org.apache.rahas.impl.util.CommonUtil Maven / Gradle / Ivy
The newest version!
/*
* Copyright 2004,2005 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rahas.impl.util;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.dom.DOMMetaFactory;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasData;
import org.apache.rahas.TrustException;
import org.apache.rahas.impl.SAMLTokenIssuerConfig;
import org.apache.rahas.impl.TokenIssuerUtil;
import org.apache.ws.security.*;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.processor.EncryptedKeyProcessor;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.Loader;
import org.apache.xml.security.utils.EncryptionConstants;
import org.opensaml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.encryption.EncryptedKey;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.X509Data;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Properties;
import static org.apache.axiom.om.OMAbstractFactory.FEATURE_DOM;
/**
* This class implements some utility methods common to SAML1 and SAML2.
*/
public class CommonUtil {
private static Log log = LogFactory.getLog(CommonUtil.class);
/**
* This method creates a DOM compatible Axiom document.
* @return DOM compatible Axiom document
* @throws TrustException If an error occurred while creating the Document.
*/
public static Document getOMDOMDocument() throws TrustException {
DOMMetaFactory metaFactory = (DOMMetaFactory) OMAbstractFactory.getMetaFactory(FEATURE_DOM);
DocumentBuilderFactory dbf = metaFactory.newDocumentBuilderFactory();
try {
return dbf.newDocumentBuilder().newDocument();
} catch (ParserConfigurationException e) {
throw new TrustException("Error creating Axiom compatible DOM Document", e);
}
}
/**
* Gets the certificates chain by alias. Always returns the first certificate if a certificate chain is found.
* @param crypto Crypto to lookup certificate.
* @param alias Alias name.
* @return X509 certificate object.
* @throws org.apache.rahas.TrustException If an error occurred
* while retrieving the certificate or if no certificates are found for given alias.
*/
public static X509Certificate getCertificateByAlias(Crypto crypto, String alias) throws TrustException {
X509Certificate[] certificates = getCertificatesByAlias(crypto, alias);
if (certificates == null) {
log.error("Unable to retrieve certificate for alias " + alias);
throw new TrustException("issuerCertificateNotFound");
}
return certificates[0];
}
/**
* Gets the certificates chain by alias. If no certificates are found return an empty array.
* @param crypto Crypto to lookup certificate.
* @param alias Alias name.
* @return X509 certificates array.
* @throws org.apache.rahas.TrustException If an error occurred
* while retrieving the certificate.
*/
public static X509Certificate[] getCertificatesByAlias(Crypto crypto, String alias) throws TrustException {
// TODO are we always looking up by alias ? Dont we need to lookup by any other attribute ?
CryptoType type = new CryptoType(CryptoType.TYPE.ALIAS);
type.setAlias(alias);
try {
X509Certificate[] certificates = crypto.getX509Certificates(type);
if (certificates == null) {
log.debug("Unable to retrieve certificate for alias " + alias);
return new X509Certificate[0];
}
return certificates;
} catch (WSSecurityException e) {
log.error("Unable to retrieve certificate for alias " + alias, e);
throw new TrustException("issuerCertificateNotFound", e);
}
}
/**
* Decrypts the EncryptedKey element and returns the secret that was used.
* @param callbackHandler Callback handler to pass to WSS4J framework.
* @param crypto To get private key information.
* @param encryptedKeyElement The encrypted Key element.
* @return The secret as a byte stream.
* @throws WSSecurityException If an error is occurred while decrypting the element.
*/
public static byte[] getDecryptedBytes(CallbackHandler callbackHandler, Crypto crypto, Node encryptedKeyElement)
throws WSSecurityException {
EncryptedKeyProcessor encryptedKeyProcessor = new EncryptedKeyProcessor();
RequestData requestData = new RequestData();
requestData.setCallbackHandler(callbackHandler);
requestData.setDecCrypto(crypto);
final WSSConfig cfg = WSSConfig.getNewInstance();
requestData.setWssConfig(cfg);
WSDocInfo docInfo = new WSDocInfo(encryptedKeyElement.getOwnerDocument());
List resultList;
resultList = encryptedKeyProcessor.handleToken((Element) encryptedKeyElement, requestData, docInfo);
WSSecurityEngineResult wsSecurityEngineResult = resultList.get(0);
return (byte[]) wsSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET);
}
/**
* Constructs crypto configuration based on the given properties. Provider is instantiated using
* given class loader.
* @param properties Crypto configuration properties.
* @param classLoader Class loader used to create provider.
* @return A crypto object.
* @throws TrustException If an error occurred while creating the Crypto object.
*/
public static Crypto getCrypto(Properties properties, ClassLoader classLoader) throws TrustException {
try {
return CryptoFactory.getInstance(properties, classLoader);
} catch (WSSecurityException e) {
log.error("An error occurred while loading crypto properties", e);
throw new TrustException("errorLoadingCryptoProperties", e);
}
}
/**
* Constructs crypto configuration based on the given properties. Provider is instantiated using
* given class loader.
* @param propertiesFile Crypto configuration properties file name.
* @param classLoader Class loader used to create provider.
* @return A crypto object.
* @throws TrustException If an error occurred while creating the Crypto object.
*/
public static Crypto getCrypto(String propertiesFile, ClassLoader classLoader) throws TrustException {
try {
return CryptoFactory.getInstance(propertiesFile, classLoader);
} catch (WSSecurityException e) {
log.error("An error occurred while loading crypto properties with property file " + propertiesFile, e);
throw new TrustException("errorLoadingCryptoProperties", new Object[]{propertiesFile}, e);
}
}
/**
* Creates the token issuer configuration. The configuration is created in following order,
* 1. Try create token configuration using configuration OMElement
* 2. Try create token configuration using a configuration file name
* 3. Try create token configuration using a parameter name in message context.
* The issuer configuration would look like as follows,
*
* <saml-issuer-config>
* <issuerName>Test_STS</issuerName>
* <issuerKeyAlias>ip</issuerKeyAlias>
* <issuerKeyPassword>password</issuerKeyPassword>
* <cryptoProperties>
* <crypto provider="org.apache.ws.security.components.crypto.Merlin">
* <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
* <property name="org.apache.ws.security.crypto.merlin.file">META-INF/rahas-sts.jks</property>
* <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
* </crypto>
* </cryptoProperties>
* <timeToLive>300000</timeToLive>
* <keySize>256</keySize>
* <addRequestedAttachedRef />
* <addRequestedUnattachedRef />
* <keyComputation>2</keyComputation>
* <proofKeyType>BinarySecret</proofKeyType>
* <trusted-services>
* <service alias="bob">http://localhost:8080/axis2/services/STS</service>
* </trusted-services>
* </saml-issuer-config>
*
* @param configElement Configuration as an OMElement.
* @param configFile Configuration as a file.
* @param messageContextParameter Configuration as a message context parameter.
* @return Token issuer configuration as a SAMLTokenIssuerConfig object.
* @throws TrustException If an error occurred while creating SAMLTokenIssuerConfig object.
*/
public static SAMLTokenIssuerConfig getTokenIssuerConfiguration(OMElement configElement, String configFile,
Parameter messageContextParameter) throws TrustException {
// First try using configuration element
SAMLTokenIssuerConfig tokenIssuerConfiguration = createTokenIssuerConfiguration(configElement);
if (tokenIssuerConfiguration == null) {
// Now try file
tokenIssuerConfiguration = createTokenIssuerConfiguration(configFile);
if (tokenIssuerConfiguration == null) {
// Finally try using the parameter
if (messageContextParameter != null) {
tokenIssuerConfiguration = createTokenIssuerConfiguration(messageContextParameter);
}
return tokenIssuerConfiguration;
} else {
return tokenIssuerConfiguration;
}
} else {
return tokenIssuerConfiguration;
}
}
protected static SAMLTokenIssuerConfig createTokenIssuerConfiguration(OMElement configElement)
throws TrustException {
if (configElement != null) {
log.debug("Creating token issuer configuration using OMElement");
return new SAMLTokenIssuerConfig(configElement
.getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
}
return null;
}
protected static SAMLTokenIssuerConfig createTokenIssuerConfiguration(String configFile) throws TrustException {
if (configFile != null) {
if (log.isDebugEnabled()) {
log.debug("Creating token issuer configuration using file " + configFile);
}
return new SAMLTokenIssuerConfig(configFile);
}
return null;
}
protected static SAMLTokenIssuerConfig createTokenIssuerConfiguration(Parameter messageContextParameter)
throws TrustException {
if (messageContextParameter != null && messageContextParameter.getParameterElement() != null) {
log.debug("Creating token issuer configuration using the config parameter");
return new SAMLTokenIssuerConfig(messageContextParameter
.getParameterElement().getFirstChildWithName(
SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
}
return null;
}
/**
* Builds the requested XMLObject.
*
* @param objectQName name of the XMLObject
* @return the build XMLObject
* @throws org.apache.rahas.TrustException If unable to find the appropriate builder.
*/
public static XMLObject buildXMLObject(QName objectQName) throws TrustException {
XMLObjectBuilder builder = Configuration.getBuilderFactory().getBuilder(objectQName);
if (builder == null) {
log.debug("Unable to find OpenSAML builder for object " + objectQName);
throw new TrustException("builderNotFound",new Object[]{objectQName});
}
return builder.buildObject(objectQName.getNamespaceURI(), objectQName.getLocalPart(), objectQName.getPrefix());
}
/**
* This method creates KeyInfo element of an assertion. This is a facade, in which it calls
* to other helper methods to create KeyInfo. The TokenIssuer will call this method to
* create the KeyInfo.
* @param doc An Axiom based DOM Document.
* @param data The ephemeral key which we use here need in encrypting the message also. Therefore
* we need to save the ephemeral key in RahasData passed here.
* @param serviceCert Public key used to encrypt the assertion is extracted from this certificate.
* @param keySize Size of the key to be used
* @param crypto The relevant private key
* @param keyComputation Key computation mechanism.
* @return OpenSAML KeyInfo representation.
* @throws WSSecurityException We use WSS4J to generate encrypted key. This exception will trigger if an
* error occurs while generating the encrypted key.
* @throws TrustException If an error occurred while creating KeyInfo object.
*/
public static KeyInfo getSymmetricKeyBasedKeyInfo(Document doc,
RahasData data,
X509Certificate serviceCert,
int keySize,
Crypto crypto,
int keyComputation) throws WSSecurityException, TrustException {
byte[] ephemeralKey = TokenIssuerUtil.getSharedSecret(
data, keyComputation, keySize);
WSSecEncryptedKey encryptedKey = getSymmetricKeyBasedKeyInfoContent(doc, ephemeralKey, serviceCert, crypto);
// Extract the base64 encoded secret value
byte[] tempKey = new byte[keySize / 8];
System.arraycopy(encryptedKey.getEphemeralKey(), 0, tempKey,
0, keySize / 8);
data.setEphmeralKey(tempKey);
EncryptedKey samlEncryptedKey = SAMLUtils.createEncryptedKey(serviceCert, encryptedKey);
return SAMLUtils.createKeyInfo(samlEncryptedKey);
}
static WSSecEncryptedKey getSymmetricKeyBasedKeyInfoContent(Document doc,
byte[] ephemeralKey,
X509Certificate serviceCert,
Crypto crypto) throws WSSecurityException,
TrustException {
// Create the encrypted key
WSSecEncryptedKey encryptedKeyBuilder = new WSSecEncryptedKey();
// Use thumbprint id
encryptedKeyBuilder
.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
// SEt the encryption cert
encryptedKeyBuilder.setUseThisCert(serviceCert);
encryptedKeyBuilder.setEphemeralKey(ephemeralKey);
// Set key encryption algo
encryptedKeyBuilder
.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
// Build
encryptedKeyBuilder.prepare(doc, crypto);
return encryptedKeyBuilder;
}
/**
* Creates the certificate based KeyInfo object.
* @param certificate The public key certificate used to create the KeyInfo object.
* @return OpenSAML representation of KeyInfo object.
* @throws TrustException If an error occurred while creating the KeyInfo
*/
public static KeyInfo getCertificateBasedKeyInfo(X509Certificate certificate) throws TrustException {
X509Data x509Data = CommonUtil.createX509Data(certificate);
return SAMLUtils.createKeyInfo(x509Data);
}
/**
* Creates the X509 data element in a SAML issuer token. Should create an element similar to following,
*
*
* MIICNTCCAZ6gAwIB...
*
*
* @param clientCert Client certificate to be used when generating X509 data
* @return SAML X509Data representation.
* @throws TrustException If an error occurred while creating X509Data and X509Certificate.
*/
static X509Data createX509Data(X509Certificate clientCert) throws TrustException {
byte[] clientCertBytes;
try {
clientCertBytes = clientCert.getEncoded();
} catch (CertificateEncodingException e) {
log.error("An error occurred while encoding certificate.", e);
throw new TrustException("An error occurred while encoding certificate.", e);
}
String base64Cert = Base64.encode(clientCertBytes);
org.opensaml.xml.signature.X509Certificate x509Certificate
= (org.opensaml.xml.signature.X509Certificate)CommonUtil.buildXMLObject
(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
x509Certificate.setValue(base64Cert);
X509Data x509Data = (X509Data)CommonUtil.buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
x509Data.getX509Certificates().add(x509Certificate);
return x509Data;
}
/**
* Gets the SAML callback handler. First checks whether there is a registered callback handler in token
* issuer configuration. If not this will check whether there is a callback class configured in token issuer
* configuration. If class name is specified this method will create an object of the class and will return.
* If class name is also not specified this method will return null.
* @param tokenIssuerConfiguration The SAML token issuer configuration.
* @param data The RahasData.
* @return The SAMLCallbackHandler if configured in token issuer configuration, else null.
* @throws TrustException If an error occurred while loading class from class loader
*/
public static SAMLCallbackHandler getSAMLCallbackHandler(SAMLTokenIssuerConfig tokenIssuerConfiguration,
RahasData data) throws TrustException {
if (tokenIssuerConfiguration.getCallbackHandler() != null) {
return tokenIssuerConfiguration.getCallbackHandler();
} else if (tokenIssuerConfiguration.getCallbackHandlerName() != null
&& tokenIssuerConfiguration.getCallbackHandlerName().trim().length() > 0) {
SAMLCallbackHandler handler;
MessageContext msgContext = data.getInMessageContext();
ClassLoader classLoader = msgContext.getAxisService().getClassLoader();
Class cbClass;
try {
cbClass = Loader.loadClass(classLoader, tokenIssuerConfiguration.getCallbackHandlerName());
} catch (ClassNotFoundException e) {
throw new TrustException("cannotLoadPWCBClass", new String[]{tokenIssuerConfiguration
.getCallbackHandlerName()}, e);
}
try {
handler = (SAMLCallbackHandler) cbClass.newInstance();
} catch (java.lang.Exception e) {
throw new TrustException("cannotCreatePWCBInstance", new String[]{tokenIssuerConfiguration
.getCallbackHandlerName()}, e);
}
return handler;
}
return null;
}
}