diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java | 237 |
1 files changed, 108 insertions, 129 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index bf9a61fe4..f7e753273 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -22,55 +22,34 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; -import java.util.ArrayList; -import java.util.List; - import javax.xml.namespace.QName; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.encryption.Decrypter; -import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; -import org.opensaml.xml.encryption.DecryptionException; -import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; -import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; -import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; import org.w3c.dom.Element; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -179,114 +158,114 @@ public class SAMLVerificationEngine { } } - public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption { - try { - if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { - List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); - - List<String> allowedPublicURLPrefix = - AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); - boolean isValidDestination = false; - for (String allowedPreFix : allowedPublicURLPrefix) { - if (validateDestination && samlResp.getDestination().startsWith( - allowedPreFix)) { - isValidDestination = true; - break; - - } - } - if (!isValidDestination && validateDestination) { - Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); - throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); - - } - - //check encrypted Assertion - List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions(); - if (encryAssertionList != null && encryAssertionList.size() > 0) { - //decrypt assertions - - Logger.debug("Found encryped assertion. Start decryption ..."); - - X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); - - StaticKeyInfoCredentialResolver skicr = - new StaticKeyInfoCredentialResolver(authDecCredential); - - ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); - encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); - - Decrypter samlDecrypter = - new Decrypter(null, skicr, encryptedKeyResolver); - - for (EncryptedAssertion encAssertion : encryAssertionList) { - saml2assertions.add(samlDecrypter.decrypt(encAssertion)); - - } - - Logger.debug("Assertion decryption finished. "); - - } else { - saml2assertions.addAll(samlResp.getAssertions()); - - } - - List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); - for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - - try { - performSchemaValidation(saml2assertion.getDOM()); - - Conditions conditions = saml2assertion.getConditions(); - DateTime notbefore = conditions.getNotBefore().minusMinutes(5); - DateTime notafter = conditions.getNotOnOrAfter(); - if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { - Logger.warn("PVP2 Assertion is out of Date. " - + "{ Current : " + new DateTime() - + " NotBefore: " + notbefore - + " NotAfter : " + notafter - + " }");; - - } else { - validatedassertions.add(saml2assertion); - - } - - } catch (SchemaValidationException e) { - - } - } - - if (validatedassertions.isEmpty()) { - Logger.info("No valid PVP 2.1 assertion received."); - throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); - } - - samlResp.getAssertions().clear(); - samlResp.getEncryptedAssertions().clear(); - samlResp.getAssertions().addAll(validatedassertions); - - } else { - Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " - + samlResp.getStatus().getStatusCode().getValue()); - throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " - + samlResp.getStatus().getStatusCode().getValue(), null); - } - - } catch (CredentialsNotAvailableException e) { - Logger.warn("Assertion decrypt FAILED - No Credentials", e); - throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e); - - } catch (DecryptionException e) { - Logger.warn("Assertion decrypt FAILED.", e); - throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); - - } catch (ConfigurationException e) { - throw new AssertionValidationExeption("pvp.12", null, e); - } - } +// public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption { +// try { +// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { +// List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); +// +// List<String> allowedPublicURLPrefix = +// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +// boolean isValidDestination = false; +// for (String allowedPreFix : allowedPublicURLPrefix) { +// if (validateDestination && samlResp.getDestination().startsWith( +// allowedPreFix)) { +// isValidDestination = true; +// break; +// +// } +// } +// if (!isValidDestination && validateDestination) { +// Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); +// throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); +// +// } +// +// //check encrypted Assertion +// List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions(); +// if (encryAssertionList != null && encryAssertionList.size() > 0) { +// //decrypt assertions +// +// Logger.debug("Found encryped assertion. Start decryption ..."); +// +// X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); +// +// StaticKeyInfoCredentialResolver skicr = +// new StaticKeyInfoCredentialResolver(authDecCredential); +// +// ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); +// encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); +// encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); +// encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); +// +// Decrypter samlDecrypter = +// new Decrypter(null, skicr, encryptedKeyResolver); +// +// for (EncryptedAssertion encAssertion : encryAssertionList) { +// saml2assertions.add(samlDecrypter.decrypt(encAssertion)); +// +// } +// +// Logger.debug("Assertion decryption finished. "); +// +// } else { +// saml2assertions.addAll(samlResp.getAssertions()); +// +// } +// +// List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); +// for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { +// +// try { +// performSchemaValidation(saml2assertion.getDOM()); +// +// Conditions conditions = saml2assertion.getConditions(); +// DateTime notbefore = conditions.getNotBefore().minusMinutes(5); +// DateTime notafter = conditions.getNotOnOrAfter(); +// if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { +// Logger.warn("PVP2 Assertion is out of Date. " +// + "{ Current : " + new DateTime() +// + " NotBefore: " + notbefore +// + " NotAfter : " + notafter +// + " }");; +// +// } else { +// validatedassertions.add(saml2assertion); +// +// } +// +// } catch (SchemaValidationException e) { +// +// } +// } +// +// if (validatedassertions.isEmpty()) { +// Logger.info("No valid PVP 2.1 assertion received."); +// throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); +// } +// +// samlResp.getAssertions().clear(); +// samlResp.getEncryptedAssertions().clear(); +// samlResp.getAssertions().addAll(validatedassertions); +// +// } else { +// Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " +// + samlResp.getStatus().getStatusCode().getValue()); +// throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " +// + samlResp.getStatus().getStatusCode().getValue(), null); +// } +// +// } catch (CredentialsNotAvailableException e) { +// Logger.warn("Assertion decrypt FAILED - No Credentials", e); +// throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e); +// +// } catch (DecryptionException e) { +// Logger.warn("Assertion decrypt FAILED.", e); +// throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); +// +// } catch (ConfigurationException e) { +// throw new AssertionValidationExeption("pvp.12", null, e); +// } +// } private static void performSchemaValidation(Element source) throws SchemaValidationException { |