Integration of STORK

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1285 d688527b-c9ab-4aba-bd8d-4036d912da1d
author: kstranacher_eGovL <kstranacher_eGovL@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2012-07-12 11:27:13 +0000
committer: kstranacher_eGovL <kstranacher_eGovL@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2012-07-12 11:27:13 +0000
commit: 1626ac9867cd5406b83e73651080e33c11fb98d1 (patch)
tree: 56bea0f086133bcd27017e2bfc205245a6e683b9 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork
parent: a86a5fe1cfe7b0104d6524517414c7d5b5d2a2bb (diff)
download: moa-id-spss-1626ac9867cd5406b83e73651080e33c11fb98d1.tar.gz
moa-id-spss-1626ac9867cd5406b83e73651080e33c11fb98d1.tar.bz2
moa-id-spss-1626ac9867cd5406b83e73651080e33c11fb98d1.zip
10 files changed, 1375 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/AssertionVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/AssertionVerifier.java
new file mode 100644
index 000000000..7ffe59fd9
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/AssertionVerifier.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+import java.util.List;
+
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+
+/**
+ * Interface to be implemented for verifying SAML assertions
+ * 
+ * @author bzwattendorfer
+ *
+ */
+public interface AssertionVerifier {
+	
+	/**
+	 * Verifies a given assertion
+	 * @param assertion SAML assertion
+	 * @param reqIPAddress IP address of the client
+	 * @param authnRequestID ID of the corresponding authentication request for verification
+	 * @param recipient recipient for verification 
+	 * @param audience audience for verification
+	 * @param reqAttrList RequestedAttribute list for verification
+	 * @throws SecurityException
+	 */
+	public void verify(Assertion assertion, String reqIPAddress, String authnRequestID, String recipient, String audience, List<RequestedAttribute> reqAttrList) throws SecurityException;
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java
new file mode 100644
index 000000000..b95ab6218
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+import org.opensaml.xml.security.credential.Credential;
+
+import eu.stork.vidp.messages.exception.SAMLException;
+
+/**
+ * Interface supporting different kinds of Credentials
+ * 
+ * @author bzwattendorfer
+ *
+ */
+public interface CredentialProvider {
+	
+	/**
+	 * Gets appropriate credentials
+	 * @return Credential object
+	 * @throws SAMLException
+	 */
+	public Credential getCredential() throws SAMLException;
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java
new file mode 100644
index 000000000..467210b4d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.stork;
+
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+import at.gv.egovernment.moa.util.StringUtils;
+import eu.stork.vidp.messages.exception.SAMLException;
+
+/**
+ * Provides credentials from a KeyStore
+ * @author bzwattendorfer
+ *
+ */
+public class KeyStoreCredentialProvider implements CredentialProvider {
+	
+	private final static Logger log = LoggerFactory.getLogger(KeyStoreCredentialProvider.class);
+	
+	/** KeyStore Path */
+	private String keyStorePath;
+	
+	/** KeyStore Password */
+	private String keyStorePassword;
+	
+	/** Specific Key Name as Credential */
+	private String keyName;
+	
+	/** Key password */
+	private String keyPassword;
+	
+	/**
+	 * Creates a KeyStoreCredentialProvider object
+	 * @param keyStorePath KeyStore Path
+	 * @param keyStorePassword KeyStore Password
+	 * @param keyName KeyName of the key to be retrieved
+	 * @param keyPassword Password for the Key
+	 */
+	public KeyStoreCredentialProvider(String keyStorePath,
+			String keyStorePassword, String keyName, String keyPassword) {
+		super();
+		this.keyStorePath = keyStorePath;
+		this.keyStorePassword = keyStorePassword;
+		this.keyName = keyName;
+		this.keyPassword = keyPassword;
+	}
+
+
+	/**
+	 * Gets the credential object from the KeyStore
+	 */
+	public Credential getCredential() throws SAMLException {
+		log.trace("Retrieving credentials for signing SAML Response.");
+		
+		if (StringUtils.isEmpty(this.keyStorePath))
+			throw new SAMLException("No keyStorePath specified");
+		
+		//KeyStorePassword optional
+		//if (StringUtils.isEmpty(this.keyStorePassword))
+		//	throw new SAMLException("No keyStorePassword specified");
+		
+		if (StringUtils.isEmpty(this.keyName))
+			throw new SAMLException("No keyName specified");
+		
+		//KeyStorePassword optional
+		//if (StringUtils.isEmpty(this.keyPassword))
+		//	throw new SAMLException("No keyPassword specified");
+		
+		KeyStore ks;
+		try {
+			ks = KeyStoreUtils.loadKeyStore(this.keyStorePath, this.keyStorePassword);					
+		} catch (Exception e) {
+			log.error("Failed to load keystore information", e);
+			throw new SAMLException(e);
+		}
+		
+		//return new KeyStoreX509CredentialAdapter(ks, keyName, keyPwd.toCharArray());
+		BasicX509Credential credential = null;
+		try {
+			java.security.cert.X509Certificate certificate = (X509Certificate) ks.getCertificate(this.keyName);
+			PrivateKey privateKey = (PrivateKey) ks.getKey(this.keyName, this.keyPassword.toCharArray());
+			credential = new BasicX509Credential();
+			credential.setEntityCertificate(certificate);			
+			credential.setPrivateKey(privateKey);
+						
+		} catch (Exception e) {
+			log.error("Error retrieving signing credentials.", e);
+			throw new SAMLException(e);
+		}
+						
+		return credential;
+		
+	}
+	
+		
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
new file mode 100644
index 000000000..3048ccbee
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
@@ -0,0 +1,241 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+import java.util.List;
+
+import org.joda.time.DateTime;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+
+import at.gv.egovernment.moa.logging.Logger;
+import eu.stork.vidp.messages.saml.STORKAttribute;
+import eu.stork.vidp.messages.util.SAMLUtil;
+
+/**
+ * Verifies the SAML assertion according to the STORK specification
+ * @author bzwattendorfer
+ *
+ */
+public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
+			
+	private static final int CLOCK_SKEW_MINUTES = 5;
+	
+	private static final boolean IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY = false;
+
+	/* (non-Javadoc)
+	 * @see eu.stork.mw.peps.connector.validation.AssertionVerifier#verifyAssertion(org.opensaml.saml2.core.Assertion, java.lang.String, java.lang.String, java.lang.String)
+	 */
+	public void verify(Assertion assertion, String reqIPAddress,
+			String authnRequestID, String recipient, String audience, List<RequestedAttribute> reqAttrList) throws SecurityException {
+
+		//SAML assertion need not to be signed, skipping signature validation
+		
+		verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient);
+		
+		Logger.debug("SubjectConfirmationData successfully verified");
+		
+		verifyConditions(assertion, audience);
+		
+		Logger.debug("Conditions successfully verified");
+	}
+	
+	
+	private void verifySubjectConfirmation(Assertion assertion, String reqAddress, String requestID, String recipient) throws SecurityException {		
+		for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
+			verifySubjectConfirmationData(sc.getSubjectConfirmationData(), reqAddress, requestID, recipient);
+		}
+				
+	}
+	
+	private void verifySubjectConfirmationData(SubjectConfirmationData scData, String reqAddress, String requestID, String recipient) throws SecurityException {				
+		//NotBefore not allowed in SSO profile
+		verifyNotOnOrAfter(scData.getNotOnOrAfter());
+		
+		Logger.trace("NotOnOrAfter successfully verified");
+		
+		if(IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY) {
+			verifyClientAddress(scData, reqAddress);
+			Logger.trace("User's client IP address successfully verified.");
+		} else {
+			Logger.warn("User's client IP address will not be verified.");
+		}
+		
+		verifyRecipient(scData, recipient);
+		Logger.trace("Recipient successfully verified");
+		
+		verifyInResponseTo(scData, requestID);
+		Logger.trace("InResponseTo successfully verified");
+				 
+	}
+	
+	private void verifyNotBefore(DateTime notBefore) throws SecurityException {
+		if (notBefore.minusMinutes(CLOCK_SKEW_MINUTES).isAfterNow()) {
+			String msg = "Subject/Assertion not yet valid, Timestamp: ";
+			Logger.error(msg + notBefore);
+			throw new SecurityException(msg);
+		}
+		
+		Logger.trace("Subject/Assertion already valid, notBefore: " + notBefore);
+		
+	}
+	
+	private void verifyNotOnOrAfter(DateTime notOnOrAfter) throws SecurityException {
+		if (notOnOrAfter.plusMinutes(CLOCK_SKEW_MINUTES).isBeforeNow()) {
+			String msg = "Subject/Assertion no longer valid.";
+			Logger.error(msg);
+			throw new SecurityException(msg);
+		}
+		
+		Logger.trace("Subject/Assertion still valid, notOnOrAfter: " + notOnOrAfter);
+	}
+
+	private void verifyClientAddress(SubjectConfirmationData scData, String reqAddress) throws SecurityException {
+		if (!reqAddress.equals(scData.getAddress())) {
+			String msg = "Response coming from wrong Client-Address";
+			Logger.error("Response coming from wrong Client-Address " +  reqAddress + ", expected " + scData.getAddress());
+			throw new SecurityException(msg);
+		}
+		
+	}
+	
+	private void verifyInResponseTo(SubjectConfirmationData scData, String requestID) throws SecurityException {
+		if (!scData.getInResponseTo().equals(requestID)) {
+			String msg = "Assertion issued for wrong request";
+			Logger.error(msg);
+			throw new SecurityException(msg);
+		}
+	}
+	
+	private void verifyRecipient(SubjectConfirmationData scData, String reqRecipient) throws SecurityException {
+		if (!scData.getRecipient().equals(reqRecipient)) {
+			String msg = "Assertion intended for another recipient";
+			Logger.error("Assertion intended for recipient " + scData.getRecipient() + "but expected " + reqRecipient);
+			throw new SecurityException(msg);
+		}
+		
+	}
+	
+	private void verifyAudience(AudienceRestriction audienceRestriction, String reqAudience) throws SecurityException {
+		for (Audience audience : audienceRestriction.getAudiences()) {
+			if (audience.getAudienceURI().equals(reqAudience))
