Posted to commits@syncope.apache.org by co...@apache.org on 2017/08/30 13:10:16 UTC
syncope git commit: SYNCOPE-1198 - Make the signature algorithm
configurable for SAML SSO
Repository: syncope
Updated Branches:
refs/heads/master 43d3792fc -> f15efd5b3
SYNCOPE-1198 - Make the signature algorithm configurable for SAML SSO
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/f15efd5b
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/f15efd5b
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/f15efd5b
Branch: refs/heads/master
Commit: f15efd5b33f583aab967d7deaf6da255a2aa33b8
Parents: 43d3792
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Aug 30 13:08:50 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Aug 30 13:08:50 2017 +0100
----------------------------------------------------------------------
.../common/lib/types/SignatureAlgorithm.java | 59 ++++++++++++++++++++
.../syncope/core/logic/init/SAML2SPLoader.java | 7 +++
.../core/logic/saml2/SAML2ReaderWriter.java | 32 ++++++++---
.../src/main/resources/saml2sp-logic.properties | 1 +
.../main/resources/all/saml2sp-logic.properties | 1 +
5 files changed, 93 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/f15efd5b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SignatureAlgorithm.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SignatureAlgorithm.java b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SignatureAlgorithm.java
new file mode 100644
index 0000000..315d239
--- /dev/null
+++ b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SignatureAlgorithm.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.types;
+
+public enum SignatureAlgorithm {
+
+ RSA_SHA1("http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
+ RSA_SHA224("http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"),
+ RSA_SHA256("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"),
+ RSA_SHA384("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"),
+ RSA_SHA512("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"),
+
+ RSA_SHA1_MGF1("http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1"),
+ RSA_SHA224_MGF1("http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1"),
+ RSA_SHA256_MGF1("http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"),
+ RSA_SHA384_MGF1("http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1"),
+ RSA_SHA512_MGF1("http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1"),
+
+ EC_SHA1("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"),
+ EC_SHA224("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"),
+ EC_SHA256("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"),
+ EC_SHA384("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"),
+ EC_SHA512("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"),
+
+ HMAC_SHA1("http://www.w3.org/2000/09/xmldsig#hmac-sha1"),
+ HMAC_SHA224("http://www.w3.org/2001/04/xmldsig-more#hmac-sha224"),
+ HMAC_SHA256("http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"),
+ HMAC_SHA384("http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"),
+ HMAC_SHA512("http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"),
+
+ DSA_SHA1("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
+
+ private final String algorithm;
+
+ SignatureAlgorithm(final String algorithm) {
+ this.algorithm = algorithm;
+ }
+
+ public String getAlgorithm() {
+ return algorithm;
+ }
+
+}
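Review bot: The new enum and its getter carry no Javadoc, so nothing tells a reader that these constant names are the accepted values of the `signature.algorithm` property or that `getAlgorithm()` returns the XML Signature algorithm URI rather than a JCE name; a class comment such as `/** XML Signature algorithms selectable through the {@code signature.algorithm} property; {@link #getAlgorithm()} yields the algorithm URI. */` would close that gap. The list also mixes key types: the HMAC_* entries are symmetric-key URIs, and since SAML2ReaderWriter derives its default from `loader.getCredential().getPublicKey()` (an asymmetric credential) it is unclear whether they can ever be used here — worth confirming before exposing them as configuration. The SHA-1 entries (RSA_SHA1, EC_SHA1, DSA_SHA1, HMAC_SHA1) presumably remain for interoperability with older IdPs; a one-line comment stating that, so operators know the SHA-256 variants are the ones to prefer, would help.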
http://git-wip-us.apache.org/repos/asf/syncope/blob/f15efd5b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
index a4230b2..308b95e 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
@@ -71,6 +71,8 @@ public class SAML2SPLoader implements SyncopeLoader {
private Credential credential;
+ private String signatureAlgorithm;
+
@Override
public Integer getPriority() {
return 1000;
@@ -96,6 +98,7 @@ public class SAML2SPLoader implements SyncopeLoader {
assertNotNull(keyPass, "<keystore.keypass>");
String certAlias = props.getProperty("sp.cert.alias");
assertNotNull(certAlias, "<sp.cert.alias>");
+ signatureAlgorithm = props.getProperty("signature.algorithm");
LOG.debug("Attempting to load the provided keystore...");
try {
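Review bot: `signature.algorithm` is read at the added line without any check, while the neighbouring properties are validated with assertNotNull; the value is only consumed later by `SignatureAlgorithm.valueOf` in SAML2ReaderWriter, so a misspelled name surfaces far from where it was configured. The property is evidently optional (null leads to the key-type default), so a null check is not wanted, but a comment and a `strip()` would document and harden it: `// optional; must be a SignatureAlgorithm constant name, null selects the key-type default` and `signatureAlgorithm = props.getProperty("signature.algorithm");` followed by `if (signatureAlgorithm != null) { signatureAlgorithm = signatureAlgorithm.trim(); }` — Properties keeps trailing whitespace in values, and a trailing space would otherwise fail `valueOf`. The enclosing load method starts before this hunk.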
@@ -142,4 +145,8 @@ public class SAML2SPLoader implements SyncopeLoader {
return credential;
}
+ public String getSignatureAlgorithm() {
+ return signatureAlgorithm;
+ }
+
}
http://git-wip-us.apache.org/repos/asf/syncope/blob/f15efd5b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index 8bf0c47..090009c 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -48,6 +48,7 @@ import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.syncope.common.lib.SSOConstants;
import org.apache.syncope.common.lib.types.SAML2BindingType;
+import org.apache.syncope.common.lib.types.SignatureAlgorithm;
import org.apache.syncope.core.logic.init.SAML2SPLoader;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
@@ -99,14 +100,31 @@ public class SAML2ReaderWriter {
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
- sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
- String pubKeyAlgo = loader.getCredential().getPublicKey().getAlgorithm();
- if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
- sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1;
- } else if (pubKeyAlgo.equalsIgnoreCase("EC")) {
- sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1;
+ // Try to load a signature algorithm
+ if (loader.getSignatureAlgorithm() != null) {
+ SignatureAlgorithm loadedSignatureAlgorithm =
+ SignatureAlgorithm.valueOf(loader.getSignatureAlgorithm());
+ if (loadedSignatureAlgorithm != null) {
+ sigAlgo = loadedSignatureAlgorithm.getAlgorithm();
+ jceSigAlgo = JCEMapper.translateURItoJCEID(sigAlgo);
+ }
+ if (jceSigAlgo == null) {
+ LOG.warn("Signature algorithm {} is not valid. Using default algorithm instead.",
+ loader.getSignatureAlgorithm());
+ sigAlgo = null;
+ }
+ }
+
+ if (sigAlgo == null) {
+ sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+ String pubKeyAlgo = loader.getCredential().getPublicKey().getAlgorithm();
+ if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+ sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1;
+ } else if (pubKeyAlgo.equalsIgnoreCase("EC")) {
+ sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1;
+ }
+ jceSigAlgo = JCEMapper.translateURItoJCEID(sigAlgo);
}
- jceSigAlgo = JCEMapper.translateURItoJCEID(sigAlgo);
callbackHandler = new SAMLSPCallbackHandler(loader.getKeyPass());
}
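Review bot: `SignatureAlgorithm.valueOf(loader.getSignatureAlgorithm())` throws IllegalArgumentException for any name that is not a constant of the enum, so the `if (loadedSignatureAlgorithm != null)` branch is dead and the "not valid. Using default algorithm instead." warning can only fire when `JCEMapper.translateURItoJCEID` returns null for a known URI; a typo in `signature.algorithm` aborts initialisation instead of falling back as the log message promises. Wrapping the lookup in a try/catch restores the intended fallback, as below. Two further points: the configured algorithm is never checked against the key type of `loader.getCredential()` (for example an RSA_* URI with an EC key), so a mismatch is presumably only detected at signing time, and the fallback relies on `sigAlgo`/`jceSigAlgo` starting out null, which depends on field declarations outside this hunk. The enclosing constructor or init method starts before the hunk.
```java
            // Try to load a signature algorithm
            if (loader.getSignatureAlgorithm() != null) {
                try {
                    SignatureAlgorithm loadedSignatureAlgorithm =
                            SignatureAlgorithm.valueOf(loader.getSignatureAlgorithm());
                    sigAlgo = loadedSignatureAlgorithm.getAlgorithm();
                    jceSigAlgo = JCEMapper.translateURItoJCEID(sigAlgo);
                } catch (IllegalArgumentException e) {
                    // valueOf rejects unknown names; fall through to the key-type default below
                    LOG.warn("Signature algorithm {} is not a known SignatureAlgorithm name",
                            loader.getSignatureAlgorithm(), e);
                }
                if (jceSigAlgo == null) {
                    LOG.warn("Signature algorithm {} is not valid. Using default algorithm instead.",
                            loader.getSignatureAlgorithm());
                    sigAlgo = null;
                }
            }
            // … unchanged: key-type default selection and callbackHandler setup …
```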
http://git-wip-us.apache.org/repos/asf/syncope/blob/f15efd5b/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties b/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
index 2d7e918..f64d6b0 100644
--- a/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
+++ b/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
@@ -21,3 +21,4 @@ keystore.type=jks
keystore.storepass=changeit
keystore.keypass=changeit
sp.cert.alias=sp
+signature.algorithm=RSA_SHA1
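Review bot: The new default `signature.algorithm=RSA_SHA1` (here and in the fit copy at the same key) keeps the behaviour the code had before, but it silently standardises on a SHA-1 signature for SAML messages, and the properties file gives the operator no hint of what else is accepted. A comment above the line listing the intent would help, e.g. `# Name of a SignatureAlgorithm constant (RSA_SHA1 matches the previous default; RSA_SHA256 is preferable where the IdP supports it); unset falls back to a default chosen from the key type`. Since the value must match an enum constant exactly, the comment should also say that the name is case-sensitive.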
http://git-wip-us.apache.org/repos/asf/syncope/blob/f15efd5b/fit/core-reference/src/main/resources/all/saml2sp-logic.properties
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/main/resources/all/saml2sp-logic.properties b/fit/core-reference/src/main/resources/all/saml2sp-logic.properties
index 2d7e918..fc99f62 100644
--- a/fit/core-reference/src/main/resources/all/saml2sp-logic.properties
+++ b/fit/core-reference/src/main/resources/all/saml2sp-logic.properties
@@ -21,3 +21,4 @@ keystore.type=jks
keystore.storepass=changeit
keystore.keypass=changeit
sp.cert.alias=sp
+signature.algorithm=RSA_SHA1
\ No newline at end of file