summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java13
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java6
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java19
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java18
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java46
5 files changed, 75 insertions, 27 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java
index a564efb2..acd565a1 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java
@@ -1,11 +1,14 @@
package at.gv.egiz.eaaf.modules.pvp2.api.utils;
+import java.security.KeyStore;
+import java.security.Provider;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
@@ -51,5 +54,15 @@ public interface IPvp2CredentialProvider {
@Nonnull
List<X509Certificate> getTrustedCertificates()
throws CredentialsNotAvailableException;
+
+
+ /**
+ * Get the {@link KeyStore} that is used in this {@link IPvp2CredentialProvider}.
+ *
+ * @return KeyStore {@link Pair} of {@link KeyStore} and JCE {@link Provider}
+ * if a special provider is in use
+ */
+ @Nonnull
+ Pair<KeyStore, Provider> getKeyStore();
} \ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java
index bf201803..1d6e3738 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java
@@ -19,8 +19,6 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.builder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
-
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.schema.XSInteger;
@@ -30,6 +28,8 @@ import org.opensaml.core.xml.schema.impl.XSStringBuilder;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeValue;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+
/**
* Build all attributes from PVP2 citizen-token.
*
@@ -73,6 +73,7 @@ public class CitizenTokenBuilder {
* Build simple attribute.
*
* @param friendlyName attribute friendly-name
+ * @param name attribute name
* @param value Attributevalue
* @return XML attribute
*/
@@ -89,6 +90,7 @@ public class CitizenTokenBuilder {
* Build simple attribute.
*
* @param friendlyName attribute friendly-name
+ * @param name attribute name
* @param value Attributevalue
* @return XML attribute
*/
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java
index 0b505e56..d29f1a0e 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java
@@ -8,15 +8,6 @@ import javax.annotation.Nullable;
import javax.annotation.PostConstruct;
import javax.net.ssl.SSLHandshakeException;
-import at.gv.egiz.components.spring.api.IDestroyableObject;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter;
-
import org.apache.http.client.HttpClient;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver;
@@ -30,6 +21,15 @@ import org.springframework.core.io.ResourceLoader;
import com.google.common.base.Predicates;
import com.google.common.base.Throwables;
import com.google.common.collect.FluentIterable;
+
+import at.gv.egiz.components.spring.api.IDestroyableObject;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
@@ -90,6 +90,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject {
* @param filter Filters, which should be used to validate the
* metadata
* @param idForLogging Id, which is used for Logging
+ * @param pool XML parser-pool to parse SAML2 Metadaten
* @param httpClient Apache commons 4.x http client
*
* @return SAML2 Metadata Provider, or null if the metadata provider can not
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index 26a5c5f6..e17e625e 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -32,6 +32,12 @@ import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
+import org.opensaml.security.credential.UsageType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.ResourceLoader;
+
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
@@ -44,13 +50,6 @@ import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.xml.security.algorithms.JCEMapper;
-import org.opensaml.security.credential.UsageType;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.io.ResourceLoader;
-
import lombok.extern.slf4j.Slf4j;
@Slf4j
@@ -256,6 +255,11 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
}
+ public Pair<KeyStore, Provider> getKeyStore() {
+ return keyStore;
+
+ }
+
@PostConstruct
private void initialize() throws Exception {
try {
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
index ef09e5c4..5a97924f 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
@@ -23,15 +23,14 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
-
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
@@ -40,13 +39,18 @@ import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
import lombok.extern.slf4j.Slf4j;
@Slf4j
public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter {
private final String metadataUrl;
- private final List<BasicX509Credential> trustedCredential = new ArrayList<>();
+ private final KeyStore trustedCredential;
private static final String ERROR_07 = "internal.pvp.07";
private static final String ERROR_12 = "internal.pvp.12";
@@ -61,13 +65,13 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
* SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b>
* </p>
*
- * @param credentials Trust X509 certificates
+ * @param keyStore TrustStore that contains trusted X509 certificates
* @param metadataUrl Metadata URL for logging purposes
*/
- public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials,
+ public SimpleMetadataSignatureVerificationFilter(@Nonnull KeyStore keyStore,
@Nonnull String metadataUrl) {
this.metadataUrl = metadataUrl;
- this.trustedCredential.addAll(credentials);
+ this.trustedCredential = keyStore;
}
@@ -121,7 +125,7 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
// perform cryptographic signature verification
boolean isTrusted = false;
- for (final BasicX509Credential cred : trustedCredential) {
+ for (final BasicX509Credential cred : getTrustedCertificates()) {
log.trace("Validating signature with credential: {} ... ",
cred.getEntityCertificate().getSubjectDN());
try {
@@ -140,7 +144,31 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID);
}
+ }
+
+ private List<BasicX509Credential> getTrustedCertificates() throws EaafConfigurationException {
+ try {
+ final List<X509Certificate> certs =
+ EaafKeyStoreUtils.readCertsFromKeyStore(trustedCredential);
+ if (certs.isEmpty()) {
+ log.warn("No trusted metadata-signing certificates in configuration");
+ throw new EaafConfigurationException("module.eidasauth.02",
+ new Object[] { "No trusted metadata-signing certificates" });
+
+ }
+
+ final List<BasicX509Credential> result = new ArrayList<>();
+ for (final X509Certificate cert : certs) {
+ result.add(new BasicX509Credential(cert));
+ }
+ return result;
+
+ } catch (final KeyStoreException e) {
+ throw new EaafConfigurationException("module.eidasauth.01",
+ new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e);
+
+ }
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-18 00:25:56 +0000