aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java67
1 files changed, 67 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
new file mode 100644
index 000000000..8df418f9a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -0,0 +1,67 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.signature.SignatureTrustEngine;
+import org.opensaml.xml.validation.ValidationException;
+
+public class SAMLVerificationEngine {
+
+ public void verifyResponse(Response samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+ try {
+ profileValidator.validate(samlObj.getSignature());
+ } catch (ValidationException e) {
+ // Indicates signature did not conform to SAML Signature profile
+ e.printStackTrace();
+ }
+
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) );
+ criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+ criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
+
+ try {
+ if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
+ throw new Exception("Signature was either invalid or signing key could not be established as trusted");
+ }
+ } catch (SecurityException e) {
+ // Indicates processing error evaluating the signature
+ e.printStackTrace();
+ }
+ }
+
+ public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+ try {
+ profileValidator.validate(samlObj.getSignature());
+ } catch (ValidationException e) {
+ // Indicates signature did not conform to SAML Signature profile
+ e.printStackTrace();
+ }
+
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) );
+ criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+ criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
+
+ try {
+ if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
+ throw new Exception("Signature was either invalid or signing key could not be established as trusted");
+ }
+ } catch (SecurityException e) {
+ // Indicates processing error evaluating the signature
+ e.printStackTrace();
+ }
+ }
+
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-10 11:07:09 +0000