MOA-ID, which use MOA-Sig (includes new IAIK-MOA, with iaik_xect, iaik_eccelerate, and new iaik_PKI module

6 files changed, 82 insertions, 96 deletions

diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml
index 9975fee54..50dda0554 100644
--- a/id/server/idserverlib/pom.xml
+++ b/id/server/idserverlib/pom.xml
@@ -305,6 +305,13 @@
 			<scope>test</scope>

 		</dependency>

 

+ 		<dependency>

+			<groupId>iaik.prod</groupId>

+			<artifactId>iaik_ixsil</artifactId>

+			<version>1.2.2.5</version>

+			<scope>test</scope>

+		</dependency> 

+

 		<dependency>

 			<groupId>com.h2database</groupId>

 			<artifactId>h2</artifactId>

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 458f9afe6..4acce2813 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -40,14 +40,14 @@ import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.logging.LoggingContext;
-import at.gv.egovernment.moa.logging.LoggingContextManager;
 import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
 import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.LoggingContext;
+import at.gv.egovernment.moaspss.logging.LoggingContextManager;
 import iaik.pki.PKIException;
-import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.ec.provider.ECCelerate;
 import iaik.security.provider.IAIK;
 
 /**
@@ -104,7 +104,7 @@ public class MOAIDAuthInitializer {
 
         Logger.info("Loading Java security providers.");
         IAIK.addAsProvider();                
-        ECCProvider.addAsProvider();
+        ECCelerate.addAsProvider();
         
         // Initializes SSLSocketFactory store
         SSLUtils.initialize();
@@ -146,7 +146,7 @@ public class MOAIDAuthInitializer {
         //ECCProvider.addAsProvider();
         
         Security.insertProviderAt(IAIK.getInstance(), 0);
-        Security.addProvider(new ECCProvider());
+        Security.addProvider(new ECCelerate());
         
         if (Logger.isDebugEnabled()) {
         	Logger.debug("Loaded Security Provider:");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
index 3418ffb69..84285a318 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
@@ -24,8 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
 
 import java.io.IOException;
 import java.io.StringWriter;
-import java.security.PrivateKey;
-import java.security.interfaces.RSAPrivateKey;
 import java.util.List;
 
 import javax.xml.parsers.DocumentBuilder;
@@ -66,7 +64,6 @@ import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
 import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
 import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.SignatureConstants;
 import org.opensaml.xml.signature.SignatureException;
 import org.opensaml.xml.signature.Signer;
 import org.springframework.stereotype.Service;
@@ -74,6 +71,7 @@ import org.w3c.dom.Document;
 
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
@@ -153,7 +151,7 @@ public class PVPMetadataBuilder {
 
 		//set metadata signature parameters
 		Credential metadataSignCred = config.getMetadataSigningCredentials();		
-		Signature signature = getIDPSignature(metadataSignCred);
+		Signature signature = AbstractCredentialProvider.getIDPSignature(metadataSignCred);
 		SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null);
 		
 		
@@ -434,27 +432,5 @@ public class PVPMetadataBuilder {
 		return idpSSODescriptor;
 		
 	}
-	
-	private Signature getIDPSignature(Credential credentials) {		
-		PrivateKey privatekey = credentials.getPrivateKey();		
-		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
 		
-		if (privatekey instanceof RSAPrivateKey) {
-			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-			
-		} else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
-			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
-
-		} else {
-			Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential.");
-			
-			
-		}
-
-		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);		
-		signer.setSigningCredential(credentials);
-		return signer;
-		
-	}
-	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
index 4c9a1e59f..9102606a2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
@@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
 
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.RSAPrivateKey;
 
 import org.opensaml.xml.security.credential.Credential;
@@ -197,7 +198,7 @@ public abstract class AbstractCredentialProvider {
 		if (privatekey instanceof RSAPrivateKey) {
 			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
 			
-		} else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
+		} else if (privatekey instanceof ECPrivateKey) {
 			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
 
 		} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
index 2c0a82708..f37ae0b0b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
@@ -20,48 +20,15 @@
  * The "NOTICE" text file is part of the distribution. Any derivative works
  * that you distribute must include a readable copy of the "NOTICE" text file.
  ******************************************************************************/
-/*
- * Copyright 2003 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
 
 package at.gv.egovernment.moa.id.util;
 
