From f696b4085fd10b3b9d627437f439b222903e13e1 Mon Sep 17 00:00:00 2001 From: lalber Date: Tue, 20 Oct 2020 07:47:44 +0200 Subject: stuck on how to test --- .../java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java | 2 ++ 1 file changed, 2 insertions(+) (limited to 'connector_lib/src') diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java index c28e753a..f33ccf44 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java @@ -94,6 +94,8 @@ public class MsEidasNodeConstants { public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE = "pvp2.metadata.truststore"; public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD = "pvp2.metadata.truststore.password"; + public static final String PROP_CONFIG_SP_EID_MODE = + "eidMode"; public static final String PROP_CONFIG_SP_POLICY_ALLOWED_TARGETS = "policy.allowed.requested.targets"; public static final String PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION = "policy.hasBaseIdTransferRestriction"; -- cgit v1.2.3 From a9009a6f89c41dc19b85331dda676993c8a273b9 Mon Sep 17 00:00:00 2001 From: lalber Date: Wed, 4 Nov 2020 16:42:46 +0100 Subject: fix pw aliasname --- .../specific/connector/MsEidasNodeConstants.java | 4 + .../eidas/v2/tasks/CreateIdentityLinkTask.java | 187 ++++++++++----------- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 34 ++-- .../resources/config/junit_config_3.properties | 2 + 4 files changed, 107 insertions(+), 120 deletions(-) (limited to 'connector_lib/src') diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java index f33ccf44..d9aac126 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java @@ -96,6 +96,10 @@ public class MsEidasNodeConstants { "pvp2.metadata.truststore.password"; public static final String PROP_CONFIG_SP_EID_MODE = "eidMode"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_PW = + "authblock.truststore.password"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME = + "authblock.truststore.friendlyName"; public static final String PROP_CONFIG_SP_POLICY_ALLOWED_TARGETS = "policy.allowed.requested.targets"; public static final String PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION = "policy.hasBaseIdTransferRestriction"; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 765f7928..af260528 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -102,8 +102,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { EaafKeyStoreFactory keyStoreFactory; Pair ks; - private static final String KSPASSWORD = "f/+saJBc3a}*/T^s"; - private static final String KSALIAS = "connectorkeypair"; /* * (non-Javadoc) @@ -114,19 +112,18 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { * javax.servlet.http.HttpServletResponse) */ @Override - public void execute(ExecutionContext executionContext, - HttpServletRequest request, HttpServletResponse response) + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { try { final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - final ILightResponse eidasResponse = authProcessData.getGenericDataFromSession( - Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); + final ILightResponse eidasResponse = authProcessData + .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); String eidMode = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); + .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); - final Map simpleAttrMap = convertEidasAttrToSimpleMap(eidasResponse.getAttributes() - .getAttributeMap()); + final Map simpleAttrMap = convertEidasAttrToSimpleMap( + eidasResponse.getAttributes().getAttributeMap()); IIdentityLink identityLink = null; String bpk = null; @@ -138,13 +135,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { writeMdsLogInformation(eidData); // connect SZR-Gateway - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { + if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); // create fake IdL // - fetch IdL template from resources - final InputStream s = CreateIdentityLinkTask.class.getResourceAsStream( - "/resources/xmldata/fakeIdL_IdL_template.xml"); + final InputStream s = CreateIdentityLinkTask.class + .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml"); final Element idlTemplate = DomUtils.parseXmlValidating(s); identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink(); @@ -153,33 +149,34 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final Element idlassertion = identityLink.getSamlAssertion(); // - set fake baseID; - final Node prIdentification = XPathUtils.selectSingleNode(idlassertion, - SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + final Node prIdentification = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym()); // - set last name - final Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, - SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH); + final Node prFamilyName = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH); prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName()); // - set first name - final Node prGivenName = XPathUtils.selectSingleNode(idlassertion, - SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); + final Node prGivenName = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); prGivenName.getFirstChild().setNodeValue(eidData.getGivenName()); // - set date of birth - final Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, - SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); + final Node prDateOfBirth = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); new BpkBuilder(); - final Pair bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier( - identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + final Pair bpkCalc = BpkBuilder + .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); bpk = bpkCalc.getFirst(); } else { @@ -202,16 +199,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { eDocument.setDocumentNumber(eidData.getPseudonym()); // eID document information - eDocument.setDocumentType(basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, - Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); + eDocument.setDocumentType(basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, + Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); // set PlaceOfBirth if available if (eidData.getPlaceOfBirth() != null) { log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, - true)) { + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, + true)) { naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); @@ -221,9 +218,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { // set BirthName if available if (eidData.getBirthName() != null) { log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, - true)) { + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, + true)) { final AlternativeNameType alternativeName = new AlternativeNameType(); naturalPerson.setAlternativeName(alternativeName); alternativeName.setFamilyName(eidData.getBirthName()); @@ -234,12 +231,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { if (eidMode.equals("new")) { + String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue( + MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ""); + + String keyPw = pendingReq.getServiceProviderConfiguration() + .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, ""); + String vsz = szrClient.getEncryptedStammzahl(personInfo); // build Keystore - String pk64 = getPkFromKeystore(); - // setzte Keystore in config ?path? lade rein - // key pair art siehe jose utils + String pk64 = getPkFromKeystore(keyAlias, keyPw); String signedEidasBind = szrClient.getBcBind(vsz, pk64, "urn:eidgvat:eid.status.eidas"); @@ -249,8 +250,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { ObjectMapper mapper = new ObjectMapper(); String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier()); - String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload, - false, KSALIAS); + + String jwsSignature = JoseUtils + .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias); authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); @@ -264,31 +266,29 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { // write ERnB inputdata into revisionlog if (basicConfig.getBasicConfigurationBoolean( Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { - revisionsLogger.logEvent(pendingReq, - MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, - (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); - revisionsLogger.logEvent(pendingReq, - MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, + (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); } // get bPK from SZR - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { - bpk = szrClient.getBpk( - personInfo, - pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, - "no VKZ defined")).get(0); + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { + bpk = szrClient + .