Posted to commits@syncope.apache.org by co...@apache.org on 2017/08/11 12:15:15 UTC
[3/3] syncope git commit: SYNCOPE-1194 - Sign the SAML SSO Service
Provider Metadata
SYNCOPE-1194 - Sign the SAML SSO Service Provider Metadata
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a22a6b55
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a22a6b55
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a22a6b55
Branch: refs/heads/master
Commit: a22a6b55f83846bf06bbb322e9acc234a9425ea5
Parents: 5da5326
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Aug 11 11:59:08 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Aug 11 13:15:07 2017 +0100
----------------------------------------------------------------------
.../apache/syncope/core/logic/SAML2SPLogic.java | 1 +
.../core/logic/saml2/SAML2ReaderWriter.java | 3 +--
.../org/apache/syncope/fit/core/SAML2ITCase.java | 18 ++++++++++++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/a22a6b55/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 87b7eb6..31ef8c4 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -200,6 +200,7 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
}
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+ saml2rw.sign(spEntityDescriptor);
saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
} catch (Exception e) {
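Review bot: Now that the descriptor is signed, the serialization on the line right after the new `saml2rw.sign(spEntityDescriptor);` still goes through `new OutputStreamWriter(os)`, i.e. the platform default charset, so any non-ASCII value in the metadata would be emitted in whatever charset the JVM happens to run with rather than the one the XML declaration presumably announces, and a relying party's signature check over that output could fail. Passing the charset explicitly, `saml2rw.write(new OutputStreamWriter(os, StandardCharsets.UTF_8), spEntityDescriptor, true);` (with the matching `java.nio.charset.StandardCharsets` import), removes the platform dependence. The new sign() line also deserves a short why-comment since, as far as the hunk shows, the signature value appears to be produced only when the descriptor is marshalled by the write call, e.g. `// attach the Signature; the value is computed when the descriptor is marshalled below`. The enclosing method starts and ends outside the hunk.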
http://git-wip-us.apache.org/repos/asf/syncope/blob/a22a6b55/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index e83af5e..fa48e77 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -152,14 +152,13 @@ public class SAML2ReaderWriter {
return responseObject;
}
- public void sign(final RequestAbstractType request) throws SecurityException {
+ public void sign(final SignableSAMLObject signableObject) throws SecurityException {
org.opensaml.xmlsec.signature.Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setSignatureAlgorithm(sigAlgo);
signature.setSigningCredential(loader.getCredential());
signature.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
- SignableSAMLObject signableObject = (SignableSAMLObject) request;
signableObject.setSignature(signature);
signableObject.releaseDOM();
signableObject.releaseChildrenDOM(true);
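Review bot: The generalized `public void sign(final SignableSAMLObject signableObject)` is now used for metadata as well as requests but carries no Javadoc stating its contract, which is non-obvious: it builds a Signature with the configured `sigAlgo`, the loader credential and a generated KeyInfo, attaches it, and then drops the object's cached DOM, and (as far as this hunk shows) does not itself compute the signature value, which the caller has to trigger at marshalling time. A Javadoc such as `/** Attaches a Signature (configured algorithm, loader credential, generated KeyInfo) to the given object and releases its cached DOM so the signature value is produced on the next marshalling. @throws SecurityException if the credential or KeyInfo cannot be obtained */` would make that explicit. Minor style point: `loader.getCredential()` is called on two consecutive lines; a single local holding the credential reads better and avoids repeating whatever work the loader does. The method's closing brace is outside the visible hunk.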
http://git-wip-us.apache.org/repos/asf/syncope/blob/a22a6b55/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
index b87db1b..93608c2 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
@@ -30,10 +30,13 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
+import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Optional;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
+import javax.xml.namespace.QName;
+
import org.apache.commons.codec.binary.Base64;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.client.WebClient;
@@ -67,6 +70,7 @@ import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.xml.security.signature.XMLSignature;
import org.joda.time.DateTime;
import org.junit.AfterClass;
import org.junit.Assume;
@@ -74,6 +78,7 @@ import org.junit.BeforeClass;
import org.junit.Test;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -142,6 +147,19 @@ public class SAML2ITCase extends AbstractITCase {
new InputStreamReader((InputStream) response.getEntity(), StandardCharsets.UTF_8));
assertEquals("EntityDescriptor", responseDoc.getDocumentElement().getLocalName());
assertEquals("urn:oasis:names:tc:SAML:2.0:metadata", responseDoc.getDocumentElement().getNamespaceURI());
+
+ // Get the signature
+ QName signatureQName = new QName(SignatureConstants.XMLSIG_NS, "Signature");
+ Element signatureElement =
+ DOMUtils.getFirstChildWithName(responseDoc.getDocumentElement(), signatureQName);
+ assertNotNull(signatureElement);
+
+ // Validate the signature
+ XMLSignature signature = new XMLSignature(signatureElement, null);
+ KeyStore keystore = KeyStore.getInstance("JKS");
+ keystore.load(Loader.getResourceAsStream("keystore"), "changeit".toCharArray());
+ assertTrue(signature.checkSignatureValue((X509Certificate)keystore.getCertificate("sp")));
+
} catch (Exception e) {
LOG.error("During SAML 2.0 SP metadata parsing", e);
fail(e.getMessage());
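Review bot: The keystore stream opened on the new line `keystore.load(Loader.getResourceAsStream("keystore"), "changeit".toCharArray());` is never closed, since KeyStore.load leaves closing to the caller; a try-with-resources keeps the test from leaking a file handle: `try (InputStream ks = Loader.getResourceAsStream("keystore")) { keystore.load(ks, "changeit".toCharArray()); }`. The assertion on the following line only establishes that the signature value verifies under the "sp" certificate; it says nothing about what was signed, so the test would still pass if the Signature referenced something other than the EntityDescriptor — additionally asserting that the single enveloped Reference has an empty URI (covering the document element) would pin the intended behaviour. The enclosing test method starts before the hunk.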