-import iaik.security.ecc.ecdsa.ECDSAParameter;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-import iaik.security.ecc.math.ecgroup.AffineCoordinate;
-import iaik.security.ecc.math.ecgroup.Coordinate;
-import iaik.security.ecc.math.ecgroup.CoordinateTypes;
-import iaik.security.ecc.math.ecgroup.ECGroupFactory;
-import iaik.security.ecc.math.ecgroup.ECPoint;
-import iaik.security.ecc.math.ecgroup.EllipticCurve;
-import iaik.security.ecc.math.field.Field;
-import iaik.security.ecc.math.field.FieldElement;
-import iaik.security.ecc.math.field.PrimeField;
-import iaik.security.ecc.parameter.ECCParameterFactory;
-import iaik.security.ecc.spec.ECCParameterSpec;
-
 import java.math.BigInteger;
 import java.security.PublicKey;
+import java.security.spec.ECField;
+import java.security.spec.ECFieldF2m;
+import java.security.spec.ECFieldFp;
+import java.security.spec.ECPoint;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Vector;
@@ -72,6 +39,15 @@ import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import at.gv.egovernment.moa.logging.Logger;
+import iaik.security.ec.common.ECParameterSpec;
+import iaik.security.ec.common.ECPublicKey;
+import iaik.security.ec.common.ECStandardizedParameterFactory;
+import iaik.security.ec.common.EllipticCurve;
+import iaik.security.ec.math.field.Field;
+import iaik.security.ec.math.field.FieldElement;
+import iaik.security.ec.math.field.PrimeField;
+
 public class ECDSAKeyValueConverter
 { 
     
@@ -94,15 +70,13 @@ public class ECDSAKeyValueConverter
     if (domainParams == null) throw new Exception("Domain parameters must not be implicit.");
 
     Element namedCurve = getChildElement(domainParams, ecdsaNS, "NamedCurve", 1);
-    ECCParameterSpec eccParameterSpec;
+    ECParameterSpec eccParameterSpec;
 
     if (namedCurve != null)
     {
       // URL curveNameURN = new URL(namedCurve.getAttributeNS(null, "URN"));
       String curveNameOID = namedCurve.getAttributeNS(null, "URN").substring(8);
-      ECCParameterFactory eccParamFactory = ECCParameterFactory.getInstance();
-      // eccParameterSpec = eccParamFactory.getParameterByOID(curveNameURN.getPath().substring(4));
-      eccParameterSpec = eccParamFactory.getParameterByOID(curveNameOID);
+      eccParameterSpec = ECStandardizedParameterFactory.getParametersByOID(curveNameOID);
     }
     else
     {
@@ -167,14 +141,21 @@ public class ECDSAKeyValueConverter
       String cofactorStr = getChildElementText(basePointParams, ecdsaNS, "Cofactor", 1);
       BigInteger cofactor = (cofactorStr != null) ? new BigInteger(cofactorStr, 10) : null;
 
+      BigInteger a = new BigInteger(aStr, 10);
+      BigInteger b = new BigInteger(bStr, 10);
+      BigInteger basePointX = new BigInteger(basePointXStr, 10);
+      BigInteger basePointY = new BigInteger(basePointYStr, 10);
+      
       if (fieldParamsType == FIELD_TYPE_PRIME)
-      {
-        BigInteger a = new BigInteger(aStr, 10);
-        BigInteger b = new BigInteger(bStr, 10);
-        BigInteger basePointX = new BigInteger(basePointXStr, 10);
-        BigInteger basePointY = new BigInteger(basePointYStr, 10);
-        eccParameterSpec = new ECCParameterSpec(p, cofactor, order, seed, null, a, b, basePointX,
-          basePointY, null);
+      {        
+        ECField javaECField = new ECFieldFp(p);
+		java.security.spec.EllipticCurve curve = 
+        		new java.security.spec.EllipticCurve(javaECField, a, b, seed.toByteArray());
+		java.security.spec.ECPoint javaECbasePoint = 
+				new java.security.spec.ECPoint(basePointX, basePointY);		
+		java.security.spec.ECParameterSpec javaECSpec = 
+        		new java.security.spec.ECParameterSpec(curve, javaECbasePoint, order, cofactor.intValue());        
+        eccParameterSpec = ECParameterSpec.getParameterSpec(javaECSpec);
       }
       else
       {
@@ -193,9 +174,19 @@ public class ECDSAKeyValueConverter
           irreducible[k1/32] += 1 << k1 % 32;
           irreducible[0] += 1;
         }
-        eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr),
-          octetString2IntArray(bStr), octetString2IntArray(basePointXStr),
-          octetString2IntArray(basePointYStr), null);
+        
+        ECField javaECField = new ECFieldF2m(m, irreducible);
+		java.security.spec.EllipticCurve curve = 
+        		new java.security.spec.EllipticCurve(javaECField, a, b, seed.toByteArray());
+		java.security.spec.ECPoint javaECbasePoint = 
+				new java.security.spec.ECPoint(basePointX, basePointY);		
+		java.security.spec.ECParameterSpec javaECSpec = 
+        		new java.security.spec.ECParameterSpec(curve, javaECbasePoint, order, cofactor.intValue());        
+        eccParameterSpec = ECParameterSpec.getParameterSpec(javaECSpec);
+                
+//        eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr),
+//          octetString2IntArray(bStr), octetString2IntArray(basePointXStr),
+//          octetString2IntArray(basePointYStr), null);
       }
     }
 
