author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-09-04 07:25:09 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-09-04 07:25:09 +0200 |
commit | 61362f940ca679fe215de34b1683e1110fea8d3e (patch) | |
tree | 0857aa21842a33d6e6e52d27b058c1af9831cb6b /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | |
parent | 8854b5c2c1e342b891271a04face4f4479653d46 (diff) | |
MOA-ID Updates and Bugfixes
-- OW BPK calculation
-- OA specific SL-Templates
-- update MOA-ID configuration XML
-- PVP2: QA Level and BPK calculation updated
-- PVP2: add two attribute builder
-- MOA-ID BKU selection: bugfix local BKU selection
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 375 |
1 files changed, 202 insertions, 173 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index f1c15e83b..89adbce3f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -23,9 +23,11 @@ package at.gv.egovernment.moa.id.auth; +import iaik.asn1.ObjectID; import iaik.pki.PKIException; import iaik.x509.CertificateFactory; import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; import java.io.ByteArrayInputStream; import java.io.IOException; @@ -652,21 +654,27 @@ public class AuthenticationServer implements MOAIDAuthConstants { // check if person is a Organwalter // if true - don't show bPK in AUTH Block - boolean isOW = false; -// String oid = null; -// if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER)) -// isOW = true; -// -// AuthenticationSession session = getSession(sessionID); - + try { + for (ObjectID OWid : MOAIDAuthConstants.OW_LIST) { + if (certificate.getExtension(OWid) != null) { + session.setOW(true); + } + + } + + } catch (X509ExtensionInitException e) { + Logger.warn("Certificate extension is not readable."); + session.setOW(false); + } + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session, - authConf, oaParam, isOW); + String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session, + authConf, oaParam); return returnvalue; } 
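Review bot: The new OW detection in the `@@ -652` hunk only ever sets `session.setOW(true)` (or `false` in the catch block), so a session whose flag is already true keeps it even when no OW extension is found, whereas the removed code reset `isOW = false` on every call; the enclosing method begins before the hunk. Compute the result locally and store it once: `boolean isOW = false;` before the try, `isOW = true; break;` inside the match, and `session.setOW(isOW);` after the try. If `certificate` has not been chain-validated before this point (not visible here), the presence of an OID from `OW_LIST` is decided by whatever the client presented, so the validation order should be confirmed. The `Logger.warn("Certificate extension is not readable.")` call drops `e`, so the cause of an unreadable extension is lost; pass the exception to the logger if its API allows it.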
@@ -784,75 +792,77 @@ public class AuthenticationServer implements MOAIDAuthConstants { return createXMLSignatureRequest; } - /** - * - * @param session - * @param authConf - * @param oaParam - * @return - * @throws ConfigurationException - * @throws BuildException - * @throws ValidateException - */ - public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW( - AuthenticationSession session, AuthConfigurationProvider authConf, - OAAuthParameter oaParam, boolean isOW) throws ConfigurationException, - BuildException, ValidateException { - - // check for intermediate processing of the infoboxes - if (session.isValidatorInputPending()) - return "Redirect to Input Processor"; - - if (authConf == null) - authConf = AuthConfigurationProvider.getInstance(); - if (oaParam == null) - oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter( - session.getPublicOAURLPrefix()); - - // BZ.., calculate bPK for signing to be already present in AuthBlock - IdentityLink identityLink = session.getIdentityLink(); - if (identityLink.getIdentificationType().equals( - Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we - // have the Stammzahl - if (isOW) { - // if person is OW, delete identification value (bPK is calculated via MIS) - identityLink.setIdentificationValue(null); - identityLink.setIdentificationType(null); - } - else { - - //TODO: check correctness!!! bpk calcultion is done during Assertion generation -// String bpkBase64 = new BPKBuilder().buildBPK(identityLink -// .getIdentificationValue(), session.getTarget()); -// identityLink.setIdentificationValue(bpkBase64); -// -// //TODO: insert correct Type!!!! 
-// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); - } - } - // ..BZ - // } - - // builds the AUTH-block - String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW); - - // session.setAuthBlock(authBlock); - // builds the <CreateXMLSignatureRequest> - List<String> transformsInfos = oaParam.getTransformsInfos(); - if ((transformsInfos == null) || (transformsInfos.size() == 0)) { - // no OA specific transforms specified, use default ones - transformsInfos = authConf.getTransformsInfos(); - } - String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() - .build(authBlock, oaParam.getKeyBoxIdentifier(), - transformsInfos, oaParam.isSlVersion12()); - - System.out.println("XML: " + createXMLSignatureRequest); - - return createXMLSignatureRequest; - } +// /** +// * +// * @param session +// * @param authConf +// * @param oaParam +// * @return +// * @throws ConfigurationException +// * @throws BuildException +// * @throws ValidateException +// */ +// public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW( +// AuthenticationSession session, AuthConfigurationProvider authConf, +// OAAuthParameter oaParam, boolean isOW) throws ConfigurationException, +// BuildException, ValidateException { +// +// // check for intermediate processing of the infoboxes +// if (session.isValidatorInputPending()) +// return "Redirect to Input Processor"; +// +// if (authConf == null) +// authConf = AuthConfigurationProvider.getInstance(); +// if (oaParam == null) +// oaParam = AuthConfigurationProvider.getInstance() +// .getOnlineApplicationParameter( +// session.getPublicOAURLPrefix()); +// +// // BZ.., calculate bPK for signing to be already present in AuthBlock +// IdentityLink identityLink = session.getIdentityLink(); +// if (identityLink.getIdentificationType().equals( +// Constants.URN_PREFIX_BASEID)) { +// +// // only compute bPK if online application is a public service and we +// // have the Stammzahl 
+//// if (isOW) { +//// // if person is OW, delete identification value (bPK is calculated via MIS) +//// identityLink.setIdentificationValue(null); +//// identityLink.setIdentificationType(null); +//// } +//// else { +// +// //TODO: check correctness!!! bpk calcultion is done during Assertion generation +//// String bpkBase64 = new BPKBuilder().buildBPK(identityLink +//// .getIdentificationValue(), session.getTarget()); +//// identityLink.setIdentificationValue(bpkBase64); +//// +//// //TODO: insert correct Type!!!! +//// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); +//// } +// +// } +// // ..BZ +// // } +// +// // builds the AUTH-block +// String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW); +// +// // session.setAuthBlock(authBlock); +// // builds the <CreateXMLSignatureRequest> +// List<String> transformsInfos = oaParam.getTransformsInfos(); +// if ((transformsInfos == null) || (transformsInfos.size() == 0)) { +// // no OA specific transforms specified, use default ones +// transformsInfos = authConf.getTransformsInfos(); +// } +// String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() +// .build(authBlock, oaParam.getKeyBoxIdentifier(), +// transformsInfos, oaParam.isSlVersion12()); +// +// System.out.println("XML: " + createXMLSignatureRequest); +// +// return createXMLSignatureRequest; +// } /** * Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br> * <ul> 
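Review bot: `getCreateXMLSignatureRequestAuthBlockOrRedirectForOW` is replaced by a commented-out copy of itself rather than deleted, and the same is done with `buildAuthenticationBlockForOW` in the `@@ -1115` hunk. Version control already preserves the removed implementations under commit 61362f940ca679fe215de34b1683e1110fea8d3e, and a commented copy only drifts: the commented `buildAuthenticationBlockForOW` already reads `session.isOW()` where the live method had `isOW`. Both blocks should be removed outright; if the OW variant is expected to return, a single `// TODO: OW-specific AuthBlock variant removed, see commit 61362f940ca6` line is enough.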
@@ -1067,14 +1077,22 @@ public class AuthenticationServer implements MOAIDAuthConstants { } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); - } + } + + //set empty AuthBlock BPK in case of OW + if (session.isOW()) { + identificationType = ""; + identificationValue = ""; + } + String issueInstant = DateTimeUtils.buildDateTime(Calendar .getInstance(), oaParam.getUseUTC()); session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); String targetFriendlyName = session.getTargetFriendlyName(); + // Bug #485 // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) // String oaURL = session.getPublicOAURLPrefix(); 
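Review bot: The AuthBlock's `identificationType` and `identificationValue` are blanked whenever `session.isOW()` is true, independent of whether a mandate is in use, while the `@@ -2283` hunk only issues the OW bPK when `session.getUseMandate() && session.isOW()` both hold; for an OW session without a mandate the signed AuthBlock would carry an empty bPK while the assertion gets the normally computed one. If that is not intended, gate this block on the same condition: `if (session.getUseMandate() && session.isOW()) {`. Either way a comment stating which identification the user is signing in the OW case would help, since the empty strings are otherwise indistinguishable from a missing identity link. The enclosing method starts and ends outside the hunk.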
@@ -1115,59 +1133,61 @@ public class AuthenticationServer implements MOAIDAuthConstants { } - /** - * Builds an authentication block <code><saml:Assertion></code> from - * given session data. - * - * @param session - * authentication session - * - * @return <code><saml:Assertion></code> as a String - * - * @throws BuildException - * If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. - */ - private String buildAuthenticationBlockForOW(AuthenticationSession session, - OAAuthParameter oaParam, boolean isOW) throws BuildException { - IdentityLink identityLink = session.getIdentityLink(); - String issuer = identityLink.getName(); - String gebDat = identityLink.getDateOfBirth(); - String identificationValue = identityLink.getIdentificationValue(); - String identificationType = identityLink.getIdentificationType(); - - String issueInstant = DateTimeUtils.buildDateTime(Calendar - .getInstance(), oaParam.getUseUTC()); - session.setIssueInstant(issueInstant); - String authURL = session.getAuthURL(); - String target = session.getTarget(); - String targetFriendlyName = session.getTargetFriendlyName(); - // Bug #485 - // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) - // String oaURL = session.getPublicOAURLPrefix(); - String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); - List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); - Iterator it = extendedSAMLAttributes.iterator(); - // delete bPK attribute from extended SAML attributes - if (isOW) { - ExtendedSAMLAttribute toDelete = null; - while (it.hasNext()) { - ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next(); - if (attr.getName().equalsIgnoreCase("bPK")) - toDelete = attr; - } - if (toDelete != null) - extendedSAMLAttributes.remove(toDelete); - } - - String authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlock(issuer, issueInstant, authURL, target, - targetFriendlyName, 
identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - - return authBlock; - } +// /** +// * Builds an authentication block <code><saml:Assertion></code> from +// * given session data. +// * +// * @param session +// * authentication session +// * +// * @return <code><saml:Assertion></code> as a String +// * +// * @throws BuildException +// * If an error occurs on serializing an extended SAML attribute +// * to be appended to the AUTH-Block. +// */ +// private String buildAuthenticationBlockForOW(AuthenticationSession session, +// OAAuthParameter oaParam, boolean isOW) throws BuildException { +// IdentityLink identityLink = session.getIdentityLink(); +// String issuer = identityLink.getName(); +// String gebDat = identityLink.getDateOfBirth(); +// String identificationValue = identityLink.getIdentificationValue(); +// String identificationType = identityLink.getIdentificationType(); +// +// String issueInstant = DateTimeUtils.buildDateTime(Calendar +// .getInstance(), oaParam.getUseUTC()); +// session.setIssueInstant(issueInstant); +// String authURL = session.getAuthURL(); +// String target = session.getTarget(); +// String targetFriendlyName = session.getTargetFriendlyName(); +// // Bug #485 +// // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) +// // String oaURL = session.getPublicOAURLPrefix(); +// String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); +// +// +// List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); +// Iterator it = extendedSAMLAttributes.iterator(); +// // delete bPK attribute from extended SAML attributes +// if (session.isOW()) { +// ExtendedSAMLAttribute toDelete = null; +// while (it.hasNext()) { +// ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next(); +// if (attr.getName().equalsIgnoreCase("bPK")) +// toDelete = attr; +// } +// if (toDelete != null) +// extendedSAMLAttributes.remove(toDelete); +// } +// +// 
String authBlock = new AuthenticationBlockAssertionBuilder() +// .buildAuthBlock(issuer, issueInstant, authURL, target, +// targetFriendlyName, identificationValue, +// identificationType, oaURL, gebDat, +// extendedSAMLAttributes, session, oaParam); +// +// return authBlock; +// } /** * Verifies the infoboxes (except of the identity link infobox) returned by 
@@ -2283,52 +2303,61 @@ public class AuthenticationServer implements MOAIDAuthConstants { //TODO: resign the IdentityLink!!! - if (businessService) { - //since we have foreigner, wbPK is not calculated in BKU - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + if (session.getUseMandate() && session.isOW()) { + MISMandate mandate = session.getMISMandate(); + authData.setBPK(mandate.getOWbPK()); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); + + } else { + + if (businessService) { + //since we have foreigner, wbPK is not calculated in BKU + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + + if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { + // If domainIdentifier starts with prefix + // "urn:publicid:gv.at:wbpk+"; remove this prefix + registerAndOrdNr = registerAndOrdNr + .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + + registerAndOrdNr); + } + + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); + authData.setBPK(wbpkBase64); + authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - - if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - registerAndOrdNr = registerAndOrdNr - .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + registerAndOrdNr); - } - - String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); - authData.setBPK(wbpkBase64); - 
authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); + } else { + authData.setBPK(identityLink.getIdentificationValue()); + authData.setBPKType(identityLink.getIdentificationType()); + } + + Element idlassertion = session.getIdentityLink().getSamlAssertion(); + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IdentityLink idl = idlparser.parseIdentityLink(); + authData.setIdentityLink(idl); } else { - authData.setBPK(identityLink.getIdentificationValue()); - authData.setBPKType(identityLink.getIdentificationType()); - } - - Element idlassertion = session.getIdentityLink().getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IdentityLink idl = idlparser.parseIdentityLink(); - authData.setIdentityLink(idl); - - } else { + + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); + 
authData.setBPK(bpkBase64); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + } - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + authData.setIdentityLink(identityLink); } - - authData.setIdentityLink(identityLink); } return authData; |
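Review bot: In the new OW branch `session.getMISMandate()` is dereferenced without a null check, and `authData.setIdentityLink(...)` is never called, although both other branches set it; a consumer reading the identity link from `authData` will see whatever it held before. If leaving it unset is intended, say so with a comment; otherwise add `authData.setIdentityLink(identityLink);` to the branch and reject the request when `mandate` is null using the error type the method already throws (its signature is outside the hunk). The bPK type `Constants.URN_PREFIX_CDID + "+" + "OW"` hard-codes the target; a named constant next to `OW_LIST` would document what "OW" denotes. The enclosing method starts outside the hunk.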