--use differend keys for SAML2 metadata signing and SAML2 assertion signing

-- move oAuth idToken generation to OAuth20AuthAction, because MOASession does not exits anymore in OAuth20TokenAction if no SSO is used.
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-24 11:32:38 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-24 11:32:38 +0100
commit: 653fd79254188db598c0b980640fab912c9e39f7 (patch)
tree: 9130bdec833580cba2146b41bbf4b744edec1795 /id
parent: 1f46df486fbab558fb3e935dfed160f26e698ac0 (diff)
download: moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.tar.gz
moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.tar.bz2
moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.zip
10 files changed, 177 insertions, 132 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
index 4c7d1a37b..d5dd70c11 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
@@ -1,6 +1,7 @@
 package at.gv.egovernment.moa.id.protocols.oauth20;
 
 import java.io.Serializable;
+import java.util.Map;
 
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 
@@ -15,7 +16,7 @@ public class OAuth20SessionObject implements Serializable {
 	
 	private String code;
 	
-	private String authDataSession;
+	private Map<String, Object> authDataSession;
 	
 	public String getScope() {
 		return scope;
@@ -40,12 +41,12 @@ public class OAuth20SessionObject implements Serializable {
 		this.code = code;
 	}
 	
-	public String getAuthDataSession() {
+	public Map<String, Object> getAuthDataSession() {
 		return authDataSession;
 	}
 	
-	public void setAuthDataSession(String authDataSession) {
-		this.authDataSession = authDataSession;
+	public void setAuthDataSession(Map<String, Object> idToken) {
+		this.authDataSession = idToken;
 	}
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 17649487a..a5c8bb16e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -1,18 +1,33 @@
 package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
 
+import java.security.SignatureException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
+import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.Random;
@@ -23,27 +38,24 @@ class OAuth20AuthAction implements IAction {
 	public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
 			AuthenticationSession moasession) throws MOAIDException {
 		
-		OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;
-		
-		// OAAuthParameter oaParam =
-		// AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
-		// AuthenticationData authData =
-		// AuthenticationServer.buildAuthenticationData(moasession, oaParam,
-		// oAuthRequest.getTarget());
-		
+		OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;		
 		String responseType = oAuthRequest.getResponseType();
-		AuthenticationSession session = null;
 		
 		String code = Random.nextRandom();
 		
 		try {
-					
+			
+			String accessToken = UUID.randomUUID().toString();
+			
 			Logger.debug("Stored session with id: " + code);
 			OAuth20SessionObject o = new OAuth20SessionObject();
 			if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) {
 				o.setScope(oAuthRequest.getScope());
 				o.setCode(code);
-				o.setAuthDataSession(moasession.getSessionID());
+				
+				//generate idToken from MOASession
+				Map<String, Object> idToken = generateIDToken(o, oAuthRequest, moasession, accessToken);
+				o.setAuthDataSession(idToken);
 				
 			} else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) {
 				throw new OAuth20ResponseTypeException();
@@ -65,6 +77,8 @@ class OAuth20AuthAction implements IAction {
 			String finalUrl = redirectURI;
 			httpResp.addHeader("Location", finalUrl);
 			Logger.debug("REDIRECT TO: " + finalUrl.toString());
+			
+			return accessToken;
 		}
 		catch (Exception e) {
 
@@ -79,7 +93,65 @@ class OAuth20AuthAction implements IAction {
 			throw new OAuth20ServerErrorException();
 		}
 		
