/* * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. * * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in * compliance with the Licence. You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * * Unless required by applicable law or agreed to in writing, software distributed under the Licence * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express * or implied. See the Licence for the specific language governing permissions and limitations under * the Licence. * * This product combines work with different licenses. See the "NOTICE" text file for details on the * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative * works that you distribute must include a readable copy of the "NOTICE" text file. 
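*/
package at.gv.egiz.eaaf.modules.pvp2.impl.validation;

import java.util.ArrayList;
import java.util.List;

import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;

/**
 * Factory for the OpenSAML {@link SignatureTrustEngine} used to validate PVP2 / SAML2 message
 * signatures.
 *
 * <p>The engine built here is an <em>explicit-key</em> engine ({@link ExplicitKeySignatureTrustEngine}):
 * the trusted credentials are the keys published in the peer's SAML metadata. Keys or certificates
 * that are merely embedded in a signature's {@code KeyInfo} are resolved as the <em>candidate</em>
 * credential and must match a trusted metadata key; no PKIX chain building is configured, so an
 * inline certificate does not establish trust by itself.
 */
@Slf4j
public class TrustEngineFactory {

  /**
   * Build an explicit-key {@link SignatureTrustEngine} whose trusted keys come from SAML metadata.
   *
   * <p>Trusted credentials are resolved from the role descriptors supplied by {@code mdResolver};
   * {@code requireValidMetadata} is enabled so that descriptors whose metadata is no longer valid are
   * not used as a trust source. The same {@link KeyInfoCredentialResolver} (inline RSA / DSA key
   * values and inline X.509 data) is used both to parse the {@code KeyInfo} of metadata
   * {@code KeyDescriptor}s and to extract the candidate key from a signature under validation.
   *
   * @param mdResolver Metadata provider that supplies the trusted role descriptors
   * @return TrustEngine for SAML2 message validation
   * @throws Pvp2InternalErrorException In case of a TrustEngine initialization error
   */
  public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(
      final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException {
    try {
      // KeyInfo providers that turn <ds:KeyInfo> content into credentials. Typed list instead of
      // the raw List the original used. NOTE(review): DSA is presumably kept for legacy peers;
      // with an explicit-key engine a DSA candidate can only be trusted if metadata publishes it.
      final List<KeyInfoProvider> keyInfoProviders = new ArrayList<>();
      keyInfoProviders.add(new DSAKeyValueProvider());
      keyInfoProviders.add(new RSAKeyValueProvider());
      keyInfoProviders.add(new InlineX509DataProvider());
      final KeyInfoCredentialResolver keyInfoCredentialResolver =
          new BasicProviderKeyInfoCredentialResolver(keyInfoProviders);

      // Trusted keys are taken from metadata only; metadata that is no longer valid must not be
      // used as a trust anchor.
      final PredicateRoleDescriptorResolver roleDescriptorResolver =
          new PredicateRoleDescriptorResolver(mdResolver);
      roleDescriptorResolver.setRequireValidMetadata(true);
      roleDescriptorResolver.initialize();

      final MetadataCredentialResolver trustedCredentialResolver = new MetadataCredentialResolver();
      trustedCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
      trustedCredentialResolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver);
      trustedCredentialResolver.initialize();

      // First argument: trusted credentials (metadata); second: resolver for the signature's own
      // KeyInfo, i.e. the untrusted candidate that is matched against the trusted set.
      return new ExplicitKeySignatureTrustEngine(trustedCredentialResolver, keyInfoCredentialResolver);

    } catch (final ComponentInitializationException e) {
      log.warn("Initialization of SignatureTrustEngine FAILED.", e);
      // Preserve the cause so the underlying OpenSAML initialization problem stays diagnosable.
      throw new Pvp2InternalErrorException(e);
    }
  }
}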