diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-11-21 12:14:09 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-11-21 12:14:09 +0100 |
commit | b1940fc000b40808a7d173125d5552e9e0424024 (patch) | |
tree | ab96581fd3522525e8d30647de875d8f7834790b /id/server/moa-id-commons/src/main | |
parent | 27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (diff) | |
parent | 1b5e11112af6bbe48bfb5c95c8b75ae90f3edb22 (diff) | |
download | moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.gz moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.bz2 moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.zip |
Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation
Diffstat (limited to 'id/server/moa-id-commons/src/main')
9 files changed, 206 insertions, 67 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java index d8d3dbeee..6f6735d48 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java @@ -9,6 +9,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import iaik.asn1.ObjectID; @@ -123,12 +124,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{ /** List of OWs */ public static final List<ObjectID> OW_LIST = Arrays.asList( new ObjectID(OW_ORGANWALTER)); - - /**BKU type identifiers to use bkuURI from configuration*/ - public static final String REQ_BKU_TYPE_LOCAL = "local"; - public static final String REQ_BKU_TYPE_ONLINE = "online"; - public static final String REQ_BKU_TYPE_HANDY = "handy"; - public static final List<String> REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY); + + public static final List<String> REQ_BKU_TYPES = Arrays.asList( + IOAAuthParameters.HANDYBKU, + IOAAuthParameters.LOCALBKU, + IOAAuthParameters.THIRDBKU, + IOAAuthParameters.ONLINEBKU); public static final List<String> LEGACYPARAMETERWHITELIST = Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID); @@ -178,19 +179,25 @@ public class MOAIDAuthConstants extends MOAIDConstants{ //AuthnRequest IssueInstant validation public static final int TIME_JITTER = 5; //all 5 minutes time jitter - + + //General MOASession data-store keys + public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; + + //Process context keys public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication"; public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication"; public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection"; public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest"; public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId"; + public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE; //General protocol-request data-store keys + public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; + + @Deprecated public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; + @Deprecated public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName"; - public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; - //General MOASession data-store keys - public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; - + } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java index e9f9a7e80..98f0616a5 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java @@ -28,6 +28,8 @@ import java.util.Hashtable; import java.util.List; import java.util.Map; +import at.gv.egovernment.moa.util.Constants; + /** * @author tlenz * @@ -40,9 +42,15 @@ public class MOAIDConstants { public static final String FILE_URI_PREFIX = "file:/"; - public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; - public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+"; - public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+"; + public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID; + public static final String PREFIX_PBK = Constants.URN_PREFIX_BPK; + public static final String PREFIX_HPI = Constants.URN_PREFIX_HPI; + + public static final String PREFIX_CDID = Constants.URN_PREFIX_CDID + "+"; + public static final String PREFIX_WPBK = Constants.URN_PREFIX_WBPK + "+"; + public static final String PREFIX_STORK = Constants.URN_PREFIX_STORK + "+"; + public static final String PREFIX_EIDAS = Constants.URN_PREFIX_EIDAS + "+"; + public static final String IDENIFICATIONTYPE_FN = "FN"; public static final String IDENIFICATIONTYPE_ERSB = "ERSB"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java index bba6d0541..1e1bfa94b 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -38,9 +39,16 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; */ public interface IOAAuthParameters { - public static final String ONLINEBKU = "online"; + public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing"; + public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission"; + + public static final String THIRDBKU = "thirdBKU"; public static final String HANDYBKU = "handy"; public static final String LOCALBKU = "local"; + + @Deprecated + public static final String ONLINEBKU = "online"; + public static final String INDERFEDERATEDIDP = "interfederated"; public static final String EIDAS = "eIDAS"; public static final String AUTHTYPE_OTHERS = "others"; @@ -63,20 +71,52 @@ public interface IOAAuthParameters { public String getFriendlyName(); public String getPublicURLPrefix(); - - public