aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-eIDAS
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-06-07 16:34:33 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-06-07 16:34:33 +0200
commit55876723bc59b0b3ea1a68f1a5df9a83d75a9385 (patch)
tree999f1c7fd223715f7ecd5cc211f96bed91e6f8df /id/server/modules/moa-id-module-eIDAS
parenta76ea96898c29947d321036f8eae4e5b5c01caaa (diff)
downloadmoa-id-spss-55876723bc59b0b3ea1a68f1a5df9a83d75a9385.tar.gz
moa-id-spss-55876723bc59b0b3ea1a68f1a5df9a83d75a9385.tar.bz2
moa-id-spss-55876723bc59b0b3ea1a68f1a5df9a83d75a9385.zip
first untested implementation that based on the snapshot version 1.3.0 of eIDAS SAML-engine
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/pom.xml10
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java9
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java8
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java1367
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java602
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java82
10 files changed, 1358 insertions, 734 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index 55d02e82a..58f6584ae 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -12,11 +12,11 @@
<properties>
<repositoryPath>${basedir}/../../../../repository</repositoryPath>
- <eidas-commons.version>1.2.0</eidas-commons.version>
- <eidas-light-commons.version>1.2.0</eidas-light-commons.version>
- <eidas-saml-engine.version>1.2.0</eidas-saml-engine.version>
- <eidas-encryption.version>1.2.0</eidas-encryption.version>
- <eidas-configmodule.version>1.2.0</eidas-configmodule.version>
+ <eidas-commons.version>1.3.0-SNAPSHOT</eidas-commons.version>
+ <eidas-light-commons.version>1.3.0-SNAPSHOT</eidas-light-commons.version>
+ <eidas-saml-engine.version>1.3.0-SNAPSHOT</eidas-saml-engine.version>
+ <eidas-encryption.version>1.3.0-SNAPSHOT</eidas-encryption.version>
+ <eidas-configmodule.version>1.3.0-SNAPSHOT</eidas-configmodule.version>
</properties>
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java
index c872bcfb6..6a48e5030 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java
@@ -98,8 +98,11 @@ public class MOAExtendedSWSigner implements ProtocolSignerI, MetadataSignerI {
private final ImmutableList<X509Credential> trustedCredentials;
private final String signatureAlgorithm;
- public MOAExtendedSWSigner(Map<String, String> properties) throws SamlEngineConfigurationException {
- this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(properties));
+
+ //TODO: check if it is required any more
+
+ public MOAExtendedSWSigner(Map<String, String> properties, String defaultConfigPath) throws SamlEngineConfigurationException {
+ this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(properties, null));
}
@@ -109,7 +112,7 @@ public class MOAExtendedSWSigner implements ProtocolSignerI, MetadataSignerI {
*/
public MOAExtendedSWSigner(CertificateConfigurationManager configManager) throws SamlEngineConfigurationException {
this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(
- ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters()));
+ ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters(), null));
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java
index 5cf5e83ec..3cc9787df 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java
@@ -79,8 +79,8 @@ public class MOASWSigner extends KeyStoreProtocolSigner {
//Set other algorithms which are not supported by openSAML in default
StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256_MGF1, Locale.ENGLISH));
- public MOASWSigner(Map<String, String> properties) throws SamlEngineConfigurationException {
- super(properties);
+ public MOASWSigner(Map<String, String> properties, String defaultConfigPath) throws SamlEngineConfigurationException {
+ super(properties, null);
props = properties;
}
@@ -90,7 +90,7 @@ public class MOASWSigner extends KeyStoreProtocolSigner {
* @throws SamlEngineConfigurationException
*/
public MOASWSigner(CertificateConfigurationManager configManager) throws SamlEngineConfigurationException {
- super(props = ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters());
+ super(props = ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters(), null);
}
@@ -100,7 +100,7 @@ public class MOASWSigner extends KeyStoreProtocolSigner {
if (sigAlgWhiteList == null) {
sigAlgWhiteList = MOAWhiteListConfigurator.getAllowedAlgorithms(DEFAULT_ALGORITHM_WHITE_LIST,
ALLOWED_ALGORITHMS_FOR_VERIFYING,
- (new KeyStoreSignatureConfigurator().getSignatureConfiguration(props)).getSignatureAlgorithmWhiteList());
+ (new KeyStoreSignatureConfigurator().getSignatureConfiguration(props, null)).getSignatureAlgorithmWhiteList());
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
index de4f3fc9c..d5cbb2cfd 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
@@ -33,15 +33,15 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption {
private static ReloadableProperties initActivationConf(Map<String, String> properties) {
String activationConfigurationFile = EncryptionKey.ENCRYPTION_ACTIVATION.getAsString(properties);
Logger.debug("File containing encryption configuration: \"" + activationConfigurationFile + "\"");
- return new ReloadableProperties(activationConfigurationFile);
+ return new ReloadableProperties(activationConfigurationFile, null);
}
/**
* @param properties
* @throws SamlEngineConfigurationException
*/
- public ModifiedEncryptionSW(Map<String, String> properties) throws SamlEngineConfigurationException {
- super(properties);
+ public ModifiedEncryptionSW(Map<String, String> properties, String defaultConfigPath) throws SamlEngineConfigurationException {
+ super(properties, null);
this.properties = ImmutableMap.copyOf(properties);
encryptionActivationProperties = initActivationConf(properties);
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 7155040c6..6f1d75bfe 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -228,9 +228,9 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
//set correct SPType for this online application
if (oaConfig.getBusinessService())
- authnRequestBuilder.spType(SpType.PRIVATE);
+ authnRequestBuilder.spType(SpType.PRIVATE.getValue());
else
- authnRequestBuilder.spType(SpType.PUBLIC);
+ authnRequestBuilder.spType(SpType.PUBLIC.getValue());
//set service provider (eIDAS node) countryCode
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
index 7b159c73d..9683db503 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
@@ -1,686 +1,681 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
-
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.commons.lang.StringUtils;
-import org.joda.time.DateTime;
-import org.joda.time.DurationFieldType;
-import org.opensaml.Configuration;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.common.Extensions;
-import org.opensaml.saml2.common.impl.ExtensionsBuilder;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeValue;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.Company;
-import org.opensaml.saml2.metadata.ContactPerson;
-import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration;
-import org.opensaml.saml2.metadata.EmailAddress;
-import org.opensaml.saml2.metadata.EncryptionMethod;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.GivenName;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml2.metadata.KeyDescriptor;
-import org.opensaml.saml2.metadata.LocalizedString;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.Organization;
-import org.opensaml.saml2.metadata.OrganizationDisplayName;
-import org.opensaml.saml2.metadata.OrganizationName;
-import org.opensaml.saml2.metadata.OrganizationURL;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.SSODescriptor;
-import org.opensaml.saml2.metadata.SingleSignOnService;
-import org.opensaml.saml2.metadata.SurName;
-import org.opensaml.saml2.metadata.TelephoneNumber;
-import org.opensaml.samlext.saml2mdattr.EntityAttributes;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.XMLObjectBuilderFactory;
-import org.opensaml.xml.schema.XSString;
-import org.opensaml.xml.schema.impl.XSStringBuilder;
-import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.security.credential.UsageType;
-import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
-import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
-import org.opensaml.xml.signature.KeyInfo;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableSortedSet;
-import com.google.common.collect.Ordering;
-
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import eu.eidas.auth.commons.EIDASUtil;
-import eu.eidas.auth.commons.EidasStringUtil;
-import eu.eidas.auth.commons.attribute.AttributeDefinition;
-import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat;
-import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper;
-import eu.eidas.auth.engine.ProtocolEngineI;
-import eu.eidas.auth.engine.core.SAMLExtensionFormat;
-import eu.eidas.auth.engine.core.eidas.DigestMethod;
-import eu.eidas.auth.engine.core.eidas.EidasConstants;
-import eu.eidas.auth.engine.core.eidas.SPType;
-import eu.eidas.auth.engine.core.eidas.SigningMethod;
-import eu.eidas.auth.engine.metadata.Contact;
-import eu.eidas.auth.engine.metadata.EntityDescriptorContainer;
-import eu.eidas.auth.engine.metadata.MetadataConfigParams;
-import eu.eidas.auth.engine.metadata.MetadataGenerator;
-import eu.eidas.auth.engine.metadata.MetadataSignerI;
-import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil;
-import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
-import eu.eidas.encryption.exception.UnmarshallException;
-import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
-import eu.eidas.engine.exceptions.SAMLEngineException;
-
-/**
- * @author tlenz
- *
- */
-public class MOAeIDASMetadataGenerator extends MetadataGenerator {
- private static final Logger LOGGER = LoggerFactory.getLogger(MetadataGenerator.class.getName());
-
- MetadataConfigParams params;
-
- XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
-
- SPSSODescriptor spSSODescriptor = null;
-
- IDPSSODescriptor idpSSODescriptor = null;
-
- private String ssoLocation;
-
- /**
- * @return a String representation of the entityDescriptr built based on the attributes previously set
- */
- public String generateMetadata() throws EIDASSAMLEngineException {
- EntityDescriptor entityDescriptor;
- try {
- entityDescriptor = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME)
- .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
-
- entityDescriptor.setEntityID(params.getEntityID());
- entityDescriptor.setOrganization(buildOrganization());
-
- /**FIXME:
- * HOTFIX: do not add empty contactPerson elements
- */
- ContactPerson contactSupport = buildContact(ContactPersonTypeEnumeration.SUPPORT);
- if (contactSupport != null)
- entityDescriptor.getContactPersons().add(contactSupport);
