/**
* Validate the signature of a SAML2 Response and Assertion
*
* @param response SAML2 Response
* @return true, if signature is valid.
*/
private void validateSignature(Response response, Assertion assertion) throws SAMLSSOException {
if (SSOUtils.isAuthnResponseSigned(properties)) {
if (identityProvider.getCertificate() == null
|| identityProvider.getCertificate().isEmpty()) {
throw new SAMLSSOException(
"SAMLResponse signing is enabled, but IdP doesn't have a certificate");
}
if (response.getSignature() == null) {
throw new SAMLSSOException(
"SAMLResponse signing is enabled, but signature element "
+ "not found in SAML Response element.");
} else {
try {
X509Credential credential =
new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(response.getSignature());
} catch (ValidationException e) {
throw new SAMLSSOException("Signature validation failed for SAML Response", e);
}
}
}
if (SSOUtils.isAssertionSigningEnabled(properties)) {
if (identityProvider.getCertificate() == null
|| identityProvider.getCertificate().isEmpty()) {
throw new SAMLSSOException(
"SAMLAssertion signing is enabled, but IdP doesn't have a certificate");
}
if (assertion.getSignature() == null) {
throw new SAMLSSOException(
"SAMLAssertion signing is enabled, but signature element "
+ "not found in SAML Assertion element.");
} else {
try {
X509Credential credential =
new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(assertion.getSignature());
} catch (ValidationException e) {
throw new SAMLSSOException("Signature validation failed for SAML Assertion", e);
}
}
}
}
/**
* Validate the signature of a SAML2 Response and Assertion
*
* @param response SAML2 Response
* @return true, if signature is valid.
*/
protected void validateSignature(Response response, Assertion assertion)
throws SSOAgentException {
if (SSOAgentDataHolder.getInstance().getSignatureValidator() != null) {
// Custom implemetation of signature validation
SAMLSignatureValidator signatureValidatorUtility =
(SAMLSignatureValidator) SSOAgentDataHolder.getInstance().getSignatureValidator();
signatureValidatorUtility.validateSignature(response, assertion, ssoAgentConfig);
} else {
// If custom implementation not found, Execute the default implementation
if (ssoAgentConfig.getSAML2().isResponseSigned()) {
if (response.getSignature() == null) {
throw new SSOAgentException(
"SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
} else {
try {
SignatureValidator validator =
new SignatureValidator(
new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
validator.validate(response.getSignature());
} catch (ValidationException e) {
if (log.isDebugEnabled()) {
log.debug("Validation exception : ", e);
}
throw new SSOAgentException("Signature validation failed for SAML2 Response");
}
}
}
if (ssoAgentConfig.getSAML2().isAssertionSigned()) {
if (assertion.getSignature() == null) {
throw new SSOAgentException(
"SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
} else {
try {
SignatureValidator validator =
new SignatureValidator(
new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
validator.validate(assertion.getSignature());
} catch (ValidationException e) {
if (log.isDebugEnabled()) {
log.debug("Validation exception : ", e);
}
throw new SSOAgentException("Signature validation failed for SAML2 Assertion");
}
}
}
}
}
@Override
public boolean validateXMLSignature(
RequestAbstractType request, X509Credential cred, String alias) throws IdentityException {
boolean isSignatureValid = false;
if (request.getSignature() != null) {
try {
SignatureValidator validator = new SignatureValidator(cred);
validator.validate(request.getSignature());
isSignatureValid = true;
} catch (ValidationException e) {
throw IdentityException.error(
"Signature Validation Failed for the SAML Assertion : Signature is " + "invalid.", e);
}
}
return isSignatureValid;
}
/**
* This method validates the signature of the SAML Response.
*
* @param resp SAML Response
* @return true, if signature is valid.
*/
public static boolean validateSignature(
Response resp,
String keyStoreName,
String keyStorePassword,
String alias,
int tenantId,
String tenantDomain) {
boolean isSigValid = false;
try {
KeyStore keyStore = null;
java.security.cert.X509Certificate cert = null;
if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {
// get an instance of the corresponding Key Store Manager instance
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
keyStore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain));
cert = (java.security.cert.X509Certificate) keyStore.getCertificate(tenantDomain);
} else {
keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(new File(keyStoreName)), keyStorePassword.toCharArray());
cert = (java.security.cert.X509Certificate) keyStore.getCertificate(alias);
}
if (log.isDebugEnabled()) {
log.debug("Validating against " + cert.getSubjectDN().getName());
}
X509CredentialImpl credentialImpl = new X509CredentialImpl(cert);
SignatureValidator signatureValidator = new SignatureValidator(credentialImpl);
signatureValidator.validate(resp.getSignature());
isSigValid = true;
return isSigValid;
} catch (Exception e) {
if (log.isDebugEnabled()) {
log.debug("Signature verification is failed for " + tenantDomain);
}
return isSigValid;
}
}
