aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--id/server/auth-edu/pom.xml14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java37
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties9
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties6
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/X509Utils.java62
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/pom.xml68
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java44
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java95
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationSpringResourceProvider.java28
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java58
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/data/VerificationResult.java39
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20Exception.java19
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20SecurityException.java20
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoBuildException.java17
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoParserException.java17
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java37
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java221
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java180
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java42
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java606
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java259
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java176
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java228
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider1
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml33
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml20
-rw-r--r--id/server/modules/pom.xml12
-rw-r--r--pom.xml6
32 files changed, 2379 insertions, 13 deletions
diff --git a/id/server/auth-edu/pom.xml b/id/server/auth-edu/pom.xml
index 34c74d926..455278edd 100644
--- a/id/server/auth-edu/pom.xml
+++ b/id/server/auth-edu/pom.xml
@@ -206,10 +206,16 @@
<dependency>
<groupId>MOA.id.server.modules</groupId>
<artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId>
- </dependency>
-
-
-<!-- <dependency>
+ </dependency>
+
+ <dependency>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-module-sl20_authentication</artifactId>
+ </dependency>
+
+
+<!--
+ <dependency>
<groupId>org.apache.santuario</groupId>
<artifactId>xmlsec</artifactId>
</dependency> -->
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index c78361eda..583bb2ab4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -84,7 +84,9 @@ public class DataURLBuilder {
dataURL = authBaseURL + authServletName;
- dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+ if (sessionID != null)
+ dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+
return dataURL;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index f61b9a4da..50cafb4f6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -134,7 +134,12 @@ public abstract class AbstractController extends MOAIDAuthConstants {
try {
//switch to protocol-finalize method to generate a protocol-specific error message
-
+
+ //log error directly in debug mode
+ if (Logger.isDebugEnabled())
+ Logger.warn(loggedException.getMessage(), loggedException);
+
+
//put exception into transaction store for redirect
String key = Random.nextLongRandom();
if (pendingReq != null) {
@@ -147,7 +152,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
new ExceptionContainer(null, loggedException),-1);
}
-
+
//build up redirect URL
String redirectURL = null;
redirectURL = ServletUtils.getBaseUrl(req);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 32f103ca7..18641c090 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -55,7 +55,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
// wake up next task
processEngine.signal(pendingReq);
- } catch (Exception ex) {
+ } catch (Exception ex) {
handleError(null, ex, req, resp, pendingReq);
} finally {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7f183c5eb..a24683545 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -92,6 +92,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class AuthenticationManager extends MOAIDAuthConstants {
private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
+ private static List<String> reqHeaderWhiteListeForModules = new ArrayList<String>();
public static final String MOA_SESSION = "MoaAuthenticationSession";
public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -321,6 +322,16 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
+ /**
+ * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext}
+ *
+ * @param httpReqParam http header name, but never null
+ */
+ public void addHeaderNameToWhiteList(String httpReqParam) {
+ if (MiscUtil.isNotEmpty(httpReqParam))
+ reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+
+ }
/**
* Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
@@ -422,6 +433,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
}
+ //add additional http request parameter to context
+ if (!reqHeaderWhiteListeForModules.isEmpty()) {
+ Enumeration<String> reqHeaderNames = httpReq.getHeaderNames();
+ while(reqHeaderNames.hasMoreElements()) {
+ String paramName = reqHeaderNames.nextElement();
+ if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
+ executionContext.put(paramName,
+ StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));
+ }
+ }
+ }
+
//start process engine
startProcessEngine(pendingReq, executionContext);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index cd700c74a..611dff3b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -89,6 +89,43 @@ public class SSLUtils {
}
+ public static SSLSocketFactory getSSLSocketFactory(
+ ConfigurationProvider conf, String url )
+ throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+
+ // else create new SSLSocketFactory
+ String trustStoreURL = conf.getTrustedCACertificates();
+
+ if (trustStoreURL == null)
+ throw new ConfigurationException(
+ "config.08", new Object[] {"TrustedCACertificates"});
+
+ String acceptedServerCertURL = "";
+
+ //INFO: MOA-ID 2.x always use defaultChainingMode
+
+ try {
+ SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+ url,
+ null,
+ trustStoreURL,
+ acceptedServerCertURL,
+ AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),
+ AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+ AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
+ null,
+ null,
+ "pkcs12");
+
+ return ssf;
+
+ } catch (SSLConfigurationException e) {
+ throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE());
+
+ }
+ }
+
+
/**
* Creates an <code>SSLSocketFactory</code> which utilizes an
* <code>IAIKX509TrustManager</code> for the given trust store,
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 4205f2175..9cc4b0b5e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -336,3 +336,12 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
process.01=Fehler beim Ausf\u00FChren des Prozesses.
process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
+
+sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
+sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
+sl20.02=Fehler beim Parsen des SL2.0 Kommandos. Msg: {0}
+sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}
+sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
+sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
+sl20.06=Http transport-binding error. Reason: {0}
+
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 0a37fdc91..6de581cae 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -253,6 +253,12 @@ oauth20.06=1000
oauth20.09=9005
oauth20.10=9102
+sl20.00=14999
+sl20.01=14000
+sl20.02=14001
+sl20.03=14800
+sl20.04=14001
+
##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
mis.301=1005
bku.6001=1005 \ No newline at end of file
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/X509Utils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/X509Utils.java
new file mode 100644
index 000000000..026b1a5fb
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/X509Utils.java
@@ -0,0 +1,62 @@
+package at.gv.egovernment.moa.id.commons.utils;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.security.auth.x500.X500Principal;
+
+public class X509Utils {
+
+ /**
+ * Sorts the Certificate Chain by IssuerDN and SubjectDN. The [0]-Element should be the Hostname,
+ * the last Element should be the Root Certificate.
+ *
+ * @param certs
+ * The first element must be the correct one.
+ * @return sorted Certificate Chain
+ */
+ public static List<X509Certificate> sortCertificates(
+ List<X509Certificate> certs)
+ {
+ int length = certs.size();
+ if (certs.size() <= 1)
+ {
+ return certs;
+ }
+
+ for (X509Certificate cert : certs)
+ {
+ if (cert == null)
+ {
+ throw new NullPointerException();
+ }
+ }
+
+ for (int i = 0; i < length; i++)
+ {
+ boolean found = false;
+ X500Principal issuer = certs.get(i).getIssuerX500Principal();
+ for (int j = i + 1; j < length; j++)
+ {
+ X500Principal subject = certs.get(j).getSubjectX500Principal();
+ if (issuer.equals(subject))
+ {
+ // sorting necessary?
+ if (i + 1 != j)
+ {
+ X509Certificate tmp = certs.get(i + 1);
+ certs.set(i + 1, certs.get(j));
+ certs.set(j, tmp);
+ }
+ found = true;
+ }
+ }
+ if (!found)
+ {
+ break;
+ }
+ }
+
+ return certs;
+ }
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/pom.xml b/id/server/modules/moa-id-module-sl20_authentication/pom.xml
new file mode 100644
index 000000000..d08e0f0ec
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-modules</artifactId>
+ <version>${moa-id-version}</version>
+ </parent>
+ <artifactId>moa-id-module-sl20_authentication</artifactId>
+ <name>moa-id-module-sl20_authentication</name>
+ <url>http://maven.apache.org</url>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <repositoryPath>${basedir}/../../../../repository</repositoryPath>
+ </properties>
+
+ <profiles>
+ <profile>
+ <id>default</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ </activation>
+ <repositories>
+ <repository>
+ <id>local</id>
+ <name>local</name>
+ <url>file:${basedir}/../../../../repository</url>
+ </repository>
+ <repository>
+ <id>egiz-commons</id>
+ <url>https://demo.egiz.gv.at/int-repo/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ </repository>
+ </repositories>
+ </profile>
+ </profiles>
+
+
+ <dependencies>
+ <dependency>
+ <groupId>MOA.id.server</groupId>
+ <artifactId>moa-id-lib</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ <version>2.8.2</version>
+ </dependency>
+ <dependency>
+ <groupId>org.bitbucket.b_c</groupId>
+ <artifactId>jose4j</artifactId>
+ <version>0.6.3</version>
+ </dependency>
+
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+</project>
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
new file mode 100644
index 000000000..7a58648cc
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -0,0 +1,44 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth;
+
+public class Constants {
+
+ public static final String HTTP_ENDPOINT_DATAURL = "/sl20/dataUrl";
+
+ public static final String CONFIG_PROP_PREFIX = "modules.sl20";
+ public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
+ public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";
+
+ public static final String CONFIG_PROP_SECURITY_KEYSTORE_PATH = CONFIG_PROP_PREFIX + ".security.keystore.path";
+ public static final String CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD = CONFIG_PROP_PREFIX + ".security.keystore.password";
+ public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS = CONFIG_PROP_PREFIX + ".security.sign.alias";
+ public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD = CONFIG_PROP_PREFIX + ".security.sign.password";
+ public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS = CONFIG_PROP_PREFIX + ".security.encryption.alias";;
+ public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD = CONFIG_PROP_PREFIX + ".security.encryption.password";
+
+
+ public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";
+
+ /**
+ * Only dummy data for development!!!!!!
+ */
+ public static final String DUMMY_SIGNING_CERT =
+ "MIIC9zCCAd8CBFretWcwDQYJKoZIhvcNAQEOBQAwQDELMAkGA1UEBhMCQVQxDTAL\n" +
+ "BgNVBAoMBEVHSVoxIjAgBgNVBAMMGW93biBkdW1teSBtZXRhZGF0YSBzaWduZXIw\n" +
+ "HhcNMTgwNDI0MDQ0MTExWhcNMjEwMTE3MDQ0MTExWjBAMQswCQYDVQQGEwJBVDEN\n" +
+ "MAsGA1UECgwERUdJWjEiMCAGA1UEAwwZb3duIGR1bW15IG1ldGFkYXRhIHNpZ25l\n" +
+ "cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvN3l1pjzlnmoW5trHH\n" +
+ "Rb1s60QtGNp2v1nfMg1R6h7SzygtmO869v5bqrVBBVGmujslr7W8cZ2DLmJoQx1N\n" +
+ "WwhccjXTHpNPw0B70qHGch2uRNkqkizSOlwth0Ll2DJtzxTolbajYdg+xppXScUq\n" +
+ "WNlNZndauPSnB2CESgNkaUou4x4YVSDInugAtLvdLx8rf2YcuidI6UIXxeSZr3VO\n" +
+ "Z12YtddzcJ+lwh7OX8B0UvLsdYjKjefjEudyuNBmVwLv4K2LsFhSqgE1CAzk3oCb\n" +
+ "V2A84klaWVPiXoBiOucyouvX781WVp1aCBp0QA8gpJH7/2wRsdPQ90tjMzM7dcgY\n" +
+ "LDkCAwEAATANBgkqhkiG9w0BAQ4FAAOCAQEAQuYRQcCNLDYU1ItliYz9f28+KDyU\n" +
+ "8WjF3NDZrlJbGSKQ4n7wkBfxdK3zprmpHadWDB+aZaPt/+voE2FduzPiLUDlpazN\n" +
+ "60JJ5/YHZ3q9MZvdoNg6rjkpioWatoj/smUkT6oUWL/gp8tH12fOd2oJygBqXMve\n" +
+ "3y3qVCghnjRaMYuXcScTZcjH9yebkTLygirtw34oGVb7t+HwbtcN65fUIBly6Rcl\n" +
+ "8NV3pwOKhXFKDAqXUpvhebL4+tWOqPdqfIfGaE6rELfTf3icGY3CQCzDz5Gp0Ptc\n" +
+ "TfQqm64xnhtAruXNJXWg2ptg+GuQgWnJUgQ8wLNMxw9XdeEwlQo5dL6xmg==";
+
+ public static final String DUMMY_SIGNING_CERT_FINGERPRINT = "IwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvN3l1pjzlnmoW";
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
new file mode 100644
index 000000000..a4044ce21
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SL20AuthenticationModulImpl implements AuthModule {
+
+ private int priority = 3;
+
+ @Autowired(required=true) protected AuthConfiguration authConfig;
+ @Autowired(required=true) private AuthenticationManager authManager;
+
+ @Override
+ public int getPriority() {
+ return priority;
+ }
+
+ /**
+ * Sets the priority of this module. Default value is {@code 0}.
+ * @param priority The priority.
+ */
+ public void setPriority(int priority) {
+ this.priority = priority;
+ }
+
+ @PostConstruct
+ protected void initalSL20Authentication() {
+ //parameter to whiteList
+ authManager.addHeaderNameToWhiteList(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE);
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+ */
+ @Override
+ public String selectProcess(ExecutionContext context) {
+ if (StringUtils.isNotBlank((String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase())) ||
+ StringUtils.isNotBlank((String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE))) {
+ Logger.trace(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "' header found");
+ return "SL20Authentication";
+
+ } else {
+ Logger.trace("No '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "' header found");
+ return null;
+
+ }
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+ */
+ @Override
+ public String[] getProcessDefinitions() {
+ return new String[] { "classpath:sl20.Authentication.process.xml" };
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationSpringResourceProvider.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationSpringResourceProvider.java
new file mode 100644
index 000000000..2658a363d
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationSpringResourceProvider.java
@@ -0,0 +1,28 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+public class SL20AuthenticationSpringResourceProvider implements SpringResourceProvider {
+
+ @Override
+ public String getName() {
+ return "MOA-ID Security-Layer 2.0 Authentication SpringResourceProvider";
+ }
+
+ @Override
+ public String[] getPackagesToScan() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Resource[] getResourcesToLoad() {
+ ClassPathResource sl20AuthConfig = new ClassPathResource("/moaid_sl20_auth.beans.xml", SL20AuthenticationSpringResourceProvider.class);
+
+ return new Resource[] {sl20AuthConfig};
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java
new file mode 100644
index 000000000..87d306822
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class SL20SignalServlet extends AbstractProcessEngineSignalController {
+
+ public SL20SignalServlet() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName() +
+ " with mappings '"+ Constants.HTTP_ENDPOINT_DATAURL + "'.");
+
+ }
+
+ @RequestMapping(value = { Constants.HTTP_ENDPOINT_DATAURL
+ },
+ method = {RequestMethod.POST, RequestMethod.GET})
+ public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ signalProcessManagement(req, resp);
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/data/VerificationResult.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/data/VerificationResult.java
new file mode 100644
index 000000000..2a24096f9
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/data/VerificationResult.java
@@ -0,0 +1,39 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.data;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import com.google.gson.JsonObject;
+
+public class VerificationResult {
+
+ private Boolean validSigned = null;
+ private List<X509Certificate> certs = null;
+ private JsonObject payload = null;
+
+ public VerificationResult(JsonObject payload) {
+ this.payload = payload;
+
+ }
+
+ public VerificationResult(JsonObject string, List<X509Certificate> certs, boolean wasValidSigned) {
+ this.payload = string;
+ this.certs = certs;
+ this.validSigned = wasValidSigned;
+
+ }
+
+ public Boolean isValidSigned() {
+ return validSigned;
+ }
+ public List<X509Certificate> getCertChain() {
+ return certs;
+ }
+ public JsonObject getPayload() {
+ return payload;
+ }
+
+
+
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20Exception.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20Exception.java
new file mode 100644
index 000000000..898bd7097
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20Exception.java
@@ -0,0 +1,19 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions;
+
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+
+public class SL20Exception extends MOAIDException {
+
+ private static final long serialVersionUID = 1L;
+
+ public SL20Exception(String messageId, Object[] parameters) {
+ super(messageId, parameters);
+
+ }
+
+ public SL20Exception(String messageId, Object[] parameters, Throwable wrapped) {
+ super(messageId, parameters, wrapped);
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20SecurityException.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20SecurityException.java
new file mode 100644
index 000000000..3bea12cb1
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20SecurityException.java
@@ -0,0 +1,20 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions;
+
+public class SL20SecurityException extends SL20Exception {
+
+ private static final long serialVersionUID = 3281385988027147449L;
+
+ public SL20SecurityException(Object[] parameters) {
+ super("sl20.05", parameters);
+ }
+
+ public SL20SecurityException(String parameter) {
+ super("sl20.05", new Object[] {parameter});
+ }
+
+ public SL20SecurityException(Object[] parameters, Throwable wrapped) {
+ super("sl20.05", parameters, wrapped);
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoBuildException.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoBuildException.java
new file mode 100644
index 000000000..35cf728f6
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoBuildException.java
@@ -0,0 +1,17 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions;
+
+public class SLCommandoBuildException extends SL20Exception {
+
+ private static final long serialVersionUID = 1L;
+
+
+ public SLCommandoBuildException(String msg) {
+ super("sl20.01", new Object[]{msg});
+
+ }
+
+ public SLCommandoBuildException(String msg, Throwable e) {
+ super("sl20.01", new Object[]{msg}, e);
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoParserException.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoParserException.java
new file mode 100644
index 000000000..f36e8ad82
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SLCommandoParserException.java
@@ -0,0 +1,17 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions;
+
+public class SLCommandoParserException extends SL20Exception {
+
+ private static final long serialVersionUID = 1L;
+
+
+ public SLCommandoParserException(String msg) {
+ super("sl20.02", new Object[]{msg});
+
+ }
+
+ public SLCommandoParserException(String msg, Throwable e) {
+ super("sl20.02", new Object[]{msg}, e);
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
new file mode 100644
index 000000000..bcbda3faf
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java
@@ -0,0 +1,37 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
+
+import java.security.cert.X509Certificate;
+
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuildException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
+
+public interface IJOSETools {
+
+ /**
+ * Create a JWS signature
+ *
+ * @param payLoad Payload to sign
+ * @throws SLCommandoBuildException
+ */
+ public String createSignature(String payLoad) throws SLCommandoBuildException;
+
+ /**
+ * Validates a JWS signature
+ *
+ * @param serializedContent
+ * @return
+ * @throws SLCommandoParserException
+ * @throws SL20Exception
+ */
+ public VerificationResult validateSignature(String serializedContent) throws SL20Exception;
+
+ /**
+ * Get the encryption certificate for SL2.0 End-to-End encryption
+ *
+ * @return
+ */
+ public X509Certificate getEncryptionCertificate();
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
new file mode 100644
index 000000000..7dd5c39ab
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -0,0 +1,221 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
+
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.annotation.PostConstruct;
+
+import org.jose4j.jwa.AlgorithmConstraints;
+import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.lang.JoseException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParser;
+
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20SecurityException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuildException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.utils.X509Utils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+
+@Service
+public class JsonSecurityUtils implements IJOSETools{
+
+ @Autowired(required=true) AuthConfiguration authConfig;
+ private Key signPrivKey = null;
+ private X509Certificate[] signCertChain = null;
+
+ private Key encPrivKey = null;
+ private X509Certificate[] encCertChain = null;
+
+ @PostConstruct
+ protected void initalize() {
+ Logger.info("Initialize SL2.0 authentication security constrains ... ");
+ try {
+ KeyStore keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),
