aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2013-06-05 10:51:23 +0200
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2013-06-05 10:51:23 +0200
commitbdc7311ce86c6d39c3ff96b38c33b36ee6a28d1d (patch)
tree4f72690ba50d39b68f7e692ff2d1cad28f8d87f1 /id/server/idserverlib/src
parent7489cb6721d99d997679fc7905f40acb7b296e98 (diff)
downloadmoa-id-spss-bdc7311ce86c6d39c3ff96b38c33b36ee6a28d1d.tar.gz
moa-id-spss-bdc7311ce86c6d39c3ff96b38c33b36ee6a28d1d.tar.bz2
moa-id-spss-bdc7311ce86c6d39c3ff96b38c33b36ee6a28d1d.zip
SAML Attribute Constants, Dynamic Attribute building system, Take metadata attributes into account for authnResponse
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java230
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java62
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java59
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java42
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java32
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java75
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java74
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java56
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java3
29 files changed, 922 insertions, 30 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
index 54d96ee2e..5f59b6f9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
@@ -131,6 +131,7 @@ public class StartAuthenticationServlet extends AuthServlet {
action = StringEscapeUtils.escapeHtml(action);
oaURL = request.getOAURL();
+ target = request.getTarget();
setNoCachingHeadersInHttpRespone(req, resp);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index a45540726..3254927ed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -130,8 +130,6 @@ public class AuthenticationManager implements MOAIDAuthConstants {
throws ServletException, IOException, MOAIDException {
HttpSession session = request.getSession();
Logger.info("Starting authentication ...");
- String modul = target.requestedModule();
- String protocol = target.requestedAction();
if (!ParamValidatorUtils.isValidOA(target.getOAURL()))
throw new WrongParametersException("StartAuthentication", PARAM_OA,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
index 51e375b82..91b88acb9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
@@ -9,4 +9,5 @@ public interface IRequest {
public String requestedAction();
public void setModule(String module);
public void setAction(String action);
+ public String getTarget();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index 44b00a6c0..29f9ff69b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -8,6 +8,7 @@ public class RequestImpl implements IRequest {
private boolean ssosupport = false;
private String module = null;
private String action = null;
+ private String target = null;
public void setOAURL(String value) {
@@ -57,6 +58,12 @@ public class RequestImpl implements IRequest {
public void setAction(String action) {
this.action = action;
}
-
+ public String getTarget() {
+ return target;
+ }
+
+ public void setTarget(String target) {
+ this.target = target;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index a2bc664e9..d9129165e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -28,11 +28,10 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory.BasicKeyInfoGenerator;
-import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
@@ -41,6 +40,7 @@ import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
@@ -66,9 +66,10 @@ public class MetadataAction implements IAction {
idpEntityDescriptor.setOrganization(PVPConfiguration.getInstance()
.getIDPOrganisation());
- BasicKeyInfoGeneratorFactory keyInfoFactory = new BasicKeyInfoGeneratorFactory();
+ X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
keyInfoFactory.setEmitPublicKeyValue(true);
keyInfoFactory.setEmitEntityIDAsKeyName(true);
+ keyInfoFactory.setEmitEntityCertificate(true);
KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
Credential credential = CredentialProvider
@@ -81,7 +82,7 @@ public class MetadataAction implements IAction {
Signature signature = CredentialProvider
.getIDPSignature(credential);
-
+
idpEntityDescriptor.setSignature(signature);
IDPSSODescriptor idpSSODescriptor = SAML2Utils
@@ -129,9 +130,11 @@ public class MetadataAction implements IAction {
}
idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
-
+
+ idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes());
+
idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor);
-
+
DocumentBuilder builder;
DocumentBuilderFactory factory = DocumentBuilderFactory
.newInstance();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 4633f22d2..5ea596eeb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.protocols.pvp2x.validation.ChainSAMLValidator;
import at.gv.egovernment.moa.id.protocols.pvp2x.validation.SAMLSignatureValidator;
@@ -164,6 +165,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
getSPSSODescriptor(SAMLConstants.SAML20P_NS).
getAssertionConsumerServices().get(idx).getLocation();
+ String entityID = moaRequest.getEntityMetadata().getEntityID();
+
//String oaURL = (String) request.getParameter(PARAM_OA);
oaURL = StringEscapeUtils.escapeHtml(oaURL);
if (!ParamValidatorUtils.isValidOA(oaURL))
@@ -171,6 +174,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
PARAM_OA, "auth.12");
config.setOAURL(oaURL);
config.setRequest(moaRequest);
+ config.setTarget(PVPConfiguration.getInstance().getTargetForSP(entityID));
+
request.getSession().setAttribute(PARAM_OA, oaURL);
return config;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
new file mode 100644
