1 files changed, 74 insertions, 12 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 4ba93f8fe..257f9dac4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -25,14 +25,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.Validator;
+
 import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.saml2.core.Conditions;
 import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator;
 import org.opensaml.saml2.encryption.Decrypter;
 import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -51,11 +57,14 @@ import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
 import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.signature.SignatureTrustEngine;
 import org.opensaml.xml.validation.ValidationException;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
@@ -81,9 +90,15 @@ public class SAMLVerificationEngine {
 		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
 		try {
 		    profileValidator.validate(samlObj.getSignature());
+		    performSchemaValidation(samlObj.getDOM());
+		    
 		} catch (ValidationException e) {
-		    // Indicates signature did not conform to SAML Signature profile
-		    e.printStackTrace();
+			 Logger.warn("Signature is not conform to SAML signature profile", e);
+			 throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+		
+		} catch (SchemaValidationException e) {			
+			throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+		
 		}
 
 		CriteriaSet criteriaSet = new CriteriaSet();
@@ -103,12 +118,17 @@ public class SAMLVerificationEngine {
 	
 	public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
 		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
-		
 		try {
-		    profileValidator.validate(samlObj.getSignature());
+		    profileValidator.validate(samlObj.getSignature());		    
+		    performSchemaValidation(samlObj.getDOM());
+		    
 		} catch (ValidationException e) {
-		    // Indicates signature did not conform to SAML Signature profile
-		    e.printStackTrace();
+		    Logger.warn("Signature is not conform to SAML signature profile", e);
+		    throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+		    
+		} catch (SchemaValidationException e) {			
+			throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+			
 		}
 
 		CriteriaSet criteriaSet = new CriteriaSet();
@@ -173,16 +193,27 @@ public class SAMLVerificationEngine {
 				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
 				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
 					
-					Conditions conditions = saml2assertion.getConditions();
-					DateTime notbefore = conditions.getNotBefore();
+					try {
+						performSchemaValidation(saml2assertion.getDOM());
+											
+						Conditions conditions = saml2assertion.getConditions();
+					DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
 					DateTime notafter = conditions.getNotOnOrAfter();
 					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
-						Logger.warn("PVP2 Assertion is out of Date");
+						Logger.warn("PVP2 Assertion is out of Date. "
+								+ "{ Current : " + new DateTime() 
+								+ " NotBefore: " + notbefore 
+								+ " NotAfter : " + notafter
+								+ " }");;
 											
-					} else {
-						validatedassertions.add(saml2assertion);
+						} else {
+							validatedassertions.add(saml2assertion);
+						
+						}
+						
+					} catch (SchemaValidationException e) {
 						
-					}							
+					}
 				}
 				
 				if (validatedassertions.isEmpty()) {
@@ -213,4 +244,35 @@ public class SAMLVerificationEngine {
 			throw new AssertionValidationExeption("pvp.12", null, e);
 		} 		
 	}
+	
+	private static void performSchemaValidation(Element source) throws SchemaValidationException {
+		
+		String err = null;
+		try {
+			Schema test = SAMLSchemaBuilder.getSAML11Schema();
+			Validator val = test.newValidator();		
+			val.validate(new DOMSource(source));
+			Logger.debug("Schema validation check done OK");
+			return;
+		
+		} catch (SAXException e) {
+			err = e.getMessage();
+			if (Logger.isDebugEnabled() || Logger.isTraceEnabled())
+				Logger.warn("Schema validation FAILED with exception:", e);
+			else
+				Logger.warn("Schema validation FAILED with message: "+ e.getMessage());
+						
+		} catch (Exception e) {
+			err = e.getMessage();
+			if (Logger.isDebugEnabled() || Logger.isTraceEnabled())
+				Logger.warn("Schema validation FAILED with exception:", e);
+			else
+				Logger.warn("Schema validation FAILED with message: "+ e.getMessage());
+						
+		}
+		
+		throw new SchemaValidationException("pvp2.22", new Object[]{err});
+		
+	}
+	
 }