authorThomas <>2022-08-25 14:59:03 +0200
committerThomas <>2022-08-25 14:59:03 +0200
commitfd692be28186154ec5d217dfa35dbae45e5e0166 (patch)
treec68e475d1d09985a9084221e9aaf2d45f630da8d /modules/authmodule-eIDAS-v2/src/main/java
parent21b47ed477a52688918ff03bea64436a6ce621b8 (diff)
feat(eidas): add support for new IDA AuthBlock format
The ID Austria system changes the format of the technical AuthBlock with the Frontend/Backend interface specification v1.1.0
Diffstat (limited to 'modules/authmodule-eIDAS-v2/src/main/java')
-rw-r--r--modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java210
1 files changed, 130 insertions, 80 deletions
diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
index 098e76ce..1998fa85 100644
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
+++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -1,5 +1,6 @@
package at.asitplus.eidas.specific.modules.auth.eidas.v2.service;
+import java.io.Serializable;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
@@ -44,7 +45,7 @@ import lombok.extern.slf4j.Slf4j;
/**
* Service to build and sign AuthBlock's for E-ID system.
- *
+ *
* @author tlenz
*
*/
@@ -55,157 +56,206 @@ public class AuthBlockSigningService {
private static final String KEYSTORE_FRIENDLYNAME = "AuthBlock_Signing";
private static ObjectMapper mapper = new ObjectMapper();
-
+
@Autowired
IConfiguration basicConfig;
-
+
@Autowired
EaafKeyStoreFactory keyStoreFactory;
-
private Pair<KeyStore, Provider> keyStore;
-
+
/**
- * Build and sign an AuthBlock for E-ID system.
- *
+ * Build and sign an AuthBlock for E-ID system.
+ *
* @param pendingReq data that should be added into AuthBlock
* @return serialized JWS
- * @throws JsonProcessingException In case of a AuthBlock generation error
- * @throws JoseException In case of a JWS signing error
- * @throws EaafException In case of a KeyStore or Key error
+ * @throws JsonProcessingException In case of a AuthBlock generation error
+ * @throws JoseException In case of a JWS signing error
+ * @throws EaafException In case of a KeyStore or Key error
*/
- public String buildSignedAuthBlock(IRequest pendingReq)
+ public String buildSignedAuthBlock(IRequest pendingReq)
throws JsonProcessingException, EaafException, JoseException {
-
- //TODO: set Challenge to SAML2 requestId to create link between authentication request and authBlock
-
+
+ // TODO: set Challenge to SAML2 requestId to create link between authentication
+ // request and authBlock
+
// build AuthBlock
- EidasAuchBlock authBlock = new EidasAuchBlock();
- authBlock.setChallenge(UUID.randomUUID().toString());
- authBlock.setTimestamp(LocalDateTime.now(ZoneOffset.UTC).truncatedTo(ChronoUnit.SECONDS));
- authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class));
- authBlock.setPiiTransactionId(pendingReq.getUniquePiiTransactionIdentifier());
-
- //set Binding PublicKey if available
- Object bindingPubKey = pendingReq.getRawData(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME);
- if (bindingPubKey instanceof String) {
- authBlock.setBindingPublicKey((String) bindingPubKey);
-
- }
-
- String jwsPayload = mapper.writeValueAsString(authBlock);
+ final String jwsPayload = mapper.writeValueAsString(buildAuthBlock(pendingReq));
log.debug("Building and sign authBlock with data: {}", jwsPayload);
-
- //sign JWS
- return JoseUtils
- .createSignature(keyStore, getKeyAlias(), getKeyPassword(), jwsPayload, false,
- KEYSTORE_FRIENDLYNAME);
+
+ // sign JWS
+ return JoseUtils.createSignature(
+ keyStore, getKeyAlias(), getKeyPassword(), jwsPayload, false, KEYSTORE_FRIENDLYNAME);
+
+ }
+
+ private Serializable buildAuthBlock(IRequest pendingReq) {
+ if (basicConfig.getBasicConfigurationBoolean(
+ MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_LEGACY_USE, false)) {
+ final EidasAuchBlockV1 authBlock = new EidasAuchBlockV1();
+ authBlock.setChallenge(UUID.randomUUID().toString());
+ authBlock.setTimestamp(LocalDateTime.now(ZoneOffset.UTC).truncatedTo(ChronoUnit.SECONDS));
+ authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class));
+ authBlock.setPiiTransactionId(pendingReq.getUniquePiiTransactionIdentifier());
+
+ // set Binding PublicKey if available
+ final Object bindingPubKey = pendingReq.getRawData(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME);
+ if (bindingPubKey instanceof String) {
+ authBlock.setBindingPublicKey((String) bindingPubKey);
+
+ }
+ return authBlock;
+
+ } else {
+ final EidasAuchBlockV2 authBlock = new EidasAuchBlockV2();
+ authBlock.setChallenge(UUID.randomUUID().toString());
+ authBlock.setTimestamp(LocalDateTime.now(ZoneOffset.UTC).truncatedTo(ChronoUnit.SECONDS));
+
+ // set Binding PublicKey if available
+ final Object bindingPubKey = pendingReq.getRawData(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME);
+ if (bindingPubKey instanceof String) {
+ authBlock.setBindingPublicKey((String) bindingPubKey);
+
+ }
+ return authBlock;
+
+ }
}
-
/**
* Get the Base64 encoded PublicKey that is used to sign the AuthBlock.
- *
+ *
* @return Base64 encoded PublicKey
* @throws EaafKeyAccessException In case of an unknown or invalid key
*/
- public String getBase64EncodedPublicKey() throws EaafKeyAccessException {
- Pair<Key, X509Certificate[]> keyPair = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME);
+ public String getBase64EncodedPublicKey() throws EaafKeyAccessException {
+ final Pair<Key, X509Certificate[]> keyPair = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+ keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME);
return Base64.getEncoder().encodeToString(keyPair.getSecond()[0].getPublicKey().getEncoded());
-
+
}
@PostConstruct
- private void initialize() throws KeyStoreException, EaafException {
+ private void initialize() throws KeyStoreException, EaafException {
log.debug("Initializing AuthBlock signing service ... ");
- // read Connector wide config data TODO connector wide!
- String keyStoreName = basicConfig
+ // read Connector wide config data TODO connector wide!
+ final String keyStoreName = basicConfig
.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME);
- String keyStorePw = basicConfig
+ final String keyStorePw = basicConfig
.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD);
- String keyStorePath = basicConfig
+ final String keyStorePath = basicConfig
.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH);
- String keyStoreType = basicConfig
+ final String keyStoreType = basicConfig
.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE);
-
- //build new KeyStore configuration
- KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration();
+ // build new KeyStore configuration
+ final KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration();
keyStoreConfiguration.setFriendlyName(KEYSTORE_FRIENDLYNAME);
-
+
keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath);
keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw);
- keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType));
+ keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType));
keyStoreConfiguration.setKeyStoreName(keyStoreName);
-
- //validate KeyStore configuration
+
+ // validate KeyStore configuration
keyStoreConfiguration.validate();
-
- //validate key alias
+
+ // validate key alias
if (StringUtils.isEmpty(getKeyAlias())) {
- throw new EaafConfigurationException("config.08",
- new Object[] {MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS});
-
+ throw new EaafConfigurationException("config.08",
+ new Object[] { MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS });
+
}
-
- //build new KeyStore based on configuration
- keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
-
- //check if Key is accessible
+
+ // build new KeyStore based on configuration
+ keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
+
+ // check if Key is accessible
EaafKeyStoreUtils.getPrivateKeyAndCertificates(
keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME);
-
- log.info("AuthBlock signing-service successful initialized");
-
- }
-
+
+ log.info("AuthBlock signing-service successful initialized {}",
+ basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_LEGACY_USE, false)
+ ? " in legacy mode"
+ : "");
+
+ }
+
private char[] getKeyPassword() {
- final String value = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD);
+ final String value = basicConfig.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD);
if (value != null) {
return value.trim().toCharArray();
}
return null;
-
- }
+ }
private String getKeyAlias() {
return basicConfig
.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS);
-
+
}
-
+
/**
* Technical AuthBlock for eIDAS Authentication.
- *
+ *
* @author tlenz
*
*/
@Data
@JsonInclude(JsonInclude.Include.NON_NULL)
- private static class EidasAuchBlock {
+ @Deprecated
+ private static class EidasAuchBlockV1 implements Serializable {
+
+ private static final long serialVersionUID = 8437172632081476257L;
@JsonProperty("challenge")
private String challenge;
-
+
@JsonProperty("timestamp")
@JsonSerialize(using = LocalDateTimeSerializer.class)
@JsonDeserialize(using = LocalDateTimeDeserializer.class)
@JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", timezone = "UTC")
private LocalDateTime timestamp;
-
+
@JsonProperty("appId")
private String uniqueId;
-
+
@JsonProperty("piiTransactionId")
private String piiTransactionId;
-
+
+ @JsonProperty("bindingPublicKey")
+ private String bindingPublicKey;
+
+ }
+
+ /**
+ * AuthBlock for Binding Authentication.
+ *
+ * @author tlenz
+ *
+ */
+ @Data
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ public class EidasAuchBlockV2 implements Serializable {
+
+ private static final long serialVersionUID = -2013435642666124497L;
+
+ @JsonProperty("challenge")
+ private String challenge;
+
+ @JsonProperty("issuedAt")
+ @JsonSerialize(using = LocalDateTimeSerializer.class)
+ @JsonDeserialize(using = LocalDateTimeDeserializer.class)
+ @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", timezone = "UTC")
+ private LocalDateTime timestamp;
+
@JsonProperty("bindingPublicKey")
private String bindingPublicKey;
-
+
}
-
}
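Review bot: `EidasAuchBlockV2` is declared at the `public class EidasAuchBlockV2 implements Serializable` line as a non-static inner class, unlike the `private static class EidasAuchBlockV1` beside it, so every instance carries a hidden reference to the enclosing AuthBlockSigningService, and the type is made public although it is only ever created inside the private `buildAuthBlock`. Because the enclosing service (which holds the KeyStore/Provider pair and the injected config) does not appear to implement Serializable, the `implements Serializable` contract cannot be honoured for V2, and Jackson refuses to instantiate non-static inner classes should the `@JsonDeserialize` annotations on the timestamp ever be exercised. Change the declaration to `private static class EidasAuchBlockV2 implements Serializable {` to match V1. `buildAuthBlock` also lacks a comment on what selects the format; a one-liner such as `// PROP_CONFIG_AUTHBLOCK_LEGACY_USE selects the pre-v1.1.0 layout (V1); the default is the v1.1.0 layout (V2)` would help, and since the same flag is read from basicConfig both in initialize() and on every signing call, it could be captured once at init into a final field. The TODO about setting the challenge to the SAML2 request id is carried over unchanged, so neither format yet links the AuthBlock to the authentication request it belongs to.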