aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at
diff options
context:
space:
mode:
authorAlexander Marsalek <amarsalek@iaik.tugraz.at>2014-09-04 13:35:57 +0200
committerAlexander Marsalek <amarsalek@iaik.tugraz.at>2014-09-04 13:35:57 +0200
commitc9685e638ee5de0d049c8f58fd91848c2dc8a0ba (patch)
tree110bcbb0463868a39eba0880336ff32cc545034e /id/server/idserverlib/src/main/java/at
parent33b76e7bb23d8772b3a2533aadd0c3313af4b29f (diff)
parentc109c1e86a228bd3b3ed49b97e182b3cd2136d00 (diff)
downloadmoa-id-spss-c9685e638ee5de0d049c8f58fd91848c2dc8a0ba.tar.gz
moa-id-spss-c9685e638ee5de0d049c8f58fd91848c2dc8a0ba.tar.bz2
moa-id-spss-c9685e638ee5de0d049c8f58fd91848c2dc8a0ba.zip
Merge branch 'merge' into moa-2.1-Snapshot
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java461
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java94
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java46
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java36
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java127
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java30
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java70
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java93
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java98
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java157
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java71
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java132
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java2
37 files changed, 1341 insertions, 317 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 33fed945b..d06298efa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1845,7 +1845,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget();
String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();
String spApplication = spInstitution;
- String spCountry = "AT";
+ String spCountry = "AT"; // intentionally set AT - the flow is limited on that use case only
//generate AuthnRquest
STORKAuthnRequest authnRequest = new STORKAuthnRequest();
@@ -1855,7 +1855,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authnRequest.setIssuer(issuerValue);
authnRequest.setQaa(oaParam.getQaaLevel());
authnRequest.setSpInstitution(spInstitution);
- authnRequest.setCountry(spCountry);
+ authnRequest.setSpCountry(spCountry);
authnRequest.setSpApplication(spApplication);
authnRequest.setSpSector(spSector);
authnRequest.setPersonalAttributeList(attributeList);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 4cec99b9a..db8b4dd80 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -164,5 +164,6 @@ public interface MOAIDAuthConstants {
}
});
+ public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 17d6898ee..ed2cd3ecb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -24,20 +24,26 @@ package at.gv.egovernment.moa.id.auth.builder;
import iaik.x509.X509Certificate;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.security.PrivateKey;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
-import java.util.GregorianCalendar;
+import java.util.Iterator;
import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
-import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
-import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.xml.XMLObject;
@@ -45,9 +51,14 @@ import org.opensaml.xml.security.SecurityException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-import eu.stork.peps.auth.commons.PersonalAttribute;
-import eu.stork.peps.auth.commons.PersonalAttributeList;
-
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
@@ -76,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
@@ -149,7 +161,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
-
}
InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
@@ -239,11 +250,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
attributs = reqQueryAttr;
//IDP is a service provider IDP and request interfederated IDP to collect attributes
- } else {
-
- //TODO: check if response include attributes and map this attributes to requested attributes
- //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
-
+ } else {
//get PVP 2.1 attributes from protocol specific requested attributes
attributs = req.getRequestedAttributes();
@@ -255,44 +262,56 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
}
+
+
+ //TODO: check if response include attributes and map this attributes to requested attributes
+ //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
+ Response intfResp = (Response) req.getInterfederationResponse().getResponse();
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor(intfResp);
- //build attributQuery request
- AttributeQuery query =
- AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
+ if (!extractor.containsAllRequiredAttributes()) {
+ //build attributQuery request
+ AttributeQuery query =
+ AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
- //build SOAP request
- List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+ //build SOAP request
+ List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
- if (xmlObjects.size() == 0) {
- Logger.error("Receive emptry AttributeQuery response-body.");
- throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
+ if (xmlObjects.size() == 0) {
+ Logger.error("Receive emptry AttributeQuery response-body.");
+ throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
- }
+ }
- if (xmlObjects.get(0) instanceof Response) {
- Response intfResp = (Response) xmlObjects.get(0);
+ if (xmlObjects.get(0) instanceof Response) {
+ intfResp = (Response) xmlObjects.get(0);
- //validate PVP 2.1 response
- try {
- SAMLVerificationEngine engine = new SAMLVerificationEngine();
- engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ //validate PVP 2.1 response
+ try {
+ SAMLVerificationEngine engine = new SAMLVerificationEngine();
+ engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
- SAMLVerificationEngine.validateAssertion(intfResp, false);
+ SAMLVerificationEngine.validateAssertion(intfResp, false);
- } catch (Exception e) {
- Logger.warn("PVP 2.1 assertion validation FAILED.", e);
- throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ } catch (Exception e) {
+ Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+ throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ }
+
+ } else {
+ Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+ throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+
}
- //parse response information to authData
- buildAuthDataFormInterfederationResponse(authdata, session, intfResp);
-
- } else {
- Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
- throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+ //create assertion attribute extractor from AttributeQuery response
+ extractor = new AssertionAttributeExtractor(intfResp);
}
-
+ //parse response information to authData
+ buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);
+
} catch (SOAPException e) {
throw new BuildException("builder.06", null, e);
@@ -314,146 +333,280 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
