From 496ba9bb6e150ad67c5c628c1c97f30d6da81dfb Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Mon, 10 Aug 2015 16:35:14 +0200 Subject: approved changes --- .../java/eu/stork/peps/auth/engine/SAMLEngine.java | 9 +- .../eu/stork/peps/auth/engine/STORKSAMLEngine.java | 99 +++++++++++++--------- .../stork/peps/auth/engine/X509PrincipalUtil.java | 2 +- .../eu/stork/peps/auth/engine/core/SAMLCore.java | 3 + .../stork/peps/auth/engine/core/STORKSAMLCore.java | 26 +++++- .../core/impl/AuthenticationAttributesImpl.java | 5 -- .../engine/core/impl/CitizenCountryCodeImpl.java | 5 -- .../engine/core/impl/EIDCrossBorderShareImpl.java | 7 +- .../engine/core/impl/EIDCrossSectorShareImpl.java | 7 +- .../auth/engine/core/impl/QAAAttributeImpl.java | 5 -- .../engine/core/impl/RequestedAttributeImpl.java | 5 -- .../auth/engine/core/impl/SPApplicationImpl.java | 5 -- .../peps/auth/engine/core/impl/SPCountryImpl.java | 5 -- .../stork/peps/auth/engine/core/impl/SPIDImpl.java | 5 -- .../auth/engine/core/impl/SPInformationImpl.java | 5 -- .../auth/engine/core/impl/SPInstitutionImpl.java | 5 -- .../stork/peps/auth/engine/core/impl/SignHW.java | 78 ++++++----------- .../stork/peps/auth/engine/core/impl/SignP12.java | 45 +++++----- .../stork/peps/auth/engine/core/impl/SignSW.java | 96 +++++++++++---------- .../impl/VIDPAuthenticationAttributesImpl.java | 6 -- .../validator/QAAAttributeSchemaValidator.java | 8 +- .../peps/configuration/ConfigurationCreator.java | 18 ++-- 22 files changed, 214 insertions(+), 235 deletions(-) (limited to 'id/server/stork2-saml-engine/src/main/java/eu') diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java index f4d084a79..1dcaf4c95 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java @@ -97,7 +97,14 @@ public class SAMLEngine { /** The Constant SAML_ENGINE_FILE_CONF. */ private static final String SAML_ENGINE_FILE_CONF = "fileConfiguration"; - /** The codification of characters. */ + /** + * Additional trust store for HW signing + */ + private static final String HW_TRUST_STORE_CONF = "softTrustStoreConfig"; + + /** + * The codification of characters. + */ private static final String CHARACTER_ENCODING = "UTF-8"; /** The SAML core. */ diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/STORKSAMLEngine.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/STORKSAMLEngine.java index 6a7e1f7c0..7bf5d5ca8 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/STORKSAMLEngine.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/STORKSAMLEngine.java @@ -202,8 +202,7 @@ public final class STORKSAMLEngine extends SAMLEngine { try { engine = new STORKSAMLEngine(nameInstance.trim()); } catch (Exception e) { - LOG.error("Error getting instance: " + nameInstance); - e.printStackTrace(); + LOG.error("Error get instance: " + nameInstance); } return engine; } @@ -389,15 +388,9 @@ public final class STORKSAMLEngine extends SAMLEngine { final Subject subject = SAMLEngineUtils.generateSubject(); - // Mandatory STORK verified - // String format = NameID.UNSPECIFIED - // specification: 'SAML:2.0' exist - // opensaml: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" - // opensaml "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" - final String format = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"; + final String format = super.getSamlCoreProperties().getFormat(); final String nameQualifier = ""; - LOG.debug("Generate NameID"); final NameID nameId = SAMLEngineUtils.generateNameID(super.getSamlCoreProperties().getResponder(), format, nameQualifier); nameId.setValue(format); @@ -1102,7 +1095,6 @@ public final class STORKSAMLEngine extends SAMLEngine { // Validate Parameters mandatories validateParamAttrQueryReq(request); - // final AttributeQuery attrQueryRequestAux = SAMLEngineUtils final CustomAttributeQuery attrQueryRequestAux = SAMLEngineUtils.generateSAMLAttrQueryRequest(SAMLEngineUtils.generateNCName(), SAMLVersion.VERSION_20, SAMLEngineUtils.getCurrentTime()); // Set name spaces. @@ -1930,6 +1922,8 @@ public final class STORKSAMLEngine extends SAMLEngine { citizenCountryCode = (CitizenCountryCode) SAMLEngineUtils.createSamlObject(CitizenCountryCode.DEF_ELEMENT_NAME); citizenCountryCode.setCitizenCountryCode(request.getCitizenCountryCode().toUpperCase()); + + extensions.getUnknownXMLObjects().add(citizenCountryCode); } SPID spid = null; @@ -1938,6 +1932,8 @@ public final class STORKSAMLEngine extends SAMLEngine { spid = (SPID) SAMLEngineUtils.createSamlObject(SPID.DEF_ELEMENT_NAME); spid.setSPID(request.getSPID().toUpperCase()); + + extensions.getUnknownXMLObjects().add(spid); } return extensions; @@ -2493,11 +2489,6 @@ public final class STORKSAMLEngine extends SAMLEngine { throw new STORKSAMLEngineException("StorkSamlEngine: Assertion Consumer Service URL it's mandatory."); } - // Destination of the request - not mandatory - /* - * if (StringUtils.isBlank(request.getDestination())) { throw new STORKSAMLEngineException( "StorkSamlEngine: Destination is mandatory."); } - */ - // SP country is empty if (StringUtils.isBlank(request.getSpCountry())) { throw new STORKSAMLEngineException("StorkSamlEngine: SP country is mandatory."); @@ -2525,12 +2516,7 @@ public final class STORKSAMLEngine extends SAMLEngine { */ private void validateParamLogoutReq(final STORKLogoutRequest request) throws STORKSAMLEngineException { LOG.info("Validate parameters from logout request."); - // URL to which AP Response must be sent. - /* - * if (StringUtils.isBlank(request.get())) { throw new STORKSAMLEngineException( "StorkSamlEngine: Assertion Consumer Service URL it's mandatory."); } - */ - // Destination of the request if (StringUtils.isBlank(request.getDestination())) { throw new STORKSAMLEngineException("StorkSamlEngine: Destination is mandatory."); @@ -2591,9 +2577,9 @@ public final class STORKSAMLEngine extends SAMLEngine { throw new STORKSAMLEngineException("Issuer must be not empty or null."); } - if (responseAuthReq.getPersonalAttributeList() == null || responseAuthReq.getPersonalAttributeList().isEmpty()) { - LOG.error("PersonalAttributeList is null or empty."); - throw new STORKSAMLEngineException("PersonalAttributeList is null or empty."); + if (responseAuthReq.getPersonalAttributeList() == null) { + LOG.error("PersonalAttributeList is null."); + throw new STORKSAMLEngineException("PersonalAttributeList is null."); } if (StringUtils.isBlank(request.getAssertionConsumerServiceURL())) { @@ -2627,10 +2613,6 @@ public final class STORKSAMLEngine extends SAMLEngine { throw new STORKSAMLEngineException("PersonalAttributeList is null or empty."); } - /* - * if (StringUtils.isBlank(request.getAssertionConsumerServiceURL())) { throw new STORKSAMLEngineException( "assertionConsumerServiceURL is null or empty."); } - */ - if (StringUtils.isBlank(request.getSamlId())) { throw new STORKSAMLEngineException("request ID is null or empty."); } @@ -2840,7 +2822,6 @@ public final class STORKSAMLEngine extends SAMLEngine { attrRequest.setDestination(samlRequest.getDestination()); attrRequest.setAssertionConsumerServiceURL(samlRequest.getAssertionConsumerServiceURL()); - /* authnRequest.setProviderName(samlRequest.getProviderName()); */ attrRequest.setIssuer(samlRequest.getIssuer().getValue()); // Delete unknown elements from requested ones @@ -2881,13 +2862,15 @@ public final class STORKSAMLEngine extends SAMLEngine { final LogoutRequest samlRequest = (LogoutRequest) validateStorkSaml(tokenSaml); - LOG.debug("Validate Extensions."); - final Validator validatorExt = new ExtensionsSchemaValidator(); - try { - validatorExt.validate(samlRequest.getExtensions()); - } catch (ValidationException e) { - LOG.error("ValidationException: validate Extensions.", e); - throw new STORKSAMLEngineException(e); + if (samlRequest.getExtensions() != null) { + LOG.debug("Validate Extensions."); + final Validator validatorExt = new ExtensionsSchemaValidator(); + try { + validatorExt.validate(samlRequest.getExtensions()); + } catch (ValidationException e) { + LOG.error("ValidationException: validate Extensions.", e); + throw new STORKSAMLEngineException(e); + } } LOG.debug("Generate STORKLogoutRequest."); @@ -2908,6 +2891,43 @@ public final class STORKSAMLEngine extends SAMLEngine { } + /** + * Validate stork logout response. + * + * @param tokenSaml + * The SAML token + * + * @return the STORK logout response + * + * @throws STORKSAMLEngineException + * the STORKSAML engine exception + */ + public STORKLogoutResponse validateSTORKLogoutResponse(final byte[] tokenSaml) throws STORKSAMLEngineException { + + LOG.info("validate STORK Logout Response"); + + final LogoutResponse samlRes = (LogoutResponse) validateStorkSaml(tokenSaml); + + LOG.debug("Generate STORKLogoutResponse."); + final STORKLogoutResponse logoutRes = new STORKLogoutResponse(); + + try { + logoutRes.setTokenSaml(super.signAndMarshall(samlRes)); + } catch (SAMLEngineException e) { + LOG.error("Sign and Marshall.", e); + throw new STORKSAMLEngineException(e); + } + + logoutRes.setAlias(this.getAlias(samlRes.getSignature().getKeyInfo(), super.getSigner().getTrustStore())); + logoutRes.setSamlId(samlRes.getID()); + logoutRes.setDestination(samlRes.getDestination()); + logoutRes.setIssuer(samlRes.getIssuer().getValue()); + logoutRes.setStatusCode(samlRes.getStatus().getStatusCode().getValue().toString()); + logoutRes.setStatusMessage(samlRes.getStatus().getStatusMessage().getMessage().toString()); + logoutRes.setInResponseTo(samlRes.getInResponseTo()); + return logoutRes; + } + /** * Validate stork authentication response. * @@ -3060,16 +3080,15 @@ public final class STORKSAMLEngine extends SAMLEngine { authnResponse.setAssertions(samlResponse.getAssertions()); if (samlResponse.getAssertions().size() > 1) { PersonalAttributeList total = new PersonalAttributeList(); - List attrList = new ArrayList(); + List attrList = new ArrayList(); for (int i = 0; i < samlResponse.getAssertions().size(); i++) { Assertion tempAssertion = (Assertion) samlResponse.getAssertions().get(i); IPersonalAttributeList temp = generatePersonalAttributeList(tempAssertion); if (temp != null) { attrList.add(temp); - for (PersonalAttribute attribute : temp) { - PersonalAttribute attr = (PersonalAttribute) attribute.clone(); - attr.setName(attr.getName() + tempAssertion.getID()); - total.add(attr); + for (PersonalAttribute attribute : (IPersonalAttributeList) temp.clone()) { + attribute.setName(attribute.getName() + tempAssertion.getID()); + total.add(attribute); } } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/X509PrincipalUtil.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/X509PrincipalUtil.java index 175084048..73d7e4f62 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/X509PrincipalUtil.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/X509PrincipalUtil.java @@ -25,7 +25,7 @@ public final class X509PrincipalUtil { * @param principal2 * @return true if arguments are not null and equals */ - public static boolean equals(X509Principal principal1, X509Principal principal2) { + public static boolean X509equals(X509Principal principal1, X509Principal principal2) { boolean continueProcess = true; if (principal1 == null || principal2 == null) { return false; diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java index 922e7e61e..16b9afd18 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/SAMLCore.java @@ -55,6 +55,9 @@ public enum SAMLCore { /** The RESPONDE r_ tag. */ RESPONDER_TAG("responder"), + + /** The format r_tag. */ + FORMAT_TAG("format"), /** The STOR k10_ ns. */ STORK10_NS("urn:eu:stork:names:tc:STORK:1.0:assertion"), diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java index 13d2f0af4..2a548ca6f 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/STORKSAMLCore.java @@ -73,7 +73,11 @@ public final class STORKSAMLCore { /** The responder. */ private String responder = null; - /** The SAML core properties. */ + private String format = null; + + /** + * The SAML core properties. + */ private Properties samlCoreProp = null; /** The time not on or after. */ @@ -188,6 +192,15 @@ public final class STORKSAMLCore { return responder; } + /** + * return the format string. + * + * @return + */ + public String getFormat() { + return this.format; + } + /** * Gets the time not on or after. * @@ -330,6 +343,8 @@ public final class STORKSAMLCore { requester = samlCoreProp.getProperty(SAMLCore.REQUESTER_TAG.getValue()); responder = samlCoreProp.getProperty(SAMLCore.RESPONDER_TAG.getValue()); + format = samlCoreProp.getProperty(SAMLCore.FORMAT_TAG.getValue(), "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"); + } catch (SAMLEngineException e) { LOGGER.error("SAMLCore: error loadConfiguration. ", e); throw new STORKSAMLEngineRuntimeException(e); @@ -491,6 +506,15 @@ public final class STORKSAMLCore { this.responder = newResponder; } + /** + * Sets the format string + * + * @param newFormat + */ + public void setFormat(final String newFormat) { + this.format = newFormat; + } + /** * Sets the time not on or after. * diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java index 907b9bf68..9f602aba1 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/AuthenticationAttributesImpl.java @@ -102,9 +102,4 @@ public final class AuthenticationAttributesImpl extends AbstractSignableSAMLObje vIDPAuthenAttr = prepareForAssignment(this.vIDPAuthenAttr, newVIDPAuthenAttr); } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java index 003d56b46..aa4c725f1 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/CitizenCountryCodeImpl.java @@ -77,9 +77,4 @@ public class CitizenCountryCodeImpl extends AbstractSAMLObject implements Citize return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java index b5d194c7f..13cc3d287 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossBorderShareImpl.java @@ -77,9 +77,4 @@ public class EIDCrossBorderShareImpl extends AbstractSAMLObject implements EIDCr return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } -} \ No newline at end of file +} diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java index f2762e327..2e3f6ab7e 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/EIDCrossSectorShareImpl.java @@ -78,9 +78,4 @@ public class EIDCrossSectorShareImpl extends AbstractSAMLObject implements EIDCr return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } -} \ No newline at end of file +} diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java index 423cf8b25..e74ce1fec 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/QAAAttributeImpl.java @@ -77,9 +77,4 @@ public class QAAAttributeImpl extends AbstractSAMLObject implements QAAAttribute return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java index e7ac7213b..2537d3794 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/RequestedAttributeImpl.java @@ -213,9 +213,4 @@ public class RequestedAttributeImpl extends AbstractSAMLObject implements Reques this.unknownAttributes = newUnknownAttr; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java index 276697d6a..7f09d611f 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPApplicationImpl.java @@ -77,9 +77,4 @@ public class SPApplicationImpl extends AbstractSAMLObject implements SPApplicati return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java index 404a90079..ea9085867 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPCountryImpl.java @@ -77,9 +77,4 @@ public class SPCountryImpl extends AbstractSAMLObject implements SPCountry { return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java index cea51a5a8..03dea20ed 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPIDImpl.java @@ -77,9 +77,4 @@ public class SPIDImpl extends AbstractSAMLObject implements SPID { return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java index 4089f0862..41b3d8998 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInformationImpl.java @@ -101,9 +101,4 @@ public final class SPInformationImpl extends AbstractSignableSAMLObject implemen this.spId = prepareForAssignment(this.spId, newSPId); } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java index 054481744..ed0a75f35 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SPInstitutionImpl.java @@ -77,9 +77,4 @@ public class SPInstitutionImpl extends AbstractSAMLObject implements SPInstituti return null; } - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java index 6e23d7f24..1cd5fb761 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignHW.java @@ -72,6 +72,7 @@ import eu.stork.peps.exceptions.SAMLEngineException; * The Class HWSign. Module of sign. * * @author fjquevedo + * @author advania */ public final class SignHW implements SAMLEngineSignI { @@ -79,14 +80,19 @@ public final class SignHW implements SAMLEngineSignI { private static final String CONF_FILE = "configurationFile"; /** - * The Constant KEYSTORE_TYPE. private static final String KEYSTORE_TYPE = "keystoreType" + * The Constant KEYSTORE_TYPE. */ + private static final String KEYSTORE_TYPE = "keystoreType"; /** The logger. */ private static final Logger LOG = LoggerFactory.getLogger(SignHW.class.getName()); /** The stork own key store. */ private KeyStore storkOwnKeyStore = null; + /** + * The soft trust key store. + */ + private SignSW swTrustStore = null; /** * Gets the stork own key store. @@ -160,6 +166,12 @@ public final class SignHW implements SAMLEngineSignI { throw new SAMLEngineException(e); } finally { IOUtils.closeQuietly(inputStr); + /** + * Init the soft keystore to validate with. trustStoreConfig is read from the SignModule config file and should refer to the keystore containing trusted certificates. + */ + swTrustStore = new SignSW(); + swTrustStore.init(properties.getProperty("trustStoreConfig")); + swTrustStore.loadCryptServiceProvider(); } } @@ -204,7 +216,7 @@ public final class SignHW implements SAMLEngineSignI { X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); X509Principal issuerDNConf = new X509Principal(issuer); - if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) { + if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) { alias = aliasCert; find = true; } @@ -339,56 +351,14 @@ public final class SignHW implements SAMLEngineSignI { * exception in validate signature */ public SAMLObject validateSignature(final SignableSAMLObject tokenSaml) throws SAMLEngineException { - LOG.info("Start signature validation."); + LOG.info("Start signature validation HW."); + /* + * we are using the soft signature class to validate the signatures. This way we use the same key store code and validation that is used there. + */ try { - - // Validate structure signature - final SAMLSignatureProfileValidator signProfValidator = new SAMLSignatureProfileValidator(); - - // Indicates signature id conform to SAML Signature profile - signProfValidator.validate(tokenSaml.getSignature()); - - String aliasCert; - X509Certificate certificate; - - final List trustedCred = new ArrayList(); - - for (final Enumeration e = storkOwnKeyStore.aliases(); e.hasMoreElements();) { - aliasCert = e.nextElement(); - final BasicX509Credential credential = new BasicX509Credential(); - certificate = (X509Certificate) storkOwnKeyStore.getCertificate(aliasCert); - credential.setEntityCertificate(certificate); - trustedCred.add(credential); - } - - final KeyInfo keyInfo = tokenSaml.getSignature().getKeyInfo(); - final List listCertificates = KeyInfoHelper.getCertificates(keyInfo); - - if (listCertificates.size() != 1) { - throw new SAMLEngineException("Only must be one certificate"); - } - - // Exist only one certificate - final BasicX509Credential entityX509Cred = new BasicX509Credential(); - entityX509Cred.setEntityCertificate(listCertificates.get(0)); - - final ExplicitKeyTrustEvaluator keyTrustEvaluator = new ExplicitKeyTrustEvaluator(); - if (!keyTrustEvaluator.validate(entityX509Cred, trustedCred)) { - throw new SAMLEngineException("Certificate it is not trusted."); - } - - final SignatureValidator sigValidator = new SignatureValidator(entityX509Cred); - - sigValidator.validate(tokenSaml.getSignature()); - - } catch (final ValidationException e) { - LOG.error("ValidationException.", e); - throw new SAMLEngineException(e); - } catch (final KeyStoreException e) { - LOG.error("ValidationException.", e); - throw new SAMLEngineException(e); - } catch (final CertificateException e) { - LOG.error("CertificateException.", e); + swTrustStore.validateSignature(tokenSaml); + } catch (Exception e) { + LOG.error("SW ValidationException.", e); throw new SAMLEngineException(e); } return tokenSaml; @@ -408,6 +378,12 @@ public final class SignHW implements SAMLEngineSignI { try { inputStream = SignHW.class.getResourceAsStream("/" + properties.getProperty(CONF_FILE)); + final Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(inputStream); + if (Security.getProperty(pkcs11Provider.getName()) == null) { + Security.insertProviderAt(pkcs11Provider, Security.getProviders().length); + } + + storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE), pkcs11Provider); } catch (final Exception e) { throw new SAMLEngineException("Error loading CryptographicServiceProvider", e); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java index c91f11444..d5f01a4cc 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignP12.java @@ -41,6 +41,7 @@ import eu.stork.peps.auth.engine.X509PrincipalUtil; import org.apache.commons.io.IOUtils; import org.apache.commons.lang.NotImplementedException; import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.opensaml.Configuration; import org.opensaml.common.SAMLObject; import org.opensaml.common.SignableSAMLObject; @@ -166,25 +167,25 @@ public final class SignP12 implements SAMLEngineSignI { properties = new Properties(); try { try { - LOG.debug("Fichero a cargar " + fileConf); + LOG.debug("Loading " + fileConf); fileProperties = new FileInputStream(fileConf); properties.loadFromXML(fileProperties); } catch (Exception e) { - LOG.error("Fallo al cargar el recurso externo. Se reintenta como fichero interno."); + LOG.error("Failed to load external resource. Retrieving internal file."); fileProperties = SignP12.class.getResourceAsStream("/" + fileConf); if (fileProperties == null) { fileProperties = Thread.currentThread().getContextClassLoader().getResourceAsStream(fileConf); if (fileProperties == null) { Enumeration files = ClassLoader.getSystemClassLoader().getResources(fileConf); if (files != null && files.hasMoreElements()) { - LOG.info("Se han encontrado recurso/s. Se toma el primero."); + LOG.info("Found /s."); fileProperties = ClassLoader.getSystemClassLoader().getResourceAsStream(files.nextElement().getFile()); } else { - throw new IOException("No se pudo recuperar el fichero: " + fileConf, e); + throw new IOException("Could not load file: " + fileConf, e); } } } - LOG.debug("Recuperados " + fileProperties.available() + " bytes"); + LOG.debug("Recovered " + fileProperties.available() + " bytes"); properties.loadFromXML(fileProperties); } } catch (InvalidPropertiesFormatException e) { @@ -243,7 +244,7 @@ public final class SignP12 implements SAMLEngineSignI { X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); X509Principal issuerDNConf = new X509Principal(issuer); - if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) { + if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) { alias = aliasCert; find = true; } @@ -455,23 +456,21 @@ public final class SignP12 implements SAMLEngineSignI { FileInputStream fisTrustStore = null; try { - // // Dynamically register Bouncy Castle provider. - // boolean found = false; - // // Check if BouncyCastle is already registered as a provider - // final Provider[] providers = Security.getProviders(); - // for (int i = 0; i < providers.length; i++) { - // if (providers[i].getName().equals( - // BouncyCastleProvider.PROVIDER_NAME)) { - // found = true; - // } - // } - // - // // Register only if the provider has not been previously registered - // if (!found) { - // LOG.debug("SAMLCore: Register Bouncy Castle provider."); - // Security.insertProviderAt(new BouncyCastleProvider(), Security - // .getProviders().length); - // } + // Dynamically register Bouncy Castle provider. + boolean found = false; + // Check if BouncyCastle is already registered as a provider + final Provider[] providers = Security.getProviders(); + for (int i = 0; i < providers.length; i++) { + if (providers[i].getName().equals(BouncyCastleProvider.PROVIDER_NAME)) { + found = true; + } + } + + // Register only if the provider has not been previously registered + if (!found) { + LOG.debug("SAMLCore: Register Bouncy Castle provider."); + Security.insertProviderAt(new BouncyCastleProvider(), Security.getProviders().length); + } p12Store = KeyStore.getInstance(properties.getProperty("keystoreType")); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java index e1ae2b8e2..1ca857e9e 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/SignSW.java @@ -12,17 +12,34 @@ * Licence for the specific language governing permissions and limitations under * the Licence. */ - package eu.stork.peps.auth.engine.core.impl; -import eu.stork.peps.auth.engine.X509PrincipalUtil; -import eu.stork.peps.auth.engine.core.CustomAttributeQuery; -import eu.stork.peps.auth.engine.core.SAMLEngineSignI; -import eu.stork.peps.exceptions.SAMLEngineException; +import java.io.ByteArrayInputStream; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.Security; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.InvalidPropertiesFormatException; +import java.util.List; +import java.util.Properties; + import org.apache.commons.io.IOUtils; import org.apache.commons.lang.NotImplementedException; import org.bouncycastle.jce.X509Principal; -//import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.opensaml.Configuration; import org.opensaml.common.SAMLObject; import org.opensaml.common.SignableSAMLObject; @@ -41,25 +58,22 @@ import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager; import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator; import org.opensaml.xml.security.trust.ExplicitX509CertificateTrustEvaluator; import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.signature.*; +import org.opensaml.xml.signature.KeyInfo; import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.signature.Signer; import org.opensaml.xml.util.Base64; import org.opensaml.xml.validation.ValidationException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.ByteArrayInputStream; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.security.*; -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateFactory; -import java.security.cert.CertificateNotYetValidException; -import java.security.cert.X509Certificate; -import java.util.*; +import eu.stork.peps.auth.engine.X509PrincipalUtil; +import eu.stork.peps.auth.engine.core.CustomAttributeQuery; +import eu.stork.peps.auth.engine.core.SAMLEngineSignI; +import eu.stork.peps.exceptions.SAMLEngineException; + /** * The Class SWSign. Class responsible for signing and validating of messages SAML with a certificate store software. @@ -215,16 +229,12 @@ public class SignSW implements SAMLEngineSignI { final String serialNum = certificate.getSerialNumber().toString(16); - try { - X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); - X509Principal issuerDNConf = new X509Principal(issuer); + X509Principal issuerDN = new X509Principal(certificate.getIssuerDN().getName()); + X509Principal issuerDNConf = new X509Principal(issuer); - if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.equals(issuerDN, issuerDNConf)) { - alias = aliasCert; - find = true; - } - } catch (Exception ex) { - LOG.error("Exception during signing: " + ex.getMessage()); // Added as a workaround for Bouncycastle email error + if (serialNum.equalsIgnoreCase(serialNumber) && X509PrincipalUtil.X509equals(issuerDN, issuerDNConf)) { + alias = aliasCert; + find = true; } } if (!find) { @@ -344,7 +354,7 @@ public class SignSW implements SAMLEngineSignI { * @see eu.stork.peps.auth.engine.core.SAMLEngineSignI#validateSignature(org.opensaml.common.SignableSAMLObject) */ public final SAMLObject validateSignature(final SignableSAMLObject tokenSaml) throws SAMLEngineException { - LOG.info("Start signature validation."); + LOG.info("Start signature validation SW."); try { // Validate structure signature @@ -440,23 +450,21 @@ public class SignSW implements SAMLEngineSignI { LOG.info("Load Cryptographic Service Provider"); FileInputStream fis = null; try { - // // Dynamically register Bouncy Castle provider. - // boolean found = false; - // // Check if BouncyCastle is already registered as a provider - // final Provider[] providers = Security.getProviders(); - // for (int i = 0; i < providers.length; i++) { - // if (providers[i].getName().equals( - // BouncyCastleProvider.PROVIDER_NAME)) { - // found = true; - // } - // } - // - // // Register only if the provider has not been previously registered - // if (!found) { - // LOG.info("SAMLCore: Register Bouncy Castle provider."); - // Security.insertProviderAt(new BouncyCastleProvider(), Security - // .getProviders().length); - // } + // Dynamically register Bouncy Castle provider. + boolean found = false; + // Check if BouncyCastle is already registered as a provider + final Provider[] providers = Security.getProviders(); + for (int i = 0; i < providers.length; i++) { + if (providers[i].getName().equals(BouncyCastleProvider.PROVIDER_NAME)) { + found = true; + } + } + + // Register only if the provider has not been previously registered + if (!found) { + LOG.info("SAMLCore: Register Bouncy Castle provider."); + Security.insertProviderAt(new BouncyCastleProvider(), Security.getProviders().length); + } storkOwnKeyStore = KeyStore.getInstance(properties.getProperty(KEYSTORE_TYPE)); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java index d7d92ea74..bfb85e357 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/impl/VIDPAuthenticationAttributesImpl.java @@ -125,10 +125,4 @@ public final class VIDPAuthenticationAttributesImpl extends AbstractSignableSAML public void setSPInformation(SPInformation newSPInformation) { this.spInformation = prepareForAssignment(this.spInformation, newSPInformation); } - - @Override - public int hashCode() { - LOGGER.warn("Hashcode has been called, passed to super. Nothing foreseen here"); - return super.hashCode(); - } } diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java index bf7626dc5..04ff153d3 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/core/validator/QAAAttributeSchemaValidator.java @@ -54,8 +54,12 @@ public class QAAAttributeSchemaValidator implements Validator { if (DatatypeHelper.isEmpty(qaaAttribute.getQaaLevel())) { throw new ValidationException("QAALevel label must be specified."); } - - final int qaa = Integer.valueOf(qaaAttribute.getQaaLevel()); + int qaa = 0; + try { + qaa = Integer.valueOf(qaaAttribute.getQaaLevel()); + } catch (Exception e) { + throw new ValidationException("QAALevel is not a valid number!"); + } if (qaa < QAAAttribute.MIN_VALUE || qaa > QAAAttribute.MAX_VALUE) { throw new ValidationException("QAALevel label must be greater than 0."); diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/configuration/ConfigurationCreator.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/configuration/ConfigurationCreator.java index 6e76c52a6..c0197b9db 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/configuration/ConfigurationCreator.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/configuration/ConfigurationCreator.java @@ -12,15 +12,8 @@ * Licence for the specific language governing permissions and limitations under * the Licence. */ - package eu.stork.peps.configuration; -import eu.stork.peps.exceptions.STORKSAMLEngineException; -import org.apache.commons.io.IOUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.util.HashMap; @@ -28,6 +21,12 @@ import java.util.InvalidPropertiesFormatException; import java.util.Map; import java.util.Properties; +import org.apache.commons.io.IOUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import eu.stork.peps.exceptions.STORKSAMLEngineException; + /** * The Class InstanceCreator. * @@ -90,6 +89,7 @@ public final class ConfigurationCreator { * the STORKSAML engine runtime exception */ private static Properties getNewInstance(final String fileName) throws STORKSAMLEngineException { + LOGGER.info("Create file configuration properties to Stork Saml Engine: " + fileName); InputStream fileEngineProp = null; // fetch base from system properties, give a default if there is nothing configured @@ -115,10 +115,10 @@ public final class ConfigurationCreator { configuration.loadFromXML(fileEngineProp); return configuration; } catch (InvalidPropertiesFormatException e) { - LOGGER.error("Invalid properties format."); + LOGGER.error("Invalid properties format: " + fileName); throw new STORKSAMLEngineException(e); } catch (IOException e) { - LOGGER.error("Error read file: " + base + fileName); + LOGGER.error("Error read file: " + fileName); throw new STORKSAMLEngineException(e); } finally { IOUtils.closeQuietly(fileEngineProp); -- cgit v1.2.3