From c36d00b46a7b628726b640117632b298bf218cf3 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 17 Mar 2022 08:00:03 +0100 Subject: fix(szr): Request getIdentityLinkEidas before getVSZ because getVSZ does not support insertErnp by using eIDAS entities --- .../modules/auth/eidas/v2/szr/SzrClient.java | 2 +- .../eidas/v2/tasks/CreateIdentityLinkTask.java | 37 +++++- .../eidas/v2/test/SzrClientTestProduction.java | 76 +++++++++--- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 134 ++++++++++++--------- 4 files changed, 171 insertions(+), 78 deletions(-) diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 1f5837d6..5558fdfd 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -234,7 +234,7 @@ public class SzrClient { final String resp; try { - resp = this.szr.getStammzahlEncrypted(personInfo, true); + resp = this.szr.getStammzahlEncrypted(personInfo, false); } catch (SZRException_Exception e) { throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index f4849b07..4a501ed6 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java 
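Review bot: The hard-coded `false` now passed to `this.szr.getStammzahlEncrypted(personInfo, false)` on the `+` line is a silent behaviour change for every caller of `getEncryptedStammzahl`, and nothing at the call site says why ERnP insertion is disabled here. I'd state the intent where the flag is set, e.g. `// insertErnp must be false: SZR does not support insertErnp on getStammzahlEncrypted for eIDAS entities; the identity link is requested first to create the ERnP entry` — that reason comes from the commit subject, not from visible code, so confirm it against the SZR interface description. The enclosing method starts and ends outside the hunk, so I cannot see whether its Javadoc still promises ERnP insertion; if it does, it needs the same update.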
@@ -55,6 +55,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidPr import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType; +import at.gv.e_government.reference.namespace.persondata._20020228.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; import at.gv.egiz.eaaf.core.api.data.EaafConstants; @@ -62,6 +63,7 @@ import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.builder.BpkBuilder; @@ -147,9 +149,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { //request SZR based on IDL or E-ID mode if (pendingReq.getServiceProviderConfiguration() .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) { - + + // work-around, because getEncryptedStammzahl does not support insertERnP for eIDAS entities + SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); + // get encrypted baseId - String vsz = szrClient.getEncryptedStammzahl(personInfo); + String vsz = szrClient.getEncryptedStammzahl(buildGetEncryptedBaseIdReq(idlResult.identityLink)); //write revision-Log entry and extended infos personal-identifier mapping revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); 
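Review bot: The work-around comment on the `+` lines says what is bypassed but not what the extra call does: in E-ID mode the task now performs two SZR round trips per authentication, and the identity link returned by `requestSzrForIdentityLink` appears to be used only as input to `buildGetEncryptedBaseIdReq` for the subsequent VSZ request. I'd make that explicit, e.g. `// work-around: getStammzahlEncrypted has no insertERnP support for eIDAS entities, so request the identity link first (which creates the ERnP entry) and derive the VSZ request from it` — hedged, because `requestSzrForIdentityLink` and any later use of `idlResult` are outside this hunk. If `idlResult.identityLink` can be null, `buildGetEncryptedBaseIdReq` will fail with a NullPointerException instead of a meaningful SZR error, so a guard or a documented non-null contract on `SzrResultHolder` is needed. The enclosing method continues past the hunk.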
@@ -219,6 +224,33 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } + private PersonInfoType buildGetEncryptedBaseIdReq(IIdentityLink identityLink) throws EaafBuilderException { + log.debug("Generating getVsz request from identityLink information ... "); + final PersonInfoType personInfo = new PersonInfoType(); + final PersonNameType personName = new PersonNameType(); + final PhysicalPersonType naturalPerson = new PhysicalPersonType(); + IdentificationType bpk = new IdentificationType(); + + naturalPerson.setName(personName); + personInfo.setPerson(naturalPerson); + naturalPerson.setIdentification(bpk); + + // person information + personName.setFamilyName(identityLink.getFamilyName()); + personName.setGivenName(identityLink.getGivenName()); + naturalPerson.setDateOfBirth(identityLink.getDateOfBirth()); + + final Pair bpkCalc = + BpkBuilder.generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), + EaafConstants.URN_PREFIX_CDID + "ZP"); + bpk.setValue(bpkCalc.getFirst()); + bpk.setType(bpkCalc.getSecond()); + return personInfo; + + } + private void writeExtendedRevisionLogEntry(Map simpleAttrMap, ErnbEidData eidData) { // write ERnB input-data into revision-log if (basicConfig.getBasicConfigurationBoolean( @@ -307,7 +339,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } else { log.debug("Calculating bPK from baseId ... "); - new BpkBuilder(); final Pair bpkCalc = BpkBuilder .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), identityLink.getIdentificationType(), diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java index 1e7ff369..6a356d17 100644 
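Review bot: `buildGetEncryptedBaseIdReq` has no Javadoc, and the sector literal `"ZP"` appended to `EaafConstants.URN_PREFIX_CDID` is a magic string that the production test in this same commit repeats verbatim; a named constant such as `private static final String VSZ_BPK_TARGET = EaafConstants.URN_PREFIX_CDID + "ZP";` would keep the two in step and give the sector a name. The method feeds `identityLink.getIdentificationValue()` — the identification value of the SZR identity link, i.e. the baseId in the normal case — straight into the bPK builder, so a comment like `// identificationValue is the baseId (sensitive): derive the sector-specific bPK here, never log personInfo` would protect the debug line above it from being "improved" later. The Javadoc should state the contract as the code shows it: builds a PersonInfoType with name, date of birth and a sector bPK, no travel document, for the getStammzahlEncrypted request, and throws `EaafBuilderException` when bPK derivation fails. Whether a null `identityLink` can reach this method depends on the caller, which is outside the hunk.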
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java @@ -53,12 +53,16 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenti import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; +import at.gv.e_government.reference.namespace.persondata._20020228.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; import at.gv.egiz.eaaf.core.exceptions.EaafParserException; +import at.gv.egiz.eaaf.core.impl.builder.BpkBuilder; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.data.Triple; import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser; import szrservices.IdentityLinkType; 
@@ -104,6 +108,38 @@ public class SzrClientTestProduction { } + @Test + public void getVszRandom() throws SzrCommunicationException, EidasSAuthenticationException, EaafBuilderException { + + final String givenName = "Franz"; + final String familyName = RandomStringUtils.randomAlphabetic(10); + final String dateOfBirth = "1989-05-04"; + final String eIDASeID = "IS/AT/" + RandomStringUtils.randomAlphanumeric(20); + + IdentityLinkType idl = szrClient.getIdentityLinkInRawMode(getPersonInfo(familyName, givenName, dateOfBirth, eIDASeID)); + + PersonInfoType vszPerson = getPersonInfo( + idl.getPersonInfo().getPerson().getName().getFamilyName(), + idl.getPersonInfo().getPerson().getName().getGivenName(), + idl.getPersonInfo().getPerson().getDateOfBirth(), + null); + + final Pair bpkCalc = + BpkBuilder.generateAreaSpecificPersonIdentifier( + idl.getPersonInfo().getPerson().getIdentification().getValue(), + idl.getPersonInfo().getPerson().getIdentification().getType(), + EaafConstants.URN_PREFIX_CDID + "ZP"); + + IdentificationType vszId = new IdentificationType(); + vszPerson.getPerson().setIdentification(vszId); + vszId.setValue(bpkCalc.getFirst()); + vszId.setType(bpkCalc.getSecond()); + + String vsz = szrClient.getEncryptedStammzahl(vszPerson); + Assert.assertNotNull("vsz", vsz); + + } + @Test public void getEidasBind() throws SzrCommunicationException, EidasSAuthenticationException { String vsz = RandomStringUtils.randomAlphanumeric(10); 
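Review bot: `getVszRandom` sends a synthetic person (family name from `RandomStringUtils.randomAlphabetic(10)`, random eIDAS identifier) through `getIdentityLinkInRawMode`, which according to the commit subject is the call that performs the ERnP insert; if this class really talks to the production SZR, as its name suggests, every run leaves a fabricated person in a live register. I'd gate the test behind an explicit opt-in, e.g. `Assume.assumeTrue(Boolean.getBoolean("szr.prodtest.allowErnpInsert"));` as the first line, and say in a comment which environment it is meant for. The only check is `Assert.assertNotNull("vsz", vsz)`; adding `Assert.assertFalse("vsz empty", vsz.isEmpty())` would catch an empty-string response, which the client treats as a valid result as far as this hunk shows. The bPK derivation is a copy of `buildGetEncryptedBaseIdReq` in the main code, so a change there will not be detected here.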
@@ -204,6 +240,12 @@ public class SzrClientTestProduction { } private PersonInfoType getPersonInfo() throws EidasSAuthenticationException { + return getPersonInfo(familyName, givenName, dateOfBirth, eIDASeID); + + } + + private PersonInfoType getPersonInfo(String familyName, String givenName, String dateOfBirth, String eIDASeID) + throws EidasSAuthenticationException { final PersonInfoType personInfo = new PersonInfoType(); final PersonNameType personName = new PersonNameType(); final PhysicalPersonType naturalPerson = new PhysicalPersonType(); 
@@ -211,25 +253,31 @@ public class SzrClientTestProduction { naturalPerson.setName(personName); personInfo.setPerson(naturalPerson); - personInfo.setTravelDocument(eDocument); - - // parse some eID attributes - final Triple eIdentifier = - EidasResponseUtils.parseEidasPersonalIdentifier(eIDASeID); - final String uniqueId = createHashFromUniqueId(eIdentifier.getThird()); - final String citizenCountry = eIdentifier.getFirst(); + // person information personName.setFamilyName(familyName); personName.setGivenName(givenName); naturalPerson.setDateOfBirth(dateOfBirth); - eDocument.setIssuingCountry(citizenCountry); - eDocument.setDocumentNumber(uniqueId); - - // eID document information - eDocument.setDocumentType(basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, - Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); + + // parse some eID attributes + if (eIDASeID != null) { + final Triple eIdentifier = + EidasResponseUtils.parseEidasPersonalIdentifier(eIDASeID); + final String uniqueId = createHashFromUniqueId(eIdentifier.getThird()); + final String citizenCountry = eIdentifier.getFirst(); + + eDocument.setIssuingCountry(citizenCountry); + eDocument.setDocumentNumber(uniqueId); + + // eID document information + eDocument.setDocumentType(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, + Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); + + personInfo.setTravelDocument(eDocument); + + } return personInfo; } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 175f95e6..720365fe 100644 
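Review bot: The `if (eIDASeID != null)` branch makes the overload produce two quite different requests — a full one with travel document for getIdentityLinkEidas, or a bare name/date-of-birth person for getStammzahlEncrypted — and nothing documents that `null` is the switch. A Javadoc line such as `@param eIDASeID eIDAS personal identifier; null omits the travel document (used for getStammzahlEncrypted requests)` would stop the next test author from passing null by accident. The `eDocument` object is, as far as this hunk shows, still constructed before the check (its declaration is outside the hunk), so it is built and discarded when no identifier is given; moving its construction into the branch would make that clearer. The enclosing method starts outside the hunk.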
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -17,6 +17,10 @@ import java.util.Iterator; import java.util.List; import java.util.Map; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; + import org.apache.commons.lang3.RandomStringUtils; import org.jetbrains.annotations.NotNull; import org.jose4j.jwa.AlgorithmConstraints; @@ -73,9 +77,11 @@ import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap.Builder; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import lombok.val; +import szrservices.GetIdentityLinkEidasResponse; import szrservices.JwsHeaderParam; import szrservices.PersonInfoType; import szrservices.SZR; +import szrservices.SZRException_Exception; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -166,7 +172,8 @@ public class CreateIdentityLinkTaskEidNewTest { response = buildDummyAuthResponse(true); pendingReq.getSessionData(AuthProcessDataWrapper.class) .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); - + + setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml"); String vsz = RandomStringUtils.randomNumeric(10); when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz); val signContentResp = new SignContentResponseType(); 
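Review bot: The same `setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml");` line is added to four test methods in this file by this commit, which suggests it is a precondition of every E-ID-mode path rather than a per-test choice. I'd move it into the `@Before` setup and keep a per-test call only where a different fixture is wanted, so a new test cannot forget it and fail on a null identity link instead of on the behaviour it tests. The enclosing setup method starts outside the hunk.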
@@ -230,39 +237,31 @@ public class CreateIdentityLinkTaskEidNewTest { verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture()); Boolean param5 = argument5.getValue(); - Assert.assertTrue("insertERnP flag", param5); + Assert.assertFalse("insertERnP flag", param5); PersonInfoType person = argument4.getValue(); - Assert.assertEquals("FamilyName", - response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), - person.getPerson().getName().getFamilyName()); - Assert.assertEquals("GivenName", - response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), - person.getPerson().getName().getGivenName()); - Assert.assertEquals("DateOfBirth", - response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next()) - .toString().split("T")[0], - person.getPerson().getDateOfBirth()); - - Assert.assertEquals("PlaceOfBirth", - response.getAttributes().getAttributeValuesByFriendlyName("PlaceOfBirth").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("PlaceOfBirth").iterator().next()), - person.getPerson().getPlaceOfBirth()); - Assert.assertEquals("BirthName", - response.getAttributes().getAttributeValuesByFriendlyName("BirthName").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("BirthName").iterator().next()), - person.getPerson().getAlternativeName().getFamilyName()); + Assert.assertEquals("FamilyName", "Mustermann", person.getPerson().getName().getFamilyName()); + Assert.assertEquals("GivenName", "Hans", person.getPerson().getName().getGivenName()); + Assert.assertEquals("DateOfBirth", "1989-05-05", person.getPerson().getDateOfBirth()); + Assert.assertEquals("bpk", 
"1NjpYBHFn6onfNp2pCM8nXrlyQc=", person.getPerson().getIdentification().getValue()); + Assert.assertEquals("bPKType", EaafConstants.URN_PREFIX_CDID + "ZP", person.getPerson().getIdentification().getType()); - Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry()); - Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType()); - - Assert.assertEquals("Identifier", - response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next()) - .toString().split("/")[2], - person.getTravelDocument().getDocumentNumber()); +// Assert.assertEquals("PlaceOfBirth", +// response.getAttributes().getAttributeValuesByFriendlyName("PlaceOfBirth").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("PlaceOfBirth").iterator().next()), +// person.getPerson().getPlaceOfBirth()); +// Assert.assertEquals("BirthName", +// response.getAttributes().getAttributeValuesByFriendlyName("BirthName").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("BirthName").iterator().next()), +// person.getPerson().getAlternativeName().getFamilyName()); +// +// Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry()); +// Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType()); +// +// Assert.assertEquals("Identifier", +// response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next()) +// .toString().split("/")[2], +// person.getTravelDocument().getDocumentNumber()); // check bcBind singing request ArgumentCaptor argument1 = ArgumentCaptor.forClass(Boolean.class); 
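Review bot: The expected bPK `1NjpYBHFn6onfNp2pCM8nXrlyQc=` and the name and date values on the `+` lines are derived from the fixture `/data/szr/szr_resp_valid_1.xml`, but nothing in the assertions says so; a comment such as `// expected values come from the identity link in szr_resp_valid_1.xml (baseId -> ZP-sector bPK)` would save the next maintainer from hunting for where "Mustermann" originates. The PlaceOfBirth, BirthName, CitizenCountry, DocumentType and Identifier assertions are commented out rather than removed; since the VSZ request built from the identity link carries no travel document, they cannot return in this form and should be deleted, with the travel-document checks moved onto the captured `getIdentityLinkEidas` argument if that coverage matters. The enclosing test method continues past the hunk.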
@@ -306,6 +305,7 @@ public class CreateIdentityLinkTaskEidNewTest { @Test public void successfulProcessWithStandardInfos() throws Exception { //initialize test + setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml"); String vsz = RandomStringUtils.randomNumeric(10); when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz); val signContentResp = new SignContentResponseType(); 
@@ -368,34 +368,34 @@ public class CreateIdentityLinkTaskEidNewTest { ArgumentCaptor argument5 = ArgumentCaptor.forClass(Boolean.class); verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture()); - Boolean param5 = argument5.getValue(); - Assert.assertTrue("insertERnP flag", param5); - PersonInfoType person = argument4.getValue(); - Assert.assertEquals("FamilyName", - response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), - person.getPerson().getName().getFamilyName()); - Assert.assertEquals("GivenName", - response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), - person.getPerson().getName().getGivenName()); - Assert.assertEquals("DateOfBirth", - response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next()) - .toString().split("T")[0], - person.getPerson().getDateOfBirth()); - - Assert.assertNull("PlaceOfBirth", person.getPerson().getPlaceOfBirth()); - Assert.assertNull("BirthName", person.getPerson().getAlternativeName()); - - Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry()); - Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType()); - - Assert.assertEquals("Identifier", - response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue( - response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next()) - .toString().split("/")[2], - person.getTravelDocument().getDocumentNumber()); +// Boolean param5 = argument5.getValue(); +// Assert.assertTrue("insertERnP flag", param5); +// PersonInfoType person = argument4.getValue(); +// 
Assert.assertEquals("FamilyName", +// response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), +// person.getPerson().getName().getFamilyName()); +// Assert.assertEquals("GivenName", +// response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), +// person.getPerson().getName().getGivenName()); +// Assert.assertEquals("DateOfBirth", +// response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next()) +// .toString().split("T")[0], +// person.getPerson().getDateOfBirth()); +// +// Assert.assertNull("PlaceOfBirth", person.getPerson().getPlaceOfBirth()); +// Assert.assertNull("BirthName", person.getPerson().getAlternativeName()); +// +// Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry()); +// Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType()); +// +// Assert.assertEquals("Identifier", +// response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue( +// response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next()) +// .toString().split("/")[2], +// person.getTravelDocument().getDocumentNumber()); } @@ -403,6 +403,7 @@ public class CreateIdentityLinkTaskEidNewTest { @Test public void getStammzahlEncryptedExceptionTest() throws Exception { try { + setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml"); when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(null); task.execute(pendingReq, executionContext); } catch (TaskExecutionException e) { 
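Review bot: The `+` lines comment out every assertion on the captured `getStammzahlEncrypted` argument, so `successfulProcessWithStandardInfos` now only proves the call happened once; the `insertERnP` flag — the thing this commit changes — is no longer checked on this path at all. At minimum restore `Assert.assertFalse("insertERnP flag", argument5.getValue());` together with the family name, given name, date of birth and bPK checks in the same form the preceding test in this file uses, and delete the commented-out block instead of keeping it. Commented-out assertions are routinely read as "still covered" by whoever looks at the test report next. The enclosing test method starts outside the hunk.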
@@ -417,6 +418,7 @@ public class CreateIdentityLinkTaskEidNewTest { @Test public void signContentExceptionTest() throws Exception { try { + setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml"); when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); when(szrMock, "signContent", any(), any(), any()).thenReturn(null); task.execute(pendingReq, executionContext); @@ -451,6 +453,18 @@ public class CreateIdentityLinkTaskEidNewTest { } + private void setSzrResponseIdentityLink(String responseXmlPath) throws JAXBException, SZRException_Exception { + final JAXBContext jaxbContext = JAXBContext + .newInstance(szrservices.ObjectFactory.class, org.w3._2001._04.xmldsig_more.ObjectFactory.class, + org.w3._2000._09.xmldsig.ObjectFactory.class, + at.gv.e_government.reference.namespace.persondata._20020228.ObjectFactory.class); + final Unmarshaller jaxbUnmarshaller = jaxbContext.createUnmarshaller(); + final GetIdentityLinkEidasResponse szrResponse = (GetIdentityLinkEidasResponse) jaxbUnmarshaller + .unmarshal(this.getClass().getResourceAsStream(responseXmlPath)); + org.mockito.Mockito.when(szrMock.getIdentityLinkEidas(any(PersonInfoType.class))).thenReturn(szrResponse.getGetIdentityLinkReturn()); + + } + @NotNull private AuthenticationResponse buildDummyAuthResponse(boolean withAll) throws URISyntaxException { final AttributeDefinition attributeDef = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( -- cgit v1.2.3 From 7bad70d9a5eac74d3e8651f709739e4099c13e58 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 17 Mar 2022 08:00:29 +0100 Subject: chore(core): add readme and history for next release version --- infos/history.txt | 51 ++++++++++++++++++++++++++++++++++++++++++++ infos/readme_1.2.4.md | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 infos/history.txt create mode 100644 infos/readme_1.2.4.md 
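Review bot: `setSzrResponseIdentityLink` opens `getResourceAsStream(responseXmlPath)` and never closes it, and a missing fixture surfaces as an IllegalArgumentException from `unmarshal(null)` rather than a message naming the path; `try (InputStream in = Objects.requireNonNull(getClass().getResourceAsStream(responseXmlPath), "fixture not found: " + responseXmlPath)) { … unmarshal(in) … }` fixes both. A new `JAXBContext` is built on every call; JAXBContext creation is comparatively expensive, so a `static final` context for the four ObjectFactory classes would do. The identical helper is added to FullStartUpAndProcessTest in the next commit on this page, so a shared test-support class would keep the two copies from drifting.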
diff --git a/infos/history.txt b/infos/history.txt new file mode 100644 index 00000000..ac815270 --- /dev/null +++ b/infos/history.txt 
@@ -0,0 +1,51 @@ +Dieses Dokument zeigt die Veränderungen und Erweiterungen am eIDAS MS-Connector + +Version 1.2.4 (2022-03-17): + - Bugfix + - Work-Around für insertErnp im ID Austria Betriebsmodus + - Akutalisierung von Drittherstellerbibliotheken + +Version 1.2.3 (2021-10-21): + - Bugfix + - Inkompatibilität zwischen AT MS-Connector und ID Austria System behoben + - Logging optimiert und Beispielkonfiguration um TransactionsId erweitert + - Akutalisierung von Drittherstellerbibliotheken + +Version 1.2.2 (2021-06-26): + - Bugfix + - Inkompatibilität zwischen AT MS-Connector, EidasNode v2.5 und Deutscher Middleware behoben + +Version 1.2.1 (2021-05-28): + - Bugfix + - Möglichen Fehler in der Sprachauswahl via GUI behoben + +Version 1.2 (2021-05-12): + - Erforderliche Anpassungen zur Integration in den ID Austria + - Update auf eIDAS Ref. Impl. 2.5.0 (Implementiert eIDAS Spezifikation 1.2) https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+version+2.5 + - Codestabilisierung + - Monitoring und HealthChecks Verbesserungen + - Akutalisierung von Drittherstellerbibliotheken + +Version 1.1 (2019-12-13): + - Update auf eIDAS Ref. Impl. 2.4.0 mit Apache Ignite Cache https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+version+2.4 + - Statischer Service-Provider Name für öffentliche Applikationen + - Mindest LoA, welche für Requests an eIDAS Proxy-Services verwendet wird. + - Requested Attributes je Land konfigurierbar + - Neue Template-Engine mit i18n Unterstützung + - Neuer Algorithmus zur Generierung von Sessiontokens + - Akutalisierung von Drittherstellerbibliotheken + +Version 1.0.1 (2019-08-02): + - Update auf eIDAS Ref. Impl. 2.2.0 + - Bugfix + - Ungültige Zeichenkodierung bei nonLatin Zeichen behoben + - Akutalisierung von Drittherstellerbibliotheken + +Version 1.0 (2018-10-30): + - Initiale Version des eIDAS MS-Connector + + + + + + 
diff --git a/infos/readme_1.2.4.md b/infos/readme_1.2.4.md new file mode 100644 index 00000000..82a6588a --- /dev/null +++ b/infos/readme_1.2.4.md 
@@ -0,0 +1,58 @@ +# MS-Connector v1.2.4 Release vom 17.03.2022 + +Der MS-Connector implementiert eine Bridge zwischen dem österreichischen E-ID System und dem eIDAS Framework um ausländischen Benutzern eine Anmeldung am österreichischen Service-Providern zu ermöglichen. + +### Änderungen in dieser Version + + - Bugfix + - Work-Around für insertErnp im ID Austria Betriebsmodus +- Akutalisierung von Drittherstellerbibliotheken + + + + +### Durchführen eines Updates + +Nachfolgend finden Sie die erforderlichen Schritte für das Update eines bestehenden MS-specific eIDAS Connectors auf die aktuelle Version 1.2.4. Das vollständige Handbuch mit allen Konfigurationsparametern finden Sie im Releasepackage im Verzeichnis: _infos/handbook/_ + +### Ausgehend von einer bestehenden Version 1.2.x + +1. Stoppen Sie die *MS-Connector* Applikation und fertigen Sie eine Sicherungskopie Ihrer Applikation inklusive Konfiguration an +2. Entpacken Sie das Releasepacket *ms_specific_connector-1.2.4-dist.zip* in ein temporäres Verzeichnis welches in weiterer Folge __MsConnectorPackage__ bezeichnet wird. +3. Kopieren sie die Applikation __MsConnectorPackage__/ms_connector.war nach in das Applikationsverzeichnis ihres Applikationsservers + +### Ausgehend von einer bestehenden Version 1.1.0 + +1. Stoppen Sie die *MS-Connector* Applikation und fertigen Sie eine Sicherungskopie Ihrer Applikation inklusive Konfiguration an +2. Entpacken Sie das Releasepacket *ms_specific_connector-1.2.4-dist.zip* in ein temporäres Verzeichnis welches in weiterer Folge __MsConnectorPackage__ bezeichnet wird. +3. Kopieren sie die Applikation __MsConnectorPackage__/ms_connector.war nach in das Applikationsverzeichnis ihres Applikationsservers +4. Mit der Version 1.2.0 wurde die Konfiguration eine eine Minimalkonfiguration [`default_config.properties`](./../config/default_config.properties) und eine in den MS-Connectorintegrierte Defaultkonfiguration aufgteilt. 
Die nachfolgende Aufzählung umfasst die neuen oder geänderten Konfigurationsparameter, beschreibt jedoch keine Aufteilung einer bestehenden Konfiguration in Minimal- und Defaultteil. Eine vollständige Beschreibung aller Konfigurationswerte finden Sie im Handbuch zum AT MS-Connector. +5. Update bestehender Dateien . Die nachfolgenden Dateien wurden geändert und erfordern eine Anpassung oder eine Übernahme dem Releasepacket, sofern die Anpassung nicht bereits durchgeführt wurde. Sofern die entsprechenden Datein an die bestehende Infrastruktur angepasst wurden so müssen diese Änderungen übernommen werden. + - __MsConnectorPackage__/config/templates/error_message.html + - __MsConnectorPackage__/config/eIDAS/igniteSpecificCommunication.xml + Hinweis: Siehe auch Update-Hinweise zur EIDAS-Node v2.5 +6. Erstellung neuer Dateien + - _KeyStore für ID Austria AuthBlock:_ Erstellen eines KeyStore mit mit öffentlichem und privaten Schlüssel welcher für die JWS Signature des technischen ID Austria AuthBlocks verwendet werden soll. +7. Neue Konfigurationsparameter + - *Allgemeine Konfiguration* + - ```eidas.ms.core.configRootDir``` + - *ID Austria Umsetzung* + - ```eidas.ms.auth.eIDAS.authblock.keystore.type``` + - ```eidas.ms.auth.eIDAS.authblock.keystore.path``` + - ```eidas.ms.auth.eIDAS.authblock.keystore.password``` + - ```eidas.ms.auth.eIDAS.authblock.key.alias``` + - ```eidas.ms.auth.eIDAS.authblock.key.password``` + - *Service-Provider Konfiguration Konfiguration* + - ```eidas.ms.sp.x.newEidMode``` +8. Gelöschte Konfigurationsparameter + + - ```authhandler.modules.bindingservice.bpk.target``` +9. 
Neue optionale Konfigurationsparameter + - *Allgemeine Konfiguration* + - ```eidas.ms.core.logging.level.info.errorcodes``` + - *eIDAS Node Kommunikation* + * ```eidas.ms.auth.eIDAS.node_v2.requesterId.useHashedForm``` + * ```eidas.ms.auth.eIDAS.node_v2.requesterId.lu.useStaticRequesterForAll``` + - *ID Austria Umsetzung* + - ```eidas.ms.auth.eIDAS.eid.testidentity.default``` + - ```eidas.ms.auth.eIDAS.szrclient.eidasbind.mds.inject``` -- cgit v1.2.3 From 440dcedcfb17e05e439d3019a8cfdb27c307123d Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 17 Mar 2022 08:17:14 +0100 Subject: test(core): fix integration test with included work-around for IDA mode --- .../connector/test/FullStartUpAndProcessTest.java | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java index 64e8272e..c56ac1ef 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java @@ -11,6 +11,9 @@ import java.net.URISyntaxException; import java.util.Map; import java.util.Timer; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; import javax.xml.transform.TransformerException; import org.apache.commons.lang3.RandomStringUtils; 
@@ -85,7 +88,10 @@ import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; import lombok.val; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.xml.XMLParserException; +import szrservices.GetIdentityLinkEidasResponse; +import szrservices.PersonInfoType; import szrservices.SZR; +import szrservices.SZRException_Exception; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -400,6 +406,8 @@ public class FullStartUpAndProcessTest { private void injectSzrResponse() throws Exception { + setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml"); + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz); val signContentResp = new SignContentResponseType(); final SignContentEntry signContentEntry = new SignContentEntry(); @@ -493,4 +501,17 @@ public class FullStartUpAndProcessTest { metadataProvider.addMetadataResolverIntoChain(fileSystemResolver); } + + private void setSzrResponseIdentityLink(String responseXmlPath) throws JAXBException, SZRException_Exception { + final JAXBContext jaxbContext = JAXBContext + .newInstance(szrservices.ObjectFactory.class, org.w3._2001._04.xmldsig_more.ObjectFactory.class, + org.w3._2000._09.xmldsig.ObjectFactory.class, + at.gv.e_government.reference.namespace.persondata._20020228.ObjectFactory.class); + final Unmarshaller jaxbUnmarshaller = jaxbContext.createUnmarshaller(); + final GetIdentityLinkEidasResponse szrResponse = (GetIdentityLinkEidasResponse) jaxbUnmarshaller + .unmarshal(this.getClass().getResourceAsStream(responseXmlPath)); + org.mockito.Mockito.when(szrMock.getIdentityLinkEidas(any(PersonInfoType.class))).thenReturn(szrResponse.getGetIdentityLinkReturn()); + + } + } -- cgit v1.2.3 From d23001c7436559fade8647ffdaa158080c05f0b7 Mon Sep 17 00:00:00 2001 
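Review bot: `setSzrResponseIdentityLink` here is a byte-for-byte copy of the helper added to CreateIdentityLinkTaskEidNewTest in an earlier commit on this page, including the unclosed `getResourceAsStream` and the per-call `JAXBContext.newInstance`; a shared test-support class in a common test module would remove the duplication, and `try (InputStream in = …) { … }` around the unmarshal would close the stream. A one-line comment on the `injectSzrResponse` call site, e.g. `// E-ID mode now requests the identity link before the VSZ, so both SZR calls need a mocked response`, would explain why the extra stub appeared in this integration test.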
From: Thomas <> Date: Thu, 31 Mar 2022 17:36:55 +0200 Subject: fix(core): switch to Spring-Core 5.3.18 and Spring-Boot 2.5.12 to fix cve-2022-22965 --- infos/readme_1.2.4.md | 1 + pom.xml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/infos/readme_1.2.4.md b/infos/readme_1.2.4.md index 82a6588a..9aed1251 100644 --- a/infos/readme_1.2.4.md +++ b/infos/readme_1.2.4.md @@ -6,6 +6,7 @@ Der MS-Connector implementiert eine Bridge zwischen dem österreichischen E-ID S - Bugfix - Work-Around für insertErnp im ID Austria Betriebsmodus + - Mögliche RCE Schwachstelle in Spring Framework behoben ([CVE-2022-22965](https://tanzu.vmware.com/security/cve-2022-22965)) - Akutalisierung von Drittherstellerbibliotheken diff --git a/pom.xml b/pom.xml index 80ee55b8..a77858cb 100644 --- a/pom.xml +++ b/pom.xml @@ -24,9 +24,9 @@ 0.4 1.1.17 - 2.5.7 + 2.5.12 2.5.4 - 5.3.13 + 5.3.18 3.0.14.RELEASE 3.4.5 -- cgit v1.2.3 From 49a945fa17ee06f38ddada441df7a1f29c58e317 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Fri, 1 Apr 2022 21:47:48 +0200 Subject: feat(szr): add configuration property to activate/deactivate work-around for insertErnp in case of IDA mode --- .../src/main/resources/application.properties | 2 +- .../specific/modules/auth/eidas/v2/Constants.java | 4 + .../modules/auth/eidas/v2/szr/SzrClient.java | 25 ++++- .../eidas/v2/tasks/CreateIdentityLinkTask.java | 27 ++++-- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 101 +++++++++++++++++++++ 5 files changed, 148 insertions(+), 11 deletions(-) diff --git a/connector/src/main/resources/application.properties b/connector/src/main/resources/application.properties index e7437840..73a258d7 100644 --- a/connector/src/main/resources/application.properties +++ b/connector/src/main/resources/application.properties 
@@ -100,7 +100,7 @@ eidas.ms.auth.eIDAS.szrclient.eidasbind.mds.inject=false #Raw eIDAS Id data storage eidas.ms.auth.eIDAS.szrclient.workarounds.eidmapping.revisionlog.active=true - +eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida=true eidas.ms.auth.eIDAS.szrclient.params.setPlaceOfBirthIfAvailable=true eidas.ms.auth.eIDAS.szrclient.params.setBirthNameIfAvailable=true diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index 1732a61a..08b1b315 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java @@ -132,6 +132,10 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_SQLLITEDATASTORE_ACTIVE = CONIG_PROPS_EIDAS_SZRCLIENT + ".workarounds.datastore.sqlite.active"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_IDA_VSZ_IDL = + CONIG_PROPS_EIDAS_SZRCLIENT + ".workarounds.use.getidentitylink.for.ida"; + + // http endpoint descriptions public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/light/sp/post"; public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/light/sp/redirect"; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 5558fdfd..e000a2e4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java 
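Review bot: The new constant `CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_IDA_VSZ_IDL` carries no Javadoc, so a reader of Constants.java cannot tell what the property switches or that it is treated as enabled unless explicitly set to false; the neighbouring constants share that gap, but this one gates a state-changing SZR call and should not. Suggest `/** ID-Austria mode work-around: request getIdentityLinkEidas (which performs the ERnP insert) before getStammzahlEncrypted; defaults to true. */` above the declaration, and a matching `#` comment above the new `...workarounds.use.getidentitylink.for.ida=true` line in application.properties, where the value is currently set without explanation.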
@@ -226,15 +226,15 @@ public class SzrClient { * Request a encryped baseId from SRZ. * * @param personInfo Minimum dataset of person + * @param insertErnp insertErnp flag on SZR request * @return encrypted baseId * @throws SzrCommunicationException In case of a SZR error */ - public String getEncryptedStammzahl(final PersonInfoType personInfo) - throws SzrCommunicationException { - + public String getEncryptedStammzahl(final PersonInfoType personInfo, boolean insertErnp) + throws SzrCommunicationException{ final String resp; try { - resp = this.szr.getStammzahlEncrypted(personInfo, false); + resp = this.szr.getStammzahlEncrypted(personInfo, insertErnp); } catch (SZRException_Exception e) { throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); } @@ -244,6 +244,23 @@ public class SzrClient { } return resp; + + } + + + + + + /** + * Request a encrypted baseId from SRZ without insertErnp. + * + * @param personInfo Minimum dataset of person + * @return encrypted baseId + * @throws SzrCommunicationException In case of a SZR error + */ + public String getEncryptedStammzahl(final PersonInfoType personInfo) + throws SzrCommunicationException { + return getEncryptedStammzahl(personInfo, false); } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 4a501ed6..d08d8362 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java 
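Review bot: The two-argument `getEncryptedStammzahl` overload now exposes `insertErnp` to every caller, but its Javadoc only says "insertErnp flag on SZR request"; judging by the name and the series' commit messages, `true` asks the SZR to create a register entry, so the contract should say that it is a state-changing request, e.g. `@param insertErnp if true, the SZR is asked to insert the person into the ERnP when no entry exists (state-changing; presumably only intended for the new E-ID mode)`. The same Javadoc still reads "a encryped baseId from SRZ" and the new one "from SRZ" — "an encrypted baseId from the SZR". The missing space in `throws SzrCommunicationException{` and the run of blank lines before the one-argument overload are already fixed by the style commit later in this series.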
@@ -150,12 +150,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { if (pendingReq.getServiceProviderConfiguration() .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) { - // work-around, because getEncryptedStammzahl does not support insertERnP for eIDAS entities - SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); - - // get encrypted baseId - String vsz = szrClient.getEncryptedStammzahl(buildGetEncryptedBaseIdReq(idlResult.identityLink)); - + // get VSZ + String vsz = getVszForPerson(personInfo); + //write revision-Log entry and extended infos personal-identifier mapping revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); writeExtendedRevisionLogEntry(simpleAttrMap, eidData); @@ -224,6 +221,24 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } + private String getVszForPerson(PersonInfoType personInfo) throws SzrCommunicationException, EaafException { + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_IDA_VSZ_IDL, true)) { + log.debug("IDA workaround is active. Requesting IDL to insert person into ERnP .... "); + + // work-around, because getEncryptedStammzahl does not support insertERnP for eIDAS entities + SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); + + // get encrypted baseId + return szrClient.getEncryptedStammzahl(buildGetEncryptedBaseIdReq(idlResult.identityLink)); + + + } else { + return szrClient.getEncryptedStammzahl(personInfo, true); + + } + } + private PersonInfoType buildGetEncryptedBaseIdReq(IIdentityLink identityLink) throws EaafBuilderException { log.debug("Generating getVsz request from identityLink information ... "); final PersonInfoType personInfo = new PersonInfoType(); 
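Review bot: `getVszForPerson` has no Javadoc and hides two things a maintainer needs: the work-around is active by default (`getBasicConfigurationBoolean(..., true)` only disables it when the property is explicitly false), and the work-around path fetches a complete identity link, which carries more of the person's data than `getEncryptedStammzahl` needs, solely to trigger the ERnP insert. As written `idlResult` is a local and only `idlResult.identityLink` is forwarded to `buildGetEncryptedBaseIdReq`, which is what keeps this acceptable in the VSZ-only E-ID mode; that should be stated in a comment (`// IDL is used only to build the VSZ request; do not store it in the session`) so a later change does not persist it. The else branch calls `getEncryptedStammzahl(personInfo, true)`, which the first commit of this series says the SZR does not support for eIDAS entities, so the Javadoc should warn that disabling the property is only safe once the SZR side supports insertErnp for that call. `requestSzrForIdentityLink` and the body of `buildGetEncryptedBaseIdReq` lie outside the hunk.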
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 720365fe..fbc070a9 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -141,6 +141,7 @@ public class CreateIdentityLinkTaskEidNewTest { RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.debug.useDummySolution", "false"); + basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida", "true"); final Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); 
@@ -302,6 +303,106 @@ public class CreateIdentityLinkTaskEidNewTest { } + + + @Test + public void successfulProcessWithStandardInfosWithoutIdl() throws Exception { + //initialize test + basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida", "false"); + + String vsz = RandomStringUtils.randomNumeric(10); + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz); + val signContentResp = new SignContentResponseType(); + final SignContentEntry signContentEntry = new SignContentEntry(); + signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); + signContentResp.getOut().add(signContentEntry); + when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); + + String randomTestSp = RandomStringUtils.randomAlphabetic(10); + String bindingPubKey = RandomStringUtils.randomAlphabetic(10); + pendingReq.setRawDataToTransaction(MsEidasNodeConstants.DATA_REQUESTERID, randomTestSp); + pendingReq.setRawDataToTransaction(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME, bindingPubKey); + + //perform test + task.execute(pendingReq, executionContext); + + //validate state + // check if pendingRequest was stored + IRequest storedPendingReq = requestStorage.getPendingRequest(pendingReq.getPendingRequestId()); + Assert.assertNotNull("pendingReq not stored", storedPendingReq); + + //check data in session + final AuthProcessDataWrapper authProcessData = storedPendingReq.getSessionData(AuthProcessDataWrapper.class); + Assert.assertNotNull("AuthProcessData", authProcessData); + Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class)); + + // check authblock signature + String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class); + Assert.assertNotNull("AuthBlock", authBlock); + final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT, + 
BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()])); + Pair keyStore = getKeyStore(); + X509Certificate[] trustedCerts = EaafKeyStoreUtils + .getPrivateKeyAndCertificates(keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); + JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts), constraints); + Assert.assertTrue("AuthBlock not valid", result.isValid()); + JsonNode authBlockJson = mapper.readTree(result.getPayLoad()); + Assert.assertNotNull("deserialized AuthBlock", authBlockJson); + + Assert.assertNotNull("no piiTransactionId in pendingRequesdt", + storedPendingReq.getUniquePiiTransactionIdentifier()); + Assert.assertEquals("piiTransactionId", storedPendingReq.getUniquePiiTransactionIdentifier(), + authBlockJson.get("piiTransactionId").asText()); + Assert.assertEquals("appId", randomTestSp, authBlockJson.get("appId").asText()); + Assert.assertFalse("'challenge' is null", authBlockJson.get("challenge").asText().isEmpty()); + Assert.assertFalse("'timestamp' is null", authBlockJson.get("timestamp").asText().isEmpty()); + Assert.assertTrue("binding pubKey", authBlockJson.has("bindingPublicKey")); + Assert.assertEquals("binding PubKey", bindingPubKey, authBlockJson.get("bindingPublicKey").asText()); + + Assert.assertTrue("EID process", authProcessData.isEidProcess()); + Assert.assertTrue("foreigner process", authProcessData.isForeigner()); + Assert.assertEquals("EID-ISSUING_NATION", "LU", + authProcessData.getGenericDataFromSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, String.class)); + Assert.assertNotNull("LoA is null", authProcessData.getQaaLevel()); + Assert.assertEquals("LoA", response.getLevelOfAssurance(), + authProcessData.getQaaLevel()); + + // check vsz request + ArgumentCaptor argument4 = ArgumentCaptor.forClass(PersonInfoType.class); + ArgumentCaptor argument5 = ArgumentCaptor.forClass(Boolean.class); + verify(szrMock, 
times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture()); + + Boolean param5 = argument5.getValue(); + Assert.assertTrue("insertERnP flag", param5); + PersonInfoType person = argument4.getValue(); + Assert.assertEquals("FamilyName", + response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), + person.getPerson().getName().getFamilyName()); + Assert.assertEquals("GivenName", + response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), + person.getPerson().getName().getGivenName()); + Assert.assertEquals("DateOfBirth", + response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next()) + .toString().split("T")[0], + person.getPerson().getDateOfBirth()); + + Assert.assertNull("PlaceOfBirth", person.getPerson().getPlaceOfBirth()); + Assert.assertNull("BirthName", person.getPerson().getAlternativeName()); + + Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry()); + Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType()); + + Assert.assertEquals("Identifier", + response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next()) + .toString().split("/")[2], + person.getTravelDocument().getDocumentNumber()); + + } + @Test public void successfulProcessWithStandardInfos() throws Exception { //initialize test -- cgit v1.2.3 From 1d0a637b1c30f000db122cd0a0a6f0806e47bd32 Mon Sep 17 00:00:00 2001 
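Review bot: `successfulProcessWithStandardInfosWithoutIdl` verifies the `insertERnP` flag and the VSZ request contents, but never asserts that the identity-link round-trip is skipped when the work-around is off, which is the behaviour the new configuration flag exists for; add `verify(szrMock, never()).getIdentityLinkEidas(any(PersonInfoType.class));` next to the existing `verify(szrMock, times(1)).getStammzahlEncrypted(...)`. Without it the test still passes if `getVszForPerson` silently falls back to the IDL path.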
From: Thomas <> Date: Fri, 1 Apr 2022 21:48:28 +0200 Subject: doc: update handbook and add configuration property for IDA -> SZR work-around --- infos/Handbuch_MS-eIDAS-Node.docx | Bin 58160 -> 44039 bytes infos/handbook/Handbuch_MS-eIDAS-Node.pdf | Bin 162244 -> 432764 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/infos/Handbuch_MS-eIDAS-Node.docx b/infos/Handbuch_MS-eIDAS-Node.docx index aacb3828..0401fea9 100644 Binary files a/infos/Handbuch_MS-eIDAS-Node.docx and b/infos/Handbuch_MS-eIDAS-Node.docx differ diff --git a/infos/handbook/Handbuch_MS-eIDAS-Node.pdf b/infos/handbook/Handbuch_MS-eIDAS-Node.pdf index 1d4195bb..b35a77bc 100644 Binary files a/infos/handbook/Handbuch_MS-eIDAS-Node.pdf and b/infos/handbook/Handbuch_MS-eIDAS-Node.pdf differ -- cgit v1.2.3 From 6276651d5ad742b2a569ff322cafa0a9529b4b76 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Sat, 2 Apr 2022 10:36:41 +0200 Subject: style(szr): fix two code-style issues --- .../eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index e000a2e4..11ea2843 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -231,7 +231,7 @@ public class SzrClient { * @throws SzrCommunicationException In case of a SZR error */ public String getEncryptedStammzahl(final PersonInfoType personInfo, boolean insertErnp) - throws SzrCommunicationException{ + throws SzrCommunicationException { final String resp; try { resp = this.szr.getStammzahlEncrypted(personInfo, insertErnp); 
@@ -243,14 +243,9 @@ public class SzrClient { throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling } - return resp; - + return resp; } - - - - - + /** * Request a encrypted baseId from SRZ without insertErnp. * -- cgit v1.2.3 From 5a773ddcf9653102ecd6564951e3b9b16e531196 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Tue, 5 Apr 2022 08:40:24 +0200 Subject: doc: update handbook, readme, history, ... --- README.md | 17 +++++++++++++++++ infos/history.txt | 13 ++++++++++++- infos/readme_1.2.4.md | 9 +++++++-- 3 files changed, 36 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2afa0deb..62f3ec33 100644 --- a/README.md +++ b/README.md @@ -92,6 +92,23 @@ The full release package will be located add ## Changelog +**v1.2.4** + +- Bugfix + - Mögliche RCE Schwachstelle in Spring Framework behoben ([CVE-2022-22965](https://tanzu.vmware.com/security/cve-2022-22965)) + - Work-Around für insertErnp im ID Austria Betriebsmodus +- Akutalisierung von Drittherstellerbibliotheken + - Spring-Core 5.3.18 + - Spring-Boot 2.5.12 + - thymeleaf-spring5 3.0.15.RELEASE + - Apache CXF 3.4.6 + - Google Guava 31.1-jre + - Jackson 2.13.2 + - Joda-Time 2.10.14 + - jose4j 0.7.11 + - log4j 2.17.2 + - slf4j 1.7.36 + **v1.2.3** - Logging optimiert und Beispielkonfiguration um TransactionsId erweitert diff --git a/infos/history.txt b/infos/history.txt index ac815270..9c6f06d1 100644 --- a/infos/history.txt +++ b/infos/history.txt 
@@ -1,9 +1,20 @@ Dieses Dokument zeigt die Veränderungen und Erweiterungen am eIDAS MS-Connector -Version 1.2.4 (2022-03-17): +Version 1.2.4 (2022-04-05): - Bugfix + - Mögliche RCE Schwachstelle via Spring Framework behoben (CVE-2022-22965) - Work-Around für insertErnp im ID Austria Betriebsmodus - Akutalisierung von Drittherstellerbibliotheken + - Spring-Core 5.3.18 + - Spring-Boot 2.5.12 + - thymeleaf-spring5 3.0.15.RELEASE + - Apache CXF 3.4.6 + - Google Guava 31.1-jre + - Jackson 2.13.2 + - Joda-Time 2.10.14 + - jose4j 0.7.11 + - log4j 2.17.2 + - slf4j 1.7.36 Version 1.2.3 (2021-10-21): - Bugfix diff --git a/infos/readme_1.2.4.md b/infos/readme_1.2.4.md index 9aed1251..f81c2a0a 100644 --- a/infos/readme_1.2.4.md +++ b/infos/readme_1.2.4.md @@ -1,12 +1,12 @@ -# MS-Connector v1.2.4 Release vom 17.03.2022 +# MS-Connector v1.2.4 Release vom 05.04.2022 Der MS-Connector implementiert eine Bridge zwischen dem österreichischen E-ID System und dem eIDAS Framework um ausländischen Benutzern eine Anmeldung am österreichischen Service-Providern zu ermöglichen. ### Änderungen in dieser Version - Bugfix - - Work-Around für insertErnp im ID Austria Betriebsmodus - Mögliche RCE Schwachstelle in Spring Framework behoben ([CVE-2022-22965](https://tanzu.vmware.com/security/cve-2022-22965)) + - Work-Around für insertErnp im ID Austria Betriebsmodus - Akutalisierung von Drittherstellerbibliotheken 
@@ -21,6 +21,9 @@ Nachfolgend finden Sie die erforderlichen Schritte für das Update eines bestehe 1. Stoppen Sie die *MS-Connector* Applikation und fertigen Sie eine Sicherungskopie Ihrer Applikation inklusive Konfiguration an 2. Entpacken Sie das Releasepacket *ms_specific_connector-1.2.4-dist.zip* in ein temporäres Verzeichnis welches in weiterer Folge __MsConnectorPackage__ bezeichnet wird. 3. Kopieren sie die Applikation __MsConnectorPackage__/ms_connector.war nach in das Applikationsverzeichnis ihres Applikationsservers +4. Neue optionale Konfigurationsparameter + - *SZR Kommunikation* + - ```eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida``` ### Ausgehend von einer bestehenden Version 1.1.0 @@ -57,3 +60,5 @@ Nachfolgend finden Sie die erforderlichen Schritte für das Update eines bestehe - *ID Austria Umsetzung* - ```eidas.ms.auth.eIDAS.eid.testidentity.default``` - ```eidas.ms.auth.eIDAS.szrclient.eidasbind.mds.inject``` + - *SZR Kommunikation* + - ```eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida``` -- cgit v1.2.3 From 575d4cfc074efcd327345dc2dc0025e04b73de5e Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Tue, 5 Apr 2022 08:40:49 +0200 Subject: chore(core): update some more third-party libs --- pom.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pom.xml b/pom.xml index a77858cb..3133cfeb 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 at.asitplus.eidas ms_specific - 1.2.4-SNAPSHOT + 1.2.4 pom MS specific eIDAS components @@ -27,21 +27,21 @@ 2.5.12 2.5.4 5.3.18 - 3.0.14.RELEASE - 3.4.5 + 3.0.15.RELEASE + 3.4.6 2.5.0 3.12.0 1.9 4.4 - 30.1.1-jre - 2.10.13 + 31.1-jre + 2.10.14 - 1.7.30 - 2.15.0 + 1.7.36 + 2.17.2 - 2.12.5 + 2.13.2 2.0.1.Final -- cgit v1.2.3 From f4212032b6accc74977e91ae22ce18cf3ca21c0a Mon Sep 17 00:00:00 2001 
From: Thomas <> Date: Tue, 5 Apr 2022 08:52:14 +0200 Subject: build(core): switch to next release version --- build_reporting/pom.xml | 2 +- connector/pom.xml | 26 +++++++++++++------------- connector_lib/pom.xml | 2 +- eidas_modules/authmodule-eIDAS-v2/pom.xml | 2 +- eidas_modules/pom.xml | 2 +- pom.xml | 9 ++++++++- 6 files changed, 25 insertions(+), 18 deletions(-) diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml index ef3f735f..bcc35bac 100644 --- a/build_reporting/pom.xml +++ b/build_reporting/pom.xml @@ -6,7 +6,7 @@ at.asitplus.eidas ms_specific - 1.2.4-SNAPSHOT + 1.2.4 build_reporting pom diff --git a/connector/pom.xml b/connector/pom.xml index 63a39346..05a07470 100644 --- a/connector/pom.xml +++ b/connector/pom.xml @@ -6,7 +6,7 @@ at.asitplus.eidas ms_specific - 1.2.4-SNAPSHOT + 1.2.4 at.asitplus.eidas.ms_specific @@ -49,15 +49,15 @@ spring-boot-starter-actuator + org.springframework.boot + spring-boot-starter-web + + org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-tomcat - - - + spring-boot-starter-tomcat + + + de.codecentric spring-boot-admin-starter-client @@ -86,10 +86,10 @@ org.apache.commons commons-collections4 - - org.hibernate.validator - hibernate-validator - + + org.hibernate.validator + hibernate-validator + org.apache.cxf diff --git a/connector_lib/pom.xml b/connector_lib/pom.xml index 0c9a1ab6..8d7e2f2d 100644 --- a/connector_lib/pom.xml +++ b/connector_lib/pom.xml @@ -7,7 +7,7 @@ at.asitplus.eidas ms_specific - 1.2.4-SNAPSHOT + 1.2.4 at.asitplus.eidas.ms_specific connector_lib diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml index 017e82c1..d3c5ba63 100644 --- a/eidas_modules/authmodule-eIDAS-v2/pom.xml +++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml @@ -6,7 +6,7 @@ at.asitplus.eidas.ms_specific modules - 1.2.4-SNAPSHOT + 1.2.4 at.asitplus.eidas.ms_specific.modules authmodule-eIDAS-v2 
diff --git a/eidas_modules/pom.xml b/eidas_modules/pom.xml index 758180e0..a1863066 100644 --- a/eidas_modules/pom.xml +++ b/eidas_modules/pom.xml @@ -4,7 +4,7 @@ at.asitplus.eidas ms_specific - 1.2.4-SNAPSHOT + 1.2.4 at.asitplus.eidas.ms_specific modules diff --git a/pom.xml b/pom.xml index 3133cfeb..87d24b98 100644 --- a/pom.xml +++ b/pom.xml @@ -46,7 +46,7 @@ 2.0.1.Final 6.1.5.Final - 0.7.9 + 0.7.11 4.13.2 @@ -308,6 +308,13 @@ jackson-datatype-jsr310 ${jackson-datatype-jsr310.version} + + com.fasterxml.jackson.module + jackson-modules-java8 + ${jackson-datatype-jsr310.version} + pom + runtime + javax.validation validation-api -- cgit v1.2.3 From 791dc8acd7edbf22b98c2be111d420e61ebb39e6 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Tue, 5 Apr 2022 08:52:50 +0200 Subject: build(assembly): add histroy.txt into release package --- connector/src/assembly/assembly_dir.xml | 1 + connector/src/assembly/assembly_zip.xml | 1 + 2 files changed, 2 insertions(+) diff --git a/connector/src/assembly/assembly_dir.xml b/connector/src/assembly/assembly_dir.xml index 59437be6..bc12a470 100644 --- a/connector/src/assembly/assembly_dir.xml +++ b/connector/src/assembly/assembly_dir.xml @@ -44,6 +44,7 @@ readme_${project.version}.txt readme_${project.version}.md + history.txt eIDAS_Ref_Impl/* handbook/* diff --git a/connector/src/assembly/assembly_zip.xml b/connector/src/assembly/assembly_zip.xml index 43877283..dcb7dab0 100644 --- a/connector/src/assembly/assembly_zip.xml +++ b/connector/src/assembly/assembly_zip.xml @@ -44,6 +44,7 @@ readme_${project.version}.txt readme_${project.version}.md + history.txt eIDAS_Ref_Impl/* handbook/* -- cgit v1.2.3