- private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session,
- Response intfResp) throws BuildException, AssertionAttributeExtractorExeption {
+ private static void buildAuthDataFormInterfederationResponse(
+ AuthenticationData authData,
+ AuthenticationSession session,
+ AssertionAttributeExtractor extractor,
+ IOAAuthParameters oaParam)
+ throws BuildException, AssertionAttributeExtractorExeption {
Logger.debug("Build AuthData from assertion starts ....");
- Assertion assertion = intfResp.getAssertions().get(0);
+ authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME));
+ authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME));
+ authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME));
+ authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME));
+ authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME));
+ authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME));
+ authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME));
+ authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME));
- if (assertion.getAttributeStatements().size() == 0) {
- Logger.warn("Can not build AuthData from Assertion. NO Attributes included.");
- throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null);
-
+ if (extractor.containsAttribute(PVPConstants.BPK_NAME)) {
+ String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME);
+ authData.setBPK(pvpbPK.split(":")[1]);
}
- AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
- for (Attribute attr : attrStat.getAttributes()) {
-
- if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME))
- authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME))
- authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME))
- authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.BPK_NAME)) {
- String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent();
- authData.setBPK(pvpbPK.split(":")[1]);
- }
-
- if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))
- authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
- authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
- attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME))
- authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) {
+ List<String> encbPKList = Arrays.asList(
+ extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";"));
+ authData.setEncbPKList(encbPKList);
+ for (String fullEncbPK : encbPKList) {
+ int index = fullEncbPK.indexOf("|");
+ if (index >= 0) {
+ String encbPK = fullEncbPK.substring(index+1);
+ String second = fullEncbPK.substring(0, index);
+ int secIndex = second.indexOf("+");
+ if (secIndex >= 0) {
+ if (oaParam.getTarget().equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + oaParam.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ if (MiscUtil.isEmpty(authData.getBPK())) {
+ authData.setBPK(bPK);
+ authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+ Logger.info("bPK decryption process finished successfully.");
+ }
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
+
+ } else {
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
+
+ }
+ }
+ }
+ }
+ }
+
+ if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) {
+ Logger.error("Federated assertion include no bPK or encrypted bPK");
+ throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME
+ + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME);
- if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME))
- authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
+ authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
+ extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) {
+ try {
+ byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false);
+ authData.setAuthBlock(new String(authBlock, "UTF-8"));
- if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) {
- try {
- byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
- authData.setAuthBlock(new String(authBlock, "UTF-8"));
+ } catch (IOException e) {
+ Logger.error("Received AuthBlock is not valid", e);
- } catch (IOException e) {
- Logger.error("Received AuthBlock is not valid", e);
-
- }
}
-
- if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
- try {
- authData.setSignerCertificate(Base64Utils.decode(
- attr.getAttributeValues().get(0).getDOM().getTextContent(), false));
-
- } catch (IOException e) {
- Logger.error("Received SignerCertificate is not valid", e);
-
- }
- }
-
- if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME))
- authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME))
- authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) {
- try {
- InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
- IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
- authData.setIdentityLink(idl);
-
- } catch (ParseException e) {
- Logger.error("Received IdentityLink is not valid", e);
-
- } catch (Exception e) {
- Logger.error("Received IdentityLink is not valid", e);
-
- }
- }
-
- if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME))
- authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
-
- if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
- try {
- byte[] mandate = Base64Utils.decode(
- attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
-
- if (authData.getMISMandate() == null)
- authData.setMISMandate(new MISMandate());
- authData.getMISMandate().setMandate(mandate);
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
+ try {
+ authData.setSignerCertificate(Base64Utils.decode(
+ extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false));
+
+ } catch (IOException e) {
+ Logger.error("Received SignerCertificate is not valid", e);
+
+ }
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) {
+ try {
+ InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false);
+ IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
+ authData.setIdentityLink(idl);
+
+ } catch (ParseException e) {
+ Logger.error("Received IdentityLink is not valid", e);
+
+ } catch (Exception e) {
+ Logger.error("Received IdentityLink is not valid", e);
- authData.setUseMandate(true);
-
- } catch (Exception e) {
- Logger.error("Received Mandate is not valid", e);
- throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
-
- }
}
-
- if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) {
+ }
+
+
+ // set mandate attributes
+ authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
+ try {
+ byte[] mandate = Base64Utils.decode(
+ (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false);
+
if (authData.getMISMandate() == null)
authData.setMISMandate(new MISMandate());
- authData.getMISMandate().setProfRep(
- attr.getAttributeValues().get(0).getDOM().getTextContent());
+ authData.getMISMandate().setMandate(mandate);
+ authData.getMISMandate().setFullMandateIncluded(true);
+ authData.setUseMandate(true);
+
+ } catch (Exception e) {
+ Logger.error("Received Mandate is not valid", e);
+ throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
- }
+ }
+ }
+
+ //TODO: build short mandate if full mandate is no included.
