aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/Base64Utils.java36
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/Constants.java6
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/KeyStoreUtils.java27
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java3
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java23
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java15
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java4
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java19
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java18
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java5
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java370
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java26
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java8
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java4
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java18
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java20
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java79
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java7
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_de.properties22
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_en.properties23
-rw-r--r--id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml4
-rw-r--r--id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp4
-rw-r--r--id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp75
-rw-r--r--id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp4
-rw-r--r--id/history.txt20
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java26
-rw-r--r--id/readme_2.1.1.txt220
-rw-r--r--id/server/auth/src/main/webapp/template_localBKU.html2
-rw-r--r--id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties2
-rw-r--r--id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer24
-rw-r--r--id/server/data/deploy/conf/moa-id/moa-id.properties1
-rw-r--r--id/server/data/deploy/tomcat/unix/tomcat-start.sh2
-rw-r--r--id/server/data/deploy/tomcat/win32/startTomcat.bat4
-rw-r--r--id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties2
-rw-r--r--id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml161
-rw-r--r--id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml161
-rw-r--r--id/server/doc/conf/moa-id/moa-id.properties1
-rw-r--r--id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml61
-rw-r--r--id/server/doc/handbook/config/config.html12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java461
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java94
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java46
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java36
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java127
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java30
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java70
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java93
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java98
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java157
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java71
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java132
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java2
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java2
-rw-r--r--id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd28
-rw-r--r--pom.xml26
-rw-r--r--repository/iaik/iaik_tsl/1.1/iaik_tsl-1.1.jarbin0 -> 605175 bytes
-rw-r--r--spss/server/history.txt6
-rw-r--r--spss/server/readme.update.txt44
-rw-r--r--spss/server/serverlib/pom.xml30
-rw-r--r--spss/server/serverws/pom.xml4
84 files changed, 2880 insertions, 437 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/Base64Utils.java b/common/src/main/java/at/gv/egovernment/moa/util/Base64Utils.java
index 27f12ab0f..66bf50316 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/Base64Utils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/Base64Utils.java
@@ -50,12 +50,12 @@ public class Base64Utils {
* @return byte[] The raw bytes contained in the <code>base64String</code>.
* @throws IOException Failed to read the Base64 data.
*/
- public static byte[] decode(String base64String, boolean ignoreInvalidChars)
+ public static byte[] decode(String base64String, boolean ignoreInvalidChars, String encoding)
throws IOException {
Base64InputStream in =
new Base64InputStream(
- new ByteArrayInputStream(base64String.getBytes("UTF-8")),
+ new ByteArrayInputStream(base64String.getBytes(encoding)),
ignoreInvalidChars);
ByteArrayOutputStream out = new ByteArrayOutputStream();
byte[] bytes = new byte[256];
@@ -64,10 +64,15 @@ public class Base64Utils {
while ((bytesRead = in.read(bytes)) > 0) {
out.write(bytes, 0, bytesRead);
}
-
+ in.close();
+
return out.toByteArray();
}
+ public static byte[] decode(String base64String, boolean ignoreInvalidChars) throws IOException {
+ return decode(base64String, ignoreInvalidChars, "UTF-8");
+ }
+
/**
* Read the bytes encoded in a Base64 encoded <code>String</code> and provide
* them via an <code>InputStream</code>.
@@ -80,11 +85,12 @@ public class Base64Utils {
*/
public static InputStream decodeToStream(
String base64String,
- boolean ignoreInvalidChars) {
+ boolean ignoreInvalidChars,
+ String encoding) {
try {
ByteArrayInputStream bin =
- new ByteArrayInputStream(base64String.getBytes("UTF-8"));
+ new ByteArrayInputStream(base64String.getBytes(encoding));
Base64InputStream in = new Base64InputStream(bin, ignoreInvalidChars);
return in;
@@ -94,6 +100,13 @@ public class Base64Utils {
}
}
+ public static InputStream decodeToStream(
+ String base64String,
+ boolean ignoreInvalidChars) {
+ return decodeToStream(base64String, ignoreInvalidChars, "UTF-8");
+
+ }
+
/**
* Convert a byte array to a Base64 encoded <code>String</code>.
*
@@ -102,9 +115,16 @@ public class Base64Utils {
* @throws IOException Failed to write the bytes as Base64 data.
*/
public static String encode(byte[] bytes) throws IOException {
- return encode(new ByteArrayInputStream(bytes));
+ return encode(new ByteArrayInputStream(bytes), "UTF-8");
}
+ public static String encode(byte[] bytes, String encoding) throws IOException {
+ return encode(new ByteArrayInputStream(bytes), encoding);
+ }
+
+ public static String encode(InputStream inputStream) throws IOException {
+ return encode(inputStream, "UTF-8");
+ }
/**
* Convert the data contained in the given stream to a Base64 encoded
* <code>String</code>.
@@ -114,7 +134,7 @@ public class Base64Utils {
* <code>String</code>.
* @throws IOException Failed to convert the data in the stream.
*/
- public static String encode(InputStream inputStream) throws IOException {
+ public static String encode(InputStream inputStream, String encoding) throws IOException {
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
Base64OutputStream base64Stream = new Base64OutputStream(byteStream, "\n".getBytes());
byte[] bytes = new byte[256];
@@ -127,7 +147,7 @@ public class Base64Utils {
base64Stream.close();
inputStream.close();
- return byteStream.toString("UTF-8");
+ return byteStream.toString(encoding);
}
}
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java
index ed75768ba..8d71f2e84 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -346,7 +346,7 @@ public interface Constants {
/** Local location of the TSL schema definition. */
public static final String TSL_SCHEMA_LOCATION =
- SCHEMA_ROOT + "ts_102231v030102_xsd.xsd";
+ SCHEMA_ROOT + "ts_119612v010201_xsd.xsd";
/** URI of the TSL SIE namespace. */
public static final String TSL_SIE_NS_URI =
@@ -357,7 +357,7 @@ public interface Constants {
/** Local location of the TSL SIE schema definition. */
public static final String TSL_SIE_SCHEMA_LOCATION =
- SCHEMA_ROOT + "ts_102231v030102_sie_xsd.xsd";
+ SCHEMA_ROOT + "ts_119612v010201_sie_xsd.xsd";
/** URI of the TSL additional types namespace. */
public static final String TSL_ADDTYPES_NS_URI =
@@ -368,7 +368,7 @@ public interface Constants {
/** Local location of the TSL additional types schema definition. */
public static final String TSL_ADDTYPES_SCHEMA_LOCATION =
- SCHEMA_ROOT + "ts_102231v030102_additionaltypes_xsd.xsd";
+ SCHEMA_ROOT + "ts_ts_119612v010201_additionaltypes_xsd.xsd";
/** URI of the XML Encryption namespace. */
public static final String XENC_NS_URI =
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/KeyStoreUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/KeyStoreUtils.java
index 9db3ca6e3..3d28f4f2b 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/KeyStoreUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/KeyStoreUtils.java
@@ -36,9 +36,7 @@ import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
/**
* Utility for creating and loading key stores.
@@ -187,16 +185,29 @@ public class KeyStoreUtils {
//InputStream is = new FileInputStream(keyStorePath);
URL keystoreURL = new URL(keyStorePath);
InputStream in = keystoreURL.openStream();
- InputStream isBuffered = new BufferedInputStream(in);
+ InputStream isBuffered = new BufferedInputStream(in);
+ return loadKeyStore(isBuffered, password);
- isBuffered.mark(1024*1024);
+ }
+
+ /**
+ * Loads a keyStore without knowing the keyStore type
+ * @param in input stream
+ * @param password Password protecting the keyStore
+ * @return keyStore loaded
+ * @throws KeyStoreException thrown if keyStore cannot be loaded
+ * @throws FileNotFoundException
+ * @throws IOException
+ */
+public static KeyStore loadKeyStore(InputStream is, String password) throws KeyStoreException, IOException{
+ is.mark(1024*1024);
KeyStore ks = null;
try {
try {
- ks = loadKeyStore(KEYSTORE_TYPE_PKCS12, isBuffered, password);
+ ks = loadKeyStore(KEYSTORE_TYPE_PKCS12, is, password);
} catch (IOException e2) {
- isBuffered.reset();
- ks = loadKeyStore(KEYSTORE_TYPE_JKS, isBuffered, password);
+ is.reset();
+ ks = loadKeyStore(KEYSTORE_TYPE_JKS, is, password);
}
} catch(Exception e) {
e.printStackTrace();
@@ -205,7 +216,7 @@ public class KeyStoreUtils {
return ks;
}
-
+
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java
index 567978cae..f549db9f3 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java
@@ -60,6 +60,7 @@ public class Constants {
public static final String SESSION_BKUSELECTIONTEMPLATE = "bkuSelectionTemplate";
public static final String SESSION_SENDASSERTIONTEMPLATE = "sendAssertionTemplate";
public static final String SESSION_SLTRANSFORMATION = "slTransformation";
+ public static final String SESSION_BPKENCRYPTIONDECRYPTION = "bPKEncDec";
public static final String SESSION_SLOERROR = "sloerrormessage";
public static final String SESSION_SLOSUCCESS = "slosuccessmessage";
@@ -115,4 +116,6 @@ public class Constants {
BUSINESSSERVICENAMES = Collections.unmodifiableMap(tmp);
}
+
+ public static final long ONE_MINUTE_IN_MILLIS=60000;//millisecs
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
index 036acf1f6..3bfe409c0 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
@@ -42,6 +42,7 @@ public class AuthenticatedUser {
private String institute;
private String userName;
private Date lastLogin;
+ private Date sessionExpired;
private boolean onlyBusinessService = false;
private String businessServiceType;
@@ -54,7 +55,7 @@ public class AuthenticatedUser {
}
- public static AuthenticatedUser generateDefaultUser() {
+ public static AuthenticatedUser generateDefaultUser(Date sessionExpired) {
AuthenticatedUser user = new AuthenticatedUser();
user.familyName = "TestUser";
@@ -67,12 +68,13 @@ public class AuthenticatedUser {
user.isMandateUser = false;
user.isPVP2Login = false;
user.lastLogin = new Date();
+ user.sessionExpired = sessionExpired;
return user;
}
public static AuthenticatedUser generateUserRequestUser(UserDatabaseFrom form,
- String nameID, String nameIDFormat) {
+ String nameID, String nameIDFormat, Date sessionExpired) {
AuthenticatedUser user = new AuthenticatedUser();
user.familyName = form.getFamilyName();
@@ -85,6 +87,7 @@ public class AuthenticatedUser {
user.isMandateUser = form.isIsmandateuser();
user.isPVP2Login = form.isPVPGenerated();
user.lastLogin = new Date();
+ user.sessionExpired = sessionExpired;
user.nameID = nameID;
user.nameIDFormat = nameIDFormat;
@@ -93,7 +96,7 @@ public class AuthenticatedUser {
}
public AuthenticatedUser(UserDatabase userdb, boolean isAuthenticated, boolean isMandateUser,
- boolean isPVP2Login, String nameID, String nameIDFormat) {
+ boolean isPVP2Login, String nameID, String nameIDFormat, Date sessionExpired) {
this.familyName = userdb.getFamilyname();
this.givenName = userdb.getGivenname();
@@ -105,6 +108,7 @@ public class AuthenticatedUser {
this.isMandateUser = isMandateUser;
this.isPVP2Login = isPVP2Login;
this.lastLogin = new Date();
+ this.sessionExpired = sessionExpired;
this.nameID = nameID;
this.nameIDFormat = nameIDFormat;
@@ -250,10 +254,13 @@ public class AuthenticatedUser {
public String getNameIDFormat() {
return nameIDFormat;
}
-
-
-
-
-
+
+ /**
+ * @return the sessionExpired
+ */
+ public Date getSessionExpired() {
+ return sessionExpired;
+ }
+
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java
index 6d3afffc9..58142b398 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java
@@ -22,6 +22,9 @@
*/
package at.gv.egovernment.moa.id.configuration.auth;
+import java.util.Date;
+import java.util.Iterator;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -81,4 +84,16 @@ public class AuthenticationManager {
activeUsers.removeUser(authUser.getNameID());
}
+
+ public void removeAllUsersAfterTimeOut() {
+ Iterator<AuthenticatedUser> expiredUsers = activeUsers.getUserWithSessionTimeOut(new Date());
+ while (expiredUsers.hasNext()) {
+ AuthenticatedUser user = expiredUsers.next();
+ activeUsers.removeUser(user.getNameID());
+ log.info("LogOut user with ID" + user.getNameID() + " after SessionTimeOut.");
+
+ }
+
+ }
+
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java
index c52fee140..80730c6e0 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java
@@ -22,6 +22,9 @@
*/
package at.gv.egovernment.moa.id.configuration.auth;
+import java.util.Date;
+import java.util.Iterator;
+
/**
* @author tlenz
*
@@ -31,5 +34,6 @@ public interface IActiveUserStorage {
public AuthenticatedUser getUser(String nameID);
public void setUser(String nameID, AuthenticatedUser authUser);
public void removeUser(String nameID);
+ public Iterator<AuthenticatedUser> getUserWithSessionTimeOut(Date date);
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java
index 145da2c35..186a2b931 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java
@@ -22,7 +22,12 @@
*/
package at.gv.egovernment.moa.id.configuration.auth;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Date;
import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
import java.util.Map;
/**
@@ -68,4 +73,18 @@ public class MemoryActiveUserStorageImpl implements IActiveUserStorage {
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.configuration.auth.IActiveUserStorage#getUserWithSessionTimeOut(java.util.Date)
+ */
+ @Override
+ public Iterator<AuthenticatedUser> getUserWithSessionTimeOut(Date date) {
+ List<AuthenticatedUser> expiredUsers = new ArrayList<AuthenticatedUser>();
+ for (AuthenticatedUser user : store.values()) {
+ if (date.after(user.getSessionExpired()))
+ expiredUsers.add(user);
+
+ }
+ return expiredUsers.iterator();
+ }
+
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
index 38c858918..dfcde4624 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
@@ -127,7 +127,6 @@ public class SLOBasicServlet extends HttpServlet {
HttpSession session = request.getSession(false);
if (session != null)
session.invalidate();
-
return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request);
} else {
@@ -198,11 +197,20 @@ public class SLOBasicServlet extends HttpServlet {
} else if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
- log.info("Single LogOut process complete.");
- request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS,
- LanguageHelper.getErrorString("webpages.slo.success", request));
-
+ if (sloResp.getStatus().getStatusCode().getStatusCode() != null &&
+ !sloResp.getStatus().getStatusCode().getStatusCode().equals(StatusCode.PARTIAL_LOGOUT_URI)) {
+ log.info("Single LogOut process complete.");
+ request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS,
+ LanguageHelper.getErrorString("webpages.slo.success", request));
+
+ } else {
+ log.warn("Single LogOut process is not completed.");
+ request.getSession().setAttribute(Constants.SESSION_SLOERROR,
+ LanguageHelper.getErrorString("webpages.slo.error", request));
+
+ }
+
} else {
log.warn("Single LogOut response sends an unsupported statustype " + sloResp.getStatus().getStatusCode().getValue());
request.getSession().setAttribute(Constants.SESSION_SLOERROR,
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index bea6220ff..957479b29 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -457,6 +457,11 @@ public class ConfigurationProvider {
}
+ public String getConfigurationEncryptionKey() {
+ return props.getProperty("general.moaconfig.key");
+
+ }
+
private void initalPVP2Login() throws ConfigurationException {
try {
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java
new file mode 100644
index 000000000..6782987e5
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java
@@ -0,0 +1,370 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.configuration.data.oa;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.apache.commons.lang.SerializationUtils;
+import org.apache.log4j.Logger;
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
+import at.gv.egovernment.moa.id.commons.db.dao.config.BPKDecryption;
+import at.gv.egovernment.moa.id.commons.db.dao.config.EncBPKInformation;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
+import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.configuration.utils.ConfigurationEncryptionUtils;