+				return;
+		}
+		String msg = "Assertion sent to wrong audience";
+		Logger.error("Assertion intended for wrong audience, expected " + reqAudience);
+		throw new SecurityException(msg);
+	}
+	
+	private void verifyOneTimeUse(String assertionID) {
+		//not necessarily required to check since notBefore and notOnOrAfter are verified   
+		//check response Store for already existing assertion
+		
+	}
+	
+	private void verifyConditions(Assertion assertion, String reqAudience) throws SecurityException {		
+		Conditions conditions = assertion.getConditions();
+		
+		verifyNotBefore(conditions.getNotBefore());
+		Logger.trace("NotBefore successfully verified");
+		
+		verifyNotOnOrAfter(conditions.getNotOnOrAfter());
+		Logger.trace("NotOnOrAfter successfully verified");
+		
+		verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience);
+		
+		Logger.trace("Audience successfully verified");
+		
+	}
+	
+	public static void validateRequiredAttributes(
+			List<RequestedAttribute> reqAttrList,
+			List<Attribute> attrList)
+			throws STORKException {
+		
+		Logger.debug("Starting required attribute validation");
+		
+		if (reqAttrList == null || reqAttrList.isEmpty()) {
+			Logger.error("Requested Attributes list is empty.");
+			throw new STORKException("No attributes have been requested");
+		}
+		
+		if (attrList == null || attrList.isEmpty()) {
+			Logger.error("STORK AttributeStatement is empty.");
+			throw new STORKException("No attributes have been received");
+		}
+		
+		Logger.trace("These attributes have been requested and received: ");
+		int count = 0;
+		for (RequestedAttribute reqAttr : reqAttrList) {
+			Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired());
+			for(Attribute attr : attrList) {
+				if (verifyRequestedAttribute(reqAttr, attr))
+					count++;
+			}
+		}
+		
+		int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList);
+		Logger.trace("Number of requested required attributes: " + numRequiredReqAttr);
+		Logger.trace("Number of received required attributes: " + count);
+		
+		if (count != numRequiredReqAttr) {
+			Logger.error("Not all required attributes have been received");
+			throw new STORKException("Not all required attributes have been received");
+		}
+		Logger.debug("Received all required attributes!");			
+		
+	}
+	
+	private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) {
+		
+		if ((reqAttr.getName()).equals(attr.getName())) {
+			if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) {
+				Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr));
+				return true;
+			}			
+		}
+		return false;
+	}
+	
+	private static int getNumberOfRequiredAttributes(List<RequestedAttribute> reqAttrList) {
+		int count = 0;
+		for (RequestedAttribute reqAttr : reqAttrList)
+			if (reqAttr.isRequired()) count++;
+		
+		return count;
+	}
+	
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
new file mode 100644
index 000000000..2deeb2aae
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java
@@ -0,0 +1,153 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.ServiceException;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+import eu.stork.mw.messages.saml.STORKResponse;
+import eu.stork.vidp.messages.exception.SAMLValidationException;
+import eu.stork.vidp.messages.util.SAMLUtil;
+import eu.stork.vidp.messages.util.XMLUtil;
+
+/**
+ * Verifies the SMAL response according to the STORK specification
+ * @author bzwattendorfer
+ *
+ */
+public class PEPSConnectorResponseVerifier implements ResponseVerifier {
+		
+		
+	/* (non-Javadoc)
+	 * @see eu.stork.mw.peps.connector.validation.ResponseVerifier#verify(org.opensaml.saml2.core.Response)
+	 */
+	public void verify(STORKResponse response) throws SecurityException {
+		
+		verifySignature(response);
+		Logger.debug("Signature of SAML response valid.");
+		
+		verifyStandardValidation(response);
+		
+		Logger.debug("SAML response format valid.");
+		
+	}
+	
+	
+	private void verifySignature(STORKResponse response) throws SecurityException {
+		//validate Signature
+		try {
+			if (response.isSigned()) {		
+				
+				String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID();
+				
+				Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID);
+				
+				// builds a <VerifyXMLSignatureRequest> for a call of MOA-SP
+				Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
+						.build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID);
+
+				Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built");
+				
+				Logger.trace("Calling MOA-SP");
+				// invokes the call
+				Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
+						.verifyXMLSignature(domVerifyXMLSignatureRequest);								
+				
+				// parses the <VerifyXMLSignatureResponse>
+				VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
+						domVerifyXMLSignatureResponse).parseData();
+				
+				Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP");
+
+				if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
+					String msg = "Signature of SAMLResponse not valid";
+					Logger.error(msg);					
+					throw new SecurityException(msg);
+				}
+				
+				Logger.debug("Signature of SAML response successfully verified");
+				
+				if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
+					String msg = "Certificate of SAMLResponse not valid";
+					Logger.error(msg);					
+					throw new SecurityException(msg);
+				}
+				
+				Logger.debug("Signing certificate of SAML response succesfully verified");
+				
+			} else {
+				String msg = "SAML Response is not signed.";
+				throw new SecurityException(msg);
+			}
+			
+		} catch (ConfigurationException e) {
+			String msg = "Unable to load STORK configuration for STORK SAML Response signature verification.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
+		} catch (ParseException e) {
+			String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
+		} catch (BuildException e) {
+			String msg = "Unable to parse VerifyXMLSignature Request or Response.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
+		} catch (ServiceException e) {
+			String msg = "Unable to invoke MOA-SP.";
+			Logger.error(msg, e);
+			throw new SecurityException(msg, e);
+		} 			
+		
+	}
+	
+	private void verifyStandardValidation(STORKResponse response) throws SecurityException {
+		try {
+			SAMLUtil.verifySAMLObjectStandardValidation(response, "saml2-core-schema-and-stork-validator");
+		} catch (SAMLValidationException e) {
+			String msg ="SAML Response received not valid.";
+			throw new SecurityException(msg, e);
+		}
+		
+	}
+	
+	
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java
new file mode 100644
index 000000000..848937824
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.stork;
+
+import eu.stork.mw.messages.saml.STORKResponse;
+
+/**
+ * Interface to be implemented for SAML response verification
+ * @author bzwattendorfer
+ *
+ */
+public interface ResponseVerifier {
+	
+	/**
+	 * Verifies a STORK response
+	 * @param response STORK response
+	 * @throws SecurityException
+	 */
+	public void verify(STORKResponse response) throws SecurityException;
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java
new file mode 100644
index 000000000..ff30919bc
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java
@@ -0,0 +1,170 @@
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.Endpoint;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.ws.transport.http.HTTPOutTransport;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import eu.stork.mw.messages.saml.STORKAuthnRequest;
+import eu.stork.vidp.messages.builder.STORKMessagesBuilder;
+import eu.stork.vidp.messages.exception.SAMLException;
+import eu.stork.vidp.messages.exception.SAMLValidationException;
+import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel;
+import eu.stork.vidp.messages.stork.RequestedAttributes;
+import eu.stork.vidp.messages.util.SAMLUtil;
+
+/**
+ * Class handling all necessary functionality for STORK AuthnRequest processing
+ * 
+ * @author bzwattendorfer
+ *
+ */
+public class STORKAuthnRequestProcessor {
+	
+	/**
+	 * Creates a STORK AuthnRequest
+	 * @param destination Destination URL
+	 * @param acsURL Assertion Consumer Service URL
+	 * @param providerName SP Provider Name
+	 * @param issuerValue Issuer Name
+	 * @param qaaLevel STORK QAALevel to be requested
+	 * @param requestedAttributes Requested Attributes to be requested
+	 * @param spSector Sp Sector
+	 * @param spInstitution SP Institution
+	 * @param spApplication SP Application
+	 * @param spCountry SP Country
+	 * @param textToBeSigned text to be included in signedDoc element
+	 * @param mimeType mimeType for the text to be signed in signedDoc
+	 * @return STORK AuthnRequest
+	 */
+	public static STORKAuthnRequest generateSTORKAuthnRequest(
+			String destination, 
+			String acsURL, 
+			String providerName, 
+			String issuerValue, 
+			QualityAuthenticationAssuranceLevel qaaLevel, 
+			RequestedAttributes requestedAttributes, 
+			String spSector, 
+			String spInstitution, 
+			String spApplication, 
+			String spCountry,
+			String textToBeSigned,
+			String mimeType) {
+		
+			
+		STORKAuthnRequest storkAuthnRequest =  
+			STORKMessagesBuilder.buildSTORKAuthnRequest(
+					destination, 
+					acsURL, 
+					providerName, 
+					issuerValue, 
+					qaaLevel, 
+					requestedAttributes, 
+					spSector, 
+					spInstitution, 
+					spApplication, 
+					spCountry);				
+		
+		STORKMessagesBuilder.buildAndAddSignatureRequestToAuthnRequest(storkAuthnRequest, textToBeSigned, mimeType, true);
+		
+		Logger.debug("Added signedDoc attribute to STORK AuthnRequest");
+		
+		return storkAuthnRequest;
+		
+	}
+	
+	/**
+	 * Signs a STORK AuthnRequest
+	 * @param storkAuthnRequest STORK AuthRequest to sign
+	 * @param keyStorePath KeyStorePath to the signing key
+	 * @param keyStorePassword KeyStore Password
+	 * @param keyName Signing key name
+	 * @param keyPassword Signing key password
+	 * @return Signed STORK AuthnRequest
+	 * @throws SAMLException
+	 */
+	public static STORKAuthnRequest signSTORKAuthnRequest(
+			STORKAuthnRequest storkAuthnRequest,
+			String keyStorePath,
+			String keyStorePassword,
+			String keyName,
+			String keyPassword) throws SAMLException {
+		
+		Logger.trace("Building Credential Provider for signing process");
+		
+		CredentialProvider credentialProvider = new KeyStoreCredentialProvider(keyStorePath, keyStorePassword, keyName, keyPassword);
+		
+		Credential credential = credentialProvider.getCredential();
+		
+		Logger.trace("Credentials found");
+		
+		SAMLUtil.signSAMLObject(storkAuthnRequest, credential);
+		
+		return storkAuthnRequest;
+	}
+	
+	/**
+	 * Validates a STORK AuthnRequest
+	 * @param storkAuthnRequest STORK AuthnRequest to validate
+	 * @throws SAMLValidationException
+	 */
+	public static void validateSTORKAuthnRequest(STORKAuthnRequest storkAuthnRequest) throws SAMLValidationException {
+				
+		SAMLUtil.verifySAMLObjectStandardValidation(storkAuthnRequest, "saml2-core-schema-and-stork-validator");
+		
+	}
+	
+	/**
+	 * Sends a STORK AuthnRequest (Endpoint taken out of AuthnRequest)
+	 * @param request HttpServletRequest
+	 * @param response HttpServletResponse
+	 * @param storkAuthnRequest STORK AuthnRequest to send
+	 * @throws Exception
+	 */
+	public static void sendSTORKAuthnRequest(HttpServletRequest request, HttpServletResponse response, STORKAuthnRequest storkAuthnRequest) throws Exception {
+		
+		Logger.trace("Create endpoint...");
+		Endpoint endpoint = STORKMessagesBuilder.buildSAMLObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
+		endpoint.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+		endpoint.setLocation(storkAuthnRequest.getDestination());
+
+		
+		Logger.trace("Prepare SAMLMessageContext...");
+		HTTPOutTransport outTransport = new HttpServletResponseAdapter(response, request.isSecure());		
+		BasicSAMLMessageContext<?, STORKAuthnRequest, ?> samlMessageContext = new BasicSAMLMessageContext();
+		samlMessageContext.setOutboundMessageTransport(outTransport);
+		samlMessageContext.setPeerEntityEndpoint(endpoint);
+
+		Logger.trace("Set STORK SAML AuthnRequest to SAMLMessageContext...");
+		samlMessageContext.setOutboundSAMLMessage(storkAuthnRequest);
+				
+		Logger.trace("Initialize VelocityEngine...");
+
+		VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+		
+//		HTTPPostEncoder encoder = new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm");
+		HTTPPostEncoder encoder = new HTTPPostEncoder(velocityEngine, "/saml2-post-binding-moa.vm");
+
+		Logger.trace("HTTP-Post encode SAMLMessageContext...");
+		encoder.encode(samlMessageContext);
+	}
+		
+	
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKException.java
new file mode 100644
index 000000000..5b737603b
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKException.java
@@ -0,0 +1,42 @@
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+
+/**
+ * Exception thrown if error occurs in STORK processing
+ * @author bzwattendorfer
+ *
+ */
+public class STORKException extends Exception{
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	public STORKException() {
+		super();
+		
+	}
+
+	public STORKException(String message, Throwable cause) {
+		super(message, cause);
+		
+	}
+
+	public STORKException(String message) {
+		super(message);
+		
+	}
+
+	public STORKException(Throwable cause) {
+		super(cause);
+		
+	}
+	
+	
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
new file mode 100644
index 000000000..c98ca87b9
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -0,0 +1,405 @@
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+import iaik.x509.X509Certificate;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.util.List;
+import java.util.Vector;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.namespace.QName;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.SurName;
+import org.opensaml.ws.transport.http.HTTPInTransport;
+import org.opensaml.ws.transport.http.HTTPOutTransport;
+import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.schema.XSAny;
+import org.opensaml.xml.schema.XSString;
+import org.opensaml.xml.util.Base64;
+import org.opensaml.xml.util.XMLHelper;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
+import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moa.util.StringUtils;
+import eu.stork.mw.messages.saml.STORKResponse;
+import eu.stork.vidp.messages.common.STORKConstants;
+import eu.stork.vidp.messages.util.SAMLUtil;
+import eu.stork.vidp.messages.util.XMLUtil;
+
+/**
+ * 
+ * Handles all functionality for the processing of a STORK response
+ * @author bzwattendorfer
+ *
+ */
+public class STORKResponseProcessor {
+	
+	/** OASIS DSS Namespace */
+	public static final String OASIS_DSS_NS = "urn:oasis:names:tc:dss:1.0:core:schema";
+	
+	/** OASIS DSS Success Message */
+	public static final String OASIS_DSS_SUCCESS_MSG = "urn:oasis:names:tc:dss:1.0:resultmajor:Success";
+	
+	/**
+	 * Extracts a STORK response from a HTTP message
+	 * @param request HttpServletRequest
+	 * @param response HttpServletResponse
+	 * @return STORK Response
+	 * @throws STORKException
+	 */
+	public static STORKResponse receiveSTORKRepsonse(HttpServletRequest request, HttpServletResponse response) throws STORKException {
