From 1bfe0985454ecd361bd345cd712506c66d5dbd40 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 27 Jan 2017 23:13:06 +0100 Subject: allow EntitiesDescriptor elements in eIDAS metadata. --- .../metadata/MOASPMetadataSignatureFilter.java | 114 +++++++++++---------- 1 file changed, 62 insertions(+), 52 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java index b6fed5934..16b179d89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java @@ -27,6 +27,7 @@ import java.io.IOException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactoryConfigurationError; +import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; @@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter { @Override public void doFilter(XMLObject metadata) throws FilterException { if (metadata instanceof EntityDescriptor) { - if (((EntityDescriptor) metadata).isSigned()) { - EntityDescriptor entityDes = (EntityDescriptor) metadata; - //check signature; - try { - byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); - -// Transformer transformer = TransformerFactory.newInstance() -// .newTransformer(); -// StringWriter sw = new StringWriter(); -// StreamResult sr = new StreamResult(sw); -// DOMSource source = new DOMSource(metadata.getDOM()); -// transformer.transform(source, sr); -// sw.close(); -// String metadataXML = sw.toString(); - - SignatureVerificationUtils sigVerify = - new SignatureVerificationUtils(); - IVerifiyXMLSignatureResponse result = sigVerify.verify( - serialized, trustProfileID); - - //check signature-verification result - if (result.getSignatureCheckCode() != 0) { - Logger.warn("Metadata signature-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getSignatureCheckCode()); - throw new FilterException("Metadata signature-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getSignatureCheckCode()); + checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID()); - } - - if (result.getCertificateCheckCode() != 0) { - Logger.warn("Metadata certificate-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getCertificateCheckCode()); - throw new FilterException("Metadata certificate-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getCertificateCheckCode()); - - } - - Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid"); + } else if (metadata instanceof EntitiesDescriptor) { + EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null && + entitiesDesc.getEntityDescriptors().size() > 1) { + String nameForLogging = entitiesDesc.getName(); + if (MiscUtil.isEmpty(nameForLogging)) + nameForLogging = entitiesDesc.getID(); + + checkSignature(metadata, nameForLogging); + + } else { + Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'"); + throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor"); + + } + + } else { + Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); + throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); + + } + + } + + private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException { + if (((EntityDescriptor) metadata).isSigned()) { + //check signature; + try { + byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); + + SignatureVerificationUtils sigVerify = + new SignatureVerificationUtils(); + IVerifiyXMLSignatureResponse result = sigVerify.verify( + serialized, trustProfileID); - } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { - Logger.error("Metadata verification for Entity:" + entityDes.getEntityID() - + " has an interal error.", e); - throw new FilterException("Metadata verification has an interal error." - + " Message:" + e.getMessage()); + //check signature-verification result + if (result.getSignatureCheckCode() != 0) { + Logger.warn("Metadata signature-verification FAILED!" + + " Metadata: " + nameForLogging + + " StatusCode:" + result.getSignatureCheckCode()); } + if (result.getCertificateCheckCode() != 0) { + Logger.warn("Metadata certificate-verification FAILED!" + + " Metadata: " + nameForLogging + + " StatusCode:" + result.getCertificateCheckCode()); + throw new FilterException("Metadata certificate-verification FAILED!" + + " Metadata: " + nameForLogging + + " StatusCode:" + result.getCertificateCheckCode()); + + } - } else { - Logger.warn("Metadata root-element MUST be signed."); - throw new FilterException("Metadata root-element MUST be signed.'"); + Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid"); + + } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { + Logger.error("Metadata verification for Entity:" + nameForLogging + + " has an interal error.", e); + throw new FilterException("Metadata verification has an interal error." + + " Message:" + e.getMessage()); } - + + } else { - Logger.warn("Metadata root-element is not of type 'EntityDescriptor'"); - throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'"); + Logger.warn("Metadata root-element MUST be signed."); + throw new FilterException("Metadata root-element MUST be signed.'"); } -- cgit v1.2.3