- ContactPerson contactTech = buildContact(ContactPersonTypeEnumeration.TECHNICAL);
- if (contactTech != null)
- entityDescriptor.getContactPersons().add(contactTech);
-
- entityDescriptor.setValidUntil(getExpireDate());
-
- X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
- keyInfoGeneratorFactory.setEmitEntityCertificate(true);
- Extensions e = generateExtensions();
- if (!e.getUnknownXMLObjects().isEmpty()) {
- entityDescriptor.setExtensions(e);
- }
- if (spSSODescriptor != null) {
- generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
- }
- if (idpSSODescriptor != null) {
- generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
- }
- if (params.getSpEngine() != null) {
- ProtocolEngineI spEngine = params.getSpEngine();
- ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor);
- } else if (params.getIdpEngine() != null) {
- ProtocolEngineI idpEngine = params.getIdpEngine();
- ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor);
- }
- return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false));
- } catch (Exception ex) {
- LOGGER.info("ERROR : SAMLException ", ex.getMessage());
- LOGGER.debug("ERROR : SAMLException ", ex);
- throw new IllegalStateException(ex);
- }
- }
-
- private void generateSPSSODescriptor(final EntityDescriptor entityDescriptor,
- final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory)
- throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException,
- SAMLEngineException, EIDASSAMLEngineException {
- //the node has SP role
- spSSODescriptor.setWantAssertionsSigned(params.isWantAssertionsSigned());
- spSSODescriptor.setAuthnRequestsSigned(true);
-
-
- /**FIXME:
- * "SP" + params.getEntityID()) is not a valid XML ID attribute value
- */
- //spSSODescriptor.setID(idpSSODescriptor == null ? params.getEntityID() : ("SP" + params.getEntityID()));
- spSSODescriptor.setID(SAML2Utils.getSecureIdentifier());
-
-
- if (params.getSPSignature() != null) {
- spSSODescriptor.setSignature(params.getSPSignature());
- }
- if (params.getSpSigningCredential() != null) {
- spSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpSigningCredential(), UsageType.SIGNING));
-
- } else if (params.getSigningCredential() != null) {
- spSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING));
- }
-
- if (params.getSpEncryptionCredential() != null) {
- spSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpEncryptionCredential(),
- UsageType.ENCRYPTION));
- } else if (params.getEncryptionCredential() != null) {
- spSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION));
- }
- spSSODescriptor.addSupportedProtocol(params.getSpSamlProtocol());
- if (!StringUtils.isEmpty(params.getAssertionConsumerUrl())) {
- addAssertionConsumerService();
- }
-
- //FIX: Austrian eIDAS node SP only needs persistent identifiers
- NameIDFormat persistentFormat =
- (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
- persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
- spSSODescriptor.getNameIDFormats().add(persistentFormat);
-
- /**FIXME:
- * Double signing of SPSSODescribtor is not required
- */
-// if (params.getSpEngine() != null) {
-// ProtocolEngineI spEngine = params.getSpEngine();
-// ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor);
-// }
-
- entityDescriptor.getRoleDescriptors().add(spSSODescriptor);
-
- }
-
- private void fillIDPNameIDFormat(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException {
- NameIDFormat persistentFormat =
- (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
- persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
- ssoDescriptor.getNameIDFormats().add(persistentFormat);
- NameIDFormat transientFormat =
- (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
- transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat());
- ssoDescriptor.getNameIDFormats().add(transientFormat);
- NameIDFormat unspecifiedFormat =
- (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
- unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat());
- ssoDescriptor.getNameIDFormats().add(unspecifiedFormat);
- }
-
- private void generateIDPSSODescriptor(final EntityDescriptor entityDescriptor,
- final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory)
- throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException,
- SAMLEngineException, EIDASSAMLEngineException {
- //the node has IDP role
- idpSSODescriptor.setWantAuthnRequestsSigned(true);
-
- /**FIXME:
- * "IDP" + params.getEntityID()) is not a valid XML ID attribute value
- */
- //idpSSODescriptor.setID(spSSODescriptor == null ? params.getEntityID() : ("IDP" + params.getEntityID()));
- idpSSODescriptor.setID(SAML2Utils.getSecureIdentifier());
-
- if (params.getIDPSignature() != null) {
- idpSSODescriptor.setSignature(params.getIDPSignature());
- }
- if (params.getIdpSigningCredential() != null) {
- idpSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpSigningCredential(), UsageType.SIGNING));
- } else if (params.getSigningCredential() != null) {
- idpSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING));
- }
- if (params.getIdpEncryptionCredential() != null) {
- idpSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpEncryptionCredential(),
- UsageType.ENCRYPTION));
- } else if (params.getEncryptionCredential() != null) {
- idpSSODescriptor.getKeyDescriptors()
- .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION));
- }
- idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol());
-
- //Austrian eIDAS node IDP can provided persistent, transient, and unspecified identifiers
- fillIDPNameIDFormat(idpSSODescriptor);
-
-
- if (params.getIdpEngine() != null) {
- if (params.getIdpEngine().getProtocolProcessor() != null
- && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) {
-
- /*TODO: Only a work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
- * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
- *
- * INFO: Maybe, this code can be removed in a future version of the eIDAS engine
- */
- generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes());
- }
-
-
- /**FIXME:
- * Double signing of IDPSSODescribtor is not required
- */
-// ProtocolEngineI idpEngine = params.getIdpEngine();
-// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor);
- }
-
- idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations());
-
- entityDescriptor.getRoleDescriptors().add(idpSSODescriptor);
-
- }
-
- /* FIX: Work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
- * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
- */
- public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() {
- ImmutableSortedSet.Builder<AttributeDefinition<?>> builder =
- new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural());
-
- for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) {
- AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr);
- builder.add(supAttr);
- }
-
- return builder.build();
- }
-
- private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations()
- throws NoSuchFieldException, IllegalAccessException {
- ArrayList<SingleSignOnService> singleSignOnServices = new ArrayList<SingleSignOnService>();
-
- HashMap<String, String> bindingLocations = params.getProtocolBindingLocation();
- for (String binding : bindingLocations.keySet()) {
- SingleSignOnService ssos = BuilderFactoryUtil.buildXmlObject(SingleSignOnService.class);
- ssos.setBinding(binding);
- ssos.setLocation(bindingLocations.get(binding));
- singleSignOnServices.add(ssos);
- }
-
- return singleSignOnServices;
- }
-
- /**
- * @param metadata
- * @return an EntityDescriptor parsed from the given String or null
- */
- // TODO (commented by donydgr) Move to a eu.eidas.auth.engine.metadata.MetadataUtil ? Throw an exception if the metadata is invalid instead of returning null ?
- public static EntityDescriptorContainer deserializeEntityDescriptor(String metadata) {
- EntityDescriptorContainer result = new EntityDescriptorContainer();
- try {
- byte[] metaDataBytes = EidasStringUtil.getBytes(metadata);
- XMLObject obj = OpenSamlHelper.unmarshall(metaDataBytes);
- if (obj instanceof EntityDescriptor) {
- result.addEntityDescriptor((EntityDescriptor) obj, metaDataBytes);
- } else if (obj instanceof EntitiesDescriptor) {
- EntitiesDescriptor ed = (EntitiesDescriptor) obj;
- result.setEntitiesDescriptor(ed);
- result.getEntityDescriptors().addAll(((EntitiesDescriptor) obj).getEntityDescriptors());
- result.setSerializedEntitesDescriptor(metaDataBytes);
- }
- } catch (UnmarshallException ue) {
- LOGGER.info("ERROR : unmarshalling error", ue.getMessage());
- LOGGER.debug("ERROR : unmarshalling error", ue);
- }
- return result;
- }
-
- private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory,
- Credential credential,
- UsageType usage)
- throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException {
- KeyDescriptor keyDescriptor = null;
- if (credential != null) {
- keyDescriptor = BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class);
- KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
-
- KeyInfo keyInfo = keyInfoGenerator.generate(credential);
- keyDescriptor.setUse(usage);
- keyDescriptor.setKeyInfo(keyInfo);
- if (usage == UsageType.ENCRYPTION && params.getEncryptionAlgorithms() != null) {
- Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(params.getEncryptionAlgorithms());
- for (String encryptionAlgo : encryptionAlgos) {
- EncryptionMethod em =
- (EncryptionMethod) BuilderFactoryUtil.buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME);
- em.setAlgorithm(encryptionAlgo);
- keyDescriptor.getEncryptionMethods().add(em);
- }
- }
-
- }
- return keyDescriptor;
- }
-
- private Organization buildOrganization() {
- Organization organization = null;
- try {
- organization = BuilderFactoryUtil.buildXmlObject(Organization.class);
-
- /**FIXME:
- * set correct OrganizationName value if it is not fixed in next eIDAS node version
- */
- OrganizationName orgName = BuilderFactoryUtil.buildXmlObject(OrganizationName.class);
- orgName.setName(new LocalizedString(params.getNodeUrl(), "en"));
- organization.getOrganizationNames().add(orgName);
-
- OrganizationDisplayName odn = BuilderFactoryUtil.buildXmlObject(OrganizationDisplayName.class);
- odn.setName(new LocalizedString(params.getCountryName(), "en"));
- organization.getDisplayNames().add(odn);
- OrganizationURL url = BuilderFactoryUtil.buildXmlObject(OrganizationURL.class);
- url.setURL(new LocalizedString(params.getNodeUrl(), "en"));
- organization.getURLs().add(url);
- } catch (IllegalAccessException iae) {
- LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage());
- LOGGER.debug("ERROR : error generating the Organization: {}", iae);
- } catch (NoSuchFieldException nfe) {
- LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage());
- LOGGER.debug("ERROR : error generating the Organization: {}", nfe);
