| -rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java | 114 | 
1 files changed, 62 insertions, 52 deletions
|
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
index b6fed5934..16b179d89 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactoryConfigurationError;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.provider.FilterException;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
@@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 /**
  * @author tlenz
@@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter {
 	@Override
 	public void doFilter(XMLObject metadata) throws FilterException {
 		if (metadata instanceof EntityDescriptor) {
-			if (((EntityDescriptor) metadata).isSigned()) {				
-				EntityDescriptor entityDes = (EntityDescriptor) metadata;
-				//check signature;
-				try {
-					byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
-					
-//					Transformer transformer = TransformerFactory.newInstance()
-//							.newTransformer();	
-//					StringWriter sw = new StringWriter();
-//					StreamResult sr = new StreamResult(sw);
-//					DOMSource source = new DOMSource(metadata.getDOM());
-//					transformer.transform(source, sr);
-//					sw.close();
-//					String metadataXML = sw.toString();
-					
-					SignatureVerificationUtils sigVerify = 
-							new SignatureVerificationUtils();
-					IVerifiyXMLSignatureResponse result = sigVerify.verify(
-							serialized, trustProfileID);
-					
-					//check signature-verification result
-					if (result.getSignatureCheckCode() != 0) {
-						Logger.warn("Metadata signature-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getSignatureCheckCode());
-						throw new FilterException("Metadata signature-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getSignatureCheckCode());
+			checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID());
-					}
-					
-					if (result.getCertificateCheckCode() != 0) {
-						Logger.warn("Metadata certificate-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getCertificateCheckCode());
-						throw new FilterException("Metadata certificate-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getCertificateCheckCode());
-						
-					}
-					
-					Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid");
+		} else if (metadata instanceof EntitiesDescriptor) {
+			EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+			if (entitiesDesc.getEntityDescriptors() != null && 
+					entitiesDesc.getEntityDescriptors().size() > 1) {
+				String nameForLogging = entitiesDesc.getName();
+				if (MiscUtil.isEmpty(nameForLogging))
+					nameForLogging = entitiesDesc.getID();
+				
+				checkSignature(metadata, nameForLogging);
+				
+			} else {
+				Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'");
+				throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor");
+				
+			}
+			
+		} else {
+			Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'");
+			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'");
+			
+		}
+		
+	}
+	
+	private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException {
+		if (((EntityDescriptor) metadata).isSigned()) {				
+			//check signature;
+			try {
+				byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
+				
+				SignatureVerificationUtils sigVerify = 
+						new SignatureVerificationUtils();
+				IVerifiyXMLSignatureResponse result = sigVerify.verify(
+						serialized, trustProfileID);
-				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
-					Logger.error("Metadata verification for Entity:" + entityDes.getEntityID() 
-							+ " has an interal error.", e);
-					throw new FilterException("Metadata verification has an interal error."
-							+ " Message:" + e.getMessage());
+				//check signature-verification result
+				if (result.getSignatureCheckCode() != 0) {
+					Logger.warn("Metadata signature-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getSignatureCheckCode());
 				}
+				if (result.getCertificateCheckCode() != 0) {
+					Logger.warn("Metadata certificate-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getCertificateCheckCode());
+					throw new FilterException("Metadata certificate-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getCertificateCheckCode());
+					
+				}
-			} else {
-				Logger.warn("Metadata root-element MUST be signed.");
-				throw new FilterException("Metadata root-element MUST be signed.'");
+				Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid");
+			
+			} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+				Logger.error("Metadata verification for Entity:" + nameForLogging 
+						+ " has an interal error.", e);
+				throw new FilterException("Metadata verification has an interal error."
+						+ " Message:" + e.getMessage());
 			}
-						
+			
+			
 		} else {
-			Logger.warn("Metadata root-element is not of type 'EntityDescriptor'");
-			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'");
+			Logger.warn("Metadata root-element MUST be signed.");
+			throw new FilterException("Metadata root-element MUST be signed.'");
 		}
|
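Review bot: In the new `checkSignature`, a failed signature check no longer rejects the metadata: after `Logger.warn("Metadata signature-verification FAILED!" …)` the `if` block simply closes and execution continues to the certificate check, whereas the removed code threw `FilterException` at that point, so metadata whose XML signature does not verify but whose signing certificate is trusted is now accepted and logged as "is valid". Re-add the throw inside that branch: `throw new FilterException("Metadata signature-verification FAILED!" + " Metadata: " + nameForLogging + " StatusCode:" + result.getSignatureCheckCode());`. Separately, `checkSignature` is now also called from the `EntitiesDescriptor` branch of `doFilter` but still casts `metadata` to `EntityDescriptor` before `isSigned()`, so that path fails with an uncaught `ClassCastException` instead of verifying anything; casting to the `SignableXMLObject` interface that both descriptor types extend in OpenSAML 2 would make the helper work for either root element. The two messages in the single-`EntityDescriptor` branch also disagree ("is of type" in the warning versus "is not of type" in the exception, which is additionally missing a closing quote), so one of them will mislead whoever reads the log.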
