aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-eIDAS/src/main
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-09-20 16:00:31 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-09-20 16:00:31 +0200
commit5f690a9ddc9a28a91e6f78ffebd859be9c4eb430 (patch)
treeb53de02d96729086bc3601594763a49e9db6859f /id/server/modules/moa-id-module-eIDAS/src/main
parenta2555b24a8a956fa2fa65bd69e2cac3227e9405f (diff)
downloadmoa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.tar.gz
moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.tar.bz2
moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.zip
fix bug in eIDAS SAML-engine to allow 2 minutes time jitter in Assertion->Conditions element
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java7
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java83
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java20
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml42
5 files changed, 151 insertions, 3 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 7664eec86..035a9e7f6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -67,7 +67,7 @@ public class Constants {
//timeouts and clock skews
- public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
+ public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout
public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
index f214efc90..c24c5efca 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
@@ -32,6 +32,8 @@ import eu.eidas.auth.engine.metadata.MetadataSignerI;
*/
public class MOAEidasProtocolProcesser extends EidasProtocolProcessor {
+ private static final String OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID = "moaEidasResponseValidatorSuiteId";
+
private final MetadataFetcherI metadataFetcher;
private final MetadataSignerI metadataSigner;
@@ -46,5 +48,10 @@ public class MOAEidasProtocolProcesser extends EidasProtocolProcessor {
this.metadataSigner = metadataSigner;
}
+
+ @Override
+ public String getResponseValidatorId() {
+ return OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID;
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
new file mode 100644
index 000000000..d9453322f
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine.validation;
+
+import org.joda.time.DateTime;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.validator.ConditionsSpecValidator;
+import org.opensaml.xml.validation.ValidationException;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ * MOA-ID specific eIDAS Response Condition validator
+ *
+ * This validator allows time jitter in 'notBefore' validation
+ *
+ */
+
+public class MoaEidasConditionsValidator extends ConditionsSpecValidator {
+
+
+
+ @Override
+ public void validate(Conditions conditions) throws ValidationException {
+ Logger.debug("conditions.getNotBefore() "+ conditions.getNotBefore());
+ Logger.debug("conditions.getNotOnOrAfter() "+ conditions.getNotOnOrAfter());
+ Logger.debug("dateTime.now() "+ DateTime.now());
+
+ super.validate(conditions);
+
+ if (conditions.getNotBefore() == null) {
+
+ throw new ValidationException("NotBefore is required.");
+ }
+
+ if (conditions.getNotBefore().minusMillis(Constants.CONFIG_PROPS_SKEWTIME).isAfterNow()) {
+ throw new ValidationException("Current time is before NotBefore condition");
+ }
+
+ if (conditions.getNotOnOrAfter() == null) {
+
+ throw new ValidationException("NotOnOrAfter is required.");
+ }
+ if (conditions.getNotOnOrAfter().isBeforeNow()) {
+
+ throw new ValidationException("Current time is after NotOnOrAfter condition");
+ }
+
+ if (conditions.getAudienceRestrictions() == null || conditions.getAudienceRestrictions().isEmpty()) {
+
+ throw new ValidationException("AudienceRestriction is required.");
+ }
+
+ if (conditions.getOneTimeUse() == null) {
+
+ throw new ValidationException("OneTimeUse is required.");
+ }
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index b95d4359f..eb50c113f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -22,9 +22,13 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
+import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.XMLConfigurator;
+
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl;
import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOASWSigner;
@@ -38,6 +42,7 @@ import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.auth.engine.SamlEngineSystemClock;
import eu.eidas.auth.engine.metadata.MetadataFetcherI;
import eu.eidas.auth.engine.metadata.MetadataSignerI;
+import eu.eidas.auth.engine.xml.opensaml.SAMLBootstrap;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import eu.eidas.samlengineconfig.CertificateConfigurationManager;
@@ -76,10 +81,15 @@ public class SAMLEngineUtils {
//build a map with all actually supported attributes
for (AttributeDefinition<?> el : engine.getProtocolProcessor().getAllSupportedAttributes())
allSupportedAttributeMap.put(el.getFriendlyName(), el);
-
+
+ //TODO: check if bug is fixed in next eIDAS SAML-engine version
+ //overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
+ initOpenSAMLConfig("own-saml-eidasnode-config.xml");
+
+
eIDASEngine = engine;
- } catch (EIDASSAMLEngineException e) {
+ } catch (EIDASSAMLEngineException | ConfigurationException e) {
Logger.error("eIDAS SAMLengine initialization FAILED!", e);
throw new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e);
@@ -127,6 +137,12 @@ public class SAMLEngineUtils {
}
}
+ private static void initOpenSAMLConfig(String xmlConfig) throws ConfigurationException {
+ XMLConfigurator configurator = new XMLConfigurator();
+ InputStream is = SAMLBootstrap.class.getClassLoader().getResourceAsStream(xmlConfig);
+ configurator.load(is);
+
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml b/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml
new file mode 100644
index 000000000..856ebd96a
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<XMLTooling xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.opensaml.org/xmltooling-config ../../src/schema/xmltooling-config.xsd"
+ xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:stork="urn:eu:stork:names:tc:STORK:1.0:assertion"
+ xmlns:storkp="urn:eu:stork:names:tc:STORK:1.0:protocol"
+ xmlns:eidas="http://eidas.europa.eu/saml-extensions"
+ xmlns="http://www.opensaml.org/xmltooling-config">
+
+<!-- SAML 2.0 Protocol Object providers -->
+ <ValidatorSuites>
+ <!-- SAML 2.0 Schema Validation Rules -->
+
+ <ValidatorSuite id="moaEidasResponseValidatorSuiteId">
+
+ <Validator qualifiedName="saml2p:Response"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasResponseOneAssertionValidator"/>
+
+ <Validator qualifiedName="saml2p:Response"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasResponseValidator"/>
+
+ <Validator qualifiedName="saml2:Assertion"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasAssertionValidator"/>
+
+
+ <Validator qualifiedName="saml2:Conditions"
+ className="at.gv.egovernment.moa.id.auth.modules.eidas.engine.validation.MoaEidasConditionsValidator"/>
+
+ <Validator qualifiedName="saml2:AuthnStatement"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasAuthnStatementValidator"/>
+
+ <Validator qualifiedName="saml2:Attribute"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasAttributeValidator"/>
+
+ </ValidatorSuite>
+
+
+ </ValidatorSuites>
+
+
+</XMLTooling> \ No newline at end of file