entity ID available from the message context
 *             and the client certificate token can not be establishd as trusted on that basis, or if there is error
 *             during evaluation processing
 */
protected void doEvaluate(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    String presenterEntityID = getCertificatePresenterEntityID(messageContext);

    if (presenterEntityID != null) {
        log.debug("Attempting client certificate authentication using context presenter entity ID: {}",
                presenterEntityID);
        if (evaluate(requestCredential, presenterEntityID, messageContext)) {
            log.info("Authentication via client certificate succeeded for context presenter entity ID: {}",
                    presenterEntityID);
            messageContext.getInboundMessageTransport().setAuthenticated(true);
        } else {
            log.error("Authentication via client certificate failed for context presenter entity ID {}",
                    presenterEntityID);
            throw new SecurityPolicyException(
                    "Client certificate authentication failed for context presenter entity ID");
        }
        return;
    }

    String derivedPresenter = evaluateCertificateNameDerivedPresenters(requestCredential, messageContext);
    if (derivedPresenter != null) {
        log.info("Authentication via client certificate succeeded for certificate-derived presenter entity ID {}",
                derivedPresenter);
        setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
        messageContext.getInboundMessageTransport().setAuthenticated(true);
        return;
    }

    derivedPresenter = evaluateDerivedPresenters(requestCredential, messageContext);
    if (derivedPresenter != null) {
        log.info("Authentication via client certificate succeeded for derived presenter entity ID {}",
                derivedPresenter);
        setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
        messageContext.getInboundMessageTransport().setAuthenticated(true);
        return;
    }
}
 
Example #18
Source File: SSOAgentUtils.java    From carbon-identity with Apache License 2.0 5 votes vote down vote up
/**
 * Sign the SAML AuthnRequest message
 *
 * @param authnRequest
 * @param signatureAlgorithm
 * @param cred
 * @return
 * @throws org.wso2.carbon.identity.sso.agent.SSOAgentException
 */
public static AuthnRequest setSignature(AuthnRequest authnRequest, String signatureAlgorithm,
                                    X509Credential cred) throws SSOAgentException {
    doBootstrap();
    try {
        Signature signature = setSignatureRaw(signatureAlgorithm,cred);


        authnRequest.setSignature(signature);

        List<Signature> signatureList = new ArrayList<Signature>();
        signatureList.add(signature);

        // Marshall and Sign
        MarshallerFactory marshallerFactory =
                org.opensaml.xml.Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(authnRequest);

        marshaller.marshall(authnRequest);

        org.apache.xml.security.Init.init();
        Signer.signObjects(signatureList);
        return authnRequest;

    } catch (Exception e) {
        throw new SSOAgentException("Error while signing the SAML Request message", e);
    }
}
 
Example #19
Source File: DefaultSSOEncrypter.java    From carbon-identity with Apache License 2.0 5 votes vote down vote up
@Override
public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias, String encryptionAlgorithm) throws IdentityException {
    try {

        Credential symmetricCredential = SecurityHelper.getSimpleCredential(
                SecurityHelper.generateSymmetricKey(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));

        EncryptionParameters encParams = new EncryptionParameters();
        encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
        encParams.setEncryptionCredential(symmetricCredential);

        KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
        keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
        keyEncryptionParameters.setEncryptionCredential(cred);

        Encrypter encrypter = new Encrypter(encParams, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);

        EncryptedAssertion encrypted = encrypter.encrypt(assertion);
        return encrypted;
    } catch (Exception e) {
        throw IdentityException.error("Error while Encrypting Assertion", e);
    }
}
 
