diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java')
| -rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java | 66 |
1 files changed, 60 insertions, 6 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java index 36dc2442c..d398ca533 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -1,3 +1,25 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import iaik.x509.X509Certificate; @@ -10,10 +32,11 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.BasicX509Credential; -import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; import at.gv.egovernment.moa.logging.Logger; public class MetadataSignatureFilter implements MetadataFilter { @@ -31,7 +54,7 @@ public class MetadataSignatureFilter implements MetadataFilter { public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { - String entityID = desc.getEntityID(); +// String entityID = desc.getEntityID(); EntityVerifier.verify(desc); } @@ -48,9 +71,37 @@ public class MetadataSignatureFilter implements MetadataFilter { } Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); - - while(entID.hasNext()) { - processEntityDescriptorr(entIT.next()); + + //check every Entity + while(entIT.hasNext()) { + + EntityDescriptor entity = entIT.next(); + String entityID = entity.getEntityID(); + + //CHECK if Entity also match MetaData signature. + /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ + byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); + + if (entityCert != null) { + + X509Certificate cert; + try { + cert = new X509Certificate(entityCert); + BasicX509Credential entityCrendential = new BasicX509Credential(); + entityCrendential.setEntityCertificate(cert); + + EntityVerifier.verify(desc, entityCrendential); + + } catch (Exception e) { + throw new MOAIDException("The App", null, e); + } + + } else { + throw new NoCredentialsException("NO Certificate found for OA " + entityID); + } + + //TODO: insert to support signed Entity-Elements + //processEntityDescriptorr(entIT.next()); } } @@ -68,6 +119,9 @@ public class MetadataSignatureFilter implements MetadataFilter { } */else { throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); } + + ConfigurationDBUtils.closeSession(); + Logger.info("Metadata Filter done OK"); } catch (MOAIDException e) { e.printStackTrace(); |