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), + basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) + .get(0); } else { log.debug("Calculating bPK from baseId ... "); new BpkBuilder(); - final Pair bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier( - identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + final Pair bpkCalc = BpkBuilder + .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); bpk = bpkCalc.getFirst(); } @@ -297,10 +297,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { if (eidMode.equals("new")) { authProcessData.setForeigner(true); - authProcessData.setGenericDataToSession( - PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, - EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get( - Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst()); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils + .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) + .getFirst()); authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); } else { @@ -310,11 +309,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED, - identityLink.getSamlAssertion().getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); + identityLink.getSamlAssertion() + .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); if (bpk == null) { log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + .getAreaSpecificTargetIdentifier()); throw new SzrCommunicationException("ernb.01", null); } @@ -324,20 +324,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { authProcessData.setForeigner(true); authProcessData.setIdentityLink(identityLink); - authProcessData.setGenericDataToSession( - PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, - EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get( - Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst()); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils + .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) + .getFirst()); // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession( - PvpAttributeDefinitions.BPK_NAME, - extendBpkByPrefix( - bpk, - pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession( - PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, - pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(bpk, pendingReq + .getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); // store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -355,17 +351,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - private String getPkFromKeystore() throws EaafException, KeyStoreException { + private String getPkFromKeystore(String keyAlias, String keyPw) throws EaafException, KeyStoreException { KeyStoreConfiguration configuration = new KeyStoreConfiguration(); final String current = new java.io.File(".").toURI().toString(); configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks"); - configuration.setSoftKeyStorePassword(KSPASSWORD); //TODO from config + configuration.setSoftKeyStorePassword(keyPw); //TODO from config configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS); - configuration.setFriendlyName(KSALIAS); - configuration.setKeyStoreName(KSALIAS); + configuration.setFriendlyName(keyAlias); + configuration.setKeyStoreName(keyAlias); ks = keyStoreFactory.buildNewKeyStore(configuration); - val publicKey = ks.getFirst().getCertificate(KSALIAS).getPublicKey(); + val publicKey = ks.getFirst().getCertificate(keyAlias).getPublicKey(); return Base64.getEncoder().encodeToString(publicKey.getEncoded()); } @@ -400,8 +396,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final Class parameterizedType = el.getParameterizedType(); if (DateTime.class.equals(parameterizedType)) { - final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el) - .asList()); + final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); if (attribute != null) { result.put(el.getFriendlyName(), attribute); log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + attribute.toString()); @@ -411,8 +406,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } else if (PostalAddress.class.equals(parameterizedType)) { - final PostalAddress addressAttribute = EidasResponseUtils.translateAddressAttribute(el, attributeMap - .get(el).asList()); + final PostalAddress addressAttribute = EidasResponseUtils + .translateAddressAttribute(el, attributeMap.get(el).asList()); if (addressAttribute != null) { result.put(el.getFriendlyName(), addressAttribute); log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + addressAttribute.toString()); @@ -422,8 +417,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } else { - final List natPersonIdObj = EidasResponseUtils.translateStringListAttribute(el, attributeMap - .get(el).asList()); + final List natPersonIdObj = EidasResponseUtils + .translateStringListAttribute(el, attributeMap.get(el).asList()); final String stringAttr = natPersonIdObj.get(0); if (StringUtils.isNotEmpty(stringAttr)) { result.put(el.getFriendlyName(), stringAttr); @@ -443,23 +438,19 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { private void writeMdsLogInformation(ErnbEidData eidData) { // log MDS and country code into technical log - if (basicConfig.getBasicConfigurationBoolean( - MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false)) { - log.info("eIDAS Auth. for user: " - + eidData.getGivenName() + " " - + eidData.getFamilyName() + " " - + eidData.getFormatedDateOfBirth() + " " - + "from " + eidData.getCitizenCountryCode()); + if (basicConfig + .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false)) { + log.info("eIDAS Auth. for user: " + eidData.getGivenName() + " " + eidData.getFamilyName() + " " + eidData + .getFormatedDateOfBirth() + " " + "from " + eidData.getCitizenCountryCode()); } // log MDS and country code into revision log - if (basicConfig.getBasicConfigurationBoolean( - MsEidasNodeConstants.PROP_CONFIG_REVISIONLOG_WRITE_MDS_INTO_REVISION_LOG, false)) { + if (basicConfig + .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_REVISIONLOG_WRITE_MDS_INTO_REVISION_LOG, + false)) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_MDSDATA, - "{" + eidData.getGivenName() + "," - + eidData.getFamilyName() + "," - + eidData.getFormatedDateOfBirth() + "," - + eidData.getCitizenCountryCode() + "}"); + "{" + eidData.getGivenName() + "," + eidData.getFamilyName() + "," + eidData + .getFormatedDateOfBirth() + "," + eidData.getCitizenCountryCode() + "}"); } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 031ea825..00e01a2c 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -1,5 +1,8 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE; import static org.mockito.ArgumentMatchers.any; import static org.powermock.api.mockito.PowerMockito.when; @@ -81,6 +84,9 @@ public class CreateIdentityLinkTaskEidNewTest { private TestRequestImpl pendingReq; private DummySpConfiguration oaParam; private SZR szrMock; + + private static final String PW = "f/+saJBc3a}*/T^s"; + private static final String ALIAS = "connectorkeypair"; @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -112,13 +118,17 @@ public class CreateIdentityLinkTaskEidNewTest { final Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); - spConfig.put("eidMode", "new"); + spConfig.put(PROP_CONFIG_SP_EID_MODE, "new"); + spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_PW, PW); + spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ALIAS); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); AuthenticationResponse response = buildDummyAuthResponse(); + + pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); pendingReq.setSpConfig(oaParam); pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue()); @@ -169,40 +179,20 @@ public class CreateIdentityLinkTaskEidNewTest { String test = szrMock.getStammzahlEncrypted(new PersonInfoType(), false); -// SZR szrMock2 = Mockito.mock(SZR.class, Mockito.CALLS_REAL_METHODS); when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); val signContentResp = new SignContentResponseType(); SignContentEntry signContentEntry = new SignContentEntry(); signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); signContentResp.getOut().add(signContentEntry); when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); -// when(szrMock2, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); - // Wie kann ich das vom Bean rein gehängte SZR mit dem Mock überschreiben? - task.execute(pendingReq, executionContext); -// authTask.execute(pendingReq, executionContext); } catch (Exception e) { e.printStackTrace(); Assert.fail(); } -// val spyTask = spy(task); -// Map requiredAttributes = new HashMap<>(); -// requiredAttributes.put(Constants.eIDAS_ATTR_PERSONALIDENTIFIER, "asdf"); -// requiredAttributes.put(Constants.eIDAS_ATTR_CURRENTFAMILYNAME, "asdf"); -// requiredAttributes.put(Constants.eIDAS_ATTR_CURRENTGIVENNAME, "asdf"); -// requiredAttributes.put(Constants.eIDAS_ATTR_DATEOFBIRTH, new DateTime()); -// requiredAttributes.put(Constants.eIDAS_ATTR_PLACEOFBIRTH, "adf"); -// requiredAttributes.put(Constants.eIDAS_ATTR_BIRTHNAME, "adf"); -// requiredAttributes.put(Constants.eIDAS_ATTR_CURRENTADDRESS, new PostalAddressType()); -// try { -// doReturn(requiredAttributes).when(spyTask, "convertEidasAttrToSimpleMap", (any(ImmutableMap.class))); -// spyTask.execute(pendingReq, executionContext); -// } catch (final Exception e) { -// e.printStackTrace(); -// Assert.fail(); -// } + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties index 326e14fe..33207118 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties @@ -94,6 +94,8 @@ eidas.ms.sp.0.uniqueID= eidas.ms.sp.0.pvp2.metadata.truststore= eidas.ms.sp.0.pvp2.metadata.truststore.password= eidas.ms.sp.0.eidMode=new +eidas.ms.sp.0.authblock.truststore.password=f/+saJBc3a}*/T^s +eidas.ms.sp.0.authblock.truststore.friendlyName=connectorkeypair #eidas.ms.sp.0.friendlyName= #eidas.ms.sp.0.pvp2.metadata.url= -- cgit v1.2.3 From f358f3ba6a24d5e9575b3fd63e3fbfe8848b63c4 Mon Sep 17 00:00:00 2001 From: lalber Date: Fri, 6 Nov 2020 16:28:26 +0100 Subject: some improvements --- .../builder/AuthenticationDataBuilder.java | 8 +- .../test/AuthenticationDataBuilderTest.java | 4 +- .../specific/connector/MsEidasNodeConstants.java | 18 +++-- .../eidas/v2/tasks/CreateIdentityLinkTask.java | 65 ++++++++++------- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 85 +++++++++++++--------- .../resources/config/junit_config_3.properties | 11 ++- 6 files changed, 115 insertions(+), 76 deletions(-) (limited to 'connector_lib/src') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java index 42163097..ef1a1f2b 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java @@ -56,13 +56,11 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder final IAuthProcessDataContainer authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); AuthenticationData authData = new AuthenticationData(); - String eidMode = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); - - if (eidMode.equals("new")) { + boolean isEidModeNew = pendingReq.getServiceProviderConfiguration() + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); + if (isEidModeNew) { authData = (AuthenticationData) super.buildAuthenticationData(pendingReq); - } else { try { generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java index 4ae2a34d..78d2ee1a 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java @@ -31,6 +31,8 @@ import org.springframework.web.context.request.ServletRequestAttributes; import java.util.HashMap; import java.util.Map; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; + @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration({"/applicationContext.xml", "/SpringTest_connector.beans.xml", @@ -72,7 +74,7 @@ public class AuthenticationDataBuilderTest { final Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); - spConfig.put("eidMode", "new"); + spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java index d9aac126..10ec9791 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java @@ -86,6 +86,15 @@ public class MsEidasNodeConstants { public static final String PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL = "auth.eIDAS.node_v2.loa.requested.minimum"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD = + "auth.eIDAS.authblock.keystore.password"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME = + "auth.eIDAS.authblock.keystore.friendlyName"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH = + "auth.eIDAS.authblock.keystore.path"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE = + "auth.eIDAS.authblock.keystore.type"; + public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp."; public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER; @@ -94,12 +103,9 @@ public class MsEidasNodeConstants { public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE = "pvp2.metadata.truststore"; public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD = "pvp2.metadata.truststore.password"; - public static final String PROP_CONFIG_SP_EID_MODE = - "eidMode"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_PW = - "authblock.truststore.password"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME = - "authblock.truststore.friendlyName"; + public static final String PROP_CONFIG_SP_NEW_EID_MODE = + "newEidMode"; + public static final String PROP_CONFIG_SP_POLICY_ALLOWED_TARGETS = "policy.allowed.requested.targets"; public static final String PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION = "policy.hasBaseIdTransferRestriction"; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index f060a4cf..8626c709 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -60,7 +60,6 @@ import eu.eidas.auth.commons.attribute.AttributeValue; import eu.eidas.auth.commons.light.ILightResponse; import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; import lombok.extern.slf4j.Slf4j; -import lombok.val; import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.springframework.beans.factory.annotation.Autowired; @@ -77,6 +76,7 @@ import java.io.InputStream; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.Provider; +import java.security.PublicKey; import java.util.Base64; import java.util.HashMap; import java.util.List; @@ -102,7 +102,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { EaafKeyStoreFactory keyStoreFactory; private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; - Pair ks; /* * (non-Javadoc) @@ -119,8 +118,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); final ILightResponse eidasResponse = authProcessData .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); - String eidMode = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); + boolean isNewEidMode = pendingReq.getServiceProviderConfiguration() + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); final Map simpleAttrMap = convertEidasAttrToSimpleMap( @@ -230,17 +229,31 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - if (eidMode.equals("new")) { - String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue( - MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ""); - String keyPw = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, ""); + if (isNewEidMode) { + + // read Connector wide config data TODO connector wide! + String keyStoreAlias = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME); + String keyStorePw = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE); + // get verschlüsselte Stammzahl String vsz = szrClient.getEncryptedStammzahl(personInfo); // build Keystore - String pk64 = getPkFromKeystore(keyAlias, keyPw); + Pair keystoreProvider = initKeystore(keyStoreAlias, keyStorePw, keyStorePath, + keyStoreType); + + // get pubKey + PublicKey publicKey = keystoreProvider.getFirst().getCertificate(keyStoreAlias).getPublicKey(); + + // encode pubKey base64 + String pk64 = Base64.getEncoder().encodeToString(publicKey.getEncoded()); // get eIDAS bind String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS); @@ -250,7 +263,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier()); String jwsSignature = JoseUtils - .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias); + .createSignature(keystoreProvider, keyStoreAlias, keyStorePw.toCharArray(), jwsPayload, false, + keyStoreAlias); authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); @@ -275,8 +289,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { bpk = szrClient .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, - "no VKZ defined")).get(0); + basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) + .get(0); } else { log.debug("Calculating bPK from baseId ... "); @@ -292,7 +307,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - if (eidMode.equals("new")) { + if (isNewEidMode) { authProcessData.setForeigner(true); authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) @@ -305,7 +320,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { throw new SzrCommunicationException("ernb.00", null); } - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED, + revisionsLogger.logEvent(pendingReq, + MsConnectorEventCodes.SZR_IDL_RECEIVED, identityLink.getSamlAssertion() .