From bb15852878205381898c0719d163756d6aa96e1c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 20 Mar 2020 20:45:42 +0100 Subject: refactor SAML2 metadata signature-filter to use a TrustStore implementation to get trusted X509 certificates --- .../pvp2/api/utils/IPvp2CredentialProvider.java | 13 ++++++ .../impl/utils/AbstractCredentialProvider.java | 18 +++++---- .../SimpleMetadataSignatureVerificationFilter.java | 46 +++++++++++++++++----- 3 files changed, 61 insertions(+), 16 deletions(-) (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz') diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java index a564efb2..acd565a1 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java @@ -1,11 +1,14 @@ package at.gv.egiz.eaaf.modules.pvp2.api.utils; +import java.security.KeyStore; +import java.security.Provider; import java.security.cert.X509Certificate; import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; @@ -51,5 +54,15 @@ public interface IPvp2CredentialProvider { @Nonnull List getTrustedCertificates() throws CredentialsNotAvailableException; + + + /** + * Get the {@link KeyStore} that is used in this {@link IPvp2CredentialProvider}. + * + * @return KeyStore {@link Pair} of {@link KeyStore} and JCE {@link Provider} + * if a special provider is in use + */ + @Nonnull + Pair getKeyStore(); } \ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java index 26a5c5f6..e17e625e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java @@ -32,6 +32,12 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; +import org.apache.commons.lang3.StringUtils; +import org.apache.xml.security.algorithms.JCEMapper; +import org.opensaml.security.credential.UsageType; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.ResourceLoader; + import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; @@ -44,13 +50,6 @@ import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter; - -import org.apache.commons.lang3.StringUtils; -import org.apache.xml.security.algorithms.JCEMapper; -import org.opensaml.security.credential.UsageType; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.core.io.ResourceLoader; - import lombok.extern.slf4j.Slf4j; @Slf4j @@ -256,6 +255,11 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi } + public Pair getKeyStore() { + return keyStore; + + } + @PostConstruct private void initialize() throws Exception { try { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java index ef09e5c4..5a97924f 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java @@ -23,15 +23,14 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.List; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; - import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor; @@ -40,13 +39,18 @@ import org.opensaml.security.x509.BasicX509Credential; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureValidator; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; import lombok.extern.slf4j.Slf4j; @Slf4j public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter { private final String metadataUrl; - private final List trustedCredential = new ArrayList<>(); + private final KeyStore trustedCredential; private static final String ERROR_07 = "internal.pvp.07"; private static final String ERROR_12 = "internal.pvp.12"; @@ -61,13 +65,13 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS * SAML2 metadata with {@link EntitiesDescriptor} are not supported. *

* - * @param credentials Trust X509 certificates + * @param keyStore TrustStore that contains trusted X509 certificates * @param metadataUrl Metadata URL for logging purposes */ - public SimpleMetadataSignatureVerificationFilter(@Nonnull List credentials, + public SimpleMetadataSignatureVerificationFilter(@Nonnull KeyStore keyStore, @Nonnull String metadataUrl) { this.metadataUrl = metadataUrl; - this.trustedCredential.addAll(credentials); + this.trustedCredential = keyStore; } @@ -121,7 +125,7 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS // perform cryptographic signature verification boolean isTrusted = false; - for (final BasicX509Credential cred : trustedCredential) { + for (final BasicX509Credential cred : getTrustedCertificates()) { log.trace("Validating signature with credential: {} ... ", cred.getEntityCertificate().getSubjectDN()); try { @@ -140,7 +144,31 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID); } + } + + private List getTrustedCertificates() throws EaafConfigurationException { + try { + final List certs = + EaafKeyStoreUtils.readCertsFromKeyStore(trustedCredential); + if (certs.isEmpty()) { + log.warn("No trusted metadata-signing certificates in configuration"); + throw new EaafConfigurationException("module.eidasauth.02", + new Object[] { "No trusted metadata-signing certificates" }); + + } + + final List result = new ArrayList<>(); + for (final X509Certificate cert : certs) { + result.add(new BasicX509Credential(cert)); + } + return result; + + } catch (final KeyStoreException e) { + throw new EaafConfigurationException("module.eidasauth.01", + new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e); + + } } } -- cgit v1.2.3