Пример #1
0
 /**
  * Updates signing or encryption key info for SP or IDP. This will update both signing/encryption
  * alias on extended metadata and certificates in standard metadata.
  *
  * @param realm Realm the entity resides.
  * @param entityID ID of the entity to be updated.
  * @param certAlias Alias of the certificate to be set to the entity. If null, will remove
  *     existing key information from the SP or IDP.
  * @param isSigning true if this is signing certificate alias, false if this is encryption
  *     certification alias.
  * @param isIDP true if this is for IDP signing/encryption alias, false if this is for SP
  *     signing/encryption alias
  * @param encAlgo Encryption algorithm URI, this is applicable for encryption cert only.
  * @param keySize Encryption key size, this is applicable for encryption cert only.
  * @throws SAML2MetaException if failed to update the certificate alias for the entity.
  */
 public static void updateProviderKeyInfo(
     String realm,
     String entityID,
     String certAlias,
     boolean isSigning,
     boolean isIDP,
     String encAlgo,
     int keySize)
     throws SAML2MetaException {
   SAML2MetaManager metaManager = new SAML2MetaManager();
   EntityConfigElement config = metaManager.getEntityConfig(realm, entityID);
   if (!config.isHosted()) {
     String[] args = {entityID, realm};
     throw new SAML2MetaException("entityNotHosted", args);
   }
   EntityDescriptorElement desp = metaManager.getEntityDescriptor(realm, entityID);
   if (isIDP) {
     IDPSSOConfigElement idpConfig = SAML2MetaUtils.getIDPSSOConfig(config);
     IDPSSODescriptorElement idpDesp = SAML2MetaUtils.getIDPSSODescriptor(desp);
     if ((idpConfig == null) || (idpDesp == null)) {
       String[] args = {entityID, realm};
       throw new SAML2MetaException("entityNotIDP", args);
     }
     // update standard metadata
     if ((certAlias == null) || (certAlias.length() == 0)) {
       // remove key info
       removeKeyDescriptor(idpDesp, isSigning);
       if (isSigning) {
         setExtendedAttributeValue(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS, null);
       } else {
         setExtendedAttributeValue(idpConfig, SAML2Constants.ENCRYPTION_CERT_ALIAS, null);
       }
     } else {
       KeyDescriptorElement kde = getKeyDescriptor(certAlias, isSigning, encAlgo, keySize);
       updateKeyDescriptor(idpDesp, kde);
       // update extended metadata
       Set value = new HashSet();
       value.add(certAlias);
       if (isSigning) {
         setExtendedAttributeValue(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS, value);
       } else {
         setExtendedAttributeValue(idpConfig, SAML2Constants.ENCRYPTION_CERT_ALIAS, value);
       }
     }
     metaManager.setEntityDescriptor(realm, desp);
     metaManager.setEntityConfig(realm, config);
   } else {
     SPSSOConfigElement spConfig = SAML2MetaUtils.getSPSSOConfig(config);
     SPSSODescriptorElement spDesp = SAML2MetaUtils.getSPSSODescriptor(desp);
     if ((spConfig == null) || (spDesp == null)) {
       String[] args = {entityID, realm};
       throw new SAML2MetaException("entityNotSP", args);
     }
     // update standard metadata
     if ((certAlias == null) || (certAlias.length() == 0)) {
       // remove key info
       removeKeyDescriptor(spDesp, isSigning);
       if (isSigning) {
         setExtendedAttributeValue(spConfig, SAML2Constants.SIGNING_CERT_ALIAS, null);
       } else {
         setExtendedAttributeValue(spConfig, SAML2Constants.ENCRYPTION_CERT_ALIAS, null);
       }
     } else {
       KeyDescriptorElement kde = getKeyDescriptor(certAlias, isSigning, encAlgo, keySize);
       updateKeyDescriptor(spDesp, kde);
       // update extended metadata
       Set value = new HashSet();
       value.add(certAlias);
       if (isSigning) {
         setExtendedAttributeValue(spConfig, SAML2Constants.SIGNING_CERT_ALIAS, value);
       } else {
         setExtendedAttributeValue(spConfig, SAML2Constants.ENCRYPTION_CERT_ALIAS, value);
       }
     }
     metaManager.setEntityDescriptor(realm, desp);
     metaManager.setEntityConfig(realm, config);
   }
 }
Пример #2
0
  /**
   * Signs the entity descriptor root element by the following rules:
   *
   * <ul>
   *   <li>Hosted Entity
   *       <ul>
   *         <li>If there is a signature already on the EntityDescriptor, removes it, then signs the
   *             EntityDescriptor.
   *         <li>Simply signs the EntityDescriptor otherwise.
   *       </ul>
   *   <li>Remote Entity
   *       <ul>
   *         <li>If there is a signature already on the EntityDescriptor, then does not change it,
   *             but returns the Document with the original signature.
   *         <li>Simply signs the EntityDescriptor otherwise
   *       </ul>
   * </ul>
   *
   * If there is no extended metadata for the entity, the entity is considered as remote.
   *
   * @param realm The realm where the EntityDescriptor belongs to.
   * @param descriptor The entity descriptor.
   * @return Signed <code>Document</code> for the entity descriptor or null if no metadata signing
   *     key is found in the configuration.
   * @throws SAML2MetaException if unable to sign the entity descriptor.
   * @throws JAXBException if the entity descriptor is invalid.
   */
  public static Document sign(String realm, EntityDescriptorElement descriptor)
      throws JAXBException, SAML2MetaException {
    if (descriptor == null) {
      throw new SAML2MetaException("Unable to sign null descriptor");
    }

