diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java new file mode 100644 index 000000000..2deeb2aae --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java @@ -0,0 +1,153 @@ +/* + * Copyright 2011 by Graz University of Technology, Austria + * The Austrian STORK Modules have been developed by the E-Government + * Innovation Center EGIZ, a joint initiative of the Federal Chancellery + * Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +/**
+ *
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+ +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.ServiceException; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; +import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; +import eu.stork.mw.messages.saml.STORKResponse; +import eu.stork.vidp.messages.exception.SAMLValidationException; +import eu.stork.vidp.messages.util.SAMLUtil; +import eu.stork.vidp.messages.util.XMLUtil; +
+/**
+ * Verifies the SMAL response according to the STORK specification + * @author bzwattendorfer
+ *
+ */
+public class PEPSConnectorResponseVerifier implements ResponseVerifier {
+
+
+ /* (non-Javadoc)
+ * @see eu.stork.mw.peps.connector.validation.ResponseVerifier#verify(org.opensaml.saml2.core.Response)
+ */
+ public void verify(STORKResponse response) throws SecurityException {
+
+ verifySignature(response);
+ Logger.debug("Signature of SAML response valid.");
+
+ verifyStandardValidation(response);
+
+ Logger.debug("SAML response format valid.");
+
+ }
+
+
+ private void verifySignature(STORKResponse response) throws SecurityException {
+ //validate Signature
+ try {
+ if (response.isSigned()) { + + String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID(); + + Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID); +
+ // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP + Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() + .build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID); + + Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); + + Logger.trace("Calling MOA-SP"); + // invokes the call + Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + + // parses the <VerifyXMLSignatureResponse> + VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( + domVerifyXMLSignatureResponse).parseData(); + + Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP"); + + if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) { + String msg = "Signature of SAMLResponse not valid"; + Logger.error(msg); + throw new SecurityException(msg); + } + + Logger.debug("Signature of SAML response successfully verified"); + + if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { + String msg = "Certificate of SAMLResponse not valid"; + Logger.error(msg); + throw new SecurityException(msg); + } + + Logger.debug("Signing certificate of SAML response succesfully verified"); +
+ } else {
+ String msg = "SAML Response is not signed.";
+ throw new SecurityException(msg);
+ }
+
+ } catch (ConfigurationException e) {
+ String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ } catch (ParseException e) { + String msg = "Unable to parse VerifyXMLSignature Request or Response."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + } catch (BuildException e) { + String msg = "Unable to parse VerifyXMLSignature Request or Response."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + } catch (ServiceException e) { + String msg = "Unable to invoke MOA-SP."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + }
+
+ }
+
+ private void verifyStandardValidation(STORKResponse response) throws SecurityException {
+ try {
+ SAMLUtil.verifySAMLObjectStandardValidation(response, "saml2-core-schema-and-stork-validator");
+ } catch (SAMLValidationException e) {
+ String msg ="SAML Response received not valid.";
+ throw new SecurityException(msg, e);
+ }
+
+ }
+
+
+
+}
|