| /* |
| * Copyright 2004,2005 The Apache Software Foundation. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.rahas.impl; |
| |
| import java.security.Principal; |
| import java.security.SecureRandom; |
| import java.security.cert.X509Certificate; |
| import java.text.DateFormat; |
| import java.util.Arrays; |
| import java.util.Date; |
| |
| import org.apache.axiom.om.OMElement; |
| import org.apache.axiom.om.OMNode; |
| import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl; |
| import org.apache.axiom.soap.SOAPEnvelope; |
| import org.apache.axis2.context.MessageContext; |
| import org.apache.axis2.description.Parameter; |
| import org.apache.rahas.RahasConstants; |
| import org.apache.rahas.RahasData; |
| import org.apache.rahas.Token; |
| import org.apache.rahas.TokenIssuer; |
| import org.apache.rahas.TrustException; |
| import org.apache.rahas.TrustUtil; |
| import org.apache.rahas.impl.util.SAMLAttributeCallback; |
| import org.apache.rahas.impl.util.SAMLCallbackHandler; |
| import org.apache.rahas.impl.util.SAMLNameIdentifierCallback; |
| import org.apache.ws.security.WSConstants; |
| import org.apache.ws.security.WSSecurityException; |
| import org.apache.ws.security.WSUsernameTokenPrincipal; |
| import org.apache.ws.security.components.crypto.Crypto; |
| import org.apache.ws.security.components.crypto.CryptoFactory; |
| import org.apache.ws.security.message.WSSecEncryptedKey; |
| import org.apache.ws.security.util.Base64; |
| import org.apache.ws.security.util.XmlSchemaDateFormat; |
| import org.apache.xml.security.signature.XMLSignature; |
| import org.apache.xml.security.utils.EncryptionConstants; |
| import org.opensaml.SAMLAssertion; |
| import org.opensaml.SAMLAttribute; |
| import org.opensaml.SAMLAttributeStatement; |
| import org.opensaml.SAMLAuthenticationStatement; |
| import org.opensaml.SAMLException; |
| import org.opensaml.SAMLNameIdentifier; |
| import org.opensaml.SAMLStatement; |
| import org.opensaml.SAMLSubject; |
| import org.w3c.dom.Document; |
| import org.w3c.dom.Element; |
| import org.w3c.dom.Node; |
| import org.w3c.dom.Text; |
| |
| /** |
| * Issuer to issue SAMl tokens |
| */ |
| public class SAMLTokenIssuer implements TokenIssuer { |
| |
| private String configParamName; |
| |
| private OMElement configElement; |
| |
| private String configFile; |
| |
| public SOAPEnvelope issue(RahasData data) throws TrustException { |
| |
| try { |
| MessageContext inMsgCtx = data.getInMessageContext(); |
| |
| SAMLTokenIssuerConfig config = null; |
| if (this.configElement != null) { |
| config = new SAMLTokenIssuerConfig(configElement |
| .getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG)); |
| } |
| |
| // Look for the file |
| if (config == null && this.configFile != null) { |
| config = new SAMLTokenIssuerConfig(this.configFile); |
| } |
| |
| // Look for the param |
| if (config == null && this.configParamName != null) { |
| Parameter param = inMsgCtx.getParameter(this.configParamName); |
| if (param != null && param.getParameterElement() != null) { |
| config = new SAMLTokenIssuerConfig(param |
| .getParameterElement().getFirstChildWithName( |
| SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG)); |
| } else { |
| throw new TrustException("expectedParameterMissing", |
| new String[] { this.configParamName }); |
| } |
| } |
| |
| if (config == null) { |
| throw new TrustException("configurationIsNull"); |
| } |
| |
| // Set the DOM impl to DOOM |
| DocumentBuilderFactoryImpl.setDOOMRequired(true); |
| |
| SOAPEnvelope env = TrustUtil.createSOAPEnvelope(inMsgCtx |
| .getEnvelope().getNamespace().getNamespaceURI()); |
| |
| Crypto crypto; |
| if (config.cryptoElement != null) { // crypto props |
| // defined as |
| // elements |
| crypto = CryptoFactory.getInstance(TrustUtil |
| .toProperties(config.cryptoElement), inMsgCtx |
