author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-10-15 09:57:38 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-10-15 09:57:38 +0200 |
commit | a7c22b659f5bc760cb46d5892409dab12cc047d6 (patch) | |
tree | 66c8794e1b5988b200b83640507e9fa961ae37d6 /id/server/idserverlib/src | |
parent | e21f6944e484dd24f5f7f2aca7a39b6a25b32539 (diff) | |
download | moa-id-spss-a7c22b659f5bc760cb46d5892409dab12cc047d6.tar.gz moa-id-spss-a7c22b659f5bc760cb46d5892409dab12cc047d6.tar.bz2 moa-id-spss-a7c22b659f5bc760cb46d5892409dab12cc047d6.zip |
Add a unique random token to the AuthBlock to prevent replay attacks. The timestamp, which was previously in use, can be predicted.
Diffstat (limited to 'id/server/idserverlib/src')
5 files changed, 86 insertions, 10 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 84f85b3d6..af23d4c78 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -553,7 +553,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 session.getPublicOAURLPrefix());
 // builds the AUTH-block
- String authBlock = buildAuthenticationBlock(session, oaParam);
+ String authBlock = buildAuthenticationBlock(session, oaParam);
 // builds the <CreateXMLSignatureRequest>
 List<String> transformsInfos = oaParam.getTransformsInfos();
@@ -1141,7 +1141,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 String xmlCreateXMLSignatureReadResponse)
 throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException, BKUException {
-
+
 if (session == null)
 throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 0421a868c..f5d603480 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -84,6 +84,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 " </saml:Attribute>" + NL +
 "{7}" +
 "{8}" +
+ "{9}" +
 " </saml:AttributeStatement>" + NL +
 "</saml:Assertion>";
@@ -107,6 +108,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
 " </saml:Attribute>" + NL;
+ private static String AUTHBLOCKTOKKEN_ATTRIBUTE =
+ " <saml:Attribute AttributeName=''UniqueTokken'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL;
+
 private static String PR_IDENTIFICATION_ATTRIBUTE =
 " <pr:Identification xmlns:pr=\"" + PD_NS_URI + "\">" + NL +
@@ -117,8 +123,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 /**
 * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).
 */
- public static final int NUM_OF_SAML_ATTRIBUTES = 4;
- public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3;
+ public static final int NUM_OF_SAML_ATTRIBUTES = 5;
+ public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
 /**
 * Constructor for AuthenticationBlockAssertionBuilder.
@@ -170,6 +176,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 AuthenticationSession session,
 OAAuthParameter oaParam)
 throws BuildException
+
 {
 session.setSAMLAttributeGebeORwbpk(true);
 String gebeORwbpk = "";
@@ -264,11 +271,13 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
 }
-
-
 String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) });
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextRandom();
+ session.setAuthBlockTokken(uniquetokken);
+
 String assertion;
 try {
 assertion = MessageFormat.format(
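Review bot: The replay protection added here is only as strong as `Random.nextRandom()`, whose implementation is not part of this diff; the code should state, and a reviewer should confirm, that it is backed by a cryptographically secure generator with enough entropy that a future token cannot be guessed, since unpredictability is exactly the property the commit message claims over the old timestamp. The same three lines are pasted into three builder methods (this hunk and the hunks at @@ -415 and @@ -521), so the requirement is best captured once in a private helper that generates the nonce, stores it in the session and returns it, with a comment such as `// nonce embedded in the signed AuthBlock and compared by CreateXMLSignatureResponseValidator; must come from a CSPRNG`. The enclosing buildAuthenticationBlock method starts and ends outside the hunk.
```java
// … unchanged: special-text lookup and Logger.warn …
String uniquetokken = newAuthBlockTokken(session);
// … unchanged: MessageFormat.format(...) of the assertion …

/**
 * Generates the per-session nonce that is embedded into the AuthBlock as the
 * UniqueTokken attribute and later compared by CreateXMLSignatureResponseValidator.
 * Replay protection depends on Random.nextRandom() being cryptographically
 * unpredictable; confirm that before relying on this check.
 */
private static String newAuthBlockTokken(AuthenticationSession session) {
    String uniquetokken = Random.nextRandom();
    session.setAuthBlockTokken(uniquetokken);
    return uniquetokken;
}
```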
@@ -281,6 +290,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 oaURL,
 gebDat,
 specialText,
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
+ new Object[] { uniquetokken }),
 buildExtendedSAMLAttributes(extendedSAMLAttributes)});
 } catch (ParseException e) {
 Logger.error("Error on building AUTH-Block: " + e.getMessage());
@@ -415,6 +426,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) });
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextRandom();
+ session.setAuthBlockTokken(uniquetokken);
+
 String assertion;
 try {
 assertion = MessageFormat.format(
@@ -427,6 +442,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 oaURL,
 gebDat,
 specialText,
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
+ new Object[] { uniquetokken }),
 buildExtendedSAMLAttributes(extendedSAMLAttributes)});
 } catch (ParseException e) {
 Logger.error("Error on building AUTH-Block: " + e.getMessage());
@@ -521,9 +538,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) });
-
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextRandom();
+ session.setAuthBlockTokken(uniquetokken);
-
 String assertion;
 assertion = MessageFormat.format(
@@ -536,6 +554,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 oaURL,
 gebDat,
 specialText,
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
+ new Object[] { uniquetokken }),
 buildExtendedSAMLAttributes(extendedSAMLAttributes)});
 return assertion;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index 4cb174e1c..9eaa13f04 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -158,6 +158,8 @@ public class AuthenticationSession implements Serializable {
 */
 private String authBlock;
+ private String authBlockTokken;
+
 /**
 * The issuing time of the AUTH-Block SAML assertion.
 */
@@ -974,6 +976,22 @@ public class AuthenticationSession implements Serializable {
 public void setOW(boolean isOW) {
 this.isOW = isOW;
 }
+
+ /**
+ * @return the authBlockTokken
+ */
+ public String getAuthBlockTokken() {
+ return authBlockTokken;
+ }
+
+ /**
+ * @param authBlockTokken the authBlockTokken to set
+ */
+ public void setAuthBlockTokken(String authBlockTokken) {
+ this.authBlockTokken = authBlockTokken;
+ }
+
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 9e98b73b4..ed7f9df0d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
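Review bot: The Javadoc on getAuthBlockTokken and setAuthBlockTokken only restates the field name, so a reader of AuthenticationSession cannot tell why the value exists or who consumes it. Replace `@return the authBlockTokken` with a description such as `the random one-time value placed into the signed AuthBlock as the UniqueTokken attribute; CreateXMLSignatureResponseValidator rejects a response whose attribute does not equal this value`, and give the new field at @@ -158 a comment saying it is set by AuthenticationBlockAssertionBuilder when the block is built. Since AuthenticationSession implements Serializable, the comment should also note that the token is persisted together with a serialized session — confirm that matches how sessions are stored.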
@@ -262,7 +262,7 @@ public class CreateXMLSignatureResponseValidator {
 if (!samlAttribute.getName().equals("SpecialText")) {
 throw new ValidateException(
 "validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
 }
 if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
 String samlSpecialText = (String)samlAttribute.getValue();
@@ -285,6 +285,25 @@ public class CreateXMLSignatureResponseValidator {
 throw new ValidateException("validator.35", null);
 }
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[4 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+
 // now check the extended SAML attributes
 int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
 if (extendedSAMLAttributes != null) {
@@ -471,7 +490,7 @@ public class CreateXMLSignatureResponseValidator {
 if (!samlAttribute.getName().equals("SpecialText")) {
 throw new ValidateException(
 "validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
 }
 if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
 String samlSpecialText = (String)samlAttribute.getValue();
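Review bot: `uniquetokken.equals(session.getAuthBlockTokken())` dereferences the attribute value unguarded, so if `getValue()` can yield null for an empty `<saml:AttributeValue>` the validator fails with a NullPointerException instead of a ValidateException; write it as `if (uniquetokken == null || !uniquetokken.equals(session.getAuthBlockTokken())) {`. Likewise `samlAttributes[4 + offset]` is indexed with no length check visible in the hunk, so a block carrying only the old four attributes raises ArrayIndexOutOfBoundsException rather than a validator.37 error, unless a length check precedes the hunk, which I cannot see. Both points apply equally to the SSO variant at @@ -495, where the index is `3 + offset` but the validator.37 argument still says `String.valueOf(5)`, one higher than the non-SSO path's position if that number denotes the attribute position. Consider also clearing the nonce once it has been accepted, `session.setAuthBlockTokken(null);` after the comparison, so the same signed block cannot pass verification twice within one session; whether that matters depends on the session lifetime, which the diff does not show. The enclosing method starts and ends outside the hunk.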
@@ -495,6 +514,24 @@ public class CreateXMLSignatureResponseValidator {
 throw new ValidateException("validator.35", null);
 }
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+
 // now check the extended SAML attributes
 int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
 if (extendedSAMLAttributes != null) {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 9b945952d..6b664f692 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -187,6 +187,7 @@ validator.66=\uFFFDberpr\uFFFDfung der {0}-Infobox fehlgeschlagen\: berufliche P
 validator.67=Der Specialtext ({0}) stimmt nicht mit dem f\u00FCr diese Applikation hinterlegten Text ({1}) \u00FCberein.
validator.68=SigningTime im AUTH-Block konnte nicht eruiert werden.
validator.69=SigningTime im AUTH-Block und Serverzeit weichen zu stark ab ({0}).
+validator.70=Das einmale Tokken im signierten AuthBlock ({0}) stimmt nicht mit dem von generierten Tokken ({1}) \u00FCberein.
ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen
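Review bot: The new validator.70 message contains two grammar defects that users and auditors will see verbatim: `einmale` should read `einmalige`, and `dem von generierten Tokken` lacks the noun the token was generated by. A corrected line would be `validator.70=Das einmalige Token im signierten AuthBlock ({0}) stimmt nicht mit dem vom Server generierten Token ({1}) \u00FCberein.`; keep the spelling `Tokken` only if it is meant to mirror the attribute name, since this is user-facing German text where `Token` is the usual word.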