genexuslabs · sgrampone · Aug 1, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 13, 2025
diff --git a/gamsaml20/pom.xml b/gamsaml20/pom.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.genexus</groupId>
+        <artifactId>parent</artifactId>
+        <version>${revision}${changelist}</version>
+    </parent>
+
+    <artifactId>gamsaml20</artifactId>
+    <name>GAM Saml 2.0 EO</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.78.1</version>
+            <scope>compile</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>${log4j.version}</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.santuario</groupId>
+            <artifactId>xmlsec</artifactId>
+            <version>3.0.3</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.11.0</version>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <finalName>gamsaml20</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.0</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>3.1.1</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>test-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+
+    </build>
+
+</project>
diff --git a/gamsaml20/src/main/java/com/genexus/saml20/Binding.java b/gamsaml20/src/main/java/com/genexus/saml20/Binding.java
@@ -0,0 +1,29 @@
+package com.genexus.saml20;
+
+import com.genexus.saml20.utils.SamlAssertionUtils;
+
+@SuppressWarnings("unused")
+public abstract class Binding {
+
+	abstract void init(String input);
+
+	static String login(SamlParms parms, String relayState) {
+		return "";
+	}
+
+	static String logout(SamlParms parms, String relayState) {
+		return "";
+	}
+
+	abstract boolean verifySignatures(SamlParms parms);
+
+	abstract String getLoginAssertions();
+
+	abstract String getLoginAttribute(String name);
+
+	abstract String getRoles(String name);
+
+	abstract String getLogoutAssertions();
+
+	abstract boolean isLogout();
+}
diff --git a/gamsaml20/src/main/java/com/genexus/saml20/PostBinding.java b/gamsaml20/src/main/java/com/genexus/saml20/PostBinding.java
@@ -0,0 +1,73 @@
+package com.genexus.saml20;
+
+import com.genexus.saml20.utils.DSig;
+import com.genexus.saml20.utils.Encoding;
+import com.genexus.saml20.utils.SamlAssertionUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.w3c.dom.Document;
+
+import java.text.MessageFormat;
+
+@SuppressWarnings("unused")
+public class PostBinding extends Binding {
+
+	private static final Logger logger = LogManager.getLogger(PostBinding.class);
+
+	private Document xmlDoc;
+
+	public PostBinding() {
+		logger.trace("PostBinding constructor");
+		xmlDoc = null;
+	}
+	// EXTERNAL OBJECT PUBLIC METHODS  - BEGIN
+
+
+	public void init(String xml) {
+		logger.trace("init");
+		this.xmlDoc = SamlAssertionUtils.canonicalizeXml(xml);
+		logger.debug(MessageFormat.format("Init - XML IdP response: {0}", Encoding.documentToString(xmlDoc)));
+	}
+
+	public static String login(SamlParms parms, String relayState) {
+		//not implemented yet
+		logger.error("login - NOT IMPLEMENTED");
+		return "";
+	}
+
+	public static String logout(SamlParms parms, String relayState) {
+		//not implemented yet
+		logger.error("logout - NOT IMPLEMENTED");
+		return "";
+	}
+
+	public boolean verifySignatures(SamlParms parms) {
+		return DSig.validateSignatures(this.xmlDoc, parms.getTrustCertPath(), parms.getTrustCertAlias(), parms.getTrustCertPass());
+	}
+
+	public String getLoginAssertions() {
+		logger.trace("getLoginAssertions");
+		return SamlAssertionUtils.getLoginInfo(this.xmlDoc);
+	}
+
+	public String getLogoutAssertions() {
+		logger.trace("getLogoutAssertions");
+		return SamlAssertionUtils.getLogoutInfo(this.xmlDoc);
+	}
+
+	public String getLoginAttribute(String name) {
+		logger.trace("getLoginAttribute");
+		return SamlAssertionUtils.getLoginAttribute(this.xmlDoc, name).trim();
+	}
+
+	public String getRoles(String name) {
+		logger.debug("getRoles");
+		return SamlAssertionUtils.getRoles(this.xmlDoc, name);
+	}
+
+	public boolean isLogout(){
+		return SamlAssertionUtils.isLogout(this.xmlDoc);
+	}
+
+	// EXTERNAL OBJECT PUBLIC METHODS  - END
+}
