aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-eIDAS/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java20
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java15
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java290
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java120
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java132
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java50
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java27
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java49
9 files changed, 610 insertions, 97 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 9f347b4ee..1d4556459 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -28,8 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas;
*/
public class Constants {
- //public static final String eIDAS_SAML_ENGINE_NAME = "MOA_eIDASEninge";
public static final String eIDAS_SAML_ENGINE_NAME = "default";
+ public static final String SSLSOCKETFACTORYNAME = "eIDASMetadataSSLSocketFactory";
//default keys for eIDAS SAML-engine configuration
public static final String eIDAS_SAML_ENGINE_NAME_ID_BASICCONFIG = "SamlEngineConf";
@@ -45,20 +45,30 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_PREFIX="moa.id.protocols.eIDAS";
public static final String CONIG_PROPS_EIDAS_SAMLENGINE="samlengine";
public static final String CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX=CONIG_PROPS_EIDAS_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE;
- public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file";
-
+ public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file";
public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN="sign";
public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT="enc";
public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "."
+ CONIG_PROPS_EIDAS_SAMLENGINE_SIGN + ".config.file";
public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "."
- + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";
+ + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";
+ public static final String CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE = CONIG_PROPS_EIDAS_PREFIX + ".metadata.validation.truststore";
- public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
+ //timeouts and clock skews
+ public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
+ public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout
+ //eIDAS attribute names
public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier";
public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth";
public static final String eIDAS_ATTR_CURRENTGIVENNAME = "CurrentGivenName";
public static final String eIDAS_ATTR_CURRENTFAMILYNAME = "CurrentFamilyName";
+
+ //http endpoint descriptions
+ public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/sp/post";
+ public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/sp/redirect";
+ public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post";
+ public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect";
+ public static final String eIDAS_HTTP_ENDPOINT_METADATA = "/eidas/metadata";
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
index 556947572..49f0451cb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
@@ -22,30 +22,19 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas;
-import java.io.ByteArrayInputStream;
-
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServletRequest;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpression;
-import javax.xml.xpath.XPathFactory;
import org.apache.commons.lang.StringEscapeUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.util.xml.SimpleNamespaceContext;
-import org.w3c.dom.Document;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Base64Utils;
/**
* @author tlenz
*
*/
-@WebServlet(urlPatterns = { "/eidas/post", "/eidas/redirect"}, loadOnStartup = 1)
+@WebServlet(urlPatterns = { "/eidas/sp/post", "/eidas/sp/redirect"}, loadOnStartup = 1)
public class eIDASSignalServlet extends ProcessEngineSignalServlet {
private static final long serialVersionUID = 8215688005533754459L;
@@ -53,7 +42,7 @@ public class eIDASSignalServlet extends ProcessEngineSignalServlet {
public eIDASSignalServlet() {
super();
Logger.debug("Registering servlet " + getClass().getName() +
- " with mappings '/eidas/post' and '/eidas/redirect'.");
+ " with mappings '/eidas/sp/post' and '/eidas/sp/redirect'.");
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
new file mode 100644
index 000000000..f1b14015b
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -0,0 +1,290 @@
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+
+import javax.net.ssl.SSLHandshakeException;
+import javax.xml.namespace.QName;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import eu.eidas.auth.engine.AbstractSAMLEngine;
+
+public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider {
+
+ private static MOAeIDASChainingMetadataProvider instance = null;
+ private static Object mutex = new Object();
+
+ private MetadataProvider internalProvider;
+
+
+ public static MOAeIDASChainingMetadataProvider getInstance() {
