From bb15852878205381898c0719d163756d6aa96e1c Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 20 Mar 2020 20:45:42 +0100
Subject: refactor SAML2 metadata signature-filter to use a TrustStore
 implementation to get trusted X509 certificates

---
 .../SimpleMetadataSignatureVerificationFilter.java | 46 +++++++++++++++++-----
 1 file changed, 37 insertions(+), 9 deletions(-)

(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
index ef09e5c4..5a97924f 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
@@ -23,15 +23,14 @@
 
 package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata;
 
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 
 import javax.annotation.Nonnull;
 
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
-
 import org.opensaml.saml.common.SignableSAMLObject;
 import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
@@ -40,13 +39,18 @@ import org.opensaml.security.x509.BasicX509Credential;
 import org.opensaml.xmlsec.signature.support.SignatureException;
 import org.opensaml.xmlsec.signature.support.SignatureValidator;
 
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
 public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter {
 
   private final String metadataUrl;
-  private final List<BasicX509Credential> trustedCredential = new ArrayList<>();
+  private final KeyStore trustedCredential;
 
   private static final String ERROR_07 = "internal.pvp.07";
   private static final String ERROR_12 = "internal.pvp.12";
@@ -61,13 +65,13 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
    * SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b>
    * </p>
    *
-   * @param credentials Trust X509 certificates
+   * @param keyStore TrustStore that contains trusted X509 certificates
    * @param metadataUrl Metadata URL for logging purposes
    */
-  public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials,
+  public SimpleMetadataSignatureVerificationFilter(@Nonnull KeyStore keyStore,
       @Nonnull String metadataUrl) {
     this.metadataUrl = metadataUrl;
-    this.trustedCredential.addAll(credentials);
+    this.trustedCredential = keyStore;
 
   }
 
@@ -121,7 +125,7 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
 
     // perform cryptographic signature verification
     boolean isTrusted = false;
-    for (final BasicX509Credential cred : trustedCredential) {
+    for (final BasicX509Credential cred : getTrustedCertificates()) {
       log.trace("Validating signature with credential: {} ... ",
           cred.getEntityCertificate().getSubjectDN());
       try {
@@ -140,7 +144,31 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS
       throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID);
 
     }
+  }
+  
+  private List<BasicX509Credential> getTrustedCertificates() throws EaafConfigurationException {
+    try {
+      final List<X509Certificate> certs =
+          EaafKeyStoreUtils.readCertsFromKeyStore(trustedCredential);
+      if (certs.isEmpty()) {
+        log.warn("No trusted metadata-signing certificates in configuration");
+        throw new EaafConfigurationException("module.eidasauth.02",
+            new Object[] { "No trusted metadata-signing certificates" });
+
+      }
+
+      final List<BasicX509Credential> result = new ArrayList<>();
+      for (final X509Certificate cert : certs) {
+        result.add(new BasicX509Credential(cert));
 
+      }
+      return result;
+
+    } catch (final KeyStoreException e) {
+      throw new EaafConfigurationException("module.eidasauth.01",
+          new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e);
+
+    }
   }
 
 }
-- 
cgit v1.2.3