diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-09-20 16:00:31 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-09-20 16:00:31 +0200 |
commit | 5f690a9ddc9a28a91e6f78ffebd859be9c4eb430 (patch) | |
tree | b53de02d96729086bc3601594763a49e9db6859f | |
parent | a2555b24a8a956fa2fa65bd69e2cac3227e9405f (diff) | |
download | moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.tar.gz moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.tar.bz2 moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.zip |
fix bug in eIDAS SAML-engine to allow 2 minutes time jitter in Assertion->Conditions element
5 files changed, 151 insertions, 3 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index 7664eec86..035a9e7f6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -67,7 +67,7 @@ public class Constants { //timeouts and clock skews - public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation + public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java index f214efc90..c24c5efca 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java @@ -32,6 +32,8 @@ import eu.eidas.auth.engine.metadata.MetadataSignerI; */ public class MOAEidasProtocolProcesser extends EidasProtocolProcessor { + private static final String OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID = "moaEidasResponseValidatorSuiteId"; + private final MetadataFetcherI metadataFetcher; private final MetadataSignerI metadataSigner; @@ -46,5 +48,10 @@ public class MOAEidasProtocolProcesser extends EidasProtocolProcessor { this.metadataSigner = metadataSigner; } + + @Override + public String getResponseValidatorId() { + return OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID; + } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java new file mode 100644 index 000000000..d9453322f --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java @@ -0,0 +1,83 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine.validation; + +import org.joda.time.DateTime; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.validator.ConditionsSpecValidator; +import org.opensaml.xml.validation.ValidationException; + +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + * MOA-ID specific eIDAS Response Condition validator + * + * This validator allows time jitter in 'notBefore' validation + * + */ + +public class MoaEidasConditionsValidator extends ConditionsSpecValidator { + + + + @Override + public void validate(Conditions conditions) throws ValidationException { + Logger.debug("conditions.getNotBefore() "+ conditions.getNotBefore()); + Logger.debug("conditions.getNotOnOrAfter() "+ conditions.getNotOnOrAfter()); + Logger.debug("dateTime.now() "+ DateTime.now()); + + super.validate(conditions); + + if (conditions.getNotBefore() == null) { + + throw new ValidationException("NotBefore is required."); + } + + if (conditions.getNotBefore().minusMillis(Constants.CONFIG_PROPS_SKEWTIME).isAfterNow()) { + throw new ValidationException("Current time is before NotBefore condition"); + } + + if (conditions.getNotOnOrAfter() == null) { + + throw new ValidationException("NotOnOrAfter is required."); + } + if (conditions.getNotOnOrAfter().isBeforeNow()) { + + throw new ValidationException("Current time is after NotOnOrAfter condition"); + } + + if (conditions.getAudienceRestrictions() == null || conditions.getAudienceRestrictions().isEmpty()) { + + throw new ValidationException("AudienceRestriction is required."); + } + + if (conditions.getOneTimeUse() == null) { + + throw new ValidationException("OneTimeUse is required."); + } + + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index b95d4359f..eb50c113f 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -22,9 +22,13 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas.utils; +import java.io.InputStream; import java.util.HashMap; import java.util.Map; +import org.opensaml.xml.ConfigurationException; +import org.opensaml.xml.XMLConfigurator; + import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl; import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOASWSigner; @@ -38,6 +42,7 @@ import eu.eidas.auth.engine.ProtocolEngineI; import eu.eidas.auth.engine.SamlEngineSystemClock; import eu.eidas.auth.engine.metadata.MetadataFetcherI; import eu.eidas.auth.engine.metadata.MetadataSignerI; +import eu.eidas.auth.engine.xml.opensaml.SAMLBootstrap; import eu.eidas.engine.exceptions.EIDASSAMLEngineException; import eu.eidas.samlengineconfig.CertificateConfigurationManager; @@ -76,10 +81,15 @@ public class SAMLEngineUtils { //build a map with all actually supported attributes for (AttributeDefinition<?> el : engine.getProtocolProcessor().getAllSupportedAttributes()) allSupportedAttributeMap.put(el.getFriendlyName(), el); - + + //TODO: check if bug is fixed in next eIDAS SAML-engine version + //overwrite eIDAS response validator suite because Condition-Valitator has not time jitter + initOpenSAMLConfig("own-saml-eidasnode-config.xml"); + + eIDASEngine = engine; - } catch (EIDASSAMLEngineException e) { + } catch (EIDASSAMLEngineException | ConfigurationException e) { Logger.error("eIDAS SAMLengine initialization FAILED!", e); throw new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e); @@ -127,6 +137,12 @@ public class SAMLEngineUtils { } } + private static void initOpenSAMLConfig(String xmlConfig) throws ConfigurationException { + XMLConfigurator configurator = new XMLConfigurator(); + InputStream is = SAMLBootstrap.class.getClassLoader().getResourceAsStream(xmlConfig); + configurator.load(is); + + } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml b/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml new file mode 100644 index 000000000..856ebd96a --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XMLTooling xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.opensaml.org/xmltooling-config ../../src/schema/xmltooling-config.xsd" + xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:stork="urn:eu:stork:names:tc:STORK:1.0:assertion" + xmlns:storkp="urn:eu:stork:names:tc:STORK:1.0:protocol" + xmlns:eidas="http://eidas.europa.eu/saml-extensions" + xmlns="http://www.opensaml.org/xmltooling-config"> + +<!-- SAML 2.0 Protocol Object providers --> + <ValidatorSuites> + <!-- SAML 2.0 Schema Validation Rules --> + + <ValidatorSuite id="moaEidasResponseValidatorSuiteId"> + + <Validator qualifiedName="saml2p:Response" + className="eu.eidas.auth.engine.core.validator.eidas.EidasResponseOneAssertionValidator"/> + + <Validator qualifiedName="saml2p:Response" + className="eu.eidas.auth.engine.core.validator.eidas.EidasResponseValidator"/> + + <Validator qualifiedName="saml2:Assertion" + className="eu.eidas.auth.engine.core.validator.eidas.EidasAssertionValidator"/> + + + <Validator qualifiedName="saml2:Conditions" + className="at.gv.egovernment.moa.id.auth.modules.eidas.engine.validation.MoaEidasConditionsValidator"/> + + <Validator qualifiedName="saml2:AuthnStatement" + className="eu.eidas.auth.engine.core.validator.eidas.EidasAuthnStatementValidator"/> + + <Validator qualifiedName="saml2:Attribute" + className="eu.eidas.auth.engine.core.validator.eidas.EidasAttributeValidator"/> + + </ValidatorSuite> + + + </ValidatorSuites> + + +</XMLTooling>
\ No newline at end of file |