diff options
18 files changed, 575 insertions, 217 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 05bb16d0d..5b1d952ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -196,6 +196,12 @@ public class AssertionAttributeExtractor {  //	} +	public String getAssertionID() { +		return assertion.getID(); +		 +	} +	 +	  	public String getNameID() throws AssertionAttributeExtractorExeption {		  		if (assertion.getSubject() != null) {  			Subject subject = assertion.getSubject(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 28a85b4af..da4b54a5a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -31,9 +31,13 @@ import javax.xml.parsers.DocumentBuilder;  import javax.xml.parsers.DocumentBuilderFactory;  import javax.xml.parsers.ParserConfigurationException;  import javax.xml.transform.TransformerException; +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator;  import org.opensaml.Configuration;  import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.common.xml.SAMLSchemaBuilder;  import org.opensaml.saml2.core.Status;  import org.opensaml.saml2.core.StatusCode;  import org.opensaml.saml2.metadata.AssertionConsumerService; @@ -47,6 +51,7 @@ import org.opensaml.xml.io.MarshallingException;  import org.w3c.dom.Document;  import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger;  public class SAML2Utils { @@ -142,4 +147,20 @@ public class SAML2Utils {          return envelope;      } +     +    public static void schemeValidation(XMLObject xmlObject) throws Exception { +    	try { +			Schema test = SAMLSchemaBuilder.getSAML11Schema(); +			Validator val = test.newValidator(); +			DOMSource source = new DOMSource(xmlObject.getDOM());		 +			val.validate(source); +			Logger.debug("SAML2 Scheme validation successful"); +			return; +		 +		} catch (Exception e) { +			Logger.warn("SAML2 scheme validation FAILED.", e); +			throw e; +			 +		} +    }  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index 83a2b61d2..489d2fb4a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -22,11 +22,6 @@   */  package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.xml.SAMLSchemaBuilder;  import org.opensaml.saml2.metadata.provider.MetadataFilter;  import org.opensaml.xml.XMLObject;  import org.xml.sax.SAXException; @@ -34,6 +29,7 @@ import org.xml.sax.SAXException;  import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger;  /** @@ -71,10 +67,7 @@ public class SchemaValidationFilter implements MetadataFilter {  		if (isActive) {  			try { -				Schema test = SAMLSchemaBuilder.getSAML11Schema(); -				Validator val = test.newValidator(); -				DOMSource source = new DOMSource(arg0.getDOM());		 -				val.validate(source); +				SAML2Utils.schemeValidation(arg0);  				Logger.info("Metadata Schema validation check done OK");  				return; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 9cc4b0b5e..84fd93773 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -344,4 +344,5 @@ sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}  sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
  sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
  sl20.06=Http transport-binding error. Reason: {0} 
 -
 +sl20.07=Fehler beim Validieren der eID information. Type: {0} Reason: {1}
 +sl20.08=SL2.0 Teilnehmer antwortet mit einem Fehler. Code: {0} Reason: {1}
 diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 6de581cae..d77ea437b 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -258,6 +258,10 @@ sl20.01=14000  sl20.02=14001  sl20.03=14800  sl20.04=14001 +sl20.05=xxxxx +sl20.06=xxxxx +sl20.07=xxxxx +sl20.08=xxxxx  ##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes  mis.301=1005 diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java index 920187bfb..a3648220d 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth;  public class Constants {  	public static final String HTTP_ENDPOINT_DATAURL = "/sl20/dataUrl"; +	public static final String HTTP_ENDPOINT_RESUME = "/sl20/resume";  	public static final String CONFIG_PROP_PREFIX = "modules.sl20";  	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint"; @@ -17,6 +18,9 @@ public class Constants {  	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST = CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ".";  	public static final String CONFIG_PROP_SP_LIST = CONFIG_PROP_PREFIX + ".sp.entityIds."; +	public static final String CONFIG_PROP_DISABLE_EID_VALIDATION = CONFIG_PROP_PREFIX + ".security.eID.validation.disable"; +	public static final String CONFIG_PROP_DISABLE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.enabled"; +	  	public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";  	/** diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java index 87d306822..4f8ef0a76 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java @@ -44,11 +44,14 @@ public class SL20SignalServlet extends AbstractProcessEngineSignalController {  	public SL20SignalServlet() {  		super();  		Logger.debug("Registering servlet " + getClass().getName() +  -				" with mappings '"+ Constants.HTTP_ENDPOINT_DATAURL + "'."); +				" with mappings '"+ Constants.HTTP_ENDPOINT_DATAURL +  +				" and " + Constants.HTTP_ENDPOINT_RESUME +  +				"'.");  	} -	@RequestMapping(value = { Constants.HTTP_ENDPOINT_DATAURL 							   +	@RequestMapping(value = { Constants.HTTP_ENDPOINT_DATAURL, +							  Constants.HTTP_ENDPOINT_RESUME  							},   					method = {RequestMethod.POST, RequestMethod.GET})  	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java new file mode 100644 index 000000000..957ace0fb --- /dev/null +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java @@ -0,0 +1,16 @@ +package at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions; + +public class SL20eIDDataValidationException extends SL20Exception { +	private static final long serialVersionUID = 1L; + +	public SL20eIDDataValidationException(Object[] parameters) { +		super("sl20.07", parameters); +		 +	} +	 +	public SL20eIDDataValidationException(Object[] parameters, Throwable e) { +		super("sl20.07", parameters, e); +		 +	} + +} diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java index d00ef8a04..2563c7f7d 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java @@ -105,7 +105,7 @@ public class JsonSecurityUtils implements IJOSETools{  				}  			} -			 +  			//some short validation  			if (signPrivKey == null || !(signPrivKey instanceof PrivateKey)) {  				Logger.info("Can NOT open privateKey for SL2.0 signing. KeyStore=" + getKeyStoreFilePath()); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java index b855c3cac..33bb4fe36 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java @@ -12,6 +12,8 @@ public class SL20Constants {  	//http binding parameters  	public static final String PARAM_SL20_REQ_COMMAND_PARAM = "slcommand"; +	public static final String PARAM_SL20_REQ_COMMAND_PARAM_OLD = "sl2command"; +	  	public static final String PARAM_SL20_REQ_ICP_RETURN_URL_PARAM = "slIPCReturnUrl";  	public static final String PARAM_SL20_REQ_TRANSACTIONID = "slTransactionID"; diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java index e01945df0..6949b7a18 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java @@ -9,6 +9,7 @@ import java.util.Map;  import java.util.Map.Entry;  import org.apache.http.Header; +import org.apache.http.HttpEntity;  import org.apache.http.HttpResponse;  import org.apache.http.client.utils.URIBuilder;  import org.apache.log4j.Logger; @@ -163,19 +164,23 @@ public class SL20JSONExtractorUtils {  			return result;  		else if (encryptedResult != null && encryptedResult.isJsonPrimitive()) { -			/*TODO: -			 *  -			 * Remove dummy code and test real decryption!!!!! -			 *  -			 */			 - -			//return decrypter.decryptPayload(encryptedResult.getAsString()); +			try { +				return decrypter.decryptPayload(encryptedResult.getAsString()); +				 +			} catch (Exception e) { +				log.info("Can NOT decrypt SL20 result. Reason:" + e.getMessage()); +				if (!mustBeEncrypted) { +					log.warn("Decrypted results are disabled by configuration. Parse result in plain if it is possible"); -			//dummy code -			String[] signedPayload = encryptedResult.toString().split("\\."); -			JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1]))); -			return payLoad; -			 +					//dummy code +					String[] signedPayload = encryptedResult.toString().split("\\."); +					JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1]))); +					return payLoad; +					 +				} else +					throw e;	 +				 +			}  		} else  			throw new SLCommandoParserException("Internal build error"); @@ -241,13 +246,21 @@ public class SL20JSONExtractorUtils {  			} else if (httpResp.getStatusLine().getStatusCode() == 200) {  				if (!httpResp.getEntity().getContentType().getValue().equals("application/json;charset=UTF-8")) -					throw new SLCommandoParserException("SL20 response with a wrong ContentType: " + httpResp.getEntity().getContentType().getValue()); -					 -				sl20Resp = new JsonParser().parse(new InputStreamReader(httpResp.getEntity().getContent())).getAsJsonObject(); +					throw new SLCommandoParserException("SL20 response with a wrong ContentType: " + httpResp.getEntity().getContentType().getValue());					 +				sl20Resp = parseSL20ResultFromResponse(httpResp.getEntity()); +			} else if ( (httpResp.getStatusLine().getStatusCode() == 500) ||  +					(httpResp.getStatusLine().getStatusCode() == 401) ||  +					(httpResp.getStatusLine().getStatusCode() == 400) ) { +				log.info("SL20 response with http-code: " + httpResp.getStatusLine().getStatusCode()  +						+ ". Search for error message");				 +				sl20Resp = parseSL20ResultFromResponse(httpResp.getEntity()); +				 +				  			} else  				throw new SLCommandoParserException("SL20 response with http-code: " + httpResp.getStatusLine().getStatusCode()); -				 + +			log.info("Find JSON object in http response");  			return sl20Resp;  		} catch (Exception e) { @@ -256,6 +269,22 @@ public class SL20JSONExtractorUtils {  		}		  	} +	private static JsonObject parseSL20ResultFromResponse(HttpEntity resp) throws Exception { +		if (resp != null && resp.getContent() != null) {			 +			JsonElement sl20Resp = new JsonParser().parse(new InputStreamReader(resp.getContent())); +			if (sl20Resp != null && sl20Resp.isJsonObject()) { +				return sl20Resp.getAsJsonObject(); +				 +			} else +				throw new SLCommandoParserException("SL2.0 can NOT parse to a JSON object"); +			 +			 +		} else +			throw new SLCommandoParserException("Can NOT find content in http response"); + 					 +	} +	 +	  	private static JsonElement getAndCheck(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {  		JsonElement internal = input.get(keyID); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java index 7d03a43ac..d07d7a78a 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java @@ -1,24 +1,17 @@  package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;  import java.io.IOException; -import java.util.Calendar;  import java.util.Date; -import java.util.GregorianCalendar;  import java.util.List; -import javax.xml.bind.DatatypeConverter; -import javax.xml.transform.TransformerException; -  import org.jaxen.SimpleNamespaceContext;  import org.w3c.dom.Element;  import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; -import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.ServiceException;  import at.gv.egovernment.moa.id.auth.exception.ValidateException;  import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;  import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;  import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;  import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureRequestBuilder; @@ -27,13 +20,12 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;  import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;  import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;  import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;  import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.api.impl.VerifyXMLSignatureRequestImpl; +import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil; +import at.gv.egovernment.moa.util.Base64Utils;  import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.DOMUtils; -import at.gv.egovernment.moa.util.XPathUtils;  public class QualifiedeIDVerifier { @@ -57,7 +49,7 @@ public class QualifiedeIDVerifier {  	    NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI);  	  } -	public static boolean verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {		 +	public static void verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {		  		// validates the identity link  		IdentityLinkValidator.getInstance().validate(idl); @@ -79,17 +71,15 @@ public class QualifiedeIDVerifier {  			VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,  			oaParam); -		 -		return false; -		 +				  	} -	public static IVerifiyXMLSignatureResponse verifyAuthBlock(byte[] authblock, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException { +	public static IVerifiyXMLSignatureResponse verifyAuthBlock(String authBlockB64, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException, IOException {  		String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore());  		List<String> verifyTransformsInfoProfileID = null;  		SignatureVerificationUtils sigVerify = new SignatureVerificationUtils(); -		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(authblock, trustProfileId , verifyTransformsInfoProfileID); +		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(Base64Utils.decode(authBlockB64, false), trustProfileId , verifyTransformsInfoProfileID);  		// validates the <VerifyXMLSignatureResponse>  		VerifyXMLSignatureResponseValidator.getInstance().validate(sigVerifyResult, @@ -99,20 +89,43 @@ public class QualifiedeIDVerifier {  	} -	public static boolean checkIDLAgainstAuthblock(IVerifiyXMLSignatureResponse sigVerifyResult, IIdentityLink idl, byte[] authBlock) throws ValidateException { +	public static boolean checkConsistencyOfeIDData(String sl20ReqId, IIdentityLink idl, AssertionAttributeExtractor authBlockExtractor, IVerifiyXMLSignatureResponse sigVerifyResult) throws SL20eIDDataValidationException {  		try {          			// compares the public keys from the identityLink with the AuthBlock  			VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(sigVerifyResult, idl); +			//compare requestId from SL20 qualifiedeID command to ID from SAML2 assertion +			String authBlockId = authBlockExtractor.getAssertionID(); +			if (MiscUtil.isEmpty(authBlockId)) { +				Logger.info("AuthBlock containts no ID, but ID MUST be included"); +				throw new SL20eIDDataValidationException(new Object[] { +						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +						"AuthBlock containts no ID, but ID MUST be included" +				}); +			} +			if (!authBlockId.equals(sl20ReqId)) { +				Logger.info("SL20 'requestId' does NOT match to AuthBlock Id." +						+ " Expected : " + sl20ReqId +						+ " Authblock: " + authBlockId); +				throw new SL20eIDDataValidationException(new Object[] { +						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +						"SL20 'requestId' does NOT match to AuthBlock Id." +				}); +			} +			 +						  			// Compare AuthBlock Data with information stored in session, especially  			// date and time -			validateSigningDateTime(sigVerifyResult); +			validateSigningDateTime(sigVerifyResult, authBlockExtractor);  		} catch ( ValidateException e) { -			Logger.error("Signature verification error. ", e); -			throw e;  +			Logger.warn("Validation of eID information FAILED. ", e); +			throw new SL20eIDDataValidationException(new Object[] { +					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, +					e.getMessage() +			});  		} @@ -121,12 +134,46 @@ public class QualifiedeIDVerifier {  	} -	private static boolean validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult) throws ValidateException { +	private static void validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult, AssertionAttributeExtractor authBlockExtractor) throws SL20eIDDataValidationException {  		Date signingDate = sigVerifyResult.getSigningDateTime(); +		Date notBefore = authBlockExtractor.getAssertionNotBefore(); +		Date notOrNotAfter = authBlockExtractor.getAssertionNotOnOrAfter(); +		if (signingDate == null) { +			Logger.info("AuthBlock signature contains NO signing data"); +			throw new SL20eIDDataValidationException(new Object[] { +					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +					"AuthBlock signature contains NO signing data" +			}); +			 +		} -			   -		return false; +		Logger.debug("AuthBlock signing data: " + signingDate.toString()); + +		if (notBefore == null || notOrNotAfter == null) { +			Logger.info("AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates"); +			throw new SL20eIDDataValidationException(new Object[] { +					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +					"AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates" +			}); +			 +		} +		 +		Logger.debug("AuthBlock valid period." +				+ " NotBefore:" + notBefore.toString()  +				+ " NotOrNotAfter:" + notOrNotAfter.toString()); +		 +		if (signingDate.after(notBefore) || signingDate.before(notOrNotAfter)) +			Logger.debug("Signing date validation successfull"); +		 +		else { +			Logger.info("AuthBlock signing date does NOT match to AuthBlock constrains"); +			throw new SL20eIDDataValidationException(new Object[] { +					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +					"AuthBlock signing date does NOT match to AuthBlock constrains" +			}); +			 +		}		  	  }  } diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java index d9ff9d93c..763454639 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java @@ -5,7 +5,6 @@ import java.util.HashMap;  import java.util.List;  import java.util.Map;  import java.util.Map.Entry; -import java.util.UUID;  import javax.net.ssl.SSLSocketFactory;  import javax.servlet.http.HttpServletRequest; @@ -30,6 +29,7 @@ import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.IJOSETools;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20HttpBindingUtils; @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;  import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;  import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.id.util.SSLUtils;  import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moaspss.logging.Logger; @@ -91,7 +92,8 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {  						qualifiedeIDParams,   						joseTools.getEncryptionCertificate()); -				String qualeIDReqId = UUID.randomUUID().toString(); +				//String qualeIDReqId = UUID.randomUUID().toString(); +				String qualeIDReqId = SAML2Utils.getSecureIdentifier();  				String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools);  				JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand); @@ -107,9 +109,16 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {  				HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build());								  				httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);  				List<NameValuePair> parameters = new ArrayList<NameValuePair>();; -				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Req.toString())); +				 +				//correct one +				//parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes()))); +				 +				//A-Trust current version +				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM_OLD, sl20Req.toString()));  				httpReq.setEntity(new UrlEncodedFormEntity(parameters ));				 +				 +				  				//request VDA  				HttpResponse httpResp = httpClient.execute(httpReq); @@ -147,10 +156,22 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {  					//TODO: maybe add SL2ClientType Header from execution context  					SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL); +				} else if (respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString() +						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR)) {  +					JsonObject result = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_RESULT, false); +					if (result  == null) +						result = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, false); +					 +					String errorCode = SL20JSONExtractorUtils.getStringValue(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE, true); +					String errorMsg = SL20JSONExtractorUtils.getStringValue(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE, true); +					 +					Logger.info("Receive SL2.0 error. Code:" + errorCode + " Msg:" + errorMsg); +					throw new SL20Exception("sl20.08", new Object[]{errorCode, errorMsg}); +					  				} else {  					//TODO: update to add error handling  					Logger.warn("Received an unrecognized command: " + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString()); -				 +					throw new SLCommandoParserException("Received an unrecognized command: \" + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString()");  				} diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java index 90e19326e..b7fe579a3 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java @@ -1,9 +1,8 @@  package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks; -import java.io.ByteArrayInputStream; +import java.io.IOException;  import java.io.StringWriter;  import java.security.cert.X509Certificate; -import java.util.Calendar;  import java.util.HashMap;  import java.util.List;  import java.util.Map; @@ -13,7 +12,6 @@ import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  import org.apache.http.entity.ContentType; -import org.jose4j.keys.X509Util;  import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Component; @@ -35,18 +33,12 @@ import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.IJOSETools;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONBuilderUtils;  import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONExtractorUtils; -import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;  import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;  import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;  import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; -import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.DateTimeUtils;  import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moaspss.logging.Logger; -import iaik.esi.sva.util.X509Utils; -import iaik.utils.Util; +  @Component("ReceiveQualeIDTask")  public class ReceiveQualeIDTask extends AbstractAuthServletTask { @@ -57,173 +49,210 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {  	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)  			throws TaskExecutionException { -		Logger.debug("Receiving SL2.0 response process .... ");  		try { -			//get SL2.0 command or result from HTTP request -			Map<String, String> reqParams = getParameters(request); -			String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); 			 -			if (MiscUtil.isEmpty(sl20Result)) { -				Logger.info("NO SL2.0 commando or result FOUND."); -				throw new SL20Exception("sl20.04", null); -				 -			} -			 -			 -			//parse SL2.0 command/result into JSON +			Logger.debug("Receiving SL2.0 response process .... ");  			JsonObject sl20ReqObj = null;  			try { -				JsonParser jsonParser = new JsonParser(); -				JsonElement sl20Req = jsonParser.parse(sl20Result); -				sl20ReqObj = sl20Req.getAsJsonObject(); +				//get SL2.0 command or result from HTTP request +				Map<String, String> reqParams = getParameters(request); +				String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); 			 +				if (MiscUtil.isEmpty(sl20Result)) { +					Logger.info("NO SL2.0 commando or result FOUND."); +					throw new SL20Exception("sl20.04", null); +					 +				} +							 +				//parse SL2.0 command/result into JSON			 +				try { +					JsonParser jsonParser = new JsonParser(); +					JsonElement sl20Req = jsonParser.parse(sl20Result); +					sl20ReqObj = sl20Req.getAsJsonObject(); +					 +				} catch (JsonSyntaxException e) { +					Logger.warn("SL2.0 command or result is NOT valid JSON.", e); +					Logger.debug("SL2.0 msg: " + sl20Result); +					throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e); +					 +				} -			} catch (JsonSyntaxException e) { -				Logger.warn("SL2.0 command or result is NOT valid JSON.", e); -				Logger.debug("SL2.0 msg: " + sl20Result); -				throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e); +				//validate reqId with inResponseTo  +				String sl20ReqId = pendingReq.getGenericData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class); +				String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true); +				if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) { +					Logger.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); +					throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); +				} -			} -			 -			//validate reqId with inResponseTo  -			String sl20ReqId = pendingReq.getGenericData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class); -			String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true); -			if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) { -				Logger.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); -				throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); -			} -			 -			 -			//validate signature -			VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true); -			if (payLoadContainer.isValidSigned() == null ||  -					!payLoadContainer.isValidSigned()) { -				Logger.info("SL20 result from VDA was not valid signed"); -				throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."}); -			} -			 -			//TODO validate certificate -			List<X509Certificate> sigCertChain = payLoadContainer.getCertChain(); -			 -			 -			//extract payloaf -			JsonObject payLoad = payLoadContainer.getPayload(); -			 -			//check response type -			if (SL20JSONExtractorUtils.getStringValue( -					payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true) -						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) { -				Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... "); -								 -				//TODO: activate decryption in 'SL20JSONExtractorUtils.extractSL20Result' -				JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, joseTools, false); -								 -				//extract attributes from result -				String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  -										SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true); -				String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  -						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true); -				String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  -						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true); -				String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  -						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true); +				//validate signature +				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true); +				if (payLoadContainer.isValidSigned() == null ||  +						!payLoadContainer.isValidSigned()) { +					Logger.info("SL20 result from VDA was not valid signed"); +					throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."