| author | Bojan Suzic <bojan.suzic@iaik.tugraz.at> | 2014-02-13 12:06:41 +0100 | 
|---|---|---|
| committer | Bojan Suzic <bojan.suzic@iaik.tugraz.at> | 2014-02-13 12:06:41 +0100 | 
| commit | 4b3324b88ed5246bb27de86f19f6de49c98f0615 (patch) | |
| tree | b17cbecffdd33208537aaace8430b1bcff2083e0 /id/server/idserverlib | |
| parent | b6076468ae4c2fda384d051adece37a351faae31 (diff) | |
| parent | 713ca50cbcb276254689088ea558401af018ffcd (diff) | |
Merge branch 'moa2_0_tlenz' of gitlab.iaik.tugraz.at:afitzek/moa-idspss into moa2_0_tlenz_bs_2
Diffstat (limited to 'id/server/idserverlib')
20 files changed, 409 insertions, 80 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 3d38efa9f..003fdfbe9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -265,10 +265,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {  			if (domainIdentifier.startsWith(PREFIX_WPBK)) { -				isbuisness = false; +				isbuisness = true;  			} else { -				isbuisness = true; +				isbuisness = false;  			} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index 70aa1a160..2e08fad6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -167,8 +167,10 @@ public class GetIdentityLinkFormBuilder extends Builder {      htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL);      htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL); +    Map<String, String> map = null; +          if (oaParam != null) { -    	Map<String, String> map = oaParam.getFormCustomizaten(); +    	map = oaParam.getFormCustomizaten();      	htmlForm = replaceTag(htmlForm, COLOR_TAG, map.get(FormBuildUtils.MAIN_BACKGROUNDCOLOR), false, ALL);      	htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, map.get(FormBuildUtils.REDIRECTTARGET), false, ALL); 
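Review bot: The swapped assignments around `startsWith(PREFIX_WPBK)` flip which domain identifiers are classified as business-sector, and nothing in the hunk says which direction is the intended one, so the next reader can flip it back just as easily. Add a why-comment on the condition, e.g. `// a wbPK-prefixed domain identifier marks a private-sector (business) application; anything else is treated as public sector` (assuming PREFIX_WPBK denotes a wbPK — confirm before committing the wording), and a unit test that pins both branches. The enclosing method starts and ends outside the hunk, so I cannot see where `isbuisness` is consumed.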
@@ -179,11 +181,15 @@ public class GetIdentityLinkFormBuilder extends Builder {      if (MiscUtil.isNotEmpty(appletheigth))      	htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, appletheigth, false, ALL); +    else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_HEIGHT))) +    	htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, map.get(FormBuildUtils.APPLET_HEIGHT), false, ALL);      else      	htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, "160", false, ALL);      if (MiscUtil.isNotEmpty(appletwidth))      	htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, appletwidth, false, ALL); +    else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_WIDTH))) +    	htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, map.get(FormBuildUtils.APPLET_WIDTH), false, ALL);      else      	htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, "250", false, ALL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index 90ad3cf42..ff3b7b170 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -22,6 +22,7 @@   ******************************************************************************/  package at.gv.egovernment.moa.id.auth.builder; +import java.io.ByteArrayInputStream;  import java.io.File;  import java.io.FileInputStream;  import java.io.FileNotFoundException; @@ -58,7 +59,7 @@ public class LoginFormBuilder {  	private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate"; -	public static String getTemplate() { +	private static String getTemplate() {  		String pathLocation ="";  		InputStream input = null; 
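Review bot: The applet height and width read from `map.get(FormBuildUtils.APPLET_HEIGHT)` / `APPLET_WIDTH` are substituted with the same `replaceTag(..., false, ALL)` call as the hard-coded `"160"` / `"250"` defaults, i.e. apparently without the `encodeParameter` treatment the earlier `CERTINFO_XMLREQUEST_TAG` line gets, so whatever is stored in the OA configuration lands verbatim in the page. The defaults show that the expected format is a plain integer, so validate before substituting, e.g. `String h = map.get(FormBuildUtils.APPLET_HEIGHT); if (h != null && h.matches("\\d{1,4}")) htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, h, false, ALL);` and fall through to the default otherwise. The same applies to the width branch.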
@@ -118,8 +119,21 @@ public class LoginFormBuilder {  	}  	public static String buildLoginForm(String modul, String action, OAAuthParameter oaParam, String contextpath, String moaSessionID) { -		String value = getTemplate(); +		String value = null; +		 +		byte[] oatemplate = oaParam.getBKUSelectionTemplate(); +		// OA specific template requires a size of 8 bits minimum +		if (oatemplate != null && oatemplate.length > 7) { +			InputStream is = new ByteArrayInputStream(oatemplate); +			value = getTemplate(is); +			 +		} else { +			//load default BKU-selection template +			value = getTemplate(); +			 +		} +			  		if(value != null) {  			if(modul == null) {  				modul = SAML1Protocol.PATH; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java index f65a3c011..24b848176 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java @@ -22,6 +22,7 @@   ******************************************************************************/  package at.gv.egovernment.moa.id.auth.builder; +import java.io.ByteArrayInputStream;  import java.io.File;  import java.io.FileInputStream;  import java.io.FileNotFoundException; 
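Review bot: `oaParam.getBKUSelectionTemplate()` is called before any null check, whereas GetIdentityLinkFormBuilder guards `oaParam != null` before reading its customization map; if buildLoginForm can be reached without an OA parameter this is now a NullPointerException instead of a fallback to the default template. Guard it: `byte[] oatemplate = oaParam != null ? oaParam.getBKUSelectionTemplate() : null;`. The comment `// OA specific template requires a size of 8 bits minimum` is also wrong — `length > 7` is a check on bytes — so write `// ignore missing or absurdly short OA templates (fewer than 8 bytes) and use the default`. Note that an OA-specific template from configuration is rendered as the IdP's own login page, so whoever can edit OA templates can place arbitrary HTML in a page served from the IdP origin; if that trust level is intended, say so in a comment here.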
@@ -58,32 +59,50 @@ public class SendAssertionFormBuilder {  	private static String SERVLET = CONTEXTPATH+"/SSOSendAssertionServlet";  	private static String getTemplate() { - -			String template = null; -			InputStream input = null; -			try {				 -				String pathLocation; -					 -				String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir();	 -				pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; +		String pathLocation; +		InputStream input = null; +		try { +			String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir();	 +			pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; +		 +			try { +				File file = new File(new URI(pathLocation)); +				input = new  FileInputStream(file); +			 +			} catch (FileNotFoundException e)  { -				try { -					File file = new File(new URI(pathLocation)); -					input = new  FileInputStream(file); -					 -				} catch (FileNotFoundException e)  { -					 -					Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); -					 -					pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; -					 -					input = Thread.currentThread() -							.getContextClassLoader() -							.getResourceAsStream(pathLocation); -					 -				} +				Logger.warn("No LoginFormTempaltes found. 
Use Generic Templates from package."); +			 +				pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; +			 +				input = Thread.currentThread() +						.getContextClassLoader() +						.getResourceAsStream(pathLocation); +			 +			} +			 +			return getTemplate(input); +			 +		} catch (Exception e) { +			try { +				input.close(); +			} catch (IOException e1) { +				Logger.warn("SendAssertionTemplate inputstream can not be closed.", e); +			} +			 +			return null; +		} +		 +	} +	 +	private static String getTemplate(InputStream input) { + +			String template = null; +			 +			try {				 +	  				StringWriter writer = new StringWriter();  				IOUtils.copy(input, writer);  				template = writer.toString(); @@ -105,7 +124,19 @@ public class SendAssertionFormBuilder {  	}  	public static String buildForm(String modul, String action, String id, OAAuthParameter oaParam, String contextpath) { -		String value = getTemplate(); +		String value = null; +		 +		byte[] oatemplate = oaParam.getSendAssertionTemplate(); +		// OA specific template requires a size of 8 bits minimum +		if (oatemplate != null && oatemplate.length > 7) { +			InputStream is = new ByteArrayInputStream(oatemplate); +			value = getTemplate(is); +			 +		} else { +			//load default BKU-selection template +			value = getTemplate(); +			 +		}  		if(value != null) {  			if(modul == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index c66e19eb0..d2d458e74 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java 
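Review bot: The `catch (Exception e)` in the new `getTemplate()` calls `input.close()` although `input` is still null when `AuthConfigurationProvider.getInstance()` or the `URI` construction threw, which turns a configuration error into a NullPointerException thrown from the catch block; and the inner `Logger.warn(..., e)` logs the outer exception instead of the close failure `e1`. Change it to `if (input != null) { input.close(); }`, log `e1` there, and log the original `e` as well, since it is otherwise swallowed into a `return null`. `getResourceAsStream` can also return null when the packaged template is missing, which then reaches `getTemplate(input)` unchecked. The visible `IOUtils.copy(input, writer)` in the new overload decodes with the platform default charset, which now also applies to the DB-stored templates — `IOUtils.copy(input, writer, "UTF-8")` would make that explicit; the rest of `getTemplate(InputStream)` is outside the hunk, so I cannot see whether the stream is closed on the success path.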
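Review bot: `oaParam.getSendAssertionTemplate()` dereferences `oaParam` without a null check, so a missing OA parameter fails with a NullPointerException instead of falling back to the default template; use `byte[] oatemplate = oaParam != null ? oaParam.getSendAssertionTemplate() : null;`. Both comments were copied from LoginFormBuilder: `// OA specific template requires a size of 8 bits minimum` describes a byte-length check, and `//load default BKU-selection template` is wrong here because this is the send-assertion template. Suggest `// ignore OA templates shorter than 8 bytes` and `// load the default send-assertion template`.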
@@ -82,9 +82,12 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {  	    	AuthenticationSession moasession = null; -	    	try { -	    	    //moasessionid = (String) req.getSession().getAttribute(AuthenticationManager.MOA_SESSION); -	    		 +	    	if (MiscUtil.isEmpty(bkuid) || MiscUtil.isEmpty(moasessionid)) { +	    		Logger.warn("MOASessionID or BKU-type is empty. Maybe an old BKU-selection template is in use."); +	    		throw new MOAIDException("auth.23", new Object[] {}); +	    	} +	    	 +	    	try {	    		  	    	    pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moasessionid);  	    	    moasession = AuthenticationSessionStoreage.getSession(moasessionid); @@ -112,7 +115,7 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {  				//load Parameters from config  		    	String target = oaParam.getTarget(); -		    			    	 +		    	  		    	String bkuURL = oaParam.getBKUURL(bkuid);  		    	if (MiscUtil.isEmpty(bkuURL)) {  		    		Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 304b63de0..c0f47d781 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -110,6 +110,7 @@ import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed;  import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig;  import at.gv.egovernment.moa.id.config.stork.STORKConfig;  import at.gv.egovernment.moa.id.data.IssuerAndSerial; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; 
@@ -365,7 +366,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider {  		//Initialize OpenSAML for STORK  		Logger.info("Starting initialization of OpenSAML..."); -		DefaultBootstrap.bootstrap(); +		MOADefaultBootstrap.bootstrap(); +		//DefaultBootstrap.bootstrap();  		Logger.debug("OpenSAML successfully initialized"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 7a38e2afd..8e7ca0779 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -320,6 +320,12 @@ public Map<String, String> getFormCustomizaten() {  			if (MiscUtil.isNotEmpty(bkuselection.getAppletRedirectTarget()))  				map.put(FormBuildUtils.REDIRECTTARGET, bkuselection.getAppletRedirectTarget()); +			if (MiscUtil.isNotEmpty(bkuselection.getAppletHeight())) +				map.put(FormBuildUtils.APPLET_HEIGHT, bkuselection.getAppletHeight()); +			 +			if (MiscUtil.isNotEmpty(bkuselection.getAppletWidth())) +				map.put(FormBuildUtils.APPLET_WIDTH, bkuselection.getAppletWidth()); +			  		}  	} @@ -343,6 +349,27 @@ public List<OAStorkAttribute> getRequestedAttributes() {  } +public byte[] getBKUSelectionTemplate() { +	 +	TemplatesType templates = oa_auth.getTemplates(); +	if (templates != null && templates.getBKUSelectionTemplate() != null) { +		return templates.getBKUSelectionTemplate().getTransformation(); + +	} +	 +	return null;	 +} + +public byte[] getSendAssertionTemplate() { +	 +	TemplatesType templates = oa_auth.getTemplates(); +	if (templates != null && templates.getSendAssertionTemplate() != null) { +		return templates.getSendAssertionTemplate().getTransformation(); + +	} +	 +	return null;	 +} 
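Review bot: The commented-out `//DefaultBootstrap.bootstrap();` left beside the new `MOADefaultBootstrap.bootstrap();` should be deleted rather than kept as history, and the `//Initialize OpenSAML for STORK` comment above it is now misleading: the replacement bootstrap installs MOA's global security configuration (SHA-256 signatures, AES algorithm registrations), which affects every OpenSAML user in the server, not only STORK. Suggest `// Initialize OpenSAML with MOA's global security configuration (SHA-256 signatures, AES defaults); used by PVP2 and STORK`. The enclosing method starts and ends outside the hunk.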
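Review bot: The new `getBKUSelectionTemplate()` and `getSendAssertionTemplate()` return the raw template bytes from the OA configuration without any Javadoc, while their callers in LoginFormBuilder and SendAssertionFormBuilder apparently render those bytes as the IdP's own HTML page after tag substitution. Document that contract so the trust level is explicit: a Javadoc saying the method returns the OA-specific template as stored in the configuration, or null if none is configured, and that the content is rendered unescaped as an IdP page and must therefore only be writable by trusted administrators. Returning the array reference directly also hands out the configuration object's internal state; `.clone()` is cheap here.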
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java index 93de902ef..66d330d20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java @@ -118,7 +118,7 @@ public class ProxyConfigurationProvider extends ConfigurationProvider {      throws ConfigurationException {      String fileName = System.getProperty(PROXY_CONFIG_PROPERTY_NAME);      if (fileName == null) { -      throw new ConfigurationException("config.01", null); +      throw new ConfigurationException("config.20", null);      }      Logger.info("Loading MOA-ID-PROXY configuration " + fileName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 01b80a93f..6cc17231c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -22,14 +22,8 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.entrypoints; - - -import iaik.security.ecc.provider.ECCProvider; -import iaik.security.provider.IAIK; -  import java.io.IOException; -import java.io.PrintWriter; -import java.security.Security; +  import java.util.Iterator;  import java.util.Map;  import java.util.Set; 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 78fe43daa..1668c31ce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -66,7 +66,7 @@ import at.gv.egovernment.moa.logging.Logger;  public class MetadataAction implements IAction { -	private static final int VALIDUNTIL_IN_DAYES = 30; +	private static final int VALIDUNTIL_IN_HOURS = 24;  	public String processRequest(IRequest req, HttpServletRequest httpReq,  			HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { @@ -81,7 +81,7 @@ public class MetadataAction implements IAction {  			DateTime date = new DateTime(); -			idpEntitiesDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES)); +			idpEntitiesDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS));  			EntityDescriptor idpEntityDescriptor = SAML2Utils  					.createSAMLObject(EntityDescriptor.class); @@ -95,7 +95,7 @@ public class MetadataAction implements IAction {  			idpEntityDescriptor  			.setEntityID(PVPConfiguration.getInstance().getIDPPublicPath()); -			idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES)); +			idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));  			List<ContactPerson> persons = PVPConfiguration.getInstance()  					.getIDPContacts(); 
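Review bot: `idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS))` still uses `plusDays`, so the EntityDescriptor is declared valid for 24 days while the enclosing EntitiesDescriptor (first hunk of this file) now gets 24 hours; the constant was renamed but only one of the two call sites was converted. Change it to `idpEntityDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS));`. Relying parties that honor the inner validUntil would otherwise keep a stale metadata document, including its signing certificates, far longer than intended.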
@@ -114,13 +114,31 @@ public class MetadataAction implements IAction {  			Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();  			Signature signature = CredentialProvider  					.getIDPSignature(metadataSigningCredential); +						 +			idpEntitiesDescriptor.setSignature(signature); +			 +//			//set SignatureMethode +//			signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +//			 +//			//set DigestMethode +//			List<ContentReference> contentList = signature.getContentReferences(); +//			for (ContentReference content : contentList) { +//				 +//				if (content instanceof SAMLObjectContentReference) { +//					 +//					SAMLObjectContentReference el = (SAMLObjectContentReference) content; +//					el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +//					 +//				} +//			} +			  //			KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder();  //			KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject();  //			//KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.);  //			signature.setKeyInfo(metadataKeyInfo ); -			idpEntitiesDescriptor.setSignature(signature); +  			IDPSSODescriptor idpSSODescriptor = SAML2Utils  					.createSAMLObject(IDPSSODescriptor.class); @@ -222,7 +240,7 @@ public class MetadataAction implements IAction {  			String metadataXML = sw.toString(); -			//System.out.println("METADATA: " + metadataXML); +			System.out.println("METADATA: " + metadataXML);  			httpResp.setContentType("text/xml");  			httpResp.getOutputStream().write(metadataXML.getBytes()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 0172cce2d..7946c7596 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java 
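Review bot: The hunk adds a commented-out block that would set the signature and digest algorithm on `signature` right under the moved `idpEntitiesDescriptor.setSignature(signature)`; dead code like this should be deleted, and if the intent is that the algorithms now come from the global security configuration installed by MOADefaultBootstrap, say so in one line: `// signature and digest algorithm come from the global OpenSAML security configuration (MOADefaultSecurityConfigurationBootstrap)`. Without that note the next reader cannot tell whether the metadata signature is still SHA-1.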
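Review bot: Re-enabling `System.out.println("METADATA: " + metadataXML);` writes the full metadata document to stdout on every request; the metadata is public, so this is not a secrecy issue, but it is unbounded console noise and bypasses the Logger the rest of the class uses. Replace it with `Logger.debug("METADATA: " + metadataXML);` or drop it. The adjacent unchanged `metadataXML.getBytes()` uses the platform default charset while the content type is set without one — `getBytes("UTF-8")` and `text/xml; charset=UTF-8` would be a cheap follow-up.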
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -22,8 +22,17 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x; +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.signature.SignatureConstants; +  public interface PVPConstants { +	public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; +	public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; +	public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128; +	public static final String DEFAULT_ASYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP; +	 +	  	public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/";  	public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1";  	public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java new file mode 100644 index 000000000..80789cd12 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java 
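Review bot: `DEFAULT_SYM_ENCRYPTION_METHODE` picks AES-128-CBC for assertion encryption; XML Encryption in CBC mode is the classic target of padding-oracle attacks against the decrypting SP (Jager/Somorovsky 2011), which is presumably why the new MOADefaultSecurityConfigurationBootstrap also registers the AES-GCM URIs. If the relying parties' OpenSAML/Santuario versions support it, prefer `EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM`; otherwise document the choice, e.g. `// CBC kept for SP compatibility; switch to GCM once all SPs support it`. A short Javadoc on the four constants saying where each default is applied (AuthnRequestHandler uses the two encryption ones) would also help.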
@@ -0,0 +1,61 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.Configuration; +import org.opensaml.DefaultBootstrap; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder; +import org.opensaml.xml.ConfigurationException; + +/** + * @author tlenz + * + */ +public class MOADefaultBootstrap extends DefaultBootstrap { + +    public static synchronized void bootstrap() throws ConfigurationException { + +        initializeXMLSecurity(); + +        initializeXMLTooling(); + +        initializeArtifactBuilderFactories(); + +        initializeGlobalSecurityConfiguration(); +         +        initializeParserPool(); +         +        initializeESAPI(); +         +    } +   +     +     +    /** +     * Initializes the default global security configuration. +     */ +    protected static void initializeGlobalSecurityConfiguration() { +        Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig()); +    } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java new file mode 100644 index 000000000..1563ba9be --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java 
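Review bot: `bootstrap()` re-implements the initialization sequence of OpenSAML's DefaultBootstrap but, as far as I remember that class, leaves out `initializeVelocity()`, which the HTTP-POST message encoders rely on for their templates — confirm against the OpenSAML version in use before shipping. The imports `BasicSAMLMessageContext` and `BaseSAML2MessageEncoder` are unused and should be removed. The class also needs a Javadoc stating why it exists, e.g. `// Replaces DefaultBootstrap so that the global security configuration comes from MOADefaultSecurityConfigurationBootstrap (SHA-256 signatures, AES-GCM registered) instead of OpenSAML's SHA-1 defaults`, and a note that both static methods hide rather than override the parent's, so callers must invoke `MOADefaultBootstrap.bootstrap()` explicitly.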
@@ -0,0 +1,129 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.security.BasicSecurityConfiguration; +import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap; +import org.opensaml.xml.signature.SignatureConstants; + +/** + * @author tlenz + * + */ +public class MOADefaultSecurityConfigurationBootstrap extends +		DefaultSecurityConfigurationBootstrap { +	 +	public static BasicSecurityConfiguration buildDefaultConfig() { +		BasicSecurityConfiguration config = new BasicSecurityConfiguration(); + +		populateSignatureParams(config); +		populateEncryptionParams(config); +		populateKeyInfoCredentialResolverParams(config); +		populateKeyInfoGeneratorManager(config); +		populateKeyParams(config); + +		return config; +	} + +	protected static void populateSignatureParams( +			BasicSecurityConfiguration config) { +		 +		//use SHA256 instead of SHA1 +		config.registerSignatureAlgorithmURI("RSA", +				SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); +	 +		config.registerSignatureAlgorithmURI("DSA", +				"http://www.w3.org/2000/09/xmldsig#dsa-sha1"); +		 +		//use SHA256 instead of SHA1 +		config.registerSignatureAlgorithmURI("EC", +				SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); + +		//use SHA256 instead of SHA1 +		config.registerSignatureAlgorithmURI("AES", +				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); +		 +		 +		config.registerSignatureAlgorithmURI("DESede", +				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); + +		config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"); +		config.setSignatureHMACOutputLength(null); +		 +		//use SHA256 instead of SHA1 +		config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); +	} + +	protected static void populateEncryptionParams( +			BasicSecurityConfiguration config) { +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), +				
"http://www.w3.org/2001/04/xmlenc#aes128-cbc"); +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), +				"http://www.w3.org/2001/04/xmlenc#aes192-cbc"); +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), +				"http://www.w3.org/2001/04/xmlenc#aes256-cbc"); +		 +		//support GCM mode +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),  +				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); +		 +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),  +				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM); +		 +		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),  +				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM); +		 +		 +		config.registerDataEncryptionAlgorithmURI("DESede", +				Integer.valueOf(168), +				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); +		config.registerDataEncryptionAlgorithmURI("DESede", +				Integer.valueOf(192), +				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); + +		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES", +				"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); +		 +		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, +				"DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); + +		config.registerKeyTransportEncryptionAlgorithmURI("AES", +				Integer.valueOf(128), null, +				"http://www.w3.org/2001/04/xmlenc#kw-aes128"); +		config.registerKeyTransportEncryptionAlgorithmURI("AES", +				Integer.valueOf(192), null, +				"http://www.w3.org/2001/04/xmlenc#kw-aes192"); +		config.registerKeyTransportEncryptionAlgorithmURI("AES", +				Integer.valueOf(256), null, +				"http://www.w3.org/2001/04/xmlenc#kw-aes256"); +		config.registerKeyTransportEncryptionAlgorithmURI("DESede", +				Integer.valueOf(168), null, +				"http://www.w3.org/2001/04/xmlenc#kw-tripledes"); +		config.registerKeyTransportEncryptionAlgorithmURI("DESede", +				Integer.valueOf(192), null, +				
"http://www.w3.org/2001/04/xmlenc#kw-tripledes"); + +		config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc"); +	} +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 5d71b915f..bf82efb79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -33,6 +33,7 @@ import java.util.Properties;  import java.util.jar.Attributes;  import java.util.jar.Manifest; +import org.opensaml.Configuration;  import org.opensaml.saml2.metadata.Company;  import org.opensaml.saml2.metadata.ContactPerson;  import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; @@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.OrganizationName;  import org.opensaml.saml2.metadata.OrganizationURL;  import org.opensaml.saml2.metadata.SurName;  import org.opensaml.saml2.metadata.TelephoneNumber; +import org.opensaml.xml.security.SecurityConfiguration;  import at.gv.egovernment.moa.id.commons.db.dao.config.Contact;  import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; @@ -115,7 +117,7 @@ public class PVPConfiguration {  		 try {  			//generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig();  			props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); -			 +						  		} catch (ConfigurationException e) {  			e.printStackTrace();  		} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 21c0d85a1..229158778 100644 
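Review bot: In `populateEncryptionParams` the AES-GCM URIs are registered under the same `("AES", 128/192/256)` keys as the CBC URIs registered just above; if `registerDataEncryptionAlgorithmURI` keeps one URI per algorithm/key-length pair (which is how I recall BasicSecurityConfiguration's map working — confirm), the second call silently replaces the first, so the comment `//support GCM mode` is misleading: the CBC mapping is gone and GCM becomes the URI resolved for AES keys, while `setAutoGeneratedDataEncryptionKeyAlgorithmURI` and PVPConstants still say aes128-cbc. Decide which one is the default, register only that, and say so, e.g. `// AES keys resolve to GCM; the explicit aes128-cbc default in PVPConstants is kept for SP compatibility`. In `populateSignatureParams` DSA is still mapped to `dsa-sha1`, contradicting the `//use SHA256 instead of SHA1` intent stated for the other algorithms — add a comment explaining the exception or drop DSA. The 3DES data-encryption and key-wrap registrations are legacy and could go unless a relying party needs them.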
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;  import java.util.ArrayList;  import java.util.List; -  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; @@ -45,7 +44,6 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.security.MetadataCredentialResolver;  import org.opensaml.security.MetadataCriteria;  import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.encryption.EncryptionConstants;  import org.opensaml.xml.encryption.EncryptionException;  import org.opensaml.xml.encryption.EncryptionParameters;  import org.opensaml.xml.encryption.KeyEncryptionParameters; @@ -57,6 +55,7 @@ import org.opensaml.xml.security.criteria.UsageCriteria;  import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;  import org.opensaml.xml.security.x509.X509Credential; +  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -125,12 +124,11 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  		AssertionConsumerService consumerService = spSSODescriptor  				.getAssertionConsumerServices().get(idx); -		if (consumerService == null) { -			//TODO: maybe use default ConsumerService -			 +		if (consumerService == null) {			  			throw new InvalidAssertionConsumerServiceException(idx);  		} +		  		String oaURL = consumerService.getLocation();  		//check, if metadata includes an encryption key				 
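Review bot: The `consumerService == null` check after `spSSODescriptor.getAssertionConsumerServices().get(idx)` can never fire for a list element: `List.get` throws `IndexOutOfBoundsException` for an invalid index instead of returning null, so if `idx` (computed above the hunk) comes from the request's AssertionConsumerServiceIndex without a bounds check, a malformed AuthnRequest yields an unhandled exception rather than the intended `InvalidAssertionConsumerServiceException`. Guard the index first: `if (idx < 0 || idx >= spSSODescriptor.getAssertionConsumerServices().size()) throw new InvalidAssertionConsumerServiceException(idx);`. Removing `//TODO: maybe use default ConsumerService` also dropped a real open question — SAML 2.0 lets the SP omit the index and fall back to the `isDefault` service — so either keep the TODO or document that a missing index is rejected.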
@@ -158,19 +156,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  			try {  				EncryptionParameters dataEncParams = new EncryptionParameters(); -				dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); -			 +				dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); +								  				List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();  				KeyEncryptionParameters  keyEncParam = new KeyEncryptionParameters();  				keyEncParam.setEncryptionCredential(encryptionCredentials); -				keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); +				keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE);  				KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()  						.getKeyInfoGeneratorManager().getDefaultManager()  						.getFactory(encryptionCredentials);  				keyEncParam.setKeyInfoGenerator(kigf.newInstance());  				keyEncParamList.add(keyEncParam); -			 +											  				Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);   				//samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);  				samlEncrypter.setKeyPlacement(KeyPlacement.PEER); @@ -178,7 +176,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  				EncryptedAssertion encryptAssertion = null;  				encryptAssertion = samlEncrypter.encrypt(assertion); - +				  				authResponse.getEncryptedAssertions().add(encryptAssertion);  				} catch (EncryptionException e1) { @@ -191,10 +189,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  				authResponse.getAssertions().add(assertion);  			} -			 - - -		 +					  		IEncoder binding = null;  		if (consumerService.getBinding().equals( 
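Review bot: The two algorithm lines rewritten in the `@@ -158` hunk, `dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE);` and `keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE);`, replace the explicit AES-128 and RSA-OAEP identifiers with constants whose values are not in this diff. Because the key-transport and data-encryption algorithms decide how the encrypted assertion is protected, the definitions in PVPConstants should be compared with the values they replace so the change is a pure refactoring and not a downgrade; the configuration hunk at the start of this chunk references a `kw-tripledes` key-wrap URI, so the defaults used across the commit deserve a single consistent look. A short comment at the call site, `// encryption algorithms are centralised in PVPConstants; keep in sync with the security configuration bootstrap`, would make that dependency visible. The remaining hunks in this file only change whitespace.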
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index 4ef9919ca..550643da1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -22,7 +22,6 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x.verification; -import java.util.Iterator;  import java.util.List;  import org.opensaml.saml2.metadata.EntitiesDescriptor; @@ -44,18 +43,25 @@ import at.gv.egovernment.moa.logging.Logger;  public class EntityVerifier {  	public static byte[] fetchSavedCredential(String entityID) { -		List<OnlineApplication> oaList = ConfigurationDBRead -				.getAllActiveOnlineApplications(); -		Iterator<OnlineApplication> oaIt = oaList.iterator(); -		while (oaIt.hasNext()) { -			OnlineApplication oa = oaIt.next(); -			if (oa.getPublicURLPrefix().equals(entityID)) { +//		List<OnlineApplication> oaList = ConfigurationDBRead +//				.getAllActiveOnlineApplications(); +		 +		OnlineApplication oa = ConfigurationDBRead +				.getActiveOnlineApplication(entityID); +		 +//		Iterator<OnlineApplication> oaIt = oaList.iterator(); +//		while (oaIt.hasNext()) { +//			OnlineApplication oa = oaIt.next(); +//			if (oa.getPublicURLPrefix().equals(entityID)) { +		 +			if (oa != null && oa.getAuthComponentOA() != null) { +		  				OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();  				if (pvp2Config != null) {  					return pvp2Config.getCertificate();  				}  			} -		} +//		}  		return null;  	} 
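Review bot: fetchSavedCredential in the EntityVerifier hunk keeps the old iteration as commented-out lines (`//		List<OnlineApplication> oaList = ConfigurationDBRead` through the stray `//		}`); these should be deleted rather than left behind, since version control holds the history and the leftover closing brace makes the new block hard to read. The replacement `ConfigurationDBRead.getActiveOnlineApplication(entityID)` also moves the match from an exact `getPublicURLPrefix().equals(entityID)` comparison to whatever the helper implements, which is not visible here; because the returned certificate is what verifies an entity's metadata signature, confirm the helper matches the entity ID exactly and does not resolve a longer ID to the OA whose URL prefix it happens to start with. The added `oa != null && oa.getAuthComponentOA() != null` guard is the right null handling for a single-result lookup.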
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java index f0ae6f446..ed0cf9c62 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -25,7 +25,9 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;  import iaik.x509.X509Certificate;  import java.security.cert.CertificateException; +import java.util.ArrayList;  import java.util.Iterator; +import java.util.List;  import org.opensaml.saml2.metadata.EntitiesDescriptor;  import org.opensaml.saml2.metadata.EntityDescriptor; @@ -69,13 +71,17 @@ public class MetadataSignatureFilter implements MetadataFilter {  		while(entID.hasNext()) {  			processEntitiesDescriptor(entID.next());  		} -		 +				  		Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); -	 -		//check every Entity  + +		List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>(); +		 +		//check every Entity +		  		while(entIT.hasNext()) {  			EntityDescriptor entity = entIT.next(); +			  			String entityID = entity.getEntityID();  			//CHECK if Entity also match MetaData signature. 
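Review bot: `List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>();` in the second MetadataSignatureFilter hunk names a list as if it were an iterator, mirroring the `entIT` iterator declared just above it; `verifiedEntities` would say what it holds and avoid confusion inside the loop that uses both. A one-line comment at the declaration, `// entities whose signature could be verified; replaces desc's entity list at the end`, would also explain why the list exists before its use further down. The hunk adds several whitespace-only lines (`+				`, `+		`) that are worth trimming before merge.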
@@ -92,17 +98,31 @@ public class MetadataSignatureFilter implements MetadataFilter {  					EntityVerifier.verify(desc, entityCrendential); +					//add entity to verified entity-list +					verifiedEntIT.add(entity); +					  				} catch (Exception e) { -					throw new MOAIDException("The App", null, e); + +					//remove entity of signature can not be verified. +					Logger.info("Entity " + entityID + " is removed from metadata "  +							+ desc.getName() + ". Entity verification error: " + e.getMessage()); +//					throw new MOAIDException("The App", null, e);  				}  			} else { -				throw new NoCredentialsException("NO Certificate found for OA " + entityID); +				//remove entity if it is not registrated as OA +				Logger.info("Entity " + entityID + " is removed from metadata "  +						+ desc.getName() + ". Entity is not registrated or no certificate is found!");				 +//				throw new NoCredentialsException("NO Certificate found for OA " + entityID);  			} - +			  			//TODO: insert to support signed Entity-Elements  			//processEntityDescriptorr(entIT.next()); -		} +		}		 +		 +		//set only verified entity elements +		desc.getEntityDescriptors().clear(); +		desc.getEntityDescriptors().addAll(verifiedEntIT);  	}  	public void doFilter(XMLObject metadata) throws FilterException { @@ -114,6 +134,13 @@ public class MetadataSignatureFilter implements MetadataFilter {  				}  				processEntitiesDescriptor(entitiesDescriptor); +				 +				if (entitiesDescriptor.getEntityDescriptors().size() == 0) { +					throw new MOAIDException("No valid entity in metadata " +							+ entitiesDescriptor.getName() + ". Metadata is not loaded.", null); +				} +				 +				  			} else if (metadata instanceof EntityDescriptor) {  				EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;  				processEntityDescriptorr(entityDescriptor); 
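Review bot: The `catch (Exception e)` branch rewritten in the `@@ -92` hunk now only logs `e.getMessage()` at info level when `EntityVerifier.verify(desc, entityCrendential)` fails, and the `else` branch does the same for an unregistered entity; dropping the entity from the loaded metadata is the right fail-closed outcome, but a metadata entity that fails signature verification is a security-relevant event an operator needs to notice, so it should be logged at warn level with the exception attached rather than with its message alone, for example `Logger.warn("Entity " + entityID + " is removed from metadata " + desc.getName() + ". Entity verification error: " + e.getMessage(), e);` if the MOA Logger offers a (message, Throwable) overload. Catching `Exception` also hides programming errors inside verify(); narrowing it to the exception types verify() declares would keep those visible. The commented-out `throw` statements should be deleted instead of kept, and the trailing whitespace added on the `}		` and `+		` lines trimmed. The method's signature is outside the hunk.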
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java index 37ead5cff..d3ac574f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java @@ -43,6 +43,8 @@ public class FormBuildUtils {  	public static String FONTFAMILY = "#FONTTYPE#";  	public static String HEADER_TEXT = "#HEADER_TEXT#";  	public static String REDIRECTTARGET = "#REDIRECTTARGET#"; +	public static String APPLET_HEIGHT = "#APPLETHEIGHT#"; +	public static String APPLET_WIDTH = "#APPLETWIDTH#";  	private static String MANDATEVISIBLE = "#MANDATEVISIBLE#";  	private static String MANDATECHECKED = "#MANDATECHECKED#"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 327170054..bd6514c5c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -513,8 +513,8 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{  				throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
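Review bot: The two placeholder constants added in the FormBuildUtils hunk, `public static String APPLET_HEIGHT = "#APPLETHEIGHT#";` and `public static String APPLET_WIDTH = "#APPLETWIDTH#";`, are mutable public statics, so any caller can reassign the tag names used for template substitution at runtime. They follow the pattern of the existing fields above them, but new additions are the natural point to declare them `public static final String` and to give the group a one-line comment such as `// placeholder tags replaced in the HTML form templates`.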
  		    if (MiscUtil.isEmpty(bkuURL))
  		       throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12");
 -		    if (MiscUtil.isEmpty(templateURL))
 -		       throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
 +//		    if (MiscUtil.isEmpty(templateURL))
 +//		       throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
  		    if (!ParamValidatorUtils.isValidUseMandate(useMandate))
  	           throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12");		    
  		    if (!ParamValidatorUtils.isValidCCC(ccc))
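Review bot: The two lines commented out in the ParamValidatorUtils hunk, `//		    if (MiscUtil.isEmpty(templateURL))` and the `//		       throw new WrongParametersException(...)` below it, should be deleted rather than kept as comments; the history is in version control, and a commented-out validation reads as a temporary hack. If the intent is that the template parameter is now optional, say so at that spot, `// templateURL is optional here; TODO(review) confirm every consumer handles an empty value`, and confirm the code that consumes templateURL downstream treats an empty value as "use default" rather than dereferencing or opening it. The enclosing method starts and ends outside the hunk.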
 diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index a6c0601e4..93e8cdb99 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -41,6 +41,8 @@ auth.19=Die Authentifizierung kann nicht passiv durchgef\u00FChrt werden.  auth.20=No valid MOA session found. Authentification process is abourted.
  auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen.
  auth.22=Das Protokoll {0} ist deaktiviert.
 +auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID 2.x.
 +auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x.
  init.00=MOA ID Authentisierung wurde erfolgreich gestartet
  init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
 @@ -67,7 +69,8 @@ config.15=Das Personenbindungs-Trust-Profil (TrustProfileID \= {0}) darf nicht f  config.16=MOA ID Proxy konnte nicht gestartet werden. Das Element ConnnectionParameter im allgemeinen Konfigurationsteil der MOA-ID-PROXY Konfigurationsdatei fehlt. 
  config.17=Fehler beim initialisieren von Hibernate
  config.18=Keine MOA-ID 2.x Konfiguration gefunden.
 -config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden. 
 +config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden.
 +config.20=Umgebungsvariable "moa.id.proxy.configuration" nicht gesetzt 
  parser.00=Leichter Fehler beim Parsen: {0}
  parser.01=Fehler beim Parsen: {0}
