Author: dimuthul
Date: Wed Feb 20 20:52:25 2008
New Revision: 13924
Log:
Fixing a bug in SAML implementation. Regulating the implementation.
Added:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/X509CredentialImpl.java
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/X509CredentialUtil.java
Removed:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SelfSignVerficationKeyHolder.java
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SignVerificationKeyHolder.java
Modified:
trunk/solutions/identity/modules/samples/access-control/src/main/webapp/WEB-INF/web.xml
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyData.java
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/IssuerCertificateUtil.java
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenConsumer.java
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenVerifier.java
trunk/solutions/identity/modules/user-ui/src/main/webapp/WEB-INF/web.xml
Modified:
trunk/solutions/identity/modules/samples/access-control/src/main/webapp/WEB-INF/web.xml
==============================================================================
---
trunk/solutions/identity/modules/samples/access-control/src/main/webapp/WEB-INF/web.xml
(original)
+++
trunk/solutions/identity/modules/samples/access-control/src/main/webapp/WEB-INF/web.xml
Wed Feb 20 20:52:25 2008
@@ -27,6 +27,18 @@
<param-value>JKS</param-value>
</init-param>
<init-param>
+ <param-name>TrustedIdP.KeyStore</param-name>
+ <param-value>../../../../conf/wso2is.jks</param-value>
+ </init-param>
+ <init-param>
+ <param-name>TrustedIdP.StorePass</param-name>
+ <param-value>wso2is</param-value>
+ </init-param>
+ <init-param>
+ <param-name>TrustedIdP.StoreType</param-name>
+ <param-value>JKS</param-value>
+ </init-param>
+ <init-param>
<param-name>MultiValueClaimsPolicy</param-name>
<param-value>MultiValueClaimsAllowed</param-value>
</init-param>
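Review bot: The trust-store password `wso2is` is committed in clear text at the `TrustedIdP.StorePass` init-param, so it ships inside the WAR and lives in version control alongside the keystore path. Even for a sample webapp, the value should be read from an environment variable or a container-managed property rather than the descriptor, or at minimum carry an XML comment such as `<!-- Default sample password; MUST be changed before any deployment -->` next to it. RelyingPartyData (elsewhere in this commit) also echoes this password into a ServletException message, so leaking it here compounds that.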
Modified:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyData.java
==============================================================================
---
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyData.java
(original)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyData.java
Wed Feb 20 20:52:25 2008
@@ -1,5 +1,6 @@
package org.wso2.solutions.identity.relyingparty.servletfilter;
+import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
@@ -13,6 +14,8 @@
public class RelyingPartyData {
+ private KeyStore systemStore = null;
+
private PrivateKey privateKey = null;
private String validatePolicy = null;
@@ -21,6 +24,7 @@
private KeyStore trustStore = null;
+
/**
* One array contains one DN name
*/
@@ -31,10 +35,6 @@
*/
private List[] whiteList = null;
- /**
- * jre/lib/security/cacert keystore's password
- */
- private String defaultStorePass = null;
/**
@@ -124,16 +124,38 @@
trustStore.load(new FileInputStream(realPath), IdPStorePass
.toCharArray());
} catch (Exception e) {
- // TODO
+ throw new ServletException("Cannot load truted store"+
IdPstoreFilePath +" and "+IdPStorePass);
}
- defaultStorePass = filterConfig
+ String defaultStorePass = filterConfig
.getInitParameter(TokenVerifierConstants.SYSTEM_KEY_STORE_PASS);
-
if (defaultStorePass == null) {
// assume that it hasn't been changed
defaultStorePass = "changeit";
}
+
+
+ String javaHome = System.getenv("JAVA_HOME");
+ if (javaHome == null) {
+ throw new ServletException("Cannot find JAVA_HOME");
+ }
+ String relativePath = null;
+
+ if (File.separator.equals("/")) {
+ relativePath = TokenVerifierConstants.CACERTS_STORE_UNIX;
+ } else {
+ relativePath = TokenVerifierConstants.CACERTS_STORE_WIN;
+ }
+ String defaultKeyStore = javaHome + relativePath;
+
+ try {
+ FileInputStream is = new FileInputStream(defaultKeyStore);
+ KeyStore sysKS = KeyStore.getInstance("JKS");
+ sysKS.load(is, defaultStorePass.toCharArray());
+ } catch (Exception e) {
+ throw new ServletException("Cannot load system key store");
+ }
+
}
}
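Review bot: The system keystore loaded at the `KeyStore sysKS = KeyStore.getInstance("JKS")` / `sysKS.load(...)` lines is stored in a local and discarded, while the new `systemStore` field added at the top of the class is never assigned, so `getSystemStore()` returns null and `IssuerCertificateUtil.checkSystemStoree` will dereference it; the intended lines are `systemStore = KeyStore.getInstance("JKS"); systemStore.load(is, defaultStorePass.toCharArray());` with `is.close()` in a finally block. The new `throw new ServletException("Cannot load truted store"+ IdPstoreFilePath +" and "+IdPStorePass)` embeds the truststore password in an exception message that containers typically log or render, and drops the cause; prefer `throw new ServletException("Cannot load trusted store " + IdPstoreFilePath, e);`. The `FileInputStream` on the trust store (context line above) is not closed either. The enclosing constructor/initializer begins before this hunk.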
@@ -184,16 +206,15 @@
public void setWhiteList(List[] whiteList) {
this.whiteList = whiteList;
}
-
- public String getDefaultStorePass() {
- return defaultStorePass;
+
+ public KeyStore getSystemStore() {
+ return systemStore;
}
- public void setDefaultStorePass(String defaultStorePass) {
- this.defaultStorePass = defaultStorePass;
+ public void setSystemStore(KeyStore systemStore) {
+ this.systemStore = systemStore;
}
-
-
+
private List[] readBlackWhiteList(String paramString) {
List[] dnList = null;
String[] array = paramString.split("\\},\\{");
Modified:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/IssuerCertificateUtil.java
==============================================================================
---
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/IssuerCertificateUtil.java
(original)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/IssuerCertificateUtil.java
Wed Feb 20 20:52:25 2008
@@ -1,8 +1,5 @@
package org.wso2.solutions.identity.saml.relyingparty;
-import java.io.File;
-import java.io.FileInputStream;
-import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -11,10 +8,11 @@
import org.apache.ws.security.components.crypto.X509NameTokenizer;
import org.wso2.solutions.identity.relyingparty.RelyingPartyException;
-import org.wso2.solutions.identity.relyingparty.TokenVerifierConstants;
public class IssuerCertificateUtil {
+
+
/**
* This method is suppose to do the certificate validation. It should check
* for four things
@@ -28,57 +26,25 @@
* 4) Does the domain name specified in the server's DN match the server's
* actual DN?
*/
- public static void doCertValidation(X509Certificate signedCert,
- String tokenIssuerName, String defaultStorePass, KeyStore
trustStore)
+ public static boolean checkSystemStoree(X509Certificate signedCert,
+ KeyStore trustStore, KeyStore systemStore)
throws Exception {
boolean isCertValid = false;
- URI uri = new URI(tokenIssuerName);
- String tokenIssuerHostName = uri.getHost();
- if (tokenIssuerHostName == null) {
- throw new RelyingPartyException("invalidIssuerName");
- }
-
String certIssuerName = signedCert.getIssuerDN().getName();
// validity period
signedCert.checkValidity();
// is Trusted? checking in System store.
- boolean isContained = false;
try {
- String javaHome = System.getenv("JAVA_HOME");
- if (javaHome == null) {
- throw new Exception("Cannot find JAVA_HOME");
- }
- String relativePath = null;
-
- if (File.separator.equals("/")) {
- relativePath = TokenVerifierConstants.CACERTS_STORE_UNIX;
- } else {
- relativePath = TokenVerifierConstants.CACERTS_STORE_WIN;
- }
- String defaultKeyStore = javaHome + relativePath;
-
- FileInputStream is = new FileInputStream(defaultKeyStore);
- KeyStore sysKS = KeyStore.getInstance("JKS");
- sysKS.load(is, defaultStorePass.toCharArray());
- if (sysKS != null) {
- isContained = sysKS.containsAlias(certIssuerName);
- }
+ isCertValid = systemStore.containsAlias(certIssuerName);
} catch (Exception e) {
throw new RelyingPartyException("errorLoadingTrustedKeystore", e);
}
- // is Trusted? checking in our store
- if (!isContained) {
- isContained = trustStore.containsAlias(tokenIssuerHostName);
- }
-
- if (isContained == false) {
- throw new RelyingPartyException("certificateNotTrusted");
- }
+ return isCertValid;
/*
* if (isContained) { //is Subject dn match the issuer name extracted
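Review bot: `checkSystemStoree` decides trust with `systemStore.containsAlias(certIssuerName)`, i.e. whether a keystore alias string equals the certificate's issuer DN; that neither validates the chain (a self-signed certificate can carry any issuer DN it likes) nor, as far as can be told here, matches how cacerts aliases are named, so it is either always false or trivially forgeable. The `trustStore` parameter is now unused, the Javadoc above still promises four checks that the body does not perform, and the method name has a typo (`Storee`). Doing a real PKIX validation against anchors drawn from both stores needs `java.security.cert.CertPath`, `CertPathValidator`, `CertPathValidatorException`, `PKIXParameters`, `TrustAnchor`, `CertificateFactory` and `java.util.*`; a minimal version is below. The method's tail (the commented-out block and closing brace) is outside this hunk.
```java
public static boolean checkSystemStoree(X509Certificate signedCert,
        KeyStore trustStore, KeyStore systemStore) throws Exception {
    signedCert.checkValidity();
    // Validate a certificate path instead of comparing an issuer DN
    // against keystore aliases; alias presence proves nothing about the chain.
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    CertPath path = cf.generateCertPath(Collections.singletonList(signedCert));
    Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    for (KeyStore ks : new KeyStore[] { systemStore, trustStore }) {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor(
                        (X509Certificate) ks.getCertificate(alias), null));
            }
        }
    }
    PKIXParameters params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false); // no CRL/OCSP source is configured here
    try {
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return true;
    } catch (CertPathValidatorException ex) {
        return false;
    }
    // … unchanged: commented-out subject/issuer matching block …
}
```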
Modified:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenConsumer.java
==============================================================================
---
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenConsumer.java
(original)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenConsumer.java
Wed Feb 20 20:52:25 2008
@@ -74,7 +74,7 @@
boolean isAllSuccess = false;
- if (verifier.verifyDecryptedToken(plainTokenElem,
data.getTrustStore())) {
+ if (verifier.verifyDecryptedToken(plainTokenElem, data)) {
if (validateIssuerInfoPolicy(verifier, data)) {
isAllSuccess = true;
}
@@ -115,30 +115,7 @@
} else if (issuerPolicy.equals(TokenVerifierConstants.SELF_ONLY)) {
// not a self issued card when self only
validated = false;
- } else if (validatePolicy
- .equals(TokenVerifierConstants.PROMISCUOUS)) {
- validated = true;
- } else if
(validatePolicy.equals(TokenVerifierConstants.BLACK_LIST)) {
- X509Certificate signedCert = verifier.getSigningCert();
- IssuerCertificateUtil.doCertValidation(signedCert, issuerName,
- data.getDefaultStorePass(), data.getTrustStore());
- if (IssuerCertificateUtil.doBlackListCheck(data.getBlackList(),
- verifier.getSigningCert())) {
- validated = true;
- }
- } else if
(validatePolicy.equals(TokenVerifierConstants.WHITE_LIST)) {
- X509Certificate signedCert = verifier.getSigningCert();
- IssuerCertificateUtil.doCertValidation(signedCert, issuerName,
- data.getDefaultStorePass(), data.getTrustStore());
- if (IssuerCertificateUtil.doWhiteListCheck(data.getWhiteList(),
- verifier.getSigningCert())) {
- validated = true;
- }
- } else if (validatePolicy
- .equals(TokenVerifierConstants.CERT_VALIDATE)) {
- X509Certificate signedCert = verifier.getSigningCert();
- IssuerCertificateUtil.doCertValidation(signedCert, issuerName,
- data.getDefaultStorePass(), data.getTrustStore());
+ } else {
validated = true;
}
} catch (Exception e) {
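Review bot: The collapsed branch `} else { validated = true; }` now accepts every token regardless of `validatePolicy`, whereas the removed chain had no trailing `else`, so an unrecognised or misconfigured policy string previously left `validated` false; that implicit fail-closed is gone and nothing in this hunk documents that the certificate checks moved into `SAMLTokenVerifier.verifyDecryptedToken`. Consider restoring the guard explicitly, e.g. `} else if (TokenVerifierConstants.PROMISCUOUS.equals(validatePolicy) || TokenVerifierConstants.BLACK_LIST.equals(validatePolicy) || TokenVerifierConstants.WHITE_LIST.equals(validatePolicy) || TokenVerifierConstants.CERT_VALIDATE.equals(validatePolicy)) { validated = true; }`, and add a comment above it: `// Issuer certificate validation (validity, system store, black/white list) is done in SAMLTokenVerifier.verifyDecryptedToken.` The `X509Certificate` import and `issuerName` local may now be unused in this method; the method starts before and ends after this hunk.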
Modified:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenVerifier.java
==============================================================================
---
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenVerifier.java
(original)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/SAMLTokenVerifier.java
Wed Feb 20 20:52:25 2008
@@ -20,7 +20,6 @@
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
-import java.math.BigInteger;
import java.net.URI;
import java.security.KeyStore;
import java.security.PrivateKey;
@@ -40,13 +39,7 @@
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.XMLCipher;
-import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.EncryptionConstants;
-import org.opensaml.xml.security.x509.X509Credential;
-import org.opensaml.xml.signature.Exponent;
-import org.opensaml.xml.signature.KeyValue;
-import org.opensaml.xml.signature.Modulus;
-import org.opensaml.xml.signature.RSAKeyValue;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Document;
@@ -55,13 +48,14 @@
import org.wso2.solutions.identity.i18n.Messages;
import org.wso2.solutions.identity.relyingparty.RelyingPartyException;
import org.wso2.solutions.identity.relyingparty.TokenVerifierConstants;
+import org.wso2.solutions.identity.relyingparty.servletfilter.RelyingPartyData;
import org.wso2.solutions.identity.saml.relyingparty.tokens.SAML1TokenHolder;
import org.wso2.solutions.identity.saml.relyingparty.tokens.SAML2TokenHolder;
import org.wso2.solutions.identity.saml.relyingparty.tokens.TokenHolder;
/**
- * A SAML token is sent to a web application in a CardSpace login attempt
- * and this can be used for decryption and verification of those tokens.
+ * A SAML token is sent to a web application in a CardSpace login attempt and
+ * this can be used for decryption and verification of those tokens.
*/
public class SAMLTokenVerifier {
@@ -87,10 +81,13 @@
}
/**
- * Decrypt the given token (as a <code>java.lang.String</code> with the
+ * Decrypt the given token (as a <code>java.lang.String</code> with the
* given private key.
- * @param token Serialized SAML token
- * @param serviceKey Private key to be used for decryption.
+ *
+ * @param token
+ * Serialized SAML token
+ * @param serviceKey
+ * Private key to be used for decryption.
* @return Decrypted SAML token element.
* @throws RelyingPartyException
*/
@@ -121,24 +118,26 @@
}
/**
- * This method performs two actions
- * 1) Decrypt the token
- * 2) Verify the token
- * @param decryptedElem SAML token element
+ * This method performs two actions 1) Decrypt the token 2) Verify the
token
+ *
+ * @param decryptedElem
+ * SAML token element
* @return true if verification is successful and false if unsuccessful.
* @throws SAMLException
*/
public boolean verifyDecryptedToken(Element decryptedElem,
- KeyStore trustStore) throws RelyingPartyException {
+ RelyingPartyData rpData) throws RelyingPartyException {
+ boolean isValid = true;
if (log.isDebugEnabled()) {
log.debug(messages.getMessage("verifyingDecryptedToken"));
}
- if (true) {
+ if (log.isDebugEnabled()) {
try {
String val = DOM2Writer.nodeToString(decryptedElem);
- FileWriter writer = new FileWriter(new File("stuff.xml"));
+ log.debug(val);
+ FileWriter writer = new FileWriter(new File("last_msg.xml"));
writer.write(val.toCharArray());
writer.flush();
writer.close();
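Review bot: With debug logging on, the decrypted assertion — the user's claims in clear — is written to `last_msg.xml` in the process working directory by `new FileWriter(new File("last_msg.xml"))`, in addition to being logged; the file is created with default permissions, is overwritten on every request, and `writer` is not closed if `write` throws. Since `log.debug(val)` already captures the message, drop the four `FileWriter` lines entirely, or if a file dump is really wanted, close the writer in a finally block and put it under a dedicated, off-by-default switch rather than the logger level. This method continues beyond the hunk.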
@@ -151,10 +150,9 @@
String version = decryptedElem.getNamespaceURI();
TokenHolder holder = null;
- if (version.equals(IdentityConstants.SAML10_URL)) {
+ if (version.equals(IdentityConstants.SAML10_URL)
+ || version.equals(IdentityConstants.SAML11_URL)) {
holder = new SAML1TokenHolder();
- } else if (version.equals(IdentityConstants.SAML11_URL)) {
-
} else if (version.equals(IdentityConstants.SAML20_URL)) {
holder = new SAML2TokenHolder();
}
@@ -166,57 +164,83 @@
}
Signature sig = holder.getSAMLSignature();
- X509Credential credential = null;
+ X509CredentialImpl credential = null;
if (issuerName.equals(IdentityConstants.SELF_ISSUED_ISSUER)) {
+ credential = (X509CredentialImpl) X509CredentialUtil
+ .loadCredentialFromSignature(sig);
+ this.keyInfoElement = sig.getKeyInfo().getDOM();
+ } else {
- List<KeyValue> keyValueList = sig.getKeyInfo().getKeyValues();
-
- // TODO : with the latest code it
- // does not set the value of keyInfoElement - which prevents
- // users registering self-issued infocards and signing up
- // with self-issued infocards.
- keyInfoElement = sig.getKeyInfo().getDOM();
+ String alias = null;
+ URI uri = new URI(issuerName);
+ alias = uri.getHost();
- if (keyValueList.size() > 1) {
- throw new RelyingPartyException("invalidKeyValueCount");
- }
+ KeyStore trustStore = rpData.getTrustStore();
+ KeyStore systemStore = rpData.getSystemStore();
- KeyValue val = (KeyValue) keyValueList.get(0);
- RSAKeyValue rsaKey = val.getRSAKeyValue();
+ credential = (X509CredentialImpl) X509CredentialUtil
+ .loadCredentialFromTrustStore(alias, trustStore);
- Element elem = rsaKey.getDOM();
+ String validationPolicy = rpData.getValidatePolicy();
- Element modElem = (Element) elem.getElementsByTagName(
- Modulus.DEFAULT_ELEMENT_LOCAL_NAME).item(0);
- Element expElem = (Element) elem.getElementsByTagName(
- Exponent.DEFAULT_ELEMENT_LOCAL_NAME).item(0);
-
- BigInteger mod = Base64.decodeBigIntegerFromElement(modElem);
- BigInteger exp = Base64.decodeBigIntegerFromElement(expElem);
-
- credential = new SelfSignVerficationKeyHolder();
- ((SelfSignVerficationKeyHolder) credential).setPublicKey(mod,
- exp);
+ boolean isLoadedFromMessage = false;
+ if (credential == null) {
+ credential = (X509CredentialImpl) X509CredentialUtil
+ .loadCredentialFromSignature(sig);
- } else {
- String alias = null;
- URI uri = new URI(issuerName);
- alias = uri.getHost();
- credential = new SignVerificationKeyHolder(trustStore, alias);
- }
+ if (credential == null)
+ throw new Exception("");
+
+ isLoadedFromMessage = true;
+ }
- SignatureValidator validator = new SignatureValidator(credential);
- validator.validate(sig);
+ this.signingCert = credential.getSigningCert();
- if (!issuerName.equals(IdentityConstants.SELF_ISSUED_ISSUER)) {
- this.signingCert = credential.getEntityCertificate();
- this.certificates = (List) credential
- .getEntityCertificateChain();
+ if (!validationPolicy
+ .equals(TokenVerifierConstants.PROMISCUOUS)) {
+
+ if (signingCert == null)
+ throw new Exception("");
+
+ /*
+ do certificate validation
+ for blacklist, whitelist and cert-validity
+ */
+
+ signingCert.checkValidity();
+
+ if (isLoadedFromMessage) {
+
if(!IssuerCertificateUtil.checkSystemStoree(signingCert,
+ trustStore, systemStore)){
+ isValid = false;
+ }
+ }
+
+ if (validationPolicy
+ .equals(TokenVerifierConstants.BLACK_LIST)) {
+ if(!IssuerCertificateUtil.doBlackListCheck(rpData
+ .getBlackList(), signingCert)){
+ isValid = false;
+ }
+ }
+
+ if (validationPolicy
+ .equals(TokenVerifierConstants.WHITE_LIST)) {
+ if(!IssuerCertificateUtil.doWhiteListCheck(rpData
+ .getWhiteList(), signingCert)){
+ isValid = false;
+ }
+ }
+ }
}
- holder.populateAttributeTable(this.attributeTable);
-
+ if(isValid){
+ SignatureValidator validator = new
SignatureValidator(credential);
+ validator.validate(sig);
+ holder.populateAttributeTable(this.attributeTable);
+ }
+
} catch (Exception e) {
log.debug(e);
throw new RelyingPartyException("errorInTokenVerification",
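Review bot: For a non-self-issued token whose issuer host is not an alias in the trust store, `credential` is rebuilt from the token's own KeyInfo (`loadCredentialFromSignature(sig)`), so the key the signature is then checked against is attacker-controlled; under PROMISCUOUS nothing further is checked, and otherwise the only gate is `checkSystemStoree`, which in this commit is an alias-name lookup rather than a chain validation. Both failure paths use `throw new Exception("")`, which the catch below wraps as errorInTokenVerification with no usable diagnostic; use `throw new RelyingPartyException("issuerCredentialNotFound");` where `credential == null` and `throw new RelyingPartyException("signingCertificateMissing");` where `signingCert == null` (the latter is hit whenever a non-self-issued KeyInfo carries only an RSAKeyValue). A comment such as `// isLoadedFromMessage: key came from the token itself, not from a trusted store` above the `isLoadedFromMessage` flag would make the trust boundary visible. `rpData.getValidatePolicy()` is dereferenced with `.equals` without a null check; whether RelyingPartyData guarantees a default cannot be seen here. verifyDecryptedToken starts in an earlier hunk and ends after this one.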
@@ -227,8 +251,8 @@
log.debug(messages.getMessage("verifyingDecryptedTokenDone"));
}
- // If we reach this point ... everything is fine :D
- return true;
+ // everything is fine :D
+ return isValid;
}
private Element decryptElement(PrivateKey privKey, Element encryptedToken)
@@ -270,7 +294,8 @@
/**
* Returns the list of attributes extracted from the
SAMLAttributeStatements
* in the verified SAML assertion.
- * @return List of attributes as a <code>java.util.Hashtable</code>
+ *
+ * @return List of attributes as a <code>java.util.Hashtable</code>
*/
public Hashtable getAttributeTable() {
return attributeTable;
Added:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/X509CredentialImpl.java
==============================================================================
--- (empty file)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/X509CredentialImpl.java
Wed Feb 20 20:52:25 2008
@@ -0,0 +1,115 @@
+package org.wso2.solutions.identity.saml.relyingparty;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.RSAPublicKeySpec;
+import java.util.Collection;
+
+import javax.crypto.SecretKey;
+
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.CredentialContextSet;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.X509Credential;
+
+/**
+ * X509Credential implementation for signature verification of self issued
tokens.
+ * The key is constructed from modulus and exponent
+ */
+public class X509CredentialImpl implements X509Credential {
+
+ private PublicKey publicKey = null;
+ private X509Certificate signingCert = null;
+ //cert chain
+
+ /**
+ * The key is constructed form modulus and exponent.
+ * @param modulus
+ * @param publicExponent
+ * @throws NoSuchAlgorithmException
+ * @throws InvalidKeySpecException
+ */
+ public X509CredentialImpl(BigInteger modulus, BigInteger publicExponent)
+ throws NoSuchAlgorithmException, InvalidKeySpecException {
+ RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, publicExponent);
+ KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+ publicKey = keyFactory.generatePublic(spec);
+ }
+
+ public X509CredentialImpl(X509Certificate cert) {
+ publicKey = cert.getPublicKey();
+ signingCert = cert;
+ }
+
+ /**
+ * Retrieves the publicKey
+ */
+ public PublicKey getPublicKey() {
+ return publicKey;
+ }
+
+
+ public X509Certificate getSigningCert() {
+ return signingCert;
+ }
+
+ public X509Certificate getEntityCertificate() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ // ********** Not implemented
**************************************************************
+ public Collection<X509CRL> getCRLs() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+
+
+ public Collection<X509Certificate> getEntityCertificateChain() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public CredentialContextSet getCredentalContextSet() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public Class<? extends Credential> getCredentialType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public String getEntityId() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public Collection<String> getKeyNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public PrivateKey getPrivateKey() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public SecretKey getSecretKey() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public UsageType getUsageType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+}
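Review bot: `getEntityCertificate()` returns null even when the instance was built from a certificate (the `X509CredentialImpl(X509Certificate cert)` constructor stores it in `signingCert`), and `getEntityCertificateChain()` returns null rather than an empty collection, so any OpenSAML code path that consults the credential's certificate rather than its bare public key sees nothing. Return the stored value: `return signingCert;` in `getEntityCertificate()`, and `return signingCert == null ? Collections.<X509Certificate>emptyList() : Collections.singletonList(signingCert);` in `getEntityCertificateChain()` (needs `java.util.Collections`); `getCredentialType()` can likewise `return X509Credential.class;`. The class Javadoc says the credential is for self-issued tokens built from modulus and exponent, but the certificate constructor is used for trust-store and message-supplied certificates as well, so the summary should say so.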
Added:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/X509CredentialUtil.java
==============================================================================
--- (empty file)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/saml/relyingparty/X509CredentialUtil.java
Wed Feb 20 20:52:25 2008
@@ -0,0 +1,91 @@
+package org.wso2.solutions.identity.saml.relyingparty;
+
+import java.io.ByteArrayInputStream;
+import java.math.BigInteger;
+import java.security.KeyStore;
+import java.security.cert.CertificateFactory;
+import java.util.Iterator;
+import java.util.List;
+
+import org.apache.xml.security.utils.Base64;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Exponent;
+import org.opensaml.xml.signature.KeyInfo;
+import org.opensaml.xml.signature.KeyValue;
+import org.opensaml.xml.signature.Modulus;
+import org.opensaml.xml.signature.RSAKeyValue;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.X509Certificate;
+import org.opensaml.xml.signature.X509Data;
+import org.w3c.dom.Element;
+import org.wso2.solutions.identity.relyingparty.RelyingPartyException;
+
+public class X509CredentialUtil {
+
+ public static KeyStore systemKeyStore = null;
+
+ public static X509Credential loadCredentialFromTrustStore(String alias,
KeyStore trustStore) throws Exception{
+ X509Credential credential = null;
+ java.security.cert.X509Certificate cert = null;
+ if(trustStore.containsAlias(alias)){
+ cert =
(java.security.cert.X509Certificate)trustStore.getCertificate(alias);
+ credential = new X509CredentialImpl(cert);
+ }
+ return credential;
+ }
+
+ public static X509Credential loadCredentialFromSignature(
+ Signature signature) throws Exception {
+ X509Credential credential = null;
+ KeyInfo kinfo = signature.getKeyInfo();
+
+ if(kinfo == null){
+ // log.debug(); xxxx
+ return null;
+ }
+
+ List<X509Data> dataList = kinfo.getX509Datas();
+ List<KeyValue> keyValueList = kinfo.getKeyValues();
+
+ if (dataList.size() > 0) {
+ if (dataList.size() > 1) {
+ throw new RelyingPartyException("invalidKeyValueCount");
+ }
+ X509Data data = dataList.get(0);
+ List<X509Certificate> certList = data.getX509Certificates();
+ Iterator ite = certList.iterator();
+ while(ite.hasNext()){
+ X509Certificate certElem = (X509Certificate)ite.next();
+ String certValue = certElem.getValue();
+ byte[] certInBytes = Base64.decode(certValue);
+ ByteArrayInputStream bis = new
ByteArrayInputStream(certInBytes);
+ CertificateFactory factory =
CertificateFactory.getInstance("X509");
+ java.security.cert.X509Certificate x509Cert =
(java.security.cert.X509Certificate)factory.generateCertificate(bis);
+ credential = new X509CredentialImpl(x509Cert);
+ }
+ } else if (keyValueList.size() > 0) {
+ if (keyValueList.size() > 1) {
+ throw new RelyingPartyException("invalidKeyValueCount");
+ }
+
+ KeyValue val = (KeyValue) keyValueList.get(0);
+ RSAKeyValue rsaKey = val.getRSAKeyValue();
+
+ Element elem = rsaKey.getDOM();
+
+ Element modElem = (Element) elem.getElementsByTagName(
+ Modulus.DEFAULT_ELEMENT_LOCAL_NAME).item(0);
+ Element expElem = (Element) elem.getElementsByTagName(
+ Exponent.DEFAULT_ELEMENT_LOCAL_NAME).item(0);
+
+ BigInteger mod = Base64.decodeBigIntegerFromElement(modElem);
+ BigInteger exp = Base64.decodeBigIntegerFromElement(expElem);
+ credential = new X509CredentialImpl(mod, exp);
+ }else{
+ // log.error("Unknow key "); log stuff xxxx
+ }
+
+ return credential;
+ }
+
+}
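Review bot: In `loadCredentialFromSignature` the `while(ite.hasNext())` loop over `data.getX509Certificates()` overwrites `credential` on every iteration, so when the KeyInfo carries a chain the last certificate listed — typically an intermediate or root, since XML-DSig fixes no order — becomes the "signing" certificate and the rest of the chain is discarded. Pick the end-entity certificate explicitly (the one no other listed certificate was issued by), as below; this needs `java.util.ArrayList`. Separately, `public static KeyStore systemKeyStore` is an unused mutable public static that should be removed, and the `// log.debug(); xxxx` placeholders should become real log statements or be dropped before commit.
```java
List<X509Certificate> certList = data.getX509Certificates();
CertificateFactory factory = CertificateFactory.getInstance("X.509");
List<java.security.cert.X509Certificate> chain =
        new ArrayList<java.security.cert.X509Certificate>();
for (X509Certificate certElem : certList) {
    byte[] certInBytes = Base64.decode(certElem.getValue());
    chain.add((java.security.cert.X509Certificate) factory
            .generateCertificate(new ByteArrayInputStream(certInBytes)));
}
// XML-DSig does not fix the order of X509Certificate elements, so pick the
// end-entity certificate: the one that issued none of the others.
java.security.cert.X509Certificate leaf = null;
for (java.security.cert.X509Certificate candidate : chain) {
    boolean issuedAnother = false;
    for (java.security.cert.X509Certificate other : chain) {
        if (other != candidate && other.getIssuerX500Principal()
                .equals(candidate.getSubjectX500Principal())) {
            issuedAnother = true;
            break;
        }
    }
    if (!issuedAnother) {
        leaf = candidate;
        break;
    }
}
if (leaf == null) {
    throw new RelyingPartyException("invalidKeyValueCount");
}
credential = new X509CredentialImpl(leaf);
// … unchanged: RSAKeyValue branch …
```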
Modified:
trunk/solutions/identity/modules/user-ui/src/main/webapp/WEB-INF/web.xml
==============================================================================
--- trunk/solutions/identity/modules/user-ui/src/main/webapp/WEB-INF/web.xml
(original)
+++ trunk/solutions/identity/modules/user-ui/src/main/webapp/WEB-INF/web.xml
Wed Feb 20 20:52:25 2008
@@ -32,6 +32,18 @@
<param-value>JKS</param-value>
</init-param>
<init-param>
+ <param-name>TrustedIdP.KeyStore</param-name>
+ <param-value>../../../../conf/wso2is.jks</param-value>
+ </init-param>
+ <init-param>
+ <param-name>TrustedIdP.StorePass</param-name>
+ <param-value>wso2is</param-value>
+ </init-param>
+ <init-param>
+ <param-name>TrustedIdP.StoreType</param-name>
+ <param-value>JKS</param-value>
+ </init-param>
+ <init-param>
<param-name>MultiValueClaimsPolicy</param-name>
<param-value>MultiValueClaimsAllowed</param-value>
</init-param>
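Review bot: This is the user-facing UI module, not a sample, and it now carries the trust-store password `wso2is` in clear text at the `TrustedIdP.StorePass` init-param, so the secret ships in the WAR and in source control. Source it from an environment variable or a container-managed property, or at least mark it with `<!-- Default password for the bundled wso2is.jks; MUST be changed at deployment -->` so operators know to rotate it.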