    SAML2MetaManager metaManager = new SAML2MetaManager();
    EntityConfigElement cfgElem = metaManager.getEntityConfig(realm, descriptor.getEntityID());
    boolean isHosted;
    if (cfgElem == null) {
      // if there is no EntityConfig, this is considered as a remote entity
      isHosted = false;
    } else {
      isHosted = cfgElem.isHosted();
    }

    String signingCert = getRealmSetting(METADATA_SIGNING_KEY, realm);
    if (signingCert == null) {
      return null;
    }

    initializeKeyStore();

    String xmlstr = SAML2MetaUtils.convertJAXBToString(descriptor);
    xmlstr = formatBase64BinaryElement(xmlstr);

    Document doc = XMLUtils.toDOMDocument(xmlstr, debug);
    NodeList childNodes = doc.getDocumentElement().getChildNodes();
    for (int i = 0; i < childNodes.getLength(); i++) {
      Node node = childNodes.item(i);
      if (node.getLocalName() != null
          && node.getLocalName().equals("Signature")
          && node.getNamespaceURI().equals(NS_XMLSIG)) {
        if (isHosted) {
          node.getParentNode().removeChild(node);
          break;
        } else {
          // one signature found for this remote entity on the root element,
          // in this case returning the entry with the original signature
          // as that may be judged more accurately
          return doc;
        }
      }
    }

    // we need to sign or re-sign the document, let's generate a new ID
    String descriptorId = SAMLUtils.generateID();
    doc.getDocumentElement().setAttribute(ATTR_ID, descriptorId);

    XMLSignatureManager sigManager = XMLSignatureManager.getInstance();
    try {
      String xpath =
          "//*[local-name()=\""
              + TAG_ENTITY_DESCRIPTOR
              + "\" and namespace-uri()=\""
              + NS_META
              + "\"]/*[1]";
      sigManager.signXMLUsingKeyPass(
          doc,
          signingCert,
          getRealmSetting(METADATA_SIGNING_KEY_PASS, realm),
          null,
          SAML2Constants.ID,
          descriptorId,
          true,
          xpath);
    } catch (XMLSignatureException xmlse) {
      if (debug.messageEnabled()) {
        debug.message("SAML2MetaSecurityUtils.sign:", xmlse);
      }
    }

    return doc;
  }