- }
- return organization;
- }
-
- private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) {
- ContactPerson contact = null;
- try {
- Contact currentContact = null;
- if (contactType == ContactPersonTypeEnumeration.SUPPORT) {
- currentContact = params.getSupportContact();
- } else if (contactType == ContactPersonTypeEnumeration.TECHNICAL) {
- currentContact = params.getTechnicalContact();
- } else {
- LOGGER.error("ERROR: unsupported contact type");
- }
- contact = BuilderFactoryUtil.buildXmlObject(ContactPerson.class);
- if (currentContact == null) {
- LOGGER.error("ERROR: cannot retrieve contact from the configuration");
- return null;
- }
-
- EmailAddress emailAddressObj = BuilderFactoryUtil.buildXmlObject(EmailAddress.class);
- Company company = BuilderFactoryUtil.buildXmlObject(Company.class);
- GivenName givenName = BuilderFactoryUtil.buildXmlObject(GivenName.class);
- SurName surName = BuilderFactoryUtil.buildXmlObject(SurName.class);
- TelephoneNumber phoneNumber = BuilderFactoryUtil.buildXmlObject(TelephoneNumber.class);
- contact.setType(contactType);
- emailAddressObj.setAddress(currentContact.getEmail());
- company.setName(currentContact.getCompany());
- givenName.setName(currentContact.getGivenName());
- surName.setName(currentContact.getSurName());
- phoneNumber.setNumber(currentContact.getPhone());
-
- populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber);
-
- } catch (IllegalAccessException iae) {
- LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage());
- LOGGER.debug("ERROR : error generating the Organization: {}", iae);
- } catch (NoSuchFieldException nfe) {
- LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage());
- LOGGER.debug("ERROR : error generating the Organization: {}", nfe);
- }
- return contact;
- }
-
- private void populateContact(ContactPerson contact,
- Contact currentContact,
- EmailAddress emailAddressObj,
- Company company,
- GivenName givenName,
- SurName surName,
- TelephoneNumber phoneNumber) {
- if (!StringUtils.isEmpty(currentContact.getEmail())) {
- contact.getEmailAddresses().add(emailAddressObj);
- }
- if (!StringUtils.isEmpty(currentContact.getCompany())) {
- contact.setCompany(company);
- }
- if (!StringUtils.isEmpty(currentContact.getGivenName())) {
- contact.setGivenName(givenName);
- }
- if (!StringUtils.isEmpty(currentContact.getSurName())) {
- contact.setSurName(surName);
- }
- if (!StringUtils.isEmpty(currentContact.getPhone())) {
- contact.getTelephoneNumbers().add(phoneNumber);
- }
-
- }
-
- /**
- * @param engine a EIDASSamlEngine from which signing and encryption information is extracted
- */
-
- public void initialize(ProtocolEngineI engine) throws EIDASSAMLEngineException {
-
- X509Certificate decryptionCertificate = engine.getDecryptionCertificate();
- if (null != decryptionCertificate) {
- params.setSpEncryptionCredential(CertificateUtil.toCredential(decryptionCertificate));
- }
- params.setSigningCredential(CertificateUtil.toCredential(engine.getSigningCertificate()));
- params.setIdpEngine(engine);
- params.setSpEngine(engine);
- }
-
- /**
- * @param spEngine a EIDASSamlEngine for the
- */
-
- public void initialize(ProtocolEngineI spEngine, ProtocolEngineI idpEngine) throws EIDASSAMLEngineException {
- if (idpEngine != null) {
- idpEngine.getProtocolProcessor().configure();
- params.setIdpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate()));
-
- final X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate();
- if (idpEngineDecryptionCertificate != null) {
- params.setIdpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate));
- }
-
- }
- if (spEngine != null) {
- spEngine.getProtocolProcessor().configure();
- params.setSpSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate()));
-
- final X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate();
- if (spEngineDecryptionCertificate != null) {
- params.setSpEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate));
- }
- }
-
- params.setIdpEngine(idpEngine);
- params.setSpEngine(spEngine);
- }
-
- public void addSPRole() throws EIDASSAMLEngineException {
- try {
- if (spSSODescriptor == null) {
- spSSODescriptor = BuilderFactoryUtil.buildXmlObject(SPSSODescriptor.class);
- }
- } catch (IllegalAccessException iae) {
- throw new EIDASSAMLEngineException(iae);
- } catch (NoSuchFieldException nsfe) {
- throw new EIDASSAMLEngineException(nsfe);
- }
- }
-
- public void addIDPRole() throws EIDASSAMLEngineException {
- try {
- if (idpSSODescriptor == null) {
- idpSSODescriptor = BuilderFactoryUtil.buildXmlObject(IDPSSODescriptor.class);
- }
- } catch (IllegalAccessException iae) {
- throw new EIDASSAMLEngineException(iae);
- } catch (NoSuchFieldException nsfe) {
- throw new EIDASSAMLEngineException(nsfe);
- }
- }
-
- private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
- if (!StringUtils.isEmpty(params.getDigestMethods())) {
- Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(params.getDigestMethods());
- Set<String> digestMethods = new HashSet<String>();
- for (String signatureMethod : signatureMethods) {
-
- //BUGFIX: eIDAS implementation does not allow MGF1 signature schemes
- digestMethods.add(signatureMethod);
- //digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
- }
- for (String digestMethod : digestMethods) {
- final DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
- if (dm != null) {
- dm.setAlgorithm(digestMethod);
- eidasExtensions.getUnknownXMLObjects().add(dm);
- } else {
- LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension");
- }
- }
- }
-
- }
-
- private Extensions generateExtensions() throws EIDASSAMLEngineException {
- /**FIXME: BuilderFactoryUtil.generateExtension() generates extensions from SAML2 request namespace
- * but SAML2 metadata namespace is required
- **/
- //Extensions eidasExtensions = BuilderFactoryUtil.generateExtension();
-
- ExtensionsBuilder extensionsBuilder = new ExtensionsBuilder();
- Extensions eidasExtensions = extensionsBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:metadata", "Extensions", "md");
-
- if (params.getAssuranceLevel() != null) {
- generateLoA(eidasExtensions);
- }
- if (!StringUtils.isEmpty(params.getSpType())) {
- final SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME);
- if (spTypeObj != null) {
- spTypeObj.setSPType(params.getSpType());
- eidasExtensions.getUnknownXMLObjects().add(spTypeObj);
- } else {
- LOGGER.info("BUSINESS EXCEPTION error adding SPType extension");
- }
- }
- generateDigest(eidasExtensions);
-
- if (!StringUtils.isEmpty(params.getSigningMethods())) {
- Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(params.getSigningMethods());
- for (String signMethod : signMethods) {
- final SigningMethod sm =
- (SigningMethod) BuilderFactoryUtil.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
- if (sm != null) {
- sm.setAlgorithm(signMethod);
- eidasExtensions.getUnknownXMLObjects().add(sm);
- } else {
- LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension");
- }
- }
- }
- return eidasExtensions;
- }
-
- private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException {
- EntityAttributes loa =
- (EntityAttributes) BuilderFactoryUtil.buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME);
- Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
- loaAttrib.setName(EidasConstants.LEVEL_OF_ASSURANCE_NAME);
- loaAttrib.setNameFormat(Attribute.URI_REFERENCE);
- XSStringBuilder stringBuilder =
- (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
- XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
- stringValue.setValue(params.getAssuranceLevel());
- loaAttrib.getAttributeValues().add(stringValue);
- loa.getAttributes().add(loaAttrib);
- eidasExtensions.getUnknownXMLObjects().add(loa);
-
- }
-
- private static final Set<String> DEFAULT_BINDING = new HashSet<String>() {{
- this.add(SAMLConstants.SAML2_POST_BINDING_URI);
- }};
-
- private void addAssertionConsumerService() throws EIDASSAMLEngineException {
- int index = 0;
- Set<String> bindings = params.getProtocolBinding().isEmpty() ? DEFAULT_BINDING : params.getProtocolBinding();
- for (String binding : bindings) {
- AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil.buildXmlObject(
- AssertionConsumerService.DEFAULT_ELEMENT_NAME);
- asc.setLocation(params.getAssertionConsumerUrl());
- asc.setBinding(checkBinding(binding));
- asc.setIndex(index);
- if (index == 0) {
- asc.setIsDefault(true);
- }
- index++;
- spSSODescriptor.getAssertionConsumerServices().add(asc);
- }
- }
-
- private String checkBinding(String binding) {
- if (binding != null && (binding.equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) || binding.equals(
- SAMLConstants.SAML2_POST_BINDING_URI))) {
- return binding;
- }
- return SAMLConstants.SAML2_POST_BINDING_URI;
- }
-
- private DateTime getExpireDate() {
- DateTime expiryDate = DateTime.now();
- expiryDate =
- expiryDate.withFieldAdded(DurationFieldType.seconds(), (int) (getConfigParams().getValidityDuration()));
- return expiryDate;
- }
-
- private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor,
- ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions)
- throws EIDASSAMLEngineException {
- List<Attribute> attributes = idpssoDescriptor.getAttributes();
- for (AttributeDefinition<?> attributeDefinition : attributeDefinitions) {
- Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
- a.setName(attributeDefinition.getNameUri().toASCIIString());
- a.setFriendlyName(attributeDefinition.getFriendlyName());
- a.setNameFormat(Attribute.URI_REFERENCE);
- attributes.add(a);
- }
- }
-
- public MetadataConfigParams getConfigParams() {
- return params;
- }
-
- public void setConfigParams(MetadataConfigParams params) {
- this.params = params;
- }
-
-}
+///*
+// * Copyright 2014 Federal Chancellery Austria
+// * MOA-ID has been developed in a cooperation between BRZ, the Federal
+// * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+// *
+// * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+// * the European Commission - subsequent versions of the EUPL (the "Licence");
+// * You may not use this work except in compliance with the Licence.
+// * You may obtain a copy of the Licence at:
+// * http://www.osor.eu/eupl/
+// *
+// * Unless required by applicable law or agreed to in writing, software
+// * distributed under the Licence is distributed on an "AS IS" basis,
+// * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// * See the Licence for the specific language governing permissions and
+// * limitations under the Licence.
+// *
+// * This product combines work with different licenses. See the "NOTICE" text
+// * file for details on the various modules and licenses.
+// * The "NOTICE" text file is part of the distribution. Any derivative works
+// * that you distribute must include a readable copy of the "NOTICE" text file.