+ getKeyStorePassword());
+
+ //load signing key
+ signPrivKey = keyStore.getKey(getSigningKeyAlias(), getSigningKeyPassword().toCharArray());
+ Certificate[] certChainSigning = keyStore.getCertificateChain(getSigningKeyAlias());
+ signCertChain = new X509Certificate[certChainSigning.length];
+ for (int i=0; i<certChainSigning.length; i++) {
+ if (certChainSigning[i] instanceof X509Certificate) {
+ signCertChain[i] = (X509Certificate)certChainSigning[i];
+ } else
+ Logger.warn("NO X509 certificate for signing: " + certChainSigning[i].getType());
+
+ }
+
+ //load encryption key
+ try {
+ encPrivKey = keyStore.getKey(getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray());
+ if (encPrivKey != null) {
+ Certificate[] certChainEncryption = keyStore.getCertificateChain(getSigningKeyAlias());
+ encCertChain = new X509Certificate[certChainEncryption.length];
+ for (int i=0; i<certChainEncryption.length; i++) {
+ if (certChainEncryption[i] instanceof X509Certificate) {
+ encCertChain[i] = (X509Certificate)certChainEncryption[i];
+ } else
+ Logger.warn("NO X509 certificate for encryption: " + certChainEncryption[i].getType());
+ }
+ } else
+ Logger.info("No encryption key for SL2.0 found. End-to-End encryption is not used.");
+
+ } catch (Exception e) {
+ Logger.warn("No encryption key for SL2.0 found. End-to-End encryption is not used. Reason: " + e.getMessage(), e);
+
+ }
+
+ //some short validation
+ if (signPrivKey == null || !(signPrivKey instanceof PrivateKey)) {
+ Logger.info("Can NOT open privateKey for SL2.0 signing. KeyStore=" + getKeyStoreFilePath());
+ throw new SL20Exception("sl20.03", new Object[]{"Can NOT open private key for signing"});
+
+ }
+
+ if (signCertChain == null || signCertChain.length == 0) {
+ Logger.info("NO certificate for SL2.0 signing. KeyStore=" + getKeyStoreFilePath());
+ throw new SL20Exception("sl20.03", new Object[]{"NO certificate for SL2.0 signing"});
+
+ }
+
+ Logger.info("SL2.0 authentication security constrains initialized.");
+
+ } catch ( Exception e) {
+ Logger.error("SL2.0 security constrains initialization FAILED.", e);
+
+ }
+
+ }
+
+
+ @Override
+ public String createSignature(String payLoad) throws SLCommandoBuildException {
+ try {
+ JsonWebSignature jws = new JsonWebSignature();
+
+ //set payload
+ jws.setPayload(payLoad);
+
+ //set basic header
+ jws.setContentTypeHeaderValue(SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND);
+
+ //set signing information
+ jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
+ jws.setKey(signPrivKey);
+ jws.setCertificateChainHeaderValue(signCertChain);
+
+ return jws.getCompactSerialization();
+
+ } catch (JoseException e) {
+ Logger.warn("Can NOT sign SL2.0 command.", e);
+ throw new SLCommandoBuildException("Can NOT sign SL2.0 command.", e);
+
+ }
+
+ }
+
+ @Override
+ public VerificationResult validateSignature(String serializedContent) throws SL20Exception {
+ try {
+ JsonWebSignature jws = new JsonWebSignature();
+ //set payload
+ jws.setCompactSerialization(serializedContent);
+
+ //set security constrains
+ jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST,
+ SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()])));
+
+ //load signinc certs
+ List<X509Certificate> x5cCerts = jws.getCertificateChainHeaderValue();
+ List<X509Certificate> sortedX5cCerts = null;
+ if (x5cCerts == null || x5cCerts.size() < 1) {
+ Logger.info("Signed SL2.0 response contains NO signature certificate");
+ throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate");
+
+ }
+ Logger.trace("Sorting received X509 certificates ... ");
+ sortedX5cCerts = X509Utils.sortCertificates(x5cCerts);
+
+ //set verification key
+ jws.setKey(sortedX5cCerts.get(0).getPublicKey());
+
+ //validate signature
+ boolean valid = jws.verifySignature();
+ if (!valid) {
+ Logger.info("JWS signature invalide. Stopping authentication process ...");
+ Logger.debug("Received JWS msg: " + serializedContent);
+ throw new SL20SecurityException("JWS signature invalide.");
+
+ }
+
+ //load payLoad
+ JsonElement sl20Req = new JsonParser().parse(jws.getPayload());
+
+ return new VerificationResult(sl20Req.getAsJsonObject(), sortedX5cCerts, valid) ;
+
+ } catch (JoseException e) {
+ Logger.warn("SL2.0 commando signature validation FAILED", e);
+ throw new SL20SecurityException(new Object[]{e.getMessage()}, e);
+
+ }
+
+ }
+
+
+ @Override
+ public X509Certificate getEncryptionCertificate() {
+ //TODO: maybe update after SL2.0 update on encryption certificate parts
+ if (encCertChain !=null && encCertChain.length > 0)
+ return encCertChain[0];
+ else
+ return null;
+ }
+
+ private String getKeyStoreFilePath() {
+ return FileUtils.makeAbsoluteURL(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PATH),
+ authConfig.getRootConfigFileDir());
+ }
+
+ private String getKeyStorePassword() {
+ return authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD).trim();
+
+ }
+
+ private String getSigningKeyAlias() {
+ return authConfig.getBasicMOAIDConfiguration(
+ Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS).trim();
+ }
+
+ private String getSigningKeyPassword() {
+ return authConfig.getBasicMOAIDConfiguration(
+ Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD).trim();
+ }
+
+ private String getEncryptionKeyAlias() {
+ return authConfig.getBasicMOAIDConfiguration(
+ Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS).trim();
+ }
+
+ private String getEncryptionKeyPassword() {
+ return authConfig.getBasicMOAIDConfiguration(
+ Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD).trim();
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
new file mode 100644
index 000000000..e84dacc23
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
@@ -0,0 +1,180 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.jose4j.jws.AlgorithmIdentifiers;
+
+public class SL20Constants {
+ public static final String CURRENT_SL20_VERSION = "10";
+
+ //http binding parameters
+ public static final String PARAM_SL20_REQ_COMMAND_PARAM = "slcommand";
+ public static final String PARAM_SL20_REQ_ICP_RETURN_URL_PARAM = "slIPCReturnUrl";
+ public static final String PARAM_SL20_REQ_TRANSACTIONID = "slTransactionID";
+
+ public static final String HTTP_HEADER_SL20_CLIENT_TYPE = "SL2ClientType";
+ public static final String HTTP_HEADER_VALUE_NATIVE = "nativeApp";
+
+
+ //*******************************************************************************************
+ //JSON signing and encryption headers
+ public static final String JSON_ALGORITHM = "alg";
+ public static final String JSON_CONTENTTYPE = "cty";
+ public static final String JSON_X509_CERTIFICATE = "x5c";
+ public static final String JSON_X509_FINGERPRINT = "x5t#S256";
+ public static final String JSON_ENCRYPTION_PAYLOAD = "enc";
+
+ public static final String JSON_ALGORITHM_SIGNING_RS256 = AlgorithmIdentifiers.RSA_USING_SHA256;
+ public static final String JSON_ALGORITHM_SIGNING_RS512 = AlgorithmIdentifiers.RSA_USING_SHA512;
+ public static final String JSON_ALGORITHM_SIGNING_ES256 = AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256;
+ public static final String JSON_ALGORITHM_SIGNING_ES512 = AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512;
+ public static final String JSON_ALGORITHM_SIGNING_PS256 = AlgorithmIdentifiers.RSA_PSS_USING_SHA256;
+ public static final String JSON_ALGORITHM_SIGNING_PS512 = AlgorithmIdentifiers.RSA_PSS_USING_SHA512;
+
+ public static final List<String> SL20_ALGORITHM_WHITELIST_SIGNING = Arrays.asList(
+ JSON_ALGORITHM_SIGNING_RS256,
+ JSON_ALGORITHM_SIGNING_RS512,
+ JSON_ALGORITHM_SIGNING_ES256,
+ JSON_ALGORITHM_SIGNING_ES512,
+ JSON_ALGORITHM_SIGNING_PS256,
+ JSON_ALGORITHM_SIGNING_PS512
+ );
+
+ public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = "RSA-OAEP";
+ public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = "RSA-OAEP-256";
+
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = "A128CBC-HS256";
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = "A256CBC-HS512";
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = "A128GCM";
+ public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = "A256GCM";
+
+
+
+ //*********************************************************************************************
+ //Object identifier for generic transport container
+ public static final String SL20_CONTENTTYPE_SIGNED_COMMAND ="application/sl2.0;command";
+ public static final String SL20_CONTENTTYPE_ENCRYPTED_RESULT ="application/sl2.0;result";
+
+ public static final String SL20_VERSION = "v";
+ public static final String SL20_REQID = "reqID";
+ public static final String SL20_RESPID = "respID";
+ public static final String SL20_INRESPTO = "inResponseTo";
+ public static final String SL20_TRANSACTIONID = "transactionID";
+ public static final String SL20_PAYLOAD = "payload";
+ public static final String SL20_SIGNEDPAYLOAD = "signedPayload";
+
+ //Generic Object identifier for commands
+ public static final String SL20_COMMAND_CONTAINER_NAME = "name";
+ public static final String SL20_COMMAND_CONTAINER_PARAMS = "params";
+ public static final String SL20_COMMAND_CONTAINER_RESULT = "result";
+ public static final String SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT = "encryptedResult";
+
+ //COMMAND Object identifier
+ public static final String SL20_COMMAND_IDENTIFIER_REDIRECT = "redirect";
+ public static final String SL20_COMMAND_IDENTIFIER_CALL = "call";
+ public static final String SL20_COMMAND_IDENTIFIER_ERROR = "error";
+ public static final String SL20_COMMAND_IDENTIFIER_QUALIFIEDEID = "qualifiedeID";
+ public static final String SL20_COMMAND_IDENTIFIER_QUALIFIEDSIG = "qualifiedSig";
+
+ public static final String SL20_COMMAND_IDENTIFIER_BINDING_CREATE_KEY = "createBindingKey";
+ public static final String SL20_COMMAND_IDENTIFIER_BINDING_STORE_CERT = "storeBindingCert";
+
+ public static final String SL20_COMMAND_IDENTIFIER_AUTH_IDANDPASSWORD = "idAndPassword";
+ public static final String SL20_COMMAND_IDENTIFIER_AUTH_JWSTOKENFACTOR = "jwsTokenAuth";
+ public static final String SL20_COMMAND_IDENTIFIER_AUTH_QRCODEFACTOR = "qrCodeFactor";
+
+ //*****COMMAND parameter identifier******
+ //general Identifier
+ public static final String SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_VALUE = "value";
+ public static final String SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_KEY = "key";
+ public static final String SL20_COMMAND_PARAM_GENERAL_DATAURL = "dataUrl";
+ public static final String SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE = "x5cEnc";
+
+ //Redirect command
+ public static final String SL20_COMMAND_PARAM_GENERAL_REDIRECT_URL = "url";
