diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-01-31 20:41:54 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-01-31 20:41:54 +0100 |
commit | d41afe91ee59daf6b5f5037cecac52900fe2ccb2 (patch) | |
tree | 3a19e1818d276d701574758ce6166b2f3a7e2030 /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize | |
parent | 0cf9926282ba4aa46bad3f4e8020cec72683492f (diff) | |
download | EAAF-Components-d41afe91ee59daf6b5f5037cecac52900fe2ccb2.tar.gz EAAF-Components-d41afe91ee59daf6b5f5037cecac52900fe2ccb2.tar.bz2 EAAF-Components-d41afe91ee59daf6b5f5037cecac52900fe2ccb2.zip |
a lot of more OpenSAML3 refactoring staff
This version is also NOT stable!
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize')
3 files changed, 284 insertions, 178 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java deleted file mode 100644 index 9625b591..00000000 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java +++ /dev/null @@ -1,88 +0,0 @@ -/* - * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a - * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European - * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in - * compliance with the Licence. You may obtain a copy of the Licence at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software distributed under the Licence - * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the Licence for the specific language governing permissions and limitations under - * the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text file for details on the - * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative - * works that you distribute must include a readable copy of the "NOTICE" text file. -*/ - -package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize; - -import org.opensaml.DefaultBootstrap; -import org.opensaml.xml.ConfigurationException; - -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller; - -/** - * EAAF specific OpenSAML Initializer. - * - * @author tlenz - * - */ -public class EaafDefaultSaml2Bootstrap extends DefaultBootstrap { - - /** - * OpenSAML2 bootstrap. - * - * @throws ConfigurationException In case of an error - */ - public static synchronized void bootstrap() throws ConfigurationException { - - initializeXMLSecurity(); - - initializeXMLTooling(); - - initializeArtifactBuilderFactories(); - - initializeGlobalSecurityConfiguration(); - - initializeParserPool(); - - initializeESAPI(); - - initializeExtenstions(); - - } - - private static void initializeExtenstions() { - org.opensaml.xml.Configuration.registerObjectProvider( - EaafRequestedAttribute.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributeBuilder(), - new EaafRequestedAttributeMarshaller(), new EaafRequestedAttributeUnmarshaller()); - - org.opensaml.xml.Configuration.registerObjectProvider( - EaafRequestedAttributes.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributesBuilder(), - new EaafRequestedAttributesMarshaller(), new EaafRequestedAttributesUnmarshaller()); - - } - - public static void initializeDefaultPvpConfiguration() { - initializeGlobalSecurityConfiguration(); - - } - - /** - * Initializes the default global security configuration. - */ - protected static void initializeGlobalSecurityConfiguration() { - org.opensaml.xml.Configuration.setGlobalSecurityConfiguration( - EaafDefaultSecurityConfigurationBootstrap.buildDefaultConfig()); - } -} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java index f3e50e4e..97f0f225 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java @@ -19,14 +19,17 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize; -import org.opensaml.xml.encryption.EncryptionConstants; -import org.opensaml.xml.security.BasicSecurityConfiguration; -import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap; -import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory; -import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager; -import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.SignatureConstants; +import java.util.Arrays; +import java.util.Collections; + +import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap; +import org.opensaml.xmlsec.encryption.support.EncryptionConstants; +import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters; +import org.opensaml.xmlsec.impl.BasicDecryptionConfiguration; +import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration; +import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration; +import org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration; +import org.opensaml.xmlsec.signature.support.SignatureConstants; /** * EAAF specific OpenSAML2 security configuration. @@ -38,102 +41,137 @@ public class EaafDefaultSecurityConfigurationBootstrap extends DefaultSecurityConfigurationBootstrap { /** - * Build EAAF security configuration for OpenSAML2. + * Set EAAF specific encryption configuration to OpenSAML 3.x. * * @return */ - public static BasicSecurityConfiguration buildDefaultConfig() { - final BasicSecurityConfiguration config = new BasicSecurityConfiguration(); - - populateSignatureParams(config); - populateEncryptionParams(config); - populateKeyInfoCredentialResolverParams(config); - populateKeyInfoGeneratorManager(config); - populateKeyParams(config); + public static BasicEncryptionConfiguration buildEaafEncryptionConfiguration() { + final BasicEncryptionConfiguration config = new BasicEncryptionConfiguration(); + + config.setBlacklistedAlgorithms(Arrays.asList( + EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15, + EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES, + EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES)); + + config.setDataEncryptionAlgorithms(Arrays.asList( + // The order of these is significant. + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128, + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192, + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256, + + // register GCM algorithms + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM, + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM, + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM)); + + config.setKeyTransportEncryptionAlgorithms(Arrays.asList( + // The order of the RSA algos is significant. + EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, + EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11, + + // The order of these is not significant. + // These aren't really "preferences" per se. They just need to be registered + // so that they can be used if a credential with a key of that type and size is + // seen. + EncryptionConstants.ALGO_ID_KEYWRAP_AES128, + EncryptionConstants.ALGO_ID_KEYWRAP_AES192, + EncryptionConstants.ALGO_ID_KEYWRAP_AES256)); + + config.setRSAOAEPParameters(new RSAOAEPParameters( + SignatureConstants.ALGO_ID_DIGEST_SHA1, + EncryptionConstants.ALGO_ID_MGF1_SHA1, + null)); + + config.setDataKeyInfoGeneratorManager(buildDataEncryptionKeyInfoGeneratorManager()); + config.setKeyTransportKeyInfoGeneratorManager(buildKeyTransportEncryptionKeyInfoGeneratorManager()); return config; } - protected static void populateKeyInfoGeneratorManager(final BasicSecurityConfiguration config) { - final NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager(); - config.setKeyInfoGeneratorManager(namedManager); - - namedManager.setUseDefaultManager(true); - final KeyInfoGeneratorManager defaultManager = namedManager.getDefaultManager(); + /** + * Set EAAF specific decryption configuration to OpenSAML 3.x. + * + * @return + */ + public static BasicDecryptionConfiguration buildEaaftDecryptionConfiguration() { + final BasicDecryptionConfiguration config = new BasicDecryptionConfiguration(); - final BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory(); - basicFactory.setEmitPublicKeyValue(true); + config.setBlacklistedAlgorithms(Collections.singletonList( + EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)); - final X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory(); - x509Factory.setEmitEntityCertificate(true); + config.setEncryptedKeyResolver(buildBasicEncryptedKeyResolver()); - defaultManager.registerFactory(basicFactory); - defaultManager.registerFactory(x509Factory); + return config; } - protected static void populateSignatureParams(final BasicSecurityConfiguration config) { - - // use SHA256 instead of SHA1 - config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - - config.registerSignatureAlgorithmURI("DSA", "http://www.w3.org/2000/09/xmldsig#dsa-sha1"); - - // use SHA256 instead of SHA1 - config.registerSignatureAlgorithmURI("EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); - - // use SHA256 instead of SHA1 - config.registerSignatureAlgorithmURI("AES", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); - - config.registerSignatureAlgorithmURI("DESede", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); - - config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"); - config.setSignatureHMACOutputLength(null); + /** + * Set EAAF specific signature-creation configuration to OpenSAML 3.x. + * + * @return + */ + public static BasicSignatureSigningConfiguration buildEaafSignatureSigningConfiguration() { + final BasicSignatureSigningConfiguration config = new BasicSignatureSigningConfiguration(); + + config.setBlacklistedAlgorithms(Arrays.asList( + SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5, + SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5, + SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5, + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1, + SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1, + SignatureConstants.ALGO_ID_DIGEST_SHA1)); + + config.setSignatureAlgorithms(Arrays.asList( + // The order within each key group is significant. + // The order of the key groups themselves is not significant. + + // RSA + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384, + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512, + + // ECDSA + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256, + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384, + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512 + + // HMAC (all symmetric keys) + // SignatureConstants.ALGO_ID_MAC_HMAC_SHA256, + // SignatureConstants.ALGO_ID_MAC_HMAC_SHA384, + // SignatureConstants.ALGO_ID_MAC_HMAC_SHA512, + // SignatureConstants.ALGO_ID_MAC_HMAC_SHA1 + )); + + config.setSignatureReferenceDigestMethods(Arrays.asList( + // The order of these is significant. + SignatureConstants.ALGO_ID_DIGEST_SHA256, + SignatureConstants.ALGO_ID_DIGEST_SHA384, + SignatureConstants.ALGO_ID_DIGEST_SHA512)); + + config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + + config.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager()); - // use SHA256 instead of SHA1 - config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); + return config; } - protected static void populateEncryptionParams(final BasicSecurityConfiguration config) { - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), - "http://www.w3.org/2001/04/xmlenc#aes128-cbc"); - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), - "http://www.w3.org/2001/04/xmlenc#aes192-cbc"); - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), - "http://www.w3.org/2001/04/xmlenc#aes256-cbc"); - - // support GCM mode - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), - EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); - - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), - EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM); - - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), - EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM); - - config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(168), - "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); - config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(192), - "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); - - config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES", - "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); - - config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "DESede", - "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); - - config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(128), null, - "http://www.w3.org/2001/04/xmlenc#kw-aes128"); - config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(192), null, - "http://www.w3.org/2001/04/xmlenc#kw-aes192"); - config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(256), null, - "http://www.w3.org/2001/04/xmlenc#kw-aes256"); - config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(168), null, - "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); - config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(192), null, - "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); - - config.setAutoGeneratedDataEncryptionKeyAlgorithmURI( - "http://www.w3.org/2001/04/xmlenc#aes128-cbc"); + /** + * Set EAAF specific signature-verification configuration to OpenSAML 3.x. + * + * @return + */ + public static BasicSignatureValidationConfiguration buildEaafSignatureValidationConfiguration() { + final BasicSignatureValidationConfiguration config = new BasicSignatureValidationConfiguration(); + + config.setBlacklistedAlgorithms(Arrays.asList( + SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5, + SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5, + SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5, + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1, + SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1, + SignatureConstants.ALGO_ID_DIGEST_SHA1)); + + return config; } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java new file mode 100644 index 00000000..42d4d736 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java @@ -0,0 +1,156 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize; + +import java.util.HashMap; +import java.util.Map; + +import javax.annotation.Nonnull; +import javax.xml.XMLConstants; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller; + +import org.opensaml.core.config.ConfigurationService; +import org.opensaml.core.config.InitializationException; +import org.opensaml.core.config.InitializationService; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.xmlsec.DecryptionConfiguration; +import org.opensaml.xmlsec.EncryptionConfiguration; +import org.opensaml.xmlsec.SignatureSigningConfiguration; +import org.opensaml.xmlsec.SignatureValidationConfiguration; + +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.component.ComponentInitializationException; +import net.shibboleth.utilities.java.support.xml.BasicParserPool; +import net.shibboleth.utilities.java.support.xml.ParserPool; + +/** + * EAAF specific OpenSAML Initializer. + * + * @author tlenz + * + */ +@Slf4j +public class EaafOpenSaml3xInitializer extends InitializationService { + + /** + * EAAF specific OpenSAML3.x initialization. + * + * @throws InitializationException In case of an error + * @throws ComponentInitializationException + */ + public static synchronized void eaafInitialize() throws InitializationException, ComponentInitializationException { + log.debug("Initializing OpenSAML 3.x ... "); + initialize(); + + log.debug("Injecting EAAF-specific configuration into OpenSAML 3.x ... "); + injectEaafSecurityProperty(); + injectEaafExtenstions(); + + XMLObjectProviderRegistrySupport.setParserPool(eaafSecuredBasicParserPool()); + + log.info("OpenSAML3.x with EAAF extensions initialized"); + + } + + private static void injectEaafSecurityProperty() { + ConfigurationService.register(EncryptionConfiguration.class, + EaafDefaultSecurityConfigurationBootstrap.buildEaafEncryptionConfiguration()); + + ConfigurationService.register(DecryptionConfiguration.class, + EaafDefaultSecurityConfigurationBootstrap.buildEaaftDecryptionConfiguration()); + + ConfigurationService.register(SignatureSigningConfiguration.class, + EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureSigningConfiguration()); + + ConfigurationService.register(SignatureValidationConfiguration.class, + EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureValidationConfiguration()); + + } + + private static void injectEaafExtenstions() { + XMLObjectProviderRegistrySupport.registerObjectProvider( + EaafRequestedAttribute.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributeBuilder(), + new EaafRequestedAttributeMarshaller(), new EaafRequestedAttributeUnmarshaller()); + + XMLObjectProviderRegistrySupport.registerObjectProvider( + EaafRequestedAttributes.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributesBuilder(), + new EaafRequestedAttributesMarshaller(), new EaafRequestedAttributesUnmarshaller()); + + } + + /** + * Build a secured OpenSAML 3.x XML parser-pool. + * + * @return {@link ParserPool} + * @throws ComponentInitializationException In case of an initialization error + */ + @Nonnull + private static ParserPool eaafSecuredBasicParserPool() throws ComponentInitializationException { + // Get parser pool manager + final BasicParserPool ppMgr = new BasicParserPool(); + // Note: this is necessary due to an unresolved Xerces deferred DOM issue/bug + ppMgr.setBuilderFeatures(getSecureDocumentBuilderFeatures()); + ppMgr.setNamespaceAware(true); + ppMgr.setIgnoreComments(true); + ppMgr.setExpandEntityReferences(false); + ppMgr.setXincludeAware(false); + ppMgr.initialize(); + return ppMgr; + } + + @Nonnull + private static Map<String, Boolean> getSecureDocumentBuilderFeatures() { + final Map<String, Boolean> features = new HashMap<>(); + features.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); + + // Ignore the external DTD completely + // Note: this is for Xerces only: + features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE); + // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all + // XML entity attacks are prevented + // Xerces 2 only - + // http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl + features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE); + + // If you can't completely disable DTDs, then at least do the following: + // Xerces 1 - + // http://xerces.apache.org/xerces-j/features.html#external-general-entities + // Xerces 2 - + // http://xerces.apache.org/xerces2-j/features.html#external-general-entities + features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE); + + // Xerces 1 - + // http://xerces.apache.org/xerces-j/features.html#external-parameter-entities + // Xerces 2 - + // http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities + features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE); + + return features; + } + +} |