@@ -206,10 +197,14 @@ public class ECDSAKeyValueConverter
     Element publicKeyYElem = getChildElement(publicKeyElem, ecdsaNS, "Y", 1);
     String publicKeyYStr = publicKeyYElem.getAttributeNS(null, "Value");
 
-    ECDSAParameter ecdsaParams = new ECDSAParameter(eccParameterSpec, CoordinateTypes.PROJECTIVE_COORDINATES);
-    ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance();
-    EllipticCurve eCurve = ecGroupFactory.getCurve(eccParameterSpec.getA(),
-        eccParameterSpec.getB(), eccParameterSpec.getR(), CoordinateTypes.PROJECTIVE_COORDINATES);
+    //ECParameterSpec ecdsaParams = new ECParameterSpec(eccParameterSpec, CoordinateTypes.PROJECTIVE_COORDINATES);
+    //ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance();
+        
+    EllipticCurve eCurve = eccParameterSpec.getCurve();
+    
+//    EllipticCurve eCurve = ecGroupFactory.getCurve(eccParameterSpec.getA(),
+//        eccParameterSpec.getB(), eccParameterSpec.getR(), CoordinateTypes.PROJECTIVE_COORDINATES);    
+    
     Field field = eCurve.getField();
 
     // Detect type of public key field elements
@@ -239,10 +234,19 @@ public class ECDSAKeyValueConverter
     }
 //    ProjectiveCoordinate publicKeyPointCoordinate = new ProjectiveCoordinate(publicKeyPointX,
 //      publicKeyPointY, field.getONEelement());
-    Coordinate publicKeyPointCoordinate = new AffineCoordinate(publicKeyPointX,
-        publicKeyPointY).toProjective();
-    ECPoint publicKeyPoint = eCurve.newPoint(publicKeyPointCoordinate);
-    ECPublicKey publicKey = new ECPublicKey(ecdsaParams, publicKeyPoint);
+//    Coordinate publicKeyPointCoordinate = new AffineCoordinate(publicKeyPointX,
+//        publicKeyPointY).toProjective();
+    
+    ECPoint publicKeyPointECPoint =  new ECPoint(publicKeyPointX.toBigInteger(),
+    		publicKeyPointY.toBigInteger());
+    
+    if (!eCurve.containsPoint(publicKeyPointECPoint)) {
+    	Logger.error("IDL ECC parameter extraction FAILED! Public-Key ECPoint is not on the curve!");
+    	throw new Exception("IDL ECC parameter extraction FAILED! Public-Key ECPoint is not on the curve!");
+    	
+    }
+    	
+    ECPublicKey publicKey = new ECPublicKey(eccParameterSpec, publicKeyPointECPoint);
 
     return publicKey;
   }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index af3424881..d3fba8854 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -46,9 +46,6 @@
 
 package at.gv.egovernment.moa.id.util;
 
-import iaik.pki.PKIException;
-import iaik.security.provider.IAIK;
-
 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -71,6 +68,8 @@ import at.gv.egovernment.moa.id.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
 import at.gv.egovernment.moa.id.config.ConnectionParameterInterface;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import iaik.pki.PKIException;
+import iaik.security.provider.IAIK;
 
 
 /**
@@ -126,8 +125,7 @@ public class SSLUtils {
    	   //INFO: MOA-ID 2.x always use defaultChainingMode 
 	    
 	    try {	    
-	    	SSLSocketFactory ssf =  
-	    			at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+	    	SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
 	    					connParam.getUrl(), 
 	    					conf.getCertstoreDirectory(), 
 	    					trustStoreURL,