first stable version that uses OpenSAML 3.x

1 files changed, 35 insertions, 12 deletions

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
index 1591198c..f0758706 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
@@ -23,9 +23,11 @@ import java.util.ArrayList;
 import java.util.List;
 
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
 
 import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
 import org.opensaml.saml.security.impl.MetadataCredentialResolver;
+import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
 import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
 import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
 import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
@@ -34,29 +36,50 @@ import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
 import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
 import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
 
+import lombok.extern.slf4j.Slf4j;
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+
+@Slf4j
 public class TrustEngineFactory {
 
   /**
    * Get OpenSAML2 TrustEngine.
    *
    * @param mdResolver Metadata provider
-   * @return
+   * @return TrustEngine for SAML2 message validation
+   * @throws Pvp2InternalErrorException In case of a TrustEngine initialization
+   *                                    error
    */
   public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(
-      final IPvp2MetadataProvider mdResolver) {
-    final MetadataCredentialResolver resolver = new MetadataCredentialResolver();
-    resolver.setRoleDescriptorResolver(new PredicateRoleDescriptorResolver(mdResolver));
+      final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException {
+    try {
+      final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
+      keyInfoProvider.add(new DSAKeyValueProvider());
+      keyInfoProvider.add(new RSAKeyValueProvider());
+      keyInfoProvider.add(new InlineX509DataProvider());
+      final KeyInfoCredentialResolver keyInfoCredentialResolver = new BasicProviderKeyInfoCredentialResolver(
+          keyInfoProvider);
+
+      final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(
+          mdResolver);
+      roleDescriptorResolver.setRequireValidMetadata(true);
+      roleDescriptorResolver.initialize();
+
+      final MetadataCredentialResolver resolver = new MetadataCredentialResolver();
+      resolver.setRoleDescriptorResolver(roleDescriptorResolver);
+      resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver);
+      resolver.initialize();
+
+      final ExplicitKeySignatureTrustEngine engine =
+          new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver);
 
-    final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
-    keyInfoProvider.add(new DSAKeyValueProvider());
-    keyInfoProvider.add(new RSAKeyValueProvider());
-    keyInfoProvider.add(new InlineX509DataProvider());
+      return engine;
 
-    final ExplicitKeySignatureTrustEngine engine =
-        new ExplicitKeySignatureTrustEngine(resolver,
-            new BasicProviderKeyInfoCredentialResolver(keyInfoProvider));
+    } catch (final ComponentInitializationException e) {
+      log.warn("Initialization of SignatureTrustEngine FAILED.", e);
+      throw new Pvp2InternalErrorException(e);
 
-    return engine;
+    }
 
   }