aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java173
1 files changed, 63 insertions, 110 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index d05d180e1..1286c2351 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -23,7 +23,7 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
import java.io.IOException;
-import java.util.List;
+import java.security.cert.CertificateException;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
@@ -34,82 +34,38 @@ import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
-import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SAMLMetadataSignatureException;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.x509.X509Certificate;
public class EntityVerifier {
- public static byte[] fetchSavedCredential(String entityID) {
-// List<OnlineApplication> oaList = ConfigurationDBRead
-// .getAllActiveOnlineApplications();
- try {
- IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
-
- if (oa == null) {
- Logger.debug("No OnlineApplication with EntityID: " + entityID);
- return null;
-
- }
-
- String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
- if (MiscUtil.isNotEmpty(certBase64)) {
- return Base64Utils.decode(certBase64, false);
-
- }
-
- } catch (ConfigurationException e) {
- Logger.error("Access MOA-ID configuration FAILED.", e);
-
- } catch (IOException e) {
- Logger.warn("Decoding PVP2X metadata certificate FAILED.", e);
-
- }
-
- return null;
- }
-
public static void verify(EntityDescriptor entityDescriptor)
- throws MOAIDException {
- if (entityDescriptor.getSignature() == null) {
- throw new SAMLRequestNotSignedException();
- }
-
- try {
- SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
- sigValidator.validate(entityDescriptor.getSignature());
- } catch (ValidationException e) {
- Logger.error("Failed to validate Signature", e);
- throw new SAMLRequestNotSignedException(e);
- }
-
+ throws EAAFException {
+
Credential credential = getSPTrustedCredential(entityDescriptor.getEntityID());
if (credential == null) {
throw new NoCredentialsException(entityDescriptor.getEntityID());
}
-
- SignatureValidator sigValidator = new SignatureValidator(credential);
- try {
- sigValidator.validate(entityDescriptor.getSignature());
- } catch (ValidationException e) {
- Logger.error("Failed to verfiy Signature", e);
- throw new SAMLRequestNotSignedException(e);
- }
+
+ verify(entityDescriptor, credential);
+
}
public static void verify(EntityDescriptor entityDescriptor, Credential cred)
- throws MOAIDException {
+ throws EAAFException {
if (entityDescriptor.getSignature() == null) {
- throw new SAMLRequestNotSignedException();
+ throw new SAMLMetadataSignatureException();
}
try {
@@ -117,7 +73,7 @@ public class EntityVerifier {
sigValidator.validate(entityDescriptor.getSignature());
} catch (ValidationException e) {
Logger.error("Failed to validate Signature", e);
- throw new SAMLRequestNotSignedException(e);
+ throw new SAMLMetadataSignatureException(e);
}
SignatureValidator sigValidator = new SignatureValidator(cred);
@@ -125,14 +81,14 @@ public class EntityVerifier {
sigValidator.validate(entityDescriptor.getSignature());
} catch (ValidationException e) {
Logger.error("Failed to verfiy Signature", e);
- throw new SAMLRequestNotSignedException(e);
+ throw new SAMLMetadataSignatureException(e);
}
}
public static void verify(EntitiesDescriptor entityDescriptor,
- Credential cred) throws MOAIDException {
+ Credential cred) throws EAAFException {
if (entityDescriptor.getSignature() == null) {
- throw new SAMLRequestNotSignedException();
+ throw new SAMLMetadataSignatureException();
}
try {
@@ -140,7 +96,7 @@ public class EntityVerifier {
sigValidator.validate(entityDescriptor.getSignature());
} catch (ValidationException e) {
Logger.error("Failed to validate Signature", e);
- throw new SAMLRequestNotSignedException(e);
+ throw new SAMLMetadataSignatureException(e);
}
SignatureValidator sigValidator = new SignatureValidator(cred);
@@ -149,58 +105,14 @@ public class EntityVerifier {
} catch (ValidationException e) {
Logger.error("Failed to verfiy Signature", e);
- throw new SAMLRequestNotSignedException(e);
- }
- }
-
- public static void verify(EntitiesDescriptor entityDescriptor)
- throws MOAIDException {
- if (entityDescriptor.getSignature() == null) {
- throw new SAMLRequestNotSignedException();
- }
-
- try {
- SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
- sigValidator.validate(entityDescriptor.getSignature());
- } catch (ValidationException e) {
- Logger.error("Failed to validate Signature", e);
- throw new SAMLRequestNotSignedException(e);
- }
-
- List<EntityDescriptor> entities = entityDescriptor
- .getEntityDescriptors();
-
- if (entities.size() > 0) {
-
- if (entities.size() > 1) {
- Logger.warn("More then one EntityID in Metadatafile with Name "
- + entityDescriptor.getName()
- + " defined. Actually only the first"
- + " entryID is used to select the certificate to perform Metadata verification.");
- }
-
- Credential credential = getSPTrustedCredential(entities.get(0).getEntityID());
-
- if (credential == null) {
- throw new NoCredentialsException("moaID IDP");
- }
-
- SignatureValidator sigValidator = new SignatureValidator(credential);
- try {
- sigValidator.validate(entityDescriptor.getSignature());
-
- } catch (ValidationException e) {
- Logger.error("Failed to verfiy Signature", e);
- throw new SAMLRequestNotSignedException(e);
- }
+ throw new SAMLMetadataSignatureException(e);
}
}
-
+
public static Credential getSPTrustedCredential(String entityID)
throws CredentialsNotAvailableException {
- iaik.x509.X509Certificate cert = PVPConfiguration.getInstance()
- .getTrustEntityCertificate(entityID);
+ iaik.x509.X509Certificate cert = getTrustEntityCertificate(entityID);
if (cert == null) {
throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null);
@@ -213,5 +125,46 @@ public class EntityVerifier {
return credential;
}
+
+ private static iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) {
+
+ try {
+ Logger.trace("Load metadata signing certificate for online application " + entityID);
+ ISPConfiguration oaParam = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID);
+ if (oaParam == null) {
+ Logger.info("Online Application with ID " + entityID + " not found!");
+ return null;
+ }
+
+ String pvp2MetadataCertificateString =
+ oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) {
+ Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!");
+ return null;
+
+ }
+
+ X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false));
+ Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded.");
+ return cert;
+
+ } catch (CertificateException e) {
+ Logger.warn("Metadata signer certificate is not parsed.", e);
+ return null;
+
+ } catch (ConfigurationException e) {
+ Logger.error("Configuration is not accessable.", e);
+ return null;
+
+ } catch (IOException e) {
+ Logger.warn("Metadata signer certificate is not decodeable.", e);
+ return null;
+
+ } catch (EAAFConfigurationException e) {
+ Logger.error("Configuration is not accessable.", e);
+ return null;
+
+ }
+ }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-20 18:20:37 +0000