[GitHub] [cxf-fediz] amergey opened a new pull request #55: Support for encrypted assertion in tokens


[GitHub] [cxf-fediz] amergey opened a new pull request #55: Support for encrypted assertion in tokens

GitBox

amergey opened a new pull request #55:
URL: https://github.com/apache/cxf-fediz/pull/55

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]



[GitHub] [cxf-fediz] coheigea commented on a change in pull request #55: Support for encrypted assertion in tokens

GitBox

coheigea commented on a change in pull request #55:
URL: https://github.com/apache/cxf-fediz/pull/55#discussion_r440033469



##########
File path: plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
##########
@@ -254,6 +269,62 @@ protected FedizResponse processSignInRequest(FedizRequest request, FedizContext
         return fedResponse;
     }
 
+    private void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response responseObject, FedizContext config)
+            throws ProcessingException {
+        if (responseObject.getEncryptedAssertions() != null && !responseObject.getEncryptedAssertions().isEmpty()) {
+            KeyManager decryptionKeyManager = config.getDecryptionKey();
+            if (decryptionKeyManager == null || decryptionKeyManager.getCrypto() == null) {
+                LOG.debug("We must have a decryption Crypto instance configured to decrypt encrypted tokens");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+            String keyPassword = decryptionKeyManager.getKeyPassword();
+            if (keyPassword == null) {
+                LOG.debug("We must have a decryption key password to decrypt encrypted tokens");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+    
+            String keyAlias = decryptionKeyManager.getKeyAlias();
+            if (keyAlias == null) {
+                LOG.debug("No alias configured for decrypt");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+            
+            try {
+                // Get the private key
+                PrivateKey privateKey = decryptionKeyManager.getCrypto().getPrivateKey(keyAlias, keyPassword);
+                if (privateKey == null) {
+                    LOG.debug("No private key available");
+                    throw new ProcessingException(TYPE.BAD_REQUEST);
+                }
+                
+                BasicX509Credential cred = new BasicX509Credential(
+                    CertsUtils.getX509CertificateFromCrypto(decryptionKeyManager.getCrypto(), keyAlias));
+                cred.setPrivateKey(privateKey);
+                
+                StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(cred);
+                
+                ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver(
+                        Arrays.<EncryptedKeyResolver>asList(
+                                new InlineEncryptedKeyResolver(),
+                                new EncryptedElementTypeEncryptedKeyResolver(),
+                                new SimpleRetrievalMethodEncryptedKeyResolver(),
+                                new SimpleKeyInfoReferenceEncryptedKeyResolver()));
+                
+                Decrypter decrypter = new Decrypter(null, resolver, keyResolver);
+                
+                for (EncryptedAssertion encryptedAssertion : responseObject.getEncryptedAssertions()) {
+                
+                    Assertion decrypted = decrypter.decrypt(encryptedAssertion);
+                    LOG.debug("Decrypted:" + DOM2Writer.nodeToString(decrypted.getDOM()));
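Review bot: the debug statement at the end of the hunk serialises the entire decrypted assertion into the log, which puts the subject identifier, attribute values and any other sensitive claims the IdP chose to encrypt into plain-text log files; beyond guarding it with LOG.isDebugEnabled(), consider logging only something like the assertion ID or issuer instead of the whole DOM, so the confidentiality that encryption was meant to provide is not undone by logging. The hunk also ends inside the loop over getEncryptedAssertions(), so it is not visible here what happens to each decrypted Assertion afterwards; it needs to go through the same signature, issuer, audience and conditions validation that a plaintext Assertion gets, since decryption only proves the response was encrypted for this relying party, not who issued it. One smaller point on the configuration checks near the top of the hunk: a missing decryption Crypto, key password or alias is a relying-party configuration error rather than a malformed client request, so raising TYPE.BAD_REQUEST with only a debug-level message will make that misconfiguration hard to spot in production; a warn-level log line, or a distinct error type, would surface it.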

Review comment:
Better to wrap this in a LOG.isDebugEnabled() if statement, as otherwise it will cause a performance problem by calling nodeToString even when debug is not enabled.







[GitHub] [cxf-fediz] amergey commented on a change in pull request #55: Support for encrypted assertion in tokens

GitBox

amergey commented on a change in pull request #55:
URL: https://github.com/apache/cxf-fediz/pull/55#discussion_r440346630



##########
File path: plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
##########
@@ -254,6 +269,62 @@ protected FedizResponse processSignInRequest(FedizRequest request, FedizContext
         return fedResponse;
     }
 
+    private void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response responseObject, FedizContext config)
+            throws ProcessingException {
+        if (responseObject.getEncryptedAssertions() != null && !responseObject.getEncryptedAssertions().isEmpty()) {
+            KeyManager decryptionKeyManager = config.getDecryptionKey();
+            if (decryptionKeyManager == null || decryptionKeyManager.getCrypto() == null) {
+                LOG.debug("We must have a decryption Crypto instance configured to decrypt encrypted tokens");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+            String keyPassword = decryptionKeyManager.getKeyPassword();
+            if (keyPassword == null) {
+                LOG.debug("We must have a decryption key password to decrypt encrypted tokens");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+    
+            String keyAlias = decryptionKeyManager.getKeyAlias();
+            if (keyAlias == null) {
+                LOG.debug("No alias configured for decrypt");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+            
+            try {
+                // Get the private key
+                PrivateKey privateKey = decryptionKeyManager.getCrypto().getPrivateKey(keyAlias, keyPassword);
+                if (privateKey == null) {
+                    LOG.debug("No private key available");
+                    throw new ProcessingException(TYPE.BAD_REQUEST);
+                }
+                
+                BasicX509Credential cred = new BasicX509Credential(
+                    CertsUtils.getX509CertificateFromCrypto(decryptionKeyManager.getCrypto(), keyAlias));
+                cred.setPrivateKey(privateKey);
+                
+                StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(cred);
+                
+                ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver(
+                        Arrays.<EncryptedKeyResolver>asList(
+                                new InlineEncryptedKeyResolver(),
+                                new EncryptedElementTypeEncryptedKeyResolver(),
+                                new SimpleRetrievalMethodEncryptedKeyResolver(),
+                                new SimpleKeyInfoReferenceEncryptedKeyResolver()));
+                
+                Decrypter decrypter = new Decrypter(null, resolver, keyResolver);
+                
+                for (EncryptedAssertion encryptedAssertion : responseObject.getEncryptedAssertions()) {
+                
+                    Assertion decrypted = decrypter.decrypt(encryptedAssertion);
+                    LOG.debug("Decrypted:" + DOM2Writer.nodeToString(decrypted.getDOM()));

Review comment:
Makes sense, done!







[GitHub] [cxf-fediz] coheigea merged pull request #55: Support for encrypted assertion in tokens

GitBox

coheigea merged pull request #55:
URL: https://github.com/apache/cxf-fediz/pull/55