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); @@ -348,18 +364,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - private String getPkFromKeystore(String keyAlias, String keyPw) throws EaafException, KeyStoreException { - KeyStoreConfiguration configuration = new KeyStoreConfiguration(); + private Pair initKeystore(String keyAlias, String keyPw, String path, String type) + throws EaafException, KeyStoreException { + KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); final String current = new java.io.File(".").toURI().toString(); - configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks"); - configuration.setSoftKeyStorePassword(keyPw); //TODO from config - configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS); - configuration.setFriendlyName(keyAlias); - configuration.setKeyStoreName(keyAlias); - ks = keyStoreFactory.buildNewKeyStore(configuration); - val publicKey = ks.getFirst().getCertificate(keyAlias).getPublicKey(); - return Base64.getEncoder().encodeToString(publicKey.getEncoded()); + keyStoreConfiguration.setSoftKeyStoreFilePath(current + path); + keyStoreConfiguration.setSoftKeyStorePassword(keyPw); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(type)); + keyStoreConfiguration.setFriendlyName(keyAlias); + keyStoreConfiguration.setKeyStoreName(keyAlias); + return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); } private String extendBpkByPrefix(String bpk, String type) { diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 00e01a2c..888b7631 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -1,8 +1,8 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; import static org.powermock.api.mockito.PowerMockito.when; @@ -69,8 +69,8 @@ public class CreateIdentityLinkTaskEidNewTest { @Autowired(required = true) private CreateIdentityLinkTask task; -// @Autowired(required = true) -// private FinalizeAuthenticationTask authTask; + // @Autowired(required = true) + // private FinalizeAuthenticationTask authTask; @Autowired(required = true) private DummySpecificCommunicationService commService; @Autowired(required = true) @@ -87,7 +87,7 @@ public class CreateIdentityLinkTaskEidNewTest { private static final String PW = "f/+saJBc3a}*/T^s"; private static final String ALIAS = "connectorkeypair"; - + @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -99,8 +99,7 @@ public class CreateIdentityLinkTaskEidNewTest { @BeforeClass public static void classInitializer() throws IOException { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current - + "src/test/resources/config/junit_config_3.properties"); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties"); } @@ -118,18 +117,17 @@ public class CreateIdentityLinkTaskEidNewTest { final Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); - spConfig.put(PROP_CONFIG_SP_EID_MODE, "new"); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_PW, PW); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ALIAS); + spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); + spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD, PW); + spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME, ALIAS); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); AuthenticationResponse response = buildDummyAuthResponse(); - - - pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); + pendingReq.getSessionData(AuthProcessDataWrapper.class) + .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); pendingReq.setSpConfig(oaParam); pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue()); pendingReq.setAuthUrl("http://test.com/"); @@ -143,33 +141,48 @@ public class CreateIdentityLinkTaskEidNewTest { @NotNull private AuthenticationResponse buildDummyAuthResponse() throws URISyntaxException { - AttributeDefinition attributeDef = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) - .nameUri(new URI("ad", "sd", "ff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "af")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); - AttributeDefinition attributeDef2 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) - .nameUri(new URI("ad", "sd", "fff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "aff")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); - AttributeDefinition attributeDef3 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) - .nameUri(new URI("ad", "sd", "ffff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "afff")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); + AttributeDefinition attributeDef = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) + .nameUri(new URI("ad", "sd", "ff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "af")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + AttributeDefinition attributeDef2 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) + .nameUri(new URI("ad", "sd", "fff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "aff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + AttributeDefinition attributeDef3 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) + .nameUri(new URI("ad", "sd", "ffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "afff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_DATEOFBIRTH) - .nameUri(new URI("ad", "sd", "fffff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "affff")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller").build(); + .nameUri(new URI("ad", "sd", "fffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "affff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") + .build(); - ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + RandomStringUtils.randomNumeric(64)) - .put(attributeDef2, RandomStringUtils.randomAlphabetic(10)) - .put(attributeDef3, RandomStringUtils.randomAlphabetic(10)) - .put(attributeDef4, "2001-01-01") - .build(); + ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + RandomStringUtils + .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, + RandomStringUtils + .randomAlphabetic(10)) + .put(attributeDef4, "2001-01-01").build(); val b = new AuthenticationResponse.Builder(); - return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf") - .subjectNameIdFormat("afaf").attributes(attributeMap).build(); + return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf") + .attributes(attributeMap).build(); } @Test diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties index 33207118..79352734 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties @@ -47,6 +47,12 @@ eidas.ms.auth.eIDAS.szrclient.timeout.connection=15 eidas.ms.auth.eIDAS.szrclient.timeout.response=30 eidas.ms.auth.eIDAS.szrclient.params.vkz= +eidas.ms.auth.eIDAS.authblock.keystore.password=f/+saJBc3a}*/T^s +eidas.ms.auth.eIDAS.authblock.keystore.friendlyName=connectorkeypair +eidas.ms.auth.eIDAS.authblock.keystore.path=src/test/resources/keystore/teststore.jks +eidas.ms.auth.eIDAS.authblock.keystore.type=jks + + eidas.ms.auth.eIDAS.szrclient.params.useSZRForbPKCalculation=false @@ -93,9 +99,8 @@ eidas.ms.pvp2.metadata.validity=24 eidas.ms.sp.0.uniqueID= eidas.ms.sp.0.pvp2.metadata.truststore= eidas.ms.sp.0.pvp2.metadata.truststore.password= -eidas.ms.sp.0.eidMode=new -eidas.ms.sp.0.authblock.truststore.password=f/+saJBc3a}*/T^s -eidas.ms.sp.0.authblock.truststore.friendlyName=connectorkeypair +eidas.ms.sp.0.newEidMode=true + #eidas.ms.sp.0.friendlyName= #eidas.ms.sp.0.pvp2.metadata.url= -- cgit v1.2.3 From 57d813b9cfbbd231a2e6f9d47169b31435d1d6c0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Sat, 7 Nov 2020 18:21:49 +0100 Subject: code clean-up and first jUnit test modifications for CreateIdentityLink task --- basicConfig/default_config.properties | 9 + basicConfig/keys/teststore.jks | Bin 0 -> 2028 bytes .../connector/provider/PvpMetadataProvider.java | 7 + .../specific/connector/MsEidasNodeConstants.java | 23 +- .../eidas/v2/service/AuthBlockSigningService.java | 147 ++++++ .../eidas/v2/tasks/CreateIdentityLinkTask.java | 507 +++++++++++---------- .../src/main/resources/eidas_v2_auth.beans.xml | 3 + .../eidas/v2/test/SzrClientTestProduction.java | 2 +- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 204 ++++++--- .../resources/SpringTest-context_tasks_test.xml | 3 + .../resources/config/junit_config_1.properties | 8 + .../resources/config/junit_config_2.properties | 8 + .../resources/config/junit_config_3.properties | 4 +- pom.xml | 2 +- 14 files changed, 595 insertions(+), 332 deletions(-) create mode 100644 basicConfig/keys/teststore.jks create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java (limited to 