+ public static final String SL20_COMMAND_PARAM_GENERAL_REDIRECT_COMMAND = "command";
+ public static final String SL20_COMMAND_PARAM_GENERAL_REDIRECT_SIGNEDCOMMAND = "signedCommand";
+ public static final String SL20_COMMAND_PARAM_GENERAL_REDIRECT_IPCREDIRECT = "IPCRedirect";
+
+ //Call command
+ public static final String SL20_COMMAND_PARAM_GENERAL_CALL_URL = SL20_COMMAND_PARAM_GENERAL_REDIRECT_URL;
+ public static final String SL20_COMMAND_PARAM_GENERAL_CALL_METHOD = "method";
+ public static final String SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET = "get";
+ public static final String SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_POST = "post";
+ public static final String SL20_COMMAND_PARAM_GENERAL_CALL_INCLUDETRANSACTIONID = "includeTransactionID";
+ public static final String SL20_COMMAND_PARAM_GENERAL_CALL_REQPARAMETER = "reqParams";
+
+ //error command
+ public static final String SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE = "errorCode";
+ public static final String SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE = "errorMessage";
+
+ //qualified eID command
+ public static final String SL20_COMMAND_PARAM_EID_AUTHBLOCKID = "authBlockTemplateID";
+ public static final String SL20_COMMAND_PARAM_EID_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+ public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES = "attributes";
+ public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE = "MANDATE-REFERENCE-VALUE";
+ public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID = "SP-FRIENDLYNAME";
+ public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME = "SP-UNIQUEID";
+ public static final String SL20_COMMAND_PARAM_EID_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+ public static final String SL20_COMMAND_PARAM_EID_RESULT_IDL = "EID-IDENTITY-LINK";
+ public static final String SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK = "EID-AUTH-BLOCK";
+ public static final String SL20_COMMAND_PARAM_EID_RESULT_CCSURL = "EID-CCS-URL";
+ public static final String SL20_COMMAND_PARAM_EID_RESULT_LOA = "EID-CITIZEN-QAA-LEVEL";
+
+ //qualified Signature comamnd
+ public static final String SL20_COMMAND_PARAM_QUALSIG_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+ public static final String SL20_COMMAND_PARAM_QUALSIG_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+
+ //create binding key command
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_KONTOID = "kontoID";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_SN = "SN";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_KEYLENGTH = "keyLength";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_KEYALG = "keyAlg";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_POLICIES = "policies";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_X5CVDATRUST = "x5cVdaTrust";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_REQUESTUSERPASSWORD = "reqUserPassword";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_KEYALG_RSA = "RSA";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_KEYALG_SECPR256R1 = "secp256r1";
+
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_POLICIES_LIFETIME = "lifeTime";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_POLICIES_USESECUREELEMENT = "useSecureElement";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_POLICIES_KEYTIMEOUT = "keyTimeout";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_POLICIES_NEEDUSERAUTH = "needUserAuth";
+
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_APPID = "appID";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_CSR = "csr";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_KEYATTESTATIONZERTIFICATE = "attCert";
+ public static final String SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_USERPASSWORD = "encodedPass";
+
+
+ //store binding certificate command
+ public static final String SL20_COMMAND_PARAM_BINDING_STORE_CERTIFICATE = "x5c";
+ public static final String SL20_COMMAND_PARAM_BINDING_STORE_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+ public static final String SL20_COMMAND_PARAM_BINDING_STORE_RESULT_SUCESS = "success";
+ public static final String SL20_COMMAND_PARAM_BINDING_STORE_RESULT_SUCESS_VALUE = "OK";
+
+ // Username and password authentication
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_KEYALG = "keyAlg";
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_KEYALG_VALUE_PLAIN = "plain";
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_KEYALG_VALUE_PBKDF2 = "PBKDF2";
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_RESULT_KONTOID = SL20_COMMAND_PARAM_BINDING_CREATE_KONTOID;
+ public static final String SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_RESULT_USERPASSWORD = SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_USERPASSWORD;
+
+ //JWS Token authentication
+ public static final String SL20_COMMAND_PARAM_AUTH_JWSTOKEN_NONCE = "nonce";
+ public static final String SL20_COMMAND_PARAM_AUTH_JWSTOKEN_DISPLAYDATA = "displayData";
+ public static final String SL20_COMMAND_PARAM_AUTH_JWSTOKEN_DISPLAYURL = "displayUrl";
+ public static final String SL20_COMMAND_PARAM_AUTH_JWSTOKEN_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+ public static final String SL20_COMMAND_PARAM_AUTH_JWSTOKEN_RESULT_NONCE = SL20_COMMAND_PARAM_AUTH_JWSTOKEN_NONCE;
+
+ //QR-Code authentication
+ public static final String SL20_COMMAND_PARAM_AUTH_QRCODE_QRCODE = "qrCode";
+ public static final String SL20_COMMAND_PARAM_AUTH_QRCODE_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
new file mode 100644
index 000000000..cfffed881
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
@@ -0,0 +1,42 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
+import java.net.URISyntaxException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.entity.ContentType;
+
+import com.google.gson.JsonObject;
+
+import at.gv.egovernment.moaspss.logging.Logger;
+
+public class SL20HttpBindingUtils {
+
+ public static void writeIntoResponse(HttpServletRequest request, HttpServletResponse response, JsonObject sl20Forward, String redirectURL) throws IOException, URISyntaxException {
+ //forward SL2.0 command
+ if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null &&
+ request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {
+ Logger.debug("Client request containts 'native client' header ... ");
+ StringWriter writer = new StringWriter();
+ writer.write(sl20Forward.toString());
+ final byte[] content = writer.toString().getBytes("UTF-8");
+ response.setStatus(HttpServletResponse.SC_OK);
+ response.setContentLength(content.length);
+ response.setContentType(ContentType.APPLICATION_JSON.toString());
+ response.getOutputStream().write(content);
+
+ } else {
+ Logger.debug("Client request containts is no native client ... ");
+ URIBuilder clientRedirectURI = new URIBuilder(redirectURL);
+ clientRedirectURI.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Forward.toString());
+ response.sendRedirect(clientRedirectURI.build().toString());
+
+ }
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java
new file mode 100644
index 000000000..52d7e1e67
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java
@@ -0,0 +1,606 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuildException;
+
+public class SL20JSONBuilderUtils {
+
+ /**
+ * Create command request
+ * @param name
+ * @param params
+ * @throws SLCommandoBuildException
+ * @return
+ */
+ public static JsonObject createCommand(String name, JsonElement params) throws SLCommandoBuildException {
+ JsonObject command = new JsonObject();
+ addSingleStringElement(command, SL20Constants.SL20_COMMAND_CONTAINER_NAME, name, true);
+ addSingleJSONElement(command, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, params, true);
+ return command;
+
+ }
+
+ /**
+ * Create signed command request
+ *
+ * @param name
+ * @param params
+ * @param signer
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static String createSignedCommand(String name, JsonElement params, IJOSETools signer) throws SLCommandoBuildException {
+ JsonObject command = new JsonObject();
+ addSingleStringElement(command, SL20Constants.SL20_COMMAND_CONTAINER_NAME, name, true);
+ addSingleJSONElement(command, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, params, true);
+ return signer.createSignature(command.toString());
+
+ }
+
+
+ /**
+ * Create encrypted command result
+ *
+ * @param result
+ * @param encrypter
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static String createEncryptedCommandoResult(JsonObject result, JsonSecurityUtils encrypter) throws SLCommandoBuildException {
+ //TODO: add real implementation
+ //create header and footer
+ String dummyHeader = createJsonEncryptionHeader(encrypter).toString();
+ String payLoad = result.toString();
+ String dummyFooter = createJsonSignedFooter(encrypter);
+
+ return Base64.getUrlEncoder().encodeToString(dummyHeader.getBytes()) + "."
+ + Base64.getUrlEncoder().encodeToString(payLoad.getBytes()) + "."
+ + Base64.getUrlEncoder().encodeToString(dummyFooter.getBytes());
+
+ }
+
+
+ /**
+ * Create command result
+ *
+ * @param name
+ * @param result
+ * @param encryptedResult
+ * @throws SLCommandoBuildException
+ * @return
+ */
+ public static JsonObject createCommandResponse(String name, JsonElement result, String encryptedResult) throws SLCommandoBuildException {
+ JsonObject command = new JsonObject();
+ addSingleStringElement(command, SL20Constants.SL20_COMMAND_CONTAINER_NAME, name, true);
+ addOnlyOnceOfTwo(command,
+ SL20Constants.SL20_COMMAND_CONTAINER_RESULT, SL20Constants.SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT,
+ result, encryptedResult);
+ return command;
+
+ }
+
+ /**
+ * Create command result
+ *
+ * @param name
+ * @param result
+ * @param encryptedResult
+ * @throws SLCommandoBuildException
+ * @return
+ */
+ public static String createSignedCommandResponse(String name, JsonElement result, String encryptedResult, JsonSecurityUtils signer) throws SLCommandoBuildException {
+ JsonObject command = new JsonObject();
+ addSingleStringElement(command, SL20Constants.SL20_COMMAND_CONTAINER_NAME, name, true);
+ addOnlyOnceOfTwo(command,
+ SL20Constants.SL20_COMMAND_CONTAINER_RESULT, SL20Constants.SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT,
+ result, encryptedResult);
+ String encodedCommand = command.toString();
+
+ //TODO: add real implementation
+ //create header and footer
+ String dummyHeader = createJsonSignedHeader(signer).toString();
+ String dummyFooter = createJsonSignedFooter(signer);
+
+ return Base64.getUrlEncoder().encodeToString(dummyHeader.getBytes()) + "."
+ + Base64.getUrlEncoder().encodeToString(encodedCommand.getBytes()) + "."
+ + Base64.getUrlEncoder().encodeToString(dummyFooter.getBytes());
+
+ }
+
+ /**
+ * Create parameters for Redirect command
+ *
+ * @param url
+ * @param command
+ * @param signedCommand
+ * @param ipcRedirect
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createRedirectCommandParameters(String url, JsonElement command, JsonElement signedCommand, Boolean ipcRedirect) throws SLCommandoBuildException{
+ JsonObject redirectReqParams = new JsonObject();
+ addOnlyOnceOfTwo(redirectReqParams,
+ SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_COMMAND, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_SIGNEDCOMMAND,
+ command, signedCommand);
+ addSingleStringElement(redirectReqParams, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_URL, url, false);
+ addSingleBooleanElement(redirectReqParams, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_IPCREDIRECT, ipcRedirect, false);
+ return redirectReqParams;
+
+ }
+
+ /**
+ * Create parameters for Call command
+ *
+ * @param url
+ * @param method
+ * @param includeTransactionId
+ * @param reqParameters
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createCallCommandParameters(String url, String method, Boolean includeTransactionId, Map<String, String> reqParameters) throws SLCommandoBuildException {
+ JsonObject callReqParams = new JsonObject();
+ addSingleStringElement(callReqParams, SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_URL, url, true);
+ addSingleStringElement(callReqParams, SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD, method, true);
+ addSingleBooleanElement(callReqParams, SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_INCLUDETRANSACTIONID, includeTransactionId, false);
+ addArrayOfStringElements(callReqParams, SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_REQPARAMETER, reqParameters);
+ return callReqParams;
+
+ }
+
+ /**
+ * Create result for Error command
+ *
+ * @param errorCode
+ * @param errorMsg
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createErrorCommandResult(String errorCode, String errorMsg) throws SLCommandoBuildException {
+ JsonObject result = new JsonObject();
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE, errorCode, true);
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE, errorMsg, true);
+ return result;
+
+ }
+
+
+ /**
+ * Create parameters for qualifiedeID command
+ *
+ * @param authBlockId
+ * @param dataUrl
+ * @param additionalReqParameters
+ * @param x5cEnc
+ * @return
+ * @throws CertificateEncodingException
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createQualifiedeIDCommandParameters(String authBlockId, String dataUrl,
+ Map<String, String> additionalReqParameters, X509Certificate x5cEnc) throws CertificateEncodingException, SLCommandoBuildException {
+ JsonObject params = new JsonObject();
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_EID_AUTHBLOCKID, authBlockId, true);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_EID_DATAURL, dataUrl, true);
+ addArrayOfStringElements(params, SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES, additionalReqParameters);
+ addSingleCertificateElement(params, SL20Constants.SL20_COMMAND_PARAM_EID_X5CENC, x5cEnc, false);
+ return params;
+
+ }
+
+ /**
+ * Create result for qualifiedeID command
+ *
+ * @param idl
+ * @param authBlock
+ * @param ccsURL
+ * @param LoA
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createQualifiedeIDCommandResult(byte[] idl, byte[] authBlock, String ccsURL, String LoA) throws SLCommandoBuildException {
+ JsonObject result = new JsonObject();
+ addSingleByteElement(result, SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, idl, true);
+ addSingleByteElement(result, SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, authBlock, true);
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, ccsURL, true);
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, LoA, true);
+ return result;
+
+ }
+
+
+ /**
+ * Create Binding-Key command parameters
+ *
+ * @param kontoId
+ * @param subjectName
+ * @param keySize
+ * @param keyAlg
+ * @param policies
+ * @param dataUrl
+ * @param x5cVdaTrust
+ * @param reqUserPassword
+ * @param x5cEnc
+ * @return
+ * @throws SLCommandoBuildException
+ * @throws CertificateEncodingException
+ */
+ public static JsonObject createBindingKeyCommandParams(String kontoId, String subjectName, int keySize, String keyAlg,
+ Map<String, String> policies, String dataUrl, X509Certificate x5cVdaTrust, Boolean reqUserPassword, X509Certificate x5cEnc) throws SLCommandoBuildException, CertificateEncodingException {
+ JsonObject params = new JsonObject();
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_KONTOID, kontoId, true);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_SN, subjectName, true);
+ addSingleNumberElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_KEYLENGTH, keySize, true);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_KEYALG, keyAlg, true);
+ addArrayOfStringElements(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_POLICIES, policies);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_DATAURL, dataUrl, true);
+ addSingleCertificateElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_X5CVDATRUST, x5cVdaTrust, false);
+ addSingleBooleanElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_REQUESTUSERPASSWORD, reqUserPassword, false);
+ addSingleCertificateElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_X5CENC, x5cEnc, false);
+ return params;
+
+ }
+
+ /**
+ * Create Binding-Key command result
+ *
+ * @param appId
+ * @param csr
+ * @param attCert
+ * @param password
+ * @return
+ * @throws SLCommandoBuildException
+ * @throws CertificateEncodingException
+ */
+ public static JsonObject createBindingKeyCommandResult(String appId, byte[] csr, X509Certificate attCert, byte[] password) throws SLCommandoBuildException, CertificateEncodingException {
+ JsonObject result = new JsonObject();
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_APPID, appId, true);
+ addSingleByteElement(result, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_CSR, csr, true);
+ addSingleCertificateElement(result, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_KEYATTESTATIONZERTIFICATE, attCert, false);
+ addSingleByteElement(result, SL20Constants.SL20_COMMAND_PARAM_BINDING_CREATE_RESULT_USERPASSWORD, password, false);
+ return result;
+
+ }
+
+ /**
+ * Create Store Binding-Certificate command parameters
+ *
+ * @param cert
+ * @param dataUrl
+ * @return
+ * @throws CertificateEncodingException
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createStoreBindingCertCommandParams(X509Certificate cert, String dataUrl) throws CertificateEncodingException, SLCommandoBuildException {
+ JsonObject params = new JsonObject();
+ addSingleCertificateElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_STORE_CERTIFICATE, cert, true);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_BINDING_STORE_DATAURL, dataUrl, true);
+ return params;
+
+ }
+
+ /**
+ * Create Store Binding-Certificate command result
+ *
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createStoreBindingCertCommandSuccessResult() throws SLCommandoBuildException {
+ JsonObject result = new JsonObject();
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_BINDING_STORE_RESULT_SUCESS,
+ SL20Constants.SL20_COMMAND_PARAM_BINDING_STORE_RESULT_SUCESS_VALUE, true);
+ return result;
+
+ }
+
+
+ /**
+ * Create idAndPassword command parameters
+ *
+ * @param keyAlg
+ * @param dataUrl
+ * @param x5cEnc
+ * @return
+ * @throws SLCommandoBuildException
+ * @throws CertificateEncodingException
+ */
+ public static JsonObject createIdAndPasswordCommandParameters(String keyAlg, String dataUrl, X509Certificate x5cEnc) throws SLCommandoBuildException, CertificateEncodingException {
+ JsonObject params = new JsonObject();
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_KEYALG, keyAlg, true);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_DATAURL, dataUrl, true);
+ addSingleCertificateElement(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_X5CENC, x5cEnc, false);
+ return params;
+
+ }
+
+ /**
+ * Create idAndPassword command result
+ *
+ * @param kontoId
+ * @param password
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createIdAndPasswordCommandResult(String kontoId, byte[] password) throws SLCommandoBuildException {
+ JsonObject result = new JsonObject();
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_RESULT_KONTOID, kontoId, true);
+ addSingleByteElement(result, SL20Constants.SL20_COMMAND_PARAM_AUTH_IDANDPASSWORD_RESULT_USERPASSWORD, password, true);
+ return result;
+
+ }
+
+ /**
+ * Create JWS Token Authentication command
+ *
+ * @param nonce
+ * @param dataUrl
+ * @param displayData
+ * @param displayUrl
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createJwsTokenAuthCommandParams(String nonce, String dataUrl, List<String> displayData, List<String> displayUrl) throws SLCommandoBuildException {
+ JsonObject params = new JsonObject();
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_JWSTOKEN_NONCE, nonce, true);
+ addSingleStringElement(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_JWSTOKEN_DATAURL, dataUrl, true);
+ addArrayOfStrings(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_JWSTOKEN_DISPLAYDATA, displayData);
+ addArrayOfStrings(params, SL20Constants.SL20_COMMAND_PARAM_AUTH_JWSTOKEN_DISPLAYURL, displayUrl);
+ return params;
+
+ }
+
+ /**
+ * Create JWS Token Authentication command result
+ *
+ * @param nonce
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createJwsTokenAuthCommandResult(String nonce) throws SLCommandoBuildException {
+ JsonObject result = new JsonObject();
+ addSingleStringElement(result, SL20Constants.SL20_COMMAND_PARAM_AUTH_JWSTOKEN_RESULT_NONCE, nonce, true);
+ return result;
+
+ }
+
+
+ /**
+ * Create Generic Request Container
+ *
+ * @param reqId
+ * @param transactionId
+ * @param payLoad
+ * @param signedPayload
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static JsonObject createGenericRequest(String reqId, String transactionId, JsonElement payLoad, String signedPayload) throws SLCommandoBuildException {
+ JsonObject req = new JsonObject();
+ addSingleStringElement(req, SL20Constants.SL20_VERSION, SL20Constants.CURRENT_SL20_VERSION, true);
+ addSingleStringElement(req, SL20Constants.SL20_REQID, reqId, true);
+ addSingleStringElement(req, SL20Constants.SL20_TRANSACTIONID, transactionId, false);
+ addOnlyOnceOfTwo(req, SL20Constants.SL20_PAYLOAD, SL20Constants.SL20_SIGNEDPAYLOAD,
+ payLoad, signedPayload);
+ return req;
+
+ }
+
+ /**
+ * Create Generic Response Container
+ *
+ * @param respId
+ * @param inResponseTo
+ * @param transactionId
+ * @param payLoad
+ * @param signedPayload
+ * @return
+ * @throws SLCommandoBuildException
+ */
+ public static final JsonObject createGenericResponse(String respId, String inResponseTo, String transactionId,
+ JsonElement payLoad, String signedPayload) throws SLCommandoBuildException {
+
+ JsonObject req = new JsonObject();
+ addSingleStringElement(req, SL20Constants.SL20_VERSION, SL20Constants.CURRENT_SL20_VERSION, true);
+ addSingleStringElement(req, SL20Constants.SL20_RESPID, respId, true);
+ addSingleStringElement(req, SL20Constants.SL20_INRESPTO, inResponseTo, true);
+ addSingleStringElement(req, SL20Constants.SL20_TRANSACTIONID, transactionId, false);
+ addOnlyOnceOfTwo(req, SL20Constants.SL20_PAYLOAD, SL20Constants.SL20_SIGNEDPAYLOAD,
+ payLoad, signedPayload);
+ return req;
+
+ }
+
+ /**
+ * Add one element of two possible elements <br>
+ * This method adds either the first element or the second element to parent JSON, but never both.
