From 496ba9bb6e150ad67c5c628c1c97f30d6da81dfb Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Mon, 10 Aug 2015 16:35:14 +0200 Subject: approved changes --- .../eu/stork/peps/auth/engine/core/SAMLCore.java | 3 + .../stork/peps/auth/engine/core/STORKSAMLCore.java | 26 +++++- .../core/impl/AuthenticationAttributesImpl.java | 5 -- .../engine/core/impl/CitizenCountryCodeImpl.java | 5 -- .../engine/core/impl/EIDCrossBorderShareImpl.java | 7 +- .../engine/core/impl/EIDCrossSectorShareImpl.java | 7 +- .../auth/engine/core/impl/QAAAttributeImpl.java | 5 -- .../engine/core/impl/RequestedAttributeImpl.java | 5 -- .../auth/engine/core/impl/SPApplicationImpl.java | 5 -- .../peps/auth/engine/core/impl/SPCountryImpl.java | 5 -- .../stork/peps/auth/engine/core/impl/SPIDImpl.java | 5 -- .../auth/engine/core/impl/SPInformationImpl.java | 5 -- .../auth/engine/core/impl/SPInstitutionImpl.java | 5 -- .../stork/peps/auth/engine/core/impl/SignHW.java | 78 ++++++------------ .../stork/peps/auth/engine/core/impl/SignP12.java | 45 +++++----- .../stork/peps/auth/engine/core/impl/SignSW.java | 96 ++++++++++++---------- .../impl/VIDPAuthenticationAttributesImpl.java | 6 -- .../validator/QAAAttributeSchemaValidator.java | 8 +- 18 files changed, 137 insertions(+), 184 deletions(-) (limited to 'id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core') diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java index 922e7e61e..16b9afd18 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java @@ -55,6 +55,9 @@ public enum SAMLCore { /** The RESPONDE r_ tag. */ RESPONDER_TAG("responder"), + + /** The format r_tag. */ + FORMAT_TAG("format"), /** The STOR k10_ ns. */ STORK10_NS("urn:eu:stork:names:tc:STORK:1.0:assertion"), diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java index 13d2f0af4..2a548ca6f 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java @@ -73,7 +73,11 @@ public final class STORKSAMLCore { /** The responder. */ private String responder = null; - /** The SAML core properties. */ + private String format = null; + + /** + * The SAML core properties. + */ private Properties samlCoreProp = null; /** The time not on or after. */ @@ -188,6 +192,15 @@ public final class STORKSAMLCore { return responder; } + /** + * return the format string. + * + * @return + */ + public String getFormat() { + return this.format; + } + /** * Gets the time not on or after. * @@ -330,6 +343,8 @@ public final class STORKSAMLCore { requester = samlCoreProp.getProperty(SAMLCore.REQUESTER_TAG.getValue()); responder = samlCoreProp.getProperty(SAMLCore.RESPONDER_TAG.getValue()); + format = samlCoreProp.getProperty(SAMLCore.FORMAT_TAG.getValue(), "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"); + } catch (SAMLEngineException e) { LOGGER.error("SAMLCore: error loadConfiguration. ", e); throw new STORKSAMLEngineRuntimeException(e); @@ -491,6 +506,15 @@ public final class STORKSAMLCore { this.responder = newResponder; } + /** + * Sets the format string + * + * @param newFormat + */ + public void setFormat(final String newFormat) { + this.format = newFormat; + } + /** * Sets the time not on or after. * diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java index 907b9bf68..9f602aba1 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java @@ -102,9 +102,4 @@ public final class AuthenticationAttributesImpl extends AbstractSignableSAMLObje vIDPAuthenAttr = prepareForAssignment(this.vIDPAuthenAttr, newVIDPAuthenAttr); } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java index 003d56b46..aa4c725f1 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java @@ -77,9 +77,4 @@ public class CitizenCountryCodeImpl extends AbstractSAMLObject implements Citize return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java index b5d194c7f..13cc3d287 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java @@ -77,9 +77,4 @@ public class EIDCrossBorderShareImpl extends AbstractSAMLObject implements EIDCr return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } -} \ No newline at end of file +} diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java index f2762e327..2e3f6ab7e 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java @@ -78,9 +78,4 @@ public class EIDCrossSectorShareImpl extends AbstractSAMLObject implements EIDCr return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } -} \ No newline at end of file +} diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java index 423cf8b25..e74ce1fec 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java @@ -77,9 +77,4 @@ public class QAAAttributeImpl extends AbstractSAMLObject implements QAAAttribute return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java index e7ac7213b..2537d3794 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java @@ -213,9 +213,4 @@ public class RequestedAttributeImpl extends AbstractSAMLObject implements Reques this.unknownAttributes = newUnknownAttr; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java index 276697d6a..7f09d611f 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java @@ -77,9 +77,4 @@ public class SPApplicationImpl extends AbstractSAMLObject implements SPApplicati return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java index 404a90079..ea9085867 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java @@ -77,9 +77,4 @@ public class SPCountryImpl extends AbstractSAMLObject implements SPCountry { return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java index cea51a5a8..03dea20ed 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java @@ -77,9 +77,4 @@ public class SPIDImpl extends AbstractSAMLObject implements SPID { return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java index 4089f0862..41b3d8998 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java @@ -101,9 +101,4 @@ public final class SPInformationImpl extends AbstractSignableSAMLObject implemen this.spId = prepareForAssignment(this.spId, newSPId); } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java index 054481744..ed0a75f35 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java @@ -77,9 +77,4 @@ public class SPInstitutionImpl extends AbstractSAMLObject implements SPInstituti return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java index 6e23d7f24..1cd5fb761 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java @@ -72,6 +72,7 @@ import eu.stork.peps.exceptions.SAMLEngineException; * The Class HWSign. Module of sign. * * @author fjquevedo + * @author advania */ public final class SignHW implements SAMLEngineSignI { @@ -79,14 +80,19 @@ public final class SignHW implements SAMLEngineSignI { private static final String CONF_FILE = "configurationFile"; /** - * The Constant KEYSTORE_TYPE. private static final String KEYSTORE_TYPE = "keystoreType" + * The Constant KEYSTORE_TYPE. */ + private static final String KEYSTORE_TYPE = "keystoreType"; /** The logger. */ private static final Logger LOG = LoggerFactory.getLogger(SignHW.class.getName()); /** The stork own key store. */ private KeyStore storkOwnKeyStore = null; + /** + * The soft trust key store. + */ + private SignSW swTrustStore = null; /** * Gets the stork own key store. @@ -160,6 +166,12 @@ public final class SignHW implements SAMLEngineSignI { throw new SAMLEngineException(e); } finally { IOUtils.closeQuietly(inputStr); + /** + * Init the soft keystore to validate with. trustStoreConfig is read from the SignModule config file and should refer to the keystore containing trusted certificates. + */ + swTrustStore = new SignSW(); + swTrustStore.init(properties.getProperty("trustStoreConfig")); + swTrustStore.loadCryptServiceProvider(); } } @@ -204,7 +216,7 @@ public final class SignHW implements SAMLEngineSignI { X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); X509Principal issuerDNConf = new X509Principal(issuer); - if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) { + if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) { alias = aliasCert; find = true; } @@ -339,56 +351,14 @@ public final class SignHW implements SAMLEngineSignI { * exception in validate signature */ public SAMLObject validateSignature(final SignableSAMLObject tokenSaml) throws SAMLEngineException { - LOG.info("Start signature validation."); + LOG.info("Start signature validation HW."); + /* + * we are using the soft signature class to validate the signatures. This way we use the same key store code and validation that is used there. + */ try { - - // Validate structure signature - final SAMLSignatureProfileValidator signProfValidator = new SAMLSignatureProfileValidator(); - - // Indicates signature id conform to SAML Signature profile - signProfValidator.validate(tokenSaml.getSignature()); - - String aliasCert; - X509Certificate certificate; - - final List trustedCred = new ArrayList(); - - for (final Enumeration e = storkOwnKeyStore.aliases(); e.hasMoreElements();) { - aliasCert = e.nextElement(); - final BasicX509Credential credential = new BasicX509Credential(); - certificate = (X509Certificate) storkOwnKeyStore.getCertificate(aliasCert); - credential.setEntityCertificate(certificate); - trustedCred.add(credential); - } - - final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo(); - final List listCertificates = KeyInfoHelper.getCertificates(keyInfo); - - if (listCertificates.size() != 1) { - throw new SAMLEngineException("Only must be one certificate"); - } - - // Exist only one certificate - final BasicX509Credential entityX509Cred = new BasicX509Credential(); - entityX509Cred.setEntityCertificate(listCertificates.get(0)); - - final ExplicitKeyTrustEvaluator keyTrustEvaluator = new ExplicitKeyTrustEvaluator(); - if (!keyTrustEvaluator.validate(entityX509Cred, trustedCred)) { - throw new SAMLEngineException("Certificate it is not trusted."); - } - - final SignatureValidator sigValidator = new SignatureValidator(entityX509Cred); - - sigValidator.validate(tokenSaml.getSignature()); - - } catch (final ValidationException e) { - LOG.error("ValidationException.", e); - throw new SAMLEngineException(e); - } catch (final KeyStoreException e) { - LOG.error("ValidationException.", e); - throw new SAMLEngineException(e); - } catch (final CertificateException e) { - LOG.error("CertificateException.", e); + swTrustStore.validateSignature(tokenSaml); + } catch (Exception