Josh Cummings
parent
87cd1d73df
commit
56928f61f0
|
|
@ -0,0 +1,200 @@
|
|||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.saml2.core;
|
||||
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Objects;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import static java.util.Arrays.asList;
|
||||
import static org.springframework.util.Assert.notEmpty;
|
||||
import static org.springframework.util.Assert.notNull;
|
||||
import static org.springframework.util.Assert.state;
|
||||
|
||||
/**
|
||||
* An object for holding a public certificate, any associated private key, and its intended
|
||||
* <a href="https://www.oasis-open.org/committees/download.php/8958/sstc-saml-implementation-guidelines-draft-01.pdf">
|
||||
* usages
|
||||
* </a>
|
||||
* (Line 584, Section 4.3 Credentials).
|
||||
*
|
||||
* @since 5.4
|
||||
* @author Filip Hanik
|
||||
* @author Josh Cummings
|
||||
*/
|
||||
public final class Saml2X509Credential {
|
||||
public enum Saml2X509CredentialType {
|
||||
VERIFICATION,
|
||||
ENCRYPTION,
|
||||
SIGNING,
|
||||
DECRYPTION,
|
||||
}
|
||||
|
||||
private final PrivateKey privateKey;
|
||||
private final X509Certificate certificate;
|
||||
private final Set<Saml2X509CredentialType> credentialTypes;
|
||||
|
||||
/**
|
||||
* Creates a {@link Saml2X509Credential} using the provided parameters
|
||||
*
|
||||
* @param certificate the credential's public certificiate
|
||||
* @param types the credential's intended usages, must be one of {@link Saml2X509CredentialType#VERIFICATION} or
|
||||
* {@link Saml2X509CredentialType#ENCRYPTION} or both.
|
||||
*/
|
||||
public Saml2X509Credential(X509Certificate certificate, Saml2X509CredentialType... types) {
|
||||
this(null, false, certificate, types);
|
||||
validateUsages(types, Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a {@link Saml2X509Credential} using the provided parameters
|
||||
*
|
||||
* @param privateKey the credential's private key
|
||||
* @param certificate the credential's public certificate
|
||||
* @param types the credential's intended usages, must be one of {@link Saml2X509CredentialType#SIGNING} or
|
||||
* {@link Saml2X509CredentialType#DECRYPTION} or both.
|
||||
*/
|
||||
public Saml2X509Credential(PrivateKey privateKey, X509Certificate certificate, Saml2X509CredentialType... types) {
|
||||
this(privateKey, true, certificate, types);
|
||||
validateUsages(types, Saml2X509CredentialType.SIGNING, Saml2X509CredentialType.DECRYPTION);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a {@link Saml2X509Credential} using the provided parameters
|
||||
*
|
||||
* @param privateKey the credential's private key
|
||||
* @param certificate the credential's public certificate
|
||||
* @param types the credential's intended usages
|
||||
*/
|
||||
public Saml2X509Credential(PrivateKey privateKey, X509Certificate certificate, Set<Saml2X509CredentialType> types) {
|
||||
Assert.notNull(certificate, "certificate cannot be null");
|
||||
Assert.notNull(types, "credentialTypes cannot be null");
|
||||
this.privateKey = privateKey;
|
||||
this.certificate = certificate;
|
||||
this.credentialTypes = types;
|
||||
}
|
||||
|
||||
private Saml2X509Credential(
|
||||
PrivateKey privateKey,
|
||||
boolean keyRequired,
|
||||
X509Certificate certificate,
|
||||
Saml2X509CredentialType... types) {
|
||||
notNull(certificate, "certificate cannot be null");
|
||||
notEmpty(types, "credentials types cannot be empty");
|
||||
if (keyRequired) {
|
||||
notNull(privateKey, "privateKey cannot be null");
|
||||
}
|
||||
this.privateKey = privateKey;
|
||||
this.certificate = certificate;
|
||||
this.credentialTypes = new LinkedHashSet<>(asList(types));
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the private key for this credential
|
||||
*
|
||||
* @return the private key, may be null
|
||||
* @see {@link #Saml2X509Credential(PrivateKey, X509Certificate, Saml2X509CredentialType...)}
|
||||
*/
|
||||
public PrivateKey getPrivateKey() {
|
||||
return this.privateKey;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the public certificate for this credential
|
||||
*
|
||||
* @return the public certificate
|
||||
*/
|
||||
public X509Certificate getCertificate() {
|
||||
return this.certificate;
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicate whether this credential can be used for signing
|
||||
*
|
||||
* @return true if the credential has a {@link Saml2X509CredentialType#SIGNING} type
|
||||
*/
|
||||
public boolean isSigningCredential() {
|
||||
return getCredentialTypes().contains(Saml2X509CredentialType.SIGNING);
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicate whether this credential can be used for decryption
|
||||
*
|
||||
* @return true if the credential has a {@link Saml2X509CredentialType#DECRYPTION} type
|
||||
*/
|
||||
public boolean isDecryptionCredential() {
|
||||
return getCredentialTypes().contains(Saml2X509CredentialType.DECRYPTION);
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicate whether this credential can be used for verification
|
||||
*
|
||||
* @return true if the credential has a {@link Saml2X509CredentialType#VERIFICATION} type
|
||||
*/
|
||||
public boolean isVerificationCredential() {
|
||||
return getCredentialTypes().contains(Saml2X509CredentialType.VERIFICATION);
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicate whether this credential can be used for encryption
|
||||
*
|
||||
* @return true if the credential has a {@link Saml2X509CredentialType#ENCRYPTION} type
|
||||
*/
|
||||
public boolean isEncryptionCredential() {
|
||||
return getCredentialTypes().contains(Saml2X509CredentialType.ENCRYPTION);
|
||||
}
|
||||
|
||||
/**
|
||||
* List all this credential's intended usages
|
||||
*
|
||||
* @return the set of this credential's intended usages
|
||||
*/
|
||||
public Set<Saml2X509CredentialType> getCredentialTypes() {
|
||||
return this.credentialTypes;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean equals(Object o) {
|
||||
if (this == o) return true;
|
||||
if (o == null || getClass() != o.getClass()) return false;
|
||||
Saml2X509Credential that = (Saml2X509Credential) o;
|
||||
return Objects.equals(this.privateKey, that.privateKey) &&
|
||||
this.certificate.equals(that.certificate) &&
|
||||
this.credentialTypes.equals(that.credentialTypes);
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return Objects.hash(this.privateKey, this.certificate, this.credentialTypes);
|
||||
}
|
||||
|
||||
private void validateUsages(Saml2X509CredentialType[] usages, Saml2X509CredentialType... validUsages) {
|
||||
for (Saml2X509CredentialType usage : usages) {
|
||||
boolean valid = false;
|
||||
for (Saml2X509CredentialType validUsage : validUsages) {
|
||||
if (usage == validUsage) {
|
||||
valid = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
state(valid, () -> usage +" is not a valid usage for this credential");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -18,8 +18,11 @@ package org.springframework.security.saml2.credentials;
|
|||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Objects;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import static java.util.Arrays.asList;
|
||||
import static org.springframework.util.Assert.notEmpty;
|
||||
import static org.springframework.util.Assert.notNull;
|
||||
|
|
@ -32,8 +35,14 @@ import static org.springframework.util.Assert.state;
|
|||
* Line: 584, Section 4.3 Credentials Used for both signing, signature verification and encryption/decryption
|
||||
*
|
||||
* @since 5.2
|
||||