index 000000000..b818a2d8a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -0,0 +1,230 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x;
+
+public interface PVPConstants {
+ public static final String URN_OID_PREFIX = "urn:oid:";
+
+ public static final String PVP_VERSION_OID = "1.2.40.0.10.2.1.1.261.10";
+ public static final String PVP_VERSION_NAME = URN_OID_PREFIX + PVP_VERSION_OID;
+ public static final String PVP_VERSION_FRIENDLY_NAME = "PVP-VERSION";
+ public static final String PVP_VERSION_2_1 = "2.1";
+
+ public static final String SECCLASS_FRIENDLY_NAME = "SECCLASS";
+
+ public static final String PRINCIPAL_NAME_OID = "1.2.40.0.10.2.1.1.261.20";
+ public static final String PRINCIPAL_NAME_NAME = URN_OID_PREFIX + PRINCIPAL_NAME_OID;
+ public static final String PRINCIPAL_NAME_FRIENDLY_NAME = "PRINCIPAL-NAME";
+ public static final int PRINCIPAL_NAME_MAX_LENGTH = 128;
+
+ public static final String GIVEN_NAME_OID = "2.5.4.42";
+ public static final String GIVEN_NAME_NAME = URN_OID_PREFIX + GIVEN_NAME_OID;
+ public static final String GIVEN_NAME_FRIENDLY_NAME = "GIVEN-NAME";
+ public static final int GIVEN_NAME_MAX_LENGTH = 128;
+
+ public static final String BIRTHDATE_OID = "1.2.40.0.10.2.1.1.55";
+ public static final String BIRTHDATE_NAME = URN_OID_PREFIX + BIRTHDATE_OID;
+ public static final String BIRTHDATE_FRIENDLY_NAME = "BIRTHDATE";
+ public static final String BIRTHDATE_FORMAT_PATTERN = "yyyy-MM-dd";
+
+ public static final String USERID_OID = "0.9.2342.19200300.100.1.1";
+ public static final String USERID_NAME = URN_OID_PREFIX + USERID_OID;
+ public static final String USERID_FRIENDLY_NAME = "USERID";
+ public static final int USERID_MAX_LENGTH = 128;
+
+ public static final String GID_OID = "1.2.40.0.10.2.1.1.1";
+ public static final String GID_NAME = URN_OID_PREFIX + GID_OID;
+ public static final String GID_FRIENDLY_NAME = "GID";
+ public static final int GID_MAX_LENGTH = 128;
+
+ public static final String BPK_OID = "1.2.40.0.10.2.1.1.149";
+ public static final String BPK_NAME = URN_OID_PREFIX + BPK_OID;
+ public static final String BPK_FRIENDLY_NAME = "BPK";
+ public static final int BPK_MAX_LENGTH = 1024;
+
+ public static final String ENC_BPK_LIST_OID = "1.2.40.0.10.2.1.1.261.22";
+ public static final String ENC_BPK_LIST_NAME = URN_OID_PREFIX+ENC_BPK_LIST_OID;
+ public static final String ENC_BPK_LIST_FRIENDLY_NAME = "ENC-BPK-LIST";
+ public static final int ENC_BPK_LIST_MAX_LENGTH = 32767;
+
+ public static final String MAIL_OID = "0.9.2342.19200300.100.1.3";
+ public static final String MAIL_NAME = URN_OID_PREFIX + MAIL_OID;
+ public static final String MAIL_FRIENDLY_NAME = "MAIL";
+ public static final int MAIL_MAX_LENGTH = 128;
+
+ public static final String TEL_OID = "2.5.4.20";
+ public static final String TEL_NAME = URN_OID_PREFIX + TEL_OID;
+ public static final String TEL_FRIENDLY_NAME = "TEL";
+ public static final int TEL_MAX_LENGTH = 32;
+
+ public static final String PARTICIPANT_ID_OID = "1.2.40.0.10.2.1.1.71";
+ public static final String PARTICIPANT_ID_NAME = URN_OID_PREFIX + PARTICIPANT_ID_OID;
+ public static final String PARTICIPANT_ID_FRIENDLY_NAME = "PARTICIPANT-ID";
+ public static final int PARTICIPANT_MAX_LENGTH = 39;
+
+ public static final String PARTICIPANT_OKZ_OID = "1.2.40.0.10.2.1.1.261.24";
+ public static final String PARTICIPANT_OKZ_NAME = URN_OID_PREFIX + PARTICIPANT_OKZ_OID;
+ public static final String PARTICIPANT_OKZ_FRIENDLY_NAME = "PARTICIPANT-OKZ";
+ public static final int PARTICIPANT_OKZ_MAX_LENGTH = 32;
+
+ public static final String OU_OKZ_OID = "1.2.40.0.10.2.1.1.153";
+ public static final String OU_OKZ_NAME = URN_OID_PREFIX + OU_OKZ_OID;
+ public static final int OU_OKZ_MAX_LENGTH = 32;
+
+ public static final String OU_GV_OU_ID_OID = "1.2.40.0.10.2.1.1.3";
+ public static final String OU_GV_OU_ID_NAME = URN_OID_PREFIX + OU_GV_OU_ID_OID;
+ public static final String OU_GV_OU_ID_FRIENDLY_NAME = "OU-GV-OU-ID";
+ public static final int OU_GV_OU_ID_MAX_LENGTH = 39;
+
+ public static final String OU_OID = "2.5.4.11";
+ public static final String OU_NAME = URN_OID_PREFIX + OU_OID;
+ public static final String OU_FRIENDLY_NAME = "OU";
+ public static final int OU_MAX_LENGTH = 64;
+
+ public static final String FUNCTION_OID = "1.2.40.0.10.2.1.1.33";
+ public static final String FUNCTION_NAME = URN_OID_PREFIX + FUNCTION_OID;
+ public static final String FUNCTION_FRIENDLY_NAME = "FUNCTION";
+ public static final int FUNCTION_MAX_LENGTH = 32;
+
+ public static final String ROLES_OID = "1.2.40.0.10.2.1.1.261.30";
+ public static final String ROLES_NAME = URN_OID_PREFIX + ROLES_OID;
+ public static final String ROLES_FRIENDLY_NAME = "ROLES";
+ public static final int ROLES_MAX_LENGTH = 32767;
+
+ public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94";
+ public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID;
+ public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL";
+
+ public static final String EID_ISSUING_NATION_OID = "1.2.40.0.10.2.1.1.261.32";
+ public static final String EID_ISSUING_NATION_NAME = URN_OID_PREFIX + EID_ISSUING_NATION_OID;
+ public static final String EID_ISSUING_NATION_FRIENDLY_NAME = "EID-ISSUING-NATION";
+ public static final int EID_ISSUING_NATION_MAX_LENGTH = 2;
+
+ public static final String EID_SECTOR_FOR_IDENTIFIER_OID = "1.2.40.0.10.2.1.1.261.34";
+ public static final String EID_SECTOR_FOR_IDENTIFIER_NAME = URN_OID_PREFIX + EID_SECTOR_FOR_IDENTIFIER_OID;
+ public static final String EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME = "EID-SECTOR-FOR-IDENTIFIER";
+ public static final int EID_SECTOR_FOR_IDENTIFIER_MAX_LENGTH = 255;
+