String getOaType(); - public boolean getBusinessService(); + /** + * Indicates if this online applications has private area restrictions that disallow baseId processing in general + * This restriction is evaluated from area-identifier of this online application and a policy from configuration. + * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values + * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix + * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs + * + * @return true if there is a restriction, otherwise false + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException; + /** - * Get target of a public service-provider + * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA + * This restriction is evaluated from area-identifier of this online application and a policy from configuration. + * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values + * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix + * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs * - * @return target identifier without prefix + * @return true if there is a restriction, otherwise false + * @throws ConfigurationException In case of online-application configuration has public and private identifies */ - public String getTarget(); + public boolean hasBaseIdTransferRestriction() throws ConfigurationException; - public String getTargetFriendlyName(); + /** + * Get the full area-identifier for this online application to calculate the + * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...). + * This identifier always contains the full prefix + * + * @return area identifier with prefix + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public String getAreaSpecificTargetIdentifier() throws ConfigurationException; + + /** + * Get a friendly name for the specific area-identifier of this online application + * + * @return fiendly name of the area-identifier + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException; + + public boolean isInderfederationIDP(); public boolean isSTORKPVPGateway(); @@ -84,13 +124,6 @@ public interface IOAAuthParameters { public boolean isRemovePBKFromAuthBlock(); /** - * Return the private-service domain-identifier with PreFix - * - * @return the identityLinkDomainIdentifier - */ - public String getIdentityLinkDomainIdentifier(); - - /** * @return the keyBoxIdentifier */ public String getKeyBoxIdentifier(); @@ -138,11 +171,6 @@ public interface IOAAuthParameters { */ public List<String> getMandateProfiles(); - /** - * @return the identityLinkDomainIdentifierType - */ - public String getIdentityLinkDomainIdentifierType(); - public boolean isShowMandateCheckBox(); public boolean isOnlyMandateAllowed(); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java index b2d90aed4..bc4cd72af 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java @@ -44,7 +44,8 @@ public interface IStorkConfig { boolean isSTORKAuthentication(String ccc); - CPEPS getCPEPS(String ccc); + CPEPS getCPEPSWithFullName(String ccc); + CPEPS getCPEPSWithCC(String ccc); List<StorkAttribute> getStorkAttributes(); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java index 5091195d8..93f26051c 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java @@ -208,7 +208,7 @@ public class ConfigurationMigrationUtils { if (bkuurls != null) { result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, bkuurls.getHandyBKU()); result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, bkuurls.getLocalBKU()); - result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, bkuurls.getOnlineBKU()); + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, bkuurls.getOnlineBKU()); } @@ -831,7 +831,7 @@ public class ConfigurationMigrationUtils { authoa.setBKUURLS(bkuruls); bkuruls.setHandyBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY)); bkuruls.setLocalBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL)); - bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE)); + bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD)); //store SecurtiyLayerTemplates TemplatesType templates = authoa.getTemplates(); @@ -1438,7 +1438,7 @@ public class ConfigurationMigrationUtils { defaultbkus.getHandyBKU()); result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL, defaultbkus.getLocalBKU()); - result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, + result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, defaultbkus.getOnlineBKU()); } @@ -1448,7 +1448,7 @@ public class ConfigurationMigrationUtils { slreq.getHandyBKU()); result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL, slreq.getLocalBKU()); - result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, + result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, slreq.getOnlineBKU()); } @@ -1711,8 +1711,8 @@ public class ConfigurationMigrationUtils { if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY))) dbbkus.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY)); - if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE))) - dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)); + if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD))) + dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)); if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL))) dbbkus.