Binding fixes, Exception messages

author: Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> 2013-06-25 15:06:28 +0200
committer: Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> 2013-06-25 15:06:28 +0200
commit: c7f3a798a9d220e39a8d8ac7b0c1dc159094a110 (patch)
tree: b7c8287617aa3ef2b11963223cb2293fa1feef8a
parent: 2c400ee1020dc9f25be8a4bfcf2a5227393a28ef (diff)
download: moa-id-spss-c7f3a798a9d220e39a8d8ac7b0c1dc159094a110.tar.gz
moa-id-spss-c7f3a798a9d220e39a8d8ac7b0c1dc159094a110.tar.bz2
moa-id-spss-c7f3a798a9d220e39a8d8ac7b0c1dc159094a110.zip
7 files changed, 82 insertions, 72 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 773155934..4f35b084f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -24,6 +24,7 @@
 package at.gv.egovernment.moa.id.auth;
 
 import iaik.pki.PKIException;
+import iaik.security.provider.IAIK;
 import iaik.x509.X509Certificate;
 
 import java.io.ByteArrayInputStream;
@@ -3020,7 +3021,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		
 		CertificateFactory cf;
 		X509Certificate cert = null;
-		cf = CertificateFactory.getInstance("X.509");
+		cf = CertificateFactory.getInstance("X.509", IAIK.getInstance());
 		cert = (X509Certificate)cf.generateCertificate(is);
 	
 		return cert;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
index 531ec0756..0f82d9a3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
@@ -6,14 +6,16 @@ import javax.servlet.http.HttpServletResponse;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.xml.security.SecurityException;
 
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+
 public interface IDecoder {
 	public MOARequest decodeRequest(HttpServletRequest req, 
 			HttpServletResponse resp)
-					throws MessageDecodingException, SecurityException;
+					throws MessageDecodingException, SecurityException, PVP2Exception;
 	
 	public MOAResponse decodeRespone(HttpServletRequest req, 
 			HttpServletResponse resp)
-					throws MessageDecodingException, SecurityException;
+					throws MessageDecodingException, SecurityException, PVP2Exception;
 	
 	public boolean handleDecode(String action, HttpServletRequest req);
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
index f2c392a2a..66526534d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
@@ -8,12 +8,23 @@ import org.opensaml.saml2.core.StatusResponseType;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
 
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+
 public interface IEncoder {
 	public void encodeRequest(HttpServletRequest req, 
 			HttpServletResponse resp, RequestAbstractType request, String targetLocation) 
-					throws MessageEncodingException, SecurityException;
+					throws MessageEncodingException, SecurityException, PVP2Exception;
 	
+	/**
+	 * Encoder SAML Response
+	 * @param req The http request
+	 * @param resp The http response
+	 * @param response The repsonse object
+	 * @param targetLocation
+	 * @throws MessageEncodingException
+	 * @throws SecurityException
+	 */
 	public void encodeRespone(HttpServletRequest req, 
 			HttpServletResponse resp, StatusResponseType response, String targetLocation) 
-					throws MessageEncodingException, SecurityException;
+					throws MessageEncodingException, SecurityException, PVP2Exception;
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 048ad8b38..97e7ef80c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -7,33 +7,25 @@ import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.runtime.RuntimeConstants;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
 import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
-import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusResponseType;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.opensaml.ws.security.SecurityPolicyResolver;
-import org.opensaml.ws.security.provider.BasicSecurityPolicy;
-import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
 import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
 import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.signature.Signature;
 
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 
 public class PostBinding implements IDecoder, IEncoder {
 
@@ -68,7 +60,7 @@ public class PostBinding implements IDecoder, IEncoder {
 			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
 			SingleSignOnService service = new SingleSignOnServiceBuilder()
 					.buildObject();
-			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT");
+			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 			service.setLocation(targetLocation);
 			context.setOutboundSAMLMessageSigningCredential(credentials);
 			context.setPeerEntityEndpoint(service);
@@ -92,27 +84,8 @@ public class PostBinding implements IDecoder, IEncoder {
 		messageContext
 				.setInboundMessageTransport(new HttpServletRequestAdapter(req));
 
