Repository: syncope Updated Branches: refs/heads/2_0_X 5160df7ba -> 6b3ace024
SYNCOPE-1194 - Sign the SAML SSO Service Provider Metadata Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/919584f3 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/919584f3 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/919584f3 Branch: refs/heads/2_0_X Commit: 919584f3f780a54b3447dd4f397a29eea438af94 Parents: 5160df7 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Aug 11 11:59:08 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Aug 11 13:15:33 2017 +0100 ---------------------------------------------------------------------- .../apache/syncope/core/logic/SAML2SPLogic.java | 1 + .../core/logic/saml2/SAML2ReaderWriter.java | 3 +-- .../org/apache/syncope/fit/core/SAML2ITCase.java | 18 ++++++++++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/919584f3/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java ----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 87b7eb6..31ef8c4 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -200,6 +200,7 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 }
 spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+ saml2rw.sign(spEntityDescriptor);
 saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
 } catch (Exception e) {
http://git-wip-us.apache.org/repos/asf/syncope/blob/919584f3/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java ----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index 62e90e7..22b0fd1 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -151,14 +151,13 @@ public class SAML2ReaderWriter {
 return responseObject;
 }
- public void sign(final RequestAbstractType request) throws SecurityException {
+ public void sign(final SignableSAMLObject signableObject) throws SecurityException {
 org.opensaml.xmlsec.signature.Signature signature = OpenSAMLUtil.buildSignature();
 signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
 signature.setSignatureAlgorithm(sigAlgo);
 signature.setSigningCredential(loader.getCredential());
 signature.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
- SignableSAMLObject signableObject = (SignableSAMLObject) request;
 signableObject.setSignature(signature);
 signableObject.releaseDOM();
 signableObject.releaseChildrenDOM(true);
http://git-wip-us.apache.org/repos/asf/syncope/blob/919584f3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java ----------------------------------------------------------------------
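Review bot: The enveloped signature that `saml2rw.sign(spEntityDescriptor)` attaches is referenced through the EntityDescriptor's ID, and whether an ID is set on `spEntityDescriptor` is outside this hunk. As far as I recall OpenSAML's content reference, a null `getSignatureReferenceID()` produces an empty reference URI (the whole document), which is valid XML-DSig but not what metadata consumers that resolve the reference by ID attribute expect. Worth confirming that the ID is assigned earlier in this method, or adding `spEntityDescriptor.setID(<generated id>);` before the sign call together with a comment saying the signature reference depends on it. The enclosing method starts and ends outside the hunk.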
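Review bot: `sign(final SignableSAMLObject signableObject)` carries no Javadoc, and its name promises more than the visible body does: the lines shown build a Signature with exclusive C14N, `sigAlgo` and the loader credential plus KeyInfo, attach it, and release the cached DOM; the signature value itself appears to be computed only when the object is marshalled (the `write(..., true)` call in SAML2SPLogic), which a caller should be told. Suggest a Javadoc stating that the method attaches a Signature to the given object and drops its cached DOM so the signature is computed on the next marshalling, that it does not compute the signature value itself, and a `@throws SecurityException` clause for the KeyInfo generation, as far as this hunk shows. The method's closing brace lies beyond the hunk.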
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
index 6967e73..e8a5add 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
@@ -30,9 +30,12 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.xml.namespace.QName;
+
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.collections4.IterableUtils;
 import org.apache.commons.collections4.Predicate;
@@ -68,6 +71,7 @@ import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.common.util.Loader;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.xml.security.signature.XMLSignature;
 import org.joda.time.DateTime;
 import org.junit.AfterClass;
 import org.junit.Assume;
@@ -75,6 +79,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -143,6 +148,19 @@ public class SAML2ITCase extends AbstractITCase {
 new InputStreamReader((InputStream) response.getEntity(), StandardCharsets.UTF_8));
 assertEquals("EntityDescriptor", responseDoc.getDocumentElement().getLocalName());
 assertEquals("urn:oasis:names:tc:SAML:2.0:metadata", responseDoc.getDocumentElement().getNamespaceURI());
+
+ // Get the signature
+ QName signatureQName = new QName(SignatureConstants.XMLSIG_NS, "Signature");
+ Element signatureElement =
+ DOMUtils.getFirstChildWithName(responseDoc.getDocumentElement(), signatureQName);
+ assertNotNull(signatureElement);
+
+ // Validate the signature
+ XMLSignature signature = new XMLSignature(signatureElement, null);
+ KeyStore keystore = KeyStore.getInstance("JKS");
+ keystore.load(Loader.getResourceAsStream("keystore"), "changeit".toCharArray());
+ assertTrue(signature.checkSignatureValue((X509Certificate)keystore.getCertificate("sp")));
+
 } catch (Exception e) {
 LOG.error("During SAML 2.0 SP metadata parsing", e);
 fail(e.getMessage());
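Review bot: `keystore.load(Loader.getResourceAsStream("keystore"), "changeit".toCharArray())` never closes the stream it opens; since `InputStream` is already imported, wrap it as `try (InputStream is = Loader.getResourceAsStream("keystore")) { keystore.load(is, "changeit".toCharArray()); }`. Separately, `assertTrue(signature.checkSignatureValue(...))` proves the signature verifies under the "sp" certificate but does not pin which element the Reference covers; an assertion that the Signature's single Reference URI is either empty or `#` followed by the EntityDescriptor's ID would make the test fail if the signature ever ended up over a sub-element. Minor style: `(X509Certificate)keystore` wants a space after the cast to match the rest of the file. The test method begins before this hunk.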