+ public static final String EID_SOURCE_PIN_OID = "1.2.40.0.10.2.1.1.261.36";
+ public static final String EID_SOURCE_PIN_NAME = URN_OID_PREFIX + EID_SOURCE_PIN_OID;
+ public static final String EID_SOURCE_PIN_FRIENDLY_NAME = "EID-SOURCE-PIN";
+ public static final int EID_SOURCE_PIN_MAX_LENGTH = 128;
+
+ public static final String EID_SOURCE_PIN_TYPE_OID = "1.2.40.0.10.2.1.1.261.104";
+ public static final String EID_SOURCE_PIN_TYPE_NAME = URN_OID_PREFIX + EID_SOURCE_PIN_TYPE_OID;
+ public static final String EID_SOURCE_PIN_TYPE_FRIENDLY_NAME = "EID-SOURCE-PIN-TYPE";
+ public static final int EID_SOURCE_PIN_TYPE_MAX_LENGTH = 128;
+
+ public static final String EID_IDENTITY_LINK_OID = "1.2.40.0.10.2.1.1.261.38";
+ public static final String EID_IDENTITY_LINK_NAME = URN_OID_PREFIX + EID_IDENTITY_LINK_OID;
+ public static final String EID_IDENTITY_LINK_FRIENDLY_NAME = "EID-IDENTITY-LINK";
+ public static final int EID_IDENTITY_LINK_MAX_LENGTH = 32767;
+
+ public static final String EID_AUTH_BLOCK_OID = "1.2.40.0.10.2.1.1.261.62";
+ public static final String EID_AUTH_BLOCK_NAME = URN_OID_PREFIX + EID_AUTH_BLOCK_OID;
+ public static final String EID_AUTH_BLOCK_FRIENDLY_NAME = "EID-AUTH-BLOCK";
+ public static final int EID_AUTH_BLOCK_MAX_LENGTH = 32767;
+
+ public static final String EID_CCS_URL_OID = "1.2.40.0.10.2.1.1.261.64";
+ public static final String EID_CCS_URL_NAME = URN_OID_PREFIX + EID_CCS_URL_OID;
+ public static final String EID_CCS_URL_FRIENDLY_NAME = "EID-CCS-URL";
+ public static final int EID_CCS_URL_MAX_LENGTH = 1024;
+
+ public static final String EID_SIGNER_CERTIFICATE_OID = "1.2.40.0.10.2.1.1.261.66";
+ public static final String EID_SIGNER_CERTIFICATE_NAME = URN_OID_PREFIX + EID_SIGNER_CERTIFICATE_OID;
+ public static final String EID_SIGNER_CERTIFICATE_FRIENDLY_NAME = "EID-SIGNER-CERTIFICATE";
+ public static final int EID_SIGNER_CERTIFICATE_MAX_LENGTH = 32767;
+
+ public static final String EID_STORK_TOKEN_OID = "1.2.40.0.10.2.1.1.261.96";
+ public static final String EID_STORK_TOKEN_NAME = URN_OID_PREFIX + EID_STORK_TOKEN_OID;
+ public static final String EID_STORK_TOKEN_FRIENDLY_NAME = "EID-STORK-TOKEN";
+ public static final int EID_STORK_TOKEN_MAX_LENGTH = 32767;
+
+ public static final String MANDATE_TYPE_OID = "1.2.40.0.10.2.1.1.261.68";
+ public static final String MANDATE_TYPE_NAME = URN_OID_PREFIX + MANDATE_TYPE_OID;
+ public static final String MANDATE_TYPE_FRIENDLY_NAME = "MANDATE-TYPE";
+ public static final int MANDATE_TYPE_MAX_LENGTH = 256;
+
+ public static final String MANDATE_NAT_PER_SOURCE_PIN_OID = "1.2.40.0.10.2.1.1.261.70";
+ public static final String MANDATE_NAT_PER_SOURCE_PIN_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_SOURCE_PIN_OID;
+ public static final String MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-SOURCE-PIN";
+ public static final int MANDATE_NAT_PER_SOURCE_PIN_MAX_LENGTH = 128;
+
+ public static final String MANDATE_LEG_PER_SOURCE_PIN_OID = "1.2.40.0.10.2.1.1.261.100";
+ public static final String MANDATE_LEG_PER_SOURCE_PIN_NAME = URN_OID_PREFIX + MANDATE_LEG_PER_SOURCE_PIN_OID;
+ public static final String MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME = "MANDATOR-LEGAL-PERSON-SOURCE-PIN";
+ public static final int MANDATE_LEG_PER_SOURCE_PIN_MAX_LENGTH = 128;
+
+ public static final String MANDATE_NAT_PER_SOURCE_PIN_TYPE_OID = "1.2.40.0.10.2.1.1.261.102";
+ public static final String MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_SOURCE_PIN_TYPE_OID;
+ public static final String MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-SOURCE-PIN-TYPE";
+ public static final int MANDATE_NAT_PER_SOURCE_PIN_TYPE_MAX_LENGTH = 128;
+
+ public static final String MANDATE_LEG_PER_SOURCE_PIN_TYPE_OID = "1.2.40.0.10.2.1.1.261.76";
+ public static final String MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME = URN_OID_PREFIX + MANDATE_LEG_PER_SOURCE_PIN_TYPE_OID;
+ public static final String MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME = "MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE";
+ public static final int MANDATE_LEG_PER_SOURCE_PIN_TYPE_MAX_LENGTH = 128;
+
+ public static final String MANDATE_NAT_PER_BPK_OID = "1.2.40.0.10.2.1.1.261.98";
+ public static final String MANDATE_NAT_PER_BPK_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_BPK_OID;
+ public static final String MANDATE_NAT_PER_BPK_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-BPK";
+ public static final int MANDATE_NAT_PER_BPK_MAX_LENGTH = 1024;
+
+ public static final String MANDATE_NAT_PER_ENC_BPK_LIST_OID = "1.2.40.0.10.2.1.1.261.72";
+ public static final String MANDATE_NAT_PER_ENC_BPK_LIST_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_ENC_BPK_LIST_OID;
+ public static final String MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-ENC-BPK-LIST";
+ public static final int MANDATE_NAT_PER_ENC_BPK_LIST_MAX_LENGTH = 32767;
+
+ public static final String MANDATE_NAT_PER_GIVEN_NAME_OID = "1.2.40.0.10.2.1.1.261.78";
+ public static final String MANDATE_NAT_PER_GIVEN_NAME_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_GIVEN_NAME_OID;
+ public static final String MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-GIVEN-NAME";
+ public static final int MANDATE_NAT_PER_GIVEN_NAME_MAX_LENGTH = 128;
+
+ public static final String MANDATE_NAT_PER_FAMILY_NAME_OID = "1.2.40.0.10.2.1.1.261.80";
+ public static final String MANDATE_NAT_PER_FAMILY_NAME_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_FAMILY_NAME_OID;
+ public static final String MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-FAMILY-NAME";
+ public static final int MANDATE_NAT_PER_FAMILY_NAME_MAX_LENGTH = 128;
