You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2011/08/18 17:54:41 UTC
svn commit: r1159288 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
test/java/org/apache/ws/security/saml/ext/
test/java/org/apache/ws/security/saml/ext/AssertionSigningTest.java
Author: coheigea
Date: Thu Aug 18 15:54:41 2011
New Revision: 1159288
URL: http://svn.apache.org/viewvc?rev=1159288&view=rev
Log:
[WSS-309] - Improve the configurability of the SAML signature creation in AssertionWrapper
- Patch applied, thanks!
Added:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/ext/
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/ext/AssertionSigningTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java?rev=1159288&r1=1159287&r2=1159288&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/ext/AssertionWrapper.java Thu Aug 18 15:54:41 2011
@@ -126,6 +126,21 @@ public class AssertionWrapper {
private SAMLKeyInfo signatureKeyInfo;
/**
+ * Default Canonicalization algorithm used for signing.
+ */
+ private final String defaultCanonicalizationAlgorithm = SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
+
+ /**
+ * Default RSA Signature algorithm used for signing.
+ */
+ private final String defaultRSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+
+ /**
+ * Default DSA Signature algorithm used for signing.
+ */
+ private final String defaultDSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
+
+ /**
* Constructor AssertionWrapper creates a new AssertionWrapper instance.
*
* @param element of type Element
@@ -510,39 +525,55 @@ public class AssertionWrapper {
* @param sendKeyValue whether to send the key value or not
* @throws WSSecurityException
*/
- public void signAssertion(
- String issuerKeyName,
- String issuerKeyPassword,
- Crypto issuerCrypto,
- boolean sendKeyValue
- ) throws WSSecurityException {
+ public void signAssertion(String issuerKeyName, String issuerKeyPassword,
+ Crypto issuerCrypto, boolean sendKeyValue)
+ throws WSSecurityException {
+
+ signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto,
+ sendKeyValue, defaultCanonicalizationAlgorithm,
+ defaultRSASignatureAlgorithm);
+ }
+
+ /**
+ * Create an enveloped signature on the assertion that has been created.
+ *
+ * @param issuerKeyName the Issuer KeyName to use with the issuerCrypto argument
+ * @param issuerKeyPassword the Issuer Password to use with the issuerCrypto argument
+ * @param issuerCrypto the Issuer Crypto instance
+ * @param sendKeyValue whether to send the key value or not
+ * @param canonicalizationAlgorithm the canonicalization algorithm to be used for signing
+ * @param signatureAlgorithm the signature algorithm to be used for signing
+ * @throws WSSecurityException
+ */
+ public void signAssertion(String issuerKeyName, String issuerKeyPassword,
+ Crypto issuerCrypto, boolean sendKeyValue,
+ String canonicalizationAlgorithm, String signatureAlgorithm)
+ throws WSSecurityException {
//
// Create the signature
//
Signature signature = OpenSAMLUtil.buildSignature();
- signature.setCanonicalizationAlgorithm(
- SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS
- );
-
+ signature.setCanonicalizationAlgorithm(canonicalizationAlgorithm);
+ log.debug("Using Canonicalization algorithm " + canonicalizationAlgorithm);
// prepare to sign the SAML token
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(issuerKeyName);
X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
if (issuerCerts == null) {
throw new WSSecurityException(
- "No issuer certs were found to sign the SAML Assertion using issuer name: "
- + issuerKeyName
- );
+ "No issuer certs were found to sign the SAML Assertion using issuer name: "
+ + issuerKeyName);
}
- String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+ String sigAlgo = signatureAlgorithm;
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
if (log.isDebugEnabled()) {
log.debug("automatic sig algo detection: " + pubKeyAlgo);
}
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
- sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
+ sigAlgo = defaultDSASignatureAlgorithm;
}
+ log.debug("Using Signature algorithm " + sigAlgo);
PrivateKey privateKey = null;
try {
privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
@@ -565,12 +596,12 @@ public class AssertionWrapper {
kiFactory.setEmitEntityCertificate(true);
}
try {
- KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
+ KeyInfo keyInfo = kiFactory.newInstance().generate(
+ signingCredential);
signature.setKeyInfo(keyInfo);
} catch (org.opensaml.xml.security.SecurityException ex) {
throw new WSSecurityException(
- "Error generating KeyInfo from signing credential", ex
- );
+ "Error generating KeyInfo from signing credential", ex);
}
// add the signature to the assertion
Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/ext/AssertionSigningTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/ext/AssertionSigningTest.java?rev=1159288&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/ext/AssertionSigningTest.java (added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/saml/ext/AssertionSigningTest.java Thu Aug 18 15:54:41 2011
@@ -0,0 +1,115 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.saml.ext;
+
+import java.io.InputStream;
+import java.security.KeyStore;
+
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.common.SAML2CallbackHandler;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.Merlin;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
+import org.apache.ws.security.util.Loader;
+import org.junit.Assert;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+
+/**
+ * A list of test-cases to test the functionality of signing with
+ * AssertionWrapper class implementation.
