From f696b4085fd10b3b9d627437f439b222903e13e1 Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Tue, 20 Oct 2020 07:47:44 +0200
Subject: stuck on how to test

---
 .../modules/auth/eidas/v2/szr/SzrClient.java       | 119 ++++++--
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     | 141 ++++++----
 .../modules/auth/eidas/v2/utils/JoseUtils.java     | 305 +++++++++++++++++++++
 3 files changed, 492 insertions(+), 73 deletions(-)
 create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/JoseUtils.java

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index 763d8dab..5a551649 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -33,9 +33,7 @@ import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import javax.annotation.PostConstruct;
 import javax.net.ssl.KeyManager;
@@ -56,7 +54,10 @@ import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Dispatch;
 import javax.xml.ws.handler.Handler;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.time.StopWatch;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.frontend.ClientProxy;
@@ -79,15 +80,7 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
 import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
 import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
-import szrservices.GetBPK;
-import szrservices.GetBPKResponse;
-import szrservices.GetIdentityLinkEidas;
-import szrservices.GetIdentityLinkEidasResponse;
-import szrservices.IdentityLinkType;
-import szrservices.ObjectFactory;
-import szrservices.PersonInfoType;
-import szrservices.SZR;
-import szrservices.SZRException_Exception;
+import szrservices.*;
 
 @Service("SZRClientForeIDAS")
 public class SzrClient {
@@ -109,9 +102,11 @@ public class SzrClient {
   private String szrUrl = null;
   private QName qname = null;
 
+  final ObjectMapper mapper = new ObjectMapper();
+
   /**
    * Get IdentityLink of a person.
-   * 
+   *
    * @param personInfo Person identification information
    * @return IdentityLink
    * @throws SzrCommunicationException In case of a SZR error
@@ -165,7 +160,7 @@ public class SzrClient {
 
     } catch (final Exception e) {
       log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e);
-      throw new SzrCommunicationException("ernb.02", new Object[] { e.getMessage() }, e);
+      throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
 
     }
 
@@ -173,19 +168,19 @@ public class SzrClient {
 
   /**
    * Get bPK of person.
-   * 
+   *
    * @param personInfo Person identification information
-   * @param target requested bPK target
-   * @param vkz Verfahrenskennzeichen
+   * @param target     requested bPK target
+   * @param vkz        Verfahrenskennzeichen
    * @return bPK for this person
    * @throws SzrCommunicationException In case of a SZR error
    */
-  public String getBpk(PersonInfoType personInfo, String target, String vkz)
+  public List<String> getBpk(PersonInfoType personInfo, String target, String vkz)
       throws SzrCommunicationException {
     try {
       final GetBPK parameters = new GetBPK();
       parameters.setPersonInfo(personInfo);
-      parameters.setBereichsKennung(target);
+      parameters.getBereichsKennung().add(target);
       parameters.setVKZ(vkz);
       final GetBPKResponse result = this.szr.getBPK(parameters);
 
@@ -193,16 +188,98 @@ public class SzrClient {
 
     } catch (final SZRException_Exception e) {
       log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e);
-      throw new SzrCommunicationException("ernb.02", new Object[] { e.getMessage() }, e);
+      throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
 
     }
 
   }
 
+  /**
+   * Request a encryped baseId from SRZ.
+   *
+   * @param personInfo Minimum dataset of person
+   * @return encrypted baseId
+   * @throws SzrCommunicationException    In case of a SZR error
+   */
+  public String getEncryptedStammzahl(final PersonInfoType personInfo)
+      throws SzrCommunicationException {
+
+    final String resp;
+    try {
+      resp = this.szr.getStammzahlEncrypted(personInfo, false);
+    } catch (SZRException_Exception e) {
+      throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
+    }
+
+    if (resp == null || StringUtils.isEmpty(resp)) {
+      throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling
+    }
+
+    return resp;
+
+  }
+
+
+  /**
+   * Signs content.
+   *
+   * @param vsz ? TODO
+   * @param bindingPubKey  binding PublikKey as PKCS1# (ASN.1) container
+   * @param eidStatus Status of the E-ID
+   * @return bPK for this person
+   * @throws SzrCommunicationException In case of a SZR error
+   */
+  public String getBcBind(final String vsz, final String bindingPubKey, final String eidStatus)
+      throws SzrCommunicationException {
+
+    final String ATTR_NAME_VSZ = "urn:eidgvat:attributes.vsz.value";
+    final String ATTR_NAME_PUBKEYS = "urn:eidgvat:attributes.user.pubkeys";
+    final String ATTR_NAME_STATUS = "urn:eidgvat:attributes.eid.status";
+    final String KEY_BC_BIND = "bcBindReq";
+    final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype";
+    final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind";
+
+    final Map<String, Object> bcBindMap = new HashMap<>();
+    bcBindMap.put(ATTR_NAME_VSZ, vsz);
+    bcBindMap.put(ATTR_NAME_STATUS, eidStatus);
+    bcBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey));
+
+    try {
+      final String serializedBcBind = mapper.writeValueAsString(bcBindMap);
+      final SignContent req = new SignContent();
+      final SignContentEntry bcBindInfo = new SignContentEntry();
+      bcBindInfo.setKey(KEY_BC_BIND);
+      bcBindInfo.setValue(serializedBcBind);
+      req.getIn().add(bcBindInfo);
+      req.setAppendCert(false);
+      final JwsHeaderParam bcBindJoseHeader = new JwsHeaderParam();
+      bcBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE);
+      bcBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND);
+      req.getJWSHeaderParam().add(bcBindJoseHeader);
+
+      log.trace("Requesting SZR to sign bcBind datastructure ... ");
+      final SignContentResponseType resp = szr.signContent(req.isAppendCert(), req.getJWSHeaderParam(), req.getIn());
+      log.trace("Receive SZR response on bcBind siging operation ");
+
+      if (resp == null
+          || resp.getOut().isEmpty()
+          || resp.getOut().get(0).getValue() == null) {
+        throw new SzrCommunicationException("ernb.01", new Object[]{"BcBind response empty"}); //TODO check error handling
+      }
+
+      return resp.getOut().get(0).getValue();
+
+    } catch (final JsonProcessingException | SZRException_Exception e) {
+      log.warn("Requesting bcBind by using SZR FAILED. Reason: {}", e.getMessage(), null, e);
+      throw new SzrCommunicationException("ernb.02",
+          new Object[]{e.getMessage()}, e);
+    }
+  }
+
   @PostConstruct
   private void initialize() {
     log.info("Starting SZR-Client initialization .... ");
-    final URL url = SzrClient.class.getResource("/szr_client/SZR-1.1.WSDL");
+    final URL url = SzrClient.class.getResource("/szr_client/SZR_v4.0.wsdl");
 
     final boolean useTestSzr = basicConfig.getBasicConfigurationBoolean(
         Constants.CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE,
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 88c3515b..e4a22cbc 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -19,28 +19,10 @@
  * file for details on the various modules and licenses.
  * The "NOTICE" text file is part of the distribution. Any derivative works
  * that you distribute must include a readable copy of the "NOTICE" text file.
-*/
+ */
 
 package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks;
 
-import java.io.InputStream;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.lang3.StringUtils;
-import org.joda.time.DateTime;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
-
 import at.asitplus.eidas.specific.connector.MsConnectorEventCodes;
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
@@ -60,6 +42,8 @@ import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
 import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
@@ -67,20 +51,38 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser
 import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
 import at.gv.egiz.eaaf.core.impl.utils.XPathUtils;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import eu.eidas.auth.commons.attribute.AttributeDefinition;
 import eu.eidas.auth.commons.attribute.AttributeValue;
 import eu.eidas.auth.commons.light.ILightResponse;
 import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress;
 import lombok.extern.slf4j.Slf4j;
+import lombok.val;
+import org.apache.commons.lang3.StringUtils;
+import org.joda.time.DateTime;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 import szrservices.IdentityLinkType;
 import szrservices.PersonInfoType;
 import szrservices.TravelDocumentType;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.InputStream;
+import java.security.KeyStoreException;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
 /**
  * Task that creates the IdentityLink for an eIDAS authenticated person.
- * 
- * @author tlenz
  *
+ * @author tlenz
  */
 @Slf4j
 @Component("CreateIdentityLinkTask")
@@ -95,7 +97,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
   /*
    * (non-Javadoc)
-   * 
+   *
    * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.
    * egovernment.moa.id.process.api.ExecutionContext,
    * javax.servlet.http.HttpServletRequest,
@@ -103,7 +105,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
    */
   @Override
   public void execute(ExecutionContext executionContext,
-      HttpServletRequest request, HttpServletResponse response)
+                      HttpServletRequest request, HttpServletResponse response)
       throws TaskExecutionException {
     try {
       final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
@@ -217,43 +219,64 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           }
         }
 
-        final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo);
+        String eidMode = pendingReq.getServiceProviderConfiguration().getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old");
+        if (eidMode.equals("new")) {
 
-        final Element idlFromSzr = (Element) result.getAssertion();
-        identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink();
+          String vsz = szrClient.getEncryptedStammzahl(personInfo);
 
-        // write ERnB inputdata into revisionlog
-        if (basicConfig.getBasicConfigurationBoolean(
-            Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) {
-          revisionsLogger.logEvent(pendingReq,
-              MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID,
-              (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
-          revisionsLogger.logEvent(pendingReq,
-              MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym());
+          // build Keystore
+          String pK64 = getPkFromKeystore();
+          // setzte Keystore in config ?path? lade rein
+          // key pair art siehe jose utils
 
-        }
 
-        // get bPK from SZR
-        if (basicConfig.getBasicConfigurationBoolean(
-            Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
-          bpk = szrClient.getBpk(
-              personInfo,
-              pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
-              basicConfig.getBasicConfiguration(
-                  Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ,
-                  "no VKZ defined"));
+          String signedEidasBind = szrClient.getBcBind(vsz, pK64, "urn:eidgvat:eid.status.eidas"); //eidstatus TODO as config?
+
+          //build AuthBlock JWS
+          ObjectMapper mapper = new ObjectMapper();
+          String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
+
+//          JoseUtils.createSignature(new Pair<>(ks, ks.getProvider()), "connectorkeypair", passord.chararray(), jwsPayload, false, ); //TODO joseutils kopiern
 
         } else {
-          log.debug("Calculating bPK from baseId ... ");
-          new BpkBuilder();
-          final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(
-              identityLink.getIdentificationValue(),
-              identityLink.getIdentificationType(),
-              pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
-          bpk = bpkCalc.getFirst();
 
-        }
+          final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo);
 
