diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-02-03 08:51:45 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-02-03 08:51:45 +0100 | 
| commit | 2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2 (patch) | |
| tree | 28e34446dc263144a09441120b0483e50e8e95b2 /id/server/idserverlib | |
| parent | 3573f8ea5a4b269834723da4708bf0bace50fa65 (diff) | |
| parent | e25d9bfa5fb81fd275706fb7cbee21fe5add5b19 (diff) | |
| download | moa-id-spss-2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2.tar.gz moa-id-spss-2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2.tar.bz2 moa-id-spss-2b68b287aa55dc48e9f3a01bd42d6099bbe1deb2.zip | |
Merge branch 'eIDAS_node_implementation' into development_preview
Diffstat (limited to 'id/server/idserverlib')
6 files changed, 77 insertions, 576 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 8f6dff849..99e4b4cce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -83,10 +83,19 @@ public class STORKConfig implements IStorkConfig {          				if (MiscUtil.isNotEmpty(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY))) {
          					try {
 +        						
 +        						//Assertion encryption is enabled by default
 +        						boolean enableAssertionEncryption = true;
 +        						String enableAssertionEncryptionString = storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG);
 +        						if (MiscUtil.isNotEmpty(enableAssertionEncryptionString)) {
 +        							enableAssertionEncryption = Boolean.parseBoolean(enableAssertionEncryptionString);
 +        							
 +        						}
 +        						        						
          						CPEPS moacpep = 
          								new CPEPS(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY), 
          										new URL(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL)), 
 -        											Boolean.valueOf(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG)));
 +        										enableAssertionEncryption);
          						cpepsMap.put(moacpep.getCountryCode(), moacpep);
          					} catch (MalformedURLException e) {
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java index b6fed5934..16b179d89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java @@ -27,6 +27,7 @@ import java.io.IOException;  import javax.xml.transform.TransformerException;  import javax.xml.transform.TransformerFactoryConfigurationError; +import org.opensaml.saml2.metadata.EntitiesDescriptor;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.provider.FilterException;  import org.opensaml.saml2.metadata.provider.MetadataFilter; @@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil;  /**   * @author tlenz @@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter {  	@Override  	public void doFilter(XMLObject metadata) throws FilterException {  		if (metadata instanceof EntityDescriptor) { -			if (((EntityDescriptor) metadata).isSigned()) {				 -				EntityDescriptor entityDes = (EntityDescriptor) metadata; -				//check signature; -				try { -					byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); -					 -//					Transformer transformer = TransformerFactory.newInstance() -//							.newTransformer();	 -//					StringWriter sw = new StringWriter(); -//					StreamResult sr = new StreamResult(sw); -//					DOMSource source = new DOMSource(metadata.getDOM()); -//					transformer.transform(source, sr); -//					sw.close(); -//					String metadataXML = sw.toString(); -					 -					SignatureVerificationUtils sigVerify =  -							new SignatureVerificationUtils(); -					IVerifiyXMLSignatureResponse result = sigVerify.verify( -							serialized, trustProfileID); -					 -					//check signature-verification result -					if (result.getSignatureCheckCode() != 0) { -						Logger.warn("Metadata signature-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getSignatureCheckCode()); -						throw new FilterException("Metadata signature-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getSignatureCheckCode()); +			checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID()); -					} -					 -					if (result.getCertificateCheckCode() != 0) { -						Logger.warn("Metadata certificate-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getCertificateCheckCode()); -						throw new FilterException("Metadata certificate-verification FAILED!" -								+ " Metadata: " + entityDes.getEntityID() -								+ " StatusCode:" + result.getCertificateCheckCode()); -						 -					} -					 -					Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid"); +		} else if (metadata instanceof EntitiesDescriptor) { +			EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; +			if (entitiesDesc.getEntityDescriptors() != null &&  +					entitiesDesc.getEntityDescriptors().size() > 1) { +				String nameForLogging = entitiesDesc.getName(); +				if (MiscUtil.isEmpty(nameForLogging)) +					nameForLogging = entitiesDesc.getID(); +				 +				checkSignature(metadata, nameForLogging); +				 +			} else { +				Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'"); +				throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor"); +				 +			} +			 +		} else { +			Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); +			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); +			 +		} +		 +	} +	 +	