diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-02-09 15:35:15 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-02-09 15:35:15 +0100 | 
| commit | 3d6692ef16835b4ceeae3d3e85ea3bce053ab1a4 (patch) | |
| tree | 06094019076da7cf85f1b56130a5c4c318d77ac6 | |
| parent | dd88bbb1a644575395a03dcd757c0e3174914724 (diff) | |
| download | moa-id-spss-3d6692ef16835b4ceeae3d3e85ea3bce053ab1a4.tar.gz moa-id-spss-3d6692ef16835b4ceeae3d3e85ea3bce053ab1a4.tar.bz2 moa-id-spss-3d6692ef16835b4ceeae3d3e85ea3bce053ab1a4.zip | |
add additional validation steps in eIDAS message processing
10 files changed, 290 insertions, 38 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 3264fc3bd..cad3354f5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -71,7 +71,6 @@ import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.MISMandate;  import at.gv.egovernment.moa.id.data.Pair; -import at.gv.egovernment.moa.id.moduls.RequestImpl;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; @@ -1105,16 +1104,20 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  		String baseID = authData.getIdentificationValue();  		String baseIDType = authData.getIdentificationType(); -		 -		String eIDASOutboundCountry = pendingReq.getGenericData(RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, String.class); -		 -		//TODO: maybe find a better solution -		String cititzenCountryCode =  -				authConfig.getBasicMOAIDConfiguration("moa.id.protocols.eIDAS.node.countrycode",  -						MOAIDAuthConstants.COUNTRYCODE_AUSTRIA); -		 -		 if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { -			 if (MiscUtil.isNotEmpty(eIDASOutboundCountry) && !cititzenCountryCode.equals(eIDASOutboundCountry)) { +			 +		 if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {			  +			 //Calculate eIDAS identifier +			 if (oaParam.getBusinessService() &&  +					 oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) {  +				 String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+"); +				 String cititzenCountryCode = splittedTarget[1]; +				 String eIDASOutboundCountry = splittedTarget[2];				  +				  +				 if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { +					 Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); +					  +				 } +				 				   				 Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID,   						 cititzenCountryCode, eIDASOutboundCountry);  				 Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond());	 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index b612352c6..b87574d52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -61,7 +61,7 @@ public abstract class RequestImpl implements IRequest, Serializable{  	public static final String DATAID_REQUESTER_IP_ADDRESS = "requesterIP"; -	public static final String eIDAS_GENERIC_REQ_DATA_COUNTRY = "country"; +//	public static final String eIDAS_GENERIC_REQ_DATA_COUNTRY = "country";  	public static final String eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE = "eIDAS_LoA"; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 79dc11f34..1a2f0d1d3 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -272,6 +272,7 @@ eIDAS.12=Received eIDAS AuthnRequest is not valid. Reason:{0}  eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0}
  eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.
  eIDAS.15=Generation of eIDAS Response FAILED. Required attribute: {0} is NOT available.
 +eIDAS.16=eIDAS Response attribute-validation FAILED. Attribute:{0} Reason: {1}.
  pvp2.01=Fehler beim kodieren der PVP2 Antwort
  pvp2.02=Ungueltiges Datumsformat
 diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 8d6c77831..c6d0844ce 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -229,6 +229,7 @@ eIDAS.12=1305  eIDAS.13=1307  eIDAS.14=1301  eIDAS.15=1307 +eIDAS.16=1301  pvp2.01=6100  pvp2.06=6100 diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java index 260b2ecb1..129478270 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -449,7 +449,7 @@ public interface Constants {    //TODO: update to eIDAS prefix    /** URN prefix for context dependent id (eIDAS). */ -  public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":storkid"; +  public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid";    /** URN prefix for context dependent id. */    public static final String URN_PREFIX_BASEID = URN_PREFIX + ":baseid"; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index c4b2bfeae..45ba3d64e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -19,12 +19,12 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.eidas.validator.eIDASResponseValidator;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil;  import eu.eidas.auth.commons.EidasStringUtil;  import eu.eidas.auth.commons.protocol.IAuthenticationResponse; -import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;  import eu.eidas.auth.engine.ProtocolEngineI;  import eu.eidas.engine.exceptions.EIDASSAMLEngineException; @@ -78,16 +78,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			// **********************************************************  			// *******   MOA-ID specific response validation   **********  			// ********************************************************** -			 -			//validate received LoA against minimum required LoA -			LevelOfAssurance reqLoA = LevelOfAssurance.fromString(pendingReq.getOnlineApplicationConfiguration().getQaaLevel()); -			LevelOfAssurance respLoA = LevelOfAssurance.fromString(samlResp.getLevelOfAssurance());  -			if (respLoA.numericValue() < reqLoA.numericValue()) { -				Logger.error("eIDAS Response LevelOfAssurance is lower than the required! " -						+ "(Resp-LoA:" + respLoA.getValue() + " Req-LoA:" + reqLoA.getValue() + ")"); -				throw new MOAIDException("eIDAS.14", new Object[]{respLoA.getValue()}); -				 -			} +			String spCountry = authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); +			eIDASResponseValidator.validateResponse(pendingReq, samlResp, spCountry);  			// ********************************************************** diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeProcessingUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeProcessingUtils.java new file mode 100644 index 000000000..30e1e4505 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeProcessingUtils.java @@ -0,0 +1,75 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidas.utils; + +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class eIDASAttributeProcessingUtils { +	public static final String PERSONALIDENIFIER_VALIDATION_PATTERN = "^[A-Z,a-z]{2}/[A-Z,a-z]{2}/.*"; +	 +	/** +	 * Validate a eIDAS PersonalIdentifier attribute value  +	 * This validation is done according to eIDAS SAML Attribute Profile -  Section 2.2.3 Unique Identifier  +	 *  +	 * @param uniqueID eIDAS attribute value of a unique identifier +	 * @return true if the uniqueID matches to eIDAS to Unique Identifier specification, otherwise false +	 */ +	public static boolean validateEidasPersonalIdentifier(String uniqueID) { +		Pattern pattern = Pattern.compile(PERSONALIDENIFIER_VALIDATION_PATTERN ); +		Matcher matcher = pattern.matcher(uniqueID);	 +		return matcher.matches(); +		 +	} +	 +	 +	/** +	 * Parse an eIDAS PersonalIdentifier attribute value into it components.  +	 * This processing is done according to eIDAS SAML Attribute Profile -  Section 2.2.3 Unique Identifier  +	 *  +	 * @param uniqueID eIDAS attribute value of a unique identifier +	 * @return {@link Trible} that contains:  +	 * 				<br> First : citizen country +	 * 				<br> Second: destination country +	 * 				<br> Third : unique identifier +	 * 	<br> or null if the attribute value has a wrong format +	 */					 +	public static Trible<String, String, String> parseEidasPersonalIdentifier(String uniqueID) { +		if (!validateEidasPersonalIdentifier(uniqueID)) { +			Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +					+ " looks wrong formated. Value:" + ((String)uniqueID));				 +			return null; +			 +		}		 +		return Trible.newInstance(uniqueID.substring(0, 2), uniqueID.substring(3, 5), uniqueID.substring(6));  +		 +	} +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index aefae939b..589cd9654 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.eidas;  import java.io.IOException;  import java.io.StringWriter;  import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; @@ -213,6 +215,11 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {  			} +			//check eIDAS node configuration +			IOAAuthParameters oaConfig = authConfig.getOnlineApplicationParameter(samlReq.getIssuer()); +			if (oaConfig == null) +				throw new EIDASAuthnRequestProcessingException("eIDAS.08", new Object[]{samlReq.getIssuer()}); +			  			//validate AssertionConsumerServiceURL against metadata   			EntityDescriptor eIDASNodeEntityDesc = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider)  						