+
+ public static final String MANDATE_NAT_PER_BIRTHDATE_OID = "1.2.40.0.10.2.1.1.261.82";
+ public static final String MANDATE_NAT_PER_BIRTHDATE_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_BIRTHDATE_OID;
+ public static final String MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-BIRTHDATE";
+ public static final String MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN = BIRTHDATE_FORMAT_PATTERN;
+
+ public static final String MANDATE_LEG_PER_FULL_NAME_OID = "1.2.40.0.10.2.1.1.261.84";
+ public static final String MANDATE_LEG_PER_FULL_NAME_NAME = URN_OID_PREFIX + MANDATE_LEG_PER_FULL_NAME_OID;
+ public static final String MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME = "MANDATOR-LEGAL-PERSON-FULL-NAME";
+ public static final int MANDATE_LEG_PER_FULL_NAME_MAX_LENGTH = 256;
+
+ public static final String MANDATE_PROF_REP_OID_OID = "1.2.40.0.10.2.1.1.261.86";
+ public static final String MANDATE_PROF_REP_OID_NAME = URN_OID_PREFIX + MANDATE_PROF_REP_OID_OID;
+ public static final String MANDATE_PROF_REP_OID_FRIENDLY_NAME = "MANDATOR-PROF-REP-OID";
+ public static final int MANDATE_PROF_REP_OID_MAX_LENGTH = 256;
+
+ public static final String MANDATE_PROF_REP_DESC_OID = "1.2.40.0.10.2.1.1.261.88";
+ public static final String MANDATE_PROF_REP_DESC_NAME = URN_OID_PREFIX + MANDATE_PROF_REP_DESC_OID;
+ public static final String MANDATE_PROF_REP_DESC_FRIENDLY_NAME = "MANDATOR-PROF-REP-DESCRIPTION";
+ public static final int MANDATE_PROF_REP_DESC_MAX_LENGTH = 1024;
+
+ public static final String MANDATE_REFERENCE_VALUE_OID = "1.2.40.0.10.2.1.1.261.90";
+ public static final String MANDATE_REFERENCE_VALUE_NAME = URN_OID_PREFIX + MANDATE_REFERENCE_VALUE_OID;
+ public static final String MANDATE_REFERENCE_VALUE_FRIENDLY_NAME = "MANDATE-REFERENCE-VALUE";
+ public static final int MANDATE_REFERENCE_VALUE_MAX_LENGTH = 100;
+
+ public static final String MANDATE_FULL_MANDATE_OID = "1.2.40.0.10.2.1.1.261.92";
+ public static final String MANDATE_FULL_MANDATE_NAME = URN_OID_PREFIX + MANDATE_FULL_MANDATE_OID;
+ public static final String MANDATE_FULL_MANDATE_FRIENDLY_NAME = "MANDATE-FULL-MANDATE";
+ public static final int MANDATE_FULL_MANDATE_MAX_LENGTH = 32767;
+
+ public static final String INVOICE_RECPT_ID_OID = "1.2.40.0.10.2.1.1.261.40";
+ public static final String INVOICE_RECPT_ID_NAME = URN_OID_PREFIX + INVOICE_RECPT_ID_OID;
+ public static final String INVOICE_RECPT_ID_FRIENDLY_NAME = "INVOICE-RECPT-ID";
+ public static final int INVOICE_RECPT_ID_MAX_LENGTH = 64;
+
+ public static final String COST_CENTER_ID_OID = "1.2.40.0.10.2.1.1.261.50";
+ public static final String COST_CENTER_ID_NAME = URN_OID_PREFIX + COST_CENTER_ID_OID;
+ public static final String COST_CENTER_ID_FRIENDLY_NAME = "COST-CENTER-ID";
+ public static final int COST_CENTER_ID_MAX_LENGTH = 32767;
+
+ public static final String CHARGE_CODE_OID = "1.2.40.0.10.2.1.1.261.60";
+ public static final String CHARGE_CODE_NAME = URN_OID_PREFIX + CHARGE_CODE_OID;
+ public static final String CHARGE_CODE_FRIENDLY_NAME = "CHARGE-CODE";
+ public static final int CHARGE_CODE_MAX_LENGTH = 32767;
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
new file mode 100644
index 000000000..dc0a2884a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
@@ -0,0 +1,62 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BirthdateAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCitizenQAALevelAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIssuingNationAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSectorForIDAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.GivenNameAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.PVPVersionAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.PrincipalNameAttributeBuilder;
+
+public class PVPAttributeBuilder {
+
+ private static HashMap<String, IAttributeBuilder> builders;
+
+ private static void addBuilder(IAttributeBuilder builder) {
+ builders.put(builder.getName(), builder);
+ }
+
+ static {
+ builders = new HashMap<String, IAttributeBuilder>();
+ addBuilder(new PVPVersionAttributeBuilder());
+ addBuilder(new PrincipalNameAttributeBuilder());
+ addBuilder(new GivenNameAttributeBuilder());
+ addBuilder(new BirthdateAttributeBuilder());
+ addBuilder(new BPKAttributeBuilder());
+ addBuilder(new EIDCitizenQAALevelAttributeBuilder());
+ addBuilder(new EIDIssuingNationAttributeBuilder());
+ addBuilder(new EIDSectorForIDAttributeBuilder());
+ }
+
+ public static Attribute buildAttribute(String name,
+ AuthenticationSession authSession) {
+ if (builders.containsKey(name)) {
+ return builders.get(name).build(authSession);
+ }
+ return null;
+ }
+
+ public static List<Attribute> buildSupportedEmptyAttributes() {
+ List<Attribute> attributes = new ArrayList<Attribute>();
+ Iterator<IAttributeBuilder> builderIt = builders.values().iterator();
+ while (builderIt.hasNext()) {
+ IAttributeBuilder builder = builderIt.next();
+ Attribute emptyAttribute = builder.buildEmpty();
+ if (emptyAttribute != null) {
+ attributes.add(emptyAttribute);
+ }
+ }
+ return attributes;
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
new file mode 100644
index 000000000..0b1d80e0d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
@@ -0,0 +1,26 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class BPKAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return BPK_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ String bpk = authSession.getIdentityLink().getIdentificationValue();
+ if(bpk.length() > BPK_MAX_LENGTH) {
+ bpk = bpk.substring(0, BPK_MAX_LENGTH);
+ }
+ return buildStringAttribute(BPK_FRIENDLY_NAME, BPK_NAME, bpk);