| .getAxisService().getClassLoader()); |
| } else { // crypto props defined in a properties file |
| crypto = CryptoFactory.getInstance(config.cryptoPropertiesFile, |
| inMsgCtx.getAxisService().getClassLoader()); |
| } |
| |
| // Creation and expiration times |
| Date creationTime = new Date(); |
| Date expirationTime = new Date(); |
| expirationTime.setTime(creationTime.getTime() + config.ttl); |
| |
| // Get the document |
| Document doc = ((Element) env).getOwnerDocument(); |
| |
| // Get the key size and create a new byte array of that size |
| int keySize = data.getKeysize(); |
| |
| keySize = (keySize == -1) ? config.keySize : keySize; |
| |
| /* |
| * Find the KeyType If the KeyType is SymmetricKey or PublicKey, |
| * issue a SAML HoK assertion. - In the case of the PublicKey, in |
| * coming security header MUST contain a certificate (maybe via |
| * signature) |
| * |
| * If the KeyType is Bearer then issue a Bearer assertion |
| * |
| * If the key type is missing we will issue a HoK assertion |
| */ |
| |
| String keyType = data.getKeyType(); |
| SAMLAssertion assertion; |
| if (keyType == null) { |
| throw new TrustException(TrustException.INVALID_REQUEST, |
| new String[] { "Requested KeyType is missing" }); |
| } |
| |
| if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) |
| || keyType.endsWith(RahasConstants.KEY_TYPE_PUBLIC_KEY)) { |
| assertion = createHoKAssertion(config, doc, crypto, |
| creationTime, expirationTime, data); |
| } else if (keyType.endsWith(RahasConstants.KEY_TYPE_BEARER)) { |
| assertion = createBearerAssertion(config, doc, crypto, |
| creationTime, expirationTime, data); |
| } else { |
| throw new TrustException("unsupportedKeyType"); |
| } |
| |
| OMElement rstrElem; |
| int wstVersion = data.getVersion(); |
| if (RahasConstants.VERSION_05_02 == wstVersion) { |
| rstrElem = TrustUtil.createRequestSecurityTokenResponseElement( |
| wstVersion, env.getBody()); |
| } else { |
| OMElement rstrcElem = TrustUtil |
| .createRequestSecurityTokenResponseCollectionElement( |
| wstVersion, env.getBody()); |
| rstrElem = TrustUtil.createRequestSecurityTokenResponseElement( |
| wstVersion, rstrcElem); |
| } |
| |
| TrustUtil.createTokenTypeElement(wstVersion, rstrElem).setText( |
| RahasConstants.TOK_TYPE_SAML_10); |
| |
| if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) { |
| TrustUtil.createKeySizeElement(wstVersion, rstrElem, keySize); |
| } |
| |
| if (config.addRequestedAttachedRef) { |
| TrustUtil.createRequestedAttachedRef(wstVersion, rstrElem, "#" |
| + assertion.getId(), RahasConstants.TOK_TYPE_SAML_10); |
| } |
| |
| if (config.addRequestedUnattachedRef) { |
| TrustUtil.createRequestedUnattachedRef(wstVersion, rstrElem, |
| assertion.getId(), RahasConstants.TOK_TYPE_SAML_10); |
| } |
| |
| if (data.getAppliesToAddress() != null) { |
| TrustUtil.createAppliesToElement(rstrElem, data |
| .getAppliesToAddress(), data.getAddressingNs()); |
| } |
| |
| // Use GMT time in milliseconds |
| DateFormat zulu = new XmlSchemaDateFormat(); |
| |
| // Add the Lifetime element |
| TrustUtil.createLifetimeElement(wstVersion, rstrElem, zulu |
| .format(creationTime), zulu.format(expirationTime)); |
| |
| // Create the RequestedSecurityToken element and add the SAML token |
| // to it |
| OMElement reqSecTokenElem = TrustUtil |
| .createRequestedSecurityTokenElement(wstVersion, rstrElem); |
| Token assertionToken; |
| try { |
| Node tempNode = assertion.toDOM(); |
| reqSecTokenElem.addChild((OMNode) ((Element) rstrElem) |
| .getOwnerDocument().importNode(tempNode, true)); |
| |
| // Store the token |
| assertionToken = new Token(assertion.getId(), |
| (OMElement) assertion.toDOM(), creationTime, |
| expirationTime); |
| |
| // At this point we definitely have the secret |
| // Otherwise it should fail with an exception earlier |
| assertionToken.setSecret(data.getEphmeralKey()); |
| TrustUtil.getTokenStore(inMsgCtx).add(assertionToken); |
| |
| } catch (SAMLException e) { |
| throw new TrustException("samlConverstionError", e); |
| } |
| |
| if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) |
| && config.keyComputation != SAMLTokenIssuerConfig.KeyComputation.KEY_COMP_USE_REQ_ENT) { |
| |
| // Add the RequestedProofToken |
| TokenIssuerUtil.handleRequestedProofToken(data, wstVersion, |
| config, rstrElem, assertionToken, doc); |
| } |
| |
| return env; |
| } finally { |
| // Unset the DOM impl to default |
| DocumentBuilderFactoryImpl.setDOOMRequired(false); |
| } |
| |
| } |
| |
| private SAMLAssertion createBearerAssertion(SAMLTokenIssuerConfig config, |
| Document doc, Crypto crypto, Date creationTime, |
| Date expirationTime, RahasData data) throws TrustException { |
| try { |
| Principal principal = data.getPrincipal(); |
| // In the case where the principal is a UT |
| if (principal instanceof WSUsernameTokenPrincipal) { |
| SAMLNameIdentifier nameId = null; |
| if(config.getCallbackHander() != null){ |
| SAMLNameIdentifierCallback cb = new SAMLNameIdentifierCallback(data); |
| cb.setUserId(principal.getName()); |
| SAMLCallbackHandler callbackHandler = config.getCallbackHander(); |
| callbackHandler.handle(cb); |
| nameId = cb.getNameId(); |
| }else{ |
| nameId = new SAMLNameIdentifier( |
| principal.getName(), null, SAMLNameIdentifier.FORMAT_EMAIL); |
| } |
| |
| return createAuthAssertion(doc, SAMLSubject.CONF_BEARER, |
| nameId, null, config, crypto, creationTime, |
| expirationTime); |
| } else { |
| throw new TrustException("samlUnsupportedPrincipal", |
| new String[] { principal.getClass().getName() }); |
| } |
| } catch (SAMLException e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| |
| private SAMLAssertion createHoKAssertion(SAMLTokenIssuerConfig config, |
| Document doc, Crypto crypto, Date creationTime, |
| Date expirationTime, RahasData data) throws TrustException { |
| |
| if (data.getKeyType().endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) { |
| Element encryptedKeyElem; |
| X509Certificate serviceCert = null; |
| try { |
| |
| // Get ApliesTo to figure out which service to issue the token |
| // for |
| serviceCert = getServiceCert(config, crypto, data |
| .getAppliesToAddress()); |
| |
| // Create the encrypted key |
| WSSecEncryptedKey encrKeyBuilder = new WSSecEncryptedKey(); |
| |
| // Use thumbprint id |
| encrKeyBuilder |
| .setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER); |
| |
| // SEt the encryption cert |
| encrKeyBuilder.setUseThisCert(serviceCert); |
| |
| // set keysize |
| int keysize = data.getKeysize(); |
| keysize = (keysize != -1) ? keysize : config.keySize; |
| encrKeyBuilder.setKeySize(keysize); |
| |
| encrKeyBuilder.setEphemeralKey(TokenIssuerUtil.getSharedSecret( |
| data, config.keyComputation, keysize)); |
| |
| // Set key encryption algo |
| encrKeyBuilder |
| .setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); |
| |
| // Build |
| encrKeyBuilder.prepare(doc, crypto); |
| |
| // Extract the base64 encoded secret value |
| byte[] tempKey = new byte[keysize / 8]; |
| System.arraycopy(encrKeyBuilder.getEphemeralKey(), 0, tempKey, |
| 0, keysize / 8); |
| |
| data.setEphmeralKey(tempKey); |
| |
| // Extract the Encryptedkey DOM element |
| encryptedKeyElem = encrKeyBuilder.getEncryptedKeyElement(); |
| } catch (WSSecurityException e) { |
| throw new TrustException( |
| "errorInBuildingTheEncryptedKeyForPrincipal", |
| new String[] { serviceCert.getSubjectDN().getName() }, |
| e); |
| } |
| return this.createAttributeAssertion(doc, data ,encryptedKeyElem, config, |
| crypto, creationTime, expirationTime); |
| } else { |
| try { |
| String subjectNameId = data.getPrincipal().getName(); |
| |
| SAMLNameIdentifier nameId = new SAMLNameIdentifier( |
