/* * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. * * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in * compliance with the Licence. You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * * Unless required by applicable law or agreed to in writing, software distributed under the Licence * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express * or implied. See the Licence for the specific language governing permissions and limitations under * the Licence. * * This product combines work with different licenses. See the "NOTICE" text file for details on the * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative * works that you distribute must include a readable copy of the "NOTICE" text file. */ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import java.time.Duration; import java.time.Instant; import java.util.ArrayList; import java.util.List; import javax.xml.namespace.QName; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; import org.apache.commons.lang3.StringUtils; import org.apache.xml.security.algorithms.JCEMapper; import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.core.xml.io.MarshallingException; import org.opensaml.core.xml.util.XMLObjectSupport; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml.common.xml.SAMLSchemaBuilder.SAML1Version; import org.opensaml.saml.criterion.EntityRoleCriterion; import org.opensaml.saml.criterion.ProtocolCriterion; import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.Audience; import org.opensaml.saml.saml2.core.AudienceRestriction; import org.opensaml.saml.saml2.core.Conditions; import org.opensaml.saml.saml2.core.EncryptedAssertion; import org.opensaml.saml.saml2.core.RequestAbstractType; import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.StatusCode; import org.opensaml.saml.saml2.core.StatusResponseType; import org.opensaml.saml.saml2.encryption.Decrypter; import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator; import org.opensaml.security.credential.UsageType; import org.opensaml.security.criteria.UsageCriterion; import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver; import org.opensaml.xmlsec.encryption.support.DecryptionException; import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver; import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver; import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; import org.w3c.dom.Element; import org.xml.sax.SAXException; import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.URIException; import net.shibboleth.utilities.java.support.net.impl.BasicURLComparator; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.xml.SerializeSupport; @Slf4j public class SamlVerificationEngine { private static SAMLSchemaBuilder schemaBuilder = new SAMLSchemaBuilder(SAML1Version.SAML_11); private static final String ERROR_03 = "internal.pvp.03"; private static final String ERROR_10 = "internal.pvp.10"; private static final String ERROR_14 = "internal.pvp.14"; private static final String ERROR_15 = "internal.pvp.15"; private static final String ERROR_16 = "internal.pvp.16"; private static final String ERROR_17 = "internal.pvp.17"; private static final Object SIG_VAL_ERROR_MSG = "Signature verification return false"; /** * allow 3 minutes time jitter in before validation. */ private static final int TIME_JITTER = 3; /** * Verify signature of a signed SAML2 object. * *
This method only perform signature verification
* * @param msg SAML2 message * @param sigTrustEngine TrustEngine * @throws org.opensaml.xml.security.SecurityException In case of invalid * signature * @throws Exception In case of a general * error */ public void verify(final InboundMessage msg, final SignatureTrustEngine sigTrustEngine) throws SecurityException, Exception { try { if (msg instanceof PvpSProfileRequest && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), sigTrustEngine); } else if (msg instanceof PvpSProfileResponse) { verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); } else { log.warn("SAML2 message type: {} not supported", msg.getClass().getName()); throw new EaafProtocolException("internal.pvp.99", null); } } catch (final InvalidProtocolRequestException e) { if (StringUtils.isEmpty(msg.getEntityID())) { throw e; } log.debug("PVP2X message validation FAILED. Relead metadata for entityID: {}", msg.getEntityID()); if (sigTrustEngine instanceof SignatureTrustEngineDecorator) { IPvp2MetadataProvider metadataProvider = ((SignatureTrustEngineDecorator) sigTrustEngine).getMetadataProvider(); if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) || !((IRefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(msg.getEntityID())) { throw e; } else { log.trace("PVP2X metadata reload finished. Check validate message again."); if (msg instanceof PvpSProfileRequest && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), sigTrustEngine); } else { verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); } } log.trace("Second PVP2X message validation finished"); } else { log.debug("TrustEninge is not of type: {} Dynamic SAML2 metadata refresh not possibile.", SignatureTrustEngineDecorator.class); throw e; } } } /** * Verify the signature of a signed SAML2 object from ServiceProvider. * * @param samlObj signed Response from ServiceProvider * @param sigTrustEngine TrustEngie for verification * @throws InvalidProtocolRequestException In case of a verification error */ public void verifySloResponse(final StatusResponseType samlObj, final SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException { verifyResponse(samlObj, sigTrustEngine, SPSSODescriptor.DEFAULT_ELEMENT_NAME); } /** * Verify the signature of a signed SAML2 object from IDP. * *This method only perform signature verification
* * @param samlObj signed SAML2 message from IDP * @param sigTrustEngine TrustEngie for verification * @throws InvalidProtocolRequestException In case of a verification error */ public void verifyIdpResponse(final StatusResponseType samlObj, final SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException { verifyResponse(samlObj, sigTrustEngine, IDPSSODescriptor.DEFAULT_ELEMENT_NAME); } /** * Validate a PVP response and all included assertions. * ** If the SAML2 assertions are encrypted than they will be decrypted afterwards *
* *This method DOES NOT verify the Destination attribute in SAML2 Response
* * @param samlResp SAML2 Response object * @param assertionDecryption Assertion decryption-credentials to decrypt SAML2 * assertions * @param spEntityID EntityId of the SAML2 client * @param loggerName Name for logging purposes * @throws SamlAssertionValidationExeption In case of a validation error */ public void validateAssertion(Response samlResp, EaafX509Credential assertionDecryption, String spEntityID, String loggerName) throws SamlAssertionValidationExeption { validateAssertion(samlResp, assertionDecryption, spEntityID, loggerName, true); } /** * Validate each SAML2 assertions in a SAML2 response.* If the SAML2 assertions are encrypted than they will be decrypted afterwards *
* *This method DOES NOT verify the Destination attribute in SAML2 Response
* * @param samlResp SAML2 Response object * @param assertionDecryption Assertion decryption-credentials to decrypt SAML2 * assertions * @param spEntityID EntityId of the SAML2 client * @param loggerName Name for logging purposes * @param validateDateTimetrue
if getIssueInstant
* attribute should be validated, otherwise false
* @throws SamlAssertionValidationExeption In case of a validation error
*/
public void validateAssertion(Response samlResp, EaafX509Credential assertionDecryption,
String spEntityID, String loggerName, boolean validateDateTime)
throws SamlAssertionValidationExeption {
try {
// pre-validate the SAML2 response
assertionPreValidation(samlResp, loggerName, validateDateTime);
// get Assertion from response and decrypt them if the are encrypted
final List