updated samlengine

1 files changed, 125 insertions, 19 deletions

diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java
index 4c7bb18a3..9f0a88c84 100644
--- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java
+++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java
@@ -27,7 +27,9 @@ import java.security.PrivateKey;
 import java.security.Provider;

 import java.security.Security;

 import java.security.UnrecoverableKeyException;

+import java.security.cert.CertificateExpiredException;

 import java.security.cert.CertificateFactory;

+import java.security.cert.CertificateNotYetValidException;

 import java.security.cert.X509Certificate;

 import java.util.ArrayList;

 import java.util.Enumeration;

@@ -35,6 +37,7 @@ import java.util.InvalidPropertiesFormatException;
 import java.util.List;

 import java.util.Properties;

 

+import eu.stork.peps.auth.engine.SAMLEngineUtils;

 import eu.stork.peps.auth.engine.X509PrincipalUtil;

 import org.apache.commons.io.IOUtils;

 import org.apache.commons.lang.NotImplementedException;

@@ -43,6 +46,9 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.opensaml.Configuration;

 import org.opensaml.common.SAMLObject;

 import org.opensaml.common.SignableSAMLObject;

+import org.opensaml.saml2.core.Assertion;

+import org.opensaml.saml2.core.LogoutResponse;

+import org.opensaml.saml2.core.Response;

 import org.opensaml.security.SAMLSignatureProfileValidator;

 import org.opensaml.xml.io.MarshallingException;

 import org.opensaml.xml.security.SecurityConfiguration;

@@ -53,6 +59,7 @@ import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
 import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;

 import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;

 import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator;

+import org.opensaml.xml.security.trust.ExplicitX509CertificateTrustEvaluator;

 import org.opensaml.xml.security.x509.BasicX509Credential;

 import org.opensaml.xml.signature.KeyInfo;

 import org.opensaml.xml.signature.Signature;

@@ -65,6 +72,7 @@ import org.opensaml.xml.validation.ValidationException;
 import org.slf4j.Logger;

 import org.slf4j.LoggerFactory;

 

+import eu.stork.peps.auth.engine.core.CustomAttributeQuery;

 import eu.stork.peps.auth.engine.core.SAMLEngineSignI;

 import eu.stork.peps.exceptions.SAMLEngineException;

 

@@ -235,14 +243,13 @@ public class SignSW implements SAMLEngineSignI {
 

 	    LOG.debug("Begin signature with openSaml");

 	    final Signature signature = (Signature) Configuration

-		    .getBuilderFactory().getBuilder(

-			    Signature.DEFAULT_ELEMENT_NAME).buildObject(

-			    Signature.DEFAULT_ELEMENT_NAME);

+			    .getBuilderFactory().getBuilder(

+				    Signature.DEFAULT_ELEMENT_NAME).buildObject(

+				    Signature.DEFAULT_ELEMENT_NAME);

 

 	    signature.setSigningCredential(credential);

-

 	    signature.setSignatureAlgorithm(

-		    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

+			    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

 

 	   

 	    final SecurityConfiguration secConfiguration = Configuration

@@ -261,15 +268,78 @@ public class SignSW implements SAMLEngineSignI {
 	    signature.setKeyInfo(keyInfo);

 	    signature.setCanonicalizationAlgorithm(

 		    SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

-

-	    tokenSaml.setSignature(signature);

+	    

+	    //Create a second signature which will be used when signing assertion and response

+	    final Signature signature2 = (Signature) Configuration

+	    .getBuilderFactory().getBuilder(

+		    Signature.DEFAULT_ELEMENT_NAME).buildObject(

+		    Signature.DEFAULT_ELEMENT_NAME);

+	    final SecurityConfiguration secConfiguration2 = Configuration

+	    .getGlobalSecurityConfiguration();

+	    final NamedKeyInfoGeneratorManager keyInfoManager2 = secConfiguration2

+		    .getKeyInfoGeneratorManager();

+	    final KeyInfoGeneratorManager keyInfoGenManager2 = keyInfoManager2

+		    .getDefaultManager();

+	    final KeyInfoGeneratorFactory keyInfoGenFac2 = keyInfoGenManager2

+		    .getFactory(credential);

+	    final KeyInfoGenerator keyInfoGenerator2 = keyInfoGenFac2

+		    .newInstance();

+	    

+	    KeyInfo keyInfo2 = keyInfoGenerator2.generate(credential);

+	    signature2.setSigningCredential(credential);

+	    signature2.setSignatureAlgorithm(

+			    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

+	    signature2.setKeyInfo(keyInfo2);

+	    signature2.setCanonicalizationAlgorithm(

+		    SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

+	    	 	    

 

 	    LOG.info("Marshall samlToken.");

-	    Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+	    String qn = tokenSaml.getElementQName().toString();

+	    

+	    if (qn.endsWith(CustomAttributeQuery.DEFAULT_ELEMENT_LOCAL_NAME))

