org.keycloak.protocol.saml.SamlProtocolUtils 連携図

静的公開メンバ関数
static void	verifyDocumentSignature (ClientModel client, Document document) throws VerificationException

static void	verifyDocumentSignature (Document document, KeyLocator keyLocator) throws VerificationException

static PublicKey	getSignatureValidationKey (ClientModel client) throws VerificationException

static PublicKey	getEncryptionKey (ClientModel client) throws VerificationException

static PublicKey	getPublicKey (ClientModel client, String attribute) throws VerificationException

static void	verifyRedirectSignature (SAMLDocumentHolder documentHolder, KeyLocator locator, UriInfo uriInformation, String paramKey) throws VerificationException

静的非公開メンバ関数
static PublicKey	getPublicKey (String certPem) throws VerificationException

static String	getMessageSigningKeyId (SAML2Object doc)

詳解

著者: Bill Burke

バージョン

Revision: 1

関数詳解

◆ getEncryptionKey()

static PublicKey org.keycloak.protocol.saml.SamlProtocolUtils.getEncryptionKey ( ClientModel client ) throws VerificationException

inlinestatic

Returns public part of SAML encryption key from the client settings.

引数

client

戻り値: Public key for encryption.

例外

VerificationException

                                                                                               {
         return getPublicKey(client, SamlConfigAttributes.SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE);
     }

◆ getMessageSigningKeyId()

static String org.keycloak.protocol.saml.SamlProtocolUtils.getMessageSigningKeyId ( SAML2Object doc )

inlinestaticprivate

                                                                   {
         final ExtensionsType extensions;
         if (doc instanceof RequestAbstractType) {
             extensions = ((RequestAbstractType) doc).getExtensions();
         } else if (doc instanceof StatusResponseType) {
             extensions = ((StatusResponseType) doc).getExtensions();
         } else {
             return null;
         }
 
         if (extensions == null) {
             return null;
         }
 
         for (Object ext : extensions.getAny()) {
             if (! (ext instanceof Element)) {
                 continue;
             }
 
             String res = KeycloakKeySamlExtensionGenerator.getMessageSigningKeyIdFromElement((Element) ext);
 
             if (res != null) {
                 return res;
             }
         }
 
         return null;
     }

◆ getPublicKey() [1/2]

static PublicKey org.keycloak.protocol.saml.SamlProtocolUtils.getPublicKey	(	ClientModel	client,
		String	attribute
	)		throws VerificationException

inlinestatic

                                                                                                             {
         String certPem = client.getAttribute(attribute);
         return getPublicKey(certPem);
     }

◆ getPublicKey() [2/2]

static PublicKey org.keycloak.protocol.saml.SamlProtocolUtils.getPublicKey ( String certPem ) throws VerificationException

inlinestaticprivate

                                                                                        {
         if (certPem == null) throw new VerificationException("Client does not have a public key.");
         X509Certificate cert = null;
         try {
             cert = PemUtils.decodeCertificate(certPem);
             cert.checkValidity();
         } catch (CertificateException ex) {
             throw new VerificationException("Certificate is not valid.");
         } catch (Exception e) {
             throw new VerificationException("Could not decode cert", e);
         }
         return cert.getPublicKey();
     }

◆ getSignatureValidationKey()

static PublicKey org.keycloak.protocol.saml.SamlProtocolUtils.getSignatureValidationKey ( ClientModel client ) throws VerificationException

inlinestatic

Returns public part of SAML signing key from the client settings.

引数

client

戻り値: Public key for signature validation.

例外

VerificationException

                                                                                                        {
         return getPublicKey(new SamlClient(client).getClientSigningCertificate());
     }

◆ verifyDocumentSignature() [1/2]

static void org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature	(	ClientModel	client,
		Document	document
	)		throws VerificationException

inlinestatic

Verifies a signature of the given SAML document using settings for the given client. Throws an exception if the client signature is expected to be present as per the client settings and it is invalid, otherwise returns back to the caller.

引数

client
document

例外

VerificationException

                                                                                                                    {
         SamlClient samlClient = new SamlClient(client);
         if (!samlClient.requiresClientSignature()) {
             return;
         }
         PublicKey publicKey = getSignatureValidationKey(client);
         verifyDocumentSignature(document, new HardcodedKeyLocator(publicKey));
     }

◆ verifyDocumentSignature() [2/2]

static void org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature	(	Document	document,
		KeyLocator	keyLocator
	)		throws VerificationException

inlinestatic

Verifies a signature of the given SAML document using keys obtained from the given key locator. Throws an exception if the client signature is invalid, otherwise returns back to the caller.

引数

document
keyLocator

例外

VerificationException

                                                                                                                       {
         SAML2Signature saml2Signature = new SAML2Signature();
         try {
             if (!saml2Signature.validate(document, keyLocator)) {
                 throw new VerificationException("Invalid signature on document");
             }
         } catch (ProcessingException e) {
             throw new VerificationException("Error validating signature", e);
         }
     }

◆ verifyRedirectSignature()

static void org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature	(	SAMLDocumentHolder	documentHolder,
		KeyLocator	locator,
		UriInfo	uriInformation,
		String	paramKey
	)		throws VerificationException

inlinestatic

                                                                                                                                                                             {
         MultivaluedMap<String, String> encodedParams = uriInformation.getQueryParameters(false);
         String request = encodedParams.getFirst(paramKey);
         String algorithm = encodedParams.getFirst(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
         String signature = encodedParams.getFirst(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
         String relayState = encodedParams.getFirst(GeneralConstants.RELAY_STATE);
         String decodedAlgorithm = uriInformation.getQueryParameters(true).getFirst(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
 
         if (request == null) throw new VerificationException("SAM was null");
         if (algorithm == null) throw new VerificationException("SigAlg was null");
         if (signature == null) throw new VerificationException("Signature was null");
 
         String keyId = getMessageSigningKeyId(documentHolder.getSamlObject());
 
         // Shibboleth doesn't sign the document for redirect binding.
         // todo maybe a flag?
 
         StringBuilder rawQueryBuilder = new StringBuilder().append(paramKey).append("=").append(request);
         if (encodedParams.containsKey(GeneralConstants.RELAY_STATE)) {
             rawQueryBuilder.append("&" + GeneralConstants.RELAY_STATE + "=").append(relayState);
         }
         rawQueryBuilder.append("&" + GeneralConstants.SAML_SIG_ALG_REQUEST_KEY + "=").append(algorithm);
         String rawQuery = rawQueryBuilder.toString();
 
         try {
             byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);
 
             SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(decodedAlgorithm);
             Signature validator = signatureAlgorithm.createSignature(); // todo plugin signature alg
             Key key = locator.getKey(keyId);
             if (key instanceof PublicKey) {
                 validator.initVerify((PublicKey) key);
                 validator.update(rawQuery.getBytes("UTF-8"));
             } else {
                 throw new VerificationException("Invalid key locator for signature verification");
             }
             if (!validator.verify(decodedSignature)) {
                 throw new VerificationException("Invalid query param signature");
             }
         } catch (Exception e) {
             throw new VerificationException(e);
         }
     }

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java

静的公開メンバ関数

静的非公開メンバ関数

詳解

関数詳解

◆ getEncryptionKey()

◆ getMessageSigningKeyId()

◆ getPublicKey() [1/2]

◆ getPublicKey() [2/2]

◆ getSignatureValidationKey()

◆ verifyDocumentSignature() [1/2]

◆ verifyDocumentSignature() [2/2]

◆ verifyRedirectSignature()