| /* |
| * Copyright 2004,2005 The Apache Software Foundation. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.rahas.impl; |
| |
| import org.apache.axiom.om.OMElement; |
| import org.apache.axiom.om.OMNode; |
| import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl; |
| import org.apache.axiom.soap.SOAPEnvelope; |
| import org.apache.axis2.context.MessageContext; |
| import org.apache.axis2.description.Parameter; |
| import org.apache.rahas.RahasConstants; |
| import org.apache.rahas.RahasData; |
| import org.apache.rahas.Token; |
| import org.apache.rahas.TokenIssuer; |
| import org.apache.rahas.TrustException; |
| import org.apache.rahas.TrustUtil; |
| import org.apache.ws.security.WSConstants; |
| import org.apache.ws.security.WSSecurityException; |
| import org.apache.ws.security.WSUsernameTokenPrincipal; |
| import org.apache.ws.security.components.crypto.Crypto; |
| import org.apache.ws.security.components.crypto.CryptoFactory; |
| import org.apache.ws.security.message.WSSecEncryptedKey; |
| import org.apache.ws.security.util.Base64; |
| import org.apache.ws.security.util.XmlSchemaDateFormat; |
| import org.apache.xml.security.signature.XMLSignature; |
| import org.apache.xml.security.utils.EncryptionConstants; |
| import org.opensaml.SAMLAssertion; |
| import org.opensaml.SAMLAttribute; |
| import org.opensaml.SAMLAttributeStatement; |
| import org.opensaml.SAMLAuthenticationStatement; |
| import org.opensaml.SAMLException; |
| import org.opensaml.SAMLNameIdentifier; |
| import org.opensaml.SAMLStatement; |
| import org.opensaml.SAMLSubject; |
| import org.w3c.dom.Document; |
| import org.w3c.dom.Element; |
| import org.w3c.dom.Node; |
| import org.w3c.dom.Text; |
| |
| import java.security.Principal; |
| import java.security.SecureRandom; |
| import java.security.cert.CertificateEncodingException; |
| import java.security.cert.X509Certificate; |
| import java.text.DateFormat; |
| import java.util.Arrays; |
| import java.util.Date; |
| |
| /** |
| * Issuer to issue SAMl tokens |
| */ |
| public class SAMLTokenIssuer implements TokenIssuer { |
| |
| private String configParamName; |
| private OMElement configElement; |
| private String configFile; |
| |
| public SOAPEnvelope issue(RahasData data) throws TrustException { |
| |
| MessageContext inMsgCtx = data.getInMessageContext(); |
| |
| SAMLTokenIssuerConfig config = null; |
| if (this.configElement != null) { |
| config = SAMLTokenIssuerConfig |
| .load(configElement |
| .getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG)); |
| } |
| |
| //Look for the file |
| if (config == null && this.configFile != null) { |
| config = SAMLTokenIssuerConfig.load(this.configFile); |
| } |
| |
| //Look for the param |
| if (config == null && this.configParamName != null) { |
| Parameter param = inMsgCtx.getParameter(this.configParamName); |
| if (param != null && param.getParameterElement() != null) { |
| config = SAMLTokenIssuerConfig.load(param.getParameterElement() |
| .getFirstChildWithName( |
| SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG)); |
| } else { |
| throw new TrustException("expectedParameterMissing", |
| new String[]{this.configParamName}); |
| } |
| } |
| |
| if (config == null) { |
| throw new TrustException("configurationIsNull"); |
| } |
| |
| //Set the DOM impl to DOOM |
| DocumentBuilderFactoryImpl.setDOOMRequired(true); |
| |
| SOAPEnvelope env = |
| TrustUtil. |
| createSOAPEnvelope(inMsgCtx.getEnvelope().getNamespace().getNamespaceURI()); |
| |
| Crypto crypto; |
| if (config.cryptoPropertiesElement != null) { // crypto props defined as elements |
| crypto = CryptoFactory.getInstance(TrustUtil.toProperties(config.cryptoPropertiesElement), |
| inMsgCtx.getAxisService().getClassLoader()); |
| } else { // crypto props defined in a properties file |
| crypto = CryptoFactory.getInstance(config.cryptoPropertiesFile, |
| inMsgCtx.getAxisService().getClassLoader()); |
| } |
| |
| //Creation and expiration times |
| Date creationTime = new Date(); |
| Date expirationTime = new Date(); |
| expirationTime.setTime(creationTime.getTime() + config.ttl); |
| |
| // Get the document |
| Document doc = ((Element) env).getOwnerDocument(); |
| |
| //Get the key size and create a new byte array of that size |
| int keySize = data.getKeysize(); |
| |
| keySize = (keySize == -1) ? config.keySize : keySize; |
| |
| /* |
| * Find the KeyType |
| * If the KeyType is SymmetricKey or PublicKey, issue a SAML HoK |
| * assertion. |
| * - In the case of the PublicKey, in coming security header |
| * MUST contain a certificate (maybe via signature) |
| * |
| * If the KeyType is Bearer then issue a Bearer assertion |
| * |
| * If the key type is missing we will issue a HoK asserstion |
| */ |
| |
| String keyType = data.getKeyType(); |
| SAMLAssertion assertion; |
| if (keyType == null) { |
| throw new TrustException(TrustException.INVALID_REQUEST, |
| new String[]{"Requested KeyType is missing"}); |
| } |
| |
| if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) || |
| keyType.endsWith(RahasConstants.KEY_TYPE_PUBLIC_KEY)) { |
| assertion = createHoKAssertion(config, doc, crypto, creationTime, expirationTime, data); |
| } else if (keyType.endsWith(RahasConstants.KEY_TYPE_BEARER)) { |
| assertion = createBearerAssertion(config, doc, crypto, creationTime, expirationTime, data); |
| } else { |
| throw new TrustException("unsupportedKeyType"); |
| } |
| |
| OMElement rstrElem; |
| int wstVersion = data.getVersion(); |
| if (RahasConstants.VERSION_05_02 == wstVersion) { |
| rstrElem = |
| TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody()); |
| } else { |
| OMElement rstrcElem = |
| TrustUtil.createRequestSecurityTokenResponseCollectionElement(wstVersion, |
| env.getBody()); |
| rstrElem = TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, rstrcElem); |
| } |
| |
| TrustUtil.createTokenTypeElement(wstVersion, |
| rstrElem).setText(RahasConstants.TOK_TYPE_SAML_10); |
| |
| if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) { |
| TrustUtil.createKeySizeElement(wstVersion, rstrElem, keySize); |
| } |
| |
| if (config.addRequestedAttachedRef) { |
| TrustUtil.createRequestedAttachedRef(wstVersion, |
| rstrElem, |
| "#" + assertion.getId(), |
| RahasConstants.TOK_TYPE_SAML_10); |
| } |
| |
| if (config.addRequestedUnattachedRef) { |
| TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem, assertion.getId(), |
| RahasConstants.TOK_TYPE_SAML_10); |
| } |
| |
| if (data.getAppliesToAddress() != null) { |
| TrustUtil.createAppliesToElement(rstrElem, data |
| .getAppliesToAddress(), data.getAddressingNs()); |
| } |
| |
| // Use GMT time in milliseconds |
| DateFormat zulu = new XmlSchemaDateFormat(); |
| |
| // Add the Lifetime element |
| TrustUtil.createLifetimeElement(wstVersion, rstrElem, zulu |
| .format(creationTime), zulu.format(expirationTime)); |
| |
| //Create the RequestedSecurityToken element and add the SAML token to it |
| OMElement reqSecTokenElem = TrustUtil |
| .createRequestedSecurityTokenElement(wstVersion, rstrElem); |
| Token assertionToken; |
| try { |
| Node tempNode = assertion.toDOM(); |
| reqSecTokenElem. |
| addChild((OMNode) ((Element) rstrElem).getOwnerDocument().importNode(tempNode, |
| true)); |
| |
| // Store the token |
| assertionToken = new Token(assertion.getId(), |
| (OMElement) assertion.toDOM(), |
| creationTime, |
| expirationTime); |
| |
| // At this point we definitely have the secret |
| // Otherwise it should fail with an exception earlier |
| assertionToken.setSecret(data.getEphmeralKey()); |
| TrustUtil.getTokenStore(inMsgCtx).add(assertionToken); |
| |
| } catch (SAMLException e) { |
| throw new TrustException("samlConverstionError", e); |
| } |
| |
| if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) && |
| config.keyComputation != SAMLTokenIssuerConfig.KeyComputation.KEY_COMP_USE_REQ_ENT) { |
| |
| //Add the RequestedProofToken |
| TokenIssuerUtil.handleRequestedProofToken(data, |
| wstVersion, |
| config, |
| rstrElem, |
| assertionToken, |
| doc); |
| } |
| |
| // Unset the DOM impl to default |
| DocumentBuilderFactoryImpl.setDOOMRequired(false); |
| |
| return env; |
| } |
| |
| |
| private SAMLAssertion createBearerAssertion(SAMLTokenIssuerConfig config, |
| Document doc, |
| Crypto crypto, |
| Date creationTime, |
| Date expirationTime, |
| RahasData data) throws TrustException { |
| try { |
| Principal principal = data.getPrincipal(); |
| // In the case where the principal is a UT |
| if (principal instanceof WSUsernameTokenPrincipal) { |
| // TODO: Find the email address |
| String subjectNameId = "ruchithf@apache.org"; |
| SAMLNameIdentifier nameId = new SAMLNameIdentifier( |
| subjectNameId, null, SAMLNameIdentifier.FORMAT_EMAIL); |
| return createAuthAssertion(doc, SAMLSubject.CONF_BEARER, |
| nameId, null, config, crypto, creationTime, |
| expirationTime); |
| } else { |
| throw new TrustException("samlUnsupportedPrincipal", |
| new String[]{principal.getClass().getName()}); |
| } |
| } catch (SAMLException e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| |
| private SAMLAssertion createHoKAssertion(SAMLTokenIssuerConfig config, |
| Document doc, |
| Crypto crypto, |
| Date creationTime, |
| Date expirationTime, |
| RahasData data) throws TrustException { |
| |
| |
| if (data.getKeyType().endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) { |
| Element encryptedKeyElem; |
| X509Certificate serviceCert = null; |
| try { |
| |
| //Get ApliesTo to figureout which service to issue the token for |
| serviceCert = getServiceCert(config, |
| crypto, |
| data.getAppliesToAddress()); |
| |
| //Ceate the encrypted key |
| WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey(); |
| |
| //Use thumbprint id |
| encrKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER); |
| |
| //SEt the encryption cert |
| encrKeyBuilder.setUseThisCert(serviceCert); |
| |
| //set keysize |
| int keysize = data.getKeysize(); |
| keysize = (keysize != -1) ? keysize : config.keySize; |
| encrKeyBuilder.setKeySize(keysize); |
| |
| encrKeyBuilder. |
| setEphemeralKey(TokenIssuerUtil.getSharedSecret(data, |
| config.keyComputation, |
| keysize)); |
| |
| //Set key encryption algo |
| encrKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); |
| |
| //Build |
| encrKeyBuilder.prepare(doc, crypto); |
| |
| //Extract the base64 encoded secret value |
| byte[] tempKey = new byte[keysize / 8]; |
| System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, tempKey, 0, keysize / 8); |
| |
| data.setEphmeralKey(tempKey); |
| |
| //Extract the Encryptedkey DOM element |
| encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement(); |
| } catch (WSSecurityException e) { |
| throw new TrustException("errorInBuildingTheEncryptedKeyForPrincipal", |
| new String[]{serviceCert.getSubjectDN().getName()}, e); |
| } |
| return this.createAttributeAssertion(doc, encryptedKeyElem, |
| config, crypto, creationTime, expirationTime); |
| } else { |
| try { |
| String subjectNameId = data.getPrincipal().getName(); |
| SAMLNameIdentifier nameId = new SAMLNameIdentifier(subjectNameId, |
| null, |
| SAMLNameIdentifier.FORMAT_EMAIL); |
| |
| //Create the ds:KeyValue element with the ds:X509Data |
| byte[] clientCertBytes = data.getClientCert().getEncoded(); |
| String base64Cert = Base64.encode(clientCertBytes); |
| |
| Text base64CertText = doc.createTextNode(base64Cert); |