+// */
+//package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+//
+//import java.security.cert.X509Certificate;
+//import java.util.ArrayList;
+//import java.util.HashMap;
+//import java.util.HashSet;
+//import java.util.List;
+//import java.util.Set;
+//
+//import org.apache.commons.lang.StringUtils;
+//import org.joda.time.DateTime;
+//import org.joda.time.DurationFieldType;
+//import org.opensaml.Configuration;
+//import org.opensaml.common.xml.SAMLConstants;
+//import org.opensaml.saml2.common.Extensions;
+//import org.opensaml.saml2.common.impl.ExtensionsBuilder;
+//import org.opensaml.saml2.core.Attribute;
+//import org.opensaml.saml2.core.AttributeValue;
+//import org.opensaml.saml2.metadata.AssertionConsumerService;
+//import org.opensaml.saml2.metadata.Company;
+//import org.opensaml.saml2.metadata.ContactPerson;
+//import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration;
+//import org.opensaml.saml2.metadata.EmailAddress;
+//import org.opensaml.saml2.metadata.EncryptionMethod;
+//import org.opensaml.saml2.metadata.EntitiesDescriptor;
+//import org.opensaml.saml2.metadata.EntityDescriptor;
+//import org.opensaml.saml2.metadata.GivenName;
+//import org.opensaml.saml2.metadata.IDPSSODescriptor;
+//import org.opensaml.saml2.metadata.KeyDescriptor;
+//import org.opensaml.saml2.metadata.LocalizedString;
+//import org.opensaml.saml2.metadata.NameIDFormat;
+//import org.opensaml.saml2.metadata.Organization;
+//import org.opensaml.saml2.metadata.OrganizationDisplayName;
+//import org.opensaml.saml2.metadata.OrganizationName;
+//import org.opensaml.saml2.metadata.OrganizationURL;
+//import org.opensaml.saml2.metadata.SPSSODescriptor;
+//import org.opensaml.saml2.metadata.SSODescriptor;
+//import org.opensaml.saml2.metadata.SingleSignOnService;
+//import org.opensaml.saml2.metadata.SurName;
+//import org.opensaml.saml2.metadata.TelephoneNumber;
+//import org.opensaml.samlext.saml2mdattr.EntityAttributes;
+//import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.XMLObjectBuilderFactory;
+//import org.opensaml.xml.schema.XSString;
+//import org.opensaml.xml.schema.impl.XSStringBuilder;
+//import org.opensaml.xml.security.SecurityException;
+//import org.opensaml.xml.security.credential.Credential;
+//import org.opensaml.xml.security.credential.UsageType;
+//import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+//import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+//import org.opensaml.xml.signature.KeyInfo;
+//import org.slf4j.Logger;
+//import org.slf4j.LoggerFactory;
+//
+//import com.google.common.collect.ImmutableSortedSet;
+//import com.google.common.collect.Ordering;
+//
+//import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.Contact;
+//import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+//import eu.eidas.auth.commons.EIDASUtil;
+//import eu.eidas.auth.commons.EidasStringUtil;
+//import eu.eidas.auth.commons.attribute.AttributeDefinition;
+//import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat;
+//import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper;
+//import eu.eidas.auth.engine.ProtocolEngineI;
+//import eu.eidas.auth.engine.core.SAMLExtensionFormat;
+//import eu.eidas.auth.engine.core.eidas.DigestMethod;
+//import eu.eidas.auth.engine.core.eidas.EidasConstants;
+//import eu.eidas.auth.engine.core.eidas.SPType;
+//import eu.eidas.auth.engine.core.eidas.SigningMethod;
+//import eu.eidas.auth.engine.metadata.EntityDescriptorContainer;
+//import eu.eidas.auth.engine.metadata.MetadataConfigParams;
+//import eu.eidas.auth.engine.metadata.MetadataGenerator;
+//import eu.eidas.auth.engine.metadata.MetadataSignerI;
+//import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil;
+//import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
+//import eu.eidas.encryption.exception.UnmarshallException;
+//import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
+//import eu.eidas.engine.exceptions.SAMLEngineException;
+//
+///**
+// * @author tlenz
+// *
+// */
+//public class MOAeIDASMetadataGenerator extends MetadataGenerator {
+// private static final Logger LOGGER = LoggerFactory.getLogger(MetadataGenerator.class.getName());
+//
+// MetadataConfigParams params;
+//
+// XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+//
+// SPSSODescriptor spSSODescriptor = null;
+//
+// IDPSSODescriptor idpSSODescriptor = null;
+//
+// private String ssoLocation;
+//
+// /**
+// * @return a String representation of the entityDescriptr built based on the attributes previously set
+// */
+// public String generateMetadata() throws EIDASSAMLEngineException {
+// EntityDescriptor entityDescriptor;
+// try {
+// entityDescriptor = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME)
+// .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
+//
+// entityDescriptor.setEntityID(params.getEntityID());
+// entityDescriptor.setOrganization(buildOrganization());
+//
+// /**FIXME:
+// * HOTFIX: do not add empty contactPerson elements
+// */
+// ContactPerson contactSupport = buildContact(ContactPersonTypeEnumeration.SUPPORT);
+// if (contactSupport != null)
+// entityDescriptor.getContactPersons().add(contactSupport);
+// ContactPerson contactTech = buildContact(ContactPersonTypeEnumeration.TECHNICAL);
+// if (contactTech != null)
+// entityDescriptor.getContactPersons().add(contactTech);
+//
+// entityDescriptor.setValidUntil(getExpireDate());
+//
+// X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
+// keyInfoGeneratorFactory.setEmitEntityCertificate(true);
+// Extensions e = generateExtensions();
+// if (!e.getUnknownXMLObjects().isEmpty()) {
+// entityDescriptor.setExtensions(e);
+// }
+// if (spSSODescriptor != null) {
+// generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
+// }
+// if (idpSSODescriptor != null) {
+// generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
+// }
+// if (params.getSpEngine() != null) {
+// ProtocolEngineI spEngine = params.getSpEngine();
+// ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor);
+// } else if (params.getIdpEngine() != null) {
+// ProtocolEngineI idpEngine = params.getIdpEngine();
+// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor);
+// }
+// return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false));
+// } catch (Exception ex) {
+// LOGGER.info("ERROR : SAMLException ", ex.getMessage());
+// LOGGER.debug("ERROR : SAMLException ", ex);
+// throw new IllegalStateException(ex);
+// }
+// }
+//
+// private void generateSPSSODescriptor(final EntityDescriptor entityDescriptor,
+// final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory)
+// throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException,
+// SAMLEngineException, EIDASSAMLEngineException {
+// //the node has SP role
+// spSSODescriptor.setWantAssertionsSigned(params.isWantAssertionsSigned());
+// spSSODescriptor.setAuthnRequestsSigned(true);
+//
+//
+// /**FIXME:
+// * "SP" + params.getEntityID()) is not a valid XML ID attribute value
+// */
+// //spSSODescriptor.setID(idpSSODescriptor == null ? params.getEntityID() : ("SP" + params.getEntityID()));
+// spSSODescriptor.setID(SAML2Utils.getSecureIdentifier());
+//
+//
+// if (params.getSPSignature() != null) {
+// spSSODescriptor.setSignature(params.getSPSignature());
+// }
+// if (params.getSpSigningCredential() != null) {
+// spSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpSigningCredential(), UsageType.SIGNING));
+//
+// } else if (params.getSigningCredential() != null) {
+// spSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING));
+// }
+//
+// if (params.getSpEncryptionCredential() != null) {
+// spSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpEncryptionCredential(),
+// UsageType.ENCRYPTION));
+// } else if (params.getEncryptionCredential() != null) {
+// spSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION));
+// }
+// spSSODescriptor.addSupportedProtocol(params.getSpSamlProtocol());
+// if (!StringUtils.isEmpty(params.getAssertionConsumerUrl())) {
+// addAssertionConsumerService();
+// }
+//
+// //FIX: Austrian eIDAS node SP only needs persistent identifiers
+// NameIDFormat persistentFormat =
+// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+// persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
+// spSSODescriptor.getNameIDFormats().add(persistentFormat);
+//
+// /**FIXME:
+// * Double signing of SPSSODescribtor is not required
+// */
+//// if (params.getSpEngine() != null) {
+//// ProtocolEngineI spEngine = params.getSpEngine();
+//// ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor);
+//// }
+//
+// entityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+//
+// }
+//
+// private void fillIDPNameIDFormat(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException {
+// NameIDFormat persistentFormat =
+// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+// persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
+// ssoDescriptor.getNameIDFormats().add(persistentFormat);
+// NameIDFormat transientFormat =
+// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+// transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat());
+// ssoDescriptor.getNameIDFormats().add(transientFormat);
+// NameIDFormat unspecifiedFormat =
+// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+// unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat());
+// ssoDescriptor.getNameIDFormats().add(unspecifiedFormat);
+// }
+//
+// private void generateIDPSSODescriptor(final EntityDescriptor entityDescriptor,
+// final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory)
+// throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException,
+// SAMLEngineException, EIDASSAMLEngineException {
+// //the node has IDP role
+// idpSSODescriptor.setWantAuthnRequestsSigned(true);
+//
+// /**FIXME:
+// * "IDP" + params.getEntityID()) is not a valid XML ID attribute value
+// */
+// //idpSSODescriptor.setID(spSSODescriptor == null ? params.getEntityID() : ("IDP" + params.getEntityID()));
+// idpSSODescriptor.setID(SAML2Utils.getSecureIdentifier());
+//
+// if (params.getIDPSignature() != null) {
+// idpSSODescriptor.setSignature(params.getIDPSignature());
+// }
+// if (params.getIdpSigningCredential() != null) {
+// idpSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpSigningCredential(), UsageType.SIGNING));
+// } else if (params.getSigningCredential() != null) {
+// idpSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING));
+// }
+// if (params.getIdpEncryptionCredential() != null) {
+// idpSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpEncryptionCredential(),
+// UsageType.ENCRYPTION));
+// } else if (params.getEncryptionCredential() != null) {
+// idpSSODescriptor.getKeyDescriptors()
+// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION));
+// }
+// idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol());
+//
+// //Austrian eIDAS node IDP can provided persistent, transient, and unspecified identifiers
+// fillIDPNameIDFormat(idpSSODescriptor);
+//
+//
+// if (params.getIdpEngine() != null) {
+// if (params.getIdpEngine().getProtocolProcessor() != null
+// && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) {
+//
+// generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes());
+// }
+//
+//
+// /**FIXME:
+// * Double signing of IDPSSODescribtor is not required
+// */
+//// ProtocolEngineI idpEngine = params.getIdpEngine();
+//// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor);
+// }
+//
+// idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations());
+//
+// entityDescriptor.getRoleDescriptors().add(idpSSODescriptor);
+//
+// }
+//
+// /* FIX: Work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
+// * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
+// */
+// public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() {
+// ImmutableSortedSet.Builder<AttributeDefinition<?>> builder =
+// new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural());
+//
+// for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) {
+// AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr);
+// builder.add(supAttr);
+// }
+//
+// return builder.build();
+// }
+//
+// private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations()
+// throws NoSuchFieldException, IllegalAccessException {
+// ArrayList<SingleSignOnService> singleSignOnServices = new ArrayList<SingleSignOnService>();
+//
+// HashMap<String, String> bindingLocations = params.getProtocolBindingLocation();
+// for (String binding : bindingLocations.keySet()) {
+// SingleSignOnService ssos = BuilderFactoryUtil.buildXmlObject(SingleSignOnService.class);
+// ssos.setBinding(binding);
+// ssos.setLocation(bindingLocations.get(binding));
+// singleSignOnServices.add(ssos);
+// }
+//
+// return singleSignOnServices;
+// }
+//
+// /**
+// * @param metadata
+// * @return an EntityDescriptor parsed from the given String or null
+// */
+// // TODO (commented by donydgr) Move to a eu.eidas.auth.engine.metadata.MetadataUtil ? Throw an exception if the metadata is invalid instead of returning null ?
