authorThomas Lenz <tlenz@iaik.tugraz.at>2014-02-03 15:38:24 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-02-03 15:38:24 +0100
commitef35deb727190363d17d693d10f27171787cc92c (patch)
tree92f4a4c6133147716328f93b86239d5dd8fcc629 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork
parent4333fd60c637f2a739e3db17d00f61c68c465a8e (diff)
Solve some merge problems
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java72
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java148
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java263
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java182
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java66
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java187
6 files changed, 0 insertions, 918 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java
deleted file mode 100644
index 80089a423..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
-/**
- *
- */
-package at.gv.egovernment.moa.id.auth.stork;
-
-import org.opensaml.xml.security.credential.Credential;
-
-import eu.stork.vidp.messages.exception.SAMLException;
-
-/**
- * Interface supporting different kinds of Credentials
- *
- * @author bzwattendorfer
- *
- */
-public interface CredentialProvider {
-
- /**
- * Gets appropriate credentials
- * @return Credential object
- * @throws SAMLException
- */
- public Credential getCredential() throws SAMLException;
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java
deleted file mode 100644
index cf167ba84..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java
+++ /dev/null
@@ -1,148 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
-package at.gv.egovernment.moa.id.auth.stork;
-
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-
-import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import at.gv.egovernment.moa.util.KeyStoreUtils;
-import at.gv.egovernment.moa.util.StringUtils;
-import eu.stork.vidp.messages.exception.SAMLException;
-
-/**
- * Provides credentials from a KeyStore
- * @author bzwattendorfer
- *
- */
-public class KeyStoreCredentialProvider implements CredentialProvider {
-
- private final static Logger log = LoggerFactory.getLogger(KeyStoreCredentialProvider.class);
-
- /** KeyStore Path */
- private String keyStorePath;
-
- /** KeyStore Password */
- private String keyStorePassword;
-
- /** Specific Key Name as Credential */
- private String keyName;
-
- /** Key password */
- private String keyPassword;
-
- /**
- * Creates a KeyStoreCredentialProvider object
- * @param keyStorePath KeyStore Path
- * @param keyStorePassword KeyStore Password
- * @param keyName KeyName of the key to be retrieved
- * @param keyPassword Password for the Key
- */
- public KeyStoreCredentialProvider(String keyStorePath,
- String keyStorePassword, String keyName, String keyPassword) {
- super();
- this.keyStorePath = keyStorePath;
- this.keyStorePassword = keyStorePassword;
- this.keyName = keyName;
- this.keyPassword = keyPassword;
- }
-
-
- /**
- * Gets the credential object from the KeyStore
- */
- public Credential getCredential() throws SAMLException {
- log.trace("Retrieving credentials for signing SAML Response.");
-
- if (StringUtils.isEmpty(this.keyStorePath))
- throw new SAMLException("No keyStorePath specified");
-
- //KeyStorePassword optional
- //if (StringUtils.isEmpty(this.keyStorePassword))
- // throw new SAMLException("No keyStorePassword specified");
-
- if (StringUtils.isEmpty(this.keyName))
- throw new SAMLException("No keyName specified");
-
- //KeyStorePassword optional
- //if (StringUtils.isEmpty(this.keyPassword))
- // throw new SAMLException("No keyPassword specified");
-
- KeyStore ks;
- try {
- ks = KeyStoreUtils.loadKeyStore(this.keyStorePath, this.keyStorePassword);
- } catch (Exception e) {
- log.error("Failed to load keystore information", e);
- throw new SAMLException(e);
- }
-
- //return new KeyStoreX509CredentialAdapter(ks, keyName, keyPwd.toCharArray());
- BasicX509Credential credential = null;
- try {
- java.security.cert.X509Certificate certificate = (X509Certificate) ks.getCertificate(this.keyName);
- PrivateKey privateKey = (PrivateKey) ks.getKey(this.keyName, this.keyPassword.toCharArray());
- credential = new BasicX509Credential();
- credential.setEntityCertificate(certificate);
- credential.setPrivateKey(privateKey);
-
- } catch (Exception e) {
- log.error("Error retrieving signing credentials.", e);
- throw new SAMLException(e);
- }
-
- return credential;
-
