Diffstat (limited to 'id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java')
-rw-r--r--id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java78
1 files changed, 27 insertions, 51 deletions
diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java
index 6e23d7f24..1cd5fb761 100644
--- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java
+++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java
@@ -72,6 +72,7 @@ import eu.stork.peps.exceptions.SAMLEngineException;
* The Class HWSign. Module of sign.
*
* @author fjquevedo
+ * @author advania
*/
public final class SignHW implements SAMLEngineSignI {
@@ -79,14 +80,19 @@ public final class SignHW implements SAMLEngineSignI {
private static final String CONF_FILE = "configurationFile";
/**
- * The Constant KEYSTORE_TYPE. private static final String KEYSTORE_TYPE = "keystoreType"
+ * The Constant KEYSTORE_TYPE.
*/
+ private static final String KEYSTORE_TYPE = "keystoreType";
/** The logger. */
private static final Logger LOG = LoggerFactory.getLogger(SignHW.class.getName());
/** The stork own key store. */
private KeyStore storkOwnKeyStore = null;
+ /**
+ * The soft trust key store.
+ */
+ private SignSW swTrustStore = null;
/**
* Gets the stork own key store.
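Review bot: The Javadoc on the new `swTrustStore` field describes it as a "soft trust key store", but its type is `SignSW`, a signing engine rather than a KeyStore, and the comment does not say when it becomes non-null, which a reader of validateSignature needs. Suggest `/** Software signing engine used to validate incoming signatures against the trust store named by the trustStoreConfig property; null until the configuration has been loaded. */`. The field is also mutable and package-invisible state that every validation call depends on, so the null window is worth naming explicitly.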
@@ -160,6 +166,12 @@ public final class SignHW implements SAMLEngineSignI {
throw new SAMLEngineException(e);
} finally {
IOUtils.closeQuietly(inputStr);
+ /**
+ * Init the soft keystore to validate with. trustStoreConfig is read from the SignModule config file and should refer to the keystore containing trusted certificates.
+ */
+ swTrustStore = new SignSW();
+ swTrustStore.init(properties.getProperty("trustStoreConfig"));
+ swTrustStore.loadCryptServiceProvider();
}
}
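Review bot: The three new statements sit inside `finally`, so they run even when the try block above has just failed, and any exception thrown by `SignSW.init` or `loadCryptServiceProvider` replaces the SAMLEngineException thrown at the top of the hunk; the enclosing method starts outside the hunk, but the statements belong after the try/finally (or inside the try), not in the cleanup path. The configuration key is a bare literal, unlike CONF_FILE and KEYSTORE_TYPE in the same class, and `properties.getProperty("trustStoreConfig")` yields null when the property is absent, which is handed straight to `init`; a named constant plus a null check that throws a SAMLEngineException with a clear message would make a missing trust store fail loudly at start-up instead of later during validation. The block comment uses `/** … */`, which is Javadoc syntax on a statement; a plain `//` comment is the convention for in-body remarks.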
@@ -204,7 +216,7 @@ public final class SignHW implements SAMLEngineSignI {
X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName());
X509Principal issuerDNConf = new X509Principal(issuer);
- if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) {
+ if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) {
alias = aliasCert;
find = true;
}
@@ -339,56 +351,14 @@ public final class SignHW implements SAMLEngineSignI {
* exception in validate signature
*/
public SAMLObject validateSignature(final SignableSAMLObject tokenSaml) throws SAMLEngineException {
- LOG.info("Start signature validation.");
+ LOG.info("Start signature validation HW.");
+ /*
+ * we are using the soft signature class to validate the signatures. This way we use the same key store code and validation that is used there.
+ */
try {
-
- // Validate structure signature
- final SAMLSignatureProfileValidator signProfValidator = new SAMLSignatureProfileValidator();
-
- // Indicates signature id conform to SAML Signature profile
- signProfValidator.validate(tokenSaml.getSignature());
-
- String aliasCert;
- X509Certificate certificate;
-
- final List<Credential> trustedCred = new ArrayList<Credential>();
-
- for (final Enumeration<String> e = storkOwnKeyStore.aliases(); e.hasMoreElements();) {
- aliasCert = e.nextElement();
- final BasicX509Credential credential = new BasicX509Credential();
- certificate = (X509Certificate) storkOwnKeyStore.getCertificate(aliasCert);
- credential.setEntityCertificate(certificate);
- trustedCred.add(credential);
- }
-
- final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo();
- final List<X509Certificate> listCertificates = KeyInfoHelper.getCertificates(keyInfo);
-
- if (listCertificates.size() != 1) {
- throw new SAMLEngineException("Only must be one certificate");
- }
-
- // Exist only one certificate
- final BasicX509Credential entityX509Cred = new BasicX509Credential();
- entityX509Cred.setEntityCertificate(listCertificates.get(0));
-
- final ExplicitKeyTrustEvaluator keyTrustEvaluator = new ExplicitKeyTrustEvaluator();
- if (!keyTrustEvaluator.validate(entityX509Cred, trustedCred)) {
- throw new SAMLEngineException("Certificate it is not trusted.");
- }
-
- final SignatureValidator sigValidator = new SignatureValidator(entityX509Cred);
-
- sigValidator.validate(tokenSaml.getSignature());
-
- } catch (final ValidationException e) {
- LOG.error("ValidationException.", e);
- throw new SAMLEngineException(e);
- } catch (final KeyStoreException e) {
- LOG.error("ValidationException.", e);
- throw new SAMLEngineException(e);
- } catch (final CertificateException e) {
- LOG.error("CertificateException.", e);
+ swTrustStore.validateSignature(tokenSaml);
+ } catch (Exception e) {
+ LOG.error("SW ValidationException.", e);
throw new SAMLEngineException(e);
}
return tokenSaml;
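Review bot: The new `catch (Exception e)` wraps every failure of the delegated call under "SW ValidationException.", including the SAMLEngineException the delegate presumably already throws (now double-wrapped) and the NullPointerException raised when `swTrustStore` was never initialised, which then reads as a signature failure rather than a configuration error. A guard before the try, `if (swTrustStore == null) { throw new SAMLEngineException("Trust store not initialised"); }`, together with catching `SAMLEngineException` (rethrown as-is) and `RuntimeException` separately, would keep the reported cause honest. The new comment claims the soft class provides "the same key store code and validation", but the removed code enforced a single-certificate KeyInfo, an explicit-trust check against the HW keystore and the SAML signature profile; whether SignSW.validateSignature performs all of these against the trustStoreConfig keystore is not visible here and should be stated in the comment, since this commit changes the trust anchor set used for incoming signatures. The types used only by the removed lines (SAMLSignatureProfileValidator, ExplicitKeyTrustEvaluator, BasicX509Credential, KeyInfoHelper) are likely now unused imports in this file.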
@@ -408,6 +378,12 @@ public final class SignHW implements SAMLEngineSignI {
try {
inputStream = SignHW.class.getResourceAsStream("/" + properties.getProperty(CONF_FILE));
+ final Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(inputStream);
+ if (Security.getProperty(pkcs11Provider.getName()) == null) {
+ Security.insertProviderAt(pkcs11Provider, Security.getProviders().length);
+ }
+
+ storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE), pkcs11Provider);
} catch (final Exception e) {
throw new SAMLEngineException("Error loading CryptographicServiceProvider", e);