add some more escaptions

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-11-27 15:33:37 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-11-27 15:45:37 +0100
commit: f6ef9b2e21af5a55b9f2b360de3cff38c56904d6 (patch)
tree: 71c3e2dcdade53d820655a9b5f1aa1b451278f5f /id/server/idserverlib/src/main/java
parent: 75c7ab602fe14d56217f268ea80e787a5316288a (diff)
download: moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.tar.gz
moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.tar.bz2
moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.zip
8 files changed, 130 insertions, 41 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 5a5d0bcf6..cc716f9f8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -352,6 +352,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 				authData.setBkuURL(session.getGenericDataFromSession(PVPConstants.EID_CCS_URL_NAME, String.class));
 						
 	
+			//TODO: fully switch from STORK QAA to eIDAS LoA
 			//####################################################
 			//set QAA level
 			includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index 19f3fdc54..0397bd501 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -117,7 +117,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
 					config.putCustomParameter("successMsg",
 							MOAIDMessageProvider.getInstance().getMessage("slo.00", null));
 				else
-					config.putCustomParameter("errorMsg", 
+					config.putCustomParameterWithOutEscaption("errorMsg", 
 							MOAIDMessageProvider.getInstance().getMessage("slo.01", null));			
 				guiBuilder.build(resp, config, "Single-LogOut GUI");
 			
@@ -213,7 +213,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
 								DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, 
 								null);					
 						
-						config.putCustomParameter("errorMsg", 
+						config.putCustomParameterWithOutEscaption("errorMsg", 
 								MOAIDMessageProvider.getInstance().getMessage("slo.01", null));		                	
 				
 						guiBuilder.build(resp, config, "Single-LogOut GUI");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
index e0484eb1b..4e7a72da6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
@@ -22,12 +22,19 @@
  */
 package at.gv.egovernment.moa.id.data;
 
+import java.io.Serializable;
+
 /**
  * @author tlenz
  *
  */
-public class EncryptedData {
+public class EncryptedData implements Serializable{
 
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+	
 	private byte[] encData = null;
 	private byte[] iv = null;
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 3770dad2f..bb849a8d0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -659,7 +659,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			        	
 			        } else {
 			        	revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
-			        	config.putCustomParameter("errorMsg", 
+			        	config.putCustomParameterWithOutEscaption("errorMsg", 
 			        			MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
 			        	
 			        }
@@ -690,7 +690,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 						null);
 				
 				revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
-				config.putCustomParameter("errorMsg", 
+				config.putCustomParameterWithOutEscaption("errorMsg", 
 	        			MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
 	        	
 	        	try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
index f17e4a99a..2395b913d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
@@ -38,8 +38,11 @@ import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -106,18 +109,36 @@ public class DBTransactionStorage implements ITransactionStorage {
 			
 		}	
 	}
-	
-	public Object getAssertionStore(String key) throws MOADatabaseException{
-		return searchInDatabase(key);
-	}
-	
+		
 	public Object get(String key) throws MOADatabaseException {
 		  AssertionStore element = searchInDatabase(key);
 		  
 		  if (element == null)
 			  return null;
+		  		  
+		  Object data = SerializationUtils.deserialize(element.getAssertion());
 		  
-		  return SerializationUtils.deserialize(element.getAssertion());
+		//decrypt data if required
+		  Object resultData = null;
+		  if (data instanceof EncryptedData) {
+			  Logger.trace("Find encrypted data. --> Starting decryption process ...");
+			  try {
+				byte[] decData = decryptData((EncryptedData)data);
+				resultData = SerializationUtils.deserialize(decData);
+				
+			  } catch (BuildException e) {
+				  Logger.warn("Transaction information decryption FAILED.", e);
+				  throw new MOADatabaseException("Transaction information decryption FAILED.", e);
+				  
+			  }
+			  		  
+		  } else {
+			  Logger.trace("Find unencrypted data. --> Use it as is");
+			  resultData = data;
+			  
+		  }
+		  
+		  return resultData;
 		
 		
 	}
@@ -141,13 +162,34 @@ public class DBTransactionStorage implements ITransactionStorage {
 	  }
 	  
 	  
-	  //Deserialize Assertion
+	  //Deserialize Assertion	  
 	  Object data = SerializationUtils.deserialize(element.getAssertion());
 	  
+	  //decrypt data if required
+	  Object resultData = null;
+	  if (data instanceof EncryptedData) {
+		  Logger.trace("Find encrypted data. --> Starting decryption process ...");
+		  try {
+			byte[] decData = decryptData((EncryptedData)data);
+			resultData = SerializationUtils.deserialize(decData);
+			
+		  } catch (BuildException e) {
+			  Logger.warn("Transaction information decryption FAILED.", e);
+			  throw new MOADatabaseException("Transaction information decryption FAILED.", e);
+			  
+		  }
+		  		  
+	  } else {
+		  Logger.trace("Find unencrypted data. --> Use it as is");
+		  resultData = data;
+		  
+	  }
+		  
+	  
 	  //check if assertion has the correct class type 
 	  try {
 		  @SuppressWarnings("unchecked")
-		T test = (T) Class.forName(element.getType()).cast(data);
+		T test = (T) Class.forName(element.getType()).cast(resultData);
 		return test;
 		