+ }
+
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(BPK_FRIENDLY_NAME, BPK_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java
new file mode 100644
index 000000000..d62cf72b1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java
@@ -0,0 +1,59 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeValue;
+import org.opensaml.xml.Configuration;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.schema.XSInteger;
+import org.opensaml.xml.schema.XSString;
+import org.opensaml.xml.schema.impl.XSIntegerBuilder;
+import org.opensaml.xml.schema.impl.XSStringBuilder;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+
+public abstract class BaseAttributeBuilder implements PVPConstants, IAttributeBuilder {
+
+
+ protected static XMLObject buildAttributeStringValue(String value) {
+ XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
+ XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+ stringValue.setValue(value);
+ return stringValue;
+ }
+
+ protected static XMLObject buildAttributeIntegerValue(int value) {
+ XSIntegerBuilder integerBuilder = (XSIntegerBuilder) Configuration.getBuilderFactory().getBuilder(XSInteger.TYPE_NAME);
+ XSInteger integerValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME);
+ integerValue.setValue(value);
+ return integerValue;
+ }
+
+ protected static Attribute buildStringAttribute(String friendlyName,
+ String name, String value) {
+ Attribute attribute =
+ SAML2Utils.createSAMLObject(Attribute.class);
+ attribute.setFriendlyName(friendlyName);
+ attribute.setName(name);
+ attribute.getAttributeValues().add(buildAttributeStringValue(value));
+ return attribute;
+ }
+
+ protected static Attribute buildIntegerAttribute(String friendlyName,
+ String name, int value) {
+ Attribute attribute =
+ SAML2Utils.createSAMLObject(Attribute.class);
+ attribute.setFriendlyName(friendlyName);
+ attribute.setName(name);
+ attribute.getAttributeValues().add(buildAttributeIntegerValue(value));
+ return attribute;
+ }
+
+ protected static Attribute buildemptyAttribute(String friendlyName, String name) {
+ Attribute attribute =
+ SAML2Utils.createSAMLObject(Attribute.class);
+ attribute.setFriendlyName(friendlyName);
+ attribute.setName(name);
+ return attribute;
+ }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java
new file mode 100644
index 000000000..84011436e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java
@@ -0,0 +1,42 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class BirthdateAttributeBuilder extends BaseAttributeBuilder {
+
+ public static final String IDENTITY_LINK_DATE_FORMAT = "yyyy-MM-dd";
+
+ public String getName() {
+ return BIRTHDATE_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ try {
+ DateFormat identityLinkFormat = new SimpleDateFormat(
+ IDENTITY_LINK_DATE_FORMAT);
+ Date date = identityLinkFormat.parse(authSession.getIdentityLink()
+ .getDateOfBirth());
+ DateFormat pvpDateFormat = new SimpleDateFormat(
+ BIRTHDATE_FORMAT_PATTERN);
+ String dateString = pvpDateFormat.format(date);
+ return buildStringAttribute(BIRTHDATE_FRIENDLY_NAME,
+ BIRTHDATE_NAME, dateString);
+ } catch (ParseException e) {
+ e.printStackTrace();
+ return null;
+ }
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(BIRTHDATE_FRIENDLY_NAME,
+ BIRTHDATE_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java
new file mode 100644
index 000000000..5524ed44d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java
@@ -0,0 +1,24 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class EIDCitizenQAALevelAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return EID_CITIZEN_QAA_LEVEL_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ return buildIntegerAttribute(EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME,
+ EID_CITIZEN_QAA_LEVEL_NAME, 2);
+ }
+
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME,
+ EID_CITIZEN_QAA_LEVEL_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java
new file mode 100644
index 000000000..251d263d9
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java
@@ -0,0 +1,27 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class EIDIssuingNationAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return EID_ISSUING_NATION_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ String countryCode = "AT";
+ if(authSession.getStorkAuthnRequest() != null) {
+ countryCode = authSession.getStorkAuthnRequest().getCitizenCountryCode();
+ }
+ return buildStringAttribute(EID_ISSUING_NATION_FRIENDLY_NAME,
+ EID_ISSUING_NATION_NAME, countryCode);
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(EID_ISSUING_NATION_FRIENDLY_NAME,
+ EID_ISSUING_NATION_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
new file mode 100644
index 000000000..c91a87548
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
@@ -0,0 +1,23 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class EIDSectorForIDAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return EID_SECTOR_FOR_IDENTIFIER_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ return buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME,
+ EID_SECTOR_FOR_IDENTIFIER_NAME, authSession.getIdentityLink().getIdentificationType());
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME,
+ EID_SECTOR_FOR_IDENTIFIER_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java
new file mode 100644
index 000000000..f9a217810
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java
@@ -0,0 +1,21 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class GivenNameAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return GIVEN_NAME_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ return buildStringAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME, authSession.getIdentityLink().getGivenName());
