1   /*
2    * Copyright (c) 2002-2014, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.plugins.mylutece.modules.saml.authentication.checkers;
35  
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.BootStrap;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.SAMLResponseManager;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLParsingException;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SignatureValidationException;
import fr.paris.lutece.portal.service.util.AppLogService;

import org.opensaml.common.xml.SAMLConstants;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;

import org.opensaml.saml2.metadata.IDPSSODescriptor;

import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;

import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.validation.ValidationException;
53  
54  
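/**
 * Verifies the XML signature carried by the SAML assertion of a response.
 * <p>
 * The check is done in two steps:
 * <ol>
 * <li>the signature element is validated against the SAML signature profile with
 * {@link SAMLSignatureProfileValidator} (structure of the {@code ds:Signature}, not
 * the cryptography);</li>
 * <li>the signature is verified by the trust engine held by {@link BootStrap}, with a
 * criteria set built from the assertion issuer's entity ID and the IDP SSO descriptor
 * role, so that the trust engine resolves verification keys for that issuer and role
 * only (with a metadata-backed trust engine this means the keys published in the IDP
 * metadata).</li>
 * </ol>
 * An assertion without a signature or without an issuer is rejected before either
 * step, so an unsigned assertion can never pass through this checker. Only the
 * assertion signature is examined here; the enclosing response element is not.
 */
public class SignatureChecker implements SAMLChecker
{
    private static final String MSG_SIGNATURE_INVALID = "Erreur lors de la validation de la signature";
    private static final String MSG_PROFILE_INVALID = "Erreur lors de la validation du schéma de la signature : ";

    /**
     * Checks the signature of the assertion held by {@code responseManager}.
     *
     * @param responseManager holder of the parsed SAML response and its assertion
     * @throws SignatureValidationException if the assertion is missing, unsigned, has no
     *             issuer, fails the signature profile validation, or is not trusted by
     *             the trust engine
     * @throws SAMLParsingException declared by the {@link SAMLChecker} contract; not
     *             raised by this implementation
     */
    public void check( SAMLResponseManager responseManager )
        throws SignatureValidationException, SAMLParsingException
    {
        Assertion assertion = responseManager.getAssertion(  );

        if ( assertion == null )
        {
            throw fail( MSG_SIGNATURE_INVALID + " : assertion absente", null );
        }

        Signature signature = assertion.getSignature(  );

        // An unsigned assertion must be refused explicitly: neither validator below is
        // guaranteed to turn a null signature into a clean validation failure.
        if ( signature == null )
        {
            throw fail( MSG_SIGNATURE_INVALID + " : signature absente", null );
        }

        Issuer issuer = assertion.getIssuer(  );

        // The issuer value drives the criteria set handed to the trust engine; without
        // it there is no entity to resolve keys for.
        if ( ( issuer == null ) || ( issuer.getValue(  ) == null ) )
        {
            throw fail( MSG_SIGNATURE_INVALID + " : émetteur absent", null );
        }

        validateProfile( signature );
        validateTrust( signature, issuer.getValue(  ) );
    }

    /**
     * Checks the {@code ds:Signature} element against the SAML signature profile
     * (XML structure only, no cryptographic verification).
     *
     * @param signature the assertion signature, never null
     * @throws SignatureValidationException if the profile validation fails
     */
    private void validateProfile( Signature signature ) throws SignatureValidationException
    {
        SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(  );

        try
        {
            profileValidator.validate( signature );
        }
        catch ( ValidationException e )
        {
            throw fail( MSG_PROFILE_INVALID + e.getLocalizedMessage(  ), e );
        }
    }

    /**
     * Verifies the signature cryptographically through the trust engine, restricted to
     * the IDP SSO descriptor of the given issuer entity ID.
     *
     * @param signature the assertion signature, never null
     * @param issuerEntityId entity ID of the assertion issuer, never null
     * @throws SignatureValidationException if the trust engine rejects the signature or
     *             fails while evaluating it
     */
    private void validateTrust( Signature signature, String issuerEntityId )
        throws SignatureValidationException
    {
        CriteriaSet criteriaSet = new CriteriaSet(  );
        criteriaSet.add( new EntityIDCriteria( issuerEntityId ) );
        criteriaSet.add( new MetadataCriteria( IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS ) );

        boolean trusted;

        try
        {
            trusted = BootStrap.getInstance(  ).getTrustEngine(  ).validate( signature, criteriaSet );
        }
        catch ( SecurityException e )
        {
            throw fail( MSG_SIGNATURE_INVALID + " : " + e.getLocalizedMessage(  ), e );
        }
        catch ( Exception e )
        {
            // Last-resort boundary: any unexpected failure of the trust engine is reported
            // as a validation failure rather than leaking out of the checker.
            throw fail( MSG_SIGNATURE_INVALID + " : " + e.getLocalizedMessage(  ), e );
        }

        // The result is tested outside the try block on purpose: throwing inside it would
        // let the catch-all above re-wrap our own exception, doubling the message and
        // the log entry.
        if ( !trusted )
        {
            throw fail( MSG_SIGNATURE_INVALID, null );
        }
    }

    /**
     * Logs a signature validation failure and builds the exception to throw.
     * A failed signature check is a security-relevant event, so it is logged at error
     * level together with its cause (when there is one).
     *
     * @param message the failure description
     * @param cause the underlying exception, or null when the failure is a plain rejection
     * @return the exception the caller should throw
     */
    private SignatureValidationException fail( String message, Throwable cause )
    {
        if ( cause != null )
        {
            AppLogService.error( message, cause );
        }
        else
        {
            AppLogService.error( message );
        }

        return new SignatureValidationException( message );
    }
}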
109 }