+ */
+
+public class AssertionSigningTest extends org.junit.Assert {
+
+ private Crypto issuerCrypto = null;
+ // Default Canonicalization algorithm used by AssertionWrapper class.
+ private final String defaultCanonicalizationAlgorithm = SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
+ // Default RSA Signature algorithm used by AssertionWrapper class.
+ private final String defaultRSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+ // Default DSA Signature algorithm used by AssertionWrapper class.
+ private final String defaultDSASignatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
+ // Custom Signature algorithm
+ private final String customSignatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+ // Custom Canonicalization algorithm
+ private final String customCanonicalizationAlgorithm = SignatureConstants.ALGO_ID_C14N_OMIT_COMMENTS;
+
+ public AssertionSigningTest() throws Exception {
+ WSSConfig.init();
+ // Load the issuer keystore
+ issuerCrypto = new Merlin();
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ ClassLoader loader = Loader.getClassLoader(AssertionSigningTest.class);
+ InputStream input = Merlin.loadInputStream(loader,
+ "keys/client_keystore.jks");
+ keyStore.load(input, "password".toCharArray());
+ ((Merlin) issuerCrypto).setKeyStore(keyStore);
+ }
+
+ /**
+ * Test that creates an AssertionWrapper object and signs using default
+ * signature and canonicalization algorithms. The defaults should match
+ * otherwise the test-case fails.
+ */
+ @org.junit.Test
+ public void testSigningWithDefaultAlgorithms() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler
+ .setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+ callbackHandler.setIssuer("www.example.com");
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+ assertion.signAssertion("client_certchain", "password", issuerCrypto,
+ false);
+ Signature signature = assertion.getSaml2().getSignature();
+ Assert.assertTrue(signature.getSignatureAlgorithm().equalsIgnoreCase(
+ defaultRSASignatureAlgorithm)
+ || signature.getSignatureAlgorithm().equalsIgnoreCase(
+ defaultDSASignatureAlgorithm));
+ Assert.assertEquals(defaultCanonicalizationAlgorithm,
+ signature.getCanonicalizationAlgorithm());
+ }
+
+ /**
+ * Test that creates an AssertionWrapper object and signs using custom
+ * signature and canonicalization algorithms.
+ */
+ @org.junit.Test
+ public void testSigningWithCustomAlgorithms() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+ callbackHandler
+ .setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+ callbackHandler.setIssuer("www.example.com");
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+ assertion.signAssertion("client_certchain", "password", issuerCrypto,
+ false, customCanonicalizationAlgorithm,
+ customSignatureAlgorithm);
+ Signature signature = assertion.getSaml2().getSignature();
+ Assert.assertEquals(customSignatureAlgorithm,
+ signature.getSignatureAlgorithm());
+ Assert.assertEquals(customCanonicalizationAlgorithm,
+ signature.getCanonicalizationAlgorithm());
+ }
+}