Posted to commits@cloudstack.apache.org by bh...@apache.org on 2014/09/12 17:16:35 UTC
[01/10] git commit: updated refs/heads/master to d46e459
Repository: cloudstack
Updated Branches:
refs/heads/master aeec24b2c -> d46e45991
saml2: WIP X509 certificate auth stuff
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
(cherry picked from commit f7d409e0f4d2b6f56ec82ae339eff5f477e4a832)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f1440819
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f1440819
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f1440819
Branch: refs/heads/master
Commit: f1440819582ca4c30d337af53a17f31065405585
Parents: aeec24b
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Sat Aug 30 21:38:59 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 14:31:21 2014 +0200
----------------------------------------------------------------------
.../command/SAML2LoginAPIAuthenticatorCmd.java | 14 +++++---
.../cloudstack/saml/SAML2AuthManagerImpl.java | 38 ++++++++++++++++++++
2 files changed, 48 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1440819/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index b279977..b204e72 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -55,7 +55,8 @@ import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.xml.sax.SAXException;
@@ -68,6 +69,10 @@ import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.FactoryConfigurationError;
import java.io.IOException;
import java.net.URLEncoder;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Signature;
import java.util.List;
import java.util.Map;
@@ -134,8 +139,9 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
try {
DefaultBootstrap.bootstrap();
AuthnRequest authnRequest = SAMLUtils.buildAuthnRequestObject(spId, identityProviderUrl, consumerUrl);
- redirectUrl = identityProviderUrl + "?SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest);
- } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException e) {
+ redirectUrl = "SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest);
+ redirectUrl = identityProviderUrl + "?" + SAMLUtils.generateSAMLRequestSignature(redirectUrl, privateKey);
+ } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | SignatureException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
s_logger.error("SAML AuthnRequest message building error: " + e.getMessage());
}
return redirectUrl;
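Review bot: The new catch logs only `e.getMessage()` and then falls through to `return redirectUrl;`, so when signing fails the caller still redirects the browser to whatever `redirectUrl` held before the `try` (its declaration is outside the hunk) and the log carries no stack trace to explain why. Log the throwable, `s_logger.error("SAML AuthnRequest message building error: " + e.getMessage(), e);`, and return null or rethrow so `authenticate()` never issues a redirect to an incomplete URL. `privateKey` is not declared anywhere in this hunk, so presumably it comes from outside it; the multi-catch lists both OpenSAML's and `java.security`'s `SignatureException`, and only one of them is plausibly thrown by this try body. The enclosing method starts before the hunk.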
@@ -176,7 +182,7 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
}
if (_samlAuthManager.getIdpSigningKey() != null) {
- Signature sig = processedSAMLResponse.getSignature();
+ org.opensaml.xml.signature.Signature sig = processedSAMLResponse.getSignature();
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(_samlAuthManager.getIdpSigningKey());
SignatureValidator validator = new SignatureValidator(credential);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1440819/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index aa06320..fa4a695 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -23,6 +23,9 @@ import org.apache.cloudstack.api.command.GetServiceProviderMetaDataCmd;
import org.apache.cloudstack.api.command.SAML2LoginAPIAuthenticatorCmd;
import org.apache.cloudstack.api.command.SAML2LogoutAPIAuthenticatorCmd;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.security.keystore.KeystoreDao;
+import org.apache.cloudstack.framework.security.keystore.KeystoreVO;
+import org.apache.cloudstack.utils.auth.SAMLUtils;
import org.apache.log4j.Logger;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
@@ -42,8 +45,17 @@ import org.springframework.stereotype.Component;
import javax.ejb.Local;
import javax.inject.Inject;
import javax.xml.stream.FactoryConfigurationError;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.spec.RSAPrivateKeySpec;
import java.util.ArrayList;
import java.util.List;
@@ -69,6 +81,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
@Inject
ConfigurationDao _configDao;
+ @Inject
+ private KeystoreDao _ksDao;
+
@Override
public boolean start() {
if (isSAMLPluginEnabled()) {
@@ -80,6 +95,29 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
private boolean setup() {
// TODO: In future if need added logic to get SP X509 cert for Idps that need signed requests
+ KeystoreVO keyStoreVO = _ksDao.findByName(SAMLUtils.CERTIFICATE_NAME);
+ if (keyStoreVO == null) {
+ try {
+ KeyPair keyPair = SAMLUtils.generateRandomKeyPair();
+ _ksDao.save(SAMLUtils.CERTIFICATE_NAME, keyPair.getPrivate().getEncoded().toString(), keyPair.getPublic().getEncoded().toString(), "saml-sp");
+ keyStoreVO = _ksDao.findByName(SAMLUtils.CERTIFICATE_NAME);
+ } catch (NoSuchProviderException | NoSuchAlgorithmException e) {
+ s_logger.error("Unable to create and save SAML keypair");
+ }
+ }
+
+ if (keyStoreVO != null) {
+ PrivateKey privateKey = new RSAPrivateKeySpec();
+ KeyPair keyPair = new KeyPair();
+ }
+
+ try {
+
+ X509Certificate spCert = SAMLUtils.generateRandomX509Certificate();
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException | SignatureException | InvalidKeyException e) {
+ e.printStackTrace();
+ }
+
this.serviceProviderId = _configDao.getValue(Config.SAMLServiceProviderID.key());
this.identityProviderId = _configDao.getValue(Config.SAMLIdentityProviderID.key());
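Review bot: `keyPair.getPrivate().getEncoded().toString()` in the `_ksDao.save(...)` call persists the `byte[].toString()` identity text (`[B@…`), not the key bytes, so the entry saved under `SAMLUtils.CERTIFICATE_NAME` can never be loaded back as a key; Base64-encode the DER bytes before saving. The `if (keyStoreVO != null)` block assigns `new RSAPrivateKeySpec()` to a `PrivateKey` and calls `new KeyPair()`, neither of which has such a constructor (and `RSAPrivateKeySpec` is not a `PrivateKey`), so this does not compile as committed; loading should go through a `KeyFactory` with `PKCS8EncodedKeySpec`/`X509EncodedKeySpec`. Replace `e.printStackTrace();` with `s_logger.error("Unable to generate SP X509 certificate", e);` and pass `e` to the keypair-branch log as well. `spCert` is assigned and never used, and `setup()` continues past the end of the hunk.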
[08/10] git commit: updated refs/heads/master to d46e459
SAML2LoginAPIAuthenticatorCmd: add signature on redirect url
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/394e6130
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/394e6130
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/394e6130
Branch: refs/heads/master
Commit: 394e6130e0657ad4323d9c26dc2f2a2605e8d0fa
Parents: 67f97df
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 16:31:16 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 16:31:16 2014 +0200
----------------------------------------------------------------------
.../api/command/SAML2LoginAPIAuthenticatorCmd.java | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/394e6130/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index b204e72..0257ecf 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -55,8 +55,6 @@ import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.opensaml.xml.signature.SignatureConstants;
-import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.xml.sax.SAXException;
@@ -72,7 +70,6 @@ import java.net.URLEncoder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
-import java.security.Signature;
import java.util.List;
import java.util.Map;
@@ -139,9 +136,12 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
try {
DefaultBootstrap.bootstrap();
AuthnRequest authnRequest = SAMLUtils.buildAuthnRequestObject(spId, identityProviderUrl, consumerUrl);
- redirectUrl = "SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest);
- redirectUrl = identityProviderUrl + "?" + SAMLUtils.generateSAMLRequestSignature(redirectUrl, privateKey);
- } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | SignatureException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
+ PrivateKey privateKey = null;
+ if (_samlAuthManager.getSpKeyPair() != null) {
+ privateKey = _samlAuthManager.getSpKeyPair().getPrivate();
+ }
+ redirectUrl = identityProviderUrl + "?" + SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest), privateKey);
+ } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
s_logger.error("SAML AuthnRequest message building error: " + e.getMessage());
}
return redirectUrl;
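Review bot: With the new `PrivateKey privateKey = null;` fallback, a missing SP key pair silently yields an unsigned AuthnRequest (generateSAMLRequestSignature returns its input unchanged for a null key), and nothing is logged, so an IdP that requires signed requests rejects the login with no hint on the SP side. Add `s_logger.warn("No SP key pair available, sending unsigned SAMLRequest");` in the null branch. The catch still logs only `e.getMessage()` and then returns `redirectUrl` (declared before the hunk) with whatever value it held before the `try`; pass `e` to the logger and avoid redirecting on failure. The enclosing method starts before the hunk.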
[09/10] git commit: updated refs/heads/master to d46e459
SAML2LoginAPIAuthenticatorCmd: Don't support HTTP artifact binding
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/fecc6b6e
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/fecc6b6e
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/fecc6b6e
Branch: refs/heads/master
Commit: fecc6b6e48a623197053a66758071b86fbf3fef1
Parents: 394e613
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 16:47:40 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 16:47:40 2014 +0200
----------------------------------------------------------------------
.../cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/fecc6b6e/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index 0257ecf..0f316a8 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -162,7 +162,7 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, final String remoteAddress, final String responseType, final StringBuilder auditTrailSb, final HttpServletResponse resp) throws ServerApiException {
try {
- if (!params.containsKey("SAMLResponse")) {
+ if (!params.containsKey("SAMLResponse") && !params.containsKey("SAMLart")) {
String idpUrl = null;
final String[] idps = (String[])params.get(ApiConstants.IDP_URL);
if (idps != null && idps.length > 0) {
@@ -171,6 +171,10 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
String redirectUrl = this.buildAuthnRequestUrl(idpUrl);
resp.sendRedirect(redirectUrl);
return "";
+ } if (params.containsKey("SAMLart")) {
+ throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.UNSUPPORTED_ACTION_ERROR.getHttpCode(),
+ "SAML2 HTTP Artifact Binding is not supported",
+ params, responseType));
} else {
final String samlResponse = ((String[])params.get(SAMLUtils.SAML_RESPONSE))[0];
Response processedSAMLResponse = this.processSAMLResponse(samlResponse);
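Review bot: `} if (params.containsKey("SAMLart")) {` on the closing-brace line reads like `else if` but is a separate statement; it only behaves because the preceding branch ends in `return ""`, and removing that return later would fall straight through into the artifact check. Write it as `} else if (params.containsKey("SAMLart")) {` on its own line. This hunk and the previous one test the literal `"SAMLResponse"` while the body reads `params.get(SAMLUtils.SAML_RESPONSE)`; use the constant in both `containsKey` calls (and a `SAMLUtils` constant for `"SAMLart"`) so the two cannot drift apart. The `ServerApiException` is thrown inside the `try` opened in the first hunk, whose catch lies outside the hunk; if that catch handles a supertype, the unsupported-binding error will be swallowed, which is worth confirming.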
[06/10] git commit: updated refs/heads/master to d46e459
SAML2AuthManagerImpl: create or load keystore dao
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5e947e2b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5e947e2b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5e947e2b
Branch: refs/heads/master
Commit: 5e947e2b24ace3df4e913942c6e9a7fee35f1d63
Parents: aaa4b60
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 16:28:02 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 16:28:02 2014 +0200
----------------------------------------------------------------------
.../cloudstack/saml/SAML2AuthManagerImpl.java | 37 ++++++++++++--------
1 file changed, 23 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5e947e2b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index fa4a695..3178f31 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -50,12 +50,11 @@ import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
+import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.spec.RSAPrivateKeySpec;
import java.util.ArrayList;
import java.util.List;
@@ -69,6 +68,8 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
private X509Certificate idpSigningKey;
private X509Certificate idpEncryptionKey;
+ private X509Certificate spX509Key;
+ private KeyPair spKeyPair;
private String spSingleSignOnUrl;
private String idpSingleSignOnUrl;
@@ -93,13 +94,11 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
}
private boolean setup() {
- // TODO: In future if need added logic to get SP X509 cert for Idps that need signed requests
-
KeystoreVO keyStoreVO = _ksDao.findByName(SAMLUtils.CERTIFICATE_NAME);
if (keyStoreVO == null) {
try {
KeyPair keyPair = SAMLUtils.generateRandomKeyPair();
- _ksDao.save(SAMLUtils.CERTIFICATE_NAME, keyPair.getPrivate().getEncoded().toString(), keyPair.getPublic().getEncoded().toString(), "saml-sp");
+ _ksDao.save(SAMLUtils.CERTIFICATE_NAME, SAMLUtils.savePrivateKey(keyPair.getPrivate()), SAMLUtils.savePublicKey(keyPair.getPublic()), "saml-sp");
keyStoreVO = _ksDao.findByName(SAMLUtils.CERTIFICATE_NAME);
} catch (NoSuchProviderException | NoSuchAlgorithmException e) {
s_logger.error("Unable to create and save SAML keypair");
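Review bot: `SAMLUtils.savePrivateKey(...)` and `savePublicKey(...)` return null when the `KeyFactory` or key spec fails (the utils have explicit `return null` paths), yet `_ksDao.save(...)` stores their results unchecked, so a null can be persisted under `SAMLUtils.CERTIFICATE_NAME` and then fail to load on every later start. Check both encodings for null before saving and skip the save otherwise. The argument order also places the private key in the slot read back as `keyStoreVO.getCertificate()` and the public key in `getKey()` (next hunk); if the DAO columns really are named that way, a comment at the save call explaining the mapping would spare the next reader. The catch should pass `e` to `s_logger.error`. Presumably the private key lands in the keystore table Base64-encoded and otherwise unprotected; confirm that is acceptable for the SP signing key or encrypt it like other stored secrets.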
@@ -107,15 +106,16 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
}
if (keyStoreVO != null) {
- PrivateKey privateKey = new RSAPrivateKeySpec();
- KeyPair keyPair = new KeyPair();
- }
-
- try {
-
- X509Certificate spCert = SAMLUtils.generateRandomX509Certificate();
- } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException | SignatureException | InvalidKeyException e) {
- e.printStackTrace();
+ PrivateKey privateKey = SAMLUtils.loadPrivateKey(keyStoreVO.getCertificate());
+ PublicKey publicKey = SAMLUtils.loadPublicKey(keyStoreVO.getKey());
+ if (privateKey != null && publicKey != null) {
+ spKeyPair = new KeyPair(publicKey, privateKey);
+ try {
+ spX509Key = SAMLUtils.generateRandomX509Certificate(spKeyPair);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException | SignatureException | InvalidKeyException e) {
+ s_logger.error("SAML Plugin won't be able to use X509 signed authentication");
+ }
+ }
}
this.serviceProviderId = _configDao.getValue(Config.SAMLServiceProviderID.key());
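Review bot: When `SAMLUtils.generateRandomX509Certificate(spKeyPair)` throws, `spKeyPair` stays populated while `spX509Key` remains null, so redirects are still signed (the login command reads `getSpKeyPair()`) but the metadata command, which reads `getSpX509Key()`, has no certificate to publish; either null out `spKeyPair` in that catch or make every consumer null-check. `s_logger.error("SAML Plugin won't be able to use X509 signed authentication");` drops the cause; pass `e`. If the helper really mints a fresh certificate on every start, the certificate advertised in SP metadata changes on each restart even though the key pair is persisted, which breaks IdPs that pin it; persisting the certificate beside the keys, or at least a comment stating the behaviour, is warranted. `setup()` continues beyond the hunk.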
@@ -233,4 +233,13 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
public Boolean isSAMLPluginEnabled() {
return Boolean.valueOf(_configDao.getValue(Config.SAMLIsPluginEnabled.key()));
}
+
+ public X509Certificate getSpX509Key() {
+ return spX509Key;
+ }
+
+ @Override
+ public KeyPair getSpKeyPair() {
+ return spKeyPair;
+ }
}
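Review bot: `getSpX509Key()` lacks `@Override` although the interface declares it (commit aaa4b60b adds both methods), while the sibling `getSpKeyPair()` has it; add `@Override` so a later interface change fails at compile time rather than leaving a stray method. Both getters return null until `setup()` has loaded the key pair and generated the certificate, and callers need to know that; a one-line Javadoc such as `/** SP signing certificate, or null when no key pair could be loaded or generated. */` on each would do.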
[07/10] git commit: updated refs/heads/master to d46e459
GetServiceProviderMetaDataCmd: in metadata use SP's own X509 certs
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/67f97df0
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/67f97df0
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/67f97df0
Branch: refs/heads/master
Commit: 67f97df00f9de386e8eb79d3f6b3819aa47119ec
Parents: 5e947e2
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 16:30:52 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 16:30:52 2014 +0200
----------------------------------------------------------------------
.../api/command/GetServiceProviderMetaDataCmd.java | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/67f97df0/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
index 437f4a3..194d94f 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
@@ -134,14 +134,14 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
signKeyDescriptor.setUse(UsageType.SIGNING);
BasicX509Credential credential = new BasicX509Credential();
- credential.setEntityCertificate(_samlAuthManager.getIdpSigningKey());
+ credential.setEntityCertificate(_samlAuthManager.getSpX509Key());
try {
encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
- //TODO: generate own pub/priv keys
- //spSSODescriptor.getKeyDescriptors().add(encKeyDescriptor);
- //spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
- } catch (SecurityException ignored) {
+ spSSODescriptor.getKeyDescriptors().add(encKeyDescriptor);
+ spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+ } catch (SecurityException e) {
+ s_logger.warn("Unable to add SP X509 descriptors:" + e.getMessage());
}
NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
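Review bot: `credential.setEntityCertificate(_samlAuthManager.getSpX509Key())` can now receive null (the manager leaves `spX509Key` unset when keystore loading or certificate generation fails), and `keyInfoGenerator.generate(credential)` is guarded only against `SecurityException`, so the metadata either publishes empty KeyDescriptors or fails with an unrelated exception. Skip adding the descriptors when the certificate is null and log why. The same certificate is advertised for both the encryption descriptor (`encKeyDescriptor`) and the signing one (`signKeyDescriptor`); reusing one key for both roles is a recognised weakness, and if it is a deliberate simplification it deserves a comment. The warn log should carry the throwable, `s_logger.warn("Unable to add SP X509 descriptors:" + e.getMessage(), e);`.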
[03/10] git commit: updated refs/heads/master to d46e459
SAMLUtils: Fix NPE incase signature is generated with a null privateKey
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5a0ed876
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5a0ed876
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5a0ed876
Branch: refs/heads/master
Commit: 5a0ed8764be12cbf028f829d2db1d1af01a8a283
Parents: a66127d
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 15:46:44 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 15:46:44 2014 +0200
----------------------------------------------------------------------
utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5a0ed876/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index 82e840a..b085e49 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -218,6 +218,9 @@ public class SAMLUtils {
public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
+ if (signingKey == null || urlEncodedString == null) {
+ return null;
+ }
String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(signingKey);
[04/10] git commit: updated refs/heads/master to d46e459
utils: add missing string to the url in generate saml signature method
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/84b0e9e9
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/84b0e9e9
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/84b0e9e9
Branch: refs/heads/master
Commit: 84b0e9e96fb7e47fd5df55e54440b49de3befbf3
Parents: 5a0ed87
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 16:26:13 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 16:26:13 2014 +0200
----------------------------------------------------------------------
utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/84b0e9e9/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index b085e49..e2c77b9 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -218,14 +218,14 @@ public class SAMLUtils {
public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
- if (signingKey == null || urlEncodedString == null) {
- return null;
+ if (signingKey == null) {
+ return urlEncodedString;
}
String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(signingKey);
signature.update(url.getBytes());
- return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
+ return url + "&Signature=" + URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
}
public static KeyFactory getKeyFactory() {
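Review bot: `signature.update(url.getBytes())` signs bytes in the JVM's default charset, while `url` was URL-encoded with `HttpUtils.UTF_8`; on a non-UTF-8 platform the IdP verifying over the UTF-8 query string sees a different byte sequence and the signature fails. Use `signature.update(url.getBytes(HttpUtils.UTF_8));` — the method already declares `UnsupportedEncodingException`. The pair `ALGO_ID_SIGNATURE_RSA_SHA1` / `"SHA1withRSA"` is internally consistent but SHA-1 based; where the target IdPs allow it, `SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256` with `"SHA256withRSA"` is the current recommendation. Returning the unsigned `urlEncodedString` for a null `signingKey` is now indistinguishable to the caller from a signed result; a debug log there or a Javadoc line such as `@return the query string, with SigAlg and Signature appended only when a signing key is available` would make the contract explicit.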
[05/10] git commit: updated refs/heads/master to d46e459
SAML2AuthManager: add new methods to the interface
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/aaa4b60b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/aaa4b60b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/aaa4b60b
Branch: refs/heads/master
Commit: aaa4b60b23569fff4d27210098a238c38ab2264c
Parents: 84b0e9e
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 16:27:11 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 16:27:11 2014 +0200
----------------------------------------------------------------------
.../saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aaa4b60b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 507fa04..3ee7522 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.saml;
import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
+import java.security.KeyPair;
import java.security.cert.X509Certificate;
public interface SAML2AuthManager extends PluggableAPIAuthenticator {
@@ -27,6 +28,8 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
public X509Certificate getIdpSigningKey();
public X509Certificate getIdpEncryptionKey();
+ public X509Certificate getSpX509Key();
+ public KeyPair getSpKeyPair();
public String getSpSingleSignOnUrl();
public String getIdpSingleSignOnUrl();
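Review bot: The two new interface methods `getSpX509Key()` and `getSpKeyPair()` carry no Javadoc, and the implementation in commit 5e947e2b returns null from both until the keystore entry is loaded and a certificate generated, so that contract needs stating here where callers read it. Suggest `/** @return the SP's self-signed signing certificate, or null if none could be generated */` and `/** @return the SP's persisted signing key pair, or null if the keystore entry is missing or unreadable */`. `getSpX509Key` returns a certificate rather than a key; it follows the existing `getIdpSigningKey` naming, but a note on that would avoid confusion.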
[10/10] git commit: updated refs/heads/master to d46e459
SAMLUtils: put name id policy on authnrequest
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d46e4599
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d46e4599
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d46e4599
Branch: refs/heads/master
Commit: d46e45991de29919e03f5f60250d4e9c4d7d06b0
Parents: fecc6b6
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 17:11:06 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 17:11:06 2014 +0200
----------------------------------------------------------------------
utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d46e4599/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index e2c77b9..b08fa24 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -154,8 +154,8 @@ public class SAMLUtils {
authnRequest.setIssueInstant(new DateTime());
authnRequest.setProtocolBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
authnRequest.setAssertionConsumerServiceURL(consumerUrl);
- //authnRequest.setProviderName(spId);
- //authnRequest.setNameIDPolicy(nameIdPolicy);
+ authnRequest.setProviderName(spId);
+ authnRequest.setNameIDPolicy(nameIdPolicy);
//authnRequest.setRequestedAuthnContext(requestedAuthnContext);
return authnRequest;
[02/10] git commit: updated refs/heads/master to d46e459
utils: add methods to save and load public and private keys
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a66127df
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a66127df
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a66127df
Branch: refs/heads/master
Commit: a66127dfb12476d098dfbdcc12dbc0beb29c92ee
Parents: f144081
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Sep 12 15:40:49 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Sep 12 15:40:49 2014 +0200
----------------------------------------------------------------------
.../apache/cloudstack/utils/auth/SAMLUtils.java | 69 ++++++++++++++++++++
.../cloudstack/utils/auth/SAMLUtilsTest.java | 18 +++++
2 files changed, 87 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a66127df/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index 55c2ee2..82e840a 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -72,17 +72,22 @@ import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.InvalidKeyException;
+import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
+import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
import java.util.Date;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
@@ -220,6 +225,70 @@ public class SAMLUtils {
return URLEncoder.encode(Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES), HttpUtils.UTF_8);
}
+ public static KeyFactory getKeyFactory() {
+ KeyFactory keyFactory = null;
+ try {
+ Security.addProvider(new BouncyCastleProvider());
+ keyFactory = KeyFactory.getInstance("RSA", "BC");
+ } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+ s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+ }
+ return keyFactory;
+ }
+
+ public static String savePublicKey(PublicKey key) {
+ try {
+ KeyFactory keyFactory = SAMLUtils.getKeyFactory();
+ if (keyFactory == null) return null;
+ X509EncodedKeySpec spec = keyFactory.getKeySpec(key, X509EncodedKeySpec.class);
+ return new String(org.bouncycastle.util.encoders.Base64.encode(spec.getEncoded()));
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+ }
+ return null;
+ }
+
+ public static String savePrivateKey(PrivateKey key) {
+ try {
+ KeyFactory keyFactory = SAMLUtils.getKeyFactory();
+ if (keyFactory == null) return null;
+ PKCS8EncodedKeySpec spec = keyFactory.getKeySpec(key,
+ PKCS8EncodedKeySpec.class);
+ return new String(org.bouncycastle.util.encoders.Base64.encode(spec.getEncoded()));
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+ }
+ return null;
+ }
+
+ public static PublicKey loadPublicKey(String publicKey) {
+ byte[] sigBytes = org.bouncycastle.util.encoders.Base64.decode(publicKey);
+ X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(sigBytes);
+ KeyFactory keyFact = SAMLUtils.getKeyFactory();
+ if (keyFact == null)
+ return null;
+ try {
+ return keyFact.generatePublic(x509KeySpec);
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create PrivateKey from privateKey string:" + e.getMessage());
+ }
+ return null;
+ }
+
+ public static PrivateKey loadPrivateKey(String privateKey) {
+ byte[] sigBytes = org.bouncycastle.util.encoders.Base64.decode(privateKey);
+ PKCS8EncodedKeySpec pkscs8KeySpec = new PKCS8EncodedKeySpec(sigBytes);
+ KeyFactory keyFact = SAMLUtils.getKeyFactory();
+ if (keyFact == null)
+ return null;
+ try {
+ return keyFact.generatePrivate(pkscs8KeySpec);
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create PrivateKey from privateKey string:" + e.getMessage());
+ }
+ return null;
+ }
+
public static KeyPair generateRandomKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
Security.addProvider(new BouncyCastleProvider());
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
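Review bot: The catch blocks in savePublicKey and savePrivateKey log "Unable to create KeyFactory:" for an InvalidKeySpecException, and loadPublicKey logs "Unable to create PrivateKey from privateKey string" — copy-pasted messages that will misdirect whoever debugs a failed SP key load, and only getMessage() is kept so the stack trace is lost; give each method its own message and pass the exception, e.g. `s_logger.error("Unable to encode public key: " + e.getMessage(), e);`. All four helpers then return null, which a caller only discovers as a NullPointerException at the first sign or verify, and the Base64.decode calls in the two load methods sit outside the try, so a corrupt stored string appears to surface as an unchecked decoder exception rather than the null the methods otherwise promise. `new String(...)` in both save methods uses the platform default charset; Base64 output is ASCII so it works in practice, but it should be spelled `new String(..., StandardCharsets.US_ASCII)` so the encoding does not depend on the JVM's locale. Note also that PKCS8EncodedKeySpec is the unencrypted PKCS#8 form, so whatever persists savePrivateKey's output (not visible in this hunk) holds the SP signing key in the clear and must never reach logs or API responses. Calling Security.addProvider on every getKeyFactory call is harmless (it is a no-op once BC is installed) but belongs in a static initializer.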
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a66127df/utils/test/org/apache/cloudstack/utils/auth/SAMLUtilsTest.java
----------------------------------------------------------------------
diff --git a/utils/test/org/apache/cloudstack/utils/auth/SAMLUtilsTest.java b/utils/test/org/apache/cloudstack/utils/auth/SAMLUtilsTest.java
index f7aaeae..85be2ef 100644
--- a/utils/test/org/apache/cloudstack/utils/auth/SAMLUtilsTest.java
+++ b/utils/test/org/apache/cloudstack/utils/auth/SAMLUtilsTest.java
@@ -26,6 +26,10 @@ import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.impl.NameIDBuilder;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
public class SAMLUtilsTest extends TestCase {
@Test
@@ -64,4 +68,18 @@ public class SAMLUtilsTest extends TestCase {
assertEquals(req.getNameID().getValue(), nameIdString);
assertEquals(req.getSessionIndexes().get(0).getSessionIndex(), sessionIndex);
}
+
+ @Test
+ public void testX509Helpers() throws Exception {
+ KeyPair keyPair = SAMLUtils.generateRandomKeyPair();
+
+ String privateKeyString = SAMLUtils.savePrivateKey(keyPair.getPrivate());
+ String publicKeyString = SAMLUtils.savePublicKey(keyPair.getPublic());
+
+ PrivateKey privateKey = SAMLUtils.loadPrivateKey(privateKeyString);
+ PublicKey publicKey = SAMLUtils.loadPublicKey(publicKeyString);
+
+ assertTrue(privateKey.equals(keyPair.getPrivate()));
+ assertTrue(publicKey.equals(keyPair.getPublic()));
+ }
}
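Review bot: testX509Helpers dereferences the results of loadPrivateKey and loadPublicKey directly, but both helpers return null on failure, so a regression shows up as a NullPointerException instead of an assertion; add `assertNotNull(privateKey);` and `assertNotNull(publicKey);` before the comparisons, and prefer `assertEquals(keyPair.getPrivate(), privateKey);` over `assertTrue(a.equals(b))` so a failure prints both values. The test only round-trips a freshly generated pair, so it would still pass if the encoding silently changed; a fixed known-good PKCS#8/X.509 Base64 fixture would additionally pin the format that already-stored keys depend on. The name is also slightly misleading, since the helpers deal with raw key encodings rather than X.509 certificates — `testKeyEncodingRoundTrip` would describe it better.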
\ No newline at end of file