/* * Copyright 2011 by Graz University of Technology, Austria * The Austrian STORK Modules have been developed by the E-Government * Innovation Center EGIZ, a joint initiative of the Federal Chancellery * Austria and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
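*/
/**
 *
 */
package at.gv.egovernment.moa.id.auth.stork;

import java.nio.charset.Charset;

import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
import at.gv.egovernment.moa.id.auth.exception.ServiceException;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import eu.stork.mw.messages.saml.STORKResponse;
import eu.stork.vidp.messages.exception.SAMLValidationException;
import eu.stork.vidp.messages.util.SAMLUtil;
import eu.stork.vidp.messages.util.XMLUtil;

/**
 * Verifies a STORK SAML response according to the STORK specification.
 * <p>
 * Verification runs in two stages: the XML signature of the response is
 * checked first (signature references, then signature and signing certificate
 * via MOA-SP); only a response that passed that stage is handed to the
 * schema/STORK rule validation.
 *
 * @author bzwattendorfer
 */
public class PEPSConnectorResponseVerifier implements ResponseVerifier {

    /**
     * Charset used to turn the re-serialised response DOM into the bytes MOA-SP
     * verifies. Fixed explicitly so the result does not depend on the JVM's
     * platform default charset (assumes XMLUtil.printXML emits UTF-8 or no
     * encoding declaration -- confirm against XMLUtil).
     */
    private static final Charset XML_CHARSET = Charset.forName("UTF-8");

    /* (non-Javadoc)
     * @see eu.stork.mw.peps.connector.validation.ResponseVerifier#verify(org.opensaml.saml2.core.Response)
     */
    public void verify(STORKResponse response) throws SecurityException {
        verifySignature(response);
        Logger.debug("Signature of SAML response valid.");
        verifyStandardValidation(response);
        Logger.debug("SAML response format valid.");
    }

    /**
     * Verifies the XML signature of the response.
     * <p>
     * An unsigned response is rejected outright. For a signed response the
     * signature references are validated, the response is re-serialised and
     * sent to MOA-SP together with the configured STORK trust profile, and both
     * the signature check code and the certificate check code returned by
     * MOA-SP must be 0.
     *
     * @param response the STORK SAML response to verify
     * @throws SecurityException if the response is unsigned, the signature
     *         references are not valid, MOA-SP rejects the signature or the
     *         signing certificate, or the STORK configuration cannot be loaded,
     *         the MOA-SP request/response cannot be built or parsed, or MOA-SP
     *         cannot be invoked
     */
    private void verifySignature(STORKResponse response) throws SecurityException {
        try {
            if (!response.isSigned()) {
                String msg = "SAML Response is not signed.";
                Logger.error(msg);
                throw new SecurityException(msg);
            }

            // presumably the trust profile selects the certificates MOA-SP
            // accepts for the PEPS signature -- confirm in the MOA-SP configuration
            String trustProfileID = AuthConfigurationProvider.getInstance()
                    .getStorkConfig().getSignatureVerificationParameter().getTrustProfileID();

            checkSignatureReferences(response);

            Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID);
            VerifyXMLSignatureResponse verifyXMLSignatureResponse =
                    invokeMoaSp(response, trustProfileID);

            checkVerificationResult(verifyXMLSignatureResponse);
        } catch (ConfigurationException e) {
            String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
            Logger.error(msg, e);
            throw new SecurityException(msg, e);
        } catch (ParseException e) {
            String msg = "Unable to parse VerifyXMLSignature Request or Response.";
            Logger.error(msg, e);
            throw new SecurityException(msg, e);
        } catch (BuildException e) {
            String msg = "Unable to parse VerifyXMLSignature Request or Response.";
            Logger.error(msg, e);
            throw new SecurityException(msg, e);
        } catch (ServiceException e) {
            String msg = "Unable to invoke MOA-SP.";
            Logger.error(msg, e);
            throw new SecurityException(msg, e);
        }
    }

    /**
     * Validates the references of the response's XML signature via
     * {@link SAMLUtil#validateSignatureReferences(STORKResponse)}.
     *
     * @param response the signed STORK SAML response
     * @throws SecurityException if the reference validation fails; the
     *         {@link ValidationException} is kept as cause
     */
    private static void checkSignatureReferences(STORKResponse response) throws SecurityException {
        Logger.trace("Starting validation of Signature references");
        try {
            SAMLUtil.validateSignatureReferences(response);
        } catch (ValidationException e) {
            Logger.error("Validation of XML Signature refrences failed: " + e.getMessage());
            throw new SecurityException(e);
        }
        Logger.debug("XML Signature references are OK.");
    }

    /**
     * Builds a VerifyXMLSignatureRequest for the response, invokes MOA-SP and
     * parses its VerifyXMLSignatureResponse.
     *
     * @param response       the signed STORK SAML response
     * @param trustProfileID the MOA-SP trust profile to verify against
     * @return the parsed MOA-SP response
     * @throws BuildException   if the request cannot be built
     * @throws ServiceException if MOA-SP cannot be invoked
     * @throws ParseException   if the MOA-SP response cannot be parsed
     */
    private static VerifyXMLSignatureResponse invokeMoaSp(STORKResponse response, String trustProfileID)
            throws BuildException, ServiceException, ParseException {
        // builds a VerifyXMLSignatureRequest for a call of MOA-SP; the DOM is
        // re-serialised and encoded with a fixed charset rather than the platform default
        byte[] responseBytes = XMLUtil.printXML(response.getDOM()).getBytes(XML_CHARSET);
        Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
                .build(responseBytes, trustProfileID);
        Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built");

        // invokes the call
        Logger.trace("Calling MOA-SP");
        Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
                .verifyXMLSignature(domVerifyXMLSignatureRequest);

        // parses the VerifyXMLSignatureResponse
        VerifyXMLSignatureResponse parsed = new VerifyXMLSignatureResponseParser(
                domVerifyXMLSignatureResponse).parseData();
        Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP");
        return parsed;
    }

    /**
     * Rejects the response unless MOA-SP reported both a valid signature and a
     * valid signing certificate (check code 0 for each).
     *
     * @param verifyXMLSignatureResponse the parsed MOA-SP response
     * @throws SecurityException if either the signature check code or the
     *         certificate check code is not 0
     */
    private static void checkVerificationResult(VerifyXMLSignatureResponse verifyXMLSignatureResponse)
            throws SecurityException {
        if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
            String msg = "Signature of SAMLResponse not valid";
            Logger.error(msg);
            throw new SecurityException(msg);
        }
        Logger.debug("Signature of SAML response successfully verified");

        // a valid signature alone is not enough: the certificate must also be
        // accepted by MOA-SP (trust profile check)
        if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
            String msg = "Certificate of SAMLResponse not valid";
            Logger.error(msg);
            throw new SecurityException(msg);
        }
        Logger.debug("Signing certificate of SAML response succesfully verified");
    }

    /**
     * Runs the OpenSAML standard validation of the response with the
     * "saml2-core-schema-and-stork-validator" validator suite.
     *
     * @param response the STORK SAML response (signature already verified)
     * @throws SecurityException if the validation fails; the
     *         {@link SAMLValidationException} is kept as cause
     */
    private void verifyStandardValidation(STORKResponse response) throws SecurityException {
        try {
            SAMLUtil.verifySAMLObjectStandardValidation(response, "saml2-core-schema-and-stork-validator");
        } catch (SAMLValidationException e) {
            String msg = "SAML Response received not valid.";
            Logger.error(msg, e);
            throw new SecurityException(msg, e);
        }
    }
}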