}); +					 +				} +				/*TODO validate certificate by using MOA-SPSS +				* currently, the certificate is validated in IJOSETools by using a pkcs12 or jks keystore +				*/ +				List<X509Certificate> sigCertChain = payLoadContainer.getCertChain(); -				//TODO: validate results -				IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink(); +				//extract payloaf +				JsonObject payLoad = payLoadContainer.getPayload(); +				//check response type +				if (SL20JSONExtractorUtils.getStringValue( +						payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true) +							.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) { +					Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... "); +									 +					JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result( +							payLoad, joseTools,  +							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true)); +					 +					//extract attributes from result +					String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  +											SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true); +					String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  +							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true); +					String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  +							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true); +					String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),  +							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true); +					 +					//cache qualified eID data into pending request +					pendingReq.setGenericDataToSession( +							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL,  +							idlB64); +					pendingReq.setGenericDataToSession( +							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,  +							authBlockB64); +					pendingReq.setGenericDataToSession( +							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL,  +							ccsURL); +					pendingReq.setGenericDataToSession( +							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA,  +							LoA); +																										 +				} else { +					Logger.info("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result"); +					throw new SLCommandoParserException("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result"); +				} -				//add into session -				defaultTaskInitialization(request, executionContext); -				moasession.setIdentityLink(idl); -				moasession.setBkuURL(ccsURL); -				//TODO: from AuthBlock -				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance())); -				moasession.setQAALevel(LoA); -				//mark as authenticated -				moasession.setAuthenticated(true); -				pendingReq.setAuthenticated(true); -								 -				//store pending request -				requestStoreage.storePendingRequest(pendingReq); -								 -				//create response  -				Map<String, String> reqParameters = new HashMap<String, String>(); -				reqParameters.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID()); -				JsonObject callReqParams = SL20JSONBuilderUtils.createCallCommandParameters( -						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, null),  -						SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET,  -						false,  -						reqParameters); -				JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams); +			} catch (MOAIDException  e) { +				Logger.warn("SL2.0 processing error:", e); +				pendingReq.setGenericDataToSession( +						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR,  +						new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e)); -				//build first redirect command for app -				JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true); -				JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams); -								 -				//build second redirect command for IDP -				JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters( -						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, null),  -						redirectOneCommand, null, true); -				JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams); +			} catch (Exception e) { +				Logger.warn("ERROR:", e); +				Logger.warn("SL2.0 Authentication FAILED with a generic error.", e); +				pendingReq.setGenericDataToSession( +						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR,  +						new TaskExecutionException(pendingReq, e.getMessage(), e)); -				//build generic SL2.0 response container								 -				String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false); -				JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest( -						UUID.randomUUID().toString(),  -						transactionId,  -						redirectTwoCommand,  -						null);  +			} finally { +					//store pending request +					requestStoreage.storePendingRequest(pendingReq); -				if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null &&  -						request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					 -					Logger.debug("Client request containts 'native client' header ... ");												 -					StringWriter writer = new StringWriter(); -					writer.write(respContainer.toString());						 -					final byte[] content = writer.toString().getBytes("UTF-8"); -					response.setStatus(HttpServletResponse.SC_OK); -					response.setContentLength(content.length); -					response.setContentType(ContentType.APPLICATION_JSON.toString());						 -					response.getOutputStream().write(content); +					//write SL2.0