From cohei...@apache.org
Subject svn commit: r1581421 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/saml/ ws-security-dom/src/main/java/org/apache/wss4j/dom/action/ ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ext/ ws-security-stax/...
Date Tue, 25 Mar 2014 17:18:42 GMT
Author: coheigea
Date: Tue Mar 25 17:18:41 2014
New Revision: 1581421

URL: http://svn.apache.org/r1581421
Log:
[WSS-495] - Add support to configure the digest method used for SAML Assertions

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLCallback.java
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ext/AssertionSigningTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLCallback.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLCallback.java?rev=1581421&r1=1581420&r2=1581421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLCallback.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLCallback.java
Tue Mar 25 17:18:41 2014
@@ -94,6 +94,8 @@ public class SAMLCallback implements Cal
     private String canonicalizationAlgorithm;
 
     private String signatureAlgorithm;
+    
+    private String signatureDigestAlgorithm;
 
     /**
      * Constructor SAMLCallback creates a new SAMLCallback instance.
@@ -342,4 +344,12 @@ public class SAMLCallback implements Cal
     public void setSignatureAlgorithm(String signatureAlgorithm) {
         this.signatureAlgorithm = signatureAlgorithm;
     }
+
+    public String getSignatureDigestAlgorithm() {
+        return signatureDigestAlgorithm;
+    }
+
+    public void setSignatureDigestAlgorithm(String signatureDigestAlgorithm) {
+        this.signatureDigestAlgorithm = signatureDigestAlgorithm;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java?rev=1581421&r1=1581420&r2=1581421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
Tue Mar 25 17:18:41 2014
@@ -39,6 +39,7 @@ import org.apache.xml.security.stax.impl
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.common.SignableSAMLObject;
+import org.opensaml.common.impl.SAMLObjectContentReference;
 import org.opensaml.saml1.core.AttributeStatement;
 import org.opensaml.saml1.core.AuthenticationStatement;
 import org.opensaml.saml1.core.AuthorizationDecisionStatement;
@@ -125,6 +126,11 @@ public class SamlAssertionWrapper {
     private final String defaultDSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
     
     /**
+     * Default Signature Digest algorithm
+     */
+    private final String defaultSignatureDigestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
+    
+    /**
      * Whether this object was instantiated with a DOM Element or an XMLObject initially
      */
     private final boolean fromDOM;
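Review bot: The new `defaultSignatureDigestAlgorithm` pins SHA-1 as the digest for every caller that does not pass one explicitly, which turns what was previously an implicit library default into a documented API default on a now-public overload. SHA-1 is no longer recommended for digital-signature use, so if existing relying parties allow it the default should be `SignatureConstants.ALGO_ID_DIGEST_SHA256`; if it must stay for interoperability, the comment should say so rather than just naming it, e.g. `Default Signature Digest algorithm (SHA-1, retained for interoperability with existing consumers; prefer SHA-256 where the relying party supports it)`. The class header and the other defaults are outside this hunk.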
@@ -422,9 +428,26 @@ public class SamlAssertionWrapper {
      * @param signature the signature of this SamlAssertionWrapper object.
      */
     public void setSignature(Signature signature) {
+        setSignature(signature, defaultSignatureDigestAlgorithm);
+    }
+    
+    /**
+     * Method setSignature sets the signature of this SamlAssertionWrapper object.
+     *
+     * @param signature the signature of this SamlAssertionWrapper object.
+     * @param signatureDigestAlgorithm the signature digest algorithm to use
+     */
+    public void setSignature(Signature signature, String signatureDigestAlgorithm) {
         if (xmlObject instanceof SignableSAMLObject) {
             SignableSAMLObject signableObject = (SignableSAMLObject) xmlObject;
             signableObject.setSignature(signature);
+            String digestAlg = signatureDigestAlgorithm;
+            if (digestAlg == null) {
+                digestAlg = defaultSignatureDigestAlgorithm;
+            }
+            SAMLObjectContentReference contentRef = 
+                (SAMLObjectContentReference)signature.getContentReferences().get(0);
+            contentRef.setDigestAlgorithm(digestAlg);
             signableObject.releaseDOM();
             signableObject.releaseChildrenDOM(true);
         } else {
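Review bot: The one-argument `setSignature(Signature)` now rewrites the digest of any caller-supplied Signature to SHA-1, because it delegates with `defaultSignatureDigestAlgorithm` and the null fallback in the two-argument overload means the caller's own `SAMLObjectContentReference` digest is always overwritten; before this change the method left the content reference untouched, so a Signature built with a SHA-256 reference and set through the public one-argument method is silently downgraded. Have the one-argument overload call `setSignature(signature, null);` and only apply a digest when one was actually requested, leaving `signAssertion` to pass its explicit default. The unchecked `getContentReferences().get(0)` cast also assumes the content reference was already added to the Signature; if the list is empty it fails with IndexOutOfBoundsException, so an explicit check gives a clearer failure. The body of setSignature continues past the hunk.
```java
        if (xmlObject instanceof SignableSAMLObject) {
            SignableSAMLObject signableObject = (SignableSAMLObject) xmlObject;
            signableObject.setSignature(signature);
            // Only override the digest when one was requested; null leaves the
            // caller's own content-reference configuration alone.
            if (signatureDigestAlgorithm != null) {
                if (signature.getContentReferences().isEmpty()) {
                    throw new IllegalStateException(
                        "Signature has no content reference to apply the digest algorithm to");
                }
                SAMLObjectContentReference contentRef =
                    (SAMLObjectContentReference) signature.getContentReferences().get(0);
                contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
            }
            // … unchanged: releaseDOM / releaseChildrenDOM …
```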
@@ -447,7 +470,7 @@ public class SamlAssertionWrapper {
 
         signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto,
                 sendKeyValue, defaultCanonicalizationAlgorithm,
-                defaultRSASignatureAlgorithm);
+                defaultRSASignatureAlgorithm, defaultSignatureDigestAlgorithm);
     }
     
     /**
@@ -465,6 +488,27 @@ public class SamlAssertionWrapper {
             Crypto issuerCrypto, boolean sendKeyValue,
             String canonicalizationAlgorithm, String signatureAlgorithm)
             throws WSSecurityException {
+        signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto, sendKeyValue,
+                canonicalizationAlgorithm, signatureAlgorithm, defaultSignatureDigestAlgorithm);
+    }
+    
+    /**
+     * Create an enveloped signature on the assertion that has been created.
+     * 
+     * @param issuerKeyName the Issuer KeyName to use with the issuerCrypto argument
+     * @param issuerKeyPassword the Issuer Password to use with the issuerCrypto argument
+     * @param issuerCrypto the Issuer Crypto instance
+     * @param sendKeyValue whether to send the key value or not
+     * @param canonicalizationAlgorithm the canonicalization algorithm to be used for signing
+     * @param signatureAlgorithm the signature algorithm to be used for signing
+     * @param signatureDigestAlgorithm the signature Digest algorithm to use
+     * @throws WSSecurityException
+     */
+    public void signAssertion(String issuerKeyName, String issuerKeyPassword,
+            Crypto issuerCrypto, boolean sendKeyValue,
+            String canonicalizationAlgorithm, String signatureAlgorithm,
+            String signatureDigestAlgorithm)
+            throws WSSecurityException {
         //
         // Create the signature
         //
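Review bot: The Javadoc for the new `signatureDigestAlgorithm` parameter does not say what a null value does, although the `setSignature` overload it is passed to maps null to the class default, and every caller going through `SAMLCallback` with the new field unset will take exactly that path. Spell the contract out: `@param signatureDigestAlgorithm the digest algorithm URI for the signature references; null selects the class default (SHA-1)`. The `@throws WSSecurityException` tag is also empty and should describe the failure condition. The method body continues past the hunk.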
@@ -528,7 +572,7 @@ public class SamlAssertionWrapper {
         }
 
         // add the signature to the assertion
-        setSignature(signature);
+        setSignature(signature, signatureDigestAlgorithm);
     }
 
     /**

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java?rev=1581421&r1=1581420&r2=1581421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
Tue Mar 25 17:18:41 2014
@@ -82,7 +82,8 @@ public class SAMLTokenSignedAction imple
                 samlCallback.getIssuerCrypto(),
                 samlCallback.isSendKeyValue(),
                 samlCallback.getCanonicalizationAlgorithm(),
-                samlCallback.getSignatureAlgorithm()
+                samlCallback.getSignatureAlgorithm(),
+                samlCallback.getSignatureDigestAlgorithm()
             );
         }
         WSSecSignatureSAML wsSign = new WSSecSignatureSAML(reqData.getWssConfig());

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ext/AssertionSigningTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ext/AssertionSigningTest.java?rev=1581421&r1=1581420&r2=1581421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ext/AssertionSigningTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ext/AssertionSigningTest.java
Tue Mar 25 17:18:41 2014
@@ -22,19 +22,26 @@ package org.apache.wss4j.dom.saml.ext;
 import java.io.InputStream;
 import java.security.KeyStore;
 
+import javax.xml.parsers.DocumentBuilderFactory;
+
 import org.apache.wss4j.dom.WSSConfig;
 import org.apache.wss4j.dom.common.SAML2CallbackHandler;
 import org.apache.wss4j.dom.common.SecurityTestUtil;
 import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.crypto.Merlin;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.common.util.Loader;
 import org.junit.Assert;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.SignatureConstants;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 
 /**
  * A list of test-cases to test the functionality of signing with
@@ -51,9 +58,12 @@ public class AssertionSigningTest extend
     // Default DSA Signature algorithm used by SamlAssertionWrapper class.
     private final String defaultDSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
     // Custom Signature algorithm
-    private final String customSignatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+    private final String customSignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
     // Custom Canonicalization algorithm
     private final String customCanonicalizationAlgorithm = SignatureConstants.ALGO_ID_C14N_OMIT_COMMENTS;
+    // Custom Signature Digest algorithm
+    private final String customSignatureDigestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA256;
+    private final DocumentBuilderFactory dbf;
 
     @org.junit.AfterClass
     public static void cleanup() throws Exception {
@@ -70,6 +80,9 @@ public class AssertionSigningTest extend
                 "keys/client_keystore.jks");
         keyStore.load(input, "password".toCharArray());
         ((Merlin) issuerCrypto).setKeyStore(keyStore);
+        
+        dbf = DocumentBuilderFactory.newInstance();
+        dbf.setNamespaceAware(true);
     }
 
     /**
@@ -98,6 +111,20 @@ public class AssertionSigningTest extend
                         defaultDSASignatureAlgorithm));
         Assert.assertEquals(defaultCanonicalizationAlgorithm,
                 signature.getCanonicalizationAlgorithm());
+        
+        // Verify Signature
+        SAMLKeyInfo keyInfo = new SAMLKeyInfo();
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("client_certchain");
+        keyInfo.setCerts(issuerCrypto.getX509Certificates(cryptoType));
+        
+        Document doc = dbf.newDocumentBuilder().newDocument();
+        
+        Element assertionElement = samlAssertion.toDOM(doc);
+        doc.appendChild(assertionElement);
+        
+        samlAssertion = new SamlAssertionWrapper(assertionElement);
+        samlAssertion.verifySignature(keyInfo);
     }
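Review bot: The default-algorithm test now verifies the signature but never asserts which digest was applied, so a silent change to `defaultSignatureDigestAlgorithm` (or to the content-reference override in `setSignature`) would still pass. After `toDOM`, pin the default the same way the custom-algorithm test does, e.g. `Assert.assertTrue(DOM2Writer.nodeToString(assertionElement).contains(SignatureConstants.ALGO_ID_DIGEST_SHA1));`. The enclosing test method starts outside the hunk.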
 
     /**
@@ -118,11 +145,28 @@ public class AssertionSigningTest extend
         
         samlAssertion.signAssertion("client_certchain", "password", issuerCrypto,
                 false, customCanonicalizationAlgorithm,
-                customSignatureAlgorithm);
+                customSignatureAlgorithm, customSignatureDigestAlgorithm);
         Signature signature = samlAssertion.getSaml2().getSignature();
         Assert.assertEquals(customSignatureAlgorithm,
                 signature.getSignatureAlgorithm());
         Assert.assertEquals(customCanonicalizationAlgorithm,
                 signature.getCanonicalizationAlgorithm());
+        
+        Document doc = dbf.newDocumentBuilder().newDocument();
+        
+        Element assertionElement = samlAssertion.toDOM(doc);
+        doc.appendChild(assertionElement);
+        String assertionString = DOM2Writer.nodeToString(assertionElement);
+        Assert.assertTrue(assertionString.contains(customSignatureDigestAlgorithm));
+
+        // Verify Signature
+        SAMLKeyInfo keyInfo = new SAMLKeyInfo();
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("client_certchain");
+        keyInfo.setCerts(issuerCrypto.getX509Certificates(cryptoType));
+        
+        samlAssertion = new SamlAssertionWrapper(assertionElement);
+        samlAssertion.verifySignature(keyInfo);
     }
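Review bot: `assertionString.contains(customSignatureDigestAlgorithm)` is a weak check because it does not bind the URI to the `ds:DigestMethod` element; any occurrence of that string in the serialized assertion would satisfy it. Read the attribute directly instead: `Element digestMethod = (Element) assertionElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "DigestMethod").item(0);` followed by `Assert.assertEquals(customSignatureDigestAlgorithm, digestMethod.getAttribute("Algorithm"));`. The enclosing test method starts outside the hunk.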
+    
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1581421&r1=1581420&r2=1581421&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
Tue Mar 25 17:18:41 2014
@@ -87,7 +87,8 @@ public class SAMLTokenOutputProcessor ex
                         samlCallback.getIssuerCrypto(),
                         samlCallback.isSendKeyValue(),
                         samlCallback.getCanonicalizationAlgorithm(),
-                        samlCallback.getSignatureAlgorithm()
+                        samlCallback.getSignatureAlgorithm(),
+                        samlCallback.getSignatureDigestAlgorithm()
                 );
             }
 


