Merge branch 'moa2_0_tlenz' into moa_2.0_OAuth

Conflicts: id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-23 14:10:24 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-23 14:10:24 +0100
commit: 9eb81a78755db5c9735d2a43ee91fb11ce62e58e (patch)
tree: 91ed5dd8a8dcb9b6ebb43ec32d782a9bff410405 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa
parent: 587971b14627083236df96b8a79f005f92990d75 (diff)
parent: d9550b5e3f24a0f6013502dcc632c4d2730a6749 (diff)
download: moa-id-spss-9eb81a78755db5c9735d2a43ee91fb11ce62e58e.tar.gz
moa-id-spss-9eb81a78755db5c9735d2a43ee91fb11ce62e58e.tar.bz2
moa-id-spss-9eb81a78755db5c9735d2a43ee91fb11ce62e58e.zip
13 files changed, 329 insertions, 85 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index c98af695b..5ff8b74b8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -24,6 +24,7 @@
 
 package at.gv.egovernment.moa.id.auth;
 
+import iaik.cms.ecc.IaikEccProvider;
 import iaik.pki.PKIException;
 import iaik.pki.jsse.IAIKX509TrustManager;
 import iaik.security.ecc.provider.ECCProvider;
@@ -31,6 +32,7 @@ import iaik.security.provider.IAIK;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.Security;
 import java.util.Properties;
 
 import javax.activation.CommandMap;
@@ -76,6 +78,14 @@ public class MOAIDAuthInitializer {
         Logger.info("Default java file.encoding: "
                 + System.getProperty("file.encoding"));
 
+        
+		Logger.info("Loading security providers.");
+		IAIK.addAsProvider();
+		
+		
+//		Security.insertProviderAt(new IAIK(), 1);
+//		Security.insertProviderAt(new ECCProvider(), 1);
+        
         //JDK bug workaround according to:
         // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier
         // register content data handlers for S/MIME types
@@ -185,5 +195,4 @@ public class MOAIDAuthInitializer {
         AuthConfigLoader.start();
     }
     
-
 }
 \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
index 27ac16157..1b7b317c1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
@@ -23,9 +23,13 @@
 
 package at.gv.egovernment.moa.id.auth.servlet;
 
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.Security;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
@@ -34,6 +38,7 @@ import java.util.Map;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -351,6 +356,12 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
 		super.init(servletConfig);
 	}
 
+	
+//	public void contextDestroyed(ServletContextEvent arg0) {
+//		Security.removeProvider((new IAIK()).getName());
+//		Security.removeProvider((new ECCProvider()).getName());
+//	}
+	
 	/**
 	 * Set response headers to avoid caching
 	 * 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 7130089ae..ef9b63606 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -2,7 +2,11 @@ package at.gv.egovernment.moa.id.entrypoints;
 
 
 
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+
 import java.io.IOException;
+import java.security.Security;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
@@ -481,7 +485,7 @@ public class DispatcherServlet extends AuthServlet{
 	    }
 
 	}
-
+	
 	@Override
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 			throws ServletException, IOException {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index bef58ab59..dc2330f40 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -124,7 +124,6 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			RequestAbstractType samlReq =  moaRequest.getSamlRequest();
 
 			//String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq));
-			
 			//Logger.info("SAML : " + xml);
 			
 			if(!moaRequest.isVerified()) {
@@ -137,6 +136,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 				throw new MOAIDException("Unsupported request", new Object[] {});
 			}
 			
+			EntityDescriptor metadata = moaRequest.getEntityMetadata();
+			if(metadata == null) {
+				throw new NoMetadataInformationException();
+			}
+			SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+			
 			AuthnRequest authnRequest = (AuthnRequest)samlReq;
 			
 			Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
@@ -144,6 +149,9 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			
 			if(aIdx != null) {
 				assertionidx = aIdx.intValue();
+				
+			} else {				
+				assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
 			}
 			
 			aIdx = authnRequest.getAttributeConsumingServiceIndex();
@@ -153,13 +161,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 				attributeIdx = aIdx.intValue();
 			}
 			