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)); @@ -1900,8 +1900,8 @@ public class ConfigurationMigrationUtils { slrequesttempl.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY)); if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL))) slrequesttempl.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)); - if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE))) - slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)); + if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD))) + slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)); if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL))) dbconfig.setTrustedCACertificates(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL)); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java index b72034002..695df3123 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java @@ -70,7 +70,7 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants { public static final String SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME = SERVICE_AUTH_TARGET_PUBLIC + ".own.name"; private static final String SERVICE_AUTH_BKU = AUTH + "." + BKU; - public static final String SERVICE_AUTH_BKU_ONLINE = SERVICE_AUTH_BKU + ".onlineBKU"; + public static final String SERVICE_AUTH_BKU_THIRD = SERVICE_AUTH_BKU + ".onlineBKU"; public static final String SERVICE_AUTH_BKU_LOCAL = SERVICE_AUTH_BKU + ".localBKU"; public static final String SERVICE_AUTH_BKU_HANDY = SERVICE_AUTH_BKU + ".handyBKU"; public static final String SERVICE_AUTH_BKU_KEYBOXIDENTIFIER = SERVICE_AUTH_BKU + ".keyBoxIdentifier"; @@ -196,13 +196,13 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants { private static final String GENERAL_DEFAULTS = PREFIX_MOAID_GENERAL + ".defaults"; private static final String GENERAL_DEFAULTS_BKU = GENERAL_DEFAULTS + "." + BKU; - public static final String GENERAL_DEFAULTS_BKU_ONLINE = GENERAL_DEFAULTS_BKU + ".onlineBKU"; + public static final String GENERAL_DEFAULTS_BKU_THIRD = GENERAL_DEFAULTS_BKU + ".onlineBKU"; public static final String GENERAL_DEFAULTS_BKU_HANDY = GENERAL_DEFAULTS_BKU + ".handyBKU"; public static final String GENERAL_DEFAULTS_BKU_LOCAL = GENERAL_DEFAULTS_BKU + ".localBKU"; private static final String GENERAL_DEFAULTS_TEMPLATES = GENERAL_DEFAULTS + "." + TEMPLATES; public static final String GENERAL_DEFAULTS_TEMPLATES_LOCAL = GENERAL_DEFAULTS_TEMPLATES + ".localBKU"; public static final String GENERAL_DEFAULTS_TEMPLATES_HANDY = GENERAL_DEFAULTS_TEMPLATES + ".handyBKU"; - public static final String GENERAL_DEFAULTS_TEMPLATES_ONLINE = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU"; + public static final String GENERAL_DEFAULTS_TEMPLATES_THIRD = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU"; private static final String GENERAL_AUTH = PREFIX_MOAID_GENERAL + ".auth"; private static final String GENERAL_AUTH_CERTIFICATE = GENERAL_AUTH + ".certificate"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java index 9fc6f799d..dd606ea18 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java @@ -57,6 +57,8 @@ import java.util.ArrayList; import java.util.List; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.jsse.IAIKX509TrustManager; @@ -72,21 +74,27 @@ import iaik.pki.jsse.IAIKX509TrustManager; public class MOAIDTrustManager extends IAIKX509TrustManager { /** an x509Certificate array containing all accepted server certificates*/ - private X509Certificate[] acceptedServerCertificates; + private X509Certificate[] acceptedServerCertificates = null; /** * Constructor * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store * @throws GeneralSecurityException occurs on security errors * @throws IOException occurs on IO errors + * @throws SSLConfigurationException */ public MOAIDTrustManager(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { + throws IOException, GeneralSecurityException, SSLConfigurationException { - if (acceptedServerCertificateStoreURL != null) - buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); - else - acceptedServerCertificates = null; + if (acceptedServerCertificateStoreURL != null && MiscUtil.isNotEmpty(acceptedServerCertificateStoreURL.trim())) { + Logger.info("Initialize SSL-TrustStore with explicit accepted server-certificates"); + buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); + + } else { + Logger.info("Initialize SSL-TrustStore without explicit accepted server-certificates"); + acceptedServerCertificates = null; + + } } @@ -111,26 +119,72 @@ public class MOAIDTrustManager extends IAIKX509TrustManager { * containing accepted server X509 certificates * @throws GeneralSecurityException on security errors * @throws IOException on any IO errors + * @throws SSLConfigurationException */ private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { - + throws IOException, GeneralSecurityException, SSLConfigurationException { List<X509Certificate> certList = new ArrayList<X509Certificate>(); URL storeURL = new URL(acceptedServerCertificateStoreURL); + + //check URL to TrustStore + if (storeURL.getFile() == null) { + Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL + + " is NOT found"); + throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"}); + + } File storeDir = new File(storeURL.getFile()); - // list certificate files in directory - File[] certFiles = storeDir.listFiles(); + + //check directory and files + if (storeDir == null || storeDir.listFiles() == null) { + Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL + + " is NOT found"); + throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"}); + + } + + // list certificate files in directory + File[] certFiles = storeDir.listFiles(); for (int i = 0; i < certFiles.length; i++) { - // for each: create an X509Certificate and store it in list - File certFile = certFiles[i]; - FileInputStream fis = new FileInputStream(certFile.getPath()); - CertificateFactory certFact = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); - fis.close(); - certList.add(cert); + // for each: create an X509Certificate and store it in list + File certFile = certFiles[i]; + FileInputStream fis = null; + try { + fis = new FileInputStream(certFile.getPath()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); + certList.add(cert); + + } catch (Exception e) { + Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath() + + " is not loadable, Reason: " + e.getMessage()); + + if (Logger.isDebugEnabled()) { + try { + if (fis != null) + Logger.debug("Certificate: " + Base64Utils.encode(fis)); + + } catch (Exception e1) { + Logger.warn("Can NOT log content of certificate: " + certFile.getPath() + + ". Reason: " + e.getMessage(), e); + + } + } + + throw new SSLConfigurationException("config.28", new Object[]{certFile.getPath(), e.getMessage()}, e); + + } finally { + if (fis != null) + fis.close(); + + } } + // store acceptedServerCertificates acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); + Logger.debug("Add #" + acceptedServerCertificates.length + + " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL ); + } /** diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java index 2a4e3b362..c94222ea0 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -396,10 +396,16 @@ public interface Constants { /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/ - public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas"; + public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas"; public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions"; public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd"; + + /* Prefix and Schema for SAML2 Entity Attributes */ + public static final String SAML2_MDATTR_EXTENSIONS_PREFIX = "mdattr"; + public static final String SAML2_MDATTR_EXTENSIONS = "urn:oasis:names:tc:SAML:metadata:attribute"; + public static final String SAML2_MDATTR_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "sstc-metadata-attr.xsd"; + /** * Contains all namespaces and local schema locations for XML schema * definitions relevant for MOA. For use in validating XML parsers. @@ -433,8 +439,9 @@ public interface Constants { + (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ") + (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ") + (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ") - + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION) - + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION); + + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION + " ") + + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION + " ") + + (SAML2_MDATTR_EXTENSIONS + " " + SAML2_MDATTR_EXTENSIONS_SCHEMA_LOCATION); /** URN prefix for bPK and wbPK. */ public static final String URN_PREFIX = "urn:publicid:gv.at"; @@ -454,7 +461,6 @@ public interface Constants { /** URN prefix for context dependent id (stork). */ public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid"; - //TODO: update to eIDAS prefix /** URN prefix for context dependent id (eIDAS). */ public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid"; diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd new file mode 100644 index 000000000..f23e462a5 --- /dev/null +++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd @@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="UTF-8"?> +<schema + targetNamespace="urn:oasis:names:tc:SAML:metadata:attribute" + xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" + elementFormDefault="unqualified" + attributeFormDefault="unqualified" + blockDefault="substitution" + version="2.0"> + + <annotation> + <documentation> + Document title: SAML V2.0 Metadata Extention for Entity Attributes Schema + Document identifier: sstc-metadata-attr.xsd + Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security + Revision history: + V1.0 (November 2008): + Initial version. + </documentation> + </annotation> + + <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" + schemaLocation="saml-schema-assertion-2.0.xsd"/> + + <element name="EntityAttributes" type="mdattr:EntityAttributesType"/> + <complexType name="EntityAttributesType"> + <choice maxOccurs="unbounded"> + <element ref="saml:Attribute"/> + <element ref="saml:Assertion"/> + </choice> + </complexType> + +</schema> + |