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java
new file mode 100644
index 000000000..96c12f413
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java
@@ -0,0 +1,11 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public interface IAttributeBuilder {
+ public String getName();
+ public Attribute build(AuthenticationSession authSession);
+ public Attribute buildEmpty();
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java
new file mode 100644
index 000000000..a901a54ea
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java
@@ -0,0 +1,21 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class PVPVersionAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return PVP_VERSION_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ return buildStringAttribute(PVP_VERSION_FRIENDLY_NAME, PVP_VERSION_NAME, PVP_VERSION_2_1);
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(PVP_VERSION_FRIENDLY_NAME, PVP_VERSION_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java
new file mode 100644
index 000000000..7ffdca50e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java
@@ -0,0 +1,21 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class PrincipalNameAttributeBuilder extends BaseAttributeBuilder {
+
+ public String getName() {
+ return PRINCIPAL_NAME_NAME;
+ }
+
+ public Attribute build(AuthenticationSession authSession) {
+ return buildStringAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME, authSession.getIdentityLink().getFamilyName());
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 1f8dfa153..d38c900bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -35,6 +35,7 @@ import org.opensaml.xml.validation.Validator;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.Digester;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
@@ -53,6 +54,9 @@ public class PVPConfiguration {
public static final String IDP_KEYALIAS = "idp.ks.alias";
public static final String IDP_KS_PASS = "idp.ks.kspassword";
public static final String IDP_KEY_PASS = "idp.ks.keypassword";
+
+ public static final String IDP_ISSUER_NAME = "idp.issuer.name";
+
public static final String METADATA_FILE = "md.file";
public static final String IDP_ENTITY = "idp.entityid";
@@ -64,6 +68,9 @@ public class PVPConfiguration {
public static final String IDP_REDIRECT_SSO_SERVICE = "idp.sso.redirect";
public static final String IDP_SOAP_RESOLVE_SERVICE = "idp.resolve.soap";
+ public static final String IDP_TRUST_STORE = "idp.truststore";
+ public static final String SP_TARGET_PREFIX = "sp.target.";
+
public static final String IDP_CONTACT_PREFIX = "idp.contact";
public static final String IDP_CONTACT_LIST = "idp.contact_list";
@@ -120,10 +127,35 @@ public class PVPConfiguration {
return props.getProperty(IDP_KEY_PASS);
}
+ public String getIDPIssuerName() {
+ return props.getProperty(IDP_ISSUER_NAME);
+ }
+
public String getMetadataFile() {
return props.getProperty(METADATA_FILE);
}
+ public String getTargetForSP(String sp) {
+ String spHash = Digester.toSHA1(sp.getBytes());
+ Logger.info("SHA hash for sp: " + sp + " => " + spHash);
+ return props.getProperty(SP_TARGET_PREFIX + spHash);
+ }
+
+ public String getTrustEntityCertificate(String entityID) {
+ String path = props.getProperty(IDP_TRUST_STORE);
+ if(path == null) {
+ return null;
+ }
+
+ if(!path.endsWith("/")) {
+ path = path + "/";
+ }
+
+ String entityIDHash = Digester.toSHA1(entityID.getBytes());
+
+ return path + entityIDHash;
+ }
+
public List<ContactPerson> getIDPContacts() {
List<ContactPerson> list = new ArrayList<ContactPerson>();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 94741df73..71de16a97 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -16,19 +16,20 @@ import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.BasicParserPool;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter;
public class MOAMetadataProvider implements MetadataProvider {
MetadataProvider internalProvider;
- private static final String MD_FILE = "/home/afitzek/server/moaid_conf/moaid/metadata/samplePVP_MD.xml";
- //private static final String MD_FILE = "/home/afitzek/server/moaid_conf/moaid/metadata/md_provider.xml";
-
public MOAMetadataProvider() throws MetadataProviderException {
FilesystemMetadataProvider fsProvider = new FilesystemMetadataProvider(
new File(PVPConfiguration.getInstance().getMetadataFile()));
fsProvider.setParserPool(new BasicParserPool());
internalProvider = fsProvider;
+ internalProvider.setRequireValidMetadata(true);
+ MetadataFilter filter = new MetadataSignatureFilter();
+ internalProvider.setMetadataFilter(filter);
fsProvider.initialize();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 5fc1dc785..964c19208 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,5 +1,7 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
+import java.util.Iterator;
+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -7,6 +9,8 @@ import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.ArtifactResponse;
import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnRequest;
@@ -14,6 +18,9 @@ import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
@@ -23,7 +30,8 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.CitizenTokenBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
public class AuthnRequestHandler implements IRequestHandler {
@@ -55,26 +63,54 @@ public class AuthnRequestHandler implements IRequestHandler {
assertion.getAuthnStatements().add(authnStatement);
+ SPSSODescriptor spSSODescriptor = obj.getEntityMetadata().
+ getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+ AttributeConsumingService attributeConsumingService =
+ spSSODescriptor.getAttributeConsumingServices().iterator().next();
+
+
AuthenticationSession authSession =
AuthenticationManager.getAuthenticationSession(req.getSession());
+ AttributeStatement attributeStatement = SAML2Utils.createSAMLObject(AttributeStatement.class);
+
+ Iterator<RequestedAttribute> it = attributeConsumingService.getRequestAttributes().iterator();
+ while(it.hasNext()) {
+ RequestedAttribute reqAttribut = it.next();
+ Attribute attr = PVPAttributeBuilder.buildAttribute(reqAttribut.getName(), authSession);
+ if(attr == null) {
+ if(reqAttribut.isRequired()) {
+ throw new MOAIDException("Cannot provide requested attribute " + reqAttribut.getName(), null);
+ }
+ } else {
+ attributeStatement.getAttributes().add(attr);
+ }
+ }
+
+ if(attributeStatement.getAttributes().size() > 0) {
+ assertion.getAttributeStatements().add(attributeStatement);
+ }
+
Subject subject = SAML2Utils.createSAMLObject(Subject.class);
NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
subjectNameID.setFormat(NameID.PERSISTENT);
subjectNameID.setValue(authSession.getAuthData().getIdentificationValue());
subject.setNameID(subjectNameID);
- assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession));
+ //assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession));
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue("pvpIDP");
+ issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+ issuer.setFormat(NameID.ENTITY);
assertion.setIssuer(issuer);
assertion.setSubject(subject);
ArtifactResponse authResponse = SAML2Utils.createSAMLObject(ArtifactResponse.class);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue("pvpIDP");
+ nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+ nissuer.setFormat(NameID.ENTITY);
authResponse.setIssuer(nissuer);
authResponse.setInResponseTo(authnRequest.getID());
authResponse.setMessage(assertion);
@@ -87,8 +123,8 @@ public class AuthnRequestHandler implements IRequestHandler {
idx = aIdx.intValue();
}
- String oaURL = obj.getEntityMetadata().
- getSPSSODescriptor(SAMLConstants.SAML20P_NS).
+
+ String oaURL = spSSODescriptor.
getAssertionConsumerServices().get(idx).getLocation();
IEncoder binding = new PostBinding();
@@ -100,5 +136,4 @@ public class AuthnRequestHandler implements IRequestHandler {
e.printStackTrace();
}
}
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
index ec65f6bce..5f9f4d63b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
@@ -1,13 +1,21 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
+import iaik.x509.X509Certificate;
+
+import java.io.File;
import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+
+import javax.jws.soap.SOAPBinding.Use;
-import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
@@ -27,12 +35,13 @@ public class CredentialProvider {
keyStore.load(inputStream, config.getIDPKeyStorePassword().toCharArray());
inputStream.close();
- BasicCredential credentials = new BasicCredential();
- PrivateKey key = (PrivateKey) keyStore.getKey(config.getIDPKeyAlias(),
+ KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(keyStore, config.getIDPKeyAlias(),
config.getIDPKeyPassword().toCharArray());
- Certificate cert = keyStore.getCertificate(config.getIDPKeyAlias());
- credentials.setPublicKey(cert.getPublicKey());
- credentials.setPrivateKey(key);
+ //PrivateKey key = (PrivateKey) keyStore.getKey(config.getIDPKeyAlias(),
+ // config.getIDPKeyPassword().toCharArray());
+ //Certificate cert = keyStore.getCertificate(config.getIDPKeyAlias());
+ //credentials.setPublicKey(cert.getPublicKey());
+ //credentials.setPrivateKey(key);
credentials.setUsageType(UsageType.SIGNING);
return credentials;
} catch(Exception e) {
@@ -49,4 +58,54 @@ public class CredentialProvider {
signer.setSigningCredential(credentials);
return signer;
}
+
+ public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException {
+ String filename = PVPConfiguration.getInstance().getTrustEntityCertificate(entityID);
+
+ iaik.x509.X509Certificate cert;
+ try {
+ cert = new X509Certificate(new FileInputStream(new File(filename)));
+ } catch (CertificateException e) {
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ }
+
+ BasicX509Credential credential = new BasicX509Credential();
+ credential.setEntityId(entityID);
+ credential.setUsageType(UsageType.SIGNING);
+ credential.setPublicKey(cert.getPublicKey());
+
+ return credential;
+ }
+
+ public static Credential getTrustedCredential() throws CredentialsNotAvailableException {
+ String filename = PVPConfiguration.getInstance().getTrustEntityCertificate("sp.crt");
+
+ iaik.x509.X509Certificate cert;
+ try {
+ cert = new X509Certificate(new FileInputStream(new File(filename)));
+ } catch (CertificateException e) {
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ }
+
+ BasicX509Credential credential = new BasicX509Credential();
+ credential.setEntityId("sp.crt");
+ credential.setUsageType(UsageType.SIGNING);
+ credential.setPublicKey(cert.getPublicKey());
+
+ return credential;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java
new file mode 100644
index 000000000..7d81825d9
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java
@@ -0,0 +1,26 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class Digester {
+ public static String byteArrayToHexString(byte[] b) {
+ String result = "";
+ for (int i=0; i < b.length; i++) {
+ result +=
+ Integer.toString( ( b[i] & 0xff ) + 0x100, 16).substring( 1 );
+ }
+ return result;
+ }
+
+ public static String toSHA1(byte[] convertme) {
+ MessageDigest md = null;
+ try {
+ md = MessageDigest.getInstance("SHA-1");
+ }
+ catch(NoSuchAlgorithmException e) {
+ e.printStackTrace();
+ }
+ return byteArrayToHexString(md.digest(convertme));
+ }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java
index 95c548389..df0fec001 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java
@@ -1,5 +1,6 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.validation.ValidationException;
@@ -11,10 +12,11 @@ public class SAMLSignatureValidator implements ISAMLValidator {
public void validateRequest(RequestAbstractType request)
throws MOAIDException {
- if(request.getSignature() == null) {
