aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java237
1 files changed, 108 insertions, 129 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index bf9a61fe4..f7e753273 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -22,55 +22,34 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
-import java.util.ArrayList;
-import java.util.List;
-
import javax.xml.namespace.QName;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
-import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.common.xml.SAMLSchemaBuilder;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.encryption.Decrypter;
-import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
-import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
-import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
-import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -179,114 +158,114 @@ public class SAMLVerificationEngine {
}
}
- public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
- try {
- if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
- List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-
- List<String> allowedPublicURLPrefix =
- AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
- boolean isValidDestination = false;
- for (String allowedPreFix : allowedPublicURLPrefix) {
- if (validateDestination && samlResp.getDestination().startsWith(
- allowedPreFix)) {
- isValidDestination = true;
- break;
-
- }
- }
- if (!isValidDestination && validateDestination) {
- Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
- throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
-
- }
-
- //check encrypted Assertion
- List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
- if (encryAssertionList != null && encryAssertionList.size() > 0) {
- //decrypt assertions
-
- Logger.debug("Found encryped assertion. Start decryption ...");
-
- X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
-
- StaticKeyInfoCredentialResolver skicr =
- new StaticKeyInfoCredentialResolver(authDecCredential);
-
- ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
- encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-
- Decrypter samlDecrypter =
- new Decrypter(null, skicr, encryptedKeyResolver);
-
- for (EncryptedAssertion encAssertion : encryAssertionList) {
- saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
- }
-
- Logger.debug("Assertion decryption finished. ");
-
- } else {
- saml2assertions.addAll(samlResp.getAssertions());
-
- }
-
- List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-
- try {
- performSchemaValidation(saml2assertion.getDOM());
-
- Conditions conditions = saml2assertion.getConditions();
- DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
- DateTime notafter = conditions.getNotOnOrAfter();
- if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
- Logger.warn("PVP2 Assertion is out of Date. "
- + "{ Current : " + new DateTime()
- + " NotBefore: " + notbefore
- + " NotAfter : " + notafter
- + " }");;
-
- } else {
- validatedassertions.add(saml2assertion);
-
- }
-
- } catch (SchemaValidationException e) {
-
- }
- }
-
- if (validatedassertions.isEmpty()) {
- Logger.info("No valid PVP 2.1 assertion received.");
- throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
- }
-
- samlResp.getAssertions().clear();
- samlResp.getEncryptedAssertions().clear();
- samlResp.getAssertions().addAll(validatedassertions);
-
- } else {
- Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
- + samlResp.getStatus().getStatusCode().getValue());
- throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode "
- + samlResp.getStatus().getStatusCode().getValue(), null);
- }
-
- } catch (CredentialsNotAvailableException e) {
- Logger.warn("Assertion decrypt FAILED - No Credentials", e);
- throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
-
- } catch (DecryptionException e) {
- Logger.warn("Assertion decrypt FAILED.", e);
- throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
-
- } catch (ConfigurationException e) {
- throw new AssertionValidationExeption("pvp.12", null, e);
- }
- }
+// public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
+// try {
+// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+// List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+//
+// List<String> allowedPublicURLPrefix =
+// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+// boolean isValidDestination = false;
+// for (String allowedPreFix : allowedPublicURLPrefix) {
+// if (validateDestination && samlResp.getDestination().startsWith(
+// allowedPreFix)) {
+// isValidDestination = true;
+// break;
+//
+// }
+// }
+// if (!isValidDestination && validateDestination) {
+// Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
+// throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
+//
+// }
+//
+// //check encrypted Assertion
+// List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
+// if (encryAssertionList != null && encryAssertionList.size() > 0) {
+// //decrypt assertions
+//
+// Logger.debug("Found encryped assertion. Start decryption ...");
+//
+// X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
+//
+// StaticKeyInfoCredentialResolver skicr =
+// new StaticKeyInfoCredentialResolver(authDecCredential);
+//
+// ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+// encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+// encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+// encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+//
+// Decrypter samlDecrypter =
+// new Decrypter(null, skicr, encryptedKeyResolver);
+//
+// for (EncryptedAssertion encAssertion : encryAssertionList) {
+// saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+//
+// }
+//
+// Logger.debug("Assertion decryption finished. ");
+//
+// } else {
+// saml2assertions.addAll(samlResp.getAssertions());
+//
+// }
+//
+// List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+// for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+//
+// try {
+// performSchemaValidation(saml2assertion.getDOM());
+//
+// Conditions conditions = saml2assertion.getConditions();
+// DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
+// DateTime notafter = conditions.getNotOnOrAfter();
+// if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+// Logger.warn("PVP2 Assertion is out of Date. "
+// + "{ Current : " + new DateTime()
+// + " NotBefore: " + notbefore
+// + " NotAfter : " + notafter
+// + " }");;
+//
+// } else {
+// validatedassertions.add(saml2assertion);
+//
+// }
+//
+// } catch (SchemaValidationException e) {
+//
+// }
+// }
+//
+// if (validatedassertions.isEmpty()) {
+// Logger.info("No valid PVP 2.1 assertion received.");
+// throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
+// }
+//
+// samlResp.getAssertions().clear();
+// samlResp.getEncryptedAssertions().clear();
+// samlResp.getAssertions().addAll(validatedassertions);
+//
+// } else {
+// Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
+// + samlResp.getStatus().getStatusCode().getValue());
+// throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode "
+// + samlResp.getStatus().getStatusCode().getValue(), null);
+// }
+//
+// } catch (CredentialsNotAvailableException e) {
+// Logger.warn("Assertion decrypt FAILED - No Credentials", e);
+// throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
+//
+// } catch (DecryptionException e) {
+// Logger.warn("Assertion decrypt FAILED.", e);
+// throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
+//
+// } catch (ConfigurationException e) {
+// throw new AssertionValidationExeption("pvp.12", null, e);
+// }
+// }
private static void performSchemaValidation(Element source) throws SchemaValidationException {