+          final Element idlFromSzr = (Element) result.getAssertion();
+          identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink();
+
+          // write ERnB inputdata into revisionlog
+          if (basicConfig.getBasicConfigurationBoolean(
+              Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) {
+            revisionsLogger.logEvent(pendingReq,
+                MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID,
+                (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
+            revisionsLogger.logEvent(pendingReq,
+                MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym());
+
+          }
+
+          // get bPK from SZR
+          if (basicConfig.getBasicConfigurationBoolean(
+              Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
+            bpk = szrClient.getBpk(
+                personInfo,
+                pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
+                basicConfig.getBasicConfiguration(
+                    Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ,
+                    "no VKZ defined")).get(0);
+
+          } else {
+            log.debug("Calculating bPK from baseId ... ");
+            new BpkBuilder();
+            final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(
+                identityLink.getIdentificationValue(),
+                identityLink.getIdentificationType(),
+                pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+            bpk = bpkCalc.getFirst();
+
+          }
+        }
       }
 
       if (identityLink == null) {
@@ -307,6 +330,20 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
     }
   }
 
+  private String getPkFromKeystore() throws EaafException, KeyStoreException {
+    EaafKeyStoreFactory keyStoreFactory = new EaafKeyStoreFactory();
+    KeyStoreConfiguration configuration = new KeyStoreConfiguration();
+
+    final String current = new java.io.File(".").toURI().toString();
+    configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks");
+
+    configuration.setSoftKeyStorePassword("f/+saJBc3a}*/T^s");
+    configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS);
+    val ks = keyStoreFactory.buildNewKeyStore(configuration);
+    val publicKey = ks.getFirst().getCertificate("connectorkeypair").getPublicKey();
+    return Base64.getEncoder().encodeToString(publicKey.getEncoded());
+  }
+
   private String extendBpkByPrefix(String bpk, String type) {
     String bpkType = null;
 
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/JoseUtils.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/JoseUtils.java
new file mode 100644
index 00000000..e81c4c92
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/JoseUtils.java
@@ -0,0 +1,305 @@
+package at.asitplus.eidas.specific.modules.auth.eidas.v2.utils;
+
+import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.jose4j.jca.ProviderContext;
+import org.jose4j.jwa.AlgorithmConstraints;
+import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwx.Headers;
+import org.jose4j.jwx.JsonWebStructure;
+import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
+import org.jose4j.lang.JoseException;
+import org.springframework.util.Base64Utils;
+
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.Provider;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+/**
+ * {@link JoseUtils} provides static methods JWS and JWE processing.
+ *
+ * @author tlenz
+ *
+ */
+@Slf4j
+public class JoseUtils {
+
+  /**
+   * Create a JWS signature.
+   *
+   * <p>
+   * Use {@link AlgorithmIdentifiers.RSA_PSS_USING_SHA256} in case
+   * of a RSA based key and
+   * {@link AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256}
+   * in case of an ECC based key.
+   * </p>
+   *
+   * @param keyStore               KeyStore that should be used
+   * @param keyAlias               Alias of the private key
+   * @param keyPassword            Password to access the key
+   * @param payLoad                PayLoad to sign
+   * @param addFullCertChain       If true the full certificate chain will be
+   *                               added, otherwise only the
+   *                               X509CertSha256Fingerprint is added into JOSE
+   *                               header
+   * @param friendlyNameForLogging FriendlyName for the used KeyStore for logging
+   *                               purposes only
+   * @return Signed PayLoad in serialized form
+   * @throws EaafException In case of a key-access or key-usage error
+   * @throws JoseException In case of a JOSE error
+   */
+  public static String createSignature(@Nonnull Pair<KeyStore, Provider> keyStore,
+      @Nonnull final String keyAlias, @Nonnull final char[] keyPassword,
+      @Nonnull final String payLoad, boolean addFullCertChain,
+      @Nonnull String friendlyNameForLogging) throws EaafException, JoseException {
+    return createSignature(keyStore, keyAlias, keyPassword, payLoad, addFullCertChain, Collections.emptyMap(),
+        AlgorithmIdentifiers.RSA_PSS_USING_SHA256, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256,
+        friendlyNameForLogging);
+
+  }
+
+  /**
+   * Create a JWS signature.
+   *
+   * <p>
+   * Use {@link AlgorithmIdentifiers.RSA_PSS_USING_SHA256} in case
+   * of a RSA based key and
+   * {@link AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256}
+   * in case of an ECC based key.
+   * </p>
+   *
+   * @param keyStore               KeyStore that should be used
+   * @param keyAlias               Alias of the private key
+   * @param keyPassword            Password to access the key
+   * @param payLoad                PayLoad to sign
+   * @param addFullCertChain       If true the full certificate chain will be
+   *                               added, otherwise only the
+   *                               X509CertSha256Fingerprint is added into JOSE
+   *                               header
+   * @param joseHeaders            HeaderName and HeaderValue that should be set
+   *                               into JOSE header
+   * @param friendlyNameForLogging FriendlyName for the used KeyStore for logging
+   *                               purposes only
+   * @return Signed PayLoad in serialized form
+   * @throws EaafException In case of a key-access or key-usage error
+   * @throws JoseException In case of a JOSE error
+   */
+  public static String createSignature(@Nonnull Pair<KeyStore, Provider> keyStore,
+      @Nonnull final String keyAlias, @Nonnull final char[] keyPassword,
+      @Nonnull final String payLoad, boolean addFullCertChain,
+      @Nonnull final Map<String, String> joseHeaders,
+      @Nonnull String friendlyNameForLogging) throws EaafException, JoseException {
+    return createSignature(keyStore, keyAlias, keyPassword, payLoad, addFullCertChain, joseHeaders,
+        AlgorithmIdentifiers.RSA_PSS_USING_SHA256, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256,
+        friendlyNameForLogging);
+
+  }
+
+  /**
+   * Create a JWS signature.
+   *
+   * @param keyStore               KeyStore that should be used
+   * @param keyAlias               Alias of the private key
+   * @param keyPassword            Password to access the key
+   * @param payLoad                PayLoad to sign
+   * @param addFullCertChain       If true the full certificate chain will be
+   *                               added, otherwise only the
+   *                               X509CertSha256Fingerprint is added into JOSE
+   *                               header
+   * @param joseHeaders            HeaderName and HeaderValue that should be set
+   *                               into JOSE header
+   * @param rsaAlgToUse            Signing algorithm that should be used in case
+   *                               of a signing key based on RSA
+   * @param eccAlgToUse            Signing algorithm that should be used in case
+   *                               of a signing key based on ECC
+   * @param friendlyNameForLogging FriendlyName for the used KeyStore for logging
+   *                               purposes only
+   * @return Signed PayLoad in serialized form
+   * @throws EaafException In case of a key-access or key-usage error
+   * @throws JoseException In case of a JOSE error
+   */
+  public static String createSignature(@Nonnull Pair<KeyStore, Provider> keyStore,
+      @Nonnull final String keyAlias, @Nonnull final char[] keyPassword,
+      @Nonnull final String payLoad, boolean addFullCertChain,
+      @Nonnull final Map<String, String> joseHeaders,
+      @Nonnull final String rsaAlgToUse, @Nonnull final String eccAlgToUse,
+      @Nonnull String friendlyNameForLogging) throws EaafException, JoseException {
+
+    final JsonWebSignature jws = new JsonWebSignature();
+
+    // set payload
+    jws.setPayload(payLoad);
+
+    // set JOSE headers
+    for (final Entry<String, String> el : joseHeaders.entrySet()) {
+      log.trace("Set JOSE header: {} with value: {} into JWS", el.getKey(), el.getValue());
+      jws.setHeader(el.getKey(), el.getValue());
+
+    }
+
+    // set signing information
+    final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        keyStore.getFirst(), keyAlias, keyPassword, true, friendlyNameForLogging);
+    jws.setKey(signingCred.getFirst());
+    jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(
+        jws.getKey(), rsaAlgToUse, eccAlgToUse, friendlyNameForLogging));
+
+    // set special provider if required
+    if (keyStore.getSecond() != null) {
+      log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName());
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          keyStore.getSecond().getName());
+      jws.setProviderContext(providerCtx);
+
+    }
+
+    if (addFullCertChain) {
+      jws.setCertificateChainHeaderValue(signingCred.getSecond());
+
+    }
+
+    jws.setX509CertSha256ThumbprintHeaderValue(signingCred.getSecond()[0]);
+
+    return jws.getCompactSerialization();
+
+  }
+
+  /**
+   * Verify a JOSE signature.
+   *
+   * @param serializedContent Serialized content that should be verified
+   * @param trustedCerts      Trusted certificates that should be used for
+   *                          verification
+   * @param constraints       {@link AlgorithmConstraints} for verification
+   * @return {@link JwsResult} object
+   * @throws JoseException In case of a signature verification error
+   * @throws IOException   In case of a general error
+   */
+  public static JwsResult validateSignature(@Nonnull final String serializedContent,
+      @Nonnull final List<X509Certificate> trustedCerts, @Nonnull final AlgorithmConstraints constraints)
+      throws JoseException, IOException {
+    final JsonWebSignature jws = new JsonWebSignature();
+    // set payload
+    jws.setCompactSerialization(serializedContent);
+
+    // set security constrains
+    jws.setAlgorithmConstraints(constraints);
+
+    // load signinc certs
+    Key selectedKey = null;
+    final List<X509Certificate> x5cCerts = jws.getCertificateChainHeaderValue();
+    final String x5t256 = jws.getX509CertSha256ThumbprintHeaderValue();
+    if (x5cCerts != null) {
+      log.debug("Found x509 certificate in JOSE header ... ");
+      log.trace("Sorting received X509 certificates ... ");
+      final List<X509Certificate> sortedX5cCerts = X509Utils.sortCertificates(x5cCerts);
+
+      if (trustedCerts.contains(sortedX5cCerts.get(0))) {
+        selectedKey = sortedX5cCerts.get(0).getPublicKey();
+
+      } else {
+        log.info("Can NOT find JOSE certificate in truststore.");
+        if (log.isDebugEnabled()) {
+          try {
+            log.debug("Cert: {}", Base64Utils.encodeToString(sortedX5cCerts.get(0).getEncoded()));
+
+          } catch (final CertificateEncodingException e) {
+            log.warn("Can not create DEBUG output", e);
+
+          }
+        }
+      }
+
+    } else if (StringUtils.isNotEmpty(x5t256)) {
+      log.debug("Found x5t256 fingerprint in JOSE header .... ");
+      final X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(
+          trustedCerts);
+      selectedKey = x509VerificationKeyResolver.resolveKey(jws, Collections.<JsonWebStructure>emptyList());
+
+    } else {
+      throw new JoseException("JWS contains NO signature certificate or NO certificate fingerprint");
+
+    }
+
+    if (selectedKey == null) {
+      throw new JoseException("Can NOT select verification key for JWS. Signature verification FAILED");
+
+    }
+
+    // set verification key
+    jws.setKey(selectedKey);
+
+    // load payLoad
+    return new JwsResult(
+        jws.verifySignature(),
+        jws.getUnverifiedPayload(),
+        jws.getHeaders(),
+        x5cCerts);
+
+  }
+
+  /**
+   * Select signature algorithm for a given credential.
+   *
+   * @param key                    {@link X509Credential} that will be used for
+   *                               key operations
+   * @param rsaSigAlgorithm        RSA based algorithm that should be used in case
+   *                               of RSA credential
+   * @param ecSigAlgorithm         EC based algorithm that should be used in case
+   *                               of RSA credential
+   * @param friendlyNameForLogging KeyStore friendlyName for logging purposes
+   * @return either the RSA based algorithm or the EC based algorithm
+   * @throws EaafKeyUsageException In case of an unsupported private-key type
+   */
+  private static String getKeyOperationAlgorithmFromCredential(Key key,
+      String rsaSigAlgorithm, String ecSigAlgorithm, String friendlyNameForLogging)
+      throws EaafKeyUsageException {
+    if (key instanceof RSAPrivateKey) {
+      return rsaSigAlgorithm;
+
+    } else if (key instanceof ECPrivateKey) {
+      return ecSigAlgorithm;
+
+    } else {
+      log.warn("Could NOT select the cryptographic algorithm from Private-Key type");
+      throw new EaafKeyUsageException(EaafKeyUsageException.ERROR_CODE_01,
+          friendlyNameForLogging,
+          "Can not select cryptographic algorithm");
+
+    }
+
+  }
+
+  private JoseUtils() {
+
+  }
+
+  @Getter
+  @AllArgsConstructor
+  public static class JwsResult {
+    final boolean valid;
+    final String payLoad;
+    final Headers fullJoseHeader;
+    final List<X509Certificate> x5cCerts;
+
+  }
+}
-- 
cgit v1.2.3


