add result decryption for SL2.0 authentication module

7 files changed, 93 insertions, 24 deletions

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
index bcbda3faf..6fd1c3c4d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
@@ -2,8 +2,11 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
 
 import java.security.cert.X509Certificate;
 
+import com.google.gson.JsonElement;
+
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20SecurityException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuildException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
 
@@ -33,5 +36,14 @@ public interface IJOSETools {
 	 * @return
 	 */
 	public X509Certificate getEncryptionCertificate();
+
+	/**
+	 * Decrypt a serialized JWE token
+	 * 
+	 * @param compactSerialization Serialized JWE token
+	 * @return decrypted payload
+	 * @throws SL20Exception 
+	 */
+	public JsonElement decryptPayload(String compactSerialization) throws SL20Exception;
 	 
 }
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index 7dd5c39ab..e0965c712 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -11,6 +11,7 @@ import javax.annotation.PostConstruct;
 
 import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.lang.JoseException;
@@ -19,6 +20,7 @@ import org.springframework.stereotype.Service;
 
 import com.google.gson.JsonElement;
 import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
 
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
@@ -177,6 +179,43 @@ public class JsonSecurityUtils implements IJOSETools{
 					
 	}
 	
+
+	@Override
+	public JsonElement decryptPayload(String compactSerialization) throws SL20Exception {
+		try {
+			JsonWebEncryption receiverJwe = new JsonWebEncryption();
+		
+			//set security constrains
+			receiverJwe.setAlgorithmConstraints(
+					new AlgorithmConstraints(ConstraintType.WHITELIST,
+							SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.size()])));
+			receiverJwe.setContentEncryptionAlgorithmConstraints(
+					new AlgorithmConstraints(ConstraintType.WHITELIST,
+							SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.size()])));
+		
+			//set payload
+			receiverJwe.setCompactSerialization(compactSerialization);
+					
+			//TODO: validate key from header against key from config
+		
+			//decrypt payload
+			receiverJwe.setKey(encPrivKey);
+			
+			return new JsonParser().parse(receiverJwe.getPlaintextString());
+			
+		} catch (JoseException e) {
+			Logger.warn("SL2.0 result decryption FAILED", e);
+			throw new SL20SecurityException(new Object[]{e.getMessage()}, e);
+			
+		} catch ( JsonSyntaxException e) {
+			Logger.warn("Decrypted SL2.0 result is NOT a valid JSON.", e);
+			throw new SLCommandoParserException("Decrypted SL2.0 result is NOT a valid JSON.", e);
+			
+		}
+		
+	}
+	
+	
 	
 	@Override
 	public X509Certificate getEncryptionCertificate() {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
index e84dacc23..b855c3cac 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
@@ -3,6 +3,8 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
 import java.util.Arrays;
 import java.util.List;
 
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
 import org.jose4j.jws.AlgorithmIdentifiers;
 
 public class SL20Constants {
@@ -41,14 +43,25 @@ public class SL20Constants {
 			JSON_ALGORITHM_SIGNING_PS512
 			);
 	
-	public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = "RSA-OAEP";
-	public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = "RSA-OAEP-256";
+	public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = KeyManagementAlgorithmIdentifiers.RSA_OAEP;
+	public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = KeyManagementAlgorithmIdentifiers.RSA_OAEP_256;
 	
-	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = "A128CBC-HS256";
-	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = "A256CBC-HS512";
-	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = "A128GCM";
-	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = "A256GCM";
+	public static final List<String> SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = Arrays.asList(
+			JSON_ALGORITHM_ENC_KEY_RSAOAEP,
+			JSON_ALGORITHM_ENC_KEY_RSAOAEP256
+			);
 	
+	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256;
+	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = ContentEncryptionAlgorithmIdentifiers.AES_256_CBC_HMAC_SHA_512;
+	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = ContentEncryptionAlgorithmIdentifiers.AES_128_GCM;
+	public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = ContentEncryptionAlgorithmIdentifiers.AES_256_GCM;
+	
+	public static final List<String> SL20_ALGORITHM_WHITELIST_ENCRYPTION = Arrays.asList(
+			JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256,
+			JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512,
+			JSON_ALGORITHM_ENC_PAYLOAD_A128GCM,
+			JSON_ALGORITHM_ENC_PAYLOAD_A256GCM
+		);
 	
 	
 	//*********************************************************************************************
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
index cfffed881..cc7137a0f 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
@@ -34,7 +34,8 @@ public class SL20HttpBindingUtils {
 			Logger.debug("Client request containts is no native client ... ");
 			URIBuilder clientRedirectURI = new URIBuilder(redirectURL);
 			clientRedirectURI.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Forward.toString());
-			response.sendRedirect(clientRedirectURI.build().toString());
+			response.setStatus(307);
+			response.setHeader("Location", clientRedirectURI.build().toString());
 			
 		}
 		
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index e1444c95f..e01945df0 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -146,7 +146,7 @@ public class SL20JSONExtractorUtils {
 	}
 	
 	
-	public static JsonElement extractSL20Result(JsonObject command, JsonSecurityUtils encrypter, boolean mustBeEncrypted) throws SLCommandoParserException {
+	public static JsonElement extractSL20Result(JsonObject command, IJOSETools decrypter, boolean mustBeEncrypted) throws SL20Exception {
 		JsonElement result = command.get(SL20Constants.SL20_COMMAND_CONTAINER_RESULT);
 		JsonElement encryptedResult = command.get(SL20Constants.SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT);
 		
@@ -162,12 +162,21 @@ public class SL20JSONExtractorUtils {
 		else if (result != null)
 			return result;
 		
-		else if (encryptedResult != null) {
-			//TODO: Add correct signature validation			 
+		else if (encryptedResult != null && encryptedResult.isJsonPrimitive()) {
+			/*TODO:
+			 * 
+			 * Remove dummy code and test real decryption!!!!!
+			 * 
+			 */			
+
+			//return decrypter.decryptPayload(encryptedResult.getAsString());
+
+			//dummy code
 			String[] signedPayload = encryptedResult.toString().split("\\.");
 			JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
 			return payLoad;
 			
+			
 		} else
 			throw new SLCommandoParserException("Internal build error");
 		
@@ -202,10 +211,10 @@ public class SL20JSONExtractorUtils {
 		else if (sl20Payload != null)
 			return new VerificationResult(sl20Payload.getAsJsonObject());
 		
-		else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive())
+		else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive()) {	
 			return joseTools.validateSignature(sl20SignedPayload.getAsString());
-			
-		else
+						
+		} else
 			throw new SLCommandoParserException("Internal build error");
 			
 		
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 1e15e893e..b1dfa9b0d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -1,6 +1,5 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
 
-import java.io.StringWriter;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -16,7 +15,6 @@ import org.apache.http.NameValuePair;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.utils.URIBuilder;
-import org.apache.http.entity.ContentType;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.message.BasicNameValuePair;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -78,8 +76,6 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				//build DataURL for qualified eID response
 				String dataURL = new DataURLBuilder().buildDataURL(
 						pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID());
-//				String dataURL = new DataURLBuilder().buildDataURL(
-//						"http://labda.iaik.tugraz.at:8080/moa-id-auth/", Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID());
 				
 				//build qualifiedeID command
 				Map<String, String> qualifiedeIDParams = new HashMap<String, String>();
@@ -146,6 +142,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 					requestStoreage.storePendingRequest(pendingReq);
 
 					//forward SL2.0 command
+					//TODO: maybe add SL2ClientType Header from execution context
 					SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL);
 													
 				} else {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 6d2163ff1..698546a4f 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -92,7 +92,6 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			
 			
 			//validate signature
-			//TODO:
 			VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
 			if (payLoadContainer.isValidSigned() == null || 
 					!payLoadContainer.isValidSigned()) {
@@ -104,6 +103,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			//TODO validate certificate
 			List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
 			
+			
 			//extract payloaf
 			JsonObject payLoad = payLoadContainer.getPayload();
 			
@@ -112,12 +112,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 					payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
 						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) {
 				Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... ");
-				
-				
-				//TODO: add decryption
-				JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, null, false);
-				
-				
+								
+				//TODO: activate decryption in 'SL20JSONExtractorUtils.extractSL20Result'
+				JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, joseTools, false);
+								
 				//extract attributes from result
 				String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
 										SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);