Menu
▾
▴
[Unicore-cvs-commits] SF.net SVN: unicore: [769] securityLib
|
From: <go...@us...> - 2007-05-07 13:23:42
|
Revision: 769
http://svn.sourceforge.net/unicore/?rev=769&view=rev
Author: golbi
Date: 2007-05-07 06:23:37 -0700 (Mon, 07 May 2007)
Log Message:
-----------
Moved from C9m repository
Added Paths:
-----------
securityLib/lib/
securityLib/lib/SAML2XBeans.jar
securityLib/lib/dom.jar
securityLib/lib/jaxp-api.jar
securityLib/lib/xalan.jar
securityLib/lib/xercesImpl.jar
securityLib/lib/xmldsig.jar
securityLib/lib/xmlsec.jar
securityLib/pom.xml
securityLib/src/
securityLib/src/main/
securityLib/src/main/java/
securityLib/src/main/java/pl/
securityLib/src/main/java/pl/edu/
securityLib/src/main/java/pl/edu/icm/
securityLib/src/main/java/pl/edu/icm/unicore/
securityLib/src/main/java/pl/edu/icm/unicore/saml/
securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java
securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java
securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java
securityLib/src/main/java/pl/edu/icm/unicore/security/
securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java
securityLib/src/main/java/pl/edu/icm/unicore/security/consignor/
securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/
securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java
securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java
securityLib/src/main/java/pl/edu/icm/unicore/security/etd/
securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java
securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java
securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java
securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java
securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java
securityLib/src/main/schema/
securityLib/src/main/schema/REC-xmldsig-core-20020212/
securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
securityLib/src/main/schema/REC-xmlenc-core-20021210/
securityLib/src/main/schema/REC-xmlenc-core-20021210/xenc-schema.xsd
securityLib/src/main/schema/saml2/
securityLib/src/main/schema/saml2/saml-schema-assertion-2.0.xsd
securityLib/src/main/schema/xmlbeans_config.xsdconfig
securityLib/src/test/
securityLib/src/test/java/
securityLib/src/test/java/pl/
securityLib/src/test/java/pl/edu/
securityLib/src/test/java/pl/edu/icm/
securityLib/src/test/java/pl/edu/icm/unicore/
securityLib/src/test/java/pl/edu/icm/unicore/security/
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/GenerateAndVerifyTest.java
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/NegativeTest.java
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/ParseTest.java
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/SimpleGenerateTest.java
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/TDChainTest.java
securityLib/src/test/java/pl/edu/icm/unicore/security/etd/TestBase.java
securityLib/src/test/resources/
securityLib/src/test/resources/keystoreDSA1.jks
securityLib/src/test/resources/keystoreDSA2.jks
securityLib/src/test/resources/keystoreRSA1.jks
securityLib/src/test/resources/keystoreRSA2.jks
Added: securityLib/lib/SAML2XBeans.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/SAML2XBeans.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/lib/dom.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/dom.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/lib/jaxp-api.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/jaxp-api.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/lib/xalan.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/xalan.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/lib/xercesImpl.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/xercesImpl.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/lib/xmldsig.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/xmldsig.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/lib/xmlsec.jar
===================================================================
(Binary files differ)
Property changes on: securityLib/lib/xmlsec.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: securityLib/pom.xml
===================================================================
--- securityLib/pom.xml (rev 0)
+++ securityLib/pom.xml 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,132 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>pl.edu.icm.unicore.security</groupId>
+ <artifactId>etd</artifactId>
+ <packaging>jar</packaging>
+ <version>1.0-SNAPSHOT</version>
+ <name>etd</name>
+ <url>http://www.unicore.eu</url>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>3.8.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.13</version>
+ </dependency>
+ <dependency>
+ <groupId>xmlbeans</groupId>
+ <artifactId>xbean</artifactId>
+ <version>2.2.0</version>
+ </dependency>
+ <dependency>
+ <groupId>xmlbeans</groupId>
+ <artifactId>xmlbeans-jsr173-api</artifactId>
+ <version>2.0-dev</version>
+ </dependency>
+
+ <!-- only for tests... is there nicer way to add it?? -->
+ <dependency>
+ <groupId>mybeans</groupId>
+ <artifactId>mybeans</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/SAML2XBeans.jar</systemPath>
+ </dependency>
+
+
+ <!-- xmldsig and friends - boundled as it is hard to get them from repository -->
+ <dependency>
+ <groupId>javax.xml</groupId>
+ <artifactId>xmldsig</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xmldsig.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ <version>2.5.2</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xalan.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xerces</groupId>
+ <artifactId>xercesImpl</artifactId>
+ <version>2.5.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xalan.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>dom</groupId>
+ <artifactId>dom</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/dom.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xml-apis</groupId>
+ <artifactId>jaxp-api</artifactId>
+ <version>1.3.1</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/jaxp-api.jar</systemPath>
+ </dependency>
+ <dependency>
+ <groupId>xml-sec</groupId>
+ <artifactId>xml-sec</artifactId>
+ <version>1.0</version>
+ <scope>system</scope>
+ <systemPath>${basedir}/lib/xmlsec.jar</systemPath>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>xmlbeans-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>xmlbeans</goal>
+ </goals>
+ </execution>
+ </executions>
+ <inherited>true</inherited>
+ <configuration>
+ <schemaDirectory>src/main/schema/saml2</schemaDirectory>
+ <xmlConfigs>
+ <xmlConfig implementation="java.io.File">
+ src/main/schema/xmlbeans_config.xsdconfig
+ </xmlConfig>
+ </xmlConfigs>
+ <noUpa>false</noUpa>
+ <outputJar>lib/SAML2XBeans.jar</outputJar>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.5</source>
+ <target>1.5</target>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <!-- <skip>true</skip> -->
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
Added: securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLAssertion.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,371 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.saml;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.Random;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.log4j.Logger;
+import org.apache.xmlbeans.XmlCursor;
+import org.apache.xmlbeans.XmlException;
+import org.apache.xmlbeans.XmlObject;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import pl.edu.icm.unicore.security.dsig.DSigException;
+import pl.edu.icm.unicore.security.dsig.DigSignatureUtil;
+
+import com.sun.org.apache.xml.security.utils.RFC2253Parser;
+
+import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
+import xmlbeans.org.oasis.saml2.assertion.AssertionType;
+import xmlbeans.org.oasis.saml2.assertion.AttributeStatementType;
+import xmlbeans.org.oasis.saml2.assertion.AttributeType;
+import xmlbeans.org.oasis.saml2.assertion.ConditionsType;
+import xmlbeans.org.oasis.saml2.assertion.NameIDType;
+import xmlbeans.org.oasis.saml2.assertion.ProxyRestrictionType;
+import xmlbeans.org.oasis.saml2.assertion.SubjectType;
+import xmlbeans.org.w3.x2000.x09.xmldsig.KeyInfoType;
+import xmlbeans.org.w3.x2000.x09.xmldsig.SignatureType;
+import xmlbeans.org.w3.x2000.x09.xmldsig.X509DataType;
+
+/**
+ * SAML v2 assertion. It is generic, i.e. can represent any kind of assertion
+ * (identity, attribute, ...)