+import at.gv.egovernment.moa.id.configuration.validation.oa.OAFileUploadValidation;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class OABPKEncryption implements IOnlineApplicationData {
+
+ private static final Logger log = Logger.getLogger(OABPKEncryption.class);
+
+ private static final String MODULENAME = "bPKEncryptionDecryption";
+
+ private String keyStorePassword = null;
+ private String keyAlias = null;
+ private String keyPassword = null;
+
+ private Map<String, byte[]> keyStoreForm = new HashMap<String, byte[]>();
+
+ private List<File> keyStoreFileUpload = null;
+ private List<String> keyStoreFileUploadContentType = null;
+ private List<String> keyStoreFileUploadFileName = new ArrayList<String>();;
+ private boolean deletekeyStore = false;
+ private boolean validationError = false;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#getName()
+ */
+ @Override
+ public String getName() {
+ // TODO Auto-generated method stub
+ return MODULENAME;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#parse(at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication, at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser, javax.servlet.http.HttpServletRequest)
+ */
+ @Override
+ public List<String> parse(OnlineApplication dbOA,
+ AuthenticatedUser authUser, HttpServletRequest request) {
+ AuthComponentOA oaAuth = dbOA.getAuthComponentOA();
+ if (oaAuth != null) {
+ EncBPKInformation bPKEncDec = oaAuth.getEncBPKInformation();
+ if (bPKEncDec != null) {
+ BPKDecryption bPKDec = bPKEncDec.getBPKDecryption();
+ if (bPKDec != null) {
+ keyAlias = bPKDec.getKeyAlias();
+ if (bPKDec.getKeyStoreFileName() != null)
+ keyStoreFileUploadFileName.add(bPKDec.getKeyStoreFileName());
+
+ }
+ }
+ }
+
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#store(at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication, at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser, javax.servlet.http.HttpServletRequest)
+ */
+ @Override
+ public String store(OnlineApplication dbOA, AuthenticatedUser authUser,
+ HttpServletRequest request) {
+ AuthComponentOA oaAuth = dbOA.getAuthComponentOA();
+ if (oaAuth == null) {
+ oaAuth = new AuthComponentOA();
+ dbOA.setAuthComponentOA(oaAuth);
+
+ }
+ EncBPKInformation bPKEncDec = oaAuth.getEncBPKInformation();
+ if (bPKEncDec == null) {
+ bPKEncDec = new EncBPKInformation();
+ oaAuth.setEncBPKInformation(bPKEncDec);
+
+ }
+
+ BPKDecryption bPKDec = bPKEncDec.getBPKDecryption();
+ if (bPKDec == null) {
+ bPKDec = new BPKDecryption();
+ bPKEncDec.setBPKDecryption(bPKDec);
+ }
+
+ if (isDeletekeyStore()) {
+ bPKDec.setIv(null);
+ bPKDec.setKeyAlias(null);
+ bPKDec.setKeyInformation(null);
+ bPKDec.setKeyStoreFileName(null);
+
+ }
+
+ BPKDecryptionParameters keyInfo = new BPKDecryptionParameters();
+ if (keyStoreForm != null && keyStoreForm.size() > 0) {
+ keyInfo.setKeyAlias(keyAlias);
+ keyInfo.setKeyPassword(keyPassword);
+ keyInfo.setKeyStorePassword(keyStorePassword);
+
+ Iterator<String> interator = keyStoreForm.keySet().iterator();
+ bPKDec.setKeyStoreFileName(interator.next());
+ bPKDec.setKeyAlias(keyAlias);
+ keyInfo.setKeyStore(keyStoreForm.get(
+ bPKDec.getKeyStoreFileName()));
+
+ //encrypt key information
+ byte[] serKeyInfo = SerializationUtils.serialize(keyInfo);
+ try {
+ EncryptedData encryptkeyInfo = ConfigurationEncryptionUtils.getInstance().encrypt(serKeyInfo);
+ bPKDec.setIv(encryptkeyInfo.getIv());
+ bPKDec.setKeyInformation(encryptkeyInfo.getEncData());
+
+ } catch (BuildException e) {
+ log.error("Configuration encryption FAILED.", e);
+ return LanguageHelper.getErrorString("error.general.text", request);
+
+ }
+ }
+
+ request.getSession().setAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION, null);
+
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#validate(at.gv.egovernment.moa.id.configuration.data.oa.OAGeneralConfig, at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser, javax.servlet.http.HttpServletRequest)
+ */
+ @Override
+ public List<String> validate(OAGeneralConfig general,
+ AuthenticatedUser authUser, HttpServletRequest request) {
+ HttpSession session = request.getSession();
+ List<String> errors = new ArrayList<String>();
+
+ String check = null;
+
+ OAFileUploadValidation valiator_fileUpload = new OAFileUploadValidation();
+ //validate BKU-selection template
+ List<String> templateError = valiator_fileUpload.validate(getKeyStoreFileUploadFileName()
+ , getKeyStoreFileUpload(), "validation.bPKDec.keyStore", keyStoreForm, request);
+ if (templateError != null && templateError.size() == 0) {
+ if (keyStoreForm != null && keyStoreForm.size() > 0) {
+ session.setAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION, keyStoreForm);
+
+ } else
+ keyStoreForm = (Map<String, byte[]>) session.getAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION);
+
+ } else {
+ errors.addAll(templateError);
+
+ }
+
+ if (keyStoreForm != null && keyStoreForm.size() > 0) {
+ check = getKeyStorePassword();
+ if (MiscUtil.isEmpty(check)) {
+ log.info("bPK decryption keystore password is empty");
+ errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStorePassword.empty", request));
+
+ } else {
+ if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+ log.warn("bPK decryption keystore password contains potentail XSS characters: " + check);
+ errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStorePassword.valid",
+ new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request ));
+
+ }
+ }
+
+ check = getKeyAlias();
+ if (MiscUtil.isEmpty(check)) {
+ log.info("bPK decryption key alias is empty");
+ errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyAlias.empty", request));
+
+ } else {
+ if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+ log.warn("bPK decryption key alias contains potentail XSS characters: " + check);
+ errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyAlias.valid",
+ new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request ));
+
+ }
+ }
+
+ check = getKeyPassword();
+ if (MiscUtil.isNotEmpty(check)) {
+ if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+ log.warn("bPK decryption key password contains potentail XSS characters: " + check);
+ errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyPassword.valid",
+ new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request ));
+
+ }
+ }
+
+ BPKDecryptionParameters keyInfo = new BPKDecryptionParameters();
+ keyInfo.setKeyAlias(keyAlias);
+ keyInfo.setKeyPassword(keyPassword);
+ keyInfo.setKeyStorePassword(keyStorePassword);
+ Iterator<String> interator = keyStoreForm.keySet().iterator();
+ String fileName = interator.next();
+ keyInfo.setKeyStore(keyStoreForm.get(fileName));
+ if (keyInfo.getPrivateKey() == null) {
+ log.info("Open keyStore FAILED.");
+ errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStore.file.valid", request));
+
+ }
+ }
+
+ if (errors.size() > 0) {
+ validationError = true;
+
+ }
+
+ return errors;
+
+ }
+
+ /**
+ * @return the keyStorePassword
+ */
+ public String getKeyStorePassword() {
+ return keyStorePassword;
+ }
+
+ /**
+ * @param keyStorePassword the keyStorePassword to set
+ */
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStorePassword = keyStorePassword;
+ }
+
+ /**
+ * @return the keyAlias
+ */
+ public String getKeyAlias() {
+ return keyAlias;
+ }
+
+ /**
+ * @param keyAlias the keyAlias to set
+ */
+ public void setKeyAlias(String keyAlias) {
+ this.keyAlias = keyAlias;
+ }
+
+ /**
+ * @return the keyPassword
+ */
+ public String getKeyPassword() {
+ return keyPassword;
+ }
+
+ /**
+ * @param keyPassword the keyPassword to set
+ */
+ public void setKeyPassword(String keyPassword) {
+ this.keyPassword = keyPassword;
+ }
+
+ /**
+ * @return the keyStoreFileUpload
+ */
+ public List<File> getKeyStoreFileUpload() {
+ return keyStoreFileUpload;
+ }
+
+ /**
+ * @param keyStoreFileUpload the keyStoreFileUpload to set
+ */
+ public void setKeyStoreFileUpload(List<File> keyStoreFileUpload) {
+ this.keyStoreFileUpload = keyStoreFileUpload;
+ }
+
+ /**
+ * @return the keyStoreFileUploadContentType
+ */
+ public List<String> getKeyStoreFileUploadContentType() {
+ return keyStoreFileUploadContentType;
+ }
+
+ /**
+ * @param keyStoreFileUploadContentType the keyStoreFileUploadContentType to set
+ */
+ public void setKeyStoreFileUploadContentType(
+ List<String> keyStoreFileUploadContentType) {
+ this.keyStoreFileUploadContentType = keyStoreFileUploadContentType;
+ }
+
+ /**
+ * @return the keyStoreFileUploadFileName
+ */
+ public List<String> getKeyStoreFileUploadFileName() {
+ return keyStoreFileUploadFileName;
+ }
+
+ /**
+ * @param keyStoreFileUploadFileName the keyStoreFileUploadFileName to set
+ */
+ public void setKeyStoreFileUploadFileName(
+ List<String> keyStoreFileUploadFileName) {
+ this.keyStoreFileUploadFileName = keyStoreFileUploadFileName;
+ }
+
+ /**
+ * @return the deletekeyStore
+ */
+ public boolean isDeletekeyStore() {
+ return deletekeyStore;
+ }
+
+ /**
+ * @param deletekeyStore the deletekeyStore to set
+ */
+ public void setDeletekeyStore(boolean deletekeyStore) {
+ this.deletekeyStore = deletekeyStore;
+ }
+
+ /**
+ * @return the validationError
+ */
+ public boolean isValidationError() {
+ return validationError;
+ }
+
+
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java
index e988cc292..150cd959e 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java
@@ -82,9 +82,7 @@ public class OATargetConfiguration implements IOnlineApplicationData {
*/
@Override
public List<String> parse(OnlineApplication dbOA,
- AuthenticatedUser authUser, HttpServletRequest request) {
- subTargetSet = MiscUtil.isNotEmpty(getTarget_subsector());
-
+ AuthenticatedUser authUser, HttpServletRequest request) {
String target_full = dbOA.getTarget();
if (MiscUtil.isNotEmpty(target_full)) {
if (TargetValidator.isValidTarget(target_full)) {
@@ -95,8 +93,10 @@ public class OATargetConfiguration implements IOnlineApplicationData {
if (TargetValidator.isValidTarget(target_split[0])) {
target = target_split[0];
- if (target_split.length > 1)
+ if (target_split.length > 1) {
target_subsector = target_split[1];
+ subTargetSet = true;
+ }
} else {
target = "";
@@ -367,4 +367,22 @@ public class OATargetConfiguration implements IOnlineApplicationData {
public void setDeaktivededBusinessService(boolean deaktivededBusinessService) {
this.deaktivededBusinessService = deaktivededBusinessService;
}
+
+
+ /**
+ * @return the subTargetSet
+ */
+ public boolean isSubTargetSet() {
+ return subTargetSet;
+ }
+
+
+ /**
+ * @param subTargetSet the subTargetSet to set
+ */
+ public void setSubTargetSet(boolean subTargetSet) {
+ this.subTargetSet = subTargetSet;
+ }
+
+
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
index 1f631afea..d13696d51 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
@@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.configuration.filter;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.Date;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
@@ -153,8 +154,11 @@ public class AuthenticationFilter implements Filter{
log.warn("Authentication is deaktivated. Dummy authentication-information are used!");
if (authuser == null) {
-
- authuser = AuthenticatedUser.generateDefaultUser();
+ int sessionTimeOut = session.getMaxInactiveInterval();
+ Date sessionExpired = new Date(new Date().getTime() +
+ (sessionTimeOut * Constants.ONE_MINUTE_IN_MILLIS));
+
+ authuser = AuthenticatedUser.generateDefaultUser(sessionExpired);
authManager.setActiveUser(authuser);
//authuser = new AuthenticatedUser(1, "Max", "TestUser", true, false);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
index cd6c699b9..dc97dd2c8 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.configuration.helper;
import java.util.ArrayList;
+import java.util.Date;
import java.util.List;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
@@ -88,7 +89,8 @@ public class FormDataHelper {
userlist.add(new AuthenticatedUser(dbuser,
dbuser.isIsActive(),
ismandate,
- false, null, null));
+ false, null, null, new Date())
+ );
}
return userlist;
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
index 9509f9712..3d96cc1e5 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
@@ -57,6 +57,9 @@ public class EditOAAction extends BasicOAAction {
OAAuthenticationData authOA = new OAAuthenticationData();
formList.put(authOA.getName(), authOA);
+ OABPKEncryption bPKEncDec = new OABPKEncryption();
+ formList.put(bPKEncDec.getName(), bPKEncDec);
+
OASSOConfig ssoOA = new OASSOConfig();
formList.put(ssoOA.getName(), ssoOA);
@@ -472,4 +475,19 @@ public class EditOAAction extends BasicOAAction {
formList.put(formOA.getName(), formOA);
}
+ /**
+ * @return the bPK encryption/decryption form
+ */
+ public OABPKEncryption getBPKEncDecr() {
+ return (OABPKEncryption) formList.get(new OABPKEncryption().getName());
+ }
+
+ /**
+ * @param bPK encryption/decryption form
+ * the bPK encryption/decryption form to set
+ */
+ public void setBPKEncDecr(OABPKEncryption formOA) {
+ formList.put(formOA.getName(), formOA);
+ }
+
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 4762f1518..f4a3d0c75 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -215,12 +215,17 @@ public class IndexAction extends BasicAction {
if (dbuser.isIsMandateUser() != null)
ismandateuser = dbuser.isIsMandateUser();
+ int sessionTimeOut = session.getMaxInactiveInterval();
+ Date sessionExpired = new Date(new Date().getTime() +
+ (sessionTimeOut * Constants.ONE_MINUTE_IN_MILLIS));
+
AuthenticatedUser authuser = new AuthenticatedUser(dbuser,
true,
ismandateuser,
false,
dbuser.getHjid()+"dbID",
- "username/password");
+ "username/password",
+ sessionExpired);
//store user as authenticated user
AuthenticationManager authManager = AuthenticationManager.getInstance();
@@ -390,6 +395,10 @@ public class IndexAction extends BasicAction {
String bpkwbpk = nameID.getNameQualifier() + "+" + nameID.getValue();
+ int sessionTimeOut = session.getMaxInactiveInterval();
+ Date sessionExpired = new Date(new Date().getTime() +
+ (sessionTimeOut * Constants.ONE_MINUTE_IN_MILLIS));
+
//search user
UserDatabase dbuser = ConfigurationDBRead.getUserWithUserBPKWBPK(bpkwbpk);
if (dbuser == null) {
@@ -434,7 +443,8 @@ public class IndexAction extends BasicAction {
//create AuthUser data element
authUser = AuthenticatedUser.generateUserRequestUser(user,
nameID.getValue(),
- nameID.getFormat());
+ nameID.getFormat(),
+ sessionExpired);
//store user as authenticated user
AuthenticationManager authManager = AuthenticationManager.getInstance();
@@ -464,7 +474,8 @@ public class IndexAction extends BasicAction {
dbuser.isIsMandateUser(),
true,
nameID.getValue(),
- nameID.getFormat());
+ nameID.getFormat(),
+ sessionExpired);
//store user as authenticated user
AuthenticationManager authManager = AuthenticationManager.getInstance();
@@ -491,7 +502,8 @@ public class IndexAction extends BasicAction {
ismandateuser,
true,
nameID.getValue(),
- nameID.getFormat());
+ nameID.getFormat(),
+ sessionExpired);
//store user as authenticated user
AuthenticationManager authManager = AuthenticationManager.getInstance();
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java
new file mode 100644
index 000000000..08cd7c59d
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.configuration.utils;
+
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.util.AbstractEncrytionUtil;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ConfigurationEncryptionUtils extends AbstractEncrytionUtil {
+
+ private static ConfigurationEncryptionUtils instance = null;
+ private static String key = null;
+
+ public static ConfigurationEncryptionUtils getInstance() {
+ if (instance == null) {
+ try {
+ key = ConfigurationProvider.getInstance().getConfigurationEncryptionKey();
+ instance = new ConfigurationEncryptionUtils();
+
+ } catch (Exception e) {
+ Logger.warn("MOAConfiguration encryption initialization FAILED.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ public ConfigurationEncryptionUtils() throws DatabaseEncryptionException {
+ super();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Configuration-Salt";
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+
+ }
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java
index 9ec8db858..a75f8307d 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java
@@ -31,6 +31,7 @@ import org.apache.log4j.Logger;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager;
import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper;
@@ -40,13 +41,14 @@ public class UserRequestCleaner implements Runnable {
private static final Logger log = Logger.getLogger(UserRequestCleaner.class);
- private static final long SESSION_CLEANUP_INTERVAL = 60 * 60; // 60 min
+ private static final long SESSION_CLEANUP_INTERVAL = 5 * 60; // 5 min
public void run() {
while (true) {
try {
ConfigurationProvider config = ConfigurationProvider.getInstance();
+ //clean up user request storage
List<UserDatabase> userrequests = ConfigurationDBRead.getAllOpenUsersRequests();
if (userrequests != null) {
Calendar cal = Calendar.getInstance();
@@ -63,6 +65,9 @@ public class UserRequestCleaner implements Runnable {
}
}
+
+ //clean up active user storage
+ AuthenticationManager.getInstance().removeAllUsersAfterTimeOut();
Thread.sleep(SESSION_CLEANUP_INTERVAL * 1000);
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index 2c71d86a5..39bfcd36b 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -8,8 +8,8 @@ config.04=OpenSAML (PVP2 Login) can not be initialized
config.05=Configuration file not defined
error.title=Fehler:
-error.login.internal=W\u00E4hrend der Verarbeitung ist ein interner Fehler auftetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator.
-error.general.text=W\u00E4hrend der Verarbeitung ist ein interner Fehler auftetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator.
+error.login.internal=W\u00E4hrend der Verarbeitung ist ein interner Fehler aufgetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator.
+error.general.text=W\u00E4hrend der Verarbeitung ist ein interner Fehler aufgetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator.
errors.listOAs.noOA=Es wurden keine Online-Applikationen in der Datenbank gefunden.
errors.listIDPs.noIDP=Es wurden kein IdentityProvider f\u00FCr Interfederation in der Datenbank gefunden.
errors.edit.oa.oaid=Es wurde keine g\u00FCtige Online-Applikations-ID \u00FCbergeben.
@@ -200,6 +200,15 @@ webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template
webpages.oaconfig.general.bku.sendassertion.filename=Dateiname
webpages.oaconfig.general.bku.sendassertion.upload=Neues Template hochladen
+webpages.oaconfig.bPKEncDec.header=Fremd-bPK Konfiguration
+webpages.oaconfig.bPKEncDec.keystore.header=KeyStore Konfiguration
+webpages.oaconfig.bPKEncDec.filename=Dateiname
+webpages.oaconfig.bPKEncDec.delete=L\u00F6schen
+webpages.oaconfig.bPKEncDec.upload=KeyStore hochladen
+webpages.oaconfig.bPKEncDec.keyStorePassword=KeyStore Password
+webpages.oaconfig.bPKEncDec.keyAlias=Schl\u00FCsselname
+webpages.oaconfig.bPKEncDec.keyPassword=Schl\u00FCsselpassword
+
webpages.oaconfig.general.identification=Eindeutiger Identifikatior (PublicURLPrefix)
webpages.oaconfig.general.mandate.header=Vollmachten
webpages.oaconfig.general.mandate.profiles=Profile
@@ -449,6 +458,15 @@ validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte
validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden.
validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig.
+validation.bPKDec.keyStorePassword.empty=Das Password f\u00FCr den KeyStore ist leer.
+validation.bPKDec.keyStorePassword.valid=Das Password f\u00FCr den KeyStore enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
+validation.bPKDec.keyAlias.empty=Der Schl\u00FCsselname ist leer.
+validation.bPKDec.keyAlias.valid=Der Schl\u00FCsselname enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
+validation.bPKDec.keyPassword.empty=Das Password f\u00FCr den privaten Schl\u00FCssel ist leer.
+validation.bPKDec.keyPassword.valid=Das Password f\u00FCr den privaten Schl\u00FCssel enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
+validation.bPKDec.keyStore.filename.valid=Der Dateiname des KeyStores enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
+validation.bPKDec.keyStore.file.valid=Der KeyStore konnte nicht geladen oder ge\u00F6ffnet werden. Eventuell sind das Passwort oder der Schl\u00FCsselname nicht korrekt.
+validation.bPKDec.keyStore.file.selected=Es kann nur EIN KeyStore angegeben werden.
validation.stork.cpeps.cc=CPEPS L\u00E4ndercode folgt nicht ISO 3166-2
validation.stork.cpeps.empty=CPEPS Konfiguration ist unvollst\u00E4ndig
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index a494ef089..22b063099 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -196,12 +196,21 @@ webpages.oaconfig.general.testing.oids=Use special test credential OIDs
webpages.oaconfig.general.bku.delete=Remove
webpages.oaconfig.general.bku.bkuselection.header=CCE-Selection Template
-webpages.oaconfig.general.bku.bkuselection.filename=File name
+webpages.oaconfig.general.bku.bkuselection.filename=Filename
webpages.oaconfig.general.bku.bkuselection.upload=Upload new template
webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template
-webpages.oaconfig.general.bku.sendassertion.filename=File name
+webpages.oaconfig.general.bku.sendassertion.filename=Filename
webpages.oaconfig.general.bku.sendassertion.upload=Upload new template
+webpages.oaconfig.bPKEncDec.header=Foreign-bPK Configuration
+webpages.oaconfig.bPKEncDec.keystore.header=Keystore configuration
+webpages.oaconfig.bPKEncDec.filename=Filename
+webpages.oaconfig.bPKEncDec.delete=Remove
+webpages.oaconfig.bPKEncDec.upload=Upload new keystore
+webpages.oaconfig.bPKEncDec.keyStorePassword=Keystore password
+webpages.oaconfig.bPKEncDec.keyAlias=Key alias
+webpages.oaconfig.bPKEncDec.keyPassword=Key password
+
webpages.oaconfig.general.identification=Unique identifier (PublicURLPrefix)
webpages.oaconfig.general.mandate.header=Mandates
webpages.oaconfig.general.mandate.profiles=Profile
@@ -447,6 +456,16 @@ validation.general.sendassertion.file.valid=Send-Assertion Templates could not b
validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided.
validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid.
+validation.bPKDec.keyStorePassword.empty=KeyStore password is blank.
+validation.bPKDec.keyStorePassword.valid=The keyStore password contains forbidden characters. The following characters are not allowed\: {0}
+validation.bPKDec.keyAlias.empty=Key alias is blank.
+validation.bPKDec.keyAlias.valid=The key alias contains forbidden characters. The following characters are not allowed\: {0}
+validation.bPKDec.keyPassword.empty=Key password is blank.
+validation.bPKDec.keyPassword.valid=The key password contains forbidden characters. The following characters are not allowed\: {0}
+validation.bPKDec.keyStore.filename.valid=The keyStore filename contains forbidden characters. The following characters are not allowed\: {0}
+validation.bPKDec.keyStore.file.valid=KeyStore can not loaded. Maybe keyStore password or key alias are wrong.
+validation.bPKDec.keyStore.file.selected=Only one keyStore can be provided.
+
validation.stork.cpeps.cc=CPEPS country code is not based on 3166-2
validation.stork.cpeps.empty=CPEPS configuration is incomplete
validation.stork.cpeps.url=CPEPS URL is invalid
diff --git a/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml b/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml
index a6fe50269..d247faa1e 100644
--- a/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml
+++ b/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml
@@ -120,6 +120,10 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
+ <session-config>
+ <session-timeout>45</session-timeout>
+ </session-config>
+
<welcome-file-list>
<welcome-file>/index.action</welcome-file>
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp b/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp
index a3541c9a7..c56ad4847 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp
@@ -39,6 +39,8 @@
<s:include value="snippets/OA/targetConfiguration.jsp"></s:include>
<s:include value="snippets/OA/authentication.jsp"></s:include>
+
+ <s:include value="snippets/OA/bPKDecryption.jsp"></s:include>
<s:include value="snippets/OA/sso.jsp"></s:include>
@@ -82,7 +84,7 @@
</div>
<s:include value="snippets/OA/formCustomization.jsp"></s:include>
-
+
<s:hidden name="formID"
value="%{formID}"></s:hidden>
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp
new file mode 100644
index 000000000..9f506e7da
--- /dev/null
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp
@@ -0,0 +1,75 @@
+<%@page import="at.gv.egovernment.moa.id.configuration.helper.LanguageHelper"%>
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ taglib prefix="s" uri="/struts-tags" %>
+
+<html>
+ <div class="oa_config_block">
+ <h3><%=LanguageHelper.getGUIString("webpages.oaconfig.bPKEncDec.header", request) %></h3>
+
+<!-- <div class="oa_protocol_area"> -->
+ <%-- <h4><%=LanguageHelper.getGUIString("webpages.oaconfig.bPKEncDec.keystore.header", request) %></h4> --%>
+ <s:iterator value="%{BPKEncDecr.keyStoreFileUploadFileName}" var="fileNameBKU">
+ <div class="floatClass">
+ <s:label key="webpages.oaconfig.bPKEncDec.filename"
+ value="%{fileNameBKU}"/>
+ <s:label key="webpages.oaconfig.bPKEncDec.keyAlias"
+ value="%{BPKEncDecr.keyAlias}"/>
+ <s:checkbox key="webpages.oaconfig.bPKEncDec.delete"
+ labelposition="left"
+ cssClass="checkbox"
+ name="BPKEncDecr.deletekeyStore"></s:checkbox>
+ </div>
+ <s:if test="BPKEncDecr.validationError">
+ <div id="pvp2_certificate_upload">
+ <s:file name="BPKEncDecr.keyStoreFileUpload" key="webpages.oaconfig.bPKEncDec.upload" cssClass="textfield_long"></s:file>
+ <s:password name="BPKEncDecr.keyStorePassword"
+ labelposition="left"
+ key="webpages.oaconfig.bPKEncDec.keyStorePassword"
+ cssClass="textfield_long"
+ showPassword="false">
+ </s:password>
+
+ <s:textfield name="BPKEncDecr.keyAlias"
+ value="%{BPKEncDecr.keyAlias}"
+ labelposition="left"
+ key="webpages.oaconfig.bPKEncDec.keyAlias"
+ cssClass="textfield_long">
+ </s:textfield>
+
+ <s:password name="BPKEncDecr.keyPassword"
+ labelposition="left"
+ key="webpages.oaconfig.bPKEncDec.keyPassword"
+ cssClass="textfield_long"
+ showPassword="false">
+ </s:password>
+ </div>
+ </s:if>
+ </s:iterator>
+ <s:if test="BPKEncDecr.keyStoreFileUploadFileName.size() == 0">
+ <div id="pvp2_certificate_upload">
+ <s:file name="BPKEncDecr.keyStoreFileUpload" key="webpages.oaconfig.bPKEncDec.upload" cssClass="textfield_long"></s:file>
+
+ <s:password name="BPKEncDecr.keyStorePassword"
+ labelposition="left"
+ key="webpages.oaconfig.bPKEncDec.keyStorePassword"
+ cssClass="textfield_long">
+ </s:password>
+
+ <s:textfield name="BPKEncDecr.keyAlias"
+ value="%{BPKEncDecr.keyAlias}"
+ labelposition="left"
+ key="webpages.oaconfig.bPKEncDec.keyAlias"
+ cssClass="textfield_long">
+ </s:textfield>
+
+ <s:password name="BPKEncDecr.keyPassword"
+ labelposition="left"
+ key="webpages.oaconfig.bPKEncDec.keyPassword"
+ cssClass="textfield_long">
+ </s:password>
+ </div>
+ </s:if>
+<!-- </div> -->
+
+ </div>
+</html> \ No newline at end of file
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp
index 261966a86..b8bd1dc02 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp
@@ -46,8 +46,8 @@
</s:select>
</s:else>
- <s:checkbox name="subTargetSet"
- value="%{subTargetSet}"
+ <s:checkbox name="targetConfig.subTargetSet"
+ value="%{targetConfig.subTargetSet}"
labelposition="left"
key="webpages.oaconfig.general.target.subsector.checkbox"
cssClass="checkbox"
diff --git a/id/history.txt b/id/history.txt
index 8321e2085..a3146066b 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -1,7 +1,16 @@
Dieses Dokument zeigt die Veränderungen und Erweiterungen
von MOA-ID auf.
-History MOA-ID:
+Version MOA-ID Release 2.1.1: Änderungen seit Version MOA-ID 2.1.0
+- Neuerungen:
+ - Verarbeitung von verschlüsselten bPKs auf Seiten von MOA-ID-Auth
+
+- Änderungen
+ - Anpassung VIDP Code für STORK
+ - Anpassung des Codes für IDP Interfederation
+ - Kleinere Bug-Fixes
+
+
Version MOA-ID Release 2.1.0: Änderungen seit Version MOA-ID 2.0.1
- Änderungen
- Anpassung VIDP Code für STORK
@@ -14,6 +23,7 @@ Version MOA-ID Release 2.1.0: Änderungen seit Version MOA-ID 2.0.1
- MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet.
- Definition neuer Fehlercodes
+
Version MOA-ID Release 2.0.1: Änderungen seit Version MOA-ID 2.0.0
- Änderungen:
- Anpassungen VIDP Code für STORK
@@ -570,7 +580,7 @@ Version MOA-ID 1.2.0d3: Änderungen seit Version MOA-ID 1.1.1:
Verbesserungen/Erweiterungen:
- Umstellung von vPK auf bPK; von ZMR auf Stammzahl.
https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=70
+
- Anpassbare JSP Errorpage und Messagepage für Proxy und Auth
Damit die Formatierungen der Benutzermeldungen an die Kundenwünsche
und das CI der Kunden angepasst werden können, wird JSP
@@ -586,7 +596,7 @@ Verbesserungen/Erweiterungen:
Durch die Angabe des Attributs ‚keyBoxIdentifier’ im Element
OnlineApplication eine Auswahl des Schlüsselpaars erfolgen.
https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=105
+
- Anpassbare JSP Errorpage für MOA-ID Proxy und MOA-ID Auth
https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=70
@@ -595,8 +605,8 @@ Verbesserungen/Erweiterungen:
- Ergänzung der mitgelieferten Konfiguration
(certstore, trustprofiles auch für Testbürgerkarten)
- https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=120 
+ https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=120
+
Fixes:
- Daten die aus MOA-ID-PROXY an eine OA mittels der
Authentisierungsvariante ParamAuth weitergegeben werden,
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java
index 11cc020ff..b87865989 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java
@@ -43,6 +43,7 @@ import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
@@ -163,7 +164,7 @@ public class SingleLogOut extends HttpServlet {
idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
//Get the service address for the binding you wish to use
- if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
redirectEndpoint = sss;
}
}
@@ -182,28 +183,15 @@ public class SingleLogOut extends HttpServlet {
signer.setSigningCredential(authcredential);
sloReq.setSignature(signer);
- //generate Http-POST Binding message
- VelocityEngine engine = new VelocityEngine();
- engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
- engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
- engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
- engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
- engine.setProperty("classpath.resource.loader.class",
- "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
- engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
- "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
- engine.init();
-
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "templates/pvp_postbinding_template.html");
+ HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
- response, true);
+ response
+ , true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
SingleSignOnService service = new SingleSignOnServiceBuilder()
.buildObject();
- service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
- service.setLocation(redirectEndpoint.getLocation());;
-
+ service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ service.setLocation(redirectEndpoint.getLocation());
context.setOutboundSAMLMessageSigningCredential(authcredential);
context.setPeerEntityEndpoint(service);
context.setOutboundSAMLMessage(sloReq);
diff --git a/id/readme_2.1.1.txt b/id/readme_2.1.1.txt
new file mode 100644
index 000000000..44f591bed
--- /dev/null
+++ b/id/readme_2.1.1.txt
@@ -0,0 +1,220 @@
+===============================================================================
+MOA ID Version Release 2.1.1 - Wichtige Informationen zur Installation
+===============================================================================
+
+-------------------------------------------------------------------------------
+A. Neuerungen/Änderungen
+-------------------------------------------------------------------------------
+
+Mit MOA ID Version 2.1.1 wurden folgende Neuerungen eingeführt, die jetzt
+erstmals in der Veröffentlichung enthalten sind (siehe auch history.txt im
+gleichen Verzeichnis):
+
+- Neuerungen:
+ - Verarbeitung von verschlüsselten bPKs auf Seiten von MOA-ID-Auth
+
+- Änderungen
+ - Anpassung VIDP Code für STORK
+ - Anpassung des Codes für IDP Interfederation
+ - Kleinere Bug-Fixes
+
+-------------------------------------------------------------------------------
+B. Durchführung eines Updates
+-------------------------------------------------------------------------------
+
+Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch
+eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher
+MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend angebebenen Updateschritte.
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 2.1.0 auf Version 2.1.1
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
+ auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Hinzufügen der zusätzlichen Konfigurationsparameter in der
+ MOA-ID-Configuration Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+ a.) general.moaconfig.key=..... (Passwort zum Ver- und
+ Entschlüsseln von Konfigurationsparametern in der Datenbank)
+
+7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+ a.) configuration.moaconfig.key=..... (Passwort zum Ver- und
+ Entschlüsseln von Konfigurationsparametern in der Datenbank)
+
+8 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+...............................................................................
+B.2 Durchführung eines Updates von Version 2.0.1 auf Version 2.1.0
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
+ auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Update der STORK Konfiguration
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
+ 2.4 Konfiguration des SamlEngines an.
+
+7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+ a.) general.ssl.certstore=certs/certstore
+ b.) general.ssl.truststore=certs/truststore
+
+8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs
+ nach CATALINA_HOME\conf\moa-id-configuration\
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar.
