From 7f1a1d200e647fce391f674994b908ef2c799f4d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 15 Apr 2014 13:29:57 +0200
Subject: add SPSSODescriptor for MOA-ID interfederation

---
 .../moa/id/protocols/pvp2x/MetadataAction.java     | 304 ++++++++++++++-------
 1 file changed, 206 insertions(+), 98 deletions(-)

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index a29728245..fd501fde7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -23,6 +23,7 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x;
 
 import java.io.StringWriter;
+import java.security.KeyStore;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
@@ -38,18 +39,27 @@ import org.joda.time.DateTime;
 import org.opensaml.Configuration;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.ContactPerson;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
 import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
 import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.SecurityHelper;
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.Signer;
@@ -57,14 +67,17 @@ import org.w3c.dom.Document;
 
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 public class MetadataAction implements IAction {
 
@@ -111,6 +124,7 @@ public class MetadataAction implements IAction {
 			//keyInfoFactory.setEmitPublicKeyValue(true);
 			keyInfoFactory.setEmitEntityIDAsKeyName(true);
 			keyInfoFactory.setEmitEntityCertificate(true);
+
 			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
 			
 			Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
@@ -121,106 +135,12 @@ public class MetadataAction implements IAction {
 			SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null);
 			
 			idpEntitiesDescriptor.setSignature(signature);
-			
-//			//set SignatureMethode
-//			signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE);
-//			
-//			//set DigestMethode
-//			List<ContentReference> contentList = signature.getContentReferences();
-//			for (ContentReference content : contentList) {
-//				
-//				if (content instanceof SAMLObjectContentReference) {
-//					
-//					SAMLObjectContentReference el = (SAMLObjectContentReference) content;
-//					el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE);
-//					
-//				}
-//			}
-			
-			
-//			KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder();
-//			KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject();
-//			//KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.);
-//			signature.setKeyInfo(metadataKeyInfo );
-			
-
 
-			IDPSSODescriptor idpSSODescriptor = SAML2Utils
-					.createSAMLObject(IDPSSODescriptor.class);
-
-			idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
-			
-			idpSSODescriptor.setWantAuthnRequestsSigned(true);			
-			
-			if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) {
-				SingleSignOnService postSingleSignOnService = SAML2Utils
-						.createSAMLObject(SingleSignOnService.class);
-
-				postSingleSignOnService.setLocation(PVPConfiguration
-						.getInstance().getIDPSSOPostService());
-				postSingleSignOnService
-						.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
-
-				idpSSODescriptor.getSingleSignOnServices().add(
-						postSingleSignOnService);
-			}
-
-			if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) {
-				SingleSignOnService redirectSingleSignOnService = SAML2Utils
-						.createSAMLObject(SingleSignOnService.class);
-
-				redirectSingleSignOnService.setLocation(PVPConfiguration
-						.getInstance().getIDPSSORedirectService());
-				redirectSingleSignOnService
-						.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-
-				idpSSODescriptor.getSingleSignOnServices().add(
-						redirectSingleSignOnService);
-			}
-
-			/*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) {
-				ArtifactResolutionService artifactResolutionService = SAML2Utils
-						.createSAMLObject(ArtifactResolutionService.class);
-
-				artifactResolutionService
-						.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
-				artifactResolutionService.setLocation(PVPConfiguration
-						.getInstance().getIDPResolveSOAPService());
-
-				artifactResolutionService.setIndex(0);
-				
-				idpSSODescriptor.getArtifactResolutionServices().add(
-						artifactResolutionService);
-			}*/
-		
-			//set assertion signing key
-			Credential assertionSigingCredential = CredentialProvider
-					.getIDPAssertionSigningCredential();
-
-			KeyDescriptor signKeyDescriptor = SAML2Utils
-					.createSAMLObject(KeyDescriptor.class);
-			signKeyDescriptor.setUse(UsageType.SIGNING);
-			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential));
-			idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
-						
-			idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes());
-			
-			NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
-			persistenNameIDFormat.setFormat(NameIDType.PERSISTENT);
+			//set IDP metadata
+			idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator));
 			
-			idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat);
-			
-			NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
-			transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
-			
-			idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
-			
-			NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
-			unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED);
-			
-			idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat);
-			
-			idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor);
+			//set SP metadata for interfederation
+			idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator));
 			
 			DocumentBuilder builder;
 			DocumentBuilderFactory factory = DocumentBuilderFactory
@@ -269,4 +189,192 @@ public class MetadataAction implements IAction {
 		return (PVP2XProtocol.METADATA);
 	}
 
