aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-01-24 11:32:38 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-01-24 11:32:38 +0100
commit653fd79254188db598c0b980640fab912c9e39f7 (patch)
tree9130bdec833580cba2146b41bbf4b744edec1795 /id/server/idserverlib/src/main/java
parent1f46df486fbab558fb3e935dfed160f26e698ac0 (diff)
downloadmoa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.tar.gz
moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.tar.bz2
moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.zip
--use differend keys for SAML2 metadata signing and SAML2 assertion signing
-- move oAuth idToken generation to OAuth20AuthAction, because MOASession does not exits anymore in OAuth20TokenAction if no SSO is used.
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java96
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java84
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java25
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java58
10 files changed, 177 insertions, 132 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
index 4c7d1a37b..d5dd70c11 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.id.protocols.oauth20;
import java.io.Serializable;
+import java.util.Map;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -15,7 +16,7 @@ public class OAuth20SessionObject implements Serializable {
private String code;
- private String authDataSession;
+ private Map<String, Object> authDataSession;
public String getScope() {
return scope;
@@ -40,12 +41,12 @@ public class OAuth20SessionObject implements Serializable {
this.code = code;
}
- public String getAuthDataSession() {
+ public Map<String, Object> getAuthDataSession() {
return authDataSession;
}
- public void setAuthDataSession(String authDataSession) {
- this.authDataSession = authDataSession;
+ public void setAuthDataSession(Map<String, Object> idToken) {
+ this.authDataSession = idToken;
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 17649487a..a5c8bb16e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -1,18 +1,33 @@
package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+import java.security.SignatureException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
+import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.Random;
@@ -23,27 +38,24 @@ class OAuth20AuthAction implements IAction {
public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
AuthenticationSession moasession) throws MOAIDException {
- OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;
-
- // OAAuthParameter oaParam =
- // AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
- // AuthenticationData authData =
- // AuthenticationServer.buildAuthenticationData(moasession, oaParam,
- // oAuthRequest.getTarget());
-
+ OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;
String responseType = oAuthRequest.getResponseType();
- AuthenticationSession session = null;
String code = Random.nextRandom();
try {
-
+
+ String accessToken = UUID.randomUUID().toString();
+
Logger.debug("Stored session with id: " + code);
OAuth20SessionObject o = new OAuth20SessionObject();
if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) {
o.setScope(oAuthRequest.getScope());
o.setCode(code);
- o.setAuthDataSession(moasession.getSessionID());
+
+ //generate idToken from MOASession
+ Map<String, Object> idToken = generateIDToken(o, oAuthRequest, moasession, accessToken);
+ o.setAuthDataSession(idToken);
} else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) {
throw new OAuth20ResponseTypeException();
@@ -65,6 +77,8 @@ class OAuth20AuthAction implements IAction {
String finalUrl = redirectURI;
httpResp.addHeader("Location", finalUrl);
Logger.debug("REDIRECT TO: " + finalUrl.toString());
+
+ return accessToken;
}
catch (Exception e) {
@@ -79,7 +93,65 @@ class OAuth20AuthAction implements IAction {
throw new OAuth20ServerErrorException();
}
- return null;
+ }
+
+ private Map<String, Object> generateIDToken(OAuth20SessionObject auth20SessionObject,
+ OAuth20AuthRequest oAuthRequest, AuthenticationSession moasession, String accessToken) throws SignatureException, MOAIDException {
+
+ // create response
+ Map<String, Object> params = new HashMap<String, Object>();
+ params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
+ params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
+ params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
+
+ // build id token and scope
+ Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
+ moasession);
+ Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
+ params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
+ Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
+ params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
+
+ return params;
+
+ }
+
+ private Pair<String, String> buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, AuthenticationSession session)
+ throws MOAIDException, SignatureException {
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
+ AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget());
+
+ OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer());
+ OAuthJsonToken token = new OAuthJsonToken(signer);
+
+ StringBuilder resultScopes = new StringBuilder();
+ // always fill with open id
+ OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData);
+ resultScopes.append("openId");
+
+ for (String s : scope.split(" ")) {
+ if (s.equalsIgnoreCase("profile")) {
+ OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData);
+ resultScopes.append(" profile");
+ } else if (s.equalsIgnoreCase("eID")) {
+ OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData);
+ resultScopes.append(" eID");
+ } else if (s.equalsIgnoreCase("eID_gov")) {
+ OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData);
+ resultScopes.append(" eID_gov");
+ } else if (s.equalsIgnoreCase("mandate")) {
+ OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData);
+ resultScopes.append(" mandate");
+ }
+ // TODO parser STORK
+ }
+
+ // add properties and sign
+ // HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id",
+ // "super_secure_pwd".getBytes());
+ // Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config());
+
+ return Pair.newInstance(token.serializeAndSign(), resultScopes.toString());
}
/*
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
index b975b5594..f3638d63e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
@@ -1,35 +1,19 @@
package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
-import java.security.SignatureException;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
-import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
-import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException;
-import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
-import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
-import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.logging.Logger;
import com.google.gson.JsonObject;
@@ -61,38 +45,10 @@ class OAuth20TokenAction implements IAction {
} else {
Logger.debug("Loaded of OAuth20SessionObject was successful");
}
-
-
- Logger.debug("Load MOASession from database");
- AuthenticationSession session = AuthenticationSessionStoreage.getSession(auth20SessionObject.getAuthDataSession());
- if (session == null) {
- Logger.warn("NO MOASession found with SessionID " + auth20SessionObject.getAuthDataSession());
- throw new OAuth20UnauthorizedClientException();
-
- } else {
- Logger.debug("Loading of MOASession was successful.");
-
- }
-
- final String accessToken = UUID.randomUUID().toString();
-
- // create response
- Map<String, Object> params = new HashMap<String, Object>();
- params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
- params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
- params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
-
- // build id token and scope
- Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
- session);
- Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
- params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
- Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
- params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
// create response
JsonObject jsonObject = new JsonObject();
- OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
+ OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession());
String jsonResponse = jsonObject.toString();
Logger.debug("JSON Response: " + jsonResponse);
@@ -137,43 +93,5 @@ class OAuth20TokenAction implements IAction {
public String getDefaultActionName() {
return OAuth20Protocol.TOKEN_ACTION;
}
-
- private Pair<String, String> buildIdToken(String scope, OAuth20TokenRequest oAuthRequest, AuthenticationSession session)
- throws MOAIDException, SignatureException {
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
- AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget());
-
- OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer());
- OAuthJsonToken token = new OAuthJsonToken(signer);
-
- StringBuilder resultScopes = new StringBuilder();
- // always fill with open id
- OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData);
- resultScopes.append("openId");
- for (String s : scope.split(" ")) {
- if (s.equalsIgnoreCase("profile")) {
- OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData);
- resultScopes.append(" profile");
- } else if (s.equalsIgnoreCase("eID")) {
- OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData);
- resultScopes.append(" eID");
- } else if (s.equalsIgnoreCase("eID_gov")) {
- OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData);
- resultScopes.append(" eID_gov");
- } else if (s.equalsIgnoreCase("mandate")) {
- OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData);
- resultScopes.append(" mandate");
- }
- // TODO parser STORK
- }
-
- // add properties and sign
- // HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id",
- // "super_secure_pwd".getBytes());
- // Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config());
-
- return Pair.newInstance(token.serializeAndSign(), resultScopes.toString());
- }
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index e6a8c9661..1c7b1c718 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -78,17 +78,10 @@ public class MetadataAction implements IAction {
keyInfoFactory.setEmitEntityIDAsKeyName(true);
keyInfoFactory.setEmitEntityCertificate(true);
KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
-
- Credential credential = CredentialProvider
- .getIDPSigningCredential();
-
- KeyDescriptor signKeyDescriptor = SAML2Utils
- .createSAMLObject(KeyDescriptor.class);
- signKeyDescriptor.setUse(UsageType.SIGNING);
- signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
-
+
+ Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
Signature signature = CredentialProvider
- .getIDPSignature(credential);
+ .getIDPSignature(metadataSigningCredential);
idpEntitiesDescriptor.setSignature(signature);
@@ -139,9 +132,17 @@ public class MetadataAction implements IAction {
idpSSODescriptor.getArtifactResolutionServices().add(
artifactResolutionService);
}*/
+
+ //set assertion signing key
+ Credential assertionSigingCredential = CredentialProvider
+ .getIDPAssertionSigningCredential();
+ KeyDescriptor signKeyDescriptor = SAML2Utils
+ .createSAMLObject(KeyDescriptor.class);
+ signKeyDescriptor.setUse(UsageType.SIGNING);
+ signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential));
idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
-
+
idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes());
NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
@@ -184,7 +185,7 @@ public class MetadataAction implements IAction {
String metadataXML = sw.toString();
- System.out.println("METADATA: " + metadataXML);
+ //System.out.println("METADATA: " + metadataXML);
httpResp.setContentType("text/xml");
httpResp.getOutputStream().write(metadataXML.getBytes());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
index c486d3ff2..57fa50384 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
@@ -37,7 +37,7 @@ public class ArtifactBinding implements IDecoder, IEncoder {
throws MessageEncodingException, SecurityException {
try {
Credential credentials = CredentialProvider
- .getIDPSigningCredential();
+ .getIDPAssertionSigningCredential();
Signature signer = CredentialProvider.getIDPSignature(credentials);
