1 files changed, 2 insertions, 127 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 5e44c9057..f384dd511 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -22,50 +22,30 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
 
-import java.util.ArrayList;
-import java.util.List;
-
 import javax.xml.namespace.QName;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.Validator;
 
-import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.common.xml.SAMLSchemaBuilder;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.encryption.Decrypter;
-import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
-import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
-import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
 import org.opensaml.xml.security.CriteriaSet;
-import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.criteria.EntityIDCriteria;
 import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
 import org.opensaml.xml.signature.SignatureTrustEngine;
 import org.opensaml.xml.validation.ValidationException;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
@@ -77,8 +57,6 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Service("SAMLVerificationEngine")
 public class SAMLVerificationEngine {
 	
-	@Autowired AuthConfiguration authConfig;
-	
 	public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
 		try {		
 			if (msg instanceof MOARequest && 
@@ -181,111 +159,8 @@ public class SAMLVerificationEngine {
 			throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
 		}
 	}
-	
-	public void validateAssertion(Response samlResp, boolean validateDestination, Credential assertionDecryption) throws AssertionValidationExeption {
-		try {
-			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-				
-				//validate destination URL
-				List<String> allowedPublicURLPrefix = authConfig.getPublicURLPrefix();
-				boolean isValidDestination = false;
-				for (String allowedPreFix : allowedPublicURLPrefix) {
-					if (validateDestination && samlResp.getDestination().startsWith(
-							allowedPreFix)) {
-							isValidDestination = true;
-							break;
-					
-					}
-				}
-				if (!isValidDestination && validateDestination) {
-					Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
-					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);					
-					
-				}
-				
-				//check encrypted Assertion
-				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
-				if (encryAssertionList != null && encryAssertionList.size() > 0) {
-					//decrypt assertions
-					
-					Logger.debug("Found encryped assertion. Start decryption ...");
-																		
-					StaticKeyInfoCredentialResolver skicr =
-							  new StaticKeyInfoCredentialResolver(assertionDecryption);
-					
-					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
-					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
-					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
-					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-					
-					Decrypter samlDecrypter =
-							  new Decrypter(null, skicr, encryptedKeyResolver);
-					
-					for (EncryptedAssertion encAssertion : encryAssertionList) {							
-						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-	
-					}
-					
-					Logger.debug("Assertion decryption finished. ");
-					
-				} else {
-					saml2assertions.addAll(samlResp.getAssertions());
-			
-				}
-				
-				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
-				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-					
-					try {
-						performSchemaValidation(saml2assertion.getDOM());
-											
-						Conditions conditions = saml2assertion.getConditions();
-					DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
-					DateTime notafter = conditions.getNotOnOrAfter();
-					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
-						Logger.warn("PVP2 Assertion is out of Date. "
-								+ "{ Current : " + new DateTime() 
-								+ " NotBefore: " + notbefore 
-								+ " NotAfter : " + notafter
-								+ " }");;
-											
-						} else {
-							validatedassertions.add(saml2assertion);
-						
-						}
-						
-					} catch (SchemaValidationException e) {
-						
-					}
-				}
-				
-				if (validatedassertions.isEmpty()) {
-					Logger.info("No valid PVP 2.1 assertion received.");
-					throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
-				}
-					
-				samlResp.getAssertions().clear();
-				samlResp.getEncryptedAssertions().clear();
-				samlResp.getAssertions().addAll(validatedassertions);
-				
-			} else {
-				Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " 
-						+ samlResp.getStatus().getStatusCode().getValue());
-				throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " 
-						+ samlResp.getStatus().getStatusCode().getValue(), null);
-			}
-			
-		} catch (DecryptionException e) {
-			Logger.warn("Assertion decrypt FAILED.", e);
-			throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
-			
-		} catch (ConfigurationException e) {
-			throw new AssertionValidationExeption("pvp.12", null, e);
-		} 		
-	}
-	
-	private void performSchemaValidation(Element source) throws SchemaValidationException {
+		
+	protected void performSchemaValidation(Element source) throws SchemaValidationException {
 		
 		String err = null;
 		try {