diff options
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment')
9 files changed, 1353 insertions, 729 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java index c872bcfb6..6a48e5030 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.java @@ -98,8 +98,11 @@ public class MOAExtendedSWSigner implements ProtocolSignerI, MetadataSignerI { private final ImmutableList<X509Credential> trustedCredentials; private final String signatureAlgorithm; - public MOAExtendedSWSigner(Map<String, String> properties) throws SamlEngineConfigurationException { - this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(properties)); + + //TODO: check if it is required any more + + public MOAExtendedSWSigner(Map<String, String> properties, String defaultConfigPath) throws SamlEngineConfigurationException { + this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(properties, null)); } @@ -109,7 +112,7 @@ public class MOAExtendedSWSigner implements ProtocolSignerI, MetadataSignerI { */ public MOAExtendedSWSigner(CertificateConfigurationManager configManager) throws SamlEngineConfigurationException { this(new KeyStoreSignatureConfigurator().getSignatureConfiguration( - ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters())); + ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters(), null)); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java index 5cf5e83ec..3cc9787df 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java @@ -79,8 +79,8 @@ public class MOASWSigner extends KeyStoreProtocolSigner { //Set other algorithms which are not supported by openSAML in default StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256_MGF1, Locale.ENGLISH)); - public MOASWSigner(Map<String, String> properties) throws SamlEngineConfigurationException { - super(properties); + public MOASWSigner(Map<String, String> properties, String defaultConfigPath) throws SamlEngineConfigurationException { + super(properties, null); props = properties; } @@ -90,7 +90,7 @@ public class MOASWSigner extends KeyStoreProtocolSigner { * @throws SamlEngineConfigurationException */ public MOASWSigner(CertificateConfigurationManager configManager) throws SamlEngineConfigurationException { - super(props = ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters()); + super(props = ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters(), null); } @@ -100,7 +100,7 @@ public class MOASWSigner extends KeyStoreProtocolSigner { if (sigAlgWhiteList == null) { sigAlgWhiteList = MOAWhiteListConfigurator.getAllowedAlgorithms(DEFAULT_ALGORITHM_WHITE_LIST, ALLOWED_ALGORITHMS_FOR_VERIFYING, - (new KeyStoreSignatureConfigurator().getSignatureConfiguration(props)).getSignatureAlgorithmWhiteList()); + (new KeyStoreSignatureConfigurator().getSignatureConfiguration(props, null)).getSignatureAlgorithmWhiteList()); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java index de4f3fc9c..d5cbb2cfd 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java @@ -33,15 +33,15 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption { private static ReloadableProperties initActivationConf(Map<String, String> properties) { String activationConfigurationFile = EncryptionKey.ENCRYPTION_ACTIVATION.getAsString(properties); Logger.debug("File containing encryption configuration: \"" + activationConfigurationFile + "\""); - return new ReloadableProperties(activationConfigurationFile); + return new ReloadableProperties(activationConfigurationFile, null); } /** * @param properties * @throws SamlEngineConfigurationException */ - public ModifiedEncryptionSW(Map<String, String> properties) throws SamlEngineConfigurationException { - super(properties); + public ModifiedEncryptionSW(Map<String, String> properties, String defaultConfigPath) throws SamlEngineConfigurationException { + super(properties, null); this.properties = ImmutableMap.copyOf(properties); encryptionActivationProperties = initActivationConf(properties); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 7155040c6..6f1d75bfe 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -228,9 +228,9 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { //set correct SPType for this online application if (oaConfig.getBusinessService()) - authnRequestBuilder.spType(SpType.PRIVATE); + authnRequestBuilder.spType(SpType.PRIVATE.getValue()); else - authnRequestBuilder.spType(SpType.PUBLIC); + authnRequestBuilder.spType(SpType.PUBLIC.getValue()); //set service provider (eIDAS node) countryCode diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java index 7b159c73d..9683db503 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java @@ -1,686 +1,681 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth.modules.eidas.utils; - -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import org.apache.commons.lang.StringUtils; -import org.joda.time.DateTime; -import org.joda.time.DurationFieldType; -import org.opensaml.Configuration; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.common.Extensions; -import org.opensaml.saml2.common.impl.ExtensionsBuilder; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeValue; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.Company; -import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; -import org.opensaml.saml2.metadata.EmailAddress; -import org.opensaml.saml2.metadata.EncryptionMethod; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.GivenName; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.KeyDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.NameIDFormat; -import org.opensaml.saml2.metadata.Organization; -import org.opensaml.saml2.metadata.OrganizationDisplayName; -import org.opensaml.saml2.metadata.OrganizationName; -import org.opensaml.saml2.metadata.OrganizationURL; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.SSODescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.saml2.metadata.SurName; -import org.opensaml.saml2.metadata.TelephoneNumber; -import org.opensaml.samlext.saml2mdattr.EntityAttributes; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.XMLObjectBuilderFactory; -import org.opensaml.xml.schema.XSString; -import org.opensaml.xml.schema.impl.XSStringBuilder; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.KeyInfo; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.collect.ImmutableSortedSet; -import com.google.common.collect.Ordering; - -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import eu.eidas.auth.commons.EIDASUtil; -import eu.eidas.auth.commons.EidasStringUtil; -import eu.eidas.auth.commons.attribute.AttributeDefinition; -import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat; -import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper; -import eu.eidas.auth.engine.ProtocolEngineI; -import eu.eidas.auth.engine.core.SAMLExtensionFormat; -import eu.eidas.auth.engine.core.eidas.DigestMethod; -import eu.eidas.auth.engine.core.eidas.EidasConstants; -import eu.eidas.auth.engine.core.eidas.SPType; -import eu.eidas.auth.engine.core.eidas.SigningMethod; -import eu.eidas.auth.engine.metadata.Contact; -import eu.eidas.auth.engine.metadata.EntityDescriptorContainer; -import eu.eidas.auth.engine.metadata.MetadataConfigParams; -import eu.eidas.auth.engine.metadata.MetadataGenerator; -import eu.eidas.auth.engine.metadata.MetadataSignerI; -import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil; -import eu.eidas.auth.engine.xml.opensaml.CertificateUtil; -import eu.eidas.encryption.exception.UnmarshallException; -import eu.eidas.engine.exceptions.EIDASSAMLEngineException; -import eu.eidas.engine.exceptions.SAMLEngineException; - -/** - * @author tlenz - * - */ -public class MOAeIDASMetadataGenerator extends MetadataGenerator { - private static final Logger LOGGER = LoggerFactory.getLogger(MetadataGenerator.class.getName()); - - MetadataConfigParams params; - - XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); - - SPSSODescriptor spSSODescriptor = null; - - IDPSSODescriptor idpSSODescriptor = null; - - private String ssoLocation; - - /** - * @return a String representation of the entityDescriptr built based on the attributes previously set - */ - public String generateMetadata() throws EIDASSAMLEngineException { - EntityDescriptor entityDescriptor; - try { - entityDescriptor = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME) - .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME); - - entityDescriptor.setEntityID(params.getEntityID()); - entityDescriptor.setOrganization(buildOrganization()); - - /**FIXME: - * HOTFIX: do not add empty contactPerson elements - */ - ContactPerson contactSupport = buildContact(ContactPersonTypeEnumeration.SUPPORT); - if (contactSupport != null) - entityDescriptor.getContactPersons().add(contactSupport); - ContactPerson contactTech = buildContact(ContactPersonTypeEnumeration.TECHNICAL); - if (contactTech != null) - entityDescriptor.getContactPersons().add(contactTech); - - entityDescriptor.setValidUntil(getExpireDate()); - - X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory(); - keyInfoGeneratorFactory.setEmitEntityCertificate(true); - Extensions e = generateExtensions(); - if (!e.getUnknownXMLObjects().isEmpty()) { - entityDescriptor.setExtensions(e); - } - if (spSSODescriptor != null) { - generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory); - } - if (idpSSODescriptor != null) { - generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory); - } - if (params.getSpEngine() != null) { - ProtocolEngineI spEngine = params.getSpEngine(); - ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor); - } else if (params.getIdpEngine() != null) { - ProtocolEngineI idpEngine = params.getIdpEngine(); - ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor); - } - return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false)); - } catch (Exception ex) { - LOGGER.info("ERROR : SAMLException ", ex.getMessage()); - LOGGER.debug("ERROR : SAMLException ", ex); - throw new IllegalStateException(ex); - } - } - - private void generateSPSSODescriptor(final EntityDescriptor entityDescriptor, - final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) - throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException, - SAMLEngineException, EIDASSAMLEngineException { - //the node has SP role - spSSODescriptor.setWantAssertionsSigned(params.isWantAssertionsSigned()); - spSSODescriptor.setAuthnRequestsSigned(true); - - - /**FIXME: - * "SP" + params.getEntityID()) is not a valid XML ID attribute value - */ - //spSSODescriptor.setID(idpSSODescriptor == null ? params.getEntityID() : ("SP" + params.getEntityID())); - spSSODescriptor.setID(SAML2Utils.getSecureIdentifier()); - - - if (params.getSPSignature() != null) { - spSSODescriptor.setSignature(params.getSPSignature()); - } - if (params.getSpSigningCredential() != null) { - spSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpSigningCredential(), UsageType.SIGNING)); - - } else