public URI generateRedirectUri(String samlParameterName, String redirectUri, Document document) throws ConfigurationException, ProcessingException, IOException { KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(redirectUri) .replaceQuery(null) .queryParam(samlParameterName, base64Encoded(document)); if (relayState != null) { builder.queryParam("RelayState", relayState); } if (sign) { builder.queryParam( GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, signatureAlgorithm.getXmlSignatureMethod()); URI uri = builder.build(); String rawQuery = uri.getRawQuery(); Signature signature = signatureAlgorithm.createSignature(); byte[] sig = new byte[0]; try { signature.initSign(signingKeyPair.getPrivate()); signature.update(rawQuery.getBytes("UTF-8")); sig = signature.sign(); } catch (InvalidKeyException | UnsupportedEncodingException | SignatureException e) { throw new ProcessingException(e); } String encodedSig = RedirectBindingUtil.base64URLEncode(sig); builder.queryParam(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY, encodedSig); } return builder.build(); }
/** * Verifies the signature on this CertificationRequest, using the given public key and * CryptoToken. Does not indicate the CertificationRequest is valid at any specific time. */ public void verify(PublicKey key, CryptoToken token) throws NoSuchAlgorithmException, CertificateException, TokenException, SignatureException, InvalidKeyException { Signature sig = token.getSignatureContext(SignatureAlgorithm.fromOID(algId.getOID())); sig.initVerify(key); sig.update(infoEncoding); if (!sig.verify(signature)) { throw new CertificateException("Signature is invalid"); } }
/** * Creates and signs an X.509 CertificationRequest. * * @param info A CertificationRequestInfo (TBSCertificationRequest), which specifies the actual * information of the CertificationRequest. * @param privKey The private key with which to sign the certificat. * @param signingAlg The algorithm to use to sign the CertificationRequest. It must match the * algorithm specified in the CertificationRequestInfo. * @exception IOException If an error occurred while encoding the CertificationRequest. * @exception CryptoManager.NotInitializedException Because this operation involves cryptography * (signing), CryptoManager must be initialized before calling it. * @exception TokenException If an error occurs on a PKCS #11 token. * @exception NoSuchAlgorithmException If the OID for the signing algorithm cannot be located. * @exception CertificateException If the signing algorithm specified as a parameter does not * match the one in the CertificationRequest info. * @exception InvalidKeyException If the key does not match the signing algorithm. * @exception SignatureException If an error occurs while signing the CertificationRequest. */ public CertificationRequest( CertificationRequestInfo info, java.security.PrivateKey privKey, SignatureAlgorithm signingAlg) throws IOException, CryptoManager.NotInitializedException, TokenException, NoSuchAlgorithmException, CertificateException, InvalidKeyException, SignatureException { // make sure key is a Ninja private key if (!(privKey instanceof PrivateKey)) { throw new InvalidKeyException("Private Key is does not belong to" + " this provider"); } PrivateKey priv = (PrivateKey) privKey; // create algId if (signingAlg.getSigningAlg() == SignatureAlgorithm.RSASignature) { algId = new AlgorithmIdentifier(signingAlg.toOID(), null); } else { algId = new AlgorithmIdentifier(signingAlg.toOID()); } // encode the cert info this.info = info; infoEncoding = ASN1Util.encode(info); // sign the info encoding CryptoManager cm = CryptoManager.getInstance(); CryptoToken token = priv.getOwningToken(); Signature sig = token.getSignatureContext(signingAlg); sig.initSign(priv); sig.update(infoEncoding); signature = sig.sign(); // bundle everything into a SEQUENCE sequence = new SEQUENCE(); sequence.addElement(info); sequence.addElement(algId); sequence.addElement(new BIT_STRING(signature, 0)); }
public void signDocument(Document samlDocument) throws ProcessingException { String signatureMethod = signatureAlgorithm.getXmlSignatureMethod(); String signatureDigestMethod = signatureAlgorithm.getXmlSignatureDigestMethod(); SAML2Signature samlSignature = new SAML2Signature(); if (signatureMethod != null) { samlSignature.setSignatureMethod(signatureMethod); } if (signatureDigestMethod != null) { samlSignature.setDigestMethod(signatureDigestMethod); } Node nextSibling = samlSignature.getNextSiblingOfIssuer(samlDocument); samlSignature.setNextSibling(nextSibling); if (signingCertificate != null) { samlSignature.setX509Certificate(signingCertificate); } samlSignature.signSAMLDocument( samlDocument, signingKeyName, signingKeyPair, canonicalizationMethodType); }
/** {@inheritDoc} */ public void setVerifyKey(final PublicKey key) { if (!DSAPublicKey.class.isInstance(key)) { throw new IllegalArgumentException("DSA public key required."); } super.setVerifyKey(key); }
/** {@inheritDoc} */ public void setSignKey(final PrivateKey key) { if (!DSAPrivateKey.class.isInstance(key)) { throw new IllegalArgumentException("DSA private key required."); } super.setSignKey(key); }