From 0436de6184c1a95d463da52929e3bf60923d6e04 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 13 Dec 2021 09:23:09 +0100 Subject: update third-party libs and resolve API issues --- .../validation/oa/OAPVP2ConfigValidation.java | 362 +++++++++++---------- 1 file changed, 182 insertions(+), 180 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index cbb7c88b2..8e9865a3a 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -33,7 +33,6 @@ import javax.net.ssl.SSLHandshakeException; import javax.servlet.http.HttpServletRequest; import org.apache.commons.httpclient.MOAHttpClient; -import org.apache.log4j.Logger; import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.saml2.metadata.provider.MetadataFilterChain; @@ -57,186 +56,189 @@ import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; import iaik.x509.X509Certificate; +import lombok.extern.slf4j.Slf4j; +@Slf4j public class OAPVP2ConfigValidation { - private static final Logger log = Logger.getLogger(OAPVP2ConfigValidation.class); - - public List validate(OAPVP2Config form, String oaID, HttpServletRequest request) { - - Timer timer = null; - MOAHttpClient httpClient = null; - HTTPMetadataProvider httpProvider = null; - - List errors = new ArrayList(); - try { - byte[] certSerialized = null; - if (form.getFileUpload() != null) - certSerialized = form.getCertificate(); - - else { - try { - //Some databases does not allow the selection of a lob in SQL where expression - String dbDriver = ConfigurationProvider.getInstance().getConfigurationProperties().getProperty("hibernate.connection.driver_class"); - boolean backupVersion = false; - if (MiscUtil.isNotEmpty(dbDriver)) { - for (String el:MOAIDConstants.JDBC_DRIVER_NEEDS_WORKAROUND) { - if (dbDriver.startsWith(el)) { - backupVersion = true; - log.debug("JDBC driver '" + dbDriver - + "' is blacklisted --> Switch to alternative DB access methode implementation."); - - } - - } - } - - Map oa = ConfigurationProvider.getInstance().getDbRead().getOnlineApplicationKeyValueWithId(oaID, backupVersion); - if (oa != null && - MiscUtil.isNotEmpty(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE))) { - certSerialized = Base64Utils.decode(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE), false); - form.setStoredCert(certSerialized); - } - - } catch (ConfigurationException e) { - log.error("MOA-ID-Configuration initialization FAILED.", e); - - } - } - - String check = form.getMetaDataURL(); - if (MiscUtil.isNotEmpty(check)) { - - if (!ValidationHelper.validateURL(check)) { - log.info("MetaDataURL has no valid form."); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request)); - - } else { - if (certSerialized == null) { - log.info("No certificate for metadata validation"); - errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); - - } else { - if (form.getMetaDataURL().startsWith("http")) { - X509Certificate cert = new X509Certificate(certSerialized); - BasicX509Credential credential = new BasicX509Credential(); - credential.setEntityCertificate(cert); - - timer = new Timer(); - httpClient = new MOAHttpClient(); - - if (form.getMetaDataURL().startsWith("https:")) - try { - MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - "MOAMetaDataProvider", - true, - ConfigurationProvider.getInstance().getCertStoreDirectory(), - ConfigurationProvider.getInstance().getTrustStoreDirectory(), - null, - "pkix", - true, - new String[]{"crl"}, - false); - - httpClient.setCustomSSLTrustStore( - form.getMetaDataURL(), - protoSocketFactory); - - } catch (MOAHttpProtocolSocketFactoryException e) { - log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); - - } catch (ConfigurationException e) { - log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore."); - - } - - List filterList = new ArrayList(); - filterList.add(new MetaDataVerificationFilter(credential)); - - try { - filterList.add(new SchemaValidationFilter( - ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive())); - - } catch (ConfigurationException e) { - log.warn("Configuration access FAILED!", e); - - } - - MetadataFilterChain filter = new MetadataFilterChain(); - filter.setFilters(filterList); - - httpProvider = - new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); - httpProvider.setParserPool(new BasicParserPool()); - httpProvider.setRequireValidMetadata(true); - httpProvider.setMetadataFilter(filter); - httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes - httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours - - httpProvider.setRequireValidMetadata(true); - - httpProvider.initialize(); - - - - - if (httpProvider.getMetadata() == null) { - log.info("Metadata could be received but validation FAILED."); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request)); - } - - } else { - log.info("Metadata load validation skipped, because it's no http(s) metadata: " + form.getMetaDataURL()); - - } - - } - } - } - - } catch (CertificateException e) { - log.info("Uploaded Certificate can not be found", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); - - } catch (IOException e) { - log.info("Metadata can not be loaded from URL", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request)); - - } catch (MetadataProviderException e) { - - try { - if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { - log.info("SSL Server certificate not trusted.", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); - - } else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { - log.info("MetaDate verification failed", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request)); - - } else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { - log.info("MetaDate verification failed", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request)); - - } else { - log.info("MetaDate verification failed", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request)); - } - - } catch (Exception e1) { - log.info("MetaDate verification failed", e1); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request)); - - } - - } finally { - if (httpProvider != null) - httpProvider.destroy(); - - if (timer != null) - timer.cancel(); - - } - - return errors; - } + public List validate(OAPVP2Config form, String oaID, HttpServletRequest request) { + + Timer timer = null; + MOAHttpClient httpClient = null; + HTTPMetadataProvider httpProvider = null; + + final List errors = new ArrayList<>(); + try { + byte[] certSerialized = null; + if (form.getFileUpload() != null) { + certSerialized = form.getCertificate(); + } else { + try { + // Some databases does not allow the selection of a lob in SQL where expression + final String dbDriver = ConfigurationProvider.getInstance().getConfigurationProperties() + .getProperty("hibernate.connection.driver_class"); + boolean backupVersion = false; + if (MiscUtil.isNotEmpty(dbDriver)) { + for (final String el : MOAIDConstants.JDBC_DRIVER_NEEDS_WORKAROUND) { + if (dbDriver.startsWith(el)) { + backupVersion = true; + log.debug("JDBC driver '" + dbDriver + + "' is blacklisted --> Switch to alternative DB access methode implementation."); + + } + + } + } + + final Map oa = ConfigurationProvider.getInstance().getDbRead() + .getOnlineApplicationKeyValueWithId(oaID, backupVersion); + if (oa != null && + MiscUtil.isNotEmpty(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE))) { + certSerialized = Base64Utils.decode(oa.get( + MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE), false); + form.setStoredCert(certSerialized); + } + + } catch (final ConfigurationException e) { + log.error("MOA-ID-Configuration initialization FAILED.", e); + + } + } + + final String check = form.getMetaDataURL(); + if (MiscUtil.isNotEmpty(check)) { + + if (!ValidationHelper.validateURL(check)) { + log.info("MetaDataURL has no valid form."); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request)); + + } else { + if (certSerialized == null) { + log.info("No certificate for metadata validation"); + errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); + + } else { + if (form.getMetaDataURL().startsWith("http")) { + final X509Certificate cert = new X509Certificate(certSerialized); + final BasicX509Credential credential = new BasicX509Credential(); + credential.setEntityCertificate(cert); + + timer = new Timer(); + httpClient = new MOAHttpClient(); + + if (form.getMetaDataURL().startsWith("https:")) { + try { + final MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + "MOAMetaDataProvider", + true, + ConfigurationProvider.getInstance().getCertStoreDirectory(), + ConfigurationProvider.getInstance().getTrustStoreDirectory(), + null, + "pkix", + true, + new String[] { "crl" }, + false); + + httpClient.setCustomSSLTrustStore( + form.getMetaDataURL(), + protoSocketFactory); + + } catch (final MOAHttpProtocolSocketFactoryException e) { + log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); + + } catch (final ConfigurationException e) { + log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore."); + + } + } + + final List filterList = new ArrayList<>(); + filterList.add(new MetaDataVerificationFilter(credential)); + + try { + filterList.add(new SchemaValidationFilter( + ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive())); + + } catch (final ConfigurationException e) { + log.warn("Configuration access FAILED!", e); + + } + + final MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); + + httpProvider = + new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); + httpProvider.setParserPool(new BasicParserPool()); + httpProvider.setRequireValidMetadata(true); + httpProvider.setMetadataFilter(filter); + httpProvider.setMinRefreshDelay(1000 * 60 * 15); // 15 minutes + httpProvider.setMaxRefreshDelay(1000 * 60 * 60 * 24); // 24 hours + + httpProvider.setRequireValidMetadata(true); + + httpProvider.initialize(); + + if (httpProvider.getMetadata() == null) { + log.info("Metadata could be received but validation FAILED."); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request)); + } + + } else { + log.info("Metadata load validation skipped, because it's no http(s) metadata: " + form + .getMetaDataURL()); + + } + + } + } + } + + } catch (final CertificateException e) { + log.info("Uploaded Certificate can not be found", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); + + } catch (final IOException e) { + log.info("Metadata can not be loaded from URL", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request)); + + } catch (final MetadataProviderException e) { + + try { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + log.info("SSL Server certificate not trusted.", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); + + } else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request)); + + } else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request)); + + } else { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request)); + } + + } catch (final Exception e1) { + log.info("MetaDate verification failed", e1); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request)); + + } + + } finally { + if (httpProvider != null) { + httpProvider.destroy(); + } + + if (timer != null) { + timer.cancel(); + } + + } + + return errors; + } } -- cgit v1.2.3