Add support for SSL bundles in SAML2 signing auto-configuration

Author: scottfrederick

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java

@@ -32,6 +32,7 @@
  * @author Phillip Webb
  * @author Moritz Halbritter
  * @author Lasse Wulff
+ * @author Scott Frederick
  * @since 2.2.0
  */
 @ConfigurationProperties("spring.security.saml2.relyingparty")
@@ -173,6 +174,12 @@ public static class Credential {
 				 */
 				private Resource certificateLocation;
 
+				/**
+				 * SSL bundle providing a private key used for signing and a Relying Party
+				 * X509Certificate shared with the identity provider.
+				 */
+				private Bundle bundle;
+
 				public Resource getPrivateKeyLocation() {
 					return this.privateKeyLocation;
 				}
@@ -189,6 +196,14 @@ public void setCertificateLocation(Resource certificate) {
 					this.certificateLocation = certificate;
 				}
 
+				public Bundle getBundle() {
+					return this.bundle;
+				}
+
+				public void setBundle(Bundle bundle) {
+					this.bundle = bundle;
+				}
+
 			}
 
 		}
@@ -222,6 +237,12 @@ public static class Credential {
 			 */
 			private Resource certificateLocation;
 
+			/**
+			 * SSL bundle providing a private key used for decrypting and a Relying Party
+			 * X509Certificate shared with the identity provider.
+			 */
+			private Bundle bundle;
+
 			public Resource getPrivateKeyLocation() {
 				return this.privateKeyLocation;
 			}
@@ -238,6 +259,14 @@ public void setCertificateLocation(Resource certificate) {
 				this.certificateLocation = certificate;
 			}
 
+			public Bundle getBundle() {
+				return this.bundle;
+			}
+
+			public void setBundle(Bundle bundle) {
+				this.bundle = bundle;
+			}
+
 		}
 
 	}
@@ -367,6 +396,12 @@ public static class Credential {
 				 */
 				private Resource certificate;
 
+				/**
+				 * SSL bundle providing the X.509 certificate used for verification of
+				 * incoming SAML messages.
+				 */
+				private Bundle bundle;
+
 				public Resource getCertificateLocation() {
 					return this.certificate;
 				}
@@ -375,6 +410,14 @@ public void setCertificateLocation(Resource certificate) {
 					this.certificate = certificate;
 				}
 
+				public Bundle getBundle() {
+					return this.bundle;
+				}
+
+				public void setBundle(Bundle bundle) {
+					this.bundle = bundle;
+				}
+
 			}
 
 		}
@@ -427,4 +470,33 @@ public void setBinding(Saml2MessageBinding binding) {
 
 	}
 
+	public static class Bundle {
+
+		/**
+		 * Name of the SSL bundle.
+		 */
+		private String name;
+
+		/**
+		 * Alias for the certificate to use from the SSL bundle.
+		 */
+		private String alias;
+
+		public String getName() {
+			return this.name;
+		}
+
+		public void setName(String name) {
+			this.name = name;
+		}
+
+		public String getAlias() {
+			return this.alias;
+		}
+
+		public void setAlias(String alias) {
+			this.alias = alias;
+		}
+	}
+
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java

@@ -17,6 +17,11 @@
 package org.springframework.boot.autoconfigure.security.saml2;
 
 import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
@@ -25,13 +30,18 @@
 import java.util.Map;
 import java.util.function.Consumer;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty.Verification;
+import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Bundle;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Decryption;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration;
-import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration.Signing;
+import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration.Signing.Credential;
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslBundleKey;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
@@ -57,27 +67,29 @@
  * @author Moritz Halbritter
  * @author Lasse Lindqvist
  * @author Lasse Wulff
+ * @author Scott Frederick
  */
 @Configuration(proxyBeanMethods = false)
 @Conditional(RegistrationConfiguredCondition.class)
 @ConditionalOnMissingBean(RelyingPartyRegistrationRepository.class)
 class Saml2RelyingPartyRegistrationConfiguration {
 
 	@Bean
-	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(Saml2RelyingPartyProperties properties) {
+	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(Saml2RelyingPartyProperties properties,
+			ObjectProvider<SslBundles> sslBundles) {
 		List<RelyingPartyRegistration> registrations = properties.getRegistration()
 			.entrySet()
 			.stream()
-			.map(this::asRegistration)
+			.map((entry) -> asRegistration(entry, sslBundles.getIfAvailable()))
 			.toList();
 		return new InMemoryRelyingPartyRegistrationRepository(registrations);
 	}
 
-	private RelyingPartyRegistration asRegistration(Map.Entry<String, Registration> entry) {
-		return asRegistration(entry.getKey(), entry.getValue());
+	private RelyingPartyRegistration asRegistration(Map.Entry<String, Registration> entry, SslBundles sslBundles) {
+		return asRegistration(entry.getKey(), entry.getValue(), sslBundles);
 	}
 
-	private RelyingPartyRegistration asRegistration(String id, Registration properties) {
+	private RelyingPartyRegistration asRegistration(String id, Registration properties, SslBundles sslBundles) {
 		boolean usingMetadata = StringUtils.hasText(properties.getAssertingparty().getMetadataUri());
 		Builder builder = (!usingMetadata) ? RelyingPartyRegistration.withRegistrationId(id)
 				: createBuilderUsingMetadata(properties.getAssertingparty()).registrationId(id);
@@ -87,19 +99,19 @@ private RelyingPartyRegistration asRegistration(String id, Registration properti
 		builder.signingX509Credentials((credentials) -> properties.getSigning()
 			.getCredentials()
 			.stream()
-			.map(this::asSigningCredential)
+			.map((signing) -> asSigningCredential(signing, sslBundles))
 			.forEach(credentials::add));
 		builder.decryptionX509Credentials((credentials) -> properties.getDecryption()
 			.getCredentials()
 			.stream()
-			.map(this::asDecryptionCredential)
+			.map((decryption) -> asDecryptionCredential(decryption, sslBundles))
 			.forEach(credentials::add));
 		builder.assertingPartyDetails(
 				(details) -> details.verificationX509Credentials((credentials) -> properties.getAssertingparty()
 					.getVerification()
 					.getCredentials()
 					.stream()
-					.map(this::asVerificationCredential)
+					.map((verification) -> asVerificationCredential(verification, sslBundles))
 					.forEach(credentials::add)));
 		builder.singleLogoutServiceLocation(properties.getSinglelogout().getUrl());
 		builder.singleLogoutServiceResponseLocation(properties.getSinglelogout().getResponseUrl());
@@ -150,19 +162,37 @@ private void validateSigningCredentials(Registration properties, boolean signReq
 		}
 	}
 
-	private Saml2X509Credential asSigningCredential(Signing.Credential properties) {
+	private Saml2X509Credential asSigningCredential(Credential properties, SslBundles sslBundles) {
+		Bundle sslBundle = properties.getBundle();
+		if (sslBundle != null) {
+			PrivateKey privateKey = getPrivateKey(sslBundle.getName(), sslBundles);
+			X509Certificate certificate = getCertificate(sslBundle, sslBundles);
+			return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.SIGNING);
+		}
 		RSAPrivateKey privateKey = readPrivateKey(properties.getPrivateKeyLocation());
 		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
 		return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.SIGNING);
 	}
 
-	private Saml2X509Credential asDecryptionCredential(Decryption.Credential properties) {
+	private Saml2X509Credential asDecryptionCredential(Decryption.Credential properties, SslBundles sslBundles) {
+		Bundle sslBundle = properties.getBundle();
+		if (sslBundle != null) {
+			PrivateKey privateKey = getPrivateKey(sslBundle.getName(), sslBundles);
+			X509Certificate certificate = getCertificate(sslBundle, sslBundles);
+			return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.DECRYPTION);
+		}
 		RSAPrivateKey privateKey = readPrivateKey(properties.getPrivateKeyLocation());
 		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
 		return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.DECRYPTION);
 	}
 
-	private Saml2X509Credential asVerificationCredential(Verification.Credential properties) {
+	private Saml2X509Credential asVerificationCredential(Verification.Credential properties, SslBundles sslBundles) {
+		Bundle sslBundle = properties.getBundle();
+		if (sslBundle != null) {
+			X509Certificate certificate = getCertificate(sslBundle, sslBundles);
+			return new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
+					Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
+		}
 		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
 		return new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
 				Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
@@ -190,4 +220,35 @@ private X509Certificate readCertificate(Resource location) {
 		}
 	}
 
+	private PrivateKey getPrivateKey(String sslBundle, SslBundles sslBundles) {
+		try {
+			SslBundle bundle = sslBundles.getBundle(sslBundle);
+			SslBundleKey key = bundle.getKey();
+			KeyStore keyStore = bundle.getStores().getKeyStore();
+			Key privateKey = keyStore.getKey(key.getAlias(), key.getPassword().toCharArray());
+			Assert.notNull(privateKey,
+					"Private key with alias '" + key.getAlias() + "' was not found in SSL bundle '" + sslBundle + "'");
+			Assert.isInstanceOf(PrivateKey.class, privateKey);
+			return (PrivateKey) privateKey;
+		}
+		catch (GeneralSecurityException ex) {
+			throw new IllegalStateException("Error getting private key from SSL bundle '" + sslBundle + "'", ex);
+		}
+	}
+
+	private X509Certificate getCertificate(Bundle sslBundle, SslBundles sslBundles) {
+		try {
+			SslBundle bundle = sslBundles.getBundle(sslBundle.getName());
+			KeyStore keyStore = bundle.getStores().getKeyStore();
+			Certificate certificate = keyStore.getCertificate(sslBundle.getAlias());
+			Assert.notNull(certificate, "Certificate with alias '" + sslBundle.getAlias()
+					+ "' was not found in SSL bundle '" + sslBundle + "'");
+			Assert.isInstanceOf(X509Certificate.class, certificate);
+			return (X509Certificate) certificate;
+		}
+		catch (GeneralSecurityException ex) {
+			throw new IllegalStateException("Error getting certificate from SSL bundle '" + sslBundle + "'", ex);
+		}
+	}
+
 }

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
@@ -58,13 +59,14 @@
  * @author Madhura Bhave
  * @author Moritz Halbritter
  * @author Lasse Lindqvist
+ * @author Scott Frederick
  */
 class Saml2RelyingPartyAutoConfigurationTests {
 
 	private static final String PREFIX = "spring.security.saml2.relyingparty.registration";
 
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
-			AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class, SecurityAutoConfiguration.class));
+			AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class, SecurityAutoConfiguration.class, SslAutoConfiguration.class));
 
 	@Test
 	void autoConfigurationShouldBeConditionalOnRelyingPartyRegistrationRepositoryClass() {
@@ -122,6 +124,40 @@ void relyingPartyRegistrationRepositoryBeanShouldBeCreatedWhenPropertiesPresent(
 		});
 	}
 
+	@Test
+	void relyingPartyRegistrationRepositoryBeanShouldBeCreatedWhenPropertiesPresentWithSslBundles() {
+		this.contextRunner.withPropertyValues(getPropertyValuesWithSslBundles()).run((context) -> {
+			RelyingPartyRegistrationRepository repository = context.getBean(RelyingPartyRegistrationRepository.class);
+			RelyingPartyRegistration registration = repository.findByRegistrationId("foo");
+
+			assertThat(registration.getAssertingPartyDetails().getSingleSignOnServiceLocation())
+				.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php");
+			assertThat(registration.getAssertingPartyDetails().getEntityId())
+				.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php");
+			assertThat(registration.getAssertionConsumerServiceLocation())
+				.isEqualTo("{baseUrl}/login/saml2/foo-entity-id");
+			assertThat(registration.getAssertionConsumerServiceBinding()).isEqualTo(Saml2MessageBinding.REDIRECT);
+			assertThat(registration.getAssertingPartyDetails().getSingleSignOnServiceBinding())
+				.isEqualTo(Saml2MessageBinding.POST);
+			assertThat(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()).isFalse();
+			assertThat(registration.getSigningX509Credentials()).hasSize(1);
+			assertThat(registration.getDecryptionX509Credentials()).hasSize(1);
+			assertThat(registration.getAssertingPartyDetails().getVerificationX509Credentials()).isNotNull();
+			assertThat(registration.getEntityId()).isEqualTo("{baseUrl}/saml2/foo-entity-id");
+			assertThat(registration.getSingleLogoutServiceLocation())
+				.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SLOService.php");
+			assertThat(registration.getSingleLogoutServiceResponseLocation())
+				.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/");
+			assertThat(registration.getSingleLogoutServiceBinding()).isEqualTo(Saml2MessageBinding.POST);
+			assertThat(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation())
+				.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SLOService.php");
+			assertThat(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation())
+				.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/");
+			assertThat(registration.getAssertingPartyDetails().getSingleLogoutServiceBinding())
+				.isEqualTo(Saml2MessageBinding.POST);
+		});
+	}
+
 	@Test
 	void autoConfigurationWhenSignRequestsTrueAndNoSigningCredentialsShouldThrowException() {
 		this.contextRunner.withPropertyValues(getPropertyValuesWithoutSigningCredentials(true)).run((context) -> {
@@ -325,6 +361,32 @@ private String[] getPropertyValues() {
 				PREFIX + ".foo.acs.binding=redirect" };
 	}
 
+	private String[] getPropertyValuesWithSslBundles() {
+		return new String[] { "spring.ssl.bundle.pem.saml.key.alias=key-alias",
+				"spring.ssl.bundle.pem.saml.key.password=secret1",
+				"spring.ssl.bundle.pem.saml.keystore.certificate=classpath:saml/certificate-location",
+				"spring.ssl.bundle.pem.saml.keystore.private-key=classpath:saml/private-key-location",
+				PREFIX + ".foo.signing.credentials[0].bundle.name=saml",
+				PREFIX + ".foo.signing.credentials[0].bundle.alias=key-alias",
+				PREFIX + ".foo.decryption.credentials[0].bundle.name=saml",
+				PREFIX + ".foo.decryption.credentials[0].bundle.alias=key-alias",
+				PREFIX + ".foo.singlelogout.url=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SLOService.php",
+				PREFIX + ".foo.singlelogout.response-url=https://simplesaml-for-spring-saml.cfapps.io/",
+				PREFIX + ".foo.singlelogout.binding=post",
+				PREFIX + ".foo.assertingparty.singlesignon.url=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php",
+				PREFIX + ".foo.assertingparty.singlesignon.binding=post",
+				PREFIX + ".foo.assertingparty.singlesignon.sign-request=false",
+				PREFIX + ".foo.assertingparty.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
+				PREFIX + ".foo.assertingparty.verification.credentials[0].bundle.name=saml",
+				PREFIX + ".foo.assertingparty.verification.credentials[0].bundle.alias=key-alias",
+				PREFIX + ".foo.asserting-party.singlelogout.url=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SLOService.php",
+				PREFIX + ".foo.asserting-party.singlelogout.response-url=https://simplesaml-for-spring-saml.cfapps.io/",
+				PREFIX + ".foo.asserting-party.singlelogout.binding=post",
+				PREFIX + ".foo.entity-id={baseUrl}/saml2/foo-entity-id",
+				PREFIX + ".foo.acs.location={baseUrl}/login/saml2/foo-entity-id",
+				PREFIX + ".foo.acs.binding=redirect" };
+	}
+
 	private boolean hasSecurityFilter(AssertableWebApplicationContext context, Class<? extends Filter> filter) {
 		return getSecurityFilterChain(context).getFilters().stream().anyMatch(filter::isInstance);
 	}