Diffstat (limited to 'id/server/idserverlib/src')
| -rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java | 304 | 
1 files changed, 206 insertions, 98 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index a29728245..fd501fde7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -23,6 +23,7 @@  package at.gv.egovernment.moa.id.protocols.pvp2x;  import java.io.StringWriter; +import java.security.KeyStore;  import java.util.List;  import javax.servlet.http.HttpServletRequest; 
@@ -38,18 +39,27 @@ import org.joda.time.DateTime;
 import org.opensaml.Configuration;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.ContactPerson;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
 import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
 import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.SecurityHelper;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.Signer;
@@ -57,14 +67,17 @@ import org.w3c.dom.Document;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.data.SLOInformationInterface;  import at.gv.egovernment.moa.id.moduls.IAction;  import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MetadataAction implements IAction { @@ -111,6 +124,7 @@ public class MetadataAction implements IAction {  			//keyInfoFactory.setEmitPublicKeyValue(true);  			keyInfoFactory.setEmitEntityIDAsKeyName(true);  			keyInfoFactory.setEmitEntityCertificate(true); +  			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();  			Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); 
@@ -121,106 +135,12 @@ public class MetadataAction implements IAction {  			SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null);  			idpEntitiesDescriptor.setSignature(signature); -			 -//			//set SignatureMethode -//			signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); -//			 -//			//set DigestMethode -//			List<ContentReference> contentList = signature.getContentReferences(); -//			for (ContentReference content : contentList) { -//				 -//				if (content instanceof SAMLObjectContentReference) { -//					 -//					SAMLObjectContentReference el = (SAMLObjectContentReference) content; -//					el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); -//					 -//				} -//			} -			 -			 -//			KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); -//			KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); -//			//KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); -//			signature.setKeyInfo(metadataKeyInfo ); -			 - -			IDPSSODescriptor idpSSODescriptor = SAML2Utils -					.createSAMLObject(IDPSSODescriptor.class); - -			idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); -			 -			idpSSODescriptor.setWantAuthnRequestsSigned(true);			 -			 -			if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { -				SingleSignOnService postSingleSignOnService = SAML2Utils -						.createSAMLObject(SingleSignOnService.class); - -				postSingleSignOnService.setLocation(PVPConfiguration -						.getInstance().getIDPSSOPostService()); -				postSingleSignOnService -						.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - -				idpSSODescriptor.getSingleSignOnServices().add( -						postSingleSignOnService); -			} - -			if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { -				SingleSignOnService redirectSingleSignOnService = SAML2Utils -						.createSAMLObject(SingleSignOnService.class); - -				redirectSingleSignOnService.setLocation(PVPConfiguration 
-						.getInstance().getIDPSSORedirectService()); -				redirectSingleSignOnService -						.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - -				idpSSODescriptor.getSingleSignOnServices().add( -						redirectSingleSignOnService); -			} - -			/*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { -				ArtifactResolutionService artifactResolutionService = SAML2Utils -						.createSAMLObject(ArtifactResolutionService.class); - -				artifactResolutionService -						.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); -				artifactResolutionService.setLocation(PVPConfiguration -						.getInstance().getIDPResolveSOAPService()); - -				artifactResolutionService.setIndex(0); -				 -				idpSSODescriptor.getArtifactResolutionServices().add( -						artifactResolutionService); -			}*/ -		 -			//set assertion signing key -			Credential assertionSigingCredential = CredentialProvider -					.getIDPAssertionSigningCredential(); - -			KeyDescriptor signKeyDescriptor = SAML2Utils -					.createSAMLObject(KeyDescriptor.class); -			signKeyDescriptor.setUse(UsageType.SIGNING); -			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); -			idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); -						 -			idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); -			 -			NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -			persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); +			//set IDP metadata +			idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator)); -			idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); -			 -			NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -			transientNameIDFormat.setFormat(NameIDType.TRANSIENT); -			 -			idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); -			 -			NameIDFormat unspecifiedNameIDFormat = 
SAML2Utils.createSAMLObject(NameIDFormat.class); -			unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); -			 -			idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); -			 -			idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor); +			//set SP metadata for interfederation +			idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator));  			DocumentBuilder builder;  			DocumentBuilderFactory factory = DocumentBuilderFactory 
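Review bot: The SPSSODescriptor returned by generateSPMetadata() is added to the IDP's EntityDescriptor unconditionally, immediately after the IDP role, so every deployment now publishes an SP role with AssertionConsumerService endpoints in its signed metadata whether or not inter-federation is in use. If inter-federation is optional per deployment, I would gate that second `getRoleDescriptors().add(...)` call on whatever configuration switch enables it, because advertising an SP role invites peer IDPs to deliver Responses to those endpoints and widens what the metadata consumer has to trust. A comment such as `// SP role is only needed when this IDP acts as a requester towards other IDPs (inter-federation)` would also make the intent clear. The enclosing method starts before and ends after this hunk.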
@@ -269,4 +189,192 @@ public class MetadataAction implements IAction {  		return (PVP2XProtocol.METADATA);  	} +	private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { + +		Logger.debug("Set SP Metadata key information"); +		 +		SPSSODescriptor spSSODescriptor = SAML2Utils +				.createSAMLObject(SPSSODescriptor.class); + +		spSSODescriptor.setAuthnRequestsSigned(true); +		spSSODescriptor.setWantAssertionsSigned(true); +	 + 		 +		//Set AuthRequest Signing certificate +		X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential(); +		 +		KeyDescriptor signKeyDescriptor = SAML2Utils +				.createSAMLObject(KeyDescriptor.class); +		signKeyDescriptor.setUse(UsageType.SIGNING); +		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	 +		spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); +		 +		 +		//set AuthRequest encryption certificate +		 +		X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential();			 + +		if (authEncCredential != null) { +			KeyDescriptor encryKeyDescriptor = SAML2Utils +					.createSAMLObject(KeyDescriptor.class); +			encryKeyDescriptor.setUse(UsageType.ENCRYPTION); +			encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));	 +			spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); +			 +		} else { +			Logger.warn("No Assertion Encryption-Key defined. 
This setting is not recommended!"); +			 +		} +				 +		NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +		persistentnameIDFormat.setFormat(NameIDType.PERSISTENT); +		 +		spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat); +		 +		NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +		transientnameIDFormat.setFormat(NameIDType.TRANSIENT); +		 +		spSSODescriptor.getNameIDFormats().add(transientnameIDFormat); +		 +		NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +		unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED); +		 +		spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat); +					 +		AssertionConsumerService postassertionConsumerService =  +				SAML2Utils.createSAMLObject(AssertionConsumerService.class);		 +		postassertionConsumerService.setIndex(0); +		postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +		postassertionConsumerService.setLocation(PVPConfiguration +				.getInstance().getIDPSSOPostService());	 +		postassertionConsumerService.setIsDefault(true); +		spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); +		 +		 +		AssertionConsumerService redirectassertionConsumerService =  +				SAML2Utils.createSAMLObject(AssertionConsumerService.class);		 +		redirectassertionConsumerService.setIndex(1); +		redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +		redirectassertionConsumerService.setLocation(PVPConfiguration +				.getInstance().getIDPSSORedirectService());		 +		spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); +		 +		spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); +						 +		AttributeConsumingService attributeService =  +				SAML2Utils.createSAMLObject(AttributeConsumingService.class); +		 +		attributeService.setIndex(0); +		attributeService.setIsDefault(true); +		ServiceName 
serviceName = SAML2Utils.createSAMLObject(ServiceName.class); +		serviceName.setName(new LocalizedString("Default Service", "de")); +		attributeService.getNames().add(serviceName); +						 +		return spSSODescriptor; +	} +	 +	private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { +		 + +//		//set SignatureMethode +//		signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +//		 +//		//set DigestMethode +//		List<ContentReference> contentList = signature.getContentReferences(); +//		for (ContentReference content : contentList) { +//			 +//			if (content instanceof SAMLObjectContentReference) { +//				 +//				SAMLObjectContentReference el = (SAMLObjectContentReference) content; +//				el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +//				 +//			} +//		} +		 +		 +//		KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); +//		KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); +//		//KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); +//		signature.setKeyInfo(metadataKeyInfo ); +		 +		 +		IDPSSODescriptor idpSSODescriptor = SAML2Utils +				.createSAMLObject(IDPSSODescriptor.class); + +		idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); +		 +		idpSSODescriptor.setWantAuthnRequestsSigned(true);			 +		 +		if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { +			SingleSignOnService postSingleSignOnService = SAML2Utils +					.createSAMLObject(SingleSignOnService.class); + +			postSingleSignOnService.setLocation(PVPConfiguration +					.getInstance().getIDPSSOPostService()); +			postSingleSignOnService +					.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + +			idpSSODescriptor.getSingleSignOnServices().add( +					postSingleSignOnService); +		} + +		if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { +			SingleSignOnService 
redirectSingleSignOnService = SAML2Utils +					.createSAMLObject(SingleSignOnService.class); + +			redirectSingleSignOnService.setLocation(PVPConfiguration +					.getInstance().getIDPSSORedirectService()); +			redirectSingleSignOnService +					.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + +			idpSSODescriptor.getSingleSignOnServices().add( +					redirectSingleSignOnService); +		} + +		/*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { +			ArtifactResolutionService artifactResolutionService = SAML2Utils +					.createSAMLObject(ArtifactResolutionService.class); + +			artifactResolutionService +					.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); +			artifactResolutionService.setLocation(PVPConfiguration +					.getInstance().getIDPResolveSOAPService()); + +			artifactResolutionService.setIndex(0); +			 +			idpSSODescriptor.getArtifactResolutionServices().add( +					artifactResolutionService); +		}*/ +	 +		//set assertion signing key +		Credential assertionSigingCredential = CredentialProvider +				.getIDPAssertionSigningCredential(); + +		KeyDescriptor signKeyDescriptor = SAML2Utils +				.createSAMLObject(KeyDescriptor.class); +		signKeyDescriptor.setUse(UsageType.SIGNING); +		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); +		idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); +					 +		idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); +		 +		NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +		persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); +		 +		idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); +		 +		NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +		transientNameIDFormat.setFormat(NameIDType.TRANSIENT); +		 +		idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); +		 +		NameIDFormat unspecifiedNameIDFormat = 
SAML2Utils.createSAMLObject(NameIDFormat.class); +		unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); +		 +		idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); +		 +		return idpSSODescriptor; +		 +	} +	  } | 
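Review bot: generateSPMetadata() builds both AssertionConsumerService entries from getIDPSSOPostService() and getIDPSSORedirectService() without the `!= null` guards that generateIDPMetadata() applies to the very same two values a few lines below, so an unconfigured endpoint yields an ACS with a null Location inside signed, published metadata instead of being omitted; wrap each construction in the matching guard, `if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { ... }` and `if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { ... }`. Separately, as I read the SAML 2.0 Web Browser SSO profile a Response is delivered only over HTTP-POST or HTTP-Artifact, so the HTTP-Redirect-bound ACS at index 1 is unlikely to be usable by a peer IDP (a Response carrying the signed assertions that WantAssertionsSigned=true requests will not fit in a redirect URL) — please confirm this binding is intended. The commented-out SignatureMethod/DigestMethod block carried into generateIDPMetadata() references a `signature` variable that is not in scope there; it is dead code and should be deleted rather than moved. The imports `java.security.KeyStore`, `KeyStoreX509CredentialAdapter` and `MiscUtil` added by this commit appear unused in the new code and can go as well.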
