/*******************************************************************************
* Copyright 2014 Federal Chancellery Austria
* MOA-ID has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
* the European Commission - subsequent versions of the EUPL (the "Licence");
* You may not use this work except in compliance with the Licence.
* You may obtain a copy of the Licence at:
* http://www.osor.eu/eupl/
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the Licence is distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Licence for the specific language governing permissions and
* limitations under the Licence.
*
* This product combines work with different licenses. See the "NOTICE" text
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
******************************************************************************/
/*
* Copyright 2003 Federal Chancellery Austria
* MOA-ID has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
* the European Commission - subsequent versions of the EUPL (the "Licence");
* You may not use this work except in compliance with the Licence.
* You may obtain a copy of the Licence at:
* http://www.osor.eu/eupl/
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the Licence is distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Licence for the specific language governing permissions and
* limitations under the Licence.
*
* This product combines work with different licenses. See the "NOTICE" text
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
package at.gv.egiz.eaaf.core.impl.idp.auth.builder;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.text.SimpleDateFormat;
import java.util.Date;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Base64Utils;
import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
/**
* Builder for the bPK, as defined in
* "Ableitung f¨r die bereichsspezifische Personenkennzeichnung"
* version 1.0.1 from "reference.e-government.gv.at".
*
*/
public class BPKBuilder {
private static final Logger log = LoggerFactory.getLogger(BPKBuilder.class);
/**
* Calculates an area specific unique person-identifier from a baseID
*
* @param baseID baseId from user but never null
* @param targetIdentifier target identifier for area specific identifier calculation but never null
* @return Pair consists of (unique person identifier for this target, targetArea) but never null
* @throws EAAFBuilderException if some input data are not valid
*/
public static Pair generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws EAAFBuilderException {
return generateAreaSpecificPersonIdentifier(baseID, EAAFConstants.URN_PREFIX_BASEID, targetIdentifier);
}
/**
* Calculates an area specific unique person-identifier from an unique identifier with a specific type
*
* @param baseID baseId from user but never null
* @param baseIdType Type of the baseID but never null
* @param targetIdentifier target identifier for area specific identifier calculation but never null
* @return Pair consists of (unique person identifier for this target, targetArea) but never null
* @throws EAAFBuilderException if some input data are not valid
*/
public static Pair generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws EAAFBuilderException{
if (StringUtils.isEmpty(baseID))
throw new EAAFBuilderException("builder.00", new Object[]{"baseID is empty or null"},
"BaseId is empty or null");
if (StringUtils.isEmpty(baseIdType))
throw new EAAFBuilderException("builder.00", new Object[]{"the type of baseID is empty or null"},
"Type of baseId is empty or null");
if (StringUtils.isEmpty(targetIdentifier))
throw new EAAFBuilderException("builder.00", new Object[]{"SP specific target identifier is empty or null"},
"SP specific target identifier is empty or null");
if (baseIdType.equals(EAAFConstants.URN_PREFIX_BASEID)) {
log.trace("Find baseID. Starting unique identifier caluclation for this target");
if (targetIdentifier.startsWith(EAAFConstants.URN_PREFIX_CDID) ||
targetIdentifier.startsWith(EAAFConstants.URN_PREFIX_WBPK)) {
log.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier);
return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier);
} else if (targetIdentifier.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) {
log.trace("Calculate eIDAS identifier for target: " + targetIdentifier);
final String[] splittedTarget = targetIdentifier.split("\\+");
final String cititzenCountryCode = splittedTarget[1];
final String eIDASOutboundCountry = splittedTarget[2];
if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
log.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
}
return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry);
} else
throw new EAAFBuilderException("builder.00",
new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"},
"Target identifier: " + targetIdentifier + " is NOT allowed or unknown");
} else {
log.trace("BaseID is not of type " + EAAFConstants.URN_PREFIX_BASEID + ". Check type against requested target ...");
if (baseIdType.equals(targetIdentifier)) {
log.debug("Unique identifier is already area specific. Is nothing todo");
return Pair.newInstance(baseID, targetIdentifier);
} else {
log.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!");
throw new EAAFBuilderException("builder.00",
new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"},
"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required");
}
}
}
/**
* Builds the eIDAS from the given parameters.
*
* @param baseID baseID of the citizen
* @param baseIDType Type of the baseID
* @param sourceCountry CountryCode of that country, which build the eIDAs ID
* @param destinationCountry CountryCode of that country, which receives the eIDAs ID
*
* @return Pair in a BASE64 encoding
* @throws EAAFBuilderException if some input data are not valid
*/
private static Pair buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
throws EAAFBuilderException {
String bPK = null;
String bPKType = null;
// check if we have been called by public sector application
if (baseIDType.startsWith(EAAFConstants.URN_PREFIX_BASEID)) {
bPKType = EAAFConstants.URN_PREFIX_EIDAS + sourceCountry + "+" + destinationCountry;
log.debug("Building eIDAS identification from: [identValue]+" + bPKType);
bPK = calculatebPKwbPK(baseID + "+" + bPKType);
} else { // if not, sector identification value is already calculated by BKU
log.debug("eIDAS eIdentifier already provided by BKU");
bPK = baseID;
}
if ((StringUtils.isEmpty(bPK) ||
StringUtils.isEmpty(sourceCountry) ||
StringUtils.isEmpty(destinationCountry))) {
throw new EAAFBuilderException("builder.00",
new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}
,"eIDAS-ID: Unvollständige Parameterangaben: identificationValue=" +
bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry);
}
log.trace("eIDAS pseudonym generation finished. ");
final String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
return Pair.newInstance(eIdentifier, bPKType);
}
public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws EAAFBuilderException {
final SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
if (target.startsWith(EAAFConstants.URN_PREFIX_CDID))
target = target.substring((EAAFConstants.URN_PREFIX_CDID).length());
final String input = "V1::urn:publicid:gv.at:cdid+" + target + "::"
+ bpk + "::"
+ sdf.format(new Date());
System.out.println(input);
byte[] result;
try {
final byte[] inputBytes = input.getBytes("ISO-8859-1");
result = encrypt(inputBytes, publicKey);
return new String(Base64Utils.encode(result), "ISO-8859-1").replaceAll("\r\n", "");
//return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", "");
} catch (final Exception e) {
throw new EAAFBuilderException("bPK encryption FAILED", null,
e.getMessage(), e);
}
}
public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws EAAFBuilderException {
String decryptedString;
try {
//byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1");
final byte[] encryptedBytes = Base64Utils.decode(encryptedBpk.getBytes("ISO-8859-1"));
final byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
decryptedString = new String(decryptedBytes, "ISO-8859-1");
} catch (final Exception e) {
throw new EAAFBuilderException("bPK decryption FAILED", null,
e.getMessage(), e);
}
String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
final String sector = tmp.substring(0, tmp.indexOf("::"));
tmp = tmp.substring(tmp.indexOf("::") + 2);
final String bPK = tmp.substring(0, tmp.indexOf("::"));
if (target.startsWith(EAAFConstants.URN_PREFIX_CDID + "+"))
target = target.substring((EAAFConstants.URN_PREFIX_CDID + "+").length());
if (target.equals(sector))
return bPK;
else {
log.error("Decrypted bPK does not match to request bPK target.");
return null;
}
}
private static String calculatebPKwbPK(String basisbegriff) throws EAAFBuilderException {
try {
final MessageDigest md = MessageDigest.getInstance("SHA-1");
final byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1"));
final String hashBase64 = new String(Base64Utils.encode(hash), "ISO-8859-1").replaceAll("\r\n", ""); //Base64Utils.encode(hash);
return hashBase64;
} catch (final Exception ex) {
throw new EAAFBuilderException("builder.00", new Object[]{"bPK/wbPK", ex.toString()},
ex.getMessage(), ex);
}
}
private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
byte[] result;
Cipher cipher = null;
try {
cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
} catch(final NoSuchAlgorithmException e) {
cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
}
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
result = cipher.doFinal(inputBytes);
return result;
}
private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey)
throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{
byte[] result;
Cipher cipher = null;
try {
cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
} catch(final NoSuchAlgorithmException e) {
cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
}
cipher.init(Cipher.DECRYPT_MODE, privateKey);
result = cipher.doFinal(encryptedBytes);
return result;
}
}