| Element x509CertElem = doc.createElementNS(WSConstants.SIG_NS, "X509Certificate"); |
| x509CertElem.appendChild(base64CertText); |
| Element x509DataElem = doc.createElementNS(WSConstants.SIG_NS, "X509Data"); |
| x509DataElem.appendChild(x509CertElem); |
| Element keyValueElem = doc.createElementNS(WSConstants.SIG_NS, "KeyValue"); |
| keyValueElem.appendChild(x509DataElem); |
| |
| return this.createAuthAssertion(doc, |
| SAMLSubject.CONF_HOLDER_KEY, |
| nameId, |
| keyValueElem, |
| config, |
| crypto, |
| creationTime, |
| expirationTime); |
| } catch (SAMLException e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } catch (CertificateEncodingException e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| } |
| |
| /** |
| * Uses the <code>wst:AppliesTo</code> to figure out the certificate to |
| * encrypt the secret in the SAML token |
| * |
| * @param config |
| * @param crypto |
| * @param serviceAddress The address of the service |
| * @return |
| * @throws WSSecurityException |
| */ |
| private X509Certificate getServiceCert(SAMLTokenIssuerConfig config, |
| Crypto crypto, |
| String serviceAddress) throws WSSecurityException { |
| |
| if (serviceAddress != null && !"".equals(serviceAddress)) { |
| String alias = (String) config.trustedServices.get(serviceAddress); |
| if (alias != null) { |
| return crypto.getCertificates(alias)[0]; |
| } else { |
| alias = (String) config.trustedServices.get("*"); |
| return crypto.getCertificates(alias)[0]; |
| } |
| } else { |
| String alias = (String) config.trustedServices.get("*"); |
| return crypto.getCertificates(alias)[0]; |
| } |
| |
| } |
| |
| /** |
| * Create the SAML assertion with the secret held in an |
| * <code>xenc:EncryptedKey</code> |
| * |
| * @param doc |
| * @param keyInfoContent |
| * @param config |
| * @param crypto |
| * @param notBefore |
| * @param notAfter |
| * @return |
| * @throws TrustException |
| */ |
| private SAMLAssertion createAttributeAssertion(Document doc, |
| Element keyInfoContent, |
| SAMLTokenIssuerConfig config, |
| Crypto crypto, |
| Date notBefore, |
| Date notAfter) throws TrustException { |
| try { |
| String[] confirmationMethods = new String[]{SAMLSubject.CONF_HOLDER_KEY}; |
| |
| Element keyInfoElem = doc.createElementNS(WSConstants.SIG_NS, "KeyInfo"); |
| ((OMElement) keyInfoContent).declareNamespace(WSConstants.SIG_NS, WSConstants.SIG_PREFIX); |
| ((OMElement) keyInfoContent).declareNamespace(WSConstants.ENC_NS, WSConstants.ENC_PREFIX); |
| |
| keyInfoElem.appendChild(keyInfoContent); |
| |
| SAMLSubject subject = new SAMLSubject(null, |
| Arrays.asList(confirmationMethods), |
| null, |
| keyInfoElem); |
| |
| SAMLAttribute attribute = new SAMLAttribute("Name", |
| "https://rahas.apache.org/saml/attrns", |
| null, |
| -1, |
| Arrays.asList(new String[]{"Colombo/Rahas"})); |
| SAMLAttributeStatement attrStmt = new SAMLAttributeStatement( |
| subject, Arrays.asList(new SAMLAttribute[]{attribute})); |
| |
| SAMLStatement[] statements = {attrStmt}; |
| |
| SAMLAssertion assertion = new SAMLAssertion(config.issuerName, |
| notBefore, |
| notAfter, |
| null, |
| null, |
| Arrays.asList(statements)); |
| |
| //sign the assertion |
| X509Certificate[] issuerCerts = |
| crypto.getCertificates(config.issuerKeyAlias); |
| |
| String sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA; |
| String pubKeyAlgo = |
| issuerCerts[0].getPublicKey().getAlgorithm(); |
| if (pubKeyAlgo.equalsIgnoreCase("DSA")) { |
| sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA; |
| } |
| java.security.Key issuerPK = |
| crypto.getPrivateKey(config.issuerKeyAlias, |
| config.issuerKeyPassword); |
| assertion.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts)); |
| |
| |
| return assertion; |
| } catch (Exception e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| |
