diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-04-01 17:24:53 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-04-01 17:24:53 +0200 |
commit | c972a8106bbff5dea9fecc76864be9a99a868d78 (patch) | |
tree | 6c9cfca3a7cd002d5fe6e4bbaf884b877ecaf5bf /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java | |
parent | f4a941a0c4bbe6251a108612a4ee49607d6951fc (diff) | |
parent | 5945c62128c2cb9d552ad7b4c085c09d046d2d56 (diff) | |
download | EAAF-Components-c972a8106bbff5dea9fecc76864be9a99a868d78.tar.gz EAAF-Components-c972a8106bbff5dea9fecc76864be9a99a868d78.tar.bz2 EAAF-Components-c972a8106bbff5dea9fecc76864be9a99a868d78.zip |
Merge branch 'nightlyBuild'
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java')
-rw-r--r-- | eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java index ef09e5c4..5a97924f 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java @@ -23,15 +23,14 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.List; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; - import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor; @@ -40,13 +39,18 @@ import org.opensaml.security.x509.BasicX509Credential; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureValidator; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; import lombok.extern.slf4j.Slf4j; @Slf4j public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter { private final String metadataUrl; - private final List<BasicX509Credential> trustedCredential = new ArrayList<>(); + private final KeyStore trustedCredential; private static final String ERROR_07 = "internal.pvp.07"; private static final String ERROR_12 = "internal.pvp.12"; @@ -61,13 +65,13 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS * SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b> * </p> * - * @param credentials Trust X509 certificates + * @param keyStore TrustStore that contains trusted X509 certificates * @param metadataUrl Metadata URL for logging purposes */ - public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials, + public SimpleMetadataSignatureVerificationFilter(@Nonnull KeyStore keyStore, @Nonnull String metadataUrl) { this.metadataUrl = metadataUrl; - this.trustedCredential.addAll(credentials); + this.trustedCredential = keyStore; } @@ -121,7 +125,7 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS // perform cryptographic signature verification boolean isTrusted = false; - for (final BasicX509Credential cred : trustedCredential) { + for (final BasicX509Credential cred : getTrustedCertificates()) { log.trace("Validating signature with credential: {} ... ", cred.getEntityCertificate().getSubjectDN()); try { @@ -140,7 +144,31 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID); } + } + + private List<BasicX509Credential> getTrustedCertificates() throws EaafConfigurationException { + try { + final List<X509Certificate> certs = + EaafKeyStoreUtils.readCertsFromKeyStore(trustedCredential); + if (certs.isEmpty()) { + log.warn("No trusted metadata-signing certificates in configuration"); + throw new EaafConfigurationException("module.eidasauth.02", + new Object[] { "No trusted metadata-signing certificates" }); + + } + + final List<BasicX509Credential> result = new ArrayList<>(); + for (final X509Certificate cert : certs) { + result.add(new BasicX509Credential(cert)); + } + return result; + + } catch (final KeyStoreException e) { + throw new EaafConfigurationException("module.eidasauth.01", + new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e); + + } } } |