1 files changed, 97 insertions, 9 deletions

diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java
index 33ed05515..50ad9936d 100644
--- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java
+++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java
@@ -44,6 +44,9 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.opensaml.Configuration;

 import org.opensaml.common.SAMLObject;

 import org.opensaml.common.SignableSAMLObject;

+import org.opensaml.saml2.core.Assertion;

+import org.opensaml.saml2.core.LogoutResponse;

+import org.opensaml.saml2.core.Response;

 import org.opensaml.security.SAMLSignatureProfileValidator;

 import org.opensaml.xml.io.MarshallingException;

 import org.opensaml.xml.security.SecurityConfiguration;

@@ -66,6 +69,7 @@ import org.opensaml.xml.validation.ValidationException;
 import org.slf4j.Logger;

 import org.slf4j.LoggerFactory;

 

+import eu.stork.peps.auth.engine.core.CustomAttributeQuery;

 import eu.stork.peps.auth.engine.core.SAMLEngineSignI;

 import eu.stork.peps.exceptions.SAMLEngineException;

 

@@ -274,8 +278,10 @@ public final class SignP12 implements SAMLEngineSignI {
 

 	    signature.setSigningCredential(credential);

 

+	    /*signature.setSignatureAlgorithm(

+	    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);*/

 	    signature.setSignatureAlgorithm(

-		    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

+		    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

 	    

 	    final SecurityConfiguration secConfiguration = Configuration

 		    .getGlobalSecurityConfiguration();

@@ -294,14 +300,76 @@ public final class SignP12 implements SAMLEngineSignI {
 	    signature.setCanonicalizationAlgorithm(

 		    SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

 

-	    tokenSaml.setSignature(signature);

+	  //Create a second signature which will be used when signing assertion and response

+	    final Signature signature2 = (Signature) Configuration

+	    .getBuilderFactory().getBuilder(

+		    Signature.DEFAULT_ELEMENT_NAME).buildObject(

+		    Signature.DEFAULT_ELEMENT_NAME);

+	    final SecurityConfiguration secConfiguration2 = Configuration

+	    .getGlobalSecurityConfiguration();

+	    final NamedKeyInfoGeneratorManager keyInfoManager2 = secConfiguration2

+		    .getKeyInfoGeneratorManager();

+	    final KeyInfoGeneratorManager keyInfoGenManager2 = keyInfoManager2

+		    .getDefaultManager();

+	    final KeyInfoGeneratorFactory keyInfoGenFac2 = keyInfoGenManager2

+		    .getFactory(credential);

+	    final KeyInfoGenerator keyInfoGenerator2 = keyInfoGenFac2

+		    .newInstance();

+	    

+	    KeyInfo keyInfo2 = keyInfoGenerator2.generate(credential);

+	    signature2.setSigningCredential(credential);

+	    signature2.setSignatureAlgorithm(

+			    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

+	    signature2.setKeyInfo(keyInfo2);

+	    signature2.setCanonicalizationAlgorithm(

+		    SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

+	    	 	    

 

 	    LOG.info("Marshall samlToken.");

-	    Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+	    String qn = tokenSaml.getElementQName().toString();

+	    

+	    if (qn.endsWith(CustomAttributeQuery.DEFAULT_ELEMENT_LOCAL_NAME))

+	    {	    

+	  		tokenSaml.setSignature(signature);

+	    	CustomAttributeQueryMarshaller mars = new CustomAttributeQueryMarshaller();

+	    	mars.marshall(tokenSaml);

+	    	Signer.signObject(signature);

+	    }

+	    else if (qn.endsWith(Response.DEFAULT_ELEMENT_LOCAL_NAME) && !qn.contains(LogoutResponse.DEFAULT_ELEMENT_LOCAL_NAME))

+	    {

+	    	Response res = (Response)tokenSaml;

+	    	List<Assertion> asserts = res.getAssertions();

+	    	//If multiple assertions we just sign the response and not the assertion

+	    	if (asserts.size() > 1)

+	    	{	    		

+	    		tokenSaml.setSignature(signature);

+	    		Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+			    .marshall(tokenSaml);

+	    		LOG.info("Sign samlToken.");

+	    	    Signer.signObject(signature);

+	    	}

+	    	//If single assertion we sign the assertion and response

+	    	else

+	    	{

+			    Assertion assertion = (Assertion)asserts.get(0);

+			    assertion.setSignature(signature);			    

+			    tokenSaml.setSignature(signature2);

+			    Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

+			    .marshall(tokenSaml);

+			    LOG.info("Sign samlToken.");

+			    Signer.signObject(signature);

+			    Signer.signObject(signature2);

+	    	}

+	    }

+	    //Normally we just sign the total saml response

+	    else

+	    {

+	    	tokenSaml.setSignature(signature);

+	    	Configuration.getMarshallerFactory().getMarshaller(tokenSaml)

 		    .marshall(tokenSaml);

-

-	    LOG.info("Sign samlToken.");

-	    Signer.signObject(signature);

+	    	LOG.info("Sign samlToken.");

+		    Signer.signObject(signature);

+	    }

 

 	} catch (MarshallingException e) {

 	    LOG.error("MarshallingException");

@@ -355,7 +423,7 @@ public final class SignP12 implements SAMLEngineSignI {
 	    String aliasCert = null;

 	    X509Certificate certificate;

 

-	    final List<Credential> trustCred = new ArrayList<Credential>();

+	    /*final List<Credential> trustCred = new ArrayList<Credential>();

 

 	    for (final Enumeration<String> e = trustStore.aliases(); e

 		    .hasMoreElements();) {

@@ -365,7 +433,7 @@ public final class SignP12 implements SAMLEngineSignI {
 			.getCertificate(aliasCert);

 		credential.setEntityCertificate(certificate);

 		trustCred.add(credential);

-	    }

+	    }*/

 

 	    final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo();

 

@@ -382,13 +450,33 @@ public final class SignP12 implements SAMLEngineSignI {
 	    // Exist only one certificate

 	    final BasicX509Credential entityX509Cred = new BasicX509Credential();

 	    entityX509Cred.setEntityCertificate(cert);

+	    

+	    boolean trusted = false;

+		

+		for (final Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) 

+	    {

+	    	aliasCert = e.nextElement();		

+	    	certificate = (X509Certificate) trustStore.getCertificate(aliasCert);					

+	    	try {

+	    		cert.verify(certificate.getPublicKey());

+	    		trusted = true;

+	    		break;

+	    	}

+	    	catch (Exception ex) {

+	    		//Do nothing - cert not trusted yet

+	    	}

+	    }

+		

+		if (!trusted)

+		    throw new SAMLEngineException("Certificate is not trusted.");

 

+		/*

 	    // Validate trust certificates

 	    final ExplicitKeyTrustEvaluator keyTrustEvaluator = 

 		new ExplicitKeyTrustEvaluator();

 	    if (!keyTrustEvaluator.validate(entityX509Cred, trustCred)) {

 		throw new SAMLEngineException("Certificate it is not trusted.");

-	    }

+	    }*/

 

 	    // Validate signature

 	    final SignatureValidator sigValidator = new SignatureValidator(