Diffstat (limited to 'connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java')
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java243
1 files changed, 127 insertions, 116 deletions
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java
index eeaea135..b6dd249a 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java
@@ -1,6 +1,6 @@
-/*******************************************************************************
+/*
* Copyright 2018 A-SIT Plus GmbH
- * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
* A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
@@ -19,9 +19,8 @@
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+*/
+
package at.asitplus.eidas.specific.connector.verification;
import java.io.IOException;
@@ -49,116 +48,128 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.SamlRequestNotSignedException;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.AbstractMetadataSignatureFilter;
-public class MetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter{
- private static final Logger log = LoggerFactory.getLogger(MetadataSignatureVerificationFilter.class);
-
- private String metadataURL;
- private List<BasicX509Credential> trustedCredential = new ArrayList<BasicX509Credential>();
-
- public MetadataSignatureVerificationFilter(String trustStorePath, String trustStorePassword, String metadataURL)
- throws Pvp2MetadataException {
- this.metadataURL = metadataURL;
-
- log.trace("Initialize metadata signature-verification filter with truststore: " + trustStorePath + " ... ");
- try {
- KeyStore keyStore = KeyStoreUtils.loadKeyStore(trustStorePath, trustStorePassword);
- if (keyStore != null) {
- //load trusted certificates
- Enumeration<String> aliases = keyStore.aliases();
- while(aliases.hasMoreElements()) {
- String el = aliases.nextElement();
- log.trace("Process TrustStoreEntry: " + el);
- if (keyStore.isCertificateEntry(el)) {
- Certificate cert = keyStore.getCertificate(el);
- if (cert != null && cert instanceof X509Certificate) {
- BasicX509Credential trustedCert = new BasicX509Credential();
- trustedCert.setEntityCertificate((X509Certificate) cert);
- this.trustedCredential.add(trustedCert);
- log.debug("Add cert: " + ((X509Certificate) cert).getSubjectDN() + " as trusted for metadata: " + metadataURL);
-
- } else
- log.info("Can not process entry: " + el + ". Reason: " + cert.toString());
-
- }
- }
-
-
- } else
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] {"Can not open trustStore: " + trustStorePath + " for metadata: " + metadataURL});
-
- } catch (KeyStoreException | IOException e) {
- log.warn("Can not open trustStore: " + trustStorePath + " for metadata: " + metadataURL + " Reason: " + e.getMessage(), e);
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] {"Can not open trustStore: " + trustStorePath + " for metadata"}, e);
-
- }
-
-
- }
-
-
- @Override
- protected void verify(EntityDescriptor desc) throws Pvp2MetadataException {
- try {
- internalVerify(desc);
-
- } catch (EaafException e) {
- log.info("Metadata verification FAILED for: " + metadataURL + " Reason: " +e.getMessage());
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] {"Metadata verification FAILED for: " + metadataURL + " Reason: " +e.getMessage()}, e);
-
- }
- }
-
- @Override
- protected void verify(EntitiesDescriptor desc) throws Pvp2MetadataException {
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] {"EntitiesDescritors are NOT supported"});
-
- }
-
- @Override
- protected void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws Pvp2MetadataException {
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] {"EntitiesDescritors are NOT supported"});
-
- }
-
- private void internalVerify(SignableSAMLObject signedElement)
- throws EaafException {
- if (signedElement.getSignature() == null) {
- throw new SamlRequestNotSignedException();
- }
-
- try {
- SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
- sigValidator.validate(signedElement.getSignature());
- } catch (ValidationException e) {
- log.error("Failed to validate Signature", e);
- throw new SamlRequestNotSignedException(e);
- }
-
- boolean isTrusted = false;
- for (BasicX509Credential cred : trustedCredential) {
- SignatureValidator sigValidator = new SignatureValidator(cred);
- try {
- sigValidator.validate(signedElement.getSignature());
- isTrusted = true;
-
- } catch (ValidationException e) {
- log.info("Failed to verfiy Signature with cert: " + cred.getEntityCertificate().getSubjectDN()
- + " Reason: " + e.getMessage());
-
- }
- }
-
- if (!isTrusted) {
- log.warn("PVP2 metadata: " + metadataURL + " are NOT trusted!");
- throw new SamlRequestNotSignedException();
-
- }
-
- }
+public class MetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter {
+ private static final Logger log = LoggerFactory.getLogger(MetadataSignatureVerificationFilter.class);
+
+ private final String metadataUrl;
+ private final List<BasicX509Credential> trustedCredential = new ArrayList<>();
+
+ /**
+ * SAML2 Metadata signature verifier that checks signer certificates based on local TrustStores.
+ *
+ * @param trustStorePath Path to truststore
+ * @param trustStorePassword TrustStore password
+ * @param metadataUrl URL to PVP2 metadata
+ * @throws Pvp2MetadataException In case of a verification error
+ */
+ public MetadataSignatureVerificationFilter(String trustStorePath, String trustStorePassword,
+ String metadataUrl)
+ throws Pvp2MetadataException {
+ this.metadataUrl = metadataUrl;
+
+ log.trace("Initialize metadata signature-verification filter with truststore: " + trustStorePath
+ + " ... ");
+ try {
+ final KeyStore keyStore = KeyStoreUtils.loadKeyStore(trustStorePath, trustStorePassword);
+ if (keyStore != null) {
+ // load trusted certificates
+ final Enumeration<String> aliases = keyStore.aliases();
+ while (aliases.hasMoreElements()) {
+ final String el = aliases.nextElement();
+ log.trace("Process TrustStoreEntry: " + el);
+ if (keyStore.isCertificateEntry(el)) {
+ final Certificate cert = keyStore.getCertificate(el);
+ if (cert != null && cert instanceof X509Certificate) {
+ final BasicX509Credential trustedCert = new BasicX509Credential();
+ trustedCert.setEntityCertificate((X509Certificate) cert);
+ this.trustedCredential.add(trustedCert);
+ log.debug("Add cert: " + ((X509Certificate) cert).getSubjectDN() + " as trusted for metadata: "
+ + metadataUrl);
+
+ } else {
+ log.info("Can not process entry: " + el + ". Reason: is null");
+ }
+
+ }
+ }
+
+ } else {
+ throw new Pvp2MetadataException("pvp2.26",
+ new Object[] { "Can not open trustStore: " + trustStorePath + " for metadata: " + metadataUrl });
+ }
+
+ } catch (KeyStoreException | IOException e) {
+ log.warn("Can not open trustStore: " + trustStorePath + " for metadata: " + metadataUrl + " Reason: "
+ + e.getMessage(), e);
+ throw new Pvp2MetadataException("pvp2.26",
+ new Object[] { "Can not open trustStore: " + trustStorePath + " for metadata" }, e);
+
+ }
+
+ }
+
+ @Override
+ protected void verify(EntityDescriptor desc) throws Pvp2MetadataException {
+ try {
+ internalVerify(desc);
+
+ } catch (final EaafException e) {
+ log.info("Metadata verification FAILED for: " + metadataUrl + " Reason: " + e.getMessage());
+ throw new Pvp2MetadataException("pvp2.26",
+ new Object[] { "Metadata verification FAILED for: " + metadataUrl + " Reason: " + e.getMessage() },
+ e);
+
+ }
+ }
+
+ @Override
+ protected void verify(EntitiesDescriptor desc) throws Pvp2MetadataException {
+ throw new Pvp2MetadataException("pvp2.26",
+ new Object[] { "EntitiesDescritors are NOT supported" });
+
+ }
+
+ @Override
+ protected void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws Pvp2MetadataException {
+ throw new Pvp2MetadataException("pvp2.26",
+ new Object[] { "EntitiesDescritors are NOT supported" });
+
+ }
+
+ private void internalVerify(SignableSAMLObject signedElement)
+ throws EaafException {
+ if (signedElement.getSignature() == null) {
+ throw new SamlRequestNotSignedException();
+ }
+
+ try {
+ final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(signedElement.getSignature());
+ } catch (final ValidationException e) {
+ log.error("Failed to validate Signature", e);
+ throw new SamlRequestNotSignedException(e);
+ }
+
+ boolean isTrusted = false;
+ for (final BasicX509Credential cred : trustedCredential) {
+ final SignatureValidator sigValidator = new SignatureValidator(cred);
+ try {
+ sigValidator.validate(signedElement.getSignature());
+ isTrusted = true;
+
+ } catch (final ValidationException e) {
+ log.info("Failed to verfiy Signature with cert: " + cred.getEntityCertificate().getSubjectDN()
+ + " Reason: " + e.getMessage());
+
+ }
+ }
+
+ if (!isTrusted) {
+ log.warn("PVP2 metadata: " + metadataUrl + " are NOT trusted!");
+ throw new SamlRequestNotSignedException();
+
+ }
+
+ }
}
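Review bot: The else branch after the `instanceof` check (the `log.info("Can not process entry: " + el + ". Reason: is null")` line) now reports `is null` for every rejected entry, but it is also reached when `getCertificate` returns a non-null certificate that is simply not an `X509Certificate`, so the message is wrong in that case; the old `cert.toString()` at least showed the object, at the cost of an NPE on null. Something like `log.info("Can not process entry: " + el + ". Reason: " + (cert == null ? "certificate is null" : "unsupported certificate type " + cert.getClass().getName()));` keeps the null-safety the commit adds without misreporting. The `cert != null &&` part of that condition is redundant, since `instanceof` is already false for null. Separately, nothing after the alias loop reports the case where no certificate entry was accepted, so an empty or mis-populated truststore only surfaces later as every metadata verification failing in `internalVerify`; a `log.warn` when `trustedCredential.isEmpty()` at the end of the constructor would make that misconfiguration visible at startup.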