.getEntityDescriptor(eIDASSamlReq.getIssuer(), SAMLEngineUtils.getMetadataSigner()); @@ -258,8 +265,33 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {  			}		 +			//validate request country-code against eIDAS node config +			String reqCC = samlReq.getOriginCountryCode(); +			String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier(); + +			//validate eIDAS target +			Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS  +					+ "\\+[A-Z,a-z]{2}\\+[A-Z,a-z]{2}$"); +			Matcher matcher = pattern.matcher(eIDASTarget);						 +			if (MiscUtil.isEmpty(eIDASTarget) || !matcher.matches()) { +				Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()  +					+ " contains wrong formated eIDAS target:" + eIDASTarget); +				throw new MOAIDException("config.08", new Object[]{samlReq.getIssuer()}); +				 +			} else { +				String[] splittedTarget = eIDASTarget.split("\\+"); +				if (!splittedTarget[2].equalsIgnoreCase(reqCC)) { +					Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()  +						+ " Destination Country from request (" + reqCC  +						+ ") does not match to configuration:" + eIDASTarget); +					throw new MOAIDException("eIDAS.01",  +							new Object[]{"Destination Country from request does not match to configuration"}); +					 +				} +				Logger.debug("CountryCode from request matches eIDAS-node configuration target"); +			} -			 +						  			//*************************************************  			//*****  store eIDAS request information  *********  			//************************************************* @@ -269,10 +301,6 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {  			// - memorize relaystate  			String relayState = request.getParameter("RelayState");  			pendingReq.setRemoteRelayState(relayState); - -			// - memorize country code of target country -			pendingReq.setGenericDataToSession( -					RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getOriginCountryCode());  			//store level of assurance  			pendingReq.setGenericDataToSession(RequestImpl.eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE,  @@ -288,10 +316,6 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {  			pendingReq.setOAURL(samlReq.getIssuer());  			// - memorize OA config -			IOAAuthParameters oaConfig = authConfig.getOnlineApplicationParameter(pendingReq.getOAURL()); -			if (oaConfig == null) -				throw new EIDASAuthnRequestProcessingException("eIDAS.08", new Object[]{pendingReq.getOAURL()}); -			  			pendingReq.setOnlineApplicationConfiguration(oaConfig);  			// - memorize service-provider type from eIDAS request @@ -302,7 +326,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {  			if (MiscUtil.isEmpty(spType))  				spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc); -			if (MiscUtil.isEmpty(spType)) +			if (MiscUtil.isNotEmpty(spType))  				Logger.debug("eIDAS request has SPType:" + spType);			  			else  				Logger.info("eIDAS request and eIDAS metadata contains NO 'SPType' element."); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index f0e7e918b..26a171ba8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -43,12 +43,14 @@ import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;  import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;  import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;  import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SimpleEidasAttributeGenerator; +import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeProcessingUtils;  import at.gv.egovernment.moa.id.commons.MOAIDConstants;  import at.gv.egovernment.moa.id.commons.api.IRequest;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.SLOInformationImpl;  import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.data.Trible;  import at.gv.egovernment.moa.id.moduls.IAction;  import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;  import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonFullNameAttributeBuilder; @@ -121,12 +123,28 @@ public class eIDASAuthenticationRequest implements IAction {  						newValue = authData.getBPK();  						isUniqueID = true; +						//generate eIDAS conform 'PersonalIdentifier' attribute +						if (!eIDASAttributeProcessingUtils.validateEidasPersonalIdentifier(newValue)) { +							Logger.debug("preCalculated PersonalIdentifier does not include eIDAS conform prefixes ... add prefix now"); +							if (MiscUtil.isEmpty(authData.getBPKType()) +									|| !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) { +								Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType()); +								throw new MOAIDException("builder.08", new Object[]{"Suspect bPKType for eIDAS identifier generation"}); +								 +							}  +							 +							String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1); +							newValue = prefix.replaceAll("\\+", "/") + "/" + newValue; +														 +						} +												  						//generate a transient unique identifier if it is requested  						String reqNameIDFormat = eidasRequest.getEidasRequest().getNameIdFormat();  						if (MiscUtil.isNotEmpty(reqNameIDFormat)   								&& reqNameIDFormat.equals(SamlNameIdFormat.TRANSIENT.getNameIdFormat()))  							newValue = generateTransientNameID(newValue); -																			 + +												  						subjectNameID = newValue;  						break;  					case Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER: @@ -301,12 +319,20 @@ public class eIDASAuthenticationRequest implements