From 7ba8da297b7be40255ba5efb40c69a21fb130b3b Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Fri, 21 Feb 2020 16:22:31 +0100
Subject: update to latest EAAF-components that uses OpenSAML3.x
---
.../MetadataSignatureVerificationFilter.java | 175 ---------------------
1 file changed, 175 deletions(-)
delete mode 100644 connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java
(limited to 'connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java')
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java
deleted file mode 100644
index b6dd249a..00000000
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/MetadataSignatureVerificationFilter.java
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright 2018 A-SIT Plus GmbH
- * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
- * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "License");
- * You may not use this work except in compliance with the License.
- * You may obtain a copy of the License at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
-*/
-
-package at.asitplus.eidas.specific.connector.verification;
-
-import java.io.IOException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Enumeration;
-import java.util.List;
-
-import org.opensaml.common.SignableSAMLObject;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.opensaml.xml.signature.SignatureValidator;
-import org.opensaml.xml.validation.ValidationException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.SamlRequestNotSignedException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.AbstractMetadataSignatureFilter;
-
-public class MetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter {
- private static final Logger log = LoggerFactory.getLogger(MetadataSignatureVerificationFilter.class);
-
- private final String metadataUrl;
- private final List trustedCredential = new ArrayList<>();
-
- /**
- * SAML2 Metadata signature verifier that checks signer certificates based on local TrustStores.
- *
- * @param trustStorePath Path to truststore
- * @param trustStorePassword TrustStore password
- * @param metadataUrl URL to PVP2 metadata
- * @throws Pvp2MetadataException In case of a verification error
- */
- public MetadataSignatureVerificationFilter(String trustStorePath, String trustStorePassword,
- String metadataUrl)
- throws Pvp2MetadataException {
- this.metadataUrl = metadataUrl;
-
- log.trace("Initialize metadata signature-verification filter with truststore: " + trustStorePath
- + " ... ");
- try {
- final KeyStore keyStore = KeyStoreUtils.loadKeyStore(trustStorePath, trustStorePassword);
- if (keyStore != null) {
- // load trusted certificates
- final Enumeration aliases = keyStore.aliases();
- while (aliases.hasMoreElements()) {
- final String el = aliases.nextElement();
- log.trace("Process TrustStoreEntry: " + el);
- if (keyStore.isCertificateEntry(el)) {
- final Certificate cert = keyStore.getCertificate(el);
- if (cert != null && cert instanceof X509Certificate) {
- final BasicX509Credential trustedCert = new BasicX509Credential();
- trustedCert.setEntityCertificate((X509Certificate) cert);
- this.trustedCredential.add(trustedCert);
- log.debug("Add cert: " + ((X509Certificate) cert).getSubjectDN() + " as trusted for metadata: "
- + metadataUrl);
-
- } else {
- log.info("Can not process entry: " + el + ". 
Reason: is null");
- }
-
- }
- }
-
- } else {
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] { "Can not open trustStore: " + trustStorePath + " for metadata: " + metadataUrl });
- }
-
- } catch (KeyStoreException | IOException e) {
- log.warn("Can not open trustStore: " + trustStorePath + " for metadata: " + metadataUrl + " Reason: "
- + e.getMessage(), e);
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] { "Can not open trustStore: " + trustStorePath + " for metadata" }, e);
-
- }
-
- }
-
- @Override
- protected void verify(EntityDescriptor desc) throws Pvp2MetadataException {
- try {
- internalVerify(desc);
-
- } catch (final EaafException e) {
- log.info("Metadata verification FAILED for: " + metadataUrl + " Reason: " + e.getMessage());
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] { "Metadata verification FAILED for: " + metadataUrl + " Reason: " + e.getMessage() },
- e);
-
- }
- }
-
- @Override
- protected void verify(EntitiesDescriptor desc) throws Pvp2MetadataException {
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] { "EntitiesDescritors are NOT supported" });
-
- }
-
- @Override
- protected void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws Pvp2MetadataException {
- throw new Pvp2MetadataException("pvp2.26",
- new Object[] { "EntitiesDescritors are NOT supported" });
-
- }
-
- private void internalVerify(SignableSAMLObject signedElement)
- throws EaafException {
- if (signedElement.getSignature() == null) {
- throw new SamlRequestNotSignedException();
- }
-
- try {
- final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
- sigValidator.validate(signedElement.getSignature());
- } catch (final ValidationException e) {
- log.error("Failed to validate Signature", e);
- throw new SamlRequestNotSignedException(e);
- }
-
- boolean isTrusted = false;
- for (final BasicX509Credential cred : trustedCredential) {
- final SignatureValidator sigValidator = new 
SignatureValidator(cred);
- try {
- sigValidator.validate(signedElement.getSignature());
- isTrusted = true;
-
- } catch (final ValidationException e) {
- log.info("Failed to verfiy Signature with cert: " + cred.getEntityCertificate().getSubjectDN()
- + " Reason: " + e.getMessage());
-
- }
- }
-
- if (!isTrusted) {
- log.warn("PVP2 metadata: " + metadataUrl + " are NOT trusted!");
- throw new SamlRequestNotSignedException();
-
- }
-
- }
-
-}
-- cgit v1.2.3