if (params.getSigningCredential() != null) { - spSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING)); - } - - if (params.getSpEncryptionCredential() != null) { - spSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpEncryptionCredential(), - UsageType.ENCRYPTION)); - } else if (params.getEncryptionCredential() != null) { - spSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION)); - } - spSSODescriptor.addSupportedProtocol(params.getSpSamlProtocol()); - if (!StringUtils.isEmpty(params.getAssertionConsumerUrl())) { - addAssertionConsumerService(); - } - - //FIX: Austrian eIDAS node SP only needs persistent identifiers - NameIDFormat persistentFormat = - (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); - persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat()); - spSSODescriptor.getNameIDFormats().add(persistentFormat); - - /**FIXME: - * Double signing of SPSSODescribtor is not required - */ -// if (params.getSpEngine() != null) { -// ProtocolEngineI spEngine = params.getSpEngine(); -// ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor); -// } - - entityDescriptor.getRoleDescriptors().add(spSSODescriptor); - - } - - private void fillIDPNameIDFormat(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException { - NameIDFormat persistentFormat = - (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); - persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat()); - ssoDescriptor.getNameIDFormats().add(persistentFormat); - NameIDFormat transientFormat = - (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); - transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat()); - ssoDescriptor.getNameIDFormats().add(transientFormat); - NameIDFormat unspecifiedFormat = - (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); - unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat()); - ssoDescriptor.getNameIDFormats().add(unspecifiedFormat); - } - - private void generateIDPSSODescriptor(final EntityDescriptor entityDescriptor, - final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) - throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException, - SAMLEngineException, EIDASSAMLEngineException { - //the node has IDP role - idpSSODescriptor.setWantAuthnRequestsSigned(true); - - /**FIXME: - * "IDP" + params.getEntityID()) is not a valid XML ID attribute value - */ - //idpSSODescriptor.setID(spSSODescriptor == null ? params.getEntityID() : ("IDP" + params.getEntityID())); - idpSSODescriptor.setID(SAML2Utils.getSecureIdentifier()); - - if (params.getIDPSignature() != null) { - idpSSODescriptor.setSignature(params.getIDPSignature()); - } - if (params.getIdpSigningCredential() != null) { - idpSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpSigningCredential(), UsageType.SIGNING)); - } else if (params.getSigningCredential() != null) { - idpSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING)); - } - if (params.getIdpEncryptionCredential() != null) { - idpSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpEncryptionCredential(), - UsageType.ENCRYPTION)); - } else if (params.getEncryptionCredential() != null) { - idpSSODescriptor.getKeyDescriptors() - .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION)); - } - idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol()); - - //Austrian eIDAS node IDP can provided persistent, transient, and unspecified identifiers - fillIDPNameIDFormat(idpSSODescriptor); - - - if (params.getIdpEngine() != null) { - if (params.getIdpEngine().getProtocolProcessor() != null - && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) { - - /*TODO: Only a work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata - * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more. - * - * INFO: Maybe, this code can be removed in a future version of the eIDAS engine - */ - generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes()); - } - - - /**FIXME: - * Double signing of IDPSSODescribtor is not required - */ -// ProtocolEngineI idpEngine = params.getIdpEngine(); -// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor); - } - - idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations()); - - entityDescriptor.getRoleDescriptors().add(idpSSODescriptor); - - } - - /* FIX: Work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata - * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more. - */ - public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() { - ImmutableSortedSet.Builder<AttributeDefinition<?>> builder = - new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural()); - - for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) { - AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr); - builder.add(supAttr); - } - - return builder.build(); - } - - private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations() - throws NoSuchFieldException, IllegalAccessException { - ArrayList<SingleSignOnService> singleSignOnServices = new ArrayList<SingleSignOnService>(); - - HashMap<String, String> bindingLocations = params.getProtocolBindingLocation(); - for (String binding : bindingLocations.keySet()) { - SingleSignOnService ssos = BuilderFactoryUtil.buildXmlObject(SingleSignOnService.class); - ssos.setBinding(binding); - ssos.setLocation(bindingLocations.get(binding)); - singleSignOnServices.add(ssos); - } - - return singleSignOnServices; - } - - /** - * @param metadata - * @return an EntityDescriptor parsed from the given String or null - */ - // TODO (commented by donydgr) Move to a eu.eidas.auth.engine.metadata.MetadataUtil ? Throw an exception if the metadata is invalid instead of returning null ? - public static EntityDescriptorContainer deserializeEntityDescriptor(String metadata) { - EntityDescriptorContainer result = new EntityDescriptorContainer(); - try { - byte[] metaDataBytes = EidasStringUtil.getBytes(metadata); - XMLObject obj = OpenSamlHelper.unmarshall(metaDataBytes); - if (obj instanceof EntityDescriptor) { - result.addEntityDescriptor((EntityDescriptor) obj, metaDataBytes); - } else if (obj instanceof EntitiesDescriptor) { - EntitiesDescriptor ed = (EntitiesDescriptor) obj; - result.setEntitiesDescriptor(ed); - result.getEntityDescriptors().addAll(((EntitiesDescriptor) obj).getEntityDescriptors()); - result.setSerializedEntitesDescriptor(metaDataBytes); - } - } catch (UnmarshallException ue) { - LOGGER.info("ERROR : unmarshalling error", ue.getMessage()); - LOGGER.debug("ERROR : unmarshalling error", ue); - } - return result; - } - - private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory, - Credential credential, - UsageType usage) - throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException { - KeyDescriptor keyDescriptor = null; - if (credential != null) { - keyDescriptor = BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class); - KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance(); - - KeyInfo keyInfo = keyInfoGenerator.generate(credential); - keyDescriptor.setUse(usage); - keyDescriptor.setKeyInfo(keyInfo); - if (usage == UsageType.ENCRYPTION && params.getEncryptionAlgorithms() != null) { - Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(params.getEncryptionAlgorithms()); - for (String encryptionAlgo : encryptionAlgos) { - EncryptionMethod em = - (EncryptionMethod) BuilderFactoryUtil.buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME); - em.setAlgorithm(encryptionAlgo); - keyDescriptor.getEncryptionMethods().add(em); - } - } - - } - return keyDescriptor; - } - - private Organization buildOrganization() { - Organization organization = null; - try { - organization = BuilderFactoryUtil.buildXmlObject(Organization.class); - - /**FIXME: - * set correct OrganizationName value if it is not fixed in next eIDAS node version - */ - OrganizationName orgName = BuilderFactoryUtil.buildXmlObject(OrganizationName.class); - orgName.setName(new LocalizedString(params.getNodeUrl(), "en")); - organization.getOrganizationNames().add(orgName); - - OrganizationDisplayName odn = BuilderFactoryUtil.buildXmlObject(OrganizationDisplayName.class); - odn.setName(new LocalizedString(params.getCountryName(), "en")); - organization.getDisplayNames().add(odn); - OrganizationURL url = BuilderFactoryUtil.buildXmlObject(OrganizationURL.class); - url.setURL(new LocalizedString(params.getNodeUrl(), "en")); - organization.getURLs().add(url); - } catch (IllegalAccessException iae) { - LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage()); - LOGGER.debug("ERROR : error generating the Organization: {}", iae); - } catch (NoSuchFieldException nfe) { - LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage()); - LOGGER.debug("ERROR : error generating the Organization: {}", nfe); - } - return organization; - } - - private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) { - ContactPerson contact = null; - try { - Contact currentContact = null; - if (contactType == ContactPersonTypeEnumeration.SUPPORT) { - currentContact = params.getSupportContact(); - } else if (contactType == ContactPersonTypeEnumeration.TECHNICAL) { - currentContact = params.getTechnicalContact(); - } else { - LOGGER.error("ERROR: unsupported contact type"); - } - contact = BuilderFactoryUtil.buildXmlObject(ContactPerson.class); - if (currentContact == null) { - LOGGER.error("ERROR: cannot retrieve contact from the configuration"); - return null; - } - - EmailAddress emailAddressObj = BuilderFactoryUtil.buildXmlObject(EmailAddress.class); - Company company = BuilderFactoryUtil.buildXmlObject(Company.class); - GivenName givenName = BuilderFactoryUtil.buildXmlObject(GivenName.class); - SurName surName = BuilderFactoryUtil.buildXmlObject(SurName.class); - TelephoneNumber phoneNumber = BuilderFactoryUtil.buildXmlObject(TelephoneNumber.class); - contact.setType(contactType); - emailAddressObj.setAddress(currentContact.getEmail()); - company.setName(currentContact.getCompany()); - givenName.setName(currentContact.getGivenName()); - surName.setName(currentContact.getSurName()); - phoneNumber.setNumber(currentContact.getPhone()); - - populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber); - - } catch (IllegalAccessException iae) { - LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage()); - LOGGER.debug("ERROR : error generating the Organization: {}", iae); - } catch (NoSuchFieldException nfe) { - LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage()); - LOGGER.debug("ERROR : error generating the Organization: {}", nfe); - } - return contact; - } - - private void populateContact(ContactPerson contact, - Contact currentContact, - EmailAddress emailAddressObj, - Company company, - GivenName givenName, - SurName surName, - TelephoneNumber phoneNumber) { - if (!StringUtils.isEmpty(currentContact.getEmail())) { - contact.getEmailAddresses().add(emailAddressObj); - } - if (!StringUtils.isEmpty(currentContact.getCompany())) { - contact.setCompany(company); - } - if (!StringUtils.isEmpty(currentContact.getGivenName())) { - contact.setGivenName(givenName); - } - if (!StringUtils.isEmpty(currentContact.getSurName())) { - contact.setSurName(surName); - } - if (!StringUtils.isEmpty(currentContact.getPhone())) { - contact.getTelephoneNumbers().add(phoneNumber); - } - - } - - /** - * @param engine a EIDASSamlEngine from which signing and encryption information is extracted - */ - - public void initialize(ProtocolEngineI engine) throws EIDASSAMLEngineException { - - X509Certificate decryptionCertificate = engine.getDecryptionCertificate(); - if (null != decryptionCertificate) { - params.setSpEncryptionCredential(CertificateUtil.toCredential(decryptionCertificate)); - } - params.setSigningCredential(CertificateUtil.toCredential(engine.getSigningCertificate())); - params.setIdpEngine(engine); - params.setSpEngine(engine); - } - - /** - * @param spEngine a EIDASSamlEngine for the - */ - - public void initialize(ProtocolEngineI spEngine, ProtocolEngineI idpEngine) throws EIDASSAMLEngineException { - if (idpEngine != null) { - idpEngine.getProtocolProcessor().configure(); - params.setIdpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate())); - - final X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate(); - if (idpEngineDecryptionCertificate != null) { - params.setIdpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate)); - } - - } - if (spEngine != null) { - spEngine.getProtocolProcessor().configure(); - params.setSpSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate())); - - final X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate(); - if (spEngineDecryptionCertificate != null) { - params.setSpEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate)); - } - } - - params.setIdpEngine(idpEngine); - params.setSpEngine(spEngine); - } - - public void addSPRole() throws EIDASSAMLEngineException { - try { - if (spSSODescriptor == null) { - spSSODescriptor = BuilderFactoryUtil.buildXmlObject(SPSSODescriptor.class); - } - } catch (IllegalAccessException iae) { - throw new EIDASSAMLEngineException(iae); - } catch (NoSuchFieldException nsfe) { - throw new EIDASSAMLEngineException(nsfe); - } - } - - public void addIDPRole() throws EIDASSAMLEngineException { - try { - if (idpSSODescriptor == null) { - idpSSODescriptor = BuilderFactoryUtil.buildXmlObject(IDPSSODescriptor.class); - } - } catch (IllegalAccessException iae) { - throw new EIDASSAMLEngineException(iae); - } catch (NoSuchFieldException nsfe) { - throw new EIDASSAMLEngineException(nsfe); - } - } - - private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException { - if (!StringUtils.isEmpty(params.getDigestMethods())) { - Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(params.getDigestMethods()); - Set<String> digestMethods = new HashSet<String>(); - for (String signatureMethod : signatureMethods) { - - //BUGFIX: eIDAS implementation does not allow MGF1 signature schemes - digestMethods.add(signatureMethod); - //digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod)); - } - for (String digestMethod : digestMethods) { - final DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME); - if (dm != null) { - dm.setAlgorithm(digestMethod); - eidasExtensions.getUnknownXMLObjects().add(dm); - } else { - LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension"); - } - } - } - - } - - private Extensions generateExtensions() throws EIDASSAMLEngineException { - /**FIXME: BuilderFactoryUtil.generateExtension() generates extensions from SAML2 request namespace - * but SAML2 metadata namespace is required - **/ - //Extensions eidasExtensions = BuilderFactoryUtil.generateExtension(); - - ExtensionsBuilder extensionsBuilder = new ExtensionsBuilder(); - Extensions eidasExtensions = extensionsBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:metadata", "Extensions", "md"); - - if (params.getAssuranceLevel() != null) { - generateLoA(eidasExtensions); - } - if (!StringUtils.isEmpty(params.getSpType())) { - final SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME); - if (spTypeObj != null) { - spTypeObj.setSPType(params.getSpType()); - eidasExtensions.getUnknownXMLObjects().add(spTypeObj); - } else { - LOGGER.info("BUSINESS EXCEPTION error adding SPType extension"); - } - } - generateDigest(eidasExtensions); - - if (!StringUtils.isEmpty(params.getSigningMethods())) { - Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(params.getSigningMethods()); - for (String signMethod : signMethods) { - final SigningMethod sm = - (SigningMethod) BuilderFactoryUtil.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME); - if (sm != null) { - sm.setAlgorithm(signMethod); - eidasExtensions.getUnknownXMLObjects().add(sm); - } else { - LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension"); - } - } - } - return eidasExtensions; - } - - private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException { - EntityAttributes loa = - (EntityAttributes) BuilderFactoryUtil.buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME); - Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME); - loaAttrib.setName(EidasConstants.LEVEL_OF_ASSURANCE_NAME); - loaAttrib.setNameFormat(Attribute.URI_REFERENCE); - XSStringBuilder stringBuilder = - (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); - XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME); - stringValue.setValue(params.getAssuranceLevel()); - loaAttrib.getAttributeValues().add(stringValue); - loa.getAttributes().add(loaAttrib); - eidasExtensions.getUnknownXMLObjects().add(loa); - - } - - private static final Set<String> DEFAULT_BINDING = new HashSet<String>() {{ - this.add(SAMLConstants.SAML2_POST_BINDING_URI); - }}; - - private void addAssertionConsumerService() throws EIDASSAMLEngineException { - int index = 0; - Set<String> bindings = params.getProtocolBinding().isEmpty() ? DEFAULT_BINDING : params.getProtocolBinding(); - for (String binding : bindings) { - AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil.buildXmlObject( - AssertionConsumerService.DEFAULT_ELEMENT_NAME); - asc.setLocation(params.getAssertionConsumerUrl()); - asc.setBinding(checkBinding(binding)); - asc.setIndex(index); - if (index == 0) { - asc.setIsDefault(true); - } - index++; - spSSODescriptor.getAssertionConsumerServices().add(asc); - } - } - - private String checkBinding(String binding) { - if (binding != null && (binding.equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) || binding.equals( - SAMLConstants.SAML2_POST_BINDING_URI))) { - return binding; - } - return SAMLConstants.SAML2_POST_BINDING_URI; - } - - private DateTime getExpireDate() { - DateTime expiryDate = DateTime.now(); - expiryDate = - expiryDate.withFieldAdded(DurationFieldType.seconds(), (int) (getConfigParams().getValidityDuration())); - return expiryDate; - } - - private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor, - ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions) - throws EIDASSAMLEngineException { - List<Attribute> attributes = idpssoDescriptor.getAttributes(); - for (AttributeDefinition<?> attributeDefinition : attributeDefinitions) { - Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME); - a.setName(attributeDefinition.getNameUri().toASCIIString()); - a.setFriendlyName(attributeDefinition.getFriendlyName()); - a.setNameFormat(Attribute.URI_REFERENCE); - attributes.add(a); - } - } - - public MetadataConfigParams getConfigParams() { - return params; - } - - public void setConfigParams(MetadataConfigParams params) { - this.params = params; - } - -} +///* +// * Copyright 2014 Federal Chancellery Austria +// * MOA-ID has been developed in a cooperation between BRZ, the Federal +// * Chancellery Austria - ICT staff unit, and Graz University of Technology. +// * +// * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by +// * the European Commission - subsequent versions of the EUPL (the "Licence"); +// * You may not use this work except in compliance with the Licence. +// * You may obtain a copy of the Licence at: +// * http://www.osor.eu/eupl/ +// * +// * Unless required by applicable law or agreed to in writing, software +// * distributed under the Licence is distributed on an "AS IS" basis, +// * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// * See the Licence for the specific language governing permissions and +// * limitations under the Licence. +// * +// * This product combines work with different licenses. See the "NOTICE" text +// * file for details on the various modules and licenses. +// * The "NOTICE" text file is part of the distribution. Any derivative works +// * that you distribute must include a readable copy of the "NOTICE" text file. +// */ +//package at.gv.egovernment.moa.id.auth.modules.eidas.utils; +// +//import java.security.cert.X509Certificate; +//import java.util.ArrayList; +//import java.util.HashMap; +//import java.util.HashSet; +//import java.util.List; +//import java.util.Set; +// +//import org.apache.commons.lang.StringUtils; +//import org.joda.time.DateTime; +//import org.joda.time.DurationFieldType; +//import org.opensaml.Configuration; +//import org.opensaml.common.xml.SAMLConstants; +//import org.opensaml.saml2.common.Extensions; +//import org.opensaml.saml2.common.impl.ExtensionsBuilder; +//import org.opensaml.saml2.core.Attribute; +//import org.opensaml.saml2.core.AttributeValue; +//import org.opensaml.saml2.metadata.AssertionConsumerService; +//import org.opensaml.saml2.metadata.Company; +//import org.opensaml.saml2.metadata.ContactPerson; +//import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; +//import org.opensaml.saml2.metadata.EmailAddress; +//import org.opensaml.saml2.metadata.EncryptionMethod; +//import org.opensaml.saml2.metadata.EntitiesDescriptor; +//import org.opensaml.saml2.metadata.EntityDescriptor; +//import org.opensaml.saml2.metadata.GivenName; +//import org.opensaml.saml2.metadata.IDPSSODescriptor; +//import org.opensaml.saml2.metadata.KeyDescriptor; +//import org.opensaml.saml2.metadata.LocalizedString; +//import org.opensaml.saml2.metadata.NameIDFormat; +//import org.opensaml.saml2.metadata.Organization; +//import org.opensaml.saml2.metadata.OrganizationDisplayName; +//import org.opensaml.saml2.metadata.OrganizationName; +//import org.opensaml.saml2.metadata.OrganizationURL; +//import org.opensaml.saml2.metadata.SPSSODescriptor; +//import org.opensaml.saml2.metadata.SSODescriptor; +//import org.opensaml.saml2.metadata.SingleSignOnService; +//import org.opensaml.saml2.metadata.SurName; +//import org.opensaml.saml2.metadata.TelephoneNumber; +//import org.opensaml.samlext.saml2mdattr.EntityAttributes; +//import org.opensaml.xml.XMLObject; +//import