From 320485ae06e93da206049f4c3706db4e4fec554b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Jan 2016 14:03:03 +0100 Subject: refactor PVP Metadata provider functionality --- .../engine/MOAeIDASMetadataSignatureFilter.java | 132 +++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java new file mode 100644 index 000000000..c9f3e5bcd --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java @@ -0,0 +1,132 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.io.IOException; +import java.io.StringWriter; + +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOAeIDASMetadataSignatureFilter implements MetadataFilter { + + private String trustProfileID = null; + + /** + * + */ + public MOAeIDASMetadataSignatureFilter(String trustProfileID) { + this.trustProfileID = trustProfileID; + + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject metadata) throws FilterException { + if (metadata instanceof EntityDescriptor) { + if (((EntityDescriptor) metadata).isSigned()) { + EntityDescriptor entityDes = (EntityDescriptor) metadata; + //check signature; + try { + Transformer transformer = TransformerFactory.newInstance() + .newTransformer(); + StringWriter sw = new StringWriter(); + StreamResult sr = new StreamResult(sw); + DOMSource source = new DOMSource(metadata.getDOM()); + transformer.transform(source, sr); + sw.close(); + String metadataXML = sw.toString(); + + SignatureVerificationUtils sigVerify = + new SignatureVerificationUtils(); + VerifyXMLSignatureResponse result = sigVerify.verify( + metadataXML.getBytes(), trustProfileID); + + //check signature-verification result + if (result.getSignatureCheckCode() != 0) { + Logger.warn("eIDAS Metadata signature-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getSignatureCheckCode()); + throw new FilterException("eIDAS Metadata signature-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getSignatureCheckCode()); + + } + + if (result.getCertificateCheckCode() != 0) { + Logger.warn("eIDAS Metadata certificate-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getCertificateCheckCode()); + throw new FilterException("eIDAS Metadata certificate-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getCertificateCheckCode()); + + } + + + } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { + Logger.error("eIDAS Metadata verification has an interal error.", e); + throw new FilterException("eIDAS Metadata verification has an interal error." + + " Message:" + e.getMessage()); + + } + + + } else { + Logger.warn("eIDAS Metadata root-element MUST be signed."); + throw new FilterException("eIDAS Metadata root-element MUST be signed.'"); + + } + + } else { + Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); + throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); + + } + + } + +} -- cgit v1.2.3 From 28884c5d5ee4685aaf88309b1b6b340b65ffbe86 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Jan 2016 14:04:58 +0100 Subject: update eIDAS http(s) endpoints --- .../moa/id/auth/modules/eidas/Constants.java | 18 ++++++++++++++---- .../id/auth/modules/eidas/eIDASSignalServlet.java | 15 ++------------- .../eidas/tasks/GenerateAuthnRequestTask.java | 4 ++++ .../modules/eidas/utils/EidasMetaDataServlet.java | 21 ++++++++++++++++----- 4 files changed, 36 insertions(+), 22 deletions(-) (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index 9f347b4ee..1c20a81bf 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -45,20 +45,30 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_PREFIX="moa.id.protocols.eIDAS"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE="samlengine"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX=CONIG_PROPS_EIDAS_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE; - public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file"; - + public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN="sign"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT="enc"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE_SIGN + ".config.file"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." - + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file"; + + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file"; + public static final String CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE = CONIG_PROPS_EIDAS_PREFIX + ".metadata.validation.truststore"; - public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation + //timeouts and clock skews + public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation + public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout + //eIDAS attribute names public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier"; public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth"; public static final String eIDAS_ATTR_CURRENTGIVENNAME = "CurrentGivenName"; public static final String eIDAS_ATTR_CURRENTFAMILYNAME = "CurrentFamilyName"; + + //http endpoint descriptions + public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/sp/post"; + public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/sp/redirect"; + public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post"; + public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect"; + public static final String eIDAS_HTTP_ENDPOINT_METADATA = "/eidas/metadata"; } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java index 556947572..49f0451cb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java @@ -22,30 +22,19 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas; -import java.io.ByteArrayInputStream; - import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServletRequest; -import javax.xml.xpath.XPath; -import javax.xml.xpath.XPathConstants; -import javax.xml.xpath.XPathExpression; -import javax.xml.xpath.XPathFactory; import org.apache.commons.lang.StringEscapeUtils; -import org.apache.commons.lang3.StringUtils; -import org.springframework.util.xml.SimpleNamespaceContext; -import org.w3c.dom.Document; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; /** * @author tlenz * */ -@WebServlet(urlPatterns = { "/eidas/post", "/eidas/redirect"}, loadOnStartup = 1) +@WebServlet(urlPatterns = { "/eidas/sp/post", "/eidas/sp/redirect"}, loadOnStartup = 1) public class eIDASSignalServlet extends ProcessEngineSignalServlet { private static final long serialVersionUID = 8215688005533754459L; @@ -53,7 +42,7 @@ public class eIDASSignalServlet extends ProcessEngineSignalServlet { public eIDASSignalServlet() { super(); Logger.debug("Registering servlet " + getClass().getName() + - " with mappings '/eidas/post' and '/eidas/redirect'."); + " with mappings '/eidas/sp/post' and '/eidas/sp/redirect'."); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 57588287d..963fe70c1 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -142,7 +142,11 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { EIDASAuthnRequest authnRequest = new EIDASAuthnRequest(); authnRequest.setProviderName(moaconfig.getPublicURLPrefix()); authnRequest.setPersonalAttributeList(pAttList); + authnRequest.setIssuer(moaconfig.getPublicURLPrefix() + "/eidas/metadata"); + //TODO: only for development and reverse proxy + authnRequest.setIssuer("http://localhost:12343/moa-id-auth/eidas/metadata"); + authnRequest.setDestination(destination); authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED); authnRequest.setEidasLoA(EidasLoaLevels.LOW.stringValue()); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java index c8df9ca97..cd30f2bec 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java @@ -29,7 +29,10 @@ import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import eu.eidas.auth.engine.EIDASSAMLEngine; import eu.eidas.auth.engine.metadata.MetadataConfigParams; import eu.eidas.auth.engine.metadata.MetadataGenerator; @@ -49,15 +52,23 @@ public class EidasMetaDataServlet extends HttpServlet { */ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - logger.info("EidasMetaDataServlet GET"); + logger.debug("EidasMetaDataServlet GET"); - String metadata_url = "http://localhost:12344/moa-id-auth/eidas/metadata"; - String sp_return_url = "http://localhost:12344/moa-id-auth/eidas/metadata"; + AuthConfiguration config = AuthConfigurationProviderFactory.getInstance(); + String pubURLPrefix = config.getPublicURLPrefix(); + + + String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA; + + //TODO: only for development and reverse proxy + metadata_url = "http://localhost:12343/moa-id-auth/eidas/metadata"; + + String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST; String metaData = generateMetadata(metadata_url, sp_return_url); - logger.debug(metaData); + logger.trace(metaData); - response.setContentType("text/html"); + response.setContentType("text/xml"); response.getWriter().print(metaData); response.flushBuffer(); } catch (Exception e) { -- cgit v1.2.3 From 0247b654a6278acff55999e8b6318a6db4354510 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Jan 2016 14:05:48 +0100 Subject: reimplement eIDAS metadata provider which use MOA-SP to verify metadata --- .../engine/MOAeIDASSimpleMetadataProvider.java | 184 ++++++++++++++++++--- 1 file changed, 165 insertions(+), 19 deletions(-) (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java index 2aec81db5..a8099f42e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java @@ -1,50 +1,196 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.engine; import java.security.KeyStore; +import java.util.Timer; +import javax.net.ssl.SSLHandshakeException; + +import org.apache.commons.httpclient.MOAHttpClient; +import org.apache.commons.httpclient.params.HttpClientParams; +import org.apache.commons.lang.StringUtils; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.xml.parse.BasicParserPool; +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.engine.EIDASSAMLEngine; -import eu.eidas.auth.engine.metadata.SimpleMetadataProcessor; +import eu.eidas.auth.engine.metadata.MetadataProcessorI; import eu.eidas.engine.exceptions.SAMLEngineException; -public class MOAeIDASSimpleMetadataProvider extends SimpleMetadataProcessor { +public class MOAeIDASSimpleMetadataProvider implements MetadataProcessorI { + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String) + */ @Override - public EntityDescriptor getEntityDescriptor(String url) { - EntityDescriptor entityDescriptor=getEntityDescriptorHelper(url); - - if(Logger.isDebugEnabled()){ - Logger.debug("got entityDescriptor: " + entityDescriptor); + public EntityDescriptor getEntityDescriptor(String url) + throws SAMLEngineException { + EntityDescriptor entityDescriptor=null; + try { + if (StringUtils.isNotEmpty(url)) { + HTTPMetadataProvider provider = createNewHTTPMetaDataProvider(url); + entityDescriptor = provider.getEntityDescriptor(url); + + } else { + throw new MetadataProviderException("the metadata url parameter is null or empty"); + + } + } catch (MetadataProviderException mpe) { + Logger.error("error getting a metadataprovider {}", mpe); + } return entityDescriptor; + } + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String) + */ @Override - public SPSSODescriptor getSPSSODescriptor(String url) throws SAMLEngineException { + public SPSSODescriptor getSPSSODescriptor(String url) + throws SAMLEngineException { return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class); } + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String) + */ @Override - public IDPSSODescriptor getIDPSSODescriptor(String url) throws SAMLEngineException { + public IDPSSODescriptor getIDPSSODescriptor(String url) + throws SAMLEngineException { return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class); } - @Override - public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) throws SAMLEngineException { - //TODO: implement Metadata signature validation - Logger.warn("MetadataProcessor in demo SP does not actually check the signature of metadata"); - - } - @Override - public void checkValidMetadataSignature(String url, KeyStore store) throws SAMLEngineException { - //not implemented - + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine) + */ + @Override + public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) + throws SAMLEngineException { + //Do nothing, because metadata signature is already validated during + //metadata provider initialization + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore) + */ + @Override + public void checkValidMetadataSignature(String url, KeyStore trustStore) + throws SAMLEngineException { + //Do nothing, because metadata signature is already validated during + //metadata provider initialization + + } + + protected T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class clazz){ + for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){ + if(clazz.isInstance(rd)){ + return (T)rd; + } + } + return null; } + + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) { + HTTPMetadataProvider httpProvider = null; + Timer timer= null; + MOAHttpClient httpClient = null; + try { + AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance(); + + httpClient = new MOAHttpClient(); + + HttpClientParams httpClientParams = new HttpClientParams(); + httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); + httpClient.setParams(httpClientParams); + + if (metadataURL.startsWith("https:")) { + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + authConfig.getCertstoreDirectory(), + authConfig.getTrustedCACertificates(), + null, + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + authConfig.isTrustmanagerrevoationchecking()); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + + timer = new Timer(); + httpProvider = new HTTPMetadataProvider(timer, httpClient, + metadataURL); + httpProvider.setParserPool(new BasicParserPool()); + httpProvider.setRequireValidMetadata(true); + httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes + httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours + //httpProvider.setRefreshDelayFactor(0.1F); + + //add Metadata filters + MetadataFilterChain filter = new MetadataFilterChain(); + filter.addFilter(new MOAeIDASMetadataSignatureFilter( + authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE))); + httpProvider.setMetadataFilter(filter); + + httpProvider.initialize(); + + + return httpProvider; + + } catch (Throwable e) { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + Logger.warn("SSL-Server certificate for metadata " + + metadataURL + " not trusted.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + Logger.warn("Signature verification for metadata" + + metadataURL + " FAILED.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + Logger.warn("Schema validation for metadata " + + metadataURL + " FAILED.", e); + } + + Logger.error( + "Failed to add Metadata file for " + + metadataURL + "[ " + + e.getMessage() + " ]", e); + + if (httpProvider != null) { + Logger.debug("Destroy failed Metadata provider"); + httpProvider.destroy(); + } + + if (timer != null) { + Logger.debug("Destroy Timer."); + timer.cancel(); + } + + + } + + return null; + } } -- cgit v1.2.3 From 587d9f326ce905f9b60fda37af747df5dfcb33ec Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Jan 2016 16:54:50 +0100 Subject: change MOA eIDAS metadata provider to a cached version as chaining metadata provider --- .../engine/MOAeIDASChainingMetadataProvider.java | 290 +++++++++++++++++++++ .../engine/MOAeIDASMetadataProviderDecorator.java | 120 +++++++++ .../engine/MOAeIDASSimpleMetadataProvider.java | 196 -------------- .../auth/modules/eidas/utils/SAMLEngineUtils.java | 8 +- 4 files changed, 415 insertions(+), 199 deletions(-) create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java delete mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java new file mode 100644 index 000000000..4d6cd62fa --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -0,0 +1,290 @@ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Timer; + +import javax.net.ssl.SSLHandshakeException; +import javax.xml.namespace.QName; + +import org.apache.commons.httpclient.MOAHttpClient; +import org.apache.commons.httpclient.params.HttpClientParams; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider; +import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import eu.eidas.auth.engine.AbstractSAMLEngine; + +public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider { + + private static MOAeIDASChainingMetadataProvider instance = null; + private static Object mutex = new Object(); + + private MetadataProvider internalProvider; + + + public static MOAeIDASChainingMetadataProvider getInstance() { + if (instance == null) { + synchronized (mutex) { + if (instance == null) { + instance = new MOAeIDASChainingMetadataProvider(); + } + } + } + return instance; + } + + + private MOAeIDASChainingMetadataProvider() { + internalProvider = new ChainingMetadataProvider(); + + } + + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) { + HTTPMetadataProvider httpProvider = null; + Timer timer= null; + MOAHttpClient httpClient = null; + try { + AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance(); + + httpClient = new MOAHttpClient(); + + HttpClientParams httpClientParams = new HttpClientParams(); + httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); + httpClient.setParams(httpClientParams); + + if (metadataURL.startsWith("https:")) { + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + authConfig.getCertstoreDirectory(), + authConfig.getTrustedCACertificates(), + null, + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + authConfig.isTrustmanagerrevoationchecking()); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + + timer = new Timer(); + httpProvider = new HTTPMetadataProvider(timer, httpClient, + metadataURL); + httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool()); + httpProvider.setRequireValidMetadata(true); + httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes + httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours + //httpProvider.setRefreshDelayFactor(0.1F); + + //add Metadata filters + MetadataFilterChain filter = new MetadataFilterChain(); + filter.addFilter(new MOAeIDASMetadataSignatureFilter( + authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE))); + httpProvider.setMetadataFilter(filter); + + httpProvider.initialize(); + + return httpProvider; + + } catch (Throwable e) { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + Logger.warn("SSL-Server certificate for metadata " + + metadataURL + " not trusted.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + Logger.warn("Signature verification for metadata" + + metadataURL + " FAILED.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + Logger.warn("Schema validation for metadata " + + metadataURL + " FAILED.", e); + } + + Logger.error( + "Failed to add Metadata file for " + + metadataURL + "[ " + + e.getMessage() + " ]", e); + + if (httpProvider != null) { + Logger.debug("Destroy failed Metadata provider"); + httpProvider.destroy(); + } + + if (timer != null) { + Logger.debug("Destroy Timer."); + timer.cancel(); + } + + + } + + return null; + } + + private Map getAllActuallyLoadedProviders() { + Map loadedproviders = new HashMap(); + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + + //make a Map of all actually loaded HTTPMetadataProvider + List providers = chainProvider.getProviders(); + for (MetadataProvider provider : providers) { + if (provider instanceof HTTPMetadataProvider) { + HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider; + loadedproviders.put(httpprovider.getMetadataURI(), httpprovider); + + } + } + + return loadedproviders; + } + + public boolean refreshMetadataProvider(String metadataURL) { + try { + if (MiscUtil.isNotEmpty(metadataURL)) { + Map actuallyLoadedProviders = getAllActuallyLoadedProviders(); + + // check if MetadataProvider is actually loaded + if (actuallyLoadedProviders.containsKey(metadataURL)) { + actuallyLoadedProviders.get(metadataURL).refresh(); + Logger.info("eIDAS metadata for " + + metadataURL + " is refreshed."); + return true; + + } else { + //load new Metadata Provider + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL); + chainProvider.addMetadataProvider(newMetadataProvider); + + emitChangeEvent(); + Logger.info("eIDAS metadata for " + + metadataURL + " is added."); + return true; + + } + + } else + Logger.debug("Can not refresh eIDAS metadata: NO eIDAS metadata URL."); + + } catch (MetadataProviderException e) { + Logger.warn("Refresh eIDAS metadata for " + + metadataURL + " FAILED.", e); + + } + + return false; + + } + + + public boolean requireValidMetadata() { + return internalProvider.requireValidMetadata(); + } + + public void setRequireValidMetadata(boolean requireValidMetadata) { + internalProvider.setRequireValidMetadata(requireValidMetadata); + } + + public MetadataFilter getMetadataFilter() { + return internalProvider.getMetadataFilter(); + } + + public void setMetadataFilter(MetadataFilter newFilter) + throws MetadataProviderException { + internalProvider.setMetadataFilter(newFilter); + } + + public XMLObject getMetadata() throws MetadataProviderException { + return internalProvider.getMetadata(); + } + + public EntitiesDescriptor getEntitiesDescriptor(String entitiesID) + throws MetadataProviderException { + Logger.warn("eIDAS metadata not support 'EntitiesDescriptor' elements!"); + return null; + + } + + public EntityDescriptor getEntityDescriptor(String entityID) + throws MetadataProviderException { + EntityDescriptor entityDesc = null; + try { + entityDesc = internalProvider.getEntityDescriptor(entityID); + if (entityDesc == null) { + Logger.debug("Can not find eIDAS metadata for entityID: " + entityID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } else { + if (!entityDesc.isValid()) + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } + + + } catch (MetadataProviderException e) { + Logger.debug("Can not find eIDAS metadata for entityID: " + entityID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } + + return entityDesc; + } + + public List getRole(String entityID, QName roleName) + throws MetadataProviderException { + return internalProvider.getRole(entityID, roleName); + } + + public RoleDescriptor getRole(String entityID, QName roleName, + String supportedProtocol) throws MetadataProviderException { + return internalProvider.getRole(entityID, roleName, supportedProtocol); + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers() + */ + @Override + public List getObservers() { + return ((ChainingMetadataProvider) internalProvider).getObservers(); + } + + protected void emitChangeEvent() { + if ((getObservers() == null) || (getObservers().size() == 0)) { + return; + } + + List tempObserverList = new ArrayList(getObservers()); + for (ObservableMetadataProvider.Observer observer : tempObserverList) + if (observer != null) + observer.onEvent(this); + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java new file mode 100644 index 000000000..e3ae5c046 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java @@ -0,0 +1,120 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.security.KeyStore; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; + +import eu.eidas.auth.engine.EIDASSAMLEngine; +import eu.eidas.auth.engine.metadata.MetadataProcessorI; +import eu.eidas.engine.exceptions.SAMLEngineException; + +/** + * @author tlenz + * + */ +public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI { + + private MetadataProvider metadataprovider = null; + + /** + * + */ + public MOAeIDASMetadataProviderDecorator(MetadataProvider metadataprovider) { + this.metadataprovider = metadataprovider; + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String) + */ + @Override + public EntityDescriptor getEntityDescriptor(String url) + throws SAMLEngineException { + try { + return this.metadataprovider.getEntityDescriptor(url); + + } catch (MetadataProviderException e) { + throw new SAMLEngineException("eIDAS Metadata processing FAILED.", e); + + } + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String) + */ + @Override + public SPSSODescriptor getSPSSODescriptor(String url) + throws SAMLEngineException { + return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class); + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String) + */ + @Override + public IDPSSODescriptor getIDPSSODescriptor(String url) + throws SAMLEngineException { + return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class); + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine) + */ + @Override + public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) + throws SAMLEngineException { + //Do nothing, because metadata signature is already validated during + //metadata provider initialization + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore) + */ + @Override + public void checkValidMetadataSignature(String url, KeyStore trustStore) + throws SAMLEngineException { + //Do nothing, because metadata signature is already validated during + //metadata provider initialization + + } + + protected T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class clazz){ + for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){ + if(clazz.isInstance(rd)){ + return (T)rd; + } + } + return null; + } + +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java deleted file mode 100644 index a8099f42e..000000000 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java +++ /dev/null @@ -1,196 +0,0 @@ -package at.gv.egovernment.moa.id.auth.modules.eidas.engine; - -import java.security.KeyStore; -import java.util.Timer; - -import javax.net.ssl.SSLHandshakeException; - -import org.apache.commons.httpclient.MOAHttpClient; -import