/*
* Copyright 2014 Federal Chancellery Austria MOA-ID has been developed in a cooperation between
* BRZ, the Federal Chancellery Austria - ICT staff unit, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by the European
* Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
* compliance with the Licence. You may obtain a copy of the Licence at: http://www.osor.eu/eupl/
*
* Unless required by applicable law or agreed to in writing, software distributed under the Licence
* is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
* or implied. See the Licence for the specific language governing permissions and limitations under
* the Licence.
*
* This product combines work with different licenses. See the "NOTICE" text file for details on the
* various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
* works that you distribute must include a readable copy of the "NOTICE" text file.
*/
package at.gv.egiz.eaaf.core.impl.idp.auth.builder;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.text.SimpleDateFormat;
import java.util.Date;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Base64Utils;
import at.gv.egiz.eaaf.core.api.data.EaafConstants;
import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
/**
* Builder for the bPK, as defined in
* "Ableitung f¨r die bereichsspezifische Personenkennzeichnung"
* version 1.0.1
from
* "reference.e-government.gv.at"
.
*
*/
public class BpkBuilder {
private static final Logger log = LoggerFactory.getLogger(BpkBuilder.class);
/**
* Calculates an area specific unique person-identifier from a baseID.
*
* @param baseID baseId from user but never null
* @param targetIdentifier target identifier for area specific identifier
* calculation but never null
* @return Pair consists of (unique person identifier for this target,
* targetArea) but never null
* @throws EaafBuilderException if some input data are not valid
*/
public static Pair generateAreaSpecificPersonIdentifier(final String baseID,
final String targetIdentifier) throws EaafBuilderException {
return generateAreaSpecificPersonIdentifier(baseID, EaafConstants.URN_PREFIX_BASEID,
targetIdentifier);
}
/**
* Calculates an area specific unique person-identifier from an unique
* identifier with a specific type.
*
* @param baseID baseId from user but never null
* @param baseIdType Type of the baseID but never null
* @param targetIdentifier target identifier for area specific identifier
* calculation but never null
* @return Pair consists of (unique person identifier for this target,
* targetArea) but never null
* @throws EaafBuilderException if some input data are not valid
*/
public static Pair generateAreaSpecificPersonIdentifier(final String baseID,
final String baseIdType, final String targetIdentifier) throws EaafBuilderException {
if (StringUtils.isEmpty(baseID)) {
throw new EaafBuilderException("builder.00", new Object[] { "baseID is empty or null" },
"BaseId is empty or null");
}
if (StringUtils.isEmpty(baseIdType)) {
throw new EaafBuilderException("builder.00",
new Object[] { "the type of baseID is empty or null" }, "Type of baseId is empty or null");
}
if (StringUtils.isEmpty(targetIdentifier)) {
throw new EaafBuilderException("builder.00",
new Object[] { "SP specific target identifier is empty or null" },
"SP specific target identifier is empty or null");
}
if (baseIdType.equals(EaafConstants.URN_PREFIX_BASEID)) {
log.trace("Find baseID. Starting unique identifier caluclation for this target");
if (targetIdentifier.startsWith(EaafConstants.URN_PREFIX_CDID)
|| targetIdentifier.startsWith(EaafConstants.URN_PREFIX_WBPK)) {
log.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier);
return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier),
targetIdentifier);
} else if (targetIdentifier.startsWith(EaafConstants.URN_PREFIX_EIDAS)) {
log.trace("Calculate eIDAS identifier for target: " + targetIdentifier);
final String[] splittedTarget = targetIdentifier.split("\\+");
final String cititzenCountryCode = splittedTarget[1];
final String eidasOutboundCountry = splittedTarget[2];
if (cititzenCountryCode.equalsIgnoreCase(eidasOutboundCountry)) {
log.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
}
return buildEidasIdentifer(baseID, baseIdType, cititzenCountryCode, eidasOutboundCountry);
} else {
throw new EaafBuilderException("builder.00",
new Object[] { "Target identifier: " + targetIdentifier + " is NOT allowed or unknown" },
"Target identifier: " + targetIdentifier + " is NOT allowed or unknown");
}
} else {
log.trace("BaseID is not of type " + EaafConstants.URN_PREFIX_BASEID
+ ". Check type against requested target ...");
if (baseIdType.equals(targetIdentifier)) {
log.debug("Unique identifier is already area specific. Is nothing todo");
return Pair.newInstance(baseID, targetIdentifier);
} else {
log.warn("Get unique identifier for target: " + baseIdType + " but target: "
+ targetIdentifier + " is required!");
throw new EaafBuilderException("builder.00",
new Object[] { "Get unique identifier for target: " + baseIdType + " but target: "
+ targetIdentifier + " is required" },
"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier
+ " is required");
}
}
}
/**
* Builds the eIDAS from the given parameters.
*
* @param baseId baseID of the citizen
* @param baseIdType Type of the baseID
* @param sourceCountry CountryCode of that country, which build the eIDAs
* ID
* @param destinationCountry CountryCode of that country, which receives the
* eIDAs ID
*
* @return Pair eIDAs/bPKType in a BASE64 encoding
* @throws EaafBuilderException if some input data are not valid
*/
private static Pair buildEidasIdentifer(final String baseId,
final String baseIdType, final String sourceCountry, final String destinationCountry)
throws EaafBuilderException {
String bpk = null;
String bpkType = null;
// check if we have been called by public sector application
if (baseIdType.startsWith(EaafConstants.URN_PREFIX_BASEID)) {
bpkType = EaafConstants.URN_PREFIX_EIDAS + sourceCountry + "+" + destinationCountry;
log.debug("Building eIDAS identification from: [identValue]+" + bpkType);
bpk = calculatebPKwbPK(baseId + "+" + bpkType);
} else { // if not, sector identification value is already calculated by BKU
log.debug("eIDAS eIdentifier already provided by BKU");
bpk = baseId;
}
if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(sourceCountry)
|| StringUtils.isEmpty(destinationCountry)) {
throw new EaafBuilderException("builder.00",
new Object[] { "eIDAS-ID",
"Unvollständige Parameterangaben: identificationValue=" + bpk + ", Zielland="
+ destinationCountry + ", Ursprungsland=" + sourceCountry },
"eIDAS-ID: Unvollständige Parameterangaben: identificationValue=" + bpk + ", Zielland="
+ destinationCountry + ", Ursprungsland=" + sourceCountry);
}
log.trace("eIDAS pseudonym generation finished. ");
final String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bpk;
return Pair.newInstance(eIdentifier, bpkType);
}
/**
* Create an encrypted bPK.
*
* @param bpk unencrypted bPK
* @param target bPK target
* @param publicKey Public-Key used for encryption
* @return encrypted bPK
* @throws EaafBuilderException In case of an error
*/
public static String encryptBpk(final String bpk, String target, final PublicKey publicKey)
throws EaafBuilderException {
final SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
if (target.startsWith(EaafConstants.URN_PREFIX_CDID)) {
target = target.substring(EaafConstants.URN_PREFIX_CDID.length());
}
final String input =
"V1::urn:publicid:gv.at:cdid+" + target + "::" + bpk + "::" + sdf.format(new Date());
// System.out.println(input);
byte[] result;
try {
final byte[] inputBytes = input.getBytes("ISO-8859-1");
result = encrypt(inputBytes, publicKey);
return new String(Base64Utils.encode(result), "ISO-8859-1").replaceAll("\r\n", "");
// return new String(Base64Utils.encode(result,
// "ISO-8859-1")).replaceAll("\r\n", "");
} catch (final Exception e) {
throw new EaafBuilderException("bPK encryption FAILED", null, e.getMessage(), e);
}
}
/**
* Decrypt an encrypted bPK.
*
* @param encryptedBpk encrypted bPK
* @param target bPK target
* @param privateKey private-key for decryption
* @return bPK
* @throws EaafBuilderException In case of an error
*/
public static String decryptBpk(final String encryptedBpk, String target,
final PrivateKey privateKey) throws EaafBuilderException {
String decryptedString;
try {
// byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false,
// "ISO-8859-1");
final byte[] encryptedBytes = Base64Utils.decode(encryptedBpk.getBytes("ISO-8859-1"));
final byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
decryptedString = new String(decryptedBytes, "ISO-8859-1");
} catch (final Exception e) {
throw new EaafBuilderException("bPK decryption FAILED", null, e.getMessage(), e);
}
String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
final String sector = tmp.substring(0, tmp.indexOf("::"));
tmp = tmp.substring(tmp.indexOf("::") + 2);
final String bPK = tmp.substring(0, tmp.indexOf("::"));
if (target.startsWith(EaafConstants.URN_PREFIX_CDID + "+")) {
target = target.substring((EaafConstants.URN_PREFIX_CDID + "+").length());
}
if (target.equals(sector)) {
return bPK;
} else {
log.error("Decrypted bPK does not match to request bPK target.");
return null;
}
}
private static String calculatebPKwbPK(final String basisbegriff) throws EaafBuilderException {
try {
final MessageDigest md = MessageDigest.getInstance("SHA-1");
final byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1"));
final String hashBase64 =
new String(Base64Utils.encode(hash), "ISO-8859-1").replaceAll("\r\n", ""); // Base64Utils.encode(hash);
return hashBase64;
} catch (final Exception ex) {
throw new EaafBuilderException("builder.00", new Object[] { "bPK/wbPK", ex.toString() },
ex.getMessage(), ex);
}
}
private static byte[] encrypt(final byte[] inputBytes, final PublicKey publicKey)
throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException {
byte[] result;
Cipher cipher = null;
try {
cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
} catch (final NoSuchAlgorithmException e) {
cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
}
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
result = cipher.doFinal(inputBytes);
return result;
}
private static byte[] decrypt(final byte[] encryptedBytes, final PrivateKey privateKey)
throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException {
byte[] result;
Cipher cipher = null;
try {
cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
} catch (final NoSuchAlgorithmException e) {
cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
}
cipher.init(Cipher.DECRYPT_MODE, privateKey);
result = cipher.doFinal(encryptedBytes);
return result;
}
}