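/**
 * Installs a {@link SignatureValidationFilter} on the given metadata provider so that
 * the provider's metadata is signature-checked before it is used.
 *
 * <p>The filter is built from the provider's trust engine and its
 * {@code isMetadataRequireSignature()} setting. Any filter the provider already
 * carries is preserved: when it is a {@link MetadataFilterChain} the signature filter
 * is appended to that chain; when it is a single filter, a new chain holding the
 * existing filter followed by the signature filter is created and installed on the
 * provider. The original version of this method built that new chain but never
 * installed it, so the signature check was silently skipped whenever a non-chain
 * filter was already configured.</p>
 *
 * @param provider the metadata provider to protect
 * @throws MetadataProviderException as declared by the overridden method
 */
@Override
protected void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException {
    boolean requireSignature = provider.isMetadataRequireSignature();
    SignatureTrustEngine trustEngine = getTrustEngine(provider);
    SignatureValidationFilter filter = new SignatureValidationFilter(trustEngine);
    filter.setRequireSignature(requireSignature);

    log.debug("Created new trust manager for metadata provider {}", provider);

    // Combine any existing filters with the signature verification
    MetadataFilter currentFilter = provider.getMetadataFilter();
    if (currentFilter == null) {
        log.debug("Adding signature filter");
        provider.setMetadataFilter(filter);
    } else if (currentFilter instanceof MetadataFilterChain) {
        log.debug("Adding signature filter into existing chain");
        MetadataFilterChain chain = (MetadataFilterChain) currentFilter;
        chain.getFilters().add(filter);
    } else {
        log.debug("Combining signature filter with the existing in a new chain");
        MetadataFilterChain chain = new MetadataFilterChain();
        // Existing filter first, signature check second (list order).
        chain.getFilters().add(currentFilter);
        chain.getFilters().add(filter);
        // The new chain must replace the provider's single filter; without this call the
        // chain is discarded and the signature filter is never applied.
        provider.setMetadataFilter(chain);
    }
}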
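/**
 * {@inheritDoc}
 *
 * <p>Enforces the "signature required" policy on the metadata root element and then
 * dispatches to the per-type verification for {@link EntityDescriptor} and
 * {@link EntitiesDescriptor}. A root object that is not a {@link SignableXMLObject}
 * cannot carry a signature, so it is treated as unsigned: it fails with a
 * {@link FilterException} when signatures are required and is otherwise reported as
 * an unsupported type, instead of escaping as a {@code ClassCastException} from an
 * unchecked cast. Any other supported-but-unhandled type is logged and left
 * untouched (and therefore unverified), as in the original implementation.</p>
 *
 * @param metadata the metadata root object to filter
 * @throws FilterException if the root element is unsigned and signatures are required,
 *             or if a nested element fails verification
 */
public void doFilter(XMLObject metadata) throws FilterException {
    if (!(metadata instanceof SignableXMLObject)) {
        // Not signable means not signed: fail closed when a signature is required.
        if (getRequireSignature()) {
            throw new FilterException("Metadata root element was unsigned and signatures are required.");
        }
        log.error("Internal error, metadata object was of an unsupported type: {}",
                metadata.getClass().getName());
        return;
    }
    SignableXMLObject signableMetadata = (SignableXMLObject) metadata;

    if (!signableMetadata.isSigned() && getRequireSignature()) {
        throw new FilterException("Metadata root element was unsigned and signatures are required.");
    }

    if (signableMetadata instanceof EntityDescriptor) {
        processEntityDescriptor((EntityDescriptor) signableMetadata);
    } else if (signableMetadata instanceof EntitiesDescriptor) {
        processEntityGroup((EntitiesDescriptor) signableMetadata);
    } else {
        // This filter only knows how to walk the two SAML metadata root types; anything
        // else is passed through unmodified (and unverified) after being logged.
        log.error("Internal error, metadata object was of an unsupported type: {}",
                metadata.getClass().getName());
    }
}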
performPreValidation(signature, metadataEntryName); CriteriaSet criteriaSet = buildCriteriaSet(signedMetadata, metadataEntryName, isEntityGroup); if ( getSignatureTrustEngine().validate(signature, criteriaSet) ) { log.trace("Signature trust establishment succeeded for metadata entry {}", metadataEntryName); return;
verifySignature(entitiesDescriptor, entitiesDescriptor.getName(), true); processEntityDescriptor(entityChild); } catch (FilterException e) { log.error("EntityDescriptor '{}' failed signature verification, removing from metadata provider", log.trace("Processing EntitiesDescriptor member: {}", entitiesChild.getName()); try { processEntityGroup(entitiesChild); } catch (FilterException e) { log.error("EntitiesDescriptor '{}' failed signature verification, removing from metadata provider",
verifySignature(entityDescriptor, entityID, false); String roleID = getRoleIDToken(entityID, roleChild); verifySignature(roleChild, roleID, false); } catch (FilterException e) { log.error("RoleDescriptor '{}' subordinate to entity '{}' failed signature verification, " verifySignature(affiliationDescriptor, affiliationDescriptor.getOwnerID(), false); } catch (FilterException e) { log.error("AffiliationDescriptor with owner ID '{}' subordinate to entity '{}' " +
/**
 * Runs the configured signature pre-validator, if one is set, against the given
 * signature before any trust evaluation takes place.
 *
 * @param signature the signature to evaluate
 * @param metadataEntryName the EntityDescriptor entityID, EntitiesDescriptor Name,
 *            AffiliationDescriptor affiliationOwnerID, or RoleDescriptor
 *            {@link #getRoleIDToken(String, RoleDescriptor)} of the element whose
 *            signature is being evaluated. Used exclusively for logging/debugging;
 *            it must not be used operationally (e.g. for building a criteria set).
 * @throws FilterException if the signature fails pre-validation; the underlying
 *             {@link ValidationException} is attached as the cause
 */
protected void performPreValidation(Signature signature, String metadataEntryName) throws FilterException {
    if (getSignaturePrevalidator() == null) {
        // No pre-validator configured: nothing to check at this stage.
        return;
    }
    try {
        getSignaturePrevalidator().validate(signature);
    } catch (ValidationException e) {
        log.error("Signature on metadata entry '{}' failed signature pre-validation", metadataEntryName);
        throw new FilterException("Metadata instance signature failed signature pre-validation", e);
    }
}
if (getDefaultCriteria() != null) { newCriteriaSet.addAll( getDefaultCriteria() );
SignatureValidationFilter filter = new SignatureValidationFilter(trustEngine); filter.setRequireSignature(requireSignature);