- throw new SAMLRequestNotSignedException("NOT SIGNED", new Object[] {});
+ if (request.getSignature() == null) {
+ throw new SAMLRequestNotSignedException("NOT SIGNED",
+ new Object[] {});
}
-
+
try {
SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
sigValidator.validate(request.getSignature());
@@ -24,4 +26,19 @@ public class SAMLSignatureValidator implements ISAMLValidator {
}
}
+ public static void validateSignable(SignableSAMLObject signableObject)
+ throws MOAIDException {
+ if (signableObject.getSignature() == null) {
+ throw new SAMLRequestNotSignedException("NOT SIGNED",
+ new Object[] {});
+ }
+
+ try {
+ SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(signableObject.getSignature());
+ } catch (ValidationException e) {
+ e.printStackTrace();
+ throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {});
+ }
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
new file mode 100644
index 000000000..41e9b70cf
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -0,0 +1,74 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.signature.SignatureValidator;
+import org.opensaml.xml.validation.ValidationException;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.SAMLRequestNotSignedException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+
+public class EntityVerifier {
+ public static void verify(EntityDescriptor entityDescriptor) throws MOAIDException {
+ if (entityDescriptor.getSignature() == null) {
+ throw new SAMLRequestNotSignedException("NOT SIGNED",
+ new Object[] {});
+ }
+
+ try {
+ SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ e.printStackTrace();
+ throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {});
+ }
+
+ Credential credential = CredentialProvider.getSPTrustedCredential(entityDescriptor.getEntityID());
+ if(credential == null) {
+ throw new MOAIDException("NO CREDENTIALS FOR " + entityDescriptor.getEntityID(), new Object[] {});
+ }
+
+ SignatureValidator sigValidator = new SignatureValidator(credential);
+ try {
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ // Indicates signature was not cryptographically valid, or possibly a processing error
+ e.printStackTrace();
+ throw new MOAIDException("FAILED TO VERIFY SIGNATURE", new Object[] {});
+ }
+ }
+
+ public static void verify(EntitiesDescriptor entityDescriptor) throws MOAIDException {
+ if (entityDescriptor.getSignature() == null) {
+ throw new SAMLRequestNotSignedException("NOT SIGNED",
+ new Object[] {});
+ }
+
+ try {
+ SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ e.printStackTrace();
+ throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {});
+ }
+
+ Credential credential = CredentialProvider.getTrustedCredential();
+ if(credential == null) {
+ throw new MOAIDException("NO CREDENTIALS FOR ", new Object[] {});
+ }
+
+ SignatureValidator sigValidator = new SignatureValidator(credential);
+ try {
+ sigValidator.validate(entityDescriptor.getSignature());
+ } catch (ValidationException e) {
+ // Indicates signature was not cryptographically valid, or possibly a processing error
+ e.printStackTrace();
+ throw new MOAIDException("FAILED TO VERIFY SIGNATURE", new Object[] {});
+ }
+ }
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
new file mode 100644
index 000000000..19176af1f
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
@@ -0,0 +1,56 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+
+import java.util.Iterator;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class MetadataSignatureFilter implements MetadataFilter {
+
+ public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException {
+ EntityVerifier.verify(desc);
+ }
+
+ public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException {
+ Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();
+
+ if(desc.getSignature() != null) {
+ EntityVerifier.verify(desc);
+ }
+
+ while(entID.hasNext()) {
+ processEntitiesDescriptor(entID.next());
+ }
+
+ Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
+
+ while(entID.hasNext()) {
+ processEntityDescriptorr(entIT.next());
+ }
+ }
+
+ public void doFilter(XMLObject metadata) throws FilterException {
+ try {
+ if (metadata instanceof EntitiesDescriptor) {
+ EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
+ processEntitiesDescriptor(entitiesDescriptor);
+ } else if (metadata instanceof EntityDescriptor) {
+ EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
+ processEntityDescriptorr(entityDescriptor);
+ } else {
+ throw new MOAIDException("Invalid Metadata file", null);
+ }
+ Logger.info("Metadata Filter done OK");
+ } catch (MOAIDException e) {
+ e.printStackTrace();
+ throw new FilterException(e);
+ }
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
index 8e4e88031..60de84161 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
@@ -5,6 +5,7 @@ import java.util.List;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
@@ -15,6 +16,8 @@ import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
+import sun.security.krb5.Credentials;
+
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;
@@ -67,4 +70,5 @@ public class TrustEngineFactory {
return null;
}
}
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java
index f5219f7e9..47050bf28 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java
@@ -45,6 +45,9 @@ public class GetArtifactServlet extends AuthServlet {
String oaURL = (String) req.getAttribute(PARAM_OA);
oaURL = StringEscapeUtils.escapeHtml(oaURL);
+ String target = (String) req.getAttribute(PARAM_TARGET);
+ target = StringEscapeUtils.escapeHtml(target);
+
try {
// check parameter
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 1731a738c..678d5f961 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -67,11 +67,14 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
RequestImpl config = new RequestImpl();
String oaURL = (String) request.getParameter(PARAM_OA);
oaURL = StringEscapeUtils.escapeHtml(oaURL);
+ String target = (String) request.getParameter(PARAM_TARGET);
+ target = StringEscapeUtils.escapeHtml(target);
if (!ParamValidatorUtils.isValidOA(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA,
"auth.12");
config.setOAURL(oaURL);
request.getSession().setAttribute(PARAM_OA, oaURL);
+ request.getSession().setAttribute(PARAM_TARGET, target);
return config;
}