aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-09-08 14:37:54 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-09-08 14:37:54 +0200
commit698a0066e84dee07f0f8de8aa408d9744f755660 (patch)
tree17085c61b97cef37b7d2443513622c1d02553710 /id/server/idserverlib
parentb754f06150f8a8b6235bc3a138ab403175036171 (diff)
parenta512ce06caa134ea978ca54a87a8b78d5c10bf1c (diff)
downloadmoa-id-spss-698a0066e84dee07f0f8de8aa408d9744f755660.tar.gz
moa-id-spss-698a0066e84dee07f0f8de8aa408d9744f755660.tar.bz2
moa-id-spss-698a0066e84dee07f0f8de8aa408d9744f755660.zip
Merge tag 'MOA-ID-3.2.3' into development_previewMOA-ID-3.2.3
JoinUp Release # Conflicts: # pom.xml
Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java41
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/IAttributeGenerator.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java145
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java125
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java4
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties2
13 files changed, 294 insertions, 94 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index 6f700d1cb..55b1a7c9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -69,6 +69,7 @@ public class StatisticLogger implements IStatisticLogger{
private static final String GENERIC_LOCALBKU = ":3496/https-security-layer-request";
private static final String GENERIC_HANDYBKU = "https://www.handy-signatur.at/";
+ private static final String GENERIC_ONLINE_BKU = "bkuonline";
private static final String MANTATORTYPE_JUR = "jur";
private static final String MANTATORTYPE_NAT = "nat";
@@ -289,7 +290,11 @@ public class StatisticLogger implements IStatisticLogger{
if (moasession != null) {
if (MiscUtil.isNotEmpty(moasession.getBkuURL())) {
dblog.setBkuurl(moasession.getBkuURL());
- dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA));
+ if (moasession.isForeigner()) {
+ dblog.setBkutype(IOAAuthParameters.EIDAS);
+
+ } else
+ dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA));
}
dblog.setMandatelogin(moasession.isMandateUsed());
@@ -418,8 +423,13 @@ public class StatisticLogger implements IStatisticLogger{
return IOAAuthParameters.HANDYBKU;
}
- Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
- return IOAAuthParameters.ONLINEBKU;
+ if (bkuURL.contains(GENERIC_ONLINE_BKU)) {
+ Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
+ return IOAAuthParameters.ONLINEBKU;
+ }
+
+ Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS);
+ return IOAAuthParameters.AUTHTYPE_OTHERS;
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java
new file mode 100644
index 000000000..d918be463
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth;
+
+
+/**
+ *
+ * @author tlenz
+ *
+ * Interface initialize a Object when the MOA-ID-Auth start-up process is fully completed
+ *
+ */
+public interface IPostStartupInitializable {
+
+ /**
+ * This method is called once when MOA-ID-Auth start-up process is fully completed
+ *
+ */
+ public void executeAfterStartup();
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 5769d99df..3d45e2468 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -44,6 +44,7 @@ import at.gv.egovernment.moa.spss.api.Configurator;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.LoggingContext;
import at.gv.egovernment.moaspss.logging.LoggingContextManager;
+import iaik.asn1.structures.AlgorithmID;
import iaik.pki.PKIException;
import iaik.security.ec.provider.ECCelerate;
import iaik.security.provider.IAIK;
@@ -126,7 +127,7 @@ public class MOAIDAuthInitializer {
Random.seedRandom();
Logger.debug("Random-number generator is seeded.");
- // Initialize configuration provider
+ // Initialize configuration provider for non-spring managed parts
AuthConfiguration authConf = AuthConfigurationProviderFactory.reload(rootContext);
//test, if MOA-ID is already configured
@@ -160,6 +161,8 @@ public class MOAIDAuthInitializer {
Security.addProvider(new ECCelerate());
+ fixJava8_141ProblemWithSSLAlgorithms();
+
if (Logger.isDebugEnabled()) {
Logger.debug("Loaded Security Provider:");
Provider[] providerList = Security.getProviders();
@@ -167,5 +170,24 @@ public class MOAIDAuthInitializer {
Logger.debug(i + ": " + providerList[i].getName() + " Version " + providerList[i].getVersion());
}
+
}
+
+ private static void fixJava8_141ProblemWithSSLAlgorithms() {
+ Logger.info("Change AlgorithmIDs to fix problems with Java8 >= 141 ...");
+ //new AlgorithmID("1.2.840.113549.1.1.4", "md5WithRSAEncryption", new String[] { "MD5withRSA", "MD5/RSA", }, null, true);
+ new AlgorithmID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption",
+ new String[] { "SHA1withRSA" , "SHA1/RSA", "SHA-1/RSA", "SHA/RSA", }, null, true);
+ new AlgorithmID("1.2.840.113549.1.1.14", "sha224WithRSAEncryption",
+ new String[] { "SHA224withRSA", "SHA224/RSA", "SHA-224/RSA", }, null, true);
+ new AlgorithmID("1.2.840.113549.1.1.11", "sha256WithRSAEncryption",
+ new String[] { "SHA256withRSA", "SHA256/RSA", "SHA-256/RSA", }, null, true);
+ new AlgorithmID("1.2.840.113549.1.1.12", "sha384WithRSAEncryption",
+ new String[] { "SHA384withRSA", "SHA384/RSA", "SHA-384/RSA", }, null, true);
