Add an unique random tokken to AuthBlock to prevent replay attacks. The timestamp, which was previously in use, can be predicted.

1 files changed, 39 insertions, 2 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 9e98b73b4..ed7f9df0d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -262,7 +262,7 @@ public class CreateXMLSignatureResponseValidator {
     if (!samlAttribute.getName().equals("SpecialText")) {
       throw new ValidateException(
           "validator.37", 
-          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
     }
     if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
       String samlSpecialText = (String)samlAttribute.getValue();
@@ -285,6 +285,25 @@ public class CreateXMLSignatureResponseValidator {
       throw new ValidateException("validator.35", null);
     }
     
+    
+    //check unique AuthBlock tokken
+    samlAttribute = samlAttributes[4 + offset];
+    if (!samlAttribute.getName().equals("UniqueTokken")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      String uniquetokken = (String)samlAttribute.getValue();
+           
+      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+      }
+    } else {
+      throw new ValidateException("validator.35", null);
+    }
+    
+    
     // now check the extended SAML attributes
     int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
     if (extendedSAMLAttributes != null) {
@@ -471,7 +490,7 @@ public class CreateXMLSignatureResponseValidator {
     if (!samlAttribute.getName().equals("SpecialText")) {
       throw new ValidateException(
           "validator.37", 
-          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
     }
     if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
       String samlSpecialText = (String)samlAttribute.getValue();
@@ -495,6 +514,24 @@ public class CreateXMLSignatureResponseValidator {
       throw new ValidateException("validator.35", null);
     }
     
+    //check unique AuthBlock tokken
+    samlAttribute = samlAttributes[3 + offset];
+    if (!samlAttribute.getName().equals("UniqueTokken")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      String uniquetokken = (String)samlAttribute.getValue();
+           
+      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+      }
+    } else {
+      throw new ValidateException("validator.35", null);
+    }
+    
+    
     // now check the extended SAML attributes
     int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
     if (extendedSAMLAttributes != null) {