* @deprecated Use {@link org.springframework.security.saml2.core.Saml2X509Credential} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public class Saml2X509Credential {
|
||||
/**
|
||||
* @deprecated Use {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public enum Saml2X509CredentialType {
|
||||
VERIFICATION,
|
||||
ENCRYPTION,
|
||||
|
|
@ -70,6 +79,14 @@ public class Saml2X509Credential {
|
|||
validateUsages(types, Saml2X509CredentialType.SIGNING, Saml2X509CredentialType.DECRYPTION);
|
||||
}
|
||||
|
||||
public Saml2X509Credential(PrivateKey privateKey, X509Certificate certificate, Set<Saml2X509CredentialType> types) {
|
||||
Assert.notNull(certificate, "certificate cannot be null");
|
||||
Assert.notEmpty(types, "credentialTypes cannot be empty");
|
||||
this.privateKey = privateKey;
|
||||
this.certificate = certificate;
|
||||
this.credentialTypes = types;
|
||||
}
|
||||
|
||||
private Saml2X509Credential(
|
||||
PrivateKey privateKey,
|
||||
boolean keyRequired,
|
||||
|
|
@ -147,6 +164,21 @@ public class Saml2X509Credential {
|
|||
return this.certificate;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean equals(Object o) {
|
||||
if (this == o) return true;
|
||||
if (o == null || getClass() != o.getClass()) return false;
|
||||
Saml2X509Credential that = (Saml2X509Credential) o;
|
||||
return Objects.equals(this.privateKey, that.privateKey) &&
|
||||
this.certificate.equals(that.certificate) &&
|
||||
this.credentialTypes.equals(that.credentialTypes);
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return Objects.hash(this.privateKey, this.certificate, this.credentialTypes);
|
||||
}
|
||||
|
||||
private void validateUsages(Saml2X509CredentialType[] usages, Saml2X509CredentialType... validUsages) {
|
||||
for (Saml2X509CredentialType usage : usages) {
|
||||
boolean valid = false;
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|||
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.CollectionUtils;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
|
@ -480,7 +480,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
|||
|
||||
private SignatureTrustEngine buildSignatureTrustEngine(Saml2AuthenticationToken token) {
|
||||
Set<Credential> credentials = new HashSet<>();
|
||||
for (Saml2X509Credential key : token.getRelyingPartyRegistration().getVerificationCredentials()) {
|
||||
Collection<Saml2X509Credential> keys = token.getRelyingPartyRegistration().getAssertingPartyDetails().getVerificationX509Credentials();
|
||||
for (Saml2X509Credential key : keys) {
|
||||
BasicX509Credential cred = new BasicX509Credential(key.getCertificate());
|
||||
cred.setUsageType(UsageType.SIGNING);
|
||||
cred.setEntityId(token.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId());
|
||||
|
|
@ -536,8 +537,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
|||
return encrypted -> {
|
||||
Saml2AuthenticationException last =
|
||||
authException(DECRYPTION_ERROR, "No valid decryption credentials found.");
|
||||
List<Saml2X509Credential> decryptionCredentials = token.getRelyingPartyRegistration().getDecryptionCredentials();
|
||||
for (Saml2X509Credential key : decryptionCredentials) {
|
||||
Collection<Saml2X509Credential> keys = token.getRelyingPartyRegistration().getDecryptionX509Credentials();
|
||||
for (Saml2X509Credential key : keys) {
|
||||
Decrypter decrypter = getDecrypter(key);
|
||||
try {
|
||||
return decrypter.decrypt(encrypted);
|
||||
|
|
@ -618,7 +619,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
|||
|
||||
private SignatureTrustEngine buildSignatureTrustEngine(Saml2AuthenticationToken token) {
|
||||
Set<Credential> credentials = new HashSet<>();
|
||||
for (Saml2X509Credential key : token.getRelyingPartyRegistration().getVerificationCredentials()) {
|
||||
Collection<Saml2X509Credential> keys = token.getRelyingPartyRegistration().getAssertingPartyDetails().getVerificationX509Credentials();
|
||||
for (Saml2X509Credential key : keys) {
|
||||
BasicX509Credential cred = new BasicX509Credential(key.getCertificate());
|
||||
cred.setUsageType(UsageType.SIGNING);
|
||||
cred.setEntityId(token.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId());
|
||||
|
|
@ -730,8 +732,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
|||
return encrypted -> {
|
||||
Saml2AuthenticationException last =
|
||||
authException(DECRYPTION_ERROR, "No valid decryption credentials found.");
|
||||
List<Saml2X509Credential> decryptionCredentials = token.getRelyingPartyRegistration().getDecryptionCredentials();
|
||||
for (Saml2X509Credential key : decryptionCredentials) {
|
||||
Collection<Saml2X509Credential> keys = token.getRelyingPartyRegistration().getDecryptionX509Credentials();
|
||||
for (Saml2X509Credential key : keys) {
|
||||
Decrypter decrypter = getDecrypter(key);
|
||||
try {
|
||||
return (NameID) decrypter.decrypt(encrypted);
|
||||
|
|
|
|||
|
|
@ -16,22 +16,36 @@
|
|||
|
||||
package org.springframework.security.saml2.provider.service.authentication;
|
||||
|
||||
import java.security.PrivateKey;
|
||||
import java.time.Clock;
|
||||
import java.time.Instant;
|
||||
import java.util.List;
|
||||
import java.util.Collection;
|
||||
import java.util.Map;
|
||||
import java.util.UUID;
|
||||
import java.util.function.Consumer;
|
||||
import java.util.function.Function;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import org.joda.time.DateTime;
|
||||
import org.opensaml.core.xml.io.MarshallingException;
|
||||
import org.opensaml.saml.common.xml.SAMLConstants;
|
||||
import org.opensaml.saml.saml2.core.AuthnRequest;
|
||||
import org.opensaml.saml.saml2.core.Issuer;
|
||||
import org.opensaml.security.SecurityException;
|
||||
import org.opensaml.security.credential.BasicCredential;
|
||||
import org.opensaml.security.credential.Credential;
|
||||
import org.opensaml.security.credential.CredentialSupport;
|
||||
import org.opensaml.security.credential.UsageType;
|
||||
import org.opensaml.xmlsec.SignatureSigningParameters;
|
||||
import org.opensaml.xmlsec.signature.support.SignatureConstants;
|
||||
import org.opensaml.xmlsec.signature.support.SignatureException;
|
||||
import org.opensaml.xmlsec.signature.support.SignatureSupport;
|
||||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest.Builder;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import static java.nio.charset.StandardCharsets.UTF_8;
|
||||
|
|
@ -62,7 +76,14 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
|||
AuthnRequest authnRequest = createAuthnRequest(request.getIssuer(),
|
||||
request.getDestination(), request.getAssertionConsumerServiceUrl(),
|
||||
this.protocolBindingResolver.convert(null));
|
||||
return this.saml.serialize(authnRequest, request.getCredentials());
|
||||
for (org.springframework.security.saml2.credentials.Saml2X509Credential credential : request.getCredentials()) {
|
||||
if (credential.isSigningCredential()) {
|
||||
Credential cred = getSigningCredential(credential.getCertificate(), credential.getPrivateKey(), request.getIssuer());
|
||||
signAuthnRequest(authnRequest, cred);
|
||||
return this.saml.serialize(authnRequest);
|
||||
}
|
||||
}
|
||||
throw new IllegalArgumentException("No signing credential provided");
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -72,7 +93,7 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
|||
public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) {
|
||||
AuthnRequest authnRequest = createAuthnRequest(context);
|
||||
String xml = context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned() ?
|
||||
this.saml.serialize(authnRequest, context.getRelyingPartyRegistration().getSigningCredentials()) :
|
||||
signThenSerialize(authnRequest, context.getRelyingPartyRegistration()) :
|
||||
this.saml.serialize(authnRequest);
|
||||
|
||||
return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context)
|
||||
|
|
@ -93,7 +114,7 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
|||
.relayState(context.getRelayState());
|
||||
|
||||
if (context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
|
||||
List<Saml2X509Credential> signingCredentials = context.getRelyingPartyRegistration().getSigningCredentials();
|
||||
Collection<Saml2X509Credential> signingCredentials = context.getRelyingPartyRegistration().getSigningX509Credentials();
|
||||
Map<String, String> signedParams = this.saml.signQueryParameters(
|
||||
signingCredentials,
|
||||
deflatedAndEncoded,
|
||||
|
|
@ -178,4 +199,34 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
|||
}
|
||||
this.protocolBindingResolver = context -> protocolBinding;
|
||||
}
|
||||
|
||||
private String signThenSerialize(AuthnRequest authnRequest, RelyingPartyRegistration relyingPartyRegistration) {
|
||||
for (Saml2X509Credential credential : relyingPartyRegistration.getSigningX509Credentials()) {
|
||||
Credential cred = getSigningCredential(
|
||||
credential.getCertificate(), credential.getPrivateKey(), relyingPartyRegistration.getEntityId());
|
||||
signAuthnRequest(authnRequest, cred);
|
||||
return this.saml.serialize(authnRequest);
|
||||
}
|
||||
throw new IllegalArgumentException("No signing credential provided");
|
||||
}
|
||||
|
||||
private void signAuthnRequest(AuthnRequest authnRequest, Credential credential) {
|
||||
SignatureSigningParameters parameters = new SignatureSigningParameters();
|
||||
parameters.setSigningCredential(credential);
|
||||
parameters.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
|
||||
parameters.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
|
||||
parameters.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
|
||||
try {
|
||||
SignatureSupport.signObject(authnRequest, parameters);
|
||||
} catch (MarshallingException | SignatureException | SecurityException e) {
|
||||
throw new Saml2Exception(e);
|
||||
}
|
||||
}
|
||||
|
||||
private Credential getSigningCredential(X509Certificate certificate, PrivateKey privateKey, String entityId) {
|
||||
BasicCredential cred = CredentialSupport.getSimpleCredential(certificate, privateKey);
|
||||
cred.setEntityId(entityId);
|
||||
cred.setUsageType(UsageType.SIGNING);
|
||||
return cred;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,9 +19,9 @@ package org.springframework.security.saml2.provider.service.authentication;
|
|||
import java.io.ByteArrayInputStream;
|
||||
import java.nio.charset.Charset;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.namespace.QName;
|
||||
|
|
@ -62,7 +62,7 @@ import org.w3c.dom.Document;
|
|||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.util.UriUtils;
|
||||
|
||||
|
|
@ -187,13 +187,6 @@ final class OpenSamlImplementation {
|
|||
}
|
||||
}
|
||||
|
||||
String serialize(AuthnRequest authnRequest, List<Saml2X509Credential> signingCredentials) {
|
||||
if (hasSigningCredential(signingCredentials) != null) {
|
||||
signAuthnRequest(authnRequest, signingCredentials);
|
||||
}
|
||||
return serialize(authnRequest);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns query parameter after creating a Query String signature
|
||||
* All return values are unencoded and will need to be encoded prior to sending
|
||||
|
|
@ -205,7 +198,7 @@ final class OpenSamlImplementation {
|
|||
*
|
||||
*/
|
||||
Map<String, String> signQueryParameters(
|
||||
List<Saml2X509Credential> signingCredentials,
|
||||
Collection<Saml2X509Credential> signingCredentials,
|
||||
String samlRequest,
|
||||
String relayState) {
|
||||
Assert.notNull(samlRequest, "samlRequest cannot be null");
|
||||
|
|
@ -280,7 +273,7 @@ final class OpenSamlImplementation {
|
|||
}
|
||||
|
||||
|
||||
private Saml2X509Credential hasSigningCredential(List<Saml2X509Credential> credentials) {
|
||||
private Saml2X509Credential hasSigningCredential(Collection<Saml2X509Credential> credentials) {
|
||||
for (Saml2X509Credential c : credentials) {
|
||||
if (c.isSigningCredential()) {
|
||||
return c;
|
||||
|
|
@ -289,7 +282,7 @@ final class OpenSamlImplementation {
|
|||
return null;
|
||||
}
|
||||
|
||||
private Credential getSigningCredential(List<Saml2X509Credential> signingCredential,
|
||||
private Credential getSigningCredential(Collection<Saml2X509Credential> signingCredential,
|
||||
String localSpEntityId
|
||||
) {
|
||||
Saml2X509Credential credential = hasSigningCredential(signingCredential);
|
||||
|
|
@ -302,7 +295,7 @@ final class OpenSamlImplementation {
|
|||
return cred;
|
||||
}
|
||||
|
||||
private void signAuthnRequest(AuthnRequest authnRequest, List<Saml2X509Credential> signingCredentials) {
|
||||
private void signAuthnRequest(AuthnRequest authnRequest, Collection<Saml2X509Credential> signingCredentials) {
|
||||
SignatureSigningParameters parameters = new SignatureSigningParameters();
|
||||
Credential credential = getSigningCredential(signingCredentials, authnRequest.getIssuer().getValue());
|
||||
parameters.setSigningCredential(credential);
|
||||
|
|
|
|||
|
|
@ -16,12 +16,12 @@
|
|||
|
||||
package org.springframework.security.saml2.provider.service.authentication;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
|
||||
import static org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequest.withAuthenticationRequestContext;
|
||||
import static org.springframework.security.saml2.provider.service.authentication.Saml2Utils.samlDeflate;
|
||||
import static org.springframework.security.saml2.provider.service.authentication.Saml2Utils.samlEncode;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -16,15 +16,18 @@
|
|||
|
||||
package org.springframework.security.saml2.provider.service.registration;
|
||||
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.function.Consumer;
|
||||
import java.util.function.Function;
|
||||
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
|
|
@ -51,11 +54,11 @@ import org.springframework.util.Assert;
|
|||
* RelyingPartyRegistration rp = RelyingPartyRegistration.withRegistrationId(registrationId)
|
||||
* .entityId(relyingPartyEntityId)
|
||||
* .assertionConsumerServiceLocation(assertingConsumerServiceLocation)
|
||||
* .credentials(c -> c.add(relyingPartySigningCredential))
|
||||
* .signingX509Credentials(c -> c.add(relyingPartySigningCredential))
|
||||
* .assertingPartyDetails(details -> details
|
||||
* .entityId(assertingPartyEntityId));
|
||||
* .singleSignOnServiceLocation(singleSignOnServiceLocation))
|
||||
* .credentials(c -> c.add(assertingPartyVerificationCredential))
|
||||
* .verifyingX509Credentials(c -> c.add(assertingPartyVerificationCredential))
|
||||
* .build();
|
||||
* </pre>
|
||||
*
|
||||
|
|
@ -70,7 +73,9 @@ public class RelyingPartyRegistration {
|
|||
private final String assertionConsumerServiceLocation;
|
||||
private final Saml2MessageBinding assertionConsumerServiceBinding;
|
||||
private final ProviderDetails providerDetails;
|
||||
private final List<Saml2X509Credential> credentials;
|
||||
private final List<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials;
|
||||
private final Collection<Saml2X509Credential> decryptionX509Credentials;
|
||||
private final Collection<Saml2X509Credential> signingX509Credentials;
|
||||
|
||||
private RelyingPartyRegistration(
|
||||
String registrationId,
|
||||
|
|
@ -78,7 +83,9 @@ public class RelyingPartyRegistration {
|
|||
String assertionConsumerServiceLocation,
|
||||
Saml2MessageBinding assertionConsumerServiceBinding,
|
||||
ProviderDetails providerDetails,
|
||||
List<Saml2X509Credential> credentials) {
|
||||
Collection<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials,
|
||||
Collection<Saml2X509Credential> decryptionX509Credentials,
|
||||
Collection<Saml2X509Credential> signingX509Credentials) {
|
||||
|
||||
Assert.hasText(registrationId, "registrationId cannot be empty");
|
||||
Assert.hasText(entityId, "entityId cannot be empty");
|
||||
|
|
@ -86,15 +93,29 @@ public class RelyingPartyRegistration {
|
|||
Assert.notNull(assertionConsumerServiceBinding, "assertionConsumerServiceBinding cannot be null");
|
||||
Assert.notNull(providerDetails, "providerDetails cannot be null");
|
||||
Assert.notEmpty(credentials, "credentials cannot be empty");
|
||||
for (Saml2X509Credential c : credentials) {
|
||||
for (org.springframework.security.saml2.credentials.Saml2X509Credential c : credentials) {
|
||||
Assert.notNull(c, "credentials cannot contain null elements");
|
||||
}
|
||||
Assert.notNull(decryptionX509Credentials, "decryptionX509Credentials cannot be null");
|
||||
for (Saml2X509Credential c : decryptionX509Credentials) {
|
||||
Assert.notNull(c, "decryptionX509Credentials cannot contain null elements");
|
||||
Assert.isTrue(c.isDecryptionCredential(),
|
||||
"All decryptionX509Credentials must have a usage of DECRYPTION set");
|
||||
}
|
||||
Assert.notNull(signingX509Credentials, "signingX509Credentials cannot be null");
|
||||
for (Saml2X509Credential c : signingX509Credentials) {
|
||||
Assert.notNull(c, "signingX509Credentials cannot contain null elements");
|
||||
Assert.isTrue(c.isSigningCredential(),
|
||||
"All signingX509Credentials must have a usage of SIGNING set");
|
||||
}
|
||||
this.registrationId = registrationId;
|
||||
this.entityId = entityId;
|
||||
this.assertionConsumerServiceLocation = assertionConsumerServiceLocation;
|
||||
this.assertionConsumerServiceBinding = assertionConsumerServiceBinding;
|
||||
this.providerDetails = providerDetails;
|
||||
this.credentials = Collections.unmodifiableList(new LinkedList<>(credentials));
|
||||
this.decryptionX509Credentials = Collections.unmodifiableList(new LinkedList<>(decryptionX509Credentials));
|
||||
this.signingX509Credentials = Collections.unmodifiableList(new LinkedList<>(signingX509Credentials));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -154,6 +175,26 @@ public class RelyingPartyRegistration {
|
|||
return this.assertionConsumerServiceBinding;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the {@link Collection} of decryption {@link Saml2X509Credential}s associated with this relying party
|
||||
*
|
||||
* @return the {@link Collection} of decryption {@link Saml2X509Credential}s associated with this relying party
|
||||
* @since 5.4
|
||||
*/
|
||||
public Collection<Saml2X509Credential> getDecryptionX509Credentials() {
|
||||
return this.decryptionX509Credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the {@link Collection} of signing {@link Saml2X509Credential}s associated with this relying party
|
||||
*
|
||||
* @return the {@link Collection} of signing {@link Saml2X509Credential}s associated with this relying party
|
||||
* @since 5.4
|
||||
*/
|
||||
public Collection<Saml2X509Credential> getSigningX509Credentials() {
|
||||
return this.signingX509Credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the configuration details for the Asserting Party
|
||||
*
|
||||
|
|
@ -225,50 +266,62 @@ public class RelyingPartyRegistration {
|
|||
* Returns a list of configured credentials to be used in message exchanges between relying party, SP, and
|
||||
* asserting party, IDP.