+		
+		HTTPInTransport httpInTransport = new HttpServletRequestAdapter(request);
+		HTTPOutTransport httpOutTransport = new HttpServletResponseAdapter(response, request.isSecure());
+		
+		httpInTransport.getPeerAddress();
+		
+		String samlResponseString = request.getParameter("SAMLResponse");
+		
+		if (StringUtils.isEmpty(samlResponseString)) {
+			Logger.error("SAMLResponse not found in request.");
+			throw new STORKException("SAMLResponse not found in request.");
+		}
+		
+		BasicSAMLMessageContext samlMessageContext = new BasicSAMLMessageContext();
+		
+		samlMessageContext.setInboundMessageTransport(httpInTransport);
+		samlMessageContext.setOutboundMessageTransport(httpOutTransport);
+		
+		HTTPPostDecoder postDecoder = new HTTPPostDecoder();
+		
+		try {
+			postDecoder.decode(samlMessageContext);
+		} catch (Exception e) {
+			Logger.error("Error decoding SAMLResponse message", e);
+			throw new STORKException("Error decoding SAMLResponse message", e);
+		}
+		
+		if (!(samlMessageContext.getInboundSAMLMessage() instanceof STORKResponse)) {
+			Logger.error("Message received is not a SAMLResponse message");
+			throw new STORKException("Message received is not a SAMLResponse message");
+		}
+			
+		STORKResponse samlResponse = (STORKResponse) samlMessageContext.getInboundSAMLMessage();
+		
+		return samlResponse;
+	}
+	
+	/**
+	 * Verifies a STORK response according STORK specification
+	 * @param storkResponse STORK Response to verify
+	 * @throws STORKException if validation fails
+	 */
+	public static void verifySTORKResponse(STORKResponse storkResponse) throws STORKException {
+		
+		ResponseVerifier responseVerifier = new PEPSConnectorResponseVerifier();
+		try {
+			responseVerifier.verify(storkResponse);
+		} catch (SecurityException e) {
+			Logger.error("Error validating response message from PEPS.", e);
+			throw new STORKException("Error validating response message from PEPS.");
+		}
+		
+	}
+	
+	/**
+	 * Verifies a STORK assertion
+	 * @param assertion STORK assertion
+	 * @param ipAddress Client IP address
+	 * @param authnRequestID ID of the AuthnRequest
+	 * @param recipient recipient for verification
+	 * @param audience audience for verification
+	 * @param reqAttributeList RequestedAttribute list for verification
+	 * @throws STORKException
+	 */
+	public static void verifySTORKAssertion(
+			Assertion assertion, 
+			String ipAddress, 
+			String authnRequestID, 
+			String recipient, 
+			String audience,
+			List<RequestedAttribute> reqAttributeList) throws STORKException {
+		
+		//validate Assertion			
+		AssertionVerifier assertionVerifier = new PEPSConnectorAssertionVerifier();
+		try {
+			assertionVerifier.verify(assertion, ipAddress, authnRequestID, recipient, audience, reqAttributeList);
+			
+			//verify if all required attributes are present
+			PEPSConnectorAssertionVerifier.validateRequiredAttributes(reqAttributeList, assertion.getAttributeStatements().get(0).getAttributes());
+			
+		} catch (SecurityException e) {
+			Logger.error("Error verifying assertion from PEPS", e);
+			throw new STORKException("Error validating assertion received from PEPS.");
+		}						
+			
+	}
+	
+	/**
+	 * Extracts the citizen signature from the signedDoc element present in the STORK assertion
+	 * @param storkAssertion STORK assertion
+	 * @return citizen signature as XML
+	 * @throws STORKException
+	 */
+	public static Element extractCitizenSignature(Assertion storkAssertion) throws STORKException {
+		
+		Logger.debug("Processing DSS signature response from PEPS");
+		
+		Element signatureResponse = getSignedDocAttributeValue(storkAssertion);
+					
+		if (signatureResponse == null) {
+			String msg = "Could not find DSS signature response in SAML assertion";
+			Logger.error(msg);
+			throw new STORKException(msg);
+		}
+		
+		Logger.debug("Found DSS signature in SAML assertion");
+		
+		Logger.debug("DSS Signature creation response received from PEPS (pretty print):");
+		Logger.debug(XMLHelper.prettyPrintXML(signatureResponse));
+		Logger.trace("DSS Signature creation response received from PEPS (original):");
+		Logger.trace(XMLUtil.printXML(signatureResponse));
+		
+		Element signature = getSignature(signatureResponse);
+		
+		if (signature == null) {
+			String msg = "Could not find citizen signature in SAML assertion";
+			Logger.error(msg);
+			throw new STORKException(msg);
+		} 		
+				
+		Logger.debug("Found foreign citizen signature in SAML assertion (pretty print):");
+		Logger.debug(XMLHelper.prettyPrintXML(signature));
+		Logger.trace("Found foreign citizen signature in SAML assertion (original):");
+		Logger.trace(XMLUtil.printXML(signature));		
+		
+		return signature;
+	}
+	
+	/**
+	 * Extracts the signedDoc attribute from a STORK assertion as XML
+	 * @param storkAssertion STORK assertion
+	 * @return Value of signedDoc attribute
+	 * @throws STORKException
+	 */
+	private static Element getSignedDocAttributeValue(Assertion storkAssertion) throws STORKException {	
+		
+		XMLObject xmlObj = SAMLUtil.getAttributeValue(storkAssertion.getAttributeStatements().get(0).getAttributes(), STORKConstants.STORK_ATTRIBUTE_SIGNEDDOC);
+		
+		
+		if (xmlObj instanceof XSAny)
+			return getSignedDocAttributeValueFromAny((XSAny) xmlObj);
+		else if (xmlObj instanceof XSString)
+			return getSignedDocAttributValueFromString((XSString) xmlObj);
+		else 
+			return null;
+		
+	}
+	
+	/**
+	 * Get signedDoc as XML if provided as anyType
+	 * @param any AttributeValue as anyType
+	 * @return signedDoc as XML
+	 */
+	private static Element getSignedDocAttributeValueFromAny(XSAny any) {
+		if (!any.getUnknownXMLObjects(new QName(OASIS_DSS_NS, "SignResponse")).isEmpty()) {
+			XMLObject xmlObj = any.getUnknownXMLObjects(new QName(OASIS_DSS_NS, "SignResponse")).get(0);
+			return xmlObj.getDOM();
+		} else {
+			return null;
+		}
+	}
+	
+	/**
+	 * Get signedDoc as XML if provided as String
+	 * @param string AttributeValue as String
+	 * @return signedDoc as XML
+	 * @throws STORKException
+	 */
+	private static Element getSignedDocAttributValueFromString(XSString string) throws STORKException {
+		try {
+			return XMLUtil.stringToDOM(string.getValue());
+		} catch (Exception e) {
+			Logger.error("Error building DOM", e);
+			throw new STORKException(e);
+			
+		} 
+	}
+	
+	/**
+	 * Extracts the signature value out of a DSS response
+	 * @param signatureResponse DSS signature response
+	 * @return signature 
+	 * @throws STORKException
+	 */
+	private static Element getSignature(Element signatureResponse) throws STORKException {
+		
+		NodeList nList = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "ResultMajor");
+				
+		String resultMajor = XMLUtil.getFirstTextValueFromNodeList(nList);
+		
+		if (StringUtils.isEmpty(resultMajor)) {					
+			String msg = "DSS response not correct, ResultMajor element missing.";
+			Logger.error(msg);
+			throw new STORKException(msg);
+		}
+		
+		Logger.trace("ResultMajor of DSS response: " + resultMajor);
+		
+		if (!OASIS_DSS_SUCCESS_MSG.equals(resultMajor)) {
+			String msg = "DSS response not correct, ResultMajor is " + resultMajor;
+			Logger.error(msg);
+			throw new STORKException(msg);
+		}
+				
+		NodeList nList2 = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "Base64Signature");; 
+		
+		String base64SigString = XMLUtil.getFirstTextValueFromNodeList(nList2);
+		
+		if (StringUtils.isEmpty(base64SigString)) {					
+			String msg = "DSS response not correct, Base64Signature element missing.";
+			Logger.error(msg);
+			throw new STORKException(msg);
+		}
+		
+		Logger.trace("Base64Signature element of DSS response: " + base64SigString);
+		
+		String sigString = new String(Base64.decode(base64SigString));
+		
+		try {
+			return XMLUtil.stringToDOM(sigString);
+		} catch (Exception e) {
+			String msg = "Unable to extract signature from DSS response";
+			Logger.error(msg);
+			throw new STORKException(msg);
+		} 
+		
+		
+	}
+	
+	/**
+	 * Handels connection to SZR-GW and returns Identity Link on success
+	 * @param citizenSignature Citizen signature
+	 * @param attributeList Received attribute List in assertion
+	 * @return Identity Link
+	 * @throws STORKException
+	 */
+	public static IdentityLink connectToSZRGateway(Element citizenSignature, List<Attribute> attributeList) throws STORKException {				
+		Logger.trace("Calling SZR Gateway with the following attributes:");
+
+		String fiscalNumber = SAMLUtil.getAttributeStringValue(attributeList, STORKConstants.STORK_ATTRIBUTE_FISCALNUMBER);
+		Logger.trace(STORKConstants.STORK_ATTRIBUTE_FISCALNUMBER + " : " + fiscalNumber);
+				
+		String givenName = SAMLUtil.getAttributeStringValue(attributeList, STORKConstants.STORK_ATTRIBUTE_GIVENNAME);
+		Logger.trace(STORKConstants.STORK_ATTRIBUTE_GIVENNAME+ " : " + givenName);
+		
+		String lastName = SAMLUtil.getAttributeStringValue(attributeList, STORKConstants.STORK_ATTRIBUTE_SURNAME);
+		Logger.trace(STORKConstants.STORK_ATTRIBUTE_SURNAME+ " : " + lastName);
+		
+		String dateOfBirth = SAMLUtil.getAttributeStringValue(attributeList, STORKConstants.STORK_ATTRIBUTE_DATEOFBIRTH);
+		Logger.trace(STORKConstants.STORK_ATTRIBUTE_DATEOFBIRTH + " : " + dateOfBirth);
+		
+		if (!StringUtils.isEmpty(dateOfBirth)) {
+			dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth);
+		} 
+		
+		CreateIdentityLinkResponse response;
+		IdentityLink identityLink = null;
+		try {
+			Logger.trace("Starting call...");
+			response = AuthenticationServer.getInstance().getIdentityLink(fiscalNumber, givenName, lastName, dateOfBirth, citizenSignature);
+			if (response.isError()) {	    
+				Logger.error("Receveid ErrorResponse from SZR Gateway.");
+	    		throw new SZRGWClientException(response.getError());
+	    	}
+	    	else {
+	    		Logger.trace("Receveid Success Response from SZR Gateway.");
+	    		Element samlAssertion = response.getAssertion();
+	    		    	
+		    	IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(samlAssertion);
+		    	identityLink = ilParser.parseIdentityLink();
+		    	
+		    	
+		    	Logger.debug("Received Identity Link from SZR Gateway");
+		    	//TODO: is this ok?
+//		    	if (StringUtils.isEmpty(identityLink.getDateOfBirth())) {
+//		    		identityLink.setDateOfBirth("9999-12-31");
+//				}
+
+	    	}
+		} catch (SZRGWClientException e) {
+			Logger.error("Error connecting SZR-Gateway: ", e);
+			throw new STORKException("Error connecting SZR-Gateway: ", e);
+		} catch (ParseException e) {
+			Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e);
+			throw new STORKException("Error parsing IdentityLink received from SZR-Gateway: ", e);
+		}
+    		    	
+    	return identityLink;
+		
+	}
+	
+	
+	/**
+	 * Transforms additional STORK attributes to MOA Extended attributes
+	 * @param storkAttributeList STORK attribute list
+	 * @return
+	 */
+	public static List<ExtendedSAMLAttribute> addAdditionalSTORKAttributes(List<Attribute> storkAttributeList) {
+		List<ExtendedSAMLAttribute> moaExtendedSAMLAttributeList = new Vector<ExtendedSAMLAttribute>();
+		
+		Logger.trace("Adding the following attributes to MOA assertion: ");
+		int count = 0;
+		//only add attributes different than eIdentifier, given name, surname, dateOfBirth, signedDoc
+		for (Attribute attribute : storkAttributeList) {
+			//attribute is not in default returned attribute set
+			if (!STORKConstants.DEFAULT_STORK_RETURNED_ATTRIBUTE_SET.contains(attribute.getName())) {
+				
+				String attributeValue = null;
+				if (!attribute.getAttributeValues().isEmpty()) {
+					//we have attribute value
+					attributeValue = SAMLUtil.getStringValueFromXMLObject(attribute.getAttributeValues().get(0));
+				}
+				ExtendedSAMLAttribute extendedSAMLAttribute = 
+					new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0);
+				moaExtendedSAMLAttributeList.add(extendedSAMLAttribute);
+				count++;
+				Logger.trace("Additional attribute: " + attribute.getName());
+			}				
+		}
+		
+		
+		Logger.debug("Added " + count + " STORK attribute(s) to the MOA assertion.");		
+		
+		return moaExtendedSAMLAttributeList;
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/VelocityProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/VelocityProvider.java
new file mode 100644
index 000000000..29478718f
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/VelocityProvider.java
@@ -0,0 +1,88 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+/**
+ * 
+ */
+package at.gv.egovernment.moa.id.auth.stork;
+
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
+
+/**
+ * Gets a Velocity Engine
+ * 
+ * @author bzwattendorfer
+ *
+ */
+public class VelocityProvider {
+
+	/**
+	 * Gets velocityEngine from Classpath
+	 * @return VelocityEngine
+	 * @throws Exception
+	 */
+	public static VelocityEngine getClassPathVelocityEngine() throws Exception {
+		VelocityEngine velocityEngine = getBaseVelocityEngine();
+        velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+        velocityEngine.setProperty("classpath.resource.loader.class",
+                "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+        
+		velocityEngine.init();
+		
+		return velocityEngine;
+	}
+	
+	/**
+	 * Gets VelocityEngine from File
+	 * @param rootPath File Path to template file
+	 * @return VelocityEngine
+	 * @throws Exception
+	 */
+	public static VelocityEngine getFileVelocityEngine(String rootPath) throws Exception {
+		VelocityEngine velocityEngine = getBaseVelocityEngine();
+        velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
+        velocityEngine.setProperty("file.resource.loader.class",
+                "org.apache.velocity.runtime.resource.loader.FileResourceLoader");
+        velocityEngine.setProperty("file.resource.loader.path", rootPath);
+        
+		velocityEngine.init();
+		
+		return velocityEngine;
+	}
+	
+	/**
+	 * Gets a basic VelocityEngine
+	 * @return VelocityEngine
+	 */
+	private static VelocityEngine getBaseVelocityEngine() {
+		VelocityEngine velocityEngine = new VelocityEngine();
+        velocityEngine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+        velocityEngine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+        
+        return velocityEngine;
+	}
+	
+}
author	kstranacher_eGovL <kstranacher_eGovL@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2012-07-12 11:27:13 +0000
committer	kstranacher_eGovL <kstranacher_eGovL@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2012-07-12 11:27:13 +0000
commit	1626ac9867cd5406b83e73651080e33c11fb98d1 (patch)
tree	56bea0f086133bcd27017e2bfc205245a6e683b9 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork
parent	a86a5fe1cfe7b0104d6524517414c7d5b5d2a2bb (diff)
download	moa-id-spss-1626ac9867cd5406b83e73651080e33c11fb98d1.tar.gz moa-id-spss-1626ac9867cd5406b83e73651080e33c11fb98d1.tar.bz2 moa-id-spss-1626ac9867cd5406b83e73651080e33c11fb98d1.zip