+ a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion
+ protocols.pvp2.idp.ks.assertion.encryption.keypassword=password
+
+10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/
+ nach CATALINA_HOME\conf\moa-id\
+ a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\
+ b.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html ->
+ CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html
+
+11. Neuinitialisieren des Datenbank Schema für die MOA-Session. Hierfür stehen
+ zwei Varianten zur Verfügung.
+ a.) Ändern Sie in der Konfigurationsdatei für das Modul MOA-ID-Auth
+ CATALINA_HOME\conf\moa-id\moa-id.properties die Zeile
+ moasession.hibernate.hbm2ddl.auto=update
+ zu
+ moasession.hibernate.hbm2ddl.auto=create
+ Danach werden die Tabellen beim nächsten Startvorgang neu generiert.
+
+ b.) Löschen Sie alle Tabellen aus dem Datenbank Schema für die MOA-Sessixson
+ Informationen per Hand. Alle Tabellen werden beim nächsten Start autmatisch neu generiert.
+
+12 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.3 Durchführung eines Updates von Version 2.0-RC1 auf Version 2.0.1
+...............................................................................
+
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+ Für MOA ID Proxy:
+ Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
+ auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Update des Cert-Stores.
+ Kopieren Sie den Inhalt des Verzeichnisses
+ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
+ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
+ bejahen sie das.
+
+7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
+ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
+ beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+ 2) Kopieren Sie das Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss.
+
+ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
+ folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
+ entsprechenden Profilen im Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
+ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
+ der einzelnen Profile aus der Distribution
+ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
+ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
+ kopieren und dabei die vorhandenen gleichnamigen Zertifikate
+ überschreiben), also z.B: Kopieren des Inhalts von
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
+ CATALINA_HOME\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+
+8. Update der Default html-Templates für die Bürgerkartenauswahl.
+
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.
+ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates.
+
+9. Update der STORK Konfiguration
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
+ 2.4 Konfiguration des SamlEngines an.
+
+10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id\moa-id.properties
+
+ a.) configuration.validation.certificate.QC.ignore=false
+ b.) protocols.pvp2.assertion.encryption.active=false
+
+11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.4 Durchführung eines Updates von Version <= 1.5.1
+...............................................................................
+
+Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen
+Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter
+Zuhilfenahme Ihrer bisherigen Konfiguration an.
+
diff --git a/id/server/auth/src/main/webapp/template_localBKU.html b/id/server/auth/src/main/webapp/template_localBKU.html
index f197d2c5c..88fad25ae 100644
--- a/id/server/auth/src/main/webapp/template_localBKU.html
+++ b/id/server/auth/src/main/webapp/template_localBKU.html
@@ -11,7 +11,7 @@
</script>
</head>
<body onLoad="onAnmeldeSubmit()">
- <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
+ <form target=<REDIRECTTARGET> name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
<input class="button" type="submit" value="Starte Anmeldung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
index db158ed23..7c71fadcb 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
+++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
@@ -13,6 +13,8 @@ general.defaultlanguage=de
general.ssl.certstore=certs/certstore
general.ssl.truststore=certs/truststore
+general.moaconfig.key=ConfigurationEncryptionKey
+
##Mail
general.mail.host=smtp.localhost...
#general.mail.host.port=
diff --git a/id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer b/id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer
new file mode 100644
index 000000000..bd9640b37
--- /dev/null
+++ b/id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIJAIHjIpba8E6mMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV
+BAYTAkFUMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxGTAXBgNVBAMTEE1ldGFkYXRhIFNpZ25pbmcwHhcNMTQw
+MjA0MTA0MTA4WhcNMjQwMjAyMTA0MTA4WjBgMQswCQYDVQQGEwJBVDETMBEGA1UE
+CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MRkwFwYDVQQDExBNZXRhZGF0YSBTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAvfDn2hbBnvywRNc7wmToItDzXitkl9nfM9Q3ubEN9qAh4/PD
+ICrKdzFBq08a7NR5xNJhDCUhhZ/W20ZJvh+1dwQdgSzanA91iVKbL4YFYKbnM9/x
+tarTAMZMWH34qIkfwkKyTEDWeOqFG2653azO5e+0DFiBV7AytR3dmy1ZnJoqhGIY
+O4EzINikof1M7t5I8xBS3gAyQKyu0yhbj5AyUujpNIPX0JeE1C1DsrHaeuAHZXLh
+zHEWSG3NVXrn8HAXAAtqGJ+E9SRztqsigDjNjbqrrp/vmPUag9Rb2o8/flEZTPRS
+ttCQTHK8jst/I2qgLkePB5kSp65caXUf4xuFqQIDAQABo4HFMIHCMB0GA1UdDgQW
+BBQFbqjmW9JHVCWwocMdO0EodAfy/jCBkgYDVR0jBIGKMIGHgBQFbqjmW9JHVCWw
+ocMdO0EodAfy/qFkpGIwYDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3Rh
+dGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAxMQ
+TWV0YWRhdGEgU2lnbmluZ4IJAIHjIpba8E6mMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADggEBAECK58eJgkd54gQAV9gGXRC2LV1tdBzn89Q57Ff/UwBQzN0M
++uytem8lwVCpUeAk6N01/krzmSbJojqpXId+O/iHhQ8lwDmJnXRrCZH7APiQ3yC0
+p4ufWtxhqixc+Itl96HzHDRXb7eZkXdVERGM26UGwyaBfxkIcLdpMoojlHBJlHaA
+oHDYiJHQBmqk5+YMOuEOnpsKY0115MZ38DoppNfeAFG8K4ZDI5vH9VWk8PDJu+jv
+tWbhXNsKiiCMdZrsnvGjxPpk/6zJpJpBcwCzhIvnaEobijKMO+6aH/6zfbB6JKn/
+Dz3Rw+0WbypFYbbpIzWRCkXSAQju/w3vHBGnCyI=
+-----END CERTIFICATE-----
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties
index e8a75c348..4290b1985 100644
--- a/id/server/data/deploy/conf/moa-id/moa-id.properties
+++ b/id/server/data/deploy/conf/moa-id/moa-id.properties
@@ -17,6 +17,7 @@ protocols.pvp2.assertion.encryption.active=false
##General MOA-ID 2.0 operations
#MOA-ID 2.0 session information encryption key (PassPhrase)
configuration.moasession.key=SessionEncryptionKey
+configuration.moaconfig.key=ConfigurationEncryptionKey
#MOA-ID 2.0 Monitoring Servlet
configuration.monitoring.active=false
diff --git a/id/server/data/deploy/tomcat/unix/tomcat-start.sh b/id/server/data/deploy/tomcat/unix/tomcat-start.sh
index 10bade1bd..59cf2d0a9 100644
--- a/id/server/data/deploy/tomcat/unix/tomcat-start.sh
+++ b/id/server/data/deploy/tomcat/unix/tomcat-start.sh
@@ -18,7 +18,7 @@ PROXY_OPT=-Dmoa.id.proxy.configuration=$CATALINA_BASE/conf/moa-id-proxy/MOAIDCon
#TRUST_STORE_PASS_OPT=-Djavax.net.ssl.trustStorePassword=changeit
#TRUST_STORE_TYPE_OPT=-Djavax.net.ssl.trustStoreType=jks
-export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $SPSS_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT $CONFIGTOOL_OPT $DEMOOA_OPT $STORK_OPT $PROXY_OPT"
+export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $SPSS_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT $CONFIGTOOL_OPT $DEMOOA_OPT $STORK_OPT $PROXY_OPT -Xms512m -Xmx1536m -XX:PermSize=256m"
echo CATALINA_HOME: $CATALINA_HOME
echo CATALINA_BASE: $CATALINA_BASE
diff --git a/id/server/data/deploy/tomcat/win32/startTomcat.bat b/id/server/data/deploy/tomcat/win32/startTomcat.bat
index 7730137c5..8d6d670bc 100644
--- a/id/server/data/deploy/tomcat/win32/startTomcat.bat
+++ b/id/server/data/deploy/tomcat/win32/startTomcat.bat
@@ -17,8 +17,8 @@ set CONFIGTOOL_OPT=-Dmoa.id.webconfig=%CATALINA_HOME%/conf/moa-id-configuration/
set DEMOOA_OPT=-Dmoa.id.demoOA=%CATALINA_HOME%/conf/moa-id-oa/oa.properties
set STORK_OPT=-Deu.stork.samlengine.config.location=%CATALINA_HOME%/conf/moa-id/stork/
set PROXY_OPT=-Dmoa.id.proxy.configuration=%CATALINA_HOME%/conf/moa-id-proxy/MOAIDConfiguration.xml
-
-set PARAMS_MOA=%CONFIG_OPT_SPSS% %CONFIG_OPT_ID% %LOGGING_OPT% %CONFIGTOOL_OPT% %DEMOOA_OPT% %STORK_OPT% %PROXY_OPT%
+
+set PARAMS_MOA=%CONFIG_OPT_SPSS% %CONFIG_OPT_ID% %LOGGING_OPT% %CONFIGTOOL_OPT% %DEMOOA_OPT% %STORK_OPT% %PROXY_OPT% -Xms512m -Xmx1536m -XX:PermSize=256m
rem set PARAM_TRUST_STORE=-Djavax.net.ssl.trustStore=truststore.jks
rem set PARAM_TRUST_STORE_PASS=-Djavax.net.ssl.trustStorePassword=changeit
diff --git a/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties
index db158ed23..7c71fadcb 100644
--- a/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties
+++ b/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties
@@ -13,6 +13,8 @@ general.defaultlanguage=de
general.ssl.certstore=certs/certstore
general.ssl.truststore=certs/truststore
+general.moaconfig.key=ConfigurationEncryptionKey
+
##Mail
general.mail.host=smtp.localhost...
#general.mail.host.port=
diff --git a/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml
new file mode 100644
index 000000000..1165d8b32
--- /dev/null
+++ b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml
@@ -0,0 +1,161 @@
+<sl10:TransformsInfo>
+ <dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+ <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
+ <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" exclude-result-prefixes="pr saml">
+ <xsl:output method="xml" xml:space="default"/>
+ <xsl:template match="/" xmlns="http://www.w3.org/1999/xhtml">
+ <html>
+ <head>
+ <title>Signatur der Anmeldedaten</title>
+ <style type="text/css" media="screen">
+ .normalstyle { font-size: medium; }
+ .italicstyle { font-size: medium; font-style: italic; }
+ .titlestyle{ text-decoration:underline; font-weight:bold; font-size: medium; }
+ .h4style{ font-size: large; }
+ </style>
+ </head>
+ <body>
+ <h4 class="h4style">Anmeldedaten:</h4>
+ <p class="titlestyle">Daten zur Person</p>
+ <table class="parameters">
+ <xsl:if test="normalize-space(//@Issuer)">
+ <tr>
+ <td class="italicstyle">Name:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//@Issuer"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="string(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue)">
+ <tr>
+ <td class="italicstyle">Geburtsdatum:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="substring(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue,9,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue,6,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue,1,4)"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='OIDTextualDescription']">
+ <tr>
+ <td class="italicstyle">Rolle:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='OIDTextualDescription']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='mandateReferenceValue']">
+ <tr>
+ <td class="italicstyle">Vollmacht:</td>
+ <td class="normalstyle">
+ <xsl:text>Ich melde mich in Vertretung an. Im nächsten Schritt wird mir eine Liste der für mich verfügbaren Vertretungsverhältnisse angezeigt, aus denen ich eines auswählen werde.</xsl:text>
+ </td>
+ </tr>
+ </xsl:if>
+ </table>
+ <p class="titlestyle">Daten zur Anwendung</p>
+ <table class="parameters">
+ <tr>
+ <td class="italicstyle">Name:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='oaFriendlyName']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="italicstyle">Staat:</td>
+ <td class="normalstyle">Österreich</td>
+ </tr>
+ </table>
+ <p class="titlestyle">Technische Parameter</p>
+ <table class="parameters">
+ <tr>
+ <td class="italicstyle">URL:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='OA']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ <xsl:if test="//saml:Attribute[@AttributeName='Geschaeftsbereich']">
+ <tr>
+ <td class="italicstyle">Bereich:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='Geschaeftsbereich']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='mandateReferenceValue']">
+ <tr>
+ <td class="italicstyle">
+ Vollmachten-Referenz:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='mandateReferenceValue']"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='IdentityLinkDomainIdentifierType']">
+ <tr>
+ <td class="italicstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='IdentityLinkDomainIdentifierType']"/>:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='wbPK']/saml:AttributeValue/pr:Identification/pr:Type"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='bPK'] or //saml:Attribute[@AttributeName='wbPK']">
+ <tr>
+ <td class="italicstyle">Identifikator:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='bPK']/saml:AttributeValue/pr:Identification/pr:Value"/>
+ <xsl:value-of select="//saml:Attribute[@AttributeName='wbPK']/saml:AttributeValue/pr:Identification/pr:Value"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='OIDTextualDescription']">
+ <tr>
+ <td class="italicstyle">OID:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='OID']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='HPI']">
+ <tr>
+ <td class="italicstyle">HPI:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='HPI']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <tr>
+ <td class="italicstyle">Datum:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="substring(//@IssueInstant,9,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,6,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,1,4)"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="italicstyle">Uhrzeit:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="substring(//@IssueInstant,12,2)"/>
+ <xsl:text>:</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,15,2)"/>
+ <xsl:text>:</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,18,2)"/>
+ </td>
+ </tr>
+ </table>
+ </body>
+ </html>
+ </xsl:template>
+ </xsl:stylesheet>
+ </dsig:Transform>
+ <dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
+ </dsig:Transforms>
+ <sl10:FinalDataMetaInfo>
+ <sl10:MimeType>application/xhtml+xml</sl10:MimeType>
+ </sl10:FinalDataMetaInfo>
+</sl10:TransformsInfo>
diff --git a/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml
new file mode 100644
index 000000000..e220b8f82
--- /dev/null
+++ b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml
@@ -0,0 +1,161 @@
+<sl10:TransformsInfo>
+ <dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+ <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
+ <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" exclude-result-prefixes="pr saml">
+ <xsl:output method="xml" xml:space="default"/>
+ <xsl:template match="/" xmlns="http://www.w3.org/1999/xhtml">
+ <html>
+ <head>
+ <title>Signing the authentication data</title>
+ <style type="text/css" media="screen">
+ .normalstyle { font-size: medium; }
+ .italicstyle { font-size: medium; font-style: italic; }
+ .titlestyle{ text-decoration:underline; font-weight:bold; font-size: medium; }
+ .h4style{ font-size: large; }
+ </style>
+ </head>
+ <body>
+ <h4 class="h4style">Authentication Data:</h4>
+ <p class="titlestyle">Personal Data</p>
+ <table class="parameters">
+ <xsl:if test="normalize-space(//@Issuer)">
+ <tr>
+ <td class="italicstyle">Name:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//@Issuer"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="string(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue)">
+ <tr>
+ <td class="italicstyle">Date of Birth:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="substring(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue,9,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue,6,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//saml:Attribute[@AttributeName='Geburtsdatum']/saml:AttributeValue,1,4)"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='OIDTextualDescription']">
+ <tr>
+ <td class="italicstyle">Role:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='OIDTextualDescription']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='mandateReferenceValue']">
+ <tr>
+ <td class="italicstyle">Mandate:</td>
+ <td class="normalstyle">
+ <xsl:text>I log in as representative. In the next step a list of available mandates is shown. Here I select one mandate.</xsl:text>
+ </td>
+ </tr>
+ </xsl:if>
+ </table>
+ <p class="titlestyle">Application Data</p>
+ <table class="parameters">
+ <tr>
+ <td class="italicstyle">Name:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='oaFriendlyName']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="italicstyle">Country:</td>
+ <td class="normalstyle">Austria</td>
+ </tr>
+ </table>
+ <p class="titlestyle">Technical Parameters</p>
+ <table class="parameters">
+ <tr>
+ <td class="italicstyle">URL:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='OA']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ <xsl:if test="//saml:Attribute[@AttributeName='Geschaeftsbereich']">
+ <tr>
+ <td class="italicstyle">Sector:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='Geschaeftsbereich']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='mandateReferenceValue']">
+ <tr>
+ <td class="italicstyle">
+ Mandate Reference:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='mandateReferenceValue']"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='IdentityLinkDomainIdentifierType']">
+ <tr>
+ <td class="italicstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='IdentityLinkDomainIdentifierType']"/>:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='wbPK']/saml:AttributeValue/pr:Identification/pr:Type"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='bPK'] or //saml:Attribute[@AttributeName='wbPK']">
+ <tr>
+ <td class="italicstyle">Identifier:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='bPK']/saml:AttributeValue/pr:Identification/pr:Value"/>
+ <xsl:value-of select="//saml:Attribute[@AttributeName='wbPK']/saml:AttributeValue/pr:Identification/pr:Value"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='OIDTextualDescription']">
+ <tr>
+ <td class="italicstyle">OID:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='OID']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <xsl:if test="//saml:Attribute[@AttributeName='HPI']">
+ <tr>
+ <td class="italicstyle">HPI:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="//saml:Attribute[@AttributeName='HPI']/saml:AttributeValue"/>
+ </td>
+ </tr>
+ </xsl:if>
+ <tr>
+ <td class="italicstyle">Date:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="substring(//@IssueInstant,9,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,6,2)"/>
+ <xsl:text>.</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,1,4)"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="italicstyle">Time:</td>
+ <td class="normalstyle">
+ <xsl:value-of select="substring(//@IssueInstant,12,2)"/>
+ <xsl:text>:</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,15,2)"/>
+ <xsl:text>:</xsl:text>
+ <xsl:value-of select="substring(//@IssueInstant,18,2)"/>
+ </td>
+ </tr>
+ </table>
+ </body>
+ </html>
+ </xsl:template>
+ </xsl:stylesheet>
+ </dsig:Transform>
+ <dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
+ </dsig:Transforms>
+ <sl10:FinalDataMetaInfo>
+ <sl10:MimeType>application/xhtml+xml</sl10:MimeType>
+ </sl10:FinalDataMetaInfo>
+</sl10:TransformsInfo>
diff --git a/id/server/doc/conf/moa-id/moa-id.properties b/id/server/doc/conf/moa-id/moa-id.properties
index e8a75c348..4290b1985 100644
--- a/id/server/doc/conf/moa-id/moa-id.properties
+++ b/id/server/doc/conf/moa-id/moa-id.properties
@@ -17,6 +17,7 @@ protocols.pvp2.assertion.encryption.active=false
##General MOA-ID 2.0 operations
#MOA-ID 2.0 session information encryption key (PassPhrase)
configuration.moasession.key=SessionEncryptionKey
+configuration.moaconfig.key=ConfigurationEncryptionKey
#MOA-ID 2.0 Monitoring Servlet
configuration.monitoring.active=false
diff --git a/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml b/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
index 5aff0d1fa..ef5dc23d2 100644
--- a/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
+++ b/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
@@ -23,10 +23,7 @@
<!--Only HTTP-POST binding is only supported for inter PEPS-->
<!--The SOAP binding is only supported for direct communication between SP-MW and VIdP-->
- <entry key="protocolBinding">HTTP-POST</entry>
-
-
-
+ <entry key="protocolBinding">HTTP-POST</entry>
<!--URI representing the classification of the identifier
Allow values: 'entity'.