+ *
+ * TODO authN & authZ decission code. Also add code for custom conditions.
+ *
+ * @author K. Benedyczak
+ */
+public class SAMLAssertion
+{
+ private static final Logger log = Logger.getLogger(SAMLAssertion.class);
+
+ private AssertionType assertion;
+ private AssertionDocument assertionDoc;
+ private ConditionsType conditions;
+ ProxyRestrictionType proxyRestriction;
+ private boolean modified;
+
+ private String issuerDN, subjectDN;
+
+ public SAMLAssertion()
+ {
+ this("_SAMLassertion_");
+ }
+
+ public SAMLAssertion(String prefix)
+ {
+ modified = true;
+ conditions = null;
+ proxyRestriction = null;
+
+ assertionDoc = AssertionDocument.Factory.newInstance();
+
+ assertion = AssertionType.Factory.newInstance();
+ assertion.setVersion(SAMLConstants.VERSION);
+ assertion.setIssueInstant(Calendar.getInstance());
+ Random r = new Random(new Date().getTime());
+ StringBuffer id = new StringBuffer(prefix);
+ for (int i=0; i<3; i++)
+ id.append(Long.toHexString(r.nextLong()));
+ assertion.setID(id.toString());
+
+ conditions = ConditionsType.Factory.newInstance();
+ }
+
+ public SAMLAssertion(AssertionDocument doc) throws SAMLParseException, XmlException, IOException
+ {
+ modified = true;
+ assertionDoc = AssertionDocument.Factory.parse(
+ doc.newReader());
+ assertion = assertionDoc.getAssertion();
+ if (assertion == null)
+ assertion = AssertionType.Factory.newInstance();
+ conditions = assertion.getConditions();
+
+ proxyRestriction = (conditions == null) ? null :
+ conditions.getProxyRestrictionArray(0);
+ NameIDType n1 = assertion.getIssuer();
+ if (n1 != null)
+ {
+ if (SAMLConstants.DN_FORMAT.equals(n1.getFormat()))
+ {
+ XmlCursor cur = n1.newCursor();
+ cur.toFirstContentToken();
+ issuerDN = cur.getTextValue();
+ } else
+ throw new SAMLParseException("Unsupported " +
+ "issuer format: " + n1.getFormat());
+ }
+ SubjectType s = assertion.getSubject();
+ if (s != null && s.getNameID() != null)
+ {
+ n1 = s.getNameID();
+ if (SAMLConstants.DN_FORMAT.equals(n1.getFormat()))
+ {
+ XmlCursor cur = n1.newCursor();
+ cur.toFirstContentToken();
+ subjectDN = cur.getTextValue();
+ } else
+ throw new SAMLParseException("Unsupported " +
+ "subject format: " + n1.getFormat());
+ }
+ }
+
+ public void setX509Issuer(String issuerName)
+ {
+ String dn = RFC2253Parser.rfc2253toXMLdsig(issuerName);
+ NameIDType issuerN = NameIDType.Factory.newInstance();
+ issuerN.setFormat(SAMLConstants.DN_FORMAT);
+ issuerN.setStringValue(dn);
+ assertion.setIssuer(issuerN);
+ issuerDN = dn;
+ modified = true;
+ }
+
+ public void setX509Subject(String subjectName)
+ {
+ String dn = RFC2253Parser.rfc2253toXMLdsig(subjectName);
+ NameIDType subjectN = NameIDType.Factory.newInstance();
+ subjectN.setFormat(SAMLConstants.DN_FORMAT);
+ subjectN.setStringValue(dn);
+
+ SubjectType subjectT = SubjectType.Factory.newInstance();
+ subjectT.setNameID(subjectN);
+ assertion.setSubject(subjectT);
+ subjectDN = dn;
+ modified = true;
+ }
+
+ public void updateIssueTime()
+ {
+ assertion.setIssueInstant(Calendar.getInstance());
+ }
+
+ public void setTimeConditions(Date notBefore, Date notOnOrAfter)
+ {
+ Calendar c = Calendar.getInstance();
+ if (notBefore != null)
+ {
+ c.setTime(notBefore);
+ conditions.setNotBefore(c);
+ }
+ if (notOnOrAfter != null)
+ {
+ c.setTime(notOnOrAfter);
+ conditions.setNotOnOrAfter(c);
+ }
+
+ modified = true;
+ }
+
+ /**
+ *
+ * @param value use negative value to remove proxy restriction
+ */
+ public void setProxyRestriction(int value)
+ {
+ if (value > 0)
+ {
+ if (proxyRestriction == null)
+ proxyRestriction = conditions.addNewProxyRestriction();
+ proxyRestriction.setCount(BigInteger.valueOf(value));
+ } else
+ {
+ if (proxyRestriction != null)
+ {
+ conditions.removeProxyRestriction(0);
+ proxyRestriction = null;
+ }
+ }
+ modified = true;
+ }
+
+ public void addAttribute(String name, String format, XmlObject[] values)
+ {
+ AttributeType attribute = AttributeType.Factory.newInstance();
+ attribute.setName(name);
+ attribute.setNameFormat(format);
+ AttributeStatementType attrStatement =
+ assertion.addNewAttributeStatement();
+ attribute.setAttributeValueArray(values);
+ attrStatement.setAttributeArray(new AttributeType[] {attribute});
+ }
+
+ public void removeAttribute(int num)
+ {
+ assertion.removeAttributeStatement(num);
+ }
+
+ public void sign(PrivateKey pk) throws DSigException,
+ XmlException, ParserConfigurationException, SAXException, IOException
+ {
+ sign(pk, null);
+ }
+
