Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/24 18:01:49 UTC
[1/5] cxf-fediz git commit: Updating certs
Repository: cxf-fediz
Updated Branches:
refs/heads/master 541d6297d -> c436aa7b0
Updating certs
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/5263f527
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/5263f527
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/5263f527
Branch: refs/heads/master
Commit: 5263f52769f8c651acfc405e625ace42a2bc6337
Parents: 541d629
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 24 14:28:40 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 24 14:28:40 2016 +0000
----------------------------------------------------------------------
.../fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java | 2 +-
systests/federation/oidc/src/test/resources/realmb.cert | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5263f527/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
index eef38ea..ea90193 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
@@ -155,7 +155,7 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
providers.add(new OAuthJSONProvider());
WebClient client =
- WebClient.create(address, providers, "consumer-id", "7c220ee6-77e2-43d3-b531-6ede8a581698", null);
+ WebClient.create(address, providers, "consumer-id", "90d5da25-e900-443f-a5d5-feb3bb060800", null);
ClientConfiguration config = WebClient.getConfig(client);
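Review bot: The rotated secret on the `+` line is still a string literal compiled into the IdP handler under services/idp/src/main, so every rotation lands in the production artifact and in git history, and the old value on the `-` line remains recoverable from the repository. The value should be read from the TrustedIdp configuration rather than the source; commit 9375d3e5 later in this series does exactly that, so this note concerns the interim state only. The enclosing method starts and ends outside the hunk.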
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5263f527/systests/federation/oidc/src/test/resources/realmb.cert
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/realmb.cert b/systests/federation/oidc/src/test/resources/realmb.cert
index de19105..9bba7ad 100644
--- a/systests/federation/oidc/src/test/resources/realmb.cert
+++ b/systests/federation/oidc/src/test/resources/realmb.cert
@@ -1,3 +1,3 @@
-----BEGIN CERTIFICATE-----
-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
-----END CERTIFICATE-----
[3/5] cxf-fediz git commit: Fixing test following CXF update
Posted by co...@apache.org.
Fixing test following CXF update
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/88afda31
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/88afda31
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/88afda31
Branch: refs/heads/master
Commit: 88afda3150cdddce632f362f5d33d68dad2f5cab
Parents: f545ba0
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 24 15:38:57 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 24 15:38:57 2016 +0000
----------------------------------------------------------------------
.../src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/88afda31/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
index bbfc1fa..0079ade 100644
--- a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
+++ b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
@@ -736,7 +736,7 @@ public class OIDCTest {
JwtToken jwt = jwtConsumer.getJwtToken();
// Validate claims
- Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
+ Assert.assertEquals("alice", jwt.getClaim("preferred_username"));
Assert.assertEquals("accounts.fediz.com", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
Assert.assertEquals(audience, jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
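Review bot: Replacing the `sub` assertion means the test no longer checks that the ID token carries a subject at all, even though `sub` is a required claim that the relying-party code later in this series insists on. Keep a presence check alongside the new username assertion, `Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_SUBJECT));`, and consider a named constant for `"preferred_username"` rather than the bare literal. The enclosing test method starts and ends outside the hunk.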
[4/5] cxf-fediz git commit: Make things in the OIDC protocol handler
properly configurable
Posted by co...@apache.org.
Make things in the OIDC protocol handler properly configurable
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9375d3e5
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9375d3e5
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9375d3e5
Branch: refs/heads/master
Commit: 9375d3e5465ff157b1cb8a463f34ee64e2bee78f
Parents: 88afda3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 24 15:57:58 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 24 15:57:58 2016 +0000
----------------------------------------------------------------------
.../TrustedIdpOIDCProtocolHandler.java | 152 +++++++++++++++----
.../oidc/src/test/resources/entities-realma.xml | 22 +--
2 files changed, 124 insertions(+), 50 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9375d3e5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
index 52e007e..1e1c199 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
@@ -30,6 +30,7 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
+import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
@@ -57,6 +58,7 @@ import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@@ -81,6 +83,32 @@ import org.springframework.webflow.execution.RequestContext;
@Component
public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler {
+ /**
+ * The client_id value to send to the OIDC IdP.
+ */
+ public static final String CLIENT_ID = "client.id";
+
+ /**
+ * The secret associated with the client to authenticate to the OIDC IdP.
+ */
+ public static final String CLIENT_SECRET = "client.secret";
+
+ /**
+ * The Token endpoint. The authorization endpoint is specified by TrustedIdp.url.
+ */
+ public static final String TOKEN_ENDPOINT = "token.endpoint";
+
+ /**
+ * The signature algorithm to use in verifying the IdToken. The default is "RS256".
+ */
+ public static final String SIGNATURE_ALGORITHM = "signature.algorithm";
+
+ /**
+ * The Claim in which to extract the Subject username to insert into the generated SAML token.
+ * It defaults to "preferred_username", otherwise it falls back to the "sub" claim.
+ */
+ public static final String SUBJECT_CLAIM = "subject.claim";
+
public static final String PROTOCOL = "openid-connect-1.0";
private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpOIDCProtocolHandler.class);
@@ -99,15 +127,21 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
@Override
public URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
+ String clientId = getProperty(trustedIdp, CLIENT_ID);
+ if (clientId == null || clientId.isEmpty()) {
+ LOG.warn("A CLIENT_ID must be configured to use the OIDCProtocolHandler");
+ throw new IllegalStateException("No CLIENT_ID specified");
+ }
+
try {
StringBuilder sb = new StringBuilder();
sb.append(trustedIdp.getUrl());
sb.append("?");
sb.append("response_type").append('=');
- sb.append("code"); //TODO
+ sb.append("code");
sb.append("&");
sb.append("client_id").append('=');
- sb.append("consumer-id"); //TODO
+ sb.append(clientId);
sb.append("&");
sb.append("redirect_uri").append('=');
sb.append(URLEncoder.encode(idp.getIdpUrl().toString(), "UTF-8"));
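Review bot: `sb.append(clientId)` on the new line inserts the configured client_id into the authorization URL without encoding, whereas redirect_uri two lines later goes through URLEncoder; a client_id containing `&`, `=`, `#` or a space would corrupt the query string or be misparsed by the IdP. Use `sb.append(URLEncoder.encode(clientId, "UTF-8"));` to match the existing treatment. The thrown message in the new guard could also name the property key `client.id` so an operator knows which parameter to set. mapSignInRequest continues outside the hunk.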
@@ -121,13 +155,6 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
sb.append(wctx);
}
- /*
- String wfresh = context.getFlowScope().getString(FederationConstants.PARAM_FRESHNESS);
- if (wfresh != null) {
- sb.append("&").append(FederationConstants.PARAM_FRESHNESS).append('=');
- sb.append(URLEncoder.encode(wfresh, "UTF-8"));
- }
- */
return new URL(sb.toString());
} catch (MalformedURLException ex) {
LOG.error("Invalid Redirect URL for Trusted Idp", ex);
@@ -143,27 +170,41 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
String code = (String) WebUtils.getAttributeFromFlowScope(context,
OAuthConstants.CODE_RESPONSE_TYPE);
- if (code != null) {
- // Here we need to get the IdToken using the authorization code
- String address = "http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token";
+ if (code != null && !code.isEmpty()) {
+
+ String tokenEndpoint = getProperty(trustedIdp, TOKEN_ENDPOINT);
+ if (tokenEndpoint == null || tokenEndpoint.isEmpty()) {
+ LOG.warn("A TOKEN_ENDPOINT must be configured to use the OIDCProtocolHandler");
+ throw new IllegalStateException("No TOKEN_ENDPOINT specified");
+ }
+
+ String clientId = getProperty(trustedIdp, CLIENT_ID);
+ String clientSecret = getProperty(trustedIdp, CLIENT_SECRET);
+ if (clientSecret == null || clientSecret.isEmpty()) {
+ LOG.warn("A CLIENT_SECRET must be configured to use the OIDCProtocolHandler");
+ throw new IllegalStateException("No CLIENT_SECRET specified");
+ }
+ // Here we need to get the IdToken using the authorization code
List<Object> providers = new ArrayList<Object>();
providers.add(new OAuthJSONProvider());
WebClient client =
- WebClient.create(address, providers, "consumer-id", "90d5da25-e900-443f-a5d5-feb3bb060800", null);
+ WebClient.create(tokenEndpoint, providers, clientId, clientSecret, null);
ClientConfiguration config = WebClient.getConfig(client);
- config.getOutInterceptors().add(new LoggingOutInterceptor());
- config.getInInterceptors().add(new LoggingInInterceptor());
+ if (LOG.isDebugEnabled()) {
+ config.getOutInterceptors().add(new LoggingOutInterceptor());
+ config.getInInterceptors().add(new LoggingInInterceptor());
+ }
client.type("application/x-www-form-urlencoded").accept("application/json");
Form form = new Form();
form.param("grant_type", "authorization_code");
form.param("code", code);
- form.param("client_id", "consumer-id");
+ form.param("client_id", clientId);
form.param("redirect_uri", idp.getIdpUrl().toString());
Response response = client.post(form);
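Review bot: `clientId` is read at `String clientId = getProperty(trustedIdp, CLIENT_ID);` but, unlike tokenEndpoint and clientSecret, is not checked before being passed to `WebClient.create` and `form.param("client_id", clientId)`, so a missing `client.id` surfaces as a failure inside the token request rather than as a configuration error. Guard it the same way: `if (clientId == null || clientId.isEmpty()) { throw new IllegalStateException("No CLIENT_ID specified"); }`. Note also that when debug logging is enabled the interceptors added here will record the token request and response, which carry the client credentials and the issued tokens, so a comment stating that this level must not be left on in production would be appropriate. The enclosing method starts and ends outside the hunk.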
@@ -192,23 +233,24 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
JwtToken jwt = jwtConsumer.getJwtToken();
- if (!jwtConsumer.verifySignatureWith(validatingCert, SignatureAlgorithm.RS256)) {
+ // Validate the Signature
+ String sigAlgo = getProperty(trustedIdp, SIGNATURE_ALGORITHM);
+ if (sigAlgo == null || sigAlgo.isEmpty()) {
+ sigAlgo = "RS256";
+ }
+ if (!jwtConsumer.verifySignatureWith(validatingCert, SignatureAlgorithm.getAlgorithm(sigAlgo))) {
LOG.warn("Signature does not validate");
return null;
}
- Date created = new Date();
- if (jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) != null) {
- created = new Date((long)jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) * 1000L);
- }
- if (jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
- LOG.warn("No expiry in the token");
- return null;
- }
+ // Make sure the received token is valid according to the spec
+ validateToken(jwt, clientId);
+
+ Date created = new Date((long)jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) * 1000L);
Date expires = new Date((long)jwt.getClaim(JwtConstants.CLAIM_EXPIRY) * 1000L);
// Convert into a SAML Token
- SamlAssertionWrapper assertion = createSamlAssertion(idp, jwt, created, expires);
+ SamlAssertionWrapper assertion = createSamlAssertion(idp, trustedIdp, jwt, created, expires);
Document doc = DOMUtils.createDocument();
Element token = assertion.toDOM(doc);
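Review bot: The signature algorithm is now taken verbatim from configuration via `SignatureAlgorithm.getAlgorithm(sigAlgo)` without restricting it to the asymmetric algorithms an X.509 certificate can verify, and the `alg` carried in the token's own JWS header is never compared with it. If the enum accepts values such as `none` or the HMAC variants (I cannot confirm from this hunk how `verifySignatureWith` treats them), a misconfigured `signature.algorithm` could weaken verification; rejecting anything other than an RSA/EC algorithm here, and failing when the token header reports a different `alg`, would make the check explicit. A comment on the `"RS256"` default noting it is the OIDC Core default would also help a reader. The enclosing method starts and ends outside the hunk.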
@@ -234,6 +276,33 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
return null;
}
+ protected void validateToken(JwtToken jwt, String clientId) {
+ // We must have the following claims
+ if (jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null
+ || jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null
+ || jwt.getClaim(JwtConstants.CLAIM_AUDIENCE) == null
+ || jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null
+ || jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) == null) {
+ LOG.warn("The IdToken is missing a required claim");
+ throw new IllegalStateException("The IdToken is missing a required claim");
+ }
+
+ // The audience must match the client_id of this client
+ boolean match = false;
+ for (String audience : jwt.getClaims().getAudiences()) {
+ if (clientId.equals(audience)) {
+ match = true;
+ break;
+ }
+ }
+ if (!match) {
+ LOG.warn("The audience of the token does not match this client");
+ throw new IllegalStateException("The audience of the token does not match this client");
+ }
+
+ JwtUtils.validateTokenClaims(jwt.getClaims(), 300, 0, false);
+ }
+
private Crypto getCrypto(String certificate) throws ProcessingException {
if (certificate == null) {
return null;
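Review bot: validateToken checks that `iss` is present but never compares it with the issuer expected for this trusted IdP, so any token signed with the configured certificate is accepted regardless of issuer; the issuer should be compared against a configured or derived expected value and a mismatch rejected in the same way as the audience check. The call `JwtUtils.validateTokenClaims(jwt.getClaims(), 300, 0, false)` carries three unexplained literals; name the skew, e.g. `private static final int CLOCK_SKEW_SECONDS = 300;`, and document above the call what the `0` and `false` arguments disable. In the visible parts of this series I do not see a `nonce` being sent in mapSignInRequest or checked here, which deserves at least a TODO comment if replay protection is intended.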
@@ -292,16 +361,29 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
}
}
- private SamlAssertionWrapper createSamlAssertion(Idp idp, JwtToken token,
+ protected SamlAssertionWrapper createSamlAssertion(Idp idp, TrustedIdp trustedIdp, JwtToken token,
Date created,
Date expires) throws Exception {
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
- callbackHandler.setIssuer(idp.getServiceDisplayName());
+ String issuer = idp.getServiceDisplayName();
+ if (issuer == null) {
+ issuer = idp.getRealm();
+ }
+ if (issuer != null) {
+ callbackHandler.setIssuer(issuer);
+ }
// Subject
- // TODO
+ String subjectName = getProperty(trustedIdp, SUBJECT_CLAIM);
+ if (subjectName == null || token.getClaim(subjectName) == null) {
+ subjectName = "preferred_username";
+ if (subjectName == null || token.getClaim(subjectName) == null) {
+ subjectName = JwtConstants.CLAIM_SUBJECT;
+ }
+ }
+
SubjectBean subjectBean =
- new SubjectBean((String)token.getClaim("preferred_username"),
+ new SubjectBean((String)token.getClaim(subjectName),
SAML2Constants.NAMEID_FORMAT_UNSPECIFIED,
SAML2Constants.CONF_BEARER);
callbackHandler.setSubjectBean(subjectBean);
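Review bot: The inner check `if (subjectName == null || token.getClaim(subjectName) == null)` immediately after `subjectName = "preferred_username";` can never see a null `subjectName`, so only the claim lookup matters; simplify to `if (token.getClaim("preferred_username") == null) { subjectName = JwtConstants.CLAIM_SUBJECT; }`. More importantly, an explicitly configured `subject.claim` that is absent from the token silently falls back to `preferred_username` and then `sub`, which changes which identity ends up in the SAML subject without any log line; logging the fallback at WARN, or treating a missing configured claim as an error, would make that visible. createSamlAssertion continues outside the hunk.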
@@ -329,6 +411,16 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
return assertion;
}
+ private String getProperty(TrustedIdp trustedIdp, String property) {
+ Map<String, String> parameters = trustedIdp.getParameters();
+
+ if (parameters != null && parameters.containsKey(property)) {
+ return parameters.get(property);
+ }
+
+ return null;
+ }
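Review bot: `containsKey` followed by `get` performs two lookups and yields the same result as a single `get` for a key mapped to null, so the body can be `return parameters == null ? null : parameters.get(property);`. A one-line Javadoc stating that it returns null when the TrustedIdp has no parameters or the key is absent would document the contract the callers in this file rely on.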
+
private static class SamlCallbackHandler implements CallbackHandler {
private ConditionsBean conditionsBean;
private SubjectBean subjectBean;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9375d3e5/systests/federation/oidc/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/entities-realma.xml b/systests/federation/oidc/src/test/resources/entities-realma.xml
index ab17601..54a2855 100644
--- a/systests/federation/oidc/src/test/resources/entities-realma.xml
+++ b/systests/federation/oidc/src/test/resources/entities-realma.xml
@@ -73,7 +73,6 @@
<property name="trustedIdps">
<util:list>
<ref bean="trusted-idp-realmB" />
- <ref bean="trusted-idp-realmC" />
</util:list>
</property>
<property name="claimTypesOffered">
@@ -100,25 +99,8 @@
<property name="description" value="Realm B description" />
<property name="parameters">
<util:map>
- </util:map>
- </property>
- </bean>
-
- <bean id="trusted-idp-realmC"
- class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
- <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-C" />
- <property name="cacheTokens" value="true" />
- <property name="url" value="https://localhost:${idp.samlsso.https.port}/idp/samlsso" />
- <property name="certificate" value="realmb.cert" />
- <property name="trustType" value="PEER_TRUST" />
- <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
- <property name="federationType" value="FEDERATE_IDENTITY" />
- <property name="name" value="Realm C" />
- <property name="description" value="SAML Web Profile - Response POST Binding" />
- <property name="parameters">
- <util:map>
- <entry key="sign.request" value="true" />
- <entry key="support.deflate.encoding" value="true" />
+ <entry key="client.id" value="consumer-id"/>
+ <entry key="token.endpoint" value="http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token"/>
</util:map>
</property>
</bean>
[5/5] cxf-fediz git commit: Minor changes
Posted by co...@apache.org.
Minor changes
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/c436aa7b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/c436aa7b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/c436aa7b
Branch: refs/heads/master
Commit: c436aa7b0a9e853124e692488018b32267466841
Parents: 9375d3e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 24 17:01:35 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 24 17:01:35 2016 +0000
----------------------------------------------------------------------
.../main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java | 4 ++--
systests/federation/oidc/src/test/resources/entities-realma.xml | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c436aa7b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
index f19cac8..d382184 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
@@ -210,7 +210,7 @@ public class Idp implements Serializable {
public Application findApplication(String realmApplication) {
for (Application item : applications) {
- if (realmApplication.equals(item.getRealm())) {
+ if (item.getRealm().equals(realmApplication)) {
return item;
}
}
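Review bot: Reversing the comparison to `item.getRealm().equals(realmApplication)` moves the NullPointerException from a null argument to any stored Application whose realm is null, which is the less predictable of the two. `Objects.equals(item.getRealm(), realmApplication)` (java.util.Objects) avoids both, or keep the argument-first form with an explicit `Objects.requireNonNull(realmApplication, "realmApplication")` if null lookups should be rejected. The same change appears in findTrustedIdp in the next hunk. findApplication's return after the loop is outside the hunk.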
@@ -229,7 +229,7 @@ public class Idp implements Serializable {
public TrustedIdp findTrustedIdp(String realmTrustedIdp) {
for (TrustedIdp item : trustedIdpList) {
- if (realmTrustedIdp.equals(item.getRealm())) {
+ if (item.getRealm().equals(realmTrustedIdp)) {
return item;
}
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c436aa7b/systests/federation/oidc/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/entities-realma.xml b/systests/federation/oidc/src/test/resources/entities-realma.xml
index 54a2855..43c36ef 100644
--- a/systests/federation/oidc/src/test/resources/entities-realma.xml
+++ b/systests/federation/oidc/src/test/resources/entities-realma.xml
@@ -100,6 +100,7 @@
<property name="parameters">
<util:map>
<entry key="client.id" value="consumer-id"/>
+ <entry key="client.secret" value="90d5da25-e900-443f-a5d5-feb3bb060800"/>
<entry key="token.endpoint" value="http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token"/>
</util:map>
</property>
[2/5] cxf-fediz git commit: Consolidating Crypto/Certificate loading
in the IdP
Posted by co...@apache.org.
Consolidating Crypto/Certificate loading in the IdP
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f545ba0c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f545ba0c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f545ba0c
Branch: refs/heads/master
Commit: f545ba0c03ca60907ca78942d31ff9afbc00d0d5
Parents: 5263f52
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Feb 24 15:17:05 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Feb 24 15:17:05 2016 +0000
----------------------------------------------------------------------
.../cxf/fediz/core/config/FedizContext.java | 4 +
.../apache/cxf/fediz/core/util/CertsUtils.java | 30 ++++-
.../TrustedIdpOIDCProtocolHandler.java | 131 +++++++------------
.../TrustedIdpSAMLProtocolHandler.java | 48 +++----
.../TrustedIdpWSFedProtocolHandler.java | 23 +---
5 files changed, 104 insertions(+), 132 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f545ba0c/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
index f94ac4a..bb352f8 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
@@ -23,6 +23,7 @@ import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
+import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
@@ -120,6 +121,9 @@ public class FedizContext implements Closeable {
} catch (WSSecurityException e) {
LOG.error("Failed to load keystore '" + tm.getName() + "'", e);
throw new IllegalConfigurationException("Failed to load keystore '" + tm.getName() + "'");
+ } catch (CertificateException ex) {
+ LOG.error("Failed to read keystore", ex);
+ throw new RuntimeException("Failed to read keystore");
}
}
return certificateStores;
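Review bot: The new `catch (CertificateException ex)` throws `new RuntimeException("Failed to read keystore")` without the cause, so the exception reaching the caller loses where parsing failed, and it is a bare RuntimeException where the sibling branch two lines above throws IllegalConfigurationException. Prefer `throw new IllegalConfigurationException("Failed to load keystore '" + tm.getName() + "'", ex);` if that type accepts a cause, otherwise at least pass `ex` as the second argument to RuntimeException. The enclosing method starts and ends outside the hunk.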
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f545ba0c/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java
index 0737ea1..038de09 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/CertsUtils.java
@@ -20,9 +20,11 @@
package org.apache.cxf.fediz.core.util;
import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
@@ -32,6 +34,8 @@ import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.xml.security.exceptions.Base64DecodingException;
+import org.apache.xml.security.utils.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -43,12 +47,17 @@ public final class CertsUtils {
super();
}
- public static X509Certificate getX509Certificate(String filename) {
+ public static X509Certificate getX509Certificate(String filename) throws CertificateException {
return getX509Certificate(filename,
Thread.currentThread().getContextClassLoader());
}
- public static X509Certificate getX509Certificate(String filename, ClassLoader classLoader) {
+ public static X509Certificate getX509Certificate(String filename, ClassLoader classLoader)
+ throws CertificateException {
+ if (filename == null) {
+ return null;
+ }
+
ClassLoader cl = classLoader;
if (cl == null) {
cl = Thread.currentThread().getContextClassLoader();
@@ -74,9 +83,12 @@ public final class CertsUtils {
LOG.error("No bytes can be read in certificate file " + filename);
throw new RuntimeException("No bytes can be read in certificate file " + filename);
}
- } catch (Exception ex) {
+ } catch (WSSecurityException ex) {
LOG.error("Failed to read certificate file " + filename, ex);
throw new RuntimeException("Failed to read certificate file " + filename, ex);
+ } catch (IOException ex) {
+ LOG.error("Failed to read keystore", ex);
+ throw new RuntimeException("Failed to read keystore");
}
}
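Review bot: The new `catch (IOException ex)` drops the cause in `throw new RuntimeException("Failed to read keystore")` and its message says keystore although the method reads the certificate file `filename`; the WSSecurityException branch just above keeps both. Use `throw new RuntimeException("Failed to read certificate file " + filename, ex);`. Narrowing the previous `catch (Exception ex)` also lets CertificateException propagate as a checked exception, which matches the new `throws` clause but changes what callers see; that is worth a `@throws` line in the Javadoc. The enclosing method starts outside the hunk.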
@@ -113,4 +125,16 @@ public final class CertsUtils {
}
return issuerCerts[0];
}
+
+ public static X509Certificate parseCertificate(String certificate)
+ throws CertificateException, Base64DecodingException, IOException {
+
+ //before decoding we need to get rod off the prefix and suffix
+ byte[] decoded = Base64.decode(certificate.replaceAll("-----BEGIN CERTIFICATE-----", "").
+ replaceAll("-----END CERTIFICATE-----", ""));
+
+ try (InputStream is = new ByteArrayInputStream(decoded)) {
+ return (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(is);
+ }
+ }
}
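Review bot: parseCertificate has no Javadoc and its only comment, `//before decoding we need to get rod off the prefix and suffix`, is garbled; replace it with `// Strip the PEM armour lines before Base64-decoding the DER body` and add a Javadoc stating that it accepts a single PEM-encoded certificate and throws CertificateException when the decoded bytes are not a valid X.509 certificate. Unlike the getX509Certificate overload above it, a null `certificate` reaches `certificate.replaceAll` and throws NullPointerException; `if (certificate == null) { return null; }` would keep the two consistent.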
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f545ba0c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
index ea90193..52e007e 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
@@ -19,17 +19,15 @@
package org.apache.cxf.fediz.service.idp.protocols;
-import java.io.ByteArrayInputStream;
import java.io.IOException;
-import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.Date;
import java.util.List;
@@ -65,7 +63,6 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.crypto.CertificateStore;
import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
@@ -75,7 +72,6 @@ import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.xml.security.exceptions.Base64DecodingException;
-import org.apache.xml.security.utils.Base64;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -179,7 +175,7 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
}
try {
- X509Certificate validatingCert = getCertificate(trustedIdp);
+ X509Certificate validatingCert = getCertificate(trustedIdp.getCertificate());
if (validatingCert == null) {
LOG.warn("No X.509 Certificate configured for signature validation");
return null;
@@ -238,53 +234,61 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
return null;
}
-
- private X509Certificate getCertificate(TrustedIdp trustedIdp)
- throws CertificateException, Base64DecodingException, IOException {
- String certificate = trustedIdp.getCertificate();
- if (certificate != null) {
- boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");
- if (isCertificateLocation) {
- InputStream is = null;
- try {
- is = Merlin.loadInputStream(Thread.currentThread().getContextClassLoader(), certificate);
-
- CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
- return (X509Certificate) certFactory.generateCertificate(is);
- } catch (WSSecurityException ex) {
- LOG.error("Failed to load keystore " + certificate, ex);
- throw new RuntimeException("Failed to load keystore " + certificate);
- } catch (IOException ex) {
- LOG.error("Failed to read keystore", ex);
- throw new RuntimeException("Failed to read keystore");
- } catch (CertificateException ex) {
- // This is ok as it could be a WSS4J properties file
- } finally {
- if (is != null) {
- try {
- is.close();
- } catch (IOException e) {
- // Do nothing
- }
- }
+ private Crypto getCrypto(String certificate) throws ProcessingException {
+ if (certificate == null) {
+ return null;
+ }
+
+ boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");
+ if (isCertificateLocation) {
+ try {
+ X509Certificate cert = CertsUtils.getX509Certificate(certificate);
+ if (cert == null) {
+ return null;
}
- } else {
- return parseCertificate(certificate);
+ return new CertificateStore(new X509Certificate[]{cert});
+ } catch (CertificateException ex) {
+ // Maybe it's a WSS4J properties file...
+ return CertsUtils.createCrypto(certificate);
}
}
- return null;
+ // Here the certificate is encoded in the configuration file
+ X509Certificate cert;
+ try {
+ cert = CertsUtils.parseCertificate(certificate);
+ } catch (Exception ex) {
+ LOG.error("Failed to parse trusted certificate", ex);
+ throw new ProcessingException("Failed to parse trusted certificate");
+ }
+ return new CertificateStore(Collections.singletonList(cert).toArray(new X509Certificate[0]));
}
- private X509Certificate parseCertificate(String certificate)
- throws CertificateException, Base64DecodingException, IOException {
+ private X509Certificate getCertificate(String certificate)
+ throws CertificateException, WSSecurityException, ProcessingException, Base64DecodingException, IOException {
+ if (certificate == null) {
+ return null;
+ }
- //before decoding we need to get rod off the prefix and suffix
- byte [] decoded = Base64.decode(certificate.replaceAll("-----BEGIN CERTIFICATE-----", "").
- replaceAll("-----END CERTIFICATE-----", ""));
-
- try (InputStream is = new ByteArrayInputStream(decoded)) {
- return (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(is);
+ boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");
+ if (isCertificateLocation) {
+ try {
+ return CertsUtils.getX509Certificate(certificate);
+ } catch (CertificateException ex) {
+ // Maybe it's a WSS4J properties file...
+ Crypto crypto = CertsUtils.createCrypto(certificate);
+ if (crypto != null) {
+ return CertsUtils.getX509Certificate(crypto, null);
+ }
+ }
+ }
+
+ // Here the certificate is encoded in the configuration file
+ try {
+ return CertsUtils.parseCertificate(certificate);
+ } catch (Exception ex) {
+ LOG.error("Failed to parse trusted certificate", ex);
+ throw new ProcessingException("Failed to parse trusted certificate");
}
}
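Review bot: In getCertificate, when `certificate` is a file location that fails with CertificateException and `CertsUtils.createCrypto(certificate)` returns null, control falls through to the PEM branch and tries to parse the file name itself, so the operator sees "Failed to parse trusted certificate" instead of a message saying the file could not be loaded; return null, or throw with the file name, at the end of the location branch instead. getCrypto does not share that problem since every path in its location branch returns, but `new CertificateStore(Collections.singletonList(cert).toArray(new X509Certificate[0]))` is a roundabout form of `new CertificateStore(new X509Certificate[]{cert})` used a few lines above it. The `throws` clause of getCertificate lists five exception types; from the visible code only CertificateException, WSSecurityException and ProcessingException appear reachable (hedged, as the called helpers are not fully in view), so the others and their imports can probably be dropped.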
@@ -325,41 +329,6 @@ public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler
return assertion;
}
- private Crypto getCrypto(String certificate) throws ProcessingException {
- if (certificate == null) {
- return null;
- }
-
- // First see if it's a certificate file
- InputStream is = null;
- try {
- is = Merlin.loadInputStream(Thread.currentThread().getContextClassLoader(), certificate);
-
- CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
- X509Certificate cert = (X509Certificate) certFactory.generateCertificate(is);
- return new CertificateStore(new X509Certificate[]{cert});
- } catch (WSSecurityException ex) {
- LOG.error("Failed to load keystore " + certificate, ex);
- throw new RuntimeException("Failed to load keystore " + certificate);
- } catch (IOException ex) {
- LOG.error("Failed to read keystore", ex);
- throw new RuntimeException("Failed to read keystore");
- } catch (CertificateException ex) {
- // This is ok as it could be a WSS4J properties file
- } finally {
- if (is != null) {
- try {
- is.close();
- } catch (IOException e) {
- // Do nothing
- }
- }
- }
-
- // Maybe it's a WSS4J properties file...
- return CertsUtils.createCrypto(certificate);
- }
-
private static class SamlCallbackHandler implements CallbackHandler {
private ConditionsBean conditionsBean;
private SubjectBean subjectBean;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f545ba0c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index adc85d1..f128467 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -30,8 +30,8 @@ import java.net.URLEncoder;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.util.Collections;
import java.util.Map;
import java.util.zip.DataFormatException;
@@ -67,7 +67,6 @@ import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.crypto.CertificateStore;
import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.util.DOM2Writer;
@@ -308,34 +307,29 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
return null;
}
- // First see if it's a certificate file
- InputStream is = null;
- try {
- is = Merlin.loadInputStream(Thread.currentThread().getContextClassLoader(), certificate);
-
- CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
- X509Certificate cert = (X509Certificate) certFactory.generateCertificate(is);
- return new CertificateStore(new X509Certificate[]{cert});
- } catch (WSSecurityException ex) {
- LOG.error("Failed to load keystore " + certificate, ex);
- throw new RuntimeException("Failed to load keystore " + certificate);
- } catch (IOException ex) {
- LOG.error("Failed to read keystore", ex);
- throw new RuntimeException("Failed to read keystore");
- } catch (CertificateException ex) {
- // This is ok as it could be a WSS4J properties file
- } finally {
- if (is != null) {
- try {
- is.close();
- } catch (IOException e) {
- // Do nothing
+ boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");
+ if (isCertificateLocation) {
+ try {
+ X509Certificate cert = CertsUtils.getX509Certificate(certificate);
+ if (cert == null) {
+ return null;
}
+ return new CertificateStore(new X509Certificate[]{cert});
+ } catch (CertificateException ex) {
+ // Maybe it's a WSS4J properties file...
+ return CertsUtils.createCrypto(certificate);
}
- }
+ }
- // Maybe it's a WSS4J properties file...
- return CertsUtils.createCrypto(certificate);
+ // Here the certificate is encoded in the configuration file
+ X509Certificate cert;
+ try {
+ cert = CertsUtils.parseCertificate(certificate);
+ } catch (Exception ex) {
+ LOG.error("Failed to parse trusted certificate", ex);
+ throw new ProcessingException("Failed to parse trusted certificate");
+ }
+ return new CertificateStore(Collections.singletonList(cert).toArray(new X509Certificate[0]));
}
private org.opensaml.saml.saml2.core.Response readSAMLResponse(String samlResponse, TrustedIdp trustedIdp) {
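Review bot: The inline-PEM detection `boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");` is an exact-prefix test, so a trusted-IdP certificate pasted into the configuration with a leading newline or indentation is classified as a location, handed to `CertsUtils.getX509Certificate` and then `CertsUtils.createCrypto` (presumably as a path), and any failure surfaces as a file/keystore problem instead of a certificate parse error; `certificate.trim().startsWith("-----BEGIN CERTIFICATE")` keeps whitespace-padded PEM on the inline path, which matters because this value is the trust anchor for validating the IdP's responses. Separately, `return new CertificateStore(Collections.singletonList(cert).toArray(new X509Certificate[0]));` is a roundabout spelling of `new CertificateStore(new X509Certificate[]{cert})`, the form the same method already uses a few lines above, and the identical construction appears in the OIDC handler's getCrypto in this commit. The `throw new ProcessingException("Failed to parse trusted certificate");` also drops `ex` as the cause after logging it; if ProcessingException offers a (String, Throwable) constructor, passing it along preserves the stack for callers. The enclosing method's signature begins above this hunk.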
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f545ba0c/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
index 4ac9605..946ab61 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
@@ -19,15 +19,10 @@
package org.apache.cxf.fediz.service.idp.protocols;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
@@ -51,15 +46,14 @@ import org.apache.cxf.fediz.core.processor.FederationProcessorImpl;
import org.apache.cxf.fediz.core.processor.FedizProcessor;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.core.processor.FedizResponse;
+import org.apache.cxf.fediz.core.util.CertsUtils;
import org.apache.cxf.fediz.service.idp.domain.Idp;
import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
import org.apache.cxf.fediz.service.idp.spi.TrustedIdpProtocolHandler;
import org.apache.cxf.fediz.service.idp.util.WebUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.crypto.CertificateStore;
-import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.utils.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
@@ -222,7 +216,7 @@ public class TrustedIdpWSFedProtocolHandler implements TrustedIdpProtocolHandler
X509Certificate cert;
try {
- cert = parseCertificate(trustedIdpConfig.getCertificate());
+ cert = CertsUtils.parseCertificate(trustedIdpConfig.getCertificate());
} catch (Exception ex) {
LOG.error("Failed to parse trusted certificate", ex);
throw new ProcessingException("Failed to parse trusted certificate");
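Review bot: `cert = CertsUtils.parseCertificate(trustedIdpConfig.getCertificate());` passes the configured value straight to the PEM parser, whereas the SAML and OIDC handlers in this same commit first test for the `-----BEGIN CERTIFICATE` prefix and otherwise treat the value as a certificate file or WSS4J properties file; a WS-Fed trusted IdP whose certificate is configured as a file location would therefore fail here with "Failed to parse trusted certificate" rather than being loaded. If that difference is intentional it deserves a comment on this line, e.g. `// WS-Fed trusted IdPs accept only an inline PEM certificate here`; otherwise the same location check should be applied before this call. The enclosing method starts above this hunk.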
@@ -237,17 +231,4 @@ public class TrustedIdpWSFedProtocolHandler implements TrustedIdpProtocolHandler
return fedContext;
}
- private X509Certificate parseCertificate(String certificate)
- throws CertificateException, Base64DecodingException, IOException {
-
- //before decoding we need to get rod off the prefix and suffix
- byte [] decoded = Base64.decode(certificate.replaceAll("-----BEGIN CERTIFICATE-----", "").
- replaceAll("-----END CERTIFICATE-----", ""));
-
- try (InputStream is = new ByteArrayInputStream(decoded)) {
- return (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(is);
- }
- }
-
-
}