+ if (authData.getMISMandate() == null &&
+ (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) {
+ Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... ");
+
+ MISMandate misMandate = new MISMandate();
+ misMandate.setFullMandateIncluded(false);
+
+ Mandate mandateObject = new Mandate();
+ Mandator mandator = new Mandator();
+ mandateObject.setMandator(mandator);
+
+ //build legal person short mandate
+ if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) {
+ Logger.debug("Build short mandate for legal person ...");
+ CorporateBodyType legalperson = new CorporateBodyType();
+ IdentificationType legalID = new IdentificationType();
+ Value idvalue = new Value();
+ legalID.setValue(idvalue );
+ legalperson.getIdentification().add(legalID );
+ mandator.setCorporateBody(legalperson );
+
+ legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME));
+ legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME));
+ idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME));
+
+ //build natural person short mandate
+ } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) ||
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) {
+ Logger.debug("Build short mandate for natural person ...");
+ PhysicalPersonType physPerson = new PhysicalPersonType();
+ PersonNameType persName = new PersonNameType();
+ mandator.setPhysicalPerson(physPerson );
+ physPerson.setName(persName );
+ FamilyName familyName = new FamilyName();
+ persName.getFamilyName().add(familyName );
+ IdentificationType persID = new IdentificationType();
+ physPerson.getIdentification().add(persID );
+ Value idValue = new Value();
+ persID.setValue(idValue );
+
+ String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" ");
+ for(int i=0; i<pvp2GivenName.length; i++)
+ persName.getGivenName().add(pvp2GivenName[i]);
+ familyName.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME));
+ physPerson.setDateOfBirth(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) {
+ persID.setType(Constants.URN_PREFIX_BASEID);
+ idValue.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME));
+
+ } else {
+ String[] pvp2bPK = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":");
+ if (pvp2bPK.length == 2) {
+ idValue.setValue(pvp2bPK[1]);
+
+ Pattern pattern = Pattern.compile(MOAIDAuthConstants.REGEX_PATTERN_TARGET);
+ Matcher matcher = pattern.matcher(pvp2bPK[0]);
+ if (matcher.matches())
+ persID.setType(Constants.URN_PREFIX_CDID + "+" + pvp2bPK[0]);
+ else
+ persID.setType(Constants.URN_PREFIX_WBPK + "+" + pvp2bPK[0]);
- if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) {
- authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent());
- authData.setForeigner(true);
+ } else {
+ Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME));
+ throw new AssertionAttributeExtractorExeption("Receive mandator bPK from federation with an unsupported format.");
+
+ }
+ }
+
+ } else {
+ Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary.");
+ throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null);
+
}
- if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {
+ try {
+ JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_");
+ Marshaller m = jc.createMarshaller();
+ ByteArrayOutputStream stream = new ByteArrayOutputStream();
+ m.marshal(mandateObject, stream);
+ misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes());
+ stream.close();
+
+ } catch (JAXBException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new AssertionAttributeExtractorExeption();
- if (authData.getStorkAttributes() == null)
- authData.setStorkAttributes(new PersonalAttributeList());
+ } catch (IOException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new AssertionAttributeExtractorExeption();
- List<String> storkAttrValues = new ArrayList<String>();
- storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent());
- PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),
- false, storkAttrValues , "Available");
- authData.getStorkAttributes().put(attr.getName(), storkAttr );
- authData.setForeigner(true);
- }
-
+ }
+ authData.setUseMandate(true);
+
}
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) {
+ if (authData.getMISMandate() == null)
+ authData.setMISMandate(new MISMandate());
+ authData.getMISMandate().setProfRep(
+ extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME));
+
+ }
+
+
+ //set STORK attributes
+ if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) {
+ authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME));
+ authData.setForeigner(true);
+
+ }
+
+ if (!extractor.getSTORKAttributes().isEmpty()) {
+ authData.setStorkAttributes(extractor.getSTORKAttributes());
+ authData.setForeigner(true);
+
+ }
+
authData.setSsoSession(true);
- if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
- authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate());
+ if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null)
+ authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate());
//only for SAML1
if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 20641ca7c..b122ba17e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -46,13 +46,27 @@
package at.gv.egovernment.moa.id.auth.builder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
+import java.io.UnsupportedEncodingException;
+import java.security.InvalidKeyException;
import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
/**
* Builder for the bPK, as defined in
@@ -135,6 +149,58 @@ public class BPKBuilder {
}
}
+ public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
+ MiscUtil.assertNotNull(bpk, "BPK");
+ MiscUtil.assertNotNull(publicKey, "publicKey");
+
+ SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
+ if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+ target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ String input = "V1::urn:publicid:gv.at:cdid+" + target + "::"
+ + bpk + "::"
+ + sdf.format(new Date());
+ System.out.println(input);
+ byte[] result;
+ try {
+ byte[] inputBytes = input.getBytes("ISO-8859-1");
+ result = encrypt(inputBytes, publicKey);
+ return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", "");
+
+ } catch (Exception e) {
+ throw new BuildException("bPK encryption FAILED", null, e);
+ }
+ }
+
+ public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException {
+ MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK");
+ MiscUtil.assertNotNull(privateKey, "Private key");
+ String decryptedString;
+ try {
+ byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1");
+ byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
+ decryptedString = new String(decryptedBytes, "ISO-8859-1");
+
+ } catch (Exception e) {
+ throw new BuildException("bPK decryption FAILED", null, e);
+ }
+ String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
+ String sector = tmp.substring(0, tmp.indexOf("::"));
+ tmp = tmp.substring(tmp.indexOf("::") + 2);
+ String bPK = tmp.substring(0, tmp.indexOf("::"));
+
+ if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+ target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ if (target.equals(sector))
+ return bPK;
+
+ else {
+ Logger.error("Decrypted bPK does not match to request bPK target.");
+ return null;
+ }
+ }
+
/**
* Builds the storkeid from the given parameters.
*
@@ -214,6 +280,34 @@ public class BPKBuilder {
throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex);
}
}
+
+ private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+ byte[] result;
+ Cipher cipher = null;
+ try {
+ cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+ } catch(NoSuchAlgorithmException e) {
+ cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+ }
+ cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+ result = cipher.doFinal(inputBytes);
+
+ return result;
+ }
+
+ private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey)
+ throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{
+ byte[] result;
+ Cipher cipher = null;
+ try {
+ cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+ } catch(NoSuchAlgorithmException e) {
+ cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+ }
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
+ result = cipher.doFinal(encryptedBytes);
+ return result;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
new file mode 100644
index 000000000..69802d7e6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.exception;
+
+/**
+ * @author tlenz
+ *
+ */
+public class DatabaseEncryptionException extends MOAIDException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 6387519847869308880L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ * @param wrapped
+ */
+ public DatabaseEncryptionException(String messageId, Object[] parameters,
+ Throwable wrapped) {
+ super(messageId, parameters, wrapped);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index ff5e62d96..e3f32d59d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -133,7 +133,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
String targetConfig = oaParam.getTarget();
String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
- if (StringUtils.isEmpty(targetConfig)) {
+ if (StringUtils.isEmpty(targetConfig)
+ || (module.equals(SAML1Protocol.PATH) &&
+ !StringUtils.isEmpty(target))) {
// no target attribut is given in OA config
// target is used from request
// check parameter
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 397eebd9b..ade7d3f3c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -223,7 +223,7 @@ public class PEPSConnectorServlet extends AuthServlet {
moaSession.setUseMandate("true");
// and check if we have the gender value
- PersonalAttribute gender = attributeList.get("gender");
+ PersonalAttribute gender = attributeList.get("gender"); // TODO Do we need to check gender value if there is no representation case?