+ new AlgorithmID("1.2.840.113549.1.1.13", "sha512WithRSAEncryption",
+ new String[] { "SHA512withRSA", "SHA512/RSA", "SHA-512/RSA" }, null, true);
+
+ Logger.info("Change AlgorithmIDs finished");
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 7e0f48744..35d052acd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -235,6 +235,11 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
return properties.getProperty(key, defaultValue);
}
+
+ public Map<String, String> getBasicMOAIDConfigurationWithPrefix(final String prefix) {
+ return KeyValueUtils.getSubSetWithPrefix(KeyValueUtils.concertPropertiesToMap(properties), prefix);
+
+ }
/* (non-Javadoc)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index f718777b0..ab0a1ec40 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -366,6 +366,10 @@ public class AuthenticationManager extends MOAIDAuthConstants {
//create authentication process execution context
ExecutionContext executionContext = new ExecutionContextImpl();
+
+ //set oaIdentifeir
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER,
+ pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
//set interfederation authentication flag
executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/IAttributeGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/IAttributeGenerator.java
index 0d51818f8..ecd67db64 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/IAttributeGenerator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/IAttributeGenerator.java
@@ -23,6 +23,13 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
public interface IAttributeGenerator<ATT> {
+ /**
+ *
+ * @param friendlyName FriendlyName
+ * @param name Name
+ * @param value value
+ * @return
+ */
public abstract ATT buildStringAttribute(final String friendlyName, final String name, final String value);
public abstract ATT buildIntegerAttribute(final String friendlyName, final String name, final int value);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
index e2f8664d8..e2ac50e5e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
@@ -71,6 +71,7 @@ import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
@@ -153,8 +154,7 @@ public class PVPMetadataBuilder {
Credential metadataSignCred = config.getMetadataSigningCredentials();
Signature signature = AbstractCredentialProvider.getIDPSignature(metadataSignCred);
SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null);
-
-
+
//initialize XML document builder
DocumentBuilder builder;
DocumentBuilderFactory factory = DocumentBuilderFactory
@@ -173,8 +173,11 @@ public class PVPMetadataBuilder {
entitiesDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil()));
entitiesDescriptor.getEntityDescriptors().add(entityDescriptor);
+ //load default PVP security configurations
+ MOADefaultBootstrap.initializeDefaultPVPConfiguration();
entitiesDescriptor.setSignature(signature);
+
//marshall document
Marshaller out = Configuration.getMarshallerFactory()
.getMarshaller(entitiesDescriptor);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index b2597c3cb..5380d7f53 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -38,6 +38,7 @@ import javax.xml.namespace.QName;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.BaseMetadataProvider;
import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
@@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.parse.BasicParserPool;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.IDestroyableObject;
@@ -52,7 +54,6 @@ import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
@@ -154,7 +155,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
//reload metadata provider
IOAAuthParameters oaParam =
- AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
+ authConfig.getOnlineApplicationParameter(entityID);
if (oaParam != null) {
String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
if (MiscUtil.isNotEmpty(metadataURL)) {
@@ -178,10 +179,11 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
timer = new Timer(true);
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
- HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL,
+ MetadataProvider newMetadataProvider = createNewMoaMetadataProvider(metadataURL,
buildMetadataFilterChain(oaParam, metadataURL, cert),
oaFriendlyName,
- timer);
+ timer,
+ new BasicParserPool());
chainProvider.addMetadataProvider(newMetadataProvider);
@@ -203,9 +205,6 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
Logger.debug("Can not refresh PVP2X metadata: NO onlineApplication with Id: " + entityID);
- } catch (ConfigurationException e) {
- Logger.warn("Access MOA-ID configuration FAILED.", e);
-
} catch (MetadataProviderException e) {
Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ entityID + " FAILED.", e);
@@ -268,7 +267,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
//load all PVP2 OAs form ConfigurationDatabase and
//compare actually loaded Providers with configured PVP2 OAs
- Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard(
+ Map<String, String> allOAs = authConfig.getConfigurationWithWildCard(
MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES
+ ".%."
+ MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
@@ -279,7 +278,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
Entry<String, String> oaKeyPair = oaInterator.next();
IOAAuthParameters oaParam =
- AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue());
+ authConfig.getOnlineApplicationParameter(oaKeyPair.getValue());
if (oaParam != null) {
String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
@@ -409,83 +408,79 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
ChainingMetadataProvider chainProvider = new ChainingMetadataProvider();
Logger.info("Loading metadata");
Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>();
- try {
- Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard(
- MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES
- + ".%."
- + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
-
- if (allOAs != null) {
- Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator();
- while (oaInterator.hasNext()) {
- Entry<String, String> oaKeyPair = oaInterator.next();
-
- IOAAuthParameters oaParam =
- AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue());
- if (oaParam != null) {
- String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
- String oaFriendlyName = oaParam.getFriendlyName();
- HTTPMetadataProvider httpProvider = null;
+ Map<String, String> allOAs = authConfig.getConfigurationWithWildCard(
+ MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES
+ + ".%."
+ + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
+
+ if (allOAs != null) {
+ Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator();
+ while (oaInterator.hasNext()) {
+ Entry<String, String> oaKeyPair = oaInterator.next();
- try {
- String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
- if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) {
- byte[] cert = Base64Utils.decode(certBase64, false);
-
-
- if (timer == null)
- timer = new Timer(true);
-
- Logger.info("Loading metadata for: " + oaFriendlyName);
- if (!providersinuse.containsKey(metadataurl)) {
- httpProvider = createNewHTTPMetaDataProvider(
- metadataurl,
- buildMetadataFilterChain(oaParam, metadataurl, cert),
- oaFriendlyName,
- timer);
-
- if (httpProvider != null)
- providersinuse.put(metadataurl, httpProvider);
+ IOAAuthParameters oaParam =
+ authConfig.getOnlineApplicationParameter(oaKeyPair.getValue());
+ if (oaParam != null) {
+ String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
+ String oaFriendlyName = oaParam.getFriendlyName();
+ MetadataProvider httpProvider = null;
+
+ try {
+ String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) {
+ byte[] cert = Base64Utils.decode(certBase64, false);
- } else {
- Logger.info(metadataurl + " are already added.");
- }
+
+ if (timer == null)
+ timer = new Timer(true);
+
+ Logger.info("Loading metadata for: " + oaFriendlyName);
+ if (!providersinuse.containsKey(metadataurl)) {
+ httpProvider = createNewMoaMetadataProvider(
+ metadataurl,
+ buildMetadataFilterChain(oaParam, metadataurl, cert),
+ oaFriendlyName,
+ timer,
+ new BasicParserPool());
+
+ if (httpProvider != null)
+ providersinuse.put(metadataurl, httpProvider);
} else {
- Logger.info(oaFriendlyName
- + " is not a PVP2 Application skipping");
+ Logger.info(metadataurl + " are already added.");
}
- } catch (Throwable e) {
- Logger.error(
- "Failed to add Metadata (unhandled reason: "
- + e.getMessage(), e);
- if (httpProvider != null) {
- Logger.debug("Destroy failed Metadata provider");
- httpProvider.destroy();
- }
- }
- }
- }
+ } else {
+ Logger.info(oaFriendlyName
+ + " is not a PVP2 Application skipping");
+ }
+ } catch (Throwable e) {
+ Logger.error(
+ "Failed to add Metadata (unhandled reason: "
+ + e.getMessage(), e);
- } else
- Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
-
- try {
- chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
-
- } catch (MetadataProviderException e) {
- Logger.error(
- "Failed to add Metadata (unhandled reason: "
- + e.getMessage(), e);
+ if (httpProvider != null && httpProvider instanceof BaseMetadataProvider) {
+ Logger.debug("Destroy failed Metadata provider");
+ ((BaseMetadataProvider)httpProvider).destroy();
+
+ }
+ }
+ }
}
- internalProvider = chainProvider;
-
- } catch (ConfigurationException e) {
- Logger.error("Access MOA-ID configuration FAILED.", e);
+ } else
+ Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
+
+ try {
+ chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
