aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:33:37 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:45:37 +0100
commitf6ef9b2e21af5a55b9f2b360de3cff38c56904d6 (patch)
tree71c3e2dcdade53d820655a9b5f1aa1b451278f5f /id
parent75c7ab602fe14d56217f268ea80e787a5316288a (diff)
downloadmoa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.tar.gz
moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.tar.bz2
moa-id-spss-f6ef9b2e21af5a55b9f2b360de3cff38c56904d6.zip
add some more escaptions
Diffstat (limited to 'id')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java32
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java112
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java25
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java12
-rw-r--r--id/server/idserverlib/src/test/java/test/MOAIDTestCase.java3
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java5
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java35
-rw-r--r--id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java72
-rw-r--r--id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java2
-rw-r--r--id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java1
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java11
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java2
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java2
19 files changed, 225 insertions, 113 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index df1786402..bf75a3068 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -39,7 +39,6 @@ import org.apache.log4j.Logger;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
-import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
@@ -51,34 +50,18 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.security.MetadataCredentialResolver;
-import org.opensaml.security.MetadataCredentialResolverFactory;
-import org.opensaml.security.MetadataCriteria;
-import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.parse.BasicParserPool;
-import org.opensaml.xml.security.CriteriaSet;
-import org.opensaml.xml.security.credential.UsageType;
-import org.opensaml.xml.security.criteria.EntityIDCriteria;
-import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
-import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
-import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
-import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
-import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
-import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
-import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
@@ -86,7 +69,6 @@ import at.gv.egovernment.moa.id.configuration.Constants;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager;
import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils;
-import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;
import at.gv.egovernment.moa.id.configuration.exception.BasicActionException;
import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper;
@@ -160,7 +142,7 @@ public class IndexAction extends BasicAction {
if (MiscUtil.isNotEmpty(username)) {
if (ValidationHelper.containsNotValidCharacter(username, false)) {
- log.warn("Username contains potentail XSS characters: " + username);
+ log.warn("Username contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(username));
addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
return Constants.STRUTS_ERROR;
@@ -197,13 +179,13 @@ public class IndexAction extends BasicAction {
dbuser.setIsUsernamePasswordAllowed(true);
if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) {
- log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed");
+ log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " is not active or Username/Password login is not allowed");
addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request));
return Constants.STRUTS_ERROR;
}
if (!dbuser.getPassword().equals(key)) {
- log.warn("Username " + dbuser.getUsername() + " use a false password");
+ log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " use a false password");
addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request));
return Constants.STRUTS_ERROR;
}
@@ -615,7 +597,7 @@ public class IndexAction extends BasicAction {
check = user.getInstitut();
if (MiscUtil.isNotEmpty(check)) {
if (ValidationHelper.containsNotValidCharacter(check, false)) {
- log.warn("Organisation contains potentail XSS characters: " + check);
+ log.warn("Organisation contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(check));
addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
}
@@ -628,7 +610,7 @@ public class IndexAction extends BasicAction {
check = user.getMail();
if (MiscUtil.isNotEmpty(check)) {
if (!ValidationHelper.isEmailAddressFormat(check)) {
- log.warn("Mailaddress is not valid: " + check);
+ log.warn("Mailaddress is not valid: " + StringEscapeUtils.escapeHtml(check));
addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
}
@@ -640,7 +622,7 @@ public class IndexAction extends BasicAction {
check = user.getPhone();
if (MiscUtil.isNotEmpty(check)) {
if (!ValidationHelper.validatePhoneNumber(check)) {
- log.warn("No valid Phone Number: " + check);
+ log.warn("No valid Phone Number: " + StringEscapeUtils.escapeHtml(check));
addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 5a5d0bcf6..cc716f9f8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -352,6 +352,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
authData.setBkuURL(session.getGenericDataFromSession(PVPConstants.EID_CCS_URL_NAME, String.class));
+ //TODO: fully switch from STORK QAA to eIDAS LoA
