git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1296 d688527b-c9ab-4aba-bd8d-4036d912da1d

author: zwattenb <zwattenb@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2012-08-14 07:31:28 +0000
committer: zwattenb <zwattenb@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2012-08-14 07:31:28 +0000
commit: a8cc85ab0b641e06e43214ffb700703638469231 (patch)
tree: f67bde304dc3a699d704d640f66ffd655cd1181d
parent: 860fa0a0b1e2928b8b39784bce9785c192bde1d6 (diff)
download: moa-id-spss-a8cc85ab0b641e06e43214ffb700703638469231.tar.gz
moa-id-spss-a8cc85ab0b641e06e43214ffb700703638469231.tar.bz2
moa-id-spss-a8cc85ab0b641e06e43214ffb700703638469231.zip
1 files changed, 103 insertions, 94 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
index 2deeb2aae..637e46200 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
@@ -1,55 +1,55 @@
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
 /**
  * 
  */
 package at.gv.egovernment.moa.id.auth.stork;
 
-
-import org.w3c.dom.Element;
-
-import at.gv.egovernment.moa.id.BuildException;
-import at.gv.egovernment.moa.id.ParseException;
-import at.gv.egovernment.moa.id.ServiceException;
-import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
-import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
-import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
-import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
-import eu.stork.mw.messages.saml.STORKResponse;
-import eu.stork.vidp.messages.exception.SAMLValidationException;
-import eu.stork.vidp.messages.util.SAMLUtil;
-import eu.stork.vidp.messages.util.XMLUtil;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.ServiceException;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+import eu.stork.mw.messages.saml.STORKResponse;
+import eu.stork.vidp.messages.exception.SAMLValidationException;
+import eu.stork.vidp.messages.util.SAMLUtil;
+import eu.stork.vidp.messages.util.XMLUtil;
 
 /**
- * Verifies the SMAL response according to the STORK specification
+ * Verifies the SMAL response according to the STORK specification
  * @author bzwattendorfer
  *
  */
@@ -74,44 +74,53 @@ public class PEPSConnectorResponseVerifier implements ResponseVerifier {
 	private void verifySignature(STORKResponse response) throws SecurityException {
 		//validate Signature
 		try {
-			if (response.isSigned()) {		
-				
-				String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID();
-				
-				Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID);
+			if (response.isSigned()) {		
+				
+				String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID();
+				
+				Logger.trace("Starting validation of Signature references");
+				try {
+					SAMLUtil.validateSignatureReferences(response);
+				} catch (ValidationException e) {
+					Logger.error("Validation of XML Signature refrences failed: " + e.getMessage());
+					throw new SecurityException(e);
+				}
+				Logger.debug("XML Signature references are OK.");
+				
+				Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID);
+				
+				// builds a <VerifyXMLSignatureRequest> for a call of MOA-SP
+				Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
+						.build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID);
+
+				Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built");
 				
-				// builds a <VerifyXMLSignatureRequest> for a call of MOA-SP
-				Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
-						.build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID);
-
-				Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built");
-				
-				Logger.trace("Calling MOA-SP");
-				// invokes the call
-				Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
-						.verifyXMLSignature(domVerifyXMLSignatureRequest);								
-				
-				// parses the <VerifyXMLSignatureResponse>
-				VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
-						domVerifyXMLSignatureResponse).parseData();
-				
-				Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP");
-
-				if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
-					String msg = "Signature of SAMLResponse not valid";
-					Logger.error(msg);					
-					throw new SecurityException(msg);
-				}
-				
-				Logger.debug("Signature of SAML response successfully verified");
-				
-				if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
-					String msg = "Certificate of SAMLResponse not valid";
-					Logger.error(msg);					
-					throw new SecurityException(msg);
-				}
-				
-				Logger.debug("Signing certificate of SAML response succesfully verified");
+				Logger.trace("Calling MOA-SP");
+				// invokes the call
+				Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
+						.verifyXMLSignature(domVerifyXMLSignatureRequest);								
+				
+				// parses the <VerifyXMLSignatureResponse>
+				VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
+						domVerifyXMLSignatureResponse).parseData();
+				
+				Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP");
+
+				if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
+					String msg = "Signature of SAMLResponse not valid";
+					Logger.error(msg);					
+					throw new SecurityException(msg);
+				}
+				
+				Logger.debug("Signature of SAML response successfully verified");
+				
+				if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
+					String msg = "Certificate of SAMLResponse not valid";
+					Logger.error(msg);					
+					throw new SecurityException(msg);
+				}
+				
+				Logger.debug("Signing certificate of SAML response succesfully verified");
 				
 			} else {
 				String msg = "SAML Response is not signed.";
@@ -122,18 +131,18 @@ public class PEPSConnectorResponseVerifier implements ResponseVerifier {
 			String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
 			Logger.error(msg, e);
 			throw new SecurityException(msg, e);
-		} catch (ParseException e) {
-			String msg = "Unable to parse VerifyXMLSignature Request or Response.";
-			Logger.error(msg, e);
-			throw new SecurityException(msg, e);
-		} catch (BuildException e) {
-			String msg = "Unable to parse VerifyXMLSignature Request or Response.";
-			Logger.error(msg, e);
-			throw new SecurityException(msg, e);
-		} catch (ServiceException e) {
-			String msg = "Unable to invoke MOA-SP.";
-			Logger.error(msg, e);
-			throw new SecurityException(msg, e);
+		} catch (ParseException e) {
+			String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
+		} catch (BuildException e) {
+			String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
+		} catch (ServiceException e) {
+			String msg = "Unable to invoke MOA-SP.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
 		} 			
 		
 	}
author	zwattenb <zwattenb@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2012-08-14 07:31:28 +0000
committer	zwattenb <zwattenb@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2012-08-14 07:31:28 +0000
commit	a8cc85ab0b641e06e43214ffb700703638469231 (patch)
tree	f67bde304dc3a699d704d640f66ffd655cd1181d
parent	860fa0a0b1e2928b8b39784bce9785c192bde1d6 (diff)
download	moa-id-spss-a8cc85ab0b641e06e43214ffb700703638469231.tar.gz moa-id-spss-a8cc85ab0b641e06e43214ffb700703638469231.tar.bz2 moa-id-spss-a8cc85ab0b641e06e43214ffb700703638469231.zip