authorThomas Lenz <tlenz@iaik.tugraz.at>2014-08-19 15:03:42 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-08-19 15:03:42 +0200
commit1ab0f1d4d991464b906c34befefe2ecaf485d485 (patch)
treee84f4deb090dda11b5fb318019b6e0bce9efc86c /id/server
parent296ebbfb36ef207abe4611cb8d3727d2f86a692b (diff)
add interfederation without AttributeQuery request which uses encrypted bPKs
(this functionality is required for federation with USP)
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java355
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java94
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java46
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java36
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java127
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java70
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java89
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java157
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java71
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java132
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java2
-rw-r--r--id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd28
22 files changed, 1085 insertions, 234 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index ddcc6e1d1..3c029f261 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -24,31 +24,35 @@ package at.gv.egovernment.moa.id.auth.builder;
import iaik.x509.X509Certificate;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.security.PrivateKey;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
-import java.util.GregorianCalendar;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
-import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
-import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.SecurityException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-import eu.stork.peps.auth.commons.PersonalAttribute;
-import eu.stork.peps.auth.commons.PersonalAttributeList;
-
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
@@ -151,7 +155,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
-
}
InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
@@ -295,9 +298,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
}
+
+ //create assertion attribute extractor from AttributeQuery response
+ extractor = new AssertionAttributeExtractor(intfResp);
+
}
//parse response information to authData
- buildAuthDataFormInterfederationResponse(authdata, session, intfResp);
+ buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);
} catch (SOAPException e) {
throw new BuildException("builder.06", null, e);
@@ -320,146 +327,242 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
- private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session,
- Response intfResp) throws BuildException, AssertionAttributeExtractorExeption {
+ private static void buildAuthDataFormInterfederationResponse(
+ AuthenticationData authData,
+ AuthenticationSession session,
+ AssertionAttributeExtractor extractor,
+ IOAAuthParameters oaParam)
+ throws BuildException, AssertionAttributeExtractorExeption {
Logger.debug("Build AuthData from assertion starts ....");
- Assertion assertion = intfResp.getAssertions().get(0);
+ authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME));
+ authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME));
+ authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME));
+ authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME));
+ authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME));
+ authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME));
+ authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME));
+ authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME));
- if (assertion.getAttributeStatements().size() == 0) {
- Logger.warn("Can not build AuthData from Assertion. NO Attributes included.");
- throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null);
-
+ if (extractor.containsAttribute(PVPConstants.BPK_NAME)) {
+ String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME);
+ authData.setBPK(pvpbPK.split(":")[1]);
}
- AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
- for (Attribute attr : attrStat.getAttributes()) {
-
- if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME))
- authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME))
- authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME))
- authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.BPK_NAME)) {
- String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent();
- authData.setBPK(pvpbPK.split(":")[1]);
- }
-
- if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))
- authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
- authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
- attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME))
- authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) {
+ List<String> encbPKList = Arrays.asList(
+ extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";"));
+ authData.setEncbPKList(encbPKList);
+ for (String fullEncbPK : encbPKList) {
+ int index = fullEncbPK.indexOf("|");
+ if (index >= 0) {
+ String encbPK = fullEncbPK.substring(index+1);
+ String second = fullEncbPK.substring(0, index);
+ int secIndex = second.indexOf("+");
+ if (secIndex >= 0) {
+ if (oaParam.getTarget().equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + oaParam.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ if (MiscUtil.isEmpty(authData.getBPK())) {
+ authData.setBPK(bPK);
+ authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+ Logger.info("bPK decryption process finished successfully.");
+ }
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
+
+ } else {
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
+
+ }
+ }
+ }
+ }
+ }
+
+ if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) {
+ Logger.error("Federated assertion include no bPK or encrypted bPK");
+ throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME
+ + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME);
- if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME))
- authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
+ authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
+ extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) {
+ try {
+ byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false);
+ authData.setAuthBlock(new String(authBlock, "UTF-8"));
- if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) {
- try {
- byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
- authData.setAuthBlock(new String(authBlock, "UTF-8"));
+ } catch (IOException e) {
+ Logger.error("Received AuthBlock is not valid", e);
- } catch (IOException e) {
- Logger.error("Received AuthBlock is not valid", e);
-
- }
- }
-
- if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
- try {
- authData.setSignerCertificate(Base64Utils.decode(
- attr.getAttributeValues().get(0).getDOM().getTextContent(), false));
-
- } catch (IOException e) {
- Logger.error("Received SignerCertificate is not valid", e);
-
- }
- }
-
- if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME))
- authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME))
- authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) {
- try {
- InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
- IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
- authData.setIdentityLink(idl);
-
- } catch (ParseException e) {
- Logger.error("Received IdentityLink is not valid", e);
-
- } catch (Exception e) {
- Logger.error("Received IdentityLink is not valid", e);
-
- }
}
-
- if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME))
- authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
-
- if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
- try {
- byte[] mandate = Base64Utils.decode(
- attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
-
- if (authData.getMISMandate() == null)
- authData.setMISMandate(new MISMandate());
- authData.getMISMandate().setMandate(mandate);
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
+ try {
+ authData.setSignerCertificate(Base64Utils.decode(
+ extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false));
+
+ } catch (IOException e) {
+ Logger.error("Received SignerCertificate is not valid", e);
+
+ }
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) {
+ try {
+ InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false);
+ IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
+ authData.setIdentityLink(idl);
+
+ } catch (ParseException e) {
+ Logger.error("Received IdentityLink is not valid", e);
+
+ } catch (Exception e) {
+ Logger.error("Received IdentityLink is not valid", e);
- authData.setUseMandate(true);
-
- } catch (Exception e) {
- Logger.error("Received Mandate is not valid", e);
- throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
-
- }
}
-
- if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) {
+ }
+
+
+ // set mandate attributes
+ authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
+ try {
+ byte[] mandate = Base64Utils.decode(
+ (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false);
+
if (authData.getMISMandate() == null)
authData.setMISMandate(new MISMandate());
- authData.getMISMandate().setProfRep(
- attr.getAttributeValues().get(0).getDOM().getTextContent());
+ authData.getMISMandate().setMandate(mandate);
+ authData.getMISMandate().setFullMandateIncluded(true);
+ authData.setUseMandate(true);
+
+ } catch (Exception e) {
+ Logger.error("Received Mandate is not valid", e);
+ throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
+
+ }
+ }
+
+ //TODO: build short mandate if full mandate is no included.
+ if (authData.getMISMandate() == null &&
+ (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) {
+ Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... ");
+
+ MISMandate misMandate = new MISMandate();
+ misMandate.setFullMandateIncluded(false);
+
+ Mandate mandateObject = new Mandate();
+ Mandator mandator = new Mandator();
+ mandateObject.setMandator(mandator);
+
+ //build legal person short mandate
+ if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) {
+ CorporateBodyType legalperson = new CorporateBodyType();
+ IdentificationType legalID = new IdentificationType();
+ Value idvalue = new Value();
+ legalID.setValue(idvalue );
+ legalperson.getIdentification().add(legalID );
+ mandator.setCorporateBody(legalperson );
+
+ legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME));
+ legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME));
+ idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME));
+
+ //build natural person short mandate
+ } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) ||
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) {
+ throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null);
+
+
+
+ } else {
+ Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary.");
+ throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null);
- }
-
- if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) {
- authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent());
- authData.setForeigner(true);
}
- if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {
+ try {
+ JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_");
+ Marshaller m = jc.createMarshaller();
+ ByteArrayOutputStream stream = new ByteArrayOutputStream();
+ m.marshal(mandateObject, stream);
+ misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes());
+ stream.close();
- if (authData.getStorkAttributes() == null)
- authData.setStorkAttributes(new PersonalAttributeList());
+ } catch (JAXBException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new AssertionAttributeExtractorExeption();
+
+ } catch (IOException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new AssertionAttributeExtractorExeption();
- List<String> storkAttrValues = new ArrayList<String>();
- storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent());
- PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),
- false, storkAttrValues , "Available");
- authData.getStorkAttributes().put(attr.getName(), storkAttr );
- authData.setForeigner(true);
- }
-
+ }
+ authData.setUseMandate(true);
+
}
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) {
+ if (authData.getMISMandate() == null)
+ authData.setMISMandate(new MISMandate());
+ authData.getMISMandate().setProfRep(
+ extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME));
+
+ }
+
+
+ //set STORK attributes
+ if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) {
+ authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME));
+ authData.setForeigner(true);
+
+ }
+
+ if (!extractor.getSTORKAttributes().isEmpty()) {
+ authData.setStorkAttributes(extractor.getSTORKAttributes());
+ authData.setForeigner(true);
+
+ }
+
authData.setSsoSession(true);
- if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
- authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate());
+ if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null)
+ authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate());
//only for SAML1
if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
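Review bot: `authData.setBPK(pvpbPK.split(":")[1]);` inside the new `containsAttribute(PVPConstants.BPK_NAME)` branch still indexes the split result unchecked, so a federated bPK attribute value without a colon leaves the builder as an ArrayIndexOutOfBoundsException instead of the declared AssertionAttributeExtractorExeption; guard it with `String[] parts = pvpbPK.split(":"); if (parts.length < 2) throw new AssertionAttributeExtractorExeption(PVPConstants.BPK_NAME);` before the set (the same unchecked parsing was in the removed loop, but the attribute is external input to this service). Further down, `authData.getEncbPKList().size() == 0` is evaluated when the ENC_BPK_LIST attribute was absent and `setEncbPKList` was never called, which presumably relies on AuthenticationData initialising that list to non-null — worth confirming against the AuthenticationData change in this commit. The two `throw new AssertionAttributeExtractorExeption();` in the JAXBException/IOException handlers of the short-mandate path drop the cause that the preceding log line recorded; passing `e` through (adding a cause-taking constructor if the exception lacks one) keeps it on the exception. The `//TODO: build short mandate if full mandate is no included.` comment now sits above exactly that implementation and reads as stale. buildAuthDataFormInterfederationResponse continues outside the hunk.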
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 20641ca7c..b122ba17e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -46,13 +46,27 @@
package at.gv.egovernment.moa.id.auth.builder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
+import java.io.UnsupportedEncodingException;
+import java.security.InvalidKeyException;
import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
/**
* Builder for the bPK, as defined in
@@ -135,6 +149,58 @@ public class BPKBuilder {
}
}
+ public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
+ MiscUtil.assertNotNull(bpk, "BPK");
+ MiscUtil.assertNotNull(publicKey, "publicKey");
+
+ SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
+ if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+ target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ String input = "V1::urn:publicid:gv.at:cdid+" + target + "::"
+ + bpk + "::"
+ + sdf.format(new Date());
+ System.out.println(input);
+ byte[] result;
+ try {
+ byte[] inputBytes = input.getBytes("ISO-8859-1");
+ result = encrypt(inputBytes, publicKey);
+ return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", "");
+
+ } catch (Exception e) {
+ throw new BuildException("bPK encryption FAILED", null, e);
+ }
+ }
+
+ public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException {
+ MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK");
+ MiscUtil.assertNotNull(privateKey, "Private key");
+ String decryptedString;
+ try {
+ byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1");
+ byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
+ decryptedString = new String(decryptedBytes, "ISO-8859-1");
+
+ } catch (Exception e) {
+ throw new BuildException("bPK decryption FAILED", null, e);
+ }
+ String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
+ String sector = tmp.substring(0, tmp.indexOf("::"));
+ tmp = tmp.substring(tmp.indexOf("::") + 2);
+ String bPK = tmp.substring(0, tmp.indexOf("::"));
+
+ if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+ target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ if (target.equals(sector))
+ return bPK;
+
+ else {
+ Logger.error("Decrypted bPK does not match to request bPK target.");
+ return null;
+ }
+ }
+
/**
* Builds the storkeid from the given parameters.
*
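Review bot: `System.out.println(input);` in encryptBPK writes the plaintext bPK together with its sector and timestamp to stdout, where it lands in server or container logs that are not protected the way the encrypted attribute is; remove the line (at most `Logger.debug` without the bPK value). In decryptBPK the `indexOf('+')` and `indexOf("::")` results feed `substring` unchecked, so a decrypted payload that does not follow the `V1::...::<bPK>::<timestamp>` layout raises StringIndexOutOfBoundsException outside the `BuildException` wrapping; check each index is non-negative and throw a BuildException with the same "bPK decryption FAILED" message otherwise. The prefix `"V1::urn:publicid:gv.at:cdid+"` is hard-coded while the sector comparison a few lines above uses `Constants.URN_PREFIX_CDID`; building the prefix from the constant keeps the two in agreement. `new String(Base64Utils.encode(result, "ISO-8859-1"))` appears to decode the encoded bytes with the platform default charset while every other conversion names "ISO-8859-1" explicitly. Both new public methods lack Javadoc; a header stating the plaintext layout and that decryptBPK returns null on a sector mismatch would make the format contract visible to callers.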
@@ -214,6 +280,34 @@ public class BPKBuilder {
throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex);
}
}
+
+ private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+ byte[] result;
+ Cipher cipher = null;
+ try {
+ cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+ } catch(NoSuchAlgorithmException e) {
+ cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+ }
+ cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+ result = cipher.doFinal(inputBytes);
+
+ return result;
+ }
+
+ private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey)
+ throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{
+ byte[] result;
+ Cipher cipher = null;
+ try {
+ cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+ } catch(NoSuchAlgorithmException e) {
+ cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+ }
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
+ result = cipher.doFinal(encryptedBytes);
+ return result;
+ }
}
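Review bot: The provider fallback in encrypt and decrypt only catches NoSuchAlgorithmException, so if `Cipher.getInstance("RSA/ECB/OAEPPadding")` fails with NoSuchPaddingException (what a provider raises for an unknown padding name) the IAIK variant `"RSA/ECB/OAEP"` is never tried; add a second catch clause for it. More importantly, both transformation strings leave the OAEP hash and MGF parameters to provider defaults (SunJCE's "OAEPPadding" means SHA-1 with MGF1-SHA-1; the IAIK default is not visible here), so whichever provider is installed decides the parameterisation and can silently break interoperability with the federation partner that produced the ciphertext; pin it with an explicit `OAEPParameterSpec` passed to `cipher.init`. The cipher selection is duplicated verbatim in both methods and belongs in one private helper, with a comment naming the two providers the fallback is meant to cover.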
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
new file mode 100644
index 000000000..69802d7e6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.exception;
+
+/**
+ * @author tlenz
+ *
+ */
+public class DatabaseEncryptionException extends MOAIDException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 6387519847869308880L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ * @param wrapped
+ */
+ public DatabaseEncryptionException(String messageId, Object[] parameters,
+ Throwable wrapped) {
+ super(messageId, parameters, wrapped);
+ }
+
+}
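Review bot: The class and constructor Javadoc are empty stubs (`@author tlenz`, bare `@param` tags), so a reader cannot tell when this exception is raised as opposed to the other MOAIDException subclasses; add a summary sentence such as `Signals that encrypting or decrypting a value held in the MOA-ID configuration or session database failed.` and describe `messageId` and `parameters` as they are interpreted by the MOAIDException parent (presumably a message key and its arguments — confirm against that class). The empty Javadoc block above `serialVersionUID` can be dropped.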
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 6fc1d28c1..a62de27fc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return prop;
}
+ /**
+ * @return
+ */
+ public String getMOAConfigurationEncryptionKey() {
+ String prop = props.getProperty("configuration.moaconfig.key");
+ if (MiscUtil.isEmpty(prop))
+ return null;
+ else
+ return prop;
+ }
+
public boolean isIdentityLinkResigning() {
String prop = props.getProperty("configuration.resignidentitylink.active", "false");
return Boolean.valueOf(prop);
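Review bot: The Javadoc on getMOAConfigurationEncryptionKey is an empty `@return` stub; since the method returns null when `configuration.moaconfig.key` is unset or blank and callers presumably branch on that, state it: `Returns the key configured under configuration.moaconfig.key, or null when the property is missing or empty.` The `if (MiscUtil.isEmpty(prop)) return null; else return prop;` pair can be folded to `return MiscUtil.isEmpty(prop) ? null : prop;`, matching the terse style of the neighbouring getters. Because the value is key material, callers should treat it as a secret and keep it out of any logging of the loaded properties — something this hunk cannot show either way.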
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index 6398de34f..4c6519b57 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.config.auth;
+import java.security.PrivateKey;
import java.util.List;
import java.util.Map;
@@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
/**
* @author tlenz
@@ -149,4 +151,6 @@ public interface IOAAuthParameters {
List<String> getTestCredentialOIDs();
+ PrivateKey getBPKDecBpkDecryptionKey();
+
} \ No newline at end of file
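Review bot: The new interface method `PrivateKey getBPKDecBpkDecryptionKey();` carries no Javadoc, and since the OAAuthParameter implementation in this commit returns null both when no key information is configured and when decryption fails, implementors and callers need that contract stated: `/** Returns the private key used to decrypt encrypted bPKs addressed to this online application, or null if none is configured or it cannot be loaded. */`. The import of `at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters` added in the earlier hunk of this file is not referenced by the interface and should be removed. The name repeats "BPK" and "Dec" (`getBPKDecBpkDecryptionKey`); `getBPKDecryptionKey` would read cleaner, though renaming touches the implementation and the builder as well.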
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index f58fe2495..673d23373 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -46,11 +46,15 @@
package at.gv.egovernment.moa.id.config.auth;
+import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.SerializationUtils;
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin;
import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType;
@@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
import at.gv.egovernment.moa.id.config.ConfigurationUtils;
import at.gv.egovernment.moa.id.config.OAParameter;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil;
import at.gv.egovernment.moa.id.util.FormBuildUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -555,4 +562,33 @@ public List<String> getTestCredentialOIDs() {
return null;
}
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters()
+ */
+@Override
+public PrivateKey getBPKDecBpkDecryptionKey() {
+
+ try {
+ EncryptedData encdata = new EncryptedData(
+ oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(),
+ oa_auth.getEncBPKInformation().getBPKDecryption().getIv());
+ byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata);
+ BPKDecryptionParameters data =
+ (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData);
+
+ return data.getPrivateKey();
+
+ } catch (BuildException e) {
+ // TODO Auto-generated catch block
+ Logger.error("Can not decrypt key information for bPK decryption", e);
+
+ } catch (NullPointerException e) {
+ Logger.error("No keyInformation found for bPK decryption");
+
+ }
+ return null;
+
+}
+
}
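Review bot: getBPKDecBpkDecryptionKey uses `catch (NullPointerException e)` to detect missing encBPK configuration, which also masks any other NPE in the decrypt/deserialise path (for instance a null from `ConfigurationEncrytionUtil.getInstance()` or from `getKeyInformation()`) and leaves the `// TODO Auto-generated catch block` marker behind; test the configuration chain for null explicitly and keep a catch only for `BuildException`. A ClassCastException from the `(BPKDecryptionParameters)` cast is not handled either and would propagate out of a configuration getter. `SerializationUtils.deserialize` is native Java deserialisation; here the bytes come from decrypting the stored key information, so the call is only as trustworthy as the configuration store and its key, and a comment stating that trust assumption would help the next reader.
```java
@Override
public PrivateKey getBPKDecBpkDecryptionKey() {
    // Missing configuration is an expected state, not an exception.
    if (oa_auth.getEncBPKInformation() == null
            || oa_auth.getEncBPKInformation().getBPKDecryption() == null) {
        Logger.error("No keyInformation found for bPK decryption");
        return null;
    }
    try {
        // … unchanged: build EncryptedData, decrypt, deserialize BPKDecryptionParameters …
        // NOTE: deserialised bytes are trusted only because they were decrypted with the configuration key.
        return data.getPrivateKey();

    } catch (BuildException e) {
        Logger.error("Can not decrypt key information for bPK decryption", e);

    } catch (ClassCastException e) {
        Logger.error("Key information for bPK decryption has an unexpected type", e);

    }
    return null;
}
```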
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java
new file mode 100644
index 000000000..787a480f0
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Serializable;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+
+import org.apache.commons.lang.SerializationUtils;
+
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+
+
+/**
+ * @author tlenz
+ *
+ */
+public class BPKDecryptionParameters implements Serializable{
+
+ private static final long serialVersionUID = 1L;
+
+ private byte[] keyStore = null;
+ private String keyStorePassword = null;
+ private String keyAlias = null;
+ private String keyPassword = null;
+
+ /**
+ * @return
+ */
+ public PrivateKey getPrivateKey() {
+ try {
+ InputStream in = new ByteArrayInputStream(keyStore);
+ KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword);
+
+ char[] chPassword = " ".toCharArray();
+ if (keyPassword != null)
+ chPassword = keyPassword.toCharArray();
+
+// Certificate test = store.getCertificate(keyAlias);
+// Base64Utils.encode(test.getPublicKey().getEncoded());
+
+ return (PrivateKey) store.getKey(keyAlias, chPassword);
+
+
+ } catch (KeyStoreException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (IOException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (UnrecoverableKeyException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ }
+
+ return null;
+ }
+
+ public byte[] serialize() {
+ return SerializationUtils.serialize(this);
+
+ }
+
+ /**
+ * @param keyStore the keyStore to set
+ */
+ public void setKeyStore(byte[] keyStore) {
+ this.keyStore = keyStore;
+ }
+
+ /**
+ * @param keyStorePassword the keyStorePassword to set
+ */
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStorePassword = keyStorePassword;
+ }
+
+ /**
+ * @param keyAlias the keyAlias to set
+ */
+ public void setKeyAlias(String keyAlias) {
+ this.keyAlias = keyAlias;
+ }
+
+ /**
+ * @param keyPassword the keyPassword to set
+ */
+ public void setKeyPassword(String keyPassword) {
+ this.keyPassword = keyPassword;
+ }
+
+
+
+
+}
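Review bot: In `getPrivateKey()` a missing `keyPassword` falls back to `" ".toCharArray()`, a single space, which is unlikely to be any real key entry's password; the usual convention is to fall back to the key-store password, e.g. `char[] chPassword = (keyPassword != null ? keyPassword : keyStorePassword).toCharArray();` — confirm against whatever writes these fields before changing it. `store.getKey(keyAlias, chPassword)` returns `null` for an unknown alias and a `SecretKey` for a symmetric entry, so the blind `(PrivateKey)` cast can throw `ClassCastException`, which is not among the four caught types; an `instanceof PrivateKey` check before the cast keeps the null-on-failure behaviour the catch blocks establish. The four identical catch blocks can be collapsed into one multi-catch on Java 7+, and the unused `Certificate`/`Base64Utils` imports plus the commented-out lines should go. Since the class is `Serializable` and carries two passwords, a class Javadoc should state that instances are only persisted through `ConfigurationEncrytionUtil` and never logged or serialized elsewhere.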
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index eddf605a6..7dbdcfa52 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.config.auth.data;
+import java.security.PrivateKey;
import java.util.List;
import java.util.Map;
@@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
return null;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters()
+ */
+ @Override
+ public PrivateKey getBPKDecBpkDecryptionKey() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
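Review bot: The new `getBPKDecBpkDecryptionKey()` stub returns `null` with only an auto-generated TODO, so a caller holding dynamic (federated) OA parameters silently gets no decryption key and the encrypted-bPK path is skipped without any log entry. If that is intended, say so in place of the TODO, e.g. `// Dynamic OA parameters carry no bPK decryption material; encrypted bPKs cannot be resolved for federated OAs.`; if it is not, throw `UnsupportedOperationException` so the gap is visible at runtime. The `@see` tag refers to `getBPKDecBpkDecryptionParameters()`, which does not match the interface method name.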
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 5685977bc..6fd327add 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -27,6 +27,7 @@ import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
+import java.util.List;
import org.w3c.dom.Element;
@@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable {
private byte[] signerCertificate = null;
private String authBlock = null;
-
+ private List<String> encbPKList = null;
+
+
private boolean useMandate = false;
private MISMandate mandate = null;
private String mandateReferenceValue = null;
@@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable {
this.ssoSessionValidTo = ssoSessionValidTo;
}
+ /**
+ * @return the encbPKList
+ */
+ public List<String> getEncbPKList() {
+ return encbPKList;
+ }
+
+ /**
+ * @param encbPKList the encbPKList to set
+ */
+ public void setEncbPKList(List<String> encbPKList) {
+ this.encbPKList = encbPKList;
+ }
+
+
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java
new file mode 100644
index 000000000..da6840fd7
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.data;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EncryptedbPK {
+ private String vkz = null;
+ private String target = null;
+ private String encbPK = null;
+}
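Review bot: `EncryptedbPK` declares three private fields and no constructor, accessor or `Serializable` marker, so nothing can populate or read `vkz`, `target` and `encbPK`; as committed it is dead code. `AuthenticationData` meanwhile carries the same information as a `List<String>`, and the commented-out code in `EncryptedBPKAttributeBuilder` suggests a `vkz + "+" + type + "|" + encbpk` string format, so either drop this class or make it the element type of that list with a constructor and getters. In either case a class Javadoc should spell out what `vkz` and `target` denote, since neither name is explained anywhere in the commit.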
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 7e421da0f..8ce33021d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.data;
import java.util.Date;
+import java.util.List;
import org.w3c.dom.Element;
@@ -62,6 +63,8 @@ public interface IAuthData {
String getBkuURL();
+ List<String> getEncbPKList();
+
IdentityLink getIdentityLink();
byte[] getSignerCertificate();
String getAuthBlock();
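Review bot: `getEncbPKList()` is added to the public `IAuthData` interface without Javadoc, so implementers cannot tell whether `null`, an empty list, or the element format is part of the contract. Add `/** Encrypted bPKs received during federation, one entry per target; null or empty when none were delivered. */` (adjusting the element description once the format is fixed) so that the builder and the extractor agree on one representation.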
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java
new file mode 100644
index 000000000..b3256ac9a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
+
+ public String getName() {
+ return ENC_BPK_LIST_NAME;
+ }
+
+ public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+
+ if (authData.getEncbPKList() != null &&
+ authData.getEncbPKList().size() > 0) {
+ String value = authData.getEncbPKList().get(0);
+ for (int i=1; i<authData.getEncbPKList().size(); i++)
+ value += ";"+authData.getEncbPKList().get(i);
+
+ return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
+ value);
+
+ }
+
+ throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
+
+// String encbpk = "XXX01234567890XXX";
+// String type = "Bereich";
+// String vkz = "Verfahrenskennzeichen";
+//
+// //TODO: implement encrypted bPK support
+//
+// Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk);
+//
+// return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
+// vkz + "+" + type + "|" + encbpk);
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME);
+ }
+
+}
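Review bot: `build()` concatenates the list with `value += ";" + ...` inside a loop and calls `authData.getEncbPKList()` five times; fetch the list once and join with a `StringBuilder` (or `String.join(";", list)` if the module compiles for Java 8). The `;` separator is only unambiguous if no element contains a semicolon — base64 text does not, but the element format is not documented here, so the class Javadoc should state which characters elements may contain. The commented-out block at the end of `build()` and the unused `Logger`/`Constants` imports should be removed rather than shipped. Rewritten body (needs `java.util.List` imported):

```java
    public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
            IAttributeGenerator<ATT> g) throws AttributeException {

        List<String> encbPKs = authData.getEncbPKList();
        if (encbPKs != null && !encbPKs.isEmpty()) {
            // entries are joined with ';' — elements must not contain that character
            StringBuilder value = new StringBuilder(encbPKs.get(0));
            for (int i = 1; i < encbPKs.size(); i++) {
                value.append(';').append(encbPKs.get(i));
            }
            return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
                    value.toString());
        }

        throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
    }
```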
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
index 670398ff6..790c1e8ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if (authData.isUseMandate()) {
- if (authData.getMandate() != null) {
+ //only provide full mandate if it is included.
+ //In case of federation only a short mandate could be include
+ if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) {
String fullMandate;
try {
fullMandate = DOMUtils.serializeNode(authData
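Review bot: The new condition null-checks `authData.getMandate()` but then calls `isFullMandateIncluded()` on `authData.getMISMandate()`, a different accessor; unless both are guaranteed to return the same object, a non-null mandate with a null `MISMandate` throws `NullPointerException` here instead of falling through to the `NoMandateDataAttributeException` added in the next hunk. Guard the object that is actually dereferenced, e.g. `if (authData.getMISMandate() != null && authData.getMISMandate().isFullMandateIncluded()) {`, or check both. The same unguarded `authData.getMISMandate().isFullMandateIncluded()` appears in the `SAML1AuthenticationServer` hunk further down. The comment would read better as `//In case of federation only a short mandate may be included`.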
@@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
Logger.error("Failed to generate Full Mandate", e);
}
}
+ throw new NoMandateDataAttributeException();
+
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 9aadfdc28..1c12e7398 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -22,16 +22,25 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.Subject;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.PersonalAttributeList;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -39,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class AssertionAttributeExtractor {
private Assertion assertion = null;
+ private Map<String, String> attributs = new HashMap<String, String>();
+ private PersonalAttributeList storkAttributes = new PersonalAttributeList();
+
+ private final List<String> minimalAttributeNameList = Arrays.asList(
+ PVPConstants.PRINCIPAL_NAME_NAME,
+ PVPConstants.GIVEN_NAME_NAME,
+ PVPConstants.BIRTHDATE_NAME);
+
public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption {
if (samlResponse != null && samlResponse instanceof Response) {
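Review bot: `minimalAttributeNameList` is rebuilt with `Arrays.asList` for every instance although it depends on nothing per-instance; declare it `private static final`. `attributs` stores only the first value of each non-STORK attribute (see the constructor hunk), so a field comment such as `// first value of each non-STORK attribute, keyed by attribute name` would stop callers from expecting multi-valued attributes to survive extraction. The misspelling `attributs` is now part of four method bodies; renaming it to `attributes` while the code is new is cheap.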
@@ -49,24 +66,80 @@ public class AssertionAttributeExtractor {
else if (assertions.size() > 1)
Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used.");
- assertion = assertions.get(0);
-
+ assertion = assertions.get(0);
+
+ if (assertion.getAttributeStatements() != null &&
+ assertion.getAttributeStatements().size() > 0) {
+ AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
+ for (Attribute attr : attrStat.getAttributes()) {
+ if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {
+ List<String> storkAttrValues = new ArrayList<String>();
+ storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),
+ false, storkAttrValues , "Available");
+ storkAttributes.put(attr.getName(), storkAttr );
+
+ } else
+ attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent());
+ }
+
+ }
+
+ attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw==");
+
} else
throw new AssertionAttributeExtractorExeption();
}
+ /**
+ * check attributes from assertion with minimal required attribute list
+ * @return
+ */
public boolean containsAllRequiredAttributes() {
- //TODO: add default attribute list
- return containsAllRequiredAttributes(null);
+ return containsAllRequiredAttributes(minimalAttributeNameList);
}
- public boolean containsAllRequiredAttributes(List<Attribute> attributs) {
- //TODO: add validation
+ /**
+ * check attributes from assertion with attributeNameList
+ * bPK or enc_bPK is always needed
+ *
+ * @param List of attributes which are required
+ *
+ * @return
+ */
+ public boolean containsAllRequiredAttributes(List<String> attributeNameList) {
+
+ //first check if a bPK or an encrypted bPK is available
+ if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) ||
+ (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) {
+ boolean flag = true;
+ for (String attr : attributeNameList) {
+ if (!attributs.containsKey(attr))
+ flag = false;
+ }
+
+ return flag;
+
+ }
return false;
}
+ public boolean containsAttribute(String attributeName) {
+ return attributs.containsKey(attributeName);
+
+ }
+
+ public String getAttribute(String attributeName) {
+ return attributs.get(attributeName);
+
+ }
+
+ public PersonalAttributeList getSTORKAttributes() {
+ return storkAttributes;
+ }
+
public String getNameID() throws AssertionAttributeExtractorExeption {
if (assertion.getSubject() != null) {
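Review bot: The constructor unconditionally writes a hard-coded `"Test+BF|…"` value under `PVPConstants.ENC_BPK_LIST_NAME` into `attributs` after parsing the assertion; that line is a leftover test fixture that overwrites any genuine encrypted-bPK attribute the IdP sent and makes the first disjunct of `containsAllRequiredAttributes()` true for every assertion, so a response carrying neither a bPK nor an encrypted bPK is accepted as complete and the fixed ciphertext is handed on to the bPK-decryption path. Remove the `attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+…")` line before this is deployed. Separately, `attr.getAttributeValues().get(0)` is called twice without checking that the value list is non-empty (and `getDOM()` may be null), so an attribute delivered without a value escapes the constructor as `IndexOutOfBoundsException` instead of `AssertionAttributeExtractorExeption`; guard with `if (attr.getAttributeValues().isEmpty() || attr.getAttributeValues().get(0).getDOM() == null) continue;` or reject the assertion. Only the first `AttributeStatement` and the first value of each attribute are retained, which belongs in the class Javadoc, and the `flag` loop in `containsAllRequiredAttributes` can simply `return false` on the first missing name.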
@@ -113,6 +186,10 @@ public class AssertionAttributeExtractor {
throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");
}
+ public Assertion getFullAssertion() {
+ return assertion;
+ }
+
private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {
List<AuthnStatement> authnList = assertion.getAuthnStatements();
if (authnList.size() == 0)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 08f40f888..fe0d27804 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -208,7 +208,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
if (authData.isUseMandate()) {
List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA();
- if (saml1parameter.isProvideFullMandatorData()) {
+ //only provide full mandate if it is included.
+ //In case of federation only a short mandate could be include
+ if (saml1parameter.isProvideFullMandatorData()
+ && authData.getMISMandate().isFullMandateIncluded()) {
try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 350c4e9da..a9f5ed60a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage {
private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException {
byte[] serialized = SerializationUtils.serialize(session);
- EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized);
+ EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized);
dbsession.setSession(encdata.getEncData());
dbsession.setIv(encdata.getIv());
}
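Review bot: `SessionEncrytionUtil.getInstance()` is dereferenced directly in `encryptSession`, and again in `decryptSession` in the next hunk; if that factory follows the pattern of `ConfigurationEncrytionUtil.getInstance()` in this commit (catch the initialization failure, log, return `null`), a mis-configured session key turns every session store or load into a `NullPointerException` instead of the `BuildException` these methods declare. Resolve the instance once and fail explicitly, e.g. `SessionEncrytionUtil util = SessionEncrytionUtil.getInstance(); if (util == null) throw new BuildException("MOASession encryption not initialized", new Object[]{}, null);` — confirm the constructor tolerates a null cause, since the existing calls always pass an exception.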
@@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage {
private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException {
EncryptedData encdata = new EncryptedData(dbsession.getSession(),
dbsession.getIv());
- byte[] decrypted = SessionEncrytionUtil.decrypt(encdata);
+ byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata);
return (AuthenticationSession) SerializationUtils.deserialize(decrypted);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
new file mode 100644
index 000000000..f246c55e1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
@@ -0,0 +1,157 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public abstract class AbstractEncrytionUtil {
+ protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+ protected static final String KEYNAME = "AES";
+
+ private SecretKey secret = null;
+
+ public AbstractEncrytionUtil() throws DatabaseEncryptionException {
+ initialize(getKey(), getSalt());
+ }
+
+ protected abstract String getSalt();
+ protected abstract String getKey();
+
+ protected void initialize(String key, String salt) throws DatabaseEncryptionException {
+ try {
+ if (MiscUtil.isNotEmpty(key)) {
+ if (MiscUtil.isEmpty(salt))
+ salt = "TestSalt";
+
+ PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
+ SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
+ PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
+
+ SecureRandom random = new SecureRandom();
+ KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
+
+ PBEKeyAndParameterSpec parameterSpec =
+ new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
+ salt.getBytes(),
+ 2000,
+ 16);
+
+ pbkdf2.init(parameterSpec, random);
+ SecretKey derivedKey = pbkdf2.generateKey();
+
+ SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
+ SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
+ secret = kf.generateSecret(spec);
+
+ } else {
+ Logger.error("Database encryption can not initialized. No key found!");
+
+ }
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (NoSuchProviderException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (InvalidKeySpecException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (InvalidAlgorithmParameterException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ }
+ }
+
+ public EncryptedData encrypt(byte[] data) throws BuildException {
+ Cipher cipher;
+
+ if (secret != null) {
+ try {
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.ENCRYPT_MODE, secret);
+
+ Logger.debug("Encrypt MOASession");
+
+ byte[] encdata = cipher.doFinal(data);
+ byte[] iv = cipher.getIV();
+
+ return new EncryptedData(encdata, iv);
+
+ } catch (Exception e) {
+ Logger.warn("MOASession is not encrypted",e);
+ throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
+ }
+ } else
+ return new EncryptedData(data, null);
+ }
+
+ public byte[] decrypt(EncryptedData data) throws BuildException {
+ Cipher cipher;
+
+ if (secret != null) {
+ try {
+ IvParameterSpec iv = new IvParameterSpec(data.getIv());
+
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.DECRYPT_MODE, secret, iv);
+
+ Logger.debug("Decrypt MOASession");
+ return cipher.doFinal(data.getEncData());
+
+ } catch (Exception e) {
+ Logger.warn("MOASession is not decrypted",e);
+ throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
+ }
+ } else
+ return data.getEncData();
+ }
+
+}
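Review bot: `encrypt()` and `decrypt()` fail open: when `secret` is null — which `initialize()` only logs as "No key found!" instead of throwing — `encrypt` returns the plaintext wrapped in an `EncryptedData` with a null IV and `decrypt` returns the stored bytes unchanged, so a missing or mistyped key silently stores sessions and bPK-decryption key material in clear, and once a key is later configured `decrypt` would hand raw stored bytes to `SerializationUtils.deserialize`. Make the empty-key branch of `initialize()` throw `DatabaseEncryptionException` like the other failure branches and have both cipher methods throw `BuildException` when `secret == null`; if unencrypted operation is a supported deployment mode, make it an explicit configuration flag and log it at warn level on each call. `AES/CBC/PKCS5Padding` gives no integrity protection, and the decrypted bytes feed Java native deserialization in `AuthenticationSessionStoreage` and `OAAuthParameter`, so anyone with write access to the database can alter what the deserializer sees; an authenticated mode (AES/GCM, if the IAIK provider offers it) or an HMAC over IV and ciphertext verified before decrypting closes that gap. Smaller points: `salt.getBytes()` should name a charset (`"UTF-8"`), the `"TestSalt"` fallback and the 2000-iteration PBKDF2 count deserve a comment explaining why they are acceptable for this deployment, and the "MOASession" wording in the encrypt/decrypt log and exception messages is wrong for the configuration subclass.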
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
new file mode 100644
index 000000000..10221604c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil {
+
+ private static ConfigurationEncrytionUtil instance = null;
+ private static String key = null;
+
+ public static ConfigurationEncrytionUtil getInstance() {
+ if (instance == null) {
+ try {
+ key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey();
+ instance = new ConfigurationEncrytionUtil();
+
+ } catch (Exception e) {
+ Logger.warn("MOAConfiguration encryption initialization FAILED.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ private ConfigurationEncrytionUtil() throws DatabaseEncryptionException {
+ super();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Configuration-Salt";
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+ }
+
+}
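Review bot: `getInstance()` swallows the `DatabaseEncryptionException` from the constructor, logs at warn level and returns `null`, so every caller — `OAAuthParameter.getBPKDecBpkDecryptionKey()` in this commit, for one — dereferences a null and sees a `NullPointerException` unrelated to its own inputs; rethrow instead, e.g. `throw new IllegalStateException("MOAConfiguration encryption initialization FAILED.", e);`, or let the checked exception propagate. The lazy initialization is unsynchronized and depends on the static `key` being assigned before `super()` invokes the overridable `getKey()` — an overridable method called from a constructor — so declare the method `synchronized` and prefer passing the key to the superclass constructor over routing it through a static field. A class Javadoc should note that `"Configuration-Salt"` is a fixed, non-secret salt, so the derived key's strength rests entirely on the configured key string.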
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
index acc2a7273..8660f7c09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
@@ -22,110 +22,50 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.util;
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
-import java.security.SecureRandom;
-import java.security.spec.KeySpec;
-
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.logging.Logger;
-public class SessionEncrytionUtil {
-
- private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
- private static final String KEYNAME = "AES";
-
- static private SecretKey secret = null;
+public class SessionEncrytionUtil extends AbstractEncrytionUtil {
- static {
- try {
- String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
-
- if (key != null) {
-
- PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
- SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
- PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
-
-
- SecureRandom random = new SecureRandom();
- KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
-
- PBEKeyAndParameterSpec parameterSpec =
- new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
- "TestSALT".getBytes(),
- 2000,
- 16);
-
- pbkdf2.init(parameterSpec, random);
- SecretKey derivedKey = pbkdf2.generateKey();
-
- SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
- SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
- secret = kf.generateSecret(spec);
-
- } else {
- Logger.warn("MOASession encryption is deaktivated.");
- }
-
- } catch (Exception e) {
- Logger.warn("MOASession encryption can not be inizialized.", e);
- }
-
- }
+ private static SessionEncrytionUtil instance = null;
+ private static String key = null;
- public static EncryptedData encrypt(byte[] data) throws BuildException {
- Cipher cipher;
-
- if (secret != null) {
+ public static SessionEncrytionUtil getInstance() {
+ if (instance == null) {
try {
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.ENCRYPT_MODE, secret);
-
- Logger.debug("Encrypt MOASession");
-
- byte[] encdata = cipher.doFinal(data);
- byte[] iv = cipher.getIV();
-
- return new EncryptedData(encdata, iv);
-
+ key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
+ instance = new SessionEncrytionUtil();
+
} catch (Exception e) {
- Logger.warn("MOASession is not encrypted",e);
- throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
- }
- } else
- return new EncryptedData(data, null);
+ Logger.warn("MOASession encryption can not be inizialized.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ private SessionEncrytionUtil() throws DatabaseEncryptionException {
+ super();
}
- public static byte[] decrypt(EncryptedData data) throws BuildException {
- Cipher cipher;
-
- if (secret != null) {
- try {
- IvParameterSpec iv = new IvParameterSpec(data.getIv());
-
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.DECRYPT_MODE, secret, iv);
-
- Logger.debug("Decrypt MOASession");
- return cipher.doFinal(data.getEncData());
-
- } catch (Exception e) {
- Logger.warn("MOASession is not decrypted",e);
- throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
- }
- } else
- return data.getEncData();
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Session-Salt";
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+ }
+
}
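Review bot: `getInstance()` at the top of the hunk is an unsynchronized check-then-create singleton, and when `getMOASessionEncryptionKey()` or the constructor throws it only logs a warning and returns `null`, so callers will hit a NullPointerException at the first use of the returned object rather than seeing the real initialization error; two threads racing through the `instance == null` check can also each construct an instance and re-read the key, which `public static synchronized SessionEncrytionUtil getInstance()` would prevent at negligible cost. The removed code explicitly handled a missing key by logging that encryption is deactivated and passing the data through unencrypted, whereas the new code hands whatever the provider returns, possibly `null`, into `AbstractEncrytionUtil`, whose handling of that case is outside this hunk — confirm it rejects or documents a null key, and state the intent at the call site, e.g. `// a null key disables MOASession encryption; see AbstractEncrytionUtil`. The fixed salt `"Session-Salt"` is public, so the derived key is only as strong as the configured key string; if that is acceptable for this deployment model, say so in the `getSalt()` Javadoc instead of the `(non-Javadoc)` stub.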
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
index f7785d2c2..20cabaf4d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -70,6 +70,7 @@ public class MISMandate implements Serializable{
private String oid = null;
private byte[] mandate = null;
private String owBPK = null;
+ private boolean isFullMandateIncluded = false;
public String getProfRep() {
return oid;
@@ -109,5 +110,18 @@ public class MISMandate implements Serializable{
}
}
+ /**
+ * @return the isFullMandateIncluded
+ */
+ public boolean isFullMandateIncluded() {
+ return isFullMandateIncluded;
+ }
+ /**
+ * @param isFullMandateIncluded the isFullMandateIncluded to set
+ */
+ public void setFullMandateIncluded(boolean isFullMandateIncluded) {
+ this.isFullMandateIncluded = isFullMandateIncluded;
+ }
+
}
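Review bot: `MISMandate implements Serializable` (visible in the first hunk header of this section), and adding the `isFullMandateIncluded` field changes the class's serialized form; if the class relies on the default computed `serialVersionUID` — no declaration is visible in these hunks — any instance serialized before this change will fail to deserialize with `InvalidClassException`. If a `serialVersionUID` is declared, old instances will deserialize with the field at its default `false`, which looks like the intended meaning for a mandate that never set the flag; either way, state which case applies in a comment on the field. The accessor Javadoc is boilerplate; replace it with what the flag means, e.g. `/** Whether the complete mandate document is carried in this object (see {@link #getMandate()}). */`.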
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index aaf793987..15b2a89b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -145,6 +145,8 @@ public class MISSimpleClient {
//misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate)));
misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes()));
+ misMandate.setFullMandateIncluded(true);
+
foundMandates.add(misMandate);
}
return foundMandates;
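Review bot: `setFullMandateIncluded(true)` is called unconditionally right after `setMandate(...)`, so inside this loop (whose start lies outside the hunk) the flag carries no information beyond `getMandate() != null`; it is only meaningful if another producer of `MISMandate`, not visible here, builds instances without the mandate bytes. If that is the case, a one-line comment at this call site naming that other path would keep the flag and the `mandate` field from drifting apart; if not, deriving the flag from `mandate != null` inside `MISMandate` avoids a second piece of state to keep consistent.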
diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
index 066967b44..f2f1949cc 100644
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
+++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
@@ -551,6 +551,7 @@
<xsd:element ref="OA_SAML1" minOccurs="0"/>
<xsd:element ref="OA_PVP2" minOccurs="0"/>
<xsd:element ref="OA_OAUTH20" minOccurs="0"/>
+ <xsd:element ref="EncBPKInformation" minOccurs="0" maxOccurs="1"/>
</xsd:sequence>
<!--xsd:element ref="pr:AbstractSimpleIdentification" minOccurs="0"
maxOccurs="1"/ -->
@@ -558,6 +559,31 @@
</xsd:element>
</xsd:sequence>
</xsd:complexType>
+ <xsd:element name="EncBPKInformation">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="bPKDecryption" minOccurs="0" maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="keyInformation" type="xsd:base64Binary" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="iv" type="xsd:base64Binary" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="keyStoreFileName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+ <xsd:element name="keyAlias" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="bPKEncryption" minOccurs="0" maxOccurs="unbounded">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="publicKey" type="xsd:base64Binary" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="target" type="xsd:string" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="vkz" type="xsd:string" minOccurs="1" maxOccurs="1"/>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
<xsd:complexType name="ConnectionParameterServerAuthType">
<xsd:sequence>
<xsd:element name="AcceptedServerCertificates" type="xsd:anyURI" minOccurs="0">
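Review bot: The new `bPKDecryption` element places `keyInformation` and `iv` as base64Binary directly in the configuration document, with `keyStoreFileName` and `keyAlias` optional, but nothing in the schema says whether `keyInformation` is a raw private key or a key blob encrypted under the configuration key (the accompanying `iv` suggests the latter), nor which source wins when both the inline key and a keystore reference are present. That contract belongs in the schema so operators do not store an unprotected private key by mistake: add an `<xsd:annotation><xsd:documentation>` to `bPKDecryption` describing the expected format and protection of `keyInformation`, and the precedence between it and the keystore elements. The same applies to `bPKEncryption/publicKey` (raw SubjectPublicKeyInfo or a certificate?) and to `target`/`vkz`, for which the unbounded list carries no uniqueness constraint.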
@@ -827,7 +853,7 @@
</xsd:sequence>
<xsd:attribute name="countryCode" type="CountryCodeType" use="required"/>
<xsd:attribute name="URL" type="xsd:anyURI" use="required"/>
- <xsd:attribute name="supportsXMLSignature" type="xsd:boolean" default="true"></xsd:attribute>
+ <xsd:attribute name="supportsXMLSignature" type="xsd:boolean" default="true"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="STORK">