//####################################################
//set QAA level
includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index 19f3fdc54..0397bd501 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -117,7 +117,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
config.putCustomParameter("successMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.00", null));
else
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
guiBuilder.build(resp, config, "Single-LogOut GUI");
@@ -213,7 +213,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT,
null);
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
guiBuilder.build(resp, config, "Single-LogOut GUI");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
index e0484eb1b..4e7a72da6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java
@@ -22,12 +22,19 @@
*/
package at.gv.egovernment.moa.id.data;
+import java.io.Serializable;
+
/**
* @author tlenz
*
*/
-public class EncryptedData {
+public class EncryptedData implements Serializable{
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
private byte[] encData = null;
private byte[] iv = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 3770dad2f..bb849a8d0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -659,7 +659,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} else {
revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
}
@@ -690,7 +690,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
null);
revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
- config.putCustomParameter("errorMsg",
+ config.putCustomParameterWithOutEscaption("errorMsg",
MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
index f17e4a99a..2395b913d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java
@@ -38,8 +38,11 @@ import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -106,18 +109,36 @@ public class DBTransactionStorage implements ITransactionStorage {
}
}
-
- public Object getAssertionStore(String key) throws MOADatabaseException{
- return searchInDatabase(key);
- }
-
+
public Object get(String key) throws MOADatabaseException {
AssertionStore element = searchInDatabase(key);
if (element == null)
return null;
+
+ Object data = SerializationUtils.deserialize(element.getAssertion());
- return SerializationUtils.deserialize(element.getAssertion());
+ //decrypt data if required
+ Object resultData = null;
+ if (data instanceof EncryptedData) {
+ Logger.trace("Find encrypted data. --> Starting decryption process ...");
+ try {
+ byte[] decData = decryptData((EncryptedData)data);
+ resultData = SerializationUtils.deserialize(decData);
+
+ } catch (BuildException e) {
+ Logger.warn("Transaction information decryption FAILED.", e);
+ throw new MOADatabaseException("Transaction information decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.trace("Find unencrypted data. --> Use it as is");
+ resultData = data;
+
+ }
+
+ return resultData;
}
@@ -141,13 +162,34 @@ public class DBTransactionStorage implements ITransactionStorage {
}
- //Deserialize Assertion
+ //Deserialize Assertion
Object data = SerializationUtils.deserialize(element.getAssertion());
+ //decrypt data if required
+ Object resultData = null;
+ if (data instanceof EncryptedData) {
+ Logger.trace("Find encrypted data. --> Starting decryption process ...");
+ try {
+ byte[] decData = decryptData((EncryptedData)data);
+ resultData = SerializationUtils.deserialize(decData);
+
+ } catch (BuildException e) {
+ Logger.warn("Transaction information decryption FAILED.", e);
+ throw new MOADatabaseException("Transaction information decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.trace("Find unencrypted data. --> Use it as is");
+ resultData = data;
+
+ }
+
+
//check if assertion has the correct class type
try {
@SuppressWarnings("unchecked")
- T test = (T) Class.forName(element.getType()).cast(data);
+ T test = (T) Class.forName(element.getType()).cast(resultData);
return test;
} catch (Exception e) {
@@ -198,6 +240,17 @@ public class DBTransactionStorage implements ITransactionStorage {
}
}
+ public Object getAssertionStore(String key) throws MOADatabaseException{
+ return searchInDatabase(key);
+
+ }
+
+ @Override
+ public void putAssertionStore(Object element) throws MOADatabaseException{
+ entityManager.merge(element);
+
+ }
+
private void cleanDelete(AssertionStore element) {
@@ -245,30 +298,33 @@ public class DBTransactionStorage implements ITransactionStorage {
throw new MOADatabaseException("Transaction-Storage can only store objects which implements the 'Seralizable' interface", null);
}
-
- //serialize the Assertion for Database storage
- byte[] data = SerializationUtils.serialize((Serializable) value);
- element.setAssertion(data);
-
- //store AssertionStore element to Database
- //try {
+
+ try {
+ //serialize the Assertion for Database storage
+ byte[] data = SerializationUtils.serialize((Serializable) value);
+ element.setAssertion(encryptData(data));
+
+ //store AssertionStore element to Database
entityManager.persist(element);
- //MOASessionDBUtils.saveOrUpdate(element);
- Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");
-//
-// } catch (MOADatabaseException e) {
-// Logger.warn("Sessioninformation could not be stored.");
-// throw new MOADatabaseException(e);
-//
-// }
+ Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");
+
+ } catch (BuildException e) {
+ Logger.warn("Sessioninformation could not be stored.");
+ throw new MOADatabaseException(e);
+
+ }
}
+
+ private static byte[] encryptData(byte[] data) throws BuildException {
+ EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(data);
+ return SerializationUtils.serialize(encdata);
- @Override
- public void putAssertionStore(Object element) throws MOADatabaseException{
- // TODO Auto-generated method stub
- entityManager.merge(element);
-
+ }
+
+ private static byte[] decryptData(EncryptedData encdata) throws BuildException {
+ return SessionEncrytionUtil.getInstance().decrypt(encdata);
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
index 53a7f4f5e..51a36d426 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java
@@ -114,6 +114,8 @@ public interface ITransactionStorage {
/**
* Get whole AssertionStoreObject, required for SLO
+ * <br>
+ * <b>IMPORTANT:</b> This method does NOT decrypt information before storage
*
* @param key key Id which identifiers the data object
* @return The transaction-data object, or null
@@ -123,6 +125,8 @@ public interface ITransactionStorage {
/**
* Put whole AssertionStoreObject to db, required for SLO
+ * <br>
+ * <b>IMPORTANT:</b> This method does NOT encrypt information before storage
*
* @param element assertion store object
*/
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
index b0d166951..84d40f619 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
@@ -22,9 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.util;
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
@@ -35,19 +32,26 @@ import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
-
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
public abstract class AbstractEncrytionUtil {
- protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+ //protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+
+ protected static final String CIPHER_MODE = "AES/GCM/NoPadding";
+ public static final int GCM_NONCE_LENGTH = 12; // in bytes
+ public static final int GCM_TAG_LENGTH = 16; // in bytes
+
protected static final String KEYNAME = "AES";
private SecretKey secret = null;
@@ -114,8 +118,15 @@ public abstract class AbstractEncrytionUtil {
if (secret != null) {
try {
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.ENCRYPT_MODE, secret);
+ final byte[] nonce = Random.nextBytes(GCM_NONCE_LENGTH);
+
+// final byte[] nonce = new byte[GCM_NONCE_LENGTH];
+// SecureRandom.getInstanceStrong().nextBytes(nonce);
+
+ GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce);
+
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.ENCRYPT_MODE, secret, spec);
Logger.debug("Encrypt MOASession");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
index ac2b3c415..38c384c3a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
@@ -151,6 +151,16 @@ public class Random {
}
+/**
+ * Creates a new random byte[]
+ *
+ * @param size Size of random number in byte
+ * @return
+ */
+public static byte[] nextBytes(int size) {
+ return nextByteRandom(size);
+
+}
public static void seedRandom() {
@@ -165,7 +175,7 @@ public class Random {
/**
* Generate a new random number
*
- * @param size Size of random number in bits
+ * @param size Size of random number in byte
* @return
*/
private static synchronized byte[] nextByteRandom(int size) {
diff --git a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java
index e28b154f4..b3a9d367f 100644
--- a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java
+++ b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java
@@ -56,10 +56,8 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.StreamUtils;
import at.gv.egovernment.moa.util.XPathUtils;
-
import iaik.ixsil.algorithms.Transform;
import iaik.ixsil.algorithms.TransformImplExclusiveCanonicalXML;
import iaik.ixsil.exceptions.AlgorithmException;
@@ -68,6 +66,7 @@ import iaik.ixsil.exceptions.URIException;
import iaik.ixsil.init.IXSILInit;
import iaik.ixsil.util.URI;
import test.at.gv.egovernment.moa.MOATestCase;
+import test.at.gv.egovernment.moa.util.FileUtils;
/*
* @author Paul Ivancsics
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
index 3730b36ce..9152f2549 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
@@ -27,6 +27,9 @@ package at.gv.egovernment.moa.logging;
import java.util.HashMap;
import java.util.Map;
+import org.apache.commons.lang3.StringEscapeUtils;
+
+
/**
* A utility class acting as a facade to the logging subsystem.
*
@@ -88,7 +91,7 @@ public class Logger {
private static String prepareMessage(Object message) {
if(null == message)
return "no message given";
- return message.toString();
+ return StringEscapeUtils.escapeHtml4(message.toString());
}
/**
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java
index 3291f8a15..8d6aea164 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java
@@ -53,40 +53,7 @@ public class FileUtils {
in.close();
return content;
}
-// /**
-// * Reads a file, given by URL, into a String.
-// * @param urlString file URL
-// * @param encoding character encoding
-// * @return file content
-// * @throws IOException on any exception thrown
-// */
-// public static String readURL(String urlString, String encoding) throws IOException {
-// byte[] content = readURL(urlString);
-// return new String(content, encoding);
-// }
-// /**
-// * Reads a file, given by filename, into a byte array.
-// * @param filename filename
-// * @return file content
-// * @throws IOException on any exception thrown
-// */
-// public static byte[] readFile(String filename) throws IOException {
-// BufferedInputStream in = new BufferedInputStream(new FileInputStream(filename));
-// byte[] content = StreamUtils.readStream(in);
-// in.close();
-// return content;
-// }
-// /**
-// * Reads a file, given by filename, into a String.
