From 3be8b5c3c139ab75db4ae9ac927800505194d987 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 29 May 2019 13:57:17 +0200 Subject: add new attribute builder fix some injection and dependency problems --- .../tasks/AbstractCreateQualeIDRequestTask.java | 2 +- .../sl20/tasks/AbstractReceiveQualeIDTask.java | 4 +-- eaaf_modules/eaaf_module_pvp2_core/pom.xml | 5 ++++ .../pvp2/idp/impl/AuthenticationAction.java | 29 ++++++++++++---------- 4 files changed, 24 insertions(+), 16 deletions(-) (limited to 'eaaf_modules') diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java index b0949cd3..dfcaaf5a 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java @@ -183,7 +183,7 @@ public abstract class AbstractCreateQualeIDRequestTask extends AbstractAuthServl //String spSpecificVDAEndpoints = oaConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENDPOINTS); final String spSpecificVDAEndpoints = null; - final Map endPointMap = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST); + final Map endPointMap = authConfig.getBasicConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST); if (StringUtils.isNotEmpty(spSpecificVDAEndpoints)) { endPointMap.putAll(KeyValueUtils.convertListToMap( KeyValueUtils.getListOfCSVValues( diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java index a377a4c0..5abbd543 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java @@ -100,10 +100,10 @@ public abstract class AbstractReceiveQualeIDTask extends AbstractAuthServletTask //validate signature final VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad( sl20ReqObj, joseTools, - authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); + authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) { - if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) { + if (authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) { log.info("SL20 result from VDA was not valid signed"); throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."}); diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml index e5cc555a..ae942318 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml @@ -61,6 +61,11 @@ org.apache.santuario xmlsec + + org.bouncycastle + bcprov-jdk15on + + org.owasp.esapi esapi diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java index 4ec7cf99..cbbed659 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java @@ -90,31 +90,32 @@ public class AuthenticationAction implements IAction { } + @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws ResponderErrorException { - PVPSProfilePendingRequest pvpRequest = (PVPSProfilePendingRequest) req; + final PVPSProfilePendingRequest pvpRequest = (PVPSProfilePendingRequest) req; try { //get basic information - PVPSProfileRequest moaRequest = (PVPSProfileRequest) pvpRequest.getRequest(); - AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); - EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider); + final PVPSProfileRequest moaRequest = (PVPSProfileRequest) pvpRequest.getRequest(); + final AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); + final EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider); - AssertionConsumerService consumerService = + final AssertionConsumerService consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); consumerService.setBinding(pvpRequest.getBinding()); consumerService.setLocation(pvpRequest.getConsumerURL()); - DateTime date = new DateTime(); - SLOInformationImpl sloInformation = new SLOInformationImpl(); - String issuerEntityID = pvpBasicConfiguration.getIDPEntityId(pvpRequest.getAuthURL()); + final DateTime date = new DateTime(); + final SLOInformationImpl sloInformation = new SLOInformationImpl(); + final String issuerEntityID = pvpBasicConfiguration.getIDPEntityId(pvpRequest.getAuthURL()); //build Assertion - Assertion assertion = assertionBuilder.buildAssertion(issuerEntityID, pvpRequest, authnRequest, authData, + final Assertion assertion = assertionBuilder.buildAssertion(issuerEntityID, pvpRequest, authnRequest, authData, peerEntity, date, consumerService, sloInformation); - Response authResponse = AuthResponseBuilder.buildResponse( + final Response authResponse = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnRequest, - date, assertion, authConfig.getBasicMOAIDConfigurationBoolean( + date, assertion, authConfig.getBasicConfigurationBoolean( CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION, true)); IEncoder binding = null; @@ -148,11 +149,11 @@ public class AuthenticationAction implements IAction { log.warn("Message Encoding exception", e); throw new ResponderErrorException("pvp2.01", null, e); - } catch (EAAFException e) { + } catch (final EAAFException e) { log.info("Response generation error: Msg: ", e.getMessage()); throw new ResponderErrorException(e.getErrorId(), e.getParams(), e); - } catch (Exception e) { + } catch (final Exception e) { log.warn("Response generation error", e); throw new ResponderErrorException("pvp2.01", null, e); @@ -160,11 +161,13 @@ public class AuthenticationAction implements IAction { } + @Override public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { return true; } + @Override public String getDefaultActionName() { return "PVPAuthenticationRequestAction"; -- cgit v1.2.3 From 7ece75cb3dc9e4d13089b35cf011168811f7e10e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 19 Jun 2019 08:35:30 +0200 Subject: remove manifest check, if it is not necessary --- .../sigverify/moasig/impl/SignatureVerificationService.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'eaaf_modules') diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java index 1608490d..ca20ce0f 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java @@ -221,12 +221,12 @@ public class SignatureVerificationService extends AbstractSignatureService imple verifySignatureLocationElem.appendChild(signatureLocation); // signature manifest params - final Element signatureManifestCheckParamsElem = requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); - requestElem_.appendChild(signatureManifestCheckParamsElem); - signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); + if (verifyTransformsInfoProfileID != null && !verifyTransformsInfoProfileID.isEmpty()) { + final Element signatureManifestCheckParamsElem = requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); - //verify transformations - if (verifyTransformsInfoProfileID != null && !verifyTransformsInfoProfileID.isEmpty()) { + //verify transformations final Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); signatureManifestCheckParamsElem.appendChild(referenceInfoElem); for (final String element : verifyTransformsInfoProfileID) { -- cgit v1.2.3 From 470ac2c6234a0bac1e973fd3c1f49e1d9da41be4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 19 Jun 2019 08:36:10 +0200 Subject: add interface to inject external XML schemes into MOA-Sig --- .../moasig/api/data/ISchemaRessourceProvider.java | 20 ++++++++++++++ .../moasig/impl/AbstractSignatureService.java | 32 ++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/data/ISchemaRessourceProvider.java (limited to 'eaaf_modules') diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/data/ISchemaRessourceProvider.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/data/ISchemaRessourceProvider.java new file mode 100644 index 00000000..9548d96b --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/data/ISchemaRessourceProvider.java @@ -0,0 +1,20 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data; + +import java.io.InputStream; +import java.util.Map; + +/** + * Inject additional XML schemes into MOA-Sig + * + * @author tlenz + * + */ +public interface ISchemaRessourceProvider { + + /** + * Get a Map of additional XML schemes that should be injected into MOA-Sig + * + * @return A Set of {@link Entry} consist of Name of the Scheme and XML scheme as {@link InputStream} + */ + public Map getSchemas(); +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java index fe99e328..d796c165 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java @@ -1,7 +1,11 @@ package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; +import java.io.IOException; +import java.io.InputStream; import java.security.Provider; import java.security.Security; +import java.util.Iterator; +import java.util.Map.Entry; import javax.annotation.PostConstruct; import javax.xml.parsers.DocumentBuilder; @@ -10,13 +14,16 @@ import javax.xml.parsers.ParserConfigurationException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; import org.w3c.dom.Document; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ISchemaRessourceProvider; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceConfigurationException; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.Configurator; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; +import at.gv.egovernment.moaspss.util.DOMUtils; import iaik.asn1.structures.AlgorithmID; import iaik.security.ec.provider.ECCelerate; import iaik.security.provider.IAIK; @@ -25,6 +32,7 @@ public abstract class AbstractSignatureService { private static final Logger log = LoggerFactory.getLogger(AbstractSignatureService.class); private static boolean isMOASigInitialized = false; + @Autowired(required=false) ISchemaRessourceProvider[] schemas; @PostConstruct private synchronized void initialize() throws MOASigServiceConfigurationException { @@ -66,6 +74,30 @@ public abstract class AbstractSignatureService { } + + //Inject additional XML schemes + if (schemas != null && schemas.length > 0) { + log.debug("Infjecting additional XML schemes ... "); + for (final ISchemaRessourceProvider el : schemas) { + final Iterator> xmlSchemeIt = el.getSchemas().entrySet().iterator(); + while (xmlSchemeIt.hasNext()) { + final Entry xmlDef = xmlSchemeIt.next(); + try { + DOMUtils.addSchemaToPool(xmlDef.getValue(), xmlDef.getKey()); + log.info("Inject XML scheme: {}", xmlDef.getKey()); + + } catch (final IOException e) { + log.warn("Can NOT inject XML scheme: " + xmlDef.getKey(), e); + + } + + } + } + + } else + log.trace("No additional XML schemes to inject. Skip this feature"); + + isMOASigInitialized = true; } else -- cgit v1.2.3