|
||||
* @return a list of credentials
|
||||
* @deprecated Instead of retrieving all credentials, use the appropriate method for obtaining the correct type
|
||||
*/
|
||||
public List<Saml2X509Credential> getCredentials() {
|
||||
@Deprecated
|
||||
public List<org.springframework.security.saml2.credentials.Saml2X509Credential> getCredentials() {
|
||||
return this.credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return a filtered list containing only credentials of type
|
||||
* {@link Saml2X509CredentialType#VERIFICATION}.
|
||||
* {@link org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType#VERIFICATION}.
|
||||
* Returns an empty list of credentials are not found
|
||||
* @deprecated Use {@link #getAssertingPartyDetails().getSigningX509Credentials()} instead
|
||||
*/
|
||||
public List<Saml2X509Credential> getVerificationCredentials() {
|
||||
return filterCredentials(c -> c.isSignatureVerficationCredential());
|
||||
@Deprecated
|
||||
public List<org.springframework.security.saml2.credentials.Saml2X509Credential> getVerificationCredentials() {
|
||||
return filterCredentials(org.springframework.security.saml2.credentials.Saml2X509Credential::isSignatureVerficationCredential);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return a filtered list containing only credentials of type
|
||||
* {@link Saml2X509CredentialType#SIGNING}.
|
||||
* {@link org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType#SIGNING}.
|
||||
* Returns an empty list of credentials are not found
|
||||
* @deprecated Use {@link #getSigningX509Credentials()} instead
|
||||
*/
|
||||
public List<Saml2X509Credential> getSigningCredentials() {
|
||||
return filterCredentials(c -> c.isSigningCredential());
|
||||
@Deprecated
|
||||
public List<org.springframework.security.saml2.credentials.Saml2X509Credential> getSigningCredentials() {
|
||||
return filterCredentials(org.springframework.security.saml2.credentials.Saml2X509Credential::isSigningCredential);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return a filtered list containing only credentials of type
|
||||
* {@link Saml2X509CredentialType#ENCRYPTION}.
|
||||
* {@link org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType#ENCRYPTION}.
|
||||
* Returns an empty list of credentials are not found
|
||||
* @deprecated Use {@link AssertingPartyDetails#getEncryptionX509Credentials()} instead
|
||||
*/
|
||||
public List<Saml2X509Credential> getEncryptionCredentials() {
|
||||
return filterCredentials(c -> c.isEncryptionCredential());
|
||||
@Deprecated
|
||||
public List<org.springframework.security.saml2.credentials.Saml2X509Credential> getEncryptionCredentials() {
|
||||
return filterCredentials(org.springframework.security.saml2.credentials.Saml2X509Credential::isEncryptionCredential);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return a filtered list containing only credentials of type
|
||||
* {@link Saml2X509CredentialType#DECRYPTION}.
|
||||
* {@link org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType#DECRYPTION}.
|
||||
* Returns an empty list of credentials are not found
|
||||
* @deprecated Use {@link #getDecryptionX509Credentials()} instead
|
||||
*/
|
||||
public List<Saml2X509Credential> getDecryptionCredentials() {
|
||||
return filterCredentials(c -> c.isDecryptionCredential());
|
||||
@Deprecated
|
||||
public List<org.springframework.security.saml2.credentials.Saml2X509Credential> getDecryptionCredentials() {
|
||||
return filterCredentials(org.springframework.security.saml2.credentials.Saml2X509Credential::isDecryptionCredential);
|
||||
}
|
||||
|
||||
private List<Saml2X509Credential> filterCredentials(Function<Saml2X509Credential, Boolean> filter) {
|
||||
List<Saml2X509Credential> result = new LinkedList<>();
|
||||
for (Saml2X509Credential c : getCredentials()) {
|
||||
private List<org.springframework.security.saml2.credentials.Saml2X509Credential> filterCredentials(
|
||||
Function<org.springframework.security.saml2.credentials.Saml2X509Credential, Boolean> filter) {
|
||||
|
||||
List<org.springframework.security.saml2.credentials.Saml2X509Credential> result = new LinkedList<>();
|
||||
for (org.springframework.security.saml2.credentials.Saml2X509Credential c : this.credentials) {
|
||||
if (filter.apply(c)) {
|
||||
result.add(c);
|
||||
}
|
||||
|
|
@ -295,15 +348,18 @@ public class RelyingPartyRegistration {
|
|||
Assert.notNull(registration, "registration cannot be null");
|
||||
return withRegistrationId(registration.getRegistrationId())
|
||||
.entityId(registration.getEntityId())
|
||||
.signingX509Credentials(c -> c.addAll(registration.getSigningX509Credentials()))
|
||||
.decryptionX509Credentials(c -> c.addAll(registration.getDecryptionX509Credentials()))
|
||||
.assertionConsumerServiceLocation(registration.getAssertionConsumerServiceLocation())
|
||||
.assertionConsumerServiceBinding(registration.getAssertionConsumerServiceBinding())
|
||||
.assertingPartyDetails(c -> c
|
||||
.assertingPartyDetails(assertingParty -> assertingParty
|
||||
.entityId(registration.getAssertingPartyDetails().getEntityId())
|
||||
.wantAuthnRequestsSigned(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned())
|
||||
.verificationX509Credentials(c -> c.addAll(registration.getAssertingPartyDetails().getVerificationX509Credentials()))
|
||||
.encryptionX509Credentials(c -> c.addAll(registration.getAssertingPartyDetails().getEncryptionX509Credentials()))
|
||||
.singleSignOnServiceLocation(registration.getAssertingPartyDetails().getSingleSignOnServiceLocation())
|
||||
.singleSignOnServiceBinding(registration.getAssertingPartyDetails().getSingleSignOnServiceBinding())
|
||||
)
|
||||
.credentials(c -> c.addAll(registration.getCredentials()));
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -315,20 +371,38 @@ public class RelyingPartyRegistration {
|
|||
public final static class AssertingPartyDetails {
|
||||
private final String entityId;
|
||||
private final boolean wantAuthnRequestsSigned;
|
||||
private final Collection<Saml2X509Credential> verificationX509Credentials;
|
||||
private final Collection<Saml2X509Credential> encryptionX509Credentials;
|
||||
private final String singleSignOnServiceLocation;
|
||||
private final Saml2MessageBinding singleSignOnServiceBinding;
|
||||
|
||||
private AssertingPartyDetails(
|
||||
String entityId,
|
||||
boolean wantAuthnRequestsSigned,
|
||||
Collection<Saml2X509Credential> verificationX509Credentials,
|
||||
Collection<Saml2X509Credential> encryptionX509Credentials,
|
||||
String singleSignOnServiceLocation,
|
||||
Saml2MessageBinding singleSignOnServiceBinding) {
|
||||
|
||||
Assert.hasText(entityId, "entityId cannot be null or empty");
|
||||
Assert.notNull(verificationX509Credentials, "verificationX509Credentials cannot be null");
|
||||
for (Saml2X509Credential credential : verificationX509Credentials) {
|
