summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java79
1 files changed, 68 insertions, 11 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
index 5a97924f..f4b008af 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
@@ -25,17 +25,24 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.xml.security.keys.KeyInfo;
+import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
@@ -124,28 +131,78 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
}
// perform cryptographic signature verification
- boolean isTrusted = false;
- for (final BasicX509Credential cred : getTrustedCertificates()) {
- log.trace("Validating signature with credential: {} ... ",
- cred.getEntityCertificate().getSubjectDN());
+ if (!performCryptographicCheck(signedElement.getSignature())) {
+ log.info("PVP2 metadata: " + metadataUrl + " are NOT trusted!");
+ throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID);
+
+ }
+ }
+
+ private boolean performCryptographicCheck(Signature signature) throws EaafConfigurationException {
+
+ // extract trusted signer certificate from signature
+ BasicX509Credential x509FromSig = extractTrustedX509FromSignature(signature);
+ if (x509FromSig != null) {
try {
- SignatureValidator.validate(signedElement.getSignature(), cred);
- isTrusted = true;
+ SignatureValidator.validate(signature, x509FromSig);
+ return true;
} catch (final SignatureException e) {
log.debug("Failed to verfiy Signature with cert: {} Reason: {}",
- cred.getEntityCertificate().getSubjectDN(), e.getMessage());
+ x509FromSig.getEntityCertificate().getSubjectDN(), e.getMessage());
+
+ }
+ } else {
+ for (final BasicX509Credential cred : getTrustedCertificates()) {
+ log.trace("Validating signature with credential: {} ... ",
+ cred.getEntityCertificate().getSubjectDN());
+ try {
+ SignatureValidator.validate(signature, cred);
+ return true;
+
+ } catch (final SignatureException e) {
+ log.debug("Failed to verfiy Signature with cert: {} Reason: {}",
+ cred.getEntityCertificate().getSubjectDN(), e.getMessage());
+
+ }
}
}
- if (!isTrusted) {
- log.info("PVP2 metadata: " + metadataUrl + " are NOT trusted!");
- throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID);
+ return false;
+
+ }
+
+ private BasicX509Credential extractTrustedX509FromSignature(Signature signature) {
+ try {
+ KeyInfo keyInfo = ((SignatureImpl) signature).getXMLSignature().getKeyInfo();
+
+ byte[] encSigCert = keyInfo.getX509Certificate() != null
+ ? keyInfo.getX509Certificate().getEncoded()
+ : ArrayUtils.EMPTY_BYTE_ARRAY;
+
+ return getTrustedCertificates().stream()
+ .filter(el -> {
+ try {
+ return MessageDigest.isEqual(el.getEntityCertificate().getEncoded(), encSigCert);
+
+ } catch (CertificateEncodingException e) {
+ log.warn("Can not match certificates.", e);
+ return false;
+
+ }
+ })
+ .findFirst()
+ .orElse(null);
+
+ } catch (KeyResolverException | EaafConfigurationException | CertificateEncodingException e) {
+ log.info("Can not extract X509 certificate from XML signature. Reason: {}", e.getMessage());
}
+ return null;
+
}
-
+
private List<BasicX509Credential> getTrustedCertificates() throws EaafConfigurationException {
try {
final List<X509Certificate> certs =
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-23 10:55:24 +0000