+	    {	    

+	  		tokenSaml.setSignature(signature);

+	    	CustomAttributeQueryMarshaller mars = new CustomAttributeQueryMarshaller();

+	    	mars.marshall(tokenSaml);

+	    	Signer.signObject(signature);

+	    }

+	    else if (qn.endsWith(Response.DEFAULT_ELEMENT_LOCAL_NAME) && !qn.contains(LogoutResponse.DEFAULT_ELEMENT_LOCAL_NAME))

+	    {

+	    	Response res = (Response)tokenSaml;

+	    	List<Assertion> asserts = res.getAssertions();

+	    	//If multiple assertions we just sign the response and not the assertion

+	    	if (asserts.size() > 1)

+	    	{	    		

+	    		tokenSaml.setSignature(signature);

+	    		Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+			    .marshall(tokenSaml);

+	    		LOG.info("Sign samlToken.");

+	    	    Signer.signObject(signature);

+	    	}

+	    	//If single assertion we sign the assertion and response

+	    	else

+	    	{

+			    Assertion assertion = (Assertion)asserts.get(0);

+			    assertion.setSignature(signature);			    

+			    tokenSaml.setSignature(signature2);

+			    Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+			    .marshall(tokenSaml);

+			    LOG.info("Sign samlToken.");

+			    Signer.signObject(signature);

+			    Signer.signObject(signature2);

+	    	}

+	    }

+	    //Normally we just sign the total saml response

+	    else

+	    {

+	    	tokenSaml.setSignature(signature);

+	    	Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

 		    .marshall(tokenSaml);

-

-	    LOG.info("Sign samlToken.");

-	    Signer.signObject(signature);

+	    	LOG.info("Sign samlToken.");

+		    Signer.signObject(signature);

+	    }

+	    

 

 	} catch (MarshallingException e) {

 	    LOG.error("MarshallingException");

@@ -319,7 +389,7 @@ public class SignSW implements SAMLEngineSignI {
 	    String aliasCert = null;

 	    X509Certificate certificate;

 

-	    final List<Credential> trustCred = new ArrayList<Credential>();

+	    /*final List<Credential> trustCred = new ArrayList<Credential>();	    

 

 	    for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e

 		    .hasMoreElements();) {

@@ -329,8 +399,8 @@ public class SignSW implements SAMLEngineSignI {
 			.getCertificate(aliasCert);

 		credential.setEntityCertificate(certificate);

 		trustCred.add(credential);

-	    }

-

+	    }*/

+	    	    

 	    final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo();

 

 	    final org.opensaml.xml.signature.X509Certificate xmlCert = keyInfo

@@ -342,17 +412,53 @@ public class SignSW implements SAMLEngineSignI {
 		    .decode(xmlCert.getValue()));

 	    final X509Certificate cert = (X509Certificate) certFact

 		    .generateCertificate(bis);

-

+	    

 	    // Exist only one certificate

 	    final BasicX509Credential entityX509Cred = new BasicX509Credential();

-	    entityX509Cred.setEntityCertificate(cert);

-

+	    entityX509Cred.setEntityCertificate(cert);	    

+	    

+	    try {

+			cert.checkValidity();

+		} 

+	    catch (CertificateExpiredException exp) {

+			throw new SAMLEngineException("Certificate expired.");

+		}

+		catch (CertificateNotYetValidException exp) {

+			throw new SAMLEngineException("Certificate not yet valid.");

+		}		

+		

+		boolean trusted = false;

+		

+		for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e.hasMoreElements();) 

+	    {

+	    	aliasCert = e.nextElement();		

+	    	certificate = (X509Certificate) storkOwnKeyStore.getCertificate(aliasCert);					

+	    	try {

+	    		cert.verify(certificate.getPublicKey());

+	    		trusted = true;

+	    		break;

+	    	}

+	    	catch (Exception ex) {

+	    		//Do nothing - cert not trusted yet

+	    	}

+	    }

+		

+		if (!trusted)

+		    throw new SAMLEngineException("Certificate is not trusted.");

+	    

+		/*	    

 	    // Validate trust certificates

-	    final ExplicitKeyTrustEvaluator keyTrustEvaluator = 

+	    final ExplicitX509CertificateTrustEvaluator chainTrustEvaluator = new ExplicitX509CertificateTrustEvaluator();

+	    	    

+	    if (!chainTrustEvaluator.validate(entityX509Cred, trustCred)) {

+		    throw new SAMLEngineException("Certificate is not trusted.");

+	    }

+	    /*final ExplicitKeyTrustEvaluator keyTrustEvaluator = 

 		new ExplicitKeyTrustEvaluator();

+

 	    if (!keyTrustEvaluator.validate(entityX509Cred, trustCred)) {

 		    throw new SAMLEngineException("Certificate is not trusted.");

-	    }

+	    }*/

 

 	    // Validate signature

 	    final SignatureValidator sigValidator = new SignatureValidator(