From adad2da9645f7638cfa27597dc8ba71ce8094ee3 Mon Sep 17 00:00:00 2001 From: Filip Hanik Date: Thu, 13 May 2021 10:34:12 -0700 Subject: [PATCH] Provide KeyInfo in Signature for AuthnRequests Closes gh-9856 --- .../OpenSamlSigningUtilsTests.java | 56 +++++++++++++++++++ .../authentication/OpenSamlSigningUtils.java | 20 +++++++ 2 files changed, 76 insertions(+) create mode 100644 saml2/saml2-service-provider/core/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtilsTests.java diff --git a/saml2/saml2-service-provider/core/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtilsTests.java b/saml2/saml2-service-provider/core/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtilsTests.java new file mode 100644 index 0000000000..1c85e74955 --- /dev/null +++ b/saml2/saml2-service-provider/core/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtilsTests.java @@ -0,0 +1,56 @@ +/* + * Copyright 2002-2021 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.provider.service.authentication; + +import org.junit.Before; +import org.junit.Test; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.xmlsec.signature.Signature; + +import org.springframework.security.saml2.core.TestSaml2X509Credentials; +import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Test open SAML signatures + */ +public class OpenSamlSigningUtilsTests { + + private RelyingPartyRegistration registration; + + @Before + public void setup() { + this.registration = RelyingPartyRegistration.withRegistrationId("saml-idp") + .entityId("https://some.idp.example.com/entity-id").signingX509Credentials((c) -> { + c.add(TestSaml2X509Credentials.relyingPartySigningCredential()); + c.add(TestSaml2X509Credentials.assertingPartySigningCredential()); + }).assertingPartyDetails((c) -> c.entityId("https://some.idp.example.com/entity-id") + .singleSignOnServiceLocation("https://some.idp.example.com/service-location")) + .build(); + } + + @Test + public void whenSigningAnObjectThenKeyInfoIsPartOfTheSignature() throws Exception { + Response response = TestOpenSamlObjects.response(); + OpenSamlSigningUtils.sign(response, this.registration); + Signature signature = response.getSignature(); + assertThat(signature).isNotNull(); + assertThat(signature.getKeyInfo()).isNotNull(); + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.java index f177a866b4..4e9fbe20a9 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.java @@ -42,6 +42,9 @@ import org.opensaml.xmlsec.SignatureSigningParametersResolver; import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion; import org.opensaml.xmlsec.crypto.XMLSigningUtil; import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration; +import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager; +import org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager; +import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory; import org.opensaml.xmlsec.signature.SignableXMLObject; import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.opensaml.xmlsec.signature.support.SignatureSupport; @@ -102,6 +105,7 @@ final class OpenSamlSigningUtils { signingConfiguration.setSignatureAlgorithms(algorithms); signingConfiguration.setSignatureReferenceDigestMethods(digests); signingConfiguration.setSignatureCanonicalizationAlgorithm(canonicalization); + signingConfiguration.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager()); criteria.add(new SignatureSigningConfigurationCriterion(signingConfiguration)); try { SignatureSigningParameters parameters = resolver.resolveSingle(criteria); @@ -113,6 +117,22 @@ final class OpenSamlSigningUtils { } } + private static NamedKeyInfoGeneratorManager buildSignatureKeyInfoGeneratorManager() { + final NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager(); + + namedManager.setUseDefaultManager(true); + final KeyInfoGeneratorManager defaultManager = namedManager.getDefaultManager(); + + // Generator for X509Credentials + final X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory(); + x509Factory.setEmitEntityCertificate(true); + x509Factory.setEmitEntityCertificateChain(true); + + defaultManager.registerFactory(x509Factory); + + return namedManager; + } + private static List resolveSigningCredentials(RelyingPartyRegistration relyingPartyRegistration) { List credentials = new ArrayList<>(); for (Saml2X509Credential x509Credential : relyingPartyRegistration.getSigningX509Credentials()) {