authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-12-10 14:31:55 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-12-10 14:31:55 +0100
commit9128d32d0bbbdc4d7183d3e189ffd3f59905aad5 (patch)
tree30d25a3a302b3a68edaf6eb9e796dc108d5b23ec /id/server/idserverlib
parentab5efe91d1779893723a7085e1f8984a4b9b466f (diff)
parent13a046b8df16ed037d2b9bc84969b583e89b8e53 (diff)
Merge branch 'development_preview' into 'master'
Development preview. See merge request egiz/moa-idspss!2
Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/pom.xml12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java314
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/MOASPSSTestCase.java2
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java3
4 files changed, 172 insertions, 159 deletions
diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml
index eed5f5669..28d0b3f68 100644
--- a/id/server/idserverlib/pom.xml
+++ b/id/server/idserverlib/pom.xml
@@ -4,7 +4,7 @@
<parent>
<groupId>MOA.id</groupId>
<artifactId>moa-id</artifactId>
- <version>4.1.4</version>
+ <version>4.1.5</version>
</parent>
<groupId>MOA.id.server</groupId>
@@ -16,14 +16,6 @@
<repositoryPath>${basedir}/../../../repository</repositoryPath>
</properties>
- <repositories>
- <repository>
- <id>shibboleth.internet2.edu</id>
- <name>Internet2</name>
- <url>https://apps.egiz.gv.at/shibboleth_nexus/</url>
- </repository>
- </repositories>
-
<dependencies>
<!-- TestNG -->
<dependency>
@@ -503,7 +495,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-pool2</artifactId>
- <version>2.8.1</version>
+ <version>2.9.0</version>
</dependency>
<dependency>
<groupId>redis.clients</groupId>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index b9c15e75e..d20ba5582 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -2,19 +2,19 @@
* Copyright 2014 Federal Chancellery Austria
* MOA-ID has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
+ *
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
* the European Commission - subsequent versions of the EUPL (the "Licence");
* You may not use this work except in compliance with the Licence.
* You may obtain a copy of the Licence at:
* http://www.osor.eu/eupl/
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the Licence is distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Licence for the specific language governing permissions and
* limitations under the Licence.
- *
+ *
* This product combines work with different licenses. See the "NOTICE" text
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
@@ -43,7 +43,6 @@
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
-
package at.gv.egovernment.moa.id.auth.validator;
import java.security.InvalidKeyException;
@@ -58,6 +57,7 @@ import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
@@ -71,19 +71,19 @@ import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
/**
- * This class is used to validate an {@link VerifyXMLSignatureResponse}
- * returned by MOA-SPSS
- *
+ * This class is used to validate an {@link VerifyXMLSignatureResponse} returned
+ * by MOA-SPSS
+ *
* @author Stefan Knirsch
* @version $Id$
*/
public class VerifyXMLSignatureResponseValidator {
-
+
/** Identification string for checking identity link */
public static final String CHECK_IDENTITY_LINK = "IdentityLink";
/** Identification string for checking authentication block */
public static final String CHECK_AUTH_BLOCK = "AuthBlock";
-
+
/** Singleton instance. <code>null</code>, if none has been created. */
private static VerifyXMLSignatureResponseValidator instance;
@@ -91,7 +91,7 @@ public class VerifyXMLSignatureResponseValidator {
* Constructor for a singleton VerifyXMLSignatureResponseValidator.
*/
public static synchronized VerifyXMLSignatureResponseValidator getInstance()
- throws ValidateException {
+ throws ValidateException {
if (instance == null) {
instance = new VerifyXMLSignatureResponseValidator();
}
@@ -99,121 +99,139 @@ public class VerifyXMLSignatureResponseValidator {
}
/**
- * Validates a {@link VerifyXMLSignatureResponse} returned by MOA-SPSS.
- *
- * @param verifyXMLSignatureResponse the <code>&lt;VerifyXMLSignatureResponse&gt;</code>
+ * Validates a {@link VerifyXMLSignatureResponse} returned by MOA-SPSS.
+ *
+ * @param verifyXMLSignatureResponse the
+ * <code>&lt;VerifyXMLSignatureResponse&gt;</code>
* @param identityLinkSignersSubjectDNNames subject names configured
- * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
- * @param oaParam specifies whether the validation result of the
- * manifest has to be ignored (identityLink validation if
- * the OA is a business service) or not
- * @throws ValidateException on any validation error
- * @throws ConfigurationException
+ * @param whatToCheck is used to identify whether the
+ * identityLink or the Auth-Block is
+ * validated
+ * @param oaParam specifies whether the validation
+ * result of the manifest has to be
+ * ignored (identityLink validation if
+ * the OA is a business service) or not
+ * @throws ValidateException on any validation error
+ * @throws ConfigurationException
*/
public void validate(IVerifiyXMLSignatureResponse verifyXMLSignatureResponse,
- List<String> identityLinkSignersSubjectDNNames,
- String whatToCheck,
- IOAAuthParameters oaParam,
- AuthConfiguration authConfig)
- throws ValidateException, ConfigurationException {
-
- if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
- throw new ValidateException("validator.06", new Object[] {whatToCheck});
-
+ List<String> identityLinkSignersSubjectDNNames,
+ String whatToCheck,
+ IOAAuthParameters oaParam,
+ AuthConfiguration authConfig)
+ throws ValidateException, ConfigurationException {
+
+ if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
+ throw new ValidateException("validator.06", new Object[] { whatToCheck });
+ }
+
if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
- String checkFailedReason ="";
- if (verifyXMLSignatureResponse.getCertificateCheckCode() == 1)
- checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.21", null);
- if (verifyXMLSignatureResponse.getCertificateCheckCode() == 2)
- checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.22", null);
- if (verifyXMLSignatureResponse.getCertificateCheckCode() == 3)
- checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.23", null);
- if (verifyXMLSignatureResponse.getCertificateCheckCode() == 4)
- checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.24", null);
- if (verifyXMLSignatureResponse.getCertificateCheckCode() == 5)
- checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.25", null);
+ String checkFailedReason = "";
+ if (verifyXMLSignatureResponse.getCertificateCheckCode() == 1) {
+ checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.21", null);
+ }
+ if (verifyXMLSignatureResponse.getCertificateCheckCode() == 2) {
+ checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.22", null);
+ }
+ if (verifyXMLSignatureResponse.getCertificateCheckCode() == 3) {
+ checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.23", null);
+ }
+ if (verifyXMLSignatureResponse.getCertificateCheckCode() == 4) {
+ checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.24", null);
+ }
+ if (verifyXMLSignatureResponse.getCertificateCheckCode() == 5) {
+ checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.25", null);
+ }
// TEST CARDS
- if (whatToCheck.equals(CHECK_IDENTITY_LINK))
- throw new ValidateException("validator.07", new Object[] { checkFailedReason } );
- else
- throw new ValidateException("validator.19", new Object[] { checkFailedReason } );
+ if (whatToCheck.equals(CHECK_IDENTITY_LINK)) {
+ throw new ValidateException("validator.07", new Object[] { checkFailedReason });
+ } else {
+ throw new ValidateException("validator.19", new Object[] { checkFailedReason });
+ }
}
-
- //check QC
+
+ // check QC
if (authConfig.isCertifiacteQCActive() &&
- !whatToCheck.equals(CHECK_IDENTITY_LINK) &&
- !verifyXMLSignatureResponse.isQualifiedCertificate()) {
-
- //check if testcards are active and certificate has an extension for test credentials
- if (oaParam.isTestCredentialEnabled()) {
- boolean foundTestCredentialOID = false;
- try {
- X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate();
-
- List<String> validOIDs = new ArrayList<String>();
- if (oaParam.getTestCredentialOIDs() != null)
- validOIDs.addAll(oaParam.getTestCredentialOIDs());
- else
- validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID);
-
- Set<String> extentsions = signerCert.getCriticalExtensionOIDs();
- extentsions.addAll(signerCert.getNonCriticalExtensionOIDs());
- Iterator<String> extit = extentsions.iterator();
- while(extit.hasNext()) {
- String certOID = extit.next();
- for (String el : validOIDs) {
- if (certOID.startsWith(el))
- foundTestCredentialOID = true;
- }
- }
-
- } catch (Exception e) {
- Logger.warn("Test credential OID extraction FAILED.", e);
-
- }
- //throw Exception if not TestCredentialOID is found
- if (!foundTestCredentialOID)
- throw new ValidateException("validator.72", null);
-
- } else
- throw new ValidateException("validator.71", null);
+ !whatToCheck.equals(CHECK_IDENTITY_LINK) &&
+ !verifyXMLSignatureResponse.isQualifiedCertificate()) {
+
+ // check if testcards are active and certificate has an extension for test
+ // credentials
+ if (oaParam.isTestCredentialEnabled()) {
+ boolean foundTestCredentialOID = false;
+ try {
+ final X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate();
+
+ final List<String> validOIDs = new ArrayList<>();
+ if (oaParam.getTestCredentialOIDs() != null) {
+ validOIDs.addAll(oaParam.getTestCredentialOIDs());
+ } else {
+ validOIDs.add(MOAIDConstants.TESTCREDENTIALROOTOID);
+ }
+
+ final Set<String> extentsions = signerCert.getCriticalExtensionOIDs();
+ extentsions.addAll(signerCert.getNonCriticalExtensionOIDs());
+ final Iterator<String> extit = extentsions.iterator();
+ while (extit.hasNext()) {
+ final String certOID = extit.next();
+ for (final String el : validOIDs) {
+ if (certOID.startsWith(el)) {
+ foundTestCredentialOID = true;
+ }
+ }
+ }
+
+ } catch (final Exception e) {
+ Logger.warn("Test credential OID extraction FAILED.", e);
+
+ }
+ // throw Exception if not TestCredentialOID is found
+ if (!foundTestCredentialOID) {
+ throw new ValidateException("validator.72", null);
+ }
+
+ } else {
+ throw new ValidateException("validator.71", null);
+ }
}
-
+
// if OA is type is business service the manifest validation result has
// to be ignored
boolean ignoreManifestValidationResult = false;
- if (whatToCheck.equals(CHECK_IDENTITY_LINK))
- ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true
- : false;
-
+ if (whatToCheck.equals(CHECK_IDENTITY_LINK)) {
+ ignoreManifestValidationResult = oaParam.hasBaseIdInternalProcessingRestriction() ? true
+ : false;
+ }
+
if (ignoreManifestValidationResult) {
Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
} else {
- if (verifyXMLSignatureResponse.isXmlDSIGManigest())
- if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0)
+ if (verifyXMLSignatureResponse.isXmlDSIGManigest()) {
+ if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) {
throw new ValidateException("validator.08", null);
+ }
+ }
}
-
-
+
// Check the signature manifest only when verifying the signed AUTHBlock
if (whatToCheck.equals(CHECK_AUTH_BLOCK)) {
if (verifyXMLSignatureResponse.getSignatureManifestCheckCode() > 0) {
throw new ValidateException("validator.50", null);
}
}
-
- //Check whether the returned X509 SubjectName is in the MOA-ID configuration or not
+
+ // Check whether the returned X509 SubjectName is in the MOA-ID configuration or
+ // not
if (identityLinkSignersSubjectDNNames != null) {
String subjectDN = "";
- X509Certificate x509Cert = verifyXMLSignatureResponse.getX509certificate();
+ final X509Certificate x509Cert = verifyXMLSignatureResponse.getX509certificate();
try {
subjectDN = ((Name) x509Cert.getSubjectDN()).getRFC2253String();
- }
- catch (RFC2253NameParserException e) {
+ } catch (final RFC2253NameParserException e) {
throw new ValidateException("validator.17", null);
}
- //System.out.println("subjectDN: " + subjectDN);
+ // System.out.println("subjectDN: " + subjectDN);
// check the authorisation to sign the identity link
if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
// subject DN check failed, try OID check:
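Review bot: The test-credential OID match at `if (certOID.startsWith(el))` compares dotted OID strings by plain string prefix, so a certificate extension whose OID merely begins with the same digits as a configured root (for example a configured `…1.2` also matching `…1.20`) would be accepted as a test credential and skip the qualified-certificate requirement enforced in the `isCertifiacteQCActive()` branch. Matching should only succeed on a dot boundary: `if (certOID.equals(el) || certOID.startsWith(el + ".")) {`. The branch is otherwise fail-closed — any exception in the extraction is caught, logged at warn and leaves `foundTestCredentialOID` false — but `getCriticalExtensionOIDs()` can return `null` for a certificate without critical extensions under the `java.security.cert.X509Extension` contract, so the following `extentsions.addAll(...)` then depends on that broad `catch (final Exception e)` rather than an explicit null check. This logic predates the reformat; `validate()` continues past the end of this hunk.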
@@ -222,86 +240,86 @@ public class VerifyXMLSignatureResponseValidator {
throw new ValidateException("validator.18", new Object[] { subjectDN });
} else {
Logger.debug("Identity link signer cert accepted for signing identity link: " +
- "subjectDN check failed, but OID check successfully passed.");
+ "subjectDN check failed, but OID check successfully passed.");
}
- } catch (X509ExtensionInitException e) {
+ } catch (final X509ExtensionInitException e) {
throw new ValidateException("validator.49", null);
}
} else {
Logger.debug("Identity link signer cert accepted for signing identity link: " +
- "subjectDN check successfully passed.");
+ "subjectDN check successfully passed.");
}
-
+
}
}
-
+
/**
* Method validateCertificate.
+ *
* @param verifyXMLSignatureResponse The VerifyXMLSignatureResponse
- * @param idl The Identitylink
+ * @param idl The Identitylink
* @throws ValidateException
*/
public void validateCertificate(
- IVerifiyXMLSignatureResponse verifyXMLSignatureResponse,
- IIdentityLink idl)
- throws ValidateException {
+ IVerifiyXMLSignatureResponse verifyXMLSignatureResponse,
+ IIdentityLink idl)
+ throws ValidateException {
- X509Certificate x509Response = verifyXMLSignatureResponse.getX509certificate();
- PublicKey[] pubKeysIdentityLink = (PublicKey[]) idl.getPublicKey();
+ final X509Certificate x509Response = verifyXMLSignatureResponse.getX509certificate();
+ final PublicKey[] pubKeysIdentityLink = idl.getPublicKey();
- PublicKey pubKeySignature = x509Response.getPublicKey();
+ final PublicKey pubKeySignature = x509Response.getPublicKey();
checkIDLAgainstSignatureCertificate(pubKeysIdentityLink, pubKeySignature);
-
+
}
-
-
- public void checkIDLAgainstSignatureCertificate( PublicKey[] pubKeysIdentityLink, PublicKey pubKeySignature) throws ValidateException {
+
+ public void checkIDLAgainstSignatureCertificate(PublicKey[] pubKeysIdentityLink, PublicKey pubKeySignature)
+ throws ValidateException {
boolean found = false;
- for (int i = 0; i < pubKeysIdentityLink.length; i++) {
- PublicKey idlPubKey = pubKeysIdentityLink[i];
- //compare RSAPublicKeys
- if ((idlPubKey instanceof java.security.interfaces.RSAPublicKey) &&
- (pubKeySignature instanceof java.security.interfaces.RSAPublicKey)) {
-
- RSAPublicKey rsaPubKeySignature = (RSAPublicKey) pubKeySignature;
- RSAPublicKey rsakey = (RSAPublicKey) pubKeysIdentityLink[i];
-
- if (rsakey.getModulus().equals(rsaPubKeySignature.getModulus())
- && rsakey.getPublicExponent().equals(rsaPubKeySignature.getPublicExponent()))
- found = true;
+ for (final PublicKey idlPubKey : pubKeysIdentityLink) {
+ // compare RSAPublicKeys
+ if (idlPubKey instanceof java.security.interfaces.RSAPublicKey &&
+ pubKeySignature instanceof java.security.interfaces.RSAPublicKey) {
+
+ final RSAPublicKey rsaPubKeySignature = (RSAPublicKey) pubKeySignature;
+ final RSAPublicKey rsakey = (RSAPublicKey) idlPubKey;
+
+ if (rsakey.getModulus().equals(rsaPubKeySignature.getModulus())
+ && rsakey.getPublicExponent().equals(rsaPubKeySignature.getPublicExponent())) {
+ found = true;
+ }
}
-
- //compare ECDSAPublicKeys
- if( ( (idlPubKey instanceof java.security.interfaces.ECPublicKey) ||
- (idlPubKey instanceof ECPublicKey)) &&
- ( (pubKeySignature instanceof java.security.interfaces.ECPublicKey) ||
- (pubKeySignature instanceof ECPublicKey) ) ) {
-
- try {
- ECPublicKey ecdsaPubKeySignature = new ECPublicKey(pubKeySignature.getEncoded());
- ECPublicKey ecdsakey = new ECPublicKey(pubKeysIdentityLink[i].getEncoded());
-
- if(ecdsakey.equals(ecdsaPubKeySignature))
- found = true;
-
- } catch (InvalidKeyException e) {
- Logger.warn("ECPublicKey can not parsed into a iaik.ECPublicKey", e);
- throw new ValidateException("validator.09", null);
- }
-
-
+
+ // compare ECDSAPublicKeys
+ if ((idlPubKey instanceof java.security.interfaces.ECPublicKey ||
+ idlPubKey instanceof ECPublicKey) &&
+ (pubKeySignature instanceof java.security.interfaces.ECPublicKey ||
+ pubKeySignature instanceof ECPublicKey)) {
+
+ try {
+ final ECPublicKey ecdsaPubKeySignature = new ECPublicKey(pubKeySignature.getEncoded());
+ final ECPublicKey ecdsakey = new ECPublicKey(idlPubKey.getEncoded());
+
+ if (ecdsakey.equals(ecdsaPubKeySignature)) {
+ found = true;
+ }
+
+ } catch (final InvalidKeyException e) {
+ Logger.warn("ECPublicKey can not parsed into a iaik.ECPublicKey", e);
+ throw new ValidateException("validator.09", null);
+ }
}
-
+
// Logger.debug("IDL-Pubkey=" + idl.getPublicKey()[i].getClass().getName()
// + " Resp-Pubkey=" + pubKeySignature.getClass().getName());
-
+
}
if (!found) {
-
+
throw new ValidateException("validator.09", null);
-
+
}
}
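Review bot: `checkIDLAgainstSignatureCertificate` iterates `pubKeysIdentityLink` in the for-each without a null check, so an identity link that yields no key array fails with a NullPointerException instead of the declared `ValidateException`; add `if (pubKeysIdentityLink == null || pubKeySignature == null) { throw new ValidateException("validator.09", null); }` ahead of the loop. The EC branch also re-parses `pubKeySignature.getEncoded()` into an IAIK `ECPublicKey` on every iteration, and a parse failure on a later identity-link key throws `validator.09` even when an earlier key already matched; parsing the signature key once before the loop, or leaving the loop as soon as `found` is true, would make the result depend only on whether a matching key exists. The removed `(PublicKey[])` cast in `validateCertificate` implies `IIdentityLink.getPublicKey()` now returns `PublicKey[]` directly; that interface change is outside this diff and worth confirming.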
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/MOASPSSTestCase.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/MOASPSSTestCase.java
index e79fa6aa4..721144106 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/MOASPSSTestCase.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/MOASPSSTestCase.java
@@ -67,7 +67,7 @@ public class MOASPSSTestCase extends UnitTestCase {
protected void setupSSL() {
System.setProperty("javax.net.debug", "all");
- Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+ //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty(
"java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
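Review bot: Commenting out `Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())` leaves the following `System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol")` pointing at a handler package from the same legacy provider that was just disabled, so the setup now configures a handler lookup without the provider it assumed; either drop that property as well or add a comment explaining why it is kept, and delete the dead line rather than commenting it out. `System.setProperty("javax.net.debug", "all")` is also still active and makes JSSE print handshake and session details to stdout on every test run; a test helper should not enable this unconditionally, e.g. `// NOTE: javax.net.debug=all dumps TLS handshake details to stdout; enable only when debugging locally`. `setupSSL()` continues past the end of this hunk.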
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
index d7cc2bd3a..74efff39f 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -28,6 +28,7 @@ import javax.servlet.http.Part;
import org.junit.Assert;
import org.junit.BeforeClass;
+import org.junit.Ignore;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.BlockJUnit4ClassRunner;
@@ -231,6 +232,7 @@ public class ParamValidatorUtilsTest {
}
+ @Ignore
@Test
public void templateLazyWhitelistNine() {
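Review bot: `@Ignore` is added to `templateLazyWhitelistNine` with no reason, so a test that by its name covers the template whitelist in `ParamValidatorUtils` is silently dropped and nothing records whether the whitelist behaviour changed or the expectation was wrong; use the reason form, `@Ignore("lazy whitelist case nine: <why disabled / tracking reference>")`, so the skip is visible in test reports. Disabling an input-validation test should be tied to the behaviour change that motivated it, which is not visible in this diff. The body of the test method lies outside the hunk.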
@@ -247,6 +249,7 @@ public class ParamValidatorUtilsTest {
}
+ @Ignore
@Test
public void templateLazyWhitelistTen() {