-		// TODO: used to verify signature!
-		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
-				TrustEngineFactory.getSignatureKnownKeysTrustEngine());
-
-		// signatureRule.evaluate(messageContext);
-		BasicSecurityPolicy policy = new BasicSecurityPolicy();
-		policy.getPolicyRules().add(signatureRule);
-		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
-				policy);
 		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
-		messageContext.setSecurityPolicyResolver(resolver);
-		
-		MOAMetadataProvider provider = null;
-		try {
-			provider = new MOAMetadataProvider();
-		} catch (MetadataProviderException e) {
-			// TODO Auto-generated catch block
-			e.printStackTrace();
-		}
-		messageContext.setMetadataProvider(provider);
-		
+
 		decode.decode(messageContext);
 
 		RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
@@ -133,18 +106,8 @@ public class PostBinding implements IDecoder, IEncoder {
 		BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
 		messageContext
 				.setInboundMessageTransport(new HttpServletRequestAdapter(req));
-		
-		// TODO: used to verify signature!
-		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
-				TrustEngineFactory.getSignatureKnownKeysTrustEngine());
-
-		// signatureRule.evaluate(messageContext);
-		BasicSecurityPolicy policy = new BasicSecurityPolicy();
-		policy.getPolicyRules().add(signatureRule);
-		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
-				policy);
+
 		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
-		messageContext.setSecurityPolicyResolver(resolver);
 		
 		decode.decode(messageContext);
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index d90e59c35..c0cf6ac63 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -5,6 +5,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
 import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
 import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
@@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
 
 public class RedirectBinding implements IDecoder, IEncoder {
 
@@ -53,7 +55,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
 			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
 			SingleSignOnService service = new SingleSignOnServiceBuilder()
 					.buildObject();
-			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT");
+			service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
 			service.setLocation(targetLocation);
 			context.setOutboundSAMLMessageSigningCredential(credentials);
 			context.setPeerEntityEndpoint(service);
@@ -81,8 +83,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
 		try {
 			messageContext.setMetadataProvider(new MOAMetadataProvider());
 		} catch (MetadataProviderException e) {
-			// TODO Auto-generated catch block
-			e.printStackTrace();
+			Logger.error("Failed to get Metadata Provider");
+			throw new SecurityException("Failed to get Metadata Provider");
 		}
 
 		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
@@ -117,7 +119,6 @@ public class RedirectBinding implements IDecoder, IEncoder {
 		messageContext
 				.setInboundMessageTransport(new HttpServletRequestAdapter(req));
 
-		// TODO: used to verify signature!
 		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
 				TrustEngineFactory.getSignatureKnownKeysTrustEngine());
 
@@ -132,8 +133,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
 		try {
 			provider = new MOAMetadataProvider();
 		} catch (MetadataProviderException e) {
-			// TODO Auto-generated catch block
-			e.printStackTrace();
+			Logger.error("Failed to get Metadata Provider");
+			throw new SecurityException("Failed to get Metadata Provider");
 		}
 		messageContext.setMetadataProvider(provider);
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index acadd3cb4..0820b5d4f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -5,23 +5,31 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
 import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
 import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
 
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 
 public class SoapBinding implements IDecoder, IEncoder {
 
 	public MOARequest decodeRequest(HttpServletRequest req,
 			HttpServletResponse resp) throws MessageDecodingException,
-			SecurityException {
+			SecurityException, PVP2Exception {
 		HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder();
 		BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = 
 				new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>();
@@ -40,20 +48,8 @@ public class SoapBinding implements IDecoder, IEncoder {
 
 	public MOAResponse decodeRespone(HttpServletRequest req,
 			HttpServletResponse resp) throws MessageDecodingException,
-			SecurityException {
-		HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder();
-		BasicSAMLMessageContext<Response, ?, ?> messageContext = 
-				new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
-		messageContext
-				.setInboundMessageTransport(new HttpServletRequestAdapter(
-						req));
-		soapDecoder.decode(messageContext);
-
-		Response inboundMessage = (Response) messageContext
-				.getInboundMessage();
-		
-		MOAResponse moaResponse = new MOAResponse(inboundMessage);
-		return moaResponse;
+			SecurityException, PVP2Exception {
+		throw new BindingNotSupportedException(SAMLConstants.SAML2_SOAP11_BINDING_URI + " response");
 	}
 
 	public boolean handleDecode(String action, HttpServletRequest req) {
@@ -62,15 +58,35 @@ public class SoapBinding implements IDecoder, IEncoder {
 
 	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
 			RequestAbstractType request, String targetLocation)
-			throws MessageEncodingException, SecurityException {
-		// TODO Auto-generated method stub
+			throws MessageEncodingException, SecurityException, PVP2Exception {
 		
 	}
 
 	public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
 			StatusResponseType response, String targetLocation)
-			throws MessageEncodingException, SecurityException {
-		
+			throws MessageEncodingException, SecurityException, PVP2Exception {
+		try {
+			Credential credentials = CredentialProvider
+					.getIDPSigningCredential();
+			
+			HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder();
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					resp, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+					.buildObject();
+			service.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+			service.setLocation(targetLocation);
+			context.setOutboundSAMLMessageSigningCredential(credentials);
+			context.setPeerEntityEndpoint(service);
+			context.setOutboundSAMLMessage(response);
+			context.setOutboundMessageTransport(responseAdapter);
+			
+			encoder.encode(context);
+		} catch (CredentialsNotAvailableException e) {
+			e.printStackTrace();
+			throw new SecurityException(e);
+		}
 	}
 
 }
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 8089b851c..aa0418e77 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -35,6 +35,7 @@ auth.14=Zertifikat konnte nicht ausgelesen werden.
 auth.15=Fehler bei Anfrage an Vollmachten Service.
 auth.16=Fehler bei Abarbeitung der Vollmacht in "{0}"
 auth.17=Vollmachtenmodus f�r nicht-�ffentlichen Bereich wird nicht unterst�tzt.
+auth.18=Die Authentifizierung kann nicht passiv durchgef�hrt werden.
 
 init.00=MOA ID Authentisierung wurde erfolgreich gestartet
 init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround: SSL ist m�glicherweise nicht verf�gbar
@@ -184,3 +185,18 @@ stork.07=Es existiert kein STORK AuthnRequest f�r diese STORK Response
 stork.08=STORK SAML Assertion Validierung fehlgeschlagen
 stork.09=Fehler beim �berpr�fen der STORK B�rgerInnen Signatur
 stork.10=Fehler in der Verbindung zum SZR-Gateway
+
+pvp2.00={0} ist kein gueltiger consumer service index
+pvp2.01=Fehler beim kodieren der PVP2 Antwort
+pvp2.02=Ungueltiges Datumsformat
+pvp2.03=Vollmachtattribute nicht in Metadaten verfuegbar
+pvp2.04=Kein Authorisierungs Context verfuegbar
+pvp2.05=Es wird nur {0} als QAA unterstuetzt
+pvp2.06=Keine Vollmacht verfuegbar
+pvp2.07=SAML Anfrage nicht korrekt digital signiert
+pvp2.08=Keine Credentials fuer {0} verfuegbar
+pvp2.09=SAML Anfrage wird nicht unterstuetzt
+pvp2.10=Attribut {0} nicht verfuegbar
+pvp2.11=Binding {0} wird nicht unterstuetzt
+pvp2.12=NameID Format {0} wird nicht unterstuetzt
+pvp2.13=Interner Server Fehler
+\ No newline at end of file
author	Andreas Fitzek <andreas.fitzek@iaik.tugraz.at>	2013-06-25 15:06:28 +0200
committer	Andreas Fitzek <andreas.fitzek@iaik.tugraz.at>	2013-06-25 15:06:28 +0200
commit	c7f3a798a9d220e39a8d8ac7b0c1dc159094a110 (patch)
tree	b7c8287617aa3ef2b11963223cb2293fa1feef8a
parent	2c400ee1020dc9f25be8a4bfcf2a5227393a28ef (diff)
download	moa-id-spss-c7f3a798a9d220e39a8d8ac7b0c1dc159094a110.tar.gz moa-id-spss-c7f3a798a9d220e39a8d8ac7b0c1dc159094a110.tar.bz2 moa-id-spss-c7f3a798a9d220e39a8d8ac7b0c1dc159094a110.zip