diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-01-31 08:42:39 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-01-31 08:42:39 +0100 |
commit | 9e75e06b799e2baeae88a9e4b0e16acf0e292965 (patch) | |
tree | d205ff7b71a70b3e8672fd8acd97107013eaa7a9 | |
parent | d4a8d57e4cd10fc7e427f936983ae7c28aa6eab2 (diff) | |
download | moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.tar.gz moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.tar.bz2 moa-id-spss-9e75e06b799e2baeae88a9e4b0e16acf0e292965.zip |
update SessionEncryption to use IAIK JCE and salt for encryption
6 files changed, 192 insertions, 50 deletions
diff --git a/id/oa/bin/src/main/resources/templates/pvp_postbinding_template.html b/id/oa/bin/src/main/resources/templates/pvp_postbinding_template.html new file mode 100644 index 000000000..1215c2b58 --- /dev/null +++ b/id/oa/bin/src/main/resources/templates/pvp_postbinding_template.html @@ -0,0 +1,51 @@ +## +## Velocity Template for SAML 2 HTTP-POST binding +## +## Velocity context may contain the following properties +## action - String - the action URL for the form +## RelayState - String - the relay state for the message +## SAMLRequest - String - the Base64 encoded SAML Request +## SAMLResponse - String - the Base64 encoded SAML Response + +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + + <body onload="document.forms[0].submit()"> + <noscript> + <p> + <strong>Note:</strong> Since your browser does not support JavaScript, + you must press the Continue button once to proceed. + </p> + </noscript> + + + <div id="alert">Your login is being processed. Thank you for waiting.</div> + + <style type="text/css"> + <!-- + #alert { + margin:100px 250px; + font-family: Verdana, Arial, Helvetica, sans-serif; + font-size:14px; + font-weight:normal; + } + --> + </style> + + <form action="${action}" method="post"> + <div> + #if($RelayState)<input type="hidden" name="RelayState" value="${RelayState}"/>#end + + #if($SAMLRequest)<input type="hidden" name="SAMLRequest" value="${SAMLRequest}"/>#end + + #if($SAMLResponse)<input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>#end + + </div> + <noscript> + <div> + <input type="submit" value="Continue"/> + </div> + </noscript> + </form> + + </body> +</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java new file mode 100644 index 000000000..e0484eb1b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java @@ -0,0 +1,58 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public class EncryptedData { + + private byte[] encData = null; + private byte[] iv = null; + + + /** + * + */ + public EncryptedData(byte[] encdata, byte[] iv) { + this.encData = encdata; + this.iv = iv; + + } + + /** + * @return the encData + */ + public byte[] getEncData() { + return encData; + } + /** + * @return the iv + */ + public byte[] getIv() { + return iv; + } + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 655c507be..90863890f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -271,32 +271,5 @@ public class AuthenticationManager extends AuthServlet { PrintWriter out = new PrintWriter(response.getOutputStream()); out.print(form); out.flush(); - } - - -// private AuthenticationSession getORCreateMOASession(HttpServletRequest request) throws MOAIDException { -// -// //String sessionID = request.getParameter(PARAM_SESSIONID); -// String sessionID = (String) request.getSession().getAttribute(MOA_SESSION); -// AuthenticationSession moasession; -// -// try { -// moasession = AuthenticationSessionStoreage.getSession(sessionID); -// Logger.info("Found existing MOASession with sessionID=" + sessionID -// + ". This session is used for reauthentification."); -// -// } catch (MOADatabaseException e) { -// try { -// moasession = AuthenticationSessionStoreage.createSession(); -// Logger.info("Create a new MOASession with sessionID=" + moasession.getSessionID() + "."); -// -// } catch (MOADatabaseException e1) { -// Logger.error("Database Error! MOASession are not created."); -// throw new MOAIDException("init.04", new Object[] { -// "0"}); -// } -// } -// -// return moasession; -// } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index b00df8a86..393b80d04 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; @@ -110,7 +111,9 @@ public class AuthenticationSessionStoreage { dbsession.setAuthenticated(session.isAuthenticated()); byte[] serialized = SerializationUtils.serialize(session); - dbsession.setSession(SessionEncrytionUtil.encrypt(serialized)); + EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + dbsession.setSession(encdata.getEncData()); + dbsession.setIv(encdata.getIv()); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -133,7 +136,9 @@ public class AuthenticationSessionStoreage { dbsession.setAuthenticated(session.isAuthenticated()); byte[] serialized = SerializationUtils.serialize(session); - dbsession.setSession(SessionEncrytionUtil.encrypt(serialized)); + EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + dbsession.setSession(encdata.getEncData()); + dbsession.setIv(encdata.getIv()); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -193,7 +198,9 @@ public class AuthenticationSessionStoreage { byte[] serialized = SerializationUtils.serialize(session); - dbsession.setSession(SessionEncrytionUtil.encrypt(serialized)); + EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + dbsession.setSession(encdata.getEncData()); + dbsession.setIv(encdata.getIv()); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -291,7 +298,9 @@ public class AuthenticationSessionStoreage { AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); //decrypt Session - byte[] decrypted = SessionEncrytionUtil.decrypt(dbsession.getSession()); + EncryptedData encdata = new EncryptedData(dbsession.getSession(), + dbsession.getIv()); + byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); AuthenticationSession session = (AuthenticationSession) SerializationUtils.deserialize(decrypted); @@ -454,9 +463,11 @@ public class AuthenticationSessionStoreage { } //decrypt Session - byte[] decrypted = SessionEncrytionUtil.decrypt(result.get(0).getSession()); - + EncryptedData encdata = new EncryptedData(result.get(0).getSession(), + result.get(0).getIv()); + byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); return (AuthenticationSession) SerializationUtils.deserialize(decrypted); + } catch (Throwable e) { Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java index 4b7e46ce7..acc2a7273 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java @@ -22,34 +22,58 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.util; +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; + +import java.security.SecureRandom; import java.security.spec.KeySpec; import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.SecretKeySpec; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; public class SessionEncrytionUtil { - static SecretKey secret = null; - + private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + private static final String KEYNAME = "AES"; + + static private SecretKey secret = null; + static { try { String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); if (key != null) { - SecretKeyFactory factory; - factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); - KeySpec spec = new PBEKeySpec(key.toCharArray(), "TestSALT".getBytes(), 1024, 128); - SecretKey tmp = factory.generateSecret(spec); - secret = new SecretKeySpec(tmp.getEncoded(), "AES"); + PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); + PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); + + SecureRandom random = new SecureRandom(); + KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); + + PBEKeyAndParameterSpec parameterSpec = + new PBEKeyAndParameterSpec(pbeKey.getEncoded(), + "TestSALT".getBytes(), + 2000, + 16); + + pbkdf2.init(parameterSpec, random); + SecretKey derivedKey = pbkdf2.generateKey(); + + SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); + SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); + secret = kf.generateSecret(spec); } else { Logger.warn("MOASession encryption is deaktivated."); @@ -61,41 +85,47 @@ public class SessionEncrytionUtil { } - public static byte[] encrypt(byte[] data) throws BuildException { + public static EncryptedData encrypt(byte[] data) throws BuildException { Cipher cipher; if (secret != null) { try { - cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding"); + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); cipher.init(Cipher.ENCRYPT_MODE, secret); Logger.debug("Encrypt MOASession"); - return cipher.doFinal(data); + + byte[] encdata = cipher.doFinal(data); + byte[] iv = cipher.getIV(); + + return new EncryptedData(encdata, iv); } catch (Exception e) { Logger.warn("MOASession is not encrypted",e); throw new BuildException("MOASession is not encrypted", new Object[]{}, e); } } else - return data; + return new EncryptedData(data, null); } - public static byte[] decrypt(byte[] data) throws BuildException { + public static byte[] decrypt(EncryptedData data) throws BuildException { Cipher cipher; if (secret != null) { try { - cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding"); - cipher.init(Cipher.DECRYPT_MODE, secret); + IvParameterSpec iv = new IvParameterSpec(data.getIv()); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.DECRYPT_MODE, secret, iv); Logger.debug("Decrypt MOASession"); - return cipher.doFinal(data); + return cipher.doFinal(data.getEncData()); } catch (Exception e) { Logger.warn("MOASession is not decrypted",e); throw new BuildException("MOASession is not decrypted", new Object[]{}, e); } } else - return data; + return data.getEncData(); } } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java index 64f543973..730a328ab 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java @@ -74,6 +74,9 @@ public class AuthenticatedSessionStore implements Serializable{ @Column(name = "session", nullable=false) @Lob private byte [] session; + @Column(name = "iv", nullable=true) + @Lob private byte [] iv; + @Column(name = "isAuthenticated", nullable=false) private boolean isAuthenticated = false; @@ -205,5 +208,21 @@ public class AuthenticatedSessionStore implements Serializable{ this.pendingRequestID = pendingRequestID; } + /** + * @return the iv + */ + public byte[] getIv() { + return iv; + } + + /** + * @param iv the iv to set + */ + public void setIv(byte[] iv) { + this.iv = iv; + } + + + } |