Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java | 138 |
1 files changed, 38 insertions, 100 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index 589713c4b..57f1c2f9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
@@ -23,23 +23,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 import java.security.cert.CertificateException;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.x509.BasicX509Credential;
-import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.AbstractMetadataSignatureFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
 import at.gv.egovernment.moa.logging.Logger;
 import iaik.x509.X509Certificate;
-public class MetadataSignatureFilter implements MetadataFilter {
+public class MetadataSignatureFilter extends AbstractMetadataSignatureFilter {
 private String metadataURL;
 private BasicX509Credential savedCredential;
@@ -52,111 +49,52 @@ public class MetadataSignatureFilter implements MetadataFilter { savedCredential.setEntityCertificate(cert); } - public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { - -// String entityID = desc.getEntityID(); - - EntityVerifier.verify(desc); - } - - public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException { - Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator(); - - if(desc.getSignature() != null) { - EntityVerifier.verify(desc, this.savedCredential); + @Override + protected void verify(EntityDescriptor desc) throws PVP2MetadataException { + try { + EntityVerifier.verify(desc); + + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for entity: " + desc.getEntityID() + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for entity: " + desc.getEntityID(), null, e); } - while(entID.hasNext()) { - processEntitiesDescriptor(entID.next()); - } - - Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); + } - List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>(); - - //check every Entity - - while(entIT.hasNext()) { - - EntityDescriptor entity = entIT.next(); - - String entityID = entity.getEntityID(); - - //CHECK if Entity also match MetaData signature. - /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ - Logger.debug("Validate metadata for entityID: " + entityID + " ..... 
"); - byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); - - if (entityCert != null) { + @Override + protected void verify(EntitiesDescriptor desc) throws PVP2MetadataException { + try { + EntityVerifier.verify(desc, this.savedCredential); - X509Certificate cert; - try { - cert = new X509Certificate(entityCert); - BasicX509Credential entityCrendential = new BasicX509Credential(); - entityCrendential.setEntityCertificate(cert); - - EntityVerifier.verify(desc, entityCrendential); - - //add entity to verified entity-list - verifiedEntIT.add(entity); - Logger.debug("Metadata for entityID: " + entityID + " valid"); - - - } catch (Exception e) { - - //remove entity of signature can not be verified. - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". Entity verification error: " + e.getMessage()); -// throw new MOAIDException("The App", null, e); - } - - } else { - //remove entity if it is not registrated as OA - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". 
Entity is not registrated or no certificate is found!"); -// throw new NoCredentialsException("NO Certificate found for OA " + entityID); - } + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL, null, e); - //TODO: insert to support signed Entity-Elements - //processEntityDescriptorr(entIT.next()); - } + } - //set only verified entity elements - desc.getEntityDescriptors().clear(); - desc.getEntityDescriptors().addAll(verifiedEntIT); } - - public void doFilter(XMLObject metadata) throws SignatureValidationException { + + @Override + protected void verify(EntityDescriptor entity, EntitiesDescriptor entities) throws PVP2MetadataException { try { - if (metadata instanceof EntitiesDescriptor) { - EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { - throw new MOAIDException("Root element of metadata file has to be signed", null); - } - processEntitiesDescriptor(entitiesDescriptor); - - - if (entitiesDescriptor.getEntityDescriptors().size() == 0) { - throw new MOAIDException("No valid entity in metadata " - + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); - } - - - } else if (metadata instanceof EntityDescriptor) { - EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; - processEntityDescriptorr(entityDescriptor); + if (entity.isSigned()) { + Logger.debug("EntityDescriptor: " + entity.getEntityID() + " is signed. Starting signature verification ... "); + EntityVerifier.verify(entity); } else { - throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); + Logger.debug("EntityDescriptor: " + entity.getEntityID() + " is not signed. Verify EntitiesDescriptor by using 'Entity' certificate ... 
"); + Credential entityCredential = EntityVerifier.getSPTrustedCredential(entity.getEntityID()); + EntityVerifier.verify(entities, entityCredential); + } + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL, null, e); - - Logger.info("Metadata signature policy check done OK"); - } catch (MOAIDException e) { - Logger.warn("Metadata signature policy check FAILED.", e); - throw new SignatureValidationException(e); } } - } |
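Review bot: In the new `verify(EntityDescriptor entity, EntitiesDescriptor entities)`, the signed branch calls `EntityVerifier.verify(entity)` without the per-entity credential that the unsigned branch obtains via `getSPTrustedCredential(entity.getEntityID())`, so whether a signed EntityDescriptor is checked against the credential registered for its own entityID — the check the removed code's comment described as necessary against counterfeit OA metadata — depends on EntityVerifier and is not visible in this hunk; worth confirming and stating in a Javadoc on the override. Both messages in that method's catch name only `metadataURL`, so the failing entity is no longer identifiable from the log or the exception, unlike the removed per-entity "is removed from metadata" messages; suggest `Logger.info("PVP2 metadata verification FAILED for entity: " + entity.getEntityID() + " in metadata from URL: " + metadataURL + " Reason: " + e.getMessage());` and the same entity ID in the PVP2MetadataException message. The catch also narrows from `Exception` to `EAAFException`, so a runtime exception from `getSPTrustedCredential` for an entityID with no registered certificate (the case the removed code handled explicitly) would now propagate unwrapped — confirm what that method does when no credential exists. The enclosing class starts outside this hunk.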