diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-08-16 10:22:49 +0200 |
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-08-16 10:22:49 +0200 |
| commit | 3139b9126ae10976848be640d2b8648401e36137 (patch) | |
| tree | 2f37cadd1a7fe9264cc2440ac533ff18f12aeff6 | |
| parent | 54c45296f9782803f261f6c25409a32dad86d75c (diff) | |
| download | moa-id-spss-3139b9126ae10976848be640d2b8648401e36137.tar.gz moa-id-spss-3139b9126ae10976848be640d2b8648401e36137.tar.bz2 moa-id-spss-3139b9126ae10976848be640d2b8648401e36137.zip | |
add eIDAS response LoA validation
3 files changed, 26 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 226e4ac98..36f1392d5 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -270,6 +270,7 @@ eIDAS.10=Internal server error. Reason:{0} eIDAS.11=Received eIDAS Error-Response. Reason:{0}
eIDAS.12=Received eIDAS AuthnRequest is not valid. Reason:{0}
eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0}
+eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.
pvp2.01=Fehler beim kodieren der PVP2 Antwort
pvp2.02=Ungueltiges Datumsformat
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index aa30073f0..e72a28046 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -227,6 +227,7 @@ eIDAS.10=9199 eIDAS.11=1302 eIDAS.12=1305 eIDAS.13=1307 +eIDAS.14=1301 pvp2.01=6100 pvp2.06=6100 diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index fd7a19be8..7ba5aee1e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -24,6 +24,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EidasStringUtil; import eu.eidas.auth.commons.protocol.IAuthenticationResponse; +import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance; import eu.eidas.auth.engine.ProtocolEngineI; import eu.eidas.engine.exceptions.EIDASSAMLEngineException; @@ -73,13 +74,29 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { throw new EIDASResponseNotSuccessException("eIDAS.11", new Object[]{samlResp.getStatusMessage()}); } + + // ********************************************************** + // ******* MOA-ID specific response validation ********** + // ********************************************************** + + //validate received LoA against minimum required LoA + LevelOfAssurance reqLoA = LevelOfAssurance.fromString(pendingReq.getOnlineApplicationConfiguration().getQaaLevel()); + LevelOfAssurance respLoA = LevelOfAssurance.fromString(samlResp.getLevelOfAssurance()); + if (respLoA.numericValue() < reqLoA.numericValue()) { + Logger.error("eIDAS Response LevelOfAssurance is lower than the required! " + + "(Resp-LoA:" + respLoA.getValue() + " Req-LoA:" + reqLoA.getValue() + ")"); + throw new MOAIDException("eIDAS.14", new Object[]{respLoA.getValue()}); + + } + - //MOA-ID specific response validation - //TODO: implement MOA-ID specific response validation + // ********************************************************** + // ******* Store resonse infos into session object ********** + // ********************************************************** //update MOA-Session data with received information Logger.debug("Store eIDAS response information into MOA-session."); - + moasession.setQAALevel(samlResp.getLevelOfAssurance()); moasession.setGenericDataToSession( @@ -99,12 +116,15 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED, samlResp.getId()); + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e); }catch (EIDASSAMLEngineException e) { Logger.error("eIDAS AuthnRequest generation FAILED.", e); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR); - throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.", + throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", new EIDASEngineException("eIDAS.09", new Object[]{e.getMessage()}, e)); } catch (MOADatabaseException e) { |