aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorFlorian Reimair <florian.reimair@iaik.tugraz.at>2014-01-31 16:21:13 +0100
committerFlorian Reimair <florian.reimair@iaik.tugraz.at>2014-01-31 17:17:31 +0100
commit9122bf6862fe34881e5454f54c69692b7f5ed083 (patch)
treee7c62fdbfe59f12732334cf8fb54947e1ea406b6 /id/server/idserverlib/src
parent2ee0d4beb3b23613b1bdaa3f9c58723d30303b79 (diff)
downloadmoa-id-spss-9122bf6862fe34881e5454f54c69692b7f5ed083.tar.gz
moa-id-spss-9122bf6862fe34881e5454f54c69692b7f5ed083.tar.bz2
moa-id-spss-9122bf6862fe34881e5454f54c69692b7f5ed083.zip
fixed outgoing signrequest - mostly tested
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java40
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java52
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java51
3 files changed, 73 insertions, 70 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 209743f45..146137a2c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -31,6 +31,7 @@ import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
+import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.CertificateException;
@@ -49,6 +50,7 @@ import javax.servlet.http.HttpSession;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
+import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
@@ -123,7 +125,6 @@ import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.util.Random;
-import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.id.util.XMLUtil;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
import at.gv.egovernment.moa.logging.LogMsg;
@@ -142,10 +143,14 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest.PEPSData;
import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse;
import at.gv.util.xsd.srzgw.MISType;
import at.gv.util.xsd.srzgw.MISType.Filters;
+import eu.stork.oasisdss.api.AdditionalProfiles;
import eu.stork.oasisdss.api.ApiUtils;
import eu.stork.oasisdss.api.ApiUtilsException;
+import eu.stork.oasisdss.api.Profiles;
+import eu.stork.oasisdss.api.QualityLevels;
+import eu.stork.oasisdss.api.SignatureTypes;
+import eu.stork.oasisdss.profile.AnyType;
import eu.stork.oasisdss.profile.DocumentType;
-import eu.stork.oasisdss.profile.InputDocuments;
import eu.stork.oasisdss.profile.SignRequest;
import eu.stork.peps.auth.commons.PEPSUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
@@ -1912,7 +1917,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
PersonalAttribute newAttribute = new PersonalAttribute();
newAttribute.setName("signedDoc");
List<String> value = new ArrayList<String>();
- value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), "application/xhtml+xml"));
+ value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession),
+ "application/xhtml+xml",
+ moasession.getCcc()));
newAttribute.setValue(value);
attributeList.add(newAttribute);
@@ -2004,20 +2011,37 @@ public class AuthenticationServer implements MOAIDAuthConstants {
Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination());
}
- private static String generateDssSignRequest(String text, String mimeType) {
+ private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) {
IdentifierGenerator idGenerator;
try {
idGenerator = new SecureRandomIdentifierGenerator();
DocumentType doc = new DocumentType();
- doc.setBase64XML(Base64.encodeBytes(text.getBytes()).getBytes());
+ doc.setBase64XML(text.getBytes());
+ doc.setID(idGenerator.generateIdentifier());
SignRequest request = new SignRequest();
request.setInputDocuments(ApiUtils.createInputDocuments(doc));
- request.setRequestID(idGenerator.generateIdentifier());
+ String id = idGenerator.generateIdentifier();
+ request.setRequestID(id);
+ request.setDocUI(id);
- return ApiUtils.marshalToDocument(request).getTextContent();
+ request.setProfile(Profiles.XADES_BES.toString());
+ request.setNumberOfSigners(BigInteger.ONE);
+ request.setTargetCountry(citizenCountry);
+
+ // no, no todo. PEPS will alter this value anyhow.
