diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java | 173 |
1 files changed, 63 insertions, 110 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index d05d180e1..1286c2351 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -23,7 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import java.io.IOException; -import java.util.List; +import java.security.cert.CertificateException; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; @@ -34,82 +34,38 @@ import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.validation.ValidationException; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SAMLMetadataSignatureException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate; public class EntityVerifier { - public static byte[] fetchSavedCredential(String entityID) { -// List<OnlineApplication> oaList = ConfigurationDBRead -// .getAllActiveOnlineApplications(); - try { - IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); - - if (oa == null) { - Logger.debug("No OnlineApplication with EntityID: " + entityID); - return null; - - } - - String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64)) { - return Base64Utils.decode(certBase64, false); - - } - - } catch (ConfigurationException e) { - Logger.error("Access MOA-ID configuration FAILED.", e); - - } catch (IOException e) { - Logger.warn("Decoding PVP2X metadata certificate FAILED.", e); - - } - - return null; - } - public static void verify(EntityDescriptor entityDescriptor) - throws MOAIDException { - if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); - } - - try { - SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); - } - + throws EAAFException { + Credential credential = getSPTrustedCredential(entityDescriptor.getEntityID()); if (credential == null) { throw new NoCredentialsException(entityDescriptor.getEntityID()); } - - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } + + verify(entityDescriptor, credential); + } public static void verify(EntityDescriptor entityDescriptor, Credential cred) - throws MOAIDException { + throws EAAFException { if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); + throw new SAMLMetadataSignatureException(); } try { @@ -117,7 +73,7 @@ public class EntityVerifier { sigValidator.validate(entityDescriptor.getSignature()); } catch (ValidationException e) { Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); + throw new SAMLMetadataSignatureException(e); } SignatureValidator sigValidator = new SignatureValidator(cred); @@ -125,14 +81,14 @@ public class EntityVerifier { sigValidator.validate(entityDescriptor.getSignature()); } catch (ValidationException e) { Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); + throw new SAMLMetadataSignatureException(e); } } public static void verify(EntitiesDescriptor entityDescriptor, - Credential cred) throws MOAIDException { + Credential cred) throws EAAFException { if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); + throw new SAMLMetadataSignatureException(); } try { @@ -140,7 +96,7 @@ public class EntityVerifier { sigValidator.validate(entityDescriptor.getSignature()); } catch (ValidationException e) { Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); + throw new SAMLMetadataSignatureException(e); } SignatureValidator sigValidator = new SignatureValidator(cred); @@ -149,58 +105,14 @@ public class EntityVerifier { } catch (ValidationException e) { Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } - } - - public static void verify(EntitiesDescriptor entityDescriptor) - throws MOAIDException { - if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); - } - - try { - SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); - } - - List<EntityDescriptor> entities = entityDescriptor - .getEntityDescriptors(); - - if (entities.size() > 0) { - - if (entities.size() > 1) { - Logger.warn("More then one EntityID in Metadatafile with Name " - + entityDescriptor.getName() - + " defined. Actually only the first" - + " entryID is used to select the certificate to perform Metadata verification."); - } - - Credential credential = getSPTrustedCredential(entities.get(0).getEntityID()); - - if (credential == null) { - throw new NoCredentialsException("moaID IDP"); - } - - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } + throw new SAMLMetadataSignatureException(e); } } - + public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException { - iaik.x509.X509Certificate cert = PVPConfiguration.getInstance() - .getTrustEntityCertificate(entityID); + iaik.x509.X509Certificate cert = getTrustEntityCertificate(entityID); if (cert == null) { throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null); @@ -213,5 +125,46 @@ public class EntityVerifier { return credential; } + + private static iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { + + try { + Logger.trace("Load metadata signing certificate for online application " + entityID); + ISPConfiguration oaParam = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); + if (oaParam == null) { + Logger.info("Online Application with ID " + entityID + " not found!"); + return null; + } + + String pvp2MetadataCertificateString = + oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) { + Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!"); + return null; + + } + + X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false)); + Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded."); + return cert; + + } catch (CertificateException e) { + Logger.warn("Metadata signer certificate is not parsed.", e); + return null; + + } catch (ConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + + } catch (IOException e) { + Logger.warn("Metadata signer certificate is not decodeable.", e); + return null; + + } catch (EAAFConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + + } + } } |