/**
   * Validate the signature of a SAML2 Response and Assertion
   *
   * @param response SAML2 Response
   * @return true, if signature is valid.
   */
  private void validateSignature(Response response, Assertion assertion) throws SAMLSSOException {

    if (SSOUtils.isAuthnResponseSigned(properties)) {

      if (identityProvider.getCertificate() == null
          || identityProvider.getCertificate().isEmpty()) {
        throw new SAMLSSOException(
            "SAMLResponse signing is enabled, but IdP doesn't have a certificate");
      }

      if (response.getSignature() == null) {
        throw new SAMLSSOException(
            "SAMLResponse signing is enabled, but signature element "
                + "not found in SAML Response element.");
      } else {
        try {
          X509Credential credential =
              new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
          SignatureValidator validator = new SignatureValidator(credential);
          validator.validate(response.getSignature());
        } catch (ValidationException e) {
          throw new SAMLSSOException("Signature validation failed for SAML Response", e);
        }
      }
    }
    if (SSOUtils.isAssertionSigningEnabled(properties)) {

      if (identityProvider.getCertificate() == null
          || identityProvider.getCertificate().isEmpty()) {
        throw new SAMLSSOException(
            "SAMLAssertion signing is enabled, but IdP doesn't have a certificate");
      }

      if (assertion.getSignature() == null) {
        throw new SAMLSSOException(
            "SAMLAssertion signing is enabled, but signature element "
                + "not found in SAML Assertion element.");
      } else {
        try {
          X509Credential credential =
              new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
          SignatureValidator validator = new SignatureValidator(credential);
          validator.validate(assertion.getSignature());
        } catch (ValidationException e) {
          throw new SAMLSSOException("Signature validation failed for SAML Assertion", e);
        }
      }
    }
  }
  /**
   * Validate the signature of a SAML2 Response and Assertion
   *
   * @param response SAML2 Response
   * @return true, if signature is valid.
   */
  protected void validateSignature(Response response, Assertion assertion)
      throws SSOAgentException {

    if (SSOAgentDataHolder.getInstance().getSignatureValidator() != null) {
      // Custom implemetation of signature validation
      SAMLSignatureValidator signatureValidatorUtility =
          (SAMLSignatureValidator) SSOAgentDataHolder.getInstance().getSignatureValidator();
      signatureValidatorUtility.validateSignature(response, assertion, ssoAgentConfig);
    } else {
      // If custom implementation not found, Execute the default implementation
      if (ssoAgentConfig.getSAML2().isResponseSigned()) {
        if (response.getSignature() == null) {
          throw new SSOAgentException(
              "SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
        } else {
          try {
            SignatureValidator validator =
                new SignatureValidator(
                    new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
            validator.validate(response.getSignature());
          } catch (ValidationException e) {
            if (log.isDebugEnabled()) {
              log.debug("Validation exception : ", e);
            }
            throw new SSOAgentException("Signature validation failed for SAML2 Response");
          }
        }
      }
      if (ssoAgentConfig.getSAML2().isAssertionSigned()) {
        if (assertion.getSignature() == null) {
          throw new SSOAgentException(
              "SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
        } else {
          try {
            SignatureValidator validator =
                new SignatureValidator(
                    new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
            validator.validate(assertion.getSignature());
          } catch (ValidationException e) {
            if (log.isDebugEnabled()) {
              log.debug("Validation exception : ", e);
            }
            throw new SSOAgentException("Signature validation failed for SAML2 Assertion");
          }
        }
      }
    }
  }
  @Override
  public boolean validateXMLSignature(
      RequestAbstractType request, X509Credential cred, String alias) throws IdentityException {

    boolean isSignatureValid = false;

    if (request.getSignature() != null) {
      try {
        SignatureValidator validator = new SignatureValidator(cred);
        validator.validate(request.getSignature());
        isSignatureValid = true;
      } catch (ValidationException e) {
        throw IdentityException.error(
            "Signature Validation Failed for the SAML Assertion : Signature is " + "invalid.", e);
      }
    }
    return isSignatureValid;
  }
예제 #4
0
 /**
  * This method validates the signature of the SAML Response.
  *
  * @param resp SAML Response
  * @return true, if signature is valid.
  */
 public static boolean validateSignature(
     Response resp,
     String keyStoreName,
     String keyStorePassword,
     String alias,
     int tenantId,
     String tenantDomain) {
   boolean isSigValid = false;
   try {
     KeyStore keyStore = null;
     java.security.cert.X509Certificate cert = null;
     if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {
       // get an instance of the corresponding Key Store Manager instance
       KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
       keyStore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain));
       cert = (java.security.cert.X509Certificate) keyStore.getCertificate(tenantDomain);
     } else {
       keyStore = KeyStore.getInstance("JKS");
       keyStore.load(new FileInputStream(new File(keyStoreName)), keyStorePassword.toCharArray());
       cert = (java.security.cert.X509Certificate) keyStore.getCertificate(alias);
     }
     if (log.isDebugEnabled()) {
       log.debug("Validating against " + cert.getSubjectDN().getName());
     }
     X509CredentialImpl credentialImpl = new X509CredentialImpl(cert);
     SignatureValidator signatureValidator = new SignatureValidator(credentialImpl);
     signatureValidator.validate(resp.getSignature());
     isSigValid = true;
     return isSigValid;
   } catch (Exception e) {
     if (log.isDebugEnabled()) {
       log.debug("Signature verification is failed for " + tenantDomain);
     }
     return isSigValid;
   }
 }