From 3332e8c363b624e7478f303c403ea709844e822f Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Tue, 20 Oct 2020 09:02:39 +0200
Subject: fixes thanks to Thomas

---
 .../modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java        | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index e4a22cbc..93813ff5 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -95,6 +95,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   @Autowired
   private ICcSpecificEidProcessingService eidPostProcessor;
 
+  @Autowired
+  EaafKeyStoreFactory keyStoreFactory;
+
   /*
    * (non-Javadoc)
    *
@@ -331,14 +334,14 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   }
 
   private String getPkFromKeystore() throws EaafException, KeyStoreException {
-    EaafKeyStoreFactory keyStoreFactory = new EaafKeyStoreFactory();
     KeyStoreConfiguration configuration = new KeyStoreConfiguration();
 
     final String current = new java.io.File(".").toURI().toString();
     configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks");
-
     configuration.setSoftKeyStorePassword("f/+saJBc3a}*/T^s");
     configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS);
+    configuration.setFriendlyName("connectorkeypair");
+    configuration.setKeyStoreName("connectorkeypair");
     val ks = keyStoreFactory.buildNewKeyStore(configuration);
     val publicKey = ks.getFirst().getCertificate("connectorkeypair").getPublicKey();
     return Base64.getEncoder().encodeToString(publicKey.getEncoded());
-- 
cgit v1.2.3


From d42ef2bccc0acd4e1ee830f42956a5cafb863299 Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Tue, 20 Oct 2020 16:57:45 +0200
Subject: cyclic depend

---
 .../specific/modules/auth/eidas/v2/Constants.java  |  5 ++
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     | 98 ++++++++++++----------
 2 files changed, 61 insertions(+), 42 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
index 3eec12bd..eac62aae 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
@@ -156,6 +156,11 @@ public class Constants {
   // Default values for SZR communication
   public static final String SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE = "ELEKTR_DOKUMENT";
 
+  // AuthBlock
+  public static final String SZR_AUTHBLOCK = "AUTHBLOCK";
+  public static final String EIDAS_BIND = "EIDAS_BIND";
+
+
   // TODO remove!!!
   public static final String SZR_CONSTANTS_DEFAULT_ISSUING_DATE = "2014-01-01";
   public static final String SZR_CONSTANTS_DEFAULT_ISSUING_AUTHORITY = "ms-specific eIDAS-Node for AT";
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 93813ff5..b141402a 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -32,6 +32,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicati
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils;
 import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType;
 import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType;
 import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType;
@@ -61,6 +62,7 @@ import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
+import org.bouncycastle.jce.PKCS10CertificationRequest;
 import org.joda.time.DateTime;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -72,8 +74,10 @@ import szrservices.TravelDocumentType;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.InputStream;
+import java.io.*;
+import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.Provider;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.List;
@@ -98,6 +102,10 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   @Autowired
   EaafKeyStoreFactory keyStoreFactory;
 
+  Pair<KeyStore, Provider> ks;
+  private final String KSPASSWORD = "f/+saJBc3a}*/T^s";
+  private final String KSALIAS = "connectorkeypair";
+
   /*
    * (non-Javadoc)
    *
@@ -114,6 +122,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
       final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
       final ILightResponse eidasResponse = authProcessData.getGenericDataFromSession(
           Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class);
+      String eidMode = pendingReq.getServiceProviderConfiguration()
+          .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old");
+
 
       final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap(eidasResponse.getAttributes()
           .getAttributeMap());
@@ -222,7 +233,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           }
         }
 
-        String eidMode = pendingReq.getServiceProviderConfiguration().getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old");
         if (eidMode.equals("new")) {
 
           String vsz = szrClient.getEncryptedStammzahl(personInfo);
@@ -239,8 +249,10 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           ObjectMapper mapper = new ObjectMapper();
           String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
 
-//          JoseUtils.createSignature(new Pair<>(ks, ks.getProvider()), "connectorkeypair", passord.chararray(), jwsPayload, false, ); //TODO joseutils kopiern
+          String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload, false, KSALIAS);//TODO joseutils kopiern
 
+          authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
+          authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, jwsSignature);
         } else {
 
           final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo);
@@ -282,44 +294,46 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         }
       }
 
-      if (identityLink == null) {
-        log.error("ERnB did not return an identity link.");
-        throw new SzrCommunicationException("ernb.00", null);
+      if (eidMode.equals("new")) {}
+      else {
+        if (identityLink == null) {
+          log.error("ERnB did not return an identity link.");
+          throw new SzrCommunicationException("ernb.00", null);
 
-      }
-      revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED,
-          identityLink.getSamlAssertion().getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
+        }
+        revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED,
+            identityLink.getSamlAssertion().getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
 
-      if (bpk == null) {
-        log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration()
-            .getAreaSpecificTargetIdentifier());
-        throw new SzrCommunicationException("ernb.01", null);
+        if (bpk == null) {
+          log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration()
+              .getAreaSpecificTargetIdentifier());
+          throw new SzrCommunicationException("ernb.01", null);
 
-      }
-      revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED);
-
-      log.debug("ERnB communication was successfull");
-
-      authProcessData.setForeigner(true);
-      authProcessData.setIdentityLink(identityLink);
-      authProcessData.setGenericDataToSession(
-          PvpAttributeDefinitions.EID_ISSUING_NATION_NAME,
-          EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(
-              Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst());
-
-      // set bPK and bPKType into auth session
-      authProcessData.setGenericDataToSession(
-          PvpAttributeDefinitions.BPK_NAME,
-          extendBpkByPrefix(
-              bpk,
-              pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
-      authProcessData.setGenericDataToSession(
-          PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
-          pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
-
-      // store pending-request
-      requestStoreage.storePendingRequest(pendingReq);
+        }
+        revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED);
+
+        log.debug("ERnB communication was successfull");
+
+        authProcessData.setForeigner(true);
+        authProcessData.setIdentityLink(identityLink);
+        authProcessData.setGenericDataToSession(
+            PvpAttributeDefinitions.EID_ISSUING_NATION_NAME,
+            EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(
+                Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst());
+
+        // set bPK and bPKType into auth session
+        authProcessData.setGenericDataToSession(
+            PvpAttributeDefinitions.BPK_NAME,
+            extendBpkByPrefix(
+                bpk,
+                pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
+        authProcessData.setGenericDataToSession(
+            PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
+            pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
 
+        // store pending-request
+        requestStoreage.storePendingRequest(pendingReq);
+      }
     } catch (final EidasAttributeException e) {
       throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e);
 
@@ -338,12 +352,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
     final String current = new java.io.File(".").toURI().toString();
     configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks");
-    configuration.setSoftKeyStorePassword("f/+saJBc3a}*/T^s");
+    configuration.setSoftKeyStorePassword(KSPASSWORD); //TODO from config
     configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS);
-    configuration.setFriendlyName("connectorkeypair");
-    configuration.setKeyStoreName("connectorkeypair");
-    val ks = keyStoreFactory.buildNewKeyStore(configuration);
-    val publicKey = ks.getFirst().getCertificate("connectorkeypair").getPublicKey();
+    configuration.setFriendlyName(KSALIAS);
+    configuration.setKeyStoreName(KSALIAS);
+    ks = keyStoreFactory.buildNewKeyStore(configuration);
+    val publicKey = ks.getFirst().getCertificate(KSALIAS).getPublicKey();
     return Base64.getEncoder().encodeToString(publicKey.getEncoded());
   }
 
-- 
cgit v1.2.3


From 8e239b9cb072e62d693f3d54a6a9ad2d9983cc71 Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Mon, 2 Nov 2020 23:29:54 +0100
Subject: AuthDataBuilder and AttributeBuilder

---
 .../eidas/specific/modules/auth/eidas/v2/Constants.java     |  4 ++--
 .../modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
index eac62aae..83a2afa6 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
@@ -157,8 +157,8 @@ public class Constants {
   public static final String SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE = "ELEKTR_DOKUMENT";
 
   // AuthBlock
-  public static final String SZR_AUTHBLOCK = "AUTHBLOCK";
-  public static final String EIDAS_BIND = "EIDAS_BIND";
+  public static final String SZR_AUTHBLOCK = "authData_AUTHBLOCK";
+  public static final String EIDAS_BIND = "authData_EIDAS_BIND";
 
 
   // TODO remove!!!
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index b141402a..86f28561 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -249,10 +249,10 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           ObjectMapper mapper = new ObjectMapper();
           String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
 
-          String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload, false, KSALIAS);//TODO joseutils kopiern
+          String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload, false, KSALIAS);
 
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
-          authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, jwsSignature);
+          authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind);
         } else {
 
           final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo);
@@ -294,7 +294,14 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         }
       }
 
-      if (eidMode.equals("new")) {}
+      if (eidMode.equals("new")) {
+        authProcessData.setForeigner(true);
+        authProcessData.setGenericDataToSession(
+            PvpAttributeDefinitions.EID_ISSUING_NATION_NAME,
+            EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(
+                Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst());
+        authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance());
+      }
       else {
         if (identityLink == null) {
           log.error("ERnB did not return an identity link.");
-- 
cgit v1.2.3


From 9704a357d117c48ed66d0b2d71b95747e1b73fef Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Tue, 3 Nov 2020 12:10:28 +0100
Subject: code style fixes

---
 .../modules/auth/eidas/v2/szr/SzrClient.java       | 38 +++++++++++++++-------
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     | 19 ++++++-----
 2 files changed, 37 insertions(+), 20 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index 5a551649..d2ce2f5d 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -33,7 +33,11 @@ import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 import javax.annotation.PostConstruct;
 import javax.net.ssl.KeyManager;
@@ -57,7 +61,6 @@ import javax.xml.ws.handler.Handler;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.lang3.time.StopWatch;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.frontend.ClientProxy;
@@ -80,7 +83,20 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
 import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
 import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
-import szrservices.*;
+import szrservices.GetBPK;
+import szrservices.GetBPKResponse;
+import szrservices.GetIdentityLinkEidas;
+import szrservices.GetIdentityLinkEidasResponse;
+import szrservices.IdentityLinkType;
+import szrservices.JwsHeaderParam;
+import szrservices.ObjectFactory;
+import szrservices.PersonInfoType;
+import szrservices.SZR;
+import szrservices.SZRException_Exception;
+import szrservices.SignContent;
+import szrservices.SignContentEntry;
+import szrservices.SignContentResponseType;
+
 
 @Service("SZRClientForeIDAS")
 public class SzrClient {
@@ -89,6 +105,13 @@ public class SzrClient {
   private static final String CLIENT_DEFAULT = "DefaultClient";
   private static final String CLIENT_RAW = "RawClient";
 
+  private static final String ATTR_NAME_VSZ = "urn:eidgvat:attributes.vsz.value";
+  private static final String ATTR_NAME_PUBKEYS = "urn:eidgvat:attributes.user.pubkeys";
+  private static final String ATTR_NAME_STATUS = "urn:eidgvat:attributes.eid.status";
+  private static final String KEY_BC_BIND = "bcBindReq";
+  private static final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype";
+  private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind";
+
   @Autowired
   private IConfiguration basicConfig;
 
@@ -232,13 +255,6 @@ public class SzrClient {
   public String getBcBind(final String vsz, final String bindingPubKey, final String eidStatus)
       throws SzrCommunicationException {
 
-    final String ATTR_NAME_VSZ = "urn:eidgvat:attributes.vsz.value";
-    final String ATTR_NAME_PUBKEYS = "urn:eidgvat:attributes.user.pubkeys";
-    final String ATTR_NAME_STATUS = "urn:eidgvat:attributes.eid.status";
-    final String KEY_BC_BIND = "bcBindReq";
-    final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype";
-    final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind";
-
     final Map<String, Object> bcBindMap = new HashMap<>();
     bcBindMap.put(ATTR_NAME_VSZ, vsz);
     bcBindMap.put(ATTR_NAME_STATUS, eidStatus);
@@ -264,7 +280,7 @@ public class SzrClient {
       if (resp == null
           || resp.getOut().isEmpty()
           || resp.getOut().get(0).getValue() == null) {
-        throw new SzrCommunicationException("ernb.01", new Object[]{"BcBind response empty"}); //TODO check error handling
+        throw new SzrCommunicationException("ernb.01", new Object[]{"BcBind response empty"});
       }
 
       return resp.getOut().get(0).getValue();
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 86f28561..765f7928 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -62,7 +62,6 @@ import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
-import org.bouncycastle.jce.PKCS10CertificationRequest;
 import org.joda.time.DateTime;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -74,7 +73,7 @@ import szrservices.TravelDocumentType;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.*;
+import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.Provider;
@@ -103,8 +102,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   EaafKeyStoreFactory keyStoreFactory;
 
   Pair<KeyStore, Provider> ks;
-  private final String KSPASSWORD = "f/+saJBc3a}*/T^s";
-  private final String KSALIAS = "connectorkeypair";
+  private static final String KSPASSWORD = "f/+saJBc3a}*/T^s";
+  private static final String KSALIAS = "connectorkeypair";
 
   /*
    * (non-Javadoc)
@@ -238,18 +237,20 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           String vsz = szrClient.getEncryptedStammzahl(personInfo);
 
           // build Keystore
-          String pK64 = getPkFromKeystore();
+          String pk64 = getPkFromKeystore();
           // setzte Keystore in config ?path? lade rein
           // key pair art siehe jose utils
 
 
-          String signedEidasBind = szrClient.getBcBind(vsz, pK64, "urn:eidgvat:eid.status.eidas"); //eidstatus TODO as config?
+          String signedEidasBind = szrClient.getBcBind(vsz, pk64, "urn:eidgvat:eid.status.eidas");
+          //TODO eidStatus as config?
 
           //build AuthBlock JWS
           ObjectMapper mapper = new ObjectMapper();
           String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
 
-          String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload, false, KSALIAS);
+          String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload,
+              false, KSALIAS);
 
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
           authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind);
@@ -301,8 +302,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
             EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(
                 Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst());
         authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance());
-      }
-      else {
+
+      } else {
         if (identityLink == null) {
           log.error("ERnB did not return an identity link.");
           throw new SzrCommunicationException("ernb.00", null);
-- 
cgit v1.2.3


From a9009a6f89c41dc19b85331dda676993c8a273b9 Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Wed, 4 Nov 2020 16:42:46 +0100
Subject: fix pw aliasname

---
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     | 187 ++++++++++-----------
 1 file changed, 89 insertions(+), 98 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 765f7928..af260528 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -102,8 +102,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   EaafKeyStoreFactory keyStoreFactory;
 
   Pair<KeyStore, Provider> ks;
-  private static final String KSPASSWORD = "f/+saJBc3a}*/T^s";
-  private static final String KSALIAS = "connectorkeypair";
 
   /*
    * (non-Javadoc)
@@ -114,19 +112,18 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
    * javax.servlet.http.HttpServletResponse)
    */
   @Override
-  public void execute(ExecutionContext executionContext,
-                      HttpServletRequest request, HttpServletResponse response)
+  public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
       throws TaskExecutionException {
     try {
       final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
-      final ILightResponse eidasResponse = authProcessData.getGenericDataFromSession(
-          Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class);
+      final ILightResponse eidasResponse = authProcessData
+          .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class);
       String eidMode = pendingReq.getServiceProviderConfiguration()
-          .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old");
+                                 .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old");
 
 
-      final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap(eidasResponse.getAttributes()
-          .getAttributeMap());
+      final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap(
+          eidasResponse.getAttributes().getAttributeMap());
 
       IIdentityLink identityLink = null;
       String bpk = null;
@@ -138,13 +135,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
       writeMdsLogInformation(eidData);
 
       // connect SZR-Gateway
-      if (basicConfig.getBasicConfigurationBoolean(
-          Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) {
+      if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) {
         log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!");
         // create fake IdL
         // - fetch IdL template from resources
-        final InputStream s = CreateIdentityLinkTask.class.getResourceAsStream(
-            "/resources/xmldata/fakeIdL_IdL_template.xml");
+        final InputStream s = CreateIdentityLinkTask.class
+            .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");
         final Element idlTemplate = DomUtils.parseXmlValidating(s);
 
         identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink();
@@ -153,33 +149,34 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         final Element idlassertion = identityLink.getSamlAssertion();
 
         // - set fake baseID;
-        final Node prIdentification = XPathUtils.selectSingleNode(idlassertion,
-            SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+        final Node prIdentification = XPathUtils
+            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
         prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym());
 
         // - set last name
-        final Node prFamilyName = XPathUtils.selectSingleNode(idlassertion,
-            SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
+        final Node prFamilyName = XPathUtils
+            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
         prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName());
 
         // - set first name
-        final Node prGivenName = XPathUtils.selectSingleNode(idlassertion,
-            SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
+        final Node prGivenName = XPathUtils
+            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
         prGivenName.getFirstChild().setNodeValue(eidData.getGivenName());
 
         // - set date of birth
-        final Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion,
-            SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
+        final Node prDateOfBirth = XPathUtils
+            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
 
         prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth());
 
         identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink();
 
         new BpkBuilder();
-        final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(
-            identityLink.getIdentificationValue(),
-            identityLink.getIdentificationType(),
-            pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+        final Pair<String, String> bpkCalc = BpkBuilder
+            .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
+                                                  identityLink.getIdentificationType(),
+                                                  pendingReq.getServiceProviderConfiguration()
+                                                            .getAreaSpecificTargetIdentifier());
         bpk = bpkCalc.getFirst();
 
       } else {
@@ -202,16 +199,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         eDocument.setDocumentNumber(eidData.getPseudonym());
 
         // eID document information
-        eDocument.setDocumentType(basicConfig.getBasicConfiguration(
-            Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE,
-            Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE));
+        eDocument.setDocumentType(basicConfig
+                                      .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE,
+                                                             Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE));
 
         // set PlaceOfBirth if available
         if (eidData.getPlaceOfBirth() != null) {
           log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth());
-          if (basicConfig.getBasicConfigurationBoolean(
-              Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE,
-              true)) {
+          if (basicConfig
+              .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE,
+                                            true)) {
             naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth());
             log.trace("Adding 'PlaceOfBirth' to ERnB request ... ");
 
@@ -221,9 +218,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         // set BirthName if available
         if (eidData.getBirthName() != null) {
           log.trace("Find 'BirthName' attribute: " + eidData.getBirthName());
-          if (basicConfig.getBasicConfigurationBoolean(
-              Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE,
-              true)) {
+          if (basicConfig
+              .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE,
+                                            true)) {
             final AlternativeNameType alternativeName = new AlternativeNameType();
             naturalPerson.setAlternativeName(alternativeName);
             alternativeName.setFamilyName(eidData.getBirthName());
@@ -234,12 +231,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
         if (eidMode.equals("new")) {
 
+          String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue(
+              MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, "");
+
+          String keyPw = pendingReq.getServiceProviderConfiguration()
+                                    .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, "");
+
           String vsz = szrClient.getEncryptedStammzahl(personInfo);
 
           // build Keystore
-          String pk64 = getPkFromKeystore();
-          // setzte Keystore in config ?path? lade rein
-          // key pair art siehe jose utils
+          String pk64 = getPkFromKeystore(keyAlias, keyPw);
 
 
           String signedEidasBind = szrClient.getBcBind(vsz, pk64, "urn:eidgvat:eid.status.eidas");
@@ -249,8 +250,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           ObjectMapper mapper = new ObjectMapper();
           String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
 
