aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2013-09-05 09:46:38 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-09-05 09:46:38 +0200
commite3667b6ccf1ae70a8c93b0af7a5bcf505831b073 (patch)
tree85f74fd2bcf1745dfc8537db7c5c7d2468b46a75 /id/server/idserverlib/src/main/java/at
parentcf5cf7c5baa823329d38e764ea53efe8f291d367 (diff)
parenteb33e9afb53314c8ab1e0854c587a808e8605fad (diff)
downloadmoa-id-spss-e3667b6ccf1ae70a8c93b0af7a5bcf505831b073.tar.gz
moa-id-spss-e3667b6ccf1ae70a8c93b0af7a5bcf505831b073.tar.bz2
moa-id-spss-e3667b6ccf1ae70a8c93b0af7a5bcf505831b073.zip
Merge branch 'moa2_0_tlenz' of https://gitlab.iaik.tugraz.at/afitzek/moa-idspss into moa2_0_tlenz
Conflicts: id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java55
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java27
6 files changed, 99 insertions, 14 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 89adbce3f..ff2cee559 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -2301,9 +2301,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {
try {
- //TODO: resign the IdentityLink!!!
-
-
if (session.getUseMandate() && session.isOW()) {
MISMandate mandate = session.getMISMandate();
authData.setBPK(mandate.getOWbPK());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
index 6004f251f..1624a59c0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
@@ -25,10 +25,13 @@
package at.gv.egovernment.moa.id.auth.parser;
import java.io.ByteArrayInputStream;
+import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;
@@ -157,6 +160,7 @@ public class CreateXMLSignatureResponseParser {
Element dsigSignatureNode = (Element) list.item(0);
Element dsigSignatureElement = (Element) dsigSignatureNode;
+
cResp.setDsigSignature(dsigSignatureElement);
}
catch (Throwable t) {
@@ -201,6 +205,11 @@ public class CreateXMLSignatureResponseParser {
SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()];
samlAttributes.toArray(result);
cResp.setSamlAttributes(result);
+
+ NodeList list = sigResponse_.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ Element dsigSignatureNode = (Element) list.item(0);
+ cResp.setDsigSignature(dsigSignatureNode);
+
}
catch (Throwable t) {
throw new ParseException("parser.01", new Object[] { t.toString()}, t);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
index 4ddad2429..2c957603b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
@@ -151,6 +151,8 @@ public class VerifyXMLSignatureResponseParser {
VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse();
try {
+
+ String s = DOMUtils.serializeNode(verifyXMLSignatureResponse);
respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,""));
Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH);
respData.setQualifiedCertificate(e!=null);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index d0fb1f87f..b2ef2d000 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -24,9 +24,14 @@
package at.gv.egovernment.moa.id.auth.validator;
+import java.util.Calendar;
+import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
+import javax.xml.bind.DatatypeConverter;
+
+import org.jaxen.SimpleNamespaceContext;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
@@ -59,11 +64,25 @@ public class CreateXMLSignatureResponseValidator {
/** Xpath expression to the dsig:Signature element */
private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature";
- //private static final String XADES_SIGNINGTIME_PATH = Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime";
-
+ private static final String XADES_1_1_1_SIGNINGTIME_PATH = "//" + Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime";
+ private static final String XADES_1_3_2_SIGNINGTIME_PATH = "//" + Constants.XADES_1_3_2_NS_PREFIX + ":SigningTime";
+
+
+ private static final long MAX_DIFFERENCE_IN_MILLISECONDS = 600000; // 10min
+
/** Singleton instance. <code>null</code>, if none has been created. */
private static CreateXMLSignatureResponseValidator instance;
+ private static SimpleNamespaceContext NS_CONTEXT;
+ static {
+ NS_CONTEXT = new SimpleNamespaceContext();
+ NS_CONTEXT.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI);
+ NS_CONTEXT.addNamespace(Constants.XADES_1_2_2_NS_PREFIX, Constants.XADES_1_2_2_NS_URI);
+ NS_CONTEXT.addNamespace(Constants.XADES_1_3_2_NS_PREFIX, Constants.XADES_1_3_2_NS_URI);
+ NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI);
+ }
+
+
/**
* Constructor for a singleton CreateXMLSignatureResponseValidator.
* @return an instance of CreateXMLSignatureResponseValidator
@@ -550,8 +569,36 @@ public class CreateXMLSignatureResponseValidator {
public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {
- //TODO: insert Time validation!!!!
-
+ Element dsigSignatureElement = csresp.getDsigSignature();
+ if (dsigSignatureElement == null) {
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+ }
+ else {
+ Element signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_1_1_SIGNINGTIME_PATH);
+ if (signingTimeElem == null) {
+ signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_3_2_SIGNINGTIME_PATH);
+ if (signingTimeElem == null)
+ throw new ValidateException("validator.68", null) ;
+ }
+
+
+ String signingTimeStr = signingTimeElem.getTextContent();
+ if (signingTimeStr == null)
+ throw new ValidateException("validator.68", null) ;
+
+ Calendar signingTimeCal = DatatypeConverter.parseDate(signingTimeStr);
+ Calendar serverTimeCal = new GregorianCalendar();
+
+ long diff = Math.abs(signingTimeCal.getTimeInMillis() - serverTimeCal.getTimeInMillis());
+
+ if (diff > MAX_DIFFERENCE_IN_MILLISECONDS)
+ throw new ValidateException("validator.69", new Object[] {"mehr als " + MAX_DIFFERENCE_IN_MILLISECONDS + " Millisekunden"}) ;
+
+ Logger.debug("Compare \"" + signingTimeCal.getTime() + "\" (SigningTime) with \"" + serverTimeCal.getTime() + "\" (server time)");
+
+
+ }
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index bc53a876c..28288815a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -830,6 +830,23 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return prop;
}
+ public boolean isIdentityLinkResigning() {
+ String prop = props.getProperty("configuration.resignidentitylink", "false");
+ if (Boolean.valueOf(prop))
+ return true;
+ else
+ return false;
+ }
+
+ public String getIdentityLinkResigningKey() {
+ String prop = props.getProperty("configuration.resignidentitylink.keygroup");
+
+ if (MiscUtil.isNotEmpty(prop))
+ return prop;
+ else
+ return null;
+ }
+
/**
* Retruns the STORK Configuration
* @return STORK Configuration
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index fec2d2b35..ee0b4e7e2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
@@ -193,14 +194,26 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
.getAuthBlock() : "";
//set IdentityLink for assortion
- String ilAssertion = saml1parameter.isProvideIdentityLink() ? authData.getIdentityLink()
- .getSerializedSamlAssertion()
- : "";
- if (!saml1parameter.isProvideStammzahl()) {
- ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()
- .getIdentificationValue(), "");
+ String ilAssertion = "";
+ if (saml1parameter.isProvideIdentityLink()) {
+ if (session.getBusinessService()) {
+ IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();
+
+ Element resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink()
+ .getSamlAssertion());
+
+ ilAssertion = DOMUtils.serializeNode(resignedilAssertion);
+
+ } else {
+ ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
+
+ if (!saml1parameter.isProvideStammzahl())
+ ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()
+ .getIdentificationValue(), "");
+
+ }
}
-
+
String samlAssertion;
if (session.getUseMandate()) {