Improve metadata generation of signature & digest methods supported (#…

…1255) * Improve metadata generation of signature & digest methods supported * Use SignatureConstants
pac4j · Feb 15, 2019 · 3b76ce9 · 3b76ce9
1 parent ab6f7d5
commit 3b76ce9
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 39 deletions.
diff --git a/pac4j-saml/src/main/java/org/pac4j/saml/config/SAML2Configuration.java b/pac4j-saml/src/main/java/org/pac4j/saml/config/SAML2Configuration.java
@@ -18,6 +18,7 @@
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
 import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
 import org.pac4j.core.context.HttpConstants;
 import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.logout.handler.DefaultLogoutHandler;
@@ -774,7 +775,7 @@ private void initSignatureSigningConfiguration() {
             this.signatureReferenceDigestMethods = new ArrayList<>(
                 config.getSignatureReferenceDigestMethods());
             this.signatureReferenceDigestMethods
-                .remove("http://www.w3.org/2001/04/xmlenc#sha512");
+                .remove(SignatureConstants.ALGO_ID_DIGEST_SHA512);
             LOGGER.info("Bootstrapped Signature Reference Digest Methods");
         }
         if (this.signatureCanonicalizationAlgorithm == null) {

diff --git a/pac4j-saml/src/main/java/org/pac4j/saml/metadata/SAML2MetadataGenerator.java b/pac4j-saml/src/main/java/org/pac4j/saml/metadata/SAML2MetadataGenerator.java
@@ -8,6 +8,7 @@
 import org.opensaml.saml.common.SAMLObjectBuilder;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.ext.saml2alg.DigestMethod;
+import org.opensaml.saml.ext.saml2alg.SigningMethod;
 import org.opensaml.saml.ext.saml2mdreqinit.RequestInitiator;
 import org.opensaml.saml.metadata.resolver.MetadataResolver;
 import org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver;
@@ -24,6 +25,10 @@
 import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml.saml2.metadata.SingleLogoutService;
 import org.opensaml.security.credential.UsageType;
+import org.opensaml.xmlsec.SignatureSigningConfiguration;
+import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
+import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
+import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
 import org.opensaml.xmlsec.signature.KeyInfo;
 import org.pac4j.saml.crypto.CredentialProvider;
 import org.pac4j.saml.util.Configuration;
@@ -36,6 +41,7 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * Generates metadata object with standard values and overriden user defined values.
@@ -52,6 +58,8 @@ public class SAML2MetadataGenerator implements SAMLMetadataGenerator {
 
     protected final MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
 
+    protected final AlgorithmRegistry globalAlgorithmRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();
+
     protected CredentialProvider credentialProvider;
 
     protected String entityId;
@@ -72,6 +80,15 @@ public class SAML2MetadataGenerator implements SAMLMetadataGenerator {
 
     protected List<SAML2ServiceProvicerRequestedAttribute> requestedAttributes = new ArrayList<>();
 
+    protected SignatureSigningConfiguration defaultSignatureSigningConfiguration =
+            DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
+
+    protected List<String> blackListedSignatureSigningAlgorithms = null;
+
+    protected List<String> signatureAlgorithms = null;
+
+    protected List<String> signatureReferenceDigestMethods = null;
+
     @Override
     public final MetadataResolver buildMetadataResolver(final Resource metadataResource) throws Exception {
         final AbstractBatchMetadataResolver resolver;
@@ -115,50 +132,29 @@ protected final Extensions generateMetadataExtensions() {
             this.builderFactory.getBuilder(Extensions.DEFAULT_ELEMENT_NAME);
 
         final Extensions extensions = builderExt.buildObject();
+        extensions.getNamespaceManager().registerAttributeName(SigningMethod.TYPE_NAME);
         extensions.getNamespaceManager().registerAttributeName(DigestMethod.TYPE_NAME);
 
-        final SAMLObjectBuilder<DigestMethod> builder = (SAMLObjectBuilder<DigestMethod>)
+        List<String> filteredSignatureAlgorithms = filterSignatureAlgorithms(getSignatureAlgorithms());
-            this.builderFactory.getBuilder(DigestMethod.DEFAULT_ELEMENT_NAME);
+        List<String> filteredSignatureReferenceDigestMethods = filterSignatureAlgorithms(getSignatureReferenceDigestMethods());
-
-        DigestMethod method = builder.buildObject();
-        method.setAlgorithm("http://www.w3.org/2001/04/xmlenc#sha512");
-        extensions.getUnknownXMLObjects().add(method);
-
-        method = builder.buildObject();
-        method.setAlgorithm("http://www.w3.org/2001/04/xmldsig-more#sha384");
-        extensions.getUnknownXMLObjects().add(method);
-
-        method = builder.buildObject();
-        method.setAlgorithm("http://www.w3.org/2001/04/xmlenc#sha256");
-        extensions.getUnknownXMLObjects().add(method);
 
-        method = builder.buildObject();
+        final SAMLObjectBuilder<SigningMethod> signingMethodBuilder = (SAMLObjectBuilder<SigningMethod>)
-        method.setAlgorithm("http://www.w3.org/2001/04/xmldsig-more#sha224");
+                this.builderFactory.getBuilder(SigningMethod.DEFAULT_ELEMENT_NAME);
-        extensions.getUnknownXMLObjects().add(method);
 
