/**
 * Sets the X.509 credential this machine presents when authenticating itself to peer servers
 * over TLS.
 *
 * <p>When the local extended metadata names a key alias under {@code tlsKey}, that alias is
 * resolved through the key manager and cast to {@link X509Credential}. Otherwise the context's
 * local SSL credential is set to {@code null}; the TLS layer is then presumably left to fall back
 * to its default credential (not visible here — confirm against the socket factory).
 *
 * @param samlContext context whose local SSL credential is populated
 */
protected void populateSSLCredential(SAMLMessageContext samlContext) {
    final String tlsKeyAlias = samlContext.getLocalExtendedMetadata().getTlsKey();
    X509Credential tlsCredential = null;
    if (tlsKeyAlias != null) {
        // The cast fails loudly (ClassCastException) if the aliased entry is not an X.509 credential,
        // which is preferable to silently negotiating TLS without client authentication.
        tlsCredential = (X509Credential) keyManager.getCredential(tlsKeyAlias);
    }
    samlContext.setLocalSSLCredential(tlsCredential);
}
/**
 * Chooses the trust engine used to verify the peer's certificate on SSL/TLS connections and
 * stores it on the context.
 *
 * <p>The choice is driven by {@code sslSecurityProfile} in the local extended metadata:
 * <ul>
 *   <li>{@code "pkix"} (case-insensitive): a {@link PKIXX509CredentialTrustEngine} that accepts
 *       any chain validating to the anchors supplied by {@code pkixResolver};</li>
 *   <li>anything else (the default): an {@link ExplicitX509CertificateTrustEngine} that accepts
 *       only certificates matching those published via {@code metadataResolver}.</li>
 * </ul>
 *
 * @param samlContext context whose local SSL trust engine is populated
 */
protected void populateSSLTrustEngine(SAMLMessageContext samlContext) {
    final String sslProfile = samlContext.getLocalExtendedMetadata().getSslSecurityProfile();
    final boolean usePkix = "pkix".equalsIgnoreCase(sslProfile);
    samlContext.setLocalSSLTrustEngine(buildSSLTrustEngine(usePkix));
}

/** Builds the SSL trust engine for the selected profile; explicit (metadata-based) unless PKIX. */
private TrustEngine<X509Credential> buildSSLTrustEngine(boolean usePkix) {
    if (usePkix) {
        return new PKIXX509CredentialTrustEngine(pkixResolver);
    }
    return new ExplicitX509CertificateTrustEngine(metadataResolver);
}
/**
 * Installs on the context the {@link Decrypter} used to decrypt encrypted parts of incoming XML.
 *
 * <p>The decryption credential is the key manager entry named by {@code encryptionKey} in the
 * local extended metadata, or the key manager's default credential when no alias is configured.
 * The decrypter resolves the {@code EncryptedKey} element with {@code encryptedKeyResolver} and
 * unwraps it with the private key from that single credential.
 *
 * @param samlContext context whose local decrypter is populated
 */
protected void populateDecrypter(SAMLMessageContext samlContext) {
    final String encryptionKeyAlias = samlContext.getLocalExtendedMetadata().getEncryptionKey();
    final Credential encryptionCredential = resolveEncryptionCredential(encryptionKeyAlias);

    // Only this one credential is offered to the decrypter; no KeyInfo hints from the message
    // are used to select a key.
    final KeyInfoCredentialResolver keyResolver =
        new StaticKeyInfoCredentialResolver(encryptionCredential);
    final Decrypter decrypter = new Decrypter(null, keyResolver, encryptedKeyResolver);
    // Decrypted content is placed into a fresh document rather than the original DOM.
    decrypter.setRootInNewDocument(true);

    samlContext.setLocalDecrypter(decrypter);
}

/** Returns the key manager credential for {@code alias}, or the default credential when null. */
private Credential resolveEncryptionCredential(String alias) {
    if (alias == null) {
        return keyManager.getDefaultCredential();
    }
    return keyManager.getCredential(alias);
}
/**
 * Chooses the signature trust engine used to verify XML signatures on incoming messages and
 * stores it on the context.
 *
 * <p>The choice is driven by {@code securityProfile} in the local extended metadata:
 * <ul>
 *   <li>{@code "pkix"} (case-insensitive): a {@link PKIXSignatureTrustEngine} that trusts signing
 *       keys chaining to the anchors supplied by {@code pkixResolver};</li>
 *   <li>anything else (the default): an {@link ExplicitKeySignatureTrustEngine} that trusts only
 *       the signing keys published via {@code metadataResolver}.</li>
 * </ul>
 * Both engines read key material from signatures through the global default
 * {@link KeyInfoCredentialResolver}.
 *
 * @param samlContext context whose local signature trust engine is populated
 */
protected void populateTrustEngine(SAMLMessageContext samlContext) {
    final KeyInfoCredentialResolver keyInfoResolver =
        Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
    final String profile = samlContext.getLocalExtendedMetadata().getSecurityProfile();

    final SignatureTrustEngine engine;
    if ("pkix".equalsIgnoreCase(profile)) {
        engine = new PKIXSignatureTrustEngine(pkixResolver, keyInfoResolver);
    } else {
        engine = new ExplicitKeySignatureTrustEngine(metadataResolver, keyInfoResolver);
    }
    samlContext.setLocalTrustEngine(engine);
}