CertificateChecker

/*
 * Copyright (c) 2002-2014, Mairie de Paris
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  1. Redistributions of source code must retain the above copyright notice
 *     and the following disclaimer.
 *
 *  2. Redistributions in binary form must reproduce the above copyright notice
 *     and the following disclaimer in the documentation and/or other materials
 *     provided with the distribution.
 *
 *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
 *     contributors may be used to endorse or promote products derived from
 *     this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * License 1.0
 */
package fr.paris.lutece.plugins.mylutece.modules.saml.authentication.checkers;

import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.BootStrap;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.SAMLResponseManager;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.CertificateValidationException;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLParsingException;
import fr.paris.lutece.portal.service.util.AppLogService;

import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import java.util.List;


public class CertificateChecker implements SAMLChecker
{
    public void check( SAMLResponseManager responseManager )
        throws CertificateValidationException, SAMLParsingException
    {
        List<X509Certificate> certWhiteList = BootStrap.getInstance(  ).getIdpMetaDataManager(  )
                                                       .getCertificateWhiteList(  );
        X509Certificate responseCert;
        responseCert = responseManager.getSignatureCertificate(  );

        // V�rification du certificat (liste blanche)
        if ( !certWhiteList.contains( responseCert ) )
        {
            String message = "Le certificat de signature n'est pas reconnu. DN Certificat=[" +
                responseCert.getSubjectX500Principal(  ).getName(  ) + "]";
            AppLogService.info( message );
            throw new CertificateValidationException( message );
        }

        // Validite certificat
        try
        {
            responseCert.checkValidity(  );
        }
        catch ( CertificateExpiredException e )
        {
            String message = "Le certificat de signature est expir�. DN Certificat=[" +
                responseCert.getSubjectX500Principal(  ).getName(  ) + "]";
            AppLogService.info( message );
            throw new CertificateValidationException( message );
        }
        catch ( CertificateNotYetValidException e )
        {
            String message = "Le certificat de signature n'est pas encore valide. DN Certificat=[" +
                responseCert.getSubjectX500Principal(  ).getName(  ) + "]";
            AppLogService.info( message );
            throw new CertificateValidationException( message );
        }
    }
}