- }
-
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
deleted file mode 100644
index dcd1a8a1a..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
+++ /dev/null
@@ -1,263 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
-/**
- *
- */
-package at.gv.egovernment.moa.id.auth.stork;
-
-import java.util.List;
-
-import org.joda.time.DateTime;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.SubjectConfirmation;
-import org.opensaml.saml2.core.SubjectConfirmationData;
-import org.opensaml.saml2.metadata.RequestedAttribute;
-
-import at.gv.egovernment.moa.logging.Logger;
-import eu.stork.vidp.messages.saml.STORKAttribute;
-import eu.stork.vidp.messages.util.SAMLUtil;
-
-/**
- * Verifies the SAML assertion according to the STORK specification
- * @author bzwattendorfer
- *
- */
-public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
-
- private static final int CLOCK_SKEW_MINUTES = 5;
-
- private static final boolean IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY = false;
-
- /* (non-Javadoc)
- * @see eu.stork.mw.peps.connector.validation.AssertionVerifier#verifyAssertion(org.opensaml.saml2.core.Assertion, java.lang.String, java.lang.String, java.lang.String)
- */
- public void verify(Assertion assertion, String reqIPAddress,
- String authnRequestID, String recipient, String audience, List<RequestedAttribute> reqAttrList) throws SecurityException {
-
- //SAML assertion need not to be signed, skipping signature validation
-
- verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient);
-
- Logger.debug("SubjectConfirmationData successfully verified");
-
- verifyConditions(assertion, audience);
-
- Logger.debug("Conditions successfully verified");
- }
-
-
- private void verifySubjectConfirmation(Assertion assertion, String reqAddress, String requestID, String recipient) throws SecurityException {
- for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
- verifySubjectConfirmationData(sc.getSubjectConfirmationData(), reqAddress, requestID, recipient);
- }
-
- }
-
- private void verifySubjectConfirmationData(SubjectConfirmationData scData, String reqAddress, String requestID, String recipient) throws SecurityException {
- //NotBefore not allowed in SSO profile
- verifyNotOnOrAfter(scData.getNotOnOrAfter());
-
- Logger.trace("NotOnOrAfter successfully verified");
-
- if(IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY) {
- verifyClientAddress(scData, reqAddress);
- Logger.trace("User's client IP address successfully verified.");
- } else {
- Logger.warn("User's client IP address will not be verified.");
- }
-
- verifyRecipient(scData, recipient);
- Logger.trace("Recipient successfully verified");
-
- verifyInResponseTo(scData, requestID);
- Logger.trace("InResponseTo successfully verified");
-
- }
-
- private void verifyNotBefore(DateTime notBefore) throws SecurityException {
- if (notBefore.minusMinutes(CLOCK_SKEW_MINUTES).isAfterNow()) {
- String msg = "Subject/Assertion not yet valid, Timestamp: ";
- Logger.error(msg + notBefore);
- throw new SecurityException(msg);
- }
-
- Logger.trace("Subject/Assertion already valid, notBefore: " + notBefore);
-
- }
-
- private void verifyNotOnOrAfter(DateTime notOnOrAfter) throws SecurityException {
- if (notOnOrAfter.plusMinutes(CLOCK_SKEW_MINUTES).isBeforeNow()) {
- String msg = "Subject/Assertion no longer valid.";
- Logger.error(msg);
- throw new SecurityException(msg);
- }
-
- Logger.trace("Subject/Assertion still valid, notOnOrAfter: " + notOnOrAfter);
- }
-
- private void verifyClientAddress(SubjectConfirmationData scData, String reqAddress) throws SecurityException {
- if (!reqAddress.equals(scData.getAddress())) {
- String msg = "Response coming from wrong Client-Address";
- Logger.error("Response coming from wrong Client-Address " + reqAddress + ", expected " + scData.getAddress());
- throw new SecurityException(msg);
- }
-
- }
-
- private void verifyInResponseTo(SubjectConfirmationData scData, String requestID) throws SecurityException {
- if (!scData.getInResponseTo().equals(requestID)) {
- String msg = "Assertion issued for wrong request";
- Logger.error(msg);
- throw new SecurityException(msg);
- }
- }
-
- private void verifyRecipient(SubjectConfirmationData scData, String reqRecipient) throws SecurityException {
- if (!scData.getRecipient().equals(reqRecipient)) {
- String msg = "Assertion intended for another recipient";
- Logger.error("Assertion intended for recipient " + scData.getRecipient() + "but expected " + reqRecipient);
