[jboss-cvs] Picketlink SVN: r1228 - in federation/trunk: picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2 and 1 other directories.



Author: anil.saldhana at jboss.com
Date: 2011-09-19 12:19:19 -0400 (Mon, 19 Sep 2011)
New Revision: 1228

Modified:
   federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
   federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java
   federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
Log:
PLFED-232: opportunities to not include keyinfo in signed document

Modified: federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
===================================================================
--- federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java	2011-09-18 07:21:45 UTC (rev 1227)
+++ federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java	2011-09-19 16:19:19 UTC (rev 1228)
@@ -25,7 +25,7 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.PublicKey;
- 
+
 import javax.xml.crypto.MarshalException;
 import javax.xml.crypto.dsig.DigestMethod;
 import javax.xml.crypto.dsig.SignatureMethod;
@@ -40,7 +40,7 @@
 import org.picketlink.identity.federation.core.exceptions.ProcessingException;
 import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
 import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
-import org.picketlink.identity.federation.core.util.XMLSignatureUtil; 
+import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
 import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
 import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
 import org.w3c.dom.Document;
@@ -55,9 +55,9 @@
 public class SAML2Signature
 {
    private String signatureMethod = SignatureMethod.RSA_SHA1;
-   private String digestMethod = DigestMethod.SHA1; 
-   
 
+   private String digestMethod = DigestMethod.SHA1;
+
    public String getSignatureMethod()
    {
       return signatureMethod;
@@ -77,8 +77,22 @@
    {
       this.digestMethod = digestMethod;
    }
-    
+
    /**
+    * Set to false, if you do not want to include keyinfo
+    * in the signature
+    * @param val
+    * @since v2.0.1
+    */
+   public void setSignatureIncludeKeyInfo(boolean val)
+   {
+      if (!val)
+      {
+         XMLSignatureUtil.setIncludeKeyInfoInSignature(false);
+      }
+   }
+
+   /**
     * Sign an RequestType at the root
     * @param request
     * @param keypair Key Pair 
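Review bot: `setSignatureIncludeKeyInfo(true)` is a no-op because the body on lines 66-69 only acts when the argument is false, so a caller cannot re-enable KeyInfo once another caller has disabled it, and the flag it flips is a static in XMLSignatureUtil, so the choice is JVM-wide even though the API is an instance method on SAML2Signature. At minimum forward the value unconditionally, `XMLSignatureUtil.setIncludeKeyInfoInSignature(val);`, and state in the Javadoc that this changes a process-global setting affecting every signer in the JVM. If per-signer control is the intent, an instance field threaded through to `XMLSignatureUtil.sign` would be needed, which is outside this hunk. The hunk ends inside the Javadoc of the following sign method.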
@@ -92,20 +106,18 @@
     * @throws MarshalException 
     * @throws GeneralSecurityException 
     */
-   public Document sign(RequestAbstractType request, KeyPair keypair) throws SAXException, IOException, ParserConfigurationException, GeneralSecurityException, MarshalException, XMLSignatureException  
+   public Document sign(RequestAbstractType request, KeyPair keypair) throws SAXException, IOException,
+         ParserConfigurationException, GeneralSecurityException, MarshalException, XMLSignatureException
    {
       SAML2Request saml2Request = new SAML2Request();
       Document doc = saml2Request.convert(request);
       doc.normalize();
-      
+
       String referenceURI = "#" + request.getID();
-       
-      return XMLSignatureUtil.sign(doc, 
-            keypair, 
-            digestMethod, signatureMethod, 
-            referenceURI);
+
+      return XMLSignatureUtil.sign(doc, keypair, digestMethod, signatureMethod, referenceURI);
    }
-   
+
    /**
     * Sign an ResponseType at the root
     * @param response
@@ -118,15 +130,16 @@
     * @throws MarshalException 
     * @throws GeneralSecurityException 
     */
-   public Document sign(ResponseType response,KeyPair keypair) throws ParserConfigurationException, GeneralSecurityException, MarshalException, XMLSignatureException  
+   public Document sign(ResponseType response, KeyPair keypair) throws ParserConfigurationException,
+         GeneralSecurityException, MarshalException, XMLSignatureException
    {
       SAML2Response saml2Request = new SAML2Response();
       Document doc = saml2Request.convert(response);
       doc.normalize();
-      
-      return sign(doc, response.getID(), keypair); 
+
+      return sign(doc, response.getID(), keypair);
    }
-   
+
    /**
     * Sign an Document at the root
     * @param response
@@ -139,19 +152,14 @@
     * @throws MarshalException 
     * @throws GeneralSecurityException 
     */
-   public Document sign(Document doc,
-         String referenceID, 
-         KeyPair keypair) throws 
-         ParserConfigurationException, GeneralSecurityException, MarshalException, XMLSignatureException  
-   {  
+   public Document sign(Document doc, String referenceID, KeyPair keypair) throws ParserConfigurationException,
+         GeneralSecurityException, MarshalException, XMLSignatureException
+   {
       String referenceURI = "#" + referenceID;
-      
-      return XMLSignatureUtil.sign(doc, 
-            keypair, 
-            digestMethod, signatureMethod, 
-            referenceURI);
+
+      return XMLSignatureUtil.sign(doc, keypair, digestMethod, signatureMethod, referenceURI);
    }
-   
+
    /**
     * Sign an assertion whose id value is provided in the response type
     * @param response
@@ -167,17 +175,16 @@
     * @throws MarshalException 
     * @throws GeneralSecurityException 
     */
-   public Document sign(ResponseType response,
-         String idValueOfAssertion,
-         KeyPair keypair, 
-         String referenceURI) throws ParserConfigurationException, XPathException, TransformerFactoryConfigurationError, TransformerException, GeneralSecurityException, MarshalException, XMLSignatureException
+   public Document sign(ResponseType response, String idValueOfAssertion, KeyPair keypair, String referenceURI)
+         throws ParserConfigurationException, XPathException, TransformerFactoryConfigurationError,
+         TransformerException, GeneralSecurityException, MarshalException, XMLSignatureException
    {
       SAML2Response saml2Response = new SAML2Response();
       Document doc = saml2Response.convert(response);
-       
-      return sign(doc,idValueOfAssertion, keypair, referenceURI);
+
+      return sign(doc, idValueOfAssertion, keypair, referenceURI);
    }
-   
+
    /**
     * Sign a document
     * @param doc
@@ -193,24 +200,17 @@
     * @throws MarshalException
     * @throws XMLSignatureException
     */
-   public Document sign(Document doc,
-         String idValueOfAssertion,
-         KeyPair keypair, 
-         String referenceURI) throws ParserConfigurationException, XPathException, TransformerFactoryConfigurationError, TransformerException, GeneralSecurityException, MarshalException, XMLSignatureException
+   public Document sign(Document doc, String idValueOfAssertion, KeyPair keypair, String referenceURI)
+         throws ParserConfigurationException, XPathException, TransformerFactoryConfigurationError,
+         TransformerException, GeneralSecurityException, MarshalException, XMLSignatureException
    {
 
-      Node assertionNode = DocumentUtil.getNodeWithAttribute(doc, 
-            JBossSAMLURIConstants.ASSERTION_NSURI.get(), 
-            "Assertion",
-            "ID", 
-            idValueOfAssertion);
-      
-      return XMLSignatureUtil.sign(doc, assertionNode, 
-            keypair, 
-            digestMethod, signatureMethod, 
-            referenceURI); 
+      Node assertionNode = DocumentUtil.getNodeWithAttribute(doc, JBossSAMLURIConstants.ASSERTION_NSURI.get(),
+            "Assertion", "ID", idValueOfAssertion);
+
+      return XMLSignatureUtil.sign(doc, assertionNode, keypair, digestMethod, signatureMethod, referenceURI);
    }
-   
+
    /**
     * Sign a SAML Document
     * @param samlDocument
@@ -228,9 +228,9 @@
       catch (Exception e)
       {
          throw new ProcessingException(e);
-      } 
+      }
    }
-   
+
    /**
     * Validate the SAML2 Document
     * @param signedDocument
@@ -242,13 +242,13 @@
    {
       try
       {
-         return XMLSignatureUtil.validate(signedDocument, publicKey); 
+         return XMLSignatureUtil.validate(signedDocument, publicKey);
       }
-      catch(MarshalException me)
+      catch (MarshalException me)
       {
          throw new ProcessingException(me.getLocalizedMessage());
       }
-      catch(XMLSignatureException xse)
+      catch (XMLSignatureException xse)
       {
          throw new ProcessingException(xse.getLocalizedMessage());
       }

Modified: federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java	2011-09-18 07:21:45 UTC (rev 1227)
+++ federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/api/saml/v2/SignatureValidationUnitTestCase.java	2011-09-19 16:19:19 UTC (rev 1228)
@@ -80,12 +80,48 @@
       ss.setSignatureMethod(SignatureMethod.DSA_SHA1);
       Document signedDoc = ss.sign(authnRequest, kp);
 
+      System.out.println("Signed Doc:" + DocumentUtil.asString(signedDoc));
+
       // Validate the signature
       boolean isValid = XMLSignatureUtil.validate(signedDoc, kp.getPublic());
       assertTrue(isValid);
    }
 
    /**
+    * Test the creation of AuthnRequestType with signature creation with a private key and then validate the signature
+    * with a public key. We test that the signature does not contain the keyinfo
+    * 
+    * @throws Exception
+    */
+   @Test
+   public void testNoKeyInfo() throws Exception
+   {
+      SAML2Request saml2Request = new SAML2Request();
+      String id = IDGenerator.create("ID_");
+      String assertionConsumerURL = "http://sp";
+      String destination = "http://idp";
+      String issuerValue = "http://sp";
+      AuthnRequestType authnRequest = saml2Request.createAuthnRequestType(id, assertionConsumerURL, destination,
+            issuerValue);
+
+      KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
+      KeyPair kp = kpg.genKeyPair();
+
+      SAML2Signature ss = new SAML2Signature();
+      ss.setSignatureIncludeKeyInfo(false);
+
+      ss.setSignatureMethod(SignatureMethod.DSA_SHA1);
+      Document signedDoc = ss.sign(authnRequest, kp);
+
+      System.out.println("Signed Doc:" + DocumentUtil.asString(signedDoc));
+
+      // Validate the signature
+      boolean isValid = XMLSignatureUtil.validate(signedDoc, kp.getPublic());
+      assertTrue(isValid);
+      XMLSignatureUtil.setIncludeKeyInfoInSignature(true);
+   }
+
+   /**
     * Test the signature for ResponseType
     * 
     * @throws Exception
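Review bot: The Javadoc on lines 253-254 says the test checks that the signature does not contain KeyInfo, but the body only validates the signature; nothing asserts the `ds:KeyInfo` element is absent, so a regression that keeps emitting it would pass. Also the reset `XMLSignatureUtil.setIncludeKeyInfoInSignature(true)` on line 283 is skipped if an assertion above it fails, leaving the global flag off for every later test in the JVM, so it belongs in a `finally`. Both `assertEquals` and `XMLSignature` may need imports that are outside this hunk.

```java
      SAML2Signature ss = new SAML2Signature();
      ss.setSignatureIncludeKeyInfo(false);
      try
      {
         // … unchanged: setSignatureMethod, sign, println, validate, assertTrue …
         assertEquals(0, signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "KeyInfo").getLength());
      }
      finally
      {
         XMLSignatureUtil.setIncludeKeyInfoInSignature(true);
      }
```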

Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java	2011-09-18 07:21:45 UTC (rev 1227)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java	2011-09-19 16:19:19 UTC (rev 1228)
@@ -84,6 +84,11 @@
 
    private static XMLSignatureFactory fac = getXMLSignatureFactory();
 
+   /**
+    * By default, we include the keyinfo in the signature
+    */
+   private static boolean includeKeyInfoInSignature = true;
+
    private static XMLSignatureFactory getXMLSignatureFactory()
    {
       XMLSignatureFactory xsf = null;
@@ -104,6 +109,11 @@
    static
    {
       SystemPropertiesUtil.ensure();
+      String keyInfoProp = SecurityActions.getSystemProperty("picketlink.xmlsig.includeKeyInfo", null);
+      if (StringUtil.isNotNull(keyInfoProp))
+      {
+         includeKeyInfoInSignature = Boolean.parseBoolean(keyInfoProp);
+      }
    };
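Review bot: `Boolean.parseBoolean` on line 314 turns every value other than a case-insensitive "true" into false, so a misspelt or non-standard setting such as `yes` or `1` silently disables KeyInfo instead of being rejected, and because this runs in the static initializer the property is consulted only once, when the class loads. I would accept just the two literal values and keep the default otherwise, e.g. `if ("true".equalsIgnoreCase(keyInfoProp) || "false".equalsIgnoreCase(keyInfoProp)) includeKeyInfoInSignature = Boolean.parseBoolean(keyInfoProp); else log.warn("Ignoring unrecognized picketlink.xmlsig.includeKeyInfo value: " + keyInfoProp);` (using whatever logger this class already has), and document the property name and its load-time-only evaluation in the class Javadoc.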
 
    /**
@@ -118,6 +128,16 @@
    }
 
    /**
+    * Use this method to not include the KeyInfo in the signature
+    * @param includeKeyInfoInSignature
+    * @since v2.0.1
+    */
+   public static void setIncludeKeyInfoInSignature(boolean includeKeyInfoInSignature)
+   {
+      XMLSignatureUtil.includeKeyInfoInSignature = includeKeyInfoInSignature;
+   }
+
+   /**
     * Precheck whether the document that will be validated has the right signedinfo
     * 
     * @param doc
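Review bot: The Javadoc for `setIncludeKeyInfoInSignature` does not say that it writes a JVM-wide static (`includeKeyInfoInSignature`, declared without `volatile` on line 302), so every caller of `XMLSignatureUtil.sign` in the process is affected and a write from one thread is not guaranteed to become visible promptly to signers running on other threads. I would add to the Javadoc: `Process-global: affects every signature produced by this class in the JVM, not only the caller. The backing field is not volatile, so set this during initialization rather than per request.` The hunk ends inside the Javadoc of the following method.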
@@ -267,6 +287,10 @@
       KeyValue kv = kif.newKeyValue(publicKey);
       KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
 
+      if (!includeKeyInfoInSignature)
+      {
+         ki = null;
+      }
       XMLSignature signature = fac.newXMLSignature(si, ki);
 
       signature.sign(dsc);
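Review bot: The check on line 340 runs after `kif.newKeyValue(publicKey)` and `kif.newKeyInfo(...)` have already been built, so a key whose algorithm `newKeyValue` does not support still fails the signing call with a KeyException even though no KeyInfo is going to be emitted; moving the decision ahead of those two lines avoids that, e.g. `KeyInfo ki = includeKeyInfoInSignature ? kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(publicKey))) : null;`. Omitting KeyInfo is consistent with this class's verification path, since `validate(Document, PublicKey)` takes the verification key explicitly rather than reading it from the signature, but a comment here noting that relying parties must then obtain the signer's key out of band (e.g. from metadata) would help the next maintainer. The enclosing sign method starts and ends outside this hunk.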
@@ -378,5 +402,4 @@
       }
       return cert;
    }
-
 }
\ No newline at end of file


