| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2018-07-20 10:56:04 +0200 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2018-07-20 10:56:04 +0200 | 
| commit | 31bc1246bb56fcd8807678e3f7516023bdfaed44 (patch) | |
| tree | 0c3ed662a5be943a4ceb70d021e1bb7ac9dc1015 /eidas_modules/authmodule-eIDAS-v2/src | |
| parent | 2945c875bda2c8236d0b3fd630358fcaca85f4a8 (diff) | |
| download | National_eIDAS_Gateway-31bc1246bb56fcd8807678e3f7516023bdfaed44.tar.gz National_eIDAS_Gateway-31bc1246bb56fcd8807678e3f7516023bdfaed44.tar.bz2 National_eIDAS_Gateway-31bc1246bb56fcd8807678e3f7516023bdfaed44.zip | |
add SZR client
add different logging backends
define error codes and error messages
update to eIDAS Ref. impl 2.1
Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2/src')
27 files changed, 3419 insertions, 464 deletions
| diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/Constants.java index de7d9100..b1cd128f 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/Constants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/Constants.java 
@@ -7,13 +7,60 @@ import java.util.ArrayList;  import java.util.Collections;  import java.util.List; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +  public class Constants { +	public static final String EXECUTIONCONTEXT_SELECTED_COUNTRY = "selectedCountry"; +	public static final String DATA_REQUESTERID = "req_requesterId"; +	public static final String DATA_PROVIDERNAME = "req_providerName"; +	public static final String DATA_REQUESTED_LOA_LIST = "req_requestedLoA"; +	public static final String DATA_REQUESTED_LOA_COMPERISON = "req_requestedLoAComperision";	 +	public static final String DATA_FULL_EIDAS_RESPONSE = "resp_fulleIDASResponse"; +	 +	 +	//templates for post-binding forwarding +	public static final String TEMPLATE_POST_FORWARD_NAME = "eidas_node_forward.html"; +	public static final String TEMPLATE_POST_FORWARD_ENDPOINT = "endPoint"; +	public static final String TEMPLATE_POST_FORWARD_TOKEN_NAME = "tokenName"; +	public static final String TEMPLATE_POST_FORWARD_TOKEN_VALUE = "tokenValue"; +	 +	  	//configuration properties  	public static final String CONIG_PROPS_EIDAS_PREFIX="auth.eIDAS";  	public static final String CONIG_PROPS_EIDAS_NODE= CONIG_PROPS_EIDAS_PREFIX + ".node_v2";  	public static final String CONIG_PROPS_EIDAS_NODE_COUNTRYCODE = CONIG_PROPS_EIDAS_NODE + ".countrycode"; +	public static final String CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS = CONIG_PROPS_EIDAS_NODE + ".publicSectorTargets"; +	public static final String CONIG_PROPS_EIDAS_NODE_ENTITYID = CONIG_PROPS_EIDAS_NODE + ".entityId"; +	public static final String CONIG_PROPS_EIDAS_NODE_FORWARD_URL = CONIG_PROPS_EIDAS_NODE + ".forward.endpoint"; +	public static final String CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD = CONIG_PROPS_EIDAS_NODE + ".forward.method"; +	public static final String CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_ONLYNATURAL = CONIG_PROPS_EIDAS_NODE + ".attributes.requested.onlynatural."; +	public static final String 
CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_REPRESENTATION = CONIG_PROPS_EIDAS_NODE + ".attributes.requested.representation."; +	public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_ADD_ALWAYS_PROVIDERNAME = CONIG_PROPS_EIDAS_NODE + ".workarounds.addAlwaysProviderName";; +	public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER = CONIG_PROPS_EIDAS_NODE + ".workarounds.useRequestIdAsTransactionIdentifier"; +	public static final String FORWARD_METHOD_POST = "POST"; +	public static final String FORWARD_METHOD_GET = "GET"; +	 +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT= CONIG_PROPS_EIDAS_PREFIX + ".szrclient"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE= CONIG_PROPS_EIDAS_SZRCLIENT + ".useTestService"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_TRACEMESSAGES= CONIG_PROPS_EIDAS_SZRCLIENT + ".debug.logfullmessages"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY= CONIG_PROPS_EIDAS_SZRCLIENT + ".debug.useDummySolution"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_INSERTERNB= CONIG_PROPS_EIDAS_SZRCLIENT + ".debug.insertERnB"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION= CONIG_PROPS_EIDAS_SZRCLIENT + ".timeout.connection"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE= CONIG_PROPS_EIDAS_SZRCLIENT + ".timeout.response"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_PROD= CONIG_PROPS_EIDAS_SZRCLIENT + ".endpoint.prod"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_TEST= CONIG_PROPS_EIDAS_SZRCLIENT + ".endpoint.test"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PATH = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.keyStore.path"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PASSWORD = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.keyStore.password"; +	public static final String 
CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PATH = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.trustStore.path"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PASSWORD = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.trustStore.password"; +	 +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE = CONIG_PROPS_EIDAS_SZRCLIENT + ".params.documenttype"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ = CONIG_PROPS_EIDAS_SZRCLIENT + ".params.vkz"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_ISSUING_DATE = CONIG_PROPS_EIDAS_SZRCLIENT + ".params.issuingdate"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_ISSUING_AUTHORITY = CONIG_PROPS_EIDAS_SZRCLIENT + ".params.issuingauthority"; +	public static final String CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_KEYS_USEDUMMY= CONIG_PROPS_EIDAS_SZRCLIENT + ".params.usedummykeys";  	//http endpoint descriptions  	public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/light/sp/post"; 
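Review bot: The declaration of `CONIG_PROPS_EIDAS_NODE_WORKAROUND_ADD_ALWAYS_PROVIDERNAME` ends in a stray double semicolon (`".workarounds.addAlwaysProviderName";;`); it compiles, but it reads like an editing leftover and should be a single `;`. The new identifier `DATA_REQUESTED_LOA_COMPERISON` misspells "comparison" while its value `"req_requestedLoAComperision"` is a runtime key, so if the identifier is renamed the string value must be kept (or every reader and writer of that key changed together).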
@@ -42,4 +89,23 @@ public class Constants {  //				add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri());  			}  		}); +	  +	 public static final String POLICY_DEFAULT_ALLOWED_TARGETS =  +				EAAFConstants.URN_PREFIX_CDID.replaceAll("\\.", "\\\\.").replaceAll("\\+", "\\\\+") + ".*"; +	  +	 //SAML2 Constants +	 public static final String SUCCESS_URI = "urn:oasis:names:tc:SAML:2.0:status:Success"; +	  +	 public static final String HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION = "30";  //seconds +	 public static final String HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE = "60";    //seconds +	 +	  +	 //Default values for SZR communication +	 public static final String SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE = "ELEKTR_DOKUMENT"; +	  +	 //TODO remove!!! +	 public static final String SZR_CONSTANTS_DEFAULT_ISSUING_DATE = "2014-01-01"; +	 public static final String SZR_CONSTANTS_DEFAULT_ISSUING_AUTHORITY = "ms-specific eIDAS-Node for AT"; +	 public final static byte[] SZR_CONSTANTS_DEFAULT_PUBL_KEY = new byte[] {48, -127, -97, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5, 0, 3, -127, -115, 0, 48, -127, -119, 2, -127, -127, 0, -106, 114, -113, -1, -84, 116, 35, 3, 70, -81, 81, -110, -10, -59, 114, 4, -109, 86, 127, -50, 125, 47, 4, 80, 79, 53, 117, -36, 15, -16, -61, 110, 39, 89, 29, -43, 37, -127, 80, -109, -38, 65, 125, -119, 44, -111, -21, 47, -98, 38, -112, -24, 107, -110, 17, -10, 51, -4, -36, -72, -28, -18, -14, 117, -67, 76, -31, 32, 92, 104, -21, 68, 31, -12, 30, -104, -104, 42, -107, 126, 84, 50, 85, -117, 44, -100, -4, 102, -100, 52, -68, 77, -32, 9, -16, -30, -104, -90, 107, -88, 7, 97, -94, 72, -61, -40, 80, -112, -65, -25, -72, -19, -95, -54, 31, 15, 24, -105, 123, -81, 23, -123, 92, -103, -101, 47, 47, -105, 2, 3, 1, 0, 1}; +  } 
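Review bot: `SZR_CONSTANTS_DEFAULT_ISSUING_DATE`, `SZR_CONSTANTS_DEFAULT_ISSUING_AUTHORITY` and `SZR_CONSTANTS_DEFAULT_PUBL_KEY` are marked `//TODO remove!!!` yet are published as public constants, so any production code path that falls back to them would send the same fixed key material (the byte array looks like a DER-encoded RSA public key) and a fixed 2014 issuing date for every person. If they exist only for the dummy mode selected by `CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_KEYS_USEDUMMY`, say so where they are declared, e.g. `// test-only fallback values; must not be used unless usedummykeys is enabled`, and prefer moving them to test sources. `POLICY_DEFAULT_ALLOWED_TARGETS` escapes only `.` and `+` in `EAAFConstants.URN_PREFIX_CDID` before appending `.*`; if the value is consumed as a `java.util.regex` pattern, `Pattern.quote(EAAFConstants.URN_PREFIX_CDID) + ".*"` escapes every metacharacter and is easier to audit.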
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationModulImpl.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationModulImpl.java
index 1ce2f949..fef9cbfa 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationModulImpl.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationModulImpl.java
@@ -4,8 +4,8 @@ package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2;
 import org.apache.commons.lang3.StringUtils;
-import at.gv.egovernment.moa.id.auth.modules.AuthModule;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 /**
  * @author tlenz
@@ -33,8 +33,8 @@ public class eIDASAuthenticationModulImpl implements AuthModule {
 	 */
 	@Override
 	public String selectProcess(ExecutionContext context) {
-		if (StringUtils.isNotBlank((String) context.get("ccc")) || 
-				StringUtils.isNotBlank((String) context.get("CCC"))) 
+		if (StringUtils.isNotBlank((String) context.get(Constants.EXECUTIONCONTEXT_SELECTED_COUNTRY)) || 
+				StringUtils.isNotBlank((String) context.get(Constants.EXECUTIONCONTEXT_SELECTED_COUNTRY)))
 			return "eIDASAuthentication_v2";
 		else
 			return null;
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationSpringResourceProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationSpringResourceProvider.java
index b491b8d8..e067acfb 100644
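Review bot: Both operands of the `||` in `selectProcess` now read the same key, `Constants.EXECUTIONCONTEXT_SELECTED_COUNTRY`, so the second `isNotBlank` call is dead code; the removed lines distinguished `"ccc"` from `"CCC"`. Either reduce the condition to `if (StringUtils.isNotBlank((String) context.get(Constants.EXECUTIONCONTEXT_SELECTED_COUNTRY)))`, or, if some caller still writes the upper-case variant, introduce a second constant for it instead of silently dropping that path. The method's Javadoc begins and its closing brace lies outside this hunk.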
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationSpringResourceProvider.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASAuthenticationSpringResourceProvider.java
@@ -22,7 +22,7 @@ public class eIDASAuthenticationSpringResourceProvider implements SpringResource
 	@Override
 	public Resource[] getResourcesToLoad() {
-		ClassPathResource eIDASAuthConfig = new ClassPathResource("/eidas_v2_auth.beans", eIDASAuthenticationSpringResourceProvider.class);					
+		ClassPathResource eIDASAuthConfig = new ClassPathResource("/eidas_v2_auth.beans.xml", eIDASAuthenticationSpringResourceProvider.class);					
 		return new Resource[] {eIDASAuthConfig};
 	}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASSignalServlet.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASSignalServlet.java
index 51d1bd0c..77f799e7 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASSignalServlet.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/eIDASSignalServlet.java
@@ -8,14 +8,25 @@ import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  import org.apache.commons.lang3.StringUtils; -import org.apache.commons.text.StringEscapeUtils;  import org.slf4j.Logger;  import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext;  import org.springframework.stereotype.Controller;  import org.springframework.web.bind.annotation.RequestMapping;  import org.springframework.web.bind.annotation.RequestMethod; -import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController; +import com.google.common.collect.ImmutableSortedSet; + +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.eIDASAuthenticationException; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service.eIDASAttributeRegistry; +import eu.eidas.auth.commons.EidasParameterKeys; +import eu.eidas.auth.commons.light.ILightResponse; +import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; +import eu.eidas.specificcommunication.exception.SpecificCommunicationException; +import eu.eidas.specificcommunication.protocol.impl.SpecificConnectorCommunicationServiceImpl; +  /**   * @author tlenz @@ -25,9 +36,10 @@ import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalControll  public class eIDASSignalServlet extends AbstractProcessEngineSignalController {  	private static final Logger log = LoggerFactory.getLogger(eIDASSignalServlet.class); +	@Autowired private ApplicationContext context; +	@Autowired private eIDASAttributeRegistry attrRegistry; - -	public eIDASSignalServlet() { +	public eIDASSignalServlet() {   		super();  		log.debug("Registering servlet " + getClass().getName() +   				" with mappings '"+ Constants.eIDAS_HTTP_ENDPOINT_SP_POST +  
@@ -39,11 +51,11 @@ public class eIDASSignalServlet extends AbstractProcessEngineSignalController {
 							  Constants.eIDAS_HTTP_ENDPOINT_SP_REDIRECT
 							}, 
 					method = {RequestMethod.POST, RequestMethod.GET})
-	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+	public void restoreEidasAuthProcess(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 		signalProcessManagement(req, resp);
 	}
-	@Override
+	
 	/**
 	 * Protocol specific implementation to get the pending-requestID 
 	 * from http request object 
@@ -52,31 +64,68 @@ public class eIDASSignalServlet extends AbstractProcessEngineSignalController {  	 * @return The Pending-request id   	 *   	 */ +	@Override  	public String getPendingRequestId(HttpServletRequest request) { -		String sessionId = super.getPendingRequestId(request); +		//String sessionId = super.getPendingRequestId(request);  		try { - -			// use SAML2 relayState -			if (sessionId == null) { -				log.trace("No transaction identifier from pendingReq. Search for SAML2 'RelayState' ..."); -				sessionId = StringEscapeUtils.escapeHtml4(request.getParameter("RelayState")); -				 -				if (StringUtils.isEmpty(sessionId)) -						log.info("NO transaction identifier found! Stopping process ...."); -				else -					log.debug("Find transaction identifier in SAML2 'RelayState': " + sessionId); +			//get token from Request +			final String tokenBase64 = request.getParameter(EidasParameterKeys.TOKEN.toString());			 +			if (StringUtils.isEmpty(tokenBase64)) { +				log.warn("NO eIDAS message token found."); +				throw new eIDASAuthenticationException("eidas.04", null); +			} +			log.trace("Receive eIDAS-node token: " + tokenBase64 + " Starting transaction-restore process ... "); -			} else -				log.trace("Find transaction identifier from pendingReq."); +			 +			 +			final SpecificConnectorCommunicationServiceImpl specificConnectorCommunicationService = +	                (SpecificConnectorCommunicationServiceImpl) context.getBean(SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); +			ILightResponse eIDASResponse = specificConnectorCommunicationService.getAndRemoveResponse(tokenBase64,  +    			ImmutableSortedSet.copyOf(attrRegistry.getCoreAttributeRegistry().getAttributes())); +				 +			String pendingReqId = null; +			if (StringUtils.isEmpty(eIDASResponse.getRelayState())) { +				log.debug("eIDAS Node returns no RelayState. 
"); +				 +				if (authConfig.getBasicMOAIDConfigurationBoolean( +						Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER,  +						false)) { +					log.trace("Use lightRequestId to recover session ... "); +					pendingReqId = transactionStorage.get(eIDASResponse.getInResponseToId(), String.class); +					if (StringUtils.isNotEmpty(pendingReqId)) { +						log.debug("Restoring session with lightRequestId ... "); +						transactionStorage.remove(eIDASResponse.getInResponseToId()); +						 +					}		 +				}  +											 +			} else {			 +				log.debug("Find transaction identifier in SAML2 'RelayState': " + eIDASResponse.getRelayState()); +				pendingReqId = eIDASResponse.getRelayState(); +				 				 +			} +			if (StringUtils.isNotEmpty(pendingReqId)) { +				request.setAttribute(Constants.DATA_FULL_EIDAS_RESPONSE, eIDASResponse); +				return pendingReqId; +				 +			} + +			log.info("NO transaction identifier found! Stopping process ...."); +			log.trace("FullResponse: " + eIDASResponse.toString()); +			 +		} catch (SpecificCommunicationException e) { +			log.warn("Can NOT load eIDAS Response from cache.", e); +			log.debug("eIDAS response token was: " + request.getParameter(EidasParameterKeys.TOKEN.toString())); +			  		} catch (Exception e) {  			log.warn("Unable to retrieve moa session id.", e);  		} -		return sessionId; +		return null;  	}  } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/SZRCommunicationException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/SZRCommunicationException.java new file mode 100644 index 00000000..a0c3cf88 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/SZRCommunicationException.java 
@@ -0,0 +1,15 @@
+package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception;
+
+public class SZRCommunicationException extends eIDASAuthenticationException {
+
+	private static final long serialVersionUID = 1L;
+
+	public SZRCommunicationException(String internalMsgId, Object[] params) {
+		super(internalMsgId, params);
+	}
+
+	public SZRCommunicationException(String internalMsgId, Object[] params, Throwable e) {
+		super(internalMsgId, params, e);
+	}
+
+}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAttributeException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAttributeException.java
new file mode 100644
index 00000000..f1d4280f
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAttributeException.java
@@ -0,0 +1,15 @@
+package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception;
+
+public class eIDASAttributeException extends eIDASAuthenticationException {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	public eIDASAttributeException(String attrbuteName) {
+		super("eidas.00", new Object[] {attrbuteName});
+
+	}
+
+}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAuthenticationException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAuthenticationException.java
index fff6773e..939e7471 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAuthenticationException.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASAuthenticationException.java
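Review bot: The constructor parameter of `eIDASAttributeException` is misspelled; `public eIDASAttributeException(String attributeName)` together with `super("eidas.00", new Object[] {attributeName});` reads correctly, and the empty Javadoc block above `serialVersionUID` should be removed or filled. Because the message id `"eidas.00"` is fixed inside this class, a one-line class Javadoc such as `/** eIDAS attribute error, reported under message id eidas.00 with the attribute name as its only parameter. */` tells callers what the single argument is for. The same empty Javadoc stub appears in the new `eIDASValidationException` in the next file.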
@@ -9,12 +9,12 @@ public class eIDASAuthenticationException extends EAAFAuthenticationException{
 	 */
 	private static final long serialVersionUID = 1L;
-	public eIDASAuthenticationException(String internalMsgId, Object[] params, String msg) {
-		super(internalMsgId, params, msg);
+	public eIDASAuthenticationException(String internalMsgId, Object[] params) {
+		super(internalMsgId, params);
 	}
-	public eIDASAuthenticationException(String internalMsgId, Object[] params, String msg, Throwable e) {
-		super(internalMsgId, params, msg, e);
+	public eIDASAuthenticationException(String internalMsgId, Object[] params, Throwable e) {
+		super(internalMsgId, params, e);
 	}
 }
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASValidationException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASValidationException.java
new file mode 100644
index 00000000..7b81eacd
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/exception/eIDASValidationException.java
@@ -0,0 +1,14 @@
+package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception;
+
+public class eIDASValidationException extends eIDASAuthenticationException {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	public eIDASValidationException(String internalMsgId, Object[] params) {
+		super(internalMsgId, params);
+	}
+
+}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/service/eIDASAttributeRegistry.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/service/eIDASAttributeRegistry.java
new file mode 100644
index 00000000..b3855635
--- /dev/null
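Review bot: Dropping the `String msg` parameter from both `eIDASAuthenticationException` constructors is a public signature change; this diffstat is limited to `eidas_modules/authmodule-eIDAS-v2/src`, so callers in other modules that still pass a message are not visible here and would stop compiling until updated. If the user-facing text is now derived solely from `internalMsgId` (presumably by `EAAFAuthenticationException`), a class Javadoc stating that contract, e.g. `/** Base exception of the eIDAS v2 module; the message is resolved from internalMsgId and params fill its placeholders. */`, would make the removal of the free-text parameter deliberate rather than surprising.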
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/service/eIDASAttributeRegistry.java 
@@ -0,0 +1,114 @@ +package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service; + +import java.io.File; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants; +import eu.eidas.auth.commons.attribute.AttributeRegistries; +import eu.eidas.auth.commons.attribute.AttributeRegistry; + +@Service("attributeRegistry") +public class eIDASAttributeRegistry { +	private static final Logger log = LoggerFactory.getLogger(eIDASAttributeRegistry.class);	 +	@Autowired private IConfiguration basicConfig; +	 +	private AttributeRegistry coreAttributeRegistry; +	  +	private String eidasAttributesFile; +	private String additionalAttributesFile; +	 +	@PostConstruct +	private void initialize() throws RuntimeException { +		try { +			if (eidasAttributesFile.isEmpty()) { +				log.error("Basic eIDAS addribute definition NOT defined"); +				throw new EAAFConfigurationException("Basic eIDAS addribute definition NOT defined"); +			 +			} +         +			boolean additionalAttrAvailabe = false; +			if (!additionalAttributesFile.isEmpty()) { +				File file = new File(additionalAttributesFile); +				if (file.exists()) +					additionalAttrAvailabe = true; +								 +			} +			 +			if (!additionalAttrAvailabe) { +				log.info("Start eIDAS ref. impl. Core without additional eIDAS attribute definitions ... 
"); +				coreAttributeRegistry = AttributeRegistries.fromFiles(eidasAttributesFile, null); +				 +			} else { +				//load attribute definitions +				log.info("Start eIDAS ref. impl. Core with additional eIDAS attribute definitions ... "); +				coreAttributeRegistry = AttributeRegistries.fromFiles(eidasAttributesFile, null, additionalAttributesFile); + +			} +						 +        } catch (Throwable e) { +			log.error("Can NOT initialize eIDAS attribute definition." , e); +			new RuntimeException("Can NOT initialize eIDAS attribute definition.", e); +			 +		}        	 +	} +	 +	 +    public AttributeRegistry getCoreAttributeRegistry() { +        return coreAttributeRegistry; +    } + +	public Map<String, Boolean> getAttributeSetFromConfiguration() { +		Map<String, Boolean> result = new HashMap<String, Boolean>(); +		 +		/*TODO: select set for representation if mandates should be used. +		 * It's an open task in respect to requested eIDAS attributes and isRequired flag, +		 * because there can be a decision problem in case of natural or legal person representation! +		 * From an Austrian use-case point of view, an Austrian service provider can support mandates for  +		 * natural and legal persons at the same time. However, we CAN NOT request attributes for natural AND +		 * legal persons on the same time, because it's not possible to represent both simultaneously. 
+		 */ +		Map<String, String> configAttributes =  +				basicConfig.getBasicMOAIDConfigurationWithPrefix( +						Constants.CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_ONLYNATURAL); +		for (String el: configAttributes.values()) { +			if (StringUtils.isNotEmpty(el.trim())) { +				List<String> attrDef = KeyValueUtils.getListOfCSVValues(el.trim()); +				boolean isRequired = false; +				if (attrDef.size() == 2) +					isRequired = Boolean.parseBoolean(attrDef.get(1)); +				 +				result.put(attrDef.get(0), isRequired); +				 +			}			 +		} +		 +		log.trace("Load #" + result.size() + " requested attributes from configuration"); +		return result; +		 +	} + + +	public void setEidasAttributesFile(String eidasAttributesFile) { +		this.eidasAttributesFile = eidasAttributesFile; +	} + +	public void setAdditionalAttributesFile(String additionalAttributesFile) { +		this.additionalAttributesFile = additionalAttributesFile; +	} +	 +	 +} + diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/szr/SZRClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/szr/SZRClient.java new file mode 100644 index 00000000..86f0d0bb --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/szr/SZRClient.java 
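Review bot: In `initialize()` the failure branch constructs `new RuntimeException("Can NOT initialize eIDAS attribute definition.", e);` but never throws it, so a missing or unparsable attribute definition is logged and then ignored, `coreAttributeRegistry` stays null and the bean is wired as if healthy; the line should read `throw new RuntimeException("Can NOT initialize eIDAS attribute definition.", e);`. `catch (Throwable e)` should become `catch (Exception e)` so that JVM errors are not rewrapped as a configuration problem. `eidasAttributesFile.isEmpty()` and `additionalAttributesFile.isEmpty()` throw `NullPointerException` when the corresponding setter was never called; `StringUtils.isEmpty(eidasAttributesFile)` (the class already imports `StringUtils`) handles null and lets the existing `EAAFConfigurationException` path fire as intended.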
@@ -0,0 +1,372 @@ +package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.szr; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.net.URL; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.security.UnrecoverableKeyException; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import javax.annotation.PostConstruct; +import javax.annotation.Resource; +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName; +import javax.xml.transform.Source; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.stream.StreamResult; +import javax.xml.transform.stream.StreamSource; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Dispatch; +import javax.xml.ws.WebServiceContext; +import javax.xml.ws.handler.Handler; + +import org.apache.commons.lang3.StringUtils; +import org.apache.cxf.configuration.jsse.TLSClientParameters; +import org.apache.cxf.endpoint.Client; +import org.apache.cxf.frontend.ClientProxy; +import org.apache.cxf.jaxws.DispatchImpl; +import org.apache.cxf.transport.http.HTTPConduit; +import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; +import org.apache.xpath.XPathAPI; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; +import org.w3._2000._09.xmldsig.KeyValueType; +import org.w3c.dom.Document; +import 
org.w3c.dom.Element; + +import at.gv.egiz.eaaf.core.api.data.XMLNamespaceConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.SZRCommunicationException; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.utils.LoggingHandler; +import szrservices.GetBPK; +import szrservices.GetBPKResponse; +import szrservices.GetIdentityLink; +import szrservices.GetIdentityLinkResponse; +import szrservices.IdentityLinkType; +import szrservices.PersonInfoType; +import szrservices.SZR; +import szrservices.SZRException_Exception; + +@Service("SZRClientForeIDAS") +public class SZRClient { +	private static final Logger log = LoggerFactory.getLogger(SZRClient.class); +	 +	private static final String CLIENT_DEFAULT = "DefaultClient";	 +	private static final String CLIENT_RAW = "RawClient"; +	 +	@Autowired private IConfiguration basicConfig; +	@Resource private WebServiceContext wsContext; +	  +	//client for anything, without identitylink +	private SZR szr = null; +	 +	//RAW client is needed for identitylink  +	private Dispatch<Source> dispatch = null; +	 +	 +	private SZRService szrService = null; +	private String szrURL = null; +	private QName qname = null; +	 +	public IdentityLinkType getIdentityLink(PersonInfoType personInfo, List<KeyValueType> keyValue, Boolean insertERnP) throws SZRCommunicationException  { +		try { +			return szr.getIdentityLink( +					personInfo,  +					keyValue,   +					insertERnP); +			 +		} catch (SZRException_Exception e) { +			log.warn("SZR communication FAILED. 
Reason: " + e.getMessage(), e); +			throw new SZRCommunicationException("ernb.02", new Object[] {e.getMessage()}, e); +			 +		} +				 +	} +	 +	public IdentityLinkType getIdentityLinkInRawMode(PersonInfoType personInfo, List<KeyValueType> keyValue, Boolean insertERnP) throws SZRCommunicationException  {					 +		try { +			GetIdentityLink getIDL = new GetIdentityLink(); +				getIDL.setInsertERnP(insertERnP); +				getIDL.setPersonInfo(personInfo); +				getIDL.getKeyValue().addAll(keyValue); +		 +				JAXBContext jaxbContext = JAXBContext.newInstance(GetIdentityLink.class); +				Marshaller jaxbMarshaller = jaxbContext.createMarshaller(); +		 +				final ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); +				jaxbMarshaller.marshal(getIDL, outputStream); +				outputStream.flush(); +		 +				Source source = new StreamSource(new ByteArrayInputStream(outputStream.toByteArray())); +				outputStream.close(); +		 +				log.trace("Requesting SZR ... "); +				Source response = dispatch.invoke(source); +				log.trace("Receive RAW response from SZR"); +				 +				byte[] szrResponse = sourceToByteArray(response); +				JAXBContext ctx = JAXBContext.newInstance(IdentityLinkType.class +				    .getPackage().getName()); +				GetIdentityLinkResponse jaxbElement = (GetIdentityLinkResponse) ctx +				    .createUnmarshaller().unmarshal(new ByteArrayInputStream(szrResponse)); +		 +				 +				//build response +				log.trace(new String(szrResponse)); +				log.trace("Signature successfully created. 
Extracting from MOA-SS container."); +				 +				// ok, we have success +				Document doc = DOMUtils.parseDocument( +							new ByteArrayInputStream(szrResponse), +							true, XMLNamespaceConstants.ALL_SCHEMA_LOCATIONS, null, null +						);				 +				String xpathExpression = "//saml:Assertion";				 +				Element nsNode = doc.createElementNS("urn:oasis:names:tc:SAML:1.0:assertion", "saml:NSNode"); + +				log.trace("Selecting signed doc " + xpathExpression); +				Element documentNode = (Element) XPathAPI.selectSingleNode(doc, +				    xpathExpression, nsNode); +				log.trace("Signed document: " + DOMUtils.serializeNode(documentNode)); + +				 +				IdentityLinkType idl = new IdentityLinkType(); +				idl.setAssertion(documentNode); +				idl.setPersonInfo(jaxbElement.getGetIdentityLinkReturn().getPersonInfo()); +				 +				return idl; +				 +		 +				//IdentityLinkType idlResp = this.szr.getIdentityLink(personInfo, keyValue, insertERnP); +				 +		} catch ( Exception e) { +			log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); +			throw new SZRCommunicationException("ernb.02", new Object[] {e.getMessage()}, e); +			 +		} +				 +	} +	 +	public String getBPK(PersonInfoType personInfo, String target, String vkz) throws SZRCommunicationException {		 +		try { +			GetBPK parameters = new GetBPK(); +			parameters.setPersonInfo(personInfo); +			parameters.setBereichsKennung(target); +			parameters.setVKZ(vkz); +			GetBPKResponse result = this.szr.getBPK(parameters); + +			return result.getGetBPKReturn(); +			 +		} catch (SZRException_Exception e) { +			log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); +			throw new SZRCommunicationException("ernb.02", new Object[] {e.getMessage()}, e); +			 +		} + +	} +	 +	 +	@PostConstruct +	private void initialize() { +		log.info("Starting SZR-Client initialization .... 
"); +		URL url = SZRClient.class.getResource("/szr_client/SZR-1.WSDL"); +		 +		boolean useTestSZR = basicConfig.getBasicMOAIDConfigurationBoolean( +				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE,  +				true); +			 +		if (useTestSZR) { +			log.debug("Initializing SZR test environment configuration."); +			qname = SZRService.SZRTestumgebung; +			szrService = new SZRService(url, new QName("urn:SZRServices", "SZRService")); +			szr = szrService.getSZRTestumgebung(); +			szrURL = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_TEST); +			 +			 +		} else { +			log.debug("Initializing SZR productive configuration."); +			qname = SZRService.SZRProduktionsumgebung; +			szrService = new SZRService(url, new QName("urn:SZRServices", "SZRService")); +			szr = szrService.getSZRProduktionsumgebung();			 +			szrURL = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_PROD); +			 +		} +		 +		//create raw client; +		dispatch = szrService.createDispatch(qname, Source.class, javax.xml.ws.Service.Mode.PAYLOAD); +				 +		if (StringUtils.isEmpty(szrURL)) { +			log.error("No SZR service-URL found. SZR-Client initalisiation failed."); +			throw new RuntimeException("No SZR service URL found. SZR-Client initalisiation failed."); +			 +		} +		 +		log.info("Use SZR service-URL: " + szrURL);		 +		injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT); +		injectBindingProvider((BindingProvider) dispatch, CLIENT_RAW); +		 +		log.debug("Inject HTTP client settings ... 
"); +		injectHTTPClient(szr, CLIENT_DEFAULT); +		injectHTTPClient(dispatch, CLIENT_RAW); + +	  	log.info("SZR-Client initialization successfull"); +	} +	 +	private void injectHTTPClient(Object raw, String clientType) { +		//extract client from implementation +		Client client = null; +		if (raw instanceof DispatchImpl<?>) +			client = ((DispatchImpl<?>)raw).getClient(); +		else if (raw instanceof Client) +			 client = ClientProxy.getClient(raw); +		else  +			throw new RuntimeException("SOAP Client for SZR connection is of UNSUPPORTED type: " + raw.getClass().getName()); +		 +		//set basic connection policies +		HTTPConduit http = (HTTPConduit) client.getConduit(); +				 +		//set timeout policy +		HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();			   +		httpClientPolicy.setConnectionTimeout( +				Integer.parseInt(basicConfig.getBasicConfiguration( +						Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION,  +						Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION)) * 1000); +		httpClientPolicy.setReceiveTimeout( +				Integer.parseInt(basicConfig.getBasicConfiguration( +						Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE,  +						Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE)) * 1000);  +		http.setClient(httpClientPolicy); +		 +		//inject SSL context in case of https +	  	if (szrURL.toLowerCase().startsWith("https")) { +	  		log.debug("Adding SSLContext to client: " + clientType +" ... 
"); 	  		 +			TLSClientParameters tlsParams = new TLSClientParameters();			 +			tlsParams.setSSLSocketFactory(createSSLContext(clientType).getSocketFactory());	  		 +			http.setTlsClientParameters(tlsParams );	  		 +			log.info("SSLContext initialized for client: " + clientType); +			 +	  	} +		 +	} + +	private void injectBindingProvider(BindingProvider bindingProvider, String clientType) { +		Map<String, Object> requestContext = bindingProvider.getRequestContext(); +		requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, szrURL); +		 +		log.trace("Adding JAX-WS request/response trace handler to client: " + clientType); +	  	List<Handler> handlerList = bindingProvider.getBinding().getHandlerChain(); +	  	if (handlerList == null) { +	  		handlerList = new ArrayList<Handler>(); +	  		bindingProvider.getBinding().setHandlerChain(handlerList); +	  		 +	  	} +	  	 +	  	//add logging handler to trace messages if required +	  	if (basicConfig.getBasicMOAIDConfigurationBoolean( +	  			Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_TRACEMESSAGES,  +	  			false)) {	  	 +	  		LoggingHandler loggingHandler = new LoggingHandler(); +	  		handlerList.add(loggingHandler); +	  		 +	  	}		 +	} + +	private SSLContext createSSLContext(String clientType) { +		try { +			SSLContext context = SSLContext.getInstance("TLS"); +			 +			//initialize key-mangager for SSL client-authentication +			KeyManager[] keyManager = null; +			String keyStorePath = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PATH); +			String keyStorePassword = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PASSWORD); +			if (StringUtils.isNotEmpty(keyStorePath)) { +				log.trace("Find keyStore path: " + keyStorePath + " Injecting SSL client certificate ... 
"); +				try { +					KeyStore keyStore = KeyStoreUtils.loadKeyStore( +							FileUtils.makeAbsoluteURL(keyStorePath, basicConfig.getConfigurationRootDirectory()),  +							keyStorePassword); +				 +					KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); +					kmf.init(keyStore, keyStorePassword.toCharArray()); +					keyManager = kmf.getKeyManagers(); +					log.debug("SSL client certificate injected to client: " + clientType); +					 +				} catch (KeyStoreException | IOException | UnrecoverableKeyException e) { +					log.error("Can NOT load SSL client certificate from path: " + keyStorePath); +					throw new RuntimeException("Can NOT load SSL client certificate from path: " + keyStorePath, e); +					 +				}				 +			} +			 +			 +			//initialize SSL TrustStore +			TrustManager[] trustManager = null; +			String trustStorePath = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PATH); +			String trustStorePassword = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PASSWORD); +			if (StringUtils.isNotEmpty(trustStorePath)) { +				log.trace("Find trustStore path: " + trustStorePath + " Injecting SSL TrustStore ... 
"); +				try { +					KeyStore trustStore = KeyStoreUtils.loadKeyStore( +							FileUtils.makeAbsoluteURL(trustStorePath, basicConfig.getConfigurationRootDirectory()),  +							trustStorePassword); +				 +					TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); +					tmf.init(trustStore); +					trustManager = tmf.getTrustManagers(); +					log.debug("SSL TrustStore injected to client: " + clientType); +					 +				} catch (KeyStoreException | IOException e) { +					log.error("Can NOT open SSL TrustStore from path: " + trustStorePath); +					throw new RuntimeException("Can NOT open SSL TrustStore from path: " + trustStorePath, e); +					 +				}	 +				 +			} +			 +			 +			context.init(keyManager, trustManager, new SecureRandom()); +		    return context; +			 +		} catch (NoSuchAlgorithmException | KeyManagementException e) { +			log.error("SSLContext initialization FAILED.", e); +			throw new RuntimeException("SSLContext initialization FAILED.", e); +			 +		} +		 +	} +	 +	private byte[] sourceToByteArray(Source result) throws TransformerException { +		TransformerFactory factory = TransformerFactory.newInstance(); +		Transformer transformer = factory.newTransformer(); +		transformer.setOutputProperty("omit-xml-declaration", "yes"); +		transformer.setOutputProperty("method", "xml"); +		ByteArrayOutputStream out = new ByteArrayOutputStream(); +		StreamResult streamResult = new StreamResult(); +		streamResult.setOutputStream(out); +		transformer.transform(result, streamResult); +		return out.toByteArray(); +	} +	 +	 +	 +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/szr/SZRService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/szr/SZRService.java new file mode 100644 index 00000000..8e4911b9 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/szr/SZRService.java 
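Review bot: `injectHTTPClient` installs the TLS parameters only when `szrURL` starts with "https", so a misconfigured plain-http endpoint makes the client send `PersonInfoType` data and receive identity links unencrypted without any diagnostic; unless a plain-http test endpoint is intentionally supported, `initialize()` should reject it next to the empty-URL check, e.g. `if (!szrURL.toLowerCase().startsWith("https")) throw new RuntimeException("SZR service-URL must use https: " + szrURL);`, or at least log a warning in an else branch. In the same method `useTestSZR` defaults to `true` when `CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE` is absent, so a missing key silently selects the test environment; making the key mandatory would surface that misconfiguration at startup instead. `createSSLContext` calls `keyStorePassword.toCharArray()` when only the keystore path is configured, which escapes the `KeyStoreException | IOException | UnrecoverableKeyException` catch as a bare NPE rather than the intended error message, and `SSLContext.getInstance("TLS")` could be pinned to `"TLSv1.2"`. `sourceToByteArray` builds a `TransformerFactory` for the SZR response without `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` (plus `ACCESS_EXTERNAL_STYLESHEET`), which the JAXP API provides for exactly this case. Finally, `getIdentityLinkInRawMode` dumps the complete identity-link payload with `log.trace(new String(szrResponse))` (platform charset, personal data) under a copy-pasted "Signature successfully created. Extracting from MOA-SS container." message; log the byte count or a redacted form there and fix the message.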
@@ -0,0 +1,139 @@ +package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.szr; + +import java.net.URL; + +import javax.xml.namespace.QName; +import javax.xml.ws.Service; +import javax.xml.ws.WebEndpoint; +import javax.xml.ws.WebServiceClient; +import javax.xml.ws.WebServiceFeature; + +import szrservices.SZR; + +/** + * This class was generated by Apache CXF 3.1.16 + * 2018-07-10T09:36:01.466+02:00 + * Generated source version: 3.1.16 + *  + */ +@WebServiceClient(name = "SZRService",  +                  wsdlLocation = "./src/main/resources/szr_client/SZR-1.WSDL", +                  targetNamespace = "urn:SZRServices")  +public class SZRService extends Service { + +    public final static URL WSDL_LOCATION; + +    public final static QName SERVICE = new QName("urn:SZRServices", "SZRService"); +    public final static QName SZRProduktionsumgebung = new QName("urn:SZRServices", "SZRProduktionsumgebung"); +    public final static QName SZRTestumgebung = new QName("urn:SZRServices", "SZRTestumgebung"); +    public final static QName SZRBusinesspartnerTestumgebung = new QName("urn:SZRServices", "SZRBusinesspartnerTestumgebung"); +    static { +    	URL url = SZRService.class.getResource("./src/main/resources/szr_client/SZR-1.WSDL"); +        if (url == null) { +            url = SZRService.class.getClassLoader().getResource("/szr_client/SZR-1.WSDL"); +        }  +        if (url == null) { +            java.util.logging.Logger.getLogger(SZRService.class.getName()) +                .log(java.util.logging.Level.INFO,  +                     "Can not initialize the default wsdl from {0}", "/szr_client/SZR-1.WSDL"); +        }        +        WSDL_LOCATION = url; + +    } + +    public SZRService(URL wsdlLocation) { +        super(wsdlLocation, SERVICE); +    } + +    public SZRService(URL wsdlLocation, QName serviceName) { +        super(wsdlLocation, serviceName); +    } + +    public SZRService() { +        super(WSDL_LOCATION, SERVICE); +    } +     +    public 
SZRService(WebServiceFeature ... features) { +        super(WSDL_LOCATION, SERVICE, features); +    } + +    public SZRService(URL wsdlLocation, WebServiceFeature ... features) { +        super(wsdlLocation, SERVICE, features); +    } + +    public SZRService(URL wsdlLocation, QName serviceName, WebServiceFeature ... features) { +        super(wsdlLocation, serviceName, features); +    }     + + + + +    /** +     * +     * @return +     *     returns SZR +     */ +    @WebEndpoint(name = "SZRProduktionsumgebung") +    public SZR getSZRProduktionsumgebung() { +        return super.getPort(SZRProduktionsumgebung, SZR.class); +    } + +    /** +     *  +     * @param features +     *     A list of {@link javax.xml.ws.WebServiceFeature} to configure on the proxy.  Supported features not in the <code>features</code> parameter will have their default values. +     * @return +     *     returns SZR +     */ +    @WebEndpoint(name = "SZRProduktionsumgebung") +    public SZR getSZRProduktionsumgebung(WebServiceFeature... features) { +        return super.getPort(SZRProduktionsumgebung, SZR.class, features); +    } + + +    /** +     * +     * @return +     *     returns SZR +     */ +    @WebEndpoint(name = "SZRTestumgebung") +    public SZR getSZRTestumgebung() { +        return super.getPort(SZRTestumgebung, SZR.class); +    } + +    /** +     *  +     * @param features +     *     A list of {@link javax.xml.ws.WebServiceFeature} to configure on the proxy.  Supported features not in the <code>features</code> parameter will have their default values. +     * @return +     *     returns SZR +     */ +    @WebEndpoint(name = "SZRTestumgebung") +    public SZR getSZRTestumgebung(WebServiceFeature... 
features) { +        return super.getPort(SZRTestumgebung, SZR.class, features); +    } + + +    /** +     * +     * @return +     *     returns SZR +     */ +    @WebEndpoint(name = "SZRBusinesspartnerTestumgebung") +    public SZR getSZRBusinesspartnerTestumgebung() { +        return super.getPort(SZRBusinesspartnerTestumgebung, SZR.class); +    } + +    /** +     *  +     * @param features +     *     A list of {@link javax.xml.ws.WebServiceFeature} to configure on the proxy.  Supported features not in the <code>features</code> parameter will have their default values. +     * @return +     *     returns SZR +     */ +    @WebEndpoint(name = "SZRBusinesspartnerTestumgebung") +    public SZR getSZRBusinesspartnerTestumgebung(WebServiceFeature... features) { +        return super.getPort(SZRBusinesspartnerTestumgebung, SZR.class, features); +    } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/CreateIdentityLinkTask.java index dfd945c9..b31b6a21 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/CreateIdentityLinkTask.java 
@@ -3,41 +3,80 @@
 package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.tasks;
 import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
 import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.Base64Utils;
+import org.w3._2000._09.xmldsig.KeyValueType;
+import org.w3._2000._09.xmldsig.RSAKeyValueType;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
-import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
-import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASAttributeException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
-import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
-import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
-import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import 
at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
-import at.gv.egovernment.moa.util.XPathUtils;
-import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
-
-/**
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+
+import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType;
+import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.core.impl.utils.XPathUtils;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.SZRCommunicationException;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.eIDASAttributeException;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.utils.eIDASResponseUtils;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.attribute.AttributeValue;
+import 
eu.eidas.auth.commons.light.ILightResponse;
+import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress;
+import szrservices.IdentityLinkType;
+import szrservices.PersonInfoType;
+import szrservices.TravelDocumentType;
+
+/** 
  * @author tlenz
- *
+ * 
  */
 @Component("CreateIdentityLinkTask")
 public class CreateIdentityLinkTask extends AbstractAuthServletTask {
-
+	private static final Logger log = LoggerFactory.getLogger(CreateIdentityLinkTask.class);
+	
+	//@Autowired private eIDASAttributeRegistry attrRegistry;
+	@Autowired private IConfiguration basicConfig;
+	@Autowired private SZRClient szrClient;
+	
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 	 */
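Review bot: The new field block keeps a commented-out injection point, `//@Autowired private eIDASAttributeRegistry attrRegistry;`, which should be deleted rather than shipped as dead code; the class body continues past this hunk. The class-level Javadoc retained as context still says `@see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(...)`, although this commit replaces every `at.gv.egovernment.moa.id` import with its `at.gv.egiz.eaaf` counterpart, so the reference should point at `AbstractAuthServletTask#execute` or be dropped. The imports add `java.security.spec.PKCS8EncodedKeySpec` alongside `KeyFactory`, `RSAPublicKey`, `BigInteger` and `RSAKeyValueType`; if that spec is meant for rebuilding a public key from the key value, note that PKCS#8 is the private-key encoding and `RSAPublicKeySpec` (modulus/exponent) or `X509EncodedKeySpec` is the public-key form — the use site is outside this hunk, so this is a flag to verify, not a confirmed defect.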
@@ -46,115 +85,293 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {  			HttpServletRequest request, HttpServletResponse response)  			throws TaskExecutionException {  		try{ -			defaultTaskInitialization(request, executionContext); -												 -			//get eIDAS attributes from MOA-Session -			ImmutableAttributeMap eIDASAttributes = moasession.getGenericDataFromSession( -					AuthenticationSessionStorageConstants.eIDAS_ATTRIBUTELIST,  -					ImmutableAttributeMap.class); -			 -			IIdentityLink identityLink = null; -			 +			AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); +			ILightResponse eIDASResponse = authProcessData.getGenericDataFromSession( +					Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class);																	 +		    Map<String, Object> simpleAttrMap = converteIDASAttrToSimpleMap(eIDASResponse.getAttributes().getAttributeMap());		    		     +		     +		    IIdentityLink identityLink = null; +		    String bPK = null; +		     +		    //extract attributes +	        Object eIdentifierObj = simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); +	        Object familyNameObj = simpleAttrMap.get(Constants.eIDAS_ATTR_CURRENTFAMILYNAME); +	        Object givenNameObj = simpleAttrMap.get(Constants.eIDAS_ATTR_CURRENTGIVENNAME); +	        Object dateOfBirthObj = simpleAttrMap.get(Constants.eIDAS_ATTR_DATEOFBIRTH); +	         +	        //check if availabe +	        if (eIdentifierObj == null || !(eIdentifierObj instanceof String)) +	        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER);	 +	        	         +	        if (familyNameObj == null || !(familyNameObj instanceof String)) +	        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_CURRENTFAMILYNAME);	 +	        	         +	        if (givenNameObj == null || !(givenNameObj instanceof String)) +	        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_CURRENTGIVENNAME); +		    	         
+	        if (dateOfBirthObj == null || !(dateOfBirthObj instanceof DateTime)) +	        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH); +	          			//connect SZR-Gateway -			//TODO: implement SZR-Gateway communication!!!! -			if(true) { -								 +			if(basicConfig.getBasicMOAIDConfigurationBoolean( +					Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { +				log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!");  				// create fake IdL  				// - fetch IdL template from resources  				InputStream s = CreateIdentityLinkTask.class.getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");  				Element idlTemplate = DOMUtils.parseXmlValidating(s); -			    identityLink = new IdentityLinkAssertionParser(idlTemplate).parseIdentityLink(); +			    identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink();  			    // replace data  	            Element idlassertion = identityLink.getSamlAssertion();  	            // - set fake baseID; -		        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);		        		         -		         -		         -		        Object eIdentifier = eIDASAttributes.getFirstValue( -		        		SAMLEngineUtils.getMapOfAllAvailableAttributes().get( -		        				Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); -		        if (eIdentifier == null || !(eIdentifier instanceof String)) -		        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER);		        			        		        		         -		        prIdentification.getFirstChild().setNodeValue((String) eIdentifier); +		        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);		        		         +		        prIdentification.getFirstChild().setNodeValue((String) eIdentifierObj);  		        //build personal identifier which looks like a baseID		          //		        
String fakeBaseID = new BPKBuilder().buildBPK(eIdentifier, "baseID");  //		        Logger.info("Map eIDAS eIdentifier:" + eIdentifier + " to fake baseID:" + fakeBaseID);  //		        prIdentification.getFirstChild().setNodeValue(fakeBaseID); - +   		        // - set last name -		        Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);		         -		        Object familyName = eIDASAttributes.getFirstValue( -		        		SAMLEngineUtils.getMapOfAllAvailableAttributes().get( -		        				Constants.eIDAS_ATTR_CURRENTFAMILYNAME)); -		        if (familyName == null || !(familyName instanceof String)) -		        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_CURRENTFAMILYNAME); -				prFamilyName.getFirstChild().setNodeValue((String) familyName); +		        Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);		        	         +				prFamilyName.getFirstChild().setNodeValue((String) familyNameObj);  		        // - set first name -		        Node prGivenName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); -		        Object givenName = eIDASAttributes.getFirstValue( -		        		SAMLEngineUtils.getMapOfAllAvailableAttributes().get( -		        				Constants.eIDAS_ATTR_CURRENTGIVENNAME)); -		        if (givenName == null || !(givenName instanceof String)) -		        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_CURRENTGIVENNAME); -				prGivenName.getFirstChild().setNodeValue((String) givenName); +		        Node prGivenName = XPathUtils.selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); +				prGivenName.getFirstChild().setNodeValue((String) givenNameObj);  		        // - set date of birth -		        Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);		         -		      
  Object dateOfBirth = eIDASAttributes.getFirstValue( -		        		SAMLEngineUtils.getMapOfAllAvailableAttributes().get( -		        				Constants.eIDAS_ATTR_DATEOFBIRTH)); -		        if (dateOfBirth == null || !(dateOfBirth instanceof DateTime)) -		        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH); -		         -				String formatedDateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(((DateTime)dateOfBirth).toDate()); +		        Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);		        		         +				String formatedDateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(((DateTime)dateOfBirthObj).toDate());  				prDateOfBirth.getFirstChild().setNodeValue(formatedDateOfBirth); -	            identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink(); +	            identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); -	            //resign IDL -				IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); -				Element resignedilAssertion = identitylinkresigner.resignIdentityLink(identityLink.getSamlAssertion(), authConfig.getStorkFakeIdLResigningKey()); -				identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink(); -				 +	            Pair<String, String> bPKCalc = new BPKBuilder().generateAreaSpecificPersonIdentifier( +	            		identityLink.getIdentificationValue(),  +	            		identityLink.getIdentificationType(),  +	            		pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); +	            bPK = bPKCalc.getFirst(); +	             +	            	            				  			} else {  				//contact SZR Gateway -				Logger.debug("Starting connecting SZR Gateway"); +				log.debug("Starting connecting SZR Gateway");											 +				PersonInfoType personInfo = new PersonInfoType(); +				PersonNameType personName = new 
PersonNameType(); +				PhysicalPersonType naturalPerson = new PhysicalPersonType(); +				TravelDocumentType eDocument = new TravelDocumentType();				 +				 +				naturalPerson.setName(personName ); +				personInfo.setPerson(naturalPerson ); +				personInfo.setTravelDocument(eDocument ); +								 +				//parse some eID attributes +				String dateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(((DateTime)dateOfBirthObj).toDate()); +				Trible<String, String, String> eIdentifier =  +						eIDASResponseUtils.parseEidasPersonalIdentifier((String)eIdentifierObj); +				String uniqueId = (String)eIdentifierObj; +				String citizenCountry = eIdentifier.getFirst(); +							 +				//person information +				personName.setFamilyName((String)familyNameObj); +				personName.setGivenName((String)givenNameObj); +				naturalPerson.setDateOfBirth(dateOfBirth); +				eDocument.setIssuingCountry(citizenCountry); +				eDocument.setDocumentNumber(uniqueId); +				 +				//eID document information								 +				eDocument.setDocumentType(basicConfig.getBasicConfiguration( +						Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE,  +						Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); +				 +				//TODO: that should be removed +				eDocument.setIssueDate(basicConfig.getBasicConfiguration( +						Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_ISSUING_DATE,  +						Constants.SZR_CONSTANTS_DEFAULT_ISSUING_DATE)); +				eDocument.setIssuingAuthority(basicConfig.getBasicConfiguration( +						Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_ISSUING_AUTHORITY,  +						Constants.SZR_CONSTANTS_DEFAULT_ISSUING_AUTHORITY)); +				 +				//TODO: keys are not available in eIDAS				 +				List<KeyValueType> keyValue = dummyCodeForKeys(); +				 +				/*TODO:  +				 *  Validate if IDL signature is valid after using this method +				*   MAYBE we had to switch to 'getIdentityLinkInRawMode' method! 
+				*/ +				IdentityLinkType result = szrClient.getIdentityLink( +											personInfo,  +											keyValue,  +											basicConfig.getBasicMOAIDConfigurationBoolean( +													Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_INSERTERNB,  +													true) +											); + +				Element idlFromSZR = (Element)result.getAssertion();			 +				identityLink = new SimpleIdentityLinkAssertionParser(idlFromSZR).parseIdentityLink(); +				 +				 +				//get bPK from SZR +				bPK = szrClient.getBPK( +						personInfo,  +						pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),  +						basicConfig.getBasicConfiguration( +								Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ,  +								"no VKZ defined")); +								 +			} +						 +			if (identityLink == null) { +				log.error("ERnB did not return an identity link."); +				throw new SZRCommunicationException("ernb.00", null); +				 +			} -				//TODO:!!!!!! +			if (bPK == null) { +				log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); +				throw new SZRCommunicationException("ernb.01", null);  			} -			Logger.debug("SZR communication was successfull"); +			log.debug("ERnB communication was successfull"); +			 +			revisionsLogger.logEvent(pendingReq, -1);			 +			authProcessData.setForeigner(true); +			authProcessData.setIdentityLink(identityLink); +			authProcessData.setGenericDataToSession( +					PVPAttributeDefinitions.EID_ISSUING_NATION_NAME,  +					eIDASResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst()); +			 +			//set bPK and bPKType into auth session +			authProcessData.setGenericDataToSession( +					PVPAttributeDefinitions.BPK_NAME,  +					extendBPKbyPrefix( +							bPK,  +							pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()) +					); +			authProcessData.setGenericDataToSession( +					
PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,  +					pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); -			if (identityLink == null) { -				Logger.error("SZR Gateway did not return an identity link."); -				throw new MOAIDException("stork.10", null); -			} -			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_IDL_RECEIVED);			 -			moasession.setForeigner(true); -			moasession.setIdentityLink(identityLink); -			moasession.setBkuURL("Not applicable (eIDASAuthentication)"); -			//store MOA-session to database +			//store pending-request  			requestStoreage.storePendingRequest(pendingReq); -		 +					  		} catch (eIDASAttributeException e) {  			throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); -		} catch (MOAIDException | MOADatabaseException e) { +		} catch (EAAFException e) {  			throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e);  		} catch (Exception e) { -			Logger.error("IdentityLink generation for foreign person FAILED.", e); +			log.error("IdentityLink generation for foreign person FAILED.", e);  			throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e);  		}  	} +	private List<KeyValueType> dummyCodeForKeys() { +		if (basicConfig.getBasicMOAIDConfigurationBoolean( +				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_KEYS_USEDUMMY,  +				false)) { +			List<KeyValueType> keyvalueList = new ArrayList<KeyValueType>(); +			try {			 +				PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Constants.SZR_CONSTANTS_DEFAULT_PUBL_KEY); +				KeyFactory kf = KeyFactory.getInstance("RSA"); + +				PublicKey pb = kf.generatePublic(spec); +				 +				RSAPublicKey rsapb = (RSAPublicKey)pb;	         +				BigInteger modulus = rsapb.getModulus(); +				BigInteger exponent = rsapb.getPublicExponent(); +		           	            +				// set key values +				RSAKeyValueType rsa = 
new RSAKeyValueType(); +				rsa.setExponent(new String(Base64Utils.encode(exponent.toByteArray()))); +				rsa.setModulus(new String(Base64Utils.encode(modulus.toByteArray()))); +						 +				KeyValueType key = new KeyValueType(); +				key.setRSAKeyValue(rsa); +							 +				keyvalueList.add(key); +			 +				return keyvalueList; +			} catch (NoSuchAlgorithmException | InvalidKeySpecException e) { +				log.error("TestCode has an internal ERROR", e); +				 +			} +			 +		} +		 +		return null; +		 +	} + +	private String extendBPKbyPrefix(String bpk, String type) { +		String bPKType = null; +		 +		if (type.startsWith(EAAFConstants.URN_PREFIX_WBPK)) +			bPKType = type.substring((EAAFConstants.URN_PREFIX_WBPK).length()); +		 +		else if (type.startsWith(EAAFConstants.URN_PREFIX_CDID))  +			bPKType = type.substring((EAAFConstants.URN_PREFIX_CDID).length()); +		 +		else if (type.startsWith(EAAFConstants.URN_PREFIX_EIDAS))  +			bPKType = type.substring((EAAFConstants.URN_PREFIX_EIDAS).length()); +		 + +		if (bPKType != null ) { +			log.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + bPKType); +			return bPKType + ":" + bpk; +			 +		} else {		 +			log.warn("Service Provider Target with: " + type + " is NOT supported. Set bPK as it is ..."); +			return bpk; +			 +		} +		 +	} +	 +	//TODO: update for complexe attributes +	private Map<String, Object> converteIDASAttrToSimpleMap( +			ImmutableMap<AttributeDefinition<?>, ImmutableSet<? 
extends AttributeValue<?>>> attributeMap) { +		Map<String, Object> result = new HashMap<String, Object>(); +		 +		for (AttributeDefinition<?> el : attributeMap.keySet()) { +			 +			final Class parameterizedType = el.getParameterizedType(); +		    if ((DateTime.class).equals(parameterizedType)) { +		        DateTime attribute = eIDASResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); +		        if (attribute != null) +		        	result.put(el.getFriendlyName(), attribute); +		        else +		        	log.info("Ignore empty 'DateTime' attribute"); +		         +		    } else if ((PostalAddress.class).equals(parameterizedType)) { +		        PostalAddress addressAttribute = eIDASResponseUtils.translateAddressAttribute(el, attributeMap.get(el).asList()); +		        if (addressAttribute != null) +		        	result.put(el.getFriendlyName(), addressAttribute); +		        else +		        	log.info("Ignore empty 'PostalAddress' attribute"); +		         +		    } else {			 +		    	List<String> natPersonIdObj = eIDASResponseUtils.translateStringListAttribute(el, attributeMap.get(el).asList());		     +		    	String stringAttr = natPersonIdObj.get(0); +		    	if (StringUtils.isNotEmpty(stringAttr)) +		    		result.put(el.getFriendlyName(), stringAttr); +		    	else +		    		log.info("Ignore empty 'String' attribute"); +		    	 +		    }			 +		} +						 +		return result; +	} + +  } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java index 358b681e..da554249 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java 
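Review bot: In the SZR branch a missing configuration value becomes data sent to the register instead of an error: `szrClient.getBPK` receives the literal default `"no VKZ defined"` as the VKZ, and the document issue date and issuing authority fall back to the `SZR_CONSTANTS_DEFAULT_*` constants that the hunk itself marks "TODO: that should be removed". I would read the VKZ without a default and stop before the call, e.g. `String vkz = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ); if (StringUtils.isEmpty(vkz)) throw new SZRCommunicationException(…)` with a dedicated error code, or an EAAF configuration exception, which the `catch (EAAFException e)` below already maps to a TaskExecutionException. Related: the identity link from `result.getAssertion()` is parsed with `SimpleIdentityLinkAssertionParser` and no signature check is visible here (the hunk's own TODO says so), while the dummy branch also dropped the `IdentityLinkReSigner` step the old code had, so unless the parser or the SZR client verifies the assertion both paths hand an unverified IdL to `authProcessData.setIdentityLink`; if the dummy flag is ever set in production that IdL and the bPK derived from it still authenticate the user, which deserves more than a `log.warn`. Two smaller items: `extendBPKbyPrefix` writes the bPK value itself into the trace log (`log.trace("Authenticate user with bPK/wbPK " + bpk + ...)`), which is a person identifier and should be logged only as its type, and the template `InputStream s` in the dummy branch is never closed, which `try (InputStream s = CreateIdentityLinkTask.class.getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml")) { idlTemplate = DOMUtils.parseXmlValidating(s); }` fixes. The signature of `execute` starts above this hunk.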
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java 
@@ -2,66 +2,64 @@
  *******************************************************************************/
 package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.tasks;
-import java.io.StringWriter;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
+import java.util.Map;
 import java.util.UUID;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.lang3.BooleanUtils;
-import org.apache.velocity.Template;
-import org.apache.velocity.VelocityContext;
-import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SingleSignOnService;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Component;
-import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
-import com.google.common.net.MediaType;
+import com.google.common.collect.ImmutableSortedSet;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage;
+import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eidas.specific.connector.gui.StaticGuiBuilderConfiguration;
 import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
-import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.commons.api.IRequest;
-import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
-import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
-import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
-import eu.eidas.auth.commons.EidasStringUtil;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.eIDASAuthenticationException;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service.eIDASAttributeRegistry;
+import eu.eidas.auth.commons.EidasParameterKeys;
 import eu.eidas.auth.commons.attribute.AttributeDefinition;
-import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder;
-import eu.eidas.auth.commons.light.impl.LightRequest;
 import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
-import eu.eidas.auth.commons.protocol.IRequestMessage;
-import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;
-import eu.eidas.auth.commons.protocol.eidas.LevelOfAssuranceComparison;
+import eu.eidas.auth.commons.light.ILightRequest;
+import eu.eidas.auth.commons.light.impl.LightRequest;
 import eu.eidas.auth.commons.protocol.eidas.SpType;
-import eu.eidas.auth.commons.protocol.eidas.impl.EidasAuthenticationRequest;
+import eu.eidas.auth.commons.tx.BinaryLightToken;
+import eu.eidas.specificcommunication.BinaryLightTokenHelper;
+import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames;
+import eu.eidas.specificcommunication.exception.SpecificCommunicationException;
+import eu.eidas.specificcommunication.protocol.impl.SpecificConnectorCommunicationServiceImpl;
 /**
  * @author tlenz
  *
- */
-@Component("GenerateAuthnRequestTask")
+ */  
+@Component("ConnecteIDASNodeTask")
 public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
-
-	/* (non-Javadoc)
-	 * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
-	 */
+	private static final Logger log = LoggerFactory.getLogger(GenerateAuthnRequestTask.class);
+	
+	@Autowired IConfiguration basicConfig;
+	@Autowired eIDASAttributeRegistry attrRegistry;
+	@Autowired ApplicationContext context;
+	@Autowired ITransactionStorage transactionStore;
+	@Autowired IGUIFormBuilder guiBuilder;
+	
 	@Override
 	public void execute(ExecutionContext executionContext,
 			HttpServletRequest request, HttpServletResponse response)
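Review bot: The injected collaborators in this hunk are package-private (`@Autowired IConfiguration basicConfig;`, `attrRegistry`, `context`, `transactionStore`, `guiBuilder`), while `CreateIdentityLinkTask` in the same commit declares its `@Autowired` fields `private`; declaring them `private` here keeps the two tasks consistent and stops other classes in the package from reaching into the task's wiring. The bean name no longer matches the class (`@Component("ConnecteIDASNodeTask")` on `GenerateAuthnRequestTask`), which deserves a one-line comment such as `// bean name is the task id referenced by the process definition`, assuming that is the reason it differs. Several newly added imports — `javax.servlet.ServletException`, `ImmutableSortedSet`, `SpecificCommunicationDefinitionBeanNames`, `SpecificCommunicationException`, `SpecificConnectorCommunicationServiceImpl` — are not used in the part of the class visible in this diff; if the rest of `execute` does not use them either, they should be dropped. The class body continues past this hunk.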
@@ -69,245 +67,196 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {  		try{						  			//get service-provider configuration -			IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration(); +			ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration();  			// get target and validate citizen countryCode -			String citizenCountryCode = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC); +			String citizenCountryCode = (String) executionContext.get(Constants.EXECUTIONCONTEXT_SELECTED_COUNTRY);  			if (StringUtils.isEmpty(citizenCountryCode)) {  				// illegal state; task should not have been executed without a selected country -				throw new AuthenticationException("eIDAS.03", new Object[] { "" }); +				throw new eIDASAuthenticationException("eidas.03", new Object[] { "" });  			} -			CPEPS cpeps = authConfig.getStorkConfig().getCPEPSWithFullName(citizenCountryCode); -			if(null == cpeps) { -				Logger.error("PEPS unknown for country: " + citizenCountryCode); -				throw new AuthenticationException("eIDAS.04", new Object[] {citizenCountryCode}); -			} -			Logger.debug("Found eIDaS Node/C-PEPS configuration for citizen of country: " + citizenCountryCode); -			 -			//TODO: load authnReq End-Point URL from configuration  -			SingleSignOnService authnReqEndpoint = null; +			//TODO: maybe add countryCode validation before request ref. impl. eIDAS node +			log.debug("Request eIDAS auth. 
for citizen of country: " + citizenCountryCode); -			 +						  			//TODO: switch to entityID and set new status codes -//			revisionsLogger.logEvent(oaConfig, pendingReq,  -//					MOAIDEventConstants.AUTHPROCESS_PEPS_SELECTED, -//					metadataUrl); +			//revisionsLogger.logEvent(oaConfig, pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_SELECTED, metadataUrl); -			// assemble requested attributes -			Collection<StorkAttribute> attributesFromConfig = oaConfig.getRequestedSTORKAttributes(); - -			// - prepare attribute list						 -			 -			// - fill container -			List<AttributeDefinition<?>> reqAttrList = new ArrayList<AttributeDefinition<?>>(); -			//TODO: update requested attribute builder -//			for (StorkAttribute current : attributesFromConfig) {								 -//				AttributeDefinition<?> newAttribute = SAMLEngineUtils.getMapOfAllAvailableAttributes().get(current.getName()); -//				 -//				if (newAttribute == null) { -//					Logger.warn("eIDAS attribute with friendlyName:" + current.getName() + " is not supported."); -//					 -//				} else { -//					boolean globallyMandatory = false; -//					for (StorkAttribute currentGlobalAttribute : authConfig.getStorkConfig().getStorkAttributes()) -//						if (current.getName().equals(currentGlobalAttribute.getName())) { -//							globallyMandatory = BooleanUtils.isTrue(currentGlobalAttribute.getMandatory()); -//							break; -//						} -//					 -//					Builder<?> attrBuilder = AttributeDefinition.builder(newAttribute).required(current.getMandatory() || globallyMandatory); -//					reqAttrList.add(attrBuilder.build()); -//					 -//				}				 -//			} -			 -			//request  -//			if (reqAttrList.isEmpty()) { -//				Logger.info("No attributes requested by OA:" + pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix() -//						+ " -->  Request attr:" + Constants.eIDAS_ATTR_PERSONALIDENTIFIER + " by default"); -//				AttributeDefinition<?> newAttribute = 
SAMLEngineUtils.getMapOfAllAvailableAttributes().get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); -//				Builder<?> attrBuilder = AttributeDefinition.builder(newAttribute).required(true); -//				reqAttrList.add(attrBuilder.build()); -//				 -//			} -			 -			//build requested attribute set			 -			ImmutableAttributeMap reqAttrMap = new ImmutableAttributeMap.Builder().putAll(reqAttrList).build();  			//build eIDAS AuthnRequest			 -			LightRequest.Builder authnRequestBuilder = LightRequest.builder(); -			 +			LightRequest.Builder authnRequestBuilder = LightRequest.builder();			  			authnRequestBuilder.id(UUID.randomUUID().toString()); -			authnRequestBuilder.providerName(pendingReq.getAuthURL()); -			String issur = pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA; -			authnRequestBuilder.issuer(issur); -			//TODO: -			//authnRequestBuilder.destination(authnReqEndpoint.getLocation()); -						 -			authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT);			 +			String issur = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); +			if (StringUtils.isEmpty(issur)) { +				log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); +				throw new EAAFConfigurationException("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); +				 +			} +			authnRequestBuilder.issuer(issur); -			//set minimum required eIDAS LoA from OA config -			String LoA = oaConfig.getQaaLevel(); -			//TODO: -//			if (MiscUtil.isNotEmpty(LoA))			 -//				authnRequestBuilder.levelOfAssurance(LevelOfAssurance.fromString(oaConfig.getQaaLevel())); -//			else -				authnRequestBuilder.levelOfAssurance(LevelOfAssurance.HIGH.getValue()); -			//TODO: check if required -			//authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); +			//TODO: set matching mode if eIDAS ref. impl. support this method +				 +			//TODO: update if eIDAS ref. impl. 
supports exact matching for non-notified LoA schemes +			String loa = EAAFConstants.EIDAS_LOA_HIGH; +			if (spConfig.getRequiredLoA() != null) { +				if (spConfig.getRequiredLoA().isEmpty()) +					log.info("No eIDAS LoA requested. Use LoA HIGH as default"); +				 +				else {					 +					if (spConfig.getRequiredLoA().size() > 1 ) +						log.info("Currently only ONE requested LoA is supported for service provider. Use first one ... "); +					 +					loa = spConfig.getRequiredLoA().get(0); +					 +				}									 +			} +						 +			log.debug("Request eIdAS node with LoA: " + loa); +			authnRequestBuilder.levelOfAssurance(loa); -			//set correct SPType for this online application -			if (oaConfig.hasBaseIdTransferRestriction()) -				authnRequestBuilder.spType(SpType.PRIVATE.getValue()); -			else +			//set correct SPType for requested target sector				 +			String publicSectorTargetSelector = basicConfig.getBasicConfiguration( +					Constants.CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS,  +					Constants.POLICY_DEFAULT_ALLOWED_TARGETS);		 +			Pattern p = Pattern.compile(publicSectorTargetSelector); +			Matcher m = p.matcher(spConfig.getAreaSpecificTargetIdentifier()); +			if (m.matches()) { +				log.debug("Map " + spConfig.getAreaSpecificTargetIdentifier() + " to 'PublicSector'");  				authnRequestBuilder.spType(SpType.PUBLIC.getValue()); + +				//TODO: only for eIDAS ref. 
node 2.0 because it need 'Providername' for any SPType  +				String providerName = pendingReq.getRawData(Constants.DATA_PROVIDERNAME, String.class); +				if (StringUtils.isNotEmpty(providerName)  +						&& basicConfig.getBasicMOAIDConfigurationBoolean( +								Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_ADD_ALWAYS_PROVIDERNAME,  +								false) +						) +					authnRequestBuilder.providerName(providerName); +				 +			} else { +				log.debug("Map " + spConfig.getAreaSpecificTargetIdentifier() + " to 'PrivateSector'"); +				authnRequestBuilder.spType(SpType.PRIVATE.getValue()); +				//TODO: switch to RequesterId in further version +				//set provider name for private sector applications +				String providerName = pendingReq.getRawData(Constants.DATA_PROVIDERNAME, String.class); +				if (StringUtils.isNotEmpty(providerName)) +					authnRequestBuilder.providerName(providerName); -			//TODO -			//set service provider (eIDAS node) countryCode  -//			authnRequestBuilder.serviceProviderCountryCode( -//					authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT")); -						 -			//set citizen country code for foreign uses -			authnRequestBuilder.citizenCountryCode(cpeps.getCountryCode()); -			 -			//add requested attributes -			authnRequestBuilder.requestedAttributes(reqAttrMap); -			 +			} -			LightRequest lightAuthnReq = authnRequestBuilder.build(); +			//set nameIDFormat +			authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT); +			//set citizen country code for foreign uses +			authnRequestBuilder.citizenCountryCode(citizenCountryCode); +			//set relay state +			authnRequestBuilder.relayState(pendingReq.getPendingRequestId()); -			//IRequestMessage authnRequest = engine.generateRequestMessage(authnRequestBuilder.build(), issur);					 +			//build and add requested attribute set								 +			ImmutableAttributeMap reqAttrMap = translateToEidasAttributes(attrRegistry.getAttributeSetFromConfiguration());						 +			
authnRequestBuilder.requestedAttributes(reqAttrMap); -			//encode AuthnRequest -//			byte[] token = authnRequest.getMessageBytes();		 -//			String SAMLRequest = EidasStringUtil.encodeToBase64(token); +			//build request +			LightRequest lightAuthnReq = authnRequestBuilder.build(); +			//put request into cache +			BinaryLightToken token = putRequestInCommunicationCache(lightAuthnReq); +			final String tokenBase64 = BinaryLightTokenHelper.encodeBinaryLightTokenBase64(token); + +			//Workaround, because eIDAS node ref. impl. does not return relayState +			if (basicConfig.getBasicMOAIDConfigurationBoolean( +					Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER,  +					false)) { +				log.trace("Put lightRequestId into transactionstore as session-handling backup"); +				transactionStore.put(lightAuthnReq.getId(), pendingReq.getPendingRequestId(), -1); +				 +			} -//			if (SAMLConstants.SAML2_POST_BINDING_URI.equals(authnReqEndpoint.getBinding()))  -//				buildPostBindingRequest(pendingReq, authnReqEndpoint, SAMLRequest, authnRequest, response); -//			 -//			//TODO: redirect Binding is not completely implemented -//			//else if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(authnReqEndpoint.getBinding())) -//				//buildRedirecttBindingRequest(pendingReq, authnReqEndpoint, token, authnRequest, response); -//			 -//			else { -//				Logger.error("eIDAS-node use an unsupported binding (" -//						+ authnReqEndpoint.getBinding() + "). Request eIDAS node not possible."); -//				throw new MOAIDException("eIDAS.02", new Object[]{"eIDAS-node use an unsupported binding"}); -//				 -//			} +			if (basicConfig.getBasicConfiguration( +						Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD,  +						Constants.FORWARD_METHOD_GET +					).equals(Constants.FORWARD_METHOD_GET)) { +				 +				log.debug("Use http-redirect for eIDAS node forwarding ...  
"); +				//send redirect +				UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL)); +				redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64);			 +				response.sendRedirect(redirectUrl.build().encode().toString()); +				 +			} else { +				log.debug("Use http-post for eIDAS node forwarding ...  "); +				StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( +						basicConfig,  +						pendingReq,  +						Constants.TEMPLATE_POST_FORWARD_NAME,  +						null); +				 +				config.putCustomParameter(Constants.TEMPLATE_POST_FORWARD_ENDPOINT,  +						basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL)); +				config.putCustomParameter(Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, +						EidasParameterKeys.TOKEN.toString());				 +				config.putCustomParameter(Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, +						tokenBase64); +				 +				guiBuilder.build(response, config, "BKU-Selection form"); +								 +			} 				 - - -//		}catch (EIDASSAMLEngineException e){ -//			throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.",  -//					new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e)); -		} catch (MOAIDException  e) { +					 +		} catch (eIDASAuthenticationException  e) {  			throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.", e);  		} catch (Exception e) { -			Logger.error("eIDAS AuthnRequest generation FAILED.", e); +			log.warn("eIDAS AuthnRequest generation FAILED.", e);  			throw new TaskExecutionException(pendingReq, e.getMessage(), e);  		} +		  	} +		 +    private ImmutableAttributeMap translateToEidasAttributes(final Map<String, Boolean> requiredAttributes) { +        ImmutableAttributeMap.Builder builder = ImmutableAttributeMap.builder(); +        for (Map.Entry<String,Boolean> attribute : requiredAttributes.entrySet()) { +            
final String name = attribute.getKey(); +            final ImmutableSortedSet<AttributeDefinition<?>> byFriendlyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(name);             +            if (!byFriendlyName.isEmpty()) { +                final AttributeDefinition<?> attributeDefinition = byFriendlyName.first(); +                builder.put(AttributeDefinition.builder(attributeDefinition).required(attribute.getValue()).build()); +                                 +            } else +            	log.warn("Can NOT request UNKNOWN attribute: " + attribute.getKey() + " Ignore it!"); +            	 +        } + +        return builder.build(); +         +    } -	/** -	 * Encode the eIDAS request with POST binding -	 *  -	 * @param pendingReq -	 * @param authnReqEndpoint -	 * @param SAMLRequest -	 * @param authnRequest -	 * @param response -	 * @throws MOAIDException -	 */ -	private void buildPostBindingRequest(IRequest pendingReq, SingleSignOnService authnReqEndpoint,  -			String SAMLRequest, IRequestMessage authnRequest, HttpServletResponse response)  -			throws MOAIDException { -		//send +    private BinaryLightToken putRequestInCommunicationCache(ILightRequest iLightRequest) throws ServletException { +        final BinaryLightToken binaryLightToken;          try { -            VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); -            Template template = velocityEngine.getTemplate("/resources/templates/eidas_postbinding_template.vm"); -            VelocityContext context = new VelocityContext(); - -            String actionType = "SAMLRequest"; -            context.put(actionType, SAMLRequest); -            context.put("RelayState", pendingReq.getRequestID()); -            context.put("action", authnReqEndpoint.getLocation()); -             -            Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); -            Logger.debug("Encoded " + actionType + " original: " + 
SAMLRequest); +            final SpecificConnectorCommunicationServiceImpl springManagedSpecificConnectorCommunicationService = +                    (SpecificConnectorCommunicationServiceImpl) context.getBean(SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); -            Logger.trace("Starting template merge"); -            StringWriter writer = new StringWriter(); - -            Logger.trace("Doing template merge");             -            template.merge(context, writer); -             -            Logger.trace("Template merge done"); -            Logger.trace("Sending html content: " + writer.getBuffer().toString()); +            binaryLightToken = springManagedSpecificConnectorCommunicationService.putRequest(iLightRequest); -             -            byte[] content = writer.getBuffer().toString().getBytes("UTF-8");	             -            response.setContentType(MediaType.HTML_UTF_8.toString()); -            response.setContentLength(content.length); -            response.getOutputStream().write(content); - -            revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq,  -					MOAIDEventConstants.AUTHPROCESS_PEPS_REQUESTED, -					authnRequest.getRequest().getId()); -            	         -        } catch (Exception e) { -            Logger.error("Velocity general error: " + e.getMessage()); -            throw new MOAIDException("eIDAS.02", new Object[]{e.getMessage()}, e); +        } catch (SpecificCommunicationException e) { +            log.error("Unable to process specific request"); +            throw new ServletException(e);          } -		 -	} -	 -	/** -	 * Select a SingleSignOnService endPoint from eIDAS node metadata. -	 * This endPoint receives the Authn. 
request -	 *  -	 * @param idpEntity -	 * @return -	 */ -	private SingleSignOnService selectSingleSignOnServiceFromMetadata(EntityDescriptor idpEntity) { -		//select SingleSignOn Service endpoint from IDP metadata -		SingleSignOnService endpoint = null; -		if (idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) == null) { -			return null; -			 -		} -		 -		for (SingleSignOnService sss :  -				idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { -			 -			// use POST binding as default if it exists  -			if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI))   -				endpoint = sss; -			 -			//TODO: redirect Binding is not completely implemented -			// use Redirect binding as backup	 -//			else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)  -//					&& endpoint == null ) -//				endpoint = sss; -			 -		} -		 -		return endpoint; -	} -	 +         +        return binaryLightToken; +    } +      } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/ReceiveAuthnResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/ReceiveAuthnResponseTask.java index 055c402f..f0b37ede 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/ReceiveAuthnResponseTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/ReceiveAuthnResponseTask.java 
@@ -5,84 +5,78 @@ package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.tasks;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; -import org.opensaml.saml2.core.StatusCode; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory;  import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext;  import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; -import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; -import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; -import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; -import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; -import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASResponseNotSuccessException; -import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.protocols.eidas.validator.eIDASResponseValidator; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; -import eu.eidas.auth.commons.EidasStringUtil; -import eu.eidas.auth.commons.protocol.IAuthenticationResponse; -import eu.eidas.auth.engine.ProtocolEngineI; -import eu.eidas.engine.exceptions.EIDASSAMLEngineException; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import 
at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.eIDASAuthenticationException; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service.eIDASAttributeRegistry; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.validator.eIDASResponseValidator; +import eu.eidas.auth.commons.light.ILightResponse; -@Component("ReceiveAuthnResponseTask") +@Component("ReceiveResponseFromeIDASNodeTask")  public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { - -	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; +	private static final Logger log = LoggerFactory.getLogger(ReceiveAuthnResponseTask.class); -	@Override +	@Autowired private ApplicationContext context; +	@Autowired private IConfiguration basicConfig; +	@Autowired private eIDASAttributeRegistry attrRegistry; +		 +	@Override   	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - -		try{			 -			//get SAML Response -			String base64SamlToken = request.getParameter("SAMLResponse"); -			if (MiscUtil.isEmpty(base64SamlToken)) { -				Logger.warn("No eIDAS SAMLReponse found in http request."); -				throw new MOAIDException("HTTP request includes no eIDAS SAML-Response element.", null); +		try{ +			 +//			//get token from Request +//			final String tokenBase64 = request.getParameter(EidasParameterKeys.TOKEN.toString());			 +//			if (StringUtils.isEmpty(tokenBase64)) { +//				log.warn("NO eIDAS message token found."); +//				throw new eIDASAuthenticationException("TODO", null,  +//						"NO eIDAS message token found."); +//				 +//			} +//			 +//			//get eIDAS response from cache 
+//			final SpecificConnectorCommunicationServiceImpl specificConnectorCommunicationService = +//		                (SpecificConnectorCommunicationServiceImpl) context.getBean(SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); +//	    	ILightResponse eIDASResponse = specificConnectorCommunicationService.getAndRemoveResponse(tokenBase64,  +//	    			ImmutableSortedSet.copyOf(attrRegistry.getCoreAttributeRegistry().getAttributes())); +		     +			ILightResponse eIDASResponse = (ILightResponse) request.getAttribute(Constants.DATA_FULL_EIDAS_RESPONSE); +			if (eIDASResponse == null) { +				log.warn("NO eIDAS response-message found."); +				throw new eIDASAuthenticationException("eidas.01", null);  			} -			//get MOASession -			defaultTaskInitialization(request, executionContext); +	    	log.debug("Receive eIDAS response with RespId:" + eIDASResponse.getId() + " for ReqId:" + eIDASResponse.getInResponseToId()); -			//decode SAML response -			byte[] decSamlToken = EidasStringUtil.decodeBytesFromBase64(base64SamlToken);		 -			 -			//get eIDAS SAML-engine -			ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); -						 -			//validate SAML token -			IAuthenticationResponse samlResp = engine.unmarshallResponseAndValidate(decSamlToken,  -					request.getRemoteHost(),  -					Constants.CONFIG_PROPS_SKEWTIME_BEFORE,  -					Constants.CONFIG_PROPS_SKEWTIME_AFTER, -					pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA); -												 -			if (samlResp.isEncrypted()) { -				Logger.info("Received encrypted eIDAS SAML-Response."); -				//TODO: check if additional decryption operation is required -				 -			} - -						 -			//check response StatusCode -			if (!samlResp.getStatusCode().equals(StatusCode.SUCCESS_URI)) { -				Logger.info("Receice eIDAS Response with StatusCode:" + samlResp.getStatusCode() -				+ " Subcode:" + samlResp.getSubStatusCode() + " Msg:" + samlResp.getStatusMessage()); -				throw 
new EIDASResponseNotSuccessException("eIDAS.11", new Object[]{samlResp.getStatusMessage()}); +	    	 +			//check response StatusCode  +			if (!eIDASResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { +				log.info("Receice eIDAS Response with StatusCode:" + eIDASResponse.getStatus().getStatusCode() +				+ " Subcode:" + eIDASResponse.getStatus().getSubStatusCode() + " Msg:" + eIDASResponse.getStatus().getStatusMessage()); +				throw new eIDASAuthenticationException("eidas.02", new Object[]{eIDASResponse.getStatus().getStatusCode(), eIDASResponse.getStatus().getStatusMessage()});  			} +			// extract all Attributes from response +			 +			 +			  			// ********************************************************** -			// *******   MOA-ID specific response validation   ********** +			// *******   MS-specificresponse validation   **********  			// ********************************************************** -			String spCountry = authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); -			eIDASResponseValidator.validateResponse(pendingReq, samlResp, spCountry); +			String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); +			eIDASResponseValidator.validateResponse(pendingReq, eIDASResponse, spCountry, attrRegistry);  			// ********************************************************** 
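Review bot: `pendingReq` is dereferenced by `eIDASResponseValidator.validateResponse(pendingReq, eIDASResponse, spCountry, attrRegistry)` near the end of the hunk, but the `defaultTaskInitialization(request, executionContext)` call that the old code made before touching it was removed without a visible replacement; unless the EAAF `AbstractAuthServletTask` now populates `pendingReq` before `execute` runs, this is a null field whose failure only surfaces through the generic catch further down. The status check `eIDASResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)` likewise throws instead of rejecting when the status or its code is missing; `!Constants.SUCCESS_URI.equals(eIDASResponse.getStatus().getStatusCode())` keeps the 'eidas.02' path as the one failure route for a malformed status. The commented-out token-retrieval block at the top of the try and the dangling `// extract all Attributes from response` placeholder should be deleted rather than shipped, and the banner text `MS-specificresponse validation` is missing a space. `execute` continues past the end of this hunk.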
@@ -90,51 +84,24 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			// **********************************************************  			//update MOA-Session data with received information			 -			Logger.debug("Store eIDAS response information into MOA-session."); -					 -			moasession.setQAALevel(samlResp.getLevelOfAssurance()); -						 -			moasession.setGenericDataToSession( -					AuthenticationSessionStorageConstants.eIDAS_ATTRIBUTELIST,  -					samlResp.getAttributes()); -						 -			moasession.setGenericDataToSession( -					AuthenticationSessionStorageConstants.eIDAS_RESPONSE,  -					decSamlToken); +			log.debug("Store eIDAS response information into pending-request.");				 +			AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); +			authProcessData.setQAALevel(eIDASResponse.getLevelOfAssurance()); +			authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, eIDASResponse); -			//set issuer nation as PVP attribute into MOASession -			moasession.setGenericDataToSession(PVPConstants.EID_ISSUING_NATION_NAME, samlResp.getCountry()); -						  			//store MOA-session to database  			requestStoreage.storePendingRequest(pendingReq); -			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq,  -					MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED, -					samlResp.getId()); +			revisionsLogger.logEvent(pendingReq, -1, eIDASResponse.getId()); -		} catch (MOAIDException e) { +		} catch (EAAFException e) {  			throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e); -			 -		}catch (EIDASSAMLEngineException e) { -			Logger.warn("eIDAS Response validation FAILED.", e); -			Logger.debug("eIDAS response was: " + request.getParameter("SAMLResponse")); -			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq,  -					MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR); -			throw new 
TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.",  -					new EIDASEngineException("eIDAS.09", new Object[]{e.getMessage()}, e)); -		} catch (MOADatabaseException e) { -			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq,  -					MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR); -			throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.",  -					new MOAIDException("init.04", new Object[]{""}, e)); -			  		} catch (Exception e) { -			Logger.warn("eIDAS Response processing FAILED.", e); -			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq,  -					MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR); +			log.warn("eIDAS Response processing FAILED.", e); +			revisionsLogger.logEvent(pendingReq, -1);  			throw new TaskExecutionException(pendingReq, e.getMessage(),  -					new MOAIDException("eIDAS.10", new Object[]{e.getMessage()}, e)); +					new eIDASAuthenticationException("eidas.05", new Object[]{e.getMessage()}, e));  		}	 diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/utils/LoggingHandler.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/utils/LoggingHandler.java new file mode 100644 index 00000000..c58d369b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/utils/LoggingHandler.java 
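Review bot: `revisionsLogger.logEvent(pendingReq, -1, eIDASResponse.getId())` and `revisionsLogger.logEvent(pendingReq, -1)` replace the distinct `AUTHPROCESS_PEPS_RECEIVED` / `AUTHPROCESS_PEPS_RECEIVED_ERROR` event codes with a literal `-1`, so the revision log can no longer distinguish a successfully received eIDAS response from a failed one; a named event constant per call should replace the placeholder, or at least a `// TODO: revision event codes not yet defined` should mark it. The whole `ILightResponse` is now stored under `Constants.DATA_FULL_EIDAS_RESPONSE` and persisted by `requestStoreage.storePendingRequest(pendingReq)`, where the old code kept only the attribute list and the raw token; every received identity attribute therefore lands in the request store, so its retention and the object's serializability for that store are worth confirming in a comment at the `setGenericDataToSession` line. `e.getMessage()` of an arbitrary exception is passed as the message argument of `eIDASAuthenticationException("eidas.05", ...)`; if that text reaches the user-facing error page, internal details leak with it. `execute` begins before this hunk.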
@@ -0,0 +1,52 @@
+package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.utils;
+
+import java.io.ByteArrayOutputStream;
+import java.util.Set;
+
+import javax.xml.namespace.QName;
+import javax.xml.soap.SOAPMessage;
+import javax.xml.ws.handler.MessageContext;
+import javax.xml.ws.handler.soap.SOAPHandler;
+import javax.xml.ws.handler.soap.SOAPMessageContext;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class LoggingHandler implements SOAPHandler<SOAPMessageContext> {
+
+	Logger log = LoggerFactory.getLogger(LoggingHandler.class);
+
+	public boolean handleMessage(SOAPMessageContext context) {
+		SOAPMessage msg = context.getMessage();
+		boolean request = ((Boolean) context
+		    .get(SOAPMessageContext.MESSAGE_OUTBOUND_PROPERTY)).booleanValue();
+		ByteArrayOutputStream bos = new ByteArrayOutputStream();
+
+		try {
+			if (request) {
+				msg.writeTo(bos);
+			} else { // This is the response message
+				msg.writeTo(bos);
+			}
+										
+			log.trace(bos.toString());
+			log.trace(new String(bos.toByteArray()));
+			
+		} catch (Exception e) {
+			log.trace(e.getMessage(), e);
+		}
+		return true;
+	}
+
+	public boolean handleFault(SOAPMessageContext context) {
+		return handleMessage(context);
+	}
+
+	public void close(MessageContext context) {
+	}
+
+	public Set<QName> getHeaders() {
+		return null;
+	}
+
+}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/utils/eIDASResponseUtils.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/utils/eIDASResponseUtils.java
new file mode 100644
index 00000000..165c35cb
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/utils/eIDASResponseUtils.java
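Review bot: `handleMessage` serialises the whole SOAP message with `msg.writeTo(bos)` and builds two strings from it on every call although the result is only emitted at trace level, and the `if (request) … else …` branches have identical bodies; both collapse to `if (log.isTraceEnabled()) { msg.writeTo(bos); log.trace(bos.toString("UTF-8")); }`. The second line `log.trace(new String(bos.toByteArray()))` logs the same bytes again through the platform default charset and should be dropped. Since this handler sits on the SZR client (per the commit message), the traced payloads carry personal identity data, so the logging backend that receives trace output needs the same protection as the session store — a class Javadoc stating that trace output here contains full request/response bodies would help the next reader. `log` should also be `private static final`.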
@@ -0,0 +1,98 @@ +package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.utils; + +import java.util.ArrayList; +import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import org.joda.time.DateTime; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.collect.ImmutableList; + +import at.gv.egiz.eaaf.core.impl.data.Trible; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants; +import eu.eidas.auth.commons.attribute.AttributeDefinition; +import eu.eidas.auth.commons.attribute.AttributeValue; +import eu.eidas.auth.commons.attribute.AttributeValueMarshaller; +import eu.eidas.auth.commons.attribute.AttributeValueMarshallingException; +import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; + +public class eIDASResponseUtils { +	private static final Logger log = LoggerFactory.getLogger(eIDASResponseUtils.class); +	 +	public static final String PERSONALIDENIFIER_VALIDATION_PATTERN = "^[A-Z,a-z]{2}/[A-Z,a-z]{2}/.*"; +	  +	/** +	 * Validate a eIDAS PersonalIdentifier attribute value  +	 * This validation is done according to eIDAS SAML Attribute Profile -  Section 2.2.3 Unique Identifier  +	 *  +	 * @param uniqueID eIDAS attribute value of a unique identifier +	 * @return true if the uniqueID matches to eIDAS to Unique Identifier specification, otherwise false +	 */ +	public static boolean validateEidasPersonalIdentifier(String uniqueID) { +		Pattern pattern = Pattern.compile(PERSONALIDENIFIER_VALIDATION_PATTERN ); +		Matcher matcher = pattern.matcher(uniqueID);	 +		return matcher.matches(); +		 +	} +	 +	 +	/** +	 * Parse an eIDAS PersonalIdentifier attribute value into it components.  
+	 * This processing is done according to eIDAS SAML Attribute Profile -  Section 2.2.3 Unique Identifier  +	 *  +	 * @param uniqueID eIDAS attribute value of a unique identifier +	 * @return {@link Trible} that contains:  +	 * 				<br> First : citizen country +	 * 				<br> Second: destination country +	 * 				<br> Third : unique identifier +	 * 	<br> or null if the attribute value has a wrong format +	 */					 +	public static Trible<String, String, String> parseEidasPersonalIdentifier(String uniqueID) { +		if (!validateEidasPersonalIdentifier(uniqueID)) { +			log.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +					+ " looks wrong formated. Value:" + ((String)uniqueID));				 +			return null; +			 +		}		 +		return Trible.newInstance(uniqueID.substring(0, 2), uniqueID.substring(3, 5), uniqueID.substring(6));  +		 +	} + +    public static List<String> translateStringListAttribute(AttributeDefinition<?> attributeDefinition, ImmutableList<? extends AttributeValue<?>> attributeValues) { +        final List<String> stringListAttribute = new ArrayList<String>(); +        AttributeValueMarshaller<?> attributeValueMarshaller = attributeDefinition.getAttributeValueMarshaller(); +        for (AttributeValue<?> attributeValue : attributeValues) { +            String valueString = null; +            try { +                valueString = attributeValueMarshaller.marshal((AttributeValue) attributeValue); +                stringListAttribute.add(valueString); +            } catch (AttributeValueMarshallingException e) { +                throw new IllegalStateException(e); +                 +            } +        } +         +        return stringListAttribute; +         +    } +     +    public static DateTime translateDateAttribute(AttributeDefinition<?> attributeDefinition, ImmutableList<? 
extends AttributeValue<?>> attributeValues) { +        if (attributeValues.size() != 0) { +            final AttributeValue<?> firstAttributeValue = attributeValues.get(0); +            return (DateTime) firstAttributeValue.getValue(); + +        } +         +        return null; +    } +     +    public static PostalAddress translateAddressAttribute(AttributeDefinition<?> attributeDefinition, ImmutableList<? extends AttributeValue<?>> attributeValues) { +        final AttributeValue<?> firstAttributeValue = attributeValues.get(0); +        return (PostalAddress) firstAttributeValue.getValue(); + +    } +	 +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/validator/eIDASResponseValidator.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/validator/eIDASResponseValidator.java new file mode 100644 index 00000000..3791d0d7 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/validator/eIDASResponseValidator.java 
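Review bot: The character class in `PERSONALIDENIFIER_VALIDATION_PATTERN`, `[A-Z,a-z]`, also matches a comma, so `validateEidasPersonalIdentifier` accepts `,,/,,/x` as a well-formed identifier; the constant should read `"^[A-Za-z]{2}/[A-Za-z]{2}/.*"`. The pattern is also recompiled on every call and a null `uniqueID` throws from `pattern.matcher`; a `private static final Pattern PERSONALIDENTIFIER_PATTERN = Pattern.compile(PERSONALIDENIFIER_VALIDATION_PATTERN);` with `return uniqueID != null && PERSONALIDENTIFIER_PATTERN.matcher(uniqueID).matches();` fixes both. `translateAddressAttribute` calls `attributeValues.get(0)` without the emptiness guard that `translateDateAttribute` has, so an absent address attribute ends in IndexOutOfBoundsException rather than null as the sibling does. The `(AttributeValue) attributeValue` raw cast in `translateStringListAttribute` should carry a scoped `@SuppressWarnings("unchecked")` with a one-line reason.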
@@ -0,0 +1,135 @@ +package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.validator; + +import java.util.List; + +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.collect.ImmutableList; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.impl.data.Trible; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.eIDASValidationException; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service.eIDASAttributeRegistry; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.utils.eIDASResponseUtils; +import eu.eidas.auth.commons.attribute.AttributeDefinition; +import eu.eidas.auth.commons.attribute.AttributeValue; +import eu.eidas.auth.commons.light.ILightResponse; +import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance; + +/** + * @author tlenz + * + */ +public class eIDASResponseValidator { +	private static final Logger log = LoggerFactory.getLogger(eIDASResponseValidator.class); + +	public static void validateResponse(IRequest pendingReq, ILightResponse eIDASResponse, String spCountry, eIDASAttributeRegistry attrRegistry) throws eIDASValidationException {		 + +		/*-----------------------------------------------------| +		 * validate received LoA against minimum required LoA  | +		 *_____________________________________________________| +		 */  +		LevelOfAssurance respLoA = LevelOfAssurance.fromString(eIDASResponse.getLevelOfAssurance());		 +		List<String> allowedLoAs = pendingReq.getServiceProviderConfiguration().getRequiredLoA(); +		boolean loaValid = false; +		for (String allowedLoaString : allowedLoAs) { +			LevelOfAssurance allowedLoa = LevelOfAssurance.fromString(allowedLoaString); +			if (respLoA.numericValue() >= allowedLoa.numericValue()) { +				log.debug("Response contains valid LoA. Resume process ... 
"); +				loaValid = true; +				break; +				 +			} else +				log.trace("Allowed LoA: " + allowedLoaString + " DOES NOT match response LoA: " + eIDASResponse.getLevelOfAssurance()); +			 +		} +		 +		if (!loaValid) { +			log.error("eIDAS Response LevelOfAssurance is lower than the required! " +					+ "(Resp-LoA:" + respLoA.getValue() + " Req-LoA:" + allowedLoAs.toArray() + ")"); +			throw new eIDASValidationException("eidas.06", new Object[]{respLoA.getValue()}); +			 +		} +						 + + +		/*-----------------------------------------------------| +		 *     validate 'PersonalIdentifier' attribute         | +		 *_____________________________________________________| +		 */ +		AttributeDefinition<?> attrDefinition = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first();         +	    final ImmutableList<? extends AttributeValue<?>> attributeValues = eIDASResponse.getAttributes().getAttributeMap().get(attrDefinition).asList(); +	    List<String> personalIdObj = eIDASResponseUtils.translateStringListAttribute(attrDefinition, attributeValues); +	    	    +		//check if attribute exists +		if (personalIdObj == null || personalIdObj.isEmpty()) { +	        	log.warn("eIDAS Response include NO 'PersonalIdentifier' attriubte " +	        			+ ".... That can be a BIG problem in further processing steps");	 +	        	throw new eIDASValidationException("eidas.05", new Object[] {"NO 'PersonalIdentifier' attriubte"}); +	        	 +		} else if (personalIdObj.size() > 1) { +			log.warn("eIDAS Response include MORE THAN ONE 'PersonalIdentifier' attriubtes " +        			+ ".... 
That can be a BIG problem in further processing steps"); +			throw new eIDASValidationException("eidas.05", new Object[] {"MORE THAN ONE 'PersonalIdentifier' attriubtes"}); +								 +		} else { +			String natPersId = personalIdObj.get(0); +			//validate attribute value format			 +			Trible<String, String, String> split =  +					eIDASResponseUtils.parseEidasPersonalIdentifier(natPersId); +			if (split == null) { +				throw new eIDASValidationException("eidas.07",  +						new Object[]{ +								Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +								"Wrong identifier format"}); +				 +			} else { +				//validation according to eIDAS SAML Attribute Profile, Section 2.2.3  +				if (StringUtils.isEmpty(split.getSecond())) { +					log.warn("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes NO destination country. Value:" + natPersId);				 +					throw new eIDASValidationException("eidas.07",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"No or empty destination country"}); +					 +				} +				if (!split.getSecond().equalsIgnoreCase(spCountry)) { +					log.warn("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes wrong destination country. Value:" + natPersId +							+ " SP-Country:" + spCountry);				 +					throw new eIDASValidationException("eidas.07",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"Destination country does not match to SP country"}); +					 +				} +				 +				if (StringUtils.isEmpty(split.getFirst())) { +					log.warn("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes NO citizen country. 
Value:" + natPersId);				 +					throw new eIDASValidationException("eidas.07",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"No or empty citizen country"}); +					 +				} +				if (!split.getSecond().equalsIgnoreCase(spCountry)) { +					log.warn("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes a relaying-party country that does not match to service-provider country. " +							+ " Value:" + natPersId +							+ " SP Country:" + spCountry);				 +					throw new eIDASValidationException("eidas.07",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"Citizen country does not match to eIDAS-node country that generates the response"}); +					 +				}				 +			}									 +		} + +	} +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml index 958c3391..14ef4b42 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml 
@@ -3,18 +3,17 @@  	xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1"> -	<pd:Task id="createAuthnRequest" class="GenerateAuthnRequestTask" /> -	<pd:Task id="receiveAuthnResponse" class="ReceiveAuthnResponseTask" -		async="true" /> -	<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" /> -	<pd:Task id="generateIdentityLink" class="CreateIdentityLinkTask" /> +	<pd:Task id="createAuthnRequest"   		class="ConnecteIDASNodeTask" 					/> +	<pd:Task id="receiveAuthnResponse" 		class="ReceiveResponseFromeIDASNodeTask" 	 async="true" 	/> +	<pd:Task id="finalizeAuthentication" 	class="FinalizeAuthenticationTask" 					/> +	<pd:Task id="generateIdentityLink" 		class="CreateIdentityLinkTask" 						/>  	<pd:StartEvent id="start" /> -	<pd:Transition from="start" to="createAuthnRequest" /> -	<pd:Transition from="createAuthnRequest" to="receiveAuthnResponse" /> -	<pd:Transition from="receiveAuthnResponse" to="generateIdentityLink" /> -	<pd:Transition from="generateIdentityLink" to="finalizeAuthentication" /> -	<pd:Transition from="finalizeAuthentication" to="end" /> +	<pd:Transition from="start" 					to="createAuthnRequest" /> +	<pd:Transition from="createAuthnRequest" 		to="receiveAuthnResponse" /> +	<pd:Transition from="receiveAuthnResponse" 		to="generateIdentityLink" /> +	<pd:Transition from="generateIdentityLink" 		to="finalizeAuthentication" /> +	<pd:Transition from="finalizeAuthentication" 	to="end" />  	<pd:EndEvent id="end" />  </pd:ProcessDefinition> diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS/additional-attributes.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS/additional-attributes.xml new file mode 100644 index 00000000..a72ac1e8 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS/additional-attributes.xml 
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2017 by European Commission
+  ~
+  ~ Licensed under the EUPL, Version 1.2 or - as soon they will be
+  ~ approved by the European Commission - subsequent versions of the
+  ~ EUPL (the "Licence");
+  ~ You may not use this work except in compliance with the Licence.
+  ~ You may obtain a copy of the Licence at:
+  ~ https://joinup.ec.europa.eu/page/eupl-text-11-12
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the Licence is distributed on an "AS IS" basis,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+  ~ implied.
+  ~ See the Licence for the specific language governing permissions and
+  ~ limitations under the Licence.
+  -->
+
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+    <comment>Dynamic attributes</comment>
+
+    <entry key="1.NameUri">http://eidas.europa.eu/attributes/naturalperson/AdditionalAttribute</entry>
+    <entry key="1.FriendlyName">AdditionalAttribute</entry>
+    <entry key="1.PersonType">NaturalPerson</entry>
+    <entry key="1.Required">false</entry>
+    <entry key="1.XmlType.NamespaceUri">http://www.w3.org/2001/XMLSchema</entry>
+    <entry key="1.XmlType.LocalPart">string</entry>
+    <entry key="1.XmlType.NamespacePrefix">xs</entry>
+    <entry key="1.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry>
+
+    <entry key="2.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalAdditionalAttribute</entry>
+    <entry key="2.FriendlyName">LegalAdditionalAttribute</entry>
+    <entry key="2.PersonType">LegalPerson</entry>
+    <entry key="2.Required">false</entry>
+    <entry key="2.XmlType.NamespaceUri">http://www.w3.org/2001/XMLSchema</entry>
+    <entry key="2.XmlType.LocalPart">string</entry>
+    <entry key="2.XmlType.NamespacePrefix">xs</entry>
+    <entry key="2.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry>
+
+</properties>
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS/eidas-attributes.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS/eidas-attributes.xml
new file mode 100644
index 00000000..c9288d59
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS/eidas-attributes.xml
@@ -0,0 +1,379 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +  ~ Copyright (c) 2017 by European Commission +  ~ +  ~ Licensed under the EUPL, Version 1.2 or - as soon they will be +  ~ approved by the European Commission - subsequent versions of the +  ~ EUPL (the "Licence"); +  ~ You may not use this work except in compliance with the Licence. +  ~ You may obtain a copy of the Licence at: +  ~ https://joinup.ec.europa.eu/page/eupl-text-11-12 +  ~ +  ~ Unless required by applicable law or agreed to in writing, software +  ~ distributed under the Licence is distributed on an "AS IS" basis, +  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +  ~ implied. +  ~ See the Licence for the specific language governing permissions and +  ~ limitations under the Licence. +  --> + +<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> +<properties> +    <comment>eIDAS attributes</comment> + +    <entry key="1.NameUri">http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier</entry> +    <entry key="1.FriendlyName">PersonIdentifier</entry> +    <entry key="1.PersonType">NaturalPerson</entry> +    <entry key="1.Required">true</entry> +    <entry key="1.UniqueIdentifier">true</entry> +    <entry key="1.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="1.XmlType.LocalPart">PersonIdentifierType</entry> +    <entry key="1.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="1.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="2.NameUri">http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName</entry> +    <entry key="2.FriendlyName">FamilyName</entry> +    <entry key="2.PersonType">NaturalPerson</entry> +    <entry key="2.Required">true</entry> +    <entry key="2.TransliterationMandatory">true</entry> +    <entry key="2.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +  
  <entry key="2.XmlType.LocalPart">CurrentFamilyNameType</entry> +    <entry key="2.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="2.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="3.NameUri">http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName</entry> +    <entry key="3.FriendlyName">FirstName</entry> +    <entry key="3.PersonType">NaturalPerson</entry> +    <entry key="3.Required">true</entry> +    <entry key="3.TransliterationMandatory">true</entry> +    <entry key="3.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="3.XmlType.LocalPart">CurrentGivenNameType</entry> +    <entry key="3.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="3.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="4.NameUri">http://eidas.europa.eu/attributes/naturalperson/DateOfBirth</entry> +    <entry key="4.FriendlyName">DateOfBirth</entry> +    <entry key="4.PersonType">NaturalPerson</entry> +    <entry key="4.Required">true</entry> +    <entry key="4.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="4.XmlType.LocalPart">DateOfBirthType</entry> +    <entry key="4.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="4.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller</entry> + +    <entry key="5.NameUri">http://eidas.europa.eu/attributes/naturalperson/BirthName</entry> +    <entry key="5.FriendlyName">BirthName</entry> +    <entry key="5.PersonType">NaturalPerson</entry> +    <entry key="5.Required">false</entry> +    <entry key="5.TransliterationMandatory">true</entry> +    <entry key="5.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="5.XmlType.LocalPart">BirthNameType</entry> +    <entry 
key="5.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="5.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="6.NameUri">http://eidas.europa.eu/attributes/naturalperson/PlaceOfBirth</entry> +    <entry key="6.FriendlyName">PlaceOfBirth</entry> +    <entry key="6.PersonType">NaturalPerson</entry> +    <entry key="6.Required">false</entry> +    <entry key="6.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="6.XmlType.LocalPart">PlaceOfBirthType</entry> +    <entry key="6.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="6.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="7.NameUri">http://eidas.europa.eu/attributes/naturalperson/CurrentAddress</entry> +    <entry key="7.FriendlyName">CurrentAddress</entry> +    <entry key="7.PersonType">NaturalPerson</entry> +    <entry key="7.Required">false</entry> +    <entry key="7.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="7.XmlType.LocalPart">CurrentAddressType</entry> +    <entry key="7.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="7.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.CurrentAddressAttributeValueMarshaller</entry> + +    <entry key="8.NameUri">http://eidas.europa.eu/attributes/naturalperson/Gender</entry> +    <entry key="8.FriendlyName">Gender</entry> +    <entry key="8.PersonType">NaturalPerson</entry> +    <entry key="8.Required">false</entry> +    <entry key="8.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="8.XmlType.LocalPart">GenderType</entry> +    <entry key="8.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="8.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.GenderAttributeValueMarshaller</entry> + +    <entry 
key="9.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier</entry> +    <entry key="9.FriendlyName">LegalPersonIdentifier</entry> +    <entry key="9.PersonType">LegalPerson</entry> +    <entry key="9.Required">true</entry> +    <entry key="9.UniqueIdentifier">true</entry> +    <entry key="9.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="9.XmlType.LocalPart">LegalPersonIdentifierType</entry> +    <entry key="9.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="9.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="10.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalName</entry> +    <entry key="10.FriendlyName">LegalName</entry> +    <entry key="10.PersonType">LegalPerson</entry> +    <entry key="10.Required">true</entry> +    <entry key="10.TransliterationMandatory">true</entry> +    <entry key="10.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="10.XmlType.LocalPart">LegalNameType</entry> +    <entry key="10.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="10.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="11.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalPersonAddress</entry> +    <entry key="11.FriendlyName">LegalAddress</entry> +    <entry key="11.PersonType">LegalPerson</entry> +    <entry key="11.Required">false</entry> +    <entry key="11.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="11.XmlType.LocalPart">LegalPersonAddressType</entry> +    <entry key="11.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="11.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.LegalAddressAttributeValueMarshaller</entry> + +    <entry 
key="12.NameUri">http://eidas.europa.eu/attributes/legalperson/VATRegistrationNumber</entry> +    <entry key="12.FriendlyName">VATRegistration</entry> +    <entry key="12.PersonType">LegalPerson</entry> +    <entry key="12.Required">false</entry> +    <entry key="12.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="12.XmlType.LocalPart">VATRegistrationNumberType</entry> +    <entry key="12.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="12.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="13.NameUri">http://eidas.europa.eu/attributes/legalperson/TaxReference</entry> +    <entry key="13.FriendlyName">TaxReference</entry> +    <entry key="13.PersonType">LegalPerson</entry> +    <entry key="13.Required">false</entry> +    <entry key="13.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="13.XmlType.LocalPart">TaxReferenceType</entry> +    <entry key="13.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="13.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="14.NameUri">http://eidas.europa.eu/attributes/legalperson/D-2012-17-EUIdentifier</entry> +    <entry key="14.FriendlyName">D-2012-17-EUIdentifier</entry> +    <entry key="14.PersonType">LegalPerson</entry> +    <entry key="14.Required">false</entry> +    <entry key="14.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="14.XmlType.LocalPart">D-2012-17-EUIdentifierType</entry> +    <entry key="14.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="14.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="15.NameUri">http://eidas.europa.eu/attributes/legalperson/LEI</entry> +    <entry key="15.FriendlyName">LEI</entry> +    <entry 
key="15.PersonType">LegalPerson</entry> +    <entry key="15.Required">false</entry> +    <entry key="15.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="15.XmlType.LocalPart">LEIType</entry> +    <entry key="15.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="15.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="16.NameUri">http://eidas.europa.eu/attributes/legalperson/EORI</entry> +    <entry key="16.FriendlyName">EORI</entry> +    <entry key="16.PersonType">LegalPerson</entry> +    <entry key="16.Required">false</entry> +    <entry key="16.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="16.XmlType.LocalPart">EORIType</entry> +    <entry key="16.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="16.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="17.NameUri">http://eidas.europa.eu/attributes/legalperson/SEED</entry> +    <entry key="17.FriendlyName">SEED</entry> +    <entry key="17.PersonType">LegalPerson</entry> +    <entry key="17.Required">false</entry> +    <entry key="17.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="17.XmlType.LocalPart">SEEDType</entry> +    <entry key="17.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="17.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="18.NameUri">http://eidas.europa.eu/attributes/legalperson/SIC</entry> +    <entry key="18.FriendlyName">SIC</entry> +    <entry key="18.PersonType">LegalPerson</entry> +    <entry key="18.Required">false</entry> +    <entry key="18.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="18.XmlType.LocalPart">SICType</entry> +    <entry 
key="18.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="18.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="19.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/PersonIdentifier</entry> +    <entry key="19.FriendlyName">RepresentativePersonIdentifier</entry> +    <entry key="19.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="19.Required">false</entry> +    <entry key="19.UniqueIdentifier">true</entry> +    <entry key="19.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="19.XmlType.LocalPart">PersonIdentifierType</entry> +    <entry key="19.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="19.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="20.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/CurrentFamilyName</entry> +    <entry key="20.FriendlyName">RepresentativeFamilyName</entry> +    <entry key="20.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="20.Required">false</entry> +    <entry key="20.TransliterationMandatory">true</entry> +    <entry key="20.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="20.XmlType.LocalPart">CurrentFamilyNameType</entry> +    <entry key="20.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="20.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="21.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/CurrentGivenName</entry> +    <entry key="21.FriendlyName">RepresentativeFirstName</entry> +    <entry key="21.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="21.Required">false</entry> +    <entry 
key="21.TransliterationMandatory">true</entry> +    <entry key="21.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="21.XmlType.LocalPart">CurrentGivenNameType</entry> +    <entry key="21.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="21.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="22.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/DateOfBirth</entry> +    <entry key="22.FriendlyName">RepresentativeDateOfBirth</entry> +    <entry key="22.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="22.Required">false</entry> +    <entry key="22.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="22.XmlType.LocalPart">DateOfBirthType</entry> +    <entry key="22.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="22.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller</entry> + +    <entry key="23.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/BirthName</entry> +    <entry key="23.FriendlyName">RepresentativeBirthName</entry> +    <entry key="23.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="23.Required">false</entry> +    <entry key="23.TransliterationMandatory">true</entry> +    <entry key="23.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="23.XmlType.LocalPart">BirthNameType</entry> +    <entry key="23.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="23.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="24.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/PlaceOfBirth</entry> +    <entry 
key="24.FriendlyName">RepresentativePlaceOfBirth</entry> +    <entry key="24.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="24.Required">false</entry> +    <entry key="24.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="24.XmlType.LocalPart">PlaceOfBirthType</entry> +    <entry key="24.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="24.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="25.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/CurrentAddress</entry> +    <entry key="25.FriendlyName">RepresentativeCurrentAddress</entry> +    <entry key="25.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="25.Required">false</entry> +    <entry key="25.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="25.XmlType.LocalPart">CurrentAddressType</entry> +    <entry key="25.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="25.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.RepvCurrentAddressAttributeValueMarshaller</entry> + +    <entry key="26.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/Gender</entry> +    <entry key="26.FriendlyName">RepresentativeGender</entry> +    <entry key="26.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="26.Required">false</entry> +    <entry key="26.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="26.XmlType.LocalPart">GenderType</entry> +    <entry key="26.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="26.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.GenderAttributeValueMarshaller</entry> + +    <entry 
key="27.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalPersonIdentifier</entry> +    <entry key="27.FriendlyName">RepresentativeLegalPersonIdentifier</entry> +    <entry key="27.PersonType">RepresentativeLegalPerson</entry> +    <entry key="27.Required">false</entry> +    <entry key="27.UniqueIdentifier">true</entry> +    <entry key="27.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="27.XmlType.LocalPart">LegalPersonIdentifierType</entry> +    <entry key="27.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="27.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="28.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalName</entry> +    <entry key="28.FriendlyName">RepresentativeLegalName</entry> +    <entry key="28.PersonType">RepresentativeLegalPerson</entry> +    <entry key="28.Required">false</entry> +    <entry key="28.TransliterationMandatory">true</entry> +    <entry key="28.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="28.XmlType.LocalPart">LegalNameType</entry> +    <entry key="28.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="28.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="29.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalPersonAddress</entry> +    <entry key="29.FriendlyName">RepresentativeLegalAddress</entry> +    <entry key="29.PersonType">RepresentativeLegalPerson</entry> +    <entry key="29.Required">false</entry> +    <entry key="29.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="29.XmlType.LocalPart">LegalPersonAddressType</entry> +    <entry 
key="29.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="29.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.RepvLegalAddressAttributeValueMarshaller</entry> + +    <entry key="30.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/VATRegistrationNumber</entry> +    <entry key="30.FriendlyName">RepresentativeVATRegistration</entry> +    <entry key="30.PersonType">RepresentativeLegalPerson</entry> +    <entry key="30.Required">false</entry> +    <entry key="30.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="30.XmlType.LocalPart">VATRegistrationNumberType</entry> +    <entry key="30.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="30.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="31.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/TaxReference</entry> +    <entry key="31.FriendlyName">RepresentativeTaxReference</entry> +    <entry key="31.PersonType">RepresentativeLegalPerson</entry> +    <entry key="31.Required">false</entry> +    <entry key="31.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="31.XmlType.LocalPart">TaxReferenceType</entry> +    <entry key="31.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="31.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="32.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/D-2012-17-EUIdentifier</entry> +    <entry key="32.FriendlyName">RepresentativeD-2012-17-EUIdentifier</entry> +    <entry key="32.PersonType">RepresentativeLegalPerson</entry> +    <entry key="32.Required">false</entry> +    <entry key="32.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    
<entry key="32.XmlType.LocalPart">D-2012-17-EUIdentifierType</entry> +    <entry key="32.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="32.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="33.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LEI</entry> +    <entry key="33.FriendlyName">RepresentativeLEI</entry> +    <entry key="33.PersonType">RepresentativeLegalPerson</entry> +    <entry key="33.Required">false</entry> +    <entry key="33.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="33.XmlType.LocalPart">LEIType</entry> +    <entry key="33.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="33.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="34.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/EORI</entry> +    <entry key="34.FriendlyName">RepresentativeEORI</entry> +    <entry key="34.PersonType">RepresentativeLegalPerson</entry> +    <entry key="34.Required">false</entry> +    <entry key="34.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="34.XmlType.LocalPart">EORIType</entry> +    <entry key="34.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="34.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="35.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/SEED</entry> +    <entry key="35.FriendlyName">RepresentativeSEED</entry> +    <entry key="35.PersonType">RepresentativeLegalPerson</entry> +    <entry key="35.Required">false</entry> +    <entry key="35.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry 
key="35.XmlType.LocalPart">SEEDType</entry> +    <entry key="35.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="35.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="36.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/SIC</entry> +    <entry key="36.FriendlyName">RepresentativeSIC</entry> +    <entry key="36.PersonType">RepresentativeLegalPerson</entry> +    <entry key="36.Required">false</entry> +    <entry key="36.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="36.XmlType.LocalPart">SICType</entry> +    <entry key="36.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="36.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="39.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalPersonAddress</entry> +    <entry key="39.FriendlyName">RepresentativeLegalAddress</entry> +    <entry key="39.PersonType">RepresentativeLegalPerson</entry> +    <entry key="39.Required">false</entry> +    <entry key="39.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="39.XmlType.LocalPart">LegalPersonAddressType</entry> +    <entry key="39.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="39.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.RepvLegalAddressAttributeValueMarshaller</entry> + +    <entry key="40.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/VATRegistrationNumber</entry> +    <entry key="40.FriendlyName">RepresentativeVATRegistration</entry> +    <entry key="40.PersonType">RepresentativeLegalPerson</entry> +    <entry key="40.Required">false</entry> +    <entry 
key="40.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry>
+    <entry key="40.XmlType.LocalPart">VATRegistrationNumberType</entry>
+    <entry key="40.XmlType.NamespacePrefix">eidas-reprentative-legal</entry>
+    <entry key="40.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry>
+
+
+</properties>
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml
index 1ad8cbeb..4664bc27 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml
@@ -9,6 +9,27 @@
 	<context:annotation-config />
+	<import resource="classpath:specificCommunicationDefinitionApplicationContext.xml"/>
+
+	<bean id="SZRClientForeIDAS"
+		class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient" />
+
+    <bean id="specificConnectorAttributesFile" class="java.lang.String">
+        <constructor-arg value="eidas-attributes.xml"/>
+    </bean>
+
+    <bean id="specificAdditionalAttributesFile" class="java.lang.String">
+        <constructor-arg value="additional-attributes.xml"/>
+    </bean>
+
+    <bean id="specificConnectorAttributesFileWithPath" class="java.lang.String">
+        <constructor-arg value="#{specificConnectorConfigRepository}#{specificConnectorAttributesFile}"/>
+    </bean>
+
+    <bean id="specificConnectorAdditionalAttributesFileWithPath" class="java.lang.String">
+        <constructor-arg value="#{specificConnectorConfigRepository}#{specificAdditionalAttributesFile}"/>
+    </bean>
+
 	<bean id="eIDASAuthModule"
 		class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.eIDASAuthenticationModulImpl">
 		<property name="priority" value="2" />
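Review bot: Entries 39 and 40 at the end of eidas-attributes.xml repeat the NameUri, FriendlyName, PersonType and marshaller of entries 29 and 30 (RepresentativeLegalAddress and RepresentativeVATRegistration), and the numbering jumps from 36 to 39 with no 37 or 38. Whether the attribute registry that loads this file rejects, overrides or double-registers a duplicate NameUri is not visible here, so the two duplicate blocks should be dropped, or given their own NameUri if they were meant to be distinct attributes. Entry 19 also uses the prefix `eidas-natural` while every other representative natural-person attribute uses `eidas-reprentative-natural`; presumably it should match. The file carries `<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">`; if it is parsed by anything other than `java.util.Properties.loadFromXML`, confirm that external DTD resolution is disabled in the parser.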
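Review bot: The `specificConnectorAttributesFileWithPath` and `specificConnectorAdditionalAttributesFileWithPath` beans build a file path by plain SpEL concatenation, `#{specificConnectorConfigRepository}#{specificConnectorAttributesFile}`, so they only resolve correctly when `specificConnectorConfigRepository` (defined in the imported context, not visible in this hunk) ends with a path separator. A comment above the first of them would save the next operator a lookup, e.g. `<!-- specificConnectorConfigRepository must end with a file separator; the attribute file names are appended verbatim -->`. The bean renames in the second hunk (`ConnecteIDASNodeTask`, `ReceiveResponseFromeIDASNodeTask`) match the class attributes in eIDAS.Authentication.process.xml above, so that side is consistent.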
@@ -17,13 +38,18 @@
 	<bean id="eIDASSignalServlet"
 		class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.eIDASSignalServlet" />
+	<bean id="attributeRegistry"
+			class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service.eIDASAttributeRegistry">
+		<property name="eidasAttributesFile" ref="specificConnectorAttributesFileWithPath"/>
+        <property name="additionalAttributesFile" ref="specificConnectorAdditionalAttributesFileWithPath"/>		
+	</bean>
 	<!-- Authentication Process Tasks -->
-	<bean id="GenerateAuthnRequestTask"
+	<bean id="ConnecteIDASNodeTask"
 		class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.tasks.GenerateAuthnRequestTask"
 		scope="prototype" />
-	<bean id="ReceiveAuthnResponseTask"
+	<bean id="ReceiveResponseFromeIDASNodeTask"
 		class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.tasks.ReceiveAuthnResponseTask"
 		scope="prototype" />
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
new file mode 100644
index 00000000..09084a34
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID13456264458587874" IssueInstant="2012-08-22T11:07:25+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+	<saml:AttributeStatement>
+		<saml:Subject>
+			<saml:SubjectConfirmation>
+				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
+				<saml:SubjectConfirmationData>
+					<pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>wJO/bvDJjUysG0yARn7I6w==</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXRúùd</pr:GivenName><pr:FamilyName primary="undefined">XXXVàn Nisteĺrooy</pr:FamilyName></pr:Name><pr:DateOfBirth>1969-02-13</pr:DateOfBirth></pr:Person>
+				</saml:SubjectConfirmationData>
+			</saml:SubjectConfirmation>
+		</saml:Subject>
+	<saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="22280299907126338788314199678167217078072953115254374209747379168424021905237" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="40387096985250872237992703378062984723606079359080588656963239072881568409170" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" 
AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>4Y4FL09VhczsfYQgFPuycP8quJNZBAAu1R1rFXNodI2711B6BTMjAGQn6xuFWfd3/nyFav/MLTr/
+t2VazvANS4TRFxJAcWyIx7xbxCdzZr6gJ+FCmq4g5JPrQvt50v3JX+wKSYft1gHBOWlDn90Ia4Gm
+P8MVuze21T+VVKM6ZklmS6d5PT1er/uYQFydGErmJ17xlSQG6Fi5xuftopBDyJxG1tL1KIebpLFg
+gaM2EyuB1HxH8/+Mfqa4UgeqIH65</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
+	<dsig:Signature>
+		<dsig:SignedInfo>
+			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+			<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+			<dsig:Reference URI="">
+				<dsig:Transforms>
+					<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+						<dsig:XPath>not(ancestor-or-self::pr:Identification)</dsig:XPath>
+					</dsig:Transform>
+					<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+				</dsig:Transforms>
+				<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+				<dsig:DigestValue>KEQEPY2O3Z3IRaISSSoRZVPzsHE=</dsig:DigestValue>
+			</dsig:Reference>
+			<dsig:Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
+				<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+				<dsig:DigestValue>gzGhjH1kdmPcPbgen0xojNIoJLk=</dsig:DigestValue>
+			</dsig:Reference>
+		</dsig:SignedInfo>
+		<dsig:SignatureValue>
+    06wqWHgplwpu3N5HMhzb6QC5NkXMO1z4N4oc1L6eDqwZlvFJ9X1XGW//QqviKO9oog3il7IzdfJwnjygR4trgGCIqx+JYCDHJCrG9l8zlxlSW0ZqfsygGXthutcQ1aeUpfO6jYuhnWOUywa8BgzukRtWT+AOJBQZPRYTb8IBmey+uAwlhFLni94eMOd81l+efCvkWi3jRajwsG8ZOaNxSZT3aEV5vj+32Aqtx2MPEVzQWtIA7GqZi+EzcdSdHQvHhg7UB+8kqbU70ENAJbEMTANFZYvLOJ0Om9KfDtPf/+R2TvTc360fNo9RnPl04pHPhCIjcGZhFZorBpUhXFwd2Q==
+  
</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>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</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
+		<dsig:Object>
+			<dsig:Manifest Id="manifest">
+				<dsig:Reference URI="">
+					<dsig:Transforms>
+						<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+							<dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath>
+						</dsig:Transform>
+					</dsig:Transforms>
+					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+					<dsig:DigestValue>8e7RjLnA4Mgltq5ruIJzheKGxu0=</dsig:DigestValue>
+				</dsig:Reference>
+			</dsig:Manifest>
+		</dsig:Object>
+	</dsig:Signature>
+</saml:Assertion>
\ No newline at end of file
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/szr_client/SZR-1.WSDL b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/szr_client/SZR-1.WSDL
new file mode 100644
index 00000000..4ad2645a
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/szr_client/SZR-1.WSDL
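Review bot: `fakeIdL_IdL_template.xml` is added under `src/main/resources`, so a complete signed SAML assertion with a fixed `dsig:X509Certificate`, an `rsa-sha1` signature and `sha1` digests becomes part of the deployed module, yet nothing in the file states what it is for or that the `dsig:Signature` and `dsig:DigestValue`s can only match the placeholder person data they were computed over. A header comment right after the XML declaration would make that explicit, e.g. `<!-- Template identity link: the embedded dsig:Signature and X509Certificate were computed over the placeholder person data and are not valid for any substituted values; consumers must not treat this assertion as SZR-signed. -->`. The name suggests the template is meant for synthetic or test identity links; if it is only needed by tests, placing it in `src/test/resources` keeps it out of the production artifact. The SZR-1.WSDL hunk that follows continues past the end of this view and is not reviewed here.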
@@ -0,0 +1,901 @@ +<?xml version="1.0" encoding="UTF-8"?> +<definitions targetNamespace="urn:SZRServices" xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pd="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:pvp="http://egov.gv.at/pvp1.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:szr="urn:SZRServices" xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<types> +		<xs:schema elementFormDefault="qualified" targetNamespace="http://reference.e-government.gv.at/namespace/persondata/20020228#"> +			<xs:complexType name="PhysicalPersonType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="Identification" type="pd:IdentificationType" /> +					<xs:element minOccurs="1" name="Name" type="pd:PersonNameType" /> +					<xs:element minOccurs="0" name="AlternativeName" type="pd:AlternativeNameType" /> +					<xs:element minOccurs="0" name="Sex" type="xs:string" /> +					<xs:element minOccurs="0" name="DateOfBirth" type="xs:string" /> +					<xs:element minOccurs="0" name="PlaceOfBirth" type="xs:string" /> +					<xs:element minOccurs="0" name="CountryOfBirth" type="xs:string" /> +					<xs:element minOccurs="0" name="Nationality" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="IdentificationType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="Value" type="xs:string" /> +					<xs:element minOccurs="0" name="Type" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="PersonNameType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="PrefixedDegree" type="xs:string" /> +					<xs:element name="GivenName" type="xs:string" nillable="true" /> +					<xs:element name="FamilyName" 
type="xs:string" nillable="true" /> +					<xs:element minOccurs="0" name="SuffixedDegree" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="AlternativeNameType"> +				<xs:sequence> +					<xs:element name="FamilyName" type="xs:string" nillable="true" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="PostalAddressType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="PostalCode" type="xs:string" /> +					<xs:element minOccurs="0" name="Municipality" type="xs:string" /> +					<xs:element minOccurs="0" name="Locality" type="xs:string" /> +					<xs:element minOccurs="0" name="StateCode3" type="xs:string" /> +					<xs:element minOccurs="0" name="DeliveryAddress" type="pd:DeliveryAddressType" /> +					<xs:element minOccurs="0" name="HistoricRecord" type="xs:boolean" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="DeliveryAddressType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="AddressLine" type="xs:string" /> +					<xs:element minOccurs="0" name="StreetName" type="xs:string" /> +					<xs:element minOccurs="0" name="BuildingNumber" type="xs:string" /> +					<xs:element minOccurs="0" name="Unit" type="xs:string" /> +					<xs:element minOccurs="0" name="DoorNumber" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +		</xs:schema> +		<xs:schema elementFormDefault="qualified" targetNamespace="http://www.w3.org/2001/04/xmldsig-more#"> +			<xs:element name="ECDSAKeyValue" type="ecdsa:ECDSAKeyValueType" nillable="true" /> +			<xs:complexType name="ECDSAKeyValueType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="DomainParameters" type="ecdsa:DomainParamsType" /> +					<xs:element name="PublicKey" type="ecdsa:ECPointType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="DomainParamsType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="NamedCurve" type="ecdsa:NamedCurveType" /> +				</xs:sequence> +			</xs:complexType> +			
<xs:complexType name="NamedCurveType"> +				<xs:attribute name="URN" type="xs:string" use="required" /> +			</xs:complexType> +			<xs:complexType name="ECPointType"> +				<xs:sequence minOccurs="0"> +					<xs:element name="X" type="ecdsa:PrimeFieldElemType" /> +					<xs:element name="Y" type="ecdsa:PrimeFieldElemType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="PrimeFieldElemType"> +				<xs:attribute name="Value" type="xs:string" use="required" /> +			</xs:complexType> +		</xs:schema> +		<xs:schema elementFormDefault="qualified" targetNamespace="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2001/XMLSchema"> +			<xs:import namespace="http://www.w3.org/2001/04/xmldsig-more#" /> +			<xs:complexType name="KeyValueType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="DSAKeyValue" type="dsig:DSAKeyValueType" /> +					<xs:element minOccurs="0" name="RSAKeyValue" type="dsig:RSAKeyValueType" /> +					<xs:element minOccurs="0" ref="ecdsa:ECDSAKeyValue" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="DSAKeyValueType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="P" type="xs:string" /> +					<xs:element minOccurs="0" name="Q" type="xs:string" /> +					<xs:element minOccurs="0" name="J" type="xs:string" /> +					<xs:element minOccurs="0" name="G" type="xs:string" /> +					<xs:element minOccurs="0" name="Y" type="xs:string" /> +					<!-- https://www.w3.org/TR/xmldsig-core/ defines PgenCounter THEN Seed, SZR.wsdl used Seed BEFORE PgenCounter. To keep it backwards compatible but allow the usual order, both ways are allowed. 
--> +					<xs:choice maxOccurs="unbounded"> +						<xs:element minOccurs="0" name="PgenCounter" type="xs:string" /> +						<xs:element minOccurs="0" name="Seed" type="xs:string" /> +					</xs:choice> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="RSAKeyValueType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="Modulus" type="xs:string" /> +					<xs:element minOccurs="0" name="Exponent" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +		</xs:schema> +		<xs:schema elementFormDefault="qualified" targetNamespace="urn:SZRServices"> +			<xs:import namespace="http://reference.e-government.gv.at/namespace/persondata/20020228#" /> +			<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" /> +			<xs:element name="SZRException" type="szr:SZRException" /> +			<xs:complexType name="SZRException" /> +			<xs:complexType name="PersonInfoType"> +				<xs:sequence> +					<xs:element name="Person" type="pd:PhysicalPersonType" /> +					<xs:element minOccurs="0" name="RegularDomicile" type="pd:PostalAddressType" /> +					<xs:element minOccurs="0" name="AddressCodes" type="szr:AddressCodesType" /> +					<xs:element minOccurs="0" name="TravelDocument" type="szr:TravelDocumentType" /> +					<xs:element minOccurs="0" name="DateOfBirthWildcard" type="xs:boolean" /> +					<xs:element minOccurs="0" name="AuskunftssperreGesetzt" type="xs:boolean" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="TravelDocumentType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="DocumentNumber" type="xs:string" /> +					<xs:element minOccurs="0" name="DocumentType" type="xs:string" /> +					<xs:element minOccurs="0" name="IssueDate" type="xs:string" /> +					<xs:element minOccurs="0" name="IssuingAuthority" type="xs:string" /> +					<xs:element minOccurs="0" name="IssuingCountry" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="AddressCodesType"> +				<xs:sequence> +					<xs:element 
minOccurs="0" name="GKZ" type="xs:string" /> +					<xs:element minOccurs="0" name="OKZ" type="xs:string" /> +					<xs:element minOccurs="0" name="SKZ" type="xs:string" /> +					<xs:element minOccurs="0" name="ADRCD" type="xs:string" /> +					<xs:element minOccurs="0" name="SUBCD" type="xs:string" /> +					<xs:element minOccurs="0" name="OBJNR" type="xs:string" /> +					<xs:element minOccurs="0" name="NTZLNR" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:element name="TransformBPK"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +						<xs:element name="InputBPK" type="xs:string" /> +						<xs:element name="InputBereichsKennung" type="xs:string" /> +						<xs:element name="Begruendung" type="xs:string" /> +						<xs:element maxOccurs="unbounded" name="Target" type="szr:FremdBPKRequestType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="TransformBPKResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element maxOccurs="unbounded" name="TransformBPKReturn" type="szr:FremdBPKType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetVKZPermission"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="VKZ" type="xs:string" /> +						<xs:element name="BereichsKennung" type="xs:string" /> +						<xs:element minOccurs="0" name="ParticipantId" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetVKZPermissionResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetVKZPermissionReturn" type="szr:GetVKZPermissionResponseType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:complexType name="IdentityLinkType"> +				<xs:sequence> +					<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +					<xs:element name="Assertion" type="xs:anyType" /> +					<xs:element minOccurs="0" 
name="AdditionalInfo" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="ResultRecord"> +				<xs:sequence> +					<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +					<xs:element name="Register" type="xs:string" /> +					<xs:element name="bPK" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPK" type="szr:FremdBPKType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="GetBPKKombiRequestType"> +				<xs:sequence> +					<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +					<xs:element minOccurs="0" name="InsertERnP"> +						<xs:simpleType> +							<xs:restriction base="xs:string"> +								<xs:enumeration value="NoInsert" /> +								<xs:enumeration value="InsertOnNoMatch" /> +								<xs:enumeration value="ForceInsert" /> +							</xs:restriction> +						</xs:simpleType> +					</xs:element> +					<xs:element minOccurs="0" name="Suchwizard" type="xs:boolean" /> +					<xs:element name="VKZ" type="xs:string" nillable="true" /> +					<xs:element minOccurs="0" name="BehoerdenKennzeichen" type="xs:string" /> +					<xs:element minOccurs="0" name="BereichsKennung" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="Target" type="szr:FremdBPKRequestType" /> +					<xs:element minOccurs="0" name="Sessionid" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="GetBPKKombiResponseType"> +				<xs:complexContent> +					<xs:extension base="szr:GetBPKZPVResponseType"> +						<xs:sequence> +							<xs:element name="FoundWithSuchwizard" type="xs:boolean" /> +							<xs:element name="Sessionid" type="xs:string" /> +						</xs:sequence> +					</xs:extension> +				</xs:complexContent> +			</xs:complexType> +			<xs:complexType name="GetBPKZPVRequestType"> +				<xs:sequence> +					<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +					<xs:element minOccurs="0" name="InsertERnP" type="xs:boolean" 
default="false" /> +					<xs:element minOccurs="1" name="VKZ" type="xs:string" /> +					<xs:element minOccurs="0" name="BehoerdenKennzeichen" type="xs:string" /> +					<xs:element minOccurs="0" name="BereichsKennung" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="Target" type="szr:FremdBPKRequestType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="GetBPKZPVResponseType"> +				<xs:sequence> +					<xs:element maxOccurs="unbounded" name="ResultRecord" type="szr:ResultRecord" /> +					<xs:element name="InsertERnPResult" type="xs:boolean" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="GetBPKFromStammzahlEncryptedRequestType"> +				<xs:sequence> +					<xs:element minOccurs="1" name="StammzahlEncrypted" type="xs:string" /> +					<xs:element minOccurs="0" name="PersonInfo" type="szr:PersonInfoType" /> +					<xs:element minOccurs="1" name="VKZ" type="xs:string" /> +					<xs:element minOccurs="0" name="BereichsKennung" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="Target" type="szr:FremdBPKRequestType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="GetBPKFromStammzahlEncryptedResponseType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="bPK" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPK" type="szr:FremdBPKType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:element name="GetIdentityLink"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +						<xs:element maxOccurs="unbounded" name="KeyValue" type="dsig:KeyValueType" /> +						<xs:element minOccurs="0" name="InsertERnP" type="xs:boolean" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetIdentityLinkResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetIdentityLinkReturn" type="szr:IdentityLinkType" /> +					
</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPK"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +						<xs:element minOccurs="0" name="BereichsKennung" type="xs:string" /> +						<xs:element minOccurs="0" name="VKZ" type="xs:string" /> +						<xs:element maxOccurs="unbounded" minOccurs="0" name="Target" type="szr:FremdBPKRequestType" /> +						<xs:element minOccurs="0" name="ListMultiplePersons" type="xs:boolean" /> +						<xs:element minOccurs="0" name="InsertERnP" type="xs:boolean" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element minOccurs="0" name="GetBPKReturn" type="xs:string" /> +						<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPK" type="szr:FremdBPKType" /> +						<xs:element maxOccurs="5" minOccurs="0" name="PersonInfo" type="szr:PersonInfoType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKs"> +				<xs:complexType> +					<xs:sequence> +						<xs:element maxOccurs="unbounded" name="PersonInfo" type="szr:PersonInfoType" /> +						<xs:element minOccurs="0" name="BereichsKennung" type="xs:string" /> +						<xs:element name="VKZ" type="xs:string" /> +						<xs:element maxOccurs="unbounded" minOccurs="0" name="Target" type="szr:FremdBPKRequestType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKsResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element maxOccurs="unbounded" name="ResultRecord" type="szr:GetBPKsResponseType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:complexType name="GetBPKsResponseType"> +				<xs:sequence> +					<xs:element minOccurs="0" name="BPK" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPK" type="szr:FremdBPKType" /> +					<xs:element 
minOccurs="0" name="Fault"> +						<xs:complexType> +							<xs:attribute name="Code" type="xs:string" /> +							<xs:attribute name="String" type="xs:string" /> +						</xs:complexType> +					</xs:element> +				</xs:sequence> +			</xs:complexType> +			<xs:element name="GetBPKKombi"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetBPKKombiRequest" type="szr:GetBPKKombiRequestType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKKombiResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetBPKKombiResponse" type="szr:GetBPKKombiResponseType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKZPV"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetBPKZPVRequest" type="szr:GetBPKZPVRequestType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKZPVResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetBPKZPVResponse" type="szr:GetBPKZPVResponseType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKFromStammzahlEncrypted"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetBPKFromStammzahlEncryptedRequest" type="szr:GetBPKFromStammzahlEncryptedRequestType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetBPKFromStammzahlEncryptedResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="GetBPKFromStammzahlEncryptedResponse" type="szr:GetBPKFromStammzahlEncryptedResponseType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="ValidateIdentityLink"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="IdentityLink" type="szr:IdentityLinkType" /> +						<xs:element name="BereichsKennung" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element 
name="ValidateIdentityLinkResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="ValidateIdentityLinkReturn" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="BPKzuBasiszahl"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="Bereich" type="xs:string" /> +						<xs:element name="BPK" type="xs:string" /> +						<xs:element maxOccurs="unbounded" name="BasisZahl" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="BPKzuBasiszahlResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="BPKzuBasiszahlReturn" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:complexType name="FremdBPKRequestType"> +				<xs:sequence> +					<xs:element name="BereichsKennung" type="xs:string" /> +					<xs:element name="VKZ" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="FremdBPKType"> +				<xs:sequence> +					<xs:element name="BereichsKennung" type="xs:string" /> +					<xs:element name="FremdBPK" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:complexType name="GetVKZPermissionResponseType"> +				<xs:sequence> +					<xs:element name="isAllowed" type="xs:boolean" /> +					<xs:element minOccurs="0" name="behSchluessel" type="xs:string" /> +				</xs:sequence> +			</xs:complexType> +			<xs:element name="BasiszahlZuBPK"> +				<xs:complexType> +					<xs:sequence> +						<xs:element minOccurs="0" name="VKZ" type="xs:string" /> +						<xs:element maxOccurs="unbounded" name="BasisZahl" type="xs:string" /> +						<xs:element maxOccurs="unbounded" minOccurs="0" name="Bereich" type="xs:string" /> +						<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPKTargets" type="szr:FremdBPKRequestType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:complexType name="BasiszahlZuBPKReturnType"> +				<xs:sequence> 
+					<xs:element maxOccurs="unbounded" minOccurs="0" name="BPK" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPKs" type="szr:FremdBPKType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:element name="BasiszahlZuBPKResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element maxOccurs="unbounded" name="BasiszahlZuBPKReturn" type="szr:BasiszahlZuBPKReturnType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="ZMRAnwendungsIntegration"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="Bereich" type="xs:string" /> +						<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPKTargets" type="szr:FremdBPKRequestType" /> +						<xs:element maxOccurs="unbounded" name="ZMRfremdbPK" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:complexType name="ZMRAnwendungsIntegrationReturnType"> +				<xs:sequence> +					<xs:element name="BPK" type="xs:string" /> +					<xs:element maxOccurs="unbounded" minOccurs="0" name="FremdBPKs" type="szr:FremdBPKType" /> +				</xs:sequence> +			</xs:complexType> +			<xs:element name="ZMRAnwendungsIntegrationResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element maxOccurs="unbounded" name="ZMRAnwendungsIntegrationReturn" type="szr:ZMRAnwendungsIntegrationReturnType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetStammzahl"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="PersonInfo" type="szr:PersonInfoType" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetStammzahlResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="Stammzahl" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetStammzahlEncrypted"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="PersonInfo" 
type="szr:PersonInfoType" /> +						<xs:element minOccurs="0" name="InsertERnP" type="xs:boolean" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetStammzahlEncryptedResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="Stammzahl" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="GetVersion" /> +			<xs:element name="GetVersionResponse"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="Version" type="xs:string" /> +						<xs:element name="Revision" type="xs:string" /> +						<xs:element name="Time" type="xs:string" /> +						<xs:element name="IdentityLinkNotAfter" type="xs:string" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +		</xs:schema> +		<xs:schema targetNamespace="http://egov.gv.at/pvp1.xsd"> +			<xs:include schemaLocation="pvp1.xsd" /> +		</xs:schema> +		<xs:schema elementFormDefault="qualified" targetNamespace="http://schemas.xmlsoap.org/ws/2002/04/secext"> +			<xs:element name="Security"> +				<xs:complexType> +					<xs:sequence> +						<!-- add the pvpToken here. 
You can also uncomment the following line if you support XSD 1.1 --> +						<!-- <xs:element ref="pvp:pvpToken" /> --> +						<xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> +					</xs:sequence> +					<xs:anyAttribute processContents="lax" /> +				</xs:complexType> +			</xs:element> +		</xs:schema> +	</types> +	<message name="Header"> +		<part name="SecurityHeader" element="wsse:Security" /> +	</message> +	<message name="GetIdentityLinkRequest"> +		<part element="szr:GetIdentityLink" name="parameters" /> +	</message> +	<message name="GetIdentityLinkResponse"> +		<part element="szr:GetIdentityLinkResponse" name="parameters" /> +	</message> +	<message name="GetBPKRequest"> +		<part element="szr:GetBPK" name="parameters" /> +	</message> +	<message name="GetBPKResponse"> +		<part element="szr:GetBPKResponse" name="parameters" /> +	</message> +	<message name="GetBPKsRequest"> +		<part element="szr:GetBPKs" name="parameters" /> +	</message> +	<message name="GetBPKsResponse"> +		<part element="szr:GetBPKsResponse" name="parameters" /> +	</message> +	<message name="GetBPKKombiRequest"> +		<part element="szr:GetBPKKombi" name="parameters" /> +	</message> +	<message name="GetBPKKombiResponse"> +		<part element="szr:GetBPKKombiResponse" name="parameters" /> +	</message> +	<message name="GetBPKZPVRequest"> +		<part element="szr:GetBPKZPV" name="parameters" /> +	</message> +	<message name="GetBPKZPVResponse"> +		<part element="szr:GetBPKZPVResponse" name="parameters" /> +	</message> +	<message name="GetBPKFromStammzahlEncryptedRequest"> +		<part element="szr:GetBPKFromStammzahlEncrypted" name="parameters" /> +	</message> +	<message name="GetBPKFromStammzahlEncryptedResponse"> +		<part element="szr:GetBPKFromStammzahlEncryptedResponse" name="parameters" /> +	</message> +	<message name="BPKzuBasiszahlRequest"> +		<part element="szr:BPKzuBasiszahl" name="parameters" /> +	</message> +	<message name="BPKzuBasiszahlResponse"> +		<part 
element="szr:BPKzuBasiszahlResponse" name="parameters" /> +	</message> +	<message name="BasiszahlZuBPKRequest"> +		<part element="szr:BasiszahlZuBPK" name="parameters" /> +	</message> +	<message name="BasiszahlZuBPKResponse"> +		<part element="szr:BasiszahlZuBPKResponse" name="parameters" /> +	</message> +	<message name="ValidateIdentityLinkRequest"> +		<part element="szr:ValidateIdentityLink" name="parameters" /> +	</message> +	<message name="ValidateIdentityLinkResponse"> +		<part element="szr:ValidateIdentityLinkResponse" name="parameters" /> +	</message> +	<message name="TransformBPKRequest"> +		<part element="szr:TransformBPK" name="parameters" /> +	</message> +	<message name="TransformBPKResponse"> +		<part element="szr:TransformBPKResponse" name="parameters" /> +	</message> +	<message name="GetVKZPermissionRequest"> +		<part element="szr:GetVKZPermission" name="parameters" /> +	</message> +	<message name="GetVKZPermissionResponse"> +		<part element="szr:GetVKZPermissionResponse" name="parameters" /> +	</message> +	<message name="ZMRAnwendungsIntegrationRequest"> +		<part element="szr:ZMRAnwendungsIntegration" name="parameters" /> +	</message> +	<message name="ZMRAnwendungsIntegrationResponse"> +		<part element="szr:ZMRAnwendungsIntegrationResponse" name="parameters" /> +	</message> +	<message name="GetStammzahlRequest"> +		<part element="szr:GetStammzahl" name="parameters" /> +	</message> +	<message name="GetStammzahlResponse"> +		<part element="szr:GetStammzahlResponse" name="parameters" /> +	</message> +	<message name="GetStammzahlEncryptedRequest"> +		<part element="szr:GetStammzahlEncrypted" name="parameters" /> +	</message> +	<message name="GetStammzahlEncryptedResponse"> +		<part element="szr:GetStammzahlEncryptedResponse" name="parameters" /> +	</message> +	<message name="GetVersionRequest"> +		<part element="szr:GetVersion" name="parameters" /> +	</message> +	<message name="GetVersionResponse"> +		<part element="szr:GetVersionResponse" 
name="parameters" /> +	</message> +	<message name="SZRException"> +		<part element="szr:SZRException" name="fault" /> +	</message> +	<portType name="SZR"> +		<operation name="GetIdentityLink"> +			<input message="szr:GetIdentityLinkRequest" name="GetIdentityLinkRequest" /> +			<output message="szr:GetIdentityLinkResponse" name="GetIdentityLinkResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetBPK"> +			<jaxws:bindings xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"> +				<jaxws:enableWrapperStyle>false</jaxws:enableWrapperStyle> +			</jaxws:bindings> +			<input message="szr:GetBPKRequest" name="GetBPKRequest" /> +			<output message="szr:GetBPKResponse" name="GetBPKResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetBPKs"> +			<input message="szr:GetBPKsRequest" name="GetBPKsRequest" /> +			<output message="szr:GetBPKsResponse" name="GetBPKsResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetBPKKombi"> +			<input message="szr:GetBPKKombiRequest" name="GetBPKKombiRequest" /> +			<output message="szr:GetBPKKombiResponse" name="GetBPKKombiResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetBPKZPV"> +			<input message="szr:GetBPKZPVRequest" name="GetBPKZPVRequest" /> +			<output message="szr:GetBPKZPVResponse" name="GetBPKZPVResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetBPKFromStammzahlEncrypted"> +			<input message="szr:GetBPKFromStammzahlEncryptedRequest" name="GetBPKFromStammzahlEncryptedRequest" /> +			<output message="szr:GetBPKFromStammzahlEncryptedResponse" name="GetBPKFromStammzahlEncryptedResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="ValidateIdentityLink"> +			<input 
message="szr:ValidateIdentityLinkRequest" name="ValidateIdentityLinkRequest" /> +			<output message="szr:ValidateIdentityLinkResponse" name="ValidateIdentityLinkResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="TransformBPK"> +			<input message="szr:TransformBPKRequest" name="TransformBPKRequest" /> +			<output message="szr:TransformBPKResponse" name="TransformBPKResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetVKZPermission"> +			<input message="szr:GetVKZPermissionRequest" name="GetVKZPermissionRequest" /> +			<output message="szr:GetVKZPermissionResponse" name="GetVKZPermissionResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="BPKzuBasiszahl"> +			<input message="szr:BPKzuBasiszahlRequest" name="BPKzuBasiszahlRequest" /> +			<output message="szr:BPKzuBasiszahlResponse" name="BPKzuBasiszahlResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="BasiszahlZuBPK"> +			<input message="szr:BasiszahlZuBPKRequest" name="BasiszahlZuBPKRequest" /> +			<output message="szr:BasiszahlZuBPKResponse" name="BasiszahlZuBPKResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="ZMRAnwendungsIntegration"> +			<input message="szr:ZMRAnwendungsIntegrationRequest" name="ZMRAnwendungsIntegrationRequest" /> +			<output message="szr:ZMRAnwendungsIntegrationResponse" name="ZMRAnwendungsIntegrationResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetStammzahl"> +			<input message="szr:GetStammzahlRequest" name="GetStammzahlRequest" /> +			<output message="szr:GetStammzahlResponse" name="GetStammzahlResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetStammzahlEncrypted"> +			<input 
message="szr:GetStammzahlEncryptedRequest" name="GetStammzahlEncryptedRequest" /> +			<output message="szr:GetStammzahlEncryptedResponse" name="GetStammzahlEncryptedResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +		<operation name="GetVersion"> +			<input message="szr:GetVersionRequest" name="GetVersionRequest" /> +			<output message="szr:GetVersionResponse" name="GetVersionResponse" /> +			<fault message="szr:SZRException" name="SZRException" /> +		</operation> +	</portType> +	<binding name="SZRSoapBinding" type="szr:SZR"> +		<wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" /> +		<operation name="GetIdentityLink"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetIdentityLinkRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetIdentityLinkResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetBPK"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetBPKRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetBPKResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetBPKs"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetBPKsRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetBPKsResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		
</operation> +		<operation name="GetBPKKombi"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetBPKKombiRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetBPKKombiResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetBPKZPV"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetBPKZPVRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetBPKZPVResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetBPKFromStammzahlEncrypted"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetBPKFromStammzahlEncryptedRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetBPKFromStammzahlEncryptedResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetVKZPermission"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetVKZPermissionRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetVKZPermissionResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="ValidateIdentityLink"> +			<wsdlsoap:operation soapAction="" /> +			<input 
name="ValidateIdentityLinkRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="ValidateIdentityLinkResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="TransformBPK"> +			<wsdlsoap:operation soapAction="" /> +			<input name="TransformBPKRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="TransformBPKResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="BPKzuBasiszahl"> +			<wsdlsoap:operation soapAction="" /> +			<input name="BPKzuBasiszahlRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="BPKzuBasiszahlResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="BasiszahlZuBPK"> +			<wsdlsoap:operation soapAction="" /> +			<input name="BasiszahlZuBPKRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="BasiszahlZuBPKResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="ZMRAnwendungsIntegration"> +			<wsdlsoap:operation soapAction="" /> +			<input name="ZMRAnwendungsIntegrationRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				
<wsdlsoap:body use="literal" /> +			</input> +			<output name="ZMRAnwendungsIntegrationResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetStammzahl"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetStammzahlRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetStammzahlResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetStammzahlEncrypted"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetStammzahlEncryptedRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetStammzahlEncryptedResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +		<operation name="GetVersion"> +			<wsdlsoap:operation soapAction="" /> +			<input name="GetVersionRequest"> +				<wsdlsoap:header message="szr:Header" part="SecurityHeader" use="literal" /> +				<wsdlsoap:body use="literal" /> +			</input> +			<output name="GetVersionResponse"> +				<wsdlsoap:body use="literal" /> +			</output> +			<fault name="SZRException"> +				<wsdlsoap:fault name="SZRException" use="literal" /> +			</fault> +		</operation> +	</binding> +	<service name="SZRService"> +		<port binding="szr:SZRSoapBinding" name="SZRBusinesspartnerTestumgebung"> +			<wsdlsoap:address location="https://pvawp.bmi.gv.at/at.gv.bmi.szrsrv-b/services/SZR" /> +		</port> +		<port binding="szr:SZRSoapBinding" name="SZRTestumgebung"> +			<wsdlsoap:address 
location="https://pvawp.bmi.gv.at/bmi.gv.at/soap/SZ2Services-T/services/SZR" /> +		</port> +		<port binding="szr:SZRSoapBinding" name="SZRProduktionsumgebung"> +			<wsdlsoap:address location="https://pvawp.bmi.gv.at/bmi.gv.at/soap/SZ2Services/services/SZR" /> +		</port> +	</service> +</definitions>
\ No newline at end of file
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/szr_client/pvp1.xsd b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/szr_client/pvp1.xsd
new file mode 100644
index 00000000..09c0b1e3
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/szr_client/pvp1.xsd
@@ -0,0 +1,133 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- edited with XMLSPY v2004 rel. 2 U (http://www.xmlspy.com) by BM (Bundeskanzleramt) --> +<!-- PVP Schema 1.8.10 --> +<!-- pvpToken wird über das Element <Security> aus der Spezifikation WS-Security in den SOAP-Header eingebunden --> +<!--erstellt: rainer.hoerbe@bmi.gv.at 2004-04-30 --> +<!--geändert: rainer.hoerbe@beko.at 2007-04-04: Extensions Points definiert --> +<xs:schema targetNamespace="http://egov.gv.at/pvp1.xsd" xmlns="http://egov.gv.at/pvp1.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> +	<xs:element name="pvpToken"> +		<xs:complexType> +			<xs:complexContent> +				<xs:extension base="pvpTokenType" /> +			</xs:complexContent> +		</xs:complexType> +	</xs:element> +	<xs:complexType name="pvpTokenType"> +		<xs:sequence> +			<xs:element name="authenticate"> +				<xs:complexType> +					<xs:sequence> +						<xs:element name="participantId" type="xs:string" /> +						<xs:element name="gvOuDomain" type="xs:string" minOccurs="0" maxOccurs="1" /> +						<xs:choice> +							<xs:element name="userPrincipal"> +								<xs:complexType> +									<xs:complexContent> +										<xs:extension base="pvpPrincipalType"> +											<xs:sequence> +												<xs:element name="gvGid" type="xs:string" /> +												<xs:element name="mail" type="xs:string" minOccurs="0" maxOccurs="1" /> +												<xs:element name="tel" type="xs:string" minOccurs="0" maxOccurs="1" /> +												<xs:element name="bpk" type="xs:string" minOccurs="0" maxOccurs="1" /> +												<xs:element name="gvFunction" type="xs:string" minOccurs="0" maxOccurs="1" /> +											</xs:sequence> +										</xs:extension> +									</xs:complexContent> +								</xs:complexType> +							</xs:element> +							<xs:element name="systemPrincipal" type="pvpPrincipalType" /> +						</xs:choice> +						<xs:any namespace="##other" processContents="lax" minOccurs="0" 
maxOccurs="unbounded"> +							<xs:annotation> +								<xs:documentation>additional authentication properties</xs:documentation> +							</xs:annotation> +						</xs:any> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="authorize" minOccurs="0" maxOccurs="1"> +				<xs:complexType> +					<xs:sequence> +						<xs:sequence minOccurs="0"> +							<xs:element name="gvOuId" type="xs:string" /> +							<xs:element name="ou" type="xs:string" /> +						</xs:sequence> +						<xs:element name="role" maxOccurs="unbounded"> +							<xs:complexType> +								<xs:sequence> +									<xs:any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded" /> +								</xs:sequence> +								<xs:attribute name="value" type="xs:string" use="required" /> +							</xs:complexType> +						</xs:element> +						<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> +							<xs:annotation> +								<xs:documentation>additional authorization properties</xs:documentation> +							</xs:annotation> +						</xs:any> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="accounting" minOccurs="0"> +				<xs:complexType> +					<xs:sequence> +						<xs:any processContents="skip" minOccurs="0" maxOccurs="unbounded" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +			<xs:element name="pvpChainedToken" type="pvpTokenType" minOccurs="0" /> +			<xs:element name="pvpExtension" block="extension" minOccurs="0"> +				<xs:complexType> +					<xs:sequence> +						<xs:any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded" /> +					</xs:sequence> +				</xs:complexType> +			</xs:element> +		</xs:sequence> +		<xs:attribute name="version" type="gvVersionType" use="required" /> +		<xs:anyAttribute namespace="##any" processContents="lax" /> +	</xs:complexType> +	<xs:complexType name="pvpPrincipalType"> +		<xs:sequence> +			<xs:element name="userId" type="xs:string" 
/> +			<xs:element name="cn" type="xs:string" /> +			<xs:element name="gvOuId" type="xs:string" /> +			<xs:element name="ou" type="xs:string" /> +			<xs:element name="gvOuOKZ" type="xs:string" minOccurs="0" /> <!-- steht auch in der pvp doku, fehlt aber im normalen pvp1.xsd --> +			<xs:element name="gvSecClass" type="gvSecClassType" minOccurs="0" /> +			<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> +				<xs:annotation> +					<xs:documentation>additional principal attributes</xs:documentation> +				</xs:annotation> +			</xs:any> +		</xs:sequence> +		<xs:anyAttribute namespace="##any" processContents="lax" /> +	</xs:complexType> +	<xs:simpleType name="gvSecClassType"> +		<xs:restriction base="xs:integer"> +			<xs:enumeration value="0" /> +			<xs:enumeration value="1" /> +			<xs:enumeration value="2" /> +			<xs:enumeration value="3" /> +		</xs:restriction> +	</xs:simpleType> +	<xs:simpleType name="gvVersionType"> +		<xs:restriction base="xs:string"> +			<xs:enumeration value="1.0" /> +			<xs:enumeration value="1.1" /> +			<xs:enumeration value="1.2" /> +			<xs:enumeration value="1.8" /> +			<xs:enumeration value="1.9" /> +		</xs:restriction> +	</xs:simpleType> +	<xs:simpleType name="logLevelType"> +		<xs:restriction base="xs:integer"> +			<xs:enumeration value="0" /> +			<xs:enumeration value="1" /> +			<xs:enumeration value="2" /> +			<xs:enumeration value="3" /> +			<xs:enumeration value="4" /> +			<xs:enumeration value="5" /> +		</xs:restriction> +	</xs:simpleType> +</xs:schema> diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/templates/eidas_node_forward.html b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/templates/eidas_node_forward.html new file mode 100644 index 00000000..85e1d18f --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/templates/eidas_node_forward.html 
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+  <script src="$contextPath/autocommit.js"></script>
+</head>
+<body>
+	<noscript>
+		<p>
+			<strong>Note:</strong> Since your browser does not support
+			JavaScript, you must press the Continue button once to proceed.
+		</p>
+	</noscript>
+
+	<div id="alert">Your login is being processed. Thank you for
+		waiting.</div>
+
+	<form action="${endPoint}" method="post" target="_parent">
+		<div>
+			<input type="hidden" name="${tokenName}" value="${tokenValue}" />
+		</div>
+		<noscript>
+			<div>
+				<p>Your browser does not support JavaScript. Click the button to continuing the process .</p>
+				<input type="submit" value="Continue" />
+			</div>
+		</noscript>
+	</form>
+
+</body>
+</html>
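Review bot: The placeholders `${endPoint}`, `${tokenName}` and `${tokenValue}` are written straight into HTML attribute values on the `<form action>` and `<input ... value>` lines, and nothing in this file shows that the template engine escapes them; the `$contextPath` syntax looks like Velocity, which does not escape by default, so a `"` in the configured forward endpoint or in the token would break out of the attribute. The token is presumably base64 and the endpoint comes from configuration, so the exposure is limited, but the template should not rely on that; apply HTML-attribute escaping when the model is filled (or confirm the engine's escape mode) and record the contract with `<!-- endPoint, tokenName and tokenValue must be HTML-attribute-escaped by the caller before this template is rendered -->`. The noscript text `Click the button to continuing the process .` should read `Click the button to continue the process.`.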
\ No newline at end of file
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/gv/egiz/test/eidas/specific/modules/authmodule_eIDASv2/SZRClientTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/gv/egiz/test/eidas/specific/modules/authmodule_eIDASv2/SZRClientTest.java
new file mode 100644
index 00000000..33050b12
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/gv/egiz/test/eidas/specific/modules/authmodule_eIDASv2/SZRClientTest.java
@@ -0,0 +1,172 @@
+package at.gv.egiz.test.eidas.specific.modules.authmodule_eIDASv2;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.util.Base64Utils;
+import org.w3._2000._09.xmldsig.KeyValueType;
+import org.w3._2000._09.xmldsig.RSAKeyValueType;
+import org.w3c.dom.Element;
+
+import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType;
+import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
+import at.gv.egiz.eaaf.core.exceptions.EAAFParserException;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.SZRCommunicationException;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient;
+import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.utils.eIDASResponseUtils;
+import szrservices.IdentityLinkType;
+import szrservices.PersonInfoType;
+import szrservices.SZRException_Exception;
+import szrservices.TravelDocumentType;
+
+@RunWith(SpringJUnit4ClassRunner.class) 
+@ContextConfiguration("/SpringTest-context_basic_test.xml")
+public class SZRClientTest {
+	private static final Logger log = LoggerFactory.getLogger(SZRClientTest.class);
+	
+	@Autowired SZRClient szrClient;
+	@Autowired IConfiguration basicConfig;
+	
+	private static final String givenName = "Franz";
+	private static final String familyName = "Mustermann";
+	private static final String dateOfBirth = "1987-05-05";
+	private static final String eIDASeID = "IS/AT/123456789ABCDE";
+	
+	private static final String DUMMY_TARGET = EAAFConstants.URN_PREFIX_CDID + "ZP";
+	
+	@Test
+	public void dummyTest() { 
+				
+	}
+	
+	
+	//@Test
+	public void getIdentityLink() throws SZRException_Exception, EAAFParserException, NoSuchProviderException, IOException, InvalidKeyException, SZRCommunicationException {
+		log.debug("Starting connecting SZR Gateway");											
+		IdentityLinkType result = szrClient.getIdentityLink(
+									getPersonInfo(), 
+									dummyCodeForKeys(), 
+									basicConfig.getBasicMOAIDConfigurationBoolean(
+											Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_INSERTERNB, 
+											true)
+									);
+
+		Element idlFromSZR = (Element)result.getAssertion();			
+		IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSZR).parseIdentityLink();
+		if (identityLink == null)
+			throw new SZRCommunicationException("ernb.00", new Object[] {"bPK is null or empty"});
+			
+	}
+	
+	//@Test
+	public void getbPKTest() throws SZRException_Exception, SZRCommunicationException {
+		String bPK = szrClient.getBPK(getPersonInfo(), DUMMY_TARGET, 
+				basicConfig.getBasicConfiguration(
+				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, 
+				"no VKZ defined"));
+		
+		if (StringUtils.isEmpty(bPK))
+			throw new SZRCommunicationException("ernb.01", new Object[] {"bPK is null or empty"});
+		
+		
+	}
+	
+	private PersonInfoType getPersonInfo() {
+		PersonInfoType personInfo = new PersonInfoType();
+		PersonNameType personName = new PersonNameType();
+		PhysicalPersonType naturalPerson = new PhysicalPersonType();
+		TravelDocumentType eDocument = new TravelDocumentType();				
+		
+		naturalPerson.setName(personName );
+		personInfo.setPerson(naturalPerson );
+		personInfo.setTravelDocument(eDocument );
+						
+		//parse some eID attributes
+		Trible<String, String, String> eIdentifier = 
+				eIDASResponseUtils.parseEidasPersonalIdentifier((String)eIDASeID);
+		String uniqueId = (String)eIDASeID;
+		String citizenCountry = eIdentifier.getFirst();
+					
+		//person information
+		personName.setFamilyName((String)familyName);
+		personName.setGivenName((String)givenName);
+		naturalPerson.setDateOfBirth(dateOfBirth);
+		eDocument.setIssuingCountry(citizenCountry);
+		eDocument.setDocumentNumber(uniqueId);
+		
+		//eID document information								
+		eDocument.setDocumentType(basicConfig.getBasicConfiguration(
+				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, 
+				Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE));
+		
+		//TODO: that should be removed
+		eDocument.setIssueDate(basicConfig.getBasicConfiguration(
+				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_ISSUING_DATE, 
+				Constants.SZR_CONSTANTS_DEFAULT_ISSUING_DATE));
+		eDocument.setIssuingAuthority(basicConfig.getBasicConfiguration(
+				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_ISSUING_AUTHORITY, 
+				Constants.SZR_CONSTANTS_DEFAULT_ISSUING_AUTHORITY));
+		
+		return personInfo;
+	}
+
+
+	private List<KeyValueType> dummyCodeForKeys() throws IOException, NoSuchProviderException, InvalidKeyException {
+		if (basicConfig.getBasicMOAIDConfigurationBoolean(
+				Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_KEYS_USEDUMMY, 
+				false)) {
+			List<KeyValueType> keyvalueList = new ArrayList<KeyValueType>();
+			try {
+				//Security.addProvider(new BouncyCastleProvider());
+				//PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Constants.SZR_CONSTANTS_DEFAULT_PUBL_KEY);
+				//KeyFactory kf = KeyFactory.getInstance("RSA", "BC");
+										
+				//PublicKey pb = kf.generatePublic(spec);
+				PublicKey pb = new iaik.security.rsa.RSAPublicKey(Constants.SZR_CONSTANTS_DEFAULT_PUBL_KEY);
+				
+				RSAPublicKey rsapb = (RSAPublicKey)pb;	        
+				BigInteger modulus = rsapb.getModulus();
+				BigInteger exponent = rsapb.getPublicExponent();
+		           	           
+				// set key values
+				RSAKeyValueType rsa = new RSAKeyValueType();
+				rsa.setExponent(new String(Base64Utils.encode(exponent.toByteArray())));
+				rsa.setModulus(new String(Base64Utils.encode(modulus.toByteArray())));
+						
+				KeyValueType key = new KeyValueType();
+				key.setRSAKeyValue(rsa);
+							
+				keyvalueList.add(key);
+			
+				return keyvalueList;
+			} catch (Exception e) {
+				log.error("TestCode has an internal ERROR", e);
+				throw e;
+			}
+			
+		}
+		
+		return null;
+		
+	}
+}
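Review bot: In `dummyCodeForKeys`, `modulus.toByteArray()` and `exponent.toByteArray()` return two's-complement encodings, so a modulus whose top bit is set carries a leading 0x00 sign byte; XML-DSig's ds:CryptoBinary requires leading zero octets to be dropped, so a strict consumer of the RSAKeyValue may reject or mis-parse it. Strip that byte before base64-encoding, e.g. with a small helper that returns `Arrays.copyOfRange(b, 1, b.length)` when `b[0] == 0`, and call it on both values. `new String(Base64Utils.encode(...))` also decodes with the platform charset; `new String(Base64Utils.encode(...), StandardCharsets.US_ASCII)` (or `Base64Utils.encodeToString`, where the Spring version offers it) is the safe form. The two real tests are switched off by commenting out `@Test` and replaced by an empty `dummyTest`; `@Ignore("needs SZR test environment")` would keep them visible as skipped instead of silently compiled out.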
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop"
+	xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+	<context:annotation-config />
+
+	<bean id="SZRClientForeIDAS"
+		class="at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient" />
+ 
+ 	<bean id="BasicMSSpecificNodeConfig" 
+ 			class="at.gv.egiz.eidas.specific.connector.config.BasicConfigurationProvider">
+		<constructor-arg value="#{systemProperties['eidas.ms.configuration'] != null ? systemProperties['eidas.ms.configuration'] : 'file:/F:/Projekte/configs/ms_connector/default_config.properties' }"/>
+	</bean>	
+
+</beans>
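Review bot: The fallback in the `constructor-arg` SpEL expression is a developer-machine path, `file:/F:/Projekte/configs/ms_connector/default_config.properties`, so on any other machine the test context is built against a file that does not exist rather than stating that `eidas.ms.configuration` must be set; how `BasicConfigurationProvider` reacts to a missing file is not visible here, but a silent default is the wrong outcome either way. Replace the fallback with a resource checked in beside this file, e.g. `'classpath:szr_test_config.properties'`, or drop the ternary so that a missing property fails the context start with a clear message. The `schemaLocation` also mixes pinned schema versions (`spring-aop-3.1.xsd`, `spring-context-3.1.xsd`, `spring-tx-3.0.xsd`) with the unversioned `spring-beans.xsd`; using the unversioned form throughout avoids tying the test to old schema revisions.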
\ No newline at end of file | 