+ *
+ * @param parent Parent JSON element
+ * @param firstKeyId first element Id
+ * @param secondKeyId second element Id
+ * @param first first element
+ * @param second second element
+ * @throws SLCommandoBuildException
+ */
+ public static void addOnlyOnceOfTwo(JsonObject parent, String firstKeyId, String secondKeyId, JsonElement first, String second) throws SLCommandoBuildException {
+ if (first == null && (second == null || second.isEmpty()))
+ throw new SLCommandoBuildException(firstKeyId + " and " + secondKeyId + " is NULL");
+
+ else if (first != null && second != null)
+ throw new SLCommandoBuildException(firstKeyId + " and " + secondKeyId + " can not SET TWICE");
+
+ else if (first != null)
+ parent.add(firstKeyId, first);
+
+ else if (second != null && !second.isEmpty())
+ parent.addProperty(secondKeyId, second);
+
+ else
+ throw new SLCommandoBuildException("Internal build error");
+ }
+
+
+
+ //TODO!!!!
+ private static JsonObject createJsonSignedHeader(JsonSecurityUtils signer) throws SLCommandoBuildException {
+ JsonObject header = new JsonObject();
+ addSingleStringElement(header, SL20Constants.JSON_ALGORITHM, SL20Constants.JSON_ALGORITHM_SIGNING_RS256, true);
+ addSingleStringElement(header, SL20Constants.JSON_CONTENTTYPE, SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND, true);
+ addArrayOfStrings(header, SL20Constants.JSON_X509_CERTIFICATE, Arrays.asList(Constants.DUMMY_SIGNING_CERT));
+
+ return header;
+ }
+
+ //TODO!!!!
+ private static JsonObject createJsonEncryptionHeader(JsonSecurityUtils signer) throws SLCommandoBuildException {
+ JsonObject header = new JsonObject();
+ addSingleStringElement(header, SL20Constants.JSON_ALGORITHM, SL20Constants.JSON_ALGORITHM_ENC_KEY_RSAOAEP, true);
+ addSingleStringElement(header, SL20Constants.JSON_ENCRYPTION_PAYLOAD, SL20Constants.JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256, true);
+ addSingleStringElement(header, SL20Constants.JSON_CONTENTTYPE, SL20Constants.SL20_CONTENTTYPE_ENCRYPTED_RESULT, true);
+ addSingleStringElement(header, SL20Constants.JSON_X509_FINGERPRINT, Constants.DUMMY_SIGNING_CERT_FINGERPRINT, true);
+
+ return header;
+ }
+
+ //TODO!!!!
+ private static String createJsonSignedFooter(JsonSecurityUtils signer) {
+ return "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7\n" +
+ " AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4\n" +
+ " BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K\n" +
+ " 0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv\n" +
+ " hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB\n" +
+ " p0igcN_IoypGlUPQGe77Rw";
+ }
+
+
+
+ private static void addArrayOfStrings(JsonObject parent, String keyId, List<String> values) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+ if (values != null) {
+ JsonArray callReqParamsArray = new JsonArray();
+ parent.add(keyId, callReqParamsArray );
+ for(String el : values)
+ callReqParamsArray.add(el);
+
+ }
+ }
+
+
+ private static void addArrayOfStringElements(JsonObject parent, String keyId, Map<String, String> keyValuePairs) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+ if (keyValuePairs != null) {
+ JsonArray callReqParamsArray = new JsonArray();
+ parent.add(keyId, callReqParamsArray );
+
+ for(Entry<String, String> el : keyValuePairs.entrySet()) {
+ JsonObject callReqParams = new JsonObject();
+ //callReqParams.addProperty(SL20Constants.SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_KEY, el.getKey());
+ //callReqParams.addProperty(SL20Constants.SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_VALUE, el.getValue());
+ callReqParams.addProperty(el.getKey(), el.getValue());
+ callReqParamsArray.add(callReqParams);
+
+ }
+ }
+ }
+
+ private static void addSingleCertificateElement(JsonObject parent, String keyId, X509Certificate cert, boolean isRequired) throws CertificateEncodingException, SLCommandoBuildException {
+ if (cert != null)
+ addSingleByteElement(parent, keyId, cert.getEncoded(), isRequired);
+
+ else if (isRequired)
+ throw new SLCommandoBuildException(keyId + " is marked as REQUIRED");
+
+ }
+
+
+
+ private static void addSingleByteElement(JsonObject parent, String keyId, byte[] value, boolean isRequired) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+
+ if (isRequired && value == null)
+ throw new SLCommandoBuildException(keyId + " has NULL value");
+
+ else if (value != null)
+ parent.addProperty(keyId, Base64.getEncoder().encodeToString(value));
+
+ }
+
+ private static void addSingleBooleanElement(JsonObject parent, String keyId, Boolean value, boolean isRequired) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+
+ if (isRequired && value == null)
+ throw new SLCommandoBuildException(keyId + " has a NULL value");
+
+ else if (value != null)
+ parent.addProperty(keyId, value);
+
+ }
+
+ private static void addSingleNumberElement(JsonObject parent, String keyId, Integer value, boolean isRequired) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+
+ if (isRequired && value == null)
+ throw new SLCommandoBuildException(keyId + " has a NULL value");
+
+ else if (value != null)
+ parent.addProperty(keyId, value);;
+
+ }
+
+ private static void addSingleStringElement(JsonObject parent, String keyId, String value, boolean isRequired) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+
+ if (isRequired && (value == null || value.isEmpty()))
+ throw new SLCommandoBuildException(keyId + " has an empty value");
+
+ else if (value != null && !value.isEmpty())
+ parent.addProperty(keyId, value);
+
+ }
+
+ private static void addSingleJSONElement(JsonObject parent, String keyId, JsonElement element, boolean isRequired) throws SLCommandoBuildException {
+ validateParentAndKey(parent, keyId);
+
+ if (isRequired && element == null)
+ throw new SLCommandoBuildException("No commando name included");
+
+ else if (element != null)
+ parent.add(keyId, element);
+
+ }
+
+ private static void addOnlyOnceOfTwo(JsonObject parent, String firstKeyId, String secondKeyId, JsonElement first, JsonElement second) throws SLCommandoBuildException {
+ if (first == null && second == null)
+ throw new SLCommandoBuildException(firstKeyId + " and " + secondKeyId + " is NULL");
+
+ else if (first != null && second != null)
+ throw new SLCommandoBuildException(firstKeyId + " and " + secondKeyId + " can not SET TWICE");
+
+ else if (first != null)
+ parent.add(firstKeyId, first);
+
+ else if (second != null)
+ parent.add(secondKeyId, second);
+
+ else
+ throw new SLCommandoBuildException("Internal build error");
+ }
+
+ private static void validateParentAndKey(JsonObject parent, String keyId) throws SLCommandoBuildException {
+ if (parent == null)
+ throw new SLCommandoBuildException("NO parent JSON element");
+
+ if (keyId == null || keyId.isEmpty())
+ throw new SLCommandoBuildException("NO JSON element identifier");
+ }
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
new file mode 100644
index 000000000..e1444c95f
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -0,0 +1,259 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
+
+import java.io.InputStreamReader;
+import java.net.URLDecoder;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.http.Header;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.utils.URIBuilder;
+import org.apache.log4j.Logger;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
+
+public class SL20JSONExtractorUtils {
+ private static final Logger log = Logger.getLogger(SL20JSONExtractorUtils.class);
+
+ /**
+ * Extract String value from JSON
+ *
+ * @param input
+ * @param keyID
+ * @param isRequired
+ * @return
+ * @throws SLCommandoParserException
+ */
+ public static String getStringValue(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {
+ try {
+ JsonElement internal = getAndCheck(input, keyID, isRequired);
+
+ if (internal != null)
+ return internal.getAsString();
+ else
+ return null;
+
+ } catch (SLCommandoParserException e) {
+ throw e;
+
+ } catch (Exception e) {
+ throw new SLCommandoParserException("Can not extract String value with keyId: " + keyID, e);
+
+ }
+ }
+
+ /**
+ * Extract Boolean value from JSON
+ *
+ * @param input
+ * @param keyID
+ * @param isRequired
+ * @return
+ * @throws SLCommandoParserException
+ */
+ public static boolean getBooleanValue(JsonObject input, String keyID, boolean isRequired, boolean defaultValue) throws SLCommandoParserException {
+ try {
+ JsonElement internal = getAndCheck(input, keyID, isRequired);
+
+ if (internal != null)
+ return internal.getAsBoolean();
+ else
+ return defaultValue;
+
+ } catch (SLCommandoParserException e) {
+ throw e;
+
+ } catch (Exception e) {
+ throw new SLCommandoParserException("Can not extract Boolean value with keyId: " + keyID, e);
+
+ }
+ }
+
+ /**
+ * Extract JSONObject value from JSON
+ *
+ * @param input
+ * @param keyID
+ * @param isRequired
+ * @return
+ * @throws SLCommandoParserException
+ */
+ public static JsonObject getJSONObjectValue(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {
+ try {
+ JsonElement internal = getAndCheck(input, keyID, isRequired);
+
+ if (internal != null)
+ return internal.getAsJsonObject();
+ else
+ return null;
+
+ } catch (SLCommandoParserException e) {
+ throw e;
+
+ } catch (Exception e) {
+ throw new SLCommandoParserException("Can not extract Boolean value with keyId: " + keyID, e);
+
+ }
+ }
+
+ /**
+ * Extract Map of Key/Value pairs from a JSON Array
+ *
+ * @param input
+ * @param keyID
+ * @param isRequired
+ * @return
+ * @throws SLCommandoParserException
+ */
+ public static Map<String, String> getMapOfStringElements(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {
+ JsonElement internal = getAndCheck(input, keyID, isRequired);
+
+ Map<String, String> result = new HashMap<String, String>();
+
+ if (internal != null) {
+ if (!internal.isJsonArray())
+ throw new SLCommandoParserException("JSON Element IS NOT a JSON array");
+
+ Iterator<JsonElement> arrayIterator = internal.getAsJsonArray().iterator();
+ while(arrayIterator.hasNext()) {
+ //JsonObject next = arrayIterator.next().getAsJsonObject();
+ //result.put(
+ // next.get(SL20Constants.SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_KEY).getAsString(),