+ public void sign(PrivateKey pk, X509Certificate cert) throws DSigException
+ {
+ DigSignatureUtil sign = new DigSignatureUtil();
+ AssertionDocument unsignedDoc = getXML();
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setNamespaceAware(true);
+ Document docToSign;
+ try
+ {
+ DocumentBuilder builder = dbf.newDocumentBuilder();
+ docToSign = builder.parse(unsignedDoc.newInputStream());
+ } catch (ParserConfigurationException e)
+ {
+ throw new DSigException("Can't configure DOM parser", e);
+ } catch (SAXException e)
+ {
+ throw new DSigException("DOM parse exception", e);
+ } catch (IOException e)
+ {
+ throw new DSigException("IO Exception while parsing DOM ??", e);
+ }
+
+ NodeList nodes = docToSign.getFirstChild().getChildNodes();
+ Node sibling = null;
+ for (int i=0; i<nodes.getLength(); i++)
+ {
+ Node n = nodes.item(i);
+ if (n.getLocalName().equals("Subject"))
+ {
+ sibling = n;
+ break;
+ }
+ }
+
+ sign.genEnvelopedSignature(pk, null, cert,
+ docToSign, sibling);
+ try
+ {
+ assertionDoc = AssertionDocument.Factory.parse(docToSign);
+ } catch (XmlException e)
+ {
+ throw new DSigException("Parsing signed document failed", e);
+ }
+ assertion = assertionDoc.getAssertion();
+ }
+
+ public boolean isCorrectlySigned(PublicKey key) throws DSigException
+ {
+ DigSignatureUtil sign = new DigSignatureUtil();
+ return sign.verifyEnvelopedSignature(
+ (Document) getXML().getDomNode(), key);
+ }
+
+ public X509Certificate getIssuerFromSignature()
+ {
+ SignatureType signature = assertion.getSignature();
+ if (signature == null)
+ return null;
+ KeyInfoType ki = signature.getKeyInfo();
+ if (ki == null)
+ return null;
+ X509DataType[] x509Data = ki.getX509DataArray();
+ if (x509Data == null)
+ return null;
+ for (int i=0; i<x509Data.length; i++)
+ if (x509Data[i].getX509CertificateArray().length > 0)
+ return deserializeCertificate(
+ x509Data[i].getX509CertificateArray(0));
+ return null;
+ }
+
+ private X509Certificate deserializeCertificate(byte []encodedCert)
+ {
+ CertificateFactory cf;
+ try
+ {
+ cf = CertificateFactory.getInstance("X.509");
+ } catch (CertificateException e1)
+ {
+ log.error("Can't initialize certificate factory for X509 certificates");
+ return null;
+ }
+ ByteArrayInputStream bais = new ByteArrayInputStream(encodedCert);
+ try
+ {
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(bais);
+ return cert;
+ } catch (CertificateException e)
+ {
+ log.warn("Error while deserializing certificate from key info: " + e);
+ return null;
+ } catch (ClassCastException e)
+ {
+ log.warn("Unknown type of certificate in key info");
+ return null;
+ }
+ }
+
+ public AssertionDocument getXML()
+ {
+ if (modified)
+ {
+ assertion.setConditions(conditions);
+ assertionDoc.setAssertion(assertion);
+ modified = false;
+ }
+ return assertionDoc;
+ }
+
+ public String getIssuer()
+ {
+ return issuerDN;
+ }
+
+ public String getSubject()
+ {
+ return subjectDN;
+ }
+
+ public int getProxyRestriction()
+ {
+ if (proxyRestriction == null)
+ return -1;
+ return proxyRestriction.getCount().intValue();
+ }
+
+ public Date getNotBefore()
+ {
+ Calendar c = conditions.getNotBefore();
+ return c == null ? null : c.getTime();
+ }
+
+ public Date getNotOnOrAfter()
+ {
+ Calendar c = conditions.getNotOnOrAfter();
+ return c == null ? null : c.getTime();
+ }
+
+ public AttributeStatementType[] getAttributes()
+ {
+ return assertion.getAttributeStatementArray();
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLConstants.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.saml;
+
+/**
+ * Various SAML 2 constants.
+ * @author K. Benedyczak
+ */
+public class SAMLConstants
+{
+ public static final String DN_FORMAT =
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
+ public static final String VERSION = "2.0";
+
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/saml/SAMLParseException.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.saml;
+
+/**
+ * @author K. Benedyczak
+ */
+public class SAMLParseException extends Exception
+{
+ private static final long serialVersionUID = -2502318709756670849L;
+
+ public SAMLParseException(String arg)
+ {
+ super(arg);
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/UnicoreSecurityFactory.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 7, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security;
+
+import pl.edu.icm.unicore.security.etd.ETDApi;
+import pl.edu.icm.unicore.security.etd.ETDImpl;
+
+/**
+ * Used to obtain various security related implementations.