| subjectNameId, null, SAMLNameIdentifier.FORMAT_EMAIL); |
| |
| // Create the ds:KeyValue element with the ds:X509Data |
| X509Certificate clientCert = data.getClientCert(); |
| |
| if(clientCert == null) { |
| X509Certificate[] certs = crypto.getCertificates( |
| data.getPrincipal().getName()); |
| clientCert = certs[0]; |
| } |
| |
| byte[] clientCertBytes = clientCert.getEncoded(); |
| |
| String base64Cert = Base64.encode(clientCertBytes); |
| |
| Text base64CertText = doc.createTextNode(base64Cert); |
| Element x509CertElem = doc.createElementNS(WSConstants.SIG_NS, |
| "X509Certificate"); |
| x509CertElem.appendChild(base64CertText); |
| Element x509DataElem = doc.createElementNS(WSConstants.SIG_NS, |
| "X509Data"); |
| x509DataElem.appendChild(x509CertElem); |
| |
| return this.createAuthAssertion(doc, |
| SAMLSubject.CONF_HOLDER_KEY, nameId, x509DataElem, |
| config, crypto, creationTime, expirationTime); |
| } catch (Exception e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| } |
| |
| /** |
| * Uses the <code>wst:AppliesTo</code> to figure out the certificate to |
| * encrypt the secret in the SAML token |
| * |
| * @param config |
| * @param crypto |
| * @param serviceAddress |
| * The address of the service |
| * @return |
| * @throws WSSecurityException |
| */ |
| private X509Certificate getServiceCert(SAMLTokenIssuerConfig config, |
| Crypto crypto, String serviceAddress) throws WSSecurityException { |
| |
| if (serviceAddress != null && !"".equals(serviceAddress)) { |
| String alias = (String) config.trustedServices.get(serviceAddress); |
| if (alias != null) { |
| return crypto.getCertificates(alias)[0]; |
| } else { |
| alias = (String) config.trustedServices.get("*"); |
| return crypto.getCertificates(alias)[0]; |
| } |
| } else { |
| String alias = (String) config.trustedServices.get("*"); |
| return crypto.getCertificates(alias)[0]; |
| } |
| |
| } |
| |
| /** |
| * Create the SAML assertion with the secret held in an |
| * <code>xenc:EncryptedKey</code> |
| * |
| * @param doc |
| * @param keyInfoContent |
| * @param config |
| * @param crypto |
| * @param notBefore |
| * @param notAfter |
| * @return |
| * @throws TrustException |
| */ |
| private SAMLAssertion createAttributeAssertion(Document doc, RahasData data, |
| Element keyInfoContent, SAMLTokenIssuerConfig config, |
| Crypto crypto, Date notBefore, Date notAfter) throws TrustException { |
| try { |
| String[] confirmationMethods = new String[] { SAMLSubject.CONF_HOLDER_KEY }; |
| |
| Element keyInfoElem = doc.createElementNS(WSConstants.SIG_NS, |
| "KeyInfo"); |
| ((OMElement) keyInfoContent).declareNamespace(WSConstants.SIG_NS, |
| WSConstants.SIG_PREFIX); |
| ((OMElement) keyInfoContent).declareNamespace(WSConstants.ENC_NS, |
| WSConstants.ENC_PREFIX); |
| |
| keyInfoElem.appendChild(keyInfoContent); |
| |
| SAMLSubject subject = new SAMLSubject(null, Arrays |
| .asList(confirmationMethods), null, keyInfoElem); |
| |
| |
| SAMLAttribute[] attrs = null; |
| if(config.getCallbackHander() != null){ |
| SAMLAttributeCallback cb = new SAMLAttributeCallback(data); |
| SAMLCallbackHandler handler = config.getCallbackHander(); |
| handler.handle(cb); |
| attrs = cb.getAttributes(); |
| }else{ |
| //TODO Remove this after discussing |
| SAMLAttribute attribute = new SAMLAttribute("Name", |
| "https://rahas.apache.org/saml/attrns", null, -1, Arrays |
| .asList(new String[] { "Colombo/Rahas" })); |
| attrs = new SAMLAttribute[]{attribute}; |
| } |
| |
| SAMLAttributeStatement attrStmt = new SAMLAttributeStatement( |
| subject, Arrays.asList(attrs )); |
| |
| SAMLStatement[] statements = { attrStmt }; |
| |
| SAMLAssertion assertion = new SAMLAssertion(config.issuerName, |
| notBefore, notAfter, null, null, Arrays.asList(statements)); |
| |
| // sign the assertion |
| X509Certificate[] issuerCerts = crypto |