||||
Assert.notNull(credential, "verificationX509Credentials cannot have null values");
|
||||
Assert.isTrue(credential.isVerificationCredential(),
|
||||
"All verificationX509Credentials must have a usage of VERIFICATION set");
|
||||
}
|
||||
Assert.notNull(encryptionX509Credentials, "encryptionX509Credentials cannot be null");
|
||||
for (Saml2X509Credential credential : encryptionX509Credentials) {
|
||||
Assert.notNull(credential, "encryptionX509Credentials cannot have null values");
|
||||
Assert.isTrue(credential.isEncryptionCredential(),
|
||||
"All encryptionX509Credentials must have a usage of ENCRYPTION set");
|
||||
}
|
||||
Assert.notNull(singleSignOnServiceLocation, "singleSignOnServiceLocation cannot be null");
|
||||
Assert.notNull(singleSignOnServiceBinding, "singleSignOnServiceBinding cannot be null");
|
||||
this.entityId = entityId;
|
||||
this.wantAuthnRequestsSigned = wantAuthnRequestsSigned;
|
||||
this.verificationX509Credentials = verificationX509Credentials;
|
||||
this.encryptionX509Credentials = encryptionX509Credentials;
|
||||
this.singleSignOnServiceLocation = singleSignOnServiceLocation;
|
||||
this.singleSignOnServiceBinding = singleSignOnServiceBinding;
|
||||
}
|
||||
|
|
@ -362,6 +436,26 @@ public class RelyingPartyRegistration {
|
|||
return this.wantAuthnRequestsSigned;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get all verification {@link Saml2X509Credential}s associated with this asserting party
|
||||
*
|
||||
* @return all verification {@link Saml2X509Credential}s associated with this asserting party
|
||||
* @since 5.4
|
||||
*/
|
||||
public Collection<Saml2X509Credential> getVerificationX509Credentials() {
|
||||
return this.verificationX509Credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get all encryption {@link Saml2X509Credential}s associated with this asserting party
|
||||
*
|
||||
* @return all encryption {@link Saml2X509Credential}s associated with this asserting party
|
||||
* @since 5.4
|
||||
*/
|
||||
public Collection<Saml2X509Credential> getEncryptionX509Credentials() {
|
||||
return this.encryptionX509Credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the
|
||||
* <a href="https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForIdP#MetadataForIdP-SingleSign-OnServices">SingleSignOnService</a>
|
||||
|
|
@ -395,6 +489,8 @@ public class RelyingPartyRegistration {
|
|||
public final static class Builder {
|
||||
private String entityId;
|
||||
private boolean wantAuthnRequestsSigned = true;
|
||||
private Collection<Saml2X509Credential> verificationX509Credentials = new HashSet<>();
|
||||
private Collection<Saml2X509Credential> encryptionX509Credentials = new HashSet<>();
|
||||
private String singleSignOnServiceLocation;
|
||||
private Saml2MessageBinding singleSignOnServiceBinding = Saml2MessageBinding.REDIRECT;
|
||||
|
||||
|
|
@ -424,6 +520,30 @@ public class RelyingPartyRegistration {
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply this {@link Consumer} to the list of {@link Saml2X509Credential}s
|
||||
*
|
||||
* @param credentialsConsumer a {@link Consumer} of the {@link List} of {@link Saml2X509Credential}s
|
||||
* @return the {@link RelyingPartyRegistration.Builder} for further configuration
|
||||
* @since 5.4
|
||||
*/
|
||||
public Builder verificationX509Credentials(Consumer<Collection<Saml2X509Credential>> credentialsConsumer) {
|
||||
credentialsConsumer.accept(this.verificationX509Credentials);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply this {@link Consumer} to the list of {@link Saml2X509Credential}s
|
||||
*
|
||||
* @param credentialsConsumer a {@link Consumer} of the {@link List} of {@link Saml2X509Credential}s
|
||||
* @return the {@link RelyingPartyRegistration.Builder} for further configuration
|
||||
* @since 5.4
|
||||
*/
|
||||
public Builder encryptionX509Credentials(Consumer<Collection<Saml2X509Credential>> credentialsConsumer) {
|
||||
credentialsConsumer.accept(this.encryptionX509Credentials);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the
|
||||
* <a href="https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForIdP#MetadataForIdP-SingleSign-OnServices">SingleSignOnService</a>
|
||||
|
|
@ -466,6 +586,8 @@ public class RelyingPartyRegistration {
|
|||
return new AssertingPartyDetails(
|
||||
this.entityId,
|
||||
this.wantAuthnRequestsSigned,
|
||||
this.verificationX509Credentials,
|
||||
this.encryptionX509Credentials,
|
||||
this.singleSignOnServiceLocation,
|
||||
this.singleSignOnServiceBinding
|
||||
);
|
||||
|
|
@ -591,10 +713,12 @@ public class RelyingPartyRegistration {
|
|||
public final static class Builder {
|
||||
private String registrationId;
|
||||
private String entityId = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
|
||||
private Collection<Saml2X509Credential> signingX509Credentials = new HashSet<>();
|
||||
private Collection<Saml2X509Credential> decryptionX509Credentials = new HashSet<>();
|
||||
private String assertionConsumerServiceLocation;
|
||||
private Saml2MessageBinding assertionConsumerServiceBinding = Saml2MessageBinding.POST;
|
||||
private ProviderDetails.Builder providerDetails = new ProviderDetails.Builder();
|
||||
private List<Saml2X509Credential> credentials = new LinkedList<>();
|
||||
private Collection<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials = new HashSet<>();
|
||||
|
||||
private Builder(String registrationId) {
|
||||
this.registrationId = registrationId;
|
||||
|
|
@ -629,6 +753,32 @@ public class RelyingPartyRegistration {
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply this {@link Consumer} to the {@link Collection} of {@link Saml2X509Credential}s
|
||||
* for the purposes of modifying the {@link Collection}
|
||||
*
|
||||
* @param credentialsConsumer - the {@link Consumer} for modifying the {@link Collection}
|
||||
* @return the {@link Builder} for further configuration
|
||||
* @since 5.4
|
||||
*/
|
||||
public Builder signingX509Credentials(Consumer<Collection<Saml2X509Credential>> credentialsConsumer) {
|
||||
credentialsConsumer.accept(this.signingX509Credentials);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply this {@link Consumer} to the {@link Collection} of {@link Saml2X509Credential}s
|
||||
* for the purposes of modifying the {@link Collection}
|
||||
*
|
||||
* @param credentialsConsumer - the {@link Consumer} for modifying the {@link Collection}
|
||||
* @return the {@link Builder} for further configuration
|
||||
* @since 5.4
|
||||
*/
|
||||
public Builder decryptionX509Credentials(Consumer<Collection<Saml2X509Credential>> credentialsConsumer) {
|
||||
credentialsConsumer.accept(this.decryptionX509Credentials);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the <a href="https://wiki.shibboleth.net/confluence/display/CONCEPT/AssertionConsumerService">AssertionConsumerService</a>
|
||||
* Location.
