summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java46
1 files changed, 37 insertions, 9 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
index ef09e5c4..5a97924f 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
@@ -23,15 +23,14 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
-
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
@@ -40,13 +39,18 @@ import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
import lombok.extern.slf4j.Slf4j;
@Slf4j
public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter {
private final String metadataUrl;
- private final List<BasicX509Credential> trustedCredential = new ArrayList<>();
+ private final KeyStore trustedCredential;
private static final String ERROR_07 = "internal.pvp.07";
private static final String ERROR_12 = "internal.pvp.12";
@@ -61,13 +65,13 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
* SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b>
* </p>
*
- * @param credentials Trust X509 certificates
+ * @param keyStore TrustStore that contains trusted X509 certificates
* @param metadataUrl Metadata URL for logging purposes
*/
- public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials,
+ public SimpleMetadataSignatureVerificationFilter(@Nonnull KeyStore keyStore,
@Nonnull String metadataUrl) {
this.metadataUrl = metadataUrl;
- this.trustedCredential.addAll(credentials);
+ this.trustedCredential = keyStore;
}
@@ -121,7 +125,7 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
// perform cryptographic signature verification
boolean isTrusted = false;
- for (final BasicX509Credential cred : trustedCredential) {
+ for (final BasicX509Credential cred : getTrustedCertificates()) {
log.trace("Validating signature with credential: {} ... ",
cred.getEntityCertificate().getSubjectDN());
try {
@@ -140,7 +144,31 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID);
}
+ }
+
+ private List<BasicX509Credential> getTrustedCertificates() throws EaafConfigurationException {
+ try {
+ final List<X509Certificate> certs =
+ EaafKeyStoreUtils.readCertsFromKeyStore(trustedCredential);
+ if (certs.isEmpty()) {
+ log.warn("No trusted metadata-signing certificates in configuration");
+ throw new EaafConfigurationException("module.eidasauth.02",
+ new Object[] { "No trusted metadata-signing certificates" });
+
+ }
+
+ final List<BasicX509Credential> result = new ArrayList<>();
+ for (final X509Certificate cert : certs) {
+ result.add(new BasicX509Credential(cert));
+ }
+ return result;
+
+ } catch (final KeyStoreException e) {
+ throw new EaafConfigurationException("module.eidasauth.01",
+ new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e);
+
+ }
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-28 10:11:20 +0000