/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
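*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;

import java.util.List;

import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.logging.Logger;

/**
 * Verifies the XML signature of SAML 2 metadata ({@link EntityDescriptor} or
 * {@link EntitiesDescriptor}).
 * <p>
 * Every {@code verify} variant performs the same two steps: first the
 * signature is checked against the SAML signature profile
 * ({@link SAMLSignatureProfileValidator}), then it is cryptographically
 * verified with a {@link SignatureValidator}. The credential is either passed
 * in by the caller or looked up via
 * {@link CredentialProvider#getSPTrustedCredential(String)} using the entity
 * ID found in the metadata. All variants fail closed: a missing signature, a
 * profile violation, a failed verification or a missing credential is reported
 * by an exception, never by a silent return.
 */
public class EntityVerifier {

    /**
     * Returns the certificate configured for the online application that is
     * registered under {@code entityID}.
     *
     * @param entityID entity ID (public URL prefix) of the online application
     * @return the configured PVP2 certificate bytes, or {@code null} when no
     *         active online application, no auth component or no PVP2
     *         configuration exists for {@code entityID}
     */
    public static byte[] fetchSavedCredential(String entityID) {
        OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(entityID);
        if (oa == null || oa.getAuthComponentOA() == null) {
            return null;
        }
        OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
        return pvp2Config == null ? null : pvp2Config.getCertificate();
    }

    /**
     * Verifies the signature of an {@link EntityDescriptor} using the
     * credential trusted for the descriptor's own entity ID.
     *
     * @param entityDescriptor signed metadata of a single entity
     * @throws SAMLRequestNotSignedException if the descriptor carries no
     *         signature, the signature violates the SAML signature profile, or
     *         cryptographic verification fails
     * @throws NoCredentialsException if no trusted credential is configured
     *         for the descriptor's entity ID
     * @throws MOAIDException for any other verification error
     */
    public static void verify(EntityDescriptor entityDescriptor) throws MOAIDException {
        Signature signature = entityDescriptor.getSignature();
        checkSignatureProfile(signature);

        String entityID = entityDescriptor.getEntityID();
        Credential credential = CredentialProvider.getSPTrustedCredential(entityID);
        if (credential == null) {
            throw new NoCredentialsException(entityID);
        }
        verifySignature(signature, credential);
    }

    /**
     * Verifies the signature of an {@link EntityDescriptor} with a credential
     * supplied by the caller (no lookup by entity ID is performed).
     *
     * @param entityDescriptor signed metadata of a single entity
     * @param cred credential whose key must have produced the signature
     * @throws SAMLRequestNotSignedException if the descriptor carries no
     *         signature, the signature violates the SAML signature profile, or
     *         cryptographic verification fails
     * @throws NoCredentialsException if {@code cred} is {@code null}
     * @throws MOAIDException for any other verification error
     */
    public static void verify(EntityDescriptor entityDescriptor, Credential cred) throws MOAIDException {
        Signature signature = entityDescriptor.getSignature();
        checkSignatureProfile(signature);
        if (cred == null) {
            // A null credential would otherwise only surface as an opaque validator error.
            throw new NoCredentialsException(entityDescriptor.getEntityID());
        }
        verifySignature(signature, cred);
    }

    /**
     * Verifies the signature of an {@link EntitiesDescriptor} with a credential
     * supplied by the caller (no lookup by entity ID is performed).
     *
     * @param entityDescriptor signed metadata aggregate
     * @param cred credential whose key must have produced the signature
     * @throws SAMLRequestNotSignedException if the descriptor carries no
     *         signature, the signature violates the SAML signature profile, or
     *         cryptographic verification fails
     * @throws NoCredentialsException if {@code cred} is {@code null}
     * @throws MOAIDException for any other verification error
     */
    public static void verify(EntitiesDescriptor entityDescriptor, Credential cred) throws MOAIDException {
        Signature signature = entityDescriptor.getSignature();
        checkSignatureProfile(signature);
        if (cred == null) {
            throw new NoCredentialsException(entityDescriptor.getName());
        }
        verifySignature(signature, cred);
    }

    /**
     * Verifies the signature of an {@link EntitiesDescriptor} using the
     * credential trusted for the entity ID of its <em>first</em> contained
     * {@link EntityDescriptor}. If the aggregate contains more than one entity
     * a warning is logged, since only the first one selects the credential.
     *
     * @param entityDescriptor signed metadata aggregate
     * @throws SAMLRequestNotSignedException if the descriptor carries no
     *         signature, the signature violates the SAML signature profile, or
     *         cryptographic verification fails
     * @throws NoCredentialsException if the aggregate contains no entity at all
     *         (there is no entity ID to select a credential by) or no trusted
     *         credential is configured for the first entity's ID
     * @throws MOAIDException for any other verification error
     */
    public static void verify(EntitiesDescriptor entityDescriptor) throws MOAIDException {
        Signature signature = entityDescriptor.getSignature();
        checkSignatureProfile(signature);

        List<EntityDescriptor> entities = entityDescriptor.getEntityDescriptors();
        if (entities == null || entities.isEmpty()) {
            // Fail closed: without an EntityDescriptor there is no entity ID to pick a
            // trusted credential, so the signature cannot be verified at all. Returning
            // normally here would let metadata pass as verified although no
            // cryptographic check was ever performed.
            throw new NoCredentialsException(entityDescriptor.getName());
        }
        if (entities.size() > 1) {
            Logger.warn("More then one EntityID in Metadatafile with Name "
                    + entityDescriptor.getName()
                    + " defined. Actually only the first"
                    + " entryID is used to select the certificate to perform Metadata verification.");
        }

        String entityID = entities.get(0).getEntityID();
        Credential credential = CredentialProvider.getSPTrustedCredential(entityID);
        if (credential == null) {
            // Report the entity ID whose credential is missing, consistent with
            // verify(EntityDescriptor).
            throw new NoCredentialsException(entityID);
        }
        verifySignature(signature, credential);
    }

    /**
     * Rejects a missing signature and checks an existing one against the SAML
     * signature profile. Must run before any cryptographic verification.
     *
     * @param signature signature taken from the metadata, may be {@code null}
     * @throws SAMLRequestNotSignedException if {@code signature} is
     *         {@code null} or violates the profile
     */
    private static void checkSignatureProfile(Signature signature) throws MOAIDException {
        if (signature == null) {
            throw new SAMLRequestNotSignedException();
        }
        try {
            SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
            profileValidator.validate(signature);
        } catch (ValidationException e) {
            Logger.error("Failed to validate Signature", e);
            throw new SAMLRequestNotSignedException(e);
        }
    }

    /**
     * Cryptographically verifies {@code signature} with {@code credential}.
     *
     * @param signature profile-checked, non-null signature
     * @param credential non-null credential expected to have produced the signature
     * @throws SAMLRequestNotSignedException if verification fails
     */
    private static void verifySignature(Signature signature, Credential credential) throws MOAIDException {
        SignatureValidator sigValidator = new SignatureValidator(credential);
        try {
            sigValidator.validate(signature);
        } catch (ValidationException e) {
            Logger.error("Failed to verfiy Signature", e);
            throw new SAMLRequestNotSignedException(e);
        }
    }
}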