org.apache.commons.httpclient.params.HttpClientParams; -import org.apache.commons.lang.StringUtils; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.xml.parse.BasicParserPool; - -import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; -import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; -import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; -import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; -import at.gv.egovernment.moa.logging.Logger; -import eu.eidas.auth.engine.EIDASSAMLEngine; -import eu.eidas.auth.engine.metadata.MetadataProcessorI; -import eu.eidas.engine.exceptions.SAMLEngineException; - -public class MOAeIDASSimpleMetadataProvider implements MetadataProcessorI { - - /* (non-Javadoc) - * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String) - */ - @Override - public EntityDescriptor getEntityDescriptor(String url) - throws SAMLEngineException { - EntityDescriptor entityDescriptor=null; - try { - if (StringUtils.isNotEmpty(url)) { - HTTPMetadataProvider provider = createNewHTTPMetaDataProvider(url); - entityDescriptor = provider.getEntityDescriptor(url); - - } else { - throw new MetadataProviderException("the metadata url parameter is null or empty"); - - } - } catch (MetadataProviderException mpe) { - Logger.error("error getting a metadataprovider {}", mpe); - - } - return entityDescriptor; - - } - - /* (non-Javadoc) - * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String) - */ - @Override - public SPSSODescriptor getSPSSODescriptor(String url) - throws SAMLEngineException { - return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class); - - } - - /* (non-Javadoc) - * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String) - */ - @Override - public IDPSSODescriptor getIDPSSODescriptor(String url) - throws SAMLEngineException { - return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class); - - } - - /* (non-Javadoc) - * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine) - */ - @Override - public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) - throws SAMLEngineException { - //Do nothing, because metadata signature is already validated during - //metadata provider initialization - - } - - /* (non-Javadoc) - * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore) - */ - @Override - public void checkValidMetadataSignature(String url, KeyStore trustStore) - throws SAMLEngineException { - //Do nothing, because metadata signature is already validated during - //metadata provider initialization - - } - - protected T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class clazz){ - for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){ - if(clazz.isInstance(rd)){ - return (T)rd; - } - } - return null; - } - - private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) { - HTTPMetadataProvider httpProvider = null; - Timer timer= null; - MOAHttpClient httpClient = null; - try { - AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance(); - - httpClient = new MOAHttpClient(); - - HttpClientParams httpClientParams = new HttpClientParams(); - httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); - httpClient.setParams(httpClientParams); - - if (metadataURL.startsWith("https:")) { - try { - MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, - authConfig.getCertstoreDirectory(), - authConfig.getTrustedCACertificates(), - null, - AuthConfiguration.DEFAULT_X509_CHAININGMODE, - authConfig.isTrustmanagerrevoationchecking()); - - httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); - - } catch (MOAHttpProtocolSocketFactoryException e) { - Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); - - } - } - - timer = new Timer(); - httpProvider = new HTTPMetadataProvider(timer, httpClient, - metadataURL); - httpProvider.setParserPool(new BasicParserPool()); - httpProvider.setRequireValidMetadata(true); - httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes - httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours - //httpProvider.setRefreshDelayFactor(0.1F); - - //add Metadata filters - MetadataFilterChain filter = new MetadataFilterChain(); - filter.addFilter(new MOAeIDASMetadataSignatureFilter( - authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE))); - httpProvider.setMetadataFilter(filter); - - httpProvider.initialize(); - - - return httpProvider; - - } catch (Throwable e) { - if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { - Logger.warn("SSL-Server certificate for metadata " - + metadataURL + " not trusted.", e); - - } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { - Logger.warn("Signature verification for metadata" - + metadataURL + " FAILED.", e); - - } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { - Logger.warn("Schema validation for metadata " - + metadataURL + " FAILED.", e); - } - - Logger.error( - "Failed to add Metadata file for " - + metadataURL + "[ " - + e.getMessage() + " ]", e); - - if (httpProvider != null) { - Logger.debug("Destroy failed Metadata provider"); - httpProvider.destroy(); - } - - if (timer != null) { - Logger.debug("Destroy Timer."); - timer.cancel(); - } - - - } - - return null; - } - -} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index 2c2435ff6..548d05da6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -24,7 +24,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.utils; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl; -import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASSimpleMetadataProvider; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.engine.EIDASSAMLEngine; @@ -48,8 +49,9 @@ public class SAMLEngineUtils { configManager); //set Metadata managment to eIDAS SAMLengine - //TODO: implement final Metadata processor (this is only a first solution!!!) - engine.setMetadataProcessor(new MOAeIDASSimpleMetadataProvider()); + engine.setMetadataProcessor( + new MOAeIDASMetadataProviderDecorator( + MOAeIDASChainingMetadataProvider.getInstance())); return engine; -- cgit v1.2.3 From bf0f1eaee2e5b79427ec979d9c68b6c321de20a2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 14 Jan 2016 21:07:15 +0100 Subject: change eIDAS SAML-engine to singelton --- .../auth/modules/eidas/utils/SAMLEngineUtils.java | 47 ++++++++++++---------- 1 file changed, 26 insertions(+), 21 deletions(-) (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index 548d05da6..8e46f0ef1 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -38,29 +38,34 @@ import eu.eidas.samlengineconfig.CertificateConfigurationManager; */ public class SAMLEngineUtils { - public static EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{ + private static EIDASSAMLEngine eIDASEngine = null; + + public static synchronized EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{ - try { - //get eIDAS SAMLengine configuration from MOA-ID configuration - CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl(); - - //initial eIDAS SAMLengine - EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME, - configManager); - - //set Metadata managment to eIDAS SAMLengine - engine.setMetadataProcessor( - new MOAeIDASMetadataProviderDecorator( - MOAeIDASChainingMetadataProvider.getInstance())); - - return engine; - - } catch (EIDASSAMLEngineException e) { - Logger.error("eIDAS SAMLengine initialization FAILED!", e); - throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e); - + if (eIDASEngine == null) { + try { + //get eIDAS SAMLengine configuration from MOA-ID configuration + CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl(); + + //initial eIDAS SAMLengine + EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME, + configManager); + + //set Metadata managment to eIDAS SAMLengine + engine.setMetadataProcessor( + new MOAeIDASMetadataProviderDecorator( + MOAeIDASChainingMetadataProvider.getInstance())); + + eIDASEngine = engine; + + } catch (EIDASSAMLEngineException e) { + Logger.error("eIDAS SAMLengine initialization FAILED!", e); + throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e); + + } } - + + return eIDASEngine; } } -- cgit v1.2.3 From 58e0da935069fb68e456830414ccead10a36f4b0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 14 Jan 2016 21:08:03 +0100 Subject: remove IAIK security-provider fix in eIDAS metadata generation --- .../moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java index cd30f2bec..130eb1026 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java @@ -80,13 +80,13 @@ public class EidasMetaDataServlet extends HttpServlet { String metadata="invalid metadata"; // FIXME workaround!? - Security.removeProvider("IAIK"); - Security.removeProvider("IAIK_ECC"); +// Security.removeProvider("IAIK"); +// Security.removeProvider("IAIK_ECC"); EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); - IAIK.addAsProvider(); - ECCProvider.addAsProvider(true); +// IAIK.addAsProvider(); +// ECCProvider.addAsProvider(true); MetadataGenerator generator = new MetadataGenerator(); MetadataConfigParams mcp=new MetadataConfigParams(); -- cgit v1.2.3 From 2d8bef6716671c96575f4ab3e0ca97f094705c15 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 15 Jan 2016 08:24:18 +0100 Subject: fix problem with certificate validation --- .../java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java | 2 +- .../id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index 1c20a81bf..1d4556459 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -28,8 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas; */ public class Constants { - //public static final String eIDAS_SAML_ENGINE_NAME = "MOA_eIDASEninge"; public static final String eIDAS_SAML_ENGINE_NAME = "default"; + public static final String SSLSOCKETFACTORYNAME = "eIDASMetadataSSLSocketFactory"; //default keys for eIDAS SAML-engine configuration public static final String eIDAS_SAML_ENGINE_NAME_ID_BASICCONFIG = "SamlEngineConf"; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 4d6cd62fa..f1b14015b 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -76,7 +76,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi if (metadataURL.startsWith("https:")) { try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, + Constants.SSLSOCKETFACTORYNAME, authConfig.getCertstoreDirectory(), authConfig.getTrustedCACertificates(), null, -- cgit v1.2.3