-			EntityDescriptor metadata = moaRequest.getEntityMetadata();
-			if(metadata == null) {
-				throw new NoMetadataInformationException();
-			}
-			SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
 			AssertionConsumerService consumerService  = spSSODescriptor.getAssertionConsumerServices().get(assertionidx);
-			AttributeConsumingService attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+			
+			AttributeConsumingService attributeConsumer = null;
+			
+			if (spSSODescriptor.getAttributeConsumingServices() != null  && 
+					spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+				attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+			} 
 			
 			String oaURL = moaRequest.getEntityMetadata().getEntityID();
 			String binding = consumerService.getBinding();
@@ -176,7 +185,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 						
 			String useMandate = request.getParameter(PARAM_USEMANDATE);
 			if(useMandate != null) {
-				if(useMandate.equals("true")) {
+				if(useMandate.equals("true") && attributeConsumer != null) {
 					if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {
 						throw new MandateAttributesNotHandleAbleException();
 					}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 232ad315f..9319c306b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -27,6 +27,7 @@ import org.opensaml.xml.security.credential.Credential;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.logging.Logger;
 
 public class PostBinding implements IDecoder, IEncoder {
 
@@ -45,6 +46,8 @@ public class PostBinding implements IDecoder, IEncoder {
 			Credential credentials = CredentialProvider
 					.getIDPSigningCredential();
 
+			Logger.debug("create SAML POSTBinding response");
+			
 			// VelocityEngine engine =
 			// VelocityProvider.getClassPathVelocityEngine();
 			VelocityEngine engine = new VelocityEngine();
@@ -67,7 +70,7 @@ public class PostBinding implements IDecoder, IEncoder {
 					.buildObject();
 			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 			service.setLocation(targetLocation);
-			context.setOutboundSAMLMessageSigningCredential(credentials);
+			context.setOutboundSAMLMessageSigningCredential(credentials);			
 			context.setPeerEntityEndpoint(service);
 			// context.setOutboundMessage(authReq);
 			context.setOutboundSAMLMessage(response);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 418c4a60c..78b63e041 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -3,11 +3,13 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
 import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
 import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
@@ -31,6 +33,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
 
 public class RedirectBinding implements IDecoder, IEncoder {
 
@@ -47,6 +51,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
 			Credential credentials = CredentialProvider
 					.getIDPSigningCredential();
 
+			Logger.debug("create SAML RedirectBinding response");
+			
 			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
 			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
 					resp, true);
@@ -84,13 +90,18 @@ public class RedirectBinding implements IDecoder, IEncoder {
 		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
 				TrustEngineFactory.getSignatureKnownKeysTrustEngine());
 
+		SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+		
+		
 		BasicSecurityPolicy policy = new BasicSecurityPolicy();
 		policy.getPolicyRules().add(signatureRule);
+		policy.getPolicyRules().add(signedRole);
+		
 		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
 				policy);
 		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 		messageContext.setSecurityPolicyResolver(resolver);
-
+		
 		decode.decode(messageContext);
 
 		signatureRule.evaluate(messageContext);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 5e8206739..9e2c89583 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -21,6 +21,7 @@ import org.opensaml.saml2.core.RequestedAuthnContext;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.NameIDFormat;
@@ -42,6 +43,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
@@ -55,53 +57,55 @@ import at.gv.egovernment.moa.util.Constants;
 
 public class PVP2AssertionBuilder implements PVPConstants {
 	public static Assertion buildAssertion(AuthnRequest authnRequest,
-			AuthenticationSession authSession, EntityDescriptor peerEntity)
+			AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date)
 			throws MOAIDException {
 		Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
 
 		RequestedAuthnContext reqAuthnContext = authnRequest
 				.getRequestedAuthnContext();
 
-		if (reqAuthnContext == null) {
-			throw new NoAuthContextException();
-		}
-
-		boolean stork_qaa_1_4_found = false;
-
 		AuthnContextClassRef authnContextClassRef = SAML2Utils
 				.createSAMLObject(AuthnContextClassRef.class);
-
-		 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
-				.getAuthnContextClassRefs();
 		
-		 if (reqAuthnContextClassRefIt.size() == 0) {
-			 stork_qaa_1_4_found = true;
+		if (reqAuthnContext == null) {
 			 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
-			 
-		 } else {
-			 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
-				 String qaa_uri = authnClassRef.getAuthnContextClassRef();
-				 if (qaa_uri.trim().equals(STORK_QAA_1_4)
-						 || qaa_uri.trim().equals(STORK_QAA_1_3)
-						 || qaa_uri.trim().equals(STORK_QAA_1_2)
-						 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
-					
-					 if (authSession.isForeigner()) {
-						 //TODO: insert QAA check
-					
-						 stork_qaa_1_4_found = false;
-					
-					 } else {
-						 stork_qaa_1_4_found = true;
-						 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+			
+		} else {
+
+			boolean stork_qaa_1_4_found = false;
+		
+			 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+					.getAuthnContextClassRefs();
+			
+			 if (reqAuthnContextClassRefIt.size() == 0) {
+				 stork_qaa_1_4_found = true;
+				 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+				 
+			 } else {
+				 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+					 String qaa_uri = authnClassRef.getAuthnContextClassRef();
+					 if (qaa_uri.trim().equals(STORK_QAA_1_4)
+							 || qaa_uri.trim().equals(STORK_QAA_1_3)
+							 || qaa_uri.trim().equals(STORK_QAA_1_2)
+							 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+						
+						 if (authSession.isForeigner()) {
+							 //TODO: insert QAA check
+						
+							 stork_qaa_1_4_found = false;
+						
+						 } else {
+							 stork_qaa_1_4_found = true;
+							 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+						 }
+						 break;
 					 }
-					 break;
 				 }
 			 }
-		 }
-
-		if (!stork_qaa_1_4_found) {
-			throw new QAANotSupportedException(STORK_QAA_1_4);
+	
+			if (!stork_qaa_1_4_found) {
+				throw new QAANotSupportedException(STORK_QAA_1_4);
+			}
 		}
 
 //		reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
@@ -133,7 +137,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		AuthnStatement authnStatement = SAML2Utils
 				.createSAMLObject(AuthnStatement.class);
 		String remoteSessionID = SAML2Utils.getSecureIdentifier();
-		authnStatement.setAuthnInstant(new DateTime());
+		authnStatement.setAuthnInstant(date);
 		// currently dummy id ...
 		authnStatement.setSessionIndex(remoteSessionID);
 		authnStatement.setAuthnContext(authnContext);
@@ -142,16 +146,14 @@ public class PVP2AssertionBuilder implements PVPConstants {
 
 		SPSSODescriptor spSSODescriptor = peerEntity
 				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
+		
 		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
 		int idx = 0;
 
 		if (aIdx != null) {
 			idx = aIdx.intValue();
-		}
-
-		AttributeConsumingService attributeConsumingService = spSSODescriptor
-				.getAttributeConsumingServices().get(idx);
+			
+		} 
 
 		AttributeStatement attributeStatement = SAML2Utils
 				.createSAMLObject(AttributeStatement.class);
@@ -195,32 +197,38 @@ public class PVP2AssertionBuilder implements PVPConstants {
 				.buildAuthenticationData(authSession, oaParam,
 						oaParam.getTarget());
 
-		Iterator<RequestedAttribute> it = attributeConsumingService
-				.getRequestAttributes().iterator();
-		while (it.hasNext()) {
-			RequestedAttribute reqAttribut = it.next();
-			try {
-				Attribute attr = PVPAttributeBuilder.buildAttribute(
-						reqAttribut.getName(), authSession, oaParam, authData);
-				if (attr == null) {
+		if (spSSODescriptor.getAttributeConsumingServices() != null && 
+				spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+		
+			AttributeConsumingService attributeConsumingService = spSSODescriptor
+					.getAttributeConsumingServices().get(idx);
+			
+			Iterator<RequestedAttribute> it = attributeConsumingService
+					.getRequestAttributes().iterator();
+			while (it.hasNext()) {
+				RequestedAttribute reqAttribut = it.next();
+				try {
+					Attribute attr = PVPAttributeBuilder.buildAttribute(
+							reqAttribut.getName(), authSession, oaParam, authData);
+					if (attr == null) {
+						if (reqAttribut.isRequired()) {
+							throw new UnprovideableAttributeException(
+									reqAttribut.getName());
+						}
+					} else {
+						attributeStatement.getAttributes().add(attr);
+					}
+				} catch (PVP2Exception e) {
+					Logger.error(
+							"Attribute generation failed! for "
+									+ reqAttribut.getFriendlyName(), e);
 					if (reqAttribut.isRequired()) {
 						throw new UnprovideableAttributeException(
 								reqAttribut.getName());
 					}
-				} else {
-					attributeStatement.getAttributes().add(attr);
-				}
-			} catch (PVP2Exception e) {
-				Logger.error(
-						"Attribute generation failed! for "
-								+ reqAttribut.getFriendlyName(), e);
-				if (reqAttribut.isRequired()) {
-					throw new UnprovideableAttributeException(
-							reqAttribut.getName());
 				}
 			}
 		}
-
 		if (attributeStatement.getAttributes().size() > 0) {
 			assertion.getAttributeStatements().add(attributeStatement);
 		}
@@ -292,8 +300,17 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		SubjectConfirmationData subjectConfirmationData = SAML2Utils
 				.createSAMLObject(SubjectConfirmationData.class);
 		subjectConfirmationData.setInResponseTo(authnRequest.getID());
-		subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
-		subjectConfirmationData.setRecipient(peerEntity.getEntityID());
+		subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5));
+		
+		//TL: change from entityID to destination URL 
+		AssertionConsumerService consumerService = spSSODescriptor
+				.getAssertionConsumerServices().get(idx);
+
+		if (consumerService == null) {
+			throw new InvalidAssertionConsumerServiceException(idx);
+		}
+		
+		subjectConfirmationData.setRecipient(consumerService.getLocation());
 
 		subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
 
@@ -303,12 +320,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		AudienceRestriction audienceRestriction = SAML2Utils
 				.createSAMLObject(AudienceRestriction.class);
 		Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
+		
 		audience.setAudienceURI(peerEntity.getEntityID());
 		audienceRestriction.getAudiences().add(audience);
-		conditions.setNotBefore(new DateTime());
+		conditions.setNotBefore(date);
 		
-		conditions.setNotOnOrAfter(new DateTime().plusMinutes(20));
+		conditions.setNotOnOrAfter(date.plusMinutes(5));
 //		conditions.setNotOnOrAfter(new DateTime());
 		
 		conditions.getAudienceRestrictions().add(audienceRestriction);
@@ -316,12 +333,16 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		assertion.setConditions(conditions);
 
 		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
-		issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+		
+		//TODO: check!
+		//change to entity value from entity name to IDP EntityID (URL)
+		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
 		issuer.setFormat(NameID.ENTITY);
+		
 		assertion.setIssuer(issuer);
 		assertion.setSubject(subject);
 		assertion.setID(SAML2Utils.getSecureIdentifier());
-		assertion.setIssueInstant(new DateTime());
+		assertion.setIssueInstant(date);
 
 		return assertion;
 	}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
index ad664486b..2c4eb15de 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
@@ -15,6 +15,7 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild
 	public String getName() {
 		return MANDATE_REFERENCE_VALUE_NAME;
 	}
+	public Attribute build(AuthenticationSession authSession, 
 	