-          String jwsSignature = JoseUtils.createSignature(ks, KSALIAS, KSPASSWORD.toCharArray(), jwsPayload,
-              false, KSALIAS);
+
+          String jwsSignature = JoseUtils
+              .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias);
 
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
           authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind);
@@ -264,31 +266,29 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           // write ERnB inputdata into revisionlog
           if (basicConfig.getBasicConfigurationBoolean(
               Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) {
-            revisionsLogger.logEvent(pendingReq,
-                MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID,
-                (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
-            revisionsLogger.logEvent(pendingReq,
-                MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym());
+            revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID,
+                                     (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
+            revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym());
 
           }
 
           // get bPK from SZR
-          if (basicConfig.getBasicConfigurationBoolean(
-              Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
-            bpk = szrClient.getBpk(
-                personInfo,
-                pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
-                basicConfig.getBasicConfiguration(
-                    Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ,
-                    "no VKZ defined")).get(0);
+          if (basicConfig
+              .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
+            bpk = szrClient
+                .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
+                        basicConfig
+                            .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"))
+                .get(0);
 
           } else {
             log.debug("Calculating bPK from baseId ... ");
             new BpkBuilder();
-            final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(
-                identityLink.getIdentificationValue(),
-                identityLink.getIdentificationType(),
-                pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+            final Pair<String, String> bpkCalc = BpkBuilder
+                .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
+                                                      identityLink.getIdentificationType(),
+                                                      pendingReq.getServiceProviderConfiguration()
+                                                                .getAreaSpecificTargetIdentifier());
             bpk = bpkCalc.getFirst();
 
           }
@@ -297,10 +297,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
       if (eidMode.equals("new")) {
         authProcessData.setForeigner(true);
-        authProcessData.setGenericDataToSession(
-            PvpAttributeDefinitions.EID_ISSUING_NATION_NAME,
-            EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(
-                Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst());
+        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils
+            .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
+            .getFirst());
         authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance());
 
       } else {
@@ -310,11 +309,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
         }
         revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED,
-            identityLink.getSamlAssertion().getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
+                                 identityLink.getSamlAssertion()
+                                             .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
 
         if (bpk == null) {
           log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration()
-              .getAreaSpecificTargetIdentifier());
+                                                                         .getAreaSpecificTargetIdentifier());
           throw new SzrCommunicationException("ernb.01", null);
 
         }
@@ -324,20 +324,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
         authProcessData.setForeigner(true);
         authProcessData.setIdentityLink(identityLink);
-        authProcessData.setGenericDataToSession(
-            PvpAttributeDefinitions.EID_ISSUING_NATION_NAME,
-            EidasResponseUtils.parseEidasPersonalIdentifier((String) simpleAttrMap.get(
-                Constants.eIDAS_ATTR_PERSONALIDENTIFIER)).getFirst());
+        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils
+            .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
+            .getFirst());
 
         // set bPK and bPKType into auth session
-        authProcessData.setGenericDataToSession(
-            PvpAttributeDefinitions.BPK_NAME,
-            extendBpkByPrefix(
-                bpk,
-                pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
-        authProcessData.setGenericDataToSession(
-            PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
-            pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(bpk, pendingReq
+            .getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
+        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
+                                                pendingReq.getServiceProviderConfiguration()
+                                                          .getAreaSpecificTargetIdentifier());
 
         // store pending-request
         requestStoreage.storePendingRequest(pendingReq);
@@ -355,17 +351,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
     }
   }
 
-  private String getPkFromKeystore() throws EaafException, KeyStoreException {
+  private String getPkFromKeystore(String keyAlias, String keyPw) throws EaafException, KeyStoreException {
     KeyStoreConfiguration configuration = new KeyStoreConfiguration();
 
     final String current = new java.io.File(".").toURI().toString();
     configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks");
-    configuration.setSoftKeyStorePassword(KSPASSWORD); //TODO from config
+    configuration.setSoftKeyStorePassword(keyPw); //TODO from config
     configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS);
-    configuration.setFriendlyName(KSALIAS);
-    configuration.setKeyStoreName(KSALIAS);
+    configuration.setFriendlyName(keyAlias);
+    configuration.setKeyStoreName(keyAlias);
     ks = keyStoreFactory.buildNewKeyStore(configuration);
-    val publicKey = ks.getFirst().getCertificate(KSALIAS).getPublicKey();
+    val publicKey = ks.getFirst().getCertificate(keyAlias).getPublicKey();
     return Base64.getEncoder().encodeToString(publicKey.getEncoded());
   }
 
@@ -400,8 +396,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
       final Class parameterizedType = el.getParameterizedType();
       if (DateTime.class.equals(parameterizedType)) {
-        final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el)
-            .asList());
+        final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList());
         if (attribute != null) {
           result.put(el.getFriendlyName(), attribute);
           log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + attribute.toString());
@@ -411,8 +406,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         }
 
       } else if (PostalAddress.class.equals(parameterizedType)) {
-        final PostalAddress addressAttribute = EidasResponseUtils.translateAddressAttribute(el, attributeMap
-            .get(el).asList());
+        final PostalAddress addressAttribute = EidasResponseUtils
+            .translateAddressAttribute(el, attributeMap.get(el).asList());
         if (addressAttribute != null) {
           result.put(el.getFriendlyName(), addressAttribute);
           log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + addressAttribute.toString());
@@ -422,8 +417,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         }
 
       } else {
-        final List<String> natPersonIdObj = EidasResponseUtils.translateStringListAttribute(el, attributeMap
-            .get(el).asList());
+        final List<String> natPersonIdObj = EidasResponseUtils
+            .translateStringListAttribute(el, attributeMap.get(el).asList());
         final String stringAttr = natPersonIdObj.get(0);
         if (StringUtils.isNotEmpty(stringAttr)) {
           result.put(el.getFriendlyName(), stringAttr);
@@ -443,23 +438,19 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
   private void writeMdsLogInformation(ErnbEidData eidData) {
     // log MDS and country code into technical log
-    if (basicConfig.getBasicConfigurationBoolean(
-        MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false)) {
-      log.info("eIDAS Auth. for user: "
-          + eidData.getGivenName() + " "
-          + eidData.getFamilyName() + " "
-          + eidData.getFormatedDateOfBirth() + " "
-          + "from " + eidData.getCitizenCountryCode());
+    if (basicConfig
+        .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false)) {
+      log.info("eIDAS Auth. for user: " + eidData.getGivenName() + " " + eidData.getFamilyName() + " " + eidData
+          .getFormatedDateOfBirth() + " " + "from " + eidData.getCitizenCountryCode());
     }
 
     // log MDS and country code into revision log
-    if (basicConfig.getBasicConfigurationBoolean(
-        MsEidasNodeConstants.PROP_CONFIG_REVISIONLOG_WRITE_MDS_INTO_REVISION_LOG, false)) {
+    if (basicConfig
+        .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_REVISIONLOG_WRITE_MDS_INTO_REVISION_LOG,
+                                      false)) {
       revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_MDSDATA,
-          "{" + eidData.getGivenName() + ","
-              + eidData.getFamilyName() + ","
-              + eidData.getFormatedDateOfBirth() + ","
-              + eidData.getCitizenCountryCode() + "}");
+                               "{" + eidData.getGivenName() + "," + eidData.getFamilyName() + "," + eidData
+                                   .getFormatedDateOfBirth() + "," + eidData.getCitizenCountryCode() + "}");
     }
 
   }
-- 
cgit v1.2.3


From 3e422c60952d5892a0e568de8c28ce878610eb2f Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Wed, 4 Nov 2020 18:47:51 +0100
Subject: Attribute builder tests EidasBindAttributeBuilderTest and
 AuthBlockAttributeBuilderTest

---
 .../auth/eidas/v2/tasks/CreateIdentityLinkTask.java     | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index af260528..f060a4cf 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -101,6 +101,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   @Autowired
   EaafKeyStoreFactory keyStoreFactory;
 
+  private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas";
   Pair<KeyStore, Provider> ks;
 
   /*
@@ -230,27 +231,24 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         }
 
         if (eidMode.equals("new")) {
-
           String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue(
               MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, "");
-
           String keyPw = pendingReq.getServiceProviderConfiguration()
                                     .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, "");
 
+          // get verschlüsselte Stammzahl
           String vsz = szrClient.getEncryptedStammzahl(personInfo);
 
           // build Keystore
           String pk64 = getPkFromKeystore(keyAlias, keyPw);
 
+          // get eIDAS bind
+          String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS);
 
-          String signedEidasBind = szrClient.getBcBind(vsz, pk64, "urn:eidgvat:eid.status.eidas");
-          //TODO eidStatus as config?
-
-          //build AuthBlock JWS
+          // build AuthBlock (JWS)
           ObjectMapper mapper = new ObjectMapper();
           String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
 
-
           String jwsSignature = JoseUtils
               .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias);
 
@@ -277,9 +275,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
               .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
             bpk = szrClient
                 .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
-                        basicConfig
-                            .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"))
-                .get(0);
+                        basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ,
+                                                          "no VKZ defined")).get(0);
 
           } else {
             log.debug("Calculating bPK from baseId ... ");
-- 
cgit v1.2.3


From d40505ed35a8db7d242a8b218297e322350722b3 Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Thu, 5 Nov 2020 12:18:26 +0100
Subject: Test fixes

---
 .../eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index d2ce2f5d..69b993a4 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -234,7 +234,7 @@ public class SzrClient {
       throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
     }
 
-    if (resp == null || StringUtils.isEmpty(resp)) {
+    if (StringUtils.isEmpty(resp)) {
       throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling
     }
 
@@ -277,9 +277,9 @@ public class SzrClient {
       final SignContentResponseType resp = szr.signContent(req.isAppendCert(), req.getJWSHeaderParam(), req.getIn());
       log.trace("Receive SZR response on bcBind siging operation ");
 
-      if (resp == null
+      if (resp == null || resp.getOut() == null
           || resp.getOut().isEmpty()
-          || resp.getOut().get(0).getValue() == null) {
+          || StringUtils.isEmpty(resp.getOut().get(0).getValue())) {
         throw new SzrCommunicationException("ernb.01", new Object[]{"BcBind response empty"});
       }
 
-- 
cgit v1.2.3


From f358f3ba6a24d5e9575b3fd63e3fbfe8848b63c4 Mon Sep 17 00:00:00 2001
From: lalber <lukas.alber@iaik.tugraz.at>
Date: Fri, 6 Nov 2020 16:28:26 +0100
Subject: some improvements