| .getCertificates(config.issuerKeyAlias); |
| |
| String sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA; |
| String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm(); |
| if (pubKeyAlgo.equalsIgnoreCase("DSA")) { |
| sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA; |
| } |
| java.security.Key issuerPK = crypto.getPrivateKey( |
| config.issuerKeyAlias, config.issuerKeyPassword); |
| assertion.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts)); |
| |
| return assertion; |
| } catch (Exception e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| |
| /** |
| * @param doc |
| * @param confMethod |
| * @param subjectNameId |
| * @param keyInfoContent |
| * @param config |
| * @param crypto |
| * @param notBefore |
| * @param notAfter |
| * @return |
| * @throws TrustException |
| */ |
| private SAMLAssertion createAuthAssertion(Document doc, String confMethod, |
| SAMLNameIdentifier subjectNameId, Element keyInfoContent, |
| SAMLTokenIssuerConfig config, Crypto crypto, Date notBefore, |
| Date notAfter) throws TrustException { |
| try { |
| String[] confirmationMethods = new String[] { confMethod }; |
| |
| Element keyInfoElem = null; |
| if (keyInfoContent != null) { |
| keyInfoElem = doc |
| .createElementNS(WSConstants.SIG_NS, "KeyInfo"); |
| ((OMElement) keyInfoContent).declareNamespace( |
| WSConstants.SIG_NS, WSConstants.SIG_PREFIX); |
| ((OMElement) keyInfoContent).declareNamespace( |
| WSConstants.ENC_NS, WSConstants.ENC_PREFIX); |
| |
| keyInfoElem.appendChild(keyInfoContent); |
| } |
| |
| SAMLSubject subject = new SAMLSubject(subjectNameId, Arrays |
| .asList(confirmationMethods), null, keyInfoElem); |
| |
| SAMLAuthenticationStatement authStmt = new SAMLAuthenticationStatement( |
| subject, |
| SAMLAuthenticationStatement.AuthenticationMethod_Password, |
| notBefore, null, null, null); |
| SAMLStatement[] statements = { authStmt }; |
| |
| SAMLAssertion assertion = new SAMLAssertion(config.issuerName, |
| notBefore, notAfter, null, null, Arrays.asList(statements)); |
| |
| // sign the assertion |
| X509Certificate[] issuerCerts = crypto |
| .getCertificates(config.issuerKeyAlias); |
| |
| String sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA; |
| String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm(); |
| if (pubKeyAlgo.equalsIgnoreCase("DSA")) { |
| sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA; |
| } |
| java.security.Key issuerPK = crypto.getPrivateKey( |
| config.issuerKeyAlias, config.issuerKeyPassword); |
| assertion.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts)); |
| |
| return assertion; |
| } catch (Exception e) { |
| throw new TrustException("samlAssertionCreationError", e); |
| } |
| } |
| |
| /** |
| * {@inheritDoc} |
| */ |
| public String getResponseAction(RahasData data) throws TrustException { |
| return TrustUtil.getActionValue(data.getVersion(), |
| RahasConstants.RSTR_ACTION_ISSUE); |
| } |
| |
| /** |
| * Create an ephemeral key |
| * |
| * @return The generated key as a byte array |
| * @throws TrustException |
| */ |
| protected byte[] generateEphemeralKey(int keySize) throws TrustException { |
| try { |
| SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); |
| byte[] temp = new byte[keySize / 8]; |
| random.nextBytes(temp); |
| return temp; |
| } catch (Exception e) { |
| throw new TrustException("Error in creating the ephemeral key", e); |
| } |
| } |
| |
| /** |
| * {@inheritDoc} |
| */ |
| public void setConfigurationFile(String configFile) { |
| this.configFile = configFile; |
| |
| } |
| |
| /** |
| * {@inheritDoc} |
| */ |
| public void setConfigurationElement(OMElement configElement) { |
| this.configElement = configElement; |
| } |
| |
| /** |
| * {@inheritDoc} |
| */ |
| public void setConfigurationParamName(String configParamName) { |
| this.configParamName = configParamName; |
| } |
| |
| } |