+ * @author K. Benedyczak
+ */
+public class UnicoreSecurityFactory
+{
+ private static ETDImpl etdImpl = null;
+
+ public static ETDApi getETDEngine()
+ {
+ if (etdImpl == null)
+ etdImpl = new ETDImpl();
+ return etdImpl;
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DSigException.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on May 6, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.dsig;
+
+/**
+ * Generic class that is used when there is any kind of the problem with digital
+ * signature creation or checking it.
+ *
+ * @author K. Benedyczak
+ */
+public class DSigException extends Exception
+{
+ private static final long serialVersionUID = -3162396183055439683L;
+
+ public DSigException(String msg, Throwable reason)
+ {
+ super(msg, reason);
+ }
+
+ public DSigException(Throwable reason)
+ {
+ super("XML digital signature problem", reason);
+ }
+
+ public DSigException(String msg)
+ {
+ super(msg);
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/dsig/DigSignatureUtil.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.dsig;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.Collections;
+import java.util.Vector;
+
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.dom.DOMValidateContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.KeyValue;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+
+/**
+ * Provides high-level API for signing and verifying XML signatures.
+ * Only implements those kind of signatures that are relevant for
+ * UNICORE security infractructure.
+ * @author K. Benedyczak
+ */
+public class DigSignatureUtil
+{
+ private final static String PROVIDER = "org.jcp.xml.dsig.internal.dom.XMLDSigRI";
+ private static XMLSignatureFactory fac = null;
+
+ public DigSignatureUtil() throws DSigException
+ {
+ try
+ {
+ fac = XMLSignatureFactory.getInstance("DOM",
+ (Provider) Class.forName(PROVIDER).newInstance());
+ } catch (Exception e)
+ {
+ throw new DSigException("Initialization of digital signature " +
+ "engine failed", e);
+ }
+ }
+
+ public void genEnvelopedSignature(PrivateKey privKey, PublicKey pubKey,
+ X509Certificate cert, Document docToSign, Node insertBefore)
+ throws DSigException
+ {
+ try
+ {
+ genEnvelopedSignatureInternal(privKey, pubKey, cert, docToSign, insertBefore);
+ } catch (Exception e)
+ {
+ throw new DSigException("Creation of enveloped signature " +
+ "failed", e);
+ }
+ }
+
+ private void genEnvelopedSignatureInternal(PrivateKey privKey, PublicKey pubKey,
+ X509Certificate cert, Document docToSign, Node insertBefore)
+ throws MarshalException, XMLSignatureException, NoSuchAlgorithmException,
+ InvalidAlgorithmParameterException, KeyException
+ {
+ DigestMethod digistMethod = fac.newDigestMethod(DigestMethod.SHA1, null);
+ Vector<Transform> transforms = new Vector<Transform>();
+
+ transforms.add(fac.newTransform(Transform.ENVELOPED,
+ (TransformParameterSpec) null));
+ transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
+ (TransformParameterSpec) null));
+ CanonicalizationMethod canMethod = fac.newCanonicalizationMethod(
+ CanonicalizationMethod.EXCLUSIVE,
+ (C14NMethodParameterSpec) null);
+
+ SignatureMethod sigMethod;
+ if (privKey instanceof RSAPrivateKey)
+ sigMethod = fac.newSignatureMethod(
+ SignatureMethod.RSA_SHA1, null);
+ else if (privKey instanceof DSAPrivateKey)
+ sigMethod = fac.newSignatureMethod(
+ SignatureMethod.DSA_SHA1, null);
+ else
+ throw new KeyException("Unsupported private key algorithm " +
+ "(must be DSA or RSA) :" + privKey.getAlgorithm());
+
+ NamedNodeMap attrs = docToSign.getDocumentElement().getAttributes();
+ Node idNode = attrs.getNamedItem("ID");
+ String id = null;
+ if (idNode != null)
+ id = "#" + idNode.getNodeValue();
+
+ Reference ref = fac.newReference(id,
+ digistMethod,
+ transforms,
+ null, null);
+ SignedInfo si = fac.newSignedInfo(canMethod, sigMethod,
+ Collections.singletonList(ref));
+
+ DOMSignContext dsc = null;
+ if (insertBefore == null)
+ dsc = new DOMSignContext(privKey,
+ docToSign.getDocumentElement());
+ else
+ dsc = new DOMSignContext(privKey,
+ docToSign.getDocumentElement(), insertBefore);
+ KeyInfo ki = null;
+ KeyInfoFactory kif = fac.getKeyInfoFactory();
+ Vector<Object> kiVals = new Vector<Object>();
+ if (pubKey != null)
+ {
+ KeyValue kv = kif.newKeyValue(pubKey);
+ kiVals.add(kv);
+ }
+ if (cert != null)
+ {
+ X509Data x509Data = kif.newX509Data(Collections.singletonList(cert));
+ kiVals.add(x509Data);
+ }
+ if (kiVals.size() > 0)
+ ki = kif.newKeyInfo(kiVals);
+
+ XMLSignature signature = fac.newXMLSignature(si, ki);
+
+ signature.sign(dsc);
+ }
+
+ public boolean verifyEnvelopedSignature(Document signedDocument, PublicKey validatingKey)
+ throws DSigException
+ {
+ try
+ {
+ return verifyEnvelopedSignatureInternal(signedDocument, validatingKey);
+ } catch (Exception e)
+ {
+ throw new DSigException("Verification of enveloped signature " +
+ "failed", e);
+ }
+ }
+
+ private boolean verifyEnvelopedSignatureInternal(Document signedDocument, PublicKey validatingKey)
+ throws MarshalException, XMLSignatureException
+ {
+ NodeList nl = signedDocument.getElementsByTagNameNS(
+ XMLSignature.XMLNS, "Signature");
+ if (nl.getLength() == 0)
+ throw new XMLSignatureException("Document not signed");
+
+ DOMValidateContext valContext = new DOMValidateContext(validatingKey,
+ nl.item(0));
+
+ XMLSignature signature = fac.unmarshalXMLSignature(valContext);
+
+ boolean coreValidity = signature.validate(valContext);
+
+ /*if (coreValidity == false)
+ {
+ System.err.println("Signature failed core validation");
+ boolean sv = signature.getSignatureValue().validate(valContext);
+ System.out.println("signature validation status: " + sv);
+ Iterator i = signature.getSignedInfo().getReferences().iterator();
+ for (int j=0; i.hasNext(); j++)
+ {
+ Reference ref = (Reference) i.next();
+ boolean refValid = ref.validate(valContext);
+
+ System.out.println("ref["+j+"] validity status: " + refValid);
+ String s = new String(Base64.encode(ref.getDigestValue()));
+ System.out.println("ref["+j+"] digest: " + s);
+ s = new String(Base64.encode(ref.getCalculatedDigestValue()));
+ System.out.println("ref["+j+"] calculated digest: " + s);
+ }
+ }
+ */
+ return coreValidity;
+ }
+
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/DelegationRestrictions.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 25, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.util.Calendar;
+import java.util.Date;
+
+/**
+ * @author K. Benedyczak
+ */
+public class DelegationRestrictions
+{
+ private Date notBefore;
+ private Date notOnOrAfter;
+ private int maxProxyCount;
+
+ public DelegationRestrictions(Date notBefore, Date notOnOrAfter, int maxProxyCount)
+ {
+ this.notBefore = notBefore;
+ this.notOnOrAfter = notOnOrAfter;
+ this.maxProxyCount = maxProxyCount;
+ }
+
+ public DelegationRestrictions(Date notBefore, int validDays, int maxProxyCount)
+ {
+ this.notBefore = notBefore;
+ Calendar c = Calendar.getInstance();
+ if (notBefore != null)
+ c.setTime(notBefore);
+ c.add(Calendar.DATE, validDays);
+ this.notOnOrAfter = c.getTime();
+ this.maxProxyCount = maxProxyCount;
+ }
+
+ public int getMaxProxyCount()
+ {
+ return maxProxyCount;
+ }
+
+ public void setMaxProxyCount(int maxProxyCount)
+ {
+ this.maxProxyCount = maxProxyCount;
+ }
+
+ public Date getNotBefore()
+ {
+ return notBefore;
+ }
+
+ public void setNotBefore(Date notBefore)
+ {
+ this.notBefore = notBefore;
+ }
+
+ public Date getNotOnOrAfter()
+ {
+ return notOnOrAfter;
+ }
+
+ public void setNotOnOrAfter(Date notOnOrAfter)
+ {
+ this.notOnOrAfter = notOnOrAfter;
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDApi.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import pl.edu.icm.unicore.security.dsig.DSigException;
+
+/**
+ * ETD external interface.
+ * @author K. Benedyczak
+ */
+public interface ETDApi
+{
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate won't be hold in the newly added delegation assertion and
+ * issuer's DN will be taken from the last element of existing chain.
+ * @param chain
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ PrivateKey pk, String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate will be hold in the newly added delegation assertion.
+ * @param chain
+ * @param issuer
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+ /**
+ * Generates trust delegation. Generated assertion won't hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual DN of issuer of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, String issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+
+ /**
+ * Generates trust delegation. Generated assertion will hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual issuer certificate of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException;
+
+ /**
+ * Validate single trust delegation assertion. Checks if receiver has trust of custodian
+ * delegated by issuer.
+ *
+ * @param td
+ * @param custodian
+ * @param issuer
+ * @param receiver
+ * @param availableCertificates list of known certificates - if delegation doesn't posses
+ * issuer certificate, the certificate matching delegation issuer DN must be in this array.
+ * @return
+ */
+ public ValidationResult validateTD(TrustDelegation td, String custodian,
+ String issuer, String receiver, X509Certificate availableCertificates[]);
+
+ /**
+ * Tests if the specified trust delegation chain delegates the trust from user to
+ * subject. Please note that if the subject is the receiver of the assertion that is not
+ * the last one in the chain, then the rest of the chain is not checked at all.
+ * @param td
+ * @param subject
+ * @param user
+ * @param availableCertificates additional known certificates
+ * @return validation result
+ */
+ public ValidationResult isTrustDelegated(List<TrustDelegation> td, String subject,
+ String user, X509Certificate availableCertificates[]);
+
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ETDImpl.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+
+import com.sun.org.apache.xml.security.utils.RFC2253Parser;
+
+import pl.edu.icm.unicore.security.dsig.DSigException;
+
+/**
+ * Implements logic to generate trust delegation assertions.
+ * @author K. Benedyczak
+ */
+public class ETDImpl implements ETDApi
+{
+ public static final int DEFAULT_VALIDITY_DAYS = 14;
+
+
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate won't be hold in the newly added delegation assertion and
+ * issuer's DN will be taken from the last element of existing chain.
+ * @param chain
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ PrivateKey pk, String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ return issueChainedTD(chain, null, pk, subject, restrictions);
+ }
+
+ /**
+ * Extends existing delegation chain by adding the next entry, that further delegates trust
+ * to subject. Issuer certificate will be hold in the newly added delegation assertion.
+ * @param chain
+ * @param issuer
+ * @param pk
+ * @param subject
+ * @param restrictions
+ * @return
+ * @throws DSigException
+ */
+ public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain,
+ X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ if (issuer != null)
+ chain.add(generateTD(chain.get(0).getCustodian(), issuer,
+ pk, subject, restrictions));
+ else
+ chain.add(generateTD(chain.get(0).getCustodian(),
+ chain.get(chain.size()-1).getIssuer(),
+ pk, subject, restrictions));
+ return chain;
+ }
+
+ /**
+ * Generates trust delegation. Generated assertion won't hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual DN of issuer of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, String issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ return generateTD(custodian, issuer, null, pk, subject, restrictions);
+ }
+
+
+ /**
+ * Generates trust delegation. Generated assertion will hold issuer certificate.