private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException { +		if (((EntityDescriptor) metadata).isSigned()) {				 +			//check signature; +			try { +				byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); +				 +				SignatureVerificationUtils sigVerify =  +						new SignatureVerificationUtils(); +				IVerifiyXMLSignatureResponse result = sigVerify.verify( +						serialized, trustProfileID); -				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { -					Logger.error("Metadata verification for Entity:" + entityDes.getEntityID()  -							+ " has an interal error.", e); -					throw new FilterException("Metadata verification has an interal error." -							+ " Message:" + e.getMessage()); +				//check signature-verification result +				if (result.getSignatureCheckCode() != 0) { +					Logger.warn("Metadata signature-verification FAILED!" +							+ " Metadata: " + nameForLogging +							+ " StatusCode:" + result.getSignatureCheckCode());  				} +				if (result.getCertificateCheckCode() != 0) { +					Logger.warn("Metadata certificate-verification FAILED!" +							+ " Metadata: " + nameForLogging +							+ " StatusCode:" + result.getCertificateCheckCode()); +					throw new FilterException("Metadata certificate-verification FAILED!" +							+ " Metadata: " + nameForLogging +							+ " StatusCode:" + result.getCertificateCheckCode()); +					 +				} -			} else { -				Logger.warn("Metadata root-element MUST be signed."); -				throw new FilterException("Metadata root-element MUST be signed.'"); +				Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid"); +			 +			} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { +				Logger.error("Metadata verification for Entity:" + nameForLogging  +						+ " has an interal error.", e); +				throw new FilterException("Metadata verification has an interal error." +						+ " Message:" + e.getMessage());  			} -						 +			 +			  		} else { -			Logger.warn("Metadata root-element is not of type 'EntityDescriptor'"); -			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'"); +			Logger.warn("Metadata root-element MUST be signed."); +			throw new FilterException("Metadata root-element MUST be signed.'");  		} diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html index 2f93428b5..64e88a688 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html @@ -1,9 +1,9 @@  ## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity -context may contain the following properties ## action - String - the -action URL for the form ## RelayState - String - the relay state for the -message ## SAMLRequest - String - the Base64 encoded SAML Request ## -SAMLResponse - String - the Base64 encoded SAML Response - +##context may contain the following properties ## action - String - the +##action URL for the form ## RelayState - String - the relay state for the +##message ## SAMLRequest - String - the Base64 encoded SAML Request ## +##SAMLResponse - String - the Base64 encoded SAML Response +<!DOCTYPE html>  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">  <body onload="document.forms[0].submit()"> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm b/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm deleted file mode 100644 index 8beb601c6..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm +++ /dev/null @@ -1,38 +0,0 @@ -## -## Velocity Template for SAML 2 HTTP-POST binding -## -## Velocity context may contain the following properties -## action - String - the action URL for the form -## RelayState - String - the relay state for the message -## SAMLRequest - String - the Base64 encoded SAML Request -## SAMLResponse - String - the Base64 encoded SAML Response -## Contains target attribute to delegate PEPS authentication out of iFrame - -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - -    <body onload="document.forms[0].submit()"> -        <noscript> -            <p> -                <strong>Note:</strong> Since your browser does not support JavaScript, -                you must press the Continue button once to proceed. -            </p> -        </noscript> -         -        <form action="${action}" method="post" target="_top"> -            <div> -                #if($RelayState)<input type="hidden" name="RelayState" value="${RelayState}"/>#end -                 -                #if($SAMLRequest)<input type="hidden" name="SAMLRequest" value="${SAMLRequest}"/>#end -                 -                #if($SAMLResponse)<input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>#end -                 -            </div> -            <noscript> -                <div> -                    <input type="submit" value="Continue"/> -                </div> -            </noscript> -        </form> -         -    </body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html b/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html deleted file mode 100644 index 0ab41f146..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html +++ /dev/null @@ -1,438 +0,0 @@ -<!DOCTYPE html> -<html> -<head> -<meta content="text/html; charset=utf-8" http-equiv="Content-Type"> - -   <!