/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ package at.gv.egovernment.moa.id.configuration.auth.pvp2; import java.util.Iterator; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egovernment.moa.id.config.webgui.exception.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; public class MetaDataVerificationFilter implements MetadataFilter { BasicX509Credential credential; public MetaDataVerificationFilter(BasicX509Credential credential) { this.credential = credential; } public void doFilter(XMLObject metadata) throws SignatureValidationException { if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; if(entitiesDescriptor.getSignature() == null) { throw new SignatureValidationException("Root element of metadata file has to be signed"); } try { processEntitiesDescriptor(entitiesDescriptor); } catch (EAAFException e) { throw new SignatureValidationException("Invalid signature element in EntitiesDescriptor"); } } if (metadata instanceof EntityDescriptor) { try { EntityDescriptor entity = (EntityDescriptor) metadata; if (entity.getSignature() != null) EntityVerifier.verify(entity, this.credential); else throw new SignatureValidationException("Root element of metadata file has to be signed", null); } catch (EAAFException e) { throw new SignatureValidationException("Invalid signature element in EntityDescriptor", null); } } } private void processEntitiesDescriptor(EntitiesDescriptor desc) throws EAAFException { Iterator entID = desc.getEntitiesDescriptors().iterator(); if(desc.getSignature() != null) { EntityVerifier.verify(desc, this.credential); } while(entID.hasNext()) { processEntitiesDescriptor(entID.next()); } Iterator entIT = desc.getEntityDescriptors().iterator(); while(entIT.hasNext()) { EntityDescriptor entity = entIT.next(); if (entity.getSignature() != null) EntityVerifier.verify(entity); } } }