+ } catch (MetadataProviderException e) {
+ Logger.error(
+ "Failed to add Metadata (unhandled reason: "
+ + e.getMessage(), e);
}
+
+ internalProvider = chainProvider;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
index d5c7d9100..6c2235654 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
@@ -22,24 +22,28 @@
*/
package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
+import java.io.File;
import java.util.Timer;
import javax.net.ssl.SSLHandshakeException;
import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.parse.ParserPool;
+import org.springframework.beans.factory.annotation.Autowired;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
/**
* @author tlenz
@@ -47,6 +51,104 @@ import at.gv.egovernment.moa.logging.Logger;
*/
public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
+ private static final String URI_PREFIX_HTTP = "http:";
+ private static final String URI_PREFIX_HTTPS = "https:";
+ private static final String URI_PREFIX_FILE = "file:";
+
+
+ @Autowired
+ protected AuthConfiguration authConfig;
+
+ /**
+ * Create a single SAML2 MOA specific metadata provider
+ *
+ * @param metadataLocation where the metadata should be loaded, but never null. If the location starts with http(s):, than a http
+ * based metadata provider is used. If the location starts with file:, than a filesystem based metadata provider is used
+ * @param filter Filters, which should be used to validate the metadata
+ * @param IdForLogging Id, which is used for Logging
+ * @param timer {@link Timer} which is used to schedule metadata refresh operations
+ *
+ * @return SAML2 Metadata Provider, or null if the metadata provider can not initialized
+ */
+ protected MetadataProvider createNewMoaMetadataProvider(String metadataLocation, MetadataFilter filter,
+ String IdForLogging, Timer timer, ParserPool pool) {
+ if (metadataLocation.startsWith(URI_PREFIX_HTTP) || metadataLocation.startsWith(URI_PREFIX_HTTPS))
+ return createNewHTTPMetaDataProvider(metadataLocation, filter, IdForLogging, timer, pool);
+
+ else {
+ String absoluteMetadataLocation = FileUtils.makeAbsoluteURL(
+ metadataLocation,
+ authConfig.getRootConfigFileDir());
+
+ if (absoluteMetadataLocation.startsWith(URI_PREFIX_FILE)) {
+ File metadataFile = new File(absoluteMetadataLocation);
+ if (metadataFile.exists())
+ return createNewFileSystemMetaDataProvider(metadataFile, filter, IdForLogging, timer, pool);
+
+ else {
+ Logger.warn("SAML2 metadata file: " + absoluteMetadataLocation + " not found or not exist");
+ return null;
+ }
+
+ }
+ }
+
+ Logger.warn("SAML2 metadata has an unsupported metadata location prefix: " + metadataLocation);
+ return null;
+
+ }
+
+
+ /**
+ * Create a single SAML2 filesystem based metadata provider
+ *
+ * @param metadataFile File, where the metadata should be loaded
+ * @param filter Filters, which should be used to validate the metadata
+ * @param IdForLogging Id, which is used for Logging
+ * @param timer {@link Timer} which is used to schedule metadata refresh operations
+ * @param pool
+ *
+ * @return SAML2 Metadata Provider
+ */
+ private MetadataProvider createNewFileSystemMetaDataProvider(File metadataFile, MetadataFilter filter, String IdForLogging, Timer timer, ParserPool pool) {
+ FilesystemMetadataProvider fileSystemProvider = null;
+ try {
+ fileSystemProvider = new FilesystemMetadataProvider(timer, metadataFile);
+ fileSystemProvider.setParserPool(pool);
+ fileSystemProvider.setRequireValidMetadata(true);
+ fileSystemProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+ fileSystemProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+ //httpProvider.setRefreshDelayFactor(0.1F);
+
+ fileSystemProvider.setMetadataFilter(filter);
+ fileSystemProvider.initialize();
+
+ fileSystemProvider.setRequireValidMetadata(true);
+
+ return fileSystemProvider;
+
+ } catch (Exception e) {
+ Logger.warn(
+ "Failed to load Metadata file for "
+ + IdForLogging + "[ "
+ + "File: " + metadataFile.getAbsolutePath()
+ + " Msg: " + e.getMessage() + " ]", e);
+
+
+ Logger.warn("Can not initialize SAML2 metadata provider from filesystem: " + metadataFile.getAbsolutePath()
+ + " Reason: " + e.getMessage(), e);
+
+ if (fileSystemProvider != null)
+ fileSystemProvider.destroy();
+
+ }
+
+ return null;
+
+ }
+
+
+
/**
* Create a single SAML2 HTTP metadata provider
*
@@ -54,27 +156,32 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
* @param filter Filters, which should be used to validate the metadata