e) { + LOG.error("SW ValidationException.", e); throw new SAMLEngineException(e); } return tokenSaml; @@ -408,6 +378,12 @@ public final class SignHW implements SAMLEngineSignI { try { inputStream = SignHW.class.getResourceAsStream("/" + properties.getProperty(CONF_FILE)); + final Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(inputStream); + if (Security.getProperty(pkcs11Provider.getName()) == null) { + Security.insertProviderAt(pkcs11Provider, Security.getProviders().length); + } + + storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE), pkcs11Provider); } catch (final Exception e) { throw new SAMLEngineException("Error loading CryptographicServiceProvider", e); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java index c91f11444..d5f01a4cc 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java @@ -41,6 +41,7 @@ import eu.stork.peps.auth.engine.X509PrincipalUtil; import org.apache.commons.io.IOUtils; import org.apache.commons.lang.NotImplementedException; import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.opensaml.Configuration; import org.opensaml.common.SAMLObject; import org.opensaml.common.SignableSAMLObject; @@ -166,25 +167,25 @@ public final class SignP12 implements SAMLEngineSignI { properties = new Properties(); try { try { - LOG.debug("Fichero a cargar " + fileConf); + LOG.debug("Loading " + fileConf); fileProperties = new FileInputStream(fileConf); properties.loadFromXML(fileProperties); } catch (Exception e) { - LOG.error("Fallo al cargar el recurso externo. Se reintenta como fichero interno."); + LOG.error("Failed to load external resource. Retrieving internal file."); fileProperties = SignP12.class.getResourceAsStream("/" + fileConf); if (fileProperties == null) { fileProperties = Thread.currentThread().getContextClassLoader().getResourceAsStream(fileConf); if (fileProperties == null) { Enumeration files = ClassLoader.getSystemClassLoader().getResources(fileConf); if (files != null && files.hasMoreElements()) { - LOG.info("Se han encontrado recurso/s. Se toma el primero."); + LOG.info("Found /s."); fileProperties = ClassLoader.getSystemClassLoader().getResourceAsStream(files.nextElement().getFile()); } else { - throw new IOException("No se pudo recuperar el fichero: " + fileConf, e); + throw new IOException("Could not load file: " + fileConf, e); } } } - LOG.debug("Recuperados " + fileProperties.available() + " bytes"); + LOG.debug("Recovered " + fileProperties.available() + " bytes"); properties.loadFromXML(fileProperties); } } catch (InvalidPropertiesFormatException e) { @@ -243,7 +244,7 @@ public final class SignP12 implements SAMLEngineSignI { X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); X509Principal issuerDNConf = new X509Principal(issuer); - if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) { + if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) { alias = aliasCert; find = true; } @@ -455,23 +456,21 @@ public final class SignP12 implements SAMLEngineSignI { FileInputStream fisTrustStore = null; try { - // // Dynamically register Bouncy Castle provider. - // boolean found = false; - // // Check if BouncyCastle is already registered as a provider - // final Provider[] providers = Security.getProviders(); - // for (int i = 0; i < providers.length; i++) { - // if (providers[i].getName().equals( - // BouncyCastleProvider.PROVIDER_NAME)) { - // found = true; - // } - // } - // - // // Register only if the provider has not been previously registered - // if (!found) { - // LOG.debug("SAMLCore: Register Bouncy Castle provider."); - // Security.insertProviderAt(new BouncyCastleProvider(), Security - // .getProviders().length); - // } + // Dynamically register Bouncy Castle provider. + boolean found = false; + // Check if BouncyCastle is already registered as a provider + final Provider[] providers = Security.getProviders(); + for (int i = 0; i < providers.length; i++) { + if (providers[i].getName().equals(BouncyCastleProvider.PROVIDER_NAME)) { + found = true; + } + } + + // Register only if the provider has not been previously registered + if (!found) { + LOG.debug("SAMLCore: Register Bouncy Castle provider."); + Security.insertProviderAt(new BouncyCastleProvider(), Security.getProviders().length); + } p12Store = KeyStore.getInstance(properties.getProperty("keystoreType")); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java index e1ae2b8e2..1ca857e9e 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java @@ -12,17 +12,34 @@ * Licence for the specific language governing permissions and limitations under * the Licence. */ - package eu.stork.peps.auth.engine.core.impl; -import eu.stork.peps.auth.engine.X509PrincipalUtil; -import eu.stork.peps.auth.engine.core.CustomAttributeQuery; -import eu.stork.peps.auth.engine.core.SAMLEngineSignI; -import eu.stork.peps.exceptions.SAMLEngineException; +import java.io.ByteArrayInputStream; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.Security; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.InvalidPropertiesFormatException; +import java.util.List; +import java.util.Properties; + import org.apache.commons.io.IOUtils; import org.apache.commons.lang.NotImplementedException; import org.bouncycastle.jce.X509Principal; -//import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.opensaml.Configuration; import org.opensaml.common.SAMLObject; import org.opensaml.common.SignableSAMLObject; @@ -41,25 +58,22 @@ import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager; import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator; import org.opensaml.xml.security.trust.ExplicitX509CertificateTrustEvaluator; import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.signature.*; +import org.opensaml.xml.signature.KeyInfo; import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.signature.Signer; import org.opensaml.xml.util.Base64; import org.opensaml.xml.validation.ValidationException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.ByteArrayInputStream; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.security.*; -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateFactory; -import java.security.cert.CertificateNotYetValidException; -import java.security.cert.X509Certificate; -import java.util.*; +import eu.stork.peps.auth.engine.X509PrincipalUtil; +import eu.stork.peps.auth.engine.core.CustomAttributeQuery; +import eu.stork.peps.auth.engine.core.SAMLEngineSignI; +import eu.stork.peps.exceptions.SAMLEngineException; + /** * The Class SWSign. Class responsible for signing and validating of messages SAML with a certificate store software. @@ -215,16 +229,12 @@ public class SignSW implements SAMLEngineSignI { final String serialNum = certificate.getSerialNumber().toString(16); - try { - X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); - X509Principal issuerDNConf = new X509Principal(issuer); + X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); + X509Principal issuerDNConf = new X509Principal(issuer); - if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) { - alias = aliasCert; - find = true; - } - } catch (Exception ex) { - LOG.error("Exception during signing: " + ex.getMessage()); // Added as a workaround for Bouncycastle email error + if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) { + alias = aliasCert; + find = true; } } if (!find) { @@ -344,7 +354,7 @@ public class SignSW implements SAMLEngineSignI { * @see eu.stork.peps.auth.engine.core.SAMLEngineSignI#validateSignature(org.opensaml.common.SignableSAMLObject) */ public final SAMLObject validateSignature(final SignableSAMLObject tokenSaml) throws SAMLEngineException { - LOG.info("Start signature validation."); + LOG.info("Start signature validation SW."); try { // Validate structure signature @@ -440,23 +450,21 @@ public class SignSW implements SAMLEngineSignI { LOG.info("Load Cryptographic Service Provider"); FileInputStream fis = null; try { - // // Dynamically register Bouncy Castle provider. - // boolean found = false; - // // Check if BouncyCastle is already registered as a provider - // final Provider[] providers = Security.getProviders(); - // for (int i = 0; i < providers.length; i++) { - // if (providers[i].getName().equals( - // BouncyCastleProvider.PROVIDER_NAME)) { - // found = true; - // } - // } - // - // // Register only if the provider has not been previously registered - // if (!found) { - // LOG.info("SAMLCore: Register Bouncy Castle provider."); - // Security.insertProviderAt(new BouncyCastleProvider(), Security - // .getProviders().length); - // } + // Dynamically register Bouncy Castle provider. + boolean found = false; + // Check if BouncyCastle is already registered as a provider + final Provider[] providers = Security.getProviders(); + for (int i = 0; i < providers.length; i++) { + if (providers[i].getName().equals(BouncyCastleProvider.PROVIDER_NAME)) { + found = true; + } + } + + // Register only if the provider has not been previously registered + if (!found) { + LOG.info("SAMLCore: Register Bouncy Castle provider."); + Security.insertProviderAt(new BouncyCastleProvider(), Security.getProviders().length); + } storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE)); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java index d7d92ea74..bfb85e357 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java @@ -125,10 +125,4 @@ public final class VIDPAuthenticationAttributesImpl extends AbstractSignableSAML public void setSPInformation(SPInformation newSPInformation) { this.spInformation = prepareForAssignment(this.spInformation, newSPInformation); } - - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java index bf7626dc5..04ff153d3 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java @@ -54,8 +54,12 @@ public class QAAAttributeSchemaValidator implements Validator { if (DatatypeHelper.isEmpty(qaaAttribute.getQaaLevel())) { throw new ValidationException("QAALevel label must be specified."); } - - final int qaa = Integer.valueOf(qaaAttribute.getQaaLevel()); + int qaa = 0; + try { + qaa = Integer.valueOf(qaaAttribute.getQaaLevel()); + } catch (Exception e) { + throw new ValidationException("QAALevel is not a valid number!"); + } if (qaa < QAAAttribute.MIN_VALUE || qaa > QAAAttribute.MAX_VALUE) { throw new ValidationException("QAALevel label must be greater than 0."); -- cgit v1.2.3