authorThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 16:01:44 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 16:01:44 +0200
commit44cb2c6299c247a9836150c68ba45b206c6499aa (patch)
treea73c592add1bd440b7ac130271c979fcc3d36ddf
parent5e78c0a4ecfc75b2e42c079c08cff8247845e293 (diff)
add extended SAML2 metadata validation
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java2
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java125
2 files changed, 91 insertions, 36 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java
index c2a92c9fc..bcac63a5f 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java
@@ -117,7 +117,7 @@ public class OAPVP2Config implements IOnlineApplicationData{
@Override
public List<String> validate(OAGeneralConfig general,
AuthenticatedUser authUser, HttpServletRequest request) {
- return new OAPVP2ConfigValidation().validate(this, request);
+ return new OAPVP2ConfigValidation().validate(this, general.getIdentifier(), request);
}
/* (non-Javadoc)
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 7da3eb0b7..98d500526 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -22,31 +22,67 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.configuration.validation.oa;
+import iaik.x509.X509Certificate;
+
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
+import java.util.Timer;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.httpclient.MOAHttpClient;
import org.apache.log4j.Logger;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
+import at.gv.egovernment.moa.id.configuration.auth.pvp2.MetaDataVerificationFilter;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
public class OAPVP2ConfigValidation {
private static final Logger log = Logger.getLogger(OAPVP2ConfigValidation.class);
- public List<String> validate(OAPVP2Config form, HttpServletRequest request) {
+ public List<String> validate(OAPVP2Config form, String oaID, HttpServletRequest request) {
+
+ Timer timer = null;
+ MOAHttpClient httpClient = null;
+ HTTPMetadataProvider httpProvider = null;
List<String> errors = new ArrayList<String>();
try {
- byte[] metadata = null;
-// byte[] cert = null;
+ byte[] certSerialized = null;
+ if (form.getFileUpload() != null)
+ certSerialized = form.getCertificate();
+ else {
+ OnlineApplication oa = ConfigurationDBRead.getOnlineApplication(oaID);
+ if (oa != null &&
+ oa.getAuthComponentOA() != null &&
+ oa.getAuthComponentOA().getOAPVP2() != null) {
+ certSerialized = oa.getAuthComponentOA().getOAPVP2().getCertificate();
+ }
+ }
+
+ if (certSerialized == null) {
+ log.info("No certificate for metadata validation");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
+ }
+
String check = form.getMetaDataURL();
if (MiscUtil.isNotEmpty(check)) {
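Review bot: The new `validate(OAPVP2Config form, String oaID, HttpServletRequest request)` signature has no Javadoc, and the fallback to the stored certificate in the `ConfigurationDBRead.getOnlineApplication(oaID)` branch is exactly what a caller needs to know: an uploaded certificate always wins, the persisted one is used only when nothing is uploaded. A one-line Javadoc such as `/** Validates the PVP2 settings; uses the certificate stored for {@code oaID} when no new one is uploaded, and verifies the metadata signature against it. */` would cover this. `oaID` is passed to the DB lookup without a null/empty guard; whether that helper tolerates it cannot be seen here, so a `MiscUtil.isNotEmpty(oaID)` check before the lookup would be cheap insurance. The method body continues past this hunk.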
@@ -55,37 +91,48 @@ public class OAPVP2ConfigValidation {
errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request));
} else {
- metadata = FileUtils.readURL(check);
- if (MiscUtil.isEmpty(metadata)) {
- log.info("Filecontent can not be read form MetaDataURL.");
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
+
+ if (certSerialized != null) {
+ X509Certificate cert = new X509Certificate(certSerialized);
+ BasicX509Credential credential = new BasicX509Credential();
+ credential.setEntityCertificate(cert);
+
+ timer = new Timer();
+ httpClient = new MOAHttpClient();
+
+ if (form.getMetaDataURL().startsWith("https:"))
+ try {
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ "MOAMetaDataProvider",
+ ConfigurationProvider.getInstance().getCertStoreDirectory(),
+ ConfigurationProvider.getInstance().getTrustStoreDirectory(),
+ null,
+ ChainingModeType.PKIX,
+ true);
+
+ httpClient.setCustomSSLTrustStore(
+ form.getMetaDataURL(),
+ protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException e) {
+ log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+
+ } catch (ConfigurationException e) {
+ log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
+
+ }
+
+ httpProvider =
+ new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
+ httpProvider.setParserPool(new BasicParserPool());
+ httpProvider.setRequireValidMetadata(true);
+ MetadataFilter filter = new MetaDataVerificationFilter(credential);
+ httpProvider.setMetadataFilter(filter);
+ httpProvider.initialize();
}
}
}
-
- if (form.getFileUpload() != null)
- form.getCertificate();
-
-// else {
-// if (metadata != null) {
-// log.info("No certificate to verify the Metadata defined.");
-// errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound"));
-// }
-// }
-
-// if (cert != null && metadata != null) {
-// HTTPMetadataProvider httpProvider = new HTTPMetadataProvider(
-// check, 20000);
-// httpProvider.setParserPool(new BasicParserPool());
-// httpProvider.setRequireValidMetadata(true);
-// MetadataFilter filter = new MetadataSignatureFilter(
-// check, cert);
-// httpProvider.setMetadataFilter(filter);
-// httpProvider.initialize();
-//
-// }
-
-
+
} catch (CertificateException e) {
log.info("Uploaded Certificate can not be found", e);
errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
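Review bot: The `catch (MOAHttpProtocolSocketFactoryException e)` block drops the exception and silently continues with the default Java trust store, so a broken MOA trust-store configuration downgrades the TLS validation of the metadata endpoint without the cause ever reaching the log; at minimum log it as `log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);`, and consider reporting it as a validation error instead of falling back. The `form.getMetaDataURL().startsWith("https:")` test is case-sensitive and re-reads the URL instead of using the already-fetched `check`, so a scheme written as `HTTPS://` also ends up on the default trust store; `check.regionMatches(true, 0, "https:", 0, 6)` handles both spellings. Note also that when `certSerialized` is null the URL is no longer fetched at all (the old `FileUtils.readURL` reachability check is gone), so an unreachable metadata URL only surfaces once a certificate is present. The enclosing `try` and the `finally` that destroys the provider and cancels the timer lie in the next hunk.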
@@ -94,9 +141,17 @@ public class OAPVP2ConfigValidation {
log.info("Metadata can not be loaded from URL", e);
errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
-// } catch (MetadataProviderException e) {
-// log.info("MetaDate verification failed");
-// errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify"));
+ } catch (MetadataProviderException e) {
+ log.info("MetaDate verification failed");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request));
+
+ } finally {
+ if (httpProvider != null)
+ httpProvider.destroy();
+
+ if (timer != null)
+ timer.cancel();
+
}
return errors;