 	  } catch (Exception e) {
@@ -198,6 +240,17 @@ public class DBTransactionStorage implements ITransactionStorage {
 		}
 	}
 
+	public Object getAssertionStore(String key) throws MOADatabaseException{
+		return searchInDatabase(key);
+		
+	}
+	
+	@Override
+	public void putAssertionStore(Object element) throws MOADatabaseException{
+		entityManager.merge(element);
+		
+	}
+	
 	private void cleanDelete(AssertionStore element) {
 	
 			
@@ -245,30 +298,33 @@ public class DBTransactionStorage implements ITransactionStorage {
 			throw new MOADatabaseException("Transaction-Storage can only store objects which implements the 'Seralizable' interface", null);
 			
 		}	
-		
-		//serialize the Assertion for Database storage
-		byte[] data = SerializationUtils.serialize((Serializable) value);
-		element.setAssertion(data);
-		
-		//store AssertionStore element to Database
-		//try {
+	
+		try {
+			//serialize the Assertion for Database storage
+			byte[] data = SerializationUtils.serialize((Serializable) value);
+			element.setAssertion(encryptData(data));
+
+			//store AssertionStore element to Database
 			entityManager.persist(element);
-			//MOASessionDBUtils.saveOrUpdate(element);
-			Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");
-//			
-//		} catch (MOADatabaseException e) {
-//			Logger.warn("Sessioninformation could not be stored.");
-//			throw new MOADatabaseException(e);
-//			
-//		}
+			Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");			
+			
+		} catch (BuildException e) {
+			Logger.warn("Sessioninformation could not be stored.");
+			throw new MOADatabaseException(e);
+			
+		}
 		
 	}
+	
+	private static byte[] encryptData(byte[] data) throws BuildException {		
+		EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(data);
+		return SerializationUtils.serialize(encdata);
 
-	@Override
-	public void putAssertionStore(Object element) throws MOADatabaseException{
-		// TODO Auto-generated method stub
-		entityManager.merge(element);
-		
+	}
+	
+	private static byte[] decryptData(EncryptedData encdata) throws BuildException {
+		return SessionEncrytionUtil.getInstance().decrypt(encdata);
+						
 	}
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
index 53a7f4f5e..51a36d426 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
@@ -114,6 +114,8 @@ public interface ITransactionStorage {
 	
 	/**
 	 * Get whole AssertionStoreObject, required for SLO
+	 * <br>
+	 * <b>IMPORTANT:</b> This method does NOT decrypt information before storage
 	 * 
 	 * @param key key Id which identifiers the data object
 	 * @return The transaction-data object, or null
@@ -123,6 +125,8 @@ public interface ITransactionStorage {
 	
 	/**
 	 * Put whole AssertionStoreObject to db, required for SLO
+ 	 * <br>
+	 * <b>IMPORTANT:</b> This method does NOT encrypt information before storage
 	 * 
 	 * @param element assertion store object
 	 */
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
index b0d166951..84d40f619 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
@@ -22,9 +22,6 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.util;
 
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
@@ -35,19 +32,26 @@ import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 
-
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
 import at.gv.egovernment.moa.id.data.EncryptedData;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
 
 public abstract class AbstractEncrytionUtil {
-	protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+	//protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+	
+	protected static final String CIPHER_MODE = "AES/GCM/NoPadding";
+	public static final int GCM_NONCE_LENGTH = 12; // in bytes
+	public static final int GCM_TAG_LENGTH = 16; // in bytes
+	
 	protected static final String KEYNAME = "AES";
 
 	private SecretKey secret = null;
@@ -114,8 +118,15 @@ public abstract class AbstractEncrytionUtil {
 		
 		if (secret != null) {
 			try {
-				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
-			    cipher.init(Cipher.ENCRYPT_MODE, secret);
+				final byte[] nonce = Random.nextBytes(GCM_NONCE_LENGTH);
+				
+//				final byte[] nonce = new byte[GCM_NONCE_LENGTH];				
+//				SecureRandom.getInstanceStrong().nextBytes(nonce);
+		        
+				GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce);
+		        
+				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");				
+			    cipher.init(Cipher.ENCRYPT_MODE, secret, spec);
 				
 			    Logger.debug("Encrypt MOASession");
 			    
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
index ac2b3c415..38c384c3a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
@@ -151,6 +151,16 @@ public class Random {
 		
   }
   
+/**
+ * Creates a new random byte[]
+ * 	
+ * @param size Size of random number in byte
+ * @return
+ */
+public static byte[] nextBytes(int size) {
+	return  nextByteRandom(size);
+	
+}
   
   public static void seedRandom() {
 	  
@@ -165,7 +175,7 @@ public class Random {
   /**
    * Generate a new random number
    * 
-   * @param size Size of random number in bits
+   * @param size Size of random number in byte
    * @return
    */
   private static synchronized byte[] nextByteRandom(int size) {
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-11-27 15:33:37 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-11-27 15:45:37 +0100
commit	f6ef9b2e21af5a55b9f2b360de3cff38c56904d6 (patch)
tree	71c3e2dcdade53d820655a9b5f1aa1b451278f5f /id/server/idserverlib/src/main/java
parent	75c7ab602fe14d56217f268ea80e787a5316288a (diff)
download	moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.tar.gz moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.tar.bz2 moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.zip