aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java40
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java50
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java4
5 files changed, 65 insertions, 41 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 550643da1..69c760f19 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -22,6 +22,7 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+import java.io.IOException;
import java.util.List;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
@@ -32,36 +33,39 @@ import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
public class EntityVerifier {
public static byte[] fetchSavedCredential(String entityID) {
// List<OnlineApplication> oaList = ConfigurationDBRead
// .getAllActiveOnlineApplications();
+ try {
+ OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
- OnlineApplication oa = ConfigurationDBRead
- .getActiveOnlineApplication(entityID);
-
-// Iterator<OnlineApplication> oaIt = oaList.iterator();
-// while (oaIt.hasNext()) {
-// OnlineApplication oa = oaIt.next();
-// if (oa.getPublicURLPrefix().equals(entityID)) {
-
- if (oa != null && oa.getAuthComponentOA() != null) {
-
- OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
- if (pvp2Config != null) {
- return pvp2Config.getCertificate();
- }
+ String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isNotEmpty(certBase64)) {
+ return Base64Utils.decode(certBase64, false);
+
}
-// }
+
+ } catch (ConfigurationException e) {
+ Logger.error("Access MOA-ID configuration FAILED.", e);
+
+ } catch (IOException e) {
+ Logger.warn("Decoding PVP2X metadata certificate FAILED.", e);
+
+ }
+
return null;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 257f9dac4..70b778c49 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -38,7 +38,6 @@ import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -68,25 +67,50 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationExcep
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class SAMLVerificationEngine {
public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
- if (msg instanceof MOARequest &&
- ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
- verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
-
- else
- verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+ try {
+ if (msg instanceof MOARequest &&
+ ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
+ verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
+ else
+ verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+
+ } catch (InvalidProtocolRequestException e) {
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw e;
+
+ }
+ Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID());
+ if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(msg.getEntityID()))
+ throw e;
+
+ else {
+ Logger.trace("PVP2X metadata reload finished. Check validate message again.");
+
+ if (msg instanceof MOARequest &&
+ ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
+ verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
+
+ else
+ verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+
+ }
+ Logger.trace("Second PVP2X message validation finished");
+ }
}
- public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException{
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
@@ -110,13 +134,13 @@ public class SAMLVerificationEngine {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (SecurityException e) {
- e.printStackTrace();
+ } catch (org.opensaml.xml.security.SecurityException e) {
+ Logger.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
- public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
@@ -140,8 +164,8 @@ public class SAMLVerificationEngine {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (SecurityException e) {
- e.printStackTrace();
+ } catch (org.opensaml.xml.security.SecurityException e) {
+ Logger.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
index 885de6805..942fab4f3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
@@ -38,7 +38,7 @@ import at.gv.egovernment.moa.id.auth.exception.ServiceException;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.util.XMLUtil;
import at.gv.egovernment.moa.logging.Logger;
@@ -52,7 +52,7 @@ public class SAMLVerifierMOASP implements ISAMLVerifier {
try {
if (request.isSigned()) {
- String trustProfileID = AuthConfigurationProvider.getInstance()
+ String trustProfileID = AuthConfigurationProviderFactory.getInstance()
.getStorkConfig().getSignatureVerificationParameter()
.getTrustProfileID();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
index 4d9b97a52..918863d05 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
@@ -41,14 +41,10 @@ public class InterfederatedIDPPublicServiceFilter implements MetadataFilter {
/**
*
*/
- public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) {
+ public InterfederatedIDPPublicServiceFilter(String metadataURL, boolean isBusinessService) {
Logger.debug("Add " + this.getClass().getName() + " to metadata policy");
this.metadataURL = metadataURL;
-
- if (oaType.equals("businessService"))
- this.isPublicService = false;
- else
- this.isPublicService = true;
+ this.isPublicService = !isBusinessService;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
index f73b541bf..1aca587c9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
@@ -35,7 +35,7 @@ import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
import at.gv.egovernment.moa.logging.Logger;
@@ -49,7 +49,7 @@ public class SchemaValidationFilter implements MetadataFilter {
public SchemaValidationFilter() {
try {
- isActive = AuthConfigurationProvider.getInstance().isPVPSchemaValidationActive();
+ isActive = AuthConfigurationProviderFactory.getInstance().isPVPSchemaValidationActive();
} catch (ConfigurationException e) {
e.printStackTrace();
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 20:10:26 +0000