'connector_lib/src') diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties index dda5144e..2e0aebcc 100644 --- a/basicConfig/default_config.properties +++ b/basicConfig/default_config.properties @@ -50,6 +50,15 @@ eidas.ms.auth.eIDAS.szrclient.params.vkz= eidas.ms.auth.eIDAS.szrclient.params.useSZRForbPKCalculation=false +## E-AuthBlock configuration +eidas.ms.auth.eIDAS.authblock.keystore.type=jks +eidas.ms.auth.eIDAS.authblock.keystore.path=keys/teststore.jks +eidas.ms.auth.eIDAS.authblock.keystore.password=f/+saJBc3a}*/T^s +eidas.ms.auth.eIDAS.authblock.keystore.name= +eidas.ms.auth.eIDAS.authblock.key.alias=connectorkeypair +eidas.ms.auth.eIDAS.authblock.key.password=f/+saJBc3a}*/T^s + + #Raw eIDAS Id data storage eidas.ms.auth.eIDAS.szrclient.workarounds.eidmapping.revisionlog.active=true diff --git a/basicConfig/keys/teststore.jks b/basicConfig/keys/teststore.jks new file mode 100644 index 00000000..fcc6400c Binary files /dev/null and b/basicConfig/keys/teststore.jks differ diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java index 651b7b78..8dbb74c7 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java @@ -173,4 +173,11 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { return "Service-provider chainging metadata provider"; } + + @Override + public void doDestroy() { + this.fullyDestroy(); + + } + } diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java index 10ec9791..b1ef799f 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java @@ -86,15 +86,22 @@ public class MsEidasNodeConstants { public static final String PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL = "auth.eIDAS.node_v2.loa.requested.minimum"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD = - "auth.eIDAS.authblock.keystore.password"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME = - "auth.eIDAS.authblock.keystore.friendlyName"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH = - "auth.eIDAS.authblock.keystore.path"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE = - "auth.eIDAS.authblock.keystore.type"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE = + "auth.eIDAS.authblock.keystore.type"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH = + "auth.eIDAS.authblock.keystore.path"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD = + "auth.eIDAS.authblock.keystore.password"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME = + "auth.eIDAS.authblock.keystore.name"; + public static final String PROP_CONFIG_AUTHBLOCK_KEY_ALIAS = + "auth.eIDAS.authblock.key.alias"; + public static final String PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD = + "auth.eIDAS.authblock.key.password"; + + + public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp."; public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java new file mode 100644 index 00000000..30d255b9 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java @@ -0,0 +1,147 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.service; + +import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.Provider; +import java.security.cert.X509Certificate; +import java.util.Base64; + +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.jose4j.lang.JoseException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import lombok.extern.slf4j.Slf4j; + +/** + * Service to build and sign AuthBlock's for E-ID system. + * + * @author tlenz + * + */ +@Slf4j +@Service("authBlockSigningService") +public class AuthBlockSigningService { + + private static final String KEYSTORE_FRIENDLYNAME = "AuthBlock_Signing"; + + private static ObjectMapper mapper = new ObjectMapper(); + + @Autowired + IConfiguration basicConfig; + + @Autowired + EaafKeyStoreFactory keyStoreFactory; + + + private Pair keyStore; + + /** + * Build and sign an AuthBlock for E-ID system. + * + * @param dataToSign data that should be added into AuthBlock + * @return serialized JWS + * @throws JsonProcessingException In case of a AuthBlock generation error + * @throws JoseException In case of a JWS signing error + * @throws EaafException In case of a KeyStore or Key error + */ + public String buildSignedAuthBlock(String dataToSign) + throws JsonProcessingException, EaafException, JoseException { + log.debug("Building and sign authBlock with data: {}", dataToSign); + + // build AuthBlock + String jwsPayload = mapper.writeValueAsString(dataToSign); + + //sign JWS + return JoseUtils + .createSignature(keyStore, getKeyAlias(), getKeyPassword(), jwsPayload, false, + KEYSTORE_FRIENDLYNAME); + } + + + /** + * Get the Base64 encoded PublicKey that is used to sign the AuthBlock. + * + * @return Base64 encoded PublicKey + * @throws EaafKeyAccessException In case of an unknown or invalid key + */ + public String getBase64EncodedPublicKey() throws EaafKeyAccessException { + Pair keyPair = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME); + return Base64.getEncoder().encodeToString(keyPair.getSecond()[0].getPublicKey().getEncoded()); + + } + + @PostConstruct + private void initialize() throws KeyStoreException, EaafException { + log.debug("Initializing AuthBlock signing service ... "); + // read Connector wide config data TODO connector wide! + String keyStoreName = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); + String keyStorePw = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE); + + + //build new KeyStore configuration + KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); + keyStoreConfiguration.setFriendlyName(KEYSTORE_FRIENDLYNAME); + + keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath); + keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType)); + keyStoreConfiguration.setKeyStoreName(keyStoreName); + + //validate KeyStore configuration + keyStoreConfiguration.validate(); + + //validate key alias + if (StringUtils.isEmpty(getKeyAlias())) { + throw new EaafConfigurationException("config.08", + new Object[] {MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS}); + + } + + //build new KeyStore based on configuration + keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); + + log.info("AuthBlock signing-service successful initialized"); + + } + + private char[] getKeyPassword() { + final String value = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD); + if (value != null) { + return value.trim().toCharArray(); + } + + return null; + + } + + + private String getKeyAlias() { + return basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS); + + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 8626c709..1ffd56e4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -23,16 +23,37 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; +import java.io.IOException; +import java.io.InputStream; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.ParserConfigurationException; + +import org.apache.commons.lang3.StringUtils; +import org.joda.time.DateTime; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; +import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.xml.sax.SAXException; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType; import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; @@ -43,8 +64,6 @@ import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder; import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; @@ -52,36 +71,16 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.ImmutableSet; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeValue; import eu.eidas.auth.commons.light.ILightResponse; import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; +import lombok.Data; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; -import org.w3c.dom.Element; -import org.w3c.dom.Node; import szrservices.IdentityLinkType; import szrservices.PersonInfoType; import szrservices.TravelDocumentType; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.InputStream; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.Provider; -import java.security.PublicKey; -import java.util.Base64; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - /** * Task that creates the IdentityLink for an eIDAS authenticated person. * @@ -97,12 +96,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { private SzrClient szrClient; @Autowired private ICcSpecificEidProcessingService eidPostProcessor; - + @Autowired - EaafKeyStoreFactory keyStoreFactory; + private AuthBlockSigningService authBlockSigner; private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; - + /* * (non-Javadoc) * @@ -118,164 +117,57 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); final ILightResponse eidasResponse = authProcessData .