+ * @param custodian DN of initial trust delegation issuer (if not in trust delegation chain
+ * it is equal to issuer)
+ * @param issuer Actual issuer certificate of this trust delegation
+ * @param pk Private key of issuer
+ * @param subject DN of the receiver of this trust delegation
+ * @param restrictions Set of restrictions (can be null)
+ * @return The new trust delegation
+ * @throws DSigException
+ */
+ public TrustDelegation generateTD(String custodian, X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ return generateTD(custodian, issuer.getSubjectX500Principal().getName(),
+ issuer, pk, subject, restrictions);
+ }
+
+ private TrustDelegation generateTD(String custodian, String issuerDN,
+ X509Certificate issuer, PrivateKey pk,
+ String subject, DelegationRestrictions restrictions)
+ throws DSigException
+ {
+ TrustDelegation td = new TrustDelegation(custodian);
+ td.setX509Issuer(issuerDN);
+ td.setX509Subject(subject);
+ if (restrictions == null)
+ {
+ Calendar c = Calendar.getInstance();
+ c.add(Calendar.DATE, DEFAULT_VALIDITY_DAYS);
+ restrictions = new DelegationRestrictions(new Date(),
+ c.getTime(), 1);
+ }
+ td.setTimeConditions(restrictions.getNotBefore(),
+ restrictions.getNotOnOrAfter());
+ td.setProxyRestriction(restrictions.getMaxProxyCount());
+ td.sign(pk, issuer);
+ return td;
+ }
+
+ /**
+ * Validate single trust delegation assertion. Checks if receiver has trust of custodian
+ * delegated by issuer.
+ *
+ * @param td
+ * @param custodian
+ * @param issuer
+ * @param receiver
+ * @param availableCertificates list of known certificates - if delegation doesn't posses
+ * issuer certificate, the certificate matching delegation issuer DN must be in this array.
+ * @return
+ */
+ public ValidationResult validateTD(TrustDelegation td, String custodian,
+ String issuer, String receiver, X509Certificate availableCertificates[])
+ {
+ String c1 = td.getCustodian();
+ String c2 = RFC2253Parser.rfc2253toXMLdsig(custodian);
+ if (!c1.equals(c2))
+ return new ValidationResult(false, "Wrong custodian (is " + c1 +
+ " should be " + c2);
+ String i1 = td.getIssuer();
+ String i2 = RFC2253Parser.rfc2253toXMLdsig(issuer);
+ if (!i1.equals(i2))
+ return new ValidationResult(false, "Wrong issuer");
+ String r1 = td.getSubject();
+ String r2 = RFC2253Parser.rfc2253toXMLdsig(receiver);
+ if (!r1.equals(r2))
+ return new ValidationResult(false, "Wrong receiver");
+
+ X509Certificate issuerCert = td.getIssuerFromSignature();
+ if (issuerCert == null)
+ issuerCert = findCertificate(issuer, availableCertificates);
+ if (issuerCert == null)
+ return new ValidationResult(false, "Lack of issuer certificate " +
+ "(neither in KeyInfo element nor in available certificates list)");
+ try
+ {
+ issuerCert.checkValidity();
+ } catch (Exception e)
+ {
+ return new ValidationResult(false, "Issuer certificate is not valid");
+ }
+
+ try
+ {
+ if (!td.isCorrectlySigned(issuerCert.getPublicKey()))
+ return new ValidationResult(false, "Signature is incorrect");
+ } catch (DSigException e)
+ {
+ return new ValidationResult(false, "Signature is incorrect: " +
+ e.getCause());
+ }
+
+ Date notBefore = td.getNotBefore();
+ Date now = new Date();
+ if (now.before(notBefore))
+ return new ValidationResult(false, "Delegation is not yet valid");
+ Date notOnOrAfter = td.getNotOnOrAfter();
+ if (now.after(notOnOrAfter) || now.equals(notOnOrAfter))
+ return new ValidationResult(false, "Delegation is no more valid");
+
+ return new ValidationResult(true, "Validation OK");
+ }
+
+ private X509Certificate findCertificate(String dn,
+ X509Certificate availableCertificates[])
+ {
+ if (availableCertificates == null)
+ return null;
+ for (int i=0; i<availableCertificates.length; i++)
+ if (availableCertificates[i].getSubjectX500Principal().getName().
+ equals(dn))
+ return availableCertificates[i];
+ return null;
+ }
+
+ /**
+ * Tests if the specified trust delegation chain delegates the trust from user to
+ * subject. Please note that if the subject is the receiver of the assertion that is not
+ * the last one in the chain, then the rest of the chain is not checked at all.
+ * @param td
+ * @param subject
+ * @param user
+ * @param availableCertificates
+ * @return
+ */
+ public ValidationResult isTrustDelegated(List<TrustDelegation> td, String subject,
+ String user, X509Certificate availableCertificates[])
+ {
+ if (td == null || subject == null || user == null)
+ return new ValidationResult(false, "Some of arguments are null");
+ if (td.size() == 0)
+ return new ValidationResult(false, "Delegation chain is empty");
+ String custodian = td.get(0).getCustodian();
+ String u = RFC2253Parser.rfc2253toXMLdsig(user);
+ if (!u.equals(custodian))
+ return new ValidationResult(false, "Wrong user");
+ String s = RFC2253Parser.rfc2253toXMLdsig(subject);
+ int i=0;
+ int []maxProxies = new int[td.size()];
+ for (; i<td.size(); i++)
+ {
+ TrustDelegation cur = td.get(i);
+ if (i + 1 < td.size())
+ if (!cur.getSubject().equals(td.get(i+1).getIssuer()))
+ return new ValidationResult(
+ false, "Chain is not consistant at position " + i);
+ String receiver = subject;
+ if (i + 1 < td.size())
+ receiver = td.get(i+1).getIssuer();
+
+ ValidationResult singleTD = validateTD(cur, custodian,
+ cur.getIssuer(), receiver, availableCertificates);
+ if (!singleTD.isValid())
+ return new ValidationResult(false,
+ "Chain has invalid entry at position "
+ + i + ": " + singleTD.getInvalidResaon());
+
+ maxProxies[i] = cur.getProxyRestriction();
+ if (s.equals(cur.getSubject()))
+ break;
+ }
+ if (i == td.size())
+ return new ValidationResult(false, "Wrong subject");
+
+ for (int j=0; j<i; j++)
+ if (maxProxies[j] > 0 && maxProxies[j] < (i-j+1))
+ return new ValidationResult(false, "Chain length " +
+ "exceedes maximum proxy restriction of " +
+ "assertion at position " + j);
+
+ return new ValidationResult(true, "Validation OK");
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/TrustDelegation.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 24, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+import java.io.IOException;
+
+import org.apache.xmlbeans.XmlCursor;
+import org.apache.xmlbeans.XmlException;
+import org.apache.xmlbeans.XmlObject;
+import org.apache.xmlbeans.XmlString;
+
+import pl.edu.icm.unicore.saml.SAMLAssertion;
+import pl.edu.icm.unicore.saml.SAMLParseException;
+import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
+import xmlbeans.org.oasis.saml2.assertion.AttributeStatementType;
+import xmlbeans.org.oasis.saml2.assertion.AttributeType;
+
+import com.sun.org.apache.xml.security.utils.RFC2253Parser;
+
+/**
+ * Java representation of trust delegation token.
