refactor PVP Metadata provider functionality

7 files changed, 375 insertions, 26 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
new file mode 100644
index 000000000..e321c9d05
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
@@ -0,0 +1,172 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.builder;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.auth.exception.ServiceException;
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.Constants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SignatureVerificationUtils {
+	  /** shortcut for XMLNS namespace URI */
+	  private static final String XMLNS_NS_URI = Constants.XMLNS_NS_URI;
+	  /** shortcut for MOA namespace URI */
+	  private static final String MOA_NS_URI = Constants.MOA_NS_URI;
+	  /** The DSIG-Prefix */
+	  private static final String DSIG = Constants.DSIG_PREFIX + ":";
+	  
+	  /** The document containing the <code>VerifyXMLsignatureRequest</code> */
+	  private Document requestDoc_;
+	  /** the <code>VerifyXMLsignatureRequest</code> root element */
+	  private Element requestElem_;
+	
+	  
+	  public SignatureVerificationUtils() throws BuildException {
+		  try {
+		        DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();        
+		        requestDoc_ = docBuilder.newDocument();
+		        requestElem_ = requestDoc_.createElementNS(MOA_NS_URI, "VerifyXMLSignatureRequest");
+		        requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns", MOA_NS_URI);
+		        requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns:" + Constants.DSIG_PREFIX, Constants.DSIG_NS_URI);
+		        requestDoc_.appendChild(requestElem_); 
+		        
+		  } catch (Throwable t) {
+		        throw new BuildException(
+		          "builder.00", 
+		          new Object[] {"VerifyXMLSignatureRequest", t.toString()}, 
+		          t);
+		  }
+	  }
+	  
+	  public VerifyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException {		  
+		  try {
+			  //build signature-verification request
+			  Element domVerifyXMLSignatureRequest = build(signature, trustProfileID);
+
+			  //send signature-verification to MOA-SP 
+			  Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
+			  		.verifyXMLSignature(domVerifyXMLSignatureRequest);
+			
+			// parses the <VerifyXMLSignatureResponse>
+			VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
+					domVerifyXMLSignatureResponse).parseData();
+			
+			return verifyXMLSignatureResponse;
+			  
+		  } catch (ParseException e) {
+			  Logger.error("Build signature-verification request FAILED." ,e);
+			  throw e;
+			
+		  } catch (ServiceException e) {
+			  Logger.error("MOA-SP signature verification FAILED." ,e);
+			  throw e;
+			  
+		}
+		 				  
+	  }
+	  
+	/**
+	   * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
+	   * from an IdentityLink with a known trustProfileID which 
+	   * has to exist in MOA-SP
+	   * @param signature - The XML signature as byte[]
+	   * @param trustProfileID - a preconfigured TrustProfile at MOA-SP
+	   * 
+	   * @return Element - The complete request as Dom-Element
+	   * 
+	   * @throws ParseException
+	   */
+	  private Element build(byte[] signature, String trustProfileID)
+	    throws ParseException 
+	  { 
+	    try {
+	      // build the request
+	      Element verifiySignatureInfoElem = 
+	        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo");
+	      requestElem_.appendChild(verifiySignatureInfoElem);
+	      Element verifySignatureEnvironmentElem = 
+	        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment");
+	      verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem);
+	      Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content");
+	      verifySignatureEnvironmentElem.appendChild(base64ContentElem);
+
+	      // insert the base64 encoded signature	      
+	      String base64EncodedAssertion = Base64Utils.encode(signature);
+	      //replace all '\r' characters by no char.
+	      StringBuffer replaced = new StringBuffer();
+	      for (int i = 0; i < base64EncodedAssertion.length(); i ++) {
+	        char c = base64EncodedAssertion.charAt(i);
+	        if (c != '\r') {
+	          replaced.append(c);
+	        }
+	      }
+	      base64EncodedAssertion = replaced.toString();
+	      Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion);
+	      base64ContentElem.appendChild(base64Content);      
+	     
+	      // specify the signature location
+	      Element verifySignatureLocationElem = 
+	        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation");
+	      verifiySignatureInfoElem.appendChild(verifySignatureLocationElem);
+	      Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature");
+	      verifySignatureLocationElem.appendChild(signatureLocation);      
+	      
+	      // signature manifest params
+	      Element signatureManifestCheckParamsElem = 
+	        requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams");
+	      requestElem_.appendChild(signatureManifestCheckParamsElem);
+	      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false");
+
+	      Element returnHashInputDataElem = 
+	        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
+	      requestElem_.appendChild(returnHashInputDataElem);
+
+	      //add trustProfileID
+	      Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID");
+	      trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID));
+	      requestElem_.appendChild(trustProfileIDElem);
+	    } catch (Throwable t) {
+	      throw new ParseException("builder.00", 
+	        new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t);
+	    }
+
+	    return requestElem_;
+	  }
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
index 72a7d3ba1..72a7d3ba1 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
index 7bce406e0..7bce406e0 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index f33cadc41..f4c099878 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -60,7 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
@@ -422,8 +422,8 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{
 		internalProvider = chainProvider;
 	}
 	
-	private MetadataFilterChain buildMetadataFilterChain(OAAuthParameter oaParam, String metadataURL, byte[] certificate) throws CertificateException {
-		MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate);
+	private PVPMetadataFilterChain buildMetadataFilterChain(OAAuthParameter oaParam, String metadataURL, byte[] certificate) throws CertificateException {
+		PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
 		filterChain.getFilters().add(new SchemaValidationFilter());
 		
 		if (oaParam.isInderfederationIDP()) {
@@ -435,7 +435,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{
 		return filterChain;		
 	}
 	
