| author | Alexander Marsalek <amarsalek@iaik.tugraz.at> | 2014-09-04 13:35:57 +0200 | 
|---|---|---|
| committer | Alexander Marsalek <amarsalek@iaik.tugraz.at> | 2014-09-04 13:35:57 +0200 | 
| commit | c9685e638ee5de0d049c8f58fd91848c2dc8a0ba (patch) | |
| tree | 110bcbb0463868a39eba0880336ff32cc545034e /id/server/idserverlib | |
| parent | 33b76e7bb23d8772b3a2533aadd0c3313af4b29f (diff) | |
| parent | c109c1e86a228bd3b3ed49b97e182b3cd2136d00 (diff) | |
| download | moa-id-spss-c9685e638ee5de0d049c8f58fd91848c2dc8a0ba.tar.gz moa-id-spss-c9685e638ee5de0d049c8f58fd91848c2dc8a0ba.tar.bz2 moa-id-spss-c9685e638ee5de0d049c8f58fd91848c2dc8a0ba.zip | |
Merge branch 'merge' into moa-2.1-Snapshot
Diffstat (limited to 'id/server/idserverlib')
37 files changed, 1341 insertions, 317 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 33fed945b..d06298efa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1845,7 +1845,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget();
 		String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();
 		String spApplication = spInstitution;
-		String spCountry = "AT";
+		String spCountry = "AT";  // intentionally set AT - the flow is limited on that use case only
 		//generate AuthnRquest
 		STORKAuthnRequest authnRequest = new STORKAuthnRequest();
@@ -1855,7 +1855,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		authnRequest.setIssuer(issuerValue);
 		authnRequest.setQaa(oaParam.getQaaLevel());
 		authnRequest.setSpInstitution(spInstitution);
-		authnRequest.setCountry(spCountry);
+		authnRequest.setSpCountry(spCountry);
 		authnRequest.setSpApplication(spApplication);
 		authnRequest.setSpSector(spSector);
 		authnRequest.setPersonalAttributeList(attributeList);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 4cec99b9a..db8b4dd80 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -164,5 +164,6 @@ public interface MOAIDAuthConstants {
 				}
 			});	
+  public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$";
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 17d6898ee..ed2cd3ecb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -24,20 +24,26 @@ package at.gv.egovernment.moa.id.auth.builder;
 import iaik.x509.X509Certificate;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.PrivateKey;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
-import java.util.GregorianCalendar;
+import java.util.Iterator;
 import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
-import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeQuery;
-import org.opensaml.saml2.core.AttributeStatement;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.ws.soap.common.SOAPException;
 import org.opensaml.xml.XMLObject;
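Review bot: `REGEX_PATTERN_TARGET` is added as a bare `String` with no Javadoc, and its only use in this commit (the short-mandate branch of AuthenticationDataBuilder) compiles it with `Pattern.compile` on every call. Consider exposing a precompiled `public static final Pattern` next to the string, or at least documenting what it classifies: `/** Matches a bPK target of the form "XX" or "XX-suffix": two ASCII letters, optionally followed by "-" and an arbitrary suffix. */`. Note that `(-.*)?` accepts any suffix including an empty one, so code that uses a match to decide between `URN_PREFIX_CDID` and `URN_PREFIX_WBPK` should treat it as a loose syntactic check rather than a validation of the sector.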
@@ -45,9 +51,14 @@ import org.opensaml.xml.security.SecurityException;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
-import eu.stork.peps.auth.commons.PersonalAttribute;
-import eu.stork.peps.auth.commons.PersonalAttributeList;
-
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
@@ -76,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
@@ -149,7 +161,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 				}				
 			}
-			
 		}
 		InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
@@ -239,11 +250,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 				attributs = reqQueryAttr;
 			//IDP is a service provider IDP and request interfederated IDP to collect attributes				
-			} else {
-				
-				//TODO: check if response include attributes and map this attributes to requested attributes
-				//TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
-				
+			} else {												
 				//get PVP 2.1 attributes from protocol specific requested attributes
 				attributs = req.getRequestedAttributes();
@@ -255,44 +262,56 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {  				Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());  				throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);  			} + +			 +			//TODO: check if response include attributes and map this attributes to requested attributes +			//TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst +			Response intfResp = (Response) req.getInterfederationResponse().getResponse(); +			AssertionAttributeExtractor extractor =  +					new AssertionAttributeExtractor(intfResp);			 -			//build attributQuery request -			AttributeQuery query =  -					AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); +			if (!extractor.containsAllRequiredAttributes()) {			 +				//build attributQuery request +				AttributeQuery query =  +						AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); -			//build SOAP request				 -			List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); +				//build SOAP request				 +				List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); -			if (xmlObjects.size() == 0) { -				Logger.error("Receive emptry AttributeQuery response-body."); -				throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); +				if (xmlObjects.size() == 0) { +					Logger.error("Receive emptry AttributeQuery response-body."); +					throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); -			} +				} -			if (xmlObjects.get(0) instanceof Response) { -				Response intfResp = (Response) xmlObjects.get(0); +				if (xmlObjects.get(0) instanceof Response) { +					intfResp = (Response) xmlObjects.get(0); -				//validate PVP 2.1 response -				try { -					SAMLVerificationEngine engine = new 
SAMLVerificationEngine(); -					engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +					//validate PVP 2.1 response +					try { +						SAMLVerificationEngine engine = new SAMLVerificationEngine(); +						engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); -					SAMLVerificationEngine.validateAssertion(intfResp, false); +						SAMLVerificationEngine.validateAssertion(intfResp, false); -				} catch (Exception e) { -					Logger.warn("PVP 2.1 assertion validation FAILED.", e); -					throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); +					} catch (Exception e) { +						Logger.warn("PVP 2.1 assertion validation FAILED.", e); +						throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); +					} +												 +				} else { +					Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); +					throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); +				  				} -				//parse response information to authData -				buildAuthDataFormInterfederationResponse(authdata, session, intfResp); -								 -			} else { -				Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); -				throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); +				//create assertion attribute extractor from AttributeQuery response +				extractor = new AssertionAttributeExtractor(intfResp);  			} -										 						 +			//parse response information to authData +			buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);			 +			  		} catch (SOAPException e) {  			throw new BuildException("builder.06", null, e); 
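Review bot: `req.getInterfederationResponse().getResponse()` is dereferenced and cast to `Response` with no null check, so a request that carries no interfederation response ends in a NullPointerException instead of the `AttributQueryException`/`BuildException` path the method otherwise uses; only `SOAPException` is caught in the part of the method shown. Guard it before building the extractor, e.g. `if (req.getInterfederationResponse() == null) throw new AttributQueryException("No interfederation response available.", null);`. Also, when `extractor.containsAllRequiredAttributes()` is true the attributes are taken from the inbound response without the `SAMLVerificationEngine` checks that this hunk runs on the AttributeQuery result; if that response is already verified earlier in the flow, a comment at the `if` saying so would make the asymmetry intentional rather than suspicious. The enclosing method starts and ends outside the hunk.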
@@ -314,146 +333,280 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {  		}  	} -	private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session,  -			Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { +	private static void buildAuthDataFormInterfederationResponse( +			AuthenticationData authData,  +			AuthenticationSession session,  +			AssertionAttributeExtractor extractor, +			IOAAuthParameters oaParam)  +					throws BuildException, AssertionAttributeExtractorExeption {  		Logger.debug("Build AuthData from assertion starts ...."); -		Assertion assertion = intfResp.getAssertions().get(0); +		authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME));		 +		authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME));		 +		authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); +		authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); +		authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME));		 +		authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); +		authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME));		 +		authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); -		if (assertion.getAttributeStatements().size() == 0) { -			Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); -			throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. 
NO Attributes included.", null); -			 +		if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { +			String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME);				 +			authData.setBPK(pvpbPK.split(":")[1]);  		} -		AttributeStatement attrStat = assertion.getAttributeStatements().get(0); -		for (Attribute attr : attrStat.getAttributes()) { -			 -			if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) -				authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) -				authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) -				authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.BPK_NAME)) { -				String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent();				 -				authData.setBPK(pvpbPK.split(":")[1]); -			} -			 -			if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) -				authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) -				authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +   -						attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) -				authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); +		if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { +			List<String> encbPKList = Arrays.asList( +					extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";"));							 +			authData.setEncbPKList(encbPKList);			 +			for (String fullEncbPK : encbPKList) { +				int index = fullEncbPK.indexOf("|");								  +				if (index >= 0) { +					String encbPK = fullEncbPK.substring(index+1); +					String second = fullEncbPK.substring(0, 
index);					 +					int secIndex = second.indexOf("+"); +					if (secIndex >= 0) { +						if (oaParam.getTarget().equals(second.substring(secIndex+1))) { +							Logger.debug("Found encrypted bPK for online-application "  +									+ oaParam.getPublicURLPrefix() +									+ " Start decryption process ..."); +							PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); +							if (privKey != null) { +								try { +									String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); +									if (MiscUtil.isNotEmpty(bPK)) { +										if (MiscUtil.isEmpty(authData.getBPK())) { +											authData.setBPK(bPK); +											authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); +											Logger.info("bPK decryption process finished successfully."); +										} +																				 +									} else { +										Logger.error("bPK decryption FAILED."); +									 +									} +								} catch (BuildException e) { +									Logger.error("bPK decryption FAILED.", e); +									 +								} +								 +							} else { +								Logger.info("bPK decryption FAILED, because no valid decryption key is found."); +								 +							}							 +							 +						} else { +							Logger.info("Found encrypted bPK but " + +									"encrypted bPK target does not match to online-application target");  +							 +						} +					}					 +				}							 +			}						 +		} +		 +		if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { +			Logger.error("Federated assertion include no bPK or encrypted bPK"); +			throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME +					+ " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); -			if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) -				authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); +		} +		 +		if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) +			authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +   
+					extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); +		 +		if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { +			try { +				byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false);				 +				authData.setAuthBlock(new String(authBlock, "UTF-8")); -			if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { -				try { -					byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);				 -					authData.setAuthBlock(new String(authBlock, "UTF-8")); +			} catch (IOException e) { +				Logger.error("Received AuthBlock is not valid", e); -				} catch (IOException e) { -					Logger.error("Received AuthBlock is not valid", e); -					 -				}  			} -			 -			if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { -				try { -					authData.setSignerCertificate(Base64Utils.decode( -							attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); -					 -				} catch (IOException e) { -					Logger.error("Received SignerCertificate is not valid", e); -					 -				}				 -			} -			 -			if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) -				authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) -				authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { -				try { -					InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);				 -					IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();				 -					authData.setIdentityLink(idl); -					 -				} catch (ParseException e) { -					Logger.error("Received IdentityLink is not valid", e); -					 -				} catch (Exception e) { -					Logger.error("Received IdentityLink 
is not valid", e); -					 -				} -			} -							 -			if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) -				authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); -			 -			 -			if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { -				try { -					byte[] mandate = Base64Utils.decode( -							attr.getAttributeValues().get(0).getDOM().getTextContent(), false); -					 -					if (authData.getMISMandate() == null) -						authData.setMISMandate(new MISMandate()); -					authData.getMISMandate().setMandate(mandate); +		} +		 +		if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { +			try { +				authData.setSignerCertificate(Base64Utils.decode( +						extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); +				 +			} catch (IOException e) { +				Logger.error("Received SignerCertificate is not valid", e); +				 +			}				 +		} +				 +		if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { +			try { +				InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false);				 +				IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();				 +				authData.setIdentityLink(idl); +				 +			} catch (ParseException e) { +				Logger.error("Received IdentityLink is not valid", e); +				 +			} catch (Exception e) { +				Logger.error("Received IdentityLink is not valid", e); -					authData.setUseMandate(true); -					 -				} catch (Exception e) { -					Logger.error("Received Mandate is not valid", e); -					throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); -					 -				}				  			} -			 -			if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { +		} +		 +		 +		// set mandate attributes +		authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); +				 +		if 
(extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { +			try { +				byte[] mandate = Base64Utils.decode( +						(extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); +				  				if (authData.getMISMandate() == null)  					authData.setMISMandate(new MISMandate()); -				authData.getMISMandate().setProfRep( -						attr.getAttributeValues().get(0).getDOM().getTextContent()); +				authData.getMISMandate().setMandate(mandate); +				authData.getMISMandate().setFullMandateIncluded(true);				 +				authData.setUseMandate(true); +								 +			} catch (Exception e) { +				Logger.error("Received Mandate is not valid", e); +				throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); -			} +			}				 +		} + +		//TODO: build short mandate if full mandate is no included. +		if (authData.getMISMandate() == null &&  +				(extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)  +					|| extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) +					|| extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) { +			Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... 
"); +			 +			MISMandate misMandate = new MISMandate(); +			misMandate.setFullMandateIncluded(false); +			 +			Mandate mandateObject = new Mandate(); +			Mandator mandator = new Mandator(); +			mandateObject.setMandator(mandator); +			 +			//build legal person short mandate +			if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && +					extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && +					extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { +				Logger.debug("Build short mandate for legal person ..."); +				CorporateBodyType legalperson = new CorporateBodyType(); +				IdentificationType legalID = new IdentificationType(); +				Value idvalue = new Value(); +				legalID.setValue(idvalue ); +				legalperson.getIdentification().add(legalID ); +				mandator.setCorporateBody(legalperson ); +				 +				legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); +				legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); +				idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); +							 +			//build natural person short mandate +			} else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) ||  +						extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && +					extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && +					extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) &&  +					extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { +				Logger.debug("Build short mandate for natural person ..."); +				PhysicalPersonType physPerson = new PhysicalPersonType(); +				PersonNameType persName = new PersonNameType();				 +				mandator.setPhysicalPerson(physPerson );				 +				physPerson.setName(persName ); +				FamilyName familyName = new FamilyName(); +				
persName.getFamilyName().add(familyName ); +				IdentificationType persID = new IdentificationType(); +				physPerson.getIdentification().add(persID ); +				Value idValue = new Value(); +				persID.setValue(idValue ); +				 +				String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); +				for(int i=0; i<pvp2GivenName.length; i++) +					persName.getGivenName().add(pvp2GivenName[i]);				 +				familyName.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME));			 +				physPerson.setDateOfBirth(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME)); +				 +				if (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) { +					persID.setType(Constants.URN_PREFIX_BASEID); +					idValue.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)); +					 +				} else { +					String[] pvp2bPK = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":"); +					if (pvp2bPK.length == 2) { +						idValue.setValue(pvp2bPK[1]); +						 +						Pattern pattern = Pattern.compile(MOAIDAuthConstants.REGEX_PATTERN_TARGET); +						Matcher matcher = pattern.matcher(pvp2bPK[0]); +						if (matcher.matches()) +							persID.setType(Constants.URN_PREFIX_CDID + "+" +  pvp2bPK[0]);							 +						else +							persID.setType(Constants.URN_PREFIX_WBPK + "+" +  pvp2bPK[0]); -			if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) {				 -				authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent());				 -				authData.setForeigner(true); +					} else { +						Logger.warn("Receive mandator bPK from federation with an unsupported format. 
" + extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)); +						throw new AssertionAttributeExtractorExeption("Receive mandator bPK from federation with an unsupported format."); +						 +					}					 +				} +										 +			} else { +				Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary."); +				throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null); +				  			} -			if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {	 +			try { +				JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_"); +				Marshaller m = jc.createMarshaller(); +				ByteArrayOutputStream stream = new ByteArrayOutputStream(); +				m.marshal(mandateObject, stream);				 +				misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes()); +				stream.close(); +				 +			} catch (JAXBException e) { +				Logger.error("Failed to parse short mandate", e); +				throw new AssertionAttributeExtractorExeption(); -				if (authData.getStorkAttributes() == null) -					authData.setStorkAttributes(new PersonalAttributeList());					 +			} catch (IOException e) {				 +				Logger.error("Failed to parse short mandate", e); +				throw new AssertionAttributeExtractorExeption(); -				List<String> storkAttrValues = new ArrayList<String>(); -				storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); -				PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),  -						false, storkAttrValues , "Available"); -				authData.getStorkAttributes().put(attr.getName(), storkAttr ); -				authData.setForeigner(true); -			} -						 +			}			 +			authData.setUseMandate(true); +			  		} + +		if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { +			if (authData.getMISMandate() == null) +				authData.setMISMandate(new MISMandate()); +			
authData.getMISMandate().setProfRep( +					extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); +			 +		} +			 +	 +		//set STORK attributes +		if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) {				 +			authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME));				 +			authData.setForeigner(true); +			 +		} +	 +		if (!extractor.getSTORKAttributes().isEmpty()) { +			authData.setStorkAttributes(extractor.getSTORKAttributes()); +			authData.setForeigner(true); +			 +		} +				  		authData.setSsoSession(true); -		if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) -			authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate()); +		if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) +			authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate());  		//only for SAML1  		if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 20641ca7c..b122ba17e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java 
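Review bot: `authData.setBPK(pvpbPK.split(":")[1]);` assumes the PVP bPK attribute contains a colon; a value without one throws ArrayIndexOutOfBoundsException instead of the `AssertionAttributeExtractorExeption` this method uses for malformed input, and the same hunk already handles the mandator bPK more carefully with a `pvp2bPK.length == 2` check. Apply the same check here: `String[] pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME).split(":");` / `if (pvpbPK.length != 2) throw new AssertionAttributeExtractorExeption("Receive bPK from federation with an unsupported format.");` / `authData.setBPK(pvpbPK[1]);`. The later `authData.getEncbPKList().size() == 0` test also runs when `ENC_BPK_LIST_NAME` was absent and `setEncbPKList` was never called, so it depends on the getter returning an empty list rather than null — worth confirming in AuthenticationData. The method `buildAuthDataFormInterfederationResponse` starts inside the hunk but its tail continues past it.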
@@ -46,13 +46,27 @@
 package at.gv.egovernment.moa.id.auth.builder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
+import java.io.UnsupportedEncodingException;
+import java.security.InvalidKeyException;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
 /**
  * Builder for the bPK, as defined in 
@@ -135,6 +149,58 @@ public class BPKBuilder {
         }
     }
+	public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
+		MiscUtil.assertNotNull(bpk, "BPK");
+		MiscUtil.assertNotNull(publicKey, "publicKey");
+		
+		SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
+		if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+			target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+		
+		String input = "V1::urn:publicid:gv.at:cdid+" + target + "::"
+		    + bpk + "::"
+		    + sdf.format(new Date());
+		System.out.println(input);
+		byte[] result;
+		try {
+			byte[] inputBytes = input.getBytes("ISO-8859-1");
+			result = encrypt(inputBytes, publicKey);
+			return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", "");
+			
+		} catch (Exception e) {
+			throw new BuildException("bPK encryption FAILED", null, e);
+		}		
+	}
+
+	public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException {
+		MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK");
+		MiscUtil.assertNotNull(privateKey, "Private key");
+		String decryptedString;
+		try {
+			byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1");
+			byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
+			decryptedString = new String(decryptedBytes, "ISO-8859-1");
+			
+		} catch (Exception e) {
+			throw new BuildException("bPK decryption FAILED", null, e);
+		}
+		String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
+		String sector = tmp.substring(0, tmp.indexOf("::"));
+		tmp = tmp.substring(tmp.indexOf("::") + 2);
+		String bPK = tmp.substring(0, tmp.indexOf("::"));
+
+		if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+			target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+		
+		if (target.equals(sector))
+			return bPK;
+		
+		else {
+			Logger.error("Decrypted bPK does not 
match to request bPK target.");
+			return null;
+		}		
+	}
+
     /**
      * Builds the storkeid from the given parameters.
      *
@@ -214,6 +280,34 @@ public class BPKBuilder {
             throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex);
         }
     }
+     
+	private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+		byte[] result;
+		Cipher cipher = null;
+		try {
+			cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+		} catch(NoSuchAlgorithmException e) {
+			cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+		}
+		cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+		result = cipher.doFinal(inputBytes);
+		
+		return result;
+	}
+
+	private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey) 
+			throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{
+		byte[] result;
+		Cipher cipher = null;
+		try {
+			cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+		} catch(NoSuchAlgorithmException e) {
+			cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+		}
+		cipher.init(Cipher.DECRYPT_MODE, privateKey);
+		result = cipher.doFinal(encryptedBytes);
+		return result;
+	}
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
new file mode 100644
index 000000000..69802d7e6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
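Review bot: `System.out.println(input);` in `encryptBPK` writes the plaintext that is about to be encrypted — target, bPK and timestamp — to stdout; the bPK is exactly the identifier this encryption exists to protect, so the line should be removed (if a trace is wanted, `Logger.debug` without the value is the file's convention). `target` is used in `startsWith`/`substring` without the `MiscUtil.assertNotNull` the other parameters get; add `MiscUtil.assertNotNull(target, "target");` in both methods. In `decryptBPK` the parsing after the try block relies on `indexOf('+')` and `indexOf("::")` finding their delimiters; a plaintext that does not have the `V1::…::…::` layout makes the `substring` calls throw StringIndexOutOfBoundsException rather than the `BuildException` the caller in AuthenticationDataBuilder catches, so either move the parsing into the try or check the indices, and note that neither the `V1::` version prefix nor the encrypted timestamp is verified on the decrypt side. `java.io.UnsupportedEncodingException` and `MOAIDAuthConstants` are imported in the preceding hunk but do not appear to be used in the code shown.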
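Review bot: `encrypt` and `decrypt` duplicate the provider-fallback `Cipher.getInstance` sequence; extracting it into one private helper keeps the two transformations in lockstep and removes the `byte[] result` / `Cipher cipher = null` scaffolding. The fallback also means the OAEP parameters depend on whichever provider answers first: with the Sun/Oracle JCE provider `RSA/ECB/OAEPPadding` resolves to SHA-1 with MGF1(SHA-1), and whether the IAIK `RSA/ECB/OAEP` alias uses the same defaults is not visible here, so a bPK encrypted under one provider may not decrypt under the other; pinning the parameters with an explicit `OAEPParameterSpec` passed to `init` would make that deterministic. The extracted helper could look like this:
```java
	/** Returns an RSA-OAEP cipher, preferring the JCE transformation name and falling back to the IAIK one. */
	private static Cipher newOAEPCipher() throws NoSuchPaddingException, NoSuchAlgorithmException {
		try {
			return Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
		} catch (NoSuchAlgorithmException e) {
			return Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
		}
	}

	private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
		Cipher cipher = newOAEPCipher();
		cipher.init(Cipher.ENCRYPT_MODE, publicKey);
		return cipher.doFinal(inputBytes);
	}

	// … unchanged: decrypt, same shape with Cipher.DECRYPT_MODE and privateKey …
```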
@@ -0,0 +1,46 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DatabaseEncryptionException extends MOAIDException { + +	/** +	 *  +	 */ +	private static final long serialVersionUID = 6387519847869308880L; + +	/** +	 * @param messageId +	 * @param parameters +	 * @param wrapped +	 */ +	public DatabaseEncryptionException(String messageId, Object[] parameters, +			Throwable wrapped) { +		super(messageId, parameters, wrapped); +	} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index ff5e62d96..e3f32d59d 100644 
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -133,7 +133,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{  		    String targetConfig = oaParam.getTarget();  			String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); -			if (StringUtils.isEmpty(targetConfig)) { +			if (StringUtils.isEmpty(targetConfig) +					|| (module.equals(SAML1Protocol.PATH) &&  +							!StringUtils.isEmpty(target))) {  			    	// no target attribut is given in OA config  			    	// target is used from request  			    	// check parameter diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 397eebd9b..ade7d3f3c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -223,7 +223,7 @@ public class PEPSConnectorServlet extends AuthServlet {  				moaSession.setUseMandate("true");
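Review bot: The widened condition lets a non-empty request `target` override the configured OA target whenever the module is SAML1, so for SAML1 the request parameter now decides the bPK sector even for applications that have a target configured. The validation announced by the `// check parameter` comment lies outside the hunk; please confirm that the request-supplied target is still checked there against the permitted sectors, since the target selects which bPK is derived. A one-line comment above the condition stating the intent would help future readers, e.g. `// SAML1: a target given in the request takes precedence over the configured one`. The enclosing method starts and ends outside the hunk.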
  				// and check if we have the gender value
 -			PersonalAttribute gender = attributeList.get("gender");
 +			PersonalAttribute gender = attributeList.get("gender");     // TODO Do we need to check gender value if there is no representation case?
  			if(null == gender) {
  				String gendervalue = (String) request.getParameter("gender");
  				if(null != gendervalue) {
 @@ -244,7 +244,7 @@ public class PEPSConnectorServlet extends AuthServlet {  			//extract signed doc element and citizen signature
  			String citizenSignature = null;
  			try {
 -				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
 +				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
  				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
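Review bot: The chained `getPersonalAttributeList().get("signedDoc").getValue().get(0)` on the TODO line throws NullPointerException when the response carries no signedDoc attribute and IndexOutOfBoundsException when its value list is empty; the catch clauses of the surrounding try are outside the hunk, so it is not visible whether these are mapped to a controlled error or escape the servlet. Rather than leaving the TODO, fetch the attribute into a local, check it and its value list, and fail before `ApiUtils.unmarshal` is reached, as sketched below.
```java
PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc");
if (signedDoc == null || signedDoc.getValue() == null || signedDoc.getValue().isEmpty()) {
	// TODO(review): route through the servlet's error handling; the catch clauses of this try are outside the hunk
	throw new IllegalStateException("STORK response carries no signedDoc attribute");
}
String signatureInfo = signedDoc.getValue().get(0);
// … unchanged: SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(...) …
```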
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..a62de27fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider {  		  return prop;    } +  /** +   * @return +   */ +  public String getMOAConfigurationEncryptionKey() { +	  String prop = props.getProperty("configuration.moaconfig.key");   +	  if (MiscUtil.isEmpty(prop)) +		  return null; +	  else +		  return prop; +  } +      public boolean isIdentityLinkResigning() {  	  String prop = props.getProperty("configuration.resignidentitylink.active", "false");  	  return Boolean.valueOf(prop); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 6398de34f..4c6519b57 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -22,6 +22,7 @@   */  package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey;  import java.util.List;  import java.util.Map; @@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;  import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;  import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;  import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;  /**   * @author tlenz 
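Review bot: The Javadoc on getMOAConfigurationEncryptionKey has an empty `@return` tag; because this property holds the key protecting the encrypted configuration (presumably what `ConfigurationEncrytionUtil` consumes), the contract should be spelled out, e.g. `@return the value of {@code configuration.moaconfig.key}, or {@code null} when the property is missing or empty`. The if/else collapses to `return MiscUtil.isEmpty(prop) ? null : prop;`, matching the neighbouring getters. Callers that dump configuration values into logs need to leave this one out.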
@@ -149,4 +151,6 @@ public interface IOAAuthParameters {  	List<String> getTestCredentialOIDs(); +	PrivateKey getBPKDecBpkDecryptionKey(); +	  }
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f58fe2495..673d23373 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -46,11 +46,15 @@  package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey;  import java.util.ArrayList;  import java.util.HashMap;  import java.util.List;  import java.util.Map; +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin;  import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;  import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType; @@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;  import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;  import at.gv.egovernment.moa.id.config.ConfigurationUtils;  import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil;  import at.gv.egovernment.moa.id.util.FormBuildUtils;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; 
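Review bot: The new interface method `getBPKDecBpkDecryptionKey()` carries no Javadoc, and the import of `at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters` added in the earlier hunk of this file is unused because the method returns `PrivateKey`; drop the import and document the method, e.g. `/** Returns the private key used to decrypt encrypted bPKs delivered for this online application, or {@code null} if none is configured. */`. The name doubles up "Dec"/"Decryption" and looks like a remnant of an earlier `...DecryptionParameters` variant, which the `@see` tags in OAAuthParameter and DynamicOAAuthParameters still reference; renaming to `getBPKDecryptionKey()` before the interface is released would avoid carrying that forward.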
@@ -555,4 +562,33 @@ public List<String> getTestCredentialOIDs() {  		return null;	  } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ +@Override +public PrivateKey getBPKDecBpkDecryptionKey() { + +	try {		 +		EncryptedData encdata = new EncryptedData( +			oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(),  +			oa_auth.getEncBPKInformation().getBPKDecryption().getIv()); +		byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata); +		BPKDecryptionParameters data =  +				(BPKDecryptionParameters) SerializationUtils.deserialize(serializedData); +		 +		return data.getPrivateKey(); +				 +	} catch (BuildException e) { +		// TODO Auto-generated catch block +		Logger.error("Can not decrypt key information for bPK decryption", e); +		 +	} catch (NullPointerException e) { +		Logger.error("No keyInformation found for bPK decryption"); +		 +	}	 +	return null; +	 +} +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java new file mode 100644 index 000000000..787a480f0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java 
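Review bot: `getBPKDecBpkDecryptionKey()` relies on `catch (NullPointerException e)` to detect an online application without encrypted-bPK configuration; the chain `oa_auth.getEncBPKInformation().getBPKDecryption()` should be null-checked explicitly and the NPE catch removed, since it currently also hides genuine programming errors, including any NPE raised inside `data.getPrivateKey()`. The decrypted blob is then fed to `SerializationUtils.deserialize`, i.e. Java native deserialization; that is acceptable only if `ConfigurationEncrytionUtil.decrypt` authenticates the ciphertext (not visible here) so a modified database row cannot supply an arbitrary object graph — please confirm, and otherwise store the keystore bytes and passwords as individually encrypted fields instead of a serialized object. The `// TODO Auto-generated catch block` comment is stale and should go. The `@see` tag names `getBPKDecBpkDecryptionParameters()`, which does not exist on the interface.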
@@ -0,0 +1,127 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; + +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.KeyStoreUtils; + + +/** + * @author tlenz + * + */ +public class BPKDecryptionParameters implements Serializable{ + +	private static final long serialVersionUID = 1L; +	 +	private byte[] keyStore = null; +	private String keyStorePassword = null; +	private String keyAlias = null; +	private String keyPassword = null; +	 +	/** +	 * @return +	 */ +	public PrivateKey getPrivateKey() {		 +		try { +			InputStream in = new ByteArrayInputStream(keyStore); +			KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword); +			 +		    char[] chPassword = " ".toCharArray(); +		    if (keyPassword != null) +		      chPassword = keyPassword.toCharArray(); +		     +//		    Certificate test = store.getCertificate(keyAlias); +//		    Base64Utils.encode(test.getPublicKey().getEncoded()); +		     +			return (PrivateKey) store.getKey(keyAlias, chPassword); +			 +			 +		} catch (KeyStoreException e) { +			Logger.error("Can not load private key from keystore.", e); +			 +		} catch (IOException e) { +			Logger.error("Can not load private key from keystore.", e); +			 +		} catch (UnrecoverableKeyException e) { +			Logger.error("Can not load private key from keystore.", e); + +		} catch (NoSuchAlgorithmException e) { +			Logger.error("Can not load private key from keystore.", e); +			 +		} +		 +		return null;		 +	} +	 +	public byte[] serialize() { +		return 
SerializationUtils.serialize(this); +		 +	} + +	/** +	 * @param keyStore the keyStore to set +	 */ +	public void setKeyStore(byte[] keyStore) { +		this.keyStore = keyStore; +	} + +	/** +	 * @param keyStorePassword the keyStorePassword to set +	 */ +	public void setKeyStorePassword(String keyStorePassword) { +		this.keyStorePassword = keyStorePassword; +	} + +	/** +	 * @param keyAlias the keyAlias to set +	 */ +	public void setKeyAlias(String keyAlias) { +		this.keyAlias = keyAlias; +	} + +	/** +	 * @param keyPassword the keyPassword to set +	 */ +	public void setKeyPassword(String keyPassword) { +		this.keyPassword = keyPassword; +	} +	 +	 +	 +	 +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index eddf605a6..7dbdcfa52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -22,6 +22,7 @@   */  package at.gv.egovernment.moa.id.config.auth.data; +import java.security.PrivateKey;  import java.util.List;  import java.util.Map; @@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {  		return null;  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() +	 */ +	@Override +	public PrivateKey getBPKDecBpkDecryptionKey() { +		// TODO Auto-generated method stub +		return null; +	} +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 5685977bc..6fd327add 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java 
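Review bot: `getPrivateKey()` casts the result of `store.getKey(keyAlias, chPassword)` to `PrivateKey` unchecked, so an alias that names a secret key yields ClassCastException and a missing alias yields a null that is indistinguishable from the logged failure paths; fetch into `java.security.Key key = store.getKey(keyAlias, chPassword);` and return `(PrivateKey) key` only when `key instanceof PrivateKey`, logging the alias otherwise. A null `keyStore` field also reaches `new ByteArrayInputStream(keyStore)` and throws NullPointerException outside the catch blocks, so guard it up front. The commented-out `Certificate test ...` lines and the now unused `Certificate`/`Base64Utils` imports should be removed, and the four identical catch blocks can be merged (multi-catch if the project builds with Java 7). The class is Serializable and carries `keyStorePassword` and `keyPassword` as String fields, so every serialized copy contains the passwords; that is presumably intended because the blob is stored encrypted, but it deserves a class-level comment saying so.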
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -27,6 +27,7 @@ import java.text.DateFormat;  import java.text.ParseException;  import java.text.SimpleDateFormat;  import java.util.Date; +import java.util.List;  import org.w3c.dom.Element; @@ -126,7 +127,9 @@ public class AuthenticationData  implements IAuthData, Serializable {  	  private byte[] signerCertificate = null;  	  private String authBlock = null;  - +	  private List<String> encbPKList = null; +	   +	    	  private boolean useMandate = false;  	  private MISMandate mandate = null;  	  private String mandateReferenceValue = null; @@ -672,6 +675,22 @@ public class AuthenticationData  implements IAuthData, Serializable {  		this.ssoSessionValidTo = ssoSessionValidTo;  	} +	/** +	 * @return the encbPKList +	 */ +	public List<String> getEncbPKList() { +		return encbPKList; +	} + +	/** +	 * @param encbPKList the encbPKList to set +	 */ +	public void setEncbPKList(List<String> encbPKList) { +		this.encbPKList = encbPKList; +	} +	 +	 + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java new file mode 100644 index 000000000..da6840fd7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java 
@@ -0,0 +1,33 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public class EncryptedbPK { +	private String vkz = null; +	private String target = null; +	private String encbPK = null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 7e421da0f..8ce33021d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -23,6 +23,7 @@  package at.gv.egovernment.moa.id.data;  import java.util.Date; +import java.util.List;  import org.w3c.dom.Element; 
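Review bot: `EncryptedbPK` declares the private fields `vkz`, `target` and `encbPK` but no constructor, accessor or Javadoc, so nothing can populate or read them and the class is dead as committed; either add the constructor and getters it is meant to have, or keep it out of the merge until it is used. `AuthenticationData.encbPKList` in this same commit is a `List<String>`, so it is not clear whether this class is intended to replace that representation.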
@@ -62,6 +63,8 @@ public interface IAuthData {  	 String getBkuURL(); +	 List<String> getEncbPKList(); +	   	 IdentityLink getIdentityLink();  	 byte[] getSignerCertificate();  	 String getAuthBlock(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 0d34fcb87..1e38bd4ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{  							info = ModulStorage.getModuleByPath(protocolRequest.requestedModule());  							moduleAction = info.getAction(protocolRequest.requestedAction()); -							//create interfederated mOASession +							//create interfederated MOASession  							String sessionID =   									AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId);  							req.getParameterMap().put(PARAM_SESSIONID, sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 8f9417096..daa70efce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -49,6 +49,7 @@ import org.opensaml.saml2.core.NameID;  import org.opensaml.saml2.core.NameIDPolicy;  import org.opensaml.saml2.core.NameIDType;  import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.StatusCode;  import org.opensaml.saml2.core.Subject;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.SingleLogoutService; 
@@ -252,8 +253,8 @@ public class AuthenticationManager extends AuthServlet {  		        VelocityContext context = new VelocityContext();  		        context.put("redirectURLs", sloReqList); -		        context.put("$timeoutURL", timeOutURL); -		        context.put("$timeout", SLOTIMEOUT); +		        context.put("timeoutURL", timeOutURL); +		        context.put("timeout", SLOTIMEOUT);  		        ssomanager.printSingleLogOutInfo(context, httpResp); @@ -284,7 +285,7 @@ public class AuthenticationManager extends AuthServlet {  			Logger.error("MOA AssertionDatabase ERROR", e);  			if (pvpReq != null) {  				SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); -				LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); +				LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);  				SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);  			}else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 46e02d048..b22941216 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java 
@@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction {  					if (MiscUtil.isEmpty(ssoID)) {  						Logger.warn("Can not find active Session. Single LogOut not possible!");  						SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); -						LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); +						LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);  						SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());  						return null; @@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction {  						} catch (MOADatabaseException e) {  							Logger.warn("Can not find active Session. Single LogOut not possible!");  							SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); -							LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); +							LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);  							SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());  							return null; @@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction {  					((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) {  				Logger.debug("Process Single LogOut response");  				LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse(); -														 + +				Transaction tx = null; +				  				try {					  					String relayState = pvpReq.getRequest().getRelayState();  					if (MiscUtil.isEmpty(relayState)) { 
@@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction {  					//TODO: add counter to prevent deadlock  					while (!storageSuccess) { -						Transaction tx = session.beginTransaction(); +						tx = session.beginTransaction();  						List result;  						Query query = session.getNamedQuery("getAssertionWithArtifact"); @@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction {  								try {  									session.delete(element);  									tx.commit(); - +									  								} catch(HibernateException e) {  									tx.rollback();								  									Logger.error("SLOContainter could not deleted from database. "); @@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction {  					Logger.error("Finale SLO redirct not possible.", e);  					throw new AuthenticationException("pvp2.13", new Object[]{}); +				} finally { +					if (tx != null && !tx.wasCommitted()) { +						tx.commit(); +						 +					}  				} +				 +				  			} else {  				Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 7f73b1ed7..1a268c812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java 
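Review bot: The new `finally` block calls `tx.commit()` whenever the transaction was not committed, which includes the failure path where the earlier hunk has already run `tx.rollback()` and an exception is propagating; Hibernate then throws from `commit()` on a rolled-back transaction and that exception replaces the `AuthenticationException` raised in the try block. Guard on the transaction state rather than `wasCommitted()` alone, e.g. `if (tx != null && tx.isActive()) { tx.rollback(); }`, or add `&& !tx.wasRolledBack()` if committing on exit is really intended. The `try` this `finally` belongs to opens in an earlier hunk, so the full control flow is not visible here, and the `//TODO: add counter to prevent deadlock` loop around the transaction remains unbounded.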
@@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder {  		messageContext  				.setInboundMessageTransport(new HttpServletRequestAdapter(req));  		try { -			decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); -			 +			//set metadata descriptor type +			if (isSPEndPoint) { +				messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); +				 +			} else { +				messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); +			} +						  		} catch (ConfigurationException e) {  			throw new SecurityException(e);  		}  		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); -		 -		//set metadata descriptor type -		if (isSPEndPoint) -			messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); -		else -			messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); -		 +				  		decode.decode(messageContext);  		InboundMessage msg = null;		 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 26f6f3a62..587d8e935 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java 
@@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder {  		HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(  				new BasicParserPool()); +		BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); +		messageContext +				.setInboundMessageTransport(new HttpServletRequestAdapter(req)); +		  		try { -			decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); +			//set metadata descriptor type +			if (isSPEndPoint) { +				messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); +				 +			} else { +				messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); +			}  		} catch (ConfigurationException e) {  			throw new SecurityException(e);  		} -		 -		BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); -		messageContext -				.setInboundMessageTransport(new HttpServletRequestAdapter(req)); -					 +							  		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());  		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( @@ -198,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder {  	}  	public boolean handleDecode(String action, HttpServletRequest req) { -		return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() -				.equals("GET")); +		return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT))  +				&& req.getMethod().equals("GET"));  	}  	public String getSAML2BindingName() { 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index f0eafe272..a2583c706 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;  import org.opensaml.saml2.core.RequestAbstractType;  import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.ws.message.encoder.MessageEncodingException;  import org.opensaml.ws.soap.client.BasicSOAPMessageContext; @@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class SoapBinding implements IDecoder, IEncoder { 
@@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder {  				new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();  		messageContext  				.setInboundMessageTransport(new HttpServletRequestAdapter( -						req)); -		 +						req));		 +		//messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); +		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); +				  		soapDecoder.decode(messageContext);  		Envelope inboundMessage = (Envelope) messageContext @@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder {  			if (!xmlElemList.isEmpty()) {  				SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0);			 -				MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); -				request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); +				MOARequest request = new MOARequest(attrReq, getSAML2BindingName());				 +				 +				if (messageContext.getPeerEntityMetadata() != null) +					request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); +				 +				else if (attrReq instanceof RequestAbstractType) { +					RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; +					try {						 +						if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) &&  +								MOAMetadataProvider.getInstance().getRole( +										attributeRequest.getIssuer().getValue(),  +										SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) +							request.setEntityID(attributeRequest.getIssuer().getValue()); +						 +					} catch (Exception e) { +						Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue()); +					}					 +				}  +				  				request.setVerified(false);			  				return request; 
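Review bot: The catch block logs `attributeRequest.getIssuer().getValue()`, so when the NullPointerException being caught came from a missing Issuer — the most likely way to land there — the log statement itself throws NullPointerException out of the decoder. Read the issuer once, check it before use, and then `catch (Exception e)` can be narrowed to whatever `MOAMetadataProvider.getRole` actually throws. The entity ID is taken from the self-asserted Issuer of a message that is still unverified (`request.setVerified(false)` is kept), which is fine only while the later signature check validates the message against the metadata of exactly that entity; that check is outside this hunk. The commented-out `setPeerEntityRole` line in the preceding hunk should be deleted rather than parked.
```java
else if (attrReq instanceof RequestAbstractType) {
	RequestAbstractType attributeRequest = (RequestAbstractType) attrReq;
	// the Issuer element may be absent; read it once so the catch below cannot NPE again
	String issuerId = attributeRequest.getIssuer() == null ? null : attributeRequest.getIssuer().getValue();
	if (MiscUtil.isNotEmpty(issuerId)) {
		try {
			if (MOAMetadataProvider.getInstance().getRole(issuerId, SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null)
				request.setEntityID(issuerId);
		} catch (Exception e) {
			Logger.warn("No Metadata found with EntityID " + issuerId);
		}
	}
}
// … unchanged: request.setVerified(false); return request; …
```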
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index eeb1dd104..01139d95c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -213,12 +213,13 @@ public class SingleLogOutBuilder {  		}			 -		 +		DateTime now = new DateTime();  		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);		  		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());  		issuer.setFormat(NameID.ENTITY);  		sloReq.setIssuer(issuer);		 -		sloReq.setIssueInstant(new DateTime()); +		sloReq.setIssueInstant(now); +		sloReq.setNotOnOrAfter(now.plusMinutes(5));  		sloReq.setDestination(sloInfo.getServiceURL()); 
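Review bot: The request validity `now.plusMinutes(5)` on the NotOnOrAfter line is a magic number; lift it to a named constant such as `private static final int SLO_REQUEST_VALIDITY_MINUTES = 5;` (or a configuration value) so it can be found and tuned together with the other single-logout timeouts, and note in a comment that it bounds how long the SP may act on the LogoutRequest. The method that builds the request begins and ends outside the hunk.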
@@ -230,14 +231,17 @@ public class SingleLogOutBuilder {  		return sloReq;		  	} -	public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { +	public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {  		LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);  		Status status = SAML2Utils.createSAMLObject(Status.class);  		StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);  		StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); -		statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); +		statusCode.setValue(firstLevelStatusCode);  		statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); +		StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); +		secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); +		statusCode.setStatusCode(secondLevelCode);  		status.setStatusCode(statusCode);  		status.setStatusMessage(statusMessage);  		sloResp.setStatus(status); @@ -255,8 +259,11 @@ public class SingleLogOutBuilder {  			status = SAML2Utils.createSAMLObject(Status.class);  			StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);  			StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); -			statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); +			statusCode.setValue(StatusCode.SUCCESS_URI);			  			statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); +			StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); +			secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); +			statusCode.setStatusCode(secondLevelCode);  			status.setStatusCode(statusCode);  			status.setStatusMessage(statusMessage); 
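Review bot: The new `firstLevelStatusCode` parameter of `buildSLOErrorResponse` is passed straight into `statusCode.setValue(firstLevelStatusCode)` with no validation, so a null argument yields a LogoutResponse whose top-level StatusCode has no Value; add `if (firstLevelStatusCode == null) throw new IllegalArgumentException("firstLevelStatusCode");` at the top of the method (or default to `StatusCode.RESPONDER_URI`) and a Javadoc `@param firstLevelStatusCode top-level SAML status code URI`, since the signature change is otherwise undocumented. The same status-building sequence (top-level code, message `pvp2.18`, second-level `PARTIAL_LOGOUT_URI`) now appears in both hunks; a private helper `buildPartialLogoutStatus(String firstLevelCode)` would keep the two in step. In the second hunk the top-level code becomes `SUCCESS_URI` while the message stays `pvp2.18`; if that message text describes a failure it will now accompany a success status, which is worth checking. The second hunk's enclosing method starts and ends outside the hunk.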
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 3dd1dd064..a38446826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil;  public class BPKAttributeBuilder implements IPVPAttributeBuilder { @@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder {  		String bpk = authData.getBPK();  		String type = authData.getBPKType(); +		if (MiscUtil.isEmpty(bpk)) +			throw new UnavailableAttributeException(BPK_NAME); +			  		if (type.startsWith(Constants.URN_PREFIX_WBPK))  			type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); -		else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); +		 +		else if (type.startsWith(Constants.URN_PREFIX_CDID))  +			type = type.substring((Constants.URN_PREFIX_CDID + "+").length());  		if (bpk.length() > BPK_MAX_LENGTH) {  			bpk = bpk.substring(0, BPK_MAX_LENGTH); 
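Review bot: The new guard checks only `bpk`, but `type` is still dereferenced two lines later in `type.startsWith(Constants.URN_PREFIX_WBPK)`, and `EIDSectorForIDAttributeBuilder` in this same commit treats `authData.getBPKType()` as possibly empty, so a null type still ends in a NullPointerException here instead of an UnavailableAttributeException. Extend the check to `if (MiscUtil.isEmpty(bpk) || MiscUtil.isEmpty(type)) throw new UnavailableAttributeException(BPK_NAME);`. The enclosing build method starts and ends outside the hunk.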
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index e8aeb8fcd..29d6df040 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -27,6 +27,7 @@ import java.io.IOException;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Base64Utils; @@ -40,6 +41,10 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder {  			IAttributeGenerator<ATT> g) throws AttributeException {  		try {  			String ilAssertion = null; +			 +			if (authData.getIdentityLink() == null) +				throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME); +			  			ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();  			return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 7f52e1d47..463658a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java 
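Review bot: The new `throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME);` sits inside the `try` that opens two lines above it, and the matching catch is outside the hunk; if that catch handles `Exception` or another supertype of UnavailableAttributeException, the throw is swallowed there and the builder returns whatever the catch path returns. Either move the null check above the `try`, or confirm that the catch clause only names the checked types the serialization call throws. The `String ilAssertion = null;` initialisation is dead, since the statement right after the new check assigns it unconditionally; `String ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();` is simpler. The enclosing build method ends outside the hunk.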
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil;  public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { @@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder {  	}  	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, -			IAttributeGenerator<ATT> g) throws AttributeException { +			IAttributeGenerator<ATT> g) throws AttributeException {		  		String bpktype = authData.getBPKType(); +		 +		if (MiscUtil.isEmpty(authData.getBPKType())) +			throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME); +				  		return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME,  				EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype);  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index a8b703fc2..16de43e11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java 
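Review bot: The guard added to `build` calls `authData.getBPKType()` a second time instead of testing the `bpktype` local assigned on the preceding line, so the value checked and the value used afterwards are read separately; `if (MiscUtil.isEmpty(bpktype))` keeps them in step and reads as intended. The trailing whitespace added to the signature line and after the `throw` should be dropped. The build method is complete within the hunk.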
@@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil;  public class EIDSourcePIN implements IPVPAttributeBuilder  { @@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder  {  			throw new AttributePolicyException(EID_SOURCE_PIN_NAME);  		else { +			if (MiscUtil.isEmpty(authData.getIdentificationValue())) +				throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); +			  			return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue());  		}  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java new file mode 100644 index 000000000..b3256ac9a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java 
@@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { +	 +	public String getName() { +		return ENC_BPK_LIST_NAME; +	} +	 +	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, +			IAttributeGenerator<ATT> g) throws AttributeException { + +		if (authData.getEncbPKList() != null && +				authData.getEncbPKList().size() > 0) { +			String value = authData.getEncbPKList().get(0); +			for (int i=1; i<authData.getEncbPKList().size(); i++) +				value += ";"+authData.getEncbPKList().get(i);			 +			 +			return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,  +					value); +			 +		}  +		 +		throw new UnavailableAttributeException(ENC_BPK_LIST_NAME); +		 +//		String encbpk = "XXX01234567890XXX"; +//		String type = "Bereich"; +//		String vkz = "Verfahrenskennzeichen"; +//		 +//		//TODO: implement encrypted bPK support +//		 +//		Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk); +//		 +//		return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,  +//				vkz + "+" + type + "|" + encbpk); +	} +	 +	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { +		return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME); +	} +	 +} 
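Review bot: `build` joins the encrypted bPK list with `value += ";" + authData.getEncbPKList().get(i)` in a loop, which copies the string on every iteration and re-reads the list each time; a StringBuilder over a local reference is linear and names the separator once (the local needs a `java.util.List` import). The commented-out block at the end of `build` (the `XXX01234567890XXX` placeholder and the TODO) is dead code and should be deleted, after which the `Logger` and `Constants` imports are unused. Using `;` as separator assumes no list entry contains a semicolon; that is fine if the entries are Base64-encoded, but the assumption should be stated above the loop rather than left implicit.

```java
	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
			IAttributeGenerator<ATT> g) throws AttributeException {

		List<String> encBPKs = authData.getEncbPKList();
		if (encBPKs != null && !encBPKs.isEmpty()) {
			// entries are joined with ';' — assumes no entry contains the separator (TODO confirm entry encoding)
			StringBuilder value = new StringBuilder(encBPKs.get(0));
			for (int i = 1; i < encBPKs.size(); i++)
				value.append(';').append(encBPKs.get(i));

			return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
					value.toString());
		}

		throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
	}
```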
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 670398ff6..790c1e8ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.AuthenticationData;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Base64Utils;  import at.gv.egovernment.moa.util.DOMUtils; @@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder  	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException {  		if (authData.isUseMandate()) { -			if (authData.getMandate() != null) { +			//only provide full mandate if it is included.  +			//In case of federation only a short mandate could be include  +			if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) {  				String fullMandate;  				try {  					fullMandate = DOMUtils.serializeNode(authData @@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder  					Logger.error("Failed to generate Full Mandate", e);  				}  			} +			throw new NoMandateDataAttributeException(); +			  		}  		return null; 
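Review bot: The new condition `authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()` null-checks `getMandate()` but then dereferences `getMISMandate()`, so a session whose MIS mandate object is absent throws a NullPointerException instead of reaching the new `NoMandateDataAttributeException`; guard it as `authData.getMISMandate() != null && authData.getMISMandate().isFullMandateIncluded()` (or test the same object on both sides). The unconditional `throw new NoMandateDataAttributeException();` added after the block is also reached when `DOMUtils.serializeNode` failed and the catch only logged the error, so a serialization failure is now reported to the caller as "no mandate data" (assuming the block returns the attribute on success, which is outside the hunk); if that is intended the error log should say so, otherwise throw an exception carrying `e` from the catch. The enclosing build method ends outside the hunk.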
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index ee0088576..a16fed9cd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -22,15 +22,25 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap;  import java.util.List; +import java.util.Map;  import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement;  import org.opensaml.saml2.core.AuthnContextClassRef;  import org.opensaml.saml2.core.AuthnStatement;  import org.opensaml.saml2.core.Response;  import org.opensaml.saml2.core.StatusResponseType;  import org.opensaml.saml2.core.Subject; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; 
@@ -38,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil;  public class AssertionAttributeExtractor {  	private Assertion assertion = null; +	private Map<String, String> attributs = new HashMap<String, String>(); +	private PersonalAttributeList storkAttributes = new PersonalAttributeList(); +		 +	private final List<String> minimalAttributeNameList = Arrays.asList( +			PVPConstants.PRINCIPAL_NAME_NAME,  +			PVPConstants.GIVEN_NAME_NAME, +			PVPConstants.BIRTHDATE_NAME); +	  	public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption {  		if (samlResponse != null && samlResponse instanceof Response) { 
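Review bot: `minimalAttributeNameList` is a constant list built from `PVPConstants` values, yet it is an instance field rebuilt for every extractor; `private static final List<String> MINIMAL_ATTRIBUTE_NAMES = Arrays.asList(...)` expresses that it never varies. The `Map<String, String>` field `attributs` is misspelled (`attributes`), and since it only ever holds one value per attribute name the field comment should say so, e.g. `// first value of each non-STORK attribute in the assertion`.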
@@ -48,12 +66,79 @@ public class AssertionAttributeExtractor {  			else if (assertions.size() > 1)  				Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); -			assertion = assertions.get(0);			 -					 +			assertion = assertions.get(0); + +			if (assertion.getAttributeStatements() != null && +					assertion.getAttributeStatements().size() > 0) { +				AttributeStatement attrStat = assertion.getAttributeStatements().get(0); +				for (Attribute attr : attrStat.getAttributes()) { +					if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {							 +						List<String> storkAttrValues = new ArrayList<String>(); +						storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); +						PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),  +								false, storkAttrValues , "Available"); +						storkAttributes.put(attr.getName(), storkAttr ); +						 +					} else 					 +						attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); +			} +				 +			} +						  		} else   			throw new AssertionAttributeExtractorExeption();		  	} +	/** +	 * check attributes from assertion with minimal required attribute list +	 * @return +	 */ +	public boolean containsAllRequiredAttributes() { +		return containsAllRequiredAttributes(minimalAttributeNameList); +		 +	} +	 +	/** +	 * check attributes from assertion with attributeNameList +	 * bPK or enc_bPK is always needed +	 *  +	 * @param List of attributes which are required +	 *  +	 * @return +	 */ +	public boolean containsAllRequiredAttributes(List<String> attributeNameList) {		 +		 +		//first check if a bPK or an encrypted bPK is available +		if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) ||  +				(attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { +			boolean flag = true; +			for (String attr : attributeNameList) { +				if (!attributs.containsKey(attr)) +	
				flag = false; +			} +			 +			return flag; +			 +		}			 +		return false; +		 +	} +	 +	public boolean containsAttribute(String attributeName) { +		return attributs.containsKey(attributeName); +		 +	} +	 +	public String getAttribute(String attributeName) { +		return attributs.get(attributeName); +		 +	} +	 +	public PersonalAttributeList getSTORKAttributes() { +		return storkAttributes; +	} +	 +	  	public String getNameID() throws AssertionAttributeExtractorExeption {		  		if (assertion.getSubject() != null) {  			Subject subject = assertion.getSubject(); @@ -99,6 +184,10 @@ public class AssertionAttributeExtractor {  		throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");		  	} +	public Assertion getFullAssertion() { +		return assertion; +	} +	  	private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {  		List<AuthnStatement> authnList = assertion.getAuthnStatements();  		if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 08f40f888..7d3c72630 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java 
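Review bot: The constructor reads `attr.getAttributeValues().get(0)` for every attribute, so an Attribute element with no AttributeValue throws IndexOutOfBoundsException out of the constructor, and multi-valued attributes silently lose every value after the first; add `if (attr.getAttributeValues().isEmpty()) continue;` (with a warn log) before indexing, and state the first-value-only behaviour in a comment. Only the first AttributeStatement of the assertion is consulted, which should be stated next to `assertion.getAttributeStatements().get(0)` as well. `containsAllRequiredAttributes(List)` documents its parameter as `@param List of attributes which are required`, which is not a valid Javadoc tag form; it should be `@param attributeNameList names of the attributes that must be present`, and the `@return` tags of both overloads are empty. The constructor begins outside this hunk; the new methods are complete within it.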
@@ -22,15 +22,22 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.saml1; +import java.io.ByteArrayOutputStream;  import java.io.IOException;  import java.util.List; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName;  import javax.xml.parsers.ParserConfigurationException;  import javax.xml.transform.TransformerException;  import org.w3c.dom.Element;  import org.xml.sax.SAXException; +import com.sun.xml.bind.marshaller.NamespacePrefixMapper; +  import at.gv.egovernment.moa.id.auth.AuthenticationServer;  import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;  import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; @@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils;  import at.gv.egovernment.moa.util.Constants;  import at.gv.egovernment.moa.util.DOMUtils;  import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.persondata.IdentificationType; +import at.gv.util.xsd.persondata.IdentificationType.Value; +import at.gv.util.xsd.persondata.PersonNameType; +import at.gv.util.xsd.persondata.PersonNameType.FamilyName; +import at.gv.util.xsd.persondata.PhysicalPersonType;  public class SAML1AuthenticationServer extends AuthenticationServer { 
@@ -185,30 +197,82 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  			//set prPersion  			boolean provideStammzahl = saml1parameter.isProvideStammzahl()   					|| oaParam.getBusinessService(); -			String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), -					provideStammzahl); -			//set Authblock -			String authBlock = saml1parameter.isProvideAUTHBlock() ? authData -					.getAuthBlock() : ""; -					 -			//set IdentityLink for assortion +			String prPerson = "";  			String ilAssertion = ""; -			if (saml1parameter.isProvideIdentityLink()) {		 -				ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); -					 -				if (!provideStammzahl) -					ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() -							.getIdentificationValue(), "");					 -			} - +			if (authData.getIdentityLink() != null) { +				prPerson = new PersonDataBuilder().build(authData.getIdentityLink(),			 +						provideStammzahl); -			String samlAssertion; +				//set IdentityLink for assortion				 +				if (saml1parameter.isProvideIdentityLink()) {		 +					ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); +						 +					if (!provideStammzahl) +						ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() +								.getIdentificationValue(), "");					 +				}			  +			} else { +				Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. 
"); +				PhysicalPersonType person = new PhysicalPersonType(); +				PersonNameType name = new PersonNameType(); +				person.setName(name);				 +				FamilyName familyName = new FamilyName(); +				name.getFamilyName().add(familyName ); +				IdentificationType id = new IdentificationType(); +				person.getIdentification().add(id ); +				Value value = new Value(); +				id.setValue(value  ); +				 +				id.setType(Constants.URN_PREFIX_BASEID); +				value.setValue("");				 +				familyName.setValue(authData.getFamilyName()); +				familyName.setPrimary("undefined"); +				name.getGivenName().add(authData.getGivenName()); +				person.setDateOfBirth(authData.getFormatedDateOfBirth()); +							 +				JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata"); +				Marshaller m = jc.createMarshaller(); +				m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE); +				 +				m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { +		            public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { +		            	if (Constants.PD_NS_URI.equals(arg0)) +		            		return Constants.PD_PREFIX; +		            	else +		            		return arg1; +		            } +		        }); +				 +				ByteArrayOutputStream stream = new ByteArrayOutputStream(); +				m.marshal( +						new JAXBElement<PhysicalPersonType>(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person),  +						stream);				 +				prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8")); +				stream.close(); +				 +				 +				 +			} +			 +			//set Authblock +			String authBlock = ""; +			if (authData.getAuthBlock() != null) { +				authBlock = saml1parameter.isProvideAUTHBlock() ? 
authData.getAuthBlock() : ""; +				 +			} else { +				Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available"); +				 +			} +			String samlAssertion;			  			if (authData.isUseMandate()) {  				List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA(); -				if (saml1parameter.isProvideFullMandatorData()) { +				//only provide full mandate if it is included.  +				//In case of federation only a short mandate could be include  +				if (saml1parameter.isProvideFullMandatorData()  +						&& authData.getMISMandate().isFullMandateIncluded()) {  					try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 139c438f9..baa91a854 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction {          httpResp.reset();          this.representingIdentityLink = authData.getIdentityLink(); +          OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL());          if (oaParam == null)              throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); 
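Review bot: The `else` branch of the new auth-block handling logs `"\"provideAuthBlock\" is \"true\", but no authblock available"` whenever `authData.getAuthBlock()` is null, regardless of `saml1parameter.isProvideAUTHBlock()`, so the message is wrong when the parameter is false; restrict it with `if (saml1parameter.isProvideAUTHBlock() && authData.getAuthBlock() == null) Logger.info(...)`. `JAXBContext.newInstance("at.gv.util.xsd.persondata")` is created on every request that takes the no-IdentityLink branch; JAXBContext creation is expensive and the context is thread-safe, so it belongs in a `private static final` field initialised once in a static block (the Marshaller itself stays per-call). The `NamespacePrefixMapper` from `com.sun.xml.bind.marshaller` and the `"com.sun.xml.bind.namespacePrefixMapper"` property tie this class to the JAXB reference implementation, a dependency the file did not have before; if that is acceptable it deserves a comment, otherwise the prefix can be fixed in the schema binding. The enclosing method starts and ends outside the hunk.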
@@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction {          }          if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { -            Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType()); +            Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)"); +            Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() +  ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue());              throw new MOAIDException("stork.20", new Object[]{}); // TODO          } @@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction {              represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute));          } else if (mandateContainer instanceof PhyPersonMandateContainer) {              PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer; -            represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE +            represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer));              represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName());              represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName());              represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate()); 
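Review bot: The new `Logger.debug` line writes `mandateContainer.getPhysicalRepresentativeIdentificationValue()` and `this.representingIdentityLink.getIdentificationValue()` to the log; for an identity link of type baseID that value is the source PIN, which this same change set deliberately strips from assertions (`StringUtils.replaceAll(ilAssertion, ...getIdentificationValue(), "")` in SAML1AuthenticationServer), so it should not land in log files even at debug level. Log only the identification types, e.g. `Logger.debug("identification types differ: mandateContainer=" + mandateContainer.getPhysicalRepresentativeIdentificationType() + ", representingIdentityLink=" + this.representingIdentityLink.getIdentificationType());`, which the extended error line above already covers. The `// TODO` on the following `throw new MOAIDException("stork.20", new Object[]{})` still says nothing about what is missing and should be resolved or explained. The enclosing method starts and ends outside the hunk.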
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 350c4e9da..a9f5ed60a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage {  	private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException {  		byte[] serialized = SerializationUtils.serialize(session); -		EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); +		EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized);  		dbsession.setSession(encdata.getEncData());  		dbsession.setIv(encdata.getIv());  	} @@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage {  	private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException {  		EncryptedData encdata = new EncryptedData(dbsession.getSession(),  				dbsession.getIv()); -		byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); +		byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata);  		return (AuthenticationSession) SerializationUtils.deserialize(decrypted); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java new file mode 100644 index 000000000..f246c55e1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java 
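Review bot: `encryptSession` and `decryptSession` now go through `SessionEncrytionUtil.getInstance()`, but the hunk shows no handling for the instance being unavailable; the constructor of the new base class `AbstractEncrytionUtil` declares `DatabaseEncryptionException` while these methods only declare `BuildException`, so how an initialisation failure surfaces here (a null instance and NPE, a wrapped exception, or an unchecked one) cannot be seen in this hunk and should be stated in a comment above the calls, e.g. `// getInstance() — TODO confirm it fails loudly when the session key could not be initialised`. Related, and visible in the new base class: when no salt is configured it falls back to the literal `"TestSalt"`, so the key every session written by `encryptSession` is derived from then depends on the configured key alone; a missing salt should probably be a configuration error rather than a default. Both methods are complete within their hunks.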
@@ -0,0 +1,157 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public abstract class AbstractEncrytionUtil {
+	protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+	protected static final String KEYNAME = "AES";
+
+	private SecretKey secret = null;
+	
+	public AbstractEncrytionUtil() throws DatabaseEncryptionException {
+		initialize(getKey(), getSalt());
+	}
+	
+	protected abstract String getSalt();
+	protected abstract String getKey();
+
+	protected void initialize(String key, String salt) throws DatabaseEncryptionException {
+		try {
+			if (MiscUtil.isNotEmpty(key)) {			
+				if (MiscUtil.isEmpty(salt))
+					salt = "TestSalt";
+			
+				PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
+				SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
+				PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
+							
+				SecureRandom random = new SecureRandom();
+				KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
+				
+				PBEKeyAndParameterSpec parameterSpec =
+						   new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
+								   					  salt.getBytes(),
+						                              2000,
+						                              16);
+					
+				pbkdf2.init(parameterSpec, random);
+				SecretKey derivedKey = pbkdf2.generateKey();
+				
+				SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
+				SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
+				secret = kf.generateSecret(spec);
+				
+			} else {
+				Logger.error("Database encryption can not initialized. No key found!");
+				
+			}
+						
+		} catch (NoSuchAlgorithmException e) {
+			Logger.error("Database encryption can not initialized", e);
+			throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+		} catch (NoSuchProviderException e) {
+			Logger.error("Database encryption can not initialized", e);
+			throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+			
+		} catch (InvalidKeySpecException e) {
+			Logger.error("Database encryption can not initialized", e);
+			throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+			
+		} catch (InvalidAlgorithmParameterException e) {
+			Logger.error("Database encryption can not initialized", e);
+			throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+			
+		}		
+	}
+	
+	public EncryptedData encrypt(byte[] data) throws BuildException {
+		Cipher cipher;
+		
+		if (secret != null) {
+			try {
+				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+			    cipher.init(Cipher.ENCRYPT_MODE, secret);
+				
+			    Logger.debug("Encrypt MOASession");
+			    
+			    byte[] encdata = cipher.doFinal(data);
+			    byte[] iv = cipher.getIV();
+			    
+			    return new EncryptedData(encdata, iv);
+			    
+			} catch (Exception e) {
+				Logger.warn("MOASession is not encrypted",e);
+				throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
+			}
+		} else
+			return new EncryptedData(data, null);
+	}
+	
+	public byte[] decrypt(EncryptedData data) throws BuildException {
+		Cipher cipher;
+		
+		if (secret != null) {
+			try {
+				IvParameterSpec iv = new IvParameterSpec(data.getIv());
+				
+				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+			    cipher.init(Cipher.DECRYPT_MODE, secret, iv);
+				
+			    Logger.debug("Decrypt MOASession");
+			    return cipher.doFinal(data.getEncData());
+			    
+			} catch (Exception e) {
+				Logger.warn("MOASession is not decrypted",e);
+				throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
+			}
+		} else
+		return data.getEncData();
+	}
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
new file mode 100644
index 000000000..10221604c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
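Review bot: When `getKey()` returns an empty key, `initialize` only logs `"Database encryption can not initialized. No key found!"` and leaves `secret` null, after which `encrypt` hands back the plaintext with a null IV and `decrypt` returns the stored bytes unchanged — a missing or mistyped key silently switches encryption off for every subclass, and `ConfigurationEncrytionUtil` now inherits that behaviour along with the session case the old code described as "deaktivated". I would throw `DatabaseEncryptionException` in that `else` branch, or let the subclass opt into plaintext through an explicit hook, so that storing unencrypted data is a deliberate choice. `salt.getBytes()` also uses the platform charset, so the derived AES key can differ between JVMs with different `file.encoding`; pass `StandardCharsets.UTF_8` (and note the fixed per-class salt plus 2000 PBKDF2 iterations offer little resistance to offline guessing of a short configured key). Finally, `AES/CBC/PKCS5Padding` provides confidentiality only; since callers deserialize the decrypted bytes, the ciphertext should carry an HMAC or use an AEAD mode so tampering is rejected rather than detected by chance at the padding check.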
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil {
+	
+	private static ConfigurationEncrytionUtil instance = null;	
+	private static String key = null;
+	
+	public static ConfigurationEncrytionUtil getInstance() {
+		if (instance == null) {
+			try {
+				key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey();			
+				instance =  new ConfigurationEncrytionUtil();
+								
+			} catch (Exception e) {
+				Logger.warn("MOAConfiguration encryption initialization FAILED.", e);
+				
+			}					
+		}
+		return instance;
+	}
+
+	/**
+	 * @throws DatabaseEncryptionException
+	 */
+	private ConfigurationEncrytionUtil() throws DatabaseEncryptionException {
+		super();
+	}
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+	 */
+	@Override
+	protected String getSalt() {
+		return "Configuration-Salt";
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+	 */
+	@Override
+	protected String getKey() {
+		return key;
+	}
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
index acc2a7273..8660f7c09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
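Review bot: `getInstance` swallows the exception from `new ConfigurationEncrytionUtil()` and returns `null`, so a misconfigured `MOAConfigurationEncryptionKey` surfaces as a NullPointerException at the first call site rather than next to the logged cause, and because `instance` stays null every later call repeats the failing initialization and the warning. The lazy initialization is also unsynchronized, so concurrent first calls can construct two instances (benign only because both derive the same key from the same static `key`). I would declare it `public static synchronized ConfigurationEncrytionUtil getInstance()` and rethrow instead of returning null, e.g. `throw new IllegalStateException("MOAConfiguration encryption initialization FAILED.", e);`. The constructor's Javadoc should also state what this instance protects — presumably the configuration persisted in the database, judging by the key's name — rather than only `@throws DatabaseEncryptionException`.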
@@ -22,110 +22,50 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.util;
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
-import java.security.SecureRandom;
-import java.security.spec.KeySpec;
-
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.data.EncryptedData;
 import at.gv.egovernment.moa.logging.Logger;
-public class SessionEncrytionUtil {
-
-	private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
-	private static final String KEYNAME = "AES";
-	
-	static private SecretKey secret = null;
+public class SessionEncrytionUtil extends AbstractEncrytionUtil {
-	static {
-		try {
-			String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
-			
-			if (key != null) {
-
-					PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
-					SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
-					PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
-					
-					
-					SecureRandom random = new SecureRandom();
-					KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
-					
-					PBEKeyAndParameterSpec parameterSpec =
-							   new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
-									   					  "TestSALT".getBytes(),
-							                              2000,
-							                              16);
-						
-					pbkdf2.init(parameterSpec, random);
-					SecretKey derivedKey = pbkdf2.generateKey();
-					
-					SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
-					SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
-					secret = kf.generateSecret(spec);
-					
-			} else {
-				Logger.warn("MOASession encryption is deaktivated.");
-			}
-			
-		} catch (Exception e) {
-			Logger.warn("MOASession encryption can not be inizialized.", e);
-		}
-		
-	}
+	private static SessionEncrytionUtil instance = null;	
+	private static String key = null;
-	public static EncryptedData encrypt(byte[] data) throws BuildException {
-		Cipher cipher;
-		
-		if (secret != null) {
+	public static SessionEncrytionUtil getInstance() {
+		if (instance == null) {
 			try {
-				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
-			    cipher.init(Cipher.ENCRYPT_MODE, secret);
-				
-			    Logger.debug("Encrypt MOASession");
-			    
-			    byte[] encdata = cipher.doFinal(data);
-			    byte[] iv = cipher.getIV();
-			    
-			    return new EncryptedData(encdata, iv);
-			    
+				key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();			
+				instance =  new SessionEncrytionUtil();
+								
 			} catch (Exception e) {
-				Logger.warn("MOASession is not encrypted",e);
-				throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
-			}
-		} else
-			return new EncryptedData(data, null);
+				Logger.warn("MOASession encryption can not be inizialized.", e);
+				
+			}					
+		}
+		return instance;
+	}
+
+	/**
+	 * @throws DatabaseEncryptionException
+	 */
+	private SessionEncrytionUtil() throws DatabaseEncryptionException {
+		super();
 	}
-	public static byte[] decrypt(EncryptedData data) throws BuildException {
-		Cipher cipher;
-		
-		if (secret != null) {
-			try {
-				IvParameterSpec iv = new IvParameterSpec(data.getIv());
-				
-				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
-			    cipher.init(Cipher.DECRYPT_MODE, secret, iv);
-				
-			    Logger.debug("Decrypt MOASession");
-			    return cipher.doFinal(data.getEncData());
-			    
-			} catch (Exception e) {
-				Logger.warn("MOASession is not decrypted",e);
-				throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
-			}
-		} else
-		return data.getEncData();
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+	 */
+	@Override
+	protected String getSalt() {
+		return "Session-Salt";
 	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+	 */
+	@Override
+	protected String getKey() {
+		return key;
+	}
+	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
index f7785d2c2..20cabaf4d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -70,6 +70,7 @@ public class MISMandate implements Serializable{
 	private String oid = null;
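Review bot: The PBKDF2 salt changes from the removed `"TestSALT".getBytes()` to the `"Session-Salt"` that `getSalt()` now returns, so the AES key derived from an unchanged `MOASessionEncryptionKey` is different after this commit and any session rows encrypted by the previous version can no longer be decrypted (the base class's `decrypt` will fail and throw `BuildException`). If persisted sessions are expected to survive a deployment, keep the old salt value or document that the session table must be cleared on upgrade; in either case I would add `// NOTE: changing this value invalidates every MOASession encrypted with the previous salt` above `return "Session-Salt";`. As in `ConfigurationEncrytionUtil`, `getInstance()` swallows the initialization failure and returns `null`, which the callers in `AuthenticationSessionStoreage` do not check.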
  	private byte[] mandate = null;
  	private String owBPK = null;
 +	private boolean isFullMandateIncluded = false;
  	public String getProfRep() {
    	return oid;
 @@ -109,5 +110,18 @@ public class MISMandate implements Serializable{  		}
  	}
 +	/**
 +	 * @return the isFullMandateIncluded
 +	 */
 +	public boolean isFullMandateIncluded() {
 +		return isFullMandateIncluded;
 +	}
 +	/**
 +	 * @param isFullMandateIncluded the isFullMandateIncluded to set
 +	 */
 +	public void setFullMandateIncluded(boolean isFullMandateIncluded) {
 +		this.isFullMandateIncluded = isFullMandateIncluded;
 +	}
 +	
  }
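Review bot: The Javadoc on the new accessors (`@return the isFullMandateIncluded`, `@param isFullMandateIncluded the isFullMandateIncluded to set`) is IDE boilerplate that restates the name and tells a reader nothing about the flag's meaning. I would replace the getter's comment with a sentence such as `/** Whether the full mandate document was delivered by MIS and stored via {@link #setMandate(byte[])}; false for a mandate reference only. */` and drop the parameter tag on the setter, since the only visible caller (`MISSimpleClient`) sets it right after decoding the mandate and the exact semantics should be confirmed against the MIS protocol. The getter's `is` prefix on a field of the same name is also easy to misread; naming the field `fullMandateIncluded` would keep the JavaBean convention without the duplication.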
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index aaf793987..15b2a89b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -145,6 +145,8 @@ public class MISSimpleClient {
 				//misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate)));
  				misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes()));
 +				misMandate.setFullMandateIncluded(true);
 +				
  				foundMandates.add(misMandate);
  			}
  			return foundMandates;