-		return null;
+	}
+	
+	private Map<String, Object> generateIDToken(OAuth20SessionObject auth20SessionObject, 
+			OAuth20AuthRequest oAuthRequest, AuthenticationSession moasession, String accessToken) throws SignatureException, MOAIDException {
+		
+		// create response
+		Map<String, Object> params = new HashMap<String, Object>();
+		params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
+		params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
+		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
+		
+		// build id token and scope
+		Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
+				moasession);
+		Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
+		params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
+		Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
+		params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
+		
+		return params;
+		
+	}
+	
+	private Pair<String, String> buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, AuthenticationSession session)
+			throws MOAIDException, SignatureException {
+		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
+		AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget());
+		
+		OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer());
+		OAuthJsonToken token = new OAuthJsonToken(signer);
+		
+		StringBuilder resultScopes = new StringBuilder();
+		// always fill with open id
+		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData);
+		resultScopes.append("openId");
+		
+		for (String s : scope.split(" ")) {
+			if (s.equalsIgnoreCase("profile")) {
+				OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData);
+				resultScopes.append(" profile");
+			} else if (s.equalsIgnoreCase("eID")) {
+				OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData);
+				resultScopes.append(" eID");
+			} else if (s.equalsIgnoreCase("eID_gov")) {
+				OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData);
+				resultScopes.append(" eID_gov");
+			} else if (s.equalsIgnoreCase("mandate")) {
+				OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData);
+				resultScopes.append(" mandate");
+			}
+			// TODO parser STORK
+		}
+		
+		// add properties and sign
+		// HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id",
+		// "super_secure_pwd".getBytes());
+		// Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config());
+		
+		return Pair.newInstance(token.serializeAndSign(), resultScopes.toString());
 	}
 	
 	/*
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
index b975b5594..f3638d63e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
@@ -1,35 +1,19 @@
 package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
 
-import java.security.SignatureException;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
-import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
-import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException;
-import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
-import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
-import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
 
 import com.google.gson.JsonObject;
@@ -61,38 +45,10 @@ class OAuth20TokenAction implements IAction {
 			} else {
 				Logger.debug("Loaded of OAuth20SessionObject was successful");
 			}
-
-			
-			Logger.debug("Load MOASession from database");
-			AuthenticationSession session = AuthenticationSessionStoreage.getSession(auth20SessionObject.getAuthDataSession());
-			if (session == null) {
-				Logger.warn("NO MOASession found with SessionID " + auth20SessionObject.getAuthDataSession());
-				throw new OAuth20UnauthorizedClientException();
-				
-			} else {
-				Logger.debug("Loading of MOASession was successful.");
-				
-			}
-						
-			final String accessToken = UUID.randomUUID().toString();
-			
-			// create response
-			Map<String, Object> params = new HashMap<String, Object>();
-			params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
-			params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
-			params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
-			
-			// build id token and scope
-			Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
-					session);
-			Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
-			params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
-			Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
-			params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
 			
 			// create response
 			JsonObject jsonObject = new JsonObject();
-			OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
+			OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession());
 			String jsonResponse = jsonObject.toString();
 			Logger.debug("JSON Response: " + jsonResponse);
 			
@@ -137,43 +93,5 @@ class OAuth20TokenAction implements IAction {
 	public String getDefaultActionName() {
 		return OAuth20Protocol.TOKEN_ACTION;
 	}
-	
-	private Pair<String, String> buildIdToken(String scope, OAuth20TokenRequest oAuthRequest, AuthenticationSession session)
-			throws MOAIDException, SignatureException {
-		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
-		AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget());
-		
-		OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer());
-		OAuthJsonToken token = new OAuthJsonToken(signer);
-		
-		StringBuilder resultScopes = new StringBuilder();
-		// always fill with open id
-		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData);
-		resultScopes.append("openId");
 		
-		for (String s : scope.split(" ")) {
-			if (s.equalsIgnoreCase("profile")) {
-				OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData);
-				resultScopes.append(" profile");
-			} else if (s.equalsIgnoreCase("eID")) {
-				OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData);
-				resultScopes.append(" eID");
-			} else if (s.equalsIgnoreCase("eID_gov")) {
-				OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData);
-				resultScopes.append(" eID_gov");
-			} else if (s.equalsIgnoreCase("mandate")) {
-				OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData);
-				resultScopes.append(" mandate");
-			}
-			// TODO parser STORK
-		}
-		
-		// add properties and sign
-		// HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id",
-		// "super_secure_pwd".getBytes());
-		// Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config());
-		
-		return Pair.newInstance(token.serializeAndSign(), resultScopes.toString());
-	}
-	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index e6a8c9661..1c7b1c718 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -78,17 +78,10 @@ public class MetadataAction implements IAction {
 			keyInfoFactory.setEmitEntityIDAsKeyName(true);
 			keyInfoFactory.setEmitEntityCertificate(true);
 			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
-
-			Credential credential = CredentialProvider
-					.getIDPSigningCredential();
-
-			KeyDescriptor signKeyDescriptor = SAML2Utils
-					.createSAMLObject(KeyDescriptor.class);
-			signKeyDescriptor.setUse(UsageType.SIGNING);
-			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
-
+			
+			Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
 			Signature signature = CredentialProvider
-					.getIDPSignature(credential);
+					.getIDPSignature(metadataSigningCredential);
 			
