some more SL20 authentication module updates

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-06-05 11:22:47 +0200
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-06-05 11:22:47 +0200
commit: f6be7465031504f3b9764d1e7a687f5ba491e7b5 (patch)
tree: 21135275dd1ea556afda968c8e501a5d77df0f6e
parent: eeb353539af8e185eca23795ae592df01b049914 (diff)
download: moa-id-spss-f6be7465031504f3b9764d1e7a687f5ba491e7b5.tar.gz
moa-id-spss-f6be7465031504f3b9764d1e7a687f5ba491e7b5.tar.bz2
moa-id-spss-f6be7465031504f3b9764d1e7a687f5ba491e7b5.zip
6 files changed, 30 insertions, 16 deletions
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
index a3648220d..10a95501b 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -7,7 +7,8 @@ public class Constants {
 	
 	public static final String CONFIG_PROP_PREFIX = "modules.sl20";
 	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
-	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";	
+	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";
+	public static final String CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID = CONFIG_PROP_PREFIX + ".vda.authblock.transformation.id";	
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PATH = CONFIG_PROP_PREFIX + ".security.keystore.path";
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD = CONFIG_PROP_PREFIX + ".security.keystore.password";
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS = CONFIG_PROP_PREFIX + ".security.sign.alias";
@@ -19,7 +20,9 @@ public class Constants {
 	public static final String CONFIG_PROP_SP_LIST = CONFIG_PROP_PREFIX + ".sp.entityIds.";
 	
 	public static final String CONFIG_PROP_DISABLE_EID_VALIDATION = CONFIG_PROP_PREFIX + ".security.eID.validation.disable";
-	public static final String CONFIG_PROP_DISABLE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.enabled";
+	public static final String CONFIG_PROP_ENABLE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.enabled";
+	public static final String CONFIG_PROP_FORCE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.required";
+	public static final String CONFIG_PROP_FORCE_EID_SIGNED_RESULT = CONFIG_PROP_PREFIX + ".security.eID.signed.result.required";
 	
 	public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";
 	
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index 2e81d9c64..fa52634a3 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -226,11 +226,6 @@ public class SL20JSONExtractorUtils {
 		if (sl20Payload == null && sl20SignedPayload == null)
 			throw new SLCommandoParserException("NO payLoad OR signedPayload FOUND.");		
 		
-		//TODO:
-		//else if (sl20Payload != null && sl20SignedPayload != null) { 
-		    //log.warn("Find 'signed' AND 'unsigned' SL2.0 payload");
-			//throw new SLCommandoParserException("payLoad AND signedPayload FOUND. Can not used twice");
-		//}
 		else if (sl20SignedPayload == null && mustBeSigned)
 			throw new SLCommandoParserException("payLoad MUST be signed.");
 
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
index a7253c2c6..0c93e7886 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -2,7 +2,6 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 
@@ -29,6 +28,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
@@ -87,7 +87,11 @@ public class QualifiedeIDVerifier {
 	
 	public static IVerifiyXMLSignatureResponse verifyAuthBlock(String authBlockB64, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException, IOException {
 		String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore());
-		List<String> verifyTransformsInfoProfileID = Arrays.asList("SL20Authblock_v1.0");
+		List<String> verifyTransformsInfoProfileID = 
+				KeyValueUtils.getListOfCSVValues(
+						KeyValueUtils.normalizeCSVValueString(
+								authConfig.getBasicMOAIDConfiguration(
+										at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants.CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID))); 
 		
 		SignatureVerificationUtils sigVerify = new SignatureVerificationUtils();
 		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(Base64Utils.decode(authBlockB64, false), trustProfileId , verifyTransformsInfoProfileID);
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 26283cab2..c425ca0a7 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -1,5 +1,6 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
 
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -86,13 +87,19 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE, "AT");
 				//qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE, UUID.randomUUID().toString());
 
-				//TODO:
+				
+				X509Certificate encCert = null;
+				if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_ENABLE_EID_ENCRYPTION, true))
+					encCert = joseTools.getEncryptionCertificate();
+				else
+					Logger.info("eID data encryption is disabled by configuration");
+				
 				JsonObject qualeIDCommandParams = SL20JSONBuilderUtils.createQualifiedeIDCommandParameters(
 						authBlockId, 
 						dataURL, 
 						qualifiedeIDParams, 
-						//joseTools.getEncryptionCertificate());
-						null);
+						encCert
+						);
 								
 				//String qualeIDReqId = UUID.randomUUID().toString();
 				//TODO: work-Around for A-trust
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 357ecb6ec..9262e43e9 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -100,7 +100,9 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				
 				
 				//validate signature
-				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
+				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, 
+						authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true));
+				
 				if (payLoadContainer.isValidSigned() == null || 
 						!payLoadContainer.isValidSigned()) {
 					Logger.info("SL20 result from VDA was not valid signed");
@@ -125,7 +127,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 									
 					JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(
 							payLoad, joseTools, 
-							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true));
+							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_ENCRYPTION, true));
 
 					//extract attributes from result
 					Map<String, String> eIDData = SL20JSONExtractorUtils.getMapOfStringElements(qualeIDResult);
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java b/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java
index 93e046797..bba4ade82 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java
@@ -76,8 +76,11 @@ public class DummyAuthConfig implements AuthConfiguration {
 
 	@Override
 	public String getBasicMOAIDConfiguration(String key) {
-		// TODO Auto-generated method stub
-		return null;
+		if (at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants.CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID.equals(key))
+			return "SL20Authblock_v1.0";
+		
+		else
+			return null;
 	}
 
 	@Override
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-06-05 11:22:47 +0200
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-06-05 11:22:47 +0200
commit	f6be7465031504f3b9764d1e7a687f5ba491e7b5 (patch)
tree	21135275dd1ea556afda968c8e501a5d77df0f6e
parent	eeb353539af8e185eca23795ae592df01b049914 (diff)
download	moa-id-spss-f6be7465031504f3b9764d1e7a687f5ba491e7b5.tar.gz moa-id-spss-f6be7465031504f3b9764d1e7a687f5ba491e7b5.tar.bz2 moa-id-spss-f6be7465031504f3b9764d1e7a687f5ba491e7b5.zip