+ request.setReturnURL("http://invalid_return");
+
+ AnyType required = new AnyType();
+ required.getAny().add(ApiUtils.createSignatureType(SignatureTypes.XMLSIG_RFC3275.toString()));
+ required.getAny().add(ApiUtils.createAdditionalProfile(AdditionalProfiles.XADES.toString()));
+ required.getAny().add(ApiUtils.createQualityRequirements(QualityLevels.QUALITYLEVEL_QUALIFIEDSIG));
+ required.getAny().add(ApiUtils.createIncludeObject(doc));
+ request.setOptionalInputs(required);
+
+ return IOUtils.toString(ApiUtils.marshalToInputStream(request));
} catch (NoSuchAlgorithmException e) {
Logger.error("Cannot generate id", e);
throw new RuntimeException(e);
@@ -2027,7 +2051,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
} catch (DOMException e) {
Logger.error("Could not create SignRequest", e);
throw new RuntimeException(e);
- } catch (ParserConfigurationException e) {
+ } catch (IOException e) {
Logger.error("Could not create SignRequest", e);
throw new RuntimeException(e);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 9dfce7838..a3c8ebe4d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -1,7 +1,10 @@
package at.gv.egovernment.moa.id.auth.servlet;
+import iaik.x509.X509Certificate;
import java.io.IOException;
+import java.io.InputStream;
import java.io.StringWriter;
+import java.net.URL;
import java.util.ArrayList;
import java.util.List;
@@ -10,19 +13,19 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
import javax.xml.transform.stream.StreamSource;
+import org.apache.commons.io.IOUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.StatusCode;
-import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -33,14 +36,14 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.proxy.parser.SAMLResponseParser;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.util.xsd.xmldsig.SignatureType;
+import at.gv.util.xsd.xmldsig.X509DataType;
import eu.stork.oasisdss.api.ApiUtils;
-import eu.stork.oasisdss.api.LightweightSourceResolver;
+import eu.stork.oasisdss.profile.DocumentWithSignature;
import eu.stork.oasisdss.profile.SignResponse;
import eu.stork.peps.auth.commons.PEPSUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
@@ -173,14 +176,41 @@ public class PEPSConnectorServlet extends AuthServlet {
//extract signed doc element and citizen signature
String citizenSignature = null;
try {
- citizenSignature = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+ String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+ SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
+
+ List<DocumentWithSignature> doclocations = ApiUtils.findNamedElement(dssSignResponse.getOptionalOutputs(), DocumentWithSignature.class.getSimpleName(), DocumentWithSignature.class);
+ // TODO handle multiple docs?
+ Logger.debug("trying first doclocation");
+ String docUrl = doclocations.get(0).getDocument().getDocumentURL();
+ Logger.debug("trying first doclocation successful");
+
+ // fetch signed doc
+ URL url = new URL(docUrl);
+ InputStream incomming = url.openStream();
+ citizenSignature = IOUtils.toString(incomming);
+ incomming.close();
+
+ JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
+ SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue();
+
+ // memorize signature into authblock
moaSession.setAuthBlock(citizenSignature);
+
+ // extract certificate
+ for(Object current : root.getKeyInfo().getContent())
+ if(((JAXBElement<?>) current).getValue() instanceof X509DataType) {
+ for(Object currentX509Data : ((JAXBElement<X509DataType>) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
+ JAXBElement<?> casted = ((JAXBElement<?>) currentX509Data);
+ if(casted.getName().getLocalPart().equals("X509Certificate")) {
+ moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes()));
+ break;
+ }
+ }
+ }
- // FIXME untested
- Element sepp = (Element) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(citizenSignature)));
- moaSession.setSignerCertificate(AuthenticationServer.getCertificateFromXML(sepp));
- } catch (Exception e) {
+ } catch (Throwable e) {
Logger.error("Could not extract citizen signature from C-PEPS", e);
throw new MOAIDException("stork.09", null);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index 20ceb2128..2534110d5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -58,57 +58,6 @@ public class STORKResponseProcessor {
public static final String OASIS_DSS_SUCCESS_MSG = "urn:oasis:names:tc:dss:1.0:resultmajor:Success";
/**
- * Extracts the signature value out of a DSS response
- * @param signatureResponse DSS signature response
- * @return signature
- * @throws STORKException
- */
- private static Element getSignature(Element signatureResponse) throws STORKException {
-
- NodeList nList = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "ResultMajor");
-
- String resultMajor = XMLUtil.getFirstTextValueFromNodeList(nList);
-
- if (StringUtils.isEmpty(resultMajor)) {
- String msg = "DSS response not correct, ResultMajor element missing.";
- Logger.error(msg);
- throw new STORKException(msg);
- }
-
- Logger.trace("ResultMajor of DSS response: " + resultMajor);
-
- if (!OASIS_DSS_SUCCESS_MSG.equals(resultMajor)) {
- String msg = "DSS response not correct, ResultMajor is " + resultMajor;
- Logger.error(msg);
- throw new STORKException(msg);
- }
-
- NodeList nList2 = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "Base64Signature");;
-
- String base64SigString = XMLUtil.getFirstTextValueFromNodeList(nList2);
-
- if (StringUtils.isEmpty(base64SigString)) {
- String msg = "DSS response not correct, Base64Signature element missing.";
- Logger.error(msg);
- throw new STORKException(msg);
- }
-
- Logger.trace("Base64Signature element of DSS response: " + base64SigString);
-
- String sigString = new String(Base64.decode(base64SigString));
-
- try {
- return XMLUtil.stringToDOM(sigString);
- } catch (Exception e) {
- String msg = "Unable to extract signature from DSS response";
- Logger.error(msg);
- throw new STORKException(msg);
- }
-
-
- }
-
- /**
* Checks for attribute.
*
* @param attributeName the attribute name