@@ -36,25 +33,26 @@
-->
-
<!-- A friendly name for the attribute that can be displayed to a user -->
<entry key="friendlyName">false</entry>
<!-- A friendly name for the attribute that can be displayed to a user -->
<entry key="isRequired">true</entry>
- <!--PEPS in the Service Provider's country-->
- <entry key="requester">http://S-PEPS.gov.xx</entry>
+ <!--PEPS in the Service Provider's country-->
+ <entry key="requester">https://testvidp.buergerkarte.at/moa-id-auth/stork2/SendPEPSAuthnRequest</entry>
- <!--PEPS in the citizen's origin country-->
- <entry key="responder">http://C-PEPS.gov.xx</entry>
+ <!--PEPS in the citizen's origin country-->
+ <entry key="responder">https://testvidp.buergerkarte.at/moa-id-auth/stork2/SendPEPSAuthnRequest</entry>
<!--Subject cannot be confirmed on or after this seconds time (positive number)-->
- <entry key="timeNotOnOrAfter">300</entry>
+ <entry key="timeNotOnOrAfter">600</entry>
<!--Validation IP of the response-->
<entry key="ipAddrValidation">false</entry>
-
+
+ <!--One time use-->
+ <entry key="oneTimeUse">true</entry>
<!--Subject Attribute Definitions-->
<entry key="eIdentifier">http://www.stork.gov.eu/1.0/eIdentifier</entry>
@@ -73,7 +71,6 @@
<entry key="pseudonym">http://www.stork.gov.eu/1.0/pseudonym</entry>
<entry key="age">http://www.stork.gov.eu/1.0/age</entry>
<entry key="isAgeOver">http://www.stork.gov.eu/1.0/isAgeOver</entry>
- <entry key="fiscalNumber">http://www.stork.gov.eu/1.0/fiscalNumber</entry>
<entry key="textResidenceAddress">http://www.stork.gov.eu/1.0/textResidenceAddress</entry>
<entry key="canonicalResidenceAddress">http://www.stork.gov.eu/1.0/canonicalResidenceAddress</entry>
@@ -86,10 +83,38 @@
<entry key="newAttribute1">http://www.stork.gov.eu/1.0/newAttribute1</entry>
<entry key="newAttribute2">http://www.stork.gov.eu/1.0/newAttribute2</entry>
- <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry>
- <entry key="mandateContent">http://www.stork.gov.eu/1.0/mandateContent</entry>
- <entry key="representative">http://www.stork.gov.eu/1.0/representative</entry>
- <entry key="represented">http://www.stork.gov.eu/1.0/represented</entry>
- <entry key="mandateType">http://www.stork.gov.eu/1.0/mandateType</entry>
-
+ <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry>
+
+
+ <entry key="diplomaSupplement">http://www.stork.gov.eu/1.0/diplomaSupplement</entry>
+ <entry key="currentStudiesSupplement">http://www.stork.gov.eu/1.0/currentStudiesSupplement</entry>
+ <entry key="isStudent">http://www.stork.gov.eu/1.0/isStudent</entry>
+ <entry key="isAcademicStaff">http://www.stork.gov.eu/1.0/isAcademicStaff</entry>
+ <entry key="isTeacherOf">http://www.stork.gov.eu/1.0/isTeacherOf</entry>
+ <entry key="isCourseCoordinator">http://www.stork.gov.eu/1.0/isCourseCoordinator</entry>
+ <entry key="isAdminStaff">http://www.stork.gov.eu/1.0/isAdminStaff</entry>
+ <entry key="habilitation">http://www.stork.gov.eu/1.0/habilitation</entry>
+ <entry key="Title">http://www.stork.gov.eu/1.0/Title</entry>
+ <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry>
+ <entry key="hasAccountInBank">http://www.stork.gov.eu/1.0/hasAccountInBank</entry>
+ <entry key="isHealthCareProfessional">http://www.stork.gov.eu/1.0/isHealthCareProfessional</entry>
+
+ <entry key="eLPIdentifier">http://www.stork.gov.eu/1.0/eLPIdentifier</entry>
+ <entry key="legalName">http://www.stork.gov.eu/1.0/legalName</entry>
+ <entry key="alternativeName">http://www.stork.gov.eu/1.0/alternativeName</entry>
+ <entry key="type">http://www.stork.gov.eu/1.0/type</entry>
+ <entry key="translatableType">http://www.stork.gov.eu/1.0/translatableType</entry>
+ <entry key="status">http://www.stork.gov.eu/1.0/status</entry>
+ <entry key="activity">http://www.stork.gov.eu/1.0/activity</entry>
+ <entry key="registeredAddress">http://www.stork.gov.eu/1.0/registeredAddress</entry>
+ <entry key="registeredCanonicalAddress">http://www.stork.gov.eu/1.0/registeredCanonicalAddress</entry>
+ <entry key="contactInformation">http://www.stork.gov.eu/1.0/contactInformation</entry>
+ <entry key="LPFiscalNumber">http://www.stork.gov.eu/1.0/LPFiscalNumber</entry>
+ <entry key="mandate">http://www.stork.gov.eu/1.0/mandate</entry>
+ <entry key="docRequest">http://www.stork.gov.eu/1.0/docRequest</entry>
+
+ <entry key="mandateContent">http://www.stork.gov.eu/1.0/mandateContent</entry>
+ <entry key="representative">http://www.stork.gov.eu/1.0/representative</entry>
+ <entry key="represented">http://www.stork.gov.eu/1.0/represented</entry>
+
</properties>
diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html
index 24e80c588..e21aaf421 100644
--- a/id/server/doc/handbook/config/config.html
+++ b/id/server/doc/handbook/config/config.html
@@ -217,6 +217,12 @@
<td>TrustedCACertificates enth&auml;lt das Verzeichnis (relativ zur MOA-ID-Auth Basiskonfigurationsdatei), das jene Zertifikate enth&auml;lt, die als vertrauensw&uuml;rdig betrachtet werden. Im Zuge der &Uuml;berpr&uuml;fung der TLS-Serverzertifikate wird die Zertifikatspfaderstellung an einem dieser Zertifikate beendet. Dieses Verzeichnis wird zur Pr&uuml;fung der SSL Serverzertifikate beim Download von PVP 2.1 Metadaten verwendet.</td>
</tr>
<tr>
+ <td>general.moaconfig.key</td>
+ <td>ConfigurationEncryptionKey</td>
+ <td><p>Passwort zum Verschl&uuml;sseln von Konfigurationsteilen welche in der Datenbank abgelegt werden. Hierbei kann jede beliebige Zeichenfolge aus Buchstaben, Zahlen und Sonderzeichen verwendet werden.</p>
+ <p><strong>Hinweis:</strong> Dieses Passwort muss identisch zu dem im <a href="#basisconfig_moa_id_auth_param_general">Modul MOA-ID-Auth</a> hinterlegten Passwort sein.</p></td>
+ </tr>
+ <tr>
<td>general.userrequests.cleanup.delay</td>
<td>18</td>
<td>Innerhalb dieses Zeitraums muss ein neuer Benutzer die im Benutzerprofil hinterlegte eMail Adresse validieren. </td>
@@ -571,6 +577,12 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-configuration/secure/usermanagementInit
<td>Passwort zum Verschl&uuml;sseln von personenbezogenen Session Daten die w&auml;hrend eines Anmeldevorgangs und f&uuml;r Single Sign-On in der Datenbank abgelegt werden. Hierbei kann jede beliebige Zeichenfolge aus Buchstaben, Zahlen und Sonderzeichen verwendet werden.</td>
</tr>
<tr>
+ <td>configuration.moaconfig.key</td>
+ <td>ConfigurationEncryptionKey</td>
+ <td><p>Passwort zum Verschl&uuml;sseln von Konfigurationsteilen welche in der Datenbank abgelegt werden. Hierbei kann jede beliebige Zeichenfolge aus Buchstaben, Zahlen und Sonderzeichen verwendet werden.</p>
+ <p><strong>Hinweis:</strong> Dieses Passwort muss identisch zu dem im Modul <a href="#moa_id_config_parameters_generel">MOA-ID-Configuration</a> hinterlegten Passwort sein.</p></td>
+ </tr>
+ <tr>
<td>configuration.monitoring.active</td>
<td>true / false</td>
<td>Aktiviert das Modul f&uuml;r internes Monitoring / Testing.</td>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 33fed945b..d06298efa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1845,7 +1845,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget();
String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();
String spApplication = spInstitution;
- String spCountry = "AT";
+ String spCountry = "AT"; // intentionally set AT - the flow is limited on that use case only
//generate AuthnRquest
STORKAuthnRequest authnRequest = new STORKAuthnRequest();
@@ -1855,7 +1855,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authnRequest.setIssuer(issuerValue);
authnRequest.setQaa(oaParam.getQaaLevel());
authnRequest.setSpInstitution(spInstitution);
- authnRequest.setCountry(spCountry);
+ authnRequest.setSpCountry(spCountry);
authnRequest.setSpApplication(spApplication);
authnRequest.setSpSector(spSector);
authnRequest.setPersonalAttributeList(attributeList);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 4cec99b9a..db8b4dd80 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -164,5 +164,6 @@ public interface MOAIDAuthConstants {
}
});
+ public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 17d6898ee..ed2cd3ecb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -24,20 +24,26 @@ package at.gv.egovernment.moa.id.auth.builder;
import iaik.x509.X509Certificate;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.security.PrivateKey;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
-import java.util.GregorianCalendar;
+import java.util.Iterator;
import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
-import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
-import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.xml.XMLObject;
@@ -45,9 +51,14 @@ import org.opensaml.xml.security.SecurityException;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-import eu.stork.peps.auth.commons.PersonalAttribute;
-import eu.stork.peps.auth.commons.PersonalAttributeList;
-
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
@@ -76,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
@@ -149,7 +161,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
-
}
InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
@@ -239,11 +250,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
attributs = reqQueryAttr;
//IDP is a service provider IDP and request interfederated IDP to collect attributes
- } else {
-
- //TODO: check if response include attributes and map this attributes to requested attributes
- //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
-
+ } else {
//get PVP 2.1 attributes from protocol specific requested attributes
attributs = req.getRequestedAttributes();
@@ -255,44 +262,56 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
}
+
+
+ //TODO: check if response include attributes and map this attributes to requested attributes
+ //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
+ Response intfResp = (Response) req.getInterfederationResponse().getResponse();
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor(intfResp);
- //build attributQuery request
- AttributeQuery query =
- AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
+ if (!extractor.containsAllRequiredAttributes()) {
+ //build attributQuery request
+ AttributeQuery query =
+ AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
- //build SOAP request
- List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+ //build SOAP request
+ List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
- if (xmlObjects.size() == 0) {
- Logger.error("Receive emptry AttributeQuery response-body.");
- throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
+ if (xmlObjects.size() == 0) {
+ Logger.error("Receive emptry AttributeQuery response-body.");
+ throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
- }
+ }
- if (xmlObjects.get(0) instanceof Response) {
- Response intfResp = (Response) xmlObjects.get(0);
+ if (xmlObjects.get(0) instanceof Response) {
+ intfResp = (Response) xmlObjects.get(0);
- //validate PVP 2.1 response
- try {
- SAMLVerificationEngine engine = new SAMLVerificationEngine();
- engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ //validate PVP 2.1 response
+ try {
+ SAMLVerificationEngine engine = new SAMLVerificationEngine();
+ engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
- SAMLVerificationEngine.validateAssertion(intfResp, false);
+ SAMLVerificationEngine.validateAssertion(intfResp, false);
- } catch (Exception e) {
- Logger.warn("PVP 2.1 assertion validation FAILED.", e);
- throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ } catch (Exception e) {
+ Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+ throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ }
+
+ } else {
+ Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+ throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+
}
- //parse response information to authData
- buildAuthDataFormInterfederationResponse(authdata, session, intfResp);
-
- } else {
- Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
- throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+ //create assertion attribute extractor from AttributeQuery response
+ extractor = new AssertionAttributeExtractor(intfResp);
}
-
+ //parse response information to authData
+ buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);
+
} catch (SOAPException e) {
throw new BuildException("builder.06", null, e);
@@ -314,146 +333,280 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
- private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session,
- Response intfResp) throws BuildException, AssertionAttributeExtractorExeption {
+ private static void buildAuthDataFormInterfederationResponse(
+ AuthenticationData authData,
+ AuthenticationSession session,
+ AssertionAttributeExtractor extractor,
+ IOAAuthParameters oaParam)
+ throws BuildException, AssertionAttributeExtractorExeption {
Logger.debug("Build AuthData from assertion starts ....");
- Assertion assertion = intfResp.getAssertions().get(0);
+ authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME));
+ authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME));
+ authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME));
+ authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME));
+ authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME));
+ authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME));
+ authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME));
+ authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME));
- if (assertion.getAttributeStatements().size() == 0) {
- Logger.warn("Can not build AuthData from Assertion. NO Attributes included.");
- throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null);
-
+ if (extractor.containsAttribute(PVPConstants.BPK_NAME)) {
+ String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME);
+ authData.setBPK(pvpbPK.split(":")[1]);
}
- AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
- for (Attribute attr : attrStat.getAttributes()) {
-
- if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME))
- authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME))
- authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME))
- authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.BPK_NAME)) {
- String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent();
- authData.setBPK(pvpbPK.split(":")[1]);
- }
-
- if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))
- authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
- authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
- attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME))
- authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) {
+ List<String> encbPKList = Arrays.asList(
+ extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";"));
+ authData.setEncbPKList(encbPKList);
+ for (String fullEncbPK : encbPKList) {
+ int index = fullEncbPK.indexOf("|");
+ if (index >= 0) {
+ String encbPK = fullEncbPK.substring(index+1);
+ String second = fullEncbPK.substring(0, index);
+ int secIndex = second.indexOf("+");
+ if (secIndex >= 0) {
+ if (oaParam.getTarget().equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + oaParam.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ if (MiscUtil.isEmpty(authData.getBPK())) {
+ authData.setBPK(bPK);
+ authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+ Logger.info("bPK decryption process finished successfully.");
+ }
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
+ }
+
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
+
+ } else {
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
+
+ }
+ }
+ }
+ }
+ }
+
+ if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) {
+ Logger.error("Federated assertion include no bPK or encrypted bPK");
+ throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME
+ + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME);
- if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME))
- authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
+ authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
+ extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) {
+ try {
+ byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false);
+ authData.setAuthBlock(new String(authBlock, "UTF-8"));
- if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) {
- try {
- byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
- authData.setAuthBlock(new String(authBlock, "UTF-8"));
+ } catch (IOException e) {
+ Logger.error("Received AuthBlock is not valid", e);
- } catch (IOException e) {
- Logger.error("Received AuthBlock is not valid", e);
-
- }
}
-
- if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
- try {
- authData.setSignerCertificate(Base64Utils.decode(
- attr.getAttributeValues().get(0).getDOM().getTextContent(), false));
-
- } catch (IOException e) {
- Logger.error("Received SignerCertificate is not valid", e);
-
- }
- }
-
- if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME))
- authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME))
- authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
- if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) {
- try {
- InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
- IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
- authData.setIdentityLink(idl);
-
- } catch (ParseException e) {
- Logger.error("Received IdentityLink is not valid", e);
-
- } catch (Exception e) {
- Logger.error("Received IdentityLink is not valid", e);
-
- }
- }
-
- if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME))
- authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent());
-
-
- if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
- try {
- byte[] mandate = Base64Utils.decode(
- attr.getAttributeValues().get(0).getDOM().getTextContent(), false);
-
- if (authData.getMISMandate() == null)
- authData.setMISMandate(new MISMandate());
- authData.getMISMandate().setMandate(mandate);
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
+ try {
+ authData.setSignerCertificate(Base64Utils.decode(
+ extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false));
+
+ } catch (IOException e) {
+ Logger.error("Received SignerCertificate is not valid", e);
+
+ }
+ }
+
+ if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) {
+ try {
+ InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false);
+ IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
+ authData.setIdentityLink(idl);
+
+ } catch (ParseException e) {
+ Logger.error("Received IdentityLink is not valid", e);
+
+ } catch (Exception e) {
+ Logger.error("Received IdentityLink is not valid", e);
- authData.setUseMandate(true);
-
- } catch (Exception e) {
- Logger.error("Received Mandate is not valid", e);
- throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
-
- }
}
-
- if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) {
+ }
+
+
+ // set mandate attributes
+ authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
+ try {
+ byte[] mandate = Base64Utils.decode(
+ (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false);
+
if (authData.getMISMandate() == null)
authData.setMISMandate(new MISMandate());
- authData.getMISMandate().setProfRep(
- attr.getAttributeValues().get(0).getDOM().getTextContent());
+ authData.getMISMandate().setMandate(mandate);
+ authData.getMISMandate().setFullMandateIncluded(true);
+ authData.setUseMandate(true);
+
+ } catch (Exception e) {
+ Logger.error("Received Mandate is not valid", e);
+ throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
- }
+ }
+ }
+
+ //TODO: build short mandate if full mandate is no included.