-- MOA-ID 2.x BKUSelection Layout CSS -->                -    <style type="text/css"> -			@media screen and (min-width: 650px) { -			 -				body { -					margin:0; -					padding:0; -					color : #000; -					background-color : #fff; -			  	text-align: center; -			  	background-color: #6B7B8B; -				} -         -        #bku_header h2 { -          font-size: 0.8em; -        }  -         -         -			  #page { -			    display: block; -			    border: 2px solid rgb(0,0,0); -			    width: 650px; -			    height: 460px; -			    margin: 0 auto; -			    margin-top: 5%; -			    position: relative; -			    border-radius: 25px; -			    background: rgb(255,255,255); -			  } -			   -			  #page1 { -			    text-align: center; -			  } -			   -			  #main { -			    /*	clear:both; */ -				  position:relative; -			    margin: 0 auto; -			    width: 250px; -			    text-align: center; -			  } -			   -			  .OA_header { -			/*	  background-color: white;*/ -			    font-size: 20pt; -			    margin-bottom: 25px; -			    margin-top: 25px; -			  } -			 -			  #leftcontent { -			    /*float:left; */ -				  width:250px; -				  margin-bottom: 25px; -			    text-align: left; -			    border: 1px solid rgb(0,0,0); -			  } -			  			   -			  #selectArea { -				 font-size: 15px; -				 padding-bottom: 65px; -			  } -			 -			  #leftcontent { -				 width: 300px; -				 margin-top: 30px; -			  } -			 -        #bku_header { -          height: 5%; -          padding-bottom: 3px; -          padding-top: 3px; -        } -       -        #bkulogin { -				  overflow:auto;	 -          min-width: 190px; -          height: 260px; -          padding: 20px; -			  } -       -        h2#tabheader{ -				  font-size: 1.1em;  -          padding-left: 2%; -          padding-right: 2%; -          position: relative; -			  } -        		   -			  .setAssertionButton_full { -			  	background: #efefef; -				  cursor: pointer; -				  margin-top: 15px; -			    width: 100px; -			    height: 30px -			  } -			 -			  #leftbutton  { -				 width: 30%;  -				 float:left;  -				 margin-left: 40px; -			  } -			 -			  #rightbutton { -				 width: 30%;  -				 float:right;  -				 margin-right: 45px;  -				 text-align: right; -			  } -         -        button { -          height: 25px; -          width: 75px; -          margin-bottom: 10px; -        } -         -       #validation { -        position: absolute; -        bottom: 0px; -        margin-left: 270px; -        padding-bottom: 10px; -      } -			 -			} - -      @media screen and (max-width: 205px) {         -        #bku_header h2 { -          font-size: 0.8em; -          margin-top: -0.4em; -          padding-top: 0.4em; -        } -         -        #bkulogin { -        min-height: 150px; -        padding: 20px; -        }  -      } - -      @media screen and (max-width: 249px) and (min-width: 206px) {         -        #bku_header h2 { -          font-size: 0.9em; -          margin-top: -0.45em; -          padding-top: 0.45em; -        } -         -        #bkulogin { -          height: 180px; -          padding: 20px; -        }   -      } - -      @media screen and (max-width: 299px) and (min-width: 250px) { -        #bku_header h2 { -          font-size: 1.1em; -          margin-top: -0.55em; -          padding-top: 0.55em; -        }  -      } -       -      @media screen and (max-width: 649px) and (min-width: 400px) { -        #bku_header h2 { -          font-size: 1.3em; -          margin-top: -0.65em; -          padding-top: 0.65em; -        }  -      } - - -			 -			@media screen and (max-width: 649px) { -				 -        body { -					margin:0; -					padding:0; -					color : #000; -			  	text-align: center; -          font-size: 100%; -			  	background-color: ${MAIN_BACKGOUNDCOLOR}; -				} -        				 -			  #page { -			     visibility: hidden; -			     margin-top: 0%; -			  } -			   -			  #page1 { -			    visibility: hidden; -			  } -			   -			  #main { -			    visibility: hidden; -			  } -         -        #validation { -          visibility: hidden; -          display: none; -        } -			   -			  .OA_header { -			    margin-bottom: 0px; -			    margin-top: 0px; -			    font-size: 0pt; -			    visibility: hidden; -			  } -			 -			  #leftcontent { -			    visibility: visible; -			    margin-bottom: 0px; -			    text-align: left; -			    border:none; -          vertical-align: middle; -          min-height: 173px; -          min-width: 204px; -           -			  } -			   -        #bku_header { -          height: 10%; -          min-height: 1.2em; -          margin-top: 1%; -        } -         -        h2#tabheader{ -          padding-left: 2%; -          padding-right: 2%; -          position: relative; -          top: 50%; -			  } -         -       	#bkulogin {	 -          min-width: 190px; -          height: 155px;	 -          padding: 20px; -			 } -         -			 .setAssertionButton_full { -			     	background: #efefef; -				    cursor: pointer; -				    margin-top: 15px; -			      width: 70px; -			      height: 25px; -			 } -        -        input[type=button] { -/*          height: 11%;  */ -          width: 70%; -        } -			} -			       -			* { -				margin: 0; -				padding: 0; -        font-family: ${FONTTYPE}; -			} -							      			 -			#selectArea { -				padding-top: 10px; -				padding-bottom: 55px; -				padding-left: 10px; -			} -			 -			.setAssertionButton { -				background: #efefef; -				cursor: pointer; -				margin-top: 