add configuration parameter to disable 'targetFriendlyName' validation in signed AuthBlock

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-03-13 13:55:21 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-03-13 13:55:21 +0100
commit: 74e5abe316de5748073cc69ca7ad1202b48daa5a (patch)
tree: 9da6f48602172205638fca627abdfc47e52d5923
parent: 5590e7a7477a5598736563b95e0c51ab9cb3c229 (diff)
download: moa-id-spss-74e5abe316de5748073cc69ca7ad1202b48daa5a.tar.gz
moa-id-spss-74e5abe316de5748073cc69ca7ad1202b48daa5a.tar.bz2
moa-id-spss-74e5abe316de5748073cc69ca7ad1202b48daa5a.zip
10 files changed, 62 insertions, 12 deletions
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties
index fa6bccef0..24fe78261 100644
--- a/id/server/data/deploy/conf/moa-id/moa-id.properties
+++ b/id/server/data/deploy/conf/moa-id/moa-id.properties
@@ -18,6 +18,8 @@ configuration.moasession.key=SessionEncryptionKey
 configuration.moaconfig.key=ConfigurationEncryptionKey
 configuration.ssl.validation.revocation.method.order=ocsp,crl
 #configuration.ssl.validation.hostname=false
+#configuration.validate.authblock.targetfriendlyname=true<
+
 
 #MOA-ID 3.x Monitoring Servlet
 configuration.monitoring.active=false
diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html
index 8b2f6a632..9e70c073d 100644
--- a/id/server/doc/handbook/config/config.html
+++ b/id/server/doc/handbook/config/config.html
@@ -423,6 +423,13 @@ UNIX: moa.id.configuration=file:C:/Programme/apache/tomcat-8.x.x/conf/moa-id/moa
       <p><strong>Hinweis: </strong>Workaround, da der httpClient der openSAML2 Implementierung kein SNI (Server Name Indication) unterst&uuml;tzt.</p></td>
     </tr>
     <tr>
+      <td>configuration.validate.authblock.targetfriendlyname</td>
+      <td>true / false</td>
+      <td>Hiermit kann die &Uuml;berpr&uuml;fung des 'TargetFriendlyName', welcher Teil des vom Benutzer signierten Authblock ist, deaktiviert werden.  Eine Deaktivierung hat keinen Einfluss auf die Sicherheit des Authentifizierungsvorgangs mittels qualifizierter Signatur, jedoch kann der 'TargetFriendlyName im Authblock nicht als gesichert betrachtet werden.' Die Validierung ist deaktiviert wenn der Parameter auf <code>false</code> gesetzt wird.<br>
+        <strong>Hinweis:</strong> Hierbei handelt es sich um einen Workaround f&uuml;r Systeme auf denen die Validierung des 'TargetFriendlyName' wegen Problemen mit der Zeichencodierung fehlschl&auml;gt, die Signatur des AuthBlocks jedoch g&uuml;ltig ist.<br>
+        <strong>Defaultwert:</strong> true</td>
+    </tr>
+    <tr>
       <td>configuration.monitoring.active</td>
       <td>true / false</td>
       <td>Aktiviert das Modul f&uuml;r internes Monitoring / Testing.</td>
@@ -2190,7 +2197,7 @@ Alle in diesem Abschnitt angegebenen Parameter sind Optional und werden bei Beda
 <p><strong>Hinweis:</strong> Bei Verwendung einer online-applikationsspezifischen B&uuml;rgerkartenauswahl stehen alle Parameter die die B&uuml;rgerkartenauswahl betreffen nicht zur Verf&uuml;gung.</p>
 <p><strong>Hinweis:</strong> Bei Verwendung eines online-applikationsspezifischen Security-Layer-Request Templates stehen alle Parameter die das SL-Template betreffen nicht zur Verf&uuml;gung.</p>
 <h5><a name="service_revisionslogging" id="uebersicht_zentraledatei_aktualisierung11"></a>3.2.10 Revisionslogging</h5>
-<p>Ab MOA-ID 3.x steht ein erweitertes speziell f&uuml;r Revisionsaufgaben abgestimmtest Logging zur Verf&uuml;gung. &Uuml;ber dieses Feld k&ouml;nnen die zu loggenden Events als CSV codierte Eventcodes konfiguriert werden. Werden keine Eventcodes konfiguriert wird eine in MOA-ID hinterlegte Defaultkonfiguration verwendet. Eine Liste aller m&ouml;glichen Eventcodes finden Sie <a href="../additional/additional.html#revisionslog">hier</a>.</p>
+<p>Ab MOA-ID 3.x steht ein erweitertes speziell f&uuml;r Revisionsaufgaben abgestimmtest Logging zur Verf&uuml;gung. &Uuml;ber dieses Feld k&ouml;nnen die zu loggenden Events spezifisch nach Online Applikationen als CSV codierte Eventcodes konfiguriert werden. Hierf&uuml;r muss die online-applikationsspezifische Konfiguration des Loggings mittels Checkbox aktiviert und zumindesdt ein Eventcode definiert werden. Werden keine Eventcodes konfiguriert oder wird das OA spezifische Verhalten nicht aktiviertwird eine in MOA-ID hinterlegte Defaultkonfiguration verwendet. Eine Liste aller m&ouml;glichen Eventcodes finden Sie <a href="../additional/additional.html#revisionslog">hier</a>.</p>
 <h3><a name="import_export" id="uebersicht_zentraledatei_aktualisierung4"></a>3.3 Import / Export</h3>
 <p>&Uuml;er diese Funktionalit&auml;t besteht die M&ouml;glichkeit eine bestehende MOA-ID 2.x.x
 Konfiguration in MOA-ID 3.x zu importieren. Zus&auml;tzlich besteht die M&ouml;glichkeit eine MOA-ID-Auth 3.0
diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml
index f859b6a45..ce1430aa0 100644
--- a/id/server/idserverlib/pom.xml
+++ b/id/server/idserverlib/pom.xml
@@ -530,6 +530,17 @@
 					</execution>
 				</executions>
 			</plugin>
+             <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.6.1</version>
+                <configuration>
+                    <source>1.7</source>
+                    <target>1.7</target>
+                    <encoding>UTF-8</encoding>
+                </configuration>
+            </plugin>
+			
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-jar-plugin</artifactId>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 3d45e2468..d09aac0f4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -35,6 +35,7 @@ import org.springframework.web.context.support.GenericWebApplicationContext;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.id.util.SSLUtils;
@@ -163,6 +164,10 @@ public class MOAIDAuthInitializer {
         