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); - boolean isNewEidMode = pendingReq.getServiceProviderConfiguration() - .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); - final Map simpleAttrMap = convertEidasAttrToSimpleMap( eidasResponse.getAttributes().getAttributeMap()); - IIdentityLink identityLink = null; - String bpk = null; - // post-process eIDAS attributes final ErnbEidData eidData = eidPostProcessor.postProcess(simpleAttrMap); // write MDS into technical log and revision log writeMdsLogInformation(eidData); - // connect SZR-Gateway + //build IdentityLink or VSZ and eidasBind if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { - log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); - // create fake IdL - // - fetch IdL template from resources - final InputStream s = CreateIdentityLinkTask.class - .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml"); - final Element idlTemplate = DomUtils.parseXmlValidating(s); - - identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink(); - - // replace data - final Element idlassertion = identityLink.getSamlAssertion(); - - // - set fake baseID; - final Node prIdentification = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym()); - - // - set last name - final Node prFamilyName = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH); - prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName()); - - // - set first name - final Node prGivenName = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); - prGivenName.getFirstChild().setNodeValue(eidData.getGivenName()); - - // - set date of birth - final Node prDateOfBirth = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); - - prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); - - identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); - - new BpkBuilder(); - final Pair bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - bpk = bpkCalc.getFirst(); - + SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData); + //inject personal-data into session + authProcessData.setIdentityLink(idlResult.getIdentityLink()); + + // set bPK and bPKType into auth session + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } else { - // contact SZR Gateway - log.debug("Starting connecting SZR Gateway"); - final PersonInfoType personInfo = new PersonInfoType(); - final PersonNameType personName = new PersonNameType(); - final PhysicalPersonType naturalPerson = new PhysicalPersonType(); - final TravelDocumentType eDocument = new TravelDocumentType(); - - naturalPerson.setName(personName); - personInfo.setPerson(naturalPerson); - personInfo.setTravelDocument(eDocument); - - // person information - personName.setFamilyName(eidData.getFamilyName()); - personName.setGivenName(eidData.getGivenName()); - naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth()); - eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); - eDocument.setDocumentNumber(eidData.getPseudonym()); - - // eID document information - eDocument.setDocumentType(basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, - Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); - - // set PlaceOfBirth if available - if (eidData.getPlaceOfBirth() != null) { - log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, - true)) { - naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); - log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); - - } - } - - // set BirthName if available - if (eidData.getBirthName() != null) { - log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, - true)) { - final AlternativeNameType alternativeName = new AlternativeNameType(); - naturalPerson.setAlternativeName(alternativeName); - alternativeName.setFamilyName(eidData.getBirthName()); - log.trace("Adding 'BirthName' to ERnB request ... "); - - } - } - - if (isNewEidMode) { - - // read Connector wide config data TODO connector wide! - String keyStoreAlias = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME); - String keyStorePw = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD); - String keyStorePath = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH); - String keyStoreType = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE); - - - // get verschlüsselte Stammzahl + //build SZR request from eIDAS data + final PersonInfoType personInfo = generateSzrRequest(eidData); + + //request SZR based on IDL or E-ID mode + if (pendingReq.getServiceProviderConfiguration() + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) { + + // get encrypted baseId String vsz = szrClient.getEncryptedStammzahl(personInfo); - - // build Keystore - Pair keystoreProvider = initKeystore(keyStoreAlias, keyStorePw, keyStorePath, - keyStoreType); - - // get pubKey - PublicKey publicKey = keystoreProvider.getFirst().getCertificate(keyStoreAlias).getPublicKey(); - - // encode pubKey base64 - String pk64 = Base64.getEncoder().encodeToString(publicKey.getEncoded()); - + // get eIDAS bind - String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS); - - // build AuthBlock (JWS) - ObjectMapper mapper = new ObjectMapper(); - String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier()); - - String jwsSignature = JoseUtils - .createSignature(keystoreProvider, keyStoreAlias, keyStorePw.toCharArray(), jwsPayload, false, - keyStoreAlias); - + String signedEidasBind = szrClient.getBcBind(vsz, + authBlockSigner.getBase64EncodedPublicKey(), + EID_STATUS); + + //get signed AuthBlock + String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier()); + + //inject personal-data into session authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + } else { - - final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo); - - final Element idlFromSzr = (Element) result.getAssertion(); - identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); - - // write ERnB inputdata into revisionlog + //request SZR + SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); + + // write ERnB input-data into revision-log if (basicConfig.getBasicConfigurationBoolean( Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, @@ -283,100 +175,158 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); } - - // get bPK from SZR - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { - bpk = szrClient - .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) - .get(0); - - } else { - log.debug("Calculating bPK from baseId ... "); - new BpkBuilder(); - final Pair bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - bpk = bpkCalc.getFirst(); - - } + + //check result-data and write revision-log based on current state + checkStateAndWriteRevisionLog(idlResult); + + + //inject personal-data into session + authProcessData.setIdentityLink(idlResult.getIdentityLink()); + + // set bPK and bPKType into auth session + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } } + + //add generic info's into session + authProcessData.setForeigner(true); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils + .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) + .getFirst()); + authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + + // store pending-request + requestStoreage.storePendingRequest(pendingReq); + + + } catch (final EidasAttributeException e) { + throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); - if (isNewEidMode) { - authProcessData.setForeigner(true); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils - .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) - .getFirst()); - authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + } catch (final EaafException e) { + throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); - } else { - if (identityLink == null) { - log.error("ERnB did not return an identity link."); - throw new SzrCommunicationException("ernb.00", null); + } catch (final Exception e) { + log.error("IdentityLink generation for foreign person FAILED.", e); + throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); - } - revisionsLogger.logEvent(pendingReq, - MsConnectorEventCodes.SZR_IDL_RECEIVED, - identityLink.getSamlAssertion() - .