- throw new SecurityException(msg);
- }
-
- }
-
- private void verifyAudience(AudienceRestriction audienceRestriction, String reqAudience) throws SecurityException {
- for (Audience audience : audienceRestriction.getAudiences()) {
- if (audience.getAudienceURI().equals(reqAudience))
- return;
- }
- String msg = "Assertion sent to wrong audience";
- Logger.error("Assertion intended for wrong audience, expected " + reqAudience);
- throw new SecurityException(msg);
- }
-
- private void verifyOneTimeUse(String assertionID) {
- //not necessarily required to check since notBefore and notOnOrAfter are verified
- //check response Store for already existing assertion
-
- }
-
- private void verifyConditions(Assertion assertion, String reqAudience) throws SecurityException {
- Conditions conditions = assertion.getConditions();
-
- verifyNotBefore(conditions.getNotBefore());
- Logger.trace("NotBefore successfully verified");
-
- verifyNotOnOrAfter(conditions.getNotOnOrAfter());
- Logger.trace("NotOnOrAfter successfully verified");
-
- verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience);
-
- Logger.trace("Audience successfully verified");
-
- }
-
- public static void validateRequiredAttributes(
- List<RequestedAttribute> reqAttrList,
- List<Attribute> attrList)
- throws STORKException {
-
- Logger.debug("Starting required attribute validation");
-
- if (reqAttrList == null || reqAttrList.isEmpty()) {
- Logger.error("Requested Attributes list is empty.");
- throw new STORKException("No attributes have been requested");
- }
-
- if (attrList == null || attrList.isEmpty()) {
- Logger.error("STORK AttributeStatement is empty.");
- throw new STORKException("No attributes have been received");
- }
-
- Logger.trace("These attributes have been requested and received: ");
- int count = 0;
- for (RequestedAttribute reqAttr : reqAttrList) {
- Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired());
- for(Attribute attr : attrList) {
- if (verifyRequestedAttribute(reqAttr, attr))
- count++;
- }
- }
-
- int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList);
- Logger.trace("Number of requested required attributes: " + numRequiredReqAttr);
- Logger.trace("Number of received required attributes: " + count);
-
- if (count != numRequiredReqAttr) {
- Logger.error("Not all required attributes have been received");
- throw new STORKException("Not all required attributes have been received");
- }
- Logger.debug("Received all required attributes!");
-
- }
-
- private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) {
-
- if ((reqAttr.getName()).equals(attr.getName())) {
- if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) {
- Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr));
- return true;
- }
- }
- return false;
- }
-
- private static int getNumberOfRequiredAttributes(List<RequestedAttribute> reqAttrList) {
- int count = 0;
- for (RequestedAttribute reqAttr : reqAttrList)
- if (reqAttr.isRequired()) count++;
-
- return count;
- }
-
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
deleted file mode 100644
index f9589950f..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
-/**
- *
- */
-package at.gv.egovernment.moa.id.auth.stork;
-
-import org.opensaml.xml.validation.ValidationException;
-import org.w3c.dom.Element;
-
-import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
-import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
-import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.ServiceException;
-import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
-import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.util.XMLUtil;
-import at.gv.egovernment.moa.logging.Logger;
-import eu.stork.mw.messages.saml.STORKResponse;
-import eu.stork.vidp.messages.exception.SAMLValidationException;
-import eu.stork.vidp.messages.util.SAMLUtil;
-
-/**
- * Verifies the SMAL response according to the STORK specification
- * @author bzwattendorfer
- *
- */
-public class PEPSConnectorResponseVerifier implements ResponseVerifier {
-
-
- /* (non-Javadoc)
- * @see eu.stork.mw.peps.connector.validation.ResponseVerifier#verify(org.opensaml.saml2.core.Response)
- */
- public void verify(STORKResponse response) throws SecurityException {
-
- verifySignature(response);
- Logger.debug("Signature of SAML response valid.");
-
- verifyStandardValidation(response);
-
- Logger.debug("SAML response format valid.");
-
- }
-
-