-	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) {
+	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, PVPMetadataFilterChain filter) {
 		HTTPMetadataProvider httpProvider = null;
 		Timer timer= null;
 		MOAHttpClient httpClient = null;
@@ -470,7 +470,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{
 			//httpProvider.setRefreshDelayFactor(0.1F);
 			
 			if (filter == null) {			
-				filter = new MetadataFilterChain(metadataURL, certificate);
+				filter = new PVPMetadataFilterChain(metadataURL, certificate);
 			}
 			httpProvider.setMetadataFilter(filter);
 			httpProvider.initialize();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java
new file mode 100644
index 000000000..4c1da747b
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import java.security.cert.CertificateException;
+
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
+
+/**
+ * @author tlenz
+ *
+ */
+public class PVPMetadataFilterChain extends MetadataFilterChain {
+
+		
+	/**
+	 * @throws CertificateException 
+	 * 
+	 */
+	public PVPMetadataFilterChain(String url, byte[] certificate) throws CertificateException {
+		addDefaultFilters(url, certificate);
+	}
+	
+	public void addDefaultFilters(String url, byte[] certificate) throws CertificateException {
+		addFilter(new MetadataSignatureFilter(url, certificate));
+		
+	}
+
+
+
+
+
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java
index 4e1d939ff..e7412a0fc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java
@@ -20,9 +20,8 @@
  * The "NOTICE" text file is part of the distribution. Any derivative works
  * that you distribute must include a readable copy of the "NOTICE" text file.
  */
-package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+package at.gv.egovernment.moa.id.saml2;
 
-import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -39,25 +38,23 @@ import at.gv.egovernment.moa.logging.Logger;
 public class MetadataFilterChain implements MetadataFilter {
 
 	private List<MetadataFilter> filters = new ArrayList<MetadataFilter>();
-	
+		
 	/**
-	 * @throws CertificateException 
+	 * Return all actually used Metadata filters
 	 * 
+	 * @return List of Metadata filters
 	 */
-	public MetadataFilterChain(String url, byte[] certificate) throws CertificateException {
-		addDefaultFilters(url, certificate);
-	}
-	
-	public void addDefaultFilters(String url, byte[] certificate) throws CertificateException {
-		filters.add(new MetadataSignatureFilter(url, certificate));
-		
+	public List<MetadataFilter> getFilters() {
+		return filters;
 	}
 	
 	/**
-	 * @return the filter
+	 * Add a new Metadata filter to filterchain
+	 * 
+	 * @param filter 
 	 */
-	public List<MetadataFilter> getFilters() {
-		return filters;
+	public void addFilter(MetadataFilter filter) {
+		filters.add(filter);
 	}
 	
 	
@@ -67,16 +64,10 @@ public class MetadataFilterChain implements MetadataFilter {
 	@Override
 	public void doFilter(XMLObject arg0) throws FilterException {
 		for (MetadataFilter filter : filters) {
-			Logger.trace("Use MOAMetadatafilter " + filter.getClass().getName());
+			Logger.trace("Use MOAMetadataFilter " + filter.getClass().getName());
 			filter.doFilter(arg0);
 		}
 
 	}
 
-
-
-
-
-
-	
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
new file mode 100644
index 000000000..c9f3e5bcd
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
+
+	private String trustProfileID = null;
+	
+	/**
+	 * 
+	 */
+	public MOAeIDASMetadataSignatureFilter(String trustProfileID) {
+		this.trustProfileID = trustProfileID;
+		
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+	 */
+	@Override
+	public void doFilter(XMLObject metadata) throws FilterException {
+		if (metadata instanceof EntityDescriptor) {
+			if (((EntityDescriptor) metadata).isSigned()) {				
+				EntityDescriptor entityDes = (EntityDescriptor) metadata;
+				//check signature;
+				try {
+					Transformer transformer = TransformerFactory.newInstance()
+							.newTransformer();	
+					StringWriter sw = new StringWriter();
+					StreamResult sr = new StreamResult(sw);
+					DOMSource source = new DOMSource(metadata.getDOM());
+					transformer.transform(source, sr);
+					sw.close();
+					String metadataXML = sw.toString();
+					
+					SignatureVerificationUtils sigVerify = 
+							new SignatureVerificationUtils();
+					VerifyXMLSignatureResponse result = sigVerify.verify(
+							metadataXML.getBytes(), trustProfileID);
+					
+					//check signature-verification result
+					if (result.getSignatureCheckCode() != 0) {
+						Logger.warn("eIDAS Metadata signature-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getSignatureCheckCode());
+						throw new FilterException("eIDAS Metadata signature-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getSignatureCheckCode());
+						
+					}
+					
+					if (result.getCertificateCheckCode() != 0) {
+						Logger.warn("eIDAS Metadata certificate-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getCertificateCheckCode());
+						throw new FilterException("eIDAS Metadata certificate-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getCertificateCheckCode());
+						
+					}
+					
+				
+				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+					Logger.error("eIDAS Metadata verification has an interal error.", e);
+					throw new FilterException("eIDAS Metadata verification has an interal error."
+							+ " Message:" + e.getMessage());
+					
+				}
+				
+				
+			} else {
+				Logger.warn("eIDAS Metadata root-element MUST be signed.");
+				throw new FilterException("eIDAS Metadata root-element MUST be signed.'");
+				
+			}
+						
+		} else {
+			Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+			throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+			
+		}
+		
+	}
+
+}