Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification')
9 files changed, 106 insertions, 834 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index d05d180e1..1286c2351 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -23,7 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
 import java.io.IOException;
-import java.util.List;
+import java.security.cert.CertificateException;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
@@ -34,82 +34,38 @@ import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.validation.ValidationException; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SAMLMetadataSignatureException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate; public class EntityVerifier { - public static byte[] fetchSavedCredential(String entityID) { -// List<OnlineApplication> oaList = ConfigurationDBRead -// .getAllActiveOnlineApplications(); - try { - IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); - - if (oa == null) { - Logger.debug("No OnlineApplication with EntityID: " + entityID); - return null; - - } - - String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64)) { - return 
Base64Utils.decode(certBase64, false); - - } - - } catch (ConfigurationException e) { - Logger.error("Access MOA-ID configuration FAILED.", e); - - } catch (IOException e) { - Logger.warn("Decoding PVP2X metadata certificate FAILED.", e); - - } - - return null; - } - public static void verify(EntityDescriptor entityDescriptor) - throws MOAIDException { - if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); - } - - try { - SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); - } - + throws EAAFException { + Credential credential = getSPTrustedCredential(entityDescriptor.getEntityID()); if (credential == null) { throw new NoCredentialsException(entityDescriptor.getEntityID()); } - - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } + + verify(entityDescriptor, credential); + } public static void verify(EntityDescriptor entityDescriptor, Credential cred) - throws MOAIDException { + throws EAAFException { if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); + throw new SAMLMetadataSignatureException(); } try { @@ -117,7 +73,7 @@ public class EntityVerifier { sigValidator.validate(entityDescriptor.getSignature()); } catch (ValidationException e) { Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); + throw new SAMLMetadataSignatureException(e); } SignatureValidator sigValidator = new SignatureValidator(cred); 
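Review bot: The `if (credential == null)` guard in the rewritten single-argument `verify(EntityDescriptor)` looks unreachable: `getSPTrustedCredential` (hunk @@ -149,58) throws `CredentialsNotAvailableException` when no certificate is found, and the part of that method visible in the last hunk returns the credential it built, so `NoCredentialsException` can only be raised here if the portion of `getSPTrustedCredential` outside this diff returns null. Either drop the guard or document which exception callers should expect; a Javadoc along the lines of `/** Verifies the signature of an EntityDescriptor with the certificate registered for its entityID. @throws CredentialsNotAvailableException if no certificate is registered @throws SAMLMetadataSignatureException if the descriptor is unsigned or the signature does not verify */` would settle it. The order also changed: the credential lookup now precedes the signature-presence check, so an unsigned descriptor for an unregistered entity is reported as a credentials error instead of a signature error, which affects what operators see in the log. The two-argument `verify` that opens at the end of this hunk continues in the next hunk.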
@@ -125,14 +81,14 @@ public class EntityVerifier { sigValidator.validate(entityDescriptor.getSignature()); } catch (ValidationException e) { Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); + throw new SAMLMetadataSignatureException(e); } } public static void verify(EntitiesDescriptor entityDescriptor, - Credential cred) throws MOAIDException { + Credential cred) throws EAAFException { if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); + throw new SAMLMetadataSignatureException(); } try { @@ -140,7 +96,7 @@ public class EntityVerifier { sigValidator.validate(entityDescriptor.getSignature()); } catch (ValidationException e) { Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); + throw new SAMLMetadataSignatureException(e); } SignatureValidator sigValidator = new SignatureValidator(cred); 
@@ -149,58 +105,14 @@ public class EntityVerifier { } catch (ValidationException e) { Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } - } - - public static void verify(EntitiesDescriptor entityDescriptor) - throws MOAIDException { - if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); - } - - try { - SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); - } - - List<EntityDescriptor> entities = entityDescriptor - .getEntityDescriptors(); - - if (entities.size() > 0) { - - if (entities.size() > 1) { - Logger.warn("More then one EntityID in Metadatafile with Name " - + entityDescriptor.getName() - + " defined. Actually only the first" - + " entryID is used to select the certificate to perform Metadata verification."); - } - - Credential credential = getSPTrustedCredential(entities.get(0).getEntityID()); - - if (credential == null) { - throw new NoCredentialsException("moaID IDP"); - } - - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } + throw new SAMLMetadataSignatureException(e); } } - + public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException { - iaik.x509.X509Certificate cert = PVPConfiguration.getInstance() - .getTrustEntityCertificate(entityID); + iaik.x509.X509Certificate cert = getTrustEntityCertificate(entityID); if (cert == null) { throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null); 
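Review bot: The changed line in `getSPTrustedCredential` still spells `iaik.x509.X509Certificate` fully qualified although this commit adds `import iaik.x509.X509Certificate;` to the same file; `X509Certificate cert = getTrustEntityCertificate(entityID);` reads like the rest of the file. The exception text `"ServiceProvider Certificate can not be loaded from Database"` is now also raised when the new helper returns null because the configured value could not be Base64-decoded or parsed, or the configuration was not reachable, so an operator debugging a rejected metadata file gets a misleading reason unless they find the preceding warn/error log line; a message that names the entity, e.g. `"No usable PVP2X metadata signing certificate for entityID " + entityID`, would be more useful. The body of `getSPTrustedCredential` continues past this hunk.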
@@ -213,5 +125,46 @@ public class EntityVerifier { return credential; } + + private static iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { + + try { + Logger.trace("Load metadata signing certificate for online application " + entityID); + ISPConfiguration oaParam = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); + if (oaParam == null) { + Logger.info("Online Application with ID " + entityID + " not found!"); + return null; + } + + String pvp2MetadataCertificateString = + oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) { + Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!"); + return null; + + } + + X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false)); + Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded."); + return cert; + + } catch (CertificateException e) { + Logger.warn("Metadata signer certificate is not parsed.", e); + return null; + + } catch (ConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + + } catch (IOException e) { + Logger.warn("Metadata signer certificate is not decodeable.", e); + return null; + + } catch (EAAFConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java deleted file mode 100644 index f6104bdeb..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ /dev/null 
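Review bot: The new private `getTrustEntityCertificate` folds five different failures (unknown SP, no certificate configured, Base64 decode error, certificate parse error, configuration not accessible) into one `null` return and nothing documents that contract, although `getSPTrustedCredential` turns the null into `CredentialsNotAvailableException`; add a Javadoc stating that null is returned in all of these cases and that the actual cause is only recorded in the log. The `ConfigurationException` and `EAAFConfigurationException` catch blocks have identical bodies and can be merged into `catch (ConfigurationException | EAAFConfigurationException e)` if neither type extends the other. The debug message `"Metadata signing certificate is loaded for ("+entityID+") is loaded."` repeats "is loaded", and `"include not PVP2X metadata signing certificate!"` should read `"includes no PVP2X metadata signing certificate!"`.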
@@ -1,197 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification; - -import javax.xml.namespace.QName; -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.validation.ValidationException; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; -import org.w3c.dom.Element; -import org.xml.sax.SAXException; - -import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -@Service("SAMLVerificationEngine") -public class SAMLVerificationEngine { - - @Autowired(required=true) MOAMetadataProvider metadataProvider; - - public void verify(InboundMessage msg, SignatureTrustEngine 
sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { - try { - if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) - verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); - - else - verifyIDPResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); - - } catch (InvalidProtocolRequestException e) { - if (MiscUtil.isEmpty(msg.getEntityID())) { - throw e; - - } - Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID()); - - if (metadataProvider == null || !metadataProvider.refreshMetadataProvider(msg.getEntityID())) - throw e; - - else { - Logger.trace("PVP2X metadata reload finished. Check validate message again."); - - if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) - verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); - - else - verifyIDPResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); - - } - Logger.trace("Second PVP2X message validation finished"); - } - } - - public void verifyIDPResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException{ - verifyResponse(samlObj, sigTrustEngine, IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - - } - - public void verifySLOResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException { - verifyResponse(samlObj, sigTrustEngine, SPSSODescriptor.DEFAULT_ELEMENT_NAME); - - } - - private void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine, QName defaultElementName) throws InvalidProtocolRequestException{ - SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); - performSchemaValidation(samlObj.getDOM()); - - } catch (ValidationException e) { - 
Logger.warn("Signature is not conform to SAML signature profile", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); - - } catch (SchemaValidationException e) { - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); - - } - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(defaultElementName, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); - - try { - if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); - } - } catch (org.opensaml.xml.security.SecurityException e) { - Logger.warn("PVP2x message signature validation FAILED.", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); - } - } - - public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException { - SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); - performSchemaValidation(samlObj.getDOM()); - - } catch (ValidationException e) { - Logger.warn("Signature is not conform to SAML signature profile", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); - - } catch (SchemaValidationException e) { - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); - - } - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); - - try { - if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new InvalidProtocolRequestException("pvp2.21", new 
Object[] {}); - } - } catch (org.opensaml.xml.security.SecurityException e) { - Logger.warn("PVP2x message signature validation FAILED.", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); - } - } - - protected void performSchemaValidation(Element source) throws SchemaValidationException { - - String err = null; - try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - val.validate(new DOMSource(source)); - Logger.debug("Schema validation check done OK"); - return; - - } catch (SAXException e) { - err = e.getMessage(); - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Schema validation FAILED with exception:", e); - else - Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); - - } catch (Exception e) { - err = e.getMessage(); - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Schema validation FAILED with exception:", e); - else - Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); - - } - - throw new SchemaValidationException("pvp2.22", new Object[]{err}); - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java index 385fe90fb..d1d8c9368 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java 
@@ -47,11 +47,12 @@ import org.opensaml.xml.validation.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
 import at.gv.egovernment.moa.logging.Logger;
 /**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
deleted file mode 100644
index 3ea124db6..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
+++ /dev/null
@@ -1,87 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification; - -import java.util.ArrayList; -import java.util.List; - -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoProvider; -import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; -import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; -import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; -//import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; -//import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; - -public class TrustEngineFactory { - -// public static SignatureTrustEngine getSignatureTrustEngine() { -// try { -// MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver( -// MOAMetadataProvider.getInstance()); -// -// List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>(); -// keyInfoProvider.add(new DSAKeyValueProvider()); -// keyInfoProvider.add(new RSAKeyValueProvider()); -// keyInfoProvider.add(new InlineX509DataProvider()); -// -// KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( -// keyInfoProvider); -// -// PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine( -// mdResolver, keyInfoResolver); -// -// return engine; -// -// } catch (Exception e) { -// e.printStackTrace(); -// return null; -// } -// } - - public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(MetadataProvider provider) { - 
MetadataCredentialResolver resolver;
-
- resolver = new MetadataCredentialResolver(provider);
-
- List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
- keyInfoProvider.add(new DSAKeyValueProvider());
- keyInfoProvider.add(new RSAKeyValueProvider());
- keyInfoProvider.add(new InlineX509DataProvider());
-
- KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
- keyInfoProvider);
-
- ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
- resolver, keyInfoResolver);
-
- return engine;
-
- }
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
index 16b179d89..75ca2ccdf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
@@ -33,11 +33,11 @@ import org.opensaml.saml2.metadata.provider.FilterException;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.xml.XMLObject;
+import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
 import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 /**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index 589713c4b..57f1c2f9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
@@ -23,23 +23,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 import java.security.cert.CertificateException;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.x509.BasicX509Credential;
-import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.AbstractMetadataSignatureFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
 import at.gv.egovernment.moa.logging.Logger;
 import iaik.x509.X509Certificate;
-public class MetadataSignatureFilter implements MetadataFilter {
+public class MetadataSignatureFilter extends AbstractMetadataSignatureFilter {
 private String metadataURL;
 private BasicX509Credential savedCredential;
@@ -52,111 +49,52 @@ public class MetadataSignatureFilter implements MetadataFilter { savedCredential.setEntityCertificate(cert); } - public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { - -// String entityID = desc.getEntityID(); - - EntityVerifier.verify(desc); - } - - public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException { - Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator(); - - if(desc.getSignature() != null) { - EntityVerifier.verify(desc, this.savedCredential); + @Override + protected void verify(EntityDescriptor desc) throws PVP2MetadataException { + try { + EntityVerifier.verify(desc); + + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for entity: " + desc.getEntityID() + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for entity: " + desc.getEntityID(), null, e); } - while(entID.hasNext()) { - processEntitiesDescriptor(entID.next()); - } - - Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); + } - List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>(); - - //check every Entity - - while(entIT.hasNext()) { - - EntityDescriptor entity = entIT.next(); - - String entityID = entity.getEntityID(); - - //CHECK if Entity also match MetaData signature. - /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ - Logger.debug("Validate metadata for entityID: " + entityID + " ..... 
"); - byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); - - if (entityCert != null) { + @Override + protected void verify(EntitiesDescriptor desc) throws PVP2MetadataException { + try { + EntityVerifier.verify(desc, this.savedCredential); - X509Certificate cert; - try { - cert = new X509Certificate(entityCert); - BasicX509Credential entityCrendential = new BasicX509Credential(); - entityCrendential.setEntityCertificate(cert); - - EntityVerifier.verify(desc, entityCrendential); - - //add entity to verified entity-list - verifiedEntIT.add(entity); - Logger.debug("Metadata for entityID: " + entityID + " valid"); - - - } catch (Exception e) { - - //remove entity of signature can not be verified. - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". Entity verification error: " + e.getMessage()); -// throw new MOAIDException("The App", null, e); - } - - } else { - //remove entity if it is not registrated as OA - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". 
Entity is not registrated or no certificate is found!"); -// throw new NoCredentialsException("NO Certificate found for OA " + entityID); - } + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL, null, e); - //TODO: insert to support signed Entity-Elements - //processEntityDescriptorr(entIT.next()); - } + } - //set only verified entity elements - desc.getEntityDescriptors().clear(); - desc.getEntityDescriptors().addAll(verifiedEntIT); } - - public void doFilter(XMLObject metadata) throws SignatureValidationException { + + @Override + protected void verify(EntityDescriptor entity, EntitiesDescriptor entities) throws PVP2MetadataException { try { - if (metadata instanceof EntitiesDescriptor) { - EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { - throw new MOAIDException("Root element of metadata file has to be signed", null); - } - processEntitiesDescriptor(entitiesDescriptor); - - - if (entitiesDescriptor.getEntityDescriptors().size() == 0) { - throw new MOAIDException("No valid entity in metadata " - + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); - } - - - } else if (metadata instanceof EntityDescriptor) { - EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; - processEntityDescriptorr(entityDescriptor); + if (entity.isSigned()) { + Logger.debug("EntityDescriptor: " + entity.getEntityID() + " is signed. Starting signature verification ... "); + EntityVerifier.verify(entity); } else { - throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); + Logger.debug("EntityDescriptor: " + entity.getEntityID() + " is not signed. Verify EntitiesDescriptor by using 'Entity' certificate ... 
"); + Credential entityCredential = EntityVerifier.getSPTrustedCredential(entity.getEntityID()); + EntityVerifier.verify(entities, entityCredential); + } + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL, null, e); - - Logger.info("Metadata signature policy check done OK"); - } catch (MOAIDException e) { - Logger.warn("Metadata signature policy check FAILED.", e); - throw new SignatureValidationException(e); } } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java deleted file mode 100644 index caabfea30..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java +++ /dev/null 
@@ -1,230 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- */ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; - -import java.util.ArrayList; -import java.util.List; - -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.common.Extensions; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.ServiceName; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.samlext.saml2mdattr.EntityAttributes; -import org.opensaml.xml.XMLObject; - -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.data.Trible; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moaspss.logging.Logger; - -/** - * @author tlenz - * - */ -public class PVPEntityCategoryFilter implements MetadataFilter { - - - private boolean isUsed = false; - - /** - * Filter to map PVP EntityCategories into a set of single PVP attributes - * - * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored - * - */ - public PVPEntityCategoryFilter(boolean isUsed) { - this.isUsed = isUsed; - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject metadata) throws FilterException { - - if (isUsed) { - Logger.trace("Map PVP EntityCategory to single PVP Attributes ... 
"); - String entityId = null; - try { - if (metadata instanceof EntitiesDescriptor) { - Logger.trace("Find EnitiesDescriptor ... "); - EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; - if (entitiesDesc.getEntityDescriptors() != null) { - for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) - resolveEntityCategoriesToAttributes(el); - - } - - } else if (metadata instanceof EntityDescriptor) { - Logger.trace("Find EntityDescriptor"); - resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); - - - } else - throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); - - - - } catch (Exception e) { - Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); - - } - - } else - Logger.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated"); - - } - - private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { - Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); - Extensions extensions = metadata.getExtensions(); - if (extensions != null) { - List<XMLObject> listOfExt = extensions.getUnknownXMLObjects(); - if (listOfExt != null && !listOfExt.isEmpty()) { - Logger.trace("Find #" + listOfExt.size() + " 'Extension' elements "); - for (XMLObject el : listOfExt) { - Logger.trace("Find ExtensionElement: " + el.getElementQName().toString()); - if (el instanceof EntityAttributes) { - EntityAttributes entityAttrElem = (EntityAttributes)el; - if (entityAttrElem.getAttributes() != null) { - Logger.trace("Find EntityAttributes. 
Start attribute processing ..."); - for (Attribute entityAttr : entityAttrElem.getAttributes()) { - if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) { - if (!entityAttr.getAttributeValues().isEmpty()) { - String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); - if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) { - Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); - addAttributesToEntityDescriptor(metadata, - buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES), - entityAttrValue); - - - } else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) { - Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); - addAttributesToEntityDescriptor(metadata, - buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES), - entityAttrValue); - - } else - Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); - - } else - Logger.info("EntityAttribute: No attribute value"); - - } else - Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); - - } - - } else - Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); - - } - } - - } else - Logger.trace("'Extension' element is 'null' or empty"); - - } else - Logger.trace("No 'Extension' element found"); - - } - - /** - * @param metadata - * @param attrList - */ - private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) { - SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); - if (spSSODesc != null) { - if (spSSODesc.getAttributeConsumingServices() == null || - spSSODesc.getAttributeConsumingServices().isEmpty()) { - Logger.trace("No 'AttributeConsumingServices' found. 
Added it ..."); - - AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); - attributeService.setIndex(0); - attributeService.setIsDefault(true); - ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); - serviceName.setName(new LocalizedString("Default Service", "en")); - attributeService.getNames().add(serviceName); - - if (attrList != null && !attrList.isEmpty()) { - attributeService.getRequestAttributes().addAll(attrList); - Logger.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); - - } - - spSSODesc.getAttributeConsumingServices().add(attributeService); - - } else { - Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); - for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) { - Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); - - //load currently requested attributes - List<String> currentlyReqAttr = new ArrayList<String>(); - for (RequestedAttribute reqAttr : el.getRequestAttributes()) - currentlyReqAttr.add(reqAttr.getName()); - - - //check against EntityAttribute List - for (RequestedAttribute entityAttrListEl : attrList) { - if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { - el.getRequestAttributes().add(entityAttrListEl); - - } else - Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName()); - - } - - } - - } - - } else - Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); - - } - - private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) { - List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(); - for (Trible<String, String, Boolean> el : attrSet) - requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); - - return requestedAttributes; - - - } - -} 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java
index 4c1da747b..615a0eaa7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java
@@ -24,7 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 import java.security.cert.CertificateException;
-import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain;
 /**
 * @author tlenz
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
deleted file mode 100644
index 83a2b61d2..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
+++ /dev/null
@@ -1,106 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- */ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; - -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; -import org.xml.sax.SAXException; - -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class SchemaValidationFilter implements MetadataFilter { - - private boolean isActive = true; - - public SchemaValidationFilter() { - try { - isActive = AuthConfigurationProviderFactory.getInstance().isPVPSchemaValidationActive(); - - } catch (ConfigurationException e) { - e.printStackTrace(); - } - } - - /** - * - */ - public SchemaValidationFilter(boolean useSchemaValidation) { - this.isActive = useSchemaValidation; - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject arg0) throws SchemaValidationException { - - String errString = null; - - if (isActive) { - try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - DOMSource source = new DOMSource(arg0.getDOM()); - val.validate(source); - Logger.info("Metadata Schema validation check done OK"); - return; - - } catch (SAXException e) { - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Metadata Schema validation FAILED with exception:", e); - else - Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); - - errString = e.getMessage(); - - } catch (Exception e) { - if (Logger.isDebugEnabled() 
|| Logger.isTraceEnabled()) - Logger.warn("Metadata Schema validation FAILED with exception:", e); - else - Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); - - errString = e.getMessage(); - - } - - throw new SchemaValidationException("Metadata Schema validation FAILED with message: "+ errString); - - } else - Logger.info("Metadata Schema validation check is DEACTIVATED!"); - - } - -} |