diff options
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20')
9 files changed, 55 insertions, 45 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java index 4009796f..1a88c43b 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java @@ -81,8 +81,7 @@ public abstract class AbstractSL20AuthenticationModulImpl implements AuthModule if (authConfig.getBasicConfigurationBoolean(getGeneralConfigPropertyNameEnableModule(), getGeneralConfigPropertyNameEnableModuleDefault())) { - if (spConfig != null - && StringUtils + if (StringUtils .isNotEmpty(spConfig.getConfigurationValue(getSpConfigPropertyNameEnableModule())) && Boolean .valueOf(spConfig.getConfigurationValue(getSpConfigPropertyNameEnableModule()))) { diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java index 251b516f..518f0d24 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java @@ -92,7 +92,7 @@ public abstract class AbstractCreateQualEidRequestTask extends AbstractAuthServl final HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualEidDUrl).build()); final List<NameValuePair> parameters = new ArrayList<>(); parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, - Base64Url.encode(sl20Req.toString().getBytes()))); + Base64Url.encode(sl20Req.toString().getBytes("UTF-8")))); httpReq.setEntity(new UrlEncodedFormEntity(parameters)); // build http GET request @@ -105,7 +105,7 @@ public abstract class AbstractCreateQualEidRequestTask extends AbstractAuthServl httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE); - log.trace("Request VDA via SL20 with: " + Base64Url.encode(sl20Req.toString().getBytes())); + log.trace("Request VDA via SL20 with: " + Base64Url.encode(sl20Req.toString().getBytes("UTF-8"))); // request VDA final HttpResponse httpResp = httpClientFactory.getHttpClient(false).execute(httpReq); diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java index 39cfce05..516a33b9 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java @@ -138,7 +138,7 @@ public abstract class AbstractReceiveQualEidTask extends AbstractAuthServletTask .extractSL20PayLoad(sl20ReqObj, joseTools, authConfig.getBasicConfigurationBoolean( Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); - if ((payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) { + if (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned()) { if (authConfig.getBasicConfigurationBoolean( Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) { log.info("SL20 result from VDA was not valid signed"); @@ -151,10 +151,7 @@ public abstract class AbstractReceiveQualEidTask extends AbstractAuthServletTask } } - - payLoadContainer.getCertChain(); - - + // extract payloaf final JsonNode payLoad = payLoadContainer.getPayload(); @@ -193,7 +190,7 @@ public abstract class AbstractReceiveQualEidTask extends AbstractAuthServletTask // buildResponse(request, response, sl20ReqObj, aTrustErrorWorkAround); buildResponse(request, response, sl20ReqObj); } else { - buildErrorResponse(request, response, "2000", "General transport Binding error"); + buildErrorResponse(response, "2000", "General transport Binding error"); } } @@ -225,8 +222,7 @@ public abstract class AbstractReceiveQualEidTask extends AbstractAuthServletTask protected abstract String getResumeEndPoint(); - private void buildErrorResponse(final HttpServletRequest request, - final HttpServletResponse response, final String errorCode, final String errorMsg) + private void buildErrorResponse(final HttpServletResponse response, final String errorCode, final String errorMsg) throws Exception { final ObjectNode error = SL20JsonBuilderUtils.createErrorCommandResult(errorCode, errorMsg); final ObjectNode errorCommand = SL20JsonBuilderUtils diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java index caa2e8d8..9d444802 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java @@ -21,7 +21,7 @@ public interface IJoseTools { * @param payLoad Payload to sign * @throws SlCommandoBuildException In case of a signature creation error */ - public String createSignature(String payLoad) throws SlCommandoBuildException; + String createSignature(String payLoad) throws SlCommandoBuildException; /** * Validates a signed SL2.0 message. @@ -31,7 +31,7 @@ public interface IJoseTools { * @throws SL20Exception In case of a signature validation error */ @Nonnull - public VerificationResult validateSignature(@Nonnull String serializedContent) + VerificationResult validateSignature(@Nonnull String serializedContent) throws SL20Exception; /** @@ -45,7 +45,7 @@ public interface IJoseTools { * @throws IOException In case of a general IO error */ @Nonnull - public VerificationResult validateSignature(@Nonnull String serializedContent, + VerificationResult validateSignature(@Nonnull String serializedContent, @Nonnull List<X509Certificate> trustedCerts, @Nonnull AlgorithmConstraints constraints) throws JoseException, IOException; @@ -61,7 +61,7 @@ public interface