aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorKlaus Stranacher <kstranacher@iaik.tugraz.at>2013-09-04 23:51:25 +0200
committerKlaus Stranacher <kstranacher@iaik.tugraz.at>2013-09-04 23:51:25 +0200
commit3b7776e9020ea8affdf9fcd10b12d2da28adcd08 (patch)
tree386e05cfdac42aa997b54181e400cc4ecfea99a1 /id/server/idserverlib/src
parent0d8dfd1b3b0892164fbd9d3d13eb231adad4062b (diff)
downloadmoa-id-spss-3b7776e9020ea8affdf9fcd10b12d2da28adcd08.tar.gz
moa-id-spss-3b7776e9020ea8affdf9fcd10b12d2da28adcd08.tar.bz2
moa-id-spss-3b7776e9020ea8affdf9fcd10b12d2da28adcd08.zip
Validation signing time (auth block) against server time
Update MOA-ID sample configs (new ES Test-PEPS Url) WAI compliant template
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java55
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties2
4 files changed, 64 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
index 6004f251f..1624a59c0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
@@ -25,10 +25,13 @@
package at.gv.egovernment.moa.id.auth.parser;
import java.io.ByteArrayInputStream;
+import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;
@@ -157,6 +160,7 @@ public class CreateXMLSignatureResponseParser {
Element dsigSignatureNode = (Element) list.item(0);
Element dsigSignatureElement = (Element) dsigSignatureNode;
+
cResp.setDsigSignature(dsigSignatureElement);
}
catch (Throwable t) {
@@ -201,6 +205,11 @@ public class CreateXMLSignatureResponseParser {
SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()];
samlAttributes.toArray(result);
cResp.setSamlAttributes(result);
+
+ NodeList list = sigResponse_.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ Element dsigSignatureNode = (Element) list.item(0);
+ cResp.setDsigSignature(dsigSignatureNode);
+
}
catch (Throwable t) {
throw new ParseException("parser.01", new Object[] { t.toString()}, t);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
index 4ddad2429..2c957603b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
@@ -151,6 +151,8 @@ public class VerifyXMLSignatureResponseParser {
VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse();
try {
+
+ String s = DOMUtils.serializeNode(verifyXMLSignatureResponse);
respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,""));
Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH);
respData.setQualifiedCertificate(e!=null);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index d0fb1f87f..b2ef2d000 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -24,9 +24,14 @@
package at.gv.egovernment.moa.id.auth.validator;
+import java.util.Calendar;
+import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
+import javax.xml.bind.DatatypeConverter;
+
+import org.jaxen.SimpleNamespaceContext;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
@@ -59,11 +64,25 @@ public class CreateXMLSignatureResponseValidator {
/** Xpath expression to the dsig:Signature element */
private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature";
- //private static final String XADES_SIGNINGTIME_PATH = Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime";
-
+ private static final String XADES_1_1_1_SIGNINGTIME_PATH = "//" + Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime";
+ private static final String XADES_1_3_2_SIGNINGTIME_PATH = "//" + Constants.XADES_1_3_2_NS_PREFIX + ":SigningTime";
+
+
+ private static final long MAX_DIFFERENCE_IN_MILLISECONDS = 600000; // 10min
+
/** Singleton instance. <code>null</code>, if none has been created. */
private static CreateXMLSignatureResponseValidator instance;
+ private static SimpleNamespaceContext NS_CONTEXT;
+ static {
+ NS_CONTEXT = new SimpleNamespaceContext();
+ NS_CONTEXT.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI);
+ NS_CONTEXT.addNamespace(Constants.XADES_1_2_2_NS_PREFIX, Constants.XADES_1_2_2_NS_URI);
+ NS_CONTEXT.addNamespace(Constants.XADES_1_3_2_NS_PREFIX, Constants.XADES_1_3_2_NS_URI);
+ NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI);
+ }
+
+
/**
* Constructor for a singleton CreateXMLSignatureResponseValidator.
* @return an instance of CreateXMLSignatureResponseValidator
@@ -550,8 +569,36 @@ public class CreateXMLSignatureResponseValidator {
public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {
- //TODO: insert Time validation!!!!
-
+ Element dsigSignatureElement = csresp.getDsigSignature();
+ if (dsigSignatureElement == null) {
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+ }
+ else {
+ Element signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_1_1_SIGNINGTIME_PATH);
+ if (signingTimeElem == null) {
+ signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_3_2_SIGNINGTIME_PATH);
+ if (signingTimeElem == null)
+ throw new ValidateException("validator.68", null) ;
+ }
+
+
+ String signingTimeStr = signingTimeElem.getTextContent();
+ if (signingTimeStr == null)
+ throw new ValidateException("validator.68", null) ;
+
+ Calendar signingTimeCal = DatatypeConverter.parseDate(signingTimeStr);
+ Calendar serverTimeCal = new GregorianCalendar();
+
+ long diff = Math.abs(signingTimeCal.getTimeInMillis() - serverTimeCal.getTimeInMillis());
+
+ if (diff > MAX_DIFFERENCE_IN_MILLISECONDS)
+ throw new ValidateException("validator.69", new Object[] {"mehr als " + MAX_DIFFERENCE_IN_MILLISECONDS + " Millisekunden"}) ;
+
+ Logger.debug("Compare \"" + signingTimeCal.getTime() + "\" (SigningTime) with \"" + serverTimeCal.getTime() + "\" (server time)");
+
+
+ }
+
}
}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 272f26efb..c5ebc4b0d 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -181,6 +181,8 @@ validator.65=Es ist ein Fehler bei der Formulargenerierung f�r berufliche Part
validator.66=?berpr?fung der {0}-Infobox fehlgeschlagen\: berufliche Parteienvetretung ist nicht konfiguriert.
validator.67=Der Specialtext ({0}) stimmt nicht mit dem für diese Applikation hinterlegten Text ({1}) überein.
+validator.68=SigningTime im AUTH-Block konnte nicht eruiert werden.
+validator.69=SigningTime im AUTH-Block und Serverzeit weichen zu stark ab ({0}).
ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen