aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-05-17 08:37:48 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-05-17 08:37:48 +0200
commit5fe7b654e6526b34ab917411424faf93586df85f (patch)
treee60d8fb2be5d5a142d0b179e8b99a010ead07dd3 /id/server
parentc61850c5607d066a3c322794c1220f26b31103a0 (diff)
downloadmoa-id-spss-5fe7b654e6526b34ab917411424faf93586df85f.tar.gz
moa-id-spss-5fe7b654e6526b34ab917411424faf93586df85f.tar.bz2
moa-id-spss-5fe7b654e6526b34ab917411424faf93586df85f.zip
add result decryption for SL2.0 authentication module
Diffstat (limited to 'id/server')
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java12
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java39
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java25
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java3
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java21
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java5
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java12
7 files changed, 93 insertions, 24 deletions
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
index bcbda3faf..6fd1c3c4d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
@@ -2,8 +2,11 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
import java.security.cert.X509Certificate;
+import com.google.gson.JsonElement;
+
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20SecurityException;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuildException;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
@@ -33,5 +36,14 @@ public interface IJOSETools {
* @return
*/
public X509Certificate getEncryptionCertificate();
+
+ /**
+ * Decrypt a serialized JWE token
+ *
+ * @param compactSerialization Serialized JWE token
+ * @return decrypted payload
+ * @throws SL20Exception
+ */
+ public JsonElement decryptPayload(String compactSerialization) throws SL20Exception;
}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index 7dd5c39ab..e0965c712 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -11,6 +11,7 @@ import javax.annotation.PostConstruct;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;
@@ -19,6 +20,7 @@ import org.springframework.stereotype.Service;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
@@ -177,6 +179,43 @@ public class JsonSecurityUtils implements IJOSETools{
}
+
+ @Override
+ public JsonElement decryptPayload(String compactSerialization) throws SL20Exception {
+ try {
+ JsonWebEncryption receiverJwe = new JsonWebEncryption();
+
+ //set security constrains
+ receiverJwe.setAlgorithmConstraints(
+ new AlgorithmConstraints(ConstraintType.WHITELIST,
+ SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.size()])));
+ receiverJwe.setContentEncryptionAlgorithmConstraints(
+ new AlgorithmConstraints(ConstraintType.WHITELIST,
+ SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.size()])));
+
+ //set payload
+ receiverJwe.setCompactSerialization(compactSerialization);
+
+ //TODO: validate key from header against key from config
+
+ //decrypt payload
+ receiverJwe.setKey(encPrivKey);
+
+ return new JsonParser().parse(receiverJwe.getPlaintextString());
+
+ } catch (JoseException e) {
+ Logger.warn("SL2.0 result decryption FAILED", e);
+ throw new SL20SecurityException(new Object[]{e.getMessage()}, e);
+
+ } catch ( JsonSyntaxException e) {
+ Logger.warn("Decrypted SL2.0 result is NOT a valid JSON.", e);
+ throw new SLCommandoParserException("Decrypted SL2.0 result is NOT a valid JSON.", e);
+
+ }
+
+ }
+
+
@Override
public X509Certificate getEncryptionCertificate() {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
index e84dacc23..b855c3cac 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
@@ -3,6 +3,8 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
import java.util.Arrays;
import java.util.List;
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jws.AlgorithmIdentifiers;
public class SL20Constants {
@@ -41,14 +43,25 @@ public class SL20Constants {
JSON_ALGORITHM_SIGNING_PS512
);
- public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = "RSA-OAEP";
- public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = "RSA-OAEP-256";
+ public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = KeyManagementAlgorithmIdentifiers.RSA_OAEP;
+ public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = KeyManagementAlgorithmIdentifiers.RSA_OAEP_256;
- public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = "A128CBC-HS256";
- public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = "A256CBC-HS512";
- public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = "A128GCM";
- public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = "A256GCM";
+ public static final List<String> SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = Arrays.asList(
+ JSON_ALGORITHM_ENC_KEY_RSAOAEP,
+ JSON_ALGORITHM_ENC_KEY_RSAOAEP256
+ );
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256;
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = ContentEncryptionAlgorithmIdentifiers.AES_256_CBC_HMAC_SHA_512;
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = ContentEncryptionAlgorithmIdentifiers.AES_128_GCM;
