From a5d2e6d6fa2c75ae8211c818537524e8c54c3129 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 11 Jan 2021 15:15:03 +0100 Subject: fix some minor incompatibilities between AuthHandler and MS-Connector in E-ID mode --- .../specific/modules/auth/eidas/v2/Constants.java | 2 + .../modules/auth/eidas/v2/szr/SzrClient.java | 56 ++++++++++++++-------- .../eidas/v2/tasks/CreateIdentityLinkTask.java | 2 +- 3 files changed, 40 insertions(+), 20 deletions(-) (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus') diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index ba3c46fe..cdc17654 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java @@ -76,6 +76,8 @@ public class Constants { + ".debug.logfullmessages"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY = CONIG_PROPS_EIDAS_SZRCLIENT + ".debug.useDummySolution"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SET_MDS_TO_EIDASBIND = CONIG_PROPS_EIDAS_SZRCLIENT + + ".eidasbind.mds.inject"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION = CONIG_PROPS_EIDAS_SZRCLIENT + ".timeout.connection"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE = CONIG_PROPS_EIDAS_SZRCLIENT diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 0b8de8a7..1f5837d6 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -78,8 +78,10 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; @@ -113,7 +115,8 @@ public class SzrClient { private static final String KEY_BC_BIND = "bcBindReq"; private static final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype"; private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind"; - + public static final String ATTR_NAME_MDS = "urn:eidgvat:mds"; + @Autowired private IConfiguration basicConfig; @@ -244,36 +247,38 @@ public class SzrClient { } - /** * Sign an eidasBind data-structure that combines vsz with user's pubKey and E-ID status. * * @param vsz encryped baseId * @param bindingPubKey binding PublikKey as PKCS1# (ASN.1) container * @param eidStatus Status of the E-ID + * @param eidData eID information that was used for ERnP registration * @return bPK for this person * @throws SzrCommunicationException In case of a SZR error */ - public String getEidsaBind(final String vsz, final String bindingPubKey, final String eidStatus) - throws SzrCommunicationException { - - final Map bcBindMap = new HashMap<>(); - bcBindMap.put(ATTR_NAME_VSZ, vsz); - bcBindMap.put(ATTR_NAME_STATUS, eidStatus); - bcBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey)); - + public String getEidsaBind(final String vsz, final String bindingPubKey, final String eidStatus, + ErnbEidData eidData)throws SzrCommunicationException { + + final Map eidsaBindMap = new HashMap<>(); + eidsaBindMap.put(ATTR_NAME_VSZ, vsz); + eidsaBindMap.put(ATTR_NAME_STATUS, eidStatus); + eidsaBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey)); + eidsaBindMap.put(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, eidData.getCitizenCountryCode()); + injectMdsIfAvailableAndActive(eidsaBindMap, eidData); + try { - final String serializedBcBind = mapper.writeValueAsString(bcBindMap); + final String serializedEidasBind = mapper.writeValueAsString(eidsaBindMap); final SignContent req = new SignContent(); - final SignContentEntry bcBindInfo = new SignContentEntry(); - bcBindInfo.setKey(KEY_BC_BIND); - bcBindInfo.setValue(serializedBcBind); - req.getIn().add(bcBindInfo); + final SignContentEntry eidasBindInfo = new SignContentEntry(); + eidasBindInfo.setKey(KEY_BC_BIND); + eidasBindInfo.setValue(serializedEidasBind); + req.getIn().add(eidasBindInfo); req.setAppendCert(false); - final JwsHeaderParam bcBindJoseHeader = new JwsHeaderParam(); - bcBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE); - bcBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND); - req.getJWSHeaderParam().add(bcBindJoseHeader); + final JwsHeaderParam eidasBindJoseHeader = new JwsHeaderParam(); + eidasBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE); + eidasBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND); + req.getJWSHeaderParam().add(eidasBindJoseHeader); log.trace("Requesting SZR to sign bcBind datastructure ... "); final SignContentResponseType resp = szr.signContent(req.isAppendCert(), req.getJWSHeaderParam(), req.getIn()); @@ -488,6 +493,19 @@ public class SzrClient { } + private void injectMdsIfAvailableAndActive(Map eidsaBindMap, ErnbEidData eidData) { + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SET_MDS_TO_EIDASBIND, false)) { + log.info("Injecting MDS into eidasBind ... "); + final Map mds = new HashMap<>(); + mds.put(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, eidData.getFamilyName()); + mds.put(PvpAttributeDefinitions.GIVEN_NAME_NAME, eidData.getGivenName()); + mds.put(PvpAttributeDefinitions.BIRTHDATE_NAME, eidData.getFormatedDateOfBirth()); + eidsaBindMap.put(ATTR_NAME_MDS, mds); + + } + } + private byte[] sourceToByteArray(Source result) throws TransformerException { final TransformerFactory factory = TransformerFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 4ace8cf0..b519354c 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -159,7 +159,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { // get eIDAS bind String signedEidasBind = szrClient.getEidsaBind(vsz, authBlockSigner.getBase64EncodedPublicKey(), - EID_STATUS); + EID_STATUS, eidData); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_EIDASBIND_RECEIVED); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); -- cgit v1.2.3