diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java | 197 |
1 files changed, 103 insertions, 94 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java index 2deeb2aae..637e46200 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java @@ -1,55 +1,55 @@ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - +/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
/**
*
*/
package at.gv.egovernment.moa.id.auth.stork;
- -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.BuildException; -import at.gv.egovernment.moa.id.ParseException; -import at.gv.egovernment.moa.id.ServiceException; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; -import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; -import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; -import eu.stork.mw.messages.saml.STORKResponse; -import eu.stork.vidp.messages.exception.SAMLValidationException; -import eu.stork.vidp.messages.util.SAMLUtil; -import eu.stork.vidp.messages.util.XMLUtil; +
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.ServiceException;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+import eu.stork.mw.messages.saml.STORKResponse;
+import eu.stork.vidp.messages.exception.SAMLValidationException;
+import eu.stork.vidp.messages.util.SAMLUtil;
+import eu.stork.vidp.messages.util.XMLUtil;
/**
- * Verifies the SMAL response according to the STORK specification + * Verifies the SMAL response according to the STORK specification
* @author bzwattendorfer
*
*/
@@ -74,44 +74,53 @@ public class PEPSConnectorResponseVerifier implements ResponseVerifier { private void verifySignature(STORKResponse response) throws SecurityException {
//validate Signature
try {
- if (response.isSigned()) { - - String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID(); - - Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID); + if (response.isSigned()) {
+
+ String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID();
+
+ Logger.trace("Starting validation of Signature references");
+ try {
+ SAMLUtil.validateSignatureReferences(response);
+ } catch (ValidationException e) {
+ Logger.error("Validation of XML Signature refrences failed: " + e.getMessage());
+ throw new SecurityException(e);
+ }
+ Logger.debug("XML Signature references are OK.");
+
+ Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID);
+
+ // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP
+ Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
+ .build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID);
+
+ Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built");
- // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP - Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() - .build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID); - - Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); - - Logger.trace("Calling MOA-SP"); - // invokes the call - Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() - .verifyXMLSignature(domVerifyXMLSignatureRequest); - - // parses the <VerifyXMLSignatureResponse> - VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( - domVerifyXMLSignatureResponse).parseData(); - - Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP"); - - if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) { - String msg = "Signature of SAMLResponse not valid"; - Logger.error(msg); - throw new SecurityException(msg); - } - - Logger.debug("Signature of SAML response successfully verified"); - - if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { - String msg = "Certificate of SAMLResponse not valid"; - Logger.error(msg); - throw new SecurityException(msg); - } - - Logger.debug("Signing certificate of SAML response succesfully verified"); + Logger.trace("Calling MOA-SP");
+ // invokes the call
+ Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
+ .verifyXMLSignature(domVerifyXMLSignatureRequest);
+
+ // parses the <VerifyXMLSignatureResponse>
+ VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
+ domVerifyXMLSignatureResponse).parseData();
+
+ Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP");
+
+ if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
+ String msg = "Signature of SAMLResponse not valid";
+ Logger.error(msg);
+ throw new SecurityException(msg);
+ }
+
+ Logger.debug("Signature of SAML response successfully verified");
+
+ if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
+ String msg = "Certificate of SAMLResponse not valid";
+ Logger.error(msg);
+ throw new SecurityException(msg);
+ }
+
+ Logger.debug("Signing certificate of SAML response succesfully verified");
} else {
String msg = "SAML Response is not signed.";
@@ -122,18 +131,18 @@ public class PEPSConnectorResponseVerifier implements ResponseVerifier { String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
Logger.error(msg, e);
throw new SecurityException(msg, e);
- } catch (ParseException e) { - String msg = "Unable to parse VerifyXMLSignature Request or Response."; - Logger.error(msg, e); - throw new SecurityException(msg, e); - } catch (BuildException e) { - String msg = "Unable to parse VerifyXMLSignature Request or Response."; - Logger.error(msg, e); - throw new SecurityException(msg, e); - } catch (ServiceException e) { - String msg = "Unable to invoke MOA-SP."; - Logger.error(msg, e); - throw new SecurityException(msg, e); + } catch (ParseException e) {
+ String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ } catch (BuildException e) {
+ String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
+ } catch (ServiceException e) {
+ String msg = "Unable to invoke MOA-SP.";
+ Logger.error(msg, e);
+ throw new SecurityException(msg, e);
}
}
|