Exemplo n.º 1
0
  /**
   * Verify the signature in <code>Response</code>.
   *
   * @param pepEntityID entity identifier of PEP.
   * @param pdpEntityID entity identifier of PDP.
   * @param response <code>Response</code> to be verified
   * @return true if signature is valid.
   * @throws <code>SAML2Exception</code> if error in verifying the signature.
   */
  public static boolean verifySignedResponse(
      String pepEntityID, String pdpEntityID, Response response) throws SAML2Exception {
    String classMethod = "QueryClient:verifySignedResponse: ";

    String realm = "/";
    XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);

    String wantResponseSigned =
        getAttributeValueFromPEPConfig(pepConfig, "wantXACMLAuthzDecisionResponseSigned");

    boolean valid = false;
    if (wantResponseSigned != null && wantResponseSigned.equalsIgnoreCase("true")) {
      XACMLPDPDescriptorElement pdpDescriptor =
          saml2MetaManager.getPolicyDecisionPointDescriptor(null, pdpEntityID);
      X509Certificate signingCert = KeyUtil.getPDPVerificationCert(pdpDescriptor, pdpEntityID);
      if (signingCert != null) {
        valid = response.isSignatureValid(signingCert);
        if (debug.messageEnabled()) {
          debug.message(classMethod + "Signature is valid :" + valid);
        }
      } else {
        debug.error(classMethod + "Incorrect configuration for Signing Certificate.");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
      }
    } else {
      if (debug.messageEnabled()) {
        debug.message(classMethod + "Response doesn't need to be verified.");
      }
      valid = true;
    }
    return valid;
  }
Exemplo n.º 2
0
  public static String buildX509Certificate(String certAlias) throws SAML2MetaException {
    if ((certAlias == null) || (certAlias.trim().length() == 0)) {
      return null;
    }

    X509Certificate cert = KeyUtil.getKeyProviderInstance().getX509Certificate(certAlias);

    if (cert != null) {
      try {
        return Base64.encode(cert.getEncoded(), true);
      } catch (Exception ex) {
        if (debug.messageEnabled()) {
          debug.message("SAML2MetaSecurityUtils.buildX509Certificate:", ex);
        }
      }
    }

    Object[] objs = {certAlias};
    throw new SAML2MetaException("invalid_cert_alias", objs);
  }
Exemplo n.º 3
0
  private static void initializeKeyStore() {
    if (keyProviderInitialized) {
      return;
    }

    org.apache.xml.security.Init.init();

    keyProvider = KeyUtil.getKeyProviderInstance();
    if (keyProvider != null) {
      keyStore = keyProvider.getKeyStore();
    }

    try {
      String valCert = SystemPropertiesManager.get("com.sun.identity.saml.checkcert", "on");

      checkCert = valCert.trim().equalsIgnoreCase("on");
    } catch (Exception e) {
      checkCert = true;
    }

    keyProviderInitialized = true;
  }
Exemplo n.º 4
0
  /**
   * @param xacmlQuery XACML Query
   * @param realm the entity's realm.
   * @param pepEntityID entity identifier of PEP.
   * @param pdpEntityID entity identifier of PDP.
   * @throws <code>SAML2Exception</code> if error in verifying the signature.
   */
  private static void signAttributeQuery(
      XACMLAuthzDecisionQuery xacmlQuery, String realm, String pepEntityID, boolean includeCert)
      throws SAML2Exception {

    KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
    XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);

    String alias = getAttributeValueFromPEPConfig(pepConfig, "signingCertAlias");

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
      throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    X509Certificate signingCert = null;
    if (includeCert) {
      signingCert = keyProvider.getX509Certificate(alias);
    }

    if (signingKey != null) {
      xacmlQuery.sign(signingKey, signingCert);
    }
  }
Exemplo n.º 5
0
  /**
   * Returns SAMLv2 <code>Response</code> after validation of the response. A new <code>Response
   * </code> object is created which contains decrypted assertion if the assertions were encrypted.
   *
   * @param realm the realm of the entity.
   * @param pepEntityID entity identifier of the PEP.
   * @param samlResponse the <code>Response</code>.
   * @exception <code>SAML2Exception</code> if there is an error.
   */
  private static Response verifyResponse(String realm, String pepEntityID, Response samlResponse)
      throws SAML2Exception {

    Response response = samlResponse;
    String classMethod = "QueryClient:verifyResponse";
    if (samlResponse != null) {
      // validate issuer trust.
      Issuer issuer = samlResponse.getIssuer();
      String issuerID = null;
      if (issuer != null) {
        issuerID = issuer.getValue().trim();
      }
      String pdpEntityID = issuerID;
      boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);

      if (!isTrusted) {
        if (debug.messageEnabled()) {
          debug.message(classMethod + "Issuer in Request is not valid.");
        }
        String[] args = {realm, pepEntityID, issuerID};

        LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
        throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "invalidIssuer", args);
      }
      // verify signed response
      verifySignedResponse(pepEntityID, pdpEntityID, samlResponse);
      try {
        // check if assertion needs to be encrypted,signed.
        XACMLAuthzDecisionQueryConfigElement pepConfig =
            saml2MetaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
        String assertionEncrypted =
            getAttributeValueFromPEPConfig(pepConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
        boolean wantAssertionEncrypted =
            (assertionEncrypted != null && assertionEncrypted.equalsIgnoreCase("true"))
                ? true
                : false;
        boolean wantAssertionSigned = wantAssertionSigned(realm, pepEntityID);

        String respID = samlResponse.getID();
        List assertions = samlResponse.getAssertion();
        if (wantAssertionEncrypted && (assertions != null && (assertions.size() != 0))) {
          String[] data = {issuerID, respID};
          LogUtil.error(Level.INFO, LogUtil.ASSERTION_FROM_PDP_NOT_ENCRYPTED, data);
          throw new SAML2Exception(SAML2SDKUtils.bundle.getString("assertionNotEncrypted"));
        }
        PrivateKey decryptionKey = null;
        List encAssertions = samlResponse.getEncryptedAssertion();
        List decAssertions = null;
        if (encAssertions != null) {
          Iterator encIter = encAssertions.iterator();
          while (encIter.hasNext()) {
            if (decryptionKey == null) {
              decryptionKey = KeyUtil.getDecryptionKey(pepConfig);
            }
            Assertion assertion = ((EncryptedAssertion) encIter.next()).decrypt(decryptionKey);
            if (assertions == null) {
              assertions = new ArrayList();
            }
            assertions.add(assertion);
          }
        }

        if (assertions == null || assertions.size() == 0) {
          if (debug.messageEnabled()) {
            debug.message(classMethod + "no assertion in the Response.");
          }
          String[] data = {issuerID, respID};
          LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION_IN_PDP_RESPONSE, data);
          throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missingAssertion"));
        }

        // validate Issuer  in Assertion
        Iterator assertionIter = assertions.iterator();
        X509Certificate cert = null;
        XACMLPDPDescriptorElement pdpDesc = null;
        if (wantAssertionSigned) {
          pdpDesc = saml2MetaManager.getPolicyDecisionPointDescriptor(realm, pdpEntityID);
          cert = KeyUtil.getPDPVerificationCert(pdpDesc, pdpEntityID);
        }

        while (assertionIter.hasNext()) {
          Assertion assertion = (Assertion) assertionIter.next();
          String assertionID = assertion.getID();
          String assertionIssuer = assertion.getIssuer().getValue().trim();
          isTrusted = verifyResponseIssuer(realm, pepEntityID, assertionIssuer);
          if (!isTrusted) {
            debug.error(classMethod + "Assertion's source site is not valid.");
            String[] data = {assertionIssuer, assertionID};
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_ASSERTION_FROM_PDP, data);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidIssuerInAssertion"));
          }
          String respIssuer = samlResponse.getIssuer().getValue().trim();
          if (!respIssuer.equals(assertionIssuer)) {
            if (debug.messageEnabled()) {
              debug.message(
                  classMethod
                      + "Issuer in Assertion "
                      + assertionIssuer
                      + "doesn't match the Issuer in Response."
                      + respIssuer);
            }
            String[] data = {pdpEntityID, assertionIssuer};
            LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_IN_ASSERTION_FROM_PDP, data);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("mismatchIssuer"));
          }
          if (wantAssertionSigned) {
            if (debug.messageEnabled()) {
              debug.message(classMethod + "wantAssertionSigned " + wantAssertionSigned);
            }
            if (!assertion.isSigned() || !assertion.isSignatureValid(cert)) {
              debug.error(classMethod + "Assertion is not signed or signature " + "is not valid.");
              String[] data = {assertionIssuer, assertionID};
              LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION_FROM_PDP, data);
              throw new SAML2Exception(
                  SAML2SDKUtils.bundle.getString("invalidSignatureOnAssertion"));
            }
          }
        } // end while
        if (wantAssertionEncrypted) {
          response = createResponse(samlResponse, assertions);
        }
        if (debug.messageEnabled()) {
          debug.message(classMethod + " Response : " + response.toXMLString(true, true));
        }
      } catch (SAML2MetaException sme) {
        if (debug.messageEnabled()) {
          debug.message(classMethod + "Error retreiving meta", sme);
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
      }
    }
    return response;
  }