From 44cb2c6299c247a9836150c68ba45b206c6499aa Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 16:01:44 +0200 Subject: add extended SAML2 metadata validation --- .../moa/id/configuration/data/oa/OAPVP2Config.java | 2 +- .../validation/oa/OAPVP2ConfigValidation.java | 125 +++++++++++++++------ 2 files changed, 91 insertions(+), 36 deletions(-) (limited to 'id/ConfigWebTool') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java index c2a92c9fc..bcac63a5f 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java @@ -117,7 +117,7 @@ public class OAPVP2Config implements IOnlineApplicationData{ @Override public List validate(OAGeneralConfig general, AuthenticatedUser authUser, HttpServletRequest request) { - return new OAPVP2ConfigValidation().validate(this, request); + return new OAPVP2ConfigValidation().validate(this, general.getIdentifier(), request); } /* (non-Javadoc) diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 7da3eb0b7..98d500526 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java 
@@ -22,31 +22,67 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.configuration.validation.oa; +import iaik.x509.X509Certificate; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; +import java.util.Timer; import javax.servlet.http.HttpServletRequest; +import org.apache.commons.httpclient.MOAHttpClient; import org.apache.log4j.Logger; +import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.security.x509.BasicX509Credential; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; +import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; +import at.gv.egovernment.moa.id.configuration.auth.pvp2.MetaDataVerificationFilter; +import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; +import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; -import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; public class OAPVP2ConfigValidation { private static final Logger log = Logger.getLogger(OAPVP2ConfigValidation.class); - public List validate(OAPVP2Config form, HttpServletRequest request) { + public List validate(OAPVP2Config 
form, String oaID, HttpServletRequest request) { + + Timer timer = null; + MOAHttpClient httpClient = null; + HTTPMetadataProvider httpProvider = null; List errors = new ArrayList(); try { - byte[] metadata = null; -// byte[] cert = null; + byte[] certSerialized = null; + if (form.getFileUpload() != null) + certSerialized = form.getCertificate(); + else { + OnlineApplication oa = ConfigurationDBRead.getOnlineApplication(oaID); + if (oa != null && + oa.getAuthComponentOA() != null && + oa.getAuthComponentOA().getOAPVP2() != null) { + certSerialized = oa.getAuthComponentOA().getOAPVP2().getCertificate(); + } + } + + if (certSerialized == null) { + log.info("No certificate for metadata validation"); + errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); + } + String check = form.getMetaDataURL(); if (MiscUtil.isNotEmpty(check)) { 
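Review bot: The new `oaID` parameter on `validate` and the fallback it enables are undocumented: when `form.getFileUpload()` is null the certificate is read from the stored OA configuration via `ConfigurationDBRead.getOnlineApplication(oaID)`, so an identifier that is not yet persisted ends in the `validation.pvp2.certificate.notfound` error instead of a metadata check. A Javadoc on the signature should state that `oaID` selects the stored certificate used when no file is uploaded, and that without a certificate from either source the metadata URL is only syntax-checked, never fetched. Separately, `ConfigurationDBUtils` is imported but no use of it is visible in this patch, and `iaik.x509.X509Certificate` is placed above the `java.*` import group. The method body continues into the next hunk.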
@@ -55,37 +91,48 @@ public class OAPVP2ConfigValidation { errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request)); } else { - metadata = FileUtils.readURL(check); - if (MiscUtil.isEmpty(metadata)) { - log.info("Filecontent can not be read form MetaDataURL."); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request)); + + if (certSerialized != null) { + X509Certificate cert = new X509Certificate(certSerialized); + BasicX509Credential credential = new BasicX509Credential(); + credential.setEntityCertificate(cert); + + timer = new Timer(); + httpClient = new MOAHttpClient(); + + if (form.getMetaDataURL().startsWith("https:")) + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + "MOAMetaDataProvider", + ConfigurationProvider.getInstance().getCertStoreDirectory(), + ConfigurationProvider.getInstance().getTrustStoreDirectory(), + null, + ChainingModeType.PKIX, + true); + + httpClient.setCustomSSLTrustStore( + form.getMetaDataURL(), + protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } catch (ConfigurationException e) { + log.info("No MOA specific SSL-TrustStore configured. 
Use default Java TrustStore."); + + } + + httpProvider = + new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); + httpProvider.setParserPool(new BasicParserPool()); + httpProvider.setRequireValidMetadata(true); + MetadataFilter filter = new MetaDataVerificationFilter(credential); + httpProvider.setMetadataFilter(filter); + httpProvider.initialize(); } } } - - if (form.getFileUpload() != null) - form.getCertificate(); - -// else { -// if (metadata != null) { -// log.info("No certificate to verify the Metadata defined."); -// errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound")); -// } -// } - -// if (cert != null && metadata != null) { -// HTTPMetadataProvider httpProvider = new HTTPMetadataProvider( -// check, 20000); -// httpProvider.setParserPool(new BasicParserPool()); -// httpProvider.setRequireValidMetadata(true); -// MetadataFilter filter = new MetadataSignatureFilter( -// check, cert); -// httpProvider.setMetadataFilter(filter); -// httpProvider.initialize(); -// -// } - - + } catch (CertificateException e) { log.info("Uploaded Certificate can not be found", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); @@ -94,9 +141,17 @@ public class OAPVP2ConfigValidation { log.info("Metadata can not be loaded from URL", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request)); -// } catch (MetadataProviderException e) { -// log.info("MetaDate verification failed"); -// errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify")); + } catch (MetadataProviderException e) { + log.info("MetaDate verification failed"); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request)); + + } finally { + if (httpProvider != null) + httpProvider.destroy(); + + if (timer != null) + timer.cancel(); + } return errors; -- cgit v1.2.3
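Review bot: The `catch (MOAHttpProtocolSocketFactoryException e)` branch drops the exception and silently falls back to the default Java trust store for the metadata fetch, so a broken cert store or trust store directory is masked as a working configuration; keep the cause in the log, `log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);`. The scheme test `form.getMetaDataURL().startsWith("https:")` is case-sensitive and re-reads the form although `check` already holds the same URL; `check.regionMatches(true, 0, "https:", 0, 6)` covers both spellings and keeps one source of truth. Bracing the `if` body around the `try`/`catch` would also make that scope explicit. The signature check itself is delegated to `MetaDataVerificationFilter`, whose behaviour is not visible in this patch; the enclosing try continues into the next hunk.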
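Review bot: `log.info("MetaDate verification failed")` in the new `catch (MetadataProviderException e)` drops `e`, and as far as can be inferred `HTTPMetadataProvider.initialize()` raises that type for an unreachable URL, unparsable XML and a rejected filter alike, so the log cannot tell a signature mismatch from a download problem and the user-facing `validation.pvp2.metadata.verify` message is likely shown for plain fetch failures too; change it to `log.info("Metadata verification failed", e);`. With the old `FileUtils.readURL` path removed, it is worth checking whether anything left inside the try still throws the IOException handled by the preceding catch, or whether that branch is now only reachable through `form.getCertificate()`. The `finally` block destroys the provider and cancels the timer but never releases `httpClient`; if MOAHttpClient owns a connection manager it should be shut down here as well, which cannot be confirmed from this patch. The enclosing try starts in the previous hunk.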