 			idpEntitiesDescriptor.setSignature(signature);
 
@@ -139,9 +132,17 @@ public class MetadataAction implements IAction {
 				idpSSODescriptor.getArtifactResolutionServices().add(
 						artifactResolutionService);
 			}*/
+		
+			//set assertion signing key
+			Credential assertionSigingCredential = CredentialProvider
+					.getIDPAssertionSigningCredential();
 
+			KeyDescriptor signKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			signKeyDescriptor.setUse(UsageType.SIGNING);
+			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential));
 			idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
-			
+						
 			idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes());
 			
 			NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
@@ -184,7 +185,7 @@ public class MetadataAction implements IAction {
 
 			String metadataXML = sw.toString();
 
-			System.out.println("METADATA: " + metadataXML);
+			//System.out.println("METADATA: " + metadataXML);
 
 			httpResp.setContentType("text/xml");
 			httpResp.getOutputStream().write(metadataXML.getBytes());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
index c486d3ff2..57fa50384 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
@@ -37,7 +37,7 @@ public class ArtifactBinding implements IDecoder, IEncoder {
 			throws MessageEncodingException, SecurityException {
 		try {
 			Credential credentials = CredentialProvider
-					.getIDPSigningCredential();
+					.getIDPAssertionSigningCredential();
 
 			Signature signer = CredentialProvider.getIDPSignature(credentials);
 			response.setSignature(signer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 9319c306b..625782cab 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -44,7 +44,7 @@ public class PostBinding implements IDecoder, IEncoder {
 
 		try {
 			Credential credentials = CredentialProvider
-					.getIDPSigningCredential();
+					.getIDPAssertionSigningCredential();
 
 			Logger.debug("create SAML POSTBinding response");
 			
@@ -103,7 +103,7 @@ public class PostBinding implements IDecoder, IEncoder {
 
 		RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
 				.getInboundMessage();
-
+		
 		MOARequest request = new MOARequest(inboundMessage);
 		request.setVerified(false);
 		request.setEntityMetadata(messageContext.getPeerEntityMetadata());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 78b63e041..0fd639c1b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -49,7 +49,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
 			throws MessageEncodingException, SecurityException {
 		try {
 			Credential credentials = CredentialProvider
-					.getIDPSigningCredential();
+					.getIDPAssertionSigningCredential();
 
 			Logger.debug("create SAML RedirectBinding response");
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 3974e7fd5..1cfb0103e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -65,7 +65,7 @@ public class SoapBinding implements IDecoder, IEncoder {
 			throws MessageEncodingException, SecurityException, PVP2Exception {
 		try {
 			Credential credentials = CredentialProvider
-					.getIDPSigningCredential();
+					.getIDPAssertionSigningCredential();
 			
 			HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder();
 			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 116d3b740..b41331dab 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -46,10 +46,15 @@ public class PVPConfiguration {
 	public static final String PVP2_POST = "/pvp2/post";
 	
 	public static final String PVP_CONFIG_FILE = "pvp2config.properties";
+	
 	public static final String IDP_JAVAKEYSTORE = "idp.ks.file";
-	public static final String IDP_KEYALIAS = "idp.ks.alias";
 	public static final String IDP_KS_PASS = "idp.ks.kspassword";
-	public static final String IDP_KEY_PASS = "idp.ks.keypassword";
+	
+	public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias";	
+	public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword";
+
+	public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias";	
+	public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword";
 
 	public static final String IDP_ISSUER_NAME = "idp.issuer.name";
 
