aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:33:37 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:33:37 +0100
commite392f06a8e1920e4404f11f74c8f51795ad590a6 (patch)
tree74d06da7d89582d1448cbb0a3c0c8d1858318b06 /id/server/idserverlib/src
parent813e08137530dba321db7807bd1bb5a53af80541 (diff)
downloadmoa-id-spss-e392f06a8e1920e4404f11f74c8f51795ad590a6.tar.gz
moa-id-spss-e392f06a8e1920e4404f11f74c8f51795ad590a6.tar.bz2
moa-id-spss-e392f06a8e1920e4404f11f74c8f51795ad590a6.zip
add some more escaptions
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java112
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java25
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java12
-rw-r--r--id/server/idserverlib/src/test/java/test/MOAIDTestCase.java3
9 files changed, 131 insertions, 43 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 5a5d0bcf6..cc716f9f8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -352,6 +352,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
authData.setBkuURL(session.getGenericDataFromSession(PVPConstants.EID_CCS_URL_NAME, String.class));
+ //TODO: fully switch from STORK QAA to eIDAS LoA
//####################################################
//set QAA level
includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index 19f3fdc54..0397bd501 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -117,7 +117,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
config.putCustomParameter("successMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.00", null));
else
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
guiBuilder.build(resp, config, "Single-LogOut GUI");
@@ -213,7 +213,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT,
null);
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
guiBuilder.build(resp, config, "Single-LogOut GUI");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
index e0484eb1b..4e7a72da6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
@@ -22,12 +22,19 @@
*/
package at.gv.egovernment.moa.id.data;
+import java.io.Serializable;
+
/**
* @author tlenz
*
*/
-public class EncryptedData {
+public class EncryptedData implements Serializable{
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
private byte[] encData = null;
private byte[] iv = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 3770dad2f..bb849a8d0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -659,7 +659,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} else {
revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
}
@@ -690,7 +690,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
null);
revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
index f17e4a99a..2395b913d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
@@ -38,8 +38,11 @@ import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -106,18 +109,36 @@ public class DBTransactionStorage implements ITransactionStorage {
}
}
-
- public Object getAssertionStore(String key) throws MOADatabaseException{
- return searchInDatabase(key);
- }
-
+
public Object get(String key) throws MOADatabaseException {
AssertionStore element = searchInDatabase(key);
if (element == null)
return null;
+
+ Object data = SerializationUtils.deserialize(element.getAssertion());
- return SerializationUtils.deserialize(element.getAssertion());
+ //decrypt data if required
+ Object resultData = null;
+ if (data instanceof EncryptedData) {
+ Logger.trace("Find encrypted data. --> Starting decryption process ...");
+ try {
+ byte[] decData = decryptData((EncryptedData)data);
+ resultData = SerializationUtils.deserialize(decData);
+
+ } catch (BuildException e) {
+ Logger.warn("Transaction information decryption FAILED.", e);
+ throw new MOADatabaseException("Transaction information decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.trace("Find unencrypted data. --> Use it as is");
+ resultData = data;
+
+ }
+
+ return resultData;
}
@@ -141,13 +162,34 @@ public class DBTransactionStorage implements ITransactionStorage {
}
- //Deserialize Assertion
+ //Deserialize Assertion
Object data = SerializationUtils.deserialize(element.getAssertion());
+ //decrypt data if required
+ Object resultData = null;
+ if (data instanceof EncryptedData) {
+ Logger.trace("Find encrypted data. --> Starting decryption process ...");
+ try {
+ byte[] decData = decryptData((EncryptedData)data);
+ resultData = SerializationUtils.deserialize(decData);
+
+ } catch (BuildException e) {
+ Logger.warn("Transaction information decryption FAILED.", e);
+ throw new MOADatabaseException("Transaction information decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.trace("Find unencrypted data. --> Use it as is");
+ resultData = data;
+
+ }
+
+
//check if assertion has the correct class type
try {
@SuppressWarnings("unchecked")
- T test = (T) Class.forName(element.getType()).cast(data);
+ T test = (T) Class.forName(element.getType()).cast(resultData);
return test;
} catch (Exception e) {
@@ -198,6 +240,17 @@ public class DBTransactionStorage implements ITransactionStorage {
}
}
+ public Object getAssertionStore(String key) throws MOADatabaseException{
+ return searchInDatabase(key);
+
+ }
+
+ @Override
+ public void putAssertionStore(Object element) throws MOADatabaseException{
+ entityManager.merge(element);
+
+ }
+
private void cleanDelete(AssertionStore element) {
@@ -245,30 +298,33 @@ public class DBTransactionStorage implements ITransactionStorage {
throw new MOADatabaseException("Transaction-Storage can only store objects which implements the 'Seralizable' interface", null);
}
-
- //serialize the Assertion for Database storage
- byte[] data = SerializationUtils.serialize((Serializable) value);
- element.setAssertion(data);
-
- //store AssertionStore element to Database
- //try {
+
+ try {
+ //serialize the Assertion for Database storage
+ byte[] data = SerializationUtils.serialize((Serializable) value);
+ element.setAssertion(encryptData(data));
+
+ //store AssertionStore element to Database
entityManager.persist(element);
- //MOASessionDBUtils.saveOrUpdate(element);
- Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");
-//
-// } catch (MOADatabaseException e) {
-// Logger.warn("Sessioninformation could not be stored.");
-// throw new MOADatabaseException(e);
-//
-// }
+ Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");
+
+ } catch (BuildException e) {
+ Logger.warn("Sessioninformation could not be stored.");
+ throw new MOADatabaseException(e);
+
+ }
}
+
+ private static byte[] encryptData(byte[] data) throws BuildException {
+ EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(data);
+ return SerializationUtils.serialize(encdata);
- @Override
- public void putAssertionStore(Object element) throws MOADatabaseException{
- // TODO Auto-generated method stub
- entityManager.merge(element);
-
+ }
+
+ private static byte[] decryptData(EncryptedData encdata) throws BuildException {
+ return SessionEncrytionUtil.getInstance().decrypt(encdata);
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
index 53a7f4f5e..51a36d426 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
@@ -114,6 +114,8 @@ public interface ITransactionStorage {
/**
* Get whole AssertionStoreObject, required for SLO
+ * <br>
+ * <b>IMPORTANT:</b> This method does NOT decrypt information before storage
*
* @param key key Id which identifiers the data object
* @return The transaction-data object, or null
@@ -123,6 +125,8 @@ public interface ITransactionStorage {
/**
* Put whole AssertionStoreObject to db, required for SLO
+ * <br>
+ * <b>IMPORTANT:</b> This method does NOT encrypt information before storage
*
* @param element assertion store object
*/
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
index b0d166951..84d40f619 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
@@ -22,9 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.util;
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
@@ -35,19 +32,26 @@ import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
-
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
public abstract class AbstractEncrytionUtil {
- protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+ //protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+
+ protected static final String CIPHER_MODE = "AES/GCM/NoPadding";
+ public static final int GCM_NONCE_LENGTH = 12; // in bytes
+ public static final int GCM_TAG_LENGTH = 16; // in bytes
+
protected static final String KEYNAME = "AES";
private SecretKey secret = null;
@@ -114,8 +118,15 @@ public abstract class AbstractEncrytionUtil {
if (secret != null) {
try {
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.ENCRYPT_MODE, secret);
+ final byte[] nonce = Random.nextBytes(GCM_NONCE_LENGTH);
+
+// final byte[] nonce = new byte[GCM_NONCE_LENGTH];
+// SecureRandom.getInstanceStrong().nextBytes(nonce);
+
+ GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce);
+
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.ENCRYPT_MODE, secret, spec);
Logger.debug("Encrypt MOASession");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
index ac2b3c415..38c384c3a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
@@ -151,6 +151,16 @@ public class Random {
}
+/**
+ * Creates a new random byte[]
+ *
+ * @param size Size of random number in byte
+ * @return
+ */
+public static byte[] nextBytes(int size) {
+ return nextByteRandom(size);
+
+}
public static void seedRandom() {
@@ -165,7 +175,7 @@ public class Random {
/**
* Generate a new random number
*
- * @param size Size of random number in bits
+ * @param size Size of random number in byte
* @return
*/
private static synchronized byte[] nextByteRandom(int size) {
diff --git a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java
index e28b154f4..b3a9d367f 100644
--- a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java
+++ b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java
@@ -56,10 +56,8 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.StreamUtils;
import at.gv.egovernment.moa.util.XPathUtils;
-
import iaik.ixsil.algorithms.Transform;
import iaik.ixsil.algorithms.TransformImplExclusiveCanonicalXML;
import iaik.ixsil.exceptions.AlgorithmException;
@@ -68,6 +66,7 @@ import iaik.ixsil.exceptions.URIException;
import iaik.ixsil.init.IXSILInit;
import iaik.ixsil.util.URI;
import test.at.gv.egovernment.moa.MOATestCase;
+import test.at.gv.egovernment.moa.util.FileUtils;
/*
* @author Paul Ivancsics