+ if (instance == null) {
+ synchronized (mutex) {
+ if (instance == null) {
+ instance = new MOAeIDASChainingMetadataProvider();
+ }
+ }
+ }
+ return instance;
+ }
+
+
+ private MOAeIDASChainingMetadataProvider() {
+ internalProvider = new ChainingMetadataProvider();
+
+ }
+
+ private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+ HTTPMetadataProvider httpProvider = null;
+ Timer timer= null;
+ MOAHttpClient httpClient = null;
+ try {
+ AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
+
+ httpClient = new MOAHttpClient();
+
+ HttpClientParams httpClientParams = new HttpClientParams();
+ httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+ httpClient.setParams(httpClientParams);
+
+ if (metadataURL.startsWith("https:")) {
+ try {
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ Constants.SSLSOCKETFACTORYNAME,
+ authConfig.getCertstoreDirectory(),
+ authConfig.getTrustedCACertificates(),
+ null,
+ AuthConfiguration.DEFAULT_X509_CHAININGMODE,
+ authConfig.isTrustmanagerrevoationchecking());
+
+ httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException e) {
+ Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+
+ }
+ }
+
+ timer = new Timer();
+ httpProvider = new HTTPMetadataProvider(timer, httpClient,
+ metadataURL);
+ httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool());
+ httpProvider.setRequireValidMetadata(true);
+ httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+ httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+ //httpProvider.setRefreshDelayFactor(0.1F);
+
+ //add Metadata filters
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+ httpProvider.setMetadataFilter(filter);
+
+ httpProvider.initialize();
+
+ return httpProvider;
+
+ } catch (Throwable e) {
+ if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+ Logger.warn("SSL-Server certificate for metadata "
+ + metadataURL + " not trusted.", e);
+
+ } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
+ Logger.warn("Signature verification for metadata"
+ + metadataURL + " FAILED.", e);
+
+ } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+ Logger.warn("Schema validation for metadata "
+ + metadataURL + " FAILED.", e);
+ }
+
+ Logger.error(
+ "Failed to add Metadata file for "
+ + metadataURL + "[ "
+ + e.getMessage() + " ]", e);
+
+ if (httpProvider != null) {
+ Logger.debug("Destroy failed Metadata provider");
+ httpProvider.destroy();
+ }
+
+ if (timer != null) {
+ Logger.debug("Destroy Timer.");
+ timer.cancel();
+ }
+
+
+ }
+
+ return null;
+ }
+
+ private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
+ Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
+ ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+
+ //make a Map of all actually loaded HTTPMetadataProvider
+ List<MetadataProvider> providers = chainProvider.getProviders();
+ for (MetadataProvider provider : providers) {
+ if (provider instanceof HTTPMetadataProvider) {
+ HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
+ loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
+
+ }
+ }
+
+ return loadedproviders;
+ }
+
+ public boolean refreshMetadataProvider(String metadataURL) {
+ try {
+ if (MiscUtil.isNotEmpty(metadataURL)) {
+ Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders();
+
+ // check if MetadataProvider is actually loaded
+ if (actuallyLoadedProviders.containsKey(metadataURL)) {
+ actuallyLoadedProviders.get(metadataURL).refresh();
+ Logger.info("eIDAS metadata for "
+ + metadataURL + " is refreshed.");
+ return true;
+
+ } else {
+ //load new Metadata Provider
+ ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+ HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
+ chainProvider.addMetadataProvider(newMetadataProvider);
+
+ emitChangeEvent();
+ Logger.info("eIDAS metadata for "
+ + metadataURL + " is added.");
+ return true;
+
+ }
+
+ } else
+ Logger.debug("Can not refresh eIDAS metadata: NO eIDAS metadata URL.");
+
+ } catch (MetadataProviderException e) {
+ Logger.warn("Refresh eIDAS metadata for "
+ + metadataURL + " FAILED.", e);
+
+ }
+
+ return false;
+
+ }
+
+
+ public boolean requireValidMetadata() {
+ return internalProvider.requireValidMetadata();
+ }
+
+ public void setRequireValidMetadata(boolean requireValidMetadata) {
+ internalProvider.setRequireValidMetadata(requireValidMetadata);
+ }
+
+ public MetadataFilter getMetadataFilter() {
+ return internalProvider.getMetadataFilter();
+ }
+
+ public void setMetadataFilter(MetadataFilter newFilter)
+ throws MetadataProviderException {
+ internalProvider.setMetadataFilter(newFilter);
+ }
+
+ public XMLObject getMetadata() throws MetadataProviderException {
+ return internalProvider.getMetadata();
+ }
+
+ public EntitiesDescriptor getEntitiesDescriptor(String entitiesID)
+ throws MetadataProviderException {
+ Logger.warn("eIDAS metadata not support 'EntitiesDescriptor' elements!");
+ return null;
+
+ }
+
+ public EntityDescriptor getEntityDescriptor(String entityID)
+ throws MetadataProviderException {
+ EntityDescriptor entityDesc = null;
+ try {
+ entityDesc = internalProvider.getEntityDescriptor(entityID);
+ if (entityDesc == null) {
+ Logger.debug("Can not find eIDAS metadata for entityID: " + entityID
+ + " Start refreshing process ...");
+ if (refreshMetadataProvider(entityID))
+ return internalProvider.getEntityDescriptor(entityID);
+
+ } else {
+ if (!entityDesc.isValid())
+ if (refreshMetadataProvider(entityID))
+ return internalProvider.getEntityDescriptor(entityID);
+
+ }
+
+
+ } catch (MetadataProviderException e) {
+ Logger.debug("Can not find eIDAS metadata for entityID: " + entityID
+ + " Start refreshing process ...");
+ if (refreshMetadataProvider(entityID))
+ return internalProvider.getEntityDescriptor(entityID);
+
+ }
+
+ return entityDesc;
+ }
+
+ public List<RoleDescriptor> getRole(String entityID, QName roleName)
+ throws MetadataProviderException {
+ return internalProvider.getRole(entityID, roleName);
+ }
+
+ public RoleDescriptor getRole(String entityID, QName roleName,
+ String supportedProtocol) throws MetadataProviderException {
+ return internalProvider.getRole(entityID, roleName, supportedProtocol);
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers()
+ */
+ @Override
+ public List<Observer> getObservers() {
+ return ((ChainingMetadataProvider) internalProvider).getObservers();
+ }
+
+ protected void emitChangeEvent() {
+ if ((getObservers() == null) || (getObservers().size() == 0)) {
+ return;
+ }
+
+ List<Observer> tempObserverList = new ArrayList<Observer>(getObservers());
+ for (ObservableMetadataProvider.Observer observer : tempObserverList)
+ if (observer != null)
+ observer.onEvent(this);
+ }
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
new file mode 100644
index 000000000..e3ae5c046
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.security.KeyStore;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+
+import eu.eidas.auth.engine.EIDASSAMLEngine;
+import eu.eidas.auth.engine.metadata.MetadataProcessorI;
+import eu.eidas.engine.exceptions.SAMLEngineException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
+
+ private MetadataProvider metadataprovider = null;
+
+ /**
+ *
+ */
+ public MOAeIDASMetadataProviderDecorator(MetadataProvider metadataprovider) {
+ this.metadataprovider = metadataprovider;
+
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String)
+ */
+ @Override
+ public EntityDescriptor getEntityDescriptor(String url)
+ throws SAMLEngineException {
+ try {
+ return this.metadataprovider.getEntityDescriptor(url);
+
+ } catch (MetadataProviderException e) {
+ throw new SAMLEngineException("eIDAS Metadata processing FAILED.", e);
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String)
+ */
+ @Override
+ public SPSSODescriptor getSPSSODescriptor(String url)
+ throws SAMLEngineException {
+ return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
+
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String)
+ */
+ @Override
+ public IDPSSODescriptor getIDPSSODescriptor(String url)
+ throws SAMLEngineException {
+ return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
+
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine)
+ */
+ @Override
+ public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine)
+ throws SAMLEngineException {
+ //Do nothing, because metadata signature is already validated during
+ //metadata provider initialization
+
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore)
+ */
+ @Override
+ public void checkValidMetadataSignature(String url, KeyStore trustStore)
+ throws SAMLEngineException {
+ //Do nothing, because metadata signature is already validated during
+ //metadata provider initialization
+
+ }
+
+ protected <T extends RoleDescriptor> T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class<T> clazz){
+ for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){
+ if(clazz.isInstance(rd)){
+ return (T)rd;
+ }
+ }
+ return null;
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
new file mode 100644
index 000000000..c9f3e5bcd
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
+
+ private String trustProfileID = null;
+
+ /**
+ *
+ */
+ public MOAeIDASMetadataSignatureFilter(String trustProfileID) {
+ this.trustProfileID = trustProfileID;
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+ */
+ @Override
+ public void doFilter(XMLObject metadata) throws FilterException {
+ if (metadata instanceof EntityDescriptor) {
+ if (((EntityDescriptor) metadata).isSigned()) {
+ EntityDescriptor entityDes = (EntityDescriptor) metadata;
+ //check signature;
+ try {
+ Transformer transformer = TransformerFactory.newInstance()
+ .newTransformer();
+ StringWriter sw = new StringWriter();
+ StreamResult sr = new StreamResult(sw);
+ DOMSource source = new DOMSource(metadata.getDOM());
+ transformer.transform(source, sr);
+ sw.close();
+ String metadataXML = sw.toString();
+
+ SignatureVerificationUtils sigVerify =
+ new SignatureVerificationUtils();
+ VerifyXMLSignatureResponse result = sigVerify.verify(
+ metadataXML.getBytes(), trustProfileID);
+
+ //check signature-verification result
+ if (result.getSignatureCheckCode() != 0) {
+ Logger.warn("eIDAS Metadata signature-verification FAILED!"
+ + " Metadata: " + entityDes.getEntityID()
+ + " StatusCode:" + result.getSignatureCheckCode());
+ throw new FilterException("eIDAS Metadata signature-verification FAILED!"
+ + " Metadata: " + entityDes.getEntityID()
+ + " StatusCode:" + result.getSignatureCheckCode());
+
+ }
+
+ if (result.getCertificateCheckCode() != 0) {
+ Logger.warn("eIDAS Metadata certificate-verification FAILED!"
+ + " Metadata: " + entityDes.getEntityID()
+ + " StatusCode:" + result.getCertificateCheckCode());
+ throw new FilterException("eIDAS Metadata certificate-verification FAILED!"
+ + " Metadata: " + entityDes.getEntityID()
+ + " StatusCode:" + result.getCertificateCheckCode());
+
+ }
+
+
+ } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+ Logger.error("eIDAS Metadata verification has an interal error.", e);
+ throw new FilterException("eIDAS Metadata verification has an interal error."
+ + " Message:" + e.getMessage());
+
+ }
+
+
+ } else {
+ Logger.warn("eIDAS Metadata root-element MUST be signed.");
+ throw new FilterException("eIDAS Metadata root-element MUST be signed.'");
+
+ }
+
+ } else {
+ Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+ throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
deleted file mode 100644
index 2aec81db5..000000000
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
+++ /dev/null
@@ -1,50 +0,0 @@
-package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
-
-import java.security.KeyStore;
-
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-
-import at.gv.egovernment.moa.logging.Logger;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.metadata.SimpleMetadataProcessor;
-import eu.eidas.engine.exceptions.SAMLEngineException;
-
-public class MOAeIDASSimpleMetadataProvider extends SimpleMetadataProcessor {
-
- @Override
- public EntityDescriptor getEntityDescriptor(String url) {
- EntityDescriptor entityDescriptor=getEntityDescriptorHelper(url);
-
- if(Logger.isDebugEnabled()){
- Logger.debug("got entityDescriptor: " + entityDescriptor);
- }
- return entityDescriptor;
- }
-
- @Override
- public SPSSODescriptor getSPSSODescriptor(String url) throws SAMLEngineException {
- return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
-
- }
-
- @Override
- public IDPSSODescriptor getIDPSSODescriptor(String url) throws SAMLEngineException {
- return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
-
- }
-
- @Override
- public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) throws SAMLEngineException {
- //TODO: implement Metadata signature validation
- Logger.warn("MetadataProcessor in demo SP does not actually check the signature of metadata");
-
- }
- @Override
- public void checkValidMetadataSignature(String url, KeyStore store) throws SAMLEngineException {
- //not implemented
-
- }
-
-}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 57588287d..963fe70c1 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -142,7 +142,11 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
EIDASAuthnRequest authnRequest = new EIDASAuthnRequest();
authnRequest.setProviderName(moaconfig.getPublicURLPrefix());
authnRequest.setPersonalAttributeList(pAttList);
+
authnRequest.setIssuer(moaconfig.getPublicURLPrefix() + "/eidas/metadata");
+ //TODO: only for development and reverse proxy
+ authnRequest.setIssuer("http://localhost:12343/moa-id-auth/eidas/metadata");
+
authnRequest.setDestination(destination);
authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED);
authnRequest.setEidasLoA(EidasLoaLevels.LOW.stringValue());
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java
index 6a573d0f2..d1bc02766 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java
@@ -29,7 +29,10 @@ import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import eu.eidas.auth.engine.EIDASSAMLEngine;
