From 95b21a826e5d81fdeabcf4673a9e87047edaec9d Mon Sep 17 00:00:00 2001
From: Thomas
Date: Wed, 4 Dec 2019 22:54:51 +0100
Subject: to some more code quality tasks
---
 .../at/gv/egiz/eaaf/modules/pvp2/PvpConstants.java | 38 ++++++++--------
 .../eaaf/modules/pvp2/api/binding/IDecoder.java | 6 +--
 .../api/metadata/IRefreshableMetadataProvider.java | 2 +-
 .../eaaf/modules/pvp2/exception/Pvp2Exception.java | 4 +-
 .../modules/pvp2/impl/binding/PostBinding.java | 2 +-
 .../modules/pvp2/impl/binding/RedirectBinding.java | 4 +-
 .../modules/pvp2/impl/binding/SoapBinding.java | 4 +-
 .../modules/pvp2/impl/message/InboundMessage.java | 33 +++++++++++++-
 .../metadata/AbstractChainingMetadataProvider.java | 13 +++---
 .../EaafKeyStoreX509CredentialAdapter.java | 53 ++++++++++++++++++++++
 .../opensaml/HttpPostEncoderWithOwnTemplate.java | 2 +-
 .../opensaml/KeyStoreX509CredentialAdapter.java | 53 ----------------------
 .../impl/utils/AbstractCredentialProvider.java | 8 ++--
 .../eaaf/modules/pvp2/impl/utils/Saml2Utils.java | 14 +----
 .../verification/PvpAuthRequestSignedRole.java | 4 +-
 .../impl/verification/SamlVerificationEngine.java | 13 ++++-
 16 files changed, 138 insertions(+), 115 deletions(-)
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
 delete mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/KeyStoreX509CredentialAdapter.java
(limited to 'eaaf_modules/eaaf_module_pvp2_core')
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PvpConstants.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PvpConstants.java
index e8d42e80..8bd2f024 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PvpConstants.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PvpConstants.java
@@ -30,34 +30,34 @@ import org.opensaml.xml.signature.SignatureConstants;
 public interface PvpConstants extends PVPAttributeDefinitions {
- public static final String DEFAULT_SIGNING_METHODE =
+ String DEFAULT_SIGNING_METHODE =
 SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
- public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256;
- public static final String DEFAULT_SYM_ENCRYPTION_METHODE =
+ String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256;
+ String DEFAULT_SYM_ENCRYPTION_METHODE =
 EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;
- public static final String DEFAULT_ASYM_ENCRYPTION_METHODE =
+ String DEFAULT_ASYM_ENCRYPTION_METHODE =
 EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP;
- public static final String ENTITY_CATEGORY_ATTRIBITE = "http://macedir.org/entity-category";
- public static final String EGOVTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/egovtoken";
- public static final String CITIZENTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/citizentoken";
+ String ENTITY_CATEGORY_ATTRIBITE = "http://macedir.org/entity-category";
+ String EGOVTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/egovtoken";
+ String CITIZENTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/citizentoken";
 @Deprecated
- public static final String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/";
+ String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/";
- public static final String REDIRECT = "Redirect";
- public static final String POST = "Post";
- public static final String SOAP = "Soap";
- public static final String METADATA = "Metadata";
- public static final String ATTRIBUTEQUERY = "AttributeQuery";
- public static final String SINGLELOGOUT = "SingleLogOut";
+ String REDIRECT = "Redirect";
+ String POST = "Post";
+ String SOAP = "Soap";
+ String METADATA = "Metadata";
+ String ATTRIBUTEQUERY = "AttributeQuery";
+ String SINGLELOGOUT = "SingleLogOut";
 /**
 * Get required PVP attributes for egovtoken First : PVP attribute name (OID) Second: FriendlyName
 * Third: Required.
 *
 */
- public static final List> EGOVTOKEN_PVP_ATTRIBUTES =
+ List> EGOVTOKEN_PVP_ATTRIBUTES =
 Collections.unmodifiableList(new ArrayList>() {
 private static final long serialVersionUID = 1L;
 {
@@ -82,7 +82,7 @@ public interface PvpConstants extends PVPAttributeDefinitions {
 * FriendlyName Third: Required.
 *
 */
- public static final List> CITIZENTOKEN_PVP_ATTRIBUTES =
+ List> CITIZENTOKEN_PVP_ATTRIBUTES =
 Collections.unmodifiableList(new ArrayList>() {
 private static final long serialVersionUID = 1L;
 {
@@ -129,10 +129,10 @@ public interface PvpConstants extends PVPAttributeDefinitions {
 });
 // constants for requested SAML2 attribtes by using own namespace
- public static final String EIDAT10_SAML_NS = "http://eid.gv.at/eID/attributes/saml-extensions";
- public static final String EIDAT10_PREFIX = "eid";
+ String EIDAT10_SAML_NS = "http://eid.gv.at/eID/attributes/saml-extensions";
+ String EIDAT10_PREFIX = "eid";
- public static final QName EIDAS_REQUESTED_ATTRIBUTE_VALUE_TYPE =
+ QName EIDAS_REQUESTED_ATTRIBUTE_VALUE_TYPE =
 new QName(EIDAT10_SAML_NS, "AttributeValue", EIDAT10_PREFIX);
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/binding/IDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/binding/IDecoder.java
index 27a6532b..677028a5 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/binding/IDecoder.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/binding/IDecoder.java
@@ -30,11 +30,11 @@ import org.opensaml.xml.security.SecurityException;
 public interface IDecoder {
- public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp,
+ InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp,
 MetadataProvider metadataProvider, boolean isSpEndPoint, URIComparator comparator)
 throws MessageDecodingException, SecurityException, Pvp2Exception;
- public boolean handleDecode(String action, HttpServletRequest req);
+ boolean handleDecode(String action, HttpServletRequest req);
- public String getSaml2BindingName();
+ String getSaml2BindingName();
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IRefreshableMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IRefreshableMetadataProvider.java
index 74ee74de..5f69ba62 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IRefreshableMetadataProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IRefreshableMetadataProvider.java
@@ -33,5 +33,5 @@ public interface IRefreshableMetadataProvider {
 * @param entityID EntityId
 * @return true, if refresh is success, otherwise false
 */
- public boolean refreshMetadataProvider(String entityID);
+ boolean refreshMetadataProvider(String entityID);
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/exception/Pvp2Exception.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/exception/Pvp2Exception.java
index 93980a73..0ea909e2 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/exception/Pvp2Exception.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/exception/Pvp2Exception.java
@@ -40,11 +40,11 @@ public abstract class Pvp2Exception extends EaafException {
 public String getStatusCodeValue() {
- return (this.statusCodeValue);
+ return this.statusCodeValue;
 }
 public String getStatusMessageValue() {
- return (this.statusMessageValue);
+ return this.statusMessageValue;
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java
index 0933f0a2..2734c859 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java
@@ -229,7 +229,7 @@ public class PostBinding implements IDecoder, IEncoder {
 @Override
 public boolean handleDecode(final String action, final HttpServletRequest req) {
- return (req.getMethod().equals("POST") && action.equals(PvpConstants.POST));
+ return req.getMethod().equals("POST") && action.equals(PvpConstants.POST);
 }
 @Override
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java
index 4e548d57..7b8525ce 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java
@@ -229,8 +229,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
 @Override
 public boolean handleDecode(final String action, final HttpServletRequest req) {
- return ((action.equals(PvpConstants.REDIRECT) || action.equals(PvpConstants.SINGLELOGOUT))
- && req.getMethod().equals("GET"));
+ return action.equals(PvpConstants.REDIRECT) || action.equals(PvpConstants.SINGLELOGOUT)
+ && req.getMethod().equals("GET");
 }
 @Override
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java
index 79a88487..2e19f259 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java
@@ -126,8 +126,8 @@ public class SoapBinding implements IDecoder, IEncoder {
 @Override
 public boolean handleDecode(final String action, final HttpServletRequest req) {
- return (req.getMethod().equals("POST")
- && (action.equals(PvpConstants.SOAP) || action.equals(PvpConstants.ATTRIBUTEQUERY)));
+ return req.getMethod().equals("POST")
+ && action.equals(PvpConstants.SOAP) || action.equals(PvpConstants.ATTRIBUTEQUERY);
 }
 @Override
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/message/InboundMessage.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/message/InboundMessage.java
index 107a856e..c21524dd 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/message/InboundMessage.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/message/InboundMessage.java
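Review bot: Removing the inner parentheses in RedirectBinding.handleDecode changed the condition, because `&&` binds tighter than `||`: the new line reads as `REDIRECT || (SINGLELOGOUT && GET)`, so the Redirect action is now accepted for any HTTP method. The SoapBinding hunk has the same slip in the other direction, `(POST && SOAP) || ATTRIBUTEQUERY`, so an AttributeQuery is no longer restricted to POST. Both methods decide which binding decodes an incoming SAML message, so the method check is part of the request validation and the grouping should be restored: `return (action.equals(PvpConstants.REDIRECT) || action.equals(PvpConstants.SINGLELOGOUT)) && req.getMethod().equals("GET");` and `return req.getMethod().equals("POST") && (action.equals(PvpConstants.SOAP) || action.equals(PvpConstants.ATTRIBUTEQUERY));`. The PostBinding hunk is unaffected, since it only joins two terms with `&&`.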
@@ -19,7 +19,13 @@
 package at.gv.egiz.eaaf.modules.pvp2.impl.message;
+import java.io.IOException;
 import java.io.Serializable;
+
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+
+import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
 import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface;
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataProvider;
 import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException;
@@ -28,17 +34,20 @@ import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
 public class InboundMessage implements InboundMessageInterface, Serializable {
 private static final Logger log = LoggerFactory.getLogger(InboundMessage.class);
 private static final long serialVersionUID = 2395131650841669663L;
- private Element samlMessage = null;
+ private transient Element samlMessage = null;
 private boolean verified = false;
 private String entityID = null;
 private String relayState = null;
+ private String serializedSamlMessage;
+
 /**
 * Get SAML2 metadata for Entity that sends this request.
 *
@@ -90,6 +99,13 @@ public class InboundMessage implements InboundMessageInterface, Serializable {
 */
 public void setSamlMessage(final Element msg) {
 this.samlMessage = msg;
+ try {
+ this.serializedSamlMessage = DomUtils.serializeNode(msg);
+
+ } catch (TransformerException | IOException e) {
+ log.warn("Can not serialize message",e );
+
+ }
 }
 /*
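Review bot: The new `catch (TransformerException | IOException e)` in setSamlMessage only logs and leaves `serializedSamlMessage` null, so a message that could not be serialized survives Java serialization as an object whose getInboundMessage() fails much later, far from the cause. Since the field exists only to carry the DOM across serialization, failing here is clearer, e.g. `throw new IllegalStateException("SAML message can not be serialized", e);`, or, if best-effort is intended, a comment on the catch should say so. The log call also has a stray space: `log.warn("Can not serialize message", e);`. Whether samlMessage can be assigned by any path other than setSamlMessage is not visible in this hunk; if it can, that path needs the same serialization step.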
@@ -129,7 +145,20 @@ public class InboundMessage implements InboundMessageInterface, Serializable {
 */
 @Override
 public Element getInboundMessage() {
- return samlMessage;
+ if (this.samlMessage != null) {
+ return samlMessage;
+
+ } else {
+ try {
+ return (Element) DomUtils.parseDocument(serializedSamlMessage, false, null, null);
+
+ } catch (SAXException | IOException | ParserConfigurationException e) {
+ throw new RuntimeException(e);
+
+ }
+
+ }
+
 }
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
index ec81353a..8a6105bc 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
@@ -401,7 +401,7 @@ public abstract class AbstractChainingMetadataProvider extends SimpleMetadataPro
 protected void emitChangeEvent() {
- if ((getObservers() == null) || (getObservers().size() == 0)) {
+ if (getObservers() == null || getObservers().size() == 0) {
 return;
 }
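Review bot: The reparse branch in getInboundMessage parses `serializedSamlMessage` again on every call after deserialization and never stores the result, so each caller pays for a parse and receives a distinct DOM tree; assign it back before returning, `this.samlMessage = (Element) DomUtils.parseDocument(serializedSamlMessage, false, null, null); return this.samlMessage;`. The branch also assumes `serializedSamlMessage` is non-null, which setSamlMessage does not guarantee when serialization failed, and the cast `(Element) DomUtils.parseDocument(...)` only works if parseDocument returns the element rather than a Document, which is not visible here and worth confirming. Because the content originally arrived from a remote party, the parser settings selected by the `false, null, null` arguments (DTD and external-entity handling) are decided inside DomUtils and should be confirmed to match the parser used on the original receive path. Wrapping the failure in a bare `RuntimeException` drops information callers could act on; an `IllegalStateException` with a message naming the SAML message would be more useful.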
@@ -463,13 +463,12 @@ public abstract class AbstractChainingMetadataProvider extends SimpleMetadataPro
 while (metadataUrlInterator.hasNext()) {
 final String metadataurl = metadataUrlInterator.next();
 try {
- if (StringUtils.isNotEmpty(metadataurl)) {
- if (loadedproviders.containsKey(metadataurl)) {
- // SAML2 SP is actually loaded, to nothing
- providersinuse.put(metadataurl, loadedproviders.get(metadataurl));
- loadedproviders.remove(metadataurl);
+ if (StringUtils.isNotEmpty(metadataurl)
+ && loadedproviders.containsKey(metadataurl)) {
+ // SAML2 SP is actually loaded, to nothing
+ providersinuse.put(metadataurl, loadedproviders.get(metadataurl));
+ loadedproviders.remove(metadataurl);
- }
 }
 } catch (final Throwable e) {
 log.error("Failed to add Metadata (unhandled reason: " + e.getMessage(), e);
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
new file mode 100644
index 00000000..a6d2508d
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
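Review bot: The comment carried into the merged condition, `// SAML2 SP is actually loaded, to nothing`, is now the only explanation of the branch and reads as a typo; `// provider for this URL is already loaded: keep it and do not reload` states what the two map operations do. With the nesting gone, the only code left inside the try appears to be a string check and map operations, so the unchanged `catch (final Throwable e)` now reads wider than the block needs and a narrower catch would document the intent better. The enclosing loop and method continue outside the hunk.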
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml;
+
+import java.security.KeyStore;
+import org.opensaml.xml.security.x509.X509Credential;
+
+
+/**
+ * OpenSAML2 KeyStore adapter.
+ *
+ * @author tlenz
+ *
+ */
+public class EaafKeyStoreX509CredentialAdapter
+ extends org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter {
+
+ /**
+ * Get an OpenSAML2 keystore.
+ *
+ * @param store Java KeyStore
+ * @param alias Key alias
+ * @param password key Password
+ */
+ public EaafKeyStoreX509CredentialAdapter(final KeyStore store, final String alias,
+ final char[] password) {
+ super(store, alias, password);
+ }
+
+ @Override
+ public Class getCredentialType() {
+ return X509Credential.class;
+ }
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java
index 860eec64..957def02 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java
@@ -101,7 +101,7 @@ public class HttpPostEncoderWithOwnTemplate extends HTTPPostEncoder {
 // evaluate template and write content to response
 final Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8");
 velocityEngine.evaluate(context, out, "SAML2_POST_BINDING",
- new BufferedReader(new InputStreamReader(is)));
+ new BufferedReader(new InputStreamReader(is, "UTF-8")));
 out.flush();
 } catch (final Exception e) {
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/KeyStoreX509CredentialAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/KeyStoreX509CredentialAdapter.java
deleted file mode 100644
index d84b407f..00000000
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/KeyStoreX509CredentialAdapter.java
+++ /dev/null
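Review bot: The charset is passed as the string literal `"UTF-8"` in the new InputStreamReader, which keeps `UnsupportedEncodingException` on the checked-exception path and repeats the literal already used for the OutputStreamWriter on the context line above; `new BufferedReader(new InputStreamReader(is, StandardCharsets.UTF_8))`, with the same change for the writer, avoids both and needs only `java.nio.charset.StandardCharsets`. The enclosing try block starts outside the hunk, so whether the broad `catch (final Exception e)` below is the right place to see a charset problem cannot be judged from here.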
@@ -1,53 +0,0 @@
-/*
- * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
- * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
- * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
- * compliance with the Licence. You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the Licence
- * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the Licence for the specific language governing permissions and limitations under
- * the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text file for details on the
- * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
- * works that you distribute must include a readable copy of the "NOTICE" text file.
-*/
-
-package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml;
-
-import java.security.KeyStore;
-import org.opensaml.xml.security.x509.X509Credential;
-
-
-/**
- * OpenSAML2 KeyStore adapter.
- *
- * @author tlenz
- *
- */
-public class KeyStoreX509CredentialAdapter
- extends org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter {
-
- /**
- * Get an OpenSAML2 keystore.
- *
- * @param store Java KeyStore
- * @param alias Key alias
- * @param password key Password
- */
- public KeyStoreX509CredentialAdapter(final KeyStore store, final String alias,
- final char[] password) {
- super(store, alias, password);
- }
-
- @Override
- public Class getCredentialType() {
- return X509Credential.class;
- }
-
-
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index ea361f11..ec4009f0 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -26,7 +26,7 @@ import java.security.interfaces.RSAPrivateKey;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
 import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.KeyStoreX509CredentialAdapter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
 import org.apache.commons.lang3.StringUtils;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
@@ -120,7 +120,7 @@ public abstract class AbstractCredentialProvider {
 keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), getKeyStorePassword());
 }
- final KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(keyStore,
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
 getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray());
 credentials.setUsageType(UsageType.SIGNING);
@@ -152,7 +152,7 @@ public abstract class AbstractCredentialProvider {
 keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), getKeyStorePassword());
 }
- final KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(keyStore,
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
 getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray());
 credentials.setUsageType(UsageType.SIGNING);
@@ -191,7 +191,7 @@ public abstract class AbstractCredentialProvider {
 return null;
 }
- final KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(keyStore,
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
 getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray());
 credentials.setUsageType(UsageType.ENCRYPTION);
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
index 1c7a9652..8bcc3e74 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
@@ -20,7 +20,6 @@
 package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
 import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
@@ -34,7 +33,6 @@ import at.gv.egiz.eaaf.core.impl.utils.Random;
 import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
 import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
 import org.apache.commons.lang3.StringUtils;
-import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.Status;
@@ -56,8 +54,6 @@ import org.w3c.dom.Document;
 public class Saml2Utils {
 private static final Logger log = LoggerFactory.getLogger(Saml2Utils.class);
- private static SecureRandomIdentifierGenerator idGenerator;
-
 private static DocumentBuilder builder;
 static {
@@ -70,15 +66,7 @@ public class Saml2Utils {
 } catch (final ParserConfigurationException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
- }
-
- try {
- idGenerator = new SecureRandomIdentifierGenerator();
-
- } catch (final NoSuchAlgorithmException e) {
- e.printStackTrace();
-
- }
+ }
 }
 /**
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpAuthRequestSignedRole.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpAuthRequestSignedRole.java
index 4eb711f9..8f042ae2 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpAuthRequestSignedRole.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpAuthRequestSignedRole.java
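Review bot: With the identifier-generator block removed, the static initializer in the `@@ -70,15 +66,7 @@` hunk still handles `ParserConfigurationException` with `e.printStackTrace()` under a leftover `// TODO Auto-generated catch block`, which leaves `builder` null and defers the failure to the first caller as a NullPointerException. Since the class already has `log`, `log.error("Can not initialize DocumentBuilder", e); throw new ExceptionInInitializerError(e);` surfaces the problem at class-load time with its cause attached. The start of the static block lies outside the hunk.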
@@ -46,8 +46,8 @@ public class PvpAuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
 final List samlReqParam = inTransport.getParameterValues("SAMLRequest");
 final List samlRespParam = inTransport.getParameterValues("SAMLResponse");
 final boolean isValidContent =
- ((samlReqParam.size() == 1 && !DatatypeHelper.isEmpty(samlReqParam.get(0)))
- || (samlRespParam.size() == 1 && !DatatypeHelper.isEmpty(samlRespParam.get(0))))
+ (samlReqParam.size() == 1 && !DatatypeHelper.isEmpty(samlReqParam.get(0))
+ || samlRespParam.size() == 1 && !DatatypeHelper.isEmpty(samlRespParam.get(0)))
 && !(samlReqParam.size() == 1 && samlRespParam.size() == 1);
 return isValidSigned && isValidSigAlgExists && isValidContent;
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index 64eb5247..024c35d8 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -23,6 +23,8 @@ import javax.xml.namespace.QName;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.Validator;
+
+import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
 import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataProvider;
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
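Review bot: Dropping the inner parentheses in `isValidContent` is behaviour-preserving here, because `&&` binds tighter than `||`, but the reader now has to re-derive that for a five-term expression that gates whether a signed request or response is accepted at all. Keeping the explicit `(a && b) || (c && d)` grouping the old lines had costs nothing and is the safer habit, given that the same rewrite silently changed the condition in the RedirectBinding and SoapBinding hunks of this commit. The enclosing method starts and ends outside the hunk.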
@@ -73,10 +75,15 @@ public class SamlVerificationEngine {
 try {
 if (msg instanceof PvpSProfileRequest
 && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
- verifyRequest(((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest()),
+ verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(),
 sigTrustEngine);
- } else {
+ } else if (msg instanceof PvpSProfileResponse){
 verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine);
+
+ } else {
+ log.warn("SAML2 message type: {} not supported", msg.getClass().getName());
+ throw new EaafProtocolException("9999", null);
+
 }
 } catch (final InvalidProtocolRequestException e) {
@@ -96,7 +103,7 @@ public class SamlVerificationEngine {
 if (msg instanceof PvpSProfileRequest
 && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
- verifyRequest(((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest()),
+ verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(),
 sigTrustEngine);
 } else {
 verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine);
--
cgit v1.2.3
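Review bot: The second hunk (`@@ -96,7 +103,7 @@`) keeps the plain `else` that casts `msg` to `PvpSProfileResponse`, so an unsupported message type reaching that entry point still ends in a ClassCastException, while the first hunk now rejects it with `EaafProtocolException`; apply the same `} else if (msg instanceof PvpSProfileResponse) {` guard and the same error branch there so both paths fail identically. In the first hunk, `} else if (msg instanceof PvpSProfileResponse){` is missing the space before the brace, and `msg.getClass().getName()` in the warning throws a NullPointerException if a null message ever arrives, which cannot be judged from this hunk. The literal `"9999"` passed to EaafProtocolException reads as an error code; if a named constant exists for it, that would say what the code means. Both enclosing methods start and end outside the hunk.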