- private void verifySignature(STORKResponse response) throws SecurityException {
- //validate Signature
- try {
- if (response.isSigned()) {
-
- String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID();
-
- Logger.trace("Starting validation of Signature references");
- try {
- SAMLUtil.validateSignatureReferences(response);
- } catch (ValidationException e) {
- Logger.error("Validation of XML Signature refrences failed: " + e.getMessage());
- throw new SecurityException(e);
- }
- Logger.debug("XML Signature references are OK.");
-
- Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID);
-
- // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP
- Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
- .build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID);
-
- Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built");
-
- Logger.trace("Calling MOA-SP");
- // invokes the call
- Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
- .verifyXMLSignature(domVerifyXMLSignatureRequest);
-
- // parses the <VerifyXMLSignatureResponse>
- VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
- domVerifyXMLSignatureResponse).parseData();
-
- Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP");
-
- if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
- String msg = "Signature of SAMLResponse not valid";
- Logger.error(msg);
- throw new SecurityException(msg);
- }
-
- Logger.debug("Signature of SAML response successfully verified");
-
- if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
- String msg = "Certificate of SAMLResponse not valid";
- Logger.error(msg);
- throw new SecurityException(msg);
- }
-
- Logger.debug("Signing certificate of SAML response succesfully verified");
-
- } else {
- String msg = "SAML Response is not signed.";
- throw new SecurityException(msg);
- }
-
- } catch (ConfigurationException e) {
- String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
- Logger.error(msg, e);
- throw new SecurityException(msg, e);
- } catch (ParseException e) {
- String msg = "Unable to parse VerifyXMLSignature Request or Response.";
- Logger.error(msg, e);
- throw new SecurityException(msg, e);
- } catch (BuildException e) {
- String msg = "Unable to parse VerifyXMLSignature Request or Response.";
- Logger.error(msg, e);
- throw new SecurityException(msg, e);
- } catch (ServiceException e) {
- String msg = "Unable to invoke MOA-SP.";
- Logger.error(msg, e);
- throw new SecurityException(msg, e);
- }
-
- }
-
- private void verifyStandardValidation(STORKResponse response) throws SecurityException {
- try {
- SAMLUtil.verifySAMLObjectStandardValidation(response, "saml2-core-schema-and-stork-validator");
- } catch (SAMLValidationException e) {
- String msg ="SAML Response received not valid.";
- throw new SecurityException(msg, e);
- }
-
- }
-
-
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java
deleted file mode 100644
index ea3d4101b..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
-package at.gv.egovernment.moa.id.auth.stork;
-
-import eu.stork.mw.messages.saml.STORKResponse;
-
-/**
- * Interface to be implemented for SAML response verification
- * @author bzwattendorfer
- *
- */
-public interface ResponseVerifier {
-
- /**
- * Verifies a STORK response
- * @param response STORK response
- * @throws SecurityException
- */
- public void verify(STORKResponse response) throws SecurityException;
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java
deleted file mode 100644
index 5dc615b6c..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/**
- *
- */
-package at.gv.egovernment.moa.id.auth.stork;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.common.binding.BasicSAMLMessageContext;
-import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.Endpoint;
-import org.opensaml.ws.transport.http.HTTPOutTransport;
-import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
-import org.opensaml.xml.security.credential.Credential;
-
-import at.gv.egovernment.moa.logging.Logger;
-import eu.stork.mw.messages.saml.STORKAuthnRequest;
-import eu.stork.vidp.messages.builder.STORKMessagesBuilder;
-import eu.stork.vidp.messages.exception.SAMLException;
-import eu.stork.vidp.messages.exception.SAMLValidationException;
-import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel;
-import eu.stork.vidp.messages.stork.RequestedAttributes;
-import eu.stork.vidp.messages.util.SAMLUtil;
-
-/**
- * Class handling all necessary functionality for STORK AuthnRequest processing
