19 files changed, 225 insertions, 113 deletions
| diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index df1786402..bf75a3068 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -39,7 +39,6 @@ import org.apache.log4j.Logger;  import org.joda.time.DateTime;  import org.opensaml.common.SAMLObject;  import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;  import org.opensaml.saml2.core.Attribute;  import org.opensaml.saml2.core.AttributeStatement; 
@@ -51,34 +50,18 @@ import org.opensaml.saml2.core.StatusCode;  import org.opensaml.saml2.core.Subject;  import org.opensaml.saml2.encryption.Decrypter;  import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.security.MetadataCredentialResolverFactory; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.SAMLSignatureProfileValidator;  import org.opensaml.ws.transport.http.HttpServletRequestAdapter;  import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;  import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;  import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;  import org.opensaml.xml.parse.BasicParserPool; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoProvider;  import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; -import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; -import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;  import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;  import org.opensaml.xml.security.x509.X509Credential;  import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; -import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication;  import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import 
at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;  import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; @@ -86,7 +69,6 @@ import at.gv.egovernment.moa.id.configuration.Constants;  import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;  import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager;  import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils; -import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;  import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;  import at.gv.egovernment.moa.id.configuration.exception.BasicActionException;  import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; @@ -160,7 +142,7 @@ public class IndexAction extends BasicAction {  		if (MiscUtil.isNotEmpty(username)) {  			if (ValidationHelper.containsNotValidCharacter(username, false)) { -				log.warn("Username contains potentail XSS characters: " + username); +				log.warn("Username contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(username));  				addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid",   						new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));  				return Constants.STRUTS_ERROR; 
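Review bot: `StringEscapeUtils.escapeHtml(username)` in the `log.warn` of the `containsNotValidCharacter` branch applies HTML entity encoding to a log4j message, which only helps a log viewer that renders HTML and leaves CR/LF and other control characters untouched, so a plain log file is no better protected against forged lines than before. The same replacement is made in the four following IndexAction hunks (`@@ -197,13 +179,13`, `@@ -615,7 +597,7`, `@@ -628,7 +610,7`, `@@ -640,7 +622,7`). If the goal is safe log output, neutralise control characters at the call site instead, e.g. `username.replaceAll("[\\r\\n\\t]", "_")`, and keep HTML escaping where the logs are rendered. Note that this file uses the commons-lang `escapeHtml` while `Logger.prepareMessage` in moa-id-commons (same commit) uses `escapeHtml4` from commons-lang3, so messages that pass through both paths are encoded twice and differently. The `StringEscapeUtils` import is not in the visible import hunks and is presumably already present; each enclosing method continues outside its hunk.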
@@ -197,13 +179,13 @@ public class IndexAction extends BasicAction {  				dbuser.setIsUsernamePasswordAllowed(true);  			if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) { -				log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed"); +				log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " is not active or Username/Password login is not allowed");  				addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request));  				return Constants.STRUTS_ERROR;  			}  			if (!dbuser.getPassword().equals(key)) { -				log.warn("Username " + dbuser.getUsername() + " use a false password"); +				log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " use a false password");  				addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request));  				return Constants.STRUTS_ERROR;  			} @@ -615,7 +597,7 @@ public class IndexAction extends BasicAction {  				check = user.getInstitut();  				if (MiscUtil.isNotEmpty(check)) {  					if (ValidationHelper.containsNotValidCharacter(check, false)) { -						log.warn("Organisation contains potentail XSS characters: " + check); +						log.warn("Organisation contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(check));  						addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid",   								new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));  					} 
@@ -628,7 +610,7 @@ public class IndexAction extends BasicAction {  			check = user.getMail();  			if (MiscUtil.isNotEmpty(check)) {  				if (!ValidationHelper.isEmailAddressFormat(check)) { -					log.warn("Mailaddress is not valid: " + check); +					log.warn("Mailaddress is not valid: " + StringEscapeUtils.escapeHtml(check));  					addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid",   							new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));  				} @@ -640,7 +622,7 @@ public class IndexAction extends BasicAction {  			check = user.getPhone();  			if (MiscUtil.isNotEmpty(check)) {  				if (!ValidationHelper.validatePhoneNumber(check)) { -					log.warn("No valid Phone Number: " + check); +					log.warn("No valid Phone Number: " + StringEscapeUtils.escapeHtml(check));  					addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid",   							new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));  				} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 5a5d0bcf6..cc716f9f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -352,6 +352,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  				authData.setBkuURL(session.getGenericDataFromSession(PVPConstants.EID_CCS_URL_NAME, String.class)); +			//TODO: fully switch from STORK QAA to eIDAS LoA  			//####################################################  			//set QAA level  			includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index 19f3fdc54..0397bd501 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -117,7 +117,7 @@ public class IDPSingleLogOutServlet extends AbstractController {  					config.putCustomParameter("successMsg",  							MOAIDMessageProvider.getInstance().getMessage("slo.00", null));  				else -					config.putCustomParameter("errorMsg",  +					config.putCustomParameterWithOutEscaption("errorMsg",   							MOAIDMessageProvider.getInstance().getMessage("slo.01", null));			  				guiBuilder.build(resp, config, "Single-LogOut GUI"); @@ -213,7 +213,7 @@ public class IDPSingleLogOutServlet extends AbstractController {  								DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT,   								null);					 -						config.putCustomParameter("errorMsg",  +						config.putCustomParameterWithOutEscaption("errorMsg",   								MOAIDMessageProvider.getInstance().getMessage("slo.01", null));		                	  						guiBuilder.build(resp, config, "Single-LogOut GUI"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java index e0484eb1b..4e7a72da6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java 
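Review bot: Switching `errorMsg` to `putCustomParameterWithOutEscaption` in the else-branch of the first hunk routes the `slo.01` bundle text into the Single-LogOut page unescaped, so any markup that ends up in that message property is rendered as HTML rather than shown as text; the same switch appears in the second hunk (`@@ -213,7 +213,7`), in both AuthenticationManager hunks, and for the literal `successMsg` strings in SSOTransferServlet and GUIUtils. Since `getMessage("slo.01", null)` is called without arguments the content is presumably static resource-bundle text, which makes this acceptable, but nothing at the call site records that assumption. Add a comment at each call, e.g. `// static bundle text without arguments, may contain markup; never pass request-derived values unescaped here`, so a later change that interpolates user data into the message does not silently become an injection path. The enclosing methods continue outside the hunks.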
@@ -22,12 +22,19 @@   */  package at.gv.egovernment.moa.id.data; +import java.io.Serializable; +  /**   * @author tlenz   *   */ -public class EncryptedData { +public class EncryptedData implements Serializable{ +	/** +	 *  +	 */ +	private static final long serialVersionUID = 1L; +	  	private byte[] encData = null;  	private byte[] iv = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 3770dad2f..bb849a8d0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -659,7 +659,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  			        } else {  			        	revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); -			        	config.putCustomParameter("errorMsg",  +			        	config.putCustomParameterWithOutEscaption("errorMsg",   			        			MOAIDMessageProvider.getInstance().getMessage("slo.01", null));  			        } @@ -690,7 +690,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  						null);  				revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); -				config.putCustomParameter("errorMsg",  +				config.putCustomParameterWithOutEscaption("errorMsg",   	        			MOAIDMessageProvider.getInstance().getMessage("slo.01", null));  	        	try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java index f17e4a99a..2395b913d 100644 
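Review bot: The `serialVersionUID` added to `EncryptedData` carries an empty Javadoc block, which documents nothing and is flagged by Javadoc linting; replace it with a why-comment such as `// serialized form is what DBTransactionStorage persists; bump when the field layout changes`. Making the class `Serializable` turns its fields (`encData`, `iv`) into the on-disk format of the transaction store, so the `1L` UID now has to be bumped deliberately whenever a field is added or renamed, otherwise previously stored rows fail to deserialize. `implements Serializable{` is also missing the space before the brace. The class body continues outside the hunk.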
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java @@ -38,8 +38,11 @@ import org.springframework.stereotype.Repository;  import org.springframework.transaction.annotation.Transactional;  import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; 
@@ -106,18 +109,36 @@ public class DBTransactionStorage implements ITransactionStorage {  		}	  	} -	 -	public Object getAssertionStore(String key) throws MOADatabaseException{ -		return searchInDatabase(key); -	} -	 +		  	public Object get(String key) throws MOADatabaseException {  		  AssertionStore element = searchInDatabase(key);  		  if (element == null)  			  return null; +		  		   +		  Object data = SerializationUtils.deserialize(element.getAssertion()); -		  return SerializationUtils.deserialize(element.getAssertion()); +		//decrypt data if required +		  Object resultData = null; +		  if (data instanceof EncryptedData) { +			  Logger.trace("Find encrypted data. --> Starting decryption process ..."); +			  try { +				byte[] decData = decryptData((EncryptedData)data); +				resultData = SerializationUtils.deserialize(decData); +				 +			  } catch (BuildException e) { +				  Logger.warn("Transaction information decryption FAILED.", e); +				  throw new MOADatabaseException("Transaction information decryption FAILED.", e); +				   +			  } +			  		   +		  } else { +			  Logger.trace("Find unencrypted data. --> Use it as is"); +			  resultData = data; +			   +		  } +		   +		  return resultData;  	} 
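Review bot: The decrypt-or-passthrough block added to `get(String key)` (`instanceof EncryptedData`, `decryptData`, second `SerializationUtils.deserialize`, `BuildException` wrapped into `MOADatabaseException`) is duplicated verbatim in the typed getter of the next hunk (`@@ -141,13 +162,34`); factor it into one private helper so the two paths cannot drift. Note also that `SerializationUtils.deserialize(element.getAssertion())` still runs Java native deserialization on the raw column bytes before the GCM tag is checked, so the encryption protects the inner payload but not the outer envelope; if the database is not fully trusted, deserialize the envelope with a restricted `ObjectInputFilter` or an explicit allow-list of classes. The helper below replaces the body of `get` after the null check and is meant to be called from both getters.

```java
public Object get(String key) throws MOADatabaseException {
    AssertionStore element = searchInDatabase(key);
    if (element == null)
        return null;
    return deserializeAndDecrypt(element);
}

// Shared by get(String) and the typed getter: unwraps an EncryptedData
// envelope when present, otherwise returns the stored object as is.
private Object deserializeAndDecrypt(AssertionStore element) throws MOADatabaseException {
    Object data = SerializationUtils.deserialize(element.getAssertion());
    if (!(data instanceof EncryptedData)) {
        Logger.trace("Find unencrypted data. --> Use it as is");
        return data;
    }
    Logger.trace("Find encrypted data. --> Starting decryption process ...");
    try {
        return SerializationUtils.deserialize(decryptData((EncryptedData) data));
    } catch (BuildException e) {
        Logger.warn("Transaction information decryption FAILED.", e);
        throw new MOADatabaseException("Transaction information decryption FAILED.", e);
    }
}
```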
@@ -141,13 +162,34 @@ public class DBTransactionStorage implements ITransactionStorage {  	  } -	  //Deserialize Assertion +	  //Deserialize Assertion	    	  Object data = SerializationUtils.deserialize(element.getAssertion()); +	  //decrypt data if required +	  Object resultData = null; +	  if (data instanceof EncryptedData) { +		  Logger.trace("Find encrypted data. --> Starting decryption process ..."); +		  try { +			byte[] decData = decryptData((EncryptedData)data); +			resultData = SerializationUtils.deserialize(decData); +			 +		  } catch (BuildException e) { +			  Logger.warn("Transaction information decryption FAILED.", e); +			  throw new MOADatabaseException("Transaction information decryption FAILED.", e); +			   +		  } +		  		   +	  } else { +		  Logger.trace("Find unencrypted data. --> Use it as is"); +		  resultData = data; +		   +	  } +		   +	    	  //check if assertion has the correct class type   	  try {  		  @SuppressWarnings("unchecked") -		T test = (T) Class.forName(element.getType()).cast(data); +		T test = (T) Class.forName(element.getType()).cast(resultData);  		return test;  	  } catch (Exception e) { @@ -198,6 +240,17 @@ public class DBTransactionStorage implements ITransactionStorage {  		}  	} +	public Object getAssertionStore(String key) throws MOADatabaseException{ +		return searchInDatabase(key); +		 +	} +	 +	@Override +	public void putAssertionStore(Object element) throws MOADatabaseException{ +		entityManager.merge(element); +		 +	} +	  	private void cleanDelete(AssertionStore element) { 
@@ -245,30 +298,33 @@ public class DBTransactionStorage implements ITransactionStorage {  			throw new MOADatabaseException("Transaction-Storage can only store objects which implements the 'Seralizable' interface", null);  		}	 -		 -		//serialize the Assertion for Database storage -		byte[] data = SerializationUtils.serialize((Serializable) value); -		element.setAssertion(data); -		 -		//store AssertionStore element to Database -		//try { +	 +		try { +			//serialize the Assertion for Database storage +			byte[] data = SerializationUtils.serialize((Serializable) value); +			element.setAssertion(encryptData(data)); + +			//store AssertionStore element to Database  			entityManager.persist(element); -			//MOASessionDBUtils.saveOrUpdate(element); -			Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database"); -//			 -//		} catch (MOADatabaseException e) { -//			Logger.warn("Sessioninformation could not be stored."); -//			throw new MOADatabaseException(e); -//			 -//		} +			Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database");			 +			 +		} catch (BuildException e) { +			Logger.warn("Sessioninformation could not be stored."); +			throw new MOADatabaseException(e); +			 +		}  	} +	 +	private static byte[] encryptData(byte[] data) throws BuildException {		 +		EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(data); +		return SerializationUtils.serialize(encdata); -	@Override -	public void putAssertionStore(Object element) throws MOADatabaseException{ -		// TODO Auto-generated method stub -		entityManager.merge(element); -		 +	} +	 +	private static byte[] decryptData(EncryptedData encdata) throws BuildException { +		return SessionEncrytionUtil.getInstance().decrypt(encdata); +						  	}  } 
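Review bot: In the `catch (BuildException e)` added to `put`, `Logger.warn("Sessioninformation could not be stored.")` drops the cause and the rethrown `MOADatabaseException(e)` carries no message text; change them to `Logger.warn("Sessioninformation could not be stored.", e);` and `throw new MOADatabaseException("Sessioninformation could not be stored.", e);`, matching the decrypt path in this same file. Because every `put` now goes through `encryptData`, the storage layer hard-depends on `SessionEncrytionUtil.getInstance()` being configured; what `encrypt` returns when no key is configured is not visible here, so confirm it raises `BuildException` rather than yielding a null or unencrypted `EncryptedData` that would be persisted as plain data. The `put` signature and the preceding `Serializable` check are outside the hunk.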
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java index 53a7f4f5e..51a36d426 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java @@ -114,6 +114,8 @@ public interface ITransactionStorage {  	/**  	 * Get whole AssertionStoreObject, required for SLO +	 * <br> +	 * <b>IMPORTANT:</b> This method does NOT decrypt information before storage  	 *   	 * @param key key Id which identifiers the data object  	 * @return The transaction-data object, or null @@ -123,6 +125,8 @@ public interface ITransactionStorage {  	/**  	 * Put whole AssertionStoreObject to db, required for SLO + 	 * <br> +	 * <b>IMPORTANT:</b> This method does NOT encrypt information before storage  	 *   	 * @param element assertion store object  	 */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java index b0d166951..84d40f619 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java @@ -22,9 +22,6 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.util; -import iaik.security.cipher.PBEKey; -import iaik.security.spec.PBEKeyAndParameterSpec; -  import java.security.InvalidAlgorithmParameterException;  import java.security.NoSuchAlgorithmException;  import java.security.NoSuchProviderException; 
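Review bot: The new IMPORTANT line on `getAssertionStore` states that the method `does NOT decrypt information before storage`, which is wrong for a getter and reads as a copy of the `putAssertionStore` text; make it `This method does NOT decrypt the stored data; the caller receives the raw AssertionStore element as persisted`. The second hunk's `This method does NOT encrypt information before storage` is correct as written. Both Javadoc blocks continue outside their hunks.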
@@ -35,19 +32,26 @@ import javax.crypto.Cipher;  import javax.crypto.KeyGenerator;  import javax.crypto.SecretKey;  import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.GCMParameterSpec;  import javax.crypto.spec.IvParameterSpec;  import javax.crypto.spec.PBEKeySpec;  import javax.crypto.spec.SecretKeySpec; -  import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException;  import at.gv.egovernment.moa.id.data.EncryptedData;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec;  public abstract class AbstractEncrytionUtil { -	protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; +	//protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; +	 +	protected static final String CIPHER_MODE = "AES/GCM/NoPadding"; +	public static final int GCM_NONCE_LENGTH = 12; // in bytes +	public static final int GCM_TAG_LENGTH = 16; // in bytes +	  	protected static final String KEYNAME = "AES";  	private SecretKey secret = null; @@ -114,8 +118,15 @@ public abstract class AbstractEncrytionUtil {  		if (secret != null) {  			try { -				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); -			    cipher.init(Cipher.ENCRYPT_MODE, secret); +				final byte[] nonce = Random.nextBytes(GCM_NONCE_LENGTH); +				 +//				final byte[] nonce = new byte[GCM_NONCE_LENGTH];				 +//				SecureRandom.getInstanceStrong().nextBytes(nonce); +		         +				GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce); +		         +				cipher = Cipher.getInstance(CIPHER_MODE, "IAIK");				 +			    cipher.init(Cipher.ENCRYPT_MODE, secret, spec);  			    Logger.debug("Encrypt MOASession"); 
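Review bot: The constants hunk keeps the old `//protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding";` as a commented-out line beside the new `AES/GCM/NoPadding`; delete it and document the switch instead, e.g. `// AES-GCM authenticated encryption: 12-byte nonce, 16-byte (128-bit) tag`. Changing `CIPHER_MODE` also changes the format of every record this class writes, so data persisted under the CBC mode can no longer be decrypted by the same code path unless a fallback exists outside this hunk; confirm how already stored rows are handled on upgrade. The `iaik.security.cipher.PBEKey` and `PBEKeyAndParameterSpec` imports are only moved, which is fine.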
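Review bot: In the `encrypt` hunk the GCM nonce now comes from `Random.nextBytes(GCM_NONCE_LENGTH)`, whose backing generator (`nextByteRandom`) is not visible in this diff; GCM is only secure if a nonce is never reused under the same key, so that generator must be cryptographically strong, and the commented-out `SecureRandom.getInstanceStrong()` alternative should be removed rather than left beside the live code. Nothing in the hunk stores `nonce` (or `cipher.getIV()`) into the resulting `EncryptedData.iv`, and the hunk ends before the ciphertext is assembled, so confirm that the rest of the method persists the nonce, since decryption cannot succeed without it. A comment at the `GCMParameterSpec` line, `// fresh random nonce per encryption; the nonce must be stored with the ciphertext and never reused under the same key`, would record the invariant. The enclosing method starts and ends outside the hunk.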
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index ac2b3c415..38c384c3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -151,6 +151,16 @@ public class Random {    } +/** + * Creates a new random byte[] + * 	 + * @param size Size of random number in byte + * @return + */ +public static byte[] nextBytes(int size) { +	return  nextByteRandom(size); +	 +}    public static void seedRandom() { @@ -165,7 +175,7 @@ public class Random {    /**     * Generate a new random number     *  -   * @param size Size of random number in bits +   * @param size Size of random number in byte     * @return     */    private static synchronized byte[] nextByteRandom(int size) { diff --git a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java index e28b154f4..b3a9d367f 100644 --- a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java +++ b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java @@ -56,10 +56,8 @@ import org.w3c.dom.Element;  import at.gv.egovernment.moa.util.Constants;  import at.gv.egovernment.moa.util.DOMUtils; -import at.gv.egovernment.moa.util.FileUtils;  import at.gv.egovernment.moa.util.StreamUtils;  import at.gv.egovernment.moa.util.XPathUtils; -  import iaik.ixsil.algorithms.Transform;  import iaik.ixsil.algorithms.TransformImplExclusiveCanonicalXML;  import iaik.ixsil.exceptions.AlgorithmException; @@ -68,6 +66,7 @@ import iaik.ixsil.exceptions.URIException;  import iaik.ixsil.init.IXSILInit;  import iaik.ixsil.util.URI;  import test.at.gv.egovernment.moa.MOATestCase; +import test.at.gv.egovernment.moa.util.FileUtils;  /*   * @author Paul Ivancsics 
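Review bot: The new `nextBytes(int size)` Javadoc has an empty `@return` tag and a stray tab on its second line; fill it in, e.g. `@return {@code size} random bytes`. Because `AbstractEncrytionUtil` in this same commit uses this method for GCM nonces, the Javadoc should also state whether the bytes come from a cryptographically secure generator; the backing `nextByteRandom` is `synchronized` but its generator is not shown here, so confirm that before writing the sentence. The `bits` to `byte` fix on the `@param` of `nextByteRandom` is correct. The `Random` class continues outside both hunks.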
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java index 3730b36ce..9152f2549 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java @@ -27,6 +27,9 @@ package at.gv.egovernment.moa.logging;  import java.util.HashMap;  import java.util.Map; +import org.apache.commons.lang3.StringEscapeUtils; + +  /**   * A utility class acting as a facade to the logging subsystem.   *  @@ -88,7 +91,7 @@ public class Logger {    private static String prepareMessage(Object message) {        if(null == message)            return "no message given"; -      return message.toString(); +      return StringEscapeUtils.escapeHtml4(message.toString());    }    /** diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java index 3291f8a15..8d6aea164 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/FileUtils.java 
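Review bot: `prepareMessage` now returns `StringEscapeUtils.escapeHtml4(message.toString())` for every log call, so quotes, ampersands and angle brackets in ordinary messages (XML snippets, URLs with `&`, apostrophes in names) are written to the log as entities, which makes log lines harder to read and grep and double-encodes values that callers already escaped. Entity encoding also leaves CR/LF untouched, so if the intent is tamper-resistant log lines it is not achieved; stripping control characters here and leaving HTML escaping to the presentation layer is the usual split. If the behaviour is kept, document it on `prepareMessage`: `// every message is HTML-entity encoded here; callers must not pre-escape`. The rest of the `Logger` class is outside the hunk.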
@@ -53,40 +53,7 @@ public class FileUtils {      in.close();      return content;    } -//  /** -//   * Reads a file, given by URL, into a String. -//   * @param urlString file URL -//   * @param encoding character encoding -//   * @return file content -//   * @throws IOException on any exception thrown -//   */ -//  public static String readURL(String urlString, String encoding) throws IOException { -//    byte[] content = readURL(urlString); -//    return new String(content, encoding); -//  } -//  /** -//   * Reads a file, given by filename, into a byte array. -//   * @param filename filename -//   * @return file content -//   * @throws IOException on any exception thrown -//   */ -//  public static byte[] readFile(String filename) throws IOException { -//    BufferedInputStream in = new BufferedInputStream(new FileInputStream(filename)); -//    byte[] content = StreamUtils.readStream(in); -//    in.close(); -//    return content; -//  } -//  /** -//   * Reads a file, given by filename, into a String. -//   * @param filename filename -//   * @param encoding character encoding -//   * @return file content -//   * @throws IOException on any exception thrown -//   */ -//  public static String readFile(String filename, String encoding) throws IOException { -//    byte[] content = readFile(filename); -//    return new String(content, encoding); -//  } +    /**     * Reads a file from a resource.     * @param name resource name diff --git a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java new file mode 100644 index 000000000..8941ab4cf --- /dev/null +++ b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/FileUtils.java 
@@ -0,0 +1,72 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package test.at.gv.egovernment.moa.util; + +import java.io.BufferedInputStream; +import java.io.FileInputStream; +import java.io.IOException; + +import at.gv.egovernment.moa.util.StreamUtils; + +/** + * @author tlenz + * + */ +public class FileUtils extends at.gv.egovernment.moa.util.FileUtils { + +  /** +  * Reads a file, given by URL, into a String. +  * @param urlString file URL +  * @param encoding character encoding +  * @return file content +  * @throws IOException on any exception thrown +  */ + public static String readURL(String urlString, String encoding) throws IOException { +   byte[] content = readURL(urlString); +   return new String(content, encoding); + } + /** +  * Reads a file, given by filename, into a byte array. 
+  * @param filename filename +  * @return file content +  * @throws IOException on any exception thrown +  */ + public static byte[] readFile(String filename) throws IOException { +   BufferedInputStream in = new BufferedInputStream(new FileInputStream(filename)); +   byte[] content = StreamUtils.readStream(in); +   in.close(); +   return content; + } + /** +  * Reads a file, given by filename, into a String. +  * @param filename filename +  * @param encoding character encoding +  * @return file content +  * @throws IOException on any exception thrown +  */ + public static String readFile(String filename, String encoding) throws IOException { +   byte[] content = readFile(filename); +   return new String(content, encoding); + } +	 +} diff --git a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java index 2ded896d0..9196a8718 100644 --- a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java +++ b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLDecoderTest.java @@ -26,9 +26,7 @@ package test.at.gv.egovernment.moa.util;  import java.net.URLEncoder; -import at.gv.egovernment.moa.util.FileUtils;  import at.gv.egovernment.moa.util.URLDecoder; -  import junit.framework.TestCase;  /* diff --git a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java index 5f72c8aad..d89e9f21f 100644 --- a/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java +++ b/id/server/moa-id-commons/src/test/java/test/at/gv/egovernment/moa/util/URLEncoderTest.java 
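Review bot: `readFile(String filename)` in the new test helper only calls `in.close()` after `StreamUtils.readStream(in)` returns, so the `FileInputStream` handle leaks whenever `readStream` throws; use try-with-resources: `try (BufferedInputStream in = new BufferedInputStream(new FileInputStream(filename))) { return StreamUtils.readStream(in); }`. The `@throws IOException on any exception thrown` text on the two `String` overloads is imprecise, since `new String(content, encoding)` fails with `UnsupportedEncodingException` for a bad charset name; say `if the file cannot be read or the encoding is unsupported`. Extending the production `FileUtils` only to reach its static `readURL(String)` is unusual for static methods; a direct qualified call would make the dependency explicit.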
@@ -24,7 +24,6 @@  package test.at.gv.egovernment.moa.util; -import at.gv.egovernment.moa.util.FileUtils;  import at.gv.egovernment.moa.util.URLDecoder;  import at.gv.egovernment.moa.util.URLEncoder;  import junit.framework.TestCase; diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html index f54484307..cbc16cb38 100644 --- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html +++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html @@ -19,7 +19,7 @@  		parent.setBKUAvailable(false);  		document.write('<form name="bkudetectform" method="POST" target="bkudetect" action="' + bkuurl + '" enctype="application/x-www-form-urlencoded">');  		document.write('<input type="hidden" name="XMLRequest" value="<?xml version="1.0" encoding="UTF-8"?><NullOperationRequest xmlns="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>" />'); -		document.write('<input type="hidden" name="RedirectURL" value="' + $contextPath + '/iframeLBKUdetected.html"/>'); +		document.write('<input type="hidden" name="RedirectURL" value="$contextPath/iframeLBKUdetected.html"/>');  		document.write('</form>');  		try {  			document.bkudetectform.submit(); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index c9bc31f6c..faeb0158b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java 
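Review bot: The new `value="$contextPath/iframeLBKUdetected.html"` places the template variable `$contextPath` inside a JavaScript single-quoted string that is itself written out as an HTML attribute, so it is correct only as long as the substituted value never contains a quote, angle bracket or backslash; `$contextPath` is presumably filled from server configuration rather than from the request, in which case this is fine but deserves a comment in the script block, e.g. `// $contextPath is substituted server-side from configuration, never from request data`. The old form concatenated the substituted value as bare JavaScript, so the change does fix a syntax error. The surrounding script block is outside the hunk.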
@@ -67,7 +67,6 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.id.data.Pair;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.util.XMLUtil;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants;  import at.gv.egovernment.moa.util.DOMUtils; @@ -1203,9 +1202,13 @@ public class AuthenticationServer extends BaseAuthenticationServer {  	public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException {  		NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate"); - -		String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList); - +	 +		String base64CertString = null; +		if (nList != null && nList.getLength() != 0) { +			base64CertString = nList.item(0).getTextContent(); +			 +		} +		  		if (StringUtils.isEmpty(base64CertString)) {  			String msg = "XML does not contain a X509Certificate element.";  			Logger.error(msg); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index dc55df05b..af64e745e 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java 
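Review bot: In `getCertificateFromXML` the replacement `nList.item(0).getTextContent()` selects the first `X509Certificate` element in document order from the whole signed XML, regardless of which Signature or KeyInfo it belongs to, and the `nList != null` check is dead because `getElementsByTagNameNS` returns an empty `NodeList`, never null. This presumably mirrors what the removed `XMLUtil.getFirstTextValueFromNodeList` did, so behaviour is unchanged, but the selection rule should be stated at the new lines: `// first X509Certificate in document order; the signature check must bind this certificate before it is trusted`. `getTextContent()` can also carry surrounding whitespace, so `.trim()` before the base64 decode that follows outside the hunk is advisable. The method continues outside the hunk.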
@@ -558,7 +558,7 @@ public class SSOTransferServlet{  		String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray());							  		config.putCustomParameter("QRImage", base64EncodedImage); -		config.putCustomParameter("successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation."); +		config.putCustomParameterWithOutEscaption("successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation.");  		guiBuilder.build(resp, config, "SSO-Session Transfer-Module"); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java index fe164c514..5c66f257d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -104,7 +104,7 @@ public class GUIUtils {  					null);  			config.putCustomParameter("QRImage", base64EncodedImage);		 -			config.putCustomParameter("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process.");			 +			config.putCustomParameterWithOutEscaption("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process.");			  			config.putCustomParameterWithOutEscaption("timeoutURL", containerURL);  			config.putCustomParameter("timeout", REFESH_TIMEOUT); | 
