/**
   * Selects the X509 credential this machine presents when authenticating itself to peer servers
   * over TLS and stores it in the context.
   *
   * <p>When the local extended metadata names a key alias under {@code tlsKey}, the matching
   * credential is fetched from the key manager. Otherwise the local SSL credential is set to
   * {@code null}: no key-manager credential is chosen here, so the TLS layer proceeds without an
   * explicitly selected client credential (presumably falling back to its own default — confirm
   * against the socket factory that consumes it).
   *
   * @param samlContext context to populate
   */
  protected void populateSSLCredential(SAMLMessageContext samlContext) {
    String tlsKeyAlias = samlContext.getLocalExtendedMetadata().getTlsKey();
    X509Credential sslCredential = null;
    if (tlsKeyAlias != null) {
      // The key manager returns a plain Credential; the TLS layer needs its X509 view.
      sslCredential = (X509Credential) keyManager.getCredential(tlsKeyAlias);
    }
    samlContext.setLocalSSLCredential(sslCredential);
  }
 /**
  * Chooses the trust engine that verifies certificates presented by peer servers on SSL/TLS
  * connections and stores it in the context.
  *
  * <p>When the SSL security profile in the local extended metadata is {@code pkix} (compared
  * case-insensitively), a PKIX engine backed by {@code pkixResolver} is used, with the trusted keys
  * from the extended metadata acting as anchors. Any other value, including none, yields an
  * explicit engine backed by {@code metadataResolver}, which accepts only certificates taken from
  * the metadata or from the values overridden in the ExtendedMetadata.
  *
  * @param samlContext context to populate
  */
 protected void populateSSLTrustEngine(SAMLMessageContext samlContext) {
   String sslProfile = samlContext.getLocalExtendedMetadata().getSslSecurityProfile();
   boolean usePkix = "pkix".equalsIgnoreCase(sslProfile);
   TrustEngine<X509Credential> sslTrustEngine =
       usePkix
           ? new PKIXX509CredentialTrustEngine(pkixResolver)
           : new ExplicitX509CertificateTrustEngine(metadataResolver);
   samlContext.setLocalSSLTrustEngine(sslTrustEngine);
 }
  /**
   * Builds the decrypter used for encrypted XML parts addressed to this entity and stores it in
   * the context.
   *
   * <p>The decryption credential is the one named by {@code encryptionKey} in the local extended
   * metadata, or the key manager's default credential when no alias is set. That single credential
   * is exposed through a static resolver; {@code encryptedKeyResolver} locates the EncryptedKey
   * elements in the encrypted XML, which are then unwrapped with that credential. Decrypted content
   * is rooted in a new document.
   *
   * @param samlContext context to populate decryptor for.
   */
  protected void populateDecrypter(SAMLMessageContext samlContext) {
    String encryptionKeyAlias = samlContext.getLocalExtendedMetadata().getEncryptionKey();
    Credential decryptionCredential =
        encryptionKeyAlias != null
            ? keyManager.getCredential(encryptionKeyAlias)
            : keyManager.getDefaultCredential();

    // Fixed, single-credential resolver: the only private key the decrypter will try.
    KeyInfoCredentialResolver keyResolver =
        new StaticKeyInfoCredentialResolver(decryptionCredential);

    // The first resolver argument is deliberately absent; the EncryptedKey found by
    // encryptedKeyResolver is decrypted with keyResolver instead (presumably the KEK path — confirm
    // against the Decrypter constructor contract).
    Decrypter decrypter = new Decrypter(null, keyResolver, encryptedKeyResolver);
    decrypter.setRootInNewDocument(true);

    samlContext.setLocalDecrypter(decrypter);
  }
 /**
  * Chooses the trust engine that verifies XML signatures on messages from peers and stores it in
  * the context.
  *
  * <p>When the security profile in the local extended metadata is {@code pkix} (compared
  * case-insensitively), a PKIX signature engine backed by {@code pkixResolver} is used, with the
  * trusted keys from the extended metadata acting as anchors. Any other value yields an
  * explicit-key engine backed by {@code metadataResolver}, so only signing keys taken from the
  * metadata or from the values overridden in the ExtendedMetadata are accepted. Both engines read
  * key material from signatures through the global default KeyInfo credential resolver.
  *
  * @param samlContext context to populate
  */
 protected void populateTrustEngine(SAMLMessageContext samlContext) {
   KeyInfoCredentialResolver keyInfoResolver =
       Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
   String securityProfile = samlContext.getLocalExtendedMetadata().getSecurityProfile();
   SignatureTrustEngine signatureTrustEngine;
   if ("pkix".equalsIgnoreCase(securityProfile)) {
     signatureTrustEngine = new PKIXSignatureTrustEngine(pkixResolver, keyInfoResolver);
   } else {
     signatureTrustEngine = new ExplicitKeySignatureTrustEngine(metadataResolver, keyInfoResolver);
   }
   samlContext.setLocalTrustEngine(signatureTrustEngine);
 }