From db20fd9eeb41c4ee4f5b7618081e83c9e01052fa Mon Sep 17 00:00:00 2001
From: Dane Barentine
Date: Thu, 17 Sep 2015 13:27:35 -0700
Subject: [PATCH] KEYCLOAK-1861 Allow setting of signature algorithm when signing SAML AuthnRequests to IDPs
---
 .../java/org/keycloak/broker/saml/SAMLEndpoint.java | 1 +
 .../keycloak/broker/saml/SAMLIdentityProvider.java | 12 ++++++++++++
 .../broker/saml/SAMLIdentityProviderConfig.java | 8 ++++++++
 .../base/admin/resources/js/controllers/realm.js | 7 +++++++
 .../partials/realm-identity-provider-saml.html | 12 ++++++++++++
 5 files changed, 40 insertions(+)
diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
index f6ea2f5fcb..f15a23f2aa 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
@@ -250,6 +250,7 @@ public class SAMLEndpoint {
 builder.relayState(relayState);
 if (config.isWantAuthnRequestsSigned()) {
 builder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
+ .signatureAlgorithm(provider.getSignatureAlgorithm())
 .signDocument();
 }
 try {
diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
index 4517a94304..52959f8319 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -36,6 +36,7 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.saml.SAML2AuthnRequestBuilder;
 import org.keycloak.protocol.saml.SAML2LogoutRequestBuilder;
 import org.keycloak.protocol.saml.SAML2NameIDPolicyBuilder;
+import org.keycloak.protocol.saml.SignatureAlgorithm;
 import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
@@ -110,6 +111,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider\n";
 return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
 }
+
+ public SignatureAlgorithm getSignatureAlgorithm() {
+ String alg = getConfig().getSignatureAlgorithm();
+ if (alg != null) {
+ SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg);
+ if (algorithm != null) return algorithm;
+ }
+ return SignatureAlgorithm.RSA_SHA256;
+ }
 }
diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
index ad11be3e41..6ab3963d39 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
@@ -87,6 +87,14 @@ public class SAMLIdentityProviderConfig extends IdentityProviderModel {
 getConfig().put("wantAuthnRequestsSigned", String.valueOf(wantAuthnRequestsSigned));
 }
+ public String getSignatureAlgorithm() {
+ return getConfig().get("signatureAlgorithm");
+ }
+
+ public void setSignatureAlgorithm(String signatureAlgorithm) {
+ getConfig().put("signatureAlgorithm", signatureAlgorithm);
+ }
+
 public String getEncryptionPublicKey() {
 return getConfig().get("encryptionPublicKey");
 }
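Review bot: The `if (algorithm != null)` guard in the new getSignatureAlgorithm is dead and the method does not fall back the way its shape intends: if SignatureAlgorithm is an enum, as the `SignatureAlgorithm.valueOf(alg)` call and the constant names used in the admin UI suggest, `valueOf` never returns null and throws IllegalArgumentException for any name it does not know, so a mistyped or stale `signatureAlgorithm` entry in the provider config surfaces as an uncaught exception at the point the AuthnRequest is built instead of as the RSA_SHA256 default. The value arrives as a free string through setSignatureAlgorithm in the SAMLIdentityProviderConfig hunk below, which stores it with no validation, so nothing upstream guarantees it names a constant. Either catch IllegalArgumentException in the getter and return the default (logging the rejected value would help operators), or validate the name in setSignatureAlgorithm so a bad value fails at configuration time with a clear message rather than on every login; a getter that keeps the intended fallback is below.
```java
    public SignatureAlgorithm getSignatureAlgorithm() {
        String alg = getConfig().getSignatureAlgorithm();
        if (alg == null) return SignatureAlgorithm.RSA_SHA256;
        try {
            return SignatureAlgorithm.valueOf(alg);
        } catch (IllegalArgumentException e) {
            // Unknown name in the config map: keep the default rather than failing the AuthnRequest.
            return SignatureAlgorithm.RSA_SHA256;
        }
    }
```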
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
index 4027a85b73..489979007e 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
@@ -693,10 +693,17 @@ module.controller('RealmIdentityProviderCtrl', function($scope, $filter, $upload
 }
 ];
+ $scope.signatureAlgorithms = [
+ "RSA_SHA1",
+ "RSA_SHA256",
+ "RSA_SHA512",
+ "DSA_SHA1"
+ ];
 if (instance && instance.alias) {
 } else {
 $scope.identityProvider.config.nameIDPolicyFormat = $scope.nameIdFormats[0].format;
+ $scope.identityProvider.config.signatureAlgorithm = $scope.signatureAlgorithms[1];
 $scope.identityProvider.updateProfileFirstLoginMode = "off";
 }
 }
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
index 1723919672..53878269a9 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
@@ -135,6 +135,18 @@ Indicates whether the identity provider expects signed a AuthnRequest. +
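Review bot: The new client-side default `$scope.identityProvider.config.signatureAlgorithm = $scope.signatureAlgorithms[1];` selects RSA_SHA256 by array position, so reordering the list (to put the SHA-2 entries first, or to add an algorithm) silently changes the default for new providers to one of the SHA-1 entries. Name the default directly, `$scope.identityProvider.config.signatureAlgorithm = "RSA_SHA256";`, which also makes it visible that it matches the server-side fallback in SAMLIdentityProvider.getSignatureAlgorithm. The list places RSA_SHA1 and DSA_SHA1 on equal footing with the SHA-2 options; listing them last, or marking them as legacy in the select, would steer admins toward the stronger choice. The controller function this code belongs to starts and ends outside the hunk.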
+ +
+
+ +
+
+ The signature algorithm to use to sign documents. +
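Review bot: The help text added at the end of the hunk, `The signature algorithm to use to sign documents.`, does not tell the admin what is signed or when the setting takes effect; per the SAMLEndpoint change in this commit it is only consulted when signed AuthnRequests are enabled for the provider. Suggest `Signature algorithm used when this realm signs the AuthnRequests it sends to the identity provider; it only applies when signed AuthnRequests are enabled above.`. The markup of this hunk is not readable in this rendering (tags are stripped), so the surrounding select and label structure could not be reviewed.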