summaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java237
1 files changed, 129 insertions, 108 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index cc7afa842..bf9a61fe4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -22,34 +22,55 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+import java.util.ArrayList;
+import java.util.List;
+
import javax.xml.namespace.QName;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
+import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.common.xml.SAMLSchemaBuilder;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.DecryptionException;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
+import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -158,114 +179,114 @@ public class SAMLVerificationEngine {
}
}
-// public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
-// try {
-// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-// List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-//
-// List<String> allowedPublicURLPrefix =
-// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
-// boolean isValidDestination = false;
-// for (String allowedPreFix : allowedPublicURLPrefix) {
-// if (validateDestination && samlResp.getDestination().startsWith(
-// allowedPreFix)) {
-// isValidDestination = true;
-// break;
-//
-// }
-// }
-// if (!isValidDestination) {
-// Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
-// throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
-//
-// }
-//
-// //check encrypted Assertion
-// List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
-// if (encryAssertionList != null && encryAssertionList.size() > 0) {
-// //decrypt assertions
-//
-// Logger.debug("Found encryped assertion. Start decryption ...");
-//
-// X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
-//
-// StaticKeyInfoCredentialResolver skicr =
-// new StaticKeyInfoCredentialResolver(authDecCredential);
-//
-// ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
-// encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
-// encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
-// encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-//
-// Decrypter samlDecrypter =
-// new Decrypter(null, skicr, encryptedKeyResolver);
-//
-// for (EncryptedAssertion encAssertion : encryAssertionList) {
-// saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-//
-// }
-//
-// Logger.debug("Assertion decryption finished. ");
-//
-// } else {
-// saml2assertions.addAll(samlResp.getAssertions());
-//
-// }
-//
-// List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-// for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-//
-// try {
-// performSchemaValidation(saml2assertion.getDOM());
-//
-// Conditions conditions = saml2assertion.getConditions();
-// DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
-// DateTime notafter = conditions.getNotOnOrAfter();
-// if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
-// Logger.warn("PVP2 Assertion is out of Date. "
-// + "{ Current : " + new DateTime()
-// + " NotBefore: " + notbefore
-// + " NotAfter : " + notafter
-// + " }");;
-//
-// } else {
-// validatedassertions.add(saml2assertion);
-//
-// }
-//
-// } catch (SchemaValidationException e) {
-//
-// }
-// }
-//
-// if (validatedassertions.isEmpty()) {
-// Logger.info("No valid PVP 2.1 assertion received.");
-// throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
-// }
-//
-// samlResp.getAssertions().clear();
-// samlResp.getEncryptedAssertions().clear();
-// samlResp.getAssertions().addAll(validatedassertions);
-//
-// } else {
-// Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
-// + samlResp.getStatus().getStatusCode().getValue());
-// throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode "
-// + samlResp.getStatus().getStatusCode().getValue(), null);
-// }
-//
-// } catch (CredentialsNotAvailableException e) {
-// Logger.warn("Assertion decrypt FAILED - No Credentials", e);
-// throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
-//
-// } catch (DecryptionException e) {
-// Logger.warn("Assertion decrypt FAILED.", e);
-// throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
-//
-// } catch (ConfigurationException e) {
-// throw new AssertionValidationExeption("pvp.12", null, e);
-// }
-// }
+ public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
+ try {
+ if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isValidDestination = false;
+ for (String allowedPreFix : allowedPublicURLPrefix) {
+ if (validateDestination && samlResp.getDestination().startsWith(
+ allowedPreFix)) {
+ isValidDestination = true;
+ break;
+
+ }
+ }
+ if (!isValidDestination && validateDestination) {
+ Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
+ throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
+
+ }
+
+ //check encrypted Assertion
+ List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
+ if (encryAssertionList != null && encryAssertionList.size() > 0) {
+ //decrypt assertions
+
+ Logger.debug("Found encryped assertion. Start decryption ...");
+
+ X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
+
+ StaticKeyInfoCredentialResolver skicr =
+ new StaticKeyInfoCredentialResolver(authDecCredential);
+
+ ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+ encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+
+ Decrypter samlDecrypter =
+ new Decrypter(null, skicr, encryptedKeyResolver);
+
+ for (EncryptedAssertion encAssertion : encryAssertionList) {
+ saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+
+ }
+
+ Logger.debug("Assertion decryption finished. ");
+
+ } else {
+ saml2assertions.addAll(samlResp.getAssertions());
+
+ }
+
+ List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+ for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+
+ try {
+ performSchemaValidation(saml2assertion.getDOM());
+
+ Conditions conditions = saml2assertion.getConditions();
+ DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
+ DateTime notafter = conditions.getNotOnOrAfter();
+ if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+ Logger.warn("PVP2 Assertion is out of Date. "
+ + "{ Current : " + new DateTime()
+ + " NotBefore: " + notbefore
+ + " NotAfter : " + notafter
+ + " }");;
+
+ } else {
+ validatedassertions.add(saml2assertion);
+
+ }
+
+ } catch (SchemaValidationException e) {
+
+ }
+ }
+
+ if (validatedassertions.isEmpty()) {
+ Logger.info("No valid PVP 2.1 assertion received.");
+ throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
+ }
+
+ samlResp.getAssertions().clear();
+ samlResp.getEncryptedAssertions().clear();
+ samlResp.getAssertions().addAll(validatedassertions);
+
+ } else {
+ Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
+ + samlResp.getStatus().getStatusCode().getValue());
+ throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode "
+ + samlResp.getStatus().getStatusCode().getValue(), null);
+ }
+
+ } catch (CredentialsNotAvailableException e) {
+ Logger.warn("Assertion decrypt FAILED - No Credentials", e);
+ throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
+
+ } catch (DecryptionException e) {
+ Logger.warn("Assertion decrypt FAILED.", e);
+ throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
+
+ } catch (ConfigurationException e) {
+ throw new AssertionValidationExeption("pvp.12", null, e);
+ }
+ }
private static void performSchemaValidation(Element source) throws SchemaValidationException {
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-31 01:32:46 +0000