/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ package at.gv.egovernment.moa.id.util; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import javax.xml.transform.TransformerException; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.w3c.dom.NodeList; import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.SPSSFactory; import at.gv.egovernment.moa.spss.api.SignatureCreationService; import at.gv.egovernment.moa.spss.api.common.Content; import at.gv.egovernment.moa.spss.api.common.MetaInfo; import at.gv.egovernment.moa.spss.api.common.Transform; import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureEnvironmentProfile; import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureInfo; import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation; import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfo; import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfoProfile; import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse; import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo; import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse; import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse; import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; public class IdentityLinkReSigner { private static IdentityLinkReSigner instance; public static IdentityLinkReSigner getInstance() { if (instance == null) { instance = new IdentityLinkReSigner(); } return instance; } public Element resignIdentityLink(Element idl, String keyGroupId) throws MOAIDException { try { if (idl == null) { Logger.warn("IdentityLink is empty"); return null; } else { NodeList signatures = idl.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); Node signature = signatures.item(0); Node parent = signature.getParentNode(); parent.removeChild(signature); } SPSSFactory spssFac = SPSSFactory.getInstance(); if (MiscUtil.isEmpty(keyGroupId)) { Logger.warn("No IdentityLink reSigning-Key definded"); throw new MOAIDException("config.19", new Object[]{}); } MetaInfo mi = spssFac.createMetaInfo("text/xml", null, null, null); Transform envelopedSignatureTransform = spssFac.createEnvelopedSignatureTransform(); List transformsList = new ArrayList(); transformsList.add(envelopedSignatureTransform); CreateTransformsInfo ct = spssFac.createCreateTransformsInfo(transformsList, mi); CreateTransformsInfoProfile ctip = spssFac.createCreateTransformsInfoProfile(ct, null); Content content = spssFac.createContent(""); DataObjectInfo doi = spssFac.createDataObjectInfo(DataObjectInfo.STRUCTURE_DETACHED, false, content, ctip); // create signature environment HashMap nsMap = new HashMap(); nsMap.put(Constants.SAML_PREFIX, Constants.SAML_NS_URI); nsMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); nsMap.put(Constants.PD_PREFIX, Constants.PD_NS_URI); CreateSignatureLocation csl = spssFac.createCreateSignatureLocation("/" + Constants.SAML_PREFIX + ":" + "Assertion", -1, nsMap); CreateSignatureEnvironmentProfile csep = spssFac.createCreateSignatureEnvironmentProfile(csl, null); InputStream serializedIdl = new ByteArrayInputStream(DOMUtils.serializeNode(idl).getBytes()); Content confirmationContent = spssFac.createContent(serializedIdl, null); CreateSignatureInfo csi = spssFac.createCreateSignatureInfo(confirmationContent, csep); List dataobjectinfoList = new ArrayList(); dataobjectinfoList.add(doi); SingleSignatureInfo ssi = spssFac.createSingleSignatureInfo(dataobjectinfoList, csi, false); List singlesignatureinfolist = new ArrayList(); singlesignatureinfolist.add(ssi); CreateXMLSignatureRequest cxsreq = spssFac.createCreateXMLSignatureRequest(keyGroupId, singlesignatureinfolist); // signature creation service SignatureCreationService scs = SignatureCreationService.getInstance(); CreateXMLSignatureResponse cxresp; Logger.info("Creating MOA-SS signature"); cxresp = scs.createXMLSignature(cxsreq); // evaluate response List elements = cxresp.getResponseElements(); if (elements.get(0) instanceof ErrorResponse) { ErrorResponse errResponse = (ErrorResponse) elements.get(0); Logger.warn("Error while calling MOA-SS: " + errResponse.getErrorCode() + " / " + errResponse.getInfo()); throw new MOAIDException("builder.04", new Object[]{errResponse.getErrorCode(), errResponse.getInfo()}); } else if (elements.get(0) instanceof SignatureEnvironmentResponse) { Logger.debug("Successfully created signature."); SignatureEnvironmentResponse ser = (SignatureEnvironmentResponse) elements.get(0); int responseType = ser.getResponseType(); if (responseType == SignatureEnvironmentResponse.ERROR_RESPONSE) { Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS"); throw new MOAIDException("builder.05", new Object[]{}); } else { Logger.debug("MOA-SS Signature createn successfull"); return ser.getSignatureEnvironment(); } } else { Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS"); throw new MOAIDException("builder.05", new Object[]{}); } } catch (ConfigurationException e) { Logger.warn("Configuration can not be loaded", e); throw new MOAIDException("config.18", new Object[]{}); } catch (TransformerException e) { Logger.warn("IdentityLink serialization error.", e); throw new MOAIDException("builder.05", new Object[]{}); } catch (IOException e) { Logger.warn("IdentityLink I/O error.", e); throw new MOAIDException("builder.05", new Object[]{}); } catch (MOAException e) { Logger.warn("General IdentityLink signing error.", e); throw new MOAIDException("builder.05", new Object[]{}); } } }