syncope-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/5] syncope git commit: SYNCOPE-1194 - Sign the SAML SSO Service Provider Metadata
Date Fri, 11 Aug 2017 12:39:52 GMT
Repository: syncope
Updated Branches:
  refs/heads/2_0_X 5160df7ba -> 6b3ace024


SYNCOPE-1194 - Sign the SAML SSO Service Provider Metadata


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/919584f3
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/919584f3
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/919584f3

Branch: refs/heads/2_0_X
Commit: 919584f3f780a54b3447dd4f397a29eea438af94
Parents: 5160df7
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Aug 11 11:59:08 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Aug 11 13:15:33 2017 +0100

----------------------------------------------------------------------
 .../apache/syncope/core/logic/SAML2SPLogic.java   |  1 +
 .../core/logic/saml2/SAML2ReaderWriter.java       |  3 +--
 .../org/apache/syncope/fit/core/SAML2ITCase.java  | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/919584f3/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 87b7eb6..31ef8c4 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -200,6 +200,7 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean>
{
             }
 
             spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+            saml2rw.sign(spEntityDescriptor);
 
             saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
         } catch (Exception e) {

http://git-wip-us.apache.org/repos/asf/syncope/blob/919584f3/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index 62e90e7..22b0fd1 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -151,14 +151,13 @@ public class SAML2ReaderWriter {
         return responseObject;
     }
 
-    public void sign(final RequestAbstractType request) throws SecurityException {
+    public void sign(final SignableSAMLObject signableObject) throws SecurityException {
         org.opensaml.xmlsec.signature.Signature signature = OpenSAMLUtil.buildSignature();
         signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
         signature.setSignatureAlgorithm(sigAlgo);
         signature.setSigningCredential(loader.getCredential());
         signature.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
 
-        SignableSAMLObject signableObject = (SignableSAMLObject) request;
         signableObject.setSignature(signature);
         signableObject.releaseDOM();
         signableObject.releaseChildrenDOM(true);

http://git-wip-us.apache.org/repos/asf/syncope/blob/919584f3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
index 6967e73..e8a5add 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SAML2ITCase.java
@@ -30,9 +30,12 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.xml.namespace.QName;
+
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.collections4.IterableUtils;
 import org.apache.commons.collections4.Predicate;
@@ -68,6 +71,7 @@ import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.common.util.Loader;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.xml.security.signature.XMLSignature;
 import org.joda.time.DateTime;
 import org.junit.AfterClass;
 import org.junit.Assume;
@@ -75,6 +79,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -143,6 +148,19 @@ public class SAML2ITCase extends AbstractITCase {
                     new InputStreamReader((InputStream) response.getEntity(), StandardCharsets.UTF_8));
             assertEquals("EntityDescriptor", responseDoc.getDocumentElement().getLocalName());
             assertEquals("urn:oasis:names:tc:SAML:2.0:metadata", responseDoc.getDocumentElement().getNamespaceURI());
+
+            // Get the signature
+            QName signatureQName = new QName(SignatureConstants.XMLSIG_NS, "Signature");
+            Element signatureElement =
+                DOMUtils.getFirstChildWithName(responseDoc.getDocumentElement(), signatureQName);
+            assertNotNull(signatureElement);
+
+            // Validate the signature
+            XMLSignature signature = new XMLSignature(signatureElement, null);
+            KeyStore keystore = KeyStore.getInstance("JKS");
+            keystore.load(Loader.getResourceAsStream("keystore"), "changeit".toCharArray());
+            assertTrue(signature.checkSignatureValue((X509Certificate)keystore.getCertificate("sp")));
+
         } catch (Exception e) {
             LOG.error("During SAML 2.0 SP metadata parsing", e);
             fail(e.getMessage());


Mime
View raw message