---
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     | 65 +++++++++++++---------
 1 file changed, 40 insertions(+), 25 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index f060a4cf..8626c709 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -60,7 +60,6 @@ import eu.eidas.auth.commons.attribute.AttributeValue;
 import eu.eidas.auth.commons.light.ILightResponse;
 import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress;
 import lombok.extern.slf4j.Slf4j;
-import lombok.val;
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -77,6 +76,7 @@ import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.Provider;
+import java.security.PublicKey;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.List;
@@ -102,7 +102,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   EaafKeyStoreFactory keyStoreFactory;
 
   private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas";
-  Pair<KeyStore, Provider> ks;
 
   /*
    * (non-Javadoc)
@@ -119,8 +118,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
       final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
       final ILightResponse eidasResponse = authProcessData
           .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class);
-      String eidMode = pendingReq.getServiceProviderConfiguration()
-                                 .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old");
+      boolean isNewEidMode = pendingReq.getServiceProviderConfiguration()
+                                       .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false);
 
 
       final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap(
@@ -230,17 +229,31 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           }
         }
 
-        if (eidMode.equals("new")) {
-          String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue(
-              MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, "");
-          String keyPw = pendingReq.getServiceProviderConfiguration()
-                                    .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, "");
+        if (isNewEidMode) {
+
+          // read Connector wide config data TODO connector wide!
+          String keyStoreAlias = basicConfig
+              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME);
+          String keyStorePw = basicConfig
+              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD);
+          String keyStorePath = basicConfig
+              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH);
+          String keyStoreType = basicConfig
+              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE);
+
 
           // get verschlüsselte Stammzahl
           String vsz = szrClient.getEncryptedStammzahl(personInfo);
 
           // build Keystore
-          String pk64 = getPkFromKeystore(keyAlias, keyPw);
+          Pair<KeyStore, Provider> keystoreProvider = initKeystore(keyStoreAlias, keyStorePw, keyStorePath,
+                                                                   keyStoreType);
+
+          // get pubKey
+          PublicKey publicKey = keystoreProvider.getFirst().getCertificate(keyStoreAlias).getPublicKey();
+
+          // encode pubKey base64
+          String pk64 = Base64.getEncoder().encodeToString(publicKey.getEncoded());
 
           // get eIDAS bind
           String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS);
@@ -250,7 +263,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
 
           String jwsSignature = JoseUtils
-              .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias);
+              .createSignature(keystoreProvider, keyStoreAlias, keyStorePw.toCharArray(), jwsPayload, false,
+                               keyStoreAlias);
 
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
           authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind);
@@ -275,8 +289,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
               .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
             bpk = szrClient
                 .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
-                        basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ,
-                                                          "no VKZ defined")).get(0);
+                        basicConfig
+                            .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"))
+                .get(0);
 
           } else {
             log.debug("Calculating bPK from baseId ... ");
@@ -292,7 +307,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         }
       }
 
-      if (eidMode.equals("new")) {
+      if (isNewEidMode) {
         authProcessData.setForeigner(true);
         authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils
             .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
@@ -305,7 +320,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
           throw new SzrCommunicationException("ernb.00", null);
 
         }
-        revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED,
+        revisionsLogger.logEvent(pendingReq,
+                                 MsConnectorEventCodes.SZR_IDL_RECEIVED,
                                  identityLink.getSamlAssertion()
                                              .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
 
@@ -348,18 +364,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
     }
   }
 
-  private String getPkFromKeystore(String keyAlias, String keyPw) throws EaafException, KeyStoreException {
-    KeyStoreConfiguration configuration = new KeyStoreConfiguration();
+  private Pair<KeyStore, Provider> initKeystore(String keyAlias, String keyPw, String path, String type)
+      throws EaafException, KeyStoreException {
+    KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration();
 
     final String current = new java.io.File(".").toURI().toString();
-    configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks");
-    configuration.setSoftKeyStorePassword(keyPw); //TODO from config
-    configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS);
-    configuration.setFriendlyName(keyAlias);
-    configuration.setKeyStoreName(keyAlias);
-    ks = keyStoreFactory.buildNewKeyStore(configuration);
-    val publicKey = ks.getFirst().getCertificate(keyAlias).getPublicKey();
-    return Base64.getEncoder().encodeToString(publicKey.getEncoded());
+    keyStoreConfiguration.setSoftKeyStoreFilePath(current + path);
+    keyStoreConfiguration.setSoftKeyStorePassword(keyPw);
+    keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(type));
+    keyStoreConfiguration.setFriendlyName(keyAlias);
+    keyStoreConfiguration.setKeyStoreName(keyAlias);
+    return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
   }
 
   private String extendBpkByPrefix(String bpk, String type) {
-- 
cgit v1.2.3


From 57d813b9cfbbd231a2e6f9d47169b31435d1d6c0 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Sat, 7 Nov 2020 18:21:49 +0100
Subject: code clean-up and first jUnit test modifications for
 CreateIdentityLink task

---
 .../eidas/v2/service/AuthBlockSigningService.java  | 147 ++++++
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     | 507 +++++++++++----------
 2 files changed, 409 insertions(+), 245 deletions(-)
 create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
new file mode 100644
index 00000000..30d255b9
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -0,0 +1,147 @@
+package at.asitplus.eidas.specific.modules.auth.eidas.v2.service;
+
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Provider;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.lang3.StringUtils;
+import org.jose4j.lang.JoseException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Service to build and sign AuthBlock's for E-ID system.
+ * 
+ * @author tlenz
+ *
+ */
+@Slf4j
+@Service("authBlockSigningService")
+public class AuthBlockSigningService {
+
+  private static final String KEYSTORE_FRIENDLYNAME = "AuthBlock_Signing";
+
+  private static ObjectMapper mapper = new ObjectMapper();
+  
+  @Autowired
+  IConfiguration basicConfig;
+  
+  @Autowired
+  EaafKeyStoreFactory keyStoreFactory;
+
+  
+  private Pair<KeyStore, Provider> keyStore;
+  
+  /**
+   * Build and sign an AuthBlock for E-ID system. 
+   * 
+   * @param dataToSign data that should be added into AuthBlock
+   * @return serialized JWS
+   * @throws JsonProcessingException In case of a AuthBlock generation error 
+   * @throws JoseException  In case of a JWS signing error
+   * @throws EaafException  In case of a KeyStore or Key error
+   */
+  public String buildSignedAuthBlock(String dataToSign) 
+      throws JsonProcessingException, EaafException, JoseException {
+    log.debug("Building and sign authBlock with data: {}", dataToSign);
+    
+    // build AuthBlock
+    String jwsPayload = mapper.writeValueAsString(dataToSign);
+    
+    //sign JWS
+    return JoseUtils
+        .createSignature(keyStore, getKeyAlias(), getKeyPassword(), jwsPayload, false,
+                         KEYSTORE_FRIENDLYNAME);    
+  }
+  
+
+  /**
+   * Get the Base64 encoded PublicKey that is used to sign the AuthBlock.
+   * 
+   * @return Base64 encoded PublicKey
+   * @throws EaafKeyAccessException In case of an unknown or invalid key
+   */
+  public String getBase64EncodedPublicKey() throws EaafKeyAccessException {       
+    Pair<Key, X509Certificate[]> keyPair = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME);       
+    return Base64.getEncoder().encodeToString(keyPair.getSecond()[0].getPublicKey().getEncoded());
+    
+  }
+
+  @PostConstruct
+  private void initialize() throws KeyStoreException, EaafException {   
+    log.debug("Initializing AuthBlock signing service ... ");
+    // read Connector wide config data TODO connector wide!   
+    String keyStoreName = basicConfig
+        .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME);
+    String keyStorePw = basicConfig
+        .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD);
+    String keyStorePath = basicConfig
+        .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH);
+    String keyStoreType = basicConfig
+        .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE);
+
+    
+    //build new KeyStore configuration
+    KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration();
+    keyStoreConfiguration.setFriendlyName(KEYSTORE_FRIENDLYNAME);
+    
+    keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath);
+    keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw);
+    keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType));    
+    keyStoreConfiguration.setKeyStoreName(keyStoreName);
+    
+    //validate KeyStore configuration
+    keyStoreConfiguration.validate();
+        
+    //validate key alias
+    if (StringUtils.isEmpty(getKeyAlias())) {
+      throw new EaafConfigurationException("config.08", 
+          new Object[] {MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS});
+      
+    }
+        
+    //build new KeyStore based on configuration
+    keyStore =  keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
+    
+    log.info("AuthBlock signing-service successful initialized");
+    
+  }   
+  
+  private char[] getKeyPassword() {
+    final String value = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD);
+    if (value != null) {
+      return value.trim().toCharArray();
+    }
+
+    return null;
+    
+  }
+
+
+  private String getKeyAlias() {
+    return basicConfig
+        .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS);
+    
+  }
+}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 8626c709..1ffd56e4 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -23,16 +23,37 @@
 
 package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.lang3.StringUtils;
+import org.joda.time.DateTime;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.xml.sax.SAXException;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+
 import at.asitplus.eidas.specific.connector.MsConnectorEventCodes;
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils;
-import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils;
 import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType;
 import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType;
 import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType;
@@ -43,8 +64,6 @@ import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
 import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
@@ -52,36 +71,16 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser
 import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
 import at.gv.egiz.eaaf.core.impl.utils.XPathUtils;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import eu.eidas.auth.commons.attribute.AttributeDefinition;
 import eu.eidas.auth.commons.attribute.AttributeValue;
 import eu.eidas.auth.commons.light.ILightResponse;
 import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress;
+import lombok.Data;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.StringUtils;
-import org.joda.time.DateTime;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
 import szrservices.IdentityLinkType;
 import szrservices.PersonInfoType;
 import szrservices.TravelDocumentType;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.InputStream;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.Provider;
-import java.security.PublicKey;
-import java.util.Base64;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
 /**
  * Task that creates the IdentityLink for an eIDAS authenticated person.
  *
@@ -97,12 +96,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
   private SzrClient szrClient;
   @Autowired
   private ICcSpecificEidProcessingService eidPostProcessor;
-
+  
   @Autowired
-  EaafKeyStoreFactory keyStoreFactory;
+  private AuthBlockSigningService authBlockSigner;
 
   private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas";
-
+  
   /*
    * (non-Javadoc)
    *
@@ -118,164 +117,57 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
       final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
       final ILightResponse eidasResponse = authProcessData
           .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class);
-      boolean isNewEidMode = pendingReq.getServiceProviderConfiguration()
-                                       .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false);
-
 
       final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap(
           eidasResponse.getAttributes().getAttributeMap());
 
-      IIdentityLink identityLink = null;
-      String bpk = null;
-
       // post-process eIDAS attributes
       final ErnbEidData eidData = eidPostProcessor.postProcess(simpleAttrMap);
 
       // write MDS into technical log and revision log
       writeMdsLogInformation(eidData);
 
-      // connect SZR-Gateway
+      //build IdentityLink or VSZ and eidasBind
       if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) {
-        log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!");
-        // create fake IdL
-        // - fetch IdL template from resources
-        final InputStream s = CreateIdentityLinkTask.class
-            .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");
-        final Element idlTemplate = DomUtils.parseXmlValidating(s);
-
-        identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink();
-
-        // replace data
-        final Element idlassertion = identityLink.getSamlAssertion();
-
-        // - set fake baseID;
-        final Node prIdentification = XPathUtils
-            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
-        prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym());
-
-        // - set last name
-        final Node prFamilyName = XPathUtils
-            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
-        prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName());
-
-        // - set first name
-        final Node prGivenName = XPathUtils
-            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
-        prGivenName.getFirstChild().setNodeValue(eidData.getGivenName());
-
-        // - set date of birth
-        final Node prDateOfBirth = XPathUtils
-            .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
-
-        prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth());
-
-        identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink();
-
-        new BpkBuilder();
-        final Pair<String, String> bpkCalc = BpkBuilder
-            .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
-                                                  identityLink.getIdentificationType(),
-                                                  pendingReq.getServiceProviderConfiguration()
-                                                            .getAreaSpecificTargetIdentifier());
-        bpk = bpkCalc.getFirst();
-
+        SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData);
+        //inject personal-data into session
+        authProcessData.setIdentityLink(idlResult.getIdentityLink());  
+        
+        // set bPK and bPKType into auth session
+        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(
+            idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
+        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
+                                                pendingReq.getServiceProviderConfiguration()
+                                                          .getAreaSpecificTargetIdentifier());
+                 
       } else {
-        // contact SZR Gateway
-        log.debug("Starting connecting SZR Gateway");
-        final PersonInfoType personInfo = new PersonInfoType();
-        final PersonNameType personName = new PersonNameType();
-        final PhysicalPersonType naturalPerson = new PhysicalPersonType();
-        final TravelDocumentType eDocument = new TravelDocumentType();
-
-        naturalPerson.setName(personName);
-        personInfo.setPerson(naturalPerson);
-        personInfo.setTravelDocument(eDocument);
-
-        // person information
-        personName.setFamilyName(eidData.getFamilyName());
-        personName.setGivenName(eidData.getGivenName());
-        naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth());
-        eDocument.setIssuingCountry(eidData.getCitizenCountryCode());
-        eDocument.setDocumentNumber(eidData.getPseudonym());
-
-        // eID document information
-        eDocument.setDocumentType(basicConfig
-                                      .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE,
-                                                             Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE));
-
-        // set PlaceOfBirth if available
-        if (eidData.getPlaceOfBirth() != null) {
-          log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth());
-          if (basicConfig
-              .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE,
-                                            true)) {
-            naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth());
-            log.trace("Adding 'PlaceOfBirth' to ERnB request ... ");
-
-          }
-        }
-
-        // set BirthName if available
-        if (eidData.getBirthName() != null) {
-          log.trace("Find 'BirthName' attribute: " + eidData.getBirthName());
-          if (basicConfig
-              .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE,
-                                            true)) {
-            final AlternativeNameType alternativeName = new AlternativeNameType();
-            naturalPerson.setAlternativeName(alternativeName);
-            alternativeName.setFamilyName(eidData.getBirthName());
-            log.trace("Adding 'BirthName' to ERnB request ... ");
-
-          }
-        }
-
-        if (isNewEidMode) {
-
-          // read Connector wide config data TODO connector wide!
-          String keyStoreAlias = basicConfig
-              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME);
-          String keyStorePw = basicConfig
-              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD);
-          String keyStorePath = basicConfig
-              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH);
-          String keyStoreType = basicConfig
-              .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE);
-
-
-          // get verschlüsselte Stammzahl
+        //build SZR request from eIDAS data        
+        final PersonInfoType personInfo = generateSzrRequest(eidData);
+        
+        //request SZR based on IDL or E-ID mode
+        if (pendingReq.getServiceProviderConfiguration()
+            .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) {
+
+          // get encrypted baseId
           String vsz = szrClient.getEncryptedStammzahl(personInfo);
-
-          // build Keystore
-          Pair<KeyStore, Provider> keystoreProvider = initKeystore(keyStoreAlias, keyStorePw, keyStorePath,
-                                                                   keyStoreType);
-
-          // get pubKey
-          PublicKey publicKey = keystoreProvider.getFirst().getCertificate(keyStoreAlias).getPublicKey();
-
-          // encode pubKey base64
-          String pk64 = Base64.getEncoder().encodeToString(publicKey.getEncoded());
-
+                            
           // get eIDAS bind
-          String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS);
-
-          // build AuthBlock (JWS)
-          ObjectMapper mapper = new ObjectMapper();
-          String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier());
-
-          String jwsSignature = JoseUtils
-              .createSignature(keystoreProvider, keyStoreAlias, keyStorePw.toCharArray(), jwsPayload, false,
-                               keyStoreAlias);
-
+          String signedEidasBind = szrClient.getBcBind(vsz, 
+              authBlockSigner.getBase64EncodedPublicKey(), 
+              EID_STATUS);
+
+          //get signed AuthBlock
+          String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier());
+       
+          //inject personal-data into session
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
           authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind);
+               
         } else {
-
-          final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo);
-
-          final Element idlFromSzr = (Element) result.getAssertion();
-          identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink();
-
-          // write ERnB inputdata into revisionlog
+          //request SZR
+          SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo);
+          
+          // write ERnB input-data into revision-log
           if (basicConfig.getBasicConfigurationBoolean(
               Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) {
             revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID,
@@ -283,100 +175,158 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
             revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym());
 
           }
-
-          // get bPK from SZR
-          if (basicConfig
-              .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
-            bpk = szrClient
-                .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
-                        basicConfig
-                            .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"))
-                .get(0);
-
-          } else {
-            log.debug("Calculating bPK from baseId ... ");
-            new BpkBuilder();
-            final Pair<String, String> bpkCalc = BpkBuilder
-                .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
-                                                      identityLink.getIdentificationType(),
-                                                      pendingReq.getServiceProviderConfiguration()
-                                                                .getAreaSpecificTargetIdentifier());
-            bpk = bpkCalc.getFirst();
-
-          }
+          
+          //check result-data and write revision-log based on current state
+          checkStateAndWriteRevisionLog(idlResult);
+          
+
+          //inject personal-data into session
+          authProcessData.setIdentityLink(idlResult.getIdentityLink());  
+          
+          // set bPK and bPKType into auth session
+          authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(
+              idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
+          authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
+                                                  pendingReq.getServiceProviderConfiguration()
+                                                            .getAreaSpecificTargetIdentifier());
+          
         }
       }
+      
+      //add generic info's into session
+      authProcessData.setForeigner(true);
+      authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils
+          .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
+          .getFirst());
+      authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance());
+           
+      // store pending-request
+      requestStoreage.storePendingRequest(pendingReq);
+      
+      
+    } catch (final EidasAttributeException e) {
+      throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e);
 
-      if (isNewEidMode) {
-        authProcessData.setForeigner(true);
-        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils
-            .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
-            .getFirst());
-        authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance());
+    } catch (final EaafException e) {
+      throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e);
 
-      } else {
-        if (identityLink == null) {
-          log.error("ERnB did not return an identity link.");
-          throw new SzrCommunicationException("ernb.00", null);
+    } catch (final Exception e) {
+      log.error("IdentityLink generation for foreign person FAILED.", e);
+      throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e);
 
-        }
-        revisionsLogger.logEvent(pendingReq,
-                                 MsConnectorEventCodes.SZR_IDL_RECEIVED,
-                                 identityLink.getSamlAssertion()
-                                             .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
+    }
+  }
 
-        if (bpk == null) {
-          log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration()
-                                                                         .getAreaSpecificTargetIdentifier());
-          throw new SzrCommunicationException("ernb.01", null);
+  private PersonInfoType generateSzrRequest(ErnbEidData eidData) {
+    log.debug("Starting connecting SZR Gateway");
+    final PersonInfoType personInfo = new PersonInfoType();
+    final PersonNameType personName = new PersonNameType();
+    final PhysicalPersonType naturalPerson = new PhysicalPersonType();
+    final TravelDocumentType eDocument = new TravelDocumentType();
+
+    naturalPerson.setName(personName);
+    personInfo.setPerson(naturalPerson);
+    personInfo.setTravelDocument(eDocument);
+
+    // person information
+    personName.setFamilyName(eidData.getFamilyName());
+    personName.setGivenName(eidData.getGivenName());
+    naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth());
+    eDocument.setIssuingCountry(eidData.getCitizenCountryCode());
+    eDocument.setDocumentNumber(eidData.getPseudonym());
+
+    // eID document information
+    eDocument.setDocumentType(basicConfig
+                                  .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE,
+                                                         Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE));
+
+    // set PlaceOfBirth if available
+    if (eidData.getPlaceOfBirth() != null) {
+      log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth());
+      if (basicConfig
+          .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE,
+                                        true)) {
+        naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth());
+        log.trace("Adding 'PlaceOfBirth' to ERnB request ... ");
 
-        }
-        revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED);
+      }
+    }
 
-        log.debug("ERnB communication was successfull");
+    // set BirthName if available
+    if (eidData.getBirthName() != null) {
+      log.trace("Find 'BirthName' attribute: " + eidData.getBirthName());
+      if (basicConfig
+          .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE,
+                                        true)) {
+        final AlternativeNameType alternativeName = new AlternativeNameType();
+        naturalPerson.setAlternativeName(alternativeName);
+        alternativeName.setFamilyName(eidData.getBirthName());
+        log.trace("Adding 'BirthName' to ERnB request ... ");
 
-        authProcessData.setForeigner(true);
-        authProcessData.setIdentityLink(identityLink);
-        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils
-            .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
-            .getFirst());
+      }
+    }
+    
+    return personInfo;
+    
+  }
 
-        // set bPK and bPKType into auth session
-        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(bpk, pendingReq
-            .getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()));
-        authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME,
+  private SzrResultHolder requestSzrForIdentityLink(PersonInfoType personInfo) 
+      throws SzrCommunicationException, EaafException {
+    //request IdentityLink from SZR
+    final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo);
+    
+    final Element idlFromSzr = (Element) result.getAssertion();
+    IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink();
+
+    // get bPK from SZR
+    String bpk;
+    if (basicConfig
+        .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) {
+      bpk = szrClient
+          .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(),
+                  basicConfig
+                      .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"))
+          .get(0);
+
+    } else {
+      log.debug("Calculating bPK from baseId ... ");
+      new BpkBuilder();
+      final Pair<String, String> bpkCalc = BpkBuilder
+          .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
+                                                identityLink.getIdentificationType(),
                                                 pendingReq.getServiceProviderConfiguration()
                                                           .getAreaSpecificTargetIdentifier());
+      bpk = bpkCalc.getFirst();
 