+// public static EntityDescriptorContainer deserializeEntityDescriptor(String metadata) {
+// EntityDescriptorContainer result = new EntityDescriptorContainer();
+// try {
+// byte[] metaDataBytes = EidasStringUtil.getBytes(metadata);
+// XMLObject obj = OpenSamlHelper.unmarshall(metaDataBytes);
+// if (obj instanceof EntityDescriptor) {
+// result.addEntityDescriptor((EntityDescriptor) obj, metaDataBytes);
+// } else if (obj instanceof EntitiesDescriptor) {
+// EntitiesDescriptor ed = (EntitiesDescriptor) obj;
+// result.setEntitiesDescriptor(ed);
+// result.getEntityDescriptors().addAll(((EntitiesDescriptor) obj).getEntityDescriptors());
+// result.setSerializedEntitesDescriptor(metaDataBytes);
+// }
+// } catch (UnmarshallException ue) {
+// LOGGER.info("ERROR : unmarshalling error", ue.getMessage());
+// LOGGER.debug("ERROR : unmarshalling error", ue);
+// }
+// return result;
+// }
+//
+// private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory,
+// Credential credential,
+// UsageType usage)
+// throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException {
+// KeyDescriptor keyDescriptor = null;
+// if (credential != null) {
+// keyDescriptor = BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class);
+// KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
+//
+// KeyInfo keyInfo = keyInfoGenerator.generate(credential);
+// keyDescriptor.setUse(usage);
+// keyDescriptor.setKeyInfo(keyInfo);
+// if (usage == UsageType.ENCRYPTION && params.getEncryptionAlgorithms() != null) {
+// Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(params.getEncryptionAlgorithms());
+// for (String encryptionAlgo : encryptionAlgos) {
+// EncryptionMethod em =
+// (EncryptionMethod) BuilderFactoryUtil.buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME);
+// em.setAlgorithm(encryptionAlgo);
+// keyDescriptor.getEncryptionMethods().add(em);
+// }
+// }
+//
+// }
+// return keyDescriptor;
+// }
+//
+// private Organization buildOrganization() {
+// Organization organization = null;
+// try {
+// organization = BuilderFactoryUtil.buildXmlObject(Organization.class);
+//
+// /**FIXME:
+// * set correct OrganizationName value if it is not fixed in next eIDAS node version
+// */
+// OrganizationName orgName = BuilderFactoryUtil.buildXmlObject(OrganizationName.class);
+// orgName.setName(new LocalizedString(params.getNodeUrl(), "en"));
+// organization.getOrganizationNames().add(orgName);
+//
+// OrganizationDisplayName odn = BuilderFactoryUtil.buildXmlObject(OrganizationDisplayName.class);
+// odn.setName(new LocalizedString(params.getCountryName(), "en"));
+// organization.getDisplayNames().add(odn);
+// OrganizationURL url = BuilderFactoryUtil.buildXmlObject(OrganizationURL.class);
+// url.setURL(new LocalizedString(params.getNodeUrl(), "en"));
+// organization.getURLs().add(url);
+// } catch (IllegalAccessException iae) {
+// LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage());
+// LOGGER.debug("ERROR : error generating the Organization: {}", iae);
+// } catch (NoSuchFieldException nfe) {
+// LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage());
+// LOGGER.debug("ERROR : error generating the Organization: {}", nfe);
+// }
+// return organization;
+// }
+//
+// private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) {
+// ContactPerson contact = null;
+// try {
+// Contact currentContact = null;
+// if (contactType == ContactPersonTypeEnumeration.SUPPORT) {
+// currentContact = params.getSupportContact();
+// } else if (contactType == ContactPersonTypeEnumeration.TECHNICAL) {
+// currentContact = params.getTechnicalContact();
+// } else {
+// LOGGER.error("ERROR: unsupported contact type");
+// }
+// contact = BuilderFactoryUtil.buildXmlObject(ContactPerson.class);
+// if (currentContact == null) {
+// LOGGER.error("ERROR: cannot retrieve contact from the configuration");
+// return null;
+// }
+//
+// EmailAddress emailAddressObj = BuilderFactoryUtil.buildXmlObject(EmailAddress.class);
+// Company company = BuilderFactoryUtil.buildXmlObject(Company.class);
+// GivenName givenName = BuilderFactoryUtil.buildXmlObject(GivenName.class);
+// SurName surName = BuilderFactoryUtil.buildXmlObject(SurName.class);
+// TelephoneNumber phoneNumber = BuilderFactoryUtil.buildXmlObject(TelephoneNumber.class);
+// contact.setType(contactType);
+// emailAddressObj.setAddress(currentContact.getEmail());
+// company.setName(currentContact.getCompany());
+// givenName.setName(currentContact.getGivenName());
+// surName.setName(currentContact.getSurName());
+// phoneNumber.setNumber(currentContact.getPhone());
+//
+// populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber);
+//
+// } catch (IllegalAccessException iae) {
+// LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage());
+// LOGGER.debug("ERROR : error generating the Organization: {}", iae);
+// } catch (NoSuchFieldException nfe) {
+// LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage());
+// LOGGER.debug("ERROR : error generating the Organization: {}", nfe);
+// }
+// return contact;
+// }
+//
+// private void populateContact(ContactPerson contact,
+// Contact currentContact,
+// EmailAddress emailAddressObj,
+// Company company,
+// GivenName givenName,
+// SurName surName,
+// TelephoneNumber phoneNumber) {
+// if (!StringUtils.isEmpty(currentContact.getEmail())) {
+// contact.getEmailAddresses().add(emailAddressObj);
+// }
+// if (!StringUtils.isEmpty(currentContact.getCompany())) {
+// contact.setCompany(company);
+// }
+// if (!StringUtils.isEmpty(currentContact.getGivenName())) {
+// contact.setGivenName(givenName);
+// }
+// if (!StringUtils.isEmpty(currentContact.getSurName())) {
+// contact.setSurName(surName);
+// }
+// if (!StringUtils.isEmpty(currentContact.getPhone())) {
+// contact.getTelephoneNumbers().add(phoneNumber);
+// }
+//
+// }
+//
+// /**
+// * @param engine a EIDASSamlEngine from which signing and encryption information is extracted
+// */
+//
+// public void initialize(ProtocolEngineI engine) throws EIDASSAMLEngineException {
+//
+// X509Certificate decryptionCertificate = engine.getDecryptionCertificate();
+// if (null != decryptionCertificate) {
+// params.setSpEncryptionCredential(CertificateUtil.toCredential(decryptionCertificate));
+// }
+// params.setSigningCredential(CertificateUtil.toCredential(engine.getSigningCertificate()));
+// params.setIdpEngine(engine);
+// params.setSpEngine(engine);
+// }
+//
+// /**
+// * @param spEngine a EIDASSamlEngine for the
+// */
+//
+// public void initialize(ProtocolEngineI spEngine, ProtocolEngineI idpEngine) throws EIDASSAMLEngineException {
+// if (idpEngine != null) {
+// idpEngine.getProtocolProcessor().configure();
+// params.setIdpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate()));
+//
+// final X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate();
+// if (idpEngineDecryptionCertificate != null) {
+// params.setIdpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate));
+// }
+//
+// }
+// if (spEngine != null) {
+// spEngine.getProtocolProcessor().configure();
+// params.setSpSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate()));
+//
+// final X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate();
+// if (spEngineDecryptionCertificate != null) {
+// params.setSpEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate));
+// }
+// }
+//
+// params.setIdpEngine(idpEngine);
+// params.setSpEngine(spEngine);
+// }
+//
+// public void addSPRole() throws EIDASSAMLEngineException {
+// try {
+// if (spSSODescriptor == null) {
+// spSSODescriptor = BuilderFactoryUtil.buildXmlObject(SPSSODescriptor.class);
+// }
+// } catch (IllegalAccessException iae) {
+// throw new EIDASSAMLEngineException(iae);
+// } catch (NoSuchFieldException nsfe) {
+// throw new EIDASSAMLEngineException(nsfe);
+// }
+// }
+//
+// public void addIDPRole() throws EIDASSAMLEngineException {
+// try {
+// if (idpSSODescriptor == null) {
+// idpSSODescriptor = BuilderFactoryUtil.buildXmlObject(IDPSSODescriptor.class);
+// }
+// } catch (IllegalAccessException iae) {
+// throw new EIDASSAMLEngineException(iae);
+// } catch (NoSuchFieldException nsfe) {
+// throw new EIDASSAMLEngineException(nsfe);
+// }
+// }
+//
+// private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
+// if (!StringUtils.isEmpty(params.getDigestMethods())) {
+// Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(params.getDigestMethods());
+// Set<String> digestMethods = new HashSet<String>();
+// for (String signatureMethod : signatureMethods) {
+//
+// //BUGFIX: eIDAS implementation does not allow MGF1 signature schemes
+// digestMethods.add(signatureMethod);
+// //digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
+// }
+// for (String digestMethod : digestMethods) {
+// final DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
+// if (dm != null) {
+// dm.setAlgorithm(digestMethod);
+// eidasExtensions.getUnknownXMLObjects().add(dm);
+// } else {
+// LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension");
+// }
+// }
+// }
+//
+// }
+//
+// private Extensions generateExtensions() throws EIDASSAMLEngineException {
+// /**FIXME: BuilderFactoryUtil.generateExtension() generates extensions from SAML2 request namespace
+// * but SAML2 metadata namespace is required
+// **/
+// //Extensions eidasExtensions = BuilderFactoryUtil.generateExtension();
+//
+// ExtensionsBuilder extensionsBuilder = new ExtensionsBuilder();
+// Extensions eidasExtensions = extensionsBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:metadata", "Extensions", "md");
+//
+// if (params.getAssuranceLevel() != null) {
+// generateLoA(eidasExtensions);
+// }
+// if (!StringUtils.isEmpty(params.getSpType())) {
+// final SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME);
+// if (spTypeObj != null) {
+// spTypeObj.setSPType(params.getSpType());
+// eidasExtensions.getUnknownXMLObjects().add(spTypeObj);
+// } else {
+// LOGGER.info("BUSINESS EXCEPTION error adding SPType extension");
+// }
+// }
+// generateDigest(eidasExtensions);
+//
+// if (!StringUtils.isEmpty(params.getSigningMethods())) {
+// Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(params.getSigningMethods());
+// for (String signMethod : signMethods) {
+// final SigningMethod sm =
+// (SigningMethod) BuilderFactoryUtil.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
+// if (sm != null) {
+// sm.setAlgorithm(signMethod);
+// eidasExtensions.getUnknownXMLObjects().add(sm);
+// } else {
+// LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension");
+// }
+// }
+// }
+// return eidasExtensions;
+// }
+//