 	public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
@@ -39,3 +40,29 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild
 		return g.buildEmptyAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME);
 	}
 }
+
+	public Attribute build(AuthenticationSession authSession, 
+			OAAuthParameter oaParam, AuthenticationData authData) throws PVP2Exception {
+		if(authSession.getUseMandate()) {
+			
+//			Element mandate = authSession.getMandate();
+//			if(mandate == null) {
+//				throw new NoMandateDataAvailableException();
+//			}
+//			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+//			if(mandateObject == null) {
+//				throw new NoMandateDataAvailableException();
+//			}
+			
+			return buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, 
+					MANDATE_REFERENCE_VALUE_NAME, authSession.getMandateReferenceValue());
+		}
+		return null;
+		
+	}
+	
+	public Attribute buildEmpty() {
+		return buildemptyAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, 
+				MANDATE_REFERENCE_VALUE_NAME);
+	}
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
new file mode 100644
index 000000000..142227a59
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
@@ -0,0 +1,14 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+import org.opensaml.saml2.core.StatusCode;
+
+public class InvalidAssertionEncryptionException extends PVP2Exception {
+
+	private static final long serialVersionUID = 6513388841485355549L;
+
+	public InvalidAssertionEncryptionException() {
+		super("pvp2.16", new Object[]{});
+		this.statusCodeValue = StatusCode.REQUESTER_URI;
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 1d494c512..0c7dea3c8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,19 +1,47 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
 
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
 
+import org.opensaml.Configuration;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.NameID;
 import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder;
+import org.opensaml.saml2.encryption.Encrypter;
+import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCriteria;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.encryption.EncryptionException;
+import org.opensaml.xml.encryption.EncryptionParameters;
+import org.opensaml.xml.encryption.KeyEncryptionParameters;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.KeyInfo;
 
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -27,6 +55,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -45,37 +76,110 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest();
 		EntityDescriptor peerEntity = obj.getEntityMetadata();
 		
-		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity);
-
+		DateTime date = new DateTime();
+		
+		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity, date);
+		
 		Response authResponse = SAML2Utils.createSAMLObject(Response.class);
 
-
 		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
 		nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
 		nissuer.setFormat(NameID.ENTITY);
 		authResponse.setIssuer(nissuer);
 		authResponse.setInResponseTo(authnRequest.getID());
-		authResponse.getAssertions().add(assertion);
+
+		
+		//SAML2 response required IssueInstant
+		authResponse.setIssueInstant(date);
+		
 		authResponse.setStatus(SAML2Utils.getSuccessStatus());
 
+		SPSSODescriptor spSSODescriptor = peerEntity
+				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+		
 		Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
 		int idx = 0;
 
 		if (aIdx != null) {
 			idx = aIdx.intValue();
+			
+		} else {				
+			idx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
 		}
-		
-		SPSSODescriptor spSSODescriptor = peerEntity
-				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
 
 		AssertionConsumerService consumerService = spSSODescriptor
 				.getAssertionConsumerServices().get(idx);
 
 		if (consumerService == null) {
+			//TODO: maybe use default ConsumerService
+			
 			throw new InvalidAssertionConsumerServiceException(idx);
+			
 		}
 		String oaURL = consumerService.getLocation();
 
+		//check, if metadata includes an encryption key				
+		MetadataCredentialResolver mdCredResolver = 
+				new MetadataCredentialResolver(MOAMetadataProvider.getInstance());
+	
+		CriteriaSet criteriaSet = new CriteriaSet();
+		criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) );
+		criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+		criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) );
+	
+		X509Credential encryptionCredentials = null;
+		try {
+			encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet);
+				
+		} catch (SecurityException e2) {
+			Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2);
+			throw new InvalidAssertionEncryptionException();
+			
+		}
+	
+		if (encryptionCredentials != null) {
+			//encrypt SAML2 assertion
+				
+			try {
+				
+				EncryptionParameters dataEncParams = new EncryptionParameters();
+				dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
+			
+				List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();
+				KeyEncryptionParameters  keyEncParam = new KeyEncryptionParameters();
+			
+				keyEncParam.setEncryptionCredential(encryptionCredentials);
+				keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
+				KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
+						.getKeyInfoGeneratorManager().getDefaultManager()
+						.getFactory(encryptionCredentials);
+				keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+				keyEncParamList.add(keyEncParam);
+			
+				Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); 
+				//samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
+				samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+				
+				EncryptedAssertion encryptAssertion = null;
+				
+				encryptAssertion = samlEncrypter.encrypt(assertion);
+
+				authResponse.getEncryptedAssertions().add(encryptAssertion);
+				
+				} catch (EncryptionException e1) {
+					Logger.warn("Can not encrypt the PVP2 assertion", e1);
+					throw new InvalidAssertionEncryptionException();
+					
+				} 
+
+			} else {
+				authResponse.getAssertions().add(assertion);
+				
+			}
+			
+
+
+		
 		IEncoder binding = null;
 
 		if (consumerService.getBinding().equals(
@@ -101,6 +205,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 			binding.encodeRespone(req, resp, authResponse, oaURL);
 			// TODO add remoteSessionID to AuthSession ExternalPVPSessionStore
 			
+//			Logger logger = new Logger();
+//			logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse)));
+			
+
 			return assertion.getID();
 			
 		} catch (MessageEncodingException e) {
@@ -109,6 +217,15 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		} catch (SecurityException e) {
 			Logger.error("Security exception", e);
 			throw new MOAIDException("pvp2.01", null, e);
+//		} catch (TransformerException e) {
+//			Logger.error("Security exception", e);
+//			throw new MOAIDException("pvp2.01", null, e);
+//		} catch (IOException e) {
+//			Logger.error("Security exception", e);
+//			throw new MOAIDException("pvp2.01", null, e);
+//		} catch (MarshallingException e) {
+//			Logger.error("Security exception", e);
+//			throw new MOAIDException("pvp2.01", null, e);
 		}
 	}
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
index 7bb5b052f..373bca902 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
@@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
+import java.util.List;
 
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
@@ -13,6 +14,8 @@ import org.opensaml.Configuration;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.XMLObjectBuilderFactory;
 import org.opensaml.xml.io.Marshaller;
@@ -77,4 +80,17 @@ public class SAML2Utils {
 		status.setStatusCode(statusCode);
 		return status;
 	}
+	
+	public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) {
+		
+		List<AssertionConsumerService> assertionConsumerList = spSSODescriptor.getAssertionConsumerServices();
+		
+		for (AssertionConsumerService el : assertionConsumerList) {
+			if (el.isDefault())
+				return el.getIndex();
+			
+		}
+		
+		return 0;
+	}
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 628da6773..4823d7629 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -41,6 +41,7 @@ public class SAMLVerificationEngine {
 	
 	public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
 		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+		
 		try {
 		    profileValidator.validate(samlObj.getSignature());
 		} catch (ValidationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index e40d11128..840c3f2be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -209,6 +209,7 @@ public class AuthenticationSessionStoreage {
 				  //Assertion requires an unique artifact
 				  if (result.size() != 1) {
 					 Logger.trace("No entries found.");
+					 tx.rollback();
 				   	throw new MOADatabaseException("No session found with this sessionID");
 				  }
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-23 14:10:24 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-23 14:10:24 +0100
commit	9eb81a78755db5c9735d2a43ee91fb11ce62e58e (patch)
tree	91ed5dd8a8dcb9b6ebb43ec32d782a9bff410405 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa
parent	587971b14627083236df96b8a79f005f92990d75 (diff)
parent	d9550b5e3f24a0f6013502dcc632c4d2730a6749 (diff)
download	moa-id-spss-9eb81a78755db5c9735d2a43ee91fb11ce62e58e.tar.gz moa-id-spss-9eb81a78755db5c9735d2a43ee91fb11ce62e58e.tar.bz2 moa-id-spss-9eb81a78755db5c9735d2a43ee91fb11ce62e58e.zip