response.setSignature(signer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 9319c306b..625782cab 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -44,7 +44,7 @@ public class PostBinding implements IDecoder, IEncoder {
try {
Credential credentials = CredentialProvider
- .getIDPSigningCredential();
+ .getIDPAssertionSigningCredential();
Logger.debug("create SAML POSTBinding response");
@@ -103,7 +103,7 @@ public class PostBinding implements IDecoder, IEncoder {
RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
.getInboundMessage();
-
+
MOARequest request = new MOARequest(inboundMessage);
request.setVerified(false);
request.setEntityMetadata(messageContext.getPeerEntityMetadata());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 78b63e041..0fd639c1b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -49,7 +49,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
throws MessageEncodingException, SecurityException {
try {
Credential credentials = CredentialProvider
- .getIDPSigningCredential();
+ .getIDPAssertionSigningCredential();
Logger.debug("create SAML RedirectBinding response");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 3974e7fd5..1cfb0103e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -65,7 +65,7 @@ public class SoapBinding implements IDecoder, IEncoder {
throws MessageEncodingException, SecurityException, PVP2Exception {
try {
Credential credentials = CredentialProvider
- .getIDPSigningCredential();
+ .getIDPAssertionSigningCredential();
HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder();
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 116d3b740..b41331dab 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -46,10 +46,15 @@ public class PVPConfiguration {
public static final String PVP2_POST = "/pvp2/post";
public static final String PVP_CONFIG_FILE = "pvp2config.properties";
+
public static final String IDP_JAVAKEYSTORE = "idp.ks.file";
- public static final String IDP_KEYALIAS = "idp.ks.alias";
public static final String IDP_KS_PASS = "idp.ks.kspassword";
- public static final String IDP_KEY_PASS = "idp.ks.keypassword";
+
+ public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias";
+ public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword";
+
+ public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias";
+ public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword";
public static final String IDP_ISSUER_NAME = "idp.issuer.name";
@@ -115,17 +120,25 @@ public class PVPConfiguration {
public String getIDPKeyStoreFilename() {
return props.getProperty(IDP_JAVAKEYSTORE);
}
-
+
public String getIDPKeyStorePassword() {
return props.getProperty(IDP_KS_PASS);
}
- public String getIDPKeyAlias() {
- return props.getProperty(IDP_KEYALIAS);
+ public String getIDPKeyAliasMetadata() {
+ return props.getProperty(IDP_KEYALIASMETADATA);
+ }
+
+ public String getIDPKeyPasswordMetadata() {
+ return props.getProperty(IDP_KEY_PASSMETADATA);
+ }
+
+ public String getIDPKeyAliasAssertionSign() {
+ return props.getProperty(IDP_KEYALIASASSERTION);
}
- public String getIDPKeyPassword() {
- return props.getProperty(IDP_KEY_PASS);
+ public String getIDPKeyPasswordAssertionSign() {
+ return props.getProperty(IDP_KEY_PASSASSERTION);
}
public String getIDPIssuerName() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
index cf0f48f1c..511caa908 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
@@ -1,6 +1,8 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPrivateKey;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
@@ -13,35 +15,73 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.KeyStoreUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
public class CredentialProvider {
- public static Credential getIDPSigningCredential()
+
+ private static KeyStore keyStore = null;
+
+ public static Credential getIDPMetaDataSigningCredential()
throws CredentialsNotAvailableException {
- KeyStore keyStore;
PVPConfiguration config = PVPConfiguration.getInstance();
try {
- keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
- config.getIDPKeyStorePassword());
+
+ if (keyStore == null)
+ keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
+ config.getIDPKeyStorePassword());
KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
- keyStore, config.getIDPKeyAlias(), config
- .getIDPKeyPassword().toCharArray());
+ keyStore, config.getIDPKeyAliasMetadata(), config
+ .getIDPKeyPasswordMetadata().toCharArray());
credentials.setUsageType(UsageType.SIGNING);
return credentials;
} catch (Exception e) {
- Logger.error("Failed to generate IDP Signing credentials");
+ Logger.error("Failed to generate IDP Metadata Signing credentials");
e.printStackTrace();
throw new CredentialsNotAvailableException(e.getMessage(), null);
}
}
+ public static Credential getIDPAssertionSigningCredential()
+ throws CredentialsNotAvailableException {
+ PVPConfiguration config = PVPConfiguration.getInstance();
+ try {
+ if (keyStore == null)
+ keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
+ config.getIDPKeyStorePassword());
+
+ KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
+ keyStore, config.getIDPKeyAliasAssertionSign(), config
+ .getIDPKeyPasswordAssertionSign().toCharArray());
+
+ credentials.setUsageType(UsageType.SIGNING);
+ return credentials;
+ } catch (Exception e) {
+ Logger.error("Failed to generate IDP Assertion Signing credentials");
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ }
+ }
+
public static Signature getIDPSignature(Credential credentials) {
+
+ PrivateKey privatekey = credentials.getPrivateKey();
+
Signature signer = SAML2Utils.createSAMLObject(Signature.class);
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
- signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+
+ if (privatekey instanceof RSAPrivateKey) {
+ signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+
+ } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
+ signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
+
+ }
+
+ signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signer.setSigningCredential(credentials);
return signer;
+
}
public static Credential getSPTrustedCredential(String entityID)