+// private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException {
+// EntityAttributes loa =
+// (EntityAttributes) BuilderFactoryUtil.buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME);
+// Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
+// loaAttrib.setName(EidasConstants.LEVEL_OF_ASSURANCE_NAME);
+// loaAttrib.setNameFormat(Attribute.URI_REFERENCE);
+// XSStringBuilder stringBuilder =
+// (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
+// XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+// stringValue.setValue(params.getAssuranceLevel());
+// loaAttrib.getAttributeValues().add(stringValue);
+// loa.getAttributes().add(loaAttrib);
+// eidasExtensions.getUnknownXMLObjects().add(loa);
+//
+// }
+//
+// private static final Set<String> DEFAULT_BINDING = new HashSet<String>() {{
+// this.add(SAMLConstants.SAML2_POST_BINDING_URI);
+// }};
+//
+// private void addAssertionConsumerService() throws EIDASSAMLEngineException {
+// int index = 0;
+// Set<String> bindings = params.getProtocolBinding().isEmpty() ? DEFAULT_BINDING : params.getProtocolBinding();
+// for (String binding : bindings) {
+// AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil.buildXmlObject(
+// AssertionConsumerService.DEFAULT_ELEMENT_NAME);
+// asc.setLocation(params.getAssertionConsumerUrl());
+// asc.setBinding(checkBinding(binding));
+// asc.setIndex(index);
+// if (index == 0) {
+// asc.setIsDefault(true);
+// }
+// index++;
+// spSSODescriptor.getAssertionConsumerServices().add(asc);
+// }
+// }
+//
+// private String checkBinding(String binding) {
+// if (binding != null && (binding.equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) || binding.equals(
+// SAMLConstants.SAML2_POST_BINDING_URI))) {
+// return binding;
+// }
+// return SAMLConstants.SAML2_POST_BINDING_URI;
+// }
+//
+// private DateTime getExpireDate() {
+// DateTime expiryDate = DateTime.now();
+// expiryDate =
+// expiryDate.withFieldAdded(DurationFieldType.seconds(), (int) (getConfigParams().getValidityDuration()));
+// return expiryDate;
+// }
+//
+// private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor,
+// ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions)
+// throws EIDASSAMLEngineException {
+// List<Attribute> attributes = idpssoDescriptor.getAttributes();
+// for (AttributeDefinition<?> attributeDefinition : attributeDefinitions) {
+// Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
+// a.setName(attributeDefinition.getNameUri().toASCIIString());
+// a.setFriendlyName(attributeDefinition.getFriendlyName());
+// a.setNameFormat(Attribute.URI_REFERENCE);
+// attributes.add(a);
+// }
+// }
+//
+// public MetadataConfigParams getConfigParams() {
+// return params;
+// }
+//
+// public void setConfigParams(MetadataConfigParams params) {
+// this.params = params;
+// }
+//
+//}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
new file mode 100644
index 000000000..d0c003b31
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
@@ -0,0 +1,602 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.lang.StringUtils;
+import org.joda.time.DateTime;
+import org.joda.time.DurationFieldType;
+import org.opensaml.Configuration;
+import org.opensaml.saml2.common.Extensions;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeValue;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.Company;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration;
+import org.opensaml.saml2.metadata.EmailAddress;
+import org.opensaml.saml2.metadata.EncryptionMethod;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.GivenName;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.OrganizationDisplayName;
+import org.opensaml.saml2.metadata.OrganizationName;
+import org.opensaml.saml2.metadata.OrganizationURL;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.SSODescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.SurName;
+import org.opensaml.saml2.metadata.TelephoneNumber;
+import org.opensaml.samlext.saml2mdattr.EntityAttributes;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+import org.opensaml.xml.schema.XSString;
+import org.opensaml.xml.schema.impl.XSStringBuilder;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.KeyInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.ImmutableSortedSet;
+import com.google.common.collect.Ordering;
+
+import eu.eidas.auth.commons.EIDASUtil;
+import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat;
+import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper;
+import eu.eidas.auth.engine.ProtocolEngineI;
+import eu.eidas.auth.engine.core.SAMLExtensionFormat;
+import eu.eidas.auth.engine.core.eidas.DigestMethod;
+import eu.eidas.auth.engine.core.eidas.SPType;
+import eu.eidas.auth.engine.core.eidas.SigningMethod;
+import eu.eidas.auth.engine.metadata.ContactData;
+import eu.eidas.auth.engine.metadata.EidasMetadata;
+import eu.eidas.auth.engine.metadata.MetadataConfigParams;
+import eu.eidas.auth.engine.metadata.MetadataSignerI;
+import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil;
+import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
+import eu.eidas.engine.exceptions.SAMLEngineException;
+import eu.eidas.util.Preconditions;
+
+/**
+ * @author tlenz
+ *
+ * MOA specific implementation of {@link EidasMetadata}
+ * This version fix some bugs<br>
+ * <ul>
+ * <li>Does not add an encryption certificated to IDPSSODescriptor</li>
+ * <li>Only set provideable eIDAS attributes to IDPSSODescriptor</li>
+ * <li>SPSSODescriptor only requests 'persistent' subject nameIDs</li>
+ * </ul>
+ *
+ */
+public class NewMoaEidasMetadata {
+ private static final Logger LOGGER = LoggerFactory.getLogger(EidasMetadata.class.getName());
+ private final String metadata;
+ private final String entityId;
+ private static final Set<String> DEFAULT_BINDING = new HashSet() {
+ };
+
+ private NewMoaEidasMetadata( Generator generator) throws EIDASSAMLEngineException {
+ this.entityId = generator.entityId;
+ this.metadata = generator.metadata;
+ }
+
+ public String getMetadata() {
+ return this.metadata;
+ }
+
+
+ public static Generator generator() {
+ return new Generator();
+ }
+
+
+ public static Generator generator( Generator copy) {
+ return new Generator(copy);
+ }
+
+ public static final class Generator {
+ private XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+ private MetadataConfigParams params;
+ private SPSSODescriptor spSSODescriptor = null;
+ private IDPSSODescriptor idpSSODescriptor = null;
+ private String ssoLocation;
+ private String metadata;
+ private String entityId;
+
+ public Generator() {
+ }
+
+ public Generator( Generator copy) {
+ Preconditions.checkNotNull(copy, "copy");
+ this.params = copy.params;
+ this.spSSODescriptor = copy.spSSODescriptor;
+ this.idpSSODescriptor = copy.idpSSODescriptor;
+ this.ssoLocation = copy.ssoLocation;
+ this.entityId = copy.entityId;
+ }
+
+
+ public NewMoaEidasMetadata build() throws EIDASSAMLEngineException {
+ initialize();
+ this.entityId = this.params.getEntityID();
+ this.metadata = generateMetadata();
+ return new NewMoaEidasMetadata(this);
+ }
+
+ public Generator configParams(MetadataConfigParams params) {
+ this.params = params;
+ return this;
+ }
+
+ private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
+ if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) {
+ Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+ Set<String> digestMethods = new HashSet();
+ for (String signatureMethod : signatureMethods) {
+ digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
+ }
+ for (String digestMethod : digestMethods) {
+ DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
+ if (dm != null) {
+ dm.setAlgorithm(digestMethod);
+ eidasExtensions.getUnknownXMLObjects().add(dm);
+ } else {
+ NewMoaEidasMetadata.LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension");
+ }
+ }
+ }
+ }
+
+ private Extensions generateExtensions() throws EIDASSAMLEngineException {
+ Extensions eidasExtensions = BuilderFactoryUtil.generateMetadataExtension();
+ if (this.params.getAssuranceLevel() != null) {
+ generateLoA(eidasExtensions);
+ }
+ if (!(StringUtils.isEmpty(this.params.getSpType()))) {
+ SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME);
+ if (spTypeObj != null) {
+ spTypeObj.setSPType(this.params.getSpType());
+ eidasExtensions.getUnknownXMLObjects().add(spTypeObj);
+ } else {
+ NewMoaEidasMetadata.LOGGER.info("BUSINESS EXCEPTION error adding SPType extension");
+ }
+ }
+ generateDigest(eidasExtensions);
+
+ if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
+ Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+ for (String signMethod : signMethods) {
+ SigningMethod sm = (SigningMethod) BuilderFactoryUtil
+ .buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
+
+ if (sm != null) {
+ sm.setAlgorithm(signMethod);
+ eidasExtensions.getUnknownXMLObjects().add(sm);
+ } else {
+ NewMoaEidasMetadata.LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension");
+ }
+ }
+ }
+ return eidasExtensions;
+ }
+
+ private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException {
+ EntityAttributes loa = (EntityAttributes) BuilderFactoryUtil
+ .buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME);
+
+ Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
+ loaAttrib.setName("urn:oasis:names:tc:SAML:attribute:assurance-certification");
+ loaAttrib.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
+ XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory()
+ .getBuilder(XSString.TYPE_NAME);
+
+ XSString stringValue = (XSString) stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME,
+ XSString.TYPE_NAME);
+ stringValue.setValue(this.params.getAssuranceLevel());
+ loaAttrib.getAttributeValues().add(stringValue);
+ loa.getAttributes().add(loaAttrib);
+ eidasExtensions.getUnknownXMLObjects().add(loa);
+ }
+
+ private void addAssertionConsumerService() throws EIDASSAMLEngineException {
+ int index = 0;
+ Set<String> bindings = (this.params.getProtocolBinding().isEmpty()) ? NewMoaEidasMetadata.DEFAULT_BINDING
+ : this.params.getProtocolBinding();
+ for (String binding : bindings) {
+ AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil
+ .buildXmlObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
+
+ asc.setLocation(this.params.getAssertionConsumerUrl());
+ asc.setBinding(checkBinding(binding));
+ asc.setIndex(Integer.valueOf(index));
+ if (index == 0) {
+ asc.setIsDefault(Boolean.valueOf(true));
+ }
+ ++index;
+ this.spSSODescriptor.getAssertionConsumerServices().add(asc);
+ }
+ }
+
+ private String checkBinding(String binding) {
+ if ((binding != null) && (((binding.equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"))
