Author: anil.saldhana(a)jboss.com
Date: 2011-09-19 12:19:19 -0400 (Mon, 19 Sep 2011)
New Revision: 1228
Modified:
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
Log:
PLFED-232: opportunities to not include keyinfo in signed document
Modified:
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
===================================================================
---
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java 2011-09-18
07:21:45 UTC (rev 1227)
+++
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java 2011-09-19
16:19:19 UTC (rev 1228)
@@ -25,7 +25,7 @@
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PublicKey;
-
+
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignatureMethod;
@@ -40,7 +40,7 @@
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
-import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
+import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.w3c.dom.Document;
@@ -55,9 +55,9 @@
public class SAML2Signature
{
private String signatureMethod = SignatureMethod.RSA_SHA1;
- private String digestMethod = DigestMethod.SHA1;
-
+ private String digestMethod = DigestMethod.SHA1;
+
public String getSignatureMethod()
{
return signatureMethod;
@@ -77,8 +77,22 @@
{
this.digestMethod = digestMethod;
}
-
+
/**
+ * Set to false, if you do not want to include keyinfo
+ * in the signature
+ * @param val
+ * @since v2.0.1
+ */
+ public void setSignatureIncludeKeyInfo(boolean val)
+ {
+ if (!val)
+ {
+ XMLSignatureUtil.setIncludeKeyInfoInSignature(false);
+ }
+ }
+
+ /**
* Sign an RequestType at the root
* @param request
* @param keypair Key Pair
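Review bot: setSignatureIncludeKeyInfo ignores `val == true`, so once any caller has passed false the KeyInfo cannot be switched back on through this API, and because the setter writes the static flag in XMLSignatureUtil the choice silently applies to every SAML2Signature instance in the JVM, not just this one. Forward the value unconditionally, `XMLSignatureUtil.setIncludeKeyInfoInSignature(val);`, and say so in the Javadoc: `Set to false to omit the KeyInfo element from generated signatures; this toggles a JVM-wide setting in XMLSignatureUtil that is shared by all instances`. Relying parties presumably then need the verification key from somewhere other than the signed document, which is worth stating in the same comment.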
@@ -92,20 +106,18 @@
* @throws MarshalException
* @throws GeneralSecurityException
*/
- public Document sign(RequestAbstractType request, KeyPair keypair) throws
SAXException, IOException, ParserConfigurationException, GeneralSecurityException,
MarshalException, XMLSignatureException
+ public Document sign(RequestAbstractType request, KeyPair keypair) throws
SAXException, IOException,
+ ParserConfigurationException, GeneralSecurityException, MarshalException,
XMLSignatureException
{
SAML2Request saml2Request = new SAML2Request();
Document doc = saml2Request.convert(request);
doc.normalize();
-
+
String referenceURI = "#" + request.getID();
-
- return XMLSignatureUtil.sign(doc,
- keypair,
- digestMethod, signatureMethod,
- referenceURI);
+
+ return XMLSignatureUtil.sign(doc, keypair, digestMethod, signatureMethod,
referenceURI);
}
-
+
/**
* Sign an ResponseType at the root
* @param response
@@ -118,15 +130,16 @@
* @throws MarshalException
* @throws GeneralSecurityException
*/
- public Document sign(ResponseType response,KeyPair keypair) throws
ParserConfigurationException, GeneralSecurityException, MarshalException,
XMLSignatureException
+ public Document sign(ResponseType response, KeyPair keypair) throws
ParserConfigurationException,
+ GeneralSecurityException, MarshalException, XMLSignatureException
{
SAML2Response saml2Request = new SAML2Response();
Document doc = saml2Request.convert(response);
doc.normalize();
-
- return sign(doc, response.getID(), keypair);
+
+ return sign(doc, response.getID(), keypair);
}
-
+
/**
* Sign an Document at the root
* @param response
@@ -139,19 +152,14 @@
* @throws MarshalException
* @throws GeneralSecurityException
*/
- public Document sign(Document doc,
- String referenceID,
- KeyPair keypair) throws
- ParserConfigurationException, GeneralSecurityException, MarshalException,
XMLSignatureException
- {
+ public Document sign(Document doc, String referenceID, KeyPair keypair) throws
ParserConfigurationException,
+ GeneralSecurityException, MarshalException, XMLSignatureException
+ {
String referenceURI = "#" + referenceID;
-
- return XMLSignatureUtil.sign(doc,
- keypair,
- digestMethod, signatureMethod,
- referenceURI);
+
+ return XMLSignatureUtil.sign(doc, keypair, digestMethod, signatureMethod,
referenceURI);
}
-
+
/**
* Sign an assertion whose id value is provided in the response type
* @param response
@@ -167,17 +175,16 @@
* @throws MarshalException
* @throws GeneralSecurityException
*/
- public Document sign(ResponseType response,
- String idValueOfAssertion,
- KeyPair keypair,
- String referenceURI) throws ParserConfigurationException, XPathException,
TransformerFactoryConfigurationError, TransformerException, GeneralSecurityException,
MarshalException, XMLSignatureException
+ public Document sign(ResponseType response, String idValueOfAssertion, KeyPair
keypair, String referenceURI)
+ throws ParserConfigurationException, XPathException,
TransformerFactoryConfigurationError,
+ TransformerException, GeneralSecurityException, MarshalException,
XMLSignatureException
{
SAML2Response saml2Response = new SAML2Response();
Document doc = saml2Response.convert(response);
-
- return sign(doc,idValueOfAssertion, keypair, referenceURI);
+
+ return sign(doc, idValueOfAssertion, keypair, referenceURI);
}
-
+
/**
* Sign a document
* @param doc
@@ -193,24 +200,17 @@
* @throws MarshalException
* @throws XMLSignatureException
*/
- public Document sign(Document doc,
- String idValueOfAssertion,
- KeyPair keypair,
- String referenceURI) throws ParserConfigurationException, XPathException,
TransformerFactoryConfigurationError, TransformerException, GeneralSecurityException,
MarshalException, XMLSignatureException
+ public Document sign(Document doc, String idValueOfAssertion, KeyPair keypair, String
referenceURI)
+ throws ParserConfigurationException, XPathException,
TransformerFactoryConfigurationError,
+ TransformerException, GeneralSecurityException, MarshalException,
XMLSignatureException
{
- Node assertionNode = DocumentUtil.getNodeWithAttribute(doc,
- JBossSAMLURIConstants.ASSERTION_NSURI.get(),
- "Assertion",
- "ID",
- idValueOfAssertion);
-
- return XMLSignatureUtil.sign(doc, assertionNode,
- keypair,
- digestMethod, signatureMethod,
- referenceURI);
+ Node assertionNode = DocumentUtil.getNodeWithAttribute(doc,
JBossSAMLURIConstants.ASSERTION_NSURI.get(),
+ "Assertion", "ID", idValueOfAssertion);
+
+ return XMLSignatureUtil.sign(doc, assertionNode, keypair, digestMethod,
signatureMethod, referenceURI);
}
-
+
/**
* Sign a SAML Document
* @param samlDocument
@@ -228,9 +228,9 @@
catch (Exception e)
{
throw new ProcessingException(e);
- }
+ }
}
-
+
/**
* Validate the SAML2 Document
* @param signedDocument
@@ -242,13 +242,13 @@
{
try
{
- return XMLSignatureUtil.validate(signedDocument, publicKey);
+ return XMLSignatureUtil.validate(signedDocument, publicKey);
}
- catch(MarshalException me)
+ catch (MarshalException me)
{
throw new ProcessingException(me.getLocalizedMessage());
}
- catch(XMLSignatureException xse)
+ catch (XMLSignatureException xse)
{
throw new ProcessingException(xse.getLocalizedMessage());
}
Modified:
federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java
===================================================================
---
federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java 2011-09-18
07:21:45 UTC (rev 1227)
+++
federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java 2011-09-19
16:19:19 UTC (rev 1228)
@@ -80,12 +80,48 @@
ss.setSignatureMethod(SignatureMethod.DSA_SHA1);
Document signedDoc = ss.sign(authnRequest, kp);
+ System.out.println("Signed Doc:" + DocumentUtil.asString(signedDoc));
+
// Validate the signature
boolean isValid = XMLSignatureUtil.validate(signedDoc, kp.getPublic());
assertTrue(isValid);
}
/**
+ * Test the creation of AuthnRequestType with signature creation with a private key
and then validate the signature
+ * with a public key. We test that the signature does not contain the keyinfo
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testNoKeyInfo() throws Exception
+ {
+ SAML2Request saml2Request = new SAML2Request();
+ String id = IDGenerator.create("ID_");
+ String assertionConsumerURL = "http://sp";
+ String destination = "http://idp";
+ String issuerValue = "http://sp";
+ AuthnRequestType authnRequest = saml2Request.createAuthnRequestType(id,
assertionConsumerURL, destination,
+ issuerValue);
+
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
+ KeyPair kp = kpg.genKeyPair();
+
+ SAML2Signature ss = new SAML2Signature();
+ ss.setSignatureIncludeKeyInfo(false);
+
+ ss.setSignatureMethod(SignatureMethod.DSA_SHA1);
+ Document signedDoc = ss.sign(authnRequest, kp);
+
+ System.out.println("Signed Doc:" + DocumentUtil.asString(signedDoc));
+
+ // Validate the signature
+ boolean isValid = XMLSignatureUtil.validate(signedDoc, kp.getPublic());
+ assertTrue(isValid);
+ XMLSignatureUtil.setIncludeKeyInfoInSignature(true);
+ }
+
+ /**
* Test the signature for ResponseType
*
* @throws Exception
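Review bot: testNoKeyInfo never checks the property named in its Javadoc: it only asserts that the signature validates, so the test would still pass if KeyInfo were emitted, and the `XMLSignatureUtil.setIncludeKeyInfoInSignature(true)` reset at the end is skipped whenever sign() or an assertion fails, leaving the JVM-wide flag off for every test that runs afterwards. Assert on the absence of the KeyInfo element and put the reset in a finally block, as below. The two `System.out.println("Signed Doc:" ...)` lines, including the one added to the existing test, are debug output that should be dropped or routed through the test logger before commit.
```java
SAML2Signature ss = new SAML2Signature();
ss.setSignatureIncludeKeyInfo(false);
try
{
   ss.setSignatureMethod(SignatureMethod.DSA_SHA1);
   Document signedDoc = ss.sign(authnRequest, kp);
   // the signature must validate with the separately supplied public key and carry no KeyInfo
   assertTrue(XMLSignatureUtil.validate(signedDoc, kp.getPublic()));
   assertTrue(signedDoc.getElementsByTagNameNS(javax.xml.crypto.dsig.XMLSignature.XMLNS, "KeyInfo").getLength() == 0);
}
finally
{
   // restore the JVM-wide default so later tests are not affected by this one
   XMLSignatureUtil.setIncludeKeyInfoInSignature(true);
}
```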
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java 2011-09-18
07:21:45 UTC (rev 1227)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java 2011-09-19
16:19:19 UTC (rev 1228)
@@ -84,6 +84,11 @@
private static XMLSignatureFactory fac = getXMLSignatureFactory();
+ /**
+ * By default, we include the keyinfo in the signature
+ */
+ private static boolean includeKeyInfoInSignature = true;
+
private static XMLSignatureFactory getXMLSignatureFactory()
{
XMLSignatureFactory xsf = null;
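Review bot: includeKeyInfoInSignature is a plain static boolean that the new public setIncludeKeyInfoInSignature rewrites at runtime, so the Java memory model gives no guarantee that a thread calling sign() observes a change made from another thread, and nothing lets a caller read the current value back. Declaring it `private static volatile boolean includeKeyInfoInSignature = true;` covers the visibility part; a matching `isIncludeKeyInfoInSignature()` getter would let callers and tests check the effective setting instead of assuming it. The field Javadoc should also mention that the default can be overridden through the `picketlink.xmlsig.includeKeyInfo` system property read in the static initializer.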
@@ -104,6 +109,11 @@
static
{
SystemPropertiesUtil.ensure();
+ String keyInfoProp =
SecurityActions.getSystemProperty("picketlink.xmlsig.includeKeyInfo", null);
+ if (StringUtil.isNotNull(keyInfoProp))
+ {
+ includeKeyInfoInSignature = Boolean.parseBoolean(keyInfoProp);
+ }
};
/**
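Review bot: The static initializer parses `picketlink.xmlsig.includeKeyInfo` with Boolean.parseBoolean, which maps any value other than a case-insensitive "true" to false, so a misspelt or mis-set value such as "yes" or "1" silently turns KeyInfo off for every signature produced by this JVM with no diagnostic. Comparing the value explicitly and reporting an unrecognised one, or at least recording the effective setting at startup, makes such a misconfiguration visible. The property name is also a bare literal here; a `private static final String` constant next to the field keeps it documented and greppable.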
@@ -118,6 +128,16 @@
}
/**
+ * Use this method to not include the KeyInfo in the signature
+ * @param includeKeyInfoInSignature
+ * @since v2.0.1
+ */
+ public static void setIncludeKeyInfoInSignature(boolean includeKeyInfoInSignature)
+ {
+ XMLSignatureUtil.includeKeyInfoInSignature = includeKeyInfoInSignature;
+ }
+
+ /**
* Precheck whether the document that will be validated has the right signedinfo
*
* @param doc
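Review bot: The Javadoc for setIncludeKeyInfoInSignature describes only the disabling case and leaves `@param includeKeyInfoInSignature` without a description, although the method also re-enables the element and the setting is static, i.e. shared by every caller in the JVM. Suggested text: `Controls whether generated signatures carry a KeyInfo element (default true, overridable with the picketlink.xmlsig.includeKeyInfo system property). This is a JVM-wide setting that affects all subsequent sign() calls.` with `@param includeKeyInfoInSignature true to embed a KeyValue for the signing key, false to omit KeyInfo entirely`.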
@@ -267,6 +287,10 @@
KeyValue kv = kif.newKeyValue(publicKey);
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
+ if (!includeKeyInfoInSignature)
+ {
+ ki = null;
+ }
XMLSignature signature = fac.newXMLSignature(si, ki);
signature.sign(dsc);
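Review bot: The KeyValue and KeyInfo are still built from publicKey and then thrown away when the flag is off; guard the construction instead of nulling the result, `KeyInfo ki = includeKeyInfoInSignature ? kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(publicKey))) : null;`, and drop the separate kv line. A short comment at that point would help the next reader: `// a null KeyInfo is permitted by newXMLSignature; a verifier then has to obtain the key from elsewhere`. The enclosing sign method starts and ends outside this hunk.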
@@ -378,5 +402,4 @@
}
return cert;
}
-
}
\ No newline at end of file