@Override public SignableXMLObject setSignature( SignableXMLObject signableXMLObject, String signatureAlgorithm, String digestAlgorithm, X509Credential cred) throws IdentityException { Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME); signature.setSigningCredential(cred); signature.setSignatureAlgorithm(signatureAlgorithm); signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME); X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME); X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME); String value; try { value = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded()); } catch (CertificateEncodingException e) { throw IdentityException.error("Error occurred while retrieving encoded cert", e); } cert.setValue(value); data.getX509Certificates().add(cert); keyInfo.getX509Datas().add(data); signature.setKeyInfo(keyInfo); signableXMLObject.setSignature(signature); ((SAMLObjectContentReference) signature.getContentReferences().get(0)) .setDigestAlgorithm(digestAlgorithm); List<Signature> signatureList = new ArrayList<Signature>(); signatureList.add(signature); MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory(); Marshaller marshaller = marshallerFactory.getMarshaller(signableXMLObject); try { marshaller.marshall(signableXMLObject); } catch (MarshallingException e) { throw IdentityException.error("Unable to marshall the request", e); } org.apache.xml.security.Init.init(); try { Signer.signObjects(signatureList); } catch (SignatureException e) { throw IdentityException.error("Error occurred while signing request", e); } return signableXMLObject; }
/** * @param ppid * @throws IdentityException */ public void registerOAuthConsumer(OAuthConsumerDO consumer) throws IdentityException { Collection userResource = null; if (log.isDebugEnabled()) { log.debug("Creating or updating OAuth consumer value"); } try { boolean transactionStarted = Transaction.isStarted(); try { if (!transactionStarted) { registry.beginTransaction(); } if (!registry.resourceExists(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey())) { userResource = registry.newCollection(); registry.put(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey(), userResource); } else { userResource = (Collection) registry.get(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey()); userResource.removeProperty(IdentityRegistryResources.OAUTH_CONSUMER_PATH); } userResource.addProperty( IdentityRegistryResources.OAUTH_CONSUMER_PATH, consumer.getConsumerSecret()); registry.put(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey(), userResource); if (!transactionStarted) { registry.commitTransaction(); } } catch (Exception e) { if (!transactionStarted) { registry.rollbackTransaction(); } if (e instanceof RegistryException) { throw (RegistryException) e; } else { throw IdentityException.error("Error while creating or updating OAuth consumer", e); } } } catch (RegistryException e) { log.error("Error while creating or updating OAuth consumer", e); throw IdentityException.error("Error while creating or updating OAuth consumer", e); } }
/** * Builds SAML Elements * * @param objectQName * @return * @throws IdentityException */ private XMLObject buildXMLObject(QName objectQName) throws IdentityException { XMLObjectBuilder builder = org.opensaml.xml.Configuration.getBuilderFactory().getBuilder(objectQName); if (builder == null) { throw IdentityException.error("Unable to retrieve builder for object QName " + objectQName); } return builder.buildObject( objectQName.getNamespaceURI(), objectQName.getLocalPart(), objectQName.getPrefix()); }
/** * Validates the authentication request according to IdP Initiated SAML SSO Web Browser * Specification * * @return SAMLSSOSignInResponseDTO * @throws org.wso2.carbon.identity.base.IdentityException */ public SAMLSSOReqValidationResponseDTO validate() throws IdentityException { SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO(); try { // spEntityID MUST NOT be null if (StringUtils.isNotBlank(spEntityID)) { validationResponse.setIssuer(spEntityID); } else { String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "spEntityID parameter not found in request", null); if (log.isDebugEnabled()) { log.debug("spEntityID parameter not found in request"); } validationResponse.setResponse(errorResp); validationResponse.setValid(false); return validationResponse; } if (!SAMLSSOUtil.isSAMLIssuerExists( spEntityID, SAMLSSOUtil.getTenantDomainFromThreadLocal())) { String message = "A Service Provider with the Issuer '" + spEntityID + "' is not registered. Service " + "Provider should be registered in advance"; log.error(message); String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null); validationResponse.setResponse(errorResp); validationResponse.setValid(false); return validationResponse; } // If SP has multiple ACS if (StringUtils.isNotBlank(acs)) { validationResponse.setAssertionConsumerURL(acs); } if (StringUtils.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) { SAMLSSOUtil.setTenantDomainInThreadLocal(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); } validationResponse.setValid(true); if (log.isDebugEnabled()) { log.debug("IdP Initiated SSO request validation is successful"); } return validationResponse; } catch (Exception e) { throw IdentityException.error("Error validating the IdP Initiated SSO request", e); } }
@Override public boolean validateXMLSignature( RequestAbstractType request, X509Credential cred, String alias) throws IdentityException { boolean isSignatureValid = false; if (request.getSignature() != null) { try { SignatureValidator validator = new SignatureValidator(cred); validator.validate(request.getSignature()); isSignatureValid = true; } catch (ValidationException e) { throw IdentityException.error( "Signature Validation Failed for the SAML Assertion : Signature is " + "invalid.", e); } } return isSignatureValid; }
/** * @param ppid * @return * @throws IdentityException */ public String getOAuthConsumerSecret(String consumerKey) throws IdentityException { String path = null; Resource resource = null; if (log.isDebugEnabled()) { log.debug("Retreiving user for OAuth consumer key " + consumerKey); } try { path = RegistryConstants.PROFILES_PATH + consumerKey; if (registry.resourceExists(path)) { resource = registry.get(path); return resource.getProperty(IdentityRegistryResources.OAUTH_CONSUMER_PATH); } else { return null; } } catch (RegistryException e) { log.error("Error while retreiving user for OAuth consumer key " + consumerKey, e); throw IdentityException.error( "Error while retreiving user for OAuth consumer key " + consumerKey, e); } }