Example #20
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Evaluate candidate presenter entity ID's which may be derived from the request credential's entity certificate
 * according to the options supplied via {@link CertificateNameOptions}.
 * 
 * <p>
 * Configured certificate name types are derived as candidate presenter entity ID's and processed in the following
 * order:
 * <ol>
 * <li>The certificate subject DN string as serialized by the X500DNHandler obtained via
 * {@link CertificateNameOptions#getX500DNHandler()} and using the output format indicated by
 * {@link CertificateNameOptions#getX500SubjectDNFormat()}.</li>
 * <li>Subject alternative names of the types configured via {@link CertificateNameOptions#getSubjectAltNames()}.
 * Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.</li>
 * <li>The first common name (CN) value appearing in the certificate subject DN.</li>
 * </ol>
 * </p>
 * 
 * <p>
 * The first one of the above which is successfully evaluated by the trust engine using criteria built from
 * {@link BaseTrustEngineRule#buildCriteriaSet(String, MessageContext)} will be returned.
 * </p>
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a certificate presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateCertificateNameDerivedPresenters(X509Credential requestCredential,
        MessageContext messageContext) throws SecurityPolicyException {

    String candidatePresenter = null;

    if (certNameOptions.evaluateSubjectDN()) {
        candidatePresenter = evaluateSubjectDN(requestCredential, messageContext);
        if (candidatePresenter != null) {
            return candidatePresenter;
        }
    }

    if (!certNameOptions.getSubjectAltNames().isEmpty()) {
        candidatePresenter = evaluateSubjectAltNames(requestCredential, messageContext);
        if (candidatePresenter != null) {
            return candidatePresenter;
        }
    }

    if (certNameOptions.evaluateSubjectCommonName()) {
        candidatePresenter = evaluateSubjectCommonName(requestCredential, messageContext);
        if (candidatePresenter != null) {
            return candidatePresenter;
        }
    }

    return null;
}
 
Example #21
Source File: PKIXSignatureTrustEngine.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Evaluate the credential against the set of trusted names.
 * 
 * <p>Evaluates to true if no intsance of {@link X509CredentialNameEvaluator} is configured.</p>
 * 
 * @param trustedNames set of trusted names
 * @param untrustedCredential the credential being evaluated
 * @return true if evaluation is successful, false otherwise
 * @throws SecurityException thrown if there is an error evaluation the credential
 */
protected boolean checkNames(Set<String> trustedNames, X509Credential untrustedCredential) 
        throws SecurityException {
    
    if (credNameEvaluator == null) {
        log.debug("No credential name evaluator was available, skipping trusted name evaluation");
       return true; 
    } else {
        return credNameEvaluator.evaluate(untrustedCredential, trustedNames);
    }

}
 
Example #22
Source File: ExplicitX509CertificateTrustEngine.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/** {@inheritDoc} */
public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
        throws SecurityException {

    checkParams(untrustedCredential, trustBasisCriteria);

    log.debug("Attempting to validate untrusted credential");
    Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(trustBasisCriteria);

    return trustEvaluator.validate(untrustedCredential, trustedCredentials);
}
 
Example #23
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated
 * in {@link CertificateNameOptions#getSubjectAltNames()}.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectAltNames(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter from subject alt names");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    for (Integer altNameType : certNameOptions.getSubjectAltNames()) {
        log.debug("Evaluating alt names of type: {}", altNameType.toString());
        List<String> altNames = getAltNames(certificate, altNameType);
        for (String altName : altNames) {
            if (evaluate(requestCredential, altName, messageContext)) {
                log.info("Authentication succeeded for presenter entity ID derived from subject alt name {}",
                        altName);
                return altName;
            }
        }
    }
    return null;
}
 
Example #24
Source File: EvaluableX509SubjectKeyIdentifierCredentialCriteria.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (! (target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;
    
    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }
    
    byte[] credSKI = X509Util.getSubjectKeyIdentifier(entityCert);
    if (credSKI == null || credSKI.length == 0) {
        log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
        return null;
    }
    
    Boolean result = Arrays.equals(ski, credSKI);
    return result;
}
 
Example #25
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Evaluate the presenter entity ID as derived from the cert subject common name (CN).
 * 
 * Only the first CN value from the subject DN is evaluated.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectCommonName(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter as cert CN");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    String candidatePresenter = getCommonName(certificate);
    if (candidatePresenter != null) {
        if (evaluate(requestCredential, candidatePresenter, messageContext)) {
            log.info("Authentication succeeded for presenter entity ID derived from CN {}", candidatePresenter);
            return candidatePresenter;
        }
    }
    return null;
}
 
Example #26
Source File: PKIXSignatureTrustEngine.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/** {@inheritDoc} */
protected boolean evaluateTrust(Credential untrustedCredential,
        Pair<Set<String>, Iterable<PKIXValidationInformation>> validationPair) throws SecurityException {

    if (!(untrustedCredential instanceof X509Credential)) {
        log.debug("Can not evaluate trust of non-X509Credential");
        return false;
    }
    X509Credential untrustedX509Credential = (X509Credential) untrustedCredential;

    Set<String> trustedNames = validationPair.getFirst();
    Iterable<PKIXValidationInformation> validationInfoSet = validationPair.getSecond();
    
    if (!checkNames(trustedNames, untrustedX509Credential)) {
        log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation");
        return false;
    }

    for (PKIXValidationInformation validationInfo : validationInfoSet) {
        try {
            if (pkixTrustEvaluator.validate(validationInfo, untrustedX509Credential)) {
                log.debug("Signature trust established via PKIX validation of signing credential");
                return true;
            }
        } catch (SecurityException e) {
            // log the operational error, but allow other validation info sets to be tried
            log.debug("Error performing PKIX validation on untrusted credential", e);
        }
    }

    log.debug("Signature trust could not be established via PKIX validation of signing credential");
    return false;
}
 
Example #27
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 2 votes vote down vote up
/**
 * Evaluate any candidate presenter entity ID's which may be derived from the credential or other message context
 * information.
 * 
 * <p>
 * This serves primarily as an extension point for subclasses to implement application-specific logic.
 * </p>
 * 
 * <p>
 * If multiple derived candidate entity ID's would satisfy the trust engine criteria, the choice of which one to
 * return as the canonical presenter entity ID value is implementation-specific.
 * </p>
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateDerivedPresenters(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    return null;
}
 
Example #28
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0 2 votes vote down vote up
/**
 * Evaluate any candidate presenter entity ID's which may be derived from the credential or other message context
 * information.
 * 
 * <p>
 * This serves primarily as an extension point for subclasses to implement application-specific logic.
 * </p>
 * 
 * <p>
 * If multiple derived candidate entity ID's would satisfy the trust engine criteria, the choice of which one to
 * return as the canonical presenter entity ID value is implementation-specific.
 * </p>
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 * @deprecated Use {@link #evaluateDerivedPresenters(X509Credential,MessageContext)} instead
 */
protected String evaluateDerivedIssuers(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {
    return evaluateDerivedPresenters(requestCredential, messageContext);
}
 
Example #29
Source File: SSOEncrypter.java    From carbon-identity with Apache License 2.0 2 votes vote down vote up
/**
 * Encrypt the SAML assertion
 *
 * @param assertion           SAML assertion to be encrypted
 * @param cred                Encrypting credential
 * @param alias               Certificate alias against which use to Encrypt the assertion.
 * @param encryptionAlgorithm Encryption algorithm
 * @return SAML EncryptedAssertion
 * @throws IdentityException
 */
public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias,
                                               String encryptionAlgorithm) throws IdentityException;
 
Example #30
Source File: SSOSigner.java    From carbon-identity with Apache License 2.0 2 votes vote down vote up
/**
 * Set the signature to XML object
 *
 * @param request
 * @param signatureAlgorithm
 * @param digestAlgorithm
 * @param cred
 * @return
 * @throws IdentityException
 */
public SignableXMLObject setSignature(SignableXMLObject signableXMLObject, String signatureAlgorithm, String
        digestAlgorithm, X509Credential cred) throws IdentityException;