Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification')
7 files changed, 521 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java
new file mode 100644
index 000000000..5cea607bc
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java
@@ -0,0 +1,28 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+import org.opensaml.saml2.core.RequestAbstractType;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+
+public class ChainSAMLVerifier implements ISAMLVerifier {
+
+ private List<ISAMLVerifier> verifier = new ArrayList<ISAMLVerifier>();
+
+ public void addVerifier(ISAMLVerifier verifier) {
+ this.verifier.add(verifier);
+ }
+
+ public void verifyRequest(RequestAbstractType request)
+ throws MOAIDException {
+ Iterator<ISAMLVerifier> verifyIterator = verifier.iterator();
+ while(verifyIterator.hasNext()) {
+ ISAMLVerifier verifier = verifyIterator.next();
+ verifier.verifyRequest(request);
+ }
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
new file mode 100644
index 000000000..b78c2f264
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
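Review bot: An empty chain accepts every request — `verifyRequest` only iterates `verifier` and returns normally when no delegate was ever added, so a ChainSAMLVerifier that is constructed but not populated passes signature verification silently. Fail closed with a guard at the top of `verifyRequest`, e.g. `if (verifier.isEmpty()) { throw new MOAIDException("No SAML verifier configured", null); }` (the two-argument constructor is the one MetadataSignatureFilter uses in this commit). The loop-local `ISAMLVerifier verifier` shadows the field of the same name; naming it `delegate` would remove the ambiguity. A class-level Javadoc stating that delegates run in insertion order and that the first one to throw aborts the chain would document the intended semantics.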
@@ -0,0 +1,160 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import java.util.Iterator;
+import java.util.List;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.signature.SignatureValidator;
+import org.opensaml.xml.validation.ValidationException;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class EntityVerifier {
+
+ public static byte[] fetchSavedCredential(String entityID) {
+ List<OnlineApplication> oaList = ConfigurationDBRead
+ .getAllActiveOnlineApplications();
+ Iterator<OnlineApplication> oaIt = oaList.iterator();
+ while (oaIt.hasNext()) {
+ OnlineApplication oa = oaIt.next();
+ if (oa.getPublicURLPrefix().equals(entityID)) {
+ OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
+ if (pvp2Config != null) {
+ return pvp2Config.getCertificate();
+ }
+ }
+ }
+ return null;
+ }
+
+ public static void verify(EntityDescriptor entityDescriptor)
+ throws MOAIDException {
+ if (entityDescriptor.getSignature() == null) {
+ throw new SAMLRequestNotSignedException();
+ }
+
+ try {
+ SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ Logger.error("Failed to validate Signature", e);
+ throw new 
SAMLRequestNotSignedException(e);
+ }
+
+ Credential credential = CredentialProvider
+ .getSPTrustedCredential(entityDescriptor.getEntityID());
+ if (credential == null) {
+ throw new NoCredentialsException(entityDescriptor.getEntityID());
+ }
+
+ SignatureValidator sigValidator = new SignatureValidator(credential);
+ try {
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ Logger.error("Failed to verfiy Signature", e);
+ throw new SAMLRequestNotSignedException(e);
+ }
+ }
+
+ public static void verify(EntityDescriptor entityDescriptor, Credential cred)
+ throws MOAIDException {
+ if (entityDescriptor.getSignature() == null) {
+ throw new SAMLRequestNotSignedException();
+ }
+
+ try {
+ SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ Logger.error("Failed to validate Signature", e);
+ throw new SAMLRequestNotSignedException(e);
+ }
+
+ SignatureValidator sigValidator = new SignatureValidator(cred);
+ try {
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ Logger.error("Failed to verfiy Signature", e);
+ throw new SAMLRequestNotSignedException(e);
+ }
+ }
+
+ public static void verify(EntitiesDescriptor entityDescriptor,
+ Credential cred) throws MOAIDException {
+ if (entityDescriptor.getSignature() == null) {
+ throw new SAMLRequestNotSignedException();
+ }
+
+ try {
+ SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ Logger.error("Failed to validate Signature", e);
+ throw new SAMLRequestNotSignedException(e);
+ }
+
+ SignatureValidator sigValidator = new SignatureValidator(cred);
+ try {
+ sigValidator.validate(entityDescriptor.getSignature());
+
+ } catch (ValidationException e) {
+ Logger.error("Failed to verfiy 
Signature", e); + throw new SAMLRequestNotSignedException(e); + } + } + + public static void verify(EntitiesDescriptor entityDescriptor) + throws MOAIDException { + if (entityDescriptor.getSignature() == null) { + throw new SAMLRequestNotSignedException(); + } + + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(entityDescriptor.getSignature()); + } catch (ValidationException e) { + Logger.error("Failed to validate Signature", e); + throw new SAMLRequestNotSignedException(e); + } + + List<EntityDescriptor> entities = entityDescriptor + .getEntityDescriptors(); + + if (entities.size() > 0) { + + if (entities.size() > 1) { + Logger.warn("More then one EntityID in Metadatafile with Name " + + entityDescriptor.getName() + + " defined. Actually only the first" + + " entryID is used to select the certificate to perform Metadata verification."); + } + + Credential credential = CredentialProvider + .getSPTrustedCredential(entities.get(0).getEntityID()); + + if (credential == null) { + throw new NoCredentialsException("moaID IDP"); + } + + SignatureValidator sigValidator = new SignatureValidator(credential); + try { + sigValidator.validate(entityDescriptor.getSignature()); + + } catch (ValidationException e) { + Logger.error("Failed to verfiy Signature", e); + throw new SAMLRequestNotSignedException(e); + } + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java new file mode 100644 index 000000000..a577f3f46 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java 
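Review bot: The single-argument `verify(EntitiesDescriptor)` fails open when the file contains no EntityDescriptor: after the profile check it enters `if (entities.size() > 0)` and otherwise returns normally without ever validating the signature against a credential, so an attacker-supplied EntitiesDescriptor without entities is accepted; add an `else { throw new NoCredentialsException(entityDescriptor.getName()); }` (or fail before the profile check). The same method picks the trust anchor from `entities.get(0).getEntityID()`, i.e. from the still-unverified document itself, so whoever holds the certificate registered for entity A can sign a file whose first entry is A and whose remaining entries describe other entity IDs, and the whole file verifies under A's key — callers should additionally check that every entity in the file belongs to the signer, or verify each EntityDescriptor with the per-entity overload. `NoCredentialsException("moaID IDP")` reports the wrong party; pass `entities.get(0).getEntityID()` as the other overload does. `fetchSavedCredential` is not called anywhere in this commit as far as the hunk shows, and "verfiy" in three log messages should be "verify".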
@@ -0,0 +1,9 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import org.opensaml.saml2.core.RequestAbstractType;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+
+public interface ISAMLVerifier {
+ public void verifyRequest(RequestAbstractType request) throws MOAIDException;
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
new file mode 100644
index 000000000..36dc2442c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
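Review bot: The interface does not state its failure contract, and the two implementations in this commit already disagree on it — ChainSAMLVerifier propagates `MOAIDException` while SAMLVerifierMOASP throws the unchecked `java.lang.SecurityException`, which a caller catching `MOAIDException` will not see. A Javadoc on `verifyRequest` should pin this down, e.g. "Verifies the XML signature of {@code request}; implementations must throw a {@link MOAIDException} when the request is unsigned or its signature cannot be validated against a trusted key, and must not signal failure any other way." Stating explicitly that a normal return means "signature verified against a trusted credential" is what lets callers rely on this interface as a security boundary.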
@@ -0,0 +1,78 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import iaik.x509.X509Certificate;
+
+import java.security.cert.CertificateException;
+import java.util.Iterator;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class MetadataSignatureFilter implements MetadataFilter {
+
+ private String metadataURL;
+ private BasicX509Credential savedCredential;
+
+ public MetadataSignatureFilter(String url, byte[] certificate)
+ throws CertificateException {
+ this.metadataURL = url;
+ X509Certificate cert = new X509Certificate(certificate);
+ savedCredential = new BasicX509Credential();
+ savedCredential.setEntityCertificate(cert);
+ }
+
+ public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException {
+
+ String entityID = desc.getEntityID();
+
+ EntityVerifier.verify(desc);
+ }
+
+ public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException {
+ Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();
+
+ if(desc.getSignature() != null) {
+ EntityVerifier.verify(desc, this.savedCredential);
+ }
+
+ while(entID.hasNext()) {
+ processEntitiesDescriptor(entID.next());
+ }
+
+ Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
+
+ while(entID.hasNext()) {
+ processEntityDescriptorr(entIT.next());
+ }
+ }
+
+ public void doFilter(XMLObject metadata) throws FilterException {
+ try {
+ if (metadata instanceof EntitiesDescriptor) {
+ EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
+ 
if(entitiesDescriptor.getSignature() == null) {
+ throw new MOAIDException("Root element of metadata file has to be signed", null);
+ }
+ processEntitiesDescriptor(entitiesDescriptor);
+ } /*else if (metadata instanceof EntityDescriptor) {
+ EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
+ processEntityDescriptorr(entityDescriptor);
+ } */else {
+ throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+ }
+ Logger.info("Metadata Filter done OK");
+ } catch (MOAIDException e) {
+ e.printStackTrace();
+ throw new FilterException(e);
+ }
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
new file mode 100644
index 000000000..8df418f9a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
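Review bot: The second loop in `processEntitiesDescriptor` tests the wrong iterator — `while(entID.hasNext())` re-checks the EntitiesDescriptor iterator that the first loop already exhausted, so `processEntityDescriptorr` is never invoked and no EntityDescriptor signature is verified by this filter at all. The condition must read `while(entIT.hasNext()) {`. Nested EntitiesDescriptor elements are only verified `if(desc.getSignature() != null)`, so an unsigned nested group inside a signed root is accepted on the strength of the root signature alone; if that is the intended trust model a comment should say so, otherwise reject unsigned nested groups like `doFilter` rejects an unsigned root. `doFilter` also prints the stack trace before wrapping the exception — `Logger.error("Metadata signature verification failed", e);` keeps it consistent with EntityVerifier — and `metadataURL` and the local `entityID` are assigned but never read.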
@@ -0,0 +1,67 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.signature.SignatureTrustEngine;
+import org.opensaml.xml.validation.ValidationException;
+
+public class SAMLVerificationEngine {
+
+ public void verifyResponse(Response samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+ try {
+ profileValidator.validate(samlObj.getSignature());
+ } catch (ValidationException e) {
+ // Indicates signature did not conform to SAML Signature profile
+ e.printStackTrace();
+ }
+
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) );
+ criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+ criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
+
+ try {
+ if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
+ throw new Exception("Signature was either invalid or signing key could not be established as trusted");
+ }
+ } catch (SecurityException e) {
+ // Indicates processing error evaluating the signature
+ e.printStackTrace();
+ }
+ }
+
+ public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, 
Exception {
+ SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+ try {
+ profileValidator.validate(samlObj.getSignature());
+ } catch (ValidationException e) {
+ // Indicates signature did not conform to SAML Signature profile
+ e.printStackTrace();
+ }
+
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) );
+ criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+ criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
+
+ try {
+ if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
+ throw new Exception("Signature was either invalid or signing key could not be established as trusted");
+ }
+ } catch (SecurityException e) {
+ // Indicates processing error evaluating the signature
+ e.printStackTrace();
+ }
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
new file mode 100644
index 000000000..6dbaae0a1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
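Review bot: Both methods swallow the profile-validation failure — the `catch (ValidationException e)` only prints the stack trace, so a signature that violates the SAML signature profile (for example a Reference that does not cover the signed element, the precondition for signature wrapping) reaches the trust engine as if the check had passed; rethrow it, e.g. `throw new Exception("Signature does not conform to the SAML signature profile", e);` (`Exception` is already declared). An unsigned message should be rejected explicitly too: `samlObj.getSignature()` goes straight into the validator, so a missing Signature ends in a NullPointerException rather than a controlled failure — guard with `if (samlObj.getSignature() == null) throw new Exception("SAML object is not signed");` before the validator. The `catch (SecurityException e)` binds `java.lang.SecurityException` (the OpenSAML type is only named fully-qualified in the throws clause), so the trust engine's own error propagates despite the comment saying it is handled here; propagating is the safer behaviour, but the code should say what it does. In `verifyResponse` the MetadataCriteria asks for the SPSSODescriptor role although a Response is issued by an IdP; the imported but unused `IDPSSODescriptor` looks like the intended role — please confirm.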
@@ -0,0 +1,108 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.validation.ValidationException;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.ServiceException;
+import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import eu.stork.vidp.messages.util.XMLUtil;
+
+public class SAMLVerifierMOASP implements ISAMLVerifier {
+
+
+ //TODO: implement via metadata validator .... 
+ public void verifyRequest(RequestAbstractType request) + throws MOAIDException { + // validate Signature + try { + if (request.isSigned()) { + + String trustProfileID = AuthConfigurationProvider.getInstance() + .getStorkConfig().getSignatureVerificationParameter() + .getTrustProfileID(); + + Logger.trace("Starting validation of Signature references"); + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(request.getSignature()); + } catch (ValidationException e) { + Logger.error("Validation of XML Signature refrences failed: " + + e.getMessage()); + throw new SecurityException(e); + } + Logger.debug("XML Signature references are OK."); + + Logger.debug("Invoking MOA-SP with TrustProfileID: " + + trustProfileID); + + // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP + Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() + .build(XMLUtil.printXML(request.getDOM()).getBytes(), + trustProfileID); + + Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); + + Logger.trace("Calling MOA-SP"); + // invokes the call + Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + + // parses the <VerifyXMLSignatureResponse> + VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( + domVerifyXMLSignatureResponse).parseData(); + + Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP"); + + if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) { + String msg = "Signature of SAMLResponse not valid"; + Logger.error(msg); + throw new SecurityException(msg); + } + + Logger.debug("Signature of SAML response successfully verified"); + + if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { + String msg = "Certificate of SAMLResponse not valid"; + Logger.error(msg); + throw new SecurityException(msg); + } + + Logger.debug("Signing 
certificate of SAML response succesfully verified");
+
+ } else {
+ String msg = "SAML Object is not signed.";
+ throw new SecurityException(msg);
+ }
+
+ } catch (ConfigurationException e) {
+ String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ } catch (ParseException e) {
+ String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ } catch (BuildException e) {
+ String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ } catch (ServiceException e) {
+ String msg = "Unable to invoke MOA-SP.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ }
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
new file mode 100644
index 000000000..f3c5ed86a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
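Review bot: The request is re-serialised with `XMLUtil.printXML(request.getDOM()).getBytes()` before it goes to MOA-SP, and `getBytes()` without an argument uses the platform default charset; any non-ASCII content in the request is then encoded differently from the bytes the signer saw and verification fails (or passes on bytes that differ from what was received), so pass the charset explicitly — `.getBytes("UTF-8")`, assuming printXML emits UTF-8-declared XML — or hand MOA-SP the DOM as received. Failures are signalled as `java.lang.SecurityException`, an unchecked exception that is not a `MOAIDException`, so callers relying on the `ISAMLVerifier` contract (`throws MOAIDException`) will not catch them; wrapping them in a MOAIDException subtype would match ChainSAMLVerifier and EntityVerifier in this commit. The messages "Signature of SAMLResponse not valid" and "Certificate of SAMLResponse not valid" (and the surrounding debug lines) describe a response although this method verifies a request. The TODO above `verifyRequest` and the trust profile taken from `getStorkConfig()` mean PVP requests are verified against the STORK trust profile for now; that should be stated in the class Javadoc until the metadata-based validator exists.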
@@ -0,0 +1,71 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.xml.security.credential.CredentialResolver;
+import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
+import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
+import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.signature.SignatureTrustEngine;
+import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
+import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
+
+import sun.security.krb5.Credentials;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;
+
+public class TrustEngineFactory {
+
+ public static SignatureTrustEngine getSignatureTrustEngine() {
+ try {
+ MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver(
+ MOAMetadataProvider.getInstance());
+
+ List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+
+ KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+
+ PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine(
+ mdResolver, keyInfoResolver);
+
+ return engine;
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ return null;
+ }
+ }
+
+ public static 
SignatureTrustEngine getSignatureKnownKeysTrustEngine() {
+ MetadataCredentialResolver resolver;
+
+ resolver = new MetadataCredentialResolver(
+ MOAMetadataProvider.getInstance());
+
+ List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+
+ KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+
+ ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+ resolver, keyInfoResolver);
+
+ return engine;
+
+ }
+
+} |
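Review bot: `getSignatureTrustEngine` catches every exception, prints it and returns `null`, so a metadata provider that cannot be built surfaces later as a NullPointerException in whatever calls `validate` on the engine instead of a clear error at construction; rethrow instead, e.g. `throw new IllegalStateException("Could not build PKIX trust engine from metadata", e);`, and log through the project's `Logger` rather than `printStackTrace`. `import sun.security.krb5.Credentials;` is unused and binds the build to a JDK-internal package that newer JDKs may refuse to compile against; `CredentialResolver` and `MetadataProviderException` are unused as well. Both factories construct a fresh resolver and engine on every call; whether that is acceptable depends on how often callers invoke them, which the hunk does not show — a comment stating the intended lifetime (per request versus cached) would help the next reader.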