if(null == gender) {
String gendervalue = (String) request.getParameter("gender");
if(null != gendervalue) {
@@ -244,7 +244,7 @@ public class PEPSConnectorServlet extends AuthServlet {
//extract signed doc element and citizen signature
String citizenSignature = null;
try {
- String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+ String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 6fc1d28c1..a62de27fc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return prop;
}
+ /**
+ * @return
+ */
+ public String getMOAConfigurationEncryptionKey() {
+ String prop = props.getProperty("configuration.moaconfig.key");
+ if (MiscUtil.isEmpty(prop))
+ return null;
+ else
+ return prop;
+ }
+
public boolean isIdentityLinkResigning() {
String prop = props.getProperty("configuration.resignidentitylink.active", "false");
return Boolean.valueOf(prop);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index 6398de34f..4c6519b57 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.config.auth;
+import java.security.PrivateKey;
import java.util.List;
import java.util.Map;
@@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
/**
* @author tlenz
@@ -149,4 +151,6 @@ public interface IOAAuthParameters {
List<String> getTestCredentialOIDs();
+ PrivateKey getBPKDecBpkDecryptionKey();
+
} \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index f58fe2495..673d23373 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -46,11 +46,15 @@
package at.gv.egovernment.moa.id.config.auth;
+import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.SerializationUtils;
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin;
import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType;
@@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
import at.gv.egovernment.moa.id.config.ConfigurationUtils;
import at.gv.egovernment.moa.id.config.OAParameter;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil;
import at.gv.egovernment.moa.id.util.FormBuildUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -555,4 +562,33 @@ public List<String> getTestCredentialOIDs() {
return null;
}
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters()
+ */
+@Override
+public PrivateKey getBPKDecBpkDecryptionKey() {
+
+ try {
+ EncryptedData encdata = new EncryptedData(
+ oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(),
+ oa_auth.getEncBPKInformation().getBPKDecryption().getIv());
+ byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata);
+ BPKDecryptionParameters data =
+ (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData);
+
+ return data.getPrivateKey();
+
+ } catch (BuildException e) {
+ // TODO Auto-generated catch block
+ Logger.error("Can not decrypt key information for bPK decryption", e);
+
+ } catch (NullPointerException e) {
+ Logger.error("No keyInformation found for bPK decryption");
+
+ }
+ return null;
+
+}
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java
new file mode 100644
index 000000000..787a480f0
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Serializable;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+
+import org.apache.commons.lang.SerializationUtils;
+
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+
+
+/**
+ * @author tlenz
+ *
+ */
+public class BPKDecryptionParameters implements Serializable{
+
+ private static final long serialVersionUID = 1L;
+
+ private byte[] keyStore = null;
+ private String keyStorePassword = null;
+ private String keyAlias = null;
+ private String keyPassword = null;
+
+ /**
+ * @return
+ */
+ public PrivateKey getPrivateKey() {
+ try {
+ InputStream in = new ByteArrayInputStream(keyStore);
+ KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword);
+
+ char[] chPassword = " ".toCharArray();
+ if (keyPassword != null)
+ chPassword = keyPassword.toCharArray();
+
+// Certificate test = store.getCertificate(keyAlias);
+// Base64Utils.encode(test.getPublicKey().getEncoded());
+
+ return (PrivateKey) store.getKey(keyAlias, chPassword);
+
+
+ } catch (KeyStoreException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (IOException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (UnrecoverableKeyException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ }
+
+ return null;
+ }
+
+ public byte[] serialize() {
+ return SerializationUtils.serialize(this);
+
+ }
+
+ /**
+ * @param keyStore the keyStore to set
+ */
+ public void setKeyStore(byte[] keyStore) {
+ this.keyStore = keyStore;
+ }
+
+ /**
+ * @param keyStorePassword the keyStorePassword to set
+ */
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStorePassword = keyStorePassword;
+ }
+
+ /**
+ * @param keyAlias the keyAlias to set
+ */
+ public void setKeyAlias(String keyAlias) {
+ this.keyAlias = keyAlias;
+ }
+
+ /**
+ * @param keyPassword the keyPassword to set
+ */
+ public void setKeyPassword(String keyPassword) {
+ this.keyPassword = keyPassword;
+ }
+
+
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index eddf605a6..7dbdcfa52 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.config.auth.data;
+import java.security.PrivateKey;
import java.util.List;
import java.util.Map;
@@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
return null;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters()
+ */
+ @Override
+ public PrivateKey getBPKDecBpkDecryptionKey() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 5685977bc..6fd327add 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -27,6 +27,7 @@ import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
+import java.util.List;
import org.w3c.dom.Element;
@@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable {
private byte[] signerCertificate = null;
private String authBlock = null;
-
+ private List<String> encbPKList = null;
+
+
private boolean useMandate = false;
private MISMandate mandate = null;
private String mandateReferenceValue = null;
@@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable {
this.ssoSessionValidTo = ssoSessionValidTo;
}
+ /**
+ * @return the encbPKList
+ */
+ public List<String> getEncbPKList() {
+ return encbPKList;
+ }
+
+ /**
+ * @param encbPKList the encbPKList to set
+ */
+ public void setEncbPKList(List<String> encbPKList) {
+ this.encbPKList = encbPKList;
+ }
+
+
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java
new file mode 100644
index 000000000..da6840fd7
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.data;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EncryptedbPK {
+ private String vkz = null;
+ private String target = null;
+ private String encbPK = null;
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 7e421da0f..8ce33021d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.data;
import java.util.Date;
+import java.util.List;
import org.w3c.dom.Element;
@@ -62,6 +63,8 @@ public interface IAuthData {
String getBkuURL();
+ List<String> getEncbPKList();
+
IdentityLink getIdentityLink();
byte[] getSignerCertificate();
String getAuthBlock();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 0d34fcb87..1e38bd4ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{
info = ModulStorage.getModuleByPath(protocolRequest.requestedModule());
moduleAction = info.getAction(protocolRequest.requestedAction());
- //create interfederated mOASession
+ //create interfederated MOASession
String sessionID =
AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId);
