When using OpenSAML out of the box you'll get the defaults that the OpenSAML developers thinks are sensible defaults. We should add support so that it is easy to set up a system to use the eIDAS defaults when it comes to algorithms.

Requires #24 to be done first.

Add support for new features in eIDAS Message Format v1.2.

eIDAS Message Format_v1.2_final.docx

We should support
eIDAS Message Format_v1.2_draft_1.95.docx and
2017_11_29_eIDAS Crypto Requirements_v1.2_DRAFT3_CT.pdf which are likely to be the next official versions.

Snyk reports the following vulnerabilities for the eidas-opensaml dependencies:

HIGH SEVERITY:

Unexpected Code Execution
Vulnerable module: org.bouncycastle:bcprov-jdk15on
Introduced through: org.opensaml:[email protected], org.opensaml:[email protected] and others.

MEDIUM SEVERITY:

Deserialization of Untrusted Data
Vulnerable module: com.google.guava:guava
Introduced through: net.shibboleth.utilities:[email protected] and com.google.guava:[email protected]

MEDIUM SEVERITY:

Insecure Encryption
Vulnerable module: org.bouncycastle:bcprov-jdk15on
Introduced through: org.opensaml:[email protected], org.opensaml:[email protected] and others

For eIDAS implementors that are releasing their code under non-GPL licenses or building proprietary implementations it would be beneficial to have the code licensed more permissively.

On the other hand I completely acknowledge the Free Software arguments about releasing libraries under the full GPL (Why you shouldn't use the Lesser GPL for your next library).

Would the copyright holders consider modifying the license to include a linking exception or switching to the LGPL (or another more permissive license)?

Version 1.2 of the message profile defines URI:s for non-notified schemes. Up until now we have used our own as placeholders. This needs to be fixed.

We should upgrade to OpenSAML 3.4.2 to get the latest bug fixes and functionality.

The CurrentAddress attribute is something very special. I sucks. It's value is the Base64 encoding of an XML-structure, but it isn't a valid XML-document of its own. We'll have to make a fix for the case when the eidas namespace prefix isn't defined anywhere in the document, but appears in the decoded CurrentAddress value. There have been cases when that has happened. So, instead of trying to convince everyone that the fault is made by the issuer of the assertion, let's just implement a sensible workaround ...

To be able to support ECDH (as mandated by the eIDAS crypto spec) we should add a dependency to the opensaml-security-ext library.

Add support for the attributes defined in section 2.3 of "eIDAS SAML Attribute Profile".

OpenSAML 3 will be end-of-life 31/12 2020, so we should make an OpenSAML 4 version.

Hi there,

we discovered a bug where the AdminUnitFirstLine in a StrcutedAddress is added twice if AdminUnitSecondLine is also present.
This bug is present in the OpenSAML 3 and OpenSAML 4 versions of this extension, we did not examine OpenSAML 2.

I will create a pull request to show and fix this bug.

SPTypeEnumeration ist a final class with two public static final instances of itself, PUBLIC and PRIVATE.
It contains most of a typical Enum class, but is missing the valueOf(...) method.
As this class contains no functionality to create an object from a String representation of public or private, it is quite a hassle to determine if an arbitrary String is equal to the value of PRIVATE or PUBLIC.

My suggestion would be to make this a public enum class or add a valueOf(...) method to this class. If this suggestion is approved, I'm happy to provide a pull request.

An eIDAS node makes use of an XML document that is called MetadataServiceList in order to get information about the member state keys, and URL:s to connectors and proxy services.

The eidas-opensaml library should include a representation of this XML element.