Author: ruchith
Date: Mon Mar 31 09:21:46 2008
New Revision: 15403
Log:
Making sure we validate the signature information of the SAML token issued
based on the self issued card, against the
information stored. This will ensure the verified signature on the SAML token
is generated using the key associated with the personal card.
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/resources.properties
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/sts/IdentityProviderData.java
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/resources.properties
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/resources.properties
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/resources.properties
Mon Mar 31 09:21:46 2008
@@ -65,6 +65,10 @@
requredAttributeMissing=Required attribute,openid.identity, is missing
noUsersFound=No users found, corresponding to the given OpenID
invalidOpenIDReturnTo=Invalid OpenID return_to url
+errorParsignStoredKeyInfo = Error parsing stored key info : {0}
+unknownStoredKeyInfoType = Processing this type of ds:KeyInfo (Stored)
sections not supported : {0}
+unknownReceivedKeyInfoType = Processing this type of ds:KeyInfo (Received)
sections not supported : {0}
+errorComparingStoredAndReceivedKeyInfo = Error comparing stored and received
ds:Keyinfo : {0} , {1}
#db errors
createDuplicateEntity = Duplcate entity exist
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/sts/IdentityProviderData.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/sts/IdentityProviderData.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/sts/IdentityProviderData.java
Mon Mar 31 09:21:46 2008
@@ -31,8 +31,13 @@
import java.util.Vector;
import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.impl.builder.StAXOMBuilder;
+import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
+import org.apache.axiom.om.impl.exception.XMLComparisonException;
+import org.apache.axiom.om.impl.llom.util.XMLComparator;
import org.apache.axis2.context.MessageContext;
import org.apache.rahas.RahasData;
import org.apache.ws.security.WSConstants;
@@ -40,10 +45,17 @@
import org.apache.ws.security.components.crypto.X509NameTokenizer;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.util.DOM2Writer;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.keys.KeyInfo;
+import org.apache.xml.security.keys.content.KeyValue;
+import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
+import org.apache.xml.security.utils.Constants;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
+import org.w3c.dom.Element;
import org.wso2.solutions.identity.IdentityConstants;
import org.wso2.solutions.identity.IdentityProviderConstants;
import org.wso2.solutions.identity.IdentityProviderException;
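Review bot: Several imports added here are not referenced by any line in the visible hunks: `DOM2Writer`, `WSSecurityUtil` and `KeyValue` in this hunk, and `XMLComparisonException` and `XMLComparator` in the previous one; `DOM2Writer` looks like a leftover of the commented-out prototype this commit deletes. Unless they are used elsewhere in the file, drop them, since unused imports of `org.apache.axiom.om.impl.*` classes tie the module to Axiom implementation packages for no benefit.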
@@ -405,20 +417,16 @@
RegisteredInfoCardInfoAdmin admin = new
RegisteredInfoCardInfoAdmin();
RegisteredInfoCardInfoDO info = admin.getInfo(ppidValue);
if (info != null) {
- System.out.println(info.getIssuerInfo());
- // XMLSignature sigObject = (XMLSignature)
- // assertion.getNativeSignature();
- // KeyInfo keyinfo = sigObject.getKeyInfo();
- // String kiValue =
- // DOM2Writer.nodeToString(keyinfo.getElement());
- // if(info.getIssuerInfo().equals(kiValue)) {
- userIdentifier = info.getUserId();
- // } else {
- // throw new
- // IdentityProviderException("signatureInfoMismatch",
- // new String[] { ppidValue });
- // }
-
+ XMLSignature sigObject = (XMLSignature)
+ assertion.getNativeSignature();
+ KeyInfo keyInfo = sigObject.getKeyInfo();
+ if(validateKeyInfo(info.getIssuerInfo(),
keyInfo.getElement())) {
+ userIdentifier = info.getUserId();
+ } else {
+ throw new IdentityProviderException(
+ "signatureInfoMismatch",
+ new String[] { ppidValue });
+ }
} else {
throw new IdentityProviderException("alianPPID",
new String[] { ppidValue });
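Review bot: The new `XMLSignature sigObject = (XMLSignature) assertion.getNativeSignature()` / `sigObject.getKeyInfo()` lines dereference both results without a null check, so a token whose signature carries no ds:KeyInfo, or an assertion with no native signature object, fails with a NullPointerException instead of the intended `signatureInfoMismatch` error. The KeyInfo comes from the presented token, so treat its absence as a mismatch before the call: `if (sigObject == null || sigObject.getKeyInfo() == null) { throw new IdentityProviderException("signatureInfoMismatch", new String[] { ppidValue }); }`. Note also that this check only binds the KeyInfo's key material to the registered card; nothing in this hunk shows the signature itself being verified with that key, so confirm that verification happens earlier (presumably in the WSS4J/Rahas layer), otherwise a token that merely copies the stored KeyInfo would pass this check. The enclosing method begins and ends outside this hunk.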
@@ -435,6 +443,81 @@
}
}
+
+ /**
+ * Validate the given ds:KeyInfo element against the stored ds:KeyInfo
+ * element.
+ * @param issuerInfo Stored ds:KeyInfo element as a
<code>java.lang.String</code>.
+ * @param keyInfo The incoming ds:KeyInfo element as a
+ * <code>org.w3c.dom.Element</code>.
+ * @return true if the information matches, otherwise false.
+ */
+ private boolean validateKeyInfo(String issuerInfo, Element keyInfo) throws
IdentityProviderException {
+ try {
+ OMElement elem = new StAXOMBuilder(new ByteArrayInputStream(
+ issuerInfo.getBytes())).getDocumentElement();
+
+ OMElement keyValueElem = elem.getFirstElement();
+ if (keyValueElem != null && keyValueElem.getQName().equals(
+ new QName(WSConstants.SIG_NS, Constants._TAG_KEYVALUE))) {
+ //KeyValue structure : expect an RSAKeyValue
+ OMElement rsaKeyValueElem = keyValueElem.getFirstElement();
+ if (rsaKeyValueElem != null
+ && rsaKeyValueElem.getQName().equals(
+ new QName(WSConstants.SIG_NS,
+ Constants._TAG_RSAKEYVALUE))) {
+ String modulus = rsaKeyValueElem.getFirstChildWithName(
+ new QName(WSConstants.SIG_NS,
+ Constants._TAG_MODULUS)).getText().trim();
+ String exponent = rsaKeyValueElem.getFirstChildWithName(
+ new QName(WSConstants.SIG_NS,
+ Constants._TAG_EXPONENT)).getText().trim();
+
+ //Now process the incoming element to check for
ds:RSAKeyValue
+
+ OMElement receivedKeyInfoElem = (OMElement) new
OMDOMFactory()
+ .getDocument().importNode(keyInfo, true);
+
+ OMElement receivedKeyValueElem =
receivedKeyInfoElem.getFirstElement();
+ if(receivedKeyValueElem != null &&
receivedKeyValueElem.getQName().equals(new QName(WSConstants.SIG_NS,
Constants._TAG_KEYVALUE))) {
+ OMElement receivedRsaKeyValueElem =
receivedKeyValueElem.getFirstChildWithName(new QName(WSConstants.SIG_NS,
Constants._TAG_RSAKEYVALUE));
+ if(receivedRsaKeyValueElem != null) {
+ //Obtain incoming mod and exp
+ String receivedModulus =
receivedRsaKeyValueElem.getFirstChildWithName(
+ new QName(WSConstants.SIG_NS,
+
Constants._TAG_MODULUS)).getText().trim();
+ String receivedExponent =
receivedRsaKeyValueElem.getFirstChildWithName(
+ new QName(WSConstants.SIG_NS,
+
Constants._TAG_EXPONENT)).getText().trim();
+
+ //Compare
+ return modulus.equals(receivedModulus) &&
+ exponent.equals(receivedExponent);
+ } else {
+ throw new IdentityProviderException(
+ "unknownReceivedKeyInfoType",
+ new String[] {
receivedKeyInfoElem.toString() });
+ }
+
+ } else {
+ throw new IdentityProviderException(
+ "unknownReceivedKeyInfoType",
+ new String[] { receivedKeyInfoElem.toString()
});
+ }
+ } else {
+ throw new
IdentityProviderException("unknownStoredKeyInfoType",
+ new String[] { issuerInfo });
+ }
+ } else {
+ throw new IdentityProviderException("unknownStoredKeyInfoType",
+ new String[] { issuerInfo });
+ }
+ } catch (XMLStreamException e) {
+ throw new IdentityProviderException("errorParsignStoredKeyInfo",
+ new String[] { issuerInfo }, e);
+ }
+ }
+
public String getDisplayName(String URI) {
ClaimDO temp = (ClaimDO) claimObjs.get(URI);
return temp.getDisplayTag();
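Review bot: In validateKeyInfo the four `getFirstChildWithName(...).getText()` chains assume ds:Modulus and ds:Exponent are present; the received ds:RSAKeyValue is attacker-controlled, so a token that omits either child raises a NullPointerException rather than the `unknownReceivedKeyInfoType` error the method otherwise reports, and the same applies to a malformed stored entry. The comparison is also purely textual: Base64 in ds:Modulus may be line-wrapped or whitespace-formatted differently from the stored copy, which makes `modulus.equals(receivedModulus)` reject a genuinely matching key; decode both sides with the already imported `Base64` (treating its `Base64DecodingException` as a mismatch) and compare the decoded values, e.g. as `new BigInteger(1, bytes)`. `issuerInfo.getBytes()` uses the platform default charset; decode the stored XML with an explicit charset such as UTF-8 instead. `ByteArrayInputStream` is used but no import for it is added in these hunks, so presumably it is already imported above the visible range.
```java
// … unchanged: parse stored ds:KeyInfo, locate ds:KeyValue and ds:RSAKeyValue …
String modulus = requiredChildText(rsaKeyValueElem, Constants._TAG_MODULUS,
        "unknownStoredKeyInfoType", issuerInfo);
String exponent = requiredChildText(rsaKeyValueElem, Constants._TAG_EXPONENT,
        "unknownStoredKeyInfoType", issuerInfo);
// … unchanged: import received ds:KeyInfo, locate ds:KeyValue and ds:RSAKeyValue …
String receivedModulus = requiredChildText(receivedRsaKeyValueElem, Constants._TAG_MODULUS,
        "unknownReceivedKeyInfoType", receivedKeyInfoElem.toString());
String receivedExponent = requiredChildText(receivedRsaKeyValueElem, Constants._TAG_EXPONENT,
        "unknownReceivedKeyInfoType", receivedKeyInfoElem.toString());
// … unchanged: comparison and error branches …

/**
 * Returns the trimmed text of the named ds: child of parent, or throws the
 * given error (with context as its argument) when the child is absent.
 */
private static String requiredChildText(OMElement parent, String localName,
        String errorKey, String context) throws IdentityProviderException {
    OMElement child = parent.getFirstChildWithName(new QName(WSConstants.SIG_NS, localName));
    if (child == null) {
        throw new IdentityProviderException(errorKey, new String[] { context });
    }
    return child.getText().trim();
}
```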