add logging

add validation of decryption-key
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-06-26 10:29:39 +0200
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-06-26 10:29:39 +0200
commit: 7aded182c8ee6538c9b2fc55e1b73ada926ba6f6 (patch)
tree: 683699d1b162290fb90568a2bda643a42ab9aa5e /id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
parent: 30e324851d67bd900471457e3c30a19b4073ec77 (diff)
download: moa-id-spss-7aded182c8ee6538c9b2fc55e1b73ada926ba6f6.tar.gz
moa-id-spss-7aded182c8ee6538c9b2fc55e1b73ada926ba6f6.tar.bz2
moa-id-spss-7aded182c8ee6538c9b2fc55e1b73ada926ba6f6.zip
1 files changed, 44 insertions, 6 deletions
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index f7e635b3b..8456cfad5 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -20,6 +20,7 @@ import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwx.JsonWebStructure;
+import org.jose4j.keys.X509Util;
 import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
 import org.jose4j.lang.JoseException;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -78,7 +79,7 @@ public class JsonSecurityUtils implements IJOSETools{
 			try {
 				encPrivKey = keyStore.getKey(getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray());
 				if (encPrivKey != null) {
-					Certificate[] certChainEncryption = keyStore.getCertificateChain(getSigningKeyAlias());
+					Certificate[] certChainEncryption = keyStore.getCertificateChain(getEncryptionKeyAlias());
 					encCertChain = new X509Certificate[certChainEncryption.length];
 					for (int i=0; i<certChainEncryption.length; i++) {
 						if (certChainEncryption[i] instanceof X509Certificate) {
@@ -242,9 +243,9 @@ public class JsonSecurityUtils implements IJOSETools{
 
 	@Override
 	public JsonElement decryptPayload(String compactSerialization) throws SL20Exception {
-		try {
+		try {			
 			JsonWebEncryption receiverJwe = new JsonWebEncryption();
-		
+					
 			//set security constrains
 			receiverJwe.setAlgorithmConstraints(
 					new AlgorithmConstraints(ConstraintType.WHITELIST,
@@ -255,12 +256,49 @@ public class JsonSecurityUtils implements IJOSETools{
 		
 			//set payload
 			receiverJwe.setCompactSerialization(compactSerialization);
+
+			
+			//validate key from header against key from config
+			List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue();
+			String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue();
+			if (x5cCerts != null) {
+				Logger.debug("Found x509 certificate in JOSE header ... ");
+				Logger.trace("Sorting received X509 certificates ... ");
+				List<X509Certificate> sortedX5cCerts  = X509Utils.sortCertificates(x5cCerts);
+				
+				if (!sortedX5cCerts.get(0).equals(encCertChain[0])) {
+					Logger.info("Certificate from JOSE header does NOT match encryption certificate");
+					Logger.debug("JOSE certificate: " + sortedX5cCerts.get(0).toString());
 					
-			//TODO: validate key from header against key from config
-		
-			//decrypt payload
+					try {
+						Logger.debug("Cert: " + Base64Utils.encode(sortedX5cCerts.get(0).getEncoded()));
+					} catch (CertificateEncodingException | IOException e) {
+						e.printStackTrace();
+					}
+					throw new SL20Exception("sl20.05", new Object[]{"Certificate from JOSE header does NOT match encryption certificate"});
+				}
+				
+			} else if (MiscUtil.isNotEmpty(x5t256)) {
+				Logger.debug("Found x5t256 fingerprint in JOSE header .... ");
+				String certFingerPrint = X509Util.x5tS256(encCertChain[0]);
+				if (!certFingerPrint.equals(x5t256)) {
+					Logger.info("X5t256 from JOSE header does NOT match encryption certificate");
+					Logger.debug("X5t256 from JOSE header: " + x5t256 + " Encrytption cert: " + certFingerPrint);
+					throw new SL20Exception("sl20.05", new Object[]{"X5t256 from JOSE header does NOT match encryption certificate"});
+					
+				}
+				
+			} else {
+				Logger.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
+				throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
+				
+			}
+						
+			//set key
 			receiverJwe.setKey(encPrivKey);
 			
+						
+			//decrypt payload			
 			return new JsonParser().parse(receiverJwe.getPlaintextString());
 			
 		} catch (JoseException e) {
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-06-26 10:29:39 +0200
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-06-26 10:29:39 +0200
commit	7aded182c8ee6538c9b2fc55e1b73ada926ba6f6 (patch)
tree	683699d1b162290fb90568a2bda643a42ab9aa5e /id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
parent	30e324851d67bd900471457e3c30a19b4073ec77 (diff)
download	moa-id-spss-7aded182c8ee6538c9b2fc55e1b73ada926ba6f6.tar.gz moa-id-spss-7aded182c8ee6538c9b2fc55e1b73ada926ba6f6.tar.bz2 moa-id-spss-7aded182c8ee6538c9b2fc55e1b73ada926ba6f6.zip