+ if (authData.getMISMandate() == null &&
+ (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) {
+ Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... ");
+
+ MISMandate misMandate = new MISMandate();
+ misMandate.setFullMandateIncluded(false);
+
+ Mandate mandateObject = new Mandate();
+ Mandator mandator = new Mandator();
+ mandateObject.setMandator(mandator);
+
+ //build legal person short mandate
+ if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) {
+ Logger.debug("Build short mandate for legal person ...");
+ CorporateBodyType legalperson = new CorporateBodyType();
+ IdentificationType legalID = new IdentificationType();
+ Value idvalue = new Value();
+ legalID.setValue(idvalue );
+ legalperson.getIdentification().add(legalID );
+ mandator.setCorporateBody(legalperson );
+
+ legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME));
+ legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME));
+ idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME));
+
+ //build natural person short mandate
+ } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) ||
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) &&
+ extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) {
+ Logger.debug("Build short mandate for natural person ...");
+ PhysicalPersonType physPerson = new PhysicalPersonType();
+ PersonNameType persName = new PersonNameType();
+ mandator.setPhysicalPerson(physPerson );
+ physPerson.setName(persName );
+ FamilyName familyName = new FamilyName();
+ persName.getFamilyName().add(familyName );
+ IdentificationType persID = new IdentificationType();
+ physPerson.getIdentification().add(persID );
+ Value idValue = new Value();
+ persID.setValue(idValue );
+
+ String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" ");
+ for(int i=0; i<pvp2GivenName.length; i++)
+ persName.getGivenName().add(pvp2GivenName[i]);
+ familyName.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME));
+ physPerson.setDateOfBirth(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) {
+ persID.setType(Constants.URN_PREFIX_BASEID);
+ idValue.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME));
+
+ } else {
+ String[] pvp2bPK = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":");
+ if (pvp2bPK.length == 2) {
+ idValue.setValue(pvp2bPK[1]);
+
+ Pattern pattern = Pattern.compile(MOAIDAuthConstants.REGEX_PATTERN_TARGET);
+ Matcher matcher = pattern.matcher(pvp2bPK[0]);
+ if (matcher.matches())
+ persID.setType(Constants.URN_PREFIX_CDID + "+" + pvp2bPK[0]);
+ else
+ persID.setType(Constants.URN_PREFIX_WBPK + "+" + pvp2bPK[0]);
- if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) {
- authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent());
- authData.setForeigner(true);
+ } else {
+ Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME));
+ throw new AssertionAttributeExtractorExeption("Receive mandator bPK from federation with an unsupported format.");
+
+ }
+ }
+
+ } else {
+ Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary.");
+ throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null);
+
}
- if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {
+ try {
+ JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_");
+ Marshaller m = jc.createMarshaller();
+ ByteArrayOutputStream stream = new ByteArrayOutputStream();
+ m.marshal(mandateObject, stream);
+ misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes());
+ stream.close();
+
+ } catch (JAXBException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new AssertionAttributeExtractorExeption();
- if (authData.getStorkAttributes() == null)
- authData.setStorkAttributes(new PersonalAttributeList());
+ } catch (IOException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new AssertionAttributeExtractorExeption();
- List<String> storkAttrValues = new ArrayList<String>();
- storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent());
- PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),
- false, storkAttrValues , "Available");
- authData.getStorkAttributes().put(attr.getName(), storkAttr );
- authData.setForeigner(true);
- }
-
+ }
+ authData.setUseMandate(true);
+
}
+
+ if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) {
+ if (authData.getMISMandate() == null)
+ authData.setMISMandate(new MISMandate());
+ authData.getMISMandate().setProfRep(
+ extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME));
+
+ }
+
+
+ //set STORK attributes
+ if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) {
+ authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME));
+ authData.setForeigner(true);
+
+ }
+
+ if (!extractor.getSTORKAttributes().isEmpty()) {
+ authData.setStorkAttributes(extractor.getSTORKAttributes());
+ authData.setForeigner(true);
+
+ }
+
authData.setSsoSession(true);
- if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
- authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate());
+ if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null)
+ authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate());
//only for SAML1
if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 20641ca7c..b122ba17e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -46,13 +46,27 @@
package at.gv.egovernment.moa.id.auth.builder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
+import java.io.UnsupportedEncodingException;
+import java.security.InvalidKeyException;
import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
/**
* Builder for the bPK, as defined in
@@ -135,6 +149,58 @@ public class BPKBuilder {
}
}
+ public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
+ MiscUtil.assertNotNull(bpk, "BPK");
+ MiscUtil.assertNotNull(publicKey, "publicKey");
+
+ SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
+ if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+ target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ String input = "V1::urn:publicid:gv.at:cdid+" + target + "::"
+ + bpk + "::"
+ + sdf.format(new Date());
+ System.out.println(input);
+ byte[] result;
+ try {
+ byte[] inputBytes = input.getBytes("ISO-8859-1");
+ result = encrypt(inputBytes, publicKey);
+ return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", "");
+
+ } catch (Exception e) {
+ throw new BuildException("bPK encryption FAILED", null, e);
+ }
+ }
+
+ public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException {
+ MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK");
+ MiscUtil.assertNotNull(privateKey, "Private key");
+ String decryptedString;
+ try {
+ byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1");
+ byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
+ decryptedString = new String(decryptedBytes, "ISO-8859-1");
+
+ } catch (Exception e) {
+ throw new BuildException("bPK decryption FAILED", null, e);
+ }
+ String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
+ String sector = tmp.substring(0, tmp.indexOf("::"));
+ tmp = tmp.substring(tmp.indexOf("::") + 2);
+ String bPK = tmp.substring(0, tmp.indexOf("::"));
+
+ if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+ target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ if (target.equals(sector))
+ return bPK;
+
+ else {
+ Logger.error("Decrypted bPK does not match to request bPK target.");
+ return null;
+ }
+ }
+
/**
* Builds the storkeid from the given parameters.
*
@@ -214,6 +280,34 @@ public class BPKBuilder {
throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex);
}
}
+
+ private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+ byte[] result;
+ Cipher cipher = null;
+ try {
+ cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+ } catch(NoSuchAlgorithmException e) {
+ cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+ }
+ cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+ result = cipher.doFinal(inputBytes);
+
+ return result;
+ }
+
+ private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey)
+ throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{
+ byte[] result;
+ Cipher cipher = null;
+ try {
+ cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle
+ } catch(NoSuchAlgorithmException e) {
+ cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider
+ }
+ cipher.init(Cipher.DECRYPT_MODE, privateKey);
+ result = cipher.doFinal(encryptedBytes);
+ return result;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
new file mode 100644
index 000000000..69802d7e6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.exception;
+
+/**
+ * @author tlenz
+ *
+ */
+public class DatabaseEncryptionException extends MOAIDException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 6387519847869308880L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ * @param wrapped
+ */
+ public DatabaseEncryptionException(String messageId, Object[] parameters,
+ Throwable wrapped) {
+ super(messageId, parameters, wrapped);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index ff5e62d96..e3f32d59d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -133,7 +133,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
String targetConfig = oaParam.getTarget();
String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
- if (StringUtils.isEmpty(targetConfig)) {
+ if (StringUtils.isEmpty(targetConfig)
+ || (module.equals(SAML1Protocol.PATH) &&
+ !StringUtils.isEmpty(target))) {
// no target attribut is given in OA config
// target is used from request
// check parameter
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 397eebd9b..ade7d3f3c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -223,7 +223,7 @@ public class PEPSConnectorServlet extends AuthServlet {
moaSession.setUseMandate("true");
// and check if we have the gender value
- PersonalAttribute gender = attributeList.get("gender");
+ PersonalAttribute gender = attributeList.get("gender"); // TODO Do we need to check gender value if there is no representation case?
if(null == gender) {
String gendervalue = (String) request.getParameter("gender");
if(null != gendervalue) {
@@ -244,7 +244,7 @@ public class PEPSConnectorServlet extends AuthServlet {
//extract signed doc element and citizen signature
String citizenSignature = null;
try {
- String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+ String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 6fc1d28c1..a62de27fc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return prop;
}
+ /**
+ * @return
+ */
+ public String getMOAConfigurationEncryptionKey() {
+ String prop = props.getProperty("configuration.moaconfig.key");
+ if (MiscUtil.isEmpty(prop))
+ return null;
+ else
+ return prop;
+ }
+
public boolean isIdentityLinkResigning() {
String prop = props.getProperty("configuration.resignidentitylink.active", "false");
return Boolean.valueOf(prop);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index 6398de34f..4c6519b57 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.config.auth;
+import java.security.PrivateKey;
import java.util.List;
import java.util.Map;
@@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
/**
* @author tlenz
@@ -149,4 +151,6 @@ public interface IOAAuthParameters {
List<String> getTestCredentialOIDs();
+ PrivateKey getBPKDecBpkDecryptionKey();
+
} \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index f58fe2495..673d23373 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -46,11 +46,15 @@
package at.gv.egovernment.moa.id.config.auth;
+import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.SerializationUtils;
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin;
import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType;
@@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
import at.gv.egovernment.moa.id.config.ConfigurationUtils;
import at.gv.egovernment.moa.id.config.OAParameter;
+import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil;
import at.gv.egovernment.moa.id.util.FormBuildUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -555,4 +562,33 @@ public List<String> getTestCredentialOIDs() {
return null;
}
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters()
+ */
+@Override
+public PrivateKey getBPKDecBpkDecryptionKey() {
+
+ try {
+ EncryptedData encdata = new EncryptedData(
+ oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(),
+ oa_auth.getEncBPKInformation().getBPKDecryption().getIv());
+ byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata);
+ BPKDecryptionParameters data =
+ (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData);
+
+ return data.getPrivateKey();
+
+ } catch (BuildException e) {
+ // TODO Auto-generated catch block
+ Logger.error("Can not decrypt key information for bPK decryption", e);
+
+ } catch (NullPointerException e) {
+ Logger.error("No keyInformation found for bPK decryption");
+
+ }
+ return null;
+
+}
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java
new file mode 100644
index 000000000..787a480f0
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Serializable;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+
+import org.apache.commons.lang.SerializationUtils;
+
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+
+
+/**
+ * @author tlenz
+ *
+ */
+public class BPKDecryptionParameters implements Serializable{
+
+ private static final long serialVersionUID = 1L;
+
+ private byte[] keyStore = null;
+ private String keyStorePassword = null;
+ private String keyAlias = null;
+ private String keyPassword = null;
+
+ /**
+ * @return
+ */
+ public PrivateKey getPrivateKey() {
+ try {
+ InputStream in = new ByteArrayInputStream(keyStore);
+ KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword);
+
+ char[] chPassword = " ".toCharArray();
+ if (keyPassword != null)
+ chPassword = keyPassword.toCharArray();
+
+// Certificate test = store.getCertificate(keyAlias);
+// Base64Utils.encode(test.getPublicKey().getEncoded());
+
+ return (PrivateKey) store.getKey(keyAlias, chPassword);
+
+
+ } catch (KeyStoreException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (IOException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (UnrecoverableKeyException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Can not load private key from keystore.", e);
+
+ }
+
+ return null;
+ }
+
+ public byte[] serialize() {
+ return SerializationUtils.serialize(this);
+
+ }
+
+ /**
+ * @param keyStore the keyStore to set
+ */
+ public void setKeyStore(byte[] keyStore) {
+ this.keyStore = keyStore;
+ }
+
+ /**
+ * @param keyStorePassword the keyStorePassword to set
+ */
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStorePassword = keyStorePassword;
+ }
+
+ /**
+ * @param keyAlias the keyAlias to set
+ */
+ public void setKeyAlias(String keyAlias) {
+ this.keyAlias = keyAlias;
+ }
+
+ /**
+ * @param keyPassword the keyPassword to set
+ */
+ public void setKeyPassword(String keyPassword) {
+ this.keyPassword = keyPassword;
+ }
+
+
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index eddf605a6..7dbdcfa52 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.config.auth.data;
+import java.security.PrivateKey;
import java.util.List;
import java.util.Map;
@@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
return null;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters()
+ */
+ @Override
+ public PrivateKey getBPKDecBpkDecryptionKey() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 5685977bc..6fd327add 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -27,6 +27,7 @@ import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
+import java.util.List;
import org.w3c.dom.Element;
@@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable {
private byte[] signerCertificate = null;
private String authBlock = null;
-
+ private List<String> encbPKList = null;
+
+
private boolean useMandate = false;
private MISMandate mandate = null;
private String mandateReferenceValue = null;
@@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable {
this.ssoSessionValidTo = ssoSessionValidTo;
}
+ /**
+ * @return the encbPKList
+ */
+ public List<String> getEncbPKList() {
+ return encbPKList;
+ }
+
+ /**
+ * @param encbPKList the encbPKList to set
+ */
+ public void setEncbPKList(List<String> encbPKList) {
+ this.encbPKList = encbPKList;
+ }
+
+
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java
new file mode 100644
index 000000000..da6840fd7
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.data;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EncryptedbPK {
+ private String vkz = null;
+ private String target = null;
+ private String encbPK = null;
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 7e421da0f..8ce33021d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.data;
import java.util.Date;
+import java.util.List;
import org.w3c.dom.Element;
@@ -62,6 +63,8 @@ public interface IAuthData {
String getBkuURL();
+ List<String> getEncbPKList();
+
IdentityLink getIdentityLink();
byte[] getSignerCertificate();
String getAuthBlock();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 0d34fcb87..1e38bd4ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{
info = ModulStorage.getModuleByPath(protocolRequest.requestedModule());
moduleAction = info.getAction(protocolRequest.requestedAction());
- //create interfederated mOASession
+ //create interfederated MOASession
String sessionID =
AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId);
req.getParameterMap().put(PARAM_SESSIONID, sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 8f9417096..daa70efce 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -49,6 +49,7 @@ import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
@@ -252,8 +253,8 @@ public class AuthenticationManager extends AuthServlet {
VelocityContext context = new VelocityContext();
context.put("redirectURLs", sloReqList);
- context.put("$timeoutURL", timeOutURL);
- context.put("$timeout", SLOTIMEOUT);
+ context.put("timeoutURL", timeOutURL);
+ context.put("timeout", SLOTIMEOUT);
ssomanager.printSingleLogOutInfo(context, httpResp);
@@ -284,7 +285,7 @@ public class AuthenticationManager extends AuthServlet {
Logger.error("MOA AssertionDatabase ERROR", e);
if (pvpReq != null) {
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
}else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index 46e02d048..b22941216 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction {
if (MiscUtil.isEmpty(ssoID)) {
