1 files changed, 232 insertions, 0 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
new file mode 100644
index 000000000..5032222d0
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
@@ -0,0 +1,232 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.SignableSAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
+import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
+import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
+import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.AbstractSignableXMLObject;
+import org.opensaml.xml.signature.SignableXMLObject;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
+import org.opensaml.xml.validation.ValidationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.exception.PVP2Exception;
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+
+/**
+ * @author tlenz
+ *
+ */
+public class PVP2Utils {
+
+	private static final Logger log = LoggerFactory
+			.getLogger(PVP2Utils.class);
+	
+	public static void postBindingEncoder(HttpServletRequest req, HttpServletResponse resp,
+			SignableSAMLObject pvp2Req, X509Credential authcredential, String targetLocation, String relayState) throws PVP2Exception {
+		try {
+			VelocityEngine engine = new VelocityEngine();
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+			engine.setProperty("classpath.resource.loader.class",
+					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+			engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
+					"org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
+			engine.init();
+
+			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+					"templates/pvp_postbinding_template.html");
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					resp, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+				.buildObject();
+			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+			service.setLocation(targetLocation);
+		
+			context.setOutboundSAMLMessageSigningCredential(authcredential);
+			context.setPeerEntityEndpoint(service);
+			context.setOutboundSAMLMessage(pvp2Req);
+			context.setOutboundMessageTransport(responseAdapter);
+			context.setRelayState(relayState);
+			
+			encoder.encode(context);
+			
+		} catch (MessageEncodingException e) {
+			log.warn("Encode PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Encode PVP 2.1 message FAILED.", e);
+			
+		}		
+	}
+	
+
+	/**
+	 * @param request
+	 * @param response
+	 * @param sloReq
+	 * @param authcredential
+	 * @param location
+	 * @param object
+	 * @throws PVP2Exception 
+	 */
+	public static void redirectBindingEncoder(HttpServletRequest request,
+			HttpServletResponse response, SignableSAMLObject pvp2Req,
+			X509Credential authcredential, String location, String relayState) throws PVP2Exception {
+		try {			
+			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					response
+					, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+					.buildObject();
+			service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+			service.setLocation(location);
+			context.setOutboundSAMLMessageSigningCredential(authcredential);
+			context.setPeerEntityEndpoint(service);
+			context.setOutboundSAMLMessage(pvp2Req);
+			context.setOutboundMessageTransport(responseAdapter);
+			context.setRelayState(relayState);
+
+			encoder.encode(context);
+		} catch (MessageEncodingException e) {
+			log.warn("Encode PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Encode PVP 2.1 message FAILED.", e);
+			
+		}		
+	}
+	
+	public static void validateSignature(SignableXMLObject msg, ConfigurationProvider configuration) throws SecurityException, ValidationException {
+		//Validate Signature
+		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+		profileValidator.validate(msg.getSignature());
+	
+		//Verify Signature
+		List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+		keyInfoProvider.add(new DSAKeyValueProvider());
+		keyInfoProvider.add(new RSAKeyValueProvider());
+		keyInfoProvider.add(new InlineX509DataProvider());
+	
+		KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+				keyInfoProvider);
+	
+		MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();    
+		MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(configuration.getMetaDataProvier());  
+	  
+		CriteriaSet criteriaSet = new CriteriaSet();  
+		criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));  
+		criteriaSet.add(new EntityIDCriteria(configuration.getPVP2IDPMetadataEntityName()));
+		criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+	  				
+		ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+		trustEngine.validate(msg.getSignature(), criteriaSet);		
+	}
+	
+	public static X509Credential signMessage(AbstractSignableXMLObject msg, ConfigurationProvider config) throws PVP2Exception {
+		//sign authentication request
+		KeyStore keyStore;
+		try {
+			keyStore = config.getPVP2KeyStore();
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
+
+			Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
+			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+			signer.setSigningCredential(authcredential);
+			msg.setSignature(signer);
+			
+			return authcredential;
+						
+		} catch (NoSuchAlgorithmException e) {
+			log.warn("Sign PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
+			
+		} catch (CertificateException e) {
+			log.warn("Sign PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
+			
+		} catch (KeyStoreException e) {
+			log.warn("Sign PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
+			
+		} catch (ConfigurationException e) {
+			log.warn("Sign PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
+			
+		} catch (IOException e) {
+			log.warn("Sign PVP 2.1 message FAILED.", e);
+			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
+		}		
+	}
+}