implement SAML2 assertion encryption

9 files changed, 192 insertions, 15 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
index 8684b8cc1..7e00b8084 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
@@ -150,7 +150,7 @@ public class Authenticate extends HttpServlet {
 					redirectEndpoint = sss;  
 				}  
 			}
-						
+			
 			authReq.setDestination(redirectEndpoint.getLocation());
 			
 			RequestedAuthnContext reqAuthContext = 
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
index fa02443dc..cdb28922c 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
@@ -142,21 +142,38 @@ public class BuildMetadata extends HttpServlet {
 			entitiesSignKeyDescriptor.setUse(UsageType.SIGNING);
 			entitiesSignKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingcredential));
 			Signature entitiesSignature = getSignature(signingcredential);
-			
+			spEntitiesDescriptor.setSignature(entitiesSignature);
+
+			//Set AuthRequest Signing certificate
 			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
 					keyStore, 
 					config.getPVP2KeystoreAuthRequestKeyAlias(), 
-					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
-			
-			
-			//Set AuthRequest Signing certificate
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());			
 			KeyDescriptor signKeyDescriptor = SAML2Utils
 					.createSAMLObject(KeyDescriptor.class);
 			signKeyDescriptor.setUse(UsageType.SIGNING);
 			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	
-			spEntitiesDescriptor.setSignature(entitiesSignature);
 			spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
 			
+			
+			//set AuthRequest encryption certificate
+			if (MiscUtil.isNotEmpty(config.getPVP2KeystoreAuthRequestEncryptionKeyAlias())) {
+				X509Credential authEncCredential = new KeyStoreX509CredentialAdapter(
+						keyStore, 
+						config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+						config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());			
+				KeyDescriptor encryKeyDescriptor = SAML2Utils
+						.createSAMLObject(KeyDescriptor.class);
+				encryKeyDescriptor.setUse(UsageType.ENCRYPTION);
+				encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));	
+				spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor);
+				
+			} else {
+				log.warn("No Assertion Encryption-Key defined. This setting is not recommended!");
+				
+			}
+			
+			
 			NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
 			persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
 			
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index fb468967c..6b30c0cfa 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -258,6 +258,14 @@ public class ConfigurationProvider {
 		return props.getProperty("general.login.pvp2.keystore.authrequest.key.password");
 	}
 	
+	public String getPVP2KeystoreAuthRequestEncryptionKeyAlias() {
+		return props.getProperty("general.login.pvp2.keystore.authrequest.encryption.key.alias");
+	}
+	
+	public String getPVP2KeystoreAuthRequestEncryptionKeyPassword() {
+		return props.getProperty("general.login.pvp2.keystore.authrequest.encryption.key.password");
+	}
+	
 	public String getPVP2IDPMetadataURL() {
 		return props.getProperty("general.login.pvp2.idp.metadata.url");
 	}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index c82746dbc..b5896aecf 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -1,5 +1,6 @@
 package at.gv.egovernment.moa.id.configuration.struts.action;
 
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.Enumeration;
@@ -23,18 +24,24 @@ import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeStatement;
 import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.NameID;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.security.MetadataCredentialResolver;
 import org.opensaml.security.MetadataCredentialResolverFactory;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.security.SAMLSignatureProfileValidator;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
 import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.credential.UsageType;
@@ -43,9 +50,12 @@ import org.opensaml.xml.security.criteria.UsageCriteria;
 import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
 import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
 import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
 import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
 import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
 import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.signature.Signature;
 import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
 
@@ -261,8 +271,47 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 				
 				if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
 			
-					List<org.opensaml.saml2.core.Assertion> saml2assertions = samlResponse.getAssertions();
-										
+					List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+					
+					//check encrypted Assertion
+					List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+					if (encryAssertionList != null && encryAssertionList.size() > 0) {
+						//decrypt assertions
+						
+						log.debug("Found encryped assertion. Start decryption ...");
+						
+						KeyStore keyStore = config.getPVP2KeyStore();
+						
+						X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+								keyStore, 
+								config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+								config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+						
+						
+						StaticKeyInfoCredentialResolver skicr =
+								  new StaticKeyInfoCredentialResolver(authDecCredential);
+						
+						ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+						encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+						encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+						encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+						
+						Decrypter samlDecrypter =
+								  new Decrypter(null, skicr, encryptedKeyResolver);
+						
+						for (EncryptedAssertion encAssertion : encryAssertionList) {							
+							saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+
+						}
+						
+						log.debug("Assertion decryption finished. ");
+						
+					} else {
+						saml2assertions = samlResponse.getAssertions();
+				
+					}
+					
+								
 					if (MiscUtil.isEmpty(authID)) {
 						log.info("NO AuthRequestID");
 						return Constants.STRUTS_ERROR;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 232ad315f..2fe52d032 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -67,7 +67,7 @@ public class PostBinding implements IDecoder, IEncoder {
 					.buildObject();
 			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 			service.setLocation(targetLocation);
-			context.setOutboundSAMLMessageSigningCredential(credentials);
+			context.setOutboundSAMLMessageSigningCredential(credentials);			
 			context.setPeerEntityEndpoint(service);
 			// context.setOutboundMessage(authReq);
 			context.setOutboundSAMLMessage(response);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index f21567245..eaa570ab1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -144,7 +144,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 
 		SPSSODescriptor spSSODescriptor = peerEntity
 				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
+		
 		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
 		int idx = 0;
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
new file mode 100644
index 000000000..142227a59
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
@@ -0,0 +1,14 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+import org.opensaml.saml2.core.StatusCode;
+
+public class InvalidAssertionEncryptionException extends PVP2Exception {
+
+	private static final long serialVersionUID = 6513388841485355549L;
+
+	public InvalidAssertionEncryptionException() {
+		super("pvp2.16", new Object[]{});
+		this.statusCodeValue = StatusCode.REQUESTER_URI;
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index fec21df9e..c3884f9d8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,22 +1,45 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
 