req.getParameterMap().put(PARAM_SESSIONID, sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 8f9417096..daa70efce 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -49,6 +49,7 @@ import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
@@ -252,8 +253,8 @@ public class AuthenticationManager extends AuthServlet {
VelocityContext context = new VelocityContext();
context.put("redirectURLs", sloReqList);
- context.put("$timeoutURL", timeOutURL);
- context.put("$timeout", SLOTIMEOUT);
+ context.put("timeoutURL", timeOutURL);
+ context.put("timeout", SLOTIMEOUT);
ssomanager.printSingleLogOutInfo(context, httpResp);
@@ -284,7 +285,7 @@ public class AuthenticationManager extends AuthServlet {
Logger.error("MOA AssertionDatabase ERROR", e);
if (pvpReq != null) {
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
}else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index 46e02d048..b22941216 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction {
if (MiscUtil.isEmpty(ssoID)) {
Logger.warn("Can not find active Session. Single LogOut not possible!");
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
@@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction {
} catch (MOADatabaseException e) {
Logger.warn("Can not find active Session. Single LogOut not possible!");
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
@@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction {
((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) {
Logger.debug("Process Single LogOut response");
LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse();
-
+
+ Transaction tx = null;
+
try {
String relayState = pvpReq.getRequest().getRelayState();
if (MiscUtil.isEmpty(relayState)) {
@@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction {
//TODO: add counter to prevent deadlock
while (!storageSuccess) {
- Transaction tx = session.beginTransaction();
+ tx = session.beginTransaction();
List result;
Query query = session.getNamedQuery("getAssertionWithArtifact");
@@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction {
try {
session.delete(element);
tx.commit();
-
+
} catch(HibernateException e) {
tx.rollback();
Logger.error("SLOContainter could not deleted from database. ");
@@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction {
Logger.error("Finale SLO redirct not possible.", e);
throw new AuthenticationException("pvp2.13", new Object[]{});
+ } finally {
+ if (tx != null && !tx.wasCommitted()) {
+ tx.commit();
+
+ }
}
+
+
} else {
Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse.");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 7f73b1ed7..1a268c812 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder {
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(req));
try {
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
-
+ //set metadata descriptor type
+ if (isSPEndPoint) {
+ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService()));
+
+ } else {
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
+ }
+
} catch (ConfigurationException e) {
throw new SecurityException(e);
}
messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
-
- //set metadata descriptor type
- if (isSPEndPoint)
- messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- else
- messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
-
+
decode.decode(messageContext);
InboundMessage msg = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 26f6f3a62..587d8e935 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder {
HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
new BasicParserPool());
+ BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ messageContext
+ .setInboundMessageTransport(new HttpServletRequestAdapter(req));
+
try {
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ //set metadata descriptor type
+ if (isSPEndPoint) {
+ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService()));
+
+ } else {
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ }
} catch (ConfigurationException e) {
throw new SecurityException(e);
}
-
- BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
- messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(req));
-
+
messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
@@ -198,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
}
public boolean handleDecode(String action, HttpServletRequest req) {
- return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod()
- .equals("GET"));
+ return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT))
+ && req.getMethod().equals("GET"));
}
public String getSAML2BindingName() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index f0eafe272..a2583c706 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
@@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class SoapBinding implements IDecoder, IEncoder {
@@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder {
new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(
- req));
-
+ req));
+ //messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
+
soapDecoder.decode(messageContext);
Envelope inboundMessage = (Envelope) messageContext
@@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder {
if (!xmlElemList.isEmpty()) {
SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0);
- MOARequest request = new MOARequest(attrReq, getSAML2BindingName());
- request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
+ MOARequest request = new MOARequest(attrReq, getSAML2BindingName());
+
+ if (messageContext.getPeerEntityMetadata() != null)
+ request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
+
+ else if (attrReq instanceof RequestAbstractType) {
+ RequestAbstractType attributeRequest = (RequestAbstractType) attrReq;
+ try {
+ if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) &&
+ MOAMetadataProvider.getInstance().getRole(
+ attributeRequest.getIssuer().getValue(),
+ SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null)
+ request.setEntityID(attributeRequest.getIssuer().getValue());
+
+ } catch (Exception e) {
+ Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue());
+ }
+ }
+
request.setVerified(false);
return request;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index eeb1dd104..01139d95c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -213,12 +213,13 @@ public class SingleLogOutBuilder {
}
-
+ DateTime now = new DateTime();
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
- sloReq.setIssueInstant(new DateTime());
+ sloReq.setIssueInstant(now);
+ sloReq.setNotOnOrAfter(now.plusMinutes(5));
sloReq.setDestination(sloInfo.getServiceURL());
@@ -230,14 +231,17 @@ public class SingleLogOutBuilder {
return sloReq;
}
- public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
+ public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);
Status status = SAML2Utils.createSAMLObject(Status.class);
StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
- statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setValue(firstLevelStatusCode);
statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null));
+ StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class);
+ secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setStatusCode(secondLevelCode);
status.setStatusCode(statusCode);
status.setStatusMessage(statusMessage);
sloResp.setStatus(status);
@@ -255,8 +259,11 @@ public class SingleLogOutBuilder {
status = SAML2Utils.createSAMLObject(Status.class);
StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
- statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setValue(StatusCode.SUCCESS_URI);
statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null));
+ StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class);
+ secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setStatusCode(secondLevelCode);
status.setStatusCode(statusCode);
status.setStatusMessage(statusMessage);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
index 3dd1dd064..a38446826 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
@@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
public class BPKAttributeBuilder implements IPVPAttributeBuilder {
@@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder {
String bpk = authData.getBPK();
String type = authData.getBPKType();
+ if (MiscUtil.isEmpty(bpk))
+ throw new UnavailableAttributeException(BPK_NAME);
+
if (type.startsWith(Constants.URN_PREFIX_WBPK))
type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
- else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ else if (type.startsWith(Constants.URN_PREFIX_CDID))
+ type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
if (bpk.length() > BPK_MAX_LENGTH) {
bpk = bpk.substring(0, BPK_MAX_LENGTH);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java
index e8aeb8fcd..29d6df040 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java
@@ -27,6 +27,7 @@ import java.io.IOException;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -40,6 +41,10 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder {
IAttributeGenerator<ATT> g) throws AttributeException {
try {
String ilAssertion = null;
+
+ if (authData.getIdentityLink() == null)
+ throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME);
+
ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
index 7f52e1d47..463658a3d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
@@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder {
@@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder {
}
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
- IAttributeGenerator<ATT> g) throws AttributeException {
+ IAttributeGenerator<ATT> g) throws AttributeException {
String bpktype = authData.getBPKType();
+
+ if (MiscUtil.isEmpty(authData.getBPKType()))
+ throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME);
+
return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME,
EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java
index a8b703fc2..16de43e11 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java
@@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
public class EIDSourcePIN implements IPVPAttributeBuilder {
@@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder {
throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
else {
+ if (MiscUtil.isEmpty(authData.getIdentificationValue()))
+ throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME);
+
return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue());
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java
new file mode 100644
index 000000000..b3256ac9a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
+
+ public String getName() {
+ return ENC_BPK_LIST_NAME;
+ }
+
+ public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+
+ if (authData.getEncbPKList() != null &&
+ authData.getEncbPKList().size() > 0) {
+ String value = authData.getEncbPKList().get(0);
+ for (int i=1; i<authData.getEncbPKList().size(); i++)
+ value += ";"+authData.getEncbPKList().get(i);
+
+ return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
+ value);
+
+ }
+
+ throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
+
+// String encbpk = "XXX01234567890XXX";
+// String type = "Bereich";
+// String vkz = "Verfahrenskennzeichen";
+//
+// //TODO: implement encrypted bPK support
+//
+// Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk);
+//
+// return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
+// vkz + "+" + type + "|" + encbpk);
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
index 670398ff6..790c1e8ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if (authData.isUseMandate()) {
- if (authData.getMandate() != null) {
+ //only provide full mandate if it is included.
+ //In case of federation only a short mandate could be include
+ if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) {
String fullMandate;
try {
fullMandate = DOMUtils.serializeNode(authData
@@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
Logger.error("Failed to generate Full Mandate", e);
}
}
+ throw new NoMandateDataAttributeException();
+
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index ee0088576..a16fed9cd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -22,15 +22,25 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.Subject;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.PersonalAttributeList;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -38,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class AssertionAttributeExtractor {
private Assertion assertion = null;
+ private Map<String, String> attributs = new HashMap<String, String>();
+ private PersonalAttributeList storkAttributes = new PersonalAttributeList();
+
+ private final List<String> minimalAttributeNameList = Arrays.asList(
+ PVPConstants.PRINCIPAL_NAME_NAME,
+ PVPConstants.GIVEN_NAME_NAME,
+ PVPConstants.BIRTHDATE_NAME);
+
public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption {
if (samlResponse != null && samlResponse instanceof Response) {
@@ -48,12 +66,79 @@ public class AssertionAttributeExtractor {
else if (assertions.size() > 1)
Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used.");
- assertion = assertions.get(0);
-
+ assertion = assertions.get(0);
+
+ if (assertion.getAttributeStatements() != null &&
+ assertion.getAttributeStatements().size() > 0) {
+ AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
+ for (Attribute attr : attrStat.getAttributes()) {
+ if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {
+ List<String> storkAttrValues = new ArrayList<String>();
+ storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),
+ false, storkAttrValues , "Available");
+ storkAttributes.put(attr.getName(), storkAttr );
+
+ } else
+ attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent());
+ }
+
+ }
+
} else
throw new AssertionAttributeExtractorExeption();
}
+ /**
+ * check attributes from assertion with minimal required attribute list
+ * @return
+ */
+ public boolean containsAllRequiredAttributes() {
+ return containsAllRequiredAttributes(minimalAttributeNameList);
+
+ }
+
+ /**
+ * check attributes from assertion with attributeNameList
+ * bPK or enc_bPK is always needed
+ *
+ * @param List of attributes which are required
+ *
+ * @return
+ */
+ public boolean containsAllRequiredAttributes(List<String> attributeNameList) {
+
+ //first check if a bPK or an encrypted bPK is available
+ if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) ||
+ (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) {
+ boolean flag = true;
+ for (String attr : attributeNameList) {
+ if (!attributs.containsKey(attr))
+ flag = false;
+ }
+
+ return flag;
+
+ }
+ return false;
+
+ }
+
+ public boolean containsAttribute(String attributeName) {
+ return attributs.containsKey(attributeName);
+
+ }
+
+ public String getAttribute(String attributeName) {
+ return attributs.get(attributeName);
+
+ }
+