+ * @author K. Benedyczak
+ */
+public class TrustDelegation extends SAMLAssertion
+{
+ public static final String CUSTODIAN_NAME = "TrustDelegationOfUser";
+ public static final String CUSTODIAN_NAME_FORMAT = "urn:unicore:trust-delegation";
+
+ private String custodianDN;
+
+ public TrustDelegation(String custodian)
+ {
+ super("_trustDelegation_");
+ String dn = RFC2253Parser.rfc2253toXMLdsig(custodian);
+ custodianDN = dn;
+ XmlString value = XmlString.Factory.newInstance();
+ value.setStringValue(dn);
+ addAttribute(CUSTODIAN_NAME, CUSTODIAN_NAME_FORMAT,
+ new XmlObject[] {value});
+ }
+
+ public TrustDelegation(AssertionDocument doc) throws SAMLParseException, XmlException, IOException
+ {
+ super(doc);
+ AttributeStatementType[] attrSs = getAttributes();
+ custodianDN = null;
+ if (attrSs == null)
+ throw new SAMLParseException("No attribute statement in SAML assertion");
+ for (int i=0; i<attrSs.length; i++)
+ {
+ AttributeType []attrs = attrSs[i].getAttributeArray();
+ for (int j=0; j<attrs.length; j++)
+ if (attrs[j].getName().equals(CUSTODIAN_NAME) &&
+ attrs[j].getNameFormat().equals(CUSTODIAN_NAME_FORMAT))
+ {
+ XmlCursor cur = attrs[j].getAttributeValueArray(0)
+ .newCursor();
+ cur.toFirstContentToken();
+ custodianDN = cur.getTextValue();
+ }
+ }
+ if (custodianDN == null)
+ throw new SAMLParseException("SAML assertion does'nt contain trust " +
+ "delegation attribute");
+ }
+
+ public String getCustodian()
+ {
+ return custodianDN;
+ }
+}
Added: securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java
===================================================================
--- securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java (rev 0)
+++ securityLib/src/main/java/pl/edu/icm/unicore/security/etd/ValidationResult.java 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2007, 2008 ICM Uniwersytet Warszawski All rights reserved.
+ * See LICENCE file for licencing information.
+ *
+ * Created on Apr 25, 2007
+ * Author: K. Benedyczak <go...@ma...>
+ */
+
+package pl.edu.icm.unicore.security.etd;
+
+/**
+ * Represents trust delegation verification result.
+ * @author K. Benedyczak
+ */
+public class ValidationResult
+{
+ private boolean valid;
+ private String invalidResaon;
+
+ public ValidationResult(boolean valid, String invalidResaon)
+ {
+ super();
+ this.valid = valid;
+ this.invalidResaon = invalidResaon;
+ }
+
+ public String getInvalidResaon()
+ {
+ return invalidResaon;
+ }
+
+ public void setInvalidResaon(String invalidResaon)
+ {
+ this.invalidResaon = invalidResaon;
+ }
+
+ public boolean isValid()
+ {
+ return valid;
+ }
+
+ public void setValid(boolean valid)
+ {
+ this.valid = valid;
+ }
+}
Added: securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
===================================================================
--- securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd (rev 0)
+++ securityLib/src/main/schema/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd 2007-05-07 13:23:37 UTC (rev 769)
@@ -0,0 +1,318 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE schema
+ PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
+ [
+ <!ATTLIST schema
+ xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
+ <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
+ <!ENTITY % p ''>
+ <!ENTITY % s ''>
+ ]>
+
+<!-- Schema for XML Signatures
+ http://www.w3.org/2000/09/xmldsig#
+ $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
+
+ Copyright 2001 The Internet Society and W3C (Massachusetts Institute
+ of Technology, Institut National de Recherche en Informatique et en
+ Automatique, Keio University). All Rights Reserved.
+ http://www.w3.org/Consortium/Legal/
+
+ This document is governed by the W3C Software License [1] as described
+ in the FAQ [2].