- *
- * @author bzwattendorfer
- *
- */
-public class STORKAuthnRequestProcessor {
-
- /**
- * Creates a STORK AuthnRequest
- * @param destination Destination URL
- * @param acsURL Assertion Consumer Service URL
- * @param providerName SP Provider Name
- * @param issuerValue Issuer Name
- * @param qaaLevel STORK QAALevel to be requested
- * @param requestedAttributes Requested Attributes to be requested
- * @param spSector Sp Sector
- * @param spInstitution SP Institution
- * @param spApplication SP Application
- * @param spCountry SP Country
- * @param textToBeSigned text to be included in signedDoc element
- * @param mimeType mimeType for the text to be signed in signedDoc
- * @return STORK AuthnRequest
- */
- public static STORKAuthnRequest generateSTORKAuthnRequest(
- String destination,
- String acsURL,
- String providerName,
- String issuerValue,
- QualityAuthenticationAssuranceLevel qaaLevel,
- RequestedAttributes requestedAttributes,
- String spSector,
- String spInstitution,
- String spApplication,
- String spCountry,
- String textToBeSigned,
- String mimeType) {
-
-
- STORKAuthnRequest storkAuthnRequest =
- STORKMessagesBuilder.buildSTORKAuthnRequest(
- destination,
- acsURL,
- providerName,
- issuerValue,
- qaaLevel,
- requestedAttributes,
- spSector,
- spInstitution,
- spApplication,
- spCountry);
-
- STORKMessagesBuilder.buildAndAddSignatureRequestToAuthnRequest(storkAuthnRequest, textToBeSigned, mimeType, true);
-
- Logger.debug("Added signedDoc attribute to STORK AuthnRequest");
-
- return storkAuthnRequest;
-
- }
-
- /**
- * Signs a STORK AuthnRequest
- * @param storkAuthnRequest STORK AuthRequest to sign
- * @param keyStorePath KeyStorePath to the signing key
- * @param keyStorePassword KeyStore Password
- * @param keyName Signing key name
- * @param keyPassword Signing key password
- * @return Signed STORK AuthnRequest
- * @throws SAMLException
- */
- public static STORKAuthnRequest signSTORKAuthnRequest(
- STORKAuthnRequest storkAuthnRequest,
- String keyStorePath,
- String keyStorePassword,
- String keyName,
- String keyPassword) throws SAMLException {
-
- Logger.trace("Building Credential Provider for signing process");
-
- CredentialProvider credentialProvider = new KeyStoreCredentialProvider(keyStorePath, keyStorePassword, keyName, keyPassword);
-
- Credential credential = credentialProvider.getCredential();
-
- Logger.trace("Credentials found");
-
- SAMLUtil.signSAMLObject(storkAuthnRequest, credential);
-
- return storkAuthnRequest;
- }
-
- /**
- * Validates a STORK AuthnRequest
- * @param storkAuthnRequest STORK AuthnRequest to validate
- * @throws SAMLValidationException
- */
- public static void validateSTORKAuthnRequest(STORKAuthnRequest storkAuthnRequest) throws SAMLValidationException {
-
- SAMLUtil.verifySAMLObjectStandardValidation(storkAuthnRequest, "saml2-core-schema-and-stork-validator");
-
- }
-
- /**
- * Sends a STORK AuthnRequest (Endpoint taken out of AuthnRequest)
- * @param request HttpServletRequest
- * @param response HttpServletResponse
- * @param storkAuthnRequest STORK AuthnRequest to send
- * @throws Exception
- */
- public static void sendSTORKAuthnRequest(HttpServletRequest request, HttpServletResponse response, STORKAuthnRequest storkAuthnRequest) throws Exception {
-
- Logger.trace("Create endpoint...");
- Endpoint endpoint = STORKMessagesBuilder.buildSAMLObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
- endpoint.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
- endpoint.setLocation(storkAuthnRequest.getDestination());
-
-
- Logger.trace("Prepare SAMLMessageContext...");
- HTTPOutTransport outTransport = new HttpServletResponseAdapter(response, request.isSecure());
- BasicSAMLMessageContext<?, STORKAuthnRequest, ?> samlMessageContext = new BasicSAMLMessageContext();
- samlMessageContext.setOutboundMessageTransport(outTransport);
- samlMessageContext.setPeerEntityEndpoint(endpoint);
-
- Logger.trace("Set STORK SAML AuthnRequest to SAMLMessageContext...");
- samlMessageContext.setOutboundSAMLMessage(storkAuthnRequest);
-
- Logger.trace("Initialize VelocityEngine...");
-
- VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
-
-// HTTPPostEncoder encoder = new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm");
- HTTPPostEncoder encoder = new HTTPPostEncoder(velocityEngine, "/saml2-post-binding-moa.vm");
-
- Logger.trace("HTTP-Post encode SAMLMessageContext...");
- encoder.encode(samlMessageContext);
- }
-
-
-
-}