Java tutorial
/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ package at.gv.egovernment.moa.id.configuration.validation.oa; import iaik.x509.X509Certificate; import java.io.IOException; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; import java.util.Timer; import javax.net.ssl.SSLHandshakeException; import javax.servlet.http.HttpServletRequest; import org.apache.commons.httpclient.MOAHttpClient; import org.apache.log4j.Logger; import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.saml2.metadata.provider.MetadataFilterChain; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallerFactory; import org.opensaml.xml.io.Unmarshaller; import org.opensaml.xml.io.UnmarshallerFactory; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.id.configuration.auth.pvp2.MetaDataVerificationFilter; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.util.MiscUtil; public class OAPVP2ConfigValidation { private static final Logger log = Logger.getLogger(OAPVP2ConfigValidation.class); public List<String> validate(OAPVP2Config form, String oaID, HttpServletRequest request) { Timer timer = null; MOAHttpClient httpClient = null; HTTPMetadataProvider httpProvider = null; List<String> errors = new ArrayList<String>(); try { byte[] certSerialized = null; if (form.getFileUpload() != null) certSerialized = form.getCertificate(); else { OnlineApplication oa = ConfigurationDBRead.getOnlineApplication(oaID); if (oa != null && oa.getAuthComponentOA() != null && oa.getAuthComponentOA().getOAPVP2() != null) { certSerialized = oa.getAuthComponentOA().getOAPVP2().getCertificate(); } } String check = form.getMetaDataURL(); if (MiscUtil.isNotEmpty(check)) { if (!ValidationHelper.validateURL(check)) { log.info("MetaDataURL has no valid form."); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request)); } else { if (certSerialized == null) { log.info("No certificate for metadata validation"); errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); } else { X509Certificate cert = new X509Certificate(certSerialized); BasicX509Credential credential = new BasicX509Credential(); credential.setEntityCertificate(cert); timer = new Timer(); httpClient = new MOAHttpClient(); if (form.getMetaDataURL().startsWith("https:")) try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( "MOAMetaDataProvider", ConfigurationProvider.getInstance().getCertStoreDirectory(), ConfigurationProvider.getInstance().getTrustStoreDirectory(), null, ChainingModeType.PKIX, true); httpClient.setCustomSSLTrustStore(form.getMetaDataURL(), protoSocketFactory); } catch (MOAHttpProtocolSocketFactoryException e) { log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); } catch (ConfigurationException e) { log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); } List<MetadataFilter> filterList = new ArrayList<MetadataFilter>(); filterList.add(new MetaDataVerificationFilter(credential)); filterList.add(new SchemaValidationFilter()); MetadataFilterChain filter = new MetadataFilterChain(); filter.setFilters(filterList); httpProvider = new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); httpProvider.setParserPool(new BasicParserPool()); httpProvider.setRequireValidMetadata(true); httpProvider.setMetadataFilter(filter); httpProvider.setMinRefreshDelay(1000 * 60 * 15); //15 minutes httpProvider.setMaxRefreshDelay(1000 * 60 * 60 * 24); //24 hours httpProvider.setRequireValidMetadata(true); httpProvider.initialize(); if (httpProvider.getMetadata() == null) { log.info("Metadata could be received but validation FAILED."); errors.add( LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request)); } } } } } catch (CertificateException e) { log.info("Uploaded Certificate can not be found", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request)); } catch (IOException e) { log.info("Metadata can not be loaded from URL", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request)); } catch (MetadataProviderException e) { //TODO: check exception handling if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { log.info("SSL Server certificate not trusted.", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); } else { log.info("MetaDate verification failed", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request)); } } finally { if (httpProvider != null) httpProvider.destroy(); if (timer != null) timer.cancel(); } return errors; } }