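/*
 * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
 * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
 * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
 * compliance with the Licence. You may obtain a copy of the Licence at:
 * https://joinup.ec.europa.eu/news/understanding-eupl-v12
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence
 * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the Licence for the specific language governing permissions and limitations under
 * the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text file for details on the
 * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
 * works that you distribute must include a readable copy of the "NOTICE" text file.
 */

package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;

import java.util.HashMap;
import java.util.Map;

import javax.annotation.Nonnull;
import javax.xml.XMLConstants;

import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.xmlsec.DecryptionConfiguration;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureValidationConfiguration;

import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import net.shibboleth.utilities.java.support.xml.ParserPool;

/**
 * EAAF specific OpenSAML Initializer.
 *
 * <p>Runs the default OpenSAML {@link InitializationService#initialize()} and afterwards injects
 * the EAAF-specific security configuration, registers the EAAF XML object providers and installs a
 * hardened (XXE-resistant) XML parser-pool as the global OpenSAML parser-pool.</p>
 *
 * <p>NOTE(review): the log messages refer to "OpenSAML 4.x" while the class name says "3.x" --
 * confirm which library version is actually targeted and align the naming.</p>
 *
 * @author tlenz
 *
 */
@Slf4j
public class EaafOpenSaml3xInitializer extends InitializationService {

  /**
   * EAAF specific OpenSAML initialization.
   *
   * <p>Performs, in this order: the standard OpenSAML initialization, registration of the EAAF
   * encryption/decryption/signing/signature-validation configuration, registration of the EAAF
   * {@code RequestedAttribute} / {@code RequestedAttributes} object providers, and replacement of
   * the global parser-pool by {@link #eaafSecuredBasicParserPool()}. The method is
   * {@code synchronized} on the class, so concurrent callers are serialized.</p>
   *
   * @throws InitializationException In case of an error
   * @throws ComponentInitializationException In case of an OpenSAML initialization error
   */
  public static synchronized void eaafInitialize()
      throws InitializationException, ComponentInitializationException {
    log.debug("Initializing OpenSAML 4.x ... ");
    initialize();

    log.debug("Injecting EAAF-specific configuration into OpenSAML 4.x ... ");
    injectEaafSecurityProperty();
    injectEaafExtensions();

    // Replace the library default parser-pool with the hardened one so that every XML document
    // OpenSAML parses (metadata, protocol messages, ...) goes through the restricted features.
    XMLObjectProviderRegistrySupport.setParserPool(eaafSecuredBasicParserPool());

    log.info("OpenSAML 4.x with EAAF extensions initialized");
  }

  /**
   * Register the EAAF-specific XML-security defaults with the OpenSAML
   * {@link ConfigurationService}.
   *
   * <p>These replace the library defaults for encryption, decryption, signing and signature
   * validation that are looked up by type later on.</p>
   */
  private static void injectEaafSecurityProperty() {
    ConfigurationService.register(EncryptionConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaafEncryptionConfiguration());
    ConfigurationService.register(DecryptionConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaaftDecryptionConfiguration());
    ConfigurationService.register(SignatureSigningConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureSigningConfiguration());
    ConfigurationService.register(SignatureValidationConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureValidationConfiguration());
  }

  /**
   * Register builder, marshaller and unmarshaller for the EAAF
   * {@code RequestedAttribute} and {@code RequestedAttributes} extension elements.
   */
  private static void injectEaafExtensions() {
    XMLObjectProviderRegistrySupport.registerObjectProvider(
        EaafRequestedAttribute.DEFAULT_ELEMENT_NAME,
        new EaafRequestedAttributeBuilder(),
        new EaafRequestedAttributeMarshaller(),
        new EaafRequestedAttributeUnmarshaller());

    XMLObjectProviderRegistrySupport.registerObjectProvider(
        EaafRequestedAttributes.DEFAULT_ELEMENT_NAME,
        new EaafRequestedAttributesBuilder(),
        new EaafRequestedAttributesMarshaller(),
        new EaafRequestedAttributesUnmarshaller());
  }

  /**
   * Build a secured OpenSAML XML parser-pool.
   *
   * <p>The pool is namespace-aware, drops comments, does not expand entity references, has
   * XInclude disabled and applies the parser features from
   * {@link #getSecureDocumentBuilderFeatures()} (DOCTYPE disallowed, external entities and
   * external DTD loading off, secure processing on).</p>
   *
   * @return {@link ParserPool}
   * @throws ComponentInitializationException In case of an initialization error
   */
  @Nonnull
  private static ParserPool eaafSecuredBasicParserPool() throws ComponentInitializationException {
    // Get parser pool manager
    final BasicParserPool parserPool = new BasicParserPool();

    // Note: this is necessary due to an unresolved Xerces deferred DOM issue/bug
    parserPool.setBuilderFeatures(getSecureDocumentBuilderFeatures());
    parserPool.setNamespaceAware(true);
    parserPool.setIgnoreComments(true);
    parserPool.setExpandEntityReferences(false);
    parserPool.setXincludeAware(false);
    parserPool.initialize();

    return parserPool;
  }

  /**
   * Parser features that harden the DOM builders of the parser-pool against XML external
   * entity (XXE) and related DTD-based attacks.
   *
   * <p>The raw {@code Map} of the previous version is now typed to match
   * {@link BasicParserPool#setBuilderFeatures(Map)}.</p>
   *
   * @return mutable map of feature URI to its enabled/disabled state
   */
  @Nonnull
  private static Map<String, Boolean> getSecureDocumentBuilderFeatures() {
    final Map<String, Boolean> features = new HashMap<>();

    // JAXP secure-processing limits (entity expansion, element depth, ...).
    features.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);

    // Ignore the external DTD completely
    // Note: this is for Xerces only:
    features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);

    // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all
    // XML entity attacks are prevented
    // Xerces 2 only -
    // http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);

    // If you can't completely disable DTDs, then at least do the following:
    // Xerces 1 -
    // http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 -
    // http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);

    // Xerces 1 -
    // http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 -
    // http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);

    return features;
  }
}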