aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2013-10-15 09:57:38 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-10-15 09:57:38 +0200
commita7c22b659f5bc760cb46d5892409dab12cc047d6 (patch)
tree66c8794e1b5988b200b83640507e9fa961ae37d6 /id/server/idserverlib/src
parente21f6944e484dd24f5f7f2aca7a39b6a25b32539 (diff)
downloadmoa-id-spss-a7c22b659f5bc760cb46d5892409dab12cc047d6.tar.gz
moa-id-spss-a7c22b659f5bc760cb46d5892409dab12cc047d6.tar.bz2
moa-id-spss-a7c22b659f5bc760cb46d5892409dab12cc047d6.zip
Add an unique random tokken to AuthBlock to prevent replay attacks. The timestamp, which was previously in use, can be predicted.
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java32
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java41
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
5 files changed, 86 insertions, 10 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 84f85b3d6..af23d4c78 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -553,7 +553,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
session.getPublicOAURLPrefix());
// builds the AUTH-block
- String authBlock = buildAuthenticationBlock(session, oaParam);
+ String authBlock = buildAuthenticationBlock(session, oaParam);
// builds the <CreateXMLSignatureRequest>
List<String> transformsInfos = oaParam.getTransformsInfos();
@@ -1141,7 +1141,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String xmlCreateXMLSignatureReadResponse)
throws AuthenticationException, BuildException, ParseException,
ConfigurationException, ServiceException, ValidateException, BKUException {
-
+
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 0421a868c..f5d603480 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -84,6 +84,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
" </saml:Attribute>" + NL +
"{7}" +
"{8}" +
+ "{9}" +
" </saml:AttributeStatement>" + NL +
"</saml:Assertion>";
@@ -107,6 +108,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
" <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
" </saml:Attribute>" + NL;
+ private static String AUTHBLOCKTOKKEN_ATTRIBUTE =
+ " <saml:Attribute AttributeName=''UniqueTokken'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL;
+
private static String PR_IDENTIFICATION_ATTRIBUTE =
" <pr:Identification xmlns:pr=\"" + PD_NS_URI + "\">" + NL +
@@ -117,8 +123,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
/**
* The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).
*/
- public static final int NUM_OF_SAML_ATTRIBUTES = 4;
- public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3;
+ public static final int NUM_OF_SAML_ATTRIBUTES = 5;
+ public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
/**
* Constructor for AuthenticationBlockAssertionBuilder.
@@ -170,6 +176,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
AuthenticationSession session,
OAAuthParameter oaParam)
throws BuildException
+
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
@@ -264,11 +271,13 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
}
-
-
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, issueInstant) });
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextRandom();
+ session.setAuthBlockTokken(uniquetokken);
+
String assertion;
try {
assertion = MessageFormat.format(
@@ -281,6 +290,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
oaURL,
gebDat,
specialText,
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
+ new Object[] { uniquetokken }),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
@@ -415,6 +426,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, issueInstant) });
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextRandom();
+ session.setAuthBlockTokken(uniquetokken);
+
String assertion;
try {
assertion = MessageFormat.format(
@@ -427,6 +442,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
oaURL,
gebDat,
specialText,
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
+ new Object[] { uniquetokken }),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
@@ -521,9 +538,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, issueInstant) });
-
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextRandom();
+ session.setAuthBlockTokken(uniquetokken);
-
String assertion;
assertion = MessageFormat.format(
@@ -536,6 +554,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
oaURL,
gebDat,
specialText,
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
+ new Object[] { uniquetokken }),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
return assertion;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index 4cb174e1c..9eaa13f04 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -158,6 +158,8 @@ public class AuthenticationSession implements Serializable {
*/
private String authBlock;
+ private String authBlockTokken;
+
/**
* The issuing time of the AUTH-Block SAML assertion.
*/
@@ -974,6 +976,22 @@ public class AuthenticationSession implements Serializable {
public void setOW(boolean isOW) {
this.isOW = isOW;
}
+
+ /**
+ * @return the authBlockTokken
+ */
+ public String getAuthBlockTokken() {
+ return authBlockTokken;
+ }
+
+ /**
+ * @param authBlockTokken the authBlockTokken to set
+ */
+ public void setAuthBlockTokken(String authBlockTokken) {
+ this.authBlockTokken = authBlockTokken;
+ }
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 9e98b73b4..ed7f9df0d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -262,7 +262,7 @@ public class CreateXMLSignatureResponseValidator {
if (!samlAttribute.getName().equals("SpecialText")) {
throw new ValidateException(
"validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
}
if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
String samlSpecialText = (String)samlAttribute.getValue();
@@ -285,6 +285,25 @@ public class CreateXMLSignatureResponseValidator {
throw new ValidateException("validator.35", null);
}
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[4 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+
// now check the extended SAML attributes
int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
if (extendedSAMLAttributes != null) {
@@ -471,7 +490,7 @@ public class CreateXMLSignatureResponseValidator {
if (!samlAttribute.getName().equals("SpecialText")) {
throw new ValidateException(
"validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
}
if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
String samlSpecialText = (String)samlAttribute.getValue();
@@ -495,6 +514,24 @@ public class CreateXMLSignatureResponseValidator {
throw new ValidateException("validator.35", null);
}
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+
// now check the extended SAML attributes
int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
if (extendedSAMLAttributes != null) {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 9b945952d..6b664f692 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -187,6 +187,7 @@ validator.66=\uFFFDberpr\uFFFDfung der {0}-Infobox fehlgeschlagen\: berufliche P
validator.67=Der Specialtext ({0}) stimmt nicht mit dem f\u00FCr diese Applikation hinterlegten Text ({1}) \u00FCberein.
validator.68=SigningTime im AUTH-Block konnte nicht eruiert werden.
validator.69=SigningTime im AUTH-Block und Serverzeit weichen zu stark ab ({0}).
+validator.70=Das einmale Tokken im signierten AuthBlock ({0}) stimmt nicht mit dem von generierten Tokken ({1}) \u00FCberein.
ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen