author | Thomas <> | 2023-01-18 13:46:22 +0100 |
---|---|---|
committer | Thomas <> | 2023-01-18 13:46:22 +0100 |
commit | 19a717e5684ea7cac8a39d24263cde0825c95968 (patch) | |
tree | 8d31979c0cebd5c8f841a739c6c6b3ad05650582 /eaaf_modules/eaaf_module_pvp2_core | |
parent | 4a6a9f69d15d4a517af075b31e06ae73a1aa3262 (diff) | |
fix(saml2): support XML decryption by using key from HSM-Facade
Details: openSAML4 uses org.apache.xml.security.algorithms.JCEMapper to
define the JCE crypto provider for openSAML cryptographic operations. However,
this JCEMapper is not consulted by the openSAML Decrypter, so the provider must
be set on it manually.
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core')
6 files changed, 239 insertions, 15 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java index 60800eb2..6cace5cb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java @@ -30,6 +30,7 @@ import javax.xml.validation.Schema; import javax.xml.validation.Validator; import org.apache.commons.lang3.StringUtils; +import org.apache.xml.security.algorithms.JCEMapper; import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.core.xml.io.MarshallingException; @@ -375,7 +376,8 @@ public class SamlVerificationEngine { final Decrypter samlDecrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(assertionDecryption), new ChainingEncryptedKeyResolver(listOfKeyResolvers)); - + samlDecrypter.setJCAProviderName(JCEMapper.getProviderId()); + for (final EncryptedAssertion encAssertion : encryAssertionList) { saml2assertions.add(samlDecrypter.decrypt(encAssertion)); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java index abbfb1ea..0eb80cc9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java 
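Review bot: `samlDecrypter.setJCAProviderName(JCEMapper.getProviderId())` pins the whole Decrypter to one provider, and that Decrypter handles both the EncryptedKey (RSA-OAEP) and the EncryptedData (AES-256-GCM in the new fixture), so the HSM-Facade provider presumably has to serve the symmetric cipher as well or data decryption will fail on provider lookup — worth confirming the facade delegates symmetric algorithms, or stating the requirement next to the call. A why-comment would spare the next reader a trip to the commit log: `// OpenSAML's Decrypter does not consult JCEMapper; pin it to the same JCE provider (HSM-Facade) the rest of the SAML crypto uses`. `JCEMapper.getProviderId()` is null when no provider has been registered, which presumably makes the Decrypter fall back to the default provider; for an HSM-only deployment decide whether that silent fallback is acceptable or should be rejected. The enclosing method starts and ends outside the hunk.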
@@ -32,6 +32,7 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; @@ -48,15 +49,16 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; +import lombok.SneakyThrows; import net.shibboleth.utilities.java.support.xml.XMLParserException; public abstract class AbstractSamlVerificationEngine { @Autowired - private PvpMetadataResolverFactory metadataResolverFactory; + protected PvpMetadataResolverFactory metadataResolverFactory; @Autowired - private SamlVerificationEngine verifyEngine; + protected SamlVerificationEngine verifyEngine; @Autowired protected DummyCredentialProvider credentialProvider; 
@@ -255,22 +257,29 @@ public abstract class AbstractSamlVerificationEngine { } } + @SneakyThrows + protected Response initializeResponseSimple(String spEntityId, String authnReqPath, EaafX509Credential credential) { + final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); + response.setIssueInstant(Instant.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + response.setIssuer(issuer); + + return Saml2Utils.signSamlObject(response, credential, true); + + } + + protected Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath, String authnReqPath, EaafX509Credential credential) throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException { final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( metadataPath, null, "jUnit metadata resolver", null); - final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(Instant.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(spEntityId); - authnReq.setIssuer(issuer); - return Pair.newInstance( - Saml2Utils.signSamlObject(authnReq, credential, true), + initializeResponseSimple(spEntityId, authnReqPath, credential), mdResolver); } 
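Review bot: `initializeResponseSimple` never closes the stream returned by `getResourceAsStream`, and a wrong `authnReqPath` yields `null` that surfaces as an NPE inside the unmarshaller rather than a message naming the missing resource; the parameter is also still called `authnReqPath` although the helper now loads a `Response`. Reading the resource in try-with-resources behind an explicit null check fixes the first two, and `initializeResponse` inherits the fix since it now delegates here (needs `java.io.InputStream` and `java.util.Objects` imports). `@SneakyThrows` on a helper whose callers already declare the checked exceptions hides which exception actually failed a test; keeping it is a style choice, but it should not be combined with a `throws` clause elsewhere for the same call.
```java
  @SneakyThrows
  protected Response initializeResponseSimple(String spEntityId, String authnReqPath, EaafX509Credential credential) {
    final Response response;
    try (InputStream in = Objects.requireNonNull(
        AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath),
        "missing test resource: " + authnReqPath)) {
      response = (Response) XMLObjectSupport.unmarshallFromInputStream(
          XMLObjectProviderRegistrySupport.getParserPool(), in);
    }
    // … unchanged: issueInstant, issuer, signing …
```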
@@ -336,5 +345,34 @@ public abstract class AbstractSamlVerificationEngine { } + @SneakyThrows + protected void performEncryptionDecrytion(EaafX509Credential encdecCredential) { + final String responsePath = "/data/response_encrypt_decryption_test.xml"; + final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; + + final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(responsePath)); + + // encrypt assertion with key + response.getEncryptedAssertions().add(doEncryption(response.getAssertions().get(0), + encdecCredential, authConfig)); + response.getAssertions().clear(); + + // re-sign response + response.setIssueInstant(Instant.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + response.setIssuer(issuer); + Saml2Utils.signSamlObject(response, credentialProvider.getMetaDataSigningCredential(), true); + + DomUtils.serializeNode(XMLObjectSupport.marshall(response)); + + + // decrypt and verify assertion by using EAAF implementation + verifyEngine.validateAssertion(response, encdecCredential, + spEntityId, "jUnit Test", false); + + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java index 926f25b2..1511eb73 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java 
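Review bot: `performEncryptionDecrytion` discards the result of `verifyEngine.validateAssertion(...)`, so the round trip only proves that decryption does not throw, not that the plaintext survived intact; capture the return value and assert on something from the fixture, e.g. the `NameID` value `QVGm48cqcM4UcyhDTNGYmVdrIoY=` or the assertion issuer, assuming `validateAssertion` returns the decrypted assertion (its signature is outside this diff). `DomUtils.serializeNode(XMLObjectSupport.marshall(response));` computes a serialization that is thrown away — either log it at debug level or delete the line. The method name carries a typo (`Decrytion`) that the two new HSM tests now depend on; rename it to `performEncryptionDecryption` before more callers appear, and give it a one-line Javadoc saying it encrypts the fixture's assertion with `encdecCredential`, re-signs the response, and expects the engine to decrypt it with the same credential.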
@@ -1,7 +1,13 @@ package at.gv.egiz.eaaf.modules.pvp2.test; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; + +import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.saml.saml2.core.Response; import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.springframework.test.annotation.DirtiesContext; import org.springframework.test.annotation.DirtiesContext.ClassMode; @@ -10,7 +16,12 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import lombok.SneakyThrows; +import net.shibboleth.utilities.java.support.xml.XMLParserException; //@IfProfileValue(name = "spring.profiles.active", value = "devEnvironment") @RunWith(SpringJUnit4ClassRunner.class) @@ -35,7 +46,6 @@ public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerific @Override protected String getAuthnRequestWithoutSigPath() { return "/data/AuthRequest_without_sig_1.xml"; - } @Override 
@@ -69,6 +79,60 @@ public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerific } } + + @Test + public void assertionDecryptionWithWrongEcKey() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { + final String responsePath = "/data/response_decrypt_test.xml"; + final String spEntityId = "https://vidp.gv.at/EidasNode/ColleagueResponse"; + + final Response inputMsg = + initializeResponseSimple(spEntityId, responsePath, + credentialProvider.getMetaDataSigningCredential()); + + SamlAssertionValidationExeption error = assertThrows("wrong exception", SamlAssertionValidationExeption.class, + () -> verifyEngine.validateAssertion(inputMsg, credentialProvider.getMessageSigningCredential(), + spEntityId, "jUnit Test", false)); + assertEquals("wrong errorCode", "internal.pvp.16", error.getErrorId()); + + } + + @Test + public void assertionDecryptionWithWrongRsaKey() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { + final String responsePath = "/data/response_decrypt_test.xml"; + final String spEntityId = "https://vidp.gv.at/EidasNode/ColleagueResponse"; + + final Response inputMsg = + initializeResponseSimple(spEntityId, responsePath, + credentialProvider.getMetaDataSigningCredential()); + SamlAssertionValidationExeption error = assertThrows("wrong exception", SamlAssertionValidationExeption.class, + () -> verifyEngine.validateAssertion(inputMsg, credentialProvider.getMetaDataSigningCredential(), + spEntityId, "jUnit Test", false)); + assertEquals("wrong errorCode", "internal.pvp.16", error.getErrorId()); + } + + @Test + @SneakyThrows + public void assertionEncryptionDecryptionRsa() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, 
SamlAssertionValidationExeption { + performEncryptionDecrytion(credentialProvider.getMessageEncryptionCredential()); + + } + + + /* + * ECC keys currently not support for encryption. + */ + @Test + @Ignore + @SneakyThrows + public void assertionEncryptionDecryptionEcc() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { + performEncryptionDecrytion(credentialProvider.getMessageSigningCredential()); + + } + } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props index 87317300..cc0a706a 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props @@ -10,8 +10,8 @@ keystore.name=eid-junit key.metadata.alias=rsa-key-1 key.sig.alias=ec-key-1 key.sig.pass=password -key.enc.alias= -key.enc.pass= +key.enc.alias=rsa-key-1 +key.enc.pass=password client.http.connection.timeout.socket=2 client.http.connection.timeout.connection=2 diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/response_decrypt_test.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/response_decrypt_test.xml new file mode 100644 index 00000000..5bdba9eb --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/response_decrypt_test.xml 
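Review bot: `assertionEncryptionDecryptionRsa` carries both `@SneakyThrows` and a five-type `throws` clause; one of them is redundant, and keeping only the explicit `throws` lets a failing test report the real checked exception type. The two wrong-key tests establish that a mismatched key fails with `internal.pvp.16`, but nothing checks that a tampered `CipherValue` with the correct key is rejected the same way, which is the property that matters most once HSM-held keys do the unwrapping — a third test that flips a byte of the fixture's EncryptedData ciphertext would close that gap. The `@Ignore` comment should state the blocker precisely and point at a tracking item: `/* ECC keys are currently not supported for encryption by the HSM-Facade; re-enable once <issue> is resolved. */`.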
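Review bot: `key.enc.alias=rsa-key-1` reuses the metadata-signing key (`key.metadata.alias=rsa-key-1`) as the decryption key, so in this profile `getMetaDataSigningCredential()` and `getMessageEncryptionCredential()` presumably resolve to the same RSA key; `assertionDecryptionWithWrongRsaKey` then stays a genuine negative test only because the fixture was encrypted for a third certificate. If the jUnit keystore offers another RSA alias, a dedicated encryption key keeps signing and encryption material separate the way it must be outside tests; otherwise a comment such as `# decryption key for the HSM round-trip test; deliberately shares rsa-key-1 with metadata signing` records that the reuse is intentional.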
@@ -0,0 +1,68 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://vidp.gv.at/EidasNode/ColleagueResponse" ID="_1da6cbd8-70c0-4b0b-8a76-b106d8ecc1e8" InResponseTo="_FmefJFPJ4pgx5898SIiXDlGfTzIZ4JR8WyZsO4vno4Dz5pVTDvr-ZNx6W6vx3XR" IssueInstant="2021-06-24T17:30:43.887Z" Version="2.0"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://vidp.gv.at/eidas-middleware/Metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_1da6cbd8-70c0-4b0b-8a76-b106d8ecc1e8"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>G6vY7YV/lyaHX+P5f6l/TnnTel6SoP+eqv0TR81daWs=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>MODjxzyLAMne+TsCLKhX8qU9k814Imv5Vmsjo28WpKuEyIoobHaVD2WoEtoFq+li59e0lu+xtgSReKT7JD8wgbbey5Z9eBskAPTwKbClctxXG7Zuapc+tTmLL3W6or89/1L/0vrzqoQdopQ7xAswOd3J6ypKl7fNalYCzaulFAEQjhFh6z/xXF4NPK90sajlIQtS8bS1AkalYzNOhjPK7PeM65nHR1iH0Menxkk6QX+htbbhuJnc/+fL0tgo/Qv2IhIr0WFtx4grx2C2kVtVLtIWeRv90NnI8oeLFNOcnGR7yfP1/m6+C+7yAaLS8yZCMwCEAurj4NuhCghsxbsl0299Q3kDz/8GNg3Z+HYZtpQ5iN8RynZ2oDC4QfDAKPfo07okPhtO5P8syNmI+UYMLTPp4B5LKgvp2GcvvEtNb9XJ5UemEjDRaSxP6Ny9KnqYcd+fA4tgvAi4Ib9hFuf0oTMvXlUWaSBG+CxzBUxUY5Dpo6qx0B10EHkibW6JwoAiK1us5kUtsWbfVXnV1+Dq6MwRUx6P8nHWMWCN6qo316jGJRBs9VLNtPnJS9LxF41UBLoHCbqMLXh6sKrlMWAs+ZMPVtgZaXeKsJZFpUw68UZto9BIF96HZICdnOT/ixBBxORr6fP3ceIGn71qUzdttIpJ46dIAqxrCL8Pl6+YcbI=</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + 
<ds:X509Certificate>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</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Status> + <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> + </saml2p:Status> + <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> + <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_2b818d0931341ae510aec15ee1425171" Type="http://www.w3.org/2001/04/xmlenc#Element"> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <xenc:EncryptedKey Id="_9d084f6ad17c241c10c6323dfc992f5b"> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + </xenc:EncryptionMethod> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIEDDCCAnQCCQCbVfZgUmuq4jANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJBVDENMAsGA1UE +CgwERUdJWjEYMBYGA1UECwwPZUlEQVMgVGVzdC1Ob2RlMRAwDgYDVQQDDAdzaWduaW5nMB4XDTIw +MDQxNDE1MDcyMFoXDTIzMDEwODE1MDcyMFowSDELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVox +GDAWBgNVBAsMD2VJREFTIFRlc3QtTm9kZTEQMA4GA1UEAwwHc2lnbmluZzCCAaIwDQYJKoZIhvcN +AQEBBQADggGPADCCAYoCggGBAJu0ab3tEsQ/9xQ4rwvO7PjnK+NOVUvPkReQMFOFg8uduSocBwZ2 +Kdr/WBRrC9kI8cCkWxJHcJi9o6QBKM8Jtc/cJbPmR7CZvm2rtVGiVNew83C3BAFWeUkXpdnXt1lP +lEklsMwq7eOD+OqWPmi6O0sL/QFMDBMo6J51YIXLtFz0ymiu4V4C75/2c5A/ztI7svDdzxIQEJLo +ATnikFV7WD9SZbgFXPi20v/9IicvtQVjLrfKWbctSXe9RV2CBFsuWevJUdxbf7DWETH+e9eukg+9 +6ZFkBIXDqr5xrXXYVD07Hx2DVqjq+aZM2ALnivNPAp7nLqN4GYP+VmqpDJ9A6S/C9K/6ROnVmK1x +YMtqmxv9WKTi0FkMsBEiH5TRuig3gl+MLKQeA44XjdXgNvPmd1WiSL3IgaQPTLXgLeVsflHAWpy/ +IrGjlzuYcpFhg40x0IMvvOv4Z8RGiXyuhFxa3P+T+0mRYBos/RA70UHjIzgoLhoAShBS/WKs3KqZ +2xi4HwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBgQAImDWnTLdq/4VEeaEJKoVzXk7yk++Rxj2gERRI +vh/eHDskFPDZ5Q2Cby3IC4iLaJFpbXyjKskAvVgoasAbRACA5Zf1H6v31V1YLtTmIViPOY1u3130 
+kkY86z9QlLx8u6o86GWL2rGb09ZMxqSMjEEGXYntPJ4rWtdUT32Ef1sUKqh0Dm+qPb/M3OnlV2aO +Ti/yJR7sCuIJ8rrTBO5lqOrdK+zzyhWuJx5/JLfTRp7wjGHR+KPS+3CsnPa6fkG9YUkjz0/E7f1G +emt6cq4ozbGw5j5H50YxVJ5KS76KckKNETGUF2/9XXXV0rrBY7HcnqRCqWuc+sZPqv6pQph21gEZ ++1s2FY735uGRrxDR+1tsWuJd5o5agfl8w544erWQ+aLlkouISzfWZdN8opTLNtt/u0qfUjkcXQFg +CyaVwyMJp9Iq/fqOZzVY3he9i6OVGt6owox+n2rymNQ/Zon6qtDCdvgfw30TIpL8AuZzjMyUL1oG +aAb6colSGusGLBkme5k=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + <xenc:CipherData> + <xenc:CipherValue>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</xenc:CipherValue> + </xenc:CipherData> + </xenc:EncryptedKey> + </ds:KeyInfo> + <xenc:CipherData> + <xenc:CipherValue>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</xenc:CipherValue> + </xenc:CipherData> + </xenc:EncryptedData> + </saml2:EncryptedAssertion> +</saml2p:Response> diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/response_encrypt_decryption_test.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/response_encrypt_decryption_test.xml new file mode 100644 index 00000000..88c6b1ba --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/response_encrypt_decryption_test.xml 
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_4c1c39ee0969b320bf0cae37816f7d5b" Destination="https://demo.egiz.gv.at/demoportal_demologin/securearea.action" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_demologin/</saml2:Issuer> + <saml2p:Status> + <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> + </saml2p:Status> + <saml2:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> + <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> + <saml2:Subject> + <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> + <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> + <saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://demo.egiz.gv.at/demoportal_demologin/securearea.action"/> + </saml2:SubjectConfirmation> + </saml2:Subject> + <saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2048-03-05T06:44:51.017Z"> + <saml2:AudienceRestriction> + <saml2:Audience>https://demo.egiz.gv.at/demoportal_demologin/</saml2:Audience> + </saml2:AudienceRestriction> + </saml2:Conditions> + <saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> + <saml2:AuthnContext> + 
<saml2:AuthnContextClassRef>http://www.stork.gov.eu/1.0/citizenQAALevel/4</saml2:AuthnContextClassRef> + </saml2:AuthnContext> + </saml2:AuthnStatement> + <saml2:AttributeStatement> + <saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BF:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute FriendlyName="EID-CITIZEN-QAA-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.94" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:integer">4</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute 
FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> + </saml2:Attribute> + <saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:cdid+BF</saml2:AttributeValue> + </saml2:Attribute> + </saml2:AttributeStatement> + </saml2:Assertion> +</saml2p:Response> |
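Review bot: In `response_encrypt_decryption_test.xml` the `SubjectConfirmationData` `NotOnOrAfter` is still `2014-03-05T06:44:51.017Z` while `Conditions/@NotOnOrAfter` is `2048-03-05T06:44:51.017Z`, so the round-trip test can only pass if `validateAssertion` does not enforce bearer-confirmation expiry or the trailing `false` argument switches that check off; if the check is meant to be active, align the two timestamps so the fixture does not silently depend on the gap. A short XML comment at the top of the fixture naming its purpose and the deliberately far-future validity would help the next person who copies it.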