From 1bfe0985454ecd361bd345cd712506c66d5dbd40 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 27 Jan 2017 23:13:06 +0100
Subject: allow EntitiesDescriptor elements in eIDAS metadata.

---
 .../metadata/MOASPMetadataSignatureFilter.java     | 114 +++++++++++----------
 1 file changed, 62 insertions(+), 52 deletions(-)

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
index b6fed5934..16b179d89 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.provider.FilterException;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
@@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter {
 	@Override
 	public void doFilter(XMLObject metadata) throws FilterException {
 		if (metadata instanceof EntityDescriptor) {
-			if (((EntityDescriptor) metadata).isSigned()) {				
-				EntityDescriptor entityDes = (EntityDescriptor) metadata;
-				//check signature;
-				try {
-					byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
-					
-//					Transformer transformer = TransformerFactory.newInstance()
-//							.newTransformer();	
-//					StringWriter sw = new StringWriter();
-//					StreamResult sr = new StreamResult(sw);
-//					DOMSource source = new DOMSource(metadata.getDOM());
-//					transformer.transform(source, sr);
-//					sw.close();
-//					String metadataXML = sw.toString();
-					
-					SignatureVerificationUtils sigVerify = 
-							new SignatureVerificationUtils();
-					IVerifiyXMLSignatureResponse result = sigVerify.verify(
-							serialized, trustProfileID);
-					
-					//check signature-verification result
-					if (result.getSignatureCheckCode() != 0) {
-						Logger.warn("Metadata signature-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getSignatureCheckCode());
-						throw new FilterException("Metadata signature-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getSignatureCheckCode());
+			checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID());
 						
-					}
-					
-					if (result.getCertificateCheckCode() != 0) {
-						Logger.warn("Metadata certificate-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getCertificateCheckCode());
-						throw new FilterException("Metadata certificate-verification FAILED!"
-								+ " Metadata: " + entityDes.getEntityID()
-								+ " StatusCode:" + result.getCertificateCheckCode());
-						
-					}
-					
-					Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid");
+		} else if (metadata instanceof EntitiesDescriptor) {
+			EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+			if (entitiesDesc.getEntityDescriptors() != null && 
+					entitiesDesc.getEntityDescriptors().size() > 1) {
+				String nameForLogging = entitiesDesc.getName();
+				if (MiscUtil.isEmpty(nameForLogging))
+					nameForLogging = entitiesDesc.getID();
+				
+				checkSignature(metadata, nameForLogging);
+				
+			} else {
+				Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'");
+				throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor");
+				
+			}
+			
+		} else {
+			Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'");
+			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'");
+			
+		}
+		
+	}
+	
+	private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException {
+		if (((EntityDescriptor) metadata).isSigned()) {				
+			//check signature;
+			try {
+				byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
+				
+				SignatureVerificationUtils sigVerify = 
+						new SignatureVerificationUtils();
+				IVerifiyXMLSignatureResponse result = sigVerify.verify(
+						serialized, trustProfileID);
 				
-				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
-					Logger.error("Metadata verification for Entity:" + entityDes.getEntityID() 
-							+ " has an interal error.", e);
-					throw new FilterException("Metadata verification has an interal error."
-							+ " Message:" + e.getMessage());
+				//check signature-verification result
+				if (result.getSignatureCheckCode() != 0) {
+					Logger.warn("Metadata signature-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getSignatureCheckCode());
 					
 				}
 				
+				if (result.getCertificateCheckCode() != 0) {
+					Logger.warn("Metadata certificate-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getCertificateCheckCode());
+					throw new FilterException("Metadata certificate-verification FAILED!"
+							+ " Metadata: " + nameForLogging
+							+ " StatusCode:" + result.getCertificateCheckCode());
+					
+				}
 				
-			} else {
-				Logger.warn("Metadata root-element MUST be signed.");
-				throw new FilterException("Metadata root-element MUST be signed.'");
+				Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid");
+			
+			} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+				Logger.error("Metadata verification for Entity:" + nameForLogging 
+						+ " has an interal error.", e);
+				throw new FilterException("Metadata verification has an interal error."
+						+ " Message:" + e.getMessage());
 				
 			}
-						
+			
+			
 		} else {
-			Logger.warn("Metadata root-element is not of type 'EntityDescriptor'");
-			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'");
+			Logger.warn("Metadata root-element MUST be signed.");
+			throw new FilterException("Metadata root-element MUST be signed.'");
 			
 		}
 		
-- 
cgit v1.2.3