From e7610325ee2f1d1f4e97e1e7a9b212e692836b5a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Tue, 4 Feb 2020 17:37:34 +0100
Subject: first stable version that uses OpenSAML 3.x

---
 .../SimpleMetadataSignatureVerificationFilter.java | 146 +++++++++++++++++++++
 1 file changed, 146 insertions(+)
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java

(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
new file mode 100644
index 00000000..ef09e5c4
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.annotation.Nonnull;
+
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException;
+
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.SignatureValidator;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter {
+
+  private final String metadataUrl;
+  private final List<BasicX509Credential> trustedCredential = new ArrayList<>();
+
+  private static final String ERROR_07 = "internal.pvp.07";
+  private static final String ERROR_12 = "internal.pvp.12";
+  private static final String ERROR_MSG_ENTITIESDESC = "EntitiesDescritors are NOT supported";
+  private static final String ERROR_MSG_SIGNOTVALID = "Signature not valid or no trusted certificate found";
+
+  /**
+   * SAML2 metadata-signature verification-filter that uses a simple {@link List}
+   * of trusted {@link BasicX509Credential} as truststore. <br>
+   * <p>
+   * This filter only validates {@link EntityDescriptor} elements.<br>
+   * SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b>
+   * </p>
+   *
+   * @param credentials Trust X509 certificates
+   * @param metadataUrl Metadata URL for logging purposes
+   */
+  public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials,
+      @Nonnull String metadataUrl) {
+    this.metadataUrl = metadataUrl;
+    this.trustedCredential.addAll(credentials);
+
+  }
+
+  @Override
+  protected void verify(EntityDescriptor desc) throws Pvp2MetadataException {
+    try {
+      internalVerify(desc);
+
+    } catch (final EaafException e) {
+      log.info("Metadata verification FAILED for: {} Reason: {}", metadataUrl, e.getMessage());
+      throw new Pvp2MetadataException(ERROR_07,
+          new Object[] { metadataUrl, e.getMessage() }, e);
+
+    }
+  }
+
+  @Override
+  protected void verify(EntitiesDescriptor desc) throws Pvp2MetadataException {
+    throw new Pvp2MetadataException(ERROR_07,
+        new Object[] { metadataUrl, ERROR_MSG_ENTITIESDESC });
+
+  }
+
+  @Override
+  protected void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws Pvp2MetadataException {
+    throw new Pvp2MetadataException(ERROR_07,
+        new Object[] { metadataUrl, ERROR_MSG_ENTITIESDESC });
+
+  }
+
+  private void internalVerify(SignableSAMLObject signedElement)
+      throws EaafException {
+    // check if signature exists
+    if (signedElement.getSignature() == null) {
+      throw new Pvp2MetadataException(ERROR_12,
+          new Object[] { metadataUrl });
+
+    }
+
+    // perform general signature validation
+    try {
+      final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+      sigValidator.validate(signedElement.getSignature());
+
+    } catch (final SignatureException e) {
+      log.error("Failed to validate Signature", e);
+      throw new Pvp2MetadataException(ERROR_07,
+          new Object[] { metadataUrl, e.getMessage() }, e);
+
+    }
+
+    // perform cryptographic signature verification
+    boolean isTrusted = false;
+    for (final BasicX509Credential cred : trustedCredential) {
+      log.trace("Validating signature with credential: {} ... ",
+          cred.getEntityCertificate().getSubjectDN());
+      try {
+        SignatureValidator.validate(signedElement.getSignature(), cred);
+        isTrusted = true;
+
+      } catch (final SignatureException e) {
+        log.debug("Failed to verfiy Signature with cert: {} Reason: {}",
+            cred.getEntityCertificate().getSubjectDN(), e.getMessage());
+
+      }
+    }
+
+    if (!isTrusted) {
+      log.info("PVP2 metadata: " + metadataUrl + " are NOT trusted!");
+      throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID);
+
+    }
+
+  }
+
+}
-- 
cgit v1.2.3