SamlKeyManagerFactory.java example

Explorer
uaa-master
/*******************************************************************************
 *     Cloud Foundry
 *     Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
 *
 *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
 *     You may not use this product except in compliance with the License.
 *
 *     This product includes a number of subcomponents with
 *     separate copyright notices and license terms. Your use of these
 *     subcomponents is subject to the terms and conditions of the
 *     subcomponent's license, as noted in the LICENSE file.
 *******************************************************************************/
package org.cloudfoundry.identity.uaa.provider.saml;

import org.cloudfoundry.identity.uaa.saml.SamlKey;
import org.cloudfoundry.identity.uaa.util.KeyWithCert;
import org.cloudfoundry.identity.uaa.zone.SamlConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;

import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import static java.util.Optional.ofNullable;

public final class SamlKeyManagerFactory {

    protected final static Logger logger = LoggerFactory.getLogger(SamlKeyManagerFactory.class);

    private SamlKeyManagerFactory() {}

    public static KeyManager getKeyManager(SamlConfig config) {
        return getKeyManager(config.getKeys(), config.getActiveKeyId());
    }

    private static KeyManager getKeyManager(Map<String, SamlKey> keys, String activeKeyId) {
        SamlKey activeKey = keys.get(activeKeyId);

        if (activeKey == null) {
            return null;
        }

        try {
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(null);
            Map<String, String> aliasPasswordMap = new HashMap<>();
            for (Map.Entry<String, SamlKey> entry : keys.entrySet()) {
                String password = ofNullable(entry.getValue().getPassphrase()).orElse("");
                KeyWithCert keyWithCert = entry.getValue().getKey() == null ?
                    new KeyWithCert(entry.getValue().getCertificate()) :
                    new KeyWithCert(entry.getValue().getKey(), password, entry.getValue().getCertificate());

                X509Certificate cert = keyWithCert.getCert();


                String alias = entry.getKey();
                keystore.setCertificateEntry(alias, cert);
                if (keyWithCert.getPkey()!=null) {
                    KeyPair pkey = keyWithCert.getPkey();
                    keystore.setKeyEntry(alias, pkey.getPrivate(), password.toCharArray(), new Certificate[]{cert});
                    aliasPasswordMap.put(alias, password);
                }
            }


            JKSKeyManager keyManager = new JKSKeyManager(keystore, aliasPasswordMap, activeKeyId);

            if (null == keyManager) {
                throw new IllegalArgumentException(
                        "Could not load service provider certificate. Check serviceProviderKey and certificate parameters");
            }

            logger.info("Loaded service provider certificate " + keyManager.getDefaultCredentialName());

            return keyManager;
        } catch (Throwable t) {
            logger.error("Could not load certificate", t);
            throw new IllegalArgumentException(
                    "Could not load service provider certificate. Check serviceProviderKey and certificate parameters",
                    t);
        }
    }
}