* @param IdForLogging Id, which is used for Logging
* @param timer {@link Timer} which is used to schedule metadata refresh operations
+ * @param pool
*
* @return SAML2 Metadata Provider
*/
- protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer) {
+ private MetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer, ParserPool pool) {
HTTPMetadataProvider httpProvider = null;
//Timer timer= null;
MOAHttpClient httpClient = null;
try {
httpClient = new MOAHttpClient();
+ HttpClientParams httpClientParams = new HttpClientParams();
+ httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+ httpClient.setParams(httpClientParams);
+
if (metadataURL.startsWith("https:")) {
try {
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
PVPConstants.SSLSOCKETFACTORYNAME,
- AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
+ authConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
- AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
- AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
- AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean(
+ authConfig.isTrustmanagerrevoationchecking(),
+ authConfig.getRevocationMethodOrder(),
+ authConfig.getBasicMOAIDConfigurationBoolean(
AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
@@ -88,7 +195,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
// timer = new Timer(true);
httpProvider = new HTTPMetadataProvider(timer, httpClient,
metadataURL);
- httpProvider.setParserPool(new BasicParserPool());
+ httpProvider.setParserPool(pool);
httpProvider.setRequireValidMetadata(true);
httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
@@ -115,7 +222,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
+ metadataURL + " FAILED.", e);
}
- Logger.error(
+ Logger.warn(
"Failed to load Metadata file for "
+ IdForLogging + "[ "
+ e.getMessage() + " ]", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
index df4866c30..af9ba0180 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
@@ -200,7 +200,7 @@ public abstract class AbstractCredentialProvider {
signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
} else if (privatekey instanceof ECPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
+ signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
} else {
Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential.");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 2ded32bac..d05d180e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -55,6 +55,12 @@ public class EntityVerifier {
try {
IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
+ if (oa == null) {
+ Logger.debug("No OnlineApplication with EntityID: " + entityID);
+ return null;
+
+ }
+
String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
if (MiscUtil.isNotEmpty(certBase64)) {
return Base64Utils.decode(certBase64, false);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
index f37ae0b0b..d30ce4924 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
@@ -44,9 +44,9 @@ import iaik.security.ec.common.ECParameterSpec;
import iaik.security.ec.common.ECPublicKey;
import iaik.security.ec.common.ECStandardizedParameterFactory;
import iaik.security.ec.common.EllipticCurve;
+import iaik.security.ec.math.field.AbstractPrimeField;
import iaik.security.ec.math.field.Field;
import iaik.security.ec.math.field.FieldElement;
-import iaik.security.ec.math.field.PrimeField;
public class ECDSAKeyValueConverter
{
@@ -221,7 +221,7 @@ public class ECDSAKeyValueConverter
// Value xValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyXStr, 10));
// publicKeyPointX = field.newElement(xValue);
- PrimeField pf = (PrimeField) field;
+ AbstractPrimeField pf = (AbstractPrimeField) field;
publicKeyPointX = pf.newElement(new BigInteger(publicKeyXStr, 10));
// Value yValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyYStr, 10));
// publicKeyPointY = field.newElement(yValue);
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 1a2f0d1d3..50b2c5ece 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -53,7 +53,7 @@ auth.32=Federated authentication FAILED. No configuration for IDP {0}
auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages.
auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
-init.00=MOA ID Authentisierung wurde erfolgreich gestartet
+init.00=MOA-ID-Auth wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
init.02=Fehler beim Starten des Service MOA-ID-Auth
init.04=Fehler beim Datenbankzugriff mit der SessionID {0}