Java tutorial
/* * Copyright 2004,2005 The Apache Software Foundation. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.rahas.impl.util; import org.apache.axiom.om.OMAbstractFactory; import org.apache.axiom.om.OMElement; import org.apache.axiom.om.dom.DOMMetaFactory; import org.apache.axis2.context.MessageContext; import org.apache.axis2.description.Parameter; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.rahas.RahasData; import org.apache.rahas.TrustException; import org.apache.rahas.impl.SAMLTokenIssuerConfig; import org.apache.rahas.impl.TokenIssuerUtil; import org.apache.ws.security.*; import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.components.crypto.CryptoFactory; import org.apache.ws.security.components.crypto.CryptoType; import org.apache.ws.security.handler.RequestData; import org.apache.ws.security.message.WSSecEncryptedKey; import org.apache.ws.security.processor.EncryptedKeyProcessor; import org.apache.ws.security.util.Base64; import org.apache.ws.security.util.Loader; import org.apache.xml.security.utils.EncryptionConstants; import org.opensaml.Configuration; import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilder; import org.opensaml.xml.encryption.EncryptedKey; import org.opensaml.xml.signature.KeyInfo; import org.opensaml.xml.signature.X509Data; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; import javax.security.auth.callback.CallbackHandler; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.List; import java.util.Properties; import static org.apache.axiom.om.OMAbstractFactory.FEATURE_DOM; /** * This class implements some utility methods common to SAML1 and SAML2. */ public class CommonUtil { private static Log log = LogFactory.getLog(CommonUtil.class); /** * This method creates a DOM compatible Axiom document. * @return DOM compatible Axiom document * @throws TrustException If an error occurred while creating the Document. */ public static Document getOMDOMDocument() throws TrustException { DOMMetaFactory metaFactory = (DOMMetaFactory) OMAbstractFactory.getMetaFactory(FEATURE_DOM); DocumentBuilderFactory dbf = metaFactory.newDocumentBuilderFactory(); try { return dbf.newDocumentBuilder().newDocument(); } catch (ParserConfigurationException e) { throw new TrustException("Error creating Axiom compatible DOM Document", e); } } /** * Gets the certificates chain by alias. Always returns the first certificate if a certificate chain is found. * @param crypto Crypto to lookup certificate. * @param alias Alias name. * @return X509 certificate object. * @throws org.apache.rahas.TrustException If an error occurred * while retrieving the certificate or if no certificates are found for given alias. */ public static X509Certificate getCertificateByAlias(Crypto crypto, String alias) throws TrustException { X509Certificate[] certificates = getCertificatesByAlias(crypto, alias); if (certificates == null) { log.error("Unable to retrieve certificate for alias " + alias); throw new TrustException("issuerCertificateNotFound"); } return certificates[0]; } /** * Gets the certificates chain by alias. If no certificates are found return an empty array. * @param crypto Crypto to lookup certificate. * @param alias Alias name. * @return X509 certificates array. * @throws org.apache.rahas.TrustException If an error occurred * while retrieving the certificate. */ public static X509Certificate[] getCertificatesByAlias(Crypto crypto, String alias) throws TrustException { // TODO are we always looking up by alias ? Dont we need to lookup by any other attribute ? CryptoType type = new CryptoType(CryptoType.TYPE.ALIAS); type.setAlias(alias); try { X509Certificate[] certificates = crypto.getX509Certificates(type); if (certificates == null) { log.debug("Unable to retrieve certificate for alias " + alias); return new X509Certificate[0]; } return certificates; } catch (WSSecurityException e) { log.error("Unable to retrieve certificate for alias " + alias, e); throw new TrustException("issuerCertificateNotFound", e); } } /** * Decrypts the EncryptedKey element and returns the secret that was used. * @param callbackHandler Callback handler to pass to WSS4J framework. * @param crypto To get private key information. * @param encryptedKeyElement The encrypted Key element. * @return The secret as a byte stream. * @throws WSSecurityException If an error is occurred while decrypting the element. */ public static byte[] getDecryptedBytes(CallbackHandler callbackHandler, Crypto crypto, Node encryptedKeyElement) throws WSSecurityException { EncryptedKeyProcessor encryptedKeyProcessor = new EncryptedKeyProcessor(); RequestData requestData = new RequestData(); requestData.setCallbackHandler(callbackHandler); requestData.setDecCrypto(crypto); final WSSConfig cfg = WSSConfig.getNewInstance(); requestData.setWssConfig(cfg); WSDocInfo docInfo = new WSDocInfo(encryptedKeyElement.getOwnerDocument()); List<WSSecurityEngineResult> resultList; resultList = encryptedKeyProcessor.handleToken((Element) encryptedKeyElement, requestData, docInfo); WSSecurityEngineResult wsSecurityEngineResult = resultList.get(0); return (byte[]) wsSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET); } /** * Constructs crypto configuration based on the given properties. Provider is instantiated using * given class loader. * @param properties Crypto configuration properties. * @param classLoader Class loader used to create provider. * @return A crypto object. * @throws TrustException If an error occurred while creating the Crypto object. */ public static Crypto getCrypto(Properties properties, ClassLoader classLoader) throws TrustException { try { return CryptoFactory.getInstance(properties, classLoader); } catch (WSSecurityException e) { log.error("An error occurred while loading crypto properties", e); throw new TrustException("errorLoadingCryptoProperties", e); } } /** * Constructs crypto configuration based on the given properties. Provider is instantiated using * given class loader. * @param propertiesFile Crypto configuration properties file name. * @param classLoader Class loader used to create provider. * @return A crypto object. * @throws TrustException If an error occurred while creating the Crypto object. */ public static Crypto getCrypto(String propertiesFile, ClassLoader classLoader) throws TrustException { try { return CryptoFactory.getInstance(propertiesFile, classLoader); } catch (WSSecurityException e) { log.error("An error occurred while loading crypto properties with property file " + propertiesFile, e); throw new TrustException("errorLoadingCryptoProperties", new Object[] { propertiesFile }, e); } } /** * Creates the token issuer configuration. The configuration is created in following order, * 1. Try create token configuration using configuration OMElement * 2. Try create token configuration using a configuration file name * 3. Try create token configuration using a parameter name in message context. * The issuer configuration would look like as follows, * * <saml-issuer-config> * <issuerName>Test_STS</issuerName> * <issuerKeyAlias>ip</issuerKeyAlias> * <issuerKeyPassword>password</issuerKeyPassword> * <cryptoProperties> * <crypto provider="org.apache.ws.security.components.crypto.Merlin"> * <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property> * <property name="org.apache.ws.security.crypto.merlin.file">META-INF/rahas-sts.jks</property> * <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property> * </crypto> * </cryptoProperties> * <timeToLive>300000</timeToLive> * <keySize>256</keySize> * <addRequestedAttachedRef /> * <addRequestedUnattachedRef /> * <keyComputation>2</keyComputation> * <proofKeyType>BinarySecret</proofKeyType> * <trusted-services> * <service alias="bob">http://localhost:8080/axis2/services/STS</service> * </trusted-services> * </saml-issuer-config> * * @param configElement Configuration as an OMElement. * @param configFile Configuration as a file. * @param messageContextParameter Configuration as a message context parameter. * @return Token issuer configuration as a SAMLTokenIssuerConfig object. * @throws TrustException If an error occurred while creating SAMLTokenIssuerConfig object. */ public static SAMLTokenIssuerConfig getTokenIssuerConfiguration(OMElement configElement, String configFile, Parameter messageContextParameter) throws TrustException { // First try using configuration element SAMLTokenIssuerConfig tokenIssuerConfiguration = createTokenIssuerConfiguration(configElement); if (tokenIssuerConfiguration == null) { // Now try file tokenIssuerConfiguration = createTokenIssuerConfiguration(configFile); if (tokenIssuerConfiguration == null) { // Finally try using the parameter if (messageContextParameter != null) { tokenIssuerConfiguration = createTokenIssuerConfiguration(messageContextParameter); } return tokenIssuerConfiguration; } else { return tokenIssuerConfiguration; } } else { return tokenIssuerConfiguration; } } protected static SAMLTokenIssuerConfig createTokenIssuerConfiguration(OMElement configElement) throws TrustException { if (configElement != null) { log.debug("Creating token issuer configuration using OMElement"); return new SAMLTokenIssuerConfig( configElement.getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG)); } return null; } protected static SAMLTokenIssuerConfig createTokenIssuerConfiguration(String configFile) throws TrustException { if (configFile != null) { if (log.isDebugEnabled()) { log.debug("Creating token issuer configuration using file " + configFile); } return new SAMLTokenIssuerConfig(configFile); } return null; } protected static SAMLTokenIssuerConfig createTokenIssuerConfiguration(Parameter messageContextParameter) throws TrustException { if (messageContextParameter != null && messageContextParameter.getParameterElement() != null) { log.debug("Creating token issuer configuration using the config parameter"); return new SAMLTokenIssuerConfig(messageContextParameter.getParameterElement() .getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG)); } return null; } /** * Builds the requested XMLObject. * * @param objectQName name of the XMLObject * @return the build XMLObject * @throws org.apache.rahas.TrustException If unable to find the appropriate builder. */ public static XMLObject buildXMLObject(QName objectQName) throws TrustException { XMLObjectBuilder builder = Configuration.getBuilderFactory().getBuilder(objectQName); if (builder == null) { log.debug("Unable to find OpenSAML builder for object " + objectQName); throw new TrustException("builderNotFound", new Object[] { objectQName }); } return builder.buildObject(objectQName.getNamespaceURI(), objectQName.getLocalPart(), objectQName.getPrefix()); } /** * This method creates KeyInfo element of an assertion. This is a facade, in which it calls * to other helper methods to create KeyInfo. The TokenIssuer will call this method to * create the KeyInfo. * @param doc An Axiom based DOM Document. * @param data The ephemeral key which we use here need in encrypting the message also. Therefore * we need to