| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-02-03 08:51:45 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-02-03 08:51:45 +0100 | 
| commit | 2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2 (patch) | |
| tree | 28e34446dc263144a09441120b0483e50e8e95b2 /id/server/idserverlib/src/main/java/at | |
| parent | 3573f8ea5a4b269834723da4708bf0bace50fa65 (diff) | |
| parent | e25d9bfa5fb81fd275706fb7cbee21fe5add5b19 (diff) | |
| download | moa-id-spss-2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2.tar.gz moa-id-spss-2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2.tar.bz2 moa-id-spss-2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2.zip | |
Merge branch 'eIDAS_node_implementation' into development_preview
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
2 files changed, 72 insertions, 53 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
index 8f6dff849..99e4b4cce 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
@@ -83,10 +83,19 @@ public class STORKConfig implements IStorkConfig {
         				if (MiscUtil.isNotEmpty(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY))) {
          					try {
 +        						
 +        						//Assertion encryption is enabled by default
 +        						boolean enableAssertionEncryption = true;
 +        						String enableAssertionEncryptionString = storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG);
 +        						if (MiscUtil.isNotEmpty(enableAssertionEncryptionString)) {
 +        							enableAssertionEncryption = Boolean.parseBoolean(enableAssertionEncryptionString);
 +        							
 +        						}
 +        						        						
          						CPEPS moacpep = 
          								new CPEPS(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY), 
          										new URL(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL)), 
 -        											Boolean.valueOf(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG)));
 +        										enableAssertionEncryption);
          						cpepsMap.put(moacpep.getCountryCode(), moacpep);
          					} catch (MalformedURLException e) {
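Review bot: Any non-empty value other than the literal `true` now silently disables what the comment calls assertion encryption, because the `Boolean.parseBoolean(enableAssertionEncryptionString)` call returns false for `yes`, `1`, `True ` with trailing whitespace and every typo, so a misconfigured key fails open without a log entry. If the intent is "enabled unless explicitly switched off", invert the test so only an explicit `false` disables it, `enableAssertionEncryption = !"false".equalsIgnoreCase(enableAssertionEncryptionString.trim());`, and emit a warning when the value is neither `true` nor `false`. Note also that the property read is `GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG` while the local and the comment speak of encryption; whether the third `CPEPS` constructor argument really controls assertion encryption is not visible here, so a comment naming the key and the flipped default (the removed `Boolean.valueOf(null)` yielded false for an absent key) would help the next reader. The enclosing loop and method body start and end outside this hunk.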
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java index b6fed5934..16b179d89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java @@ -27,6 +27,7 @@ import java.io.IOException;  import javax.xml.transform.TransformerException;  import javax.xml.transform.TransformerFactoryConfigurationError; +import org.opensaml.saml2.metadata.EntitiesDescriptor;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.provider.FilterException;  import org.opensaml.saml2.metadata.provider.MetadataFilter; @@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil;  /**   * @author tlenz 
@@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter {  	@Override  	public void doFilter(XMLObject metadata) throws FilterException {  		if (metadata instanceof EntityDescriptor) { -			if (((EntityDescriptor) metadata).isSigned()) {				 -				EntityDescriptor entityDes = (EntityDescriptor) metadata; -				//check signature; -				try { -					byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); -					 -//					Transformer transformer = TransformerFactory.newInstance() -//							.newTransformer();	 -//					StringWriter sw = new StringWriter(); -//					StreamResult sr = new StreamResult(sw); -//					DOMSource source = new DOMSource(metadata.getDOM()); -//					transformer.transform(source, sr); -//					sw.close(); -//					String metadataXML = sw.toString(); -					 -					SignatureVerificationUtils sigVerify =  -							new SignatureVerificationUtils(); -					IVerifiyXMLSignatureResponse result = sigVerify.verify( -							serialized, trustProfileID); -					 -					//check signature-verification result -					if (result.getSignatureCheckCode() != 0) { -						Logger.warn("Metadata signature-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getSignatureCheckCode()); -						throw new FilterException("Metadata signature-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getSignatureCheckCode()); +			checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID()); -					} -					 -					if (result.getCertificateCheckCode() != 0) { -						Logger.warn("Metadata certificate-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getCertificateCheckCode()); -						throw new FilterException("Metadata certificate-verification FAILED!" 
-								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getCertificateCheckCode()); -						 -					} -					 -					Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid"); +		} else if (metadata instanceof EntitiesDescriptor) { +			EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; +			if (entitiesDesc.getEntityDescriptors() != null &&  +					entitiesDesc.getEntityDescriptors().size() > 1) { +				String nameForLogging = entitiesDesc.getName(); +				if (MiscUtil.isEmpty(nameForLogging)) +					nameForLogging = entitiesDesc.getID(); +				 +				checkSignature(metadata, nameForLogging); +				 +			} else { +				Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'"); +				throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor"); +				 +			} +			 +		} else { +			Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); +			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); +			 +		} +		 +	} +	 +	private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException { +		if (((EntityDescriptor) metadata).isSigned()) {				 +			//check signature; +			try { +				byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); +				 +				SignatureVerificationUtils sigVerify =  +						new SignatureVerificationUtils(); +				IVerifiyXMLSignatureResponse result = sigVerify.verify( +						serialized, trustProfileID); -				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { -					Logger.error("Metadata verification for Entity:" + entityDes.getEntityID()  -							+ " has an interal error.", e); -					throw new FilterException("Metadata verification has an interal error." 
-							+ " Message:" + e.getMessage()); +				//check signature-verification result +				if (result.getSignatureCheckCode() != 0) { +					Logger.warn("Metadata signature-verification FAILED!" +							+ " Metadata: " + nameForLogging +							+ " StatusCode:" + result.getSignatureCheckCode());  				} +				if (result.getCertificateCheckCode() != 0) { +					Logger.warn("Metadata certificate-verification FAILED!" +							+ " Metadata: " + nameForLogging +							+ " StatusCode:" + result.getCertificateCheckCode()); +					throw new FilterException("Metadata certificate-verification FAILED!" +							+ " Metadata: " + nameForLogging +							+ " StatusCode:" + result.getCertificateCheckCode()); +					 +				} -			} else { -				Logger.warn("Metadata root-element MUST be signed."); -				throw new FilterException("Metadata root-element MUST be signed.'"); +				Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid"); +			 +			} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { +				Logger.error("Metadata verification for Entity:" + nameForLogging  +						+ " has an interal error.", e); +				throw new FilterException("Metadata verification has an interal error." +						+ " Message:" + e.getMessage());  			} -						 +			 +			  		} else { -			Logger.warn("Metadata root-element is not of type 'EntityDescriptor'"); -			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'"); +			Logger.warn("Metadata root-element MUST be signed."); +			throw new FilterException("Metadata root-element MUST be signed.'");  		} | 
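Review bot: A failed XML signature check no longer rejects the metadata: in the new `checkSignature`, the `result.getSignatureCheckCode() != 0` branch only calls `Logger.warn`, whereas the removed code also threw, and only the certificate-check branch still throws, so metadata whose signature does not verify but whose signing certificate chains to the trust profile is now accepted. Restore the rejection directly after the warn: `throw new FilterException("Metadata signature-verification FAILED!" + " Metadata: " + nameForLogging + " StatusCode:" + result.getSignatureCheckCode());`. Separately, `checkSignature` is now also reached with an `EntitiesDescriptor`, but its first line casts to `EntityDescriptor` (`((EntityDescriptor) metadata).isSigned()`), which on that path would surface as a ClassCastException rather than a FilterException; casting to the common signable supertype (presumably `SignableSAMLObject` in this OpenSAML version — confirm) avoids it. The `EntitiesDescriptor` branch also rejects an aggregate holding exactly one `EntityDescriptor`, and its exception text says "is not of type 'EntitiesDescriptor'" while the adjacent log line says it is; if that rejection is intended, the message should say so consistently. `checkSignature`'s closing brace lies outside the hunk.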