|
||||
|
|
@ -693,8 +843,12 @@ public class RelyingPartyRegistration {
|
|||
* </code>
|
||||
* @param credentials - a consumer that can modify the collection of credentials
|
||||
* @return this object
|
||||
* @deprecated Use {@link #signingX509Credentials} or {@link #decryptionX509Credentials} instead
|
||||
* for relying party keys or {@link AssertingPartyDetails.Builder#verificationX509Credentials} or
|
||||
* {@link AssertingPartyDetails.Builder#encryptionX509Credentials} for asserting party keys
|
||||
*/
|
||||
public Builder credentials(Consumer<Collection<Saml2X509Credential>> credentials) {
|
||||
@Deprecated
|
||||
public Builder credentials(Consumer<Collection<org.springframework.security.saml2.credentials.Saml2X509Credential>> credentials) {
|
||||
credentials.accept(this.credentials);
|
||||
return this;
|
||||
}
|
||||
|
|
@ -769,15 +923,85 @@ public class RelyingPartyRegistration {
|
|||
* @return a RelyingPartyRegistration instance
|
||||
*/
|
||||
public RelyingPartyRegistration build() {
|
||||
for (org.springframework.security.saml2.credentials.Saml2X509Credential credential : this.credentials) {
|
||||
Saml2X509Credential mapped = fromDeprecated(credential);
|
||||
if (credential.isSigningCredential()) {
|
||||
signingX509Credentials(c -> c.add(mapped));
|
||||
}
|
||||
if (credential.isDecryptionCredential()) {
|
||||
decryptionX509Credentials(c -> c.add(mapped));
|
||||
}
|
||||
if (credential.isSignatureVerficationCredential()) {
|
||||
this.providerDetails.assertingPartyDetailsBuilder
|
||||
.verificationX509Credentials(c -> c.add(mapped));
|
||||
}
|
||||
if (credential.isEncryptionCredential()) {
|
||||
this.providerDetails.assertingPartyDetailsBuilder
|
||||
.encryptionX509Credentials(c -> c.add(mapped));
|
||||
}
|
||||
}
|
||||
|
||||
for (Saml2X509Credential credential : this.signingX509Credentials) {
|
||||
this.credentials.add(toDeprecated(credential));
|
||||
}
|
||||
for (Saml2X509Credential credential : this.decryptionX509Credentials) {
|
||||
this.credentials.add(toDeprecated(credential));
|
||||
}
|
||||
for (Saml2X509Credential credential : this.providerDetails.assertingPartyDetailsBuilder.verificationX509Credentials) {
|
||||
this.credentials.add(toDeprecated(credential));
|
||||
}
|
||||
for (Saml2X509Credential credential : this.providerDetails.assertingPartyDetailsBuilder.encryptionX509Credentials) {
|
||||
this.credentials.add(toDeprecated(credential));
|
||||
}
|
||||
|
||||
return new RelyingPartyRegistration(
|
||||
this.registrationId,
|
||||
this.entityId,
|
||||
this.assertionConsumerServiceLocation,
|
||||
this.assertionConsumerServiceBinding,
|
||||
this.providerDetails.build(),
|
||||
this.credentials
|
||||
this.credentials,
|
||||
this.decryptionX509Credentials,
|
||||
this.signingX509Credentials
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
private static Saml2X509Credential fromDeprecated(org.springframework.security.saml2.credentials.Saml2X509Credential credential) {
|
||||
PrivateKey privateKey = credential.getPrivateKey();
|
||||
X509Certificate certificate = credential.getCertificate();
|
||||
Set<Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new HashSet<>();
|
||||
if (credential.isSigningCredential()) {
|
||||
credentialTypes.add(Saml2X509Credential.Saml2X509CredentialType.SIGNING);
|
||||
}
|
||||
if (credential.isSignatureVerficationCredential()) {
|
||||
credentialTypes.add(Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
|
||||
}
|
||||
if (credential.isEncryptionCredential()) {
|
||||
credentialTypes.add(Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION);
|
||||
}
|
||||
if (credential.isDecryptionCredential()) {
|
||||
credentialTypes.add(Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
|
||||
}
|
||||
return new Saml2X509Credential(privateKey, certificate, credentialTypes);
|
||||
}
|
||||
|
||||
private static org.springframework.security.saml2.credentials.Saml2X509Credential toDeprecated(Saml2X509Credential credential) {
|
||||
PrivateKey privateKey = credential.getPrivateKey();
|
||||
X509Certificate certificate = credential.getCertificate();
|
||||
Set<org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new HashSet<>();
|
||||
if (credential.isSigningCredential()) {
|
||||
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.SIGNING);
|
||||
}
|
||||
if (credential.isVerificationCredential()) {
|
||||
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
|
||||
}
|
||||
if (credential.isEncryptionCredential()) {
|
||||
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION);
|
||||
}
|
||||
if (credential.isDecryptionCredential()) {
|
||||
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
|
||||
}
|
||||
return new org.springframework.security.saml2.credentials.Saml2X509Credential(privateKey, certificate, credentialTypes);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,179 @@
|
|||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.saml2.core;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.security.KeyException;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import org.opensaml.security.crypto.KeySupport;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
|
||||
import static java.nio.charset.StandardCharsets.UTF_8;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.SIGNING;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION;
|
||||
|
||||
public final class TestSaml2X509Credentials {
|
||||
public static Saml2X509Credential assertingPartySigningCredential() {
|
||||
return new Saml2X509Credential(idpPrivateKey(), idpCertificate(), SIGNING);
|
||||
}
|
||||
|
||||
public static Saml2X509Credential assertingPartyEncryptingCredential() {
|
||||
return new Saml2X509Credential(spCertificate(), ENCRYPTION);
|
||||
}
|
||||
|
||||
public static Saml2X509Credential assertingPartyPrivateCredential() {
|
||||
return new Saml2X509Credential(idpPrivateKey(), idpCertificate(), SIGNING, DECRYPTION);
|
||||
}
|
||||
|
||||
public static Saml2X509Credential relyingPartyVerifyingCredential() {
|
||||
return new Saml2X509Credential(idpCertificate(), VERIFICATION);
|
||||
}
|
||||
|
||||
public static Saml2X509Credential relyingPartySigningCredential() {
|
||||
return new Saml2X509Credential(spPrivateKey(), spCertificate(), SIGNING);
|
||||
}
|
||||
|
||||
public static Saml2X509Credential relyingPartyDecryptingCredential() {
|
||||
return new Saml2X509Credential(spPrivateKey(), spCertificate(), DECRYPTION);
|
||||
}
|
||||
|
||||
private static X509Certificate certificate(String cert) {
|
||||
ByteArrayInputStream certBytes = new ByteArrayInputStream(cert.getBytes());
|
||||
try {
|
||||
return (X509Certificate) CertificateFactory
|
||||
.getInstance("X.509")
|
||||
.generateCertificate(certBytes);
|
||||
}
|
||||
catch (CertificateException e) {
|
||||
throw new Saml2Exception(e);
|
||||
}
|
||||
}
|
||||
|
||||
private static PrivateKey privateKey(String key) {
|
||||
try {
|
||||
return KeySupport.decodePrivateKey(key.getBytes(UTF_8), new char[0]);
|
||||
}
|
||||
catch (KeyException e) {
|
||||
throw new Saml2Exception(e);
|
||||
}
|
||||
}
|
||||
|
||||
private static X509Certificate idpCertificate() {
|
||||
return certificate("-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD\n"
|
||||
+ "VQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYD\n"
|
||||
+ "VQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwX\n"
|
||||
+ "c2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0Bw\n"
|
||||
+ "aXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJ\n"
|
||||
+ "BgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAa\n"
|
||||
+ "BgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQD\n"
|
||||
+ "DBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlr\n"
|
||||
+ "QHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62\n"
|
||||
+ "E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz\n"
|
||||
+ "2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWW\n"
|
||||
+ "RDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQ\n"
|
||||
+ "nX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5\n"
|
||||
+ "cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gph\n"
|
||||
+ "iJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5\n"
|
||||
+ "ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTAD\n"
|
||||
+ "AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduO\n"
|
||||
+ "nRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+v\n"
|
||||
+ "ZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLu\n"
|
||||
+ "xbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6z\n"
|
||||
+ "V9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3\n"
|
||||
+ "lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk\n"
|
||||
+ "-----END CERTIFICATE-----\n");
|
||||
}
|
||||
|
||||
|
||||
private static PrivateKey idpPrivateKey() {
|
||||
return privateKey("-----BEGIN PRIVATE KEY-----\n"
|
||||
+ "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4cn62E1xLqpN3\n"
|
||||
+ "4PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZX\n"
|
||||
+ "W+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHE\n"
|
||||
+ "fDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7h\n"
|
||||
+ "Z6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/T\n"
|
||||
+ "Xy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7\n"
|
||||
+ "I+J5lS8VAgMBAAECggEBAKyxBlIS7mcp3chvq0RF7B3PHFJMMzkwE+t3pLJcs4cZ\n"
|
||||
+ "nezh/KbREfP70QjXzk/llnZCvxeIs5vRu24vbdBm79qLHqBuHp8XfHHtuo2AfoAQ\n"
|
||||
+ "l4h047Xc/+TKMivnPQ0jX9qqndKDLqZDf5wnbslDmlskvF0a/MjsLU0TxtOfo+dB\n"
|
||||
+ "t55FW11cGqxZwhS5Gnr+cbw3OkHz23b9gEOt9qfwPVepeysbmm9FjU+k4yVa7rAN\n"
|
||||
+ "xcbzVb6Y7GCITe2tgvvEHmjB9BLmWrH3mZ3Af17YU/iN6TrpPd6Sj3QoS+2wGtAe\n"
|
||||
+ "HbUs3CKJu7bIHcj4poal6Kh8519S+erJTtqQ8M0ZiEECgYEA43hLYAPaUueFkdfh\n"
|
||||
+ "9K/7ClH6436CUH3VdizwUXi26fdhhV/I/ot6zLfU2mgEHU22LBECWQGtAFm8kv0P\n"
|
||||
+ "zPn+qjaR3e62l5PIlSYbnkIidzoDZ2ztu4jF5LgStlTJQPteFEGgZVl5o9DaSZOq\n"
|
||||
+ "Yd7G3XqXuQ1VGMW58G5FYJPtA1cCgYEAz5TPUtK+R2KXHMjUwlGY9AefQYRYmyX2\n"
|
||||
+ "Tn/OFgKvY8lpAkMrhPKONq7SMYc8E9v9G7A0dIOXvW7QOYSapNhKU+np3lUafR5F\n"
|
||||
+ "4ZN0bxZ9qjHbn3AMYeraKjeutHvlLtbHdIc1j3sxe/EzltRsYmiqLdEBW0p6hwWg\n"
|
||||
+ "tyGhYWVyaXMCgYAfDOKtHpmEy5nOCLwNXKBWDk7DExfSyPqEgSnk1SeS1HP5ctPK\n"
|
||||
+ "+1st6sIhdiVpopwFc+TwJWxqKdW18tlfT5jVv1E2DEnccw3kXilS9xAhWkfwrEvf\n"
|
||||
+ "V5I74GydewFl32o+NZ8hdo9GL1I8zO1rIq/et8dSOWGuWf9BtKu/vTGTTQKBgFxU\n"
|
||||
+ "VjsCnbvmsEwPUAL2hE/WrBFaKocnxXx5AFNt8lEyHtDwy4Sg1nygGcIJ4sD6koQk\n"
|
||||
+ "RdClT3LkvR04TAiSY80bN/i6ZcPNGUwSaDGZEWAIOSWbkwZijZNFnSGOEgxZX/IG\n"
|
||||
+ "yd39766vREEMTwEeiMNEOZQ/dmxkJm4OOVe25cLdAoGACOtPnq1Fxay80UYBf4rQ\n"
|
||||
+ "+bJ9yX1ulB8WIree1hD7OHSB2lRHxrVYWrglrTvkh63Lgx+EcsTV788OsvAVfPPz\n"
|
||||
+ "BZrn8SdDlQqalMxUBYEFwnsYD3cQ8yOUnijFVC4xNcdDv8OIqVgSk4KKxU5AshaA\n" + "xk6Mox+u8Cc2eAK12H13i+8=\n"
|
||||
+ "-----END PRIVATE KEY-----\n");
|
||||
}
|
||||
|
||||
private static X509Certificate spCertificate() {
|
||||
|
||||
return certificate("-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICgTCCAeoCCQCuVzyqFgMSyDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMC\n" +
|
||||
"VVMxEzARBgNVBAgMCldhc2hpbmd0b24xEjAQBgNVBAcMCVZhbmNvdXZlcjEdMBsG\n" +
|
||||
"A1UECgwUU3ByaW5nIFNlY3VyaXR5IFNBTUwxCzAJBgNVBAsMAnNwMSAwHgYDVQQD\n" +
|
||||
"DBdzcC5zcHJpbmcuc2VjdXJpdHkuc2FtbDAeFw0xODA1MTQxNDMwNDRaFw0yODA1\n" +
|
||||
"MTExNDMwNDRaMIGEMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjES\n" +
|
||||
"MBAGA1UEBwwJVmFuY291dmVyMR0wGwYDVQQKDBRTcHJpbmcgU2VjdXJpdHkgU0FN\n" +
|
||||
"TDELMAkGA1UECwwCc3AxIDAeBgNVBAMMF3NwLnNwcmluZy5zZWN1cml0eS5zYW1s\n" +
|
||||
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRu7/EI0BlNzMEBFVAcbx+lLos\n" +
|
||||
"vzIWU+01dGTY8gBdhMQNYKZ92lMceo2CuVJ66cUURPym3i7nGGzoSnAxAre+0YIM\n" +
|
||||
"+U0razrWtAUE735bkcqELZkOTZLelaoOztmWqRbe5OuEmpewH7cx+kNgcVjdctOG\n" +
|
||||
"y3Q6x+I4qakY/9qhBQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAeViTvHOyQopWEi\n" +
|
||||
"XOfI2Z9eukwrSknDwq/zscR0YxwwqDBMt/QdAODfSwAfnciiYLkmEjlozWRtOeN+\n" +
|
||||
"qK7UFgP1bRl5qksrYX5S0z2iGJh0GvonLUt3e20Ssfl5tTEDDnAEUMLfBkyaxEHD\n" +
|
||||
"RZ/nbTJ7VTeZOSyRoVn5XHhpuJ0B\n" +
|
||||
"-----END CERTIFICATE-----");
|
||||
}
|
||||
|
||||
private static PrivateKey spPrivateKey() {
|
||||
return privateKey("-----BEGIN PRIVATE KEY-----\n" +
|
||||
"MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANG7v8QjQGU3MwQE\n" +
|
||||
"VUBxvH6Uuiy/MhZT7TV0ZNjyAF2ExA1gpn3aUxx6jYK5UnrpxRRE/KbeLucYbOhK\n" +
|
||||
"cDECt77Rggz5TStrOta0BQTvfluRyoQtmQ5Nkt6Vqg7O2ZapFt7k64Sal7AftzH6\n" +
|
||||
"Q2BxWN1y04bLdDrH4jipqRj/2qEFAgMBAAECgYEAj4ExY1jjdN3iEDuOwXuRB+Nn\n" +
|
||||
"x7pC4TgntE2huzdKvLJdGvIouTArce8A6JM5NlTBvm69mMepvAHgcsiMH1zGr5J5\n" +
|
||||
"wJz23mGOyhM1veON41/DJTVG+cxq4soUZhdYy3bpOuXGMAaJ8QLMbQQoivllNihd\n" +
|
||||
"vwH0rNSK8LTYWWPZYIECQQDxct+TFX1VsQ1eo41K0T4fu2rWUaxlvjUGhK6HxTmY\n" +
|
||||
"8OMJptunGRJL1CUjIb45Uz7SP8TPz5FwhXWsLfS182kRAkEA3l+Qd9C9gdpUh1uX\n" +
|
||||
"oPSNIxn5hFUrSTW1EwP9QH9vhwb5Vr8Jrd5ei678WYDLjUcx648RjkjhU9jSMzIx\n" +
|
||||
"EGvYtQJBAMm/i9NR7IVyyNIgZUpz5q4LI21rl1r4gUQuD8vA36zM81i4ROeuCly0\n" +
|
||||
"KkfdxR4PUfnKcQCX11YnHjk9uTFj75ECQEFY/gBnxDjzqyF35hAzrYIiMPQVfznt\n" +
|
||||
"YX/sDTE2AdVBVGaMj1Cb51bPHnNC6Q5kXKQnj/YrLqRQND09Q7ParX0CQQC5NxZr\n" +
|
||||
"9jKqhHj8yQD6PlXTsY4Occ7DH6/IoDenfdEVD5qlet0zmd50HatN2Jiqm5ubN7CM\n" +
|
||||
"INrtuLp4YHbgk1mi\n" +
|
||||
"-----END PRIVATE KEY-----");
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -22,7 +22,7 @@ import java.util.Map;
|
|||
import org.junit.Test;
|
||||
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
|
||||
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.web.util.UriUtils;
|
||||
|
||||
import static java.nio.charset.StandardCharsets.ISO_8859_1;
|
||||
|
|
@ -30,8 +30,8 @@ import static java.nio.charset.StandardCharsets.UTF_8;
|
|||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.opensaml.xmlsec.signature.support.SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
|
||||
import static org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects.getSigningCredential;
|
||||
import static org.springframework.security.saml2.credentials.TestSaml2X509Credentials.assertingPartySigningCredential;
|
||||
import static org.springframework.security.saml2.credentials.TestSaml2X509Credentials.relyingPartyVerifyingCredential;
|
||||
import static org.springframework.security.saml2.core.TestSaml2X509Credentials.assertingPartySigningCredential;
|
||||
import static org.springframework.security.saml2.core.TestSaml2X509Credentials.relyingPartyVerifyingCredential;
|
||||
|
||||
public class OpenSamlImplementationTests {
|
||||
|
||||
|
|
|
|||
|
|
@ -74,7 +74,7 @@ import org.opensaml.xmlsec.signature.support.SignatureException;
|
|||
import org.opensaml.xmlsec.signature.support.SignatureSupport;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
|
||||
final class TestOpenSamlObjects {
|
||||
private static OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
|
||||
|
|
@ -178,6 +178,13 @@ final class TestOpenSamlObjects {
|
|||
return cred;
|
||||
}
|
||||
|
||||
static Credential getSigningCredential(org.springframework.security.saml2.credentials.Saml2X509Credential credential, String entityId) {
|
||||
BasicCredential cred = getBasicCredential(credential);
|
||||
cred.setEntityId(entityId);
|
||||
cred.setUsageType(UsageType.SIGNING);
|
||||
return cred;
|
||||
}
|
||||
|
||||
static BasicCredential getBasicCredential(Saml2X509Credential credential) {
|
||||
return CredentialSupport.getSimpleCredential(
|
||||
credential.getCertificate(),
|
||||
|
|
@ -185,6 +192,13 @@ final class TestOpenSamlObjects {
|
|||
);
|
||||
}
|
||||
|
||||
static BasicCredential getBasicCredential(org.springframework.security.saml2.credentials.Saml2X509Credential credential) {
|
||||
return CredentialSupport.getSimpleCredential(
|
||||
credential.getCertificate(),
|
||||
credential.getPrivateKey()
|
||||
);
|
||||
}
|
||||
|
||||
static <T extends SignableSAMLObject> T signed(T signable, Saml2X509Credential credential, String entityId) {
|
||||
SignatureSigningParameters parameters = new SignatureSigningParameters();
|
||||
Credential signingCredential = getSigningCredential(credential, entityId);
|
||||
|
|
@ -201,6 +215,22 @@ final class TestOpenSamlObjects {
|
|||
return signable;
|
||||
}
|
||||
|
||||
static <T extends SignableSAMLObject> T signed(T signable, org.springframework.security.saml2.credentials.Saml2X509Credential credential, String entityId) {
|
||||
SignatureSigningParameters parameters = new SignatureSigningParameters();
|
||||
Credential signingCredential = getSigningCredential(credential, entityId);
|
||||
parameters.setSigningCredential(signingCredential);
|
||||
parameters.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
|
||||
parameters.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
|
||||
parameters.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
|
||||
try {
|
||||
SignatureSupport.signObject(signable, parameters);
|
||||
} catch (MarshallingException | SignatureException | SecurityException e) {
|
||||
throw new Saml2Exception(e);
|
||||
}
|
||||
|
||||
return signable;
|
||||
}
|
||||
|
||||
static EncryptedAssertion encrypted(Assertion assertion, Saml2X509Credential credential) {
|
||||
X509Certificate certificate = credential.getCertificate();
|
||||
Encrypter encrypter = getEncrypter(certificate);
|
||||
|
|
@ -212,6 +242,17 @@ final class TestOpenSamlObjects {
|
|||
}
|
||||
}
|
||||
|
||||
static EncryptedAssertion encrypted(Assertion assertion, org.springframework.security.saml2.credentials.Saml2X509Credential credential) {
|
||||
X509Certificate certificate = credential.getCertificate();
|
||||
Encrypter encrypter = getEncrypter(certificate);
|
||||
try {
|
||||
return encrypter.encrypt(assertion);
|
||||
}
|
||||
catch (EncryptionException e) {
|
||||
throw new Saml2Exception("Unable to encrypt assertion.", e);
|
||||
}
|
||||
}
|
||||
|
||||
static EncryptedID encrypted(NameID nameId, Saml2X509Credential credential) {
|
||||
X509Certificate certificate = credential.getCertificate();
|
||||
Encrypter encrypter = getEncrypter(certificate);
|
||||
|
|
@ -223,6 +264,17 @@ final class TestOpenSamlObjects {
|
|||
}
|
||||
}
|
||||
|
||||
static EncryptedID encrypted(NameID nameId, org.springframework.security.saml2.credentials.Saml2X509Credential credential) {
|
||||
X509Certificate certificate = credential.getCertificate();
|
||||
Encrypter encrypter = getEncrypter(certificate);
|
||||
try {
|
||||
return encrypter.encrypt(nameId);
|
||||
}
|
||||
catch (EncryptionException e) {
|
||||
throw new Saml2Exception("Unable to encrypt nameID.", e);
|
||||
}
|
||||
}
|
||||
|
||||
private static Encrypter getEncrypter(X509Certificate certificate) {
|
||||
String dataAlgorithm = XMLCipherParameters.AES_256;
|
||||
String keyAlgorithm = XMLCipherParameters.RSA_1_5;
|
||||
|
|
|
|||
|
|
@ -81,6 +81,14 @@ public class RelyingPartyRegistrationTests {
|
|||
.isFalse();
|
||||
assertThat(copy.getAssertionConsumerServiceBinding())
|
||||
.isEqualTo(registration.getAssertionConsumerServiceBinding());
|
||||
assertThat(copy.getDecryptionX509Credentials())
|
||||
.isEqualTo(registration.getDecryptionX509Credentials());
|
||||
assertThat(copy.getSigningX509Credentials())
|
||||
.isEqualTo(registration.getSigningX509Credentials());
|
||||
assertThat(copy.getAssertingPartyDetails().getEncryptionX509Credentials())
|
||||
.isEqualTo(registration.getAssertingPartyDetails().getEncryptionX509Credentials());
|
||||
assertThat(copy.getAssertingPartyDetails().getVerificationX509Credentials())
|
||||
.isEqualTo(registration.getAssertingPartyDetails().getVerificationX509Credentials());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
|||
|
|
@ -26,14 +26,14 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.converter.RsaKeyConverters;
|
||||
import org.springframework.security.saml2.credentials.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
|
||||
|
||||
import static org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION;
|
||||
import static org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.SIGNING;
|
||||
import static org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.SIGNING;
|
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION;
|
||||
|
||||
@EnableWebSecurity
|
||||
@EnableGlobalMethodSecurity(prePostEnabled = true)
|
||||
|
|
@ -56,11 +56,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
return RelyingPartyRegistration.withRegistrationId(registrationId)
|
||||
.entityId(localEntityIdTemplate)
|
||||
.assertionConsumerServiceLocation(acsUrlTemplate)
|
||||
.credentials(c -> c.add(signingCredential))
|
||||
.signingX509Credentials(c -> c.add(signingCredential))
|
||||
.assertingPartyDetails(config -> config
|
||||
.entityId(idpEntityId)
|
||||
.singleSignOnServiceLocation(webSsoEndpoint))
|
||||
.credentials(c -> c.add(idpVerificationCertificate))
|
||||
.singleSignOnServiceLocation(webSsoEndpoint)
|
||||
.verificationX509Credentials(c -> c.add(idpVerificationCertificate)))
|
||||
.build();
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue