swedenconnect / opensaml-security-ext Goto Github PK

View Code? Open in Web Editor NEW

5.0 11.0 4.0 2.94 MB

Security and crypto extensions to OpenSAML

License: Apache License 2.0

Java 100.00%

opensaml

opensaml-security-ext's Introduction

opensaml-security-ext

Security extensions for OpenSAML

The opensaml-security-ext was originally created to introduce algorithm support that was missing from OpenSAML. Now, when OpenSAML 5.x has implemented all these algorithm, the library has been reduced to implement a workaround for using RSA-OAEP and RSA-PSS with HSM protected keys since the Sun PKCS#11 provider does not support RSA-OAEP and RSA-PSS padding.

Well, not only. The library also offers some utility methods for encryption/decryption and signing as well as initializing and security configuration helpers.

Java API documentation of the opensaml-security-ext library is found here.

Maven and opensaml-security-ext

The opensaml-security-ext project artifacts are published to Maven central.

Include the following snippet in your Maven POM to add opensaml-security-ext as a dependency for your project.

<dependency>
  <groupId>se.swedenconnect.opensaml</groupId>
  <artifactId>opensaml-security-ext</artifactId>
  <version>${opensaml-security-ext.version}</version>
</dependency>

Initializing support

OpenSAML needs to be initialized in order to function. The opensaml-security-ext provides the singleton class OpenSAMLInitializer for this purpose.

One or more OpenSAMLInitializerConfig instances may be supplied as arguments to the OpenSAMLInitializer.initialize method in order to add customized configuration.

In order to utilize the extensions from this library, the OpenSAMLSecurityExtensionConfig should be supplied in the initialize-call.

It is also possible to configure other algorithm defaults than what is the OpenSAML defaults. This is done by using the OpenSAMLSecurityDefaultsConfig class that takes a SecurityConfiguration instance. In the example below the security configuration is set up according to SAML2Int.

// Initialize OpenSAML and the security extensions.
// We also configure algorithm defaults according to SAML2Int ...
//
OpenSAMLInitializer.getInstance().initialize(
  new OpenSAMLSecurityDefaultsConfig(new SAML2IntSecurityConfiguration()),
  new OpenSAMLSecurityExtensionConfig());

For our test cases we had to add the Bouncy Castle crypto provider manually in order to implement ECDH. It should be sufficient to have it in the class path, but to be safe, the preInitialize method of the OpenSAMLSecurityExtensionConfig checks whether this provider is installed and does so if it isn't already installed.

Note: The eidas-opensaml library uses opensaml-security-ext. It defines SecurityConfiguration classes for eIDAS security configuration, one "strict" will small chances of interoperability and one "relaxed" that will actually work against a node using the CEF-software.

Workarounds for the Sun PKCS#11 provider

The standard Sun Java PKCS#11 provider does not support RSA-OAEP decryption which is a problem if the decryption key is stored in a HSM accessed through a PKCS#11 API. See this Stack Overflow article.

The Pkcs11Decrypter extends OpenSAML's Decrypter implementation with a work-around for this problem. This work-around comprises of:

Performing a raw RSA decryption on the encrypted data.
Performing OAEP padding processing on the decrypted data outside of the HSM to extract the decrypted plaintext.

Furthermore, the Sun PKCS#11 provider does not implement PSS-padding, making it impossible to sign using RSA-PSS if the signing key is stored on a HSM and the Sun PKCS#11 provider is used. The opensaml-security-ext library solves this by overriding OpenSAML's standard SignerProvider (ApacheSantuarioSignerProviderImpl) with an extension, ExtendedSignerProvider. This extension handles padding in software and only the raw RSA transform is performed on the HSM.

By adding the opensaml-security-ext library to your classpath, the ExtendedSignerProvider will be made the default OpenSAML signer provider, and when RSA-PSS signing is ordered and the current crypto provider is the Sun PKCS#11 provider, the above described workaround will kick in. Otherwise, the default provider handles the operation.

If you, for some reason, want to disable the ExtendedSignerProvider functionality, set the system property se.swedenconnect.opensaml.xmlsec.signature.support.provider.ExtendedSignerProvider.disabled to true. You can also force the provider to execute all RSA-based signatures by setting the property se.swedenconnect.opensaml.xmlsec.signature.support.provider.ExtendedSignerProvider.testmode to true. This is for testing purposes.

opensaml-security-ext's People

Contributors

Stargazers

Watchers

Forkers

zhiqinghuang azure-hu bussef pkoenig10

opensaml-security-ext's Issues

Add support for RSA-PSS to OpenSAML

The eIDAS crypto specifications mandate that RSA-PSS is supported. We should add support for http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1, http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1 and http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1.

See
2019_05_21_eIDAS Crypto Requirements_v1.2_Final2.pdf.

Incompatibility with Java 17.0.10

When using Java 17.0.10 and a PKCS11 HSM, signatures can no longer be created. This is a stacktrace from the German eIDAS Middleware when it tries to sign the metadata:

2024-03-11T13:50:35.518Z ERROR 7 --- [nio-8443-exec-1] d.g.e.e.MetadataServiceImpl              : Cannot create metadata for this middleware
 org.opensaml.xmlsec.signature.support.SignatureException: Signature computation error
 	at org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:67) ~[opensaml-xmlsec-impl-5.0.0.jar!/:?]
 	at se.swedenconnect.opensaml.xmlsec.signature.support.provider.ExtendedSignerProvider.signObject(ExtendedSignerProvider.java:111) ~[opensaml-security-ext-4.0.0.jar!/:?]
 	at org.opensaml.xmlsec.signature.support.Signer.signObjects(Signer.java:64) ~[opensaml-xmlsec-api-5.0.0.jar!/:?]
 	at de.governikus.eumw.eidasstarterkit.EidasMetadataService.generate(EidasMetadataService.java:438) ~[eidas-starterkit-3.2.1-SNAPSHOT.jar!/:?]
 	at de.governikus.eumw.eidasstarterkit.EidasSaml.createMetaDataService(EidasSaml.java:342) ~[eidas-starterkit-3.2.1-SNAPSHOT.jar!/:?]
 	at de.governikus.eumw.eidasmiddleware.MetadataServiceImpl.getMetadata(MetadataServiceImpl.java:98) ~[classes!/:?]
 	at de.governikus.eumw.eidasmiddleware.controller.Metadata.sendMetadata(Metadata.java:61) ~[classes!/:?]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
 	at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
 	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) ~[spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:118) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:884) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1081) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:527) ~[jakarta.servlet-api-6.0.0.jar!/:6.0.0]
 	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614) ~[jakarta.servlet-api-6.0.0.jar!/:6.0.0]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-embed-websocket-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at de.governikus.eumw.eidasmiddleware.projectconfig.PortFilter.doFilterInternal(PortFilter.java:71) ~[classes!/:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.14.jar!/:6.0.14]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.springframework.web.servlet.resource.ResourceUrlEncodingFilter.doFilter(ResourceUrlEncodingFilter.java:66) ~[spring-webmvc-6.0.14.jar!/:6.0.14]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.16.jar!/:?]
 	at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) ~[spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) [spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) [spring-security-web-6.1.5.jar!/:6.1.5]
 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [tomcat-embed-core-10.1.16.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) [spring-web-6.0.14.jar!/:6.0.14]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [tomcat-embed-core-10.1.16.jar!/:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-6.0.14.jar!/:6.0.14]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) [spring-web-6.0.14.jar!/:6.0.14]
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) [tomcat-embed-core-10.1.16.jar!/:?]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:735) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) [tomcat-embed-core-10.1.16.jar!/:?]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) [tomcat-embed-core-10.1.16.jar!/:?]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) [tomcat-embed-core-10.1.16.jar!/:?]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-10.1.16.jar!/:?]
 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-10.1.16.jar!/:?]
 	at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
 Caused by: org.apache.xml.security.signature.XMLSignatureException: Supplied key is not a RSAPrivateKey instance
 	at org.apache.xml.security.algorithms.SignatureAlgorithmSpi.engineInitSign(SignatureAlgorithmSpi.java:217) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:131) ~[xmlsec-4.0.0.jar!/:4.0.0]
	at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:137) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:274) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:794) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:64) ~[opensaml-xmlsec-impl-5.0.0.jar!/:?]
 	... 99 more
Caused by: java.security.InvalidKeyException: Supplied key is not a RSAPrivateKey instance
 	at org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi.engineInitSign(Unknown Source) ~[bcprov-jdk18on-1.77.jar!/:1.77.00.0]
 	at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1370) ~[?:?]
 	at java.base/java.security.Signature.initSign(Signature.java:635) ~[?:?]
 	at org.apache.xml.security.algorithms.SignatureAlgorithmSpi.engineInitSign(SignatureAlgorithmSpi.java:212) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:131) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:137) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:274) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:794) ~[xmlsec-4.0.0.jar!/:4.0.0]
 	at org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:64) ~[opensaml-xmlsec-impl-5.0.0.jar!/:?]
 	... 99 more

We suspect this is because of this change introduced in Java 17.0.10: openjdk/jdk17u-dev@9165f77

We verified that that it is working with Java 17.0.8.1, we did not test with 17.0.9.

Upgrade to OpenSAML 3.4.3

The current version has dependencies to OpenSAML 3.4.2. We should update to OpenSAML 3.4.3.

Remove registration of named curves

OpenSAML 5 (opensaml-security-api) has support for these ...

eIDAS and ECDH support

Some additions should be made to enhance support for eIDAS usage as well as for generic ECDH support.

One of the issues with ECDH is that default OpenSAML implementation fails unless recipient metadata contains explicit list of key wrap algorithm. Just providing a list of data encryption algorithms is not sufficient. This can be fixed by amending the encryption configuration, but this is a bit tricky.

The following should be done

Add unit tests for ECDH
Add generic encryption configuration help for peers with absent key wrap configuration in metadata
Add encryption configuration profile for eIDAS that complies with the eIDAS algorithm requirements

Upgrade to OpenSAML 5.1.2

Upgrade to OpenSAML 5.1.2.

Make a version for OpenSAML 4

OpenSAML 3.X is end-of-life 31/12 2020, so we should introduce a version for OpenSAML 4.

Since OpenSAML 3 will be used for a while longer, we'll create the opensaml4 branch in which we support OpenSAML 4 (until OpenSAML 3 is retired).

Change ConcatKDFParamaters to work with unpadded bit data

Currently, the ConcatKDFParameters class assumes that the parameters it receives in its ctor and setters are padded according to the rules for ConcatKDF. We should change this ...

Security bootstrap classes for SAML2Int and eIDAS

SAML2Int and eIDAS suggest default algorithms for signing and encryption. OpenSAML's DefaultSecurityConfigurationBootstrap class declares OpenSAML-defaults. We should make corresponding classes for SAML2Int and eIDAS.

Wrong RSA mode in RSA-PSS implementation for HSM

RSA mode used for RSS-PSS signing operation is using RSA Encrypt mode.

This works with SoftHSM but recent tests has demonstrated problem with other HSM vendors. This is caused by the fact that encrypt operation is the operation of RSA using the public key while decrypt is the equivalent operation with the private key. Since signing is an operation with the private key, the raw RSA transform must be done in decrypt mode.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

Jobs

Jooble