+ || (binding.equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"))))) {
+ return binding;
+ }
+ return "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
+ }
+
+ private DateTime getExpireDate() {
+ DateTime expiryDate = DateTime.now();
+ expiryDate = expiryDate.withFieldAdded(DurationFieldType.seconds(),
+ (int) this.params.getValidityDuration());
+
+ return expiryDate;
+ }
+
+ private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor,
+ ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions) throws EIDASSAMLEngineException {
+ List attributes = idpssoDescriptor.getAttributes();
+ for (AttributeDefinition attributeDefinition : attributeDefinitions) {
+ Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
+ a.setName(attributeDefinition.getNameUri().toASCIIString());
+ a.setFriendlyName(attributeDefinition.getFriendlyName());
+ a.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
+ attributes.add(a);
+ }
+ }
+
+ private void generateSPSSODescriptor(EntityDescriptor entityDescriptor,
+ X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) throws SecurityException, IllegalAccessException,
+ NoSuchFieldException, SAMLEngineException, EIDASSAMLEngineException {
+ this.spSSODescriptor.setWantAssertionsSigned(Boolean.valueOf(this.params.isWantAssertionsSigned()));
+ this.spSSODescriptor.setAuthnRequestsSigned(Boolean.valueOf(true));
+ if (this.params.getSpSignature() != null) {
+ this.spSSODescriptor.setSignature(this.params.getSpSignature());
+ }
+ if (this.params.getSpSigningCredential() != null) {
+ this.spSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory,
+ this.params.getSpSigningCredential(), UsageType.SIGNING));
+ }
+
+ if (this.params.getSpEncryptionCredential() != null) {
+ this.spSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory,
+ this.params.getSpEncryptionCredential(), UsageType.ENCRYPTION));
+ }
+
+ this.spSSODescriptor.addSupportedProtocol(this.params.getSpSamlProtocol());
+ if (!(StringUtils.isEmpty(this.params.getAssertionConsumerUrl()))) {
+ addAssertionConsumerService();
+ }
+
+
+ //fillNameIDFormat(this.spSSODescriptor);
+ //FIX: Austrian eIDAS node SP only needs persistent identifiers
+ NameIDFormat persistentFormat =
+ (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+ persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
+ spSSODescriptor.getNameIDFormats().add(persistentFormat);
+
+ entityDescriptor.getRoleDescriptors().add(this.spSSODescriptor);
+ }
+
+ private void fillNameIDFormatIDP(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException {
+ NameIDFormat persistentFormat = (NameIDFormat) BuilderFactoryUtil
+ .buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+
+ persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
+ ssoDescriptor.getNameIDFormats().add(persistentFormat);
+ NameIDFormat transientFormat = (NameIDFormat) BuilderFactoryUtil
+ .buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+
+ transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat());
+ ssoDescriptor.getNameIDFormats().add(transientFormat);
+ NameIDFormat unspecifiedFormat = (NameIDFormat) BuilderFactoryUtil
+ .buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+
+ unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat());
+ ssoDescriptor.getNameIDFormats().add(unspecifiedFormat);
+ }
+
+ private void generateIDPSSODescriptor(EntityDescriptor entityDescriptor,
+ X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) throws SecurityException, IllegalAccessException,
+ NoSuchFieldException, SAMLEngineException, EIDASSAMLEngineException {
+ this.idpSSODescriptor.setWantAuthnRequestsSigned(Boolean.valueOf(true));
+ if (this.params.getIdpSignature() != null) {
+ this.idpSSODescriptor.setSignature(this.params.getIdpSignature());
+ }
+ if (this.params.getIdpSigningCredential() != null) {
+ this.idpSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory,
+ this.params.getIdpSigningCredential(), UsageType.SIGNING));
+ }
+
+ //INFO: IDP requires no encryption certificate
+// if (this.params.getIdpEncryptionCredential() != null) {
+// this.idpSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory,
+// this.params.getIdpEncryptionCredential(), UsageType.ENCRYPTION));
+// }
+
+ this.idpSSODescriptor.addSupportedProtocol(this.params.getIdpSamlProtocol());
+ fillNameIDFormatIDP(this.idpSSODescriptor);
+ this.idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations());
+ if ((this.params.getIdpEngine() != null) && (this.params.getIdpEngine().getProtocolProcessor() != null)
+ && (this.params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10)) {
+
+ /*TODO: Only a work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
+ * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
+ *
+ * INFO: Maybe, this code can be removed in a future version of the eIDAS engine
+ */
+ generateSupportedAttributes(this.idpSSODescriptor, getAllSupportedAttributes());
+ }
+ entityDescriptor.getRoleDescriptors().add(this.idpSSODescriptor);
+ }
+
+ /* FIX: Work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
+ * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
+ */
+ public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() {
+ ImmutableSortedSet.Builder<AttributeDefinition<?>> builder =
+ new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural());
+
+ for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) {
+ AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr);
+ builder.add(supAttr);
+ }
+
+ return builder.build();
+ }
+
+ private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations()
+ throws NoSuchFieldException, IllegalAccessException {
+ ArrayList singleSignOnServices = new ArrayList();
+
+ HashMap<String, String> bindingLocations = this.params.getProtocolBindingLocation();
+ Iterator bindLocs = bindingLocations.entrySet().iterator();
+ while (bindLocs.hasNext()) {
+ Map.Entry bindingLoc = (Map.Entry) bindLocs.next();
+ SingleSignOnService ssos = (SingleSignOnService) BuilderFactoryUtil
+ .buildXmlObject(SingleSignOnService.class);
+ ssos.setBinding((String) bindingLoc.getKey());
+ ssos.setLocation((String) bindingLoc.getValue());
+ singleSignOnServices.add(ssos);
+ }
+ return singleSignOnServices;
+ }
+
+ private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory,
+ Credential credential, UsageType usage)
+ throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException {
+ KeyDescriptor keyDescriptor = null;
+ if (credential != null) {
+ keyDescriptor = (KeyDescriptor) BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class);
+ KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
+
+ KeyInfo keyInfo = keyInfoGenerator.generate(credential);
+ keyDescriptor.setUse(usage);
+ keyDescriptor.setKeyInfo(keyInfo);
+ if ((usage == UsageType.ENCRYPTION) && (this.params.getEncryptionAlgorithms() != null)) {
+ Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(this.params.getEncryptionAlgorithms());
+ for (String encryptionAlgo : encryptionAlgos) {
+ EncryptionMethod em = (EncryptionMethod) BuilderFactoryUtil
+ .buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME);
+
+ em.setAlgorithm(encryptionAlgo);
+ keyDescriptor.getEncryptionMethods().add(em);
+ }
+ }
+ }
+
+ return keyDescriptor;
+ }
+
+ private Organization buildOrganization() {
+ Organization organization = null;
+ if (this.params.getOrganization() != null) {
+ try {
+ organization = (Organization) BuilderFactoryUtil.buildXmlObject(Organization.class);
+ OrganizationDisplayName odn = (OrganizationDisplayName) BuilderFactoryUtil
+ .buildXmlObject(OrganizationDisplayName.class);
+ odn.setName(new LocalizedString(this.params.getOrganization().getDisplayName(), "en"));
+ organization.getDisplayNames().add(odn);
+ OrganizationName on = (OrganizationName) BuilderFactoryUtil.buildXmlObject(OrganizationName.class);
+ on.setName(new LocalizedString(this.params.getOrganization().getName(), "en"));
+ organization.getOrganizationNames().add(on);
+ OrganizationURL url = (OrganizationURL) BuilderFactoryUtil.buildXmlObject(OrganizationURL.class);
+ url.setURL(new LocalizedString(this.params.getOrganization().getUrl(), "en"));
+ organization.getURLs().add(url);
+ } catch (IllegalAccessException iae) {
+ NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", iae.getMessage());
+ NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", iae);
+ } catch (NoSuchFieldException nfe) {
+ NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", nfe.getMessage());
+ NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", nfe);
+ }
+ }
+ return organization;
+ }
+
+ private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) {
+ ContactPerson contact = null;
+ try {
+ ContactData currentContact = null;
+ if (contactType == ContactPersonTypeEnumeration.SUPPORT)
+ currentContact = this.params.getSupportContact();
+ else if (contactType == ContactPersonTypeEnumeration.TECHNICAL)
+ currentContact = this.params.getTechnicalContact();
+ else {
+ NewMoaEidasMetadata.LOGGER.error("ERROR: unsupported contact type");
+ }
+ contact = (ContactPerson) BuilderFactoryUtil.buildXmlObject(ContactPerson.class);
+ if (currentContact == null) {
+ NewMoaEidasMetadata.LOGGER.error("ERROR: cannot retrieve contact from the configuration");
+ return contact;
+ }
+
+ EmailAddress emailAddressObj = (EmailAddress) BuilderFactoryUtil.buildXmlObject(EmailAddress.class);
+ Company company = (Company) BuilderFactoryUtil.buildXmlObject(Company.class);
+ GivenName givenName = (GivenName) BuilderFactoryUtil.buildXmlObject(GivenName.class);
+ SurName surName = (SurName) BuilderFactoryUtil.buildXmlObject(SurName.class);
+ TelephoneNumber phoneNumber = (TelephoneNumber) BuilderFactoryUtil
+ .buildXmlObject(TelephoneNumber.class);
+ contact.setType(contactType);
+ emailAddressObj.setAddress(currentContact.getEmail());
+ company.setName(currentContact.getCompany());
+ givenName.setName(currentContact.getGivenName());
+ surName.setName(currentContact.getSurName());
+ phoneNumber.setNumber(currentContact.getPhone());
+
+ populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber);
+ } catch (IllegalAccessException iae) {
+ NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", iae.getMessage());
+ NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", iae);
+ } catch (NoSuchFieldException nfe) {
+ NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", nfe.getMessage());
+ NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", nfe);
+ }
+ return contact;
+ }
+
+ private void populateContact(ContactPerson contact, ContactData currentContact, EmailAddress emailAddressObj,
+ Company company, GivenName givenName, SurName surName, TelephoneNumber phoneNumber) {
+ if (!(StringUtils.isEmpty(currentContact.getEmail()))) {
+ contact.getEmailAddresses().add(emailAddressObj);
+ }
+ if (!(StringUtils.isEmpty(currentContact.getCompany()))) {
+ contact.setCompany(company);
+ }
+ if (!(StringUtils.isEmpty(currentContact.getGivenName()))) {
+ contact.setGivenName(givenName);
+ }
+ if (!(StringUtils.isEmpty(currentContact.getSurName()))) {
+ contact.setSurName(surName);
+ }
+ if (!(StringUtils.isEmpty(currentContact.getPhone())))
+ contact.getTelephoneNumbers().add(phoneNumber);
+ }
+
+ private String generateMetadata() throws EIDASSAMLEngineException {
+ try {
+ EntityDescriptor entityDescriptor = (EntityDescriptor) this.builderFactory
+ .getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME)
+ .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
+
+ entityDescriptor.setEntityID(this.params.getEntityID());
+ entityDescriptor.setOrganization(buildOrganization());
+ entityDescriptor.getContactPersons().add(buildContact(ContactPersonTypeEnumeration.SUPPORT));
+ entityDescriptor.getContactPersons().add(buildContact(ContactPersonTypeEnumeration.TECHNICAL));
+ entityDescriptor.setValidUntil(getExpireDate());
+
+ X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
+ keyInfoGeneratorFactory.setEmitEntityCertificate(true);
+ Extensions e = generateExtensions();
+ if (!(e.getUnknownXMLObjects().isEmpty())) {
+ entityDescriptor.setExtensions(e);
+ }
+ if (this.spSSODescriptor != null) {
+ generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
+ }
+ if (this.idpSSODescriptor != null) {
+ generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
+ }
+ if (this.params.getSpEngine() != null) {
+ ProtocolEngineI spEngine = this.params.getSpEngine();
+ ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor);
+ } else if (this.params.getIdpEngine() != null) {
+ ProtocolEngineI idpEngine = this.params.getIdpEngine();
+ ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor);
+ }
+ return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false));
+ } catch (Exception ex) {
+ NewMoaEidasMetadata.LOGGER.info("ERROR : SAMLException ", ex.getMessage());
+ NewMoaEidasMetadata.LOGGER.debug("ERROR : SAMLException ", ex);
+ throw new IllegalStateException(ex);
+ }
+ }
+
+ private void initialize() throws EIDASSAMLEngineException {
+ ProtocolEngineI idpEngine = this.params.getIdpEngine();
+ ProtocolEngineI spEngine = this.params.getSpEngine();
+ MetadataConfigParams.Builder initParamBuilder = MetadataConfigParams.builder(this.params);
+ if (idpEngine != null) {
+ idpEngine.getProtocolProcessor().configure();
+ initParamBuilder.idpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate()));
+
+ X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate();
+ if (idpEngineDecryptionCertificate != null) {
+ initParamBuilder
+ .idpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate));
+ }
+ if (this.idpSSODescriptor == null) {
+ try {
+ this.idpSSODescriptor = ((IDPSSODescriptor) BuilderFactoryUtil
+ .buildXmlObject(IDPSSODescriptor.class));
+ } catch (NoSuchFieldException e) {
+ throw new EIDASSAMLEngineException(e);
+ } catch (IllegalAccessException e) {
+ throw new EIDASSAMLEngineException(e);
+ }
+ }
+ }
+ if (spEngine != null) {
+ spEngine.getProtocolProcessor().configure();
+ initParamBuilder.spSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate()));
+
+ X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate();
+ if (spEngineDecryptionCertificate != null) {
+ initParamBuilder
+ .spEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate));
+ }
+ if (this.spSSODescriptor == null) {
+ try {
+ this.spSSODescriptor = ((SPSSODescriptor) BuilderFactoryUtil
+ .buildXmlObject(SPSSODescriptor.class));
+ } catch (NoSuchFieldException e) {
+ throw new EIDASSAMLEngineException(e);
+ } catch (IllegalAccessException e) {
+ throw new EIDASSAMLEngineException(e);
+ }
+ }
+ }
+ this.params = initParamBuilder.build();
+ }
+ }
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index 773e08ea9..d469ca28c 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -88,7 +88,7 @@ public class SAMLEngineUtils {
URL addAttrConfigUrl = new URL(FileUtils.makeAbsoluteURL(
additionalAttributeConfigFile,
AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir()));
- addAttrDefinitions = AttributeRegistries.fromFile(addAttrConfigUrl.getPath());
+ addAttrDefinitions = AttributeRegistries.fromFile(addAttrConfigUrl.getPath(), null);
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 5d13e26e2..940b91b44 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -330,7 +330,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
// - memorize service-provider type from eIDAS request
String spType = null;
if (eIDASSamlReq.getSpType() != null)
- spType = eIDASSamlReq.getSpType().getValue();
+ spType = eIDASSamlReq.getSpType();
if (MiscUtil.isEmpty(spType))
spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
index df96bef12..bfe410fc2 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
@@ -31,7 +31,7 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAeIDASMetadataGenerator;
+import at.gv.egovernment.moa.id.auth.modules.eidas.utils.NewMoaEidasMetadata;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -44,8 +44,10 @@ import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.logging.Logger;
import eu.eidas.auth.engine.ProtocolEngineI;
-import eu.eidas.auth.engine.metadata.Contact;
+import eu.eidas.auth.engine.metadata.ContactData;
import eu.eidas.auth.engine.metadata.MetadataConfigParams;
+import eu.eidas.auth.engine.metadata.MetadataConfigParams.Builder;
+import eu.eidas.auth.engine.metadata.OrganizationData;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
@@ -119,22 +121,20 @@ public class EidasMetaDataRequest implements IAction {
ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
- MOAeIDASMetadataGenerator generator = new MOAeIDASMetadataGenerator();
- MetadataConfigParams mcp=new MetadataConfigParams();
- generator.setConfigParams(mcp);
- generator.initialize(engine);
-
- mcp.setEntityID(metadata_url);
- mcp.setAssertionConsumerUrl(sp_return_url);
- mcp.getProtocolBindingLocation().put(
+ //configura metadata builder
+ Builder metadataConfigBuilder = MetadataConfigParams.builder();
+ metadataConfigBuilder.entityID(metadata_url);
+ metadataConfigBuilder.assertionConsumerUrl(sp_return_url);
+
+ metadataConfigBuilder.addProtocolBindingLocation(
SAMLConstants.SAML2_POST_BINDING_URI,
pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST);
//TODO: make it configurable
- mcp.setAuthnRequestsSigned(true);
- mcp.setWantAssertionsSigned(true);
- mcp.setAssuranceLevel(
+ metadataConfigBuilder.authnRequestsSigned(true);
+ metadataConfigBuilder.wantAssertionsSigned(true);
+ metadataConfigBuilder.assuranceLevel(
authConfig.getBasicMOAIDConfiguration(
Constants.CONIG_PROPS_EIDAS_NODE_LoA,
MOAIDAuthConstants.eIDAS_LOA_HIGH));
@@ -142,47 +142,71 @@ public class EidasMetaDataRequest implements IAction {
//must be set in request, because it could be different for every online-application
//mcp.setSpType(SPType.DEFAULT_VALUE);
- mcp.setDigestMethods(Constants.METADATA_ALLOWED_ALG_DIGIST);
- mcp.setSigningMethods(Constants.METADATA_ALLOWED_ALG_SIGN);
- mcp.setEncryptionAlgorithms(Constants.METADATA_ALLOWED_ALG_ENCRYPT);
+ metadataConfigBuilder.digestMethods(Constants.METADATA_ALLOWED_ALG_DIGIST);
+ metadataConfigBuilder.signingMethods(Constants.METADATA_ALLOWED_ALG_SIGN);
+ metadataConfigBuilder.encryptionAlgorithms(Constants.METADATA_ALLOWED_ALG_ENCRYPT);
//add organisation information from PVP metadata information
Organization pvpOrganisation = null;
try {
pvpOrganisation = PVPConfiguration.getInstance().getIDPOrganisation();
- Contact technicalContact = new Contact();
+ eu.eidas.auth.engine.metadata.ContactData.Builder technicalContact = ContactData.builder();
List<ContactPerson> contacts = PVPConfiguration.getInstance().getIDPContacts();
if (contacts != null && contacts.size() >= 1) {
ContactPerson contact = contacts.get(0);
- technicalContact.setGivenName(contact.getGivenName().getName());
- technicalContact.setSurName(contact.getSurName().getName());
+ technicalContact.givenName(contact.getGivenName().getName());
+ technicalContact.surName(contact.getSurName().getName());
if (!contact.getEmailAddresses().isEmpty())
- technicalContact.setEmail(contact.getEmailAddresses().get(0).getAddress());
+ technicalContact.email(contact.getEmailAddresses().get(0).getAddress());
if (!contact.getTelephoneNumbers().isEmpty())
- technicalContact.setPhone(contact.getTelephoneNumbers().get(0).getNumber());
+ technicalContact.phone(contact.getTelephoneNumbers().get(0).getNumber());
- mcp.setTechnicalContact(technicalContact );
+
}
if (pvpOrganisation != null) {
- mcp.setNodeUrl(pvpOrganisation.getURLs().get(0).getURL().getLocalString());
- mcp.setCountryName(authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRY, "Austria"));
- technicalContact.setCompany(pvpOrganisation.getDisplayNames().get(0).getName().getLocalString());
+ eu.eidas.auth.engine.metadata.OrganizationData.Builder organizationConfig = OrganizationData.builder();
+ organizationConfig.url(pvpOrganisation.getURLs().get(0).getURL().getLocalString());
+ organizationConfig.name(authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRY, "Austria"));
+ //TODO: add display name and maybe update name
+
+
+ metadataConfigBuilder.organization(organizationConfig.build());
+
+ technicalContact.company(pvpOrganisation.getDisplayNames().get(0).getName().getLocalString());
}
+
+ metadataConfigBuilder.technicalContact(technicalContact.build());
+
+ //TODO: add correct support contact
+ metadataConfigBuilder.supportContact(ContactData.builder(technicalContact.build()).build());
+
} catch (ConfigurationException | NullPointerException e) {
Logger.warn("Can not load Organisation or Contact from Configuration", e);
}
-
- generator.addSPRole();
- generator.addIDPRole();
+
+ metadataConfigBuilder.idpEngine(engine);
+ metadataConfigBuilder.spEngine(engine);
+
+ //TODO:
+// MOAeIDASMetadataGenerator generator = new MOAeIDASMetadataGenerator();
+// generator.initialize(engine);
+// generator.addSPRole();
+// generator.addIDPRole();
+// metadata = generator.generateMetadata();
+
+ //use own implementation that solves some problems in original implementation
+ NewMoaEidasMetadata.Generator generator = NewMoaEidasMetadata.generator();
+ generator.configParams(metadataConfigBuilder.build());
+ NewMoaEidasMetadata eidasMetadata = generator.build();
+ metadata = eidasMetadata.getMetadata();
- metadata = generator.generateMetadata();
return metadata;
}
}