-        method = builder.buildObject();
+        for (String signingMethod : filteredSignatureAlgorithms) {
-        method.setAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1");
+            SigningMethod method = signingMethodBuilder.buildObject();
-        extensions.getUnknownXMLObjects().add(method);
+            method.setAlgorithm(signingMethod);
-
+            extensions.getUnknownXMLObjects().add(method);
-        method = builder.buildObject();
+        }
-        method.setAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
-        extensions.getUnknownXMLObjects().add(method);
-
-        method = builder.buildObject();
-        method.setAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384");
-        extensions.getUnknownXMLObjects().add(method);
-
-        method = builder.buildObject();
-        method.setAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
-        extensions.getUnknownXMLObjects().add(method);
 
-        method = builder.buildObject();
+        final SAMLObjectBuilder<DigestMethod> digestMethodBuilder = (SAMLObjectBuilder<DigestMethod>)
-        method.setAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
+            this.builderFactory.getBuilder(DigestMethod.DEFAULT_ELEMENT_NAME);
-        extensions.getUnknownXMLObjects().add(method);
 
-        method = builder.buildObject();
+        for (String digestMethod : filteredSignatureReferenceDigestMethods) {
-        method.setAlgorithm("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
+            DigestMethod method = digestMethodBuilder.buildObject();
-        extensions.getUnknownXMLObjects().add(method);
+            method.setAlgorithm(digestMethod);
+            extensions.getUnknownXMLObjects().add(method);
+        }
 
         return extensions;
     }
@@ -354,4 +350,51 @@ public List<SAML2ServiceProvicerRequestedAttribute> getRequestedAttributes() {
     public void setRequestedAttributes(final List<SAML2ServiceProvicerRequestedAttribute> requestedAttributes) {
         this.requestedAttributes = requestedAttributes;
     }
+
+    public List<String> getBlackListedSignatureSigningAlgorithms() {
+        if (blackListedSignatureSigningAlgorithms == null) {
+            this.blackListedSignatureSigningAlgorithms =
+              new ArrayList<>(defaultSignatureSigningConfiguration.getBlacklistedAlgorithms());
+        }
+
+        return blackListedSignatureSigningAlgorithms;
+    }
+
+    public void setBlackListedSignatureSigningAlgorithms(List<String> blackListedSignatureSigningAlgorithms) {
+        this.blackListedSignatureSigningAlgorithms = blackListedSignatureSigningAlgorithms;
+    }
+
+    public List<String> getSignatureAlgorithms() {
+        if (signatureAlgorithms == null) {
+            this.signatureAlgorithms = defaultSignatureSigningConfiguration.getSignatureAlgorithms();
+        }
+
+        return signatureAlgorithms;
+    }
+
+    public void setSignatureAlgorithms(List<String> signatureAlgorithms) {
+        this.signatureAlgorithms = signatureAlgorithms;
+    }
+
+    public List<String> getSignatureReferenceDigestMethods() {
+        if (signatureReferenceDigestMethods == null) {
+            this.signatureReferenceDigestMethods = defaultSignatureSigningConfiguration.getSignatureReferenceDigestMethods();
+        }
+        return signatureReferenceDigestMethods;
+    }
+
+    public void setSignatureReferenceDigestMethods(List<String> signatureReferenceDigestMethods) {
+        this.signatureReferenceDigestMethods = signatureReferenceDigestMethods;
+    }
+
+    private List<String> filterForRuntimeSupportedAlgorithms(final List<String> algorithms) {
+        final List<String> filteredAlgorithms = new ArrayList<>(algorithms);
+        return filteredAlgorithms.stream().filter(uri -> globalAlgorithmRegistry.isRuntimeSupported(uri)).collect(Collectors.toList());
+    }
+
+    private List<String> filterSignatureAlgorithms(final List<String> algorithms) {
+        final List<String> filteredAlgorithms = filterForRuntimeSupportedAlgorithms(algorithms);
+        this.signatureAlgorithms.removeAll(this.blackListedSignatureSigningAlgorithms);
+        return filteredAlgorithms;
+    }
 }
diff --git a/pac4j-saml/src/main/java/org/pac4j/saml/metadata/SAML2ServiceProviderMetadataResolver.java b/pac4j-saml/src/main/java/org/pac4j/saml/metadata/SAML2ServiceProviderMetadataResolver.java
@@ -95,6 +95,13 @@ private MetadataResolver prepareServiceProviderMetadata() {
             // the logout URL is callback URL with an extra parameter
             metadataGenerator.setSingleLogoutServiceUrl(logoutUrl);
 
+            // Algorithm support
+            metadataGenerator.setBlackListedSignatureSigningAlgorithms(
+                new ArrayList<>(configuration.getBlackListedSignatureSigningAlgorithms())
+            );
+            metadataGenerator.setSignatureAlgorithms(configuration.getSignatureAlgorithms());
+            metadataGenerator.setSignatureReferenceDigestMethods(configuration.getSignatureReferenceDigestMethods());
+
             // Initialize metadata provider for our SP and get the XML as a String
             final EntityDescriptor entity = metadataGenerator.buildEntityDescriptor();
             final String tempMetadata = metadataGenerator.getMetadata(entity);