         fixJava8_141ProblemWithSSLAlgorithms();
         
+        if (!authConf.getBasicMOAIDConfigurationBoolean(ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true))
+        	Logger.info("AuthBlock 'TargetFriendlyName' validation deactivated");
+        
+        
         if (Logger.isDebugEnabled()) {
         	Logger.debug("Loaded Security Provider:");
         	Provider[] providerList = Security.getProviders();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java
index 804b98a5f..8b0134f9c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java
@@ -103,7 +103,11 @@ public abstract class ConfigurationProviderImpl implements ConfigurationProvider
 	public static final String TRUST_MANAGER_REVOCATION_CHECKING =
 		"TrustManager.RevocationChecking";    
 
-
+	/**
+	 * Deactivate TargetFriendlyName validation in Authblock
+	 */
+	public static final String VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME = "configuration.validate.authblock.targetfriendlyname";
+	
   /**
      * A <code>Map</code> which contains generic configuration information. Maps a
      * configuration name (a <code>String</code>) to a configuration value (also a
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 59bd3893d..5642861c5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -76,7 +76,7 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
-import at.gv.egovernment.moa.id.commons.validation.TargetValidator;
+import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
 import at.gv.egovernment.moa.id.data.EncryptedData;
 import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil;
 import at.gv.egovernment.moa.logging.Logger;
@@ -245,7 +245,7 @@ private String getTargetFriendlyName() {
 		return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME);
 		
 	else
-		return TargetValidator.getTargetFriendlyName(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_TARGET));
+		return TargetToSectorNameMapper.getSectorNameViaTarget(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_TARGET));
 
 }
 
diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml
index fd8ddc7fb..31fe6af26 100644
--- a/id/server/moa-id-commons/pom.xml
+++ b/id/server/moa-id-commons/pom.xml
@@ -321,6 +321,7 @@
                 <configuration>
                     <source>1.7</source>
                     <target>1.7</target>
+                    <encoding>UTF-8</encoding>
                 </configuration>
             </plugin>
              <plugin>
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 7c435d0b0..3d0073276 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -4,6 +4,7 @@ package at.gv.egovernment.moa.id.auth;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
 import java.security.Principal;
 import java.security.cert.CertificateException;
 import java.util.Calendar;
@@ -20,6 +21,7 @@ import org.apache.xpath.XPathAPI;
 import org.opensaml.xml.util.Base64;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.Base64Utils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -65,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
 import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
@@ -447,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		.build(authBlock, oaParam.getKeyBoxIdentifier(),
 				transformsInfos);
 		
-		SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+		SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes()));
 		SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
 		SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
 		SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));	
@@ -962,7 +965,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
 		
 		else
-			new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq);
+			new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, 
+					authConfig.getBasicMOAIDConfigurationBoolean(
+							ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true));
 
 		// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
 		List<String> vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs();
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index ddd52c337..5730224e5 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.PARAM_XMLRESPONSE;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
@@ -12,6 +13,7 @@ import org.apache.commons.fileupload.FileUploadException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
+import org.springframework.util.Base64Utils;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
@@ -19,9 +21,11 @@ import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).<p/>
@@ -79,7 +83,9 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
 	    }
 	    
 	    String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-	    		
+	    if (createXMLSignatureResponse != null)
+			SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes()));
+	    		    	    	   
 		try {
 			//check if authblock is received
 			if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 8e3ccb01b..1d2887e6a 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -54,6 +54,7 @@ import java.util.List;
 import javax.xml.bind.DatatypeConverter;
 
 import org.jaxen.SimpleNamespaceContext;
+import org.springframework.util.Base64Utils;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
@@ -135,7 +136,7 @@ public class CreateXMLSignatureResponseValidator {
  * @throws BuildException 
  * @throws ConfigurationException 
    */
-  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
+  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName)
    throws ValidateException, BuildException, ConfigurationException {
       // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
     IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
@@ -272,8 +273,16 @@ public class CreateXMLSignatureResponseValidator {
 	    			}
 	    			
 	    			String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
-	    			if (!refValueSector.equals((String)samlAttribute.getValue()))
-	    				throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});             
+	    			if (!refValueSector.equals((String)samlAttribute.getValue())) {
+	    				if (validateTargetFriendlyName)	    				
+	    					throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+	    				
+	    				else {
+	    					Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector);
+	    						    					
+	    				}
+	    				
+	    			}
 	    	  
 	    		} else
 	    			throw new ValidateException("validator.12", null);
@@ -429,7 +438,7 @@ public class CreateXMLSignatureResponseValidator {
 	  
 	  } catch (Exception e) {
 		  SpecificTraceLogger.trace("Validate AuthBlock without SSO");
-		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
 		  SpecificTraceLogger.trace("OA config: " + oaParam.toString());
 		  SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
 		  SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);		  
@@ -662,7 +671,7 @@ public class CreateXMLSignatureResponseValidator {
     
 	  } catch (Exception e) {
 		  SpecificTraceLogger.trace("Validate AuthBlock with SSO");
-		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
 		  SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());		  
 		  throw e;
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-03-13 13:55:21 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-03-13 13:55:21 +0100
commit	74e5abe316de5748073cc69ca7ad1202b48daa5a (patch)
tree	9da6f48602172205638fca627abdfc47e52d5923
parent	5590e7a7477a5598736563b95e0c51ab9cb3c229 (diff)
download	moa-id-spss-74e5abe316de5748073cc69ca7ad1202b48daa5a.tar.gz moa-id-spss-74e5abe316de5748073cc69ca7ad1202b48daa5a.tar.bz2 moa-id-spss-74e5abe316de5748073cc69ca7ad1202b48daa5a.zip