@@ -115,17 +120,25 @@ public class PVPConfiguration {
 	public String getIDPKeyStoreFilename() {
 		return props.getProperty(IDP_JAVAKEYSTORE);
 	}
-
+	
 	public String getIDPKeyStorePassword() {
 		return props.getProperty(IDP_KS_PASS);
 	}
 
-	public String getIDPKeyAlias() {
-		return props.getProperty(IDP_KEYALIAS);
+	public String getIDPKeyAliasMetadata() {
+		return props.getProperty(IDP_KEYALIASMETADATA);
+	}
+
+	public String getIDPKeyPasswordMetadata() {
+		return props.getProperty(IDP_KEY_PASSMETADATA);
+	}
+	
+	public String getIDPKeyAliasAssertionSign() {
+		return props.getProperty(IDP_KEYALIASASSERTION);
 	}
 
-	public String getIDPKeyPassword() {
-		return props.getProperty(IDP_KEY_PASS);
+	public String getIDPKeyPasswordAssertionSign() {
+		return props.getProperty(IDP_KEY_PASSASSERTION);
 	}
 
 	public String getIDPIssuerName() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
index cf0f48f1c..511caa908 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
@@ -1,6 +1,8 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
 
 import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPrivateKey;
 
 import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.credential.UsageType;
@@ -13,35 +15,73 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.KeyStoreUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 public class CredentialProvider {
-	public static Credential getIDPSigningCredential()
+	
+	private static KeyStore keyStore = null;
+	
+	public static Credential getIDPMetaDataSigningCredential()
 			throws CredentialsNotAvailableException {
-		KeyStore keyStore;
 		PVPConfiguration config = PVPConfiguration.getInstance();
 		try {
-			keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), 
-					config.getIDPKeyStorePassword());
+			
+			if (keyStore == null)
+				keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), 
+						config.getIDPKeyStorePassword());
 
 			KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
-					keyStore, config.getIDPKeyAlias(), config
-							.getIDPKeyPassword().toCharArray());
+					keyStore, config.getIDPKeyAliasMetadata(), config
+							.getIDPKeyPasswordMetadata().toCharArray());
 
 			credentials.setUsageType(UsageType.SIGNING);
 			return credentials;
 		} catch (Exception e) {
-			Logger.error("Failed to generate IDP Signing credentials");
+			Logger.error("Failed to generate IDP Metadata Signing credentials");
 			e.printStackTrace();
 			throw new CredentialsNotAvailableException(e.getMessage(), null);
 		}
 	}
 
+	public static Credential getIDPAssertionSigningCredential()
+			throws CredentialsNotAvailableException {
+		PVPConfiguration config = PVPConfiguration.getInstance();
+		try {
+			if (keyStore == null)
+				keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), 
+						config.getIDPKeyStorePassword());
+
+			KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(
+					keyStore, config.getIDPKeyAliasAssertionSign(), config
+							.getIDPKeyPasswordAssertionSign().toCharArray());
+
+			credentials.setUsageType(UsageType.SIGNING);
+			return credentials;
+		} catch (Exception e) {
+			Logger.error("Failed to generate IDP Assertion Signing credentials");
+			e.printStackTrace();
+			throw new CredentialsNotAvailableException(e.getMessage(), null);
+		}
+	}
+		
 	public static Signature getIDPSignature(Credential credentials) {
+		
+		PrivateKey privatekey = credentials.getPrivateKey();
+		
 		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
-		signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+		
+		if (privatekey instanceof RSAPrivateKey) {
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+			
+		} else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
+
+		}
+
+		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);		
 		signer.setSigningCredential(credentials);
 		return signer;
+		
 	}
 
 	public static Credential getSPTrustedCredential(String entityID)
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-24 11:32:38 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-24 11:32:38 +0100
commit	653fd79254188db598c0b980640fab912c9e39f7 (patch)
tree	9130bdec833580cba2146b41bbf4b744edec1795 /id
parent	1f46df486fbab558fb3e935dfed160f26e698ac0 (diff)
download	moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.tar.gz moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.tar.bz2 moa-id-spss-653fd79254188db598c0b980640fab912c9e39f7.zip