-        // store pending-request
-        requestStoreage.storePendingRequest(pendingReq);
-      }
-    } catch (final EidasAttributeException e) {
-      throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e);
+    }
+    
+    return new SzrResultHolder(identityLink, bpk);
+    
+  }
+  
+  private void checkStateAndWriteRevisionLog(SzrResultHolder idlResult) throws SzrCommunicationException {
+    // write some infos into revision log
+    if (idlResult.getIdentityLink() == null) {
+      log.error("ERnB did not return an identity link.");
+      throw new SzrCommunicationException("ernb.00", null);
 
-    } catch (final EaafException e) {
-      throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e);
+    }
+    revisionsLogger.logEvent(pendingReq,
+                             MsConnectorEventCodes.SZR_IDL_RECEIVED,
+                             idlResult.getIdentityLink().getSamlAssertion()
+                                         .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID));
 
-    } catch (final Exception e) {
-      log.error("IdentityLink generation for foreign person FAILED.", e);
-      throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e);
+    if (idlResult.getBpK() == null) {
+      log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration()
+                                                                     .getAreaSpecificTargetIdentifier());
+      throw new SzrCommunicationException("ernb.01", null);
 
     }
+    revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED);
+    log.debug("ERnB communication was successfull");
+        
   }
-
-  private Pair<KeyStore, Provider> initKeystore(String keyAlias, String keyPw, String path, String type)
-      throws EaafException, KeyStoreException {
-    KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration();
-
-    final String current = new java.io.File(".").toURI().toString();
-    keyStoreConfiguration.setSoftKeyStoreFilePath(current + path);
-    keyStoreConfiguration.setSoftKeyStorePassword(keyPw);
-    keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(type));
-    keyStoreConfiguration.setFriendlyName(keyAlias);
-    keyStoreConfiguration.setKeyStoreName(keyAlias);
-    return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
-  }
-
+  
   private String extendBpkByPrefix(String bpk, String type) {
     String bpkType = null;
 
@@ -406,7 +356,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
     for (final AttributeDefinition<?> el : attributeMap.keySet()) {
 
-      final Class parameterizedType = el.getParameterizedType();
+      final Class<?> parameterizedType = el.getParameterizedType();
       if (DateTime.class.equals(parameterizedType)) {
         final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList());
         if (attribute != null) {
@@ -466,5 +416,72 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
     }
 
   }
+  
+  @Data
+  private static class SzrResultHolder {    
+    final IIdentityLink identityLink;
+    final String bpK;
+    
+  }
+    
+  /**
+   * Build a dummy IdentityLink and a dummy bPK based on eIDAS information.
+   * 
+   * <br><br>
+   * <b>FOR LOCAL TESTING ONLY!!!</b>
+   * 
+   * @param eidData Information from eIDAS response
+   * @return IdentityLink and bPK
+   * @throws ParserConfigurationException In case of an IDL processing error
+   * @throws SAXException In case of an IDL processing error
+   * @throws IOException In case of an IDL processing error
+   * @throws EaafException In case of a bPK generation error
+   */
+  private SzrResultHolder createDummyIdentityLinkForTestDeployment(ErnbEidData eidData) 
+      throws ParserConfigurationException, SAXException, IOException, EaafException {
+    log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!");
+    // create fake IdL
+    // - fetch IdL template from resources
+    final InputStream s = CreateIdentityLinkTask.class
+        .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");
+    final Element idlTemplate = DomUtils.parseXmlValidating(s);
+
+    IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink();
+
+    // replace data
+    final Element idlassertion = identityLink.getSamlAssertion();
+
+    // - set fake baseID;
+    final Node prIdentification = XPathUtils
+        .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+    prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym());
+
+    // - set last name
+    final Node prFamilyName = XPathUtils
+        .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
+    prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName());
+
+    // - set first name
+    final Node prGivenName = XPathUtils
+        .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
+    prGivenName.getFirstChild().setNodeValue(eidData.getGivenName());
+
+    // - set date of birth
+    final Node prDateOfBirth = XPathUtils
+        .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
+
+    prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth());
+
+    identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink();
+
+    new BpkBuilder();
+    final Pair<String, String> bpkCalc = BpkBuilder
+        .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
+                                              identityLink.getIdentificationType(),
+                                              pendingReq.getServiceProviderConfiguration()
+                                                        .getAreaSpecificTargetIdentifier());   
+    return new SzrResultHolder(identityLink, bpkCalc.getFirst());
+    
+  }
 
 }
-- 
cgit v1.2.3


From b04c31afa0213048367ee6e4eec4fb52dfd59915 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 11 Nov 2020 11:35:27 +0100
Subject: verify on start-up, if AuthBlock signing-key is accessable

---
 .../modules/auth/eidas/v2/service/AuthBlockSigningService.java        | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
index 30d255b9..cb96b0a0 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -124,6 +124,10 @@ public class AuthBlockSigningService {
     //build new KeyStore based on configuration
     keyStore =  keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
     
+    //check if Key is accessable
+    EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME);
+    
     log.info("AuthBlock signing-service successful initialized");
     
   }   
-- 
cgit v1.2.3


From 3d01b42c1e57145850feefd49327cec2bc8b7843 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Tue, 24 Nov 2020 12:05:00 +0100
Subject: remove unused code

---
 .../specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java | 2 +-
 .../specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java    | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
index cb96b0a0..ccc6eb0c 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -124,7 +124,7 @@ public class AuthBlockSigningService {
     //build new KeyStore based on configuration
     keyStore =  keyStoreFactory.buildNewKeyStore(keyStoreConfiguration);
     
-    //check if Key is accessable
+    //check if Key is accessible
     EaafKeyStoreUtils.getPrivateKeyAndCertificates(
         keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME);
     
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 1ffd56e4..80142b09 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -474,7 +474,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 
     identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink();
 
-    new BpkBuilder();
     final Pair<String, String> bpkCalc = BpkBuilder
         .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(),
                                               identityLink.getIdentificationType(),
-- 
cgit v1.2.3


From d01abea064f33d1c985464aadf3e2326c6ba3219 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 27 Nov 2020 09:07:27 +0100
Subject: upatate AuthBlock format in case of E-ID like authentication

---
 .../eidas/v2/service/AuthBlockSigningService.java  | 52 ++++++++++++++++++++--
 .../eidas/v2/tasks/CreateIdentityLinkTask.java     |  2 +-
 2 files changed, 49 insertions(+), 5 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
index ccc6eb0c..ad9b1082 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -1,11 +1,15 @@
 package at.asitplus.eidas.specific.modules.auth.eidas.v2.service;
 
+import java.io.Serializable;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.Provider;
 import java.security.cert.X509Certificate;
+import java.time.LocalDateTime;
+import java.time.temporal.ChronoUnit;
 import java.util.Base64;
+import java.util.UUID;
 
 import javax.annotation.PostConstruct;
 
@@ -14,11 +18,18 @@ import org.jose4j.lang.JoseException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+import com.fasterxml.jackson.annotation.JsonFormat;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateTimeDeserializer;
+import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateTimeSerializer;
 
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils;
+import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
@@ -27,6 +38,7 @@ import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
 import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
 import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
+import lombok.Data;
 import lombok.extern.slf4j.Slf4j;
 
 /**
@@ -55,18 +67,22 @@ public class AuthBlockSigningService {
   /**
    * Build and sign an AuthBlock for E-ID system. 
    * 
-   * @param dataToSign data that should be added into AuthBlock
+   * @param pendingReq data that should be added into AuthBlock
    * @return serialized JWS
    * @throws JsonProcessingException In case of a AuthBlock generation error 
    * @throws JoseException  In case of a JWS signing error
    * @throws EaafException  In case of a KeyStore or Key error
    */
-  public String buildSignedAuthBlock(String dataToSign) 
+  public String buildSignedAuthBlock(IRequest pendingReq) 
       throws JsonProcessingException, EaafException, JoseException {
-    log.debug("Building and sign authBlock with data: {}", dataToSign);
     
     // build AuthBlock
-    String jwsPayload = mapper.writeValueAsString(dataToSign);
+    EidasAuchBlock authBlock = new EidasAuchBlock();
+    authBlock.setChallenge(UUID.randomUUID().toString());
+    authBlock.setTimestamp(LocalDateTime.now().truncatedTo(ChronoUnit.SECONDS));
+    authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class));    
+    String jwsPayload = mapper.writeValueAsString(authBlock);
+    log.debug("Building and sign authBlock with data: {}", jwsPayload);
     
     //sign JWS
     return JoseUtils
@@ -148,4 +164,32 @@ public class AuthBlockSigningService {
         .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS);
     
   }
+  
+  /**
+   * Technical AuthBlock for eIDAS Authentication.
+   * 
+   * @author tlenz
+   *
+   */
+  @Data
+  public class EidasAuchBlock implements Serializable {
+
+    private static final long serialVersionUID = -2013435642666124497L;
+
+    @JsonProperty("challenge")
+    private String challenge;
+    
+    @JsonProperty("timestamp")
+    @JsonSerialize(using = LocalDateTimeSerializer.class)
+    @JsonDeserialize(using = LocalDateTimeDeserializer.class)
+    @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
+    private LocalDateTime timestamp;
+    
+    @JsonProperty("appId")
+    private String uniqueId;
+    
+    
+  }
+
+  
 }
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 80142b09..f9142f8e 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -157,7 +157,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
               EID_STATUS);
 
           //get signed AuthBlock
-          String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier());
+          String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq);
        
           //inject personal-data into session
           authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature);
-- 
cgit v1.2.3


From 9f684f489a2825d1c8fde371b7e71b8d7513060a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 27 Nov 2020 09:12:22 +0100
Subject: fix a code-style issue

---
 .../modules/auth/eidas/v2/service/AuthBlockSigningService.java       | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
index ad9b1082..cfaecfbb 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java
@@ -1,6 +1,5 @@
 package at.asitplus.eidas.specific.modules.auth.eidas.v2.service;
 
-import java.io.Serializable;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -172,9 +171,7 @@ public class AuthBlockSigningService {
    *
    */
   @Data
-  public class EidasAuchBlock implements Serializable {
-
-    private static final long serialVersionUID = -2013435642666124497L;
+  private static class EidasAuchBlock {
 
     @JsonProperty("challenge")
     private String challenge;
-- 
cgit v1.2.3