org.opensaml.xml.XMLObjectBuilderFactory; +//import org.opensaml.xml.schema.XSString; +//import org.opensaml.xml.schema.impl.XSStringBuilder; +//import org.opensaml.xml.security.SecurityException; +//import org.opensaml.xml.security.credential.Credential; +//import org.opensaml.xml.security.credential.UsageType; +//import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +//import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +//import org.opensaml.xml.signature.KeyInfo; +//import org.slf4j.Logger; +//import org.slf4j.LoggerFactory; +// +//import com.google.common.collect.ImmutableSortedSet; +//import com.google.common.collect.Ordering; +// +//import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.Contact; +//import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +//import eu.eidas.auth.commons.EIDASUtil; +//import eu.eidas.auth.commons.EidasStringUtil; +//import eu.eidas.auth.commons.attribute.AttributeDefinition; +//import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat; +//import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper; +//import eu.eidas.auth.engine.ProtocolEngineI; +//import eu.eidas.auth.engine.core.SAMLExtensionFormat; +//import eu.eidas.auth.engine.core.eidas.DigestMethod; +//import eu.eidas.auth.engine.core.eidas.EidasConstants; +//import eu.eidas.auth.engine.core.eidas.SPType; +//import eu.eidas.auth.engine.core.eidas.SigningMethod; +//import eu.eidas.auth.engine.metadata.EntityDescriptorContainer; +//import eu.eidas.auth.engine.metadata.MetadataConfigParams; +//import eu.eidas.auth.engine.metadata.MetadataGenerator; +//import eu.eidas.auth.engine.metadata.MetadataSignerI; +//import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil; +//import eu.eidas.auth.engine.xml.opensaml.CertificateUtil; +//import eu.eidas.encryption.exception.UnmarshallException; +//import eu.eidas.engine.exceptions.EIDASSAMLEngineException; +//import eu.eidas.engine.exceptions.SAMLEngineException; +// +///** +// * @author tlenz +// * +// */ +//public class MOAeIDASMetadataGenerator extends MetadataGenerator { +// private static final Logger LOGGER = LoggerFactory.getLogger(MetadataGenerator.class.getName()); +// +// MetadataConfigParams params; +// +// XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); +// +// SPSSODescriptor spSSODescriptor = null; +// +// IDPSSODescriptor idpSSODescriptor = null; +// +// private String ssoLocation; +// +// /** +// * @return a String representation of the entityDescriptr built based on the attributes previously set +// */ +// public String generateMetadata() throws EIDASSAMLEngineException { +// EntityDescriptor entityDescriptor; +// try { +// entityDescriptor = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME) +// .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME); +// +// entityDescriptor.setEntityID(params.getEntityID()); +// entityDescriptor.setOrganization(buildOrganization()); +// +// /**FIXME: +// * HOTFIX: do not add empty contactPerson elements +// */ +// ContactPerson contactSupport = buildContact(ContactPersonTypeEnumeration.SUPPORT); +// if (contactSupport != null) +// entityDescriptor.getContactPersons().add(contactSupport); +// ContactPerson contactTech = buildContact(ContactPersonTypeEnumeration.TECHNICAL); +// if (contactTech != null) +// entityDescriptor.getContactPersons().add(contactTech); +// +// entityDescriptor.setValidUntil(getExpireDate()); +// +// X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory(); +// keyInfoGeneratorFactory.setEmitEntityCertificate(true); +// Extensions e = generateExtensions(); +// if (!e.getUnknownXMLObjects().isEmpty()) { +// entityDescriptor.setExtensions(e); +// } +// if (spSSODescriptor != null) { +// generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory); +// } +// if (idpSSODescriptor != null) { +// generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory); +// } +// if (params.getSpEngine() != null) { +// ProtocolEngineI spEngine = params.getSpEngine(); +// ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor); +// } else if (params.getIdpEngine() != null) { +// ProtocolEngineI idpEngine = params.getIdpEngine(); +// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor); +// } +// return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false)); +// } catch (Exception ex) { +// LOGGER.info("ERROR : SAMLException ", ex.getMessage()); +// LOGGER.debug("ERROR : SAMLException ", ex); +// throw new IllegalStateException(ex); +// } +// } +// +// private void generateSPSSODescriptor(final EntityDescriptor entityDescriptor, +// final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) +// throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException, +// SAMLEngineException, EIDASSAMLEngineException { +// //the node has SP role +// spSSODescriptor.setWantAssertionsSigned(params.isWantAssertionsSigned()); +// spSSODescriptor.setAuthnRequestsSigned(true); +// +// +// /**FIXME: +// * "SP" + params.getEntityID()) is not a valid XML ID attribute value +// */ +// //spSSODescriptor.setID(idpSSODescriptor == null ? params.getEntityID() : ("SP" + params.getEntityID())); +// spSSODescriptor.setID(SAML2Utils.getSecureIdentifier()); +// +// +// if (params.getSPSignature() != null) { +// spSSODescriptor.setSignature(params.getSPSignature()); +// } +// if (params.getSpSigningCredential() != null) { +// spSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpSigningCredential(), UsageType.SIGNING)); +// +// } else if (params.getSigningCredential() != null) { +// spSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING)); +// } +// +// if (params.getSpEncryptionCredential() != null) { +// spSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpEncryptionCredential(), +// UsageType.ENCRYPTION)); +// } else if (params.getEncryptionCredential() != null) { +// spSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION)); +// } +// spSSODescriptor.addSupportedProtocol(params.getSpSamlProtocol()); +// if (!StringUtils.isEmpty(params.getAssertionConsumerUrl())) { +// addAssertionConsumerService(); +// } +// +// //FIX: Austrian eIDAS node SP only needs persistent identifiers +// NameIDFormat persistentFormat = +// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); +// persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat()); +// spSSODescriptor.getNameIDFormats().add(persistentFormat); +// +// /**FIXME: +// * Double signing of SPSSODescribtor is not required +// */ +//// if (params.getSpEngine() != null) { +//// ProtocolEngineI spEngine = params.getSpEngine(); +//// ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor); +//// } +// +// entityDescriptor.getRoleDescriptors().add(spSSODescriptor); +// +// } +// +// private void fillIDPNameIDFormat(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException { +// NameIDFormat persistentFormat = +// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); +// persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat()); +// ssoDescriptor.getNameIDFormats().add(persistentFormat); +// NameIDFormat transientFormat = +// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); +// transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat()); +// ssoDescriptor.getNameIDFormats().add(transientFormat); +// NameIDFormat unspecifiedFormat = +// (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); +// unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat()); +// ssoDescriptor.getNameIDFormats().add(unspecifiedFormat); +// } +// +// private void generateIDPSSODescriptor(final EntityDescriptor entityDescriptor, +// final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) +// throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException, +// SAMLEngineException, EIDASSAMLEngineException { +// //the node has IDP role +// idpSSODescriptor.setWantAuthnRequestsSigned(true); +// +// /**FIXME: +// * "IDP" + params.getEntityID()) is not a valid XML ID attribute value +// */ +// //idpSSODescriptor.setID(spSSODescriptor == null ? params.getEntityID() : ("IDP" + params.getEntityID())); +// idpSSODescriptor.setID(SAML2Utils.getSecureIdentifier()); +// +// if (params.getIDPSignature() != null) { +// idpSSODescriptor.setSignature(params.getIDPSignature()); +// } +// if (params.getIdpSigningCredential() != null) { +// idpSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpSigningCredential(), UsageType.SIGNING)); +// } else if (params.getSigningCredential() != null) { +// idpSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING)); +// } +// if (params.getIdpEncryptionCredential() != null) { +// idpSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpEncryptionCredential(), +// UsageType.ENCRYPTION)); +// } else if (params.getEncryptionCredential() != null) { +// idpSSODescriptor.getKeyDescriptors() +// .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION)); +// } +// idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol()); +// +// //Austrian eIDAS node IDP can provided persistent, transient, and unspecified identifiers +// fillIDPNameIDFormat(idpSSODescriptor); +// +// +// if (params.getIdpEngine() != null) { +// if (params.getIdpEngine().getProtocolProcessor() != null +// && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) { +// +// generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes()); +// } +// +// +// /**FIXME: +// * Double signing of IDPSSODescribtor is not required +// */ +//// ProtocolEngineI idpEngine = params.getIdpEngine(); +//// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor); +// } +// +// idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations()); +// +// entityDescriptor.getRoleDescriptors().add(idpSSODescriptor); +// +// } +// +// /* FIX: Work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata +// * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more. +// */ +// public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() { +// ImmutableSortedSet.Builder<AttributeDefinition<?