From: <go...@us...> - 2007-05-07 13:23:42
Revision: 769 http://svn.sourceforge.net/unicore/?rev=769&view=rev Author: golbi Date: 2007-05-07 06:23:37 -0700 (Mon, 07 May 2007) Log Message: ----------- Moved from C9m repository Added Paths: ----------- securityLib/lib/ securityLib/lib/SAML2XBeans.jar securityLib/lib/dom.jar securityLib/lib/jaxp-api.jar securityLib/lib/xalan.jar securityLib/lib/xercesImpl.jar securityLib/lib/xmldsig.jar securityLib/lib/xmlsec.jar securityLib/pom.xml securityLib/src/ securityLib/src/main/ securityLib/src/main/java/ securityLib/src/main/java/pl/ securityLib/src/main/java/pl/edu/ securityLib/src/main/java/pl/edu/icm/ securityLib/src/main/java/pl/edu/icm/unicore/ securityLib/src/main/java/pl/edu/icm/unicore/saml/ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java securityLib/src/main/java/pl/edu/icm/unicore/security/ securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java securityLib/src/main/java/pl/edu/icm/unicore/security/consignor/ securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/ securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java securityLib/src/main/schema/ securityLib/src/main/schema/REC-xmldsig-core-20020212/ securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd 
securityLib/src/main/schema/REC-xmlenc-core-20021210/ securityLib/src/main/schema/REC-xmlenc-core-20021210/xenc-schema.xsd securityLib/src/main/schema/saml2/ securityLib/src/main/schema/saml2/saml-schema-assertion-2.0.xsd securityLib/src/main/schema/xmlbeans_config.xsdconfig securityLib/src/test/ securityLib/src/test/java/ securityLib/src/test/java/pl/ securityLib/src/test/java/pl/edu/ securityLib/src/test/java/pl/edu/icm/ securityLib/src/test/java/pl/edu/icm/unicore/ securityLib/src/test/java/pl/edu/icm/unicore/security/ securityLib/src/test/java/pl/edu/icm/unicore/security/etd/ securityLib/src/test/java/pl/edu/icm/unicore/security/etd/GenerateAndVerifyTest.java securityLib/src/test/java/pl/edu/icm/unicore/security/etd/NegativeTest.java securityLib/src/test/java/pl/edu/icm/unicore/security/etd/ParseTest.java securityLib/src/test/java/pl/edu/icm/unicore/security/etd/SimpleGenerateTest.java securityLib/src/test/java/pl/edu/icm/unicore/security/etd/TDChainTest.java securityLib/src/test/java/pl/edu/icm/unicore/security/etd/TestBase.java securityLib/src/test/resources/ securityLib/src/test/resources/keystoreDSA1.jks securityLib/src/test/resources/keystoreDSA2.jks securityLib/src/test/resources/keystoreRSA1.jks securityLib/src/test/resources/keystoreRSA2.jks Added: securityLib/lib/SAML2XBeans.jar =================================================================== (Binary files differ) Property changes on: securityLib/lib/SAML2XBeans.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/lib/dom.jar =================================================================== (Binary files differ) Property changes on: securityLib/lib/dom.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/lib/jaxp-api.jar =================================================================== (Binary files differ) Property changes on: 
securityLib/lib/jaxp-api.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/lib/xalan.jar =================================================================== (Binary files differ) Property changes on: securityLib/lib/xalan.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/lib/xercesImpl.jar =================================================================== (Binary files differ) Property changes on: securityLib/lib/xercesImpl.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/lib/xmldsig.jar =================================================================== (Binary files differ) Property changes on: securityLib/lib/xmldsig.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/lib/xmlsec.jar =================================================================== (Binary files differ) Property changes on: securityLib/lib/xmlsec.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: securityLib/pom.xml =================================================================== --- securityLib/pom.xml (rev 0) +++ securityLib/pom.xml 2007-05-07 13:23:37 UTC (rev 769) 
@@ -0,0 +1,132 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>pl.edu.icm.unicore.security</groupId>
+ <artifactId>etd</artifactId>
+ <packaging>jar</packaging>
+ <version>1.0-SNAPSHOT</version>
+ <name>etd</name>
+ <url>http://www.unicore.eu</url>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>3.8.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.13</version>
+ </dependency>
+ <dependency>
+ <groupId>xmlbeans</groupId>
+ <artifactId>xbean</artifactId>
+ <version>2.2.0</version>
+ </dependency>
+ <dependency>
+ <groupId>xmlbeans</groupId>
+ <artifactId>xmlbeans-jsr173-api</artifactId>
+ <version>2.0-dev</version>
+ </dependency>
+
+ <!-- only for tests... is there nicer way to add it?? -->
+ <dependency>
+ <groupId>mybeans</groupId>
+ <artifactId>mybeans</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/SAML2XBeans.jar</systemPath>
+ </dependency>
+
+
+ <!-- xmldsig and friends - boundled as it is hard to get them from repository -->
+ <dependency>
+ <groupId>javax.xml</groupId>
+ <artifactId>xmldsig</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xmldsig.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ <version>2.5.2</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xalan.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xerces</groupId>
+ <artifactId>xercesImpl</artifactId>
+ <version>2.5.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xalan.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>dom</groupId>
+ <artifactId>dom</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/dom.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xml-apis</groupId>
+ <artifactId>jaxp-api</artifactId>
+ <version>1.3.1</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/jaxp-api.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xml-sec</groupId>
+ <artifactId>xml-sec</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xmlsec.jar</systemPath>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>xmlbeans-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>xmlbeans</goal>
+ </goals>
+ </execution>
+ </executions>
+ <inherited>true</inherited>
+ <configuration>
+ <schemaDirectory>src/main/schema/saml2</schemaDirectory>
+ <xmlConfigs>
+ <xmlConfig implementation="java.io.File">
+ src/main/schema/xmlbeans_config.xsdconfig
+ </xmlConfig>
+ </xmlConfigs>
+ <noUpa>false</noUpa>
+ <outputJar>lib/SAML2XBeans.jar</outputJar>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.5</source>
+ <target>1.5</target>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <!-- <skip>true</skip> -->
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
Added: securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java 2007-05-07 13:23:37 UTC (rev 769)
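Review bot: The `xercesImpl` dependency's `<systemPath>` points at `${basedir}/lib/xalan.jar` rather than the `lib/xercesImpl.jar` this commit adds, so the declared Xerces artifact never reaches the classpath and Xalan is listed twice; the fix is `<systemPath>${basedir}/lib/xercesImpl.jar</systemPath>`. The seven `system`-scoped jars are checked-in binaries with no recorded origin or checksum, and they are the XML parser, XSLT engine and signature library that every signature canonicalization and verification in this module runs through, so the build has no way to tell whether what it links is what the author intended. Recording the source URL and a digest of each jar in the existing comment, or publishing them to an internal repository so they resolve by coordinates, would make that chain auditable. The `mybeans` entry comments itself as test-only but has no `<scope>test</scope>`, which is probably unintended.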
@@ -0,0 +1,371 @@ +/* + * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved. + * See LICENCE file for licencing information. + * + * Created on May 6, 2007 + * Author: K. Benedyczak <go...@ma...> + */ + +package pl.edu.icm.unicore.saml; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.Calendar; +import java.util.Date; +import java.util.Random; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.apache.log4j.Logger; +import org.apache.xmlbeans.XmlCursor; +import org.apache.xmlbeans.XmlException; +import org.apache.xmlbeans.XmlObject; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.xml.sax.SAXException; + +import pl.edu.icm.unicore.security.dsig.DSigException; +import pl.edu.icm.unicore.security.dsig.DigSignatureUtil; + +import com.sun.org.apache.xml.security.utils.RFC2253Parser; + +import xmlbeans.org.oasis.saml2.assertion.AssertionDocument; +import xmlbeans.org.oasis.saml2.assertion.AssertionType; +import xmlbeans.org.oasis.saml2.assertion.AttributeStatementType; +import xmlbeans.org.oasis.saml2.assertion.AttributeType; +import xmlbeans.org.oasis.saml2.assertion.ConditionsType; +import xmlbeans.org.oasis.saml2.assertion.NameIDType; +import xmlbeans.org.oasis.saml2.assertion.ProxyRestrictionType; +import xmlbeans.org.oasis.saml2.assertion.SubjectType; +import xmlbeans.org.w3.x2000.x09.xmldsig.KeyInfoType; +import xmlbeans.org.w3.x2000.x09.xmldsig.SignatureType; +import xmlbeans.org.w3.x2000.x09.xmldsig.X509DataType; + +/** + * SAML v2 assertion. It is generic, i.e. 
can represent any kind of assertion + * (identity, attribute, ...) + * + * TODO authN & authZ decission code. Also add code for custom conditions. + * + * @author K. Benedyczak + */ +public class SAMLAssertion +{ + private static final Logger log = Logger.getLogger(SAMLAssertion.class); + + private AssertionType assertion; + private AssertionDocument assertionDoc; + private ConditionsType conditions; + ProxyRestrictionType proxyRestriction; + private boolean modified; + + private String issuerDN, subjectDN; + + public SAMLAssertion() + { + this("_SAMLassertion_"); + } + + public SAMLAssertion(String prefix) + { + modified = true; + conditions = null; + proxyRestriction = null; + + assertionDoc = AssertionDocument.Factory.newInstance(); + + assertion = AssertionType.Factory.newInstance(); + assertion.setVersion(SAMLConstants.VERSION); + assertion.setIssueInstant(Calendar.getInstance()); + Random r = new Random(new Date().getTime()); + StringBuffer id = new StringBuffer(prefix); + for (int i=0; i<3; i++) + id.append(Long.toHexString(r.nextLong())); + assertion.setID(id.toString()); + + conditions = ConditionsType.Factory.newInstance(); + } + + public SAMLAssertion(AssertionDocument doc) throws SAMLParseException, XmlException, IOException + { + modified = true; + assertionDoc = AssertionDocument.Factory.parse( + doc.newReader()); + assertion = assertionDoc.getAssertion(); + if (assertion == null) + assertion = AssertionType.Factory.newInstance(); + conditions = assertion.getConditions(); + + proxyRestriction = (conditions == null) ? 
null : + conditions.getProxyRestrictionArray(0); + NameIDType n1 = assertion.getIssuer(); + if (n1 != null) + { + if (SAMLConstants.DN_FORMAT.equals(n1.getFormat())) + { + XmlCursor cur = n1.newCursor(); + cur.toFirstContentToken(); + issuerDN = cur.getTextValue(); + } else + throw new SAMLParseException("Unsupported " + + "issuer format: " + n1.getFormat()); + } + SubjectType s = assertion.getSubject(); + if (s != null && s.getNameID() != null) + { + n1 = s.getNameID(); + if (SAMLConstants.DN_FORMAT.equals(n1.getFormat())) + { + XmlCursor cur = n1.newCursor(); + cur.toFirstContentToken(); + subjectDN = cur.getTextValue(); + } else + throw new SAMLParseException("Unsupported " + + "subject format: " + n1.getFormat()); + } + } + + public void setX509Issuer(String issuerName) + { + String dn = RFC2253Parser.rfc2253toXMLdsig(issuerName); + NameIDType issuerN = NameIDType.Factory.newInstance(); + issuerN.setFormat(SAMLConstants.DN_FORMAT); + issuerN.setStringValue(dn); + assertion.setIssuer(issuerN); + issuerDN = dn; + modified = true; + } + + public void setX509Subject(String subjectName) + { + String dn = RFC2253Parser.rfc2253toXMLdsig(subjectName); + NameIDType subjectN = NameIDType.Factory.newInstance(); + subjectN.setFormat(SAMLConstants.DN_FORMAT); + subjectN.setStringValue(dn); + + SubjectType subjectT = SubjectType.Factory.newInstance(); + subjectT.setNameID(subjectN); + assertion.setSubject(subjectT); + subjectDN = dn; + modified = true; + } + + public void updateIssueTime() + { + assertion.setIssueInstant(Calendar.getInstance()); + } + + public void setTimeConditions(Date notBefore, Date notOnOrAfter) + { + Calendar c = Calendar.getInstance(); + if (notBefore != null) + { + c.setTime(notBefore); + conditions.setNotBefore(c); + } + if (notOnOrAfter != null) + { + c.setTime(notOnOrAfter); + conditions.setNotOnOrAfter(c); + } + + modified = true; + } + + /** + * + * @param value use negative value to remove proxy restriction + */ + public void 
setProxyRestriction(int value) + { + if (value > 0) + { + if (proxyRestriction == null) + proxyRestriction = conditions.addNewProxyRestriction(); + proxyRestriction.setCount(BigInteger.valueOf(value)); + } else + { + if (proxyRestriction != null) + { + conditions.removeProxyRestriction(0); + proxyRestriction = null; + } + } + modified = true; + } + + public void addAttribute(String name, String format, XmlObject[] values) + { + AttributeType attribute = AttributeType.Factory.newInstance(); + attribute.setName(name); + attribute.setNameFormat(format); + AttributeStatementType attrStatement = + assertion.addNewAttributeStatement(); + attribute.setAttributeValueArray(values); + attrStatement.setAttributeArray(new AttributeType[] {attribute}); + } + + public void removeAttribute(int num) + { + assertion.removeAttributeStatement(num); + } + + public void sign(PrivateKey pk) throws DSigException, + XmlException, ParserConfigurationException, SAXException, IOException + { + sign(pk, null); + } + + public void sign(PrivateKey pk, X509Certificate cert) throws DSigException + { + DigSignatureUtil sign = new DigSignatureUtil(); + AssertionDocument unsignedDoc = getXML(); + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + Document docToSign; + try + { + DocumentBuilder builder = dbf.newDocumentBuilder(); + docToSign = builder.parse(unsignedDoc.newInputStream()); + } catch (ParserConfigurationException e) + { + throw new DSigException("Can't configure DOM parser", e); + } catch (SAXException e) + { + throw new DSigException("DOM parse exception", e); + } catch (IOException e) + { + throw new DSigException("IO Exception while parsing DOM ??", e); + } + + NodeList nodes = docToSign.getFirstChild().getChildNodes(); + Node sibling = null; + for (int i=0; i<nodes.getLength(); i++) + { + Node n = nodes.item(i); + if (n.getLocalName().equals("Subject")) + { + sibling = n; + break; + } + } + + sign.genEnvelopedSignature(pk, null, 
cert, + docToSign, sibling); + try + { + assertionDoc = AssertionDocument.Factory.parse(docToSign); + } catch (XmlException e) + { + throw new DSigException("Parsing signed document failed", e); + } + assertion = assertionDoc.getAssertion(); + } + + public boolean isCorrectlySigned(PublicKey key) throws DSigException + { + DigSignatureUtil sign = new DigSignatureUtil(); + return sign.verifyEnvelopedSignature( + (Document) getXML().getDomNode(), key); + } + + public X509Certificate getIssuerFromSignature() + { + SignatureType signature = assertion.getSignature(); + if (signature == null) + return null; + KeyInfoType ki = signature.getKeyInfo(); + if (ki == null) + return null; + X509DataType[] x509Data = ki.getX509DataArray(); + if (x509Data == null) + return null; + for (int i=0; i<x509Data.length; i++) + if (x509Data[i].getX509CertificateArray().length > 0) + return deserializeCertificate( + x509Data[i].getX509CertificateArray(0)); + return null; + } + + private X509Certificate deserializeCertificate(byte []encodedCert) + { + CertificateFactory cf; + try + { + cf = CertificateFactory.getInstance("X.509"); + } catch (CertificateException e1) + { + log.error("Can't initialize certificate factory for X509 certificates"); + return null; + } + ByteArrayInputStream bais = new ByteArrayInputStream(encodedCert); + try + { + X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); + return cert; + } catch (CertificateException e) + { + log.warn("Error while deserializing certificate from key info: " + e); + return null; + } catch (ClassCastException e) + { + log.warn("Unknown type of certificate in key info"); + return null; + } + } + + public AssertionDocument getXML() + { + if (modified) + { + assertion.setConditions(conditions); + assertionDoc.setAssertion(assertion); + modified = false; + } + return assertionDoc; + } + + public String getIssuer() + { + return issuerDN; + } + + public String getSubject() + { + return subjectDN; + } + + public int 
getProxyRestriction()
+ {
+ if (proxyRestriction == null)
+ return -1;
+ return proxyRestriction.getCount().intValue();
+ }
+
+ public Date getNotBefore()
+ {
+ Calendar c = conditions.getNotBefore();
+ return c == null ? null : c.getTime();
+ }
+
+ public Date getNotOnOrAfter()
+ {
+ Calendar c = conditions.getNotOnOrAfter();
+ return c == null ? null : c.getTime();
+ }
+
+ public AttributeStatementType[] getAttributes()
+ {
+ return assertion.getAttributeStatementArray();
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.saml;
+
+/**
+ * Various SAML 2 constants.
+ * @author K. Benedyczak
+ */
+public class SAMLConstants
+{
+ public static final String DN_FORMAT =
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
+ public static final String VERSION = "2.0";
+
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java 2007-05-07 13:23:37 UTC (rev 769)
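Review bot: In the `SAMLAssertion(AssertionDocument)` constructor, `conditions.getProxyRestrictionArray(0)` is evaluated for every assertion that carries a Conditions element, and the XmlBeans indexed getters throw IndexOutOfBoundsException on an empty array, so an assertion with only time conditions cannot be parsed; guard it with `proxyRestriction = (conditions == null || conditions.sizeOfProxyRestrictionArray() == 0) ? null : conditions.getProxyRestrictionArray(0);`. The same constructor leaves `conditions` null when the element is absent, yet `setProxyRestriction`, `getNotBefore` and `getNotOnOrAfter` dereference it unconditionally. In `sign(PrivateKey, X509Certificate)`, `n.getLocalName().equals("Subject")` throws NullPointerException for any non-element child (text nodes have a null local name); `"Subject".equals(n.getLocalName())` is the safe form. The assertion ID in `SAMLAssertion(String)` is drawn from `java.util.Random` seeded with the wall clock, which makes IDs guessable by anyone who knows roughly when they were issued; `java.security.SecureRandom` produces unpredictable IDs with the same `nextLong()` call and no change to the format.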
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.saml;
+
+/**
+ * @author K. Benedyczak
+ */
+public class SAMLParseException extends Exception
+{
+ private static final long serialVersionUID = -2502318709756670849L;
+
+ public SAMLParseException(String arg)
+ {
+ super(arg);
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 7, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security;
+
+import pl.edu.icm.unicore.security.etd.ETDApi;
+import pl.edu.icm.unicore.security.etd.ETDImpl;
+
+/**
+ * Used to obtain various security related implementations.
+ * @author K. Benedyczak
+ */
+public class UnicoreSecurityFactory
+{
+ private static ETDImpl etdImpl = null;
+
+ public static ETDApi getETDEngine()
+ {
+ if (etdImpl == null)
+ etdImpl = new ETDImpl();
+ return etdImpl;
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java 2007-05-07 13:23:37 UTC (rev 769)
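Review bot: `getETDEngine()` in `UnicoreSecurityFactory` does an unsynchronized check-then-set on the static `etdImpl`, so two threads making the first call can each construct and hand out a different `ETDImpl`; whether that matters depends on what state `ETDImpl` keeps, which is not in this commit's visible hunks. If one shared instance is the intent, `public static synchronized ETDApi getETDEngine()` makes it so in one line, and a comment such as `// lazily created; synchronized so that only one engine instance is ever created` records the contract.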
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.dsig;
+
+/**
+ * Generic class that is used when there is any kind of the problem with digital
+ * signature creation or checking it.
+ *
+ * @author K. Benedyczak
+ */
+public class DSigException extends Exception
+{
+ private static final long serialVersionUID = -3162396183055439683L;
+
+ public DSigException(String msg, Throwable reason)
+ {
+ super(msg, reason);
+ }
+
+ public DSigException(Throwable reason)
+ {
+ super("XML digital signature problem", reason);
+ }
+
+ public DSigException(String msg)
+ {
+ super(msg);
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,204 @@ +/* + * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved. + * See LICENCE file for licencing information. + * + * Created on Apr 24, 2007 + * Author: K. Benedyczak <go...@ma...> + */ + +package pl.edu.icm.unicore.security.dsig; + +import java.security.InvalidAlgorithmParameterException; +import java.security.KeyException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.security.interfaces.DSAPrivateKey; +import java.security.interfaces.RSAPrivateKey; +import java.util.Collections; +import java.util.Vector; + +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.dsig.CanonicalizationMethod; +import javax.xml.crypto.dsig.DigestMethod; +import javax.xml.crypto.dsig.Reference; +import javax.xml.crypto.dsig.SignatureMethod; +import javax.xml.crypto.dsig.SignedInfo; +import javax.xml.crypto.dsig.Transform; +import javax.xml.crypto.dsig.XMLSignature; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.crypto.dsig.XMLSignatureFactory; +import javax.xml.crypto.dsig.dom.DOMSignContext; +import javax.xml.crypto.dsig.dom.DOMValidateContext; +import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory; +import javax.xml.crypto.dsig.keyinfo.KeyValue; +import javax.xml.crypto.dsig.keyinfo.X509Data; +import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; +import javax.xml.crypto.dsig.spec.TransformParameterSpec; + +import org.w3c.dom.Document; +import org.w3c.dom.NamedNodeMap; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; + + +/** + * Provides high-level API for signing and verifying XML signatures. + * Only implements those kind of signatures that are relevant for + * UNICORE security infractructure. + * @author K. 
Benedyczak + */ +public class DigSignatureUtil +{ + private final static String PROVIDER = "org.jcp.xml.dsig.internal.dom.XMLDSigRI"; + private static XMLSignatureFactory fac = null; + + public DigSignatureUtil() throws DSigException + { + try + { + fac = XMLSignatureFactory.getInstance("DOM", + (Provider) Class.forName(PROVIDER).newInstance()); + } catch (Exception e) + { + throw new DSigException("Initialization of digital signature " + + "engine failed", e); + } + } + + public void genEnvelopedSignature(PrivateKey privKey, PublicKey pubKey, + X509Certificate cert, Document docToSign, Node insertBefore) + throws DSigException + { + try + { + genEnvelopedSignatureInternal(privKey, pubKey, cert, docToSign, insertBefore); + } catch (Exception e) + { + throw new DSigException("Creation of enveloped signature " + + "failed", e); + } + } + + private void genEnvelopedSignatureInternal(PrivateKey privKey, PublicKey pubKey, + X509Certificate cert, Document docToSign, Node insertBefore) + throws MarshalException, XMLSignatureException, NoSuchAlgorithmException, + InvalidAlgorithmParameterException, KeyException + { + DigestMethod digistMethod = fac.newDigestMethod(DigestMethod.SHA1, null); + Vector<Transform> transforms = new Vector<Transform>(); + + transforms.add(fac.newTransform(Transform.ENVELOPED, + (TransformParameterSpec) null)); + transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, + (TransformParameterSpec) null)); + CanonicalizationMethod canMethod = fac.newCanonicalizationMethod( + CanonicalizationMethod.EXCLUSIVE, + (C14NMethodParameterSpec) null); + + SignatureMethod sigMethod; + if (privKey instanceof RSAPrivateKey) + sigMethod = fac.newSignatureMethod( + SignatureMethod.RSA_SHA1, null); + else if (privKey instanceof DSAPrivateKey) + sigMethod = fac.newSignatureMethod( + SignatureMethod.DSA_SHA1, null); + else + throw new KeyException("Unsupported private key algorithm " + + "(must be DSA or RSA) :" + privKey.getAlgorithm()); + + NamedNodeMap 
attrs = docToSign.getDocumentElement().getAttributes(); + Node idNode = attrs.getNamedItem("ID"); + String id = null; + if (idNode != null) + id = "#" + idNode.getNodeValue(); + + Reference ref = fac.newReference(id, + digistMethod, + transforms, + null, null); + SignedInfo si = fac.newSignedInfo(canMethod, sigMethod, + Collections.singletonList(ref)); + + DOMSignContext dsc = null; + if (insertBefore == null) + dsc = new DOMSignContext(privKey, + docToSign.getDocumentElement()); + else + dsc = new DOMSignContext(privKey, + docToSign.getDocumentElement(), insertBefore); + KeyInfo ki = null; + KeyInfoFactory kif = fac.getKeyInfoFactory(); + Vector<Object> kiVals = new Vector<Object>(); + if (pubKey != null) + { + KeyValue kv = kif.newKeyValue(pubKey); + kiVals.add(kv); + } + if (cert != null) + { + X509Data x509Data = kif.newX509Data(Collections.singletonList(cert)); + kiVals.add(x509Data); + } + if (kiVals.size() > 0) + ki = kif.newKeyInfo(kiVals); + + XMLSignature signature = fac.newXMLSignature(si, ki); + + signature.sign(dsc); + } + + public boolean verifyEnvelopedSignature(Document signedDocument, PublicKey validatingKey) + throws DSigException + { + try + { + return verifyEnvelopedSignatureInternal(signedDocument, validatingKey); + } catch (Exception e) + { + throw new DSigException("Verification of enveloped signature " + + "failed", e); + } + } + + private boolean verifyEnvelopedSignatureInternal(Document signedDocument, PublicKey validatingKey) + throws MarshalException, XMLSignatureException + { + NodeList nl = signedDocument.getElementsByTagNameNS( + XMLSignature.XMLNS, "Signature"); + if (nl.getLength() == 0) + throw new XMLSignatureException("Document not signed"); + + DOMValidateContext valContext = new DOMValidateContext(validatingKey, + nl.item(0)); + + XMLSignature signature = fac.unmarshalXMLSignature(valContext); + + boolean coreValidity = signature.validate(valContext); + + /*if (coreValidity == false) + { + System.err.println("Signature failed 
core validation"); + boolean sv = signature.getSignatureValue().validate(valContext); + System.out.println("signature validation status: " + sv); + Iterator i = signature.getSignedInfo().getReferences().iterator(); + for (int j=0; i.hasNext(); j++) + { + Reference ref = (Reference) i.next(); + boolean refValid = ref.validate(valContext); + + System.out.println("ref["+j+"] validity status: " + refValid); + String s = new String(Base64.encode(ref.getDigestValue())); + System.out.println("ref["+j+"] digest: " + s); + s = new String(Base64.encode(ref.getCalculatedDigestValue())); + System.out.println("ref["+j+"] calculated digest: " + s); + } + } + */ + return coreValidity; + } + +} Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java =================================================================== --- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java (rev 0) +++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java 2007-05-07 13:23:37 UTC (rev 769) 
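Review bot: `verifyEnvelopedSignatureInternal` validates whichever `ds:Signature` element `getElementsByTagNameNS` finds first, anywhere in the tree, and returns `coreValidity` without checking that the signature's Reference covers the document element, so a document in which a signature and the element it covers sit somewhere below the root would still be reported as correctly signed; this is the classic signature-wrapping weakness of SAML verifiers. The verifier should require exactly one Signature, require it to be a direct child of the document element, and require the single Reference URI to equal `"#" + <root ID>` (or `""` for the whole document) before trusting `validate()`. On the signing side, `String id = null;` produces a Reference with no URI attribute when the root has no `ID`, which XMLDSig leaves to the application to interpret; `String id = "";` makes it an explicit same-document reference that the check below accepts. Separately, the constructor assigns the static field `fac` on every instantiation, so two instances race on it; a `static` initializer (or a non-static field) avoids that, and the hard-coded SHA-1 digest and signature methods would be easier to retire if they were constructor parameters.
```java
private boolean verifyEnvelopedSignatureInternal(Document signedDocument, PublicKey validatingKey)
        throws MarshalException, XMLSignatureException
{
    NodeList nl = signedDocument.getElementsByTagNameNS(
            XMLSignature.XMLNS, "Signature");
    if (nl.getLength() == 0)
        throw new XMLSignatureException("Document not signed");
    // Exactly one signature, hanging directly off the signed element; a
    // Signature placed deeper in the tree must not be the one validated.
    if (nl.getLength() > 1)
        throw new XMLSignatureException("More than one Signature element found");
    Node root = signedDocument.getDocumentElement();
    if (nl.item(0).getParentNode() != root)
        throw new XMLSignatureException("Signature is not a child of the document element");

    DOMValidateContext valContext = new DOMValidateContext(validatingKey,
            nl.item(0));
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);

    // The single Reference must cover the document element itself, i.e.
    // point at its ID or at the whole document.
    Node idNode = root.getAttributes().getNamedItem("ID");
    String expectedUri = (idNode == null) ? "" : "#" + idNode.getNodeValue();
    java.util.List refs = signature.getSignedInfo().getReferences();
    if (refs.size() != 1)
        throw new XMLSignatureException("Expected exactly one Reference");
    String uri = ((Reference) refs.get(0)).getURI();
    if (uri == null || !uri.equals(expectedUri))
        throw new XMLSignatureException("Reference does not cover the signed element: " + uri);

    boolean coreValidity = signature.validate(valContext);
    // … unchanged: commented-out debugging block …
    return coreValidity;
}
```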
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 25, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.util.Calendar;
+import java.util.Date;
+
+/**
+ * @author K. Benedyczak
+ */
+public class DelegationRestrictions
+{
+ private Date notBefore;
+ private Date notOnOrAfter;
+ private int maxProxyCount;
+
+ public DelegationRestrictions(Date notBefore, Date notOnOrAfter, int maxProxyCount)
+ {
+ this.notBefore = notBefore;
+ this.notOnOrAfter = notOnOrAfter;
+ this.maxProxyCount = maxProxyCount;
+ }
+
+ public DelegationRestrictions(Date notBefore, int validDays, int maxProxyCount)
+ {
+ this.notBefore = notBefore;
+ Calendar c = Calendar.getInstance();
+ if (notBefore != null)
+ c.setTime(notBefore);
+ c.add(Calendar.DATE, validDays);
+ this.notOnOrAfter = c.getTime();
+ this.maxProxyCount = maxProxyCount;
+ }
+
+ public int getMaxProxyCount()
+ {
+ return maxProxyCount;
+ }
+
+ public void setMaxProxyCount(int maxProxyCount)
+ {
+ this.maxProxyCount = maxProxyCount;
+ }
+
+ public Date getNotBefore()
+ {
+ return notBefore;
+ }
+
+ public void setNotBefore(Date notBefore)
+ {
+ this.notBefore = notBefore;
+ }
+
+ public Date getNotOnOrAfter()
+ {
+ return notOnOrAfter;
+ }
+
+ public void setNotOnOrAfter(Date notOnOrAfter)
+ {
+ this.notOnOrAfter = notOnOrAfter;
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import pl.edu.icm.unicore.security.dsig.DSigException;
+
+/**
+ * ETD external interface.
+ * @author K. Benedyczak
+ */
+public interface ETDApi
+{
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate won't be hold in the newly added delegation assertion and
+ * issuer's DN will be taken from the last element of existing chain.
+ * @param chain
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ PrivateKey pk, String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate will be hold in the newly added delegation assertion.
+ * @param chain
+ * @param issuer
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+ /**
+ * Generates trust delegation. Generated assertion won't hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual DN of issuer of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, String issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+
+ /**
+ * Generates trust delegation. Generated assertion will hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual issuer certificate of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+ /**
+ * Validate single trust delegation assertion. Checks if receiver has trust of custodian
+ * delegated by issuer.
+ *
+ * @param td
+ * @param custodian
+ * @param issuer
+ * @param receiver
+ * @param availableCertificates list of known certificates - if delegation doesn't posses
+ * issuer certificate, the certificate matching delegation issuer DN must be in this array.
+ * @return
+ */
+ public ValidationResult validateTD(TrustDelegation td, String custodian,
+ String issuer, String receiver, X509Certificate availableCertificates[]);
+
+ /**
+ * Tests if the specified trust delegation chain delegates the trust from user to
+ * subject. Please note that if the subject is the receiver of the assertion that is not
+ * the last one in the chain, then the rest of the chain is not checked at all.
+ * @param td
+ * @param subject
+ * @param user
+ * @param availableCertificates additional known certificates
+ * @return validation result
+ */
+ public ValidationResult isTrustDelegated(List<TrustDelegation> td, String subject,
+ String user, X509Certificate availableCertificates[]);
+
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java 2007-05-07 13:23:37 UTC (rev 769)
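Review bot: The javadoc of validateTD and isTrustDelegated says nothing about how much trust a caller places in `availableCertificates`, yet the ETDImpl implementation in this same commit selects a certificate from that array by subject DN and uses its public key directly, so the array is effectively a trust store. Suggest extending the `@param availableCertificates` text with: `Certificates in this array are trusted as-is and are matched by subject DN only; pass only certificates that have already been validated against a trust anchor.` The `@return` tags of validateTD and both issueChainedTD methods are empty; it is worth stating that issueChainedTD appends to and returns the list it was given (ETDImpl mutates `chain` and reads `chain.get(0)`), so `chain` must be non-empty and callers should not expect a new list. The contract should also say which clock the notBefore/notOnOrAfter checks use and that no clock-skew tolerance is applied, since a relying party on a slightly fast clock will reject freshly issued delegations.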
@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+
+import com.sun.org.apache.xml.security.utils.RFC2253Parser;
+
+import pl.edu.icm.unicore.security.dsig.DSigException;
+
+/**
+ * Implements logic to generate trust delegation assertions.
+ * @author K. Benedyczak
+ */
+public class ETDImpl implements ETDApi
+{
+ public static final int DEFAULT_VALIDITY_DAYS = 14;
+
+
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate won't be hold in the newly added delegation assertion and
+ * issuer's DN will be taken from the last element of existing chain.
+ * @param chain
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ PrivateKey pk, String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ return issueChainedTD(chain, null, pk, subject, restrictions);
+ }
+
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate will be hold in the newly added delegation assertion.
+ * @param chain
+ * @param issuer
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ if (issuer != null)
+ chain.add(generateTD(chain.get(0).getCustodian(), issuer,
+ pk, subject, restrictions));
+ else
+ chain.add(generateTD(chain.get(0).getCustodian(),
+ chain.get(chain.size()-1).getIssuer(),
+ pk, subject, restrictions));
+ return chain;
+ }
+
+ /**
+ * Generates trust delegation. Generated assertion won't hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual DN of issuer of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, String issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ return generateTD(custodian, issuer, null, pk, subject, restrictions);
+ }
+
+
+ /**
+ * Generates trust delegation. Generated assertion will hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual issuer certificate of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ return generateTD(custodian, issuer.getSubjectX500Principal().getName(),
+ issuer, pk, subject, restrictions);
+ }
+
+ private TrustDelegation generateTD(String custodian, String issuerDN,
+ X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ TrustDelegation td = new TrustDelegation(custodian);
+ td.setX509Issuer(issuerDN);
+ td.setX509Subject(subject);
+ if (restrictions == null)
+ {
+ Calendar c = Calendar.getInstance();
+ c.add(Calendar.DATE, DEFAULT_VALIDITY_DAYS);
+ restrictions = new DelegationRestrictions(new Date(),
+ c.getTime(), 1);
+ }
+ td.setTimeConditions(restrictions.getNotBefore(),
+ restrictions.getNotOnOrAfter());
+ td.setProxyRestriction(restrictions.getMaxProxyCount());
+ td.sign(pk, issuer);
+ return td;
+ }
+
+ /**
+ * Validate single trust delegation assertion. Checks if receiver has trust of custodian
+ * delegated by issuer.
+ *
+ * @param td
+ * @param custodian
+ * @param issuer
+ * @param receiver
+ * @param availableCertificates list of known certificates - if delegation doesn't posses
+ * issuer certificate, the certificate matching delegation issuer DN must be in this array.
+ * @return
+ */
+ public ValidationResult validateTD(TrustDelegation td, String custodian,
+ String issuer, String receiver, X509Certificate availableCertificates[])
+ {
+ String c1 = td.getCustodian();
+ String c2 = RFC2253Parser.rfc2253toXMLdsig(custodian);
+ if (!c1.equals(c2))
+ return new ValidationResult(false, "Wrong custodian (is " + c1 +
+ " should be " + c2);
+ String i1 = td.getIssuer();
+ String i2 = RFC2253Parser.rfc2253toXMLdsig(issuer);
+ if (!i1.equals(i2))
+ return new ValidationResult(false, "Wrong issuer");
+ String r1 = td.getSubject();
+ String r2 = RFC2253Parser.rfc2253toXMLdsig(receiver);
+ if (!r1.equals(r2))
+ return new ValidationResult(false, "Wrong receiver");
+
+ X509Certificate issuerCert = td.getIssuerFromSignature();
+ if (issuerCert == null)
+ issuerCert = findCertificate(issuer, availableCertificates);
+ if (issuerCert == null)
+ return new ValidationResult(false, "Lack of issuer certificate " +
+ "(neither in KeyInfo element nor in available certificates list)");
+ try
+ {
+ issuerCert.checkValidity();
+ } catch (Exception e)
+ {
+ return new ValidationResult(false, "Issuer certificate is not valid");
+ }
+
+ try
+ {
+ if (!td.isCorrectlySigned(issuerCert.getPublicKey()))
+ return new ValidationResult(false, "Signature is incorrect");
+ } catch (DSigException e)
+ {
+ return new ValidationResult(false, "Signature is incorrect: " +
+ e.getCause());
+ }
+
+ Date notBefore = td.getNotBefore();
+ Date now = new Date();
+ if (now.before(notBefore))
+ return new ValidationResult(false, "Delegation is not yet valid");
+ Date notOnOrAfter = td.getNotOnOrAfter();
+ if (now.after(notOnOrAfter) || now.equals(notOnOrAfter))
+ return new ValidationResult(false, "Delegation is no more valid");
+
+ return new ValidationResult(true, "Validation OK");
+ }
+
+ private X509Certificate findCertificate(String dn,
+ X509Certificate availableCertificates[])
+ {
+ if (availableCertificates == null)
+ return null;
+ for (int i=0; i<availableCertificates.length; i++)
+ if (availableCertificates[i].getSubjectX500Principal().getName().
+ equals(dn))
+ return availableCertificates[i];
+ return null;
+ }
+
+ /**
+ * Tests if the specified trust delegation chain delegates the trust from user to
+ * subject. Please note that if the subject is the receiver of the assertion that is not
+ * the last one in the chain, then the rest of the chain is not checked at all.
+ * @param td
+ * @param subject
+ * @param user
+ * @param availableCertificates
+ * @return
+ */
+ public ValidationResult isTrustDelegated(List<TrustDelegation> td, String subject,
+ String user, X509Certificate availableCertificates[])
+ {
+ if (td == null || subject == null || user == null)
+ return new ValidationResult(false, "Some of arguments are null");
+ if (td.size() == 0)
+ return new ValidationResult(false, "Delegation chain is empty");
+ String custodian = td.get(0).getCustodian();
+ String u = RFC2253Parser.rfc2253toXMLdsig(user);
+ if (!u.equals(custodian))
+ return new ValidationResult(false, "Wrong user");
+ String s = RFC2253Parser.rfc2253toXMLdsig(subject);
+ int i=0;
+ int []maxProxies = new int[td.size()];
+ for (; i<td.size(); i++)
+ {
+ TrustDelegation cur = td.get(i);
+ if (i + 1 < td.size())
+ if (!cur.getSubject().equals(td.get(i+1).getIssuer()))
+ return new ValidationResult(
+ false, "Chain is not consistant at position " + i);
+ String receiver = subject;
+ if (i + 1 < td.size())
+ receiver = td.get(i+1).getIssuer();
+
+ ValidationResult singleTD = validateTD(cur, custodian,
+ cur.getIssuer(), receiver, availableCertificates);
+ if (!singleTD.isValid())
+ return new ValidationResult(false,
+ "Chain has invalid entry at position " +
+ i + ": " + singleTD.getInvalidResaon());
+
+ maxProxies[i] = cur.getProxyRestriction();
+ if (s.equals(cur.getSubject()))
+ break;
+ }
+ if (i == td.size())
+ return new ValidationResult(false, "Wrong subject");
+
+ for (int j=0; j<i; j++)
+ if (maxProxies[j] > 0 && maxProxies[j] < (i-j+1))
+ return new ValidationResult(false, "Chain length " +
+ "exceedes maximum proxy restriction of " +
+ "assertion at position " + j);
+
+ return new ValidationResult(true, "Validation OK");
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java 2007-05-07 13:23:37 UTC (rev 769)
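Review bot: validateTD verifies the signature with whatever certificate the assertion itself carries in KeyInfo (`X509Certificate issuerCert = td.getIssuerFromSignature();`) and only calls `issuerCert.checkValidity()` on it before using its public key — it never checks that the certificate's subject is the accepted issuer DN nor that it chains to a trust anchor, so unless getIssuerFromSignature() does that inside SAMLAssertion (not visible in this hunk), a forger can set X509Issuer to the expected DN, embed a self-signed certificate for a key they control, and pass every check in this method. Before the signature check, bind the certificate to the claimed issuer, `String certDN = RFC2253Parser.rfc2253toXMLdsig(issuerCert.getSubjectX500Principal().getName());` / `if (!certDN.equals(i1)) return new ValidationResult(false, "Issuer certificate subject does not match issuer");`, and validate the certificate (whether from KeyInfo or from `availableCertificates`) against the deployment's trust anchors with a PKIX CertPathValidator, since checkValidity() only tests the date range. Relatedly, findCertificate compares subjects with the raw `issuer` argument while the rest of the method compares the normalized `i2`, so an issuer DN supplied in XML-dsig form never matches a certificate in the array and is reported as "Lack of issuer certificate". If td.getNotBefore() or td.getNotOnOrAfter() can return null for an assertion without Conditions, `now.before(notBefore)` throws NullPointerException out of a method whose contract is to return a ValidationResult; treating a missing window as invalid would be the safer default.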
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.io.IOException;
+
+import org.apache.xmlbeans.XmlCursor;
+import org.apache.xmlbeans.XmlException;
+import org.apache.xmlbeans.XmlObject;
+import org.apache.xmlbeans.XmlString;
+
+import pl.edu.icm.unicore.saml.SAMLAssertion;
+import pl.edu.icm.unicore.saml.SAMLParseException;
+import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
+import xmlbeans.org.oasis.saml2.assertion.AttributeStatementType;
+import xmlbeans.org.oasis.saml2.assertion.AttributeType;
+
+import com.sun.org.apache.xml.security.utils.RFC2253Parser;
+
+/**
+ * Java representation of trust delegation token.
+ * @author K. Benedyczak
+ */
+public class TrustDelegation extends SAMLAssertion
+{
+ public static final String CUSTODIAN_NAME = "TrustDelegationOfUser";
+ public static final String CUSTODIAN_NAME_FORMAT = "urn:unicore:trust-delegation";
+
+ private String custodianDN;
+
+ public TrustDelegation(String custodian)
+ {
+ super("_trustDelegation_");
+ String dn = RFC2253Parser.rfc2253toXMLdsig(custodian);
+ custodianDN = dn;
+ XmlString value = XmlString.Factory.newInstance();
+ value.setStringValue(dn);
+ addAttribute(CUSTODIAN_NAME, CUSTODIAN_NAME_FORMAT,
+ new XmlObject[] {value});
+ }
+
+ public TrustDelegation(AssertionDocument doc) throws SAMLParseException, XmlException, IOException
+ {
+ super(doc);
+ AttributeStatementType[] attrSs = getAttributes();
+ custodianDN = null;
+ if (attrSs == null)
+ throw new SAMLParseException("No attribute statement in SAML assertion");
+ for (int i=0; i<attrSs.length; i++)
+ {
+ AttributeType []attrs = attrSs[i].getAttributeArray();
+ for (int j=0; j<attrs.length; j++)
+ if (attrs[j].getName().equals(CUSTODIAN_NAME) &&
+ attrs[j].getNameFormat().equals(CUSTODIAN_NAME_FORMAT))
+ {
+ XmlCursor cur = attrs[j].getAttributeValueArray(0)
+ .newCursor();
+ cur.toFirstContentToken();
+ custodianDN = cur.getTextValue();
+ }
+ }
+ if (custodianDN == null)
+ throw new SAMLParseException("SAML assertion does'nt contain trust " +
+ "delegation attribute");
+ }
+
+ public String getCustodian()
+ {
+ return custodianDN;
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java 2007-05-07 13:23:37 UTC (rev 769)
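Review bot: The parsing constructor reads `attrs[j].getAttributeValueArray(0)` without checking that the attribute has a value, and when several attributes named TrustDelegationOfUser are present the loop silently keeps the last one, so a crafted assertion can carry two custodian values and be interpreted differently by this parser than by another consumer of the same signed document. Reject both cases explicitly: `if (custodianDN != null) throw new SAMLParseException("Duplicate trust delegation attribute");` before reading the value, and `if (attrs[j].getAttributeValueArray().length != 1) throw new SAMLParseException("Trust delegation attribute must have exactly one value");`. The custodian read back from XML is stored as-is, while the other constructor normalizes with RFC2253Parser.rfc2253toXMLdsig(), so the equality check in ETDImpl.validateTD relies on the signer having normalized; a javadoc on getCustodian() stating that the value is expected in XML-dsig DN form would make that contract explicit. Also, RFC2253Parser is imported from the JDK-internal `com.sun.org.apache.xml.security.utils` package although the project bundles xmlsec.jar, whose `org.apache.xml.security.utils.RFC2253Parser` is the supported entry point; the internal package can disappear or change between JRE releases.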
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 25, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+/**
+ * Represents trust delegation verification result.
+ * @author K. Benedyczak
+ */
+public class ValidationResult
+{
+ private boolean valid;
+ private String invalidResaon;
+
+ public ValidationResult(boolean valid, String invalidResaon)
+ {
+ super();
+ this.valid = valid;
+ this.invalidResaon = invalidResaon;
+ }
+
+ public String getInvalidResaon()
+ {
+ return invalidResaon;
+ }
+
+ public void setInvalidResaon(String invalidResaon)
+ {
+ this.invalidResaon = invalidResaon;
+ }
+
+ public boolean isValid()
+ {
+ return valid;
+ }
+
+ public void setValid(boolean valid)
+ {
+ this.valid = valid;
+ }
+}
Added: securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
===================================================================
--- securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd (rev 0)
+++ securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd 2007-05-07 13:23:37 UTC (rev 769)
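Review bot: ValidationResult exposes `setValid` and `setInvalidResaon`, so the outcome of a trust-delegation check can be flipped after it has been returned to the caller; an object that authorization decisions are made on should be immutable — drop the two setters and declare both fields `private final`. The field and accessor name `invalidResaon` is a typo for `invalidReason`; the only caller visible in this commit is ETDImpl.isTrustDelegated, so renaming to `getInvalidReason()` now is cheap and avoids freezing the misspelling into the public API.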
@@ -0,0 +1,318 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE schema + PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd" + [ + <!ATTLIST schema + xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#"> + <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'> + <!ENTITY % p ''> + <!ENTITY % s ''> + ]> + +<!-- Schema for XML Signatures + http://www.w3.org/2000/09/xmldsig# + $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $ + + Copyright 2001 The Internet Society and W3C (Massachusetts Institute + of Technology, Institut National de Recherche en Informatique et en + Automatique, Keio University). All Rights Reserved. + http://www.w3.org/Consortium/Legal/ + + This document is governed by the W3C Software License [1] as described + in the FAQ [2]. + + [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720 + [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD +--> + + +<schema xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + targetNamespace="http://www.w3.org/2000/09/xmldsig#" + version="0.1" elementFormDefault="qualified"> + +<!-- Basic Types Defined for Signatures --> + +<simpleType name="CryptoBinary"> + <restriction base="base64Binary"> + </restriction> +</simpleType> + +<!-- Start Signature --> + +<element name="Signature" type="ds:SignatureType"/> +<complexType name="SignatureType"> + <sequence> + <element ref="ds:SignedInfo"/> + <element ref="ds:SignatureValue"/> + <element ref="ds:KeyInfo" minOccurs="0"/> + <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + + <element name="SignatureValue" type="ds:SignatureValueType"/> + <complexType name="SignatureValueType"> + <simpleContent> + <extension base="base64Binary"> + <attribute name="Id" type="ID" use="optional"/> + </extension> + </simpleContent> + </complexType> + +<!-- Start SignedInfo --> + 
+<element name="SignedInfo" type="ds:SignedInfoType"/> +<complexType name="SignedInfoType"> + <sequence> + <element ref="ds:CanonicalizationMethod"/> + <element ref="ds:SignatureMethod"/> + <element ref="ds:Reference" maxOccurs="unbounded"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + + <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> + <complexType name="CanonicalizationMethodType" mixed="true"> + <sequence> + <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/> + <!-- (0,unbounded) elements from (1,1) namespace --> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + + <element name="SignatureMethod" type="ds:SignatureMethodType"/> + <complexType name="SignatureMethodType" mixed="true"> + <sequence> + <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/> + <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> + <!-- (0,unbounded) elements from (1,1) external namespace --> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + +<!-- Start Reference --> + +<element name="Reference" type="ds:ReferenceType"/> +<complexType name="ReferenceType"> + <sequence> + <element ref="ds:Transforms" minOccurs="0"/> + <element ref="ds:DigestMethod"/> + <element ref="ds:DigestValue"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> + <attribute name="URI" type="anyURI" use="optional"/> + <attribute name="Type" type="anyURI" use="optional"/> +</complexType> + + <element name="Transforms" type="ds:TransformsType"/> + <complexType name="TransformsType"> + <sequence> + <element ref="ds:Transform" maxOccurs="unbounded"/> + </sequence> + </complexType> + + <element name="Transform" type="ds:TransformType"/> + <complexType name="TransformType" mixed="true"> + <choice minOccurs="0" maxOccurs="unbounded"> + <any namespace="##other" processContents="lax"/> + <!-- (1,1) elements from 
(0,unbounded) namespaces --> + <element name="XPath" type="string"/> + </choice> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + +<!-- End Reference --> + +<element name="DigestMethod" type="ds:DigestMethodType"/> +<complexType name="DigestMethodType" mixed="true"> + <sequence> + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> +</complexType> + +<element name="DigestValue" type="ds:DigestValueType"/> +<simpleType name="DigestValueType"> + <restriction base="base64Binary"/> +</simpleType> + +<!-- End SignedInfo --> + +<!-- Start KeyInfo --> + +<element name="KeyInfo" type="ds:KeyInfoType"/> +<complexType name="KeyInfoType" mixed="true"> + <choice maxOccurs="unbounded"> + <element ref="ds:KeyName"/> + <element ref="ds:KeyValue"/> + <element ref="ds:RetrievalMethod"/> + <element ref="ds:X509Data"/> + <element ref="ds:PGPData"/> + <element ref="ds:SPKIData"/> + <element ref="ds:MgmtData"/> + <any processContents="lax" namespace="##other"/> + <!-- (1,1) elements from (0,unbounded) namespaces --> + </choice> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + + <element name="KeyName" type="string"/> + <element name="MgmtData" type="string"/> + + <element name="KeyValue" type="ds:KeyValueType"/> + <complexType name="KeyValueType" mixed="true"> + <choice> + <element ref="ds:DSAKeyValue"/> + <element ref="ds:RSAKeyValue"/> + <any namespace="##other" processContents="lax"/> + </choice> + </complexType> + + <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> + <complexType name="RetrievalMethodType"> + <sequence> + <element ref="ds:Transforms" minOccurs="0"/> + </sequence> + <attribute name="URI" type="anyURI"/> + <attribute name="Type" type="anyURI" use="optional"/> + </complexType> + +<!-- Start X509Data --> + +<element name="X509Data" type="ds:X509DataType"/> +<complexType name="X509DataType"> + 
<sequence maxOccurs="unbounded"> + <choice> + <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/> + <element name="X509SKI" type="base64Binary"/> + <element name="X509SubjectName" type="string"/> + <element name="X509Certificate" type="base64Binary"/> + <element name="X509CRL" type="base64Binary"/> + <any namespace="##other" processContents="lax"/> + </choice> + </sequence> +</complexType> + +<complexType name="X509IssuerSerialType"> + <sequence> + <element name="X509IssuerName" type="string"/> + <element name="X509SerialNumber" type="integer"/> + </sequence> +</complexType> + +<!-- End X509Data --> + +<!-- Begin PGPData --> + +<element name="PGPData" type="ds:PGPDataType"/> +<complexType name="PGPDataType"> + <choice> + <sequence> + <element name="PGPKeyID" type="base64Binary"/> + <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> + <any namespace="##other" processContents="lax" minOccurs="0" + maxOccurs="unbounded"/> + </sequence> + <sequence> + <element name="PGPKeyPacket" type="base64Binary"/> + <any namespace="##other" processContents="lax" minOccurs="0" + maxOccurs="unbounded"/> + </sequence> + </choice> +</complexType> + +<!-- End PGPData --> + +<!-- Begin SPKIData --> + +<element name="SPKIData" type="ds:SPKIDataType"/> +<complexType name="SPKIDataType"> + <sequence maxOccurs="unbounded"> + <element name="SPKISexp" type="base64Binary"/> + <any namespace="##other" processContents="lax" minOccurs="0"/> + </sequence> +</complexType> + +<!-- End SPKIData --> + +<!-- End KeyInfo --> + +<!-- Start Object (Manifest, SignatureProperty) --> + +<element name="Object" type="ds:ObjectType"/> +<complexType name="ObjectType" mixed="true"> + <sequence minOccurs="0" maxOccurs="unbounded"> + <any namespace="##any" processContents="lax"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> + <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet --> + <attribute name="Encoding" type="anyURI" use="optional"/> 
+</complexType> + +<element name="Manifest" type="ds:ManifestType"/> +<complexType name="ManifestType"> + <sequence> + <element ref="ds:Reference" maxOccurs="unbounded"/> + </sequence> + <attribute name="... [truncated message content] |