IJoseTools { * @throws KeyStoreException In case of TrustStore error */ @Nonnull - public VerificationResult validateSignature(@Nonnull String serializedContent, + VerificationResult validateSignature(@Nonnull String serializedContent, @Nonnull KeyStore trustStore, @Nonnull AlgorithmConstraints algconstraints) throws JoseException, IOException, KeyStoreException; @@ -70,7 +70,7 @@ public interface IJoseTools { * * @return */ - public X509Certificate getEncryptionCertificate(); + X509Certificate getEncryptionCertificate(); /** * Decrypt a serialized JWE token. @@ -79,6 +79,6 @@ public interface IJoseTools { * @return decrypted payload * @throws SL20Exception In case of a decryption error */ - public JsonNode decryptPayload(String compactSerialization) throws SL20Exception; + JsonNode decryptPayload(String compactSerialization) throws SL20Exception; } diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 28106377..6ec56825 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java @@ -133,6 +133,9 @@ public class JsonSecurityUtils implements IJoseTools { log.info("NO SL2.0 authentication security configuration. Initialization was skipped"); } + } catch (RuntimeException e) { + throw e; + } catch (final Exception e) { log.error("SL2.0 security constrains initialization FAILED.", e); @@ -304,11 +307,11 @@ public class JsonSecurityUtils implements IJoseTools { final List<X509Certificate> sortedX5cCerts = X509Utils.sortCertificates(x5cCerts); if (!sortedX5cCerts.get(0).equals(encCertChain[0])) { - log.info("Certificate from JOSE header does NOT match encryption certificate"); - log.debug("JOSE certificate: " + sortedX5cCerts.get(0).toString()); + log.info("Certificate from JOSE header does NOT match encryption certificate"); try { - log.debug("Cert: " + Base64Utils.encode(sortedX5cCerts.get(0).getEncoded())); + + log.debug("JOSE certificate: {}", Base64Utils.encode(sortedX5cCerts.get(0).getEncoded())); } catch (final CertificateEncodingException e) { e.printStackTrace(); } @@ -441,7 +444,8 @@ public class JsonSecurityUtils implements IJoseTools { if (cert != null && cert instanceof X509Certificate) { result.add((X509Certificate) cert); } else { - log.info("Can not process entry: " + el + ". Reason: " + cert.toString()); + log.info("Can not process entry: {}. Reason: {}", el, + cert != null ? cert.getType() : "cert is null"); } } diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java index 5a8be243..d3726546 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java @@ -1,6 +1,7 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; import java.util.Arrays; +import java.util.Collections; import java.util.List; import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; @@ -43,9 +44,9 @@ public class SL20Constants { public static final String JSON_ALGORITHM_SIGNING_PS512 = AlgorithmIdentifiers.RSA_PSS_USING_SHA512; - public static final List<String> SL20_ALGORITHM_WHITELIST_SIGNING = Arrays.asList( + public static final List<String> SL20_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList(Arrays.asList( JSON_ALGORITHM_SIGNING_RS256, JSON_ALGORITHM_SIGNING_RS512, JSON_ALGORITHM_SIGNING_ES256, - JSON_ALGORITHM_SIGNING_ES512, JSON_ALGORITHM_SIGNING_PS256, JSON_ALGORITHM_SIGNING_PS512); + JSON_ALGORITHM_SIGNING_ES512, JSON_ALGORITHM_SIGNING_PS256, JSON_ALGORITHM_SIGNING_PS512)); public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = KeyManagementAlgorithmIdentifiers.RSA_OAEP; @@ -53,7 +54,7 @@ public class SL20Constants { KeyManagementAlgorithmIdentifiers.RSA_OAEP_256; public static final List<String> SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = - Arrays.asList(JSON_ALGORITHM_ENC_KEY_RSAOAEP, JSON_ALGORITHM_ENC_KEY_RSAOAEP256); + Collections.unmodifiableList(Arrays.asList(JSON_ALGORITHM_ENC_KEY_RSAOAEP, JSON_ALGORITHM_ENC_KEY_RSAOAEP256)); public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256; @@ -64,9 +65,9 @@ public class SL20Constants { public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = ContentEncryptionAlgorithmIdentifiers.AES_256_GCM; - public static final List<String> SL20_ALGORITHM_WHITELIST_ENCRYPTION = Arrays.asList( + public static final List<String> SL20_ALGORITHM_WHITELIST_ENCRYPTION = Collections.unmodifiableList(Arrays.asList( JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256, JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512, - JSON_ALGORITHM_ENC_PAYLOAD_A128GCM, JSON_ALGORITHM_ENC_PAYLOAD_A256GCM); + JSON_ALGORITHM_ENC_PAYLOAD_A128GCM, JSON_ALGORITHM_ENC_PAYLOAD_A256GCM)); // ********************************************************************************************* diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java index be306b69..6a8b96d4 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java @@ -53,7 +53,7 @@ public class SL20HttpBindingUtils { log.debug("Client request containts is no native client ... "); final URIBuilder clientRedirectUri = new URIBuilder(redirectUrl); clientRedirectUri.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, - Base64Url.encode(sl20Forward.toString().getBytes())); + Base64Url.encode(sl20Forward.toString().getBytes("UTF-8"))); httpResp.setStatus(httpCodeRedirect); httpResp.setHeader("Location", clientRedirectUri.build().toString()); diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java index f505f28d..82a8cf26 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java @@ -1,5 +1,6 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; +import java.io.UnsupportedEncodingException; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.Arrays; @@ -65,13 +66,17 @@ public class SL20JsonBuilderUtils { final JsonSecurityUtils encrypter) throws SlCommandoBuildException { // TODO: add real implementation // create header and footer - final String dummyHeader = createJsonEncryptionHeader(encrypter).toString(); + final String dummyHeader = createJsonEncryptionHeader().toString(); final String payLoad = result.toString(); - final String dummyFooter = createJsonSignedFooter(encrypter); + final String dummyFooter = createJsonSignedFooter(); - return Base64.getUrlEncoder().encodeToString(dummyHeader.getBytes()) + "." - + Base64.getUrlEncoder().encodeToString(payLoad.getBytes()) + "." - + Base64.getUrlEncoder().encodeToString(dummyFooter.getBytes()); + try { + return Base64.getUrlEncoder().encodeToString(dummyHeader.getBytes("UTF-8")) + "." + + Base64.getUrlEncoder().encodeToString(payLoad.getBytes("UTF-8")) + "." + + Base64.getUrlEncoder().encodeToString(dummyFooter.getBytes("UTF-8")); + } catch (UnsupportedEncodingException e) { + throw new SlCommandoBuildException("No UTF-8 encoding", e); + } } @@ -116,12 +121,17 @@ public class SL20JsonBuilderUtils { // TODO: add real implementation // create header and footer - final String dummyHeader = createJsonSignedHeader(signer).toString(); - final String dummyFooter = createJsonSignedFooter(signer); + final String dummyHeader = createJsonSignedHeader().toString(); + final String dummyFooter = createJsonSignedFooter(); - return Base64.getUrlEncoder().encodeToString(dummyHeader.getBytes()) + "." - + Base64.getUrlEncoder().encodeToString(encodedCommand.getBytes()) + "." - + Base64.getUrlEncoder().encodeToString(dummyFooter.getBytes()); + try { + return Base64.getUrlEncoder().encodeToString(dummyHeader.getBytes("UTF-8")) + "." + + Base64.getUrlEncoder().encodeToString(encodedCommand.getBytes("UTF-8")) + "." + + Base64.getUrlEncoder().encodeToString(dummyFooter.getBytes("UTF-8")); + + } catch (UnsupportedEncodingException e) { + throw new SlCommandoBuildException("No UTF-8 encoding", e); + } } @@ -560,7 +570,7 @@ public class SL20JsonBuilderUtils { // TODO!!!! - private static ObjectNode createJsonSignedHeader(final JsonSecurityUtils signer) + private static ObjectNode createJsonSignedHeader() throws SlCommandoBuildException { final ObjectNode header = mapper.getMapper().createObjectNode(); addSingleStringElement(header, SL20Constants.JSON_ALGORITHM, @@ -574,7 +584,7 @@ public class SL20JsonBuilderUtils { } // TODO!!!! - private static ObjectNode createJsonEncryptionHeader(final JsonSecurityUtils signer) + private static ObjectNode createJsonEncryptionHeader() throws SlCommandoBuildException { final ObjectNode header = mapper.getMapper().createObjectNode(); addSingleStringElement(header, SL20Constants.JSON_ALGORITHM, @@ -590,7 +600,7 @@ public class SL20JsonBuilderUtils { } // TODO!!!! - private static String createJsonSignedFooter(final JsonSecurityUtils signer) { + private static String createJsonSignedFooter() { return "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7\n" + " AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4\n" + " BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K\n" diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java index f4b5a724..d4e1490d 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java @@ -245,7 +245,7 @@ public class SL20JsonExtractorUtils { try { final String[] signedPayload = encryptedResult.toString().split("\\."); final JsonNode payLoad = mapper.getMapper() - .readTree(new String(Base64.getUrlDecoder().decode(signedPayload[1]))); + .readTree(new String(Base64.getUrlDecoder().decode(signedPayload[1]), "UTF-8")); return payLoad; } catch (final Exception e1) { @@ -338,9 +338,9 @@ public class SL20JsonExtractorUtils { } sl20Resp = parseSL20ResultFromResponse(httpResp.getEntity()); - } else if ((httpResp.getStatusLine().getStatusCode() == 500) - || (httpResp.getStatusLine().getStatusCode() == 401) - || (httpResp.getStatusLine().getStatusCode() == 400)) { + } else if (httpResp.getStatusLine().getStatusCode() == 500 + || httpResp.getStatusLine().getStatusCode() == 401 + || httpResp.getStatusLine().getStatusCode() == 400) { log.info("SL20 response with http-code: " + httpResp.getStatusLine().getStatusCode() + ". Search for error message"); |