>> builder = +// new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural()); +// +// for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) { +// AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr); +// builder.add(supAttr); +// } +// +// return builder.build(); +// } +// +// private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations() +// throws NoSuchFieldException, IllegalAccessException { +// ArrayList<SingleSignOnService> singleSignOnServices = new ArrayList<SingleSignOnService>(); +// +// HashMap<String, String> bindingLocations = params.getProtocolBindingLocation(); +// for (String binding : bindingLocations.keySet()) { +// SingleSignOnService ssos = BuilderFactoryUtil.buildXmlObject(SingleSignOnService.class); +// ssos.setBinding(binding); +// ssos.setLocation(bindingLocations.get(binding)); +// singleSignOnServices.add(ssos); +// } +// +// return singleSignOnServices; +// } +// +// /** +// * @param metadata +// * @return an EntityDescriptor parsed from the given String or null +// */ +// // TODO (commented by donydgr) Move to a eu.eidas.auth.engine.metadata.MetadataUtil ? Throw an exception if the metadata is invalid instead of returning null ? +// public static EntityDescriptorContainer deserializeEntityDescriptor(String metadata) { +// EntityDescriptorContainer result = new EntityDescriptorContainer(); +// try { +// byte[] metaDataBytes = EidasStringUtil.getBytes(metadata); +// XMLObject obj = OpenSamlHelper.unmarshall(metaDataBytes); +// if (obj instanceof EntityDescriptor) { +// result.addEntityDescriptor((EntityDescriptor) obj, metaDataBytes); +// } else if (obj instanceof EntitiesDescriptor) { +// EntitiesDescriptor ed = (EntitiesDescriptor) obj; +// result.setEntitiesDescriptor(ed); +// result.getEntityDescriptors().addAll(((EntitiesDescriptor) obj).getEntityDescriptors()); +// result.setSerializedEntitesDescriptor(metaDataBytes); +// } +// } catch (UnmarshallException ue) { +// LOGGER.info("ERROR : unmarshalling error", ue.getMessage()); +// LOGGER.debug("ERROR : unmarshalling error", ue); +// } +// return result; +// } +// +// private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory, +// Credential credential, +// UsageType usage) +// throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException { +// KeyDescriptor keyDescriptor = null; +// if (credential != null) { +// keyDescriptor = BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class); +// KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance(); +// +// KeyInfo keyInfo = keyInfoGenerator.generate(credential); +// keyDescriptor.setUse(usage); +// keyDescriptor.setKeyInfo(keyInfo); +// if (usage == UsageType.ENCRYPTION && params.getEncryptionAlgorithms() != null) { +// Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(params.getEncryptionAlgorithms()); +// for (String encryptionAlgo : encryptionAlgos) { +// EncryptionMethod em = +// (EncryptionMethod) BuilderFactoryUtil.buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME); +// em.setAlgorithm(encryptionAlgo); +// keyDescriptor.getEncryptionMethods().add(em); +// } +// } +// +// } +// return keyDescriptor; +// } +// +// private Organization buildOrganization() { +// Organization organization = null; +// try { +// organization = BuilderFactoryUtil.buildXmlObject(Organization.class); +// +// /**FIXME: +// * set correct OrganizationName value if it is not fixed in next eIDAS node version +// */ +// OrganizationName orgName = BuilderFactoryUtil.buildXmlObject(OrganizationName.class); +// orgName.setName(new LocalizedString(params.getNodeUrl(), "en")); +// organization.getOrganizationNames().add(orgName); +// +// OrganizationDisplayName odn = BuilderFactoryUtil.buildXmlObject(OrganizationDisplayName.class); +// odn.setName(new LocalizedString(params.getCountryName(), "en")); +// organization.getDisplayNames().add(odn); +// OrganizationURL url = BuilderFactoryUtil.buildXmlObject(OrganizationURL.class); +// url.setURL(new LocalizedString(params.getNodeUrl(), "en")); +// organization.getURLs().add(url); +// } catch (IllegalAccessException iae) { +// LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage()); +// LOGGER.debug("ERROR : error generating the Organization: {}", iae); +// } catch (NoSuchFieldException nfe) { +// LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage()); +// LOGGER.debug("ERROR : error generating the Organization: {}", nfe); +// } +// return organization; +// } +// +// private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) { +// ContactPerson contact = null; +// try { +// Contact currentContact = null; +// if (contactType == ContactPersonTypeEnumeration.SUPPORT) { +// currentContact = params.getSupportContact(); +// } else if (contactType == ContactPersonTypeEnumeration.TECHNICAL) { +// currentContact = params.getTechnicalContact(); +// } else { +// LOGGER.error("ERROR: unsupported contact type"); +// } +// contact = BuilderFactoryUtil.buildXmlObject(ContactPerson.class); +// if (currentContact == null) { +// LOGGER.error("ERROR: cannot retrieve contact from the configuration"); +// return null; +// } +// +// EmailAddress emailAddressObj = BuilderFactoryUtil.buildXmlObject(EmailAddress.class); +// Company company = BuilderFactoryUtil.buildXmlObject(Company.class); +// GivenName givenName = BuilderFactoryUtil.buildXmlObject(GivenName.class); +// SurName surName = BuilderFactoryUtil.buildXmlObject(SurName.class); +// TelephoneNumber phoneNumber = BuilderFactoryUtil.buildXmlObject(TelephoneNumber.class); +// contact.setType(contactType); +// emailAddressObj.setAddress(currentContact.getEmail()); +// company.setName(currentContact.getCompany()); +// givenName.setName(currentContact.getGivenName()); +// surName.setName(currentContact.getSurName()); +// phoneNumber.setNumber(currentContact.getPhone()); +// +// populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber); +// +// } catch (IllegalAccessException iae) { +// LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage()); +// LOGGER.debug("ERROR : error generating the Organization: {}", iae); +// } catch (NoSuchFieldException nfe) { +// LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage()); +// LOGGER.debug("ERROR : error generating the Organization: {}", nfe); +// } +// return contact; +// } +// +// private void populateContact(ContactPerson contact, +// Contact currentContact, +// EmailAddress emailAddressObj, +// Company company, +// GivenName givenName, +// SurName surName, +// TelephoneNumber phoneNumber) { +// if (!StringUtils.isEmpty(currentContact.getEmail())) { +// contact.getEmailAddresses().add(emailAddressObj); +// } +// if (!StringUtils.isEmpty(currentContact.getCompany())) { +// contact.setCompany(company); +// } +// if (!StringUtils.isEmpty(currentContact.getGivenName())) { +// contact.setGivenName(givenName); +// } +// if (!StringUtils.isEmpty(currentContact.getSurName())) { +// contact.setSurName(surName); +// } +// if (!StringUtils.isEmpty(currentContact.getPhone())) { +// contact.getTelephoneNumbers().add(phoneNumber); +// } +// +// } +// +// /** +// * @param engine a EIDASSamlEngine from which signing and encryption information is extracted +// */ +// +// public void initialize(ProtocolEngineI engine) throws EIDASSAMLEngineException { +// +// X509Certificate decryptionCertificate = engine.getDecryptionCertificate(); +// if (null != decryptionCertificate) { +// params.setSpEncryptionCredential(CertificateUtil.toCredential(decryptionCertificate)); +// } +// params.setSigningCredential(CertificateUtil.toCredential(engine.getSigningCertificate())); +// params.setIdpEngine(engine); +// params.setSpEngine(engine); +// } +// +// /** +// * @param spEngine a EIDASSamlEngine for the +// */ +// +// public void initialize(ProtocolEngineI spEngine, ProtocolEngineI idpEngine) throws EIDASSAMLEngineException { +// if (idpEngine != null) { +// idpEngine.getProtocolProcessor().configure(); +// params.setIdpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate())); +// +// final X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate(); +// if (idpEngineDecryptionCertificate != null) { +// params.setIdpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate)); +// } +// +// } +// if (spEngine != null) { +// spEngine.getProtocolProcessor().configure(); +// params.setSpSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate())); +// +// final X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate(); +// if (spEngineDecryptionCertificate != null) { +// params.setSpEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate)); +// } +// } +// +// params.setIdpEngine(idpEngine); +// params.setSpEngine(spEngine); +// } +// +// public void addSPRole() throws EIDASSAMLEngineException { +// try { +// if (spSSODescriptor == null) { +// spSSODescriptor = BuilderFactoryUtil.buildXmlObject(SPSSODescriptor.class); +// } +// } catch (IllegalAccessException iae) { +// throw new EIDASSAMLEngineException(iae); +// } catch (NoSuchFieldException nsfe) { +// throw new EIDASSAMLEngineException(nsfe); +// } +// } +// +// public void addIDPRole() throws EIDASSAMLEngineException { +// try { +// if (idpSSODescriptor == null) { +// idpSSODescriptor = BuilderFactoryUtil.buildXmlObject(IDPSSODescriptor.class); +// } +// } catch (IllegalAccessException iae) { +// throw new EIDASSAMLEngineException(iae); +// } catch (NoSuchFieldException nsfe) { +// throw new EIDASSAMLEngineException(nsfe); +// } +// } +// +// private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException { +// if (!StringUtils.isEmpty(params.getDigestMethods())) { +// Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(params.getDigestMethods()); +// Set<String> digestMethods = new HashSet<String>(); +// for (String signatureMethod : signatureMethods) { +// +// //BUGFIX: eIDAS implementation does not allow MGF1 signature schemes +// digestMethods.add(signatureMethod); +// //digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod)); +// } +// for (String digestMethod : digestMethods) { +// final DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME); +// if (dm != null) { +// dm.setAlgorithm(digestMethod); +// eidasExtensions.getUnknownXMLObjects().add(dm); +// } else { +// LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension"); +// } +// } +// } +// +// } +// +// private Extensions generateExtensions() throws EIDASSAMLEngineException { +// /**FIXME: BuilderFactoryUtil.generateExtension() generates extensions from SAML2 request namespace +// * but SAML2 metadata namespace is required +// **/ +// //Extensions eidasExtensions = BuilderFactoryUtil.generateExtension(); +// +// ExtensionsBuilder extensionsBuilder = new ExtensionsBuilder(); +// Extensions eidasExtensions = extensionsBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:metadata", "Extensions", "md"); +// +// if (params.getAssuranceLevel() != null) { +// generateLoA(eidasExtensions); +// } +// if (!StringUtils.isEmpty(params.getSpType())) { +// final SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME); +// if (spTypeObj != null) { +// spTypeObj.setSPType(params.getSpType()); +// eidasExtensions.getUnknownXMLObjects().add(spTypeObj); +// } else { +// LOGGER.info("BUSINESS EXCEPTION error adding SPType extension"); +// } +// } +// generateDigest(eidasExtensions); +// +// if (!StringUtils.isEmpty(params.getSigningMethods())) { +// Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(params.getSigningMethods()); +// for (String signMethod : signMethods) { +// final SigningMethod sm = +// (SigningMethod) BuilderFactoryUtil.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME); +// if (sm != null) { +// sm.setAlgorithm(signMethod); +// eidasExtensions.getUnknownXMLObjects().add(sm); +// } else { +// LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension"); +// } +// } +// } +// return eidasExtensions; +// } +// +// private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException { +// EntityAttributes loa = +// (EntityAttributes) BuilderFactoryUtil.buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME); +// Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME); +// loaAttrib.setName(EidasConstants.LEVEL_OF_ASSURANCE_NAME); +// loaAttrib.setNameFormat(Attribute.URI_REFERENCE); +// XSStringBuilder stringBuilder = +// (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); +// XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME); +// stringValue.setValue(params.getAssuranceLevel()); +// loaAttrib.getAttributeValues().add(stringValue); +// loa.getAttributes().add(loaAttrib); +// eidasExtensions.getUnknownXMLObjects().add(loa); +// +// } +// +// private static final Set<String> DEFAULT_BINDING = new HashSet<String>() {{ +// this.add(SAMLConstants.SAML2_POST_BINDING_URI); +// }}; +// +// private void addAssertionConsumerService() throws EIDASSAMLEngineException { +// int index = 0; +// Set<String> bindings = params.getProtocolBinding().isEmpty() ? DEFAULT_BINDING : params.getProtocolBinding(); +// for (String binding : bindings) { +// AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil.buildXmlObject( +// AssertionConsumerService.DEFAULT_ELEMENT_NAME); +// asc.setLocation(params.getAssertionConsumerUrl()); +// asc.setBinding(checkBinding(binding)); +// asc.setIndex(index); +// if (index == 0) { +// asc.setIsDefault(true); +// } +// index++; +// spSSODescriptor.getAssertionConsumerServices().add(asc); +// } +// } +// +// private String checkBinding(String binding) { +// if (binding != null && (binding.equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) || binding.equals( +// SAMLConstants.SAML2_POST_BINDING_URI))) { +// return binding; +// } +// return SAMLConstants.SAML2_POST_BINDING_URI; +// } +// +// private DateTime getExpireDate() { +// DateTime expiryDate = DateTime.now(); +// expiryDate = +// expiryDate.withFieldAdded(DurationFieldType.seconds(), (int) (getConfigParams().getValidityDuration())); +// return expiryDate; +// } +// +// private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor, +// ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions) +// throws EIDASSAMLEngineException { +// List<Attribute> attributes = idpssoDescriptor.getAttributes(); +// for (AttributeDefinition<?> attributeDefinition : attributeDefinitions) { +// Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME); +// a.setName(attributeDefinition.getNameUri().toASCIIString()); +// a.setFriendlyName(attributeDefinition.getFriendlyName()); +// a.setNameFormat(Attribute.URI_REFERENCE); +// attributes.add(a); +// } +// } +// +// public MetadataConfigParams getConfigParams() { +// return params; +// } +// +// public void setConfigParams(MetadataConfigParams params) { +// this.params = params; +// } +// +//} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java new file mode 100644 index 000000000..d0c003b31 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java @@ -0,0 +1,602 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidas.utils; + +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.commons.lang.StringUtils; +import org.joda.time.DateTime; +import org.joda.time.DurationFieldType; +import org.opensaml.Configuration; +import org.opensaml.saml2.common.Extensions; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeValue; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.Company; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; +import org.opensaml.saml2.metadata.EmailAddress; +import org.opensaml.saml2.metadata.EncryptionMethod; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.GivenName; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.OrganizationDisplayName; +import org.opensaml.saml2.metadata.OrganizationName; +import org.opensaml.saml2.metadata.OrganizationURL; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SSODescriptor; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.SurName; +import org.opensaml.saml2.metadata.TelephoneNumber; +import org.opensaml.samlext.saml2mdattr.EntityAttributes; +import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.xml.schema.XSString; +import org.opensaml.xml.schema.impl.XSStringBuilder; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.KeyInfo; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.collect.ImmutableSortedSet; +import com.google.common.collect.Ordering; + +import eu.eidas.auth.commons.EIDASUtil; +import eu.eidas.auth.commons.EidasStringUtil; +import eu.eidas.auth.commons.attribute.AttributeDefinition; +import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat; +import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper; +import eu.eidas.auth.engine.ProtocolEngineI; +import eu.eidas.auth.engine.core.SAMLExtensionFormat; +import eu.eidas.auth.engine.core.eidas.DigestMethod; +import eu.eidas.auth.engine.core.eidas.SPType; +import eu.eidas.auth.engine.core.eidas.SigningMethod; +import eu.eidas.auth.engine.metadata.ContactData; +import eu.eidas.auth.engine.metadata.EidasMetadata; +import eu.eidas.auth.engine.metadata.MetadataConfigParams; +import eu.eidas.auth.engine.metadata.MetadataSignerI; +import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil; +import eu.eidas.auth.engine.xml.opensaml.CertificateUtil; +import eu.eidas.engine.exceptions.EIDASSAMLEngineException; +import eu.eidas.engine.exceptions.SAMLEngineException; +import eu.eidas.util.Preconditions; + +/** + * @author tlenz + * + * MOA specific implementation of {@link EidasMetadata} + * This version fix some bugs<br> + * <ul> + * <li>Does not add an encryption certificated to IDPSSODescriptor</li> + * <li>Only set provideable eIDAS attributes to IDPSSODescriptor</li> + * <li>SPSSODescriptor only requests 'persistent' subject nameIDs</li> + * </ul> + * + */ +public class NewMoaEidasMetadata { + private static final Logger LOGGER = LoggerFactory.getLogger(EidasMetadata.class.getName()); + private final String metadata; + private final String entityId; + private static final Set<String> DEFAULT_BINDING = new HashSet() { + }; + + private NewMoaEidasMetadata( Generator generator) throws EIDASSAMLEngineException { + this.entityId = generator.entityId; + this.metadata = generator.metadata; + } + + public String getMetadata() { + return this.metadata; + } + + + public static Generator generator() { + return new Generator(); + } + + + public static Generator generator( Generator copy) { + return new Generator(copy); + } + + public static final class Generator { + private XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory(); + private MetadataConfigParams params; + private SPSSODescriptor spSSODescriptor = null; + private IDPSSODescriptor idpSSODescriptor = null; + private String ssoLocation; + private String metadata; + private String entityId; + + public Generator() { + } + + public Generator( Generator copy) { + Preconditions.checkNotNull(copy, "copy"); + this.params = copy.params; + this.spSSODescriptor = copy.spSSODescriptor; + this.idpSSODescriptor = copy.idpSSODescriptor; + this.ssoLocation = copy.ssoLocation; + this.entityId = copy.entityId; + } + + + public NewMoaEidasMetadata build() throws EIDASSAMLEngineException { + initialize(); + this.entityId = this.params.getEntityID(); + this.metadata = generateMetadata(); + return new NewMoaEidasMetadata(this); + } + + public Generator configParams(MetadataConfigParams params) { + this.params = params; + return this; + } + + private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException { + if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) { + Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods()); + Set<String> digestMethods = new HashSet(); + for (String signatureMethod : signatureMethods) { + digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod)); + } + for (String digestMethod : digestMethods) { + DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME); + if (dm != null) { + dm.setAlgorithm(digestMethod); + eidasExtensions.getUnknownXMLObjects().add(dm); + } else { + NewMoaEidasMetadata.LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension"); + } + } + } + } + + private Extensions generateExtensions() throws EIDASSAMLEngineException { + Extensions eidasExtensions = BuilderFactoryUtil.generateMetadataExtension(); + if (this.params.getAssuranceLevel() != null) { + generateLoA(eidasExtensions); + } + if (!(StringUtils.isEmpty(this.params.getSpType()))) { + SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME); + if (spTypeObj != null) { + spTypeObj.setSPType(this.params.getSpType()); + eidasExtensions.getUnknownXMLObjects().add(spTypeObj); + } else { + NewMoaEidasMetadata.LOGGER.info("BUSINESS EXCEPTION error adding SPType extension"); + } + } + generateDigest(eidasExtensions); + + if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) { + Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods()); + for (String signMethod : signMethods) { + SigningMethod sm = (SigningMethod) BuilderFactoryUtil + .buildXmlObject(SigningMethod.DEF_ELEMENT_NAME); + + if (sm != null) { + sm.setAlgorithm(signMethod); + eidasExtensions.getUnknownXMLObjects().add(sm); + } else { + NewMoaEidasMetadata.LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension"); + } + } + } + return eidasExtensions; + } + + private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException { + EntityAttributes loa = (EntityAttributes) BuilderFactoryUtil + .buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME); + + Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME); + loaAttrib.setName("urn:oasis:names:tc:SAML:attribute:assurance-certification"); + loaAttrib.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"); + XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory() + .getBuilder(XSString.TYPE_NAME); + + XSString stringValue = (XSString) stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, + XSString.TYPE_NAME); + stringValue.setValue(this.params.getAssuranceLevel()); + loaAttrib.getAttributeValues().add(stringValue); + loa.getAttributes().add(loaAttrib); + eidasExtensions.getUnknownXMLObjects().add(loa); + } + + private void addAssertionConsumerService() throws EIDASSAMLEngineException { + int index = 0; + Set<String> bindings = (this.params.getProtocolBinding().isEmpty()) ? NewMoaEidasMetadata.DEFAULT_BINDING + : this.params.getProtocolBinding(); + for (String binding : bindings) { + AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil + .buildXmlObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME); + + asc.setLocation(this.params.getAssertionConsumerUrl()); + asc.setBinding(checkBinding(binding)); + asc.setIndex(Integer.valueOf(index)); + if (index == 0) { + asc.setIsDefault(Boolean.valueOf(true)); + } + ++index; + this.spSSODescriptor.getAssertionConsumerServices().add(asc); + } + } + + private String checkBinding(String binding) { + if ((binding != null) && (((binding.equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")) + || (binding.equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"))))) { + return binding; + } + return "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"; + } + + private DateTime getExpireDate() { + DateTime expiryDate = DateTime.now(); + expiryDate = expiryDate.withFieldAdded(DurationFieldType.seconds(), + (int) this.params.getValidityDuration()); + + return expiryDate; + } + + private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor, + ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions) throws EIDASSAMLEngineException { + List attributes = idpssoDescriptor.getAttributes(); + for (AttributeDefinition attributeDefinition : attributeDefinitions) { + Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME); + a.setName(attributeDefinition.getNameUri().toASCIIString()); + a.setFriendlyName(attributeDefinition.getFriendlyName()); + a.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"); + attributes.add(a); + } + } + + private void generateSPSSODescriptor(EntityDescriptor entityDescriptor, + X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) throws SecurityException, IllegalAccessException, + NoSuchFieldException, SAMLEngineException, EIDASSAMLEngineException { + this.spSSODescriptor.setWantAssertionsSigned(Boolean.valueOf(this.params.isWantAssertionsSigned())); + this.spSSODescriptor.setAuthnRequestsSigned(Boolean.valueOf(true)); + if (this.params.getSpSignature() != null) { + this.spSSODescriptor.setSignature(this.params.getSpSignature()); + } + if (this.params.getSpSigningCredential() != null) { + this.spSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory, + this.params.getSpSigningCredential(), UsageType.SIGNING)); + } + + if (this.params.getSpEncryptionCredential() != null) { + this.spSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory, + this.params.getSpEncryptionCredential(), UsageType.ENCRYPTION)); + } + + this.spSSODescriptor.addSupportedProtocol(this.params.getSpSamlProtocol()); + if (!(StringUtils.isEmpty(this.params.getAssertionConsumerUrl()))) { + addAssertionConsumerService(); + } + + + //fillNameIDFormat(this.spSSODescriptor); + //FIX: Austrian eIDAS node SP only needs persistent identifiers + NameIDFormat persistentFormat = + (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); + persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat()); + spSSODescriptor.getNameIDFormats().add(persistentFormat); + + entityDescriptor.getRoleDescriptors().add(this.spSSODescriptor); + } + + private void fillNameIDFormatIDP(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException { + NameIDFormat persistentFormat = (NameIDFormat) BuilderFactoryUtil + .buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); + + persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat()); + ssoDescriptor.getNameIDFormats().add(persistentFormat); + NameIDFormat transientFormat = (NameIDFormat) BuilderFactoryUtil + .buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); + + transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat()); + ssoDescriptor.getNameIDFormats().add(transientFormat); + NameIDFormat unspecifiedFormat = (NameIDFormat) BuilderFactoryUtil + .buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME); + + unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat()); + ssoDescriptor.getNameIDFormats().add(unspecifiedFormat); + } + + private void generateIDPSSODescriptor(EntityDescriptor entityDescriptor, + X509KeyInfoGeneratorFactory keyInfoGeneratorFactory) throws SecurityException, IllegalAccessException, + NoSuchFieldException, SAMLEngineException, EIDASSAMLEngineException { + this.idpSSODescriptor.setWantAuthnRequestsSigned(Boolean.valueOf(true)); + if (this.params.getIdpSignature() != null) { + this.idpSSODescriptor.setSignature(this.params.getIdpSignature()); + } + if (this.params.getIdpSigningCredential() != null) { + this.idpSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory, + this.params.getIdpSigningCredential(), UsageType.SIGNING)); + } + + //INFO: IDP requires no encryption certificate +// if (this.params.getIdpEncryptionCredential() != null) { +// this.idpSSODescriptor.getKeyDescriptors().add(getKeyDescriptor(keyInfoGeneratorFactory, +// this.params.getIdpEncryptionCredential(), UsageType.ENCRYPTION)); +// } + + this.idpSSODescriptor.addSupportedProtocol(this.params.getIdpSamlProtocol()); + fillNameIDFormatIDP(this.idpSSODescriptor); + this.idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations()); + if ((this.params.getIdpEngine() != null) && (this.params.getIdpEngine().getProtocolProcessor() != null) + && (this.params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10)) { + + /*TODO: Only a work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata + * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more. + * + * INFO: Maybe, this code can be removed in a future version of the eIDAS engine + */ + generateSupportedAttributes(this.idpSSODescriptor, getAllSupportedAttributes()); + } + entityDescriptor.getRoleDescriptors().add(this.idpSSODescriptor); + } + + /* FIX: Work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata + * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more. + */ + public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() { + ImmutableSortedSet.Builder<AttributeDefinition<?>> builder = + new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural()); + + for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) { + AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr); + builder.add(supAttr); + } + + return builder.build(); + } + + private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations() + throws NoSuchFieldException, IllegalAccessException { + ArrayList singleSignOnServices = new ArrayList(); + + HashMap<String, String> bindingLocations = this.params.getProtocolBindingLocation(); + Iterator bindLocs = bindingLocations.entrySet().iterator(); + while (bindLocs.hasNext()) { + Map.Entry bindingLoc = (Map.Entry) bindLocs.next(); + SingleSignOnService ssos = (SingleSignOnService) BuilderFactoryUtil + .buildXmlObject(SingleSignOnService.class); + ssos.setBinding((String) bindingLoc.getKey()); + ssos.setLocation((String) bindingLoc.getValue()); + singleSignOnServices.add(ssos); + } + return singleSignOnServices; + } + + private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory, + Credential credential, UsageType usage) + throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException { + KeyDescriptor keyDescriptor = null; + if (credential != null) { + keyDescriptor = (KeyDescriptor) BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class); + KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance(); + + KeyInfo keyInfo = keyInfoGenerator.generate(credential); + keyDescriptor.setUse(usage); + keyDescriptor.setKeyInfo(keyInfo); + if ((usage == UsageType.ENCRYPTION) && (this.params.getEncryptionAlgorithms() != null)) { + Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(this.params.getEncryptionAlgorithms()); + for (String encryptionAlgo : encryptionAlgos) { + EncryptionMethod em = (EncryptionMethod) BuilderFactoryUtil + .buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME); + + em.setAlgorithm(encryptionAlgo); + keyDescriptor.getEncryptionMethods().add(em); + } + } + } + + return keyDescriptor; + } + + private Organization buildOrganization() { + Organization organization = null; + if (this.params.getOrganization() != null) { + try { + organization = (Organization) BuilderFactoryUtil.buildXmlObject(Organization.class); + OrganizationDisplayName odn = (OrganizationDisplayName) BuilderFactoryUtil + .buildXmlObject(OrganizationDisplayName.class); + odn.setName(new LocalizedString(this.params.getOrganization().getDisplayName(), "en")); + organization.getDisplayNames().add(odn); + OrganizationName on = (OrganizationName) BuilderFactoryUtil.buildXmlObject(OrganizationName.class); + on.setName(new LocalizedString(this.params.getOrganization().getName(), "en")); + organization.getOrganizationNames().add(on); + OrganizationURL url = (OrganizationURL) BuilderFactoryUtil.buildXmlObject(OrganizationURL.class); + url.setURL(new LocalizedString(this.params.getOrganization().getUrl(), "en")); + organization.getURLs().add(url); + } catch (IllegalAccessException iae) { + NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", iae.getMessage()); + NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", iae); + } catch (NoSuchFieldException nfe) { + NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", nfe.getMessage()); + NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", nfe); + } + } + return organization; + } + + private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) { + ContactPerson contact = null; + try { + ContactData currentContact = null; + if (contactType == ContactPersonTypeEnumeration.SUPPORT) + currentContact = this.params.getSupportContact(); + else if (contactType == ContactPersonTypeEnumeration.TECHNICAL) + currentContact = this.params.getTechnicalContact(); + else { + NewMoaEidasMetadata.LOGGER.error("ERROR: unsupported contact type"); + } + contact = (ContactPerson) BuilderFactoryUtil.buildXmlObject(ContactPerson.class); + if (currentContact == null) { + NewMoaEidasMetadata.LOGGER.error("ERROR: cannot retrieve contact from the configuration"); + return contact; + } + + EmailAddress emailAddressObj = (EmailAddress) BuilderFactoryUtil.buildXmlObject(EmailAddress.class); + Company company = (Company) BuilderFactoryUtil.buildXmlObject(Company.class); + GivenName givenName = (GivenName) BuilderFactoryUtil.buildXmlObject(GivenName.class); + SurName surName = (SurName) BuilderFactoryUtil.buildXmlObject(SurName.class); + TelephoneNumber phoneNumber = (TelephoneNumber) BuilderFactoryUtil + .buildXmlObject(TelephoneNumber.class); + contact.setType(contactType); + emailAddressObj.setAddress(currentContact.getEmail()); + company.setName(currentContact.getCompany()); + givenName.setName(currentContact.getGivenName()); + surName.setName(currentContact.getSurName()); + phoneNumber.setNumber(currentContact.getPhone()); + + populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber); + } catch (IllegalAccessException iae) { + NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", iae.getMessage()); + NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", iae); + } catch (NoSuchFieldException nfe) { + NewMoaEidasMetadata.LOGGER.info("ERROR : error generating the OrganizationData: {}", nfe.getMessage()); + NewMoaEidasMetadata.LOGGER.debug("ERROR : error generating the OrganizationData: {}", nfe); + } + return contact; + } + + private void populateContact(ContactPerson contact, ContactData currentContact, EmailAddress emailAddressObj, + Company company, GivenName givenName, SurName surName, TelephoneNumber phoneNumber) { + if (!(StringUtils.isEmpty(currentContact.getEmail()))) { + contact.getEmailAddresses().add(emailAddressObj); + } + if (!(StringUtils.isEmpty(currentContact.getCompany()))) { + contact.setCompany(company); + } + if (!(StringUtils.isEmpty(currentContact.getGivenName()))) { + contact.setGivenName(givenName); + } + if (!(StringUtils.isEmpty(currentContact.getSurName()))) { + contact.setSurName(surName); + } + if (!(StringUtils.isEmpty(currentContact.getPhone()))) + contact.getTelephoneNumbers().add(phoneNumber); + } + + private String generateMetadata() throws EIDASSAMLEngineException { + try { + EntityDescriptor entityDescriptor = (EntityDescriptor) this.builderFactory + .getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME) + .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME); + + entityDescriptor.setEntityID(this.params.getEntityID()); + entityDescriptor.setOrganization(buildOrganization()); + entityDescriptor.getContactPersons().add(buildContact(ContactPersonTypeEnumeration.SUPPORT)); + entityDescriptor.getContactPersons().add(buildContact(ContactPersonTypeEnumeration.TECHNICAL)); + entityDescriptor.setValidUntil(getExpireDate()); + + X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory(); + keyInfoGeneratorFactory.setEmitEntityCertificate(true); + Extensions e = generateExtensions(); + if (!(e.getUnknownXMLObjects().isEmpty())) { + entityDescriptor.setExtensions(e); + } + if (this.spSSODescriptor != null) { + generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory); + } + if (this.idpSSODescriptor != null) { + generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory); + } + if (this.params.getSpEngine() != null) { + ProtocolEngineI spEngine = this.params.getSpEngine(); + ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor); + } else if (this.params.getIdpEngine() != null) { + ProtocolEngineI idpEngine = this.params.getIdpEngine(); + ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor); + } + return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false)); + } catch (Exception ex) { + NewMoaEidasMetadata.LOGGER.info("ERROR : SAMLException ", ex.getMessage()); + NewMoaEidasMetadata.LOGGER.debug("ERROR : SAMLException ", ex); + throw new IllegalStateException(ex); + } + } + + private void initialize() throws EIDASSAMLEngineException { + ProtocolEngineI idpEngine = this.params.getIdpEngine(); + ProtocolEngineI spEngine = this.params.getSpEngine(); + MetadataConfigParams.Builder initParamBuilder = MetadataConfigParams.builder(this.params); + if (idpEngine != null) { + idpEngine.getProtocolProcessor().configure(); + initParamBuilder.idpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate())); + + X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate(); + if (idpEngineDecryptionCertificate != null) { + initParamBuilder + .idpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate)); + } + if (this.idpSSODescriptor == null) { + try { + this.idpSSODescriptor = ((IDPSSODescriptor) BuilderFactoryUtil + .buildXmlObject(IDPSSODescriptor.class)); + } catch (NoSuchFieldException e) { + throw new EIDASSAMLEngineException(e); + } catch (IllegalAccessException e) { + throw new EIDASSAMLEngineException(e); + } + } + } + if (spEngine != null) { + spEngine.getProtocolProcessor().configure(); + initParamBuilder.spSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate())); + + X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate(); + if (spEngineDecryptionCertificate != null) { + initParamBuilder + .spEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate)); + } + if (this.spSSODescriptor == null) { + try { + this.spSSODescriptor = ((SPSSODescriptor) BuilderFactoryUtil + .buildXmlObject(SPSSODescriptor.class)); + } catch (NoSuchFieldException e) { + throw new EIDASSAMLEngineException(e); + } catch (IllegalAccessException e) { + throw new EIDASSAMLEngineException(e); + } + } + } + this.params = initParamBuilder.build(); + } + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index 773e08ea9..d469ca28c 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -88,7 +88,7 @@ public class SAMLEngineUtils { URL addAttrConfigUrl = new URL(FileUtils.makeAbsoluteURL( additionalAttributeConfigFile, AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir())); - addAttrDefinitions = AttributeRegistries.fromFile(addAttrConfigUrl.getPath()); + addAttrDefinitions = AttributeRegistries.fromFile(addAttrConfigUrl.getPath(), null); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 5d13e26e2..940b91b44 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -330,7 +330,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { // - memorize service-provider type from eIDAS request String spType = null; if (eIDASSamlReq.getSpType() != null) - spType = eIDASSamlReq.getSpType().getValue(); + spType = eIDASSamlReq.getSpType(); if (MiscUtil.isEmpty(spType)) spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java index df96bef12..bfe410fc2 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java @@ -31,7 +31,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; -import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAeIDASMetadataGenerator; +import at.gv.egovernment.moa.id.auth.modules.eidas.utils.NewMoaEidasMetadata; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -44,8 +44,10 @@ import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.engine.ProtocolEngineI; -import eu.eidas.auth.engine.metadata.Contact; +import eu.eidas.auth.engine.metadata.ContactData; import eu.eidas.auth.engine.metadata.MetadataConfigParams; +import eu.eidas.auth.engine.metadata.MetadataConfigParams.Builder; +import eu.eidas.auth.engine.metadata.OrganizationData; import eu.eidas.engine.exceptions.EIDASSAMLEngineException; @@ -119,22 +121,20 @@ public class EidasMetaDataRequest implements IAction { ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); - MOAeIDASMetadataGenerator generator = new MOAeIDASMetadataGenerator(); - MetadataConfigParams mcp=new MetadataConfigParams(); - generator.setConfigParams(mcp); - generator.initialize(engine); - - mcp.setEntityID(metadata_url); - mcp.setAssertionConsumerUrl(sp_return_url); - mcp.getProtocolBindingLocation().put( + //configura metadata builder + Builder metadataConfigBuilder = MetadataConfigParams.builder(); + metadataConfigBuilder.entityID(metadata_url); + metadataConfigBuilder.assertionConsumerUrl(sp_return_url); + + metadataConfigBuilder.addProtocolBindingLocation( SAMLConstants.SAML2_POST_BINDING_URI, pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST); //TODO: make it configurable - mcp.setAuthnRequestsSigned(true); - mcp.setWantAssertionsSigned(true); - mcp.setAssuranceLevel( + metadataConfigBuilder.authnRequestsSigned(true); + metadataConfigBuilder.wantAssertionsSigned(true); + metadataConfigBuilder.assuranceLevel( authConfig.getBasicMOAIDConfiguration( Constants.CONIG_PROPS_EIDAS_NODE_LoA, MOAIDAuthConstants.eIDAS_LOA_HIGH)); @@ -142,47 +142,71 @@ public class EidasMetaDataRequest implements IAction { //must be set in request, because it could be different for every online-application //mcp.setSpType(SPType.DEFAULT_VALUE); - mcp.setDigestMethods(Constants.METADATA_ALLOWED_ALG_DIGIST); - mcp.setSigningMethods(Constants.METADATA_ALLOWED_ALG_SIGN); - mcp.setEncryptionAlgorithms(Constants.METADATA_ALLOWED_ALG_ENCRYPT); + metadataConfigBuilder.digestMethods(Constants.METADATA_ALLOWED_ALG_DIGIST); + metadataConfigBuilder.signingMethods(Constants.METADATA_ALLOWED_ALG_SIGN); + metadataConfigBuilder.encryptionAlgorithms(Constants.METADATA_ALLOWED_ALG_ENCRYPT); //add organisation information from PVP metadata information Organization pvpOrganisation = null; try { pvpOrganisation = PVPConfiguration.getInstance().getIDPOrganisation(); - Contact technicalContact = new Contact(); + eu.eidas.auth.engine.metadata.ContactData.Builder technicalContact = ContactData.builder(); List<ContactPerson> contacts = PVPConfiguration.getInstance().getIDPContacts(); if (contacts != null && contacts.size() >= 1) { ContactPerson contact = contacts.get(0); - technicalContact.setGivenName(contact.getGivenName().getName()); - technicalContact.setSurName(contact.getSurName().getName()); + technicalContact.givenName(contact.getGivenName().getName()); + technicalContact.surName(contact.getSurName().getName()); if (!contact.getEmailAddresses().isEmpty()) - technicalContact.setEmail(contact.getEmailAddresses().get(0).getAddress()); + technicalContact.email(contact.getEmailAddresses().get(0).getAddress()); if (!contact.getTelephoneNumbers().isEmpty()) - technicalContact.setPhone(contact.getTelephoneNumbers().get(0).getNumber()); + technicalContact.phone(contact.getTelephoneNumbers().get(0).getNumber()); - mcp.setTechnicalContact(technicalContact ); + } if (pvpOrganisation != null) { - mcp.setNodeUrl(pvpOrganisation.getURLs().get(0).getURL().getLocalString()); - mcp.setCountryName(authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRY, "Austria")); - technicalContact.setCompany(pvpOrganisation.getDisplayNames().get(0).getName().getLocalString()); + eu.eidas.auth.engine.metadata.OrganizationData.Builder organizationConfig = OrganizationData.builder(); + organizationConfig.url(pvpOrganisation.getURLs().get(0).getURL().getLocalString()); + organizationConfig.name(authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRY, "Austria")); + //TODO: add display name and maybe update name + + + metadataConfigBuilder.organization(organizationConfig.build()); + + technicalContact.company(pvpOrganisation.getDisplayNames().get(0).getName().getLocalString()); } + + metadataConfigBuilder.technicalContact(technicalContact.build()); + + //TODO: add correct support contact + metadataConfigBuilder.supportContact(ContactData.builder(technicalContact.build()).build()); + } catch (ConfigurationException | NullPointerException e) { Logger.warn("Can not load Organisation or Contact from Configuration", e); } - - generator.addSPRole(); - generator.addIDPRole(); + + metadataConfigBuilder.idpEngine(engine); + metadataConfigBuilder.spEngine(engine); + + //TODO: +// MOAeIDASMetadataGenerator generator = new MOAeIDASMetadataGenerator(); +// generator.initialize(engine); +// generator.addSPRole(); +// generator.addIDPRole(); +// metadata = generator.generateMetadata(); + + //use own implementation that solves some problems in original implementation + NewMoaEidasMetadata.Generator generator = NewMoaEidasMetadata.generator(); + generator.configParams(metadataConfigBuilder.build()); + NewMoaEidasMetadata eidasMetadata = generator.build(); + metadata = eidasMetadata.getMetadata(); - metadata = generator.generateMetadata(); return metadata; } } |