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); + } + } - if (bpk == null) { - log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - throw new SzrCommunicationException("ernb.01", null); + private PersonInfoType generateSzrRequest(ErnbEidData eidData) { + log.debug("Starting connecting SZR Gateway"); + final PersonInfoType personInfo = new PersonInfoType(); + final PersonNameType personName = new PersonNameType(); + final PhysicalPersonType naturalPerson = new PhysicalPersonType(); + final TravelDocumentType eDocument = new TravelDocumentType(); + + naturalPerson.setName(personName); + personInfo.setPerson(naturalPerson); + personInfo.setTravelDocument(eDocument); + + // person information + personName.setFamilyName(eidData.getFamilyName()); + personName.setGivenName(eidData.getGivenName()); + naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth()); + eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); + eDocument.setDocumentNumber(eidData.getPseudonym()); + + // eID document information + eDocument.setDocumentType(basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, + Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); + + // set PlaceOfBirth if available + if (eidData.getPlaceOfBirth() != null) { + log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, + true)) { + naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); + log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); - } - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED); + } + } - log.debug("ERnB communication was successfull"); + // set BirthName if available + if (eidData.getBirthName() != null) { + log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, + true)) { + final AlternativeNameType alternativeName = new AlternativeNameType(); + naturalPerson.setAlternativeName(alternativeName); + alternativeName.setFamilyName(eidData.getBirthName()); + log.trace("Adding 'BirthName' to ERnB request ... "); - authProcessData.setForeigner(true); - authProcessData.setIdentityLink(identityLink); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils - .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) - .getFirst()); + } + } + + return personInfo; + + } - // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(bpk, pendingReq - .getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + private SzrResultHolder requestSzrForIdentityLink(PersonInfoType personInfo) + throws SzrCommunicationException, EaafException { + //request IdentityLink from SZR + final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo); + + final Element idlFromSzr = (Element) result.getAssertion(); + IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); + + // get bPK from SZR + String bpk; + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { + bpk = szrClient + .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), + basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) + .get(0); + + } else { + log.debug("Calculating bPK from baseId ... "); + new BpkBuilder(); + final Pair bpkCalc = BpkBuilder + .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), pendingReq.getServiceProviderConfiguration() .getAreaSpecificTargetIdentifier()); + bpk = bpkCalc.getFirst(); - // store pending-request - requestStoreage.storePendingRequest(pendingReq); - } - } catch (final EidasAttributeException e) { - throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); + } + + return new SzrResultHolder(identityLink, bpk); + + } + + private void checkStateAndWriteRevisionLog(SzrResultHolder idlResult) throws SzrCommunicationException { + // write some infos into revision log + if (idlResult.getIdentityLink() == null) { + log.error("ERnB did not return an identity link."); + throw new SzrCommunicationException("ernb.00", null); - } catch (final EaafException e) { - throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); + } + revisionsLogger.logEvent(pendingReq, + MsConnectorEventCodes.SZR_IDL_RECEIVED, + idlResult.getIdentityLink().getSamlAssertion() + .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); - } catch (final Exception e) { - log.error("IdentityLink generation for foreign person FAILED.", e); - throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); + if (idlResult.getBpK() == null) { + log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + throw new SzrCommunicationException("ernb.01", null); } + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED); + log.debug("ERnB communication was successfull"); + } - - private Pair initKeystore(String keyAlias, String keyPw, String path, String type) - throws EaafException, KeyStoreException { - KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); - - final String current = new java.io.File(".").toURI().toString(); - keyStoreConfiguration.setSoftKeyStoreFilePath(current + path); - keyStoreConfiguration.setSoftKeyStorePassword(keyPw); - keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(type)); - keyStoreConfiguration.setFriendlyName(keyAlias); - keyStoreConfiguration.setKeyStoreName(keyAlias); - return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); - } - + private String extendBpkByPrefix(String bpk, String type) { String bpkType = null; @@ -406,7 +356,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { for (final AttributeDefinition el : attributeMap.keySet()) { - final Class parameterizedType = el.getParameterizedType(); + final Class parameterizedType = el.getParameterizedType(); if (DateTime.class.equals(parameterizedType)) { final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); if (attribute != null) { @@ -466,5 +416,72 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } + + @Data + private static class SzrResultHolder { + final IIdentityLink identityLink; + final String bpK; + + } + + /** + * Build a dummy IdentityLink and a dummy bPK based on eIDAS information. + * + *

+ * FOR LOCAL TESTING ONLY!!! + * + * @param eidData Information from eIDAS response + * @return IdentityLink and bPK + * @throws ParserConfigurationException In case of an IDL processing error + * @throws SAXException In case of an IDL processing error + * @throws IOException In case of an IDL processing error + * @throws EaafException In case of a bPK generation error + */ + private SzrResultHolder createDummyIdentityLinkForTestDeployment(ErnbEidData eidData) + throws ParserConfigurationException, SAXException, IOException, EaafException { + log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); + // create fake IdL + // - fetch IdL template from resources + final InputStream s = CreateIdentityLinkTask.class + .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml"); + final Element idlTemplate = DomUtils.parseXmlValidating(s); + + IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink(); + + // replace data + final Element idlassertion = identityLink.getSamlAssertion(); + + // - set fake baseID; + final Node prIdentification = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym()); + + // - set last name + final Node prFamilyName = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH); + prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName()); + + // - set first name + final Node prGivenName = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); + prGivenName.getFirstChild().setNodeValue(eidData.getGivenName()); + + // - set date of birth + final Node prDateOfBirth = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); + + prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); + + identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); + + new BpkBuilder(); + final Pair bpkCalc = BpkBuilder + .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + return new SzrResultHolder(identityLink, bpkCalc.getFirst()); + + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml index fbb48229..6cc704ab 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml @@ -58,6 +58,9 @@ + + diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java index a30ea2a0..2f573f53 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java @@ -59,7 +59,7 @@ import szrservices.PersonInfoType; import szrservices.SZRException_Exception; import szrservices.TravelDocumentType; -//@Ignore +@Ignore @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/SpringTest-context_basic_test.xml") public class SzrClientTestProduction { diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 888b7631..f67b4d93 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -1,7 +1,5 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD; import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; import static org.powermock.api.mockito.PowerMockito.when; @@ -9,13 +7,22 @@ import static org.powermock.api.mockito.PowerMockito.when; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; +import java.security.KeyStore; +import java.security.Provider; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; import javax.xml.namespace.QName; import org.apache.commons.lang3.RandomStringUtils; import org.jetbrains.annotations.NotNull; +import org.jose4j.jwa.AlgorithmConstraints; +import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; +import org.jose4j.jws.AlgorithmIdentifiers; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; @@ -38,12 +45,18 @@ import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummySpecificCommunicationService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils.JwsResult; import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; @@ -53,7 +66,6 @@ import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.attribute.PersonType; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import lombok.val; -import szrservices.PersonInfoType; import szrservices.SZR; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -66,17 +78,16 @@ import szrservices.SignContentResponseType; @ContextConfiguration("/SpringTest-context_tasks_test.xml") public class CreateIdentityLinkTaskEidNewTest { - @Autowired(required = true) private CreateIdentityLinkTask task; - // @Autowired(required = true) - // private FinalizeAuthenticationTask authTask; - @Autowired(required = true) - private DummySpecificCommunicationService commService; + @Autowired(required = true) private IConfiguration basicConfig; @Autowired protected EidasAttributeRegistry attrRegistry; + + @Autowired + EaafKeyStoreFactory keyStoreFactory; final ExecutionContext executionContext = new ExecutionContextImpl(); private MockHttpServletRequest httpReq; @@ -88,6 +99,13 @@ public class CreateIdentityLinkTaskEidNewTest { private static final String PW = "f/+saJBc3a}*/T^s"; private static final String ALIAS = "connectorkeypair"; + private static final List BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList( + Arrays.asList( + AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256, + AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512, + AlgorithmIdentifiers.RSA_PSS_USING_SHA256, + AlgorithmIdentifiers.RSA_PSS_USING_SHA512)); + @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -99,7 +117,8 @@ public class CreateIdentityLinkTaskEidNewTest { @BeforeClass public static void classInitializer() throws IOException { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties"); + System.setProperty("eidas.ms.configuration", current + + "src/test/resources/config/junit_config_3.properties"); } @@ -118,16 +137,13 @@ public class CreateIdentityLinkTaskEidNewTest { spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD, PW); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME, ALIAS); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); - AuthenticationResponse response = buildDummyAuthResponse(); - + final AuthenticationResponse response = buildDummyAuthResponse(); pendingReq.getSessionData(AuthProcessDataWrapper.class) - .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); + .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); pendingReq.setSpConfig(oaParam); pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue()); pendingReq.setAuthUrl("http://test.com/"); @@ -141,73 +157,109 @@ public class CreateIdentityLinkTaskEidNewTest { @NotNull private AuthenticationResponse buildDummyAuthResponse() throws URISyntaxException { - AttributeDefinition attributeDef = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) - .nameUri(new URI("ad", "sd", "ff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "af")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - AttributeDefinition attributeDef2 = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) - .nameUri(new URI("ad", "sd", "fff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "aff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - AttributeDefinition attributeDef3 = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) - .nameUri(new URI("ad", "sd", "ffff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "afff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_DATEOFBIRTH) - .nameUri(new URI("ad", "sd", "fffff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "affff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") - .build(); - - ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + RandomStringUtils - .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, - RandomStringUtils - .randomAlphabetic(10)) - .put(attributeDef4, "2001-01-01").build(); - + final AttributeDefinition attributeDef = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) + .nameUri(new URI("ad", "sd", "ff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "af")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + final AttributeDefinition attributeDef2 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) + .nameUri(new URI("ad", "sd", "fff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "aff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + final AttributeDefinition attributeDef3 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) + .nameUri(new URI("ad", "sd", "ffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "afff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + final AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName( + Constants.eIDAS_ATTR_DATEOFBIRTH) + .nameUri(new URI("ad", "sd", "fffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "affff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") + .build(); + + final ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + + RandomStringUtils + .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, + RandomStringUtils + .randomAlphabetic(10)) + .put(attributeDef4, "2001-01-01").build(); val b = new AuthenticationResponse.Builder(); - return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf") - .attributes(attributeMap).build(); + return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf") + .subjectNameIdFormat("afaf") + .attributes(attributeMap).build(); } @Test - public void fullTest() { - // keystore password f/+saJBc3a}*/T^s - try { - - String test = szrMock.getStammzahlEncrypted(new PersonInfoType(), false); - - when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); - val signContentResp = new SignContentResponseType(); - SignContentEntry signContentEntry = new SignContentEntry(); - signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); - signContentResp.getOut().add(signContentEntry); - when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); - task.execute(pendingReq, executionContext); - - } catch (Exception e) { - e.printStackTrace(); - Assert.fail(); - } - + public void successfulProcess() throws Exception { + //initialize test + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); + val signContentResp = new SignContentResponseType(); + final SignContentEntry signContentEntry = new SignContentEntry(); + signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); + signContentResp.getOut().add(signContentEntry); + when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); + + //perform test + task.execute(pendingReq, executionContext); + + //validate state + final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + Assert.assertNotNull("AuthProcessData", authProcessData); + Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class)); + + String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class); + Assert.assertNotNull("AuthBlock", authBlock); + + //check authblock signature + final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT, + BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING + .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()])); + Pair keyStore = getKeyStore(); + X509Certificate[] trustedCerts = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); + JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts) , constraints); + Assert.assertTrue("AuthBlock not valid", result.isValid()); + + } + private Pair getKeyStore() throws EaafException { + // read Connector wide config data TODO connector wide! + String keyStoreName = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); + String keyStorePw = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE); + + + //build new KeyStore configuration + KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); + keyStoreConfiguration.setFriendlyName("jUnit test"); + + keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath); + keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType)); + keyStoreConfiguration.setKeyStoreName(keyStoreName); + + //build new KeyStore based on configuration + return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); + } } - - diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml index dd116bd3..7d5a4c53 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml @@ -45,6 +45,9 @@ ref="specificConnectorAdditionalAttributesFileWithPath" /> + + 0.3 0.4 - 1.1.8 + 1.1.10-SNAPSHOT 5.2.9.RELEASE 3.0.11.RELEASE 3.4.0 -- cgit v1.2.3