save the ephemeral key in RahasData passed here. * @param serviceCert Public key used to encrypt the assertion is extracted from this certificate. * @param keySize Size of the key to be used * @param crypto The relevant private key * @param keyComputation Key computation mechanism. * @return OpenSAML KeyInfo representation. * @throws WSSecurityException We use WSS4J to generate encrypted key. This exception will trigger if an * error occurs while generating the encrypted key. * @throws TrustException If an error occurred while creating KeyInfo object. */ public static KeyInfo getSymmetricKeyBasedKeyInfo(Document doc, RahasData data, X509Certificate serviceCert, int keySize, Crypto crypto, int keyComputation) throws WSSecurityException, TrustException { byte[] ephemeralKey = TokenIssuerUtil.getSharedSecret(data, keyComputation, keySize); WSSecEncryptedKey encryptedKey = getSymmetricKeyBasedKeyInfoContent(doc, ephemeralKey, serviceCert, crypto); // Extract the base64 encoded secret value byte[] tempKey = new byte[keySize / 8]; System.arraycopy(encryptedKey.getEphemeralKey(), 0, tempKey, 0, keySize / 8); data.setEphmeralKey(tempKey); EncryptedKey samlEncryptedKey = SAMLUtils.createEncryptedKey(serviceCert, encryptedKey); return SAMLUtils.createKeyInfo(samlEncryptedKey); } static WSSecEncryptedKey getSymmetricKeyBasedKeyInfoContent(Document doc, byte[] ephemeralKey, X509Certificate serviceCert, Crypto crypto) throws WSSecurityException, TrustException { // Create the encrypted key WSSecEncryptedKey encryptedKeyBuilder = new WSSecEncryptedKey(); // Use thumbprint id encryptedKeyBuilder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER); // SEt the encryption cert encryptedKeyBuilder.setUseThisCert(serviceCert); encryptedKeyBuilder.setEphemeralKey(ephemeralKey); // Set key encryption algo encryptedKeyBuilder.setKeyEncAlgo(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15); // Build encryptedKeyBuilder.prepare(doc, crypto); return encryptedKeyBuilder; } /** * Creates the certificate based KeyInfo object. * @param certificate The public key certificate used to create the KeyInfo object. * @return OpenSAML representation of KeyInfo object. * @throws TrustException If an error occurred while creating the KeyInfo */ public static KeyInfo getCertificateBasedKeyInfo(X509Certificate certificate) throws TrustException { X509Data x509Data = CommonUtil.createX509Data(certificate); return SAMLUtils.createKeyInfo(x509Data); } /** * Creates the X509 data element in a SAML issuer token. Should create an element similar to following, * <X509Data xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" * xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> * <X509Certificate> * MIICNTCCAZ6gAwIB... * </X509Certificate> * </X509Data> * @param clientCert Client certificate to be used when generating X509 data * @return SAML X509Data representation. * @throws TrustException If an error occurred while creating X509Data and X509Certificate. */ static X509Data createX509Data(X509Certificate clientCert) throws TrustException { byte[] clientCertBytes; try { clientCertBytes = clientCert.getEncoded(); } catch (CertificateEncodingException e) { log.error("An error occurred while encoding certificate.", e); throw new TrustException("An error occurred while encoding certificate.", e); } String base64Cert = Base64.encode(clientCertBytes); org.opensaml.xml.signature.X509Certificate x509Certificate = (org.opensaml.xml.signature.X509Certificate) CommonUtil .buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME); x509Certificate.setValue(base64Cert); X509Data x509Data = (X509Data) CommonUtil.buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME); x509Data.getX509Certificates().add(x509Certificate); return x509Data; } /** * Gets the SAML callback handler. First checks whether there is a registered callback handler in token * issuer configuration. If not this will check whether there is a callback class configured in token issuer * configuration. If class name is specified this method will create an object of the class and will return. * If class name is also not specified this method will return null. * @param tokenIssuerConfiguration The SAML token issuer configuration. * @param data The RahasData. * @return The SAMLCallbackHandler if configured in token issuer configuration, else null. * @throws TrustException If an error occurred while loading class from class loader */ public static SAMLCallbackHandler getSAMLCallbackHandler(SAMLTokenIssuerConfig tokenIssuerConfiguration, RahasData data) throws TrustException { if (tokenIssuerConfiguration.getCallbackHandler() != null) { return tokenIssuerConfiguration.getCallbackHandler(); } else if (tokenIssuerConfiguration.getCallbackHandlerName() != null && tokenIssuerConfiguration.getCallbackHandlerName().trim().length() > 0) { SAMLCallbackHandler handler; MessageContext msgContext = data.getInMessageContext(); ClassLoader classLoader = msgContext.getAxisService().getClassLoader(); Class cbClass; try { cbClass = Loader.loadClass(classLoader, tokenIssuerConfiguration.getCallbackHandlerName()); } catch (ClassNotFoundException e) { throw new TrustException("cannotLoadPWCBClass", new String[] { tokenIssuerConfiguration.getCallbackHandlerName() }, e); } try { handler = (SAMLCallbackHandler) cbClass.newInstance(); } catch (java.lang.Exception e) { throw new TrustException("cannotCreatePWCBInstance", new String[] { tokenIssuerConfiguration.getCallbackHandlerName() }, e); } return handler; } return null; } }