+ public PersonalAttributeList getSTORKAttributes() {
+ return storkAttributes;
+ }
+
+
public String getNameID() throws AssertionAttributeExtractorExeption {
if (assertion.getSubject() != null) {
Subject subject = assertion.getSubject();
@@ -99,6 +184,10 @@ public class AssertionAttributeExtractor {
throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");
}
+ public Assertion getFullAssertion() {
+ return assertion;
+ }
+
private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {
List<AuthnStatement> authnList = assertion.getAuthnStatements();
if (authnList.size() == 0)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 08f40f888..7d3c72630 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -22,15 +22,22 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.saml1;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.Marshaller;
+import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import com.sun.xml.bind.marshaller.NamespacePrefixMapper;
+
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
@@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.util.xsd.persondata.IdentificationType;
+import at.gv.util.xsd.persondata.IdentificationType.Value;
+import at.gv.util.xsd.persondata.PersonNameType;
+import at.gv.util.xsd.persondata.PersonNameType.FamilyName;
+import at.gv.util.xsd.persondata.PhysicalPersonType;
public class SAML1AuthenticationServer extends AuthenticationServer {
@@ -185,30 +197,82 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
//set prPersion
boolean provideStammzahl = saml1parameter.isProvideStammzahl()
|| oaParam.getBusinessService();
- String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(),
- provideStammzahl);
- //set Authblock
- String authBlock = saml1parameter.isProvideAUTHBlock() ? authData
- .getAuthBlock() : "";
-
- //set IdentityLink for assortion
+ String prPerson = "";
String ilAssertion = "";
- if (saml1parameter.isProvideIdentityLink()) {
- ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
-
- if (!provideStammzahl)
- ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()
- .getIdentificationValue(), "");
- }
-
+ if (authData.getIdentityLink() != null) {
+ prPerson = new PersonDataBuilder().build(authData.getIdentityLink(),
+ provideStammzahl);
- String samlAssertion;
+ //set IdentityLink for assortion
+ if (saml1parameter.isProvideIdentityLink()) {
+ ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
+
+ if (!provideStammzahl)
+ ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()
+ .getIdentificationValue(), "");
+ }
+ } else {
+ Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. ");
+ PhysicalPersonType person = new PhysicalPersonType();
+ PersonNameType name = new PersonNameType();
+ person.setName(name);
+ FamilyName familyName = new FamilyName();
+ name.getFamilyName().add(familyName );
+ IdentificationType id = new IdentificationType();
+ person.getIdentification().add(id );
+ Value value = new Value();
+ id.setValue(value );
+
+ id.setType(Constants.URN_PREFIX_BASEID);
+ value.setValue("");
+ familyName.setValue(authData.getFamilyName());
+ familyName.setPrimary("undefined");
+ name.getGivenName().add(authData.getGivenName());
+ person.setDateOfBirth(authData.getFormatedDateOfBirth());
+
+ JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata");
+ Marshaller m = jc.createMarshaller();
+ m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
+
+ m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() {
+ public String getPreferredPrefix(String arg0, String arg1, boolean arg2) {
+ if (Constants.PD_NS_URI.equals(arg0))
+ return Constants.PD_PREFIX;
+ else
+ return arg1;
+ }
+ });
+
+ ByteArrayOutputStream stream = new ByteArrayOutputStream();
+ m.marshal(
+ new JAXBElement<PhysicalPersonType>(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person),
+ stream);
+ prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8"));
+ stream.close();
+
+
+
+ }
+
+ //set Authblock
+ String authBlock = "";
+ if (authData.getAuthBlock() != null) {
+ authBlock = saml1parameter.isProvideAUTHBlock() ? authData.getAuthBlock() : "";
+
+ } else {
+ Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available");
+
+ }
+ String samlAssertion;
if (authData.isUseMandate()) {
List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA();
- if (saml1parameter.isProvideFullMandatorData()) {
+ //only provide full mandate if it is included.
+ //In case of federation only a short mandate could be include
+ if (saml1parameter.isProvideFullMandatorData()
+ && authData.getMISMandate().isFullMandateIncluded()) {
try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
index 139c438f9..baa91a854 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
@@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction {
httpResp.reset();
this.representingIdentityLink = authData.getIdentityLink();
+
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL());
if (oaParam == null)
throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()});
@@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction {
}
if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType());
+ Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)");
+ Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() + ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue());
throw new MOAIDException("stork.20", new Object[]{}); // TODO
}
@@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction {
represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute));
} else if (mandateContainer instanceof PhyPersonMandateContainer) {
PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer;
- represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE
+ represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer));
represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName());
represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName());
represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 350c4e9da..a9f5ed60a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage {
private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException {
byte[] serialized = SerializationUtils.serialize(session);
- EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized);
+ EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized);
dbsession.setSession(encdata.getEncData());
dbsession.setIv(encdata.getIv());
}
@@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage {
private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException {
EncryptedData encdata = new EncryptedData(dbsession.getSession(),
dbsession.getIv());
- byte[] decrypted = SessionEncrytionUtil.decrypt(encdata);
+ byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata);
return (AuthenticationSession) SerializationUtils.deserialize(decrypted);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
new file mode 100644
index 000000000..f246c55e1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
@@ -0,0 +1,157 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public abstract class AbstractEncrytionUtil {
+ protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+ protected static final String KEYNAME = "AES";
+
+ private SecretKey secret = null;
+
+ public AbstractEncrytionUtil() throws DatabaseEncryptionException {
+ initialize(getKey(), getSalt());
+ }
+
+ protected abstract String getSalt();
+ protected abstract String getKey();
+
+ protected void initialize(String key, String salt) throws DatabaseEncryptionException {