IAction {  	private String generateTransientNameID(String nameID) { -		String random = Random.nextLongRandom(); +		//extract source-country and destination country from persistent identifier  +		Trible<String, String, String> split = eIDASAttributeProcessingUtils.parseEidasPersonalIdentifier(nameID); +		if (split == null) { +			Logger.error("eIDAS 'PersonalIdentifier' has a wrong format. There had to be a ERROR in implementation!!!!"); +			throw new IllegalStateException("eIDAS 'PersonalIdentifier' has a wrong format. There had to be a ERROR in implementation!!!!"); +			 +		}  +		//build correct formated transient identifier +		String random = Random.nextLongRandom();		  		try {  			MessageDigest md = MessageDigest.getInstance("SHA-1"); -			byte[] hash = md.digest((nameID + random).getBytes("ISO-8859-1"));			 -			return Base64Utils.encode(hash); +			byte[] hash = md.digest((split.getThird() + random).getBytes("ISO-8859-1"));			 +			return split.getFirst() + "/" + split.getSecond() + "/" + Base64Utils.encode(hash);  		} catch (Exception e) {  			Logger.error("Can not generate transient personal identifier!", e); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java new file mode 100644 index 000000000..f0527bc5e --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java @@ -0,0 +1,130 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.validator; + +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; +import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeProcessingUtils; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import eu.eidas.auth.commons.protocol.IAuthenticationResponse; +import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance; + +/** + * @author tlenz + * + */ +public class eIDASResponseValidator { +	 + +	public static void validateResponse(IRequest pendingReq, IAuthenticationResponse samlResp, String spCountry) throws MOAIDException {		 + +		/*-----------------------------------------------------| +		 * validate received LoA against minimum required LoA  | +		 *_____________________________________________________| +		 */ +		LevelOfAssurance reqLoA = LevelOfAssurance.fromString(pendingReq.getOnlineApplicationConfiguration().getQaaLevel()); +		LevelOfAssurance respLoA = LevelOfAssurance.fromString(samlResp.getLevelOfAssurance());  +		if (respLoA.numericValue() < reqLoA.numericValue()) { +			Logger.error("eIDAS Response LevelOfAssurance is lower than the required! " +					+ "(Resp-LoA:" + respLoA.getValue() + " Req-LoA:" + reqLoA.getValue() + ")"); +			throw new MOAIDException("eIDAS.14", new Object[]{respLoA.getValue()}); +			 +		} + +		/*-----------------------------------------------------| +		 *     validate 'PersonalIdentifier' attribute         | +		 *_____________________________________________________| +		 */ +		String respCC = samlResp.getCountry();		 +		Object personalIdObj = samlResp.getAttributes().getFirstValue( +	        		SAMLEngineUtils.getMapOfAllAvailableAttributes().get( +	        				Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); +	    +		//check attribute type +		if (personalIdObj == null || !(personalIdObj instanceof String)) +	        	Logger.warn("eIDAS Response include NO 'PersonalIdentifier' attriubte " +	        			+ ".... That can be a BIG problem in further processing steps");	 +		 +		else { +			//validate attribute value format +			Trible<String, String, String> split =  +					eIDASAttributeProcessingUtils.parseEidasPersonalIdentifier((String)personalIdObj); +			if (split == null) { +				throw new MOAIDException("eIDAS.16",  +						new Object[]{ +								Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +								"Wrong identifier format"}); +				 +			} else { +				//validation according to eIDAS SAML Attribute Profile, Section 2.2.3  +				if (MiscUtil.isEmpty(split.getSecond())) { +					Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes NO destination country. Value:" + ((String)personalIdObj));				 +					throw new MOAIDException("eIDAS.16",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"No or empty destination country"}); +					 +				} +				if (!split.getSecond().equalsIgnoreCase(spCountry)) { +					Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes wrong destination country. Value:" + ((String)personalIdObj) +							+ " SP-Country:" + spCountry);				 +					throw new MOAIDException("eIDAS.16",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"Destination country does not match to SP country"}); +					 +				} +				 +				if (MiscUtil.isEmpty(split.getFirst())) { +					Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes NO citizen country. Value:" + ((String)personalIdObj));				 +					throw new MOAIDException("eIDAS.16",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"No or empty citizen country"}); +					 +				} +				if (!split.getFirst().equalsIgnoreCase(respCC)) { +					Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER  +							+ " includes a citizen country that does not match to eIDAS Response node. " +							+ " Value:" + ((String)personalIdObj) +							+ " Response-Node Country:" + respCC);				 +					throw new MOAIDException("eIDAS.16",  +							new Object[]{ +									Constants.eIDAS_ATTR_PERSONALIDENTIFIER, +									"Citizen country does not match to eIDAS-node country that generates the response"}); +					 +				}				 +			}									 +		} +		 +		 +		 +	} +} | 
