MOA-ID Updates and Bugfixes

 -- OW BPK calculation
 -- OA specific SL-Templates
 -- update MOA-ID configuration XML
 -- PVP2: QA Level and BPK calculation updated
 -- PVP2: add two attribute builder
 -- MOA-ID BKU selection: bugfix local BKU selection

1 files changed, 202 insertions, 173 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index f1c15e83b..89adbce3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -23,9 +23,11 @@
 
 package at.gv.egovernment.moa.id.auth;
 
+import iaik.asn1.ObjectID;
 import iaik.pki.PKIException;
 import iaik.x509.CertificateFactory;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -652,21 +654,27 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		// check if person is a Organwalter
 		// if true - don't show bPK in AUTH Block
-		boolean isOW = false;
-//		String oid = null;
-//		if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER))
-//			isOW = true;
-//		
-//		AuthenticationSession session = getSession(sessionID);
-		
+		try {
+			for (ObjectID OWid : MOAIDAuthConstants.OW_LIST) {
+				if (certificate.getExtension(OWid) != null) {
+					session.setOW(true);
+				}
+			
+			}
+			
+		} catch (X509ExtensionInitException e) {
+			Logger.warn("Certificate extension is not readable.");
+			session.setOW(false);
+		}
+				
 		AuthConfigurationProvider authConf = AuthConfigurationProvider
 				.getInstance();
 
 		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
-		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session,
-				authConf, oaParam, isOW);
+		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
+				authConf, oaParam);
 			
 		return returnvalue;
 	}
@@ -784,75 +792,77 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		return createXMLSignatureRequest;
 	}
 
-	/**
-	 * 
-	 * @param session
-	 * @param authConf
-	 * @param oaParam
-	 * @return
-	 * @throws ConfigurationException
-	 * @throws BuildException
-	 * @throws ValidateException
-	 */
-	public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
-			AuthenticationSession session, AuthConfigurationProvider authConf,
-			OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
-			BuildException, ValidateException {
-
-		// check for intermediate processing of the infoboxes
-		if (session.isValidatorInputPending())
-			return "Redirect to Input Processor";
-
-		if (authConf == null)
-			authConf = AuthConfigurationProvider.getInstance();
-		if (oaParam == null)
-			oaParam = AuthConfigurationProvider.getInstance()
-					.getOnlineApplicationParameter(
-							session.getPublicOAURLPrefix());
-
-		// BZ.., calculate bPK for signing to be already present in AuthBlock
-		IdentityLink identityLink = session.getIdentityLink();
-		if (identityLink.getIdentificationType().equals(
-				Constants.URN_PREFIX_BASEID)) {
-			// only compute bPK if online application is a public service and we
-			// have the Stammzahl
-			if (isOW) {
-				// if person is OW, delete identification value (bPK is calculated via MIS)
-				identityLink.setIdentificationValue(null);
-				identityLink.setIdentificationType(null);
-			}
-			else {
-			
-			//TODO: check correctness!!! bpk calcultion is done during Assertion generation	
-//			String bpkBase64 = new BPKBuilder().buildBPK(identityLink
-//					.getIdentificationValue(), session.getTarget());
-//				identityLink.setIdentificationValue(bpkBase64);
-//				
-//				//TODO: insert correct Type!!!!
-//				identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
-			}
-		}
-		// ..BZ
-		// }
-
-		// builds the AUTH-block
-		String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
-
-		// session.setAuthBlock(authBlock);
-		// builds the <CreateXMLSignatureRequest>
-		List<String> transformsInfos = oaParam.getTransformsInfos();
-		if ((transformsInfos == null) || (transformsInfos.size() == 0)) {
-			// no OA specific transforms specified, use default ones
-			transformsInfos = authConf.getTransformsInfos();
-		}
-		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
-				.build(authBlock, oaParam.getKeyBoxIdentifier(),
-						transformsInfos, oaParam.isSlVersion12());
-		
-		System.out.println("XML: " + createXMLSignatureRequest);
-		
-		return createXMLSignatureRequest;
-	}
+//	/**
+//	 * 
+//	 * @param session
+//	 * @param authConf
+//	 * @param oaParam
+//	 * @return
+//	 * @throws ConfigurationException
+//	 * @throws BuildException
+//	 * @throws ValidateException
+//	 */
+//	public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
+//			AuthenticationSession session, AuthConfigurationProvider authConf,
+//			OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
+//			BuildException, ValidateException {
+//
+//		// check for intermediate processing of the infoboxes
+//		if (session.isValidatorInputPending())
+//			return "Redirect to Input Processor";
+//
+//		if (authConf == null)
+//			authConf = AuthConfigurationProvider.getInstance();
+//		if (oaParam == null)
+//			oaParam = AuthConfigurationProvider.getInstance()
+//					.getOnlineApplicationParameter(
+//							session.getPublicOAURLPrefix());
+//
+//		// BZ.., calculate bPK for signing to be already present in AuthBlock
+//		IdentityLink identityLink = session.getIdentityLink();
+//		if (identityLink.getIdentificationType().equals(
+//				Constants.URN_PREFIX_BASEID)) {
+//			
+//			// only compute bPK if online application is a public service and we
+//			// have the Stammzahl
+////			if (isOW) {
+////				// if person is OW, delete identification value (bPK is calculated via MIS)
+////				identityLink.setIdentificationValue(null);
+////				identityLink.setIdentificationType(null);
+////			}
+////			else {
+//			
+//			//TODO: check correctness!!! bpk calcultion is done during Assertion generation	
+////			String bpkBase64 = new BPKBuilder().buildBPK(identityLink
+////					.getIdentificationValue(), session.getTarget());
+////				identityLink.setIdentificationValue(bpkBase64);
+////				
+////				//TODO: insert correct Type!!!!
+////				identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
+////			}
+//			
+//		}
+//		// ..BZ
+//		// }
+//
+//		// builds the AUTH-block
+//		String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
+//
+//		// session.setAuthBlock(authBlock);
+//		// builds the <CreateXMLSignatureRequest>
+//		List<String> transformsInfos = oaParam.getTransformsInfos();
+//		if ((transformsInfos == null) || (transformsInfos.size() == 0)) {
+//			// no OA specific transforms specified, use default ones
+//			transformsInfos = authConf.getTransformsInfos();
+//		}
+//		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
+//				.build(authBlock, oaParam.getKeyBoxIdentifier(),
+//						transformsInfos, oaParam.isSlVersion12());
+//		
+//		System.out.println("XML: " + createXMLSignatureRequest);
+//		
+//		return createXMLSignatureRequest;
+//	}
 	/**
 	 * Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br>
 	 * <ul>
@@ -1067,14 +1077,22 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		} else {
 			identificationValue = identityLink.getIdentificationValue();
 			identificationType = identityLink.getIdentificationType();
-		}
 			
+		}
+
+		//set empty AuthBlock BPK in case of OW 
+		if (session.isOW()) {
+			identificationType = "";
+			identificationValue = "";
+		}
+		
 		String issueInstant = DateTimeUtils.buildDateTime(Calendar
 				.getInstance(), oaParam.getUseUTC());
 		session.setIssueInstant(issueInstant);
 		String authURL = session.getAuthURL();
 		String target = session.getTarget();
 		String targetFriendlyName = session.getTargetFriendlyName();
+		
 		// Bug #485
 		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
 		// String oaURL = session.getPublicOAURLPrefix();
@@ -1115,59 +1133,61 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		
 	}
 
-	/**
-	 * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
-	 * given session data.
-	 * 
-	 * @param session
-	 *            authentication session
-	 * 
-	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
-	 * 
-	 * @throws BuildException
-	 *             If an error occurs on serializing an extended SAML attribute
-	 *             to be appended to the AUTH-Block.
-	 */
-	private String buildAuthenticationBlockForOW(AuthenticationSession session,
-			OAAuthParameter oaParam, boolean isOW) throws BuildException {
-		IdentityLink identityLink = session.getIdentityLink();
-		String issuer = identityLink.getName();
-		String gebDat = identityLink.getDateOfBirth();
-		String identificationValue = identityLink.getIdentificationValue();
-		String identificationType = identityLink.getIdentificationType();
-
-		String issueInstant = DateTimeUtils.buildDateTime(Calendar
-				.getInstance(), oaParam.getUseUTC());
-		session.setIssueInstant(issueInstant);
-		String authURL = session.getAuthURL();
-		String target = session.getTarget();
-		String targetFriendlyName = session.getTargetFriendlyName();
-		// Bug #485
-		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
-		// String oaURL = session.getPublicOAURLPrefix();
-		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
-		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
-		Iterator it = extendedSAMLAttributes.iterator();
-		// delete bPK attribute from extended SAML attributes
-		if (isOW) {
-			ExtendedSAMLAttribute toDelete = null;
-			while (it.hasNext()) {
-				ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
-				if (attr.getName().equalsIgnoreCase("bPK"))
-					toDelete = attr;
-			}		
-			if (toDelete != null)
-				extendedSAMLAttributes.remove(toDelete);
-		}
-		
-		String authBlock = new AuthenticationBlockAssertionBuilder()
-				.buildAuthBlock(issuer, issueInstant, authURL, target,
-						targetFriendlyName, identificationValue,
-						identificationType, oaURL, gebDat,
-						extendedSAMLAttributes, session, oaParam);
-
-		return authBlock;
-	}
+//	/**
+//	 * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
+//	 * given session data.
+//	 * 
+//	 * @param session
+//	 *            authentication session
+//	 * 
+//	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
+//	 * 
+//	 * @throws BuildException
+//	 *             If an error occurs on serializing an extended SAML attribute
+//	 *             to be appended to the AUTH-Block.
+//	 */
+//	private String buildAuthenticationBlockForOW(AuthenticationSession session,
+//			OAAuthParameter oaParam, boolean isOW) throws BuildException {
+//		IdentityLink identityLink = session.getIdentityLink();
+//		String issuer = identityLink.getName();
+//		String gebDat = identityLink.getDateOfBirth();
+//		String identificationValue = identityLink.getIdentificationValue();
+//		String identificationType = identityLink.getIdentificationType();
+//
+//		String issueInstant = DateTimeUtils.buildDateTime(Calendar
+//				.getInstance(), oaParam.getUseUTC());
+//		session.setIssueInstant(issueInstant);
+//		String authURL = session.getAuthURL();
+//		String target = session.getTarget();
+//		String targetFriendlyName = session.getTargetFriendlyName();
+//		// Bug #485
+//		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
+//		// String oaURL = session.getPublicOAURLPrefix();
+//		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
+//		
+//		
+//		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+//		Iterator it = extendedSAMLAttributes.iterator();
+//		// delete bPK attribute from extended SAML attributes
+//		if (session.isOW()) {
+//			ExtendedSAMLAttribute toDelete = null;
+//			while (it.hasNext()) {
+//				ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
+//				if (attr.getName().equalsIgnoreCase("bPK"))
+//					toDelete = attr;
+//			}		
+//			if (toDelete != null)
+//				extendedSAMLAttributes.remove(toDelete);
+//		}
+//		
+//		String authBlock = new AuthenticationBlockAssertionBuilder()
+//				.buildAuthBlock(issuer, issueInstant, authURL, target,
+//						targetFriendlyName, identificationValue,
+//						identificationType, oaURL, gebDat,
+//						extendedSAMLAttributes, session, oaParam);
+//
+//		return authBlock;
+//	}
 	