+ try {
+ if (MiscUtil.isNotEmpty(key)) {
+ if (MiscUtil.isEmpty(salt))
+ salt = "TestSalt";
+
+ PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
+ SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
+ PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
+
+ SecureRandom random = new SecureRandom();
+ KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
+
+ PBEKeyAndParameterSpec parameterSpec =
+ new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
+ salt.getBytes(),
+ 2000,
+ 16);
+
+ pbkdf2.init(parameterSpec, random);
+ SecretKey derivedKey = pbkdf2.generateKey();
+
+ SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
+ SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
+ secret = kf.generateSecret(spec);
+
+ } else {
+ Logger.error("Database encryption can not initialized. No key found!");
+
+ }
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (NoSuchProviderException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (InvalidKeySpecException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (InvalidAlgorithmParameterException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ }
+ }
+
+ public EncryptedData encrypt(byte[] data) throws BuildException {
+ Cipher cipher;
+
+ if (secret != null) {
+ try {
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.ENCRYPT_MODE, secret);
+
+ Logger.debug("Encrypt MOASession");
+
+ byte[] encdata = cipher.doFinal(data);
+ byte[] iv = cipher.getIV();
+
+ return new EncryptedData(encdata, iv);
+
+ } catch (Exception e) {
+ Logger.warn("MOASession is not encrypted",e);
+ throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
+ }
+ } else
+ return new EncryptedData(data, null);
+ }
+
+ public byte[] decrypt(EncryptedData data) throws BuildException {
+ Cipher cipher;
+
+ if (secret != null) {
+ try {
+ IvParameterSpec iv = new IvParameterSpec(data.getIv());
+
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.DECRYPT_MODE, secret, iv);
+
+ Logger.debug("Decrypt MOASession");
+ return cipher.doFinal(data.getEncData());
+
+ } catch (Exception e) {
+ Logger.warn("MOASession is not decrypted",e);
+ throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
+ }
+ } else
+ return data.getEncData();
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
new file mode 100644
index 000000000..10221604c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil {
+
+ private static ConfigurationEncrytionUtil instance = null;
+ private static String key = null;
+
+ public static ConfigurationEncrytionUtil getInstance() {
+ if (instance == null) {
+ try {
+ key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey();
+ instance = new ConfigurationEncrytionUtil();
+
+ } catch (Exception e) {
+ Logger.warn("MOAConfiguration encryption initialization FAILED.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ private ConfigurationEncrytionUtil() throws DatabaseEncryptionException {
+ super();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Configuration-Salt";
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
index acc2a7273..8660f7c09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
@@ -22,110 +22,50 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.util;
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
-import java.security.SecureRandom;
-import java.security.spec.KeySpec;
-
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.logging.Logger;
-public class SessionEncrytionUtil {
-
- private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
- private static final String KEYNAME = "AES";
-
- static private SecretKey secret = null;
+public class SessionEncrytionUtil extends AbstractEncrytionUtil {
- static {
- try {
- String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
-
- if (key != null) {
-
- PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
- SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
- PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
-
-
- SecureRandom random = new SecureRandom();
- KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
-
- PBEKeyAndParameterSpec parameterSpec =
- new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
- "TestSALT".getBytes(),
- 2000,
- 16);
-
- pbkdf2.init(parameterSpec, random);
- SecretKey derivedKey = pbkdf2.generateKey();
-
- SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
- SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
- secret = kf.generateSecret(spec);
-
- } else {
- Logger.warn("MOASession encryption is deaktivated.");
- }
-
- } catch (Exception e) {
- Logger.warn("MOASession encryption can not be inizialized.", e);
- }
-
- }
+ private static SessionEncrytionUtil instance = null;
+ private static String key = null;
- public static EncryptedData encrypt(byte[] data) throws BuildException {
- Cipher cipher;
-
- if (secret != null) {
+ public static SessionEncrytionUtil getInstance() {
+ if (instance == null) {
try {
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.ENCRYPT_MODE, secret);
-
- Logger.debug("Encrypt MOASession");
-
- byte[] encdata = cipher.doFinal(data);
- byte[] iv = cipher.getIV();
-
- return new EncryptedData(encdata, iv);
-
+ key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
+ instance = new SessionEncrytionUtil();
+
} catch (Exception e) {
- Logger.warn("MOASession is not encrypted",e);
- throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
- }
- } else
- return new EncryptedData(data, null);
+ Logger.warn("MOASession encryption can not be inizialized.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ private SessionEncrytionUtil() throws DatabaseEncryptionException {
+ super();
}
- public static byte[] decrypt(EncryptedData data) throws BuildException {
- Cipher cipher;
-
- if (secret != null) {
- try {
- IvParameterSpec iv = new IvParameterSpec(data.getIv());
-
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.DECRYPT_MODE, secret, iv);
-
- Logger.debug("Decrypt MOASession");
- return cipher.doFinal(data.getEncData());
-
- } catch (Exception e) {
- Logger.warn("MOASession is not decrypted",e);
- throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
- }
- } else
- return data.getEncData();
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Session-Salt";
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
index f7785d2c2..20cabaf4d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -70,6 +70,7 @@ public class MISMandate implements Serializable{
private String oid = null;
private byte[] mandate = null;
private String owBPK = null;
+ private boolean isFullMandateIncluded = false;
public String getProfRep() {
return oid;
@@ -109,5 +110,18 @@ public class MISMandate implements Serializable{
}
}
+ /**
+ * @return the isFullMandateIncluded
+ */
+ public boolean isFullMandateIncluded() {
+ return isFullMandateIncluded;
+ }
+ /**
+ * @param isFullMandateIncluded the isFullMandateIncluded to set
+ */
+ public void setFullMandateIncluded(boolean isFullMandateIncluded) {
+ this.isFullMandateIncluded = isFullMandateIncluded;
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index aaf793987..15b2a89b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -145,6 +145,8 @@ public class MISSimpleClient {
//misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate)));
misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes()));
+ misMandate.setFullMandateIncluded(true);
+
foundMandates.add(misMandate);
}
return foundMandates;