Logger.warn("Can not find active Session. Single LogOut not possible!");
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
@@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction {
} catch (MOADatabaseException e) {
Logger.warn("Can not find active Session. Single LogOut not possible!");
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
@@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction {
((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) {
Logger.debug("Process Single LogOut response");
LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse();
-
+
+ Transaction tx = null;
+
try {
String relayState = pvpReq.getRequest().getRelayState();
if (MiscUtil.isEmpty(relayState)) {
@@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction {
//TODO: add counter to prevent deadlock
while (!storageSuccess) {
- Transaction tx = session.beginTransaction();
+ tx = session.beginTransaction();
List result;
Query query = session.getNamedQuery("getAssertionWithArtifact");
@@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction {
try {
session.delete(element);
tx.commit();
-
+
} catch(HibernateException e) {
tx.rollback();
Logger.error("SLOContainter could not deleted from database. ");
@@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction {
Logger.error("Finale SLO redirct not possible.", e);
throw new AuthenticationException("pvp2.13", new Object[]{});
+ } finally {
+ if (tx != null && !tx.wasCommitted()) {
+ tx.commit();
+
+ }
}
+
+
} else {
Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse.");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 7f73b1ed7..1a268c812 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder {
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(req));
try {
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
-
+ //set metadata descriptor type
+ if (isSPEndPoint) {
+ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService()));
+
+ } else {
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
+ }
+
} catch (ConfigurationException e) {
throw new SecurityException(e);
}
messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
-
- //set metadata descriptor type
- if (isSPEndPoint)
- messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- else
- messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
-
+
decode.decode(messageContext);
InboundMessage msg = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 26f6f3a62..587d8e935 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder {
HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
new BasicParserPool());
+ BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ messageContext
+ .setInboundMessageTransport(new HttpServletRequestAdapter(req));
+
try {
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ //set metadata descriptor type
+ if (isSPEndPoint) {
+ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService()));
+
+ } else {
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ }
} catch (ConfigurationException e) {
throw new SecurityException(e);
}
-
- BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
- messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(req));
-
+
messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
@@ -198,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
}
public boolean handleDecode(String action, HttpServletRequest req) {
- return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod()
- .equals("GET"));
+ return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT))
+ && req.getMethod().equals("GET"));
}
public String getSAML2BindingName() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index f0eafe272..a2583c706 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
@@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class SoapBinding implements IDecoder, IEncoder {
@@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder {
new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(
- req));
-
+ req));
+ //messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
+
soapDecoder.decode(messageContext);
Envelope inboundMessage = (Envelope) messageContext
@@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder {
if (!xmlElemList.isEmpty()) {
SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0);
- MOARequest request = new MOARequest(attrReq, getSAML2BindingName());
- request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
+ MOARequest request = new MOARequest(attrReq, getSAML2BindingName());
+
+ if (messageContext.getPeerEntityMetadata() != null)
+ request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
+
+ else if (attrReq instanceof RequestAbstractType) {
+ RequestAbstractType attributeRequest = (RequestAbstractType) attrReq;
+ try {
+ if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) &&
+ MOAMetadataProvider.getInstance().getRole(
+ attributeRequest.getIssuer().getValue(),
+ SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null)
+ request.setEntityID(attributeRequest.getIssuer().getValue());
+
+ } catch (Exception e) {
+ Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue());
+ }
+ }
+
request.setVerified(false);
return request;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index eeb1dd104..01139d95c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -213,12 +213,13 @@ public class SingleLogOutBuilder {
}
-
+ DateTime now = new DateTime();
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
- sloReq.setIssueInstant(new DateTime());
+ sloReq.setIssueInstant(now);
+ sloReq.setNotOnOrAfter(now.plusMinutes(5));
sloReq.setDestination(sloInfo.getServiceURL());
@@ -230,14 +231,17 @@ public class SingleLogOutBuilder {
return sloReq;
}
- public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
+ public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);
Status status = SAML2Utils.createSAMLObject(Status.class);
StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
- statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setValue(firstLevelStatusCode);
statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null));
+ StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class);
+ secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setStatusCode(secondLevelCode);
status.setStatusCode(statusCode);
status.setStatusMessage(statusMessage);
sloResp.setStatus(status);
@@ -255,8 +259,11 @@ public class SingleLogOutBuilder {
status = SAML2Utils.createSAMLObject(Status.class);
StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
- statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setValue(StatusCode.SUCCESS_URI);
statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null));
+ StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class);
+ secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI);
+ statusCode.setStatusCode(secondLevelCode);
status.setStatusCode(statusCode);
status.setStatusMessage(statusMessage);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
index 3dd1dd064..a38446826 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java
@@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
public class BPKAttributeBuilder implements IPVPAttributeBuilder {
@@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder {
String bpk = authData.getBPK();
String type = authData.getBPKType();
+ if (MiscUtil.isEmpty(bpk))
+ throw new UnavailableAttributeException(BPK_NAME);
+
if (type.startsWith(Constants.URN_PREFIX_WBPK))
type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
- else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ else if (type.startsWith(Constants.URN_PREFIX_CDID))
+ type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
if (bpk.length() > BPK_MAX_LENGTH) {
bpk = bpk.substring(0, BPK_MAX_LENGTH);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java
index e8aeb8fcd..29d6df040 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java
@@ -27,6 +27,7 @@ import java.io.IOException;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -40,6 +41,10 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder {
IAttributeGenerator<ATT> g) throws AttributeException {
try {
String ilAssertion = null;
+
+ if (authData.getIdentityLink() == null)
+ throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME);
+
ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
index 7f52e1d47..463658a3d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java
@@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder {
@@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder {
}
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
- IAttributeGenerator<ATT> g) throws AttributeException {
+ IAttributeGenerator<ATT> g) throws AttributeException {
String bpktype = authData.getBPKType();
+
+ if (MiscUtil.isEmpty(authData.getBPKType()))
+ throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME);
+
return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME,
EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java
index a8b703fc2..16de43e11 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java
@@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
public class EIDSourcePIN implements IPVPAttributeBuilder {
@@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder {
throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
else {
+ if (MiscUtil.isEmpty(authData.getIdentificationValue()))
+ throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME);
+
return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue());
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java
new file mode 100644
index 000000000..b3256ac9a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
+
+ public String getName() {
+ return ENC_BPK_LIST_NAME;
+ }
+
+ public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+
+ if (authData.getEncbPKList() != null &&
+ authData.getEncbPKList().size() > 0) {
+ String value = authData.getEncbPKList().get(0);
+ for (int i=1; i<authData.getEncbPKList().size(); i++)
+ value += ";"+authData.getEncbPKList().get(i);
+
+ return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
+ value);
+
+ }
+
+ throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
+
+// String encbpk = "XXX01234567890XXX";
+// String type = "Bereich";
+// String vkz = "Verfahrenskennzeichen";
+//
+// //TODO: implement encrypted bPK support
+//
+// Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk);
+//
+// return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
+// vkz + "+" + type + "|" + encbpk);
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
index 670398ff6..790c1e8ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if (authData.isUseMandate()) {
- if (authData.getMandate() != null) {
+ //only provide full mandate if it is included.
+ //In case of federation only a short mandate could be include
+ if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) {
String fullMandate;
try {
fullMandate = DOMUtils.serializeNode(authData
@@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
Logger.error("Failed to generate Full Mandate", e);
}
}
+ throw new NoMandateDataAttributeException();
+
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index ee0088576..a16fed9cd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -22,15 +22,25 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.Subject;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.PersonalAttributeList;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -38,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class AssertionAttributeExtractor {
private Assertion assertion = null;
+ private Map<String, String> attributs = new HashMap<String, String>();
+ private PersonalAttributeList storkAttributes = new PersonalAttributeList();
+
+ private final List<String> minimalAttributeNameList = Arrays.asList(
+ PVPConstants.PRINCIPAL_NAME_NAME,
+ PVPConstants.GIVEN_NAME_NAME,
+ PVPConstants.BIRTHDATE_NAME);
+
public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption {
if (samlResponse != null && samlResponse instanceof Response) {
@@ -48,12 +66,79 @@ public class AssertionAttributeExtractor {
else if (assertions.size() > 1)
Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used.");
- assertion = assertions.get(0);
-
+ assertion = assertions.get(0);
+
+ if (assertion.getAttributeStatements() != null &&
+ assertion.getAttributeStatements().size() > 0) {
+ AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
+ for (Attribute attr : attrStat.getAttributes()) {
+ if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {
+ List<String> storkAttrValues = new ArrayList<String>();
+ storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent());
+ PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(),
+ false, storkAttrValues , "Available");
+ storkAttributes.put(attr.getName(), storkAttr );
+
+ } else
+ attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent());
+ }
+
+ }
+
} else
throw new AssertionAttributeExtractorExeption();
}
+ /**
+ * check attributes from assertion with minimal required attribute list
+ * @return
+ */
+ public boolean containsAllRequiredAttributes() {
+ return containsAllRequiredAttributes(minimalAttributeNameList);
+
+ }
+
+ /**
+ * check attributes from assertion with attributeNameList
+ * bPK or enc_bPK is always needed
+ *
+ * @param List of attributes which are required
+ *
+ * @return
+ */
+ public boolean containsAllRequiredAttributes(List<String> attributeNameList) {
+
+ //first check if a bPK or an encrypted bPK is available
+ if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) ||
+ (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) {
+ boolean flag = true;
+ for (String attr : attributeNameList) {
+ if (!attributs.containsKey(attr))
+ flag = false;
+ }
+
+ return flag;
+
+ }
+ return false;
+
+ }
+
+ public boolean containsAttribute(String attributeName) {
+ return attributs.containsKey(attributeName);
+
+ }
+
+ public String getAttribute(String attributeName) {
+ return attributs.get(attributeName);
+
+ }
+
+ public PersonalAttributeList getSTORKAttributes() {
+ return storkAttributes;
+ }
+
+
public String getNameID() throws AssertionAttributeExtractorExeption {
if (assertion.getSubject() != null) {
Subject subject = assertion.getSubject();
@@ -99,6 +184,10 @@ public class AssertionAttributeExtractor {
throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");
}
+ public Assertion getFullAssertion() {
+ return assertion;
+ }
+
private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {
List<AuthnStatement> authnList = assertion.getAuthnStatements();
if (authnList.size() == 0)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 08f40f888..7d3c72630 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -22,15 +22,22 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.saml1;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.Marshaller;
+import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import com.sun.xml.bind.marshaller.NamespacePrefixMapper;
+
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
@@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.util.xsd.persondata.IdentificationType;
+import at.gv.util.xsd.persondata.IdentificationType.Value;
+import at.gv.util.xsd.persondata.PersonNameType;
+import at.gv.util.xsd.persondata.PersonNameType.FamilyName;
+import at.gv.util.xsd.persondata.PhysicalPersonType;
public class SAML1AuthenticationServer extends AuthenticationServer {
@@ -185,30 +197,82 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
//set prPersion
boolean provideStammzahl = saml1parameter.isProvideStammzahl()
|| oaParam.getBusinessService();
- String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(),
- provideStammzahl);
- //set Authblock
- String authBlock = saml1parameter.isProvideAUTHBlock() ? authData
- .getAuthBlock() : "";
-
- //set IdentityLink for assortion
+ String prPerson = "";
String ilAssertion = "";
- if (saml1parameter.isProvideIdentityLink()) {
- ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
-
- if (!provideStammzahl)
- ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()
- .getIdentificationValue(), "");
- }
-
+ if (authData.getIdentityLink() != null) {
+ prPerson = new PersonDataBuilder().build(authData.getIdentityLink(),
+ provideStammzahl);
- String samlAssertion;
+ //set IdentityLink for assortion
+ if (saml1parameter.isProvideIdentityLink()) {
+ ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();
+
+ if (!provideStammzahl)
+ ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()
+ .getIdentificationValue(), "");
+ }
+ } else {
+ Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. ");
+ PhysicalPersonType person = new PhysicalPersonType();
+ PersonNameType name = new PersonNameType();
+ person.setName(name);
+ FamilyName familyName = new FamilyName();
+ name.getFamilyName().add(familyName );
+ IdentificationType id = new IdentificationType();
+ person.getIdentification().add(id );
+ Value value = new Value();
+ id.setValue(value );
+
+ id.setType(Constants.URN_PREFIX_BASEID);
+ value.setValue("");
+ familyName.setValue(authData.getFamilyName());
+ familyName.setPrimary("undefined");
+ name.getGivenName().add(authData.getGivenName());
+ person.setDateOfBirth(authData.getFormatedDateOfBirth());
+
+ JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata");
+ Marshaller m = jc.createMarshaller();
+ m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
+
+ m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() {
+ public String getPreferredPrefix(String arg0, String arg1, boolean arg2) {
+ if (Constants.PD_NS_URI.equals(arg0))
+ return Constants.PD_PREFIX;
+ else
+ return arg1;
+ }
+ });
+
+ ByteArrayOutputStream stream = new ByteArrayOutputStream();
+ m.marshal(
+ new JAXBElement<PhysicalPersonType>(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person),
+ stream);
+ prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8"));
+ stream.close();
+
+
+
+ }
+
+ //set Authblock
+ String authBlock = "";
+ if (authData.getAuthBlock() != null) {
+ authBlock = saml1parameter.isProvideAUTHBlock() ? authData.getAuthBlock() : "";
+
+ } else {
+ Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available");
+
+ }
+ String samlAssertion;
if (authData.isUseMandate()) {
List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA();
- if (saml1parameter.isProvideFullMandatorData()) {
+ //only provide full mandate if it is included.