diff --git a/gamsaml20/src/main/java/com/genexus/saml20/RedirectBinding.java b/gamsaml20/src/main/java/com/genexus/saml20/RedirectBinding.java
@@ -0,0 +1,200 @@
+package com.genexus.saml20;
+
+import com.genexus.saml20.utils.*;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.bouncycastle.crypto.Signer;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.signers.RSADigestSigner;
+import org.bouncycastle.util.encoders.Base64;
+import org.w3c.dom.Document;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.HashMap;
+import java.util.Map;
+
+@SuppressWarnings("unused")
+public class RedirectBinding extends Binding {
+
+	private static final Logger logger = LogManager.getLogger(RedirectBinding.class);
+
+	private Document xmlDoc;
+	private Map<String, String> redirectMessage;
+
+	// EXTERNAL OBJECT PUBLIC METHODS  - BEGIN
+
+
+	public RedirectBinding() {
+		logger.trace("RedirectBinding constructor");
+	}
+
+	public void init(String queryString) {
+		logger.trace("init");
+		logger.debug(MessageFormat.format("init - queryString : {0}", queryString));
+		this.redirectMessage = parseRedirect(queryString);
+		String xml = Encoding.decodeAndInflateXmlParameter(this.redirectMessage.get("SAMLResponse"));
+		logger.debug("init - inflated xml: {0}", xml);
+		this.xmlDoc = SamlAssertionUtils.canonicalizeXml(xml);
+		logger.debug(MessageFormat.format("init - XML IdP response: {0}", Encoding.documentToString(xmlDoc)));
+	}
+
+
+	public static String login(SamlParms parms, String relayState) {
+		Document request = SamlAssertionUtils.createLoginRequest(parms.getId(), parms.getEndPointLocation(), parms.getAcs(), parms.getIdentityProviderEntityID(), parms.getPolicyFormat(), parms.getAuthnContext(), parms.getServiceProviderEntityID(), parms.getForceAuthn());
+		return generateQuery(request, parms.getEndPointLocation(), parms.getCertPath(), parms.getCertPass(), parms.getCertAlias(), relayState);
+	}
+
+	public static String logout(SamlParms parms, String relayState) {
+		Document request = SamlAssertionUtils.createLogoutRequest(parms.getId(), parms.getServiceProviderEntityID(), parms.getNameID(), parms.getSessionIndex(), parms.getSingleLogoutEndpoint());
+		return generateQuery(request, parms.getSingleLogoutEndpoint(), parms.getCertPath(), parms.getCertPass(), parms.getCertAlias(), relayState);
+	}
+
+	public boolean verifySignatures(SamlParms parms) {
+		logger.debug("verifySignatures");
+
+		try {
+			return verifySignature_internal(parms.getTrustCertPath(), parms.getTrustCertPass(), parms.getTrustCertAlias());
+		} catch (Exception e) {
+			logger.error("verifySignature", e);
+			return false;
+		}
+	}
+
+	public String getLogoutAssertions() {
+		logger.trace("getLogoutAssertions");
+		return SamlAssertionUtils.getLogoutInfo(this.xmlDoc);
+	}
+
+	public String getRelayState() {
+		logger.trace("getRelayState");
+		try {
+			return this.redirectMessage.get("RelayState") == null ? "" : URLDecoder.decode(this.redirectMessage.get("RelayState"), StandardCharsets.UTF_8.name());
+		} catch (Exception e) {
+			logger.error("getRelayState", e);
+			return "";
+		}
+	}
+
+	public String getLoginAssertions() {
+		//Getting user's data by URL parms (GET) is deemed insecure so we are not implementing this method for redirect binding
+		logger.error("getLoginAssertions - NOT IMPLEMENTED insecure SAML implementation");
+		return "";
+	}
+
+	public String getRoles(String name) {
+		//Getting user's data by URL parms (GET) is deemed insecure so we are not implementing this method for redirect binding
+		logger.error("getRoles - NOT IMPLEMENTED insecure SAML implementation");
+		return "";
+	}
+
+	public String getLoginAttribute(String name) {
+		//Getting user's data by URL parms (GET) is deemed insecure so we are not implementing this method for redirect binding
+		logger.error("getLoginAttribute - NOT IMPLEMENTED insecure SAML implementation");
+		return "";
+	}
+
+	public boolean isLogout(){
+		return SamlAssertionUtils.isLogout(this.xmlDoc);
+	}
+
+	// EXTERNAL OBJECT PUBLIC METHODS  - END
+
+	private boolean verifySignature_internal(String certPath, String certPass, String certAlias) {
+		logger.trace("verifySignature_internal");
+
+		byte[] signature = Encoding.decodeParameter(this.redirectMessage.get("Signature"));
+
+		String signedMessage;
+		if (this.redirectMessage.containsKey("RelayState")) {
+			signedMessage = MessageFormat.format("SAMLResponse={0}", this.redirectMessage.get("SAMLResponse"));
+			signedMessage += MessageFormat.format("&RelayState={0}", this.redirectMessage.get("RelayState"));
+			signedMessage += MessageFormat.format("&SigAlg={0}", this.redirectMessage.get("SigAlg"));
+		} else {
+			signedMessage = MessageFormat.format("SAMLResponse={0}", this.redirectMessage.get("SAMLResponse"));
+			signedMessage += MessageFormat.format("&SigAlg={0}", this.redirectMessage.get("SigAlg"));
+		}
+
+		byte[] query = signedMessage.getBytes(StandardCharsets.UTF_8);
+
+		X509Certificate cert = Keys.loadCertificate(certPath, certAlias, certPass);
+
+		try (InputStream inputStream = new ByteArrayInputStream(query)) {
+			String sigalg = URLDecoder.decode(this.redirectMessage.get("SigAlg"), StandardCharsets.UTF_8.name());
+			RSADigestSigner signer = new RSADigestSigner(Hash.getDigest(Hash.getHashFromSigAlg(sigalg)));
+			setUpSigner(signer, inputStream, Keys.getAsymmetricKeyParameter(cert), false);
+			return signer.verifySignature(signature);
+		} catch (Exception e) {
+			logger.error("verifySignature_internal", e);
+			return false;
+		}
+	}
+
+	private static Map<String, String> parseRedirect(String request) {
+		logger.trace("parseRedirect");
+		Map<String, String> result = new HashMap<>();
+		String[] redirect = request.split("&");
+
+		for (String s : redirect) {
+			String[] res = s.split("=");
+			result.put(res[0], res[1]);
+		}
+		return result;
+	}
+
+	private static String generateQuery(Document request, String destination, String certPath, String certPass, String alias, String relayState) {
+		logger.trace("generateQuery");
+		try {
+			String samlRequestParameter = Encoding.delfateAndEncodeXmlParameter(Encoding.documentToString(request));
+			String relayStateParameter = URLEncoder.encode(relayState, StandardCharsets.UTF_8.name());
+			Hash hash = Keys.isBase64(certPath) ? Hash.getHash(certPass.toUpperCase().trim()) : Hash.getHash(Keys.getHash(certPath, alias, certPass));
+
+			String sigAlgParameter = URLEncoder.encode(Hash.getSigAlg(hash), StandardCharsets.UTF_8.name());
+			String query = MessageFormat.format("SAMLRequest={0}&RelayState={1}&SigAlg={2}", samlRequestParameter, relayStateParameter, sigAlgParameter);
+			String signatureParameter = URLEncoder.encode(signRequest_RedirectBinding(query, certPath, certPass, hash, alias), StandardCharsets.UTF_8.name());
+
+			query += MessageFormat.format("&Signature={0}", signatureParameter);
+
+			logger.debug(MessageFormat.format("generateQuery - query: {0}", query));
+			return MessageFormat.format("{0}?{1}", destination, query);
+		} catch (Exception e) {
+			logger.error("generateQuery", e);
+			return "";
+		}
+
+	}
+
+	private static String signRequest_RedirectBinding(String query, String path, String password, Hash hash, String alias) {
+		logger.trace("signRequest_RedirectBinding");
+		RSADigestSigner signer = new RSADigestSigner(Hash.getDigest(hash));
+		byte[] inputText = query.getBytes(StandardCharsets.UTF_8);
+		try (InputStream inputStream = new ByteArrayInputStream(inputText)) {
+			setUpSigner(signer, inputStream, Keys.loadPrivateKey(path, alias, password), true);
+			byte[] outputBytes = signer.generateSignature();
+			return Base64.toBase64String(outputBytes);
+		} catch (Exception e) {
+			logger.error("signRequest_RedirectBinding", e);
+			return "";
+		}
+	}
+
+	private static void setUpSigner(Signer signer, InputStream input, AsymmetricKeyParameter asymmetricKeyParameter,
+									boolean toSign) {
+		logger.trace("setUpSigner");
+		byte[] buffer = new byte[8192];
+		int n;
+		try {
+			signer.init(toSign, asymmetricKeyParameter);
+			while ((n = input.read(buffer)) > 0) {
+				signer.update(buffer, 0, n);
+			}
+		} catch (Exception e) {
+			logger.error("setUpSigner", e);
+		}
+	}
+}