root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 13 Packages Projects Releases Wiki Activity

Polish Saml2X509Credential Factories 

Issue gh-8789
This commit is contained in:
Josh Cummings 2020-07-20 15:47:58 -06:00
parent 3978cc591f
commit 97ccbe5df2
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
5 changed files with 237 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java
View File

@ -91,6 +91,40 @@ public final class Saml2X509Credential {
this.credentialTypes = types; this.credentialTypes = types;
} }
/**
* Create a {@link Saml2X509Credential} that can be used for encryption.
* @param certificate the certificate to use for encryption
*/
public static Saml2X509Credential encryption(X509Certificate certificate) {
return new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION);
}
/**
* Create a {@link Saml2X509Credential} that can be used for verification.
* @param certificate the certificate to use for verification
*/
public static Saml2X509Credential verification(X509Certificate certificate) {
return new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
}
/**
* Create a {@link Saml2X509Credential} that can be used for decryption.
* @param privateKey the private key to use for decryption
* @param certificate the certificate to use for decryption
*/
public static Saml2X509Credential decryption(PrivateKey privateKey, X509Certificate certificate) {
return new Saml2X509Credential(privateKey, certificate, Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
}
/**
* Create a {@link Saml2X509Credential} that can be used for signing.
* @param privateKey the private key to use for signing
* @param certificate the certificate to use for signing
*/
public static Saml2X509Credential signing(PrivateKey privateKey, X509Certificate certificate) {
return new Saml2X509Credential(privateKey, certificate, Saml2X509Credential.Saml2X509CredentialType.SIGNING);
}
private Saml2X509Credential( private Saml2X509Credential(
PrivateKey privateKey, PrivateKey privateKey,
boolean keyRequired, boolean keyRequired,

34
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java
View File

@ -54,40 +54,6 @@ public class Saml2X509Credential {
private final X509Certificate certificate; private final X509Certificate certificate;
private final Set<Saml2X509CredentialType> credentialTypes; private final Set<Saml2X509CredentialType> credentialTypes;
/**
* Create a {@link Saml2X509Credential} that can be used for encryption.
* @param certificate the certificate to use for encryption
*/
public static Saml2X509Credential encryption(X509Certificate certificate) {
return new Saml2X509Credential(certificate, Saml2X509CredentialType.ENCRYPTION);
}
/**
* Create a {@link Saml2X509Credential} that can be used for verification.
* @param certificate the certificate to use for verification
*/
public static Saml2X509Credential verification(X509Certificate certificate) {
return new Saml2X509Credential(certificate, Saml2X509CredentialType.VERIFICATION);
}
/**
* Create a {@link Saml2X509Credential} that can be used for decryption.
* @param privateKey the private key to use for decryption
* @param certificate the certificate to use for decryption
*/
public static Saml2X509Credential decryption(PrivateKey privateKey, X509Certificate certificate) {
return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.DECRYPTION);
}
/**
* Create a {@link Saml2X509Credential} that can be used for signing.
* @param privateKey the private key to use for signing
* @param certificate the certificate to use for signing
*/
public static Saml2X509Credential signing(PrivateKey privateKey, X509Certificate certificate) {
return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.SIGNING);
}
/** /**
* Creates a Saml2X509Credentials representing Identity Provider credentials for * Creates a Saml2X509Credentials representing Identity Provider credentials for
* verification, encryption or both. * verification, encryption or both.

198
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2X509CredentialTests.java Normal file
View File

@ -0,0 +1,198 @@
/*
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.saml2.core;
import java.io.ByteArrayInputStream;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.springframework.security.converter.RsaKeyConverters;
import static java.nio.charset.StandardCharsets.UTF_8;
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION;
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION;
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.SIGNING;
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION;
public class Saml2X509CredentialTests {
@Rule
public ExpectedException exception = ExpectedException.none();
private PrivateKey key;
private X509Certificate certificate;
@Before
public void setup() throws Exception {
String keyData = "-----BEGIN PRIVATE KEY-----\n" +
"MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANG7v8QjQGU3MwQE\n" +
"VUBxvH6Uuiy/MhZT7TV0ZNjyAF2ExA1gpn3aUxx6jYK5UnrpxRRE/KbeLucYbOhK\n" +
"cDECt77Rggz5TStrOta0BQTvfluRyoQtmQ5Nkt6Vqg7O2ZapFt7k64Sal7AftzH6\n" +
"Q2BxWN1y04bLdDrH4jipqRj/2qEFAgMBAAECgYEAj4ExY1jjdN3iEDuOwXuRB+Nn\n" +
"x7pC4TgntE2huzdKvLJdGvIouTArce8A6JM5NlTBvm69mMepvAHgcsiMH1zGr5J5\n" +
"wJz23mGOyhM1veON41/DJTVG+cxq4soUZhdYy3bpOuXGMAaJ8QLMbQQoivllNihd\n" +
"vwH0rNSK8LTYWWPZYIECQQDxct+TFX1VsQ1eo41K0T4fu2rWUaxlvjUGhK6HxTmY\n" +
"8OMJptunGRJL1CUjIb45Uz7SP8TPz5FwhXWsLfS182kRAkEA3l+Qd9C9gdpUh1uX\n" +
"oPSNIxn5hFUrSTW1EwP9QH9vhwb5Vr8Jrd5ei678WYDLjUcx648RjkjhU9jSMzIx\n" +
"EGvYtQJBAMm/i9NR7IVyyNIgZUpz5q4LI21rl1r4gUQuD8vA36zM81i4ROeuCly0\n" +
"KkfdxR4PUfnKcQCX11YnHjk9uTFj75ECQEFY/gBnxDjzqyF35hAzrYIiMPQVfznt\n" +
"YX/sDTE2AdVBVGaMj1Cb51bPHnNC6Q5kXKQnj/YrLqRQND09Q7ParX0CQQC5NxZr\n" +
"9jKqhHj8yQD6PlXTsY4Occ7DH6/IoDenfdEVD5qlet0zmd50HatN2Jiqm5ubN7CM\n" +
"INrtuLp4YHbgk1mi\n" +
"-----END PRIVATE KEY-----";
key = RsaKeyConverters.pkcs8().convert(new ByteArrayInputStream(keyData.getBytes(UTF_8)));
final CertificateFactory factory = CertificateFactory.getInstance("X.509");
String certificateData = "-----BEGIN CERTIFICATE-----\n" +
"MIICgTCCAeoCCQCuVzyqFgMSyDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMC\n" +
"VVMxEzARBgNVBAgMCldhc2hpbmd0b24xEjAQBgNVBAcMCVZhbmNvdXZlcjEdMBsG\n" +
"A1UECgwUU3ByaW5nIFNlY3VyaXR5IFNBTUwxCzAJBgNVBAsMAnNwMSAwHgYDVQQD\n" +
"DBdzcC5zcHJpbmcuc2VjdXJpdHkuc2FtbDAeFw0xODA1MTQxNDMwNDRaFw0yODA1\n" +
"MTExNDMwNDRaMIGEMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjES\n" +
"MBAGA1UEBwwJVmFuY291dmVyMR0wGwYDVQQKDBRTcHJpbmcgU2VjdXJpdHkgU0FN\n" +
"TDELMAkGA1UECwwCc3AxIDAeBgNVBAMMF3NwLnNwcmluZy5zZWN1cml0eS5zYW1s\n" +
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRu7/EI0BlNzMEBFVAcbx+lLos\n" +
"vzIWU+01dGTY8gBdhMQNYKZ92lMceo2CuVJ66cUURPym3i7nGGzoSnAxAre+0YIM\n" +
"+U0razrWtAUE735bkcqELZkOTZLelaoOztmWqRbe5OuEmpewH7cx+kNgcVjdctOG\n" +
"y3Q6x+I4qakY/9qhBQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAeViTvHOyQopWEi\n" +
"XOfI2Z9eukwrSknDwq/zscR0YxwwqDBMt/QdAODfSwAfnciiYLkmEjlozWRtOeN+\n" +
"qK7UFgP1bRl5qksrYX5S0z2iGJh0GvonLUt3e20Ssfl5tTEDDnAEUMLfBkyaxEHD\n" +
"RZ/nbTJ7VTeZOSyRoVn5XHhpuJ0B\n" +
"-----END CERTIFICATE-----";
certificate = (X509Certificate) factory
.generateCertificate(new ByteArrayInputStream(certificateData.getBytes(UTF_8)));
}
@Test
public void constructorWhenRelyingPartyWithCredentialsThenItSucceeds() {
new Saml2X509Credential(key, certificate, SIGNING);
new Saml2X509Credential(key, certificate, SIGNING, DECRYPTION);
new Saml2X509Credential(key, certificate, DECRYPTION);
Saml2X509Credential.signing(key, certificate);
Saml2X509Credential.decryption(key, certificate);
}
@Test
public void constructorWhenAssertingPartyWithCredentialsThenItSucceeds() {
new Saml2X509Credential(certificate, VERIFICATION);
new Saml2X509Credential(certificate, VERIFICATION, ENCRYPTION);
new Saml2X509Credential(certificate, ENCRYPTION);
Saml2X509Credential.verification(certificate);
Saml2X509Credential.encryption(certificate);
}
@Test
public void constructorWhenRelyingPartyWithoutCredentialsThenItFails() {
exception.expect(IllegalArgumentException.class);
new Saml2X509Credential(null, (X509Certificate) null, SIGNING);
}
@Test
public void constructorWhenRelyingPartyWithoutPrivateKeyThenItFails() {
exception.expect(IllegalArgumentException.class);
new Saml2X509Credential(null, certificate, SIGNING);
}
@Test
public void constructorWhenRelyingPartyWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
new Saml2X509Credential(key, null, SIGNING);
}
@Test
public void constructorWhenAssertingPartyWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
new Saml2X509Credential(null, SIGNING);
}
@Test
public void constructorWhenRelyingPartyWithEncryptionUsageThenItFails() {
exception.expect(IllegalStateException.class);
new Saml2X509Credential(key, certificate, ENCRYPTION);
}
@Test
public void constructorWhenRelyingPartyWithVerificationUsageThenItFails() {
exception.expect(IllegalStateException.class);
new Saml2X509Credential(key, certificate, VERIFICATION);
}
@Test
public void constructorWhenAssertingPartyWithSigningUsageThenItFails() {
exception.expect(IllegalStateException.class);
new Saml2X509Credential(certificate, SIGNING);
}
@Test
public void constructorWhenAssertingPartyWithDecryptionUsageThenItFails() {
exception.expect(IllegalStateException.class);
new Saml2X509Credential(certificate, DECRYPTION);
}
@Test
public void factoryWhenRelyingPartyForSigningWithoutCredentialsThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.signing(null, null);
}
@Test
public void factoryWhenRelyingPartyForSigningWithoutPrivateKeyThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.signing(null, certificate);
}
@Test
public void factoryWhenRelyingPartyForSigningWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.signing(key, null);
}
@Test
public void factoryWhenRelyingPartyForDecryptionWithoutCredentialsThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.decryption(null, null);
}
@Test
public void factoryWhenRelyingPartyForDecryptionWithoutPrivateKeyThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.decryption(null, certificate);
}
@Test
public void factoryWhenRelyingPartyForDecryptionWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.decryption(key, null);
}
@Test
public void factoryWhenAssertingPartyForVerificationWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.verification(null);
}
@Test
public void factoryWhenAssertingPartyForEncryptionWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.encryption(null);
}
}

53
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/credentials/Saml2X509CredentialTests.java
View File

@ -16,11 +16,12 @@
package org.springframework.security.saml2.credentials; package org.springframework.security.saml2.credentials;
import org.springframework.security.converter.RsaKeyConverters;
import org.junit.Before; import org.junit.Before;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.ExpectedException; import org.junit.rules.ExpectedException;
import org.springframework.security.converter.RsaKeyConverters;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.security.PrivateKey; import java.security.PrivateKey;
@ -87,8 +88,6 @@ public class Saml2X509CredentialTests {
new Saml2X509Credential(key, certificate, SIGNING); new Saml2X509Credential(key, certificate, SIGNING);
new Saml2X509Credential(key, certificate, SIGNING, DECRYPTION); new Saml2X509Credential(key, certificate, SIGNING, DECRYPTION);
new Saml2X509Credential(key, certificate, DECRYPTION); new Saml2X509Credential(key, certificate, DECRYPTION);
Saml2X509Credential.signing(key, certificate);
Saml2X509Credential.decryption(key, certificate);
} }
@Test @Test
@ -96,8 +95,6 @@ public class Saml2X509CredentialTests {
new Saml2X509Credential(certificate, VERIFICATION); new Saml2X509Credential(certificate, VERIFICATION);
new Saml2X509Credential(certificate, VERIFICATION, ENCRYPTION); new Saml2X509Credential(certificate, VERIFICATION, ENCRYPTION);
new Saml2X509Credential(certificate, ENCRYPTION); new Saml2X509Credential(certificate, ENCRYPTION);
Saml2X509Credential.verification(certificate);
Saml2X509Credential.encryption(certificate);
} }
@Test @Test
@ -148,51 +145,5 @@ public class Saml2X509CredentialTests {
new Saml2X509Credential(certificate, DECRYPTION); new Saml2X509Credential(certificate, DECRYPTION);
} }
@Test
public void factoryWhenRelyingPartyForSigningWithoutCredentialsThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.signing(null, null);
}
@Test
public void factoryWhenRelyingPartyForSigningWithoutPrivateKeyThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.signing(null, certificate);
}
@Test
public void factoryWhenRelyingPartyForSigningWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.signing(key, null);
}
@Test
public void factoryWhenRelyingPartyForDecryptionWithoutCredentialsThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.decryption(null, null);
}
@Test
public void factoryWhenRelyingPartyForDecryptionWithoutPrivateKeyThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.decryption(null, certificate);
}
@Test
public void factoryWhenRelyingPartyForDecryptionWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.decryption(key, null);
}
@Test
public void factoryWhenAssertingPartyForVerificationWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.verification(null);
}
@Test
public void factoryWhenAssertingPartyForEncryptionWithoutCertificateThenItFails() {
exception.expect(IllegalArgumentException.class);
Saml2X509Credential.encryption(null);
}
} }

9
samples/javaconfig/saml2login/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -33,7 +33,7 @@ import org.springframework.security.saml2.provider.service.servlet.filter.Saml2W
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION; import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION;
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.SIGNING; import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.SIGNING;
import static org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION; import static org.springframework.security.saml2.core.Saml2X509Credential.verification;
@EnableWebSecurity @EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) @EnableGlobalMethodSecurity(prePostEnabled = true)
@ -107,10 +107,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
"V9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3\n" + "V9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3\n" +
"lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk\n" + "lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk\n" +
"-----END CERTIFICATE-----"; "-----END CERTIFICATE-----";
return new Saml2X509Credential( return verification(x509Certificate(certificate));
x509Certificate(certificate),
VERIFICATION
);
} }
private X509Certificate x509Certificate(String source) { private X509Certificate x509Certificate(String source) {