 	/**
 	 * Verifies the infoboxes (except of the identity link infobox) returned by
@@ -2283,52 +2303,61 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			
 			//TODO: resign the IdentityLink!!!
 			
-			if (businessService) {
-				//since we have foreigner, wbPK is not calculated in BKU
-				if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
+			
+			if (session.getUseMandate() && session.isOW()) {
+				MISMandate mandate = session.getMISMandate();
+				authData.setBPK(mandate.getOWbPK());
+				authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
+				
+			} else {
+			
+				if (businessService) {
+					//since we have foreigner, wbPK is not calculated in BKU
+					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
+							
+					 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
+						 
+						if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
+							// If domainIdentifier starts with prefix
+							// "urn:publicid:gv.at:wbpk+"; remove this prefix
+							registerAndOrdNr = registerAndOrdNr
+									.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
+							Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
+									+ registerAndOrdNr);
+						} 
+							    
+						String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
+						authData.setBPK(wbpkBase64);
+						authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
 						
-				 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
-					 
-					if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
-						// If domainIdentifier starts with prefix
-						// "urn:publicid:gv.at:wbpk+"; remove this prefix
-						registerAndOrdNr = registerAndOrdNr
-								.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
-						Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
-								+ registerAndOrdNr);
-					} 
-						    
-					String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
-					authData.setBPK(wbpkBase64);
-					authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
+					} else {
+						authData.setBPK(identityLink.getIdentificationValue());
+						authData.setBPKType(identityLink.getIdentificationType());
+					}
+									
+					Element idlassertion = session.getIdentityLink().getSamlAssertion();
+					//set bpk/wpbk;
+					Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+					prIdentification.getFirstChild().setNodeValue(authData.getBPK());
+					//set bkp/wpbk type 
+					Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
+					prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
+					
+					IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
+					IdentityLink idl = idlparser.parseIdentityLink();
+					authData.setIdentityLink(idl);
 					
 				} else {
-					authData.setBPK(identityLink.getIdentificationValue());
-					authData.setBPKType(identityLink.getIdentificationType());
-				}
-								
-				Element idlassertion = session.getIdentityLink().getSamlAssertion();
-				//set bpk/wpbk;
-				Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
-				prIdentification.getFirstChild().setNodeValue(authData.getBPK());
-				//set bkp/wpbk type 
-				Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
-				prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
-				
-				IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
-				IdentityLink idl = idlparser.parseIdentityLink();
-				authData.setIdentityLink(idl);
-				
-			} else {
+									
+					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { 
+						// only compute bPK if online application is a public service and we have the Stammzahl
+						String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
+						authData.setBPK(bpkBase64);
+						authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+					}
 					
-				if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { 
-					// only compute bPK if online application is a public service and we have the Stammzahl
-					String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
-					authData.setBPK(bpkBase64);
-					authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+					authData.setIdentityLink(identityLink);
 				}
-				
-				authData.setIdentityLink(identityLink);
 			}
 				
 			return authData;