+
+ [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+ [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+-->
+
+
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ targetNamespace="http://www.w3.org/2000/09/xmldsig#"
+ version="0.1" elementFormDefault="qualified">
+
+<!-- Basic Types Defined for Signatures -->
+
+<simpleType name="CryptoBinary">
+ <restriction base="base64Binary">
+ </restriction>
+</simpleType>
+
+<!-- Start Signature -->
+
+<element name="Signature" type="ds:SignatureType"/>
+<complexType name="SignatureType">
+ <sequence>
+ <element ref="ds:SignedInfo"/>
+ <element ref="ds:SignatureValue"/>
+ <element ref="ds:KeyInfo" minOccurs="0"/>
+ <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="SignatureValue" type="ds:SignatureValueType"/>
+ <complexType name="SignatureValueType">
+ <simpleContent>
+ <extension base="base64Binary">
+ <attribute name="Id" type="ID" use="optional"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+<!-- Start SignedInfo -->
+
+<element name="SignedInfo" type="ds:SignedInfoType"/>
+<complexType name="SignedInfoType">
+ <sequence>
+ <element ref="ds:CanonicalizationMethod"/>
+ <element ref="ds:SignatureMethod"/>
+ <element ref="ds:Reference" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
+ <complexType name="CanonicalizationMethodType" mixed="true">
+ <sequence>
+ <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+ <!-- (0,unbounded) elements from (1,1) namespace -->
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+ <element name="SignatureMethod" type="ds:SignatureMethodType"/>
+ <complexType name="SignatureMethodType" mixed="true">
+ <sequence>
+ <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
+ <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+ <!-- (0,unbounded) elements from (1,1) external namespace -->
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+<!-- Start Reference -->
+
+<element name="Reference" type="ds:ReferenceType"/>
+<complexType name="ReferenceType">
+ <sequence>
+ <element ref="ds:Transforms" minOccurs="0"/>
+ <element ref="ds:DigestMethod"/>
+ <element ref="ds:DigestValue"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+ <attribute name="URI" type="anyURI" use="optional"/>
+ <attribute name="Type" type="anyURI" use="optional"/>
+</complexType>
+
+ <element name="Transforms" type="ds:TransformsType"/>
+ <complexType name="TransformsType">
+ <sequence>
+ <element ref="ds:Transform" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+
+ <element name="Transform" type="ds:TransformType"/>
+ <complexType name="TransformType" mixed="true">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <any namespace="##other" processContents="lax"/>
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
+ <element name="XPath" type="string"/>
+ </choice>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+<!-- End Reference -->
+
+<element name="DigestMethod" type="ds:DigestMethodType"/>
+<complexType name="DigestMethodType" mixed="true">
+ <sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+</complexType>
+
+<element name="DigestValue" type="ds:DigestValueType"/>
+<simpleType name="DigestValueType">
+ <restriction base="base64Binary"/>
+</simpleType>
+
+<!-- End SignedInfo -->
+
+<!-- Start KeyInfo -->
+
+<element name="KeyInfo" type="ds:KeyInfoType"/>
+<complexType name="KeyInfoType" mixed="true">
+ <choice maxOccurs="unbounded">
+ <element ref="ds:KeyName"/>
+ <element ref="ds:KeyValue"/>
+ <element ref="ds:RetrievalMethod"/>
+ <element ref="ds:X509Data"/>
+ <element ref="ds:PGPData"/>
+ <element ref="ds:SPKIData"/>
+ <element ref="ds:MgmtData"/>
+ <any processContents="lax" namespace="##other"/>
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
+ </choice>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="KeyName" type="string"/>
+ <element name="MgmtData" type="string"/>
+
+ <element name="KeyValue" type="ds:KeyValueType"/>
+ <complexType name="KeyValueType" mixed="true">
+ <choice>
+ <element ref="ds:DSAKeyValue"/>
+ <element ref="ds:RSAKeyValue"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+
+ <element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
+ <complexType name="RetrievalMethodType">
+ <sequence>
+ <element ref="ds:Transforms" minOccurs="0"/>
+ </sequence>
+ <attribute name="URI" type="anyURI"/>
+ <attribute name="Type" type="anyURI" use="optional"/>
+ </complexType>
+
+<!-- Start X509Data -->
+
+<element name="X509Data" type="ds:X509DataType"/>
+<complexType name="X509DataType">
+ <sequence maxOccurs="unbounded">
+ <choice>
+ <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
+ <element name="X509SKI" type="base64Binary"/>
+ <element name="X509SubjectName" type="string"/>
+ <element name="X509Certificate" type="base64Binary"/>
+ <element name="X509CRL" type="base64Binary"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </sequence>
+</complexType>
+
+<complexType name="X509IssuerSerialType">
+ <sequence>
+ <element name="X509IssuerName" type="string"/>
+ <element name="X509SerialNumber" type="integer"/>
+ </sequence>
+</complexType>
+
+<!-- End X509Data -->
+
+<!-- Begin PGPData -->
+
+<element name="PGPData" type="ds:PGPDataType"/>
+<complexType name="PGPDataType">
+ <choice>
+ <sequence>
+ <element name="PGPKeyID" type="base64Binary"/>
+ <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
+ <any namespace="##other" processContents="lax" minOccurs="0"
+ maxOccurs="unbounded"/>
+ </sequence>
+ <sequence>
+ <element name="PGPKeyPacket" type="base64Binary"/>
+ <any namespace="##other" processContents="lax" minOccurs="0"
+ maxOccurs="unbounded"/>
+ </sequence>
+ </choice>
+</complexType>
+
+<!-- End PGPData -->
+
+<!-- Begin SPKIData -->
+
+<element name="SPKIData" type="ds:SPKIDataType"/>
+<complexType name="SPKIDataType">
+ <sequence maxOccurs="unbounded">
+ <element name="SPKISexp" type="base64Binary"/>
+ <any namespace="##other" processContents="lax" minOccurs="0"/>
+ </sequence>
+</complexType>
+
+<!-- End SPKIData -->
+
+<!-- End KeyInfo -->
+
+<!-- Start Object (Manifest, SignatureProperty) -->
+
+<element name="Object" type="ds:ObjectType"/>
+<complexType name="ObjectType" mixed="true">
+ <sequence minOccurs="0" maxOccurs="unbounded">
+ <any namespace="##any" processContents="lax"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+ <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
+ <attribute name="Encoding" type="anyURI" use="optional"/>
+</complexType>
+
+<element name="Manifest" type="ds:ManifestType"/>
+<complexType name="ManifestType">
+ <sequence>
+ <element ref="ds:Reference" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="...
[truncated message content] |