15px; -			  width: 70px; -			  height: 25px; -			} -			 -			#leftbutton  { -				width: 35%;  -				float:left;  -				margin-left: 15px; -			} -			 -			#rightbutton { -				width: 35%;  -				float:right;  -				margin-right: 25px;  -				text-align: right; -			} -       -      .verticalcenter { -        vertical-align: middle; -      } -       -			input { -				/*border:1px solid #000;*/ -				cursor: pointer; -			} -       - -			#installJava, #BrowserNOK { -				clear:both; -				font-size:0.8em; -				padding:4px; -			} -						 -			.selectText{ -			 -			} -			 -			.selectTextHeader{ -			 -			} -			 -			.sendButton { -        width: 30%; -        margin-bottom: 1%;	 -			} -			 -			#leftcontent a { -				text-decoration:none;  -				color: #000; -			/*	display:block;*/ -				padding:4px;	 -			} -			 -			#leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active { -				text-decoration:underline; -				color: #000;	 -			} -						 -			.infobutton { -				background-color: #005a00; -				color: white; -				font-family: serif; -				text-decoration: none; -				padding-top: 2px; -				padding-right: 4px; -				padding-bottom: 2px; -				padding-left: 4px; -				font-weight: bold; -			} -			 -			.hell { -				background-color : ${MAIN_BACKGOUNDCOLOR}; -        color: ${MAIN_COLOR};	 -			} -			 -			.dunkel { -				background-color: ${HEADER_BACKGROUNDCOLOR}; -        color: ${HEADER_COLOR}; -			} -			       -			.main_header { -			   color: black; -			    font-size: 32pt; -			    position: absolute; -			    right: 10%; -			    top: 40px; -				 -			} -			 -			#controls { -				text-align: right; -			} -      			                         -    </style>        -<!-- MOA-ID 2.x BKUSelection JavaScript fucnctions--> -<script type="text/javascript"> -		function isIE() { -			return (/MSIE (\d+\.\d+);/.test(navigator.userAgent)); -		} -		function isFullscreen() { -			try { -				return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height)); -			} catch (e) { -				return false; -			} -		} -		function isActivexEnabled() { -			var supported = null; -			try { -				supported = !!new ActiveXObject("htmlfile"); -			} catch (e) { -				supported = false; -			} -			return supported; -		} -		function generateIFrame(iFrameURL) { -			var el = document.getElementById("bkulogin"); -      var width = el.clientWidth; -      var heigth = el.clientHeight - 20; -			var parent = el.parentNode; -             -      iFrameURL += "&heigth=" + heigth; -      iFrameURL += "&width=" + width; -       -			var iframe = document.createElement("iframe"); -			iframe.setAttribute("src", iFrameURL); -			iframe.setAttribute("width", el.clientWidth - 1); -			iframe.setAttribute("height", el.clientHeight - 1); -			iframe.setAttribute("frameborder", "0"); -			iframe.setAttribute("scrolling", "no"); -			iframe.setAttribute("title", "Login"); -			parent.replaceChild(iframe, el); -		} -		function onChangeChecks() { -      if (top.innerWidth < 650) { -         document.getElementById("moaidform").setAttribute("target","_parent"); -      } else { -         document.getElementById("moaidform").removeAttribute("target"); -      } -       -    } -	</script> -<title>Informationsfreigabe</title> -</head> -<body onload="onChangeChecks();" onresize="onChangeChecks();"> -	<div id="page"> -		<div id="page1" class="case selected-case" role="main"> -			<h2 class="OA_header" role="heading">STORK Informationsfreigabe</h2> -			<div id="main"> -				<div id="leftcontent" class="hell" role="application"> -					<form method="POST" action="${action}"> -						<div id="bku_header" class="dunkel"> -							<h2 id="tabheader" class="dunkel" role="heading">STORK Informationsfreigabe</h2> -						</div> -						<div id="bkulogin" class="hell" role="form"> -							Wählen Sie jene Daten, die, wenn verfügbar, an ein Drittland weitergegeben werden sollen:</br> -	  						<table> -	  							${tablecontent} -							</table> -						</div> -						<div id="controls" class="hell"> -							<input type="submit" value="weiter" /> -						</div> -					</form> -				</div> -			</div> -		</div> -	</div> -</body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html deleted file mode 100644 index f901351a2..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html +++ /dev/null @@ -1,42 +0,0 @@ -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - -<body onload="document.forms[0].submit()"> -	<noscript> -		<p> -			<strong>Note:</strong> Since your browser does not support -			JavaScript, you must press the Continue button once to proceed. -		</p> -	</noscript> - - -	<div id="alert">Your login is being processed. Thank you for -		waiting.</div> - -	<style type="text/css"> -<!-- -#alert { -	margin: 100px 250px; -	font-family: Verdana, Arial, Helvetica, sans-serif; -	font-size: 14px; -	font-weight: normal; -} ---> -</style> - -	<form action="${action}" method="post" target="_self"> -		<div> -			#if($RelayState)<input type="hidden" name="RelayState" -				value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden" -				name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input -				type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end - -		</div> -		<noscript> -			<div> -				<input type="submit" value="Continue" /> -			</div> -		</noscript> -	</form> - -</body> -</html> | 
