| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-13 14:03:03 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-13 14:03:03 +0100 | 
| commit | 320485ae06e93da206049f4c3706db4e4fec554b (patch) | |
| tree | 72fd8847217f13a8ba210b2a24906fef80d862e9 /id/server/modules | |
| parent | 22820de6b6fa074be1d9990766fa631a6f7f5818 (diff) | |
| download | moa-id-spss-320485ae06e93da206049f4c3706db4e4fec554b.tar.gz moa-id-spss-320485ae06e93da206049f4c3706db4e4fec554b.tar.bz2 moa-id-spss-320485ae06e93da206049f4c3706db4e4fec554b.zip | |
refactor PVP Metadata provider functionality
Diffstat (limited to 'id/server/modules')
3 files changed, 132 insertions, 353 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
deleted file mode 100644
index 72a7d3ba1..000000000
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
+++ /dev/null
@@ -1,142 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - *  - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - *  - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - *  - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. 
- * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.invoke; - -import java.util.Vector; - -import javax.xml.namespace.QName; -import javax.xml.rpc.Call; -import javax.xml.rpc.Service; -import javax.xml.rpc.ServiceFactory; - -import org.apache.axis.message.SOAPBodyElement; -import org.w3c.dom.Document; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.exception.ServiceException; -import at.gv.egovernment.moa.id.config.ConnectionParameter; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.api.SignatureVerificationService; -import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser; -import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder; -import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; -import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * Invoker of the <code>SignatureVerification</code> web service of MOA-SPSS.<br> - * Either invokes the web service, or calls the corresponding API, depending on configuration data. 
- *  - * @author Stefan Knirsch - * @version $Id$ - */ -public class SignatureVerificationInvoker { -  /** This QName Object identifies the SignatureVerification endpoint of the web service */ -  private static final QName SERVICE_QNAME = new QName("SignatureVerification"); - -  /** -   * Method verifyXMLSignature. -   * @param request to be sent -   * @return Element with the answer -   * @throws ServiceException if an error occurs -   */ -  public Element verifyXMLSignature(Element request) throws ServiceException { -    return doCall(SERVICE_QNAME, request); -  } - -  /** -   * Method doCall. -   * @param serviceName the name of the service -   * @param request the request to be sent -   * @return Element the answer -   * @throws ServiceException if an error occurs -   */ -  protected Element doCall(QName serviceName, Element request) throws ServiceException { -    ConnectionParameter authConnParam = null; -    try { -      Service service = ServiceFactory.newInstance().createService(serviceName); -      Call call = service.createCall(); -      SOAPBodyElement body = new SOAPBodyElement(request); -      SOAPBodyElement[] params = new SOAPBodyElement[] { body }; -      Vector responses; -      SOAPBodyElement response; - -      String endPoint; -      AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance(); -      authConnParam = authConfigProvider.getMoaSpConnectionParameter(); -      //If the ConnectionParameter do NOT exist, we try to get the api to work.... 
-      if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) {
-        Logger.debug("Connecting using auth url: " + authConnParam.getUrl() + ", service " + serviceName.getNamespaceURI() + " : " + serviceName.getLocalPart() + " : "+ serviceName.getPrefix());
-        endPoint = authConnParam.getUrl();
-        call.setTargetEndpointAddress(endPoint);
-        responses = (Vector) call.invoke(serviceName, params);
-        Logger.debug("Got responses: " + responses.size()); // TODO handle axis 302 response when incorrect service url is used
-        response = (SOAPBodyElement) responses.get(0);
-        return response.getAsDOM();
-      }
-      else {
-        SignatureVerificationService svs = SignatureVerificationService.getInstance();
-        VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(request);
-		
-        VerifyXMLSignatureResponse vsresponse = svs.verifyXMLSignature(vsrequest);
-        Document result = new VerifyXMLSignatureResponseBuilder().build(vsresponse);
-
-        //Logger.setHierarchy("moa.id.auth");
-        return result.getDocumentElement();
-      }
-    }
-    catch (Exception ex) {
-      if (authConnParam != null) {
-	      throw new ServiceException("service.00", new Object[] { ex.toString()}, ex);
-      } else {
-        throw new ServiceException("service.03", new Object[] { ex.toString()}, ex);
-      }
-    }
-  }
-}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
deleted file mode 100644
index 7bce406e0..000000000
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ /dev/null
@@ -1,211 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - *  - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - *  - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - *  - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. 
- * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.parser; - -import iaik.utils.Base64InputStream; -import iaik.x509.X509Certificate; - -import java.io.ByteArrayInputStream; -import java.io.InputStream; - -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.DOMUtils; -import at.gv.egovernment.moa.util.XPathUtils; - -/** - * Parses a <code><VerifyXMLSignatureResponse></code> returned by - * MOA-SPSS. 
- * This class implements the Singleton pattern - *  - * @author Stefan Knirsch - * @version $Id$ - */ - - -public class VerifyXMLSignatureResponseParser { -  // -  // XPath namespace prefix shortcuts -  // -  /** Xpath prefix for reaching MOA Namespaces */ -  private static final String MOA = Constants.MOA_PREFIX + ":"; -  /** Xpath prefix for reaching DSIG Namespaces */ -  private static final String DSIG = Constants.DSIG_PREFIX + ":"; -  /** Xpath expression to the root element */     -  private static final String ROOT = "/" + MOA + "VerifyXMLSignatureResponse/"; -   -    /** Xpath expression to the X509SubjectName element */   -  private static final String DSIG_SUBJECT_NAME_XPATH =  -      ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" +  -      DSIG + "X509SubjectName";         -  /** Xpath expression to the X509Certificate element */   -  private static final String DSIG_X509_CERTIFICATE_XPATH =  -      ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" +  -          DSIG + "X509Certificate";         -  /** Xpath expression to the PublicAuthority element */   -  private static final String PUBLIC_AUTHORITY_XPATH = -     ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" +  -      MOA + "PublicAuthority";         -  /** Xpath expression to the PublicAuthorityCode element */   -  private static final String PUBLIC_AUTHORITY_CODE_XPATH = -     PUBLIC_AUTHORITY_XPATH + "/" + MOA + "Code";         -  /** Xpath expression to the QualifiedCertificate element */   -   private static final String QUALIFIED_CERTIFICATE_XPATH = -     ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" +  -      MOA + "QualifiedCertificate";         -    -  /** Xpath expression to the SignatureCheckCode element */     -  private static final String SIGNATURE_CHECK_CODE_XPATH =  -   ROOT + MOA + "SignatureCheck/" + MOA + "Code"; -  /** Xpath expression to the XMLDSIGManifestCheckCode element */     -  private static final String XMLDSIG_MANIFEST_CHECK_CODE_XPATH =  -   ROOT + MOA + 
"XMLDSIGManifestCheck/" + MOA + "Code"; -  /** Xpath expression to the SignatureManifestCheckCode element */     -  private static final String SIGNATURE_MANIFEST_CHECK_CODE_XPATH =  -   ROOT + MOA + "SignatureManifestCheck/" + MOA + "Code"; -  /** Xpath expression to the CertificateCheckCode element */       -  private static final String CERTIFICATE_CHECK_CODE_XPATH =  -   ROOT + MOA + "CertificateCheck/" + MOA + "Code"; -   -     -  /** This is the root element of the XML-Document provided by the Security Layer Card*/ -  private Element verifyXMLSignatureResponse; - -  /** -   * Constructor for VerifyXMLSignatureResponseParser. -   * A DOM-representation of the incoming String will be created -   * @param xmlResponse <code><InfoboxReadResponse></code> as String -   * @throws ParseException on any parsing error -   */ -  public VerifyXMLSignatureResponseParser(String xmlResponse) throws ParseException{ -   try { -  InputStream s = new ByteArrayInputStream(xmlResponse.getBytes("UTF-8")); -   -  verifyXMLSignatureResponse = DOMUtils.parseXmlValidating(s);  -     } -     catch (Throwable t) { -      throw new ParseException("parser.01", new Object[] { t.toString() }, t); -    }  -  } -   -  /** -   * Constructor for VerifyXMLSignatureResponseParser. -   * A DOM-representation of the incoming Inputstream will be created -   * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream -   * @throws Exception on any parsing error -   */ -  public VerifyXMLSignatureResponseParser(InputStream xmlResponse) throws Exception -  { -    try { -       verifyXMLSignatureResponse = DOMUtils.parseXmlValidating(xmlResponse);                         -    } -     catch (Throwable t) { -      throw new ParseException("parser.01", null, t); -    }  -  }  -   -   /** -   * Constructor for VerifyXMLSignatureResponseParser. 
-   * The incoming Element will be used for further operations -   * @param xmlResponse <code><InfoboxReadResponse></code> as Element -   */ -  public VerifyXMLSignatureResponseParser(Element xmlResponse) -  { -      verifyXMLSignatureResponse =xmlResponse;                         -   -  } -   -  /** -   * Parse identity link from <code><InfoboxReadResponse></code> -   * @return Identity link -   * @throws ParseException on any parsing error -   */ - -  public VerifyXMLSignatureResponse parseData() throws ParseException { - -    VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse(); - -    try { -    	 -      String s = DOMUtils.serializeNode(verifyXMLSignatureResponse); -      respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,"")); -      Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH); -      respData.setQualifiedCertificate(e!=null); - -      Base64InputStream in = new Base64InputStream(new ByteArrayInputStream(XPathUtils.getElementValue( -        verifyXMLSignatureResponse,DSIG_X509_CERTIFICATE_XPATH,"").getBytes("UTF-8")),true); - -      respData.setX509certificate(new X509Certificate(in)); -      Element publicAuthority = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,PUBLIC_AUTHORITY_XPATH); -      respData.setPublicAuthority(publicAuthority != null); -      respData.setPublicAuthorityCode(XPathUtils.getElementValue(verifyXMLSignatureResponse,PUBLIC_AUTHORITY_CODE_XPATH,"")); -      respData.setSignatureCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNATURE_CHECK_CODE_XPATH,"")).intValue()); - -      String xmlDsigCheckCode = XPathUtils.getElementValue(verifyXMLSignatureResponse,XMLDSIG_MANIFEST_CHECK_CODE_XPATH,null); -      if (xmlDsigCheckCode!=null) {  -        respData.setXmlDSIGManigest(true); -        respData.setXmlDSIGManifestCheckCode(new 
Integer(xmlDsigCheckCode).intValue());
-      } else {
-        respData.setXmlDSIGManigest(false);
-      }
-      String signatureManifestCheckCode = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNATURE_MANIFEST_CHECK_CODE_XPATH,null);
-      if (signatureManifestCheckCode != null) {
-        respData.setSignatureManifestCheckCode(new Integer(signatureManifestCheckCode).intValue());
-      }
-      respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue());
-    }
-    catch (Throwable t) {
-      throw new ParseException("parser.01", null, t);
-    }
-    return respData;
-  }
-
-
-}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
new file mode 100644
index 000000000..c9f3e5bcd
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
+
+	private String trustProfileID = null;
+	
+	/**
+	 * 
+	 */
+	public MOAeIDASMetadataSignatureFilter(String trustProfileID) {
+		this.trustProfileID = trustProfileID;
+		
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+	 */
+	@Override
+	public void doFilter(XMLObject metadata) throws FilterException {
+		if (metadata instanceof EntityDescriptor) {
+			if (((EntityDescriptor) metadata).isSigned()) {
+				EntityDescriptor entityDes = (EntityDescriptor) metadata;
+				//check signature;
+				try {
+					Transformer transformer = TransformerFactory.newInstance()
+							.newTransformer();
+					StringWriter sw = new StringWriter();
+					StreamResult sr = new StreamResult(sw);
+					DOMSource source = new DOMSource(metadata.getDOM());
+					transformer.transform(source, sr);
+					sw.close();
+					String metadataXML = sw.toString();
+					
+					SignatureVerificationUtils sigVerify = 
+							new SignatureVerificationUtils();
+					VerifyXMLSignatureResponse result = sigVerify.verify(
+							metadataXML.getBytes(), trustProfileID);
+					
+					//check signature-verification result
+					if (result.getSignatureCheckCode() != 0) {
+						Logger.warn("eIDAS Metadata signature-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getSignatureCheckCode());
+						throw new FilterException("eIDAS Metadata signature-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getSignatureCheckCode());
+						
+					}
+					
+					if (result.getCertificateCheckCode() != 0) {
+						Logger.warn("eIDAS Metadata certificate-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getCertificateCheckCode());
+						throw new FilterException("eIDAS Metadata certificate-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getCertificateCheckCode());
+						
+					}
+					
+				
+				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+					Logger.error("eIDAS Metadata verification has an interal error.", e);
+					throw new FilterException("eIDAS Metadata verification has an interal error."
+							+ " Message:" + e.getMessage());
+					
+				}
+				
+				
+			} else {
+				Logger.warn("eIDAS Metadata root-element MUST be signed.");
+				throw new FilterException("eIDAS Metadata root-element MUST be signed.'");
+				
+			}
+						
+		} else {
+			Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+			throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+			
+		}
+		
+	}
+
+}
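Review bot: `metadataXML.getBytes()` in doFilter encodes the re-serialized metadata with the JVM default charset, while the Transformer's XML declaration defaults to UTF-8, so on a host whose default charset is not UTF-8 any non-ASCII character in the metadata changes the bytes handed to `sigVerify.verify` and the signature check becomes host-dependent. Use `metadataXML.getBytes(StandardCharsets.UTF_8)` (java.nio.charset, available since Java 7, which the multi-catch already requires), or set `OutputKeys.ENCODING` on the transformer and encode with the same charset. In the `catch` block the cause is flattened into `e.getMessage()`; OpenSAML's FilterException can carry a cause, but because `TransformerFactoryConfigurationError` is an Error the multi-catch variable is a Throwable, so catch that Error separately and throw `new FilterException("eIDAS Metadata verification has an internal error.", e)` for the exception cases — which also fixes the "interal" typo and the stray `'` at the end of the "MUST be signed.'" message. The constructor Javadoc is empty; suggest `@param trustProfileID MOA-SPSS trust profile used to verify the metadata signature`, and a class Javadoc stating that only a signed `EntityDescriptor` root is accepted (an `EntitiesDescriptor` aggregate is rejected). Only `getSignatureCheckCode` and `getCertificateCheckCode` are evaluated; whether the manifest-check codes that VerifyXMLSignatureResponse also carries need to be considered here presumably depends on what SignatureVerificationUtils maps, and is worth confirming.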