-// * @param filename filename
-// * @param encoding character encoding
-// * @return file content
-// * @throws IOException on any exception thrown
-// */
-// public static String readFile(String filename, String encoding) throws IOException {
-// byte[] content = readFile(filename);
-// return new String(content, encoding);
-// }
+
/**
* Reads a file from a resource.
* @param name resource name
diff --git a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java
new file mode 100644
index 000000000..8941ab4cf
--- /dev/null
+++ b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package test.at.gv.egovernment.moa.util;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import at.gv.egovernment.moa.util.StreamUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FileUtils extends at.gv.egovernment.moa.util.FileUtils {
+
+ /**
+ * Reads a file, given by URL, into a String.
+ * @param urlString file URL
+ * @param encoding character encoding
+ * @return file content
+ * @throws IOException on any exception thrown
+ */
+ public static String readURL(String urlString, String encoding) throws IOException {
+ byte[] content = readURL(urlString);
+ return new String(content, encoding);
+ }
+ /**
+ * Reads a file, given by filename, into a byte array.
+ * @param filename filename
+ * @return file content
+ * @throws IOException on any exception thrown
+ */
+ public static byte[] readFile(String filename) throws IOException {
+ BufferedInputStream in = new BufferedInputStream(new FileInputStream(filename));
+ byte[] content = StreamUtils.readStream(in);
+ in.close();
+ return content;
+ }
+ /**
+ * Reads a file, given by filename, into a String.
+ * @param filename filename
+ * @param encoding character encoding
+ * @return file content
+ * @throws IOException on any exception thrown
+ */
+ public static String readFile(String filename, String encoding) throws IOException {
+ byte[] content = readFile(filename);
+ return new String(content, encoding);
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java
index 2ded896d0..9196a8718 100644
--- a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java
+++ b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java
@@ -26,9 +26,7 @@ package test.at.gv.egovernment.moa.util;
import java.net.URLEncoder;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.URLDecoder;
-
import junit.framework.TestCase;
/*
diff --git a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java
index 5f72c8aad..d89e9f21f 100644
--- a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java
+++ b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java
@@ -24,7 +24,6 @@
package test.at.gv.egovernment.moa.util;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.URLDecoder;
import at.gv.egovernment.moa.util.URLEncoder;
import junit.framework.TestCase;
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index f54484307..cbc16cb38 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
@@ -19,7 +19,7 @@
parent.setBKUAvailable(false);
document.write('<form name="bkudetectform" method="POST" target="bkudetect" action="' + bkuurl + '" enctype="application/x-www-form-urlencoded">');
document.write('<input type="hidden" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;NullOperationRequest xmlns=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;/&gt;" />');
- document.write('<input type="hidden" name="RedirectURL" value="' + $contextPath + '/iframeLBKUdetected.html"/>');
+ document.write('<input type="hidden" name="RedirectURL" value="$contextPath/iframeLBKUdetected.html"/>');
document.write('</form>');
try {
document.bkudetectform.submit();
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index c9bc31f6c..faeb0158b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -67,7 +67,6 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.util.XMLUtil;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -1203,9 +1202,13 @@ public class AuthenticationServer extends BaseAuthenticationServer {
public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException {
NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate");
-
- String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList);
-
+
+ String base64CertString = null;
+ if (nList != null && nList.getLength() != 0) {
+ base64CertString = nList.item(0).getTextContent();
+
+ }
+
if (StringUtils.isEmpty(base64CertString)) {
String msg = "XML does not contain a X509Certificate element.";
Logger.error(msg);
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index dc55df05b..af64e745e 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -558,7 +558,7 @@ public class SSOTransferServlet{
String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray());
config.putCustomParameter("QRImage", base64EncodedImage);
- config.putCustomParameter("successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation.");
+ config.putCustomParameterWithOutEscaption("successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation.");
guiBuilder.build(resp, config, "SSO-Session Transfer-Module");
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
index fe164c514..5c66f257d 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
@@ -104,7 +104,7 @@ public class GUIUtils {
null);
config.putCustomParameter("QRImage", base64EncodedImage);
- config.putCustomParameter("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process.");
+ config.putCustomParameterWithOutEscaption("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process.");
config.putCustomParameterWithOutEscaption("timeoutURL", containerURL);
config.putCustomParameter("timeout", REFESH_TIMEOUT);