+import java.util.ArrayList;
 import java.util.Date;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.joda.time.DateTime;
+import org.opensaml.Configuration;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.NameID;
 import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder;
+import org.opensaml.saml2.encryption.Encrypter;
+import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCriteria;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.encryption.EncryptionException;
+import org.opensaml.xml.encryption.EncryptionParameters;
+import org.opensaml.xml.encryption.KeyEncryptionParameters;
+import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.KeyInfo;
 
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -30,6 +53,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -49,10 +74,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		EntityDescriptor peerEntity = obj.getEntityMetadata();
 		
 		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity);
-
+		
 		Response authResponse = SAML2Utils.createSAMLObject(Response.class);
 
-
 		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
 		
 		//TODO: check!
@@ -67,7 +91,6 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		//SAML2 response required IssueInstant
 		authResponse.setIssueInstant(new DateTime());
 		
-		authResponse.getAssertions().add(assertion);
 		authResponse.setStatus(SAML2Utils.getSuccessStatus());
 
 		Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
@@ -84,10 +107,75 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 				.getAssertionConsumerServices().get(idx);
 
 		if (consumerService == null) {
+			//TODO: maybe use default ConsumerService
+			
 			throw new InvalidAssertionConsumerServiceException(idx);
+			
 		}
 		String oaURL = consumerService.getLocation();
 
+		//check, if metadata includes an encryption key				
+		MetadataCredentialResolver mdCredResolver = 
+				new MetadataCredentialResolver(MOAMetadataProvider.getInstance());
+	
+		CriteriaSet criteriaSet = new CriteriaSet();
+		criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) );
+		criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+		criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) );
+	
+		X509Credential encryptionCredentials = null;
+		try {
+			encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet);
+				
+		} catch (SecurityException e2) {
+			Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2);
+			throw new InvalidAssertionEncryptionException();
+			
+		}
+	
+		if (encryptionCredentials != null) {
+			//encrypt SAML2 assertion
+				
+			try {
+				
+				EncryptionParameters dataEncParams = new EncryptionParameters();
+				dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
+			
+				List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();
+				KeyEncryptionParameters  keyEncParam = new KeyEncryptionParameters();
+			
+				keyEncParam.setEncryptionCredential(encryptionCredentials);
+				keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
+				KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
+						.getKeyInfoGeneratorManager().getDefaultManager()
+						.getFactory(encryptionCredentials);
+				keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+				keyEncParamList.add(keyEncParam);
+			
+				Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); 
+				//samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
+				samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+				
+				EncryptedAssertion encryptAssertion = null;
+				
+				encryptAssertion = samlEncrypter.encrypt(assertion);
+
+				authResponse.getEncryptedAssertions().add(encryptAssertion);
+				
+				} catch (EncryptionException e1) {
+					Logger.warn("Can not encrypt the PVP2 assertion", e1);
+					throw new InvalidAssertionEncryptionException();
+					
+				} 
+
+			} else {
+				authResponse.getAssertions().add(assertion);
+				
+			}
+			
+
+
+		
 		IEncoder binding = null;
 
 		if (consumerService.getBinding().equals(
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index afe14daee..7e8f679b4 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -218,4 +218,5 @@ pvp2.11=Binding {0} wird nicht unterstuetzt
 pvp2.12=NameID Format {0} wird nicht unterstuetzt

 pvp2.13=Interner Server Fehler

 pvp2.14=SAML Anfrage verweigert

-pvp2.15=Keine Metadateninformation gefunden
+pvp2.15=Keine Metadateninformation gefunden

+pvp2.16=Fehler beim verschl\u00FCsseln der PVP2 Assertion