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = ContentEncryptionAlgorithmIdentifiers.AES_256_GCM;
+
+ public static final List<String> SL20_ALGORITHM_WHITELIST_ENCRYPTION = Arrays.asList(
+ JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256,
+ JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512,
+ JSON_ALGORITHM_ENC_PAYLOAD_A128GCM,
+ JSON_ALGORITHM_ENC_PAYLOAD_A256GCM
+ );
//*********************************************************************************************
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
index cfffed881..cc7137a0f 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
@@ -34,7 +34,8 @@ public class SL20HttpBindingUtils {
Logger.debug("Client request containts is no native client ... ");
URIBuilder clientRedirectURI = new URIBuilder(redirectURL);
clientRedirectURI.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Forward.toString());
- response.sendRedirect(clientRedirectURI.build().toString());
+ response.setStatus(307);
+ response.setHeader("Location", clientRedirectURI.build().toString());
}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index e1444c95f..e01945df0 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -146,7 +146,7 @@ public class SL20JSONExtractorUtils {
}
- public static JsonElement extractSL20Result(JsonObject command, JsonSecurityUtils encrypter, boolean mustBeEncrypted) throws SLCommandoParserException {
+ public static JsonElement extractSL20Result(JsonObject command, IJOSETools decrypter, boolean mustBeEncrypted) throws SL20Exception {
JsonElement result = command.get(SL20Constants.SL20_COMMAND_CONTAINER_RESULT);
JsonElement encryptedResult = command.get(SL20Constants.SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT);
@@ -162,12 +162,21 @@ public class SL20JSONExtractorUtils {
else if (result != null)
return result;
- else if (encryptedResult != null) {
- //TODO: Add correct signature validation
+ else if (encryptedResult != null && encryptedResult.isJsonPrimitive()) {
+ /*TODO:
+ *
+ * Remove dummy code and test real decryption!!!!!
+ *
+ */
+
+ //return decrypter.decryptPayload(encryptedResult.getAsString());
+
+ //dummy code
String[] signedPayload = encryptedResult.toString().split("\\.");
JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
return payLoad;
+
} else
throw new SLCommandoParserException("Internal build error");
@@ -202,10 +211,10 @@ public class SL20JSONExtractorUtils {
else if (sl20Payload != null)
return new VerificationResult(sl20Payload.getAsJsonObject());
- else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive())
+ else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive()) {
return joseTools.validateSignature(sl20SignedPayload.getAsString());
-
- else
+
+ } else
throw new SLCommandoParserException("Internal build error");
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 1e15e893e..b1dfa9b0d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -1,6 +1,5 @@
package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
-import java.io.StringWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -16,7 +15,6 @@ import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URIBuilder;
-import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.springframework.beans.factory.annotation.Autowired;
@@ -78,8 +76,6 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
//build DataURL for qualified eID response
String dataURL = new DataURLBuilder().buildDataURL(
pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID());
-// String dataURL = new DataURLBuilder().buildDataURL(
-// "http://labda.iaik.tugraz.at:8080/moa-id-auth/", Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID());
//build qualifiedeID command
Map<String, String> qualifiedeIDParams = new HashMap<String, String>();
@@ -146,6 +142,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
requestStoreage.storePendingRequest(pendingReq);
//forward SL2.0 command
+ //TODO: maybe add SL2ClientType Header from execution context
SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL);
} else {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 6d2163ff1..698546a4f 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -92,7 +92,6 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
//validate signature
- //TODO:
VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
if (payLoadContainer.isValidSigned() == null ||
!payLoadContainer.isValidSigned()) {
@@ -104,6 +103,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
//TODO validate certificate
List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
+
//extract payloaf
JsonObject payLoad = payLoadContainer.getPayload();
@@ -112,12 +112,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) {
Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... ");
-
-
- //TODO: add decryption
- JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, null, false);
-
-
+
+ //TODO: activate decryption in 'SL20JSONExtractorUtils.extractSL20Result'
+ JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, joseTools, false);
+
//extract attributes from result
String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);