+	private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
+
+		Logger.debug("Set SP Metadata key information");
+		
+		SPSSODescriptor spSSODescriptor = SAML2Utils
+				.createSAMLObject(SPSSODescriptor.class);
+
+		spSSODescriptor.setAuthnRequestsSigned(true);
+		spSSODescriptor.setWantAssertionsSigned(true);
+	
+ 		
+		//Set AuthRequest Signing certificate
+		X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential();
+		
+		KeyDescriptor signKeyDescriptor = SAML2Utils
+				.createSAMLObject(KeyDescriptor.class);
+		signKeyDescriptor.setUse(UsageType.SIGNING);
+		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	
+		spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+		
+		
+		//set AuthRequest encryption certificate
+		
+		X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential();			
+
+		if (authEncCredential != null) {
+			KeyDescriptor encryKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			encryKeyDescriptor.setUse(UsageType.ENCRYPTION);
+			encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));	
+			spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor);
+			
+		} else {
+			Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!");
+			
+		}
+				
+		NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+		persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
+		
+		spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat);
+		
+		NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+		transientnameIDFormat.setFormat(NameIDType.TRANSIENT);
+		
+		spSSODescriptor.getNameIDFormats().add(transientnameIDFormat);
+		
+		NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+		unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED);
+		
+		spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat);
+					
+		AssertionConsumerService postassertionConsumerService = 
+				SAML2Utils.createSAMLObject(AssertionConsumerService.class);		
+		postassertionConsumerService.setIndex(0);
+		postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+		postassertionConsumerService.setLocation(PVPConfiguration
+				.getInstance().getIDPSSOPostService());	
+		postassertionConsumerService.setIsDefault(true);
+		spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+		
+		
+		AssertionConsumerService redirectassertionConsumerService = 
+				SAML2Utils.createSAMLObject(AssertionConsumerService.class);		
+		redirectassertionConsumerService.setIndex(1);
+		redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+		redirectassertionConsumerService.setLocation(PVPConfiguration
+				.getInstance().getIDPSSORedirectService());		
+		spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
+		
+		spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+						
+		AttributeConsumingService attributeService = 
+				SAML2Utils.createSAMLObject(AttributeConsumingService.class);
+		
+		attributeService.setIndex(0);
+		attributeService.setIsDefault(true);
+		ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+		serviceName.setName(new LocalizedString("Default Service", "de"));
+		attributeService.getNames().add(serviceName);
+						
+		return spSSODescriptor;
+	}
+	
+	private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
+		
+
+//		//set SignatureMethode
+//		signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE);
+//		
+//		//set DigestMethode
+//		List<ContentReference> contentList = signature.getContentReferences();
+//		for (ContentReference content : contentList) {
+//			
+//			if (content instanceof SAMLObjectContentReference) {
+//				
+//				SAMLObjectContentReference el = (SAMLObjectContentReference) content;
+//				el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE);
+//				
+//			}
+//		}
+		
+		
+//		KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder();
+//		KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject();
+//		//KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.);
+//		signature.setKeyInfo(metadataKeyInfo );
+		
+		
+		IDPSSODescriptor idpSSODescriptor = SAML2Utils
+				.createSAMLObject(IDPSSODescriptor.class);
+
+		idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+		
+		idpSSODescriptor.setWantAuthnRequestsSigned(true);			
+		
+		if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) {
+			SingleSignOnService postSingleSignOnService = SAML2Utils
+					.createSAMLObject(SingleSignOnService.class);
+
+			postSingleSignOnService.setLocation(PVPConfiguration
+					.getInstance().getIDPSSOPostService());
+			postSingleSignOnService
+					.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+
+			idpSSODescriptor.getSingleSignOnServices().add(
+					postSingleSignOnService);
+		}
+
+		if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) {
+			SingleSignOnService redirectSingleSignOnService = SAML2Utils
+					.createSAMLObject(SingleSignOnService.class);
+
+			redirectSingleSignOnService.setLocation(PVPConfiguration
+					.getInstance().getIDPSSORedirectService());
+			redirectSingleSignOnService
+					.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+
+			idpSSODescriptor.getSingleSignOnServices().add(
+					redirectSingleSignOnService);
+		}
+
+		/*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) {
+			ArtifactResolutionService artifactResolutionService = SAML2Utils
+					.createSAMLObject(ArtifactResolutionService.class);
+
+			artifactResolutionService
+					.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+			artifactResolutionService.setLocation(PVPConfiguration
+					.getInstance().getIDPResolveSOAPService());
+
+			artifactResolutionService.setIndex(0);
+			
+			idpSSODescriptor.getArtifactResolutionServices().add(
+					artifactResolutionService);
+		}*/
+	
+		//set assertion signing key
+		Credential assertionSigingCredential = CredentialProvider
+				.getIDPAssertionSigningCredential();
+
+		KeyDescriptor signKeyDescriptor = SAML2Utils
+				.createSAMLObject(KeyDescriptor.class);
+		signKeyDescriptor.setUse(UsageType.SIGNING);
+		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential));
+		idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+					
+		idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes());
+		
+		NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+		persistenNameIDFormat.setFormat(NameIDType.PERSISTENT);
+		
+		idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat);
+		
+		NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+		transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
+		
+		idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
+		
+		NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+		unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED);
+		
+		idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat);
+		
+		return idpSSODescriptor;
+		
+	}
+	
 }
-- 
cgit v1.2.3