+ // next.get(SL20Constants.SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_VALUE).getAsString());
+ JsonElement next = arrayIterator.next();
+ Iterator<Entry<String, JsonElement>> entry = next.getAsJsonObject().entrySet().iterator();
+ while (entry.hasNext()) {
+ Entry<String, JsonElement> el = entry.next();
+ if (result.containsKey(el.getKey()))
+ log.info("Attr. Map already contains Element with Key: " + el.getKey() + ". Overwrite element ... ");
+
+ result.put(el.getKey(), el.getValue().getAsString());
+
+ }
+ }
+ }
+
+ return result;
+ }
+
+
+ public static JsonElement extractSL20Result(JsonObject command, JsonSecurityUtils encrypter, boolean mustBeEncrypted) throws SLCommandoParserException {
+ JsonElement result = command.get(SL20Constants.SL20_COMMAND_CONTAINER_RESULT);
+ JsonElement encryptedResult = command.get(SL20Constants.SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT);
+
+ if (result == null && encryptedResult == null)
+ throw new SLCommandoParserException("NO result OR encryptedResult FOUND.");
+
+ else if (result == null && encryptedResult == null)
+ throw new SLCommandoParserException("result AND encryptedResultFOUND. Can not used twice");
+
+ else if (encryptedResult == null && mustBeEncrypted)
+ throw new SLCommandoParserException("result MUST be signed.");
+
+ else if (result != null)
+ return result;
+
+ else if (encryptedResult != null) {
+ //TODO: Add correct signature validation
+ String[] signedPayload = encryptedResult.toString().split("\\.");
+ JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
+ return payLoad;
+
+ } else
+ throw new SLCommandoParserException("Internal build error");
+
+
+ }
+
+ /**
+ * Extract payLoad from generic transport container
+ *
+ * @param container
+ * @param joseTools
+ * @return
+ * @throws SLCommandoParserException
+ */
+ public static VerificationResult extractSL20PayLoad(JsonObject container, IJOSETools joseTools, boolean mustBeSigned) throws SL20Exception {
+
+ JsonElement sl20Payload = container.get(SL20Constants.SL20_PAYLOAD);
+ JsonElement sl20SignedPayload = container.get(SL20Constants.SL20_SIGNEDPAYLOAD);
+
+ if (mustBeSigned && joseTools == null)
+ throw new SLCommandoParserException("'joseTools' MUST be set if 'mustBeSigned' is 'true'");
+
+ if (sl20Payload == null && sl20SignedPayload == null)
+ throw new SLCommandoParserException("NO payLoad OR signedPayload FOUND.");
+
+ else if (sl20Payload == null && sl20SignedPayload == null)
+ throw new SLCommandoParserException("payLoad AND signedPayload FOUND. Can not used twice");
+
+ else if (sl20SignedPayload == null && mustBeSigned)
+ throw new SLCommandoParserException("payLoad MUST be signed.");
+
+ else if (sl20Payload != null)
+ return new VerificationResult(sl20Payload.getAsJsonObject());
+
+ else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive())
+ return joseTools.validateSignature(sl20SignedPayload.getAsString());
+
+ else
+ throw new SLCommandoParserException("Internal build error");
+
+
+ }
+
+
+ /**
+ * Extract generic transport container from httpResponse
+ *
+ * @param httpResp
+ * @return
+ * @throws SLCommandoParserException
+ */
+ public static JsonObject getSL20ContainerFromResponse(HttpResponse httpResp) throws SLCommandoParserException {
+ try {
+ JsonObject sl20Resp = null;
+ if (httpResp.getStatusLine().getStatusCode() == 307) {
+ Header[] locationHeader = httpResp.getHeaders("Location");
+ if (locationHeader == null)
+ throw new SLCommandoParserException("Find Redirect statuscode but not Location header");
+
+ String sl20RespString = new URIBuilder(locationHeader[0].getValue()).getQueryParams().get(0).getValue();
+ sl20Resp = new JsonParser().parse(URLDecoder.decode(sl20RespString)).getAsJsonObject();
+
+ } else if (httpResp.getStatusLine().getStatusCode() == 200) {
+ if (!httpResp.getEntity().getContentType().getValue().equals("application/json;charset=UTF-8"))
+ throw new SLCommandoParserException("SL20 response with a wrong ContentType: " + httpResp.getEntity().getContentType().getValue());
+
+ sl20Resp = new JsonParser().parse(new InputStreamReader(httpResp.getEntity().getContent())).getAsJsonObject();
+
+ } else
+ throw new SLCommandoParserException("SL20 response with http-code: " + httpResp.getStatusLine().getStatusCode());
+
+ return sl20Resp;
+
+ } catch (Exception e) {
+ throw new SLCommandoParserException("SL20 response parsing FAILED! Reason: " + e.getMessage(), e);
+
+ }
+ }
+
+ private static JsonElement getAndCheck(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {
+ JsonElement internal = input.get(keyID);
+
+ if (internal == null && isRequired)
+ throw new SLCommandoParserException("REQUIRED Element with keyId: " + keyID + " does not exist");
+
+ return internal;
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
new file mode 100644
index 000000000..1e15e893e
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -0,0 +1,176 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
+
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.net.ssl.SSLSocketFactory;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.entity.ContentType;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.message.BasicNameValuePair;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import com.google.gson.JsonObject;
+
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.IJOSETools;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20HttpBindingUtils;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONBuilderUtils;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONExtractorUtils;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+@Component("CreateQualeIDRequestTask")
+public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
+
+ @Autowired(required=true) private IJOSETools joseTools;
+
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+
+ Logger.debug("Starting SL2.0 authentication process .... ");
+
+ try {
+ //get service-provider configuration
+ IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration();
+
+ //get basic configuration parameters
+ String vdaQualeIDUrl = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID);
+ if (MiscUtil.isEmpty(vdaQualeIDUrl)) {
+ Logger.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID + ")");
+ throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"});
+
+ }
+
+ String authBlockId = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_AUTHBLOCK_ID);
+ if (MiscUtil.isEmpty(authBlockId)) {
+ Logger.error("NO AuthBlock Template identifier for qualified eID (" + Constants.CONFIG_PROP_VDA_AUTHBLOCK_ID + ")");
+ throw new SL20Exception("sl20.03", new Object[]{"NO AuthBlock Template identifier for qualified eID"});
+
+ }
+
+ //build DataURL for qualified eID response
+ String dataURL = new DataURLBuilder().buildDataURL(
+ pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID());
+// String dataURL = new DataURLBuilder().buildDataURL(
+// "http://labda.iaik.tugraz.at:8080/moa-id-auth/", Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID());
+
+ //build qualifiedeID command
+ Map<String, String> qualifiedeIDParams = new HashMap<String, String>();
+ qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID, oaConfig.getPublicURLPrefix());
+ qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName());
+ //qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE, UUID.randomUUID().toString());
+
+ JsonObject qualeIDCommandParams = SL20JSONBuilderUtils.createQualifiedeIDCommandParameters(
+ authBlockId,
+ dataURL,
+ qualifiedeIDParams,
+ joseTools.getEncryptionCertificate());
+
+ String qualeIDReqId = UUID.randomUUID().toString();
+ String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools);
+ JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand);
+
+ //open http client
+ SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(
+ authConfig,
+ vdaQualeIDUrl);
+ CloseableHttpClient httpClient = HttpClientWithProxySupport.getHttpClient(
+ sslFactory,
+ authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true));
+
+ //build post request
+ HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build());
+ httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
+ List<NameValuePair> parameters = new ArrayList<NameValuePair>();;
+ parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Req.toString()));
+ httpReq.setEntity(new UrlEncodedFormEntity(parameters ));
+
+ //request VDA
+ HttpResponse httpResp = httpClient.execute(httpReq);
+
+ //parse response
+ Logger.info("Receive response from VDA ... ");
+ JsonObject sl20Resp = SL20JSONExtractorUtils.getSL20ContainerFromResponse(httpResp);
+ VerificationResult respPayloadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20Resp, null, false);
+
+ if (respPayloadContainer.isValidSigned() == null) {
+ Logger.debug("Receive unsigned payLoad from VDA");
+
+ }
+
+ JsonObject respPayload = respPayloadContainer.getPayload();
+ if (respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString()
+ .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT)) {
+ Logger.debug("Find 'redirect' command in VDA response ... ");
+ JsonObject params = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, true);
+ String redirectURL = SL20JSONExtractorUtils.getStringValue(params, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_URL, true);
+ JsonObject command = SL20JSONExtractorUtils.getJSONObjectValue(params, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_COMMAND, false);
+ String signedCommand = SL20JSONExtractorUtils.getStringValue(params, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_SIGNEDCOMMAND, false);
+
+ //create forward SL2.0 command
+ JsonObject sl20Forward = sl20Resp.deepCopy().getAsJsonObject();
+ SL20JSONBuilderUtils.addOnlyOnceOfTwo(sl20Forward,
+ SL20Constants.SL20_PAYLOAD, SL20Constants.SL20_SIGNEDPAYLOAD,
+ command, signedCommand);
+
+ //store pending request
+ pendingReq.setGenericDataToSession(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID,
+ qualeIDReqId);
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //forward SL2.0 command
+ SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL);
+
+ } else {
+ //TODO: update to add error handling