| /** |
| * @param doc |
| * @param confMethod |
| * @param subjectNameId |
| * @param keyInfoContent |
| * @param config |
| * @param crypto |
| * @param notBefore |
| * @param notAfter |
| * @return |
| * @throws TrustException |
| */ |
| private SAMLAssertion createAuthAssertion(Document doc, |
| String confMethod, |
| SAMLNameIdentifier subjectNameId, |
| Element keyInfoContent, |
| SAMLTokenIssuerConfig config, |
| Crypto crypto, |
| Date notBefore, |
| Date notAfter) throws TrustException { |
| try { |
| String[] confirmationMethods = new String[]{confMethod}; |
| |
| Element keyInfoElem = null; |
| if (keyInfoContent != null) { |
| keyInfoElem = doc.createElementNS(WSConstants.SIG_NS, "KeyInfo"); |
| ((OMElement) keyInfoContent).declareNamespace(WSConstants.SIG_NS, |
| WSConstants.SIG_PREFIX); |
| ((OMElement) keyInfoContent).declareNamespace(WSConstants.ENC_NS, |
| WSConstants.ENC_PREFIX); |
| |
| keyInfoElem.appendChild(keyInfoContent); |
| } |
| |
| SAMLSubject subject = new SAMLSubject(subjectNameId, |
| Arrays.asList(confirmationMethods), |
| null, |
| keyInfoElem); |
| |
| SAMLAuthenticationStatement authStmt = |
| new SAMLAuthenticationStatement(subject, |
| SAMLAuthenticationStatement. |
| AuthenticationMethod_Password, |
| notBefore, |
| null, null, null); |
| SAMLStatement[] statements = {authStmt}; |
| |
| SAMLAssertion assertion = new SAMLAssertion(config.issuerName, |
| notBefore, |
| notAfter, null, null, |
| Arrays.asList(statements)); |
| |
| //sign the assertion |
| X509Certificate[] issuerCerts = |
| crypto.getCertificates(config.issuerKeyAlias); |
| |
| String sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA; |
| String pubKeyAlgo = |
| issuerCerts[0].getPublicKey().getAlgorithm(); |
| if (pubKeyAlgo.equalsIgnoreCase("DSA")) { |
| sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA; |
| } |
| java.security.Key issuerPK = |
| crypto.getPrivateKey(config.issuerKeyAlias, |
| config.issuerKeyPassword); |
| assertion.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts)); |
| |
| |
| return assertion; |
| } catch (Exception e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| |
| |
| /* |
| * (non-Javadoc) |
| * |
| * @see org.apache.rahas.TokenIssuer#getResponseAction(org.apache.axiom.om.OMElement, |
| * org.apache.axis2.context.MessageContext) |
| */ |
| public String getResponseAction(RahasData data) throws TrustException { |
| return TrustUtil.getActionValue(data.getVersion(), RahasConstants.RSTR_ACTION_ISSUE); |
| } |
| |
| |
| /** |
| * Create an ephemeral key |
| * |
| * @return The generated key as a byte array |
| * @throws TrustException |
| */ |
| protected byte[] generateEphemeralKey(int keySize) throws TrustException { |
| try { |
| SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); |
| byte[] temp = new byte[keySize / 8]; |
| random.nextBytes(temp); |
| return temp; |
| } catch (Exception e) { |
| throw new TrustException( |
| "Error in creating the ephemeral key", e); |
| } |
| } |
| |
| /* |
| * (non-Javadoc) |
| * |
| * @see org.apache.rahas.TokenIssuer#setConfigurationFile(java.lang.String) |
| */ |
| public void setConfigurationFile(String configFile) { |
| // TODO TODO SAMLTokenIssuer setConfigurationFile |
| |
| } |
| |
| /* |
| * (non-Javadoc) |
| * |
| * @see org.apache.rahas.TokenIssuer#setConfigurationElement(org.apache.axiom.om.OMElement) |
| */ |
| public void setConfigurationElement(OMElement configElement) { |
| // TODO TODO SAMLTokenIssuer setConfigurationElement |
| } |
| |
| /* |
| * (non-Javadoc) |
| * |
| * @see org.apache.rahas.TokenIssuer#setConfigurationParamName(java.lang.String) |
| */ |
| public void setConfigurationParamName(String configParamName) { |
| this.configParamName = configParamName; |
| } |
| |
| } |
