From d01abea064f33d1c985464aadf3e2326c6ba3219 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 27 Nov 2020 09:07:27 +0100 Subject: upatate AuthBlock format in case of E-ID like authentication --- eidas_modules/authmodule-eIDAS-v2/pom.xml | 6 ++- .../eidas/v2/service/AuthBlockSigningService.java | 52 ++++++++++++++++++++-- .../eidas/v2/tasks/CreateIdentityLinkTask.java | 2 +- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 37 ++------------- 4 files changed, 57 insertions(+), 40 deletions(-) (limited to 'eidas_modules/authmodule-eIDAS-v2') diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml index 4fe2bb36..b2e841fb 100644 --- a/eidas_modules/authmodule-eIDAS-v2/pom.xml +++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml @@ -123,8 +123,10 @@ org.apache.cxf cxf-rt-transports-http - + + com.fasterxml.jackson.datatype + jackson-datatype-jsr310 + javax.servlet diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java index ccc6eb0c..ad9b1082 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java @@ -1,11 +1,15 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.service; +import java.io.Serializable; import java.security.Key; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.Provider; import java.security.cert.X509Certificate; +import java.time.LocalDateTime; +import java.time.temporal.ChronoUnit; import java.util.Base64; +import java.util.UUID; import javax.annotation.PostConstruct; @@ -14,11 +18,18 @@ import org.jose4j.lang.JoseException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import com.fasterxml.jackson.annotation.JsonFormat; +import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateTimeDeserializer; +import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateTimeSerializer; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; @@ -27,6 +38,7 @@ import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.data.Pair; +import lombok.Data; import lombok.extern.slf4j.Slf4j; /** @@ -55,18 +67,22 @@ public class AuthBlockSigningService { /** * Build and sign an AuthBlock for E-ID system. * - * @param dataToSign data that should be added into AuthBlock + * @param pendingReq data that should be added into AuthBlock * @return serialized JWS * @throws JsonProcessingException In case of a AuthBlock generation error * @throws JoseException In case of a JWS signing error * @throws EaafException In case of a KeyStore or Key error */ - public String buildSignedAuthBlock(String dataToSign) + public String buildSignedAuthBlock(IRequest pendingReq) throws JsonProcessingException, EaafException, JoseException { - log.debug("Building and sign authBlock with data: {}", dataToSign); // build AuthBlock - String jwsPayload = mapper.writeValueAsString(dataToSign); + EidasAuchBlock authBlock = new EidasAuchBlock(); + authBlock.setChallenge(UUID.randomUUID().toString()); + authBlock.setTimestamp(LocalDateTime.now().truncatedTo(ChronoUnit.SECONDS)); + authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class)); + String jwsPayload = mapper.writeValueAsString(authBlock); + log.debug("Building and sign authBlock with data: {}", jwsPayload); //sign JWS return JoseUtils @@ -148,4 +164,32 @@ public class AuthBlockSigningService { .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS); } + + /** + * Technical AuthBlock for eIDAS Authentication. + * + * @author tlenz + * + */ + @Data + public class EidasAuchBlock implements Serializable { + + private static final long serialVersionUID = -2013435642666124497L; + + @JsonProperty("challenge") + private String challenge; + + @JsonProperty("timestamp") + @JsonSerialize(using = LocalDateTimeSerializer.class) + @JsonDeserialize(using = LocalDateTimeDeserializer.class) + @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'") + private LocalDateTime timestamp; + + @JsonProperty("appId") + private String uniqueId; + + + } + + } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 80142b09..f9142f8e 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -157,7 +157,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { EID_STATUS); //get signed AuthBlock - String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier()); + String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq); //inject personal-data into session authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index d08855f2..dd485ee6 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -2,9 +2,6 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.anyString; -import static org.mockito.BDDMockito.given; -import static org.mockito.Mockito.doThrow; import static org.powermock.api.mockito.PowerMockito.when; import java.io.IOException; @@ -21,19 +18,14 @@ import java.util.Map; import javax.xml.namespace.QName; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; -import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import org.apache.commons.lang3.RandomStringUtils; import org.jetbrains.annotations.NotNull; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; import org.jose4j.jws.AlgorithmIdentifiers; -import org.jose4j.lang.JoseException; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; -import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; @@ -51,6 +43,8 @@ import com.skjolberg.mockito.soap.SoapServiceRule; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; @@ -61,6 +55,7 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; @@ -75,7 +70,6 @@ import eu.eidas.auth.commons.attribute.PersonType; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import lombok.val; import szrservices.SZR; -import szrservices.SZRException_Exception; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -193,7 +187,7 @@ public class CreateIdentityLinkTaskEidNewTest { .getPrivateKeyAndCertificates(keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts), constraints); Assert.assertTrue("AuthBlock not valid", result.isValid()); - + } @Test @@ -225,29 +219,6 @@ public class CreateIdentityLinkTaskEidNewTest { } } - @Ignore - @Test - public void exceptionTest() throws Exception { - try { - when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); - val signContentResp = new SignContentResponseType(); - final SignContentEntry signContentEntry = new SignContentEntry(); - signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); - signContentResp.getOut().add(signContentEntry); - when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); - doThrow(new EaafException("test")).when(authBlockSigner) - .buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier()); - - task.execute(pendingReq, executionContext); - } catch (TaskExecutionException e) { - Assert.assertEquals("Incorrect exception thrown", e.getMessage(), - "IdentityLink generation for foreign person " + "FAILED."); - Assert.assertTrue("Incorrect exception thrown", e.getCause() instanceof EaafException); - Assert.assertTrue("Incorrect exception thrown", e.getCause().getMessage().contains("test")); - } - - } - private Pair getKeyStore() throws EaafException { // read Connector wide config data TODO connector wide! String keyStoreName = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); -- cgit v1.2.3