+ Logger.warn("Received an unrecognized command: " + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString());
+
+ }
+
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } finally {
+ TransactionIDUtils.removeTransactionId();
+ TransactionIDUtils.removeSessionId();
+
+ }
+
+
+
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
new file mode 100644
index 000000000..6d2163ff1
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -0,0 +1,228 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
+
+import java.io.ByteArrayInputStream;
+import java.io.StringWriter;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.http.entity.ContentType;
+import org.jose4j.keys.X509Util;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20SecurityException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.IJOSETools;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONBuilderUtils;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONExtractorUtils;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
+import iaik.esi.sva.util.X509Utils;
+import iaik.utils.Util;
+
+@Component("ReceiveQualeIDTask")
+public class ReceiveQualeIDTask extends AbstractAuthServletTask {
+
+ @Autowired(required=true) private IJOSETools joseTools;
+
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+
+ Logger.debug("Receiving SL2.0 response process .... ");
+ try {
+ //get SL2.0 command or result from HTTP request
+ Map<String, String> reqParams = getParameters(request);
+ String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+ if (MiscUtil.isEmpty(sl20Result)) {
+ Logger.info("NO SL2.0 commando or result FOUND.");
+ throw new SL20Exception("sl20.04", null);
+
+ }
+
+
+ //parse SL2.0 command/result into JSON
+ JsonObject sl20ReqObj = null;
+ try {
+ JsonParser jsonParser = new JsonParser();
+ JsonElement sl20Req = jsonParser.parse(sl20Result);
+ sl20ReqObj = sl20Req.getAsJsonObject();
+
+ } catch (JsonSyntaxException e) {
+ Logger.warn("SL2.0 command or result is NOT valid JSON.", e);
+ Logger.debug("SL2.0 msg: " + sl20Result);
+ throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e);
+
+ }
+
+ //validate reqId with inResponseTo
+ String sl20ReqId = pendingReq.getGenericData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class);
+ String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true);
+ if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) {
+ Logger.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+ throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+ }
+
+
+ //validate signature
+ //TODO:
+ VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
+ if (payLoadContainer.isValidSigned() == null ||
+ !payLoadContainer.isValidSigned()) {
+ Logger.info("SL20 result from VDA was not valid signed");
+ throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+
+ }
+
+ //TODO validate certificate
+ List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
+
+ //extract payloaf
+ JsonObject payLoad = payLoadContainer.getPayload();
+
+ //check response type
+ if (SL20JSONExtractorUtils.getStringValue(
+ payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
+ .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) {
+ Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... ");
+
+
+ //TODO: add decryption
+ JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, null, false);
+
+
+ //extract attributes from result
+ String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
+ SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);
+ String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
+ SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true);
+ String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
+ SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true);
+ String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
+ SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true);
+
+
+ //TODO: validate results
+
+
+ //add into session
+ defaultTaskInitialization(request, executionContext);
+ moasession.setIdentityLink(new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink());
+ moasession.setBkuURL(ccsURL);
+ //TODO: from AuthBlock
+ moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
+ moasession.setQAALevel(LoA);
+
+ //mark as authenticated
+ moasession.setAuthenticated(true);
+ pendingReq.setAuthenticated(true);
+
+ //store pending request
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //create response
+ Map<String, String> reqParameters = new HashMap<String, String>();
+ reqParameters.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID());
+ JsonObject callReqParams = SL20JSONBuilderUtils.createCallCommandParameters(
+ new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, null),
+ SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET,
+ false,
+ reqParameters);
+ JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
+
+ //build first redirect command for app
+ JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true);
+ JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
+
+ //build second redirect command for IDP
+ JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+ new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, null),
+ redirectOneCommand, null, true);
+ JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
+
+ //build generic SL2.0 response container
+ String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
+ JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest(
+ UUID.randomUUID().toString(),
+ transactionId,
+ redirectTwoCommand,
+ null);
+
+ if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null &&
+ request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {
+ Logger.debug("Client request containts 'native client' header ... ");
+ StringWriter writer = new StringWriter();
+ writer.write(respContainer.toString());
+ final byte[] content = writer.toString().getBytes("UTF-8");
+ response.setStatus(HttpServletResponse.SC_OK);
+ response.setContentLength(content.length);
+ response.setContentType(ContentType.APPLICATION_JSON.toString());
+ response.getOutputStream().write(content);
+
+
+ } else {
+ Logger.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'");
+ throw new SL20Exception("sl20.06",
+ new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"});
+
+ }
+
+ } else {
+ Logger.info("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
+ throw new SLCommandoParserException("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
+ }
+
+
+ } catch (MOAIDException e) {
+ Logger.warn("ERROR:", e);
+ throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.warn("ERROR:", e);
+ Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } finally {
+ TransactionIDUtils.removeTransactionId();
+ TransactionIDUtils.removeSessionId();
+
+ }
+ }
+
+
+ private JsonObject createRedirectCommand() {
+
+
+ return null;
+
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..48a3d2450
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.sl20_auth.SL20AuthenticationSpringResourceProvider \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml
new file mode 100644
index 000000000..37551b3f5
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+ <context:annotation-config />
+
+ <bean id="sl20AuthModule" class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.SL20AuthenticationModulImpl">
+ <property name="priority" value="3" />
+ </bean>
+
+ <bean id="SL20SignalServlet"
+ class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.SL20SignalServlet"/>
+
+ <bean id="firstJOSETests"
+ class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.JsonSecurityUtils"/>
+
+<!-- Authentication Process Tasks -->
+ <bean id="CreateQualeIDRequestTask"
+ class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks.CreateQualeIDRequestTask"
+ scope="prototype"/>
+
+ <bean id="ReceiveQualeIDResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks.ReceiveQualeIDTask"
+ scope="prototype"/>
+
+</beans> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml
new file mode 100644
index 000000000..bcd74f84c
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="SL20Authentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+ <pd:Task id="createQualifiedeIDRequest" class="CreateQualeIDRequestTask" />
+ <pd:Task id="receiveQualifiedeID" class="ReceiveQualeIDResponseTask" async="true"/>
+
+ <!-- <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" /> -->
+
+ <pd:StartEvent id="start" />
+ <pd:Transition from="start" to="createQualifiedeIDRequest" />
+ <pd:Transition from="createQualifiedeIDRequest" to="receiveQualifiedeID" />
+ <pd:Transition from="receiveQualifiedeID" to="end" />
+
+ <!-- It's only required if we can not use the finalize redirect on SL20 redirect command -->
+ <!-- <pd:Transition from="receiveQualifiedeID" to="finalizeAuthentication" />
+ <pd:Transition from="finalizeAuthentication" to="end" /> -->
+
+ <pd:EndEvent id="end" />
+
+</pd:ProcessDefinition>
diff --git a/id/server/modules/pom.xml b/id/server/modules/pom.xml
index f0779b26c..a9aed2d24 100644
--- a/id/server/modules/pom.xml
+++ b/id/server/modules/pom.xml
@@ -1,5 +1,5 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
@@ -28,13 +28,15 @@
<module>moa-id-module-openID</module>
<module>moa-id-module-eIDAS</module>
- <module>moa-id-module-eIDAS-v2</module>
+ <!-- <module>moa-id-module-eIDAS-v2</module> -->
<module>moa-id-modules-federated_authentication</module>
<module>moa-id-module-elga_mandate_service</module>
<module>moa-id-module-ssoTransfer</module>
<module>moa-id-module-bkaMobilaAuthSAML2Test</module>
- </modules>
+
+ <module>moa-id-module-sl20_authentication</module>
+ </modules>
<dependencies>
<dependency>
@@ -62,4 +64,4 @@
</dependency>
</dependencies>
-</project>
+</project> \ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 8eadbff39..e4aa52d33 100644
--- a/pom.xml
+++ b/pom.xml
@@ -538,6 +538,12 @@
</dependency>
<dependency>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-module-sl20_authentication</artifactId>
+ <version>${moa-id-version}</version>
+ </dependency>
+
+ <dependency>
<groupId>MOA.id.server</groupId>
<artifactId>moa-id-commons</artifactId>
<version>${moa-id-version}</version>