+ //In case of federation only a short mandate could be include
+ if (saml1parameter.isProvideFullMandatorData()
+ && authData.getMISMandate().isFullMandateIncluded()) {
try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
index 139c438f9..baa91a854 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
@@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction {
httpResp.reset();
this.representingIdentityLink = authData.getIdentityLink();
+
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL());
if (oaParam == null)
throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()});
@@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction {
}
if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType());
+ Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)");
+ Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() + ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue());
throw new MOAIDException("stork.20", new Object[]{}); // TODO
}
@@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction {
represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute));
} else if (mandateContainer instanceof PhyPersonMandateContainer) {
PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer;
- represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE
+ represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer));
represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName());
represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName());
represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 350c4e9da..a9f5ed60a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage {
private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException {
byte[] serialized = SerializationUtils.serialize(session);
- EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized);
+ EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized);
dbsession.setSession(encdata.getEncData());
dbsession.setIv(encdata.getIv());
}
@@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage {
private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException {
EncryptedData encdata = new EncryptedData(dbsession.getSession(),
dbsession.getIv());
- byte[] decrypted = SessionEncrytionUtil.decrypt(encdata);
+ byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata);
return (AuthenticationSession) SerializationUtils.deserialize(decrypted);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
new file mode 100644
index 000000000..f246c55e1
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java
@@ -0,0 +1,157 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import iaik.security.cipher.PBEKey;
+import iaik.security.spec.PBEKeyAndParameterSpec;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.data.EncryptedData;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public abstract class AbstractEncrytionUtil {
+ protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
+ protected static final String KEYNAME = "AES";
+
+ private SecretKey secret = null;
+
+ public AbstractEncrytionUtil() throws DatabaseEncryptionException {
+ initialize(getKey(), getSalt());
+ }
+
+ protected abstract String getSalt();
+ protected abstract String getKey();
+
+ protected void initialize(String key, String salt) throws DatabaseEncryptionException {
+ try {
+ if (MiscUtil.isNotEmpty(key)) {
+ if (MiscUtil.isEmpty(salt))
+ salt = "TestSalt";
+
+ PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
+ SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
+ PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
+
+ SecureRandom random = new SecureRandom();
+ KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
+
+ PBEKeyAndParameterSpec parameterSpec =
+ new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
+ salt.getBytes(),
+ 2000,
+ 16);
+
+ pbkdf2.init(parameterSpec, random);
+ SecretKey derivedKey = pbkdf2.generateKey();
+
+ SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
+ SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
+ secret = kf.generateSecret(spec);
+
+ } else {
+ Logger.error("Database encryption can not initialized. No key found!");
+
+ }
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (NoSuchProviderException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (InvalidKeySpecException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ } catch (InvalidAlgorithmParameterException e) {
+ Logger.error("Database encryption can not initialized", e);
+ throw new DatabaseEncryptionException("Database encryption can not initialized", null, e);
+
+ }
+ }
+
+ public EncryptedData encrypt(byte[] data) throws BuildException {
+ Cipher cipher;
+
+ if (secret != null) {
+ try {
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.ENCRYPT_MODE, secret);
+
+ Logger.debug("Encrypt MOASession");
+
+ byte[] encdata = cipher.doFinal(data);
+ byte[] iv = cipher.getIV();
+
+ return new EncryptedData(encdata, iv);
+
+ } catch (Exception e) {
+ Logger.warn("MOASession is not encrypted",e);
+ throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
+ }
+ } else
+ return new EncryptedData(data, null);
+ }
+
+ public byte[] decrypt(EncryptedData data) throws BuildException {
+ Cipher cipher;
+
+ if (secret != null) {
+ try {
+ IvParameterSpec iv = new IvParameterSpec(data.getIv());
+
+ cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
+ cipher.init(Cipher.DECRYPT_MODE, secret, iv);
+
+ Logger.debug("Decrypt MOASession");
+ return cipher.doFinal(data.getEncData());
+
+ } catch (Exception e) {
+ Logger.warn("MOASession is not decrypted",e);
+ throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
+ }
+ } else
+ return data.getEncData();
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
new file mode 100644
index 000000000..10221604c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.util;
+
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil {
+
+ private static ConfigurationEncrytionUtil instance = null;
+ private static String key = null;
+
+ public static ConfigurationEncrytionUtil getInstance() {
+ if (instance == null) {
+ try {
+ key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey();
+ instance = new ConfigurationEncrytionUtil();
+
+ } catch (Exception e) {
+ Logger.warn("MOAConfiguration encryption initialization FAILED.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ private ConfigurationEncrytionUtil() throws DatabaseEncryptionException {
+ super();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Configuration-Salt";
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
index acc2a7273..8660f7c09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java
@@ -22,110 +22,50 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.util;
-import iaik.security.cipher.PBEKey;
-import iaik.security.spec.PBEKeyAndParameterSpec;
-
-import java.security.SecureRandom;
-import java.security.spec.KeySpec;
-
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.logging.Logger;
-public class SessionEncrytionUtil {
-
- private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";
- private static final String KEYNAME = "AES";
-
- static private SecretKey secret = null;
+public class SessionEncrytionUtil extends AbstractEncrytionUtil {
- static {
- try {
- String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
-
- if (key != null) {
-
- PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray());
- SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK");
- PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec);
-
-
- SecureRandom random = new SecureRandom();
- KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK");
-
- PBEKeyAndParameterSpec parameterSpec =
- new PBEKeyAndParameterSpec(pbeKey.getEncoded(),
- "TestSALT".getBytes(),
- 2000,
- 16);
-
- pbkdf2.init(parameterSpec, random);
- SecretKey derivedKey = pbkdf2.generateKey();
-
- SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME);
- SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK");
- secret = kf.generateSecret(spec);
-
- } else {
- Logger.warn("MOASession encryption is deaktivated.");
- }
-
- } catch (Exception e) {
- Logger.warn("MOASession encryption can not be inizialized.", e);
- }
-
- }
+ private static SessionEncrytionUtil instance = null;
+ private static String key = null;
- public static EncryptedData encrypt(byte[] data) throws BuildException {
- Cipher cipher;
-
- if (secret != null) {
+ public static SessionEncrytionUtil getInstance() {
+ if (instance == null) {
try {
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.ENCRYPT_MODE, secret);
-
- Logger.debug("Encrypt MOASession");
-
- byte[] encdata = cipher.doFinal(data);
- byte[] iv = cipher.getIV();
-
- return new EncryptedData(encdata, iv);
-
+ key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey();
+ instance = new SessionEncrytionUtil();
+
} catch (Exception e) {
- Logger.warn("MOASession is not encrypted",e);
- throw new BuildException("MOASession is not encrypted", new Object[]{}, e);
- }
- } else
- return new EncryptedData(data, null);
+ Logger.warn("MOASession encryption can not be inizialized.", e);
+
+ }
+ }
+ return instance;
+ }
+
+ /**
+ * @throws DatabaseEncryptionException
+ */
+ private SessionEncrytionUtil() throws DatabaseEncryptionException {
+ super();
}
- public static byte[] decrypt(EncryptedData data) throws BuildException {
- Cipher cipher;
-
- if (secret != null) {
- try {
- IvParameterSpec iv = new IvParameterSpec(data.getIv());
-
- cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");
- cipher.init(Cipher.DECRYPT_MODE, secret, iv);
-
- Logger.debug("Decrypt MOASession");
- return cipher.doFinal(data.getEncData());
-
- } catch (Exception e) {
- Logger.warn("MOASession is not decrypted",e);
- throw new BuildException("MOASession is not decrypted", new Object[]{}, e);
- }
- } else
- return data.getEncData();
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt()
+ */
+ @Override
+ protected String getSalt() {
+ return "Session-Salt";
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey()
+ */
+ @Override
+ protected String getKey() {
+ return key;
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
index f7785d2c2..20cabaf4d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -70,6 +70,7 @@ public class MISMandate implements Serializable{
private String oid = null;
private byte[] mandate = null;
private String owBPK = null;
+ private boolean isFullMandateIncluded = false;
public String getProfRep() {
return oid;
@@ -109,5 +110,18 @@ public class MISMandate implements Serializable{
}
}
+ /**
+ * @return the isFullMandateIncluded
+ */
+ public boolean isFullMandateIncluded() {
+ return isFullMandateIncluded;
+ }
+ /**
+ * @param isFullMandateIncluded the isFullMandateIncluded to set
+ */
+ public void setFullMandateIncluded(boolean isFullMandateIncluded) {
+ this.isFullMandateIncluded = isFullMandateIncluded;
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index aaf793987..15b2a89b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -145,6 +145,8 @@ public class MISSimpleClient {
//misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate)));
misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes()));
+ misMandate.setFullMandateIncluded(true);
+
foundMandates.add(misMandate);
}
return foundMandates;
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java
index e890e2145..848f4ee07 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java
@@ -65,7 +65,7 @@ public class ConfigurationDBRead {
List result;
EntityManager session = ConfigurationDBUtils.getCurrentSession();
-
+
javax.persistence.Query query = session.createQuery(QUERIES.get("getActiveOnlineApplicationWithID"));
//query.setParameter("id", id+"%");
query.setParameter("id", StringEscapeUtils.escapeHtml(id));
diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
index 066967b44..f2f1949cc 100644
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
+++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
@@ -551,6 +551,7 @@
<xsd:element ref="OA_SAML1" minOccurs="0"/>
<xsd:element ref="OA_PVP2" minOccurs="0"/>
<xsd:element ref="OA_OAUTH20" minOccurs="0"/>
+ <xsd:element ref="EncBPKInformation" minOccurs="0" maxOccurs="1"/>
</xsd:sequence>
<!--xsd:element ref="pr:AbstractSimpleIdentification" minOccurs="0"
maxOccurs="1"/ -->
@@ -558,6 +559,31 @@
</xsd:element>
</xsd:sequence>
</xsd:complexType>
+ <xsd:element name="EncBPKInformation">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="bPKDecryption" minOccurs="0" maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="keyInformation" type="xsd:base64Binary" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="iv" type="xsd:base64Binary" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="keyStoreFileName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+ <xsd:element name="keyAlias" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="bPKEncryption" minOccurs="0" maxOccurs="unbounded">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="publicKey" type="xsd:base64Binary" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="target" type="xsd:string" minOccurs="1" maxOccurs="1"/>
+ <xsd:element name="vkz" type="xsd:string" minOccurs="1" maxOccurs="1"/>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
<xsd:complexType name="ConnectionParameterServerAuthType">
<xsd:sequence>
<xsd:element name="AcceptedServerCertificates" type="xsd:anyURI" minOccurs="0">
@@ -827,7 +853,7 @@
</xsd:sequence>
<xsd:attribute name="countryCode" type="CountryCodeType" use="required"/>
<xsd:attribute name="URL" type="xsd:anyURI" use="required"/>
- <xsd:attribute name="supportsXMLSignature" type="xsd:boolean" default="true"></xsd:attribute>
+ <xsd:attribute name="supportsXMLSignature" type="xsd:boolean" default="true"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="STORK">
diff --git a/pom.xml b/pom.xml
index 52e2c8570..3457751f7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,7 +14,7 @@
<moa-commons-version>2.0.0</moa-commons-version>
<moa-id-version>2.1.1-Snapshot</moa-id-version>
<moa-id-proxy-version>2.0.0</moa-id-proxy-version>
- <moa-spss-version>2.0.1</moa-spss-version>
+ <moa-spss-version>2.0.2</moa-spss-version>
<configtool-version>1.1.1-Snapshot</configtool-version>
<demo-oa-version>2.0.2</demo-oa-version>
</properties>
@@ -403,14 +403,27 @@
<type>dll</type>
<scope>runtime</scope>
</dependency>
+
+ <dependency>
+ <groupId>javax.xml.bind</groupId>
+ <artifactId>jaxb-api</artifactId>
+ <version>2.2.11</version>
+ </dependency>
<!-- TSL -->
<dependency>
<groupId>iaik</groupId>
<artifactId>iaik_tsl</artifactId>
- <version>1.0</version>
+ <version>1.1</version>
</dependency>
- <dependency>
+
+ <dependency>
+ <groupId>iaik</groupId>
+ <artifactId>iaik_xsect_eval</artifactId>
+ <version>1.1709142</version>
+ </dependency>
+
+<!-- <dependency>
<groupId>iaik</groupId>
<artifactId>iaik_util</artifactId>
<version>0.23</version>
@@ -421,11 +434,6 @@
<version>1.1709142</version>
</dependency>
<dependency>
- <groupId>javax.xml.bind</groupId>
- <artifactId>jaxb-api</artifactId>
- <version>2.2.11</version>
- </dependency>
- <dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<version>2.2.7</version>
@@ -439,7 +447,7 @@
<groupId>iaik</groupId>
<artifactId>iaik_jsse</artifactId>
<version>4.4</version>
- </dependency>
+ </dependency> -->
<dependency>
<groupId>xerces</groupId>
diff --git a/repository/iaik/iaik_tsl/1.1/iaik_tsl-1.1.jar b/repository/iaik/iaik_tsl/1.1/iaik_tsl-1.1.jar
new file mode 100644
index 000000000..6fa0fef7c
--- /dev/null
+++ b/repository/iaik/iaik_tsl/1.1/iaik_tsl-1.1.jar
Binary files differ
diff --git a/spss/server/history.txt b/spss/server/history.txt
index 2e549f37a..5be2029b4 100644
--- a/spss/server/history.txt
+++ b/spss/server/history.txt
@@ -1,4 +1,10 @@
##############
+2.0.2
+##############
+- Libraries aktuallisert
+ - iaik-tsl Version 1.1 (Implementiert ETSI TS119612 V1.2.1)
+
+##############
2.0.1
##############
diff --git a/spss/server/readme.update.txt b/spss/server/readme.update.txt
index c7e6cd9d1..299cbb7b9 100644
--- a/spss/server/readme.update.txt
+++ b/spss/server/readme.update.txt
@@ -1,8 +1,38 @@
+-------------------------------------------------------------------------------
+ Update einer bestehenden MOA-SPSS-Installation auf Version 2.0.2
+-------------------------------------------------------------------------------
+Der Updateprozess auf die MOA-SPSS Version 2.0.2 unterscheidet sich,
+je nach dem welche welche MOA-SPSS Version aktuell verwendet wird.
-======================================================================
- Update einer bestehenden MOA-SPSS-Installation auf Version 2.0.1
-======================================================================
+--------------------------
+Update von Version 2.0.1
+--------------------------
+1.) Erstellen Sie eine Sicherungskopie des kompletten Tomcat-Verzeichnisses
+ Ihrer MOA-SPSS-Installation.
+
+2.) Entpacken Sie die Datei "moa-spss-2.0.2.zip" in das Verzeichnis MOA_SPSS_INST.
+3.) Loeschen Sie das Verzeichnis CATALINA_HOME\webapps\moa-spss.
+
+4.) Ersetzen Sie die Datei CATALINA_HOME\webapps\moa-spss.war durch die Datei
+ MOA_SPSS_INST\moa-spss.war.
+
+5.) Loeschen Sie das Verzeichnis CATALINA_HOME\work.
+
+--------------------------
+Update von einer Version < 2.0.1
+--------------------------
+1.) Führen Sie ein Update laut der Beschreibung
+ "Update einer bestehenden MOA-SPSS-Installation auf Version 2.0.1" durch.
+
+2.) Führen Sie das Update auf die Version 2.0.2 laut
+ "Update von Version 2.0.1" durch.
+
+
+
+-------------------------------------------------------------------------------
+ Update einer bestehenden MOA-SPSS-Installation auf Version 2.0.1
+-------------------------------------------------------------------------------
Es gibt zwei Moeglichkeiten (im Folgenden als "Update Variante A" und
"Update Variante B" bezeichnet), das Update von MOA-SPSS auf Version
2.0.1 durchzufuehren. Update Variante A geht dabei den Weg ueber eine
@@ -18,9 +48,9 @@ CATALINA_HOME bezeichnet das Wurzelverzeichnis der Tomcat-Installation
MOA_SPSS_INST bezeichnet das Verzeichnis, in das Sie die Datei
moa-spss-2.0.1.zip entpackt haben.
-=================
+--------------------------
Update Variante A
-=================
+--------------------------
1.) Erstellen Sie eine Sicherungskopie des kompletten Tomcat-Verzeichnisses
Ihrer MOA-SPSS-Installation.
@@ -46,9 +76,9 @@ Update Variante A
Details dazufinden Sie im MOA-SPSS-Installationshandbuch.
-=================
+--------------------------
Update Variante B
-=================
+--------------------------
1.) Erstellen Sie eine Sicherungskopie des kompletten Tomcat-Verzeichnisses
Ihrer MOA-SPSS-Installation.
diff --git a/spss/server/serverlib/pom.xml b/spss/server/serverlib/pom.xml
index f762ecdf6..cd9518d53 100644
--- a/spss/server/serverlib/pom.xml
+++ b/spss/server/serverlib/pom.xml
@@ -144,9 +144,33 @@
<dependency>
<groupId>iaik</groupId>
- <artifactId>iaik_tsl</artifactId>
+ <artifactId>iaik_tsl</artifactId>
+ <exclusions>
+ <exclusion>
+ <artifactId>iaik_pki_module</artifactId>
+ <groupId>iaik</groupId>
+ </exclusion>
+ <exclusion>
+ <artifactId>iaik_ecc_signed</artifactId>
+ <groupId>iaik</groupId>
+ </exclusion>
+ <exclusion>
+ <artifactId>iaik_jce_eval_signed</artifactId>
+ <groupId>iaik</groupId>
+ </exclusion>
+ </exclusions>
</dependency>
- <dependency>
+ <dependency>
+ <groupId>iaik</groupId>
+ <artifactId>iaik_xsect_eval</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.xerial</groupId>
+ <artifactId>sqlite-jdbc</artifactId>
+ <version>3.7.8-SNAPSHOT</version>
+ </dependency>
+
+<!-- <dependency>
<groupId>iaik</groupId>
<artifactId>iaik_util</artifactId>
</dependency>
@@ -169,7 +193,7 @@
<dependency>
<groupId>iaik</groupId>
<artifactId>iaik_jsse</artifactId>
- </dependency>
+ </dependency> -->
diff --git a/spss/server/serverws/pom.xml b/spss/server/serverws/pom.xml
index 9159242ef..79a16cbb5 100644
--- a/spss/server/serverws/pom.xml
+++ b/spss/server/serverws/pom.xml
@@ -115,7 +115,7 @@
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
- <dependency>
+<!-- <dependency>
<groupId>iaik</groupId>
<artifactId>iaik_util</artifactId>
</dependency>
@@ -138,7 +138,7 @@
<dependency>
<groupId>iaik</groupId>
<artifactId>iaik_jsse</artifactId>
- </dependency>
+ </dependency> -->
<!-- transitive dependencies we don't want to include into the war -->
<dependency>