import eu.eidas.auth.engine.metadata.MetadataConfigParams;
import eu.eidas.auth.engine.metadata.MetadataGenerator;
@@ -49,13 +52,21 @@ public class EidasMetaDataServlet extends HttpServlet {
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
- logger.info("EidasMetaDataServlet GET");
+ logger.debug("EidasMetaDataServlet GET");
- String metadata_url = "http://localhost:12344/moa-id-auth/eidas/metadata";
- String sp_return_url = "http://localhost:12344/moa-id-auth/eidas/metadata";
+ AuthConfiguration config = AuthConfigurationProviderFactory.getInstance();
+ String pubURLPrefix = config.getPublicURLPrefix();
+
+
+ String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
+
+ //TODO: only for development and reverse proxy
+ metadata_url = "http://localhost:12343/moa-id-auth/eidas/metadata";
+
+ String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST;
String metaData = generateMetadata(metadata_url, sp_return_url);
- logger.debug(metaData);
+ logger.trace(metaData);
response.setContentType("text/xml");
response.getWriter().print(metaData);
@@ -69,13 +80,13 @@ public class EidasMetaDataServlet extends HttpServlet {
String metadata="invalid metadata";
// FIXME workaround!?
- Security.removeProvider("IAIK");
- Security.removeProvider("IAIK_ECC");
+// Security.removeProvider("IAIK");
+// Security.removeProvider("IAIK_ECC");
EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
- IAIK.addAsProvider();
- ECCProvider.addAsProvider(true);
+// IAIK.addAsProvider();
+// ECCProvider.addAsProvider(true);
MetadataGenerator generator = new MetadataGenerator();
MetadataConfigParams mcp=new MetadataConfigParams();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index 2c2435ff6..8e46f0ef1 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -24,7 +24,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl;
-import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASSimpleMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
import at.gv.egovernment.moa.logging.Logger;
import eu.eidas.auth.engine.EIDASSAMLEngine;
@@ -37,28 +38,34 @@ import eu.eidas.samlengineconfig.CertificateConfigurationManager;
*/
public class SAMLEngineUtils {
- public static EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{
+ private static EIDASSAMLEngine eIDASEngine = null;
+
+ public static synchronized EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{
- try {
- //get eIDAS SAMLengine configuration from MOA-ID configuration
- CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
-
- //initial eIDAS SAMLengine
- EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME,
- configManager);
-
- //set Metadata managment to eIDAS SAMLengine
- //TODO: implement final Metadata processor (this is only a first solution!!!)
- engine.setMetadataProcessor(new MOAeIDASSimpleMetadataProvider());
-
- return engine;
-
- } catch (EIDASSAMLEngineException e) {
- Logger.error("eIDAS SAMLengine initialization FAILED!", e);
- throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e);
-
+ if (eIDASEngine == null) {
+ try {
+ //get eIDAS SAMLengine configuration from MOA-ID configuration
+ CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
+
+ //initial eIDAS SAMLengine
+ EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME,
+ configManager);
+
+ //set Metadata managment to eIDAS SAMLengine
+ engine.setMetadataProcessor(
+ new MOAeIDASMetadataProviderDecorator(
+ MOAeIDASChainingMetadataProvider.getInstance()));
+
+ eIDASEngine = engine;
+
+ } catch (EIDASSAMLEngineException e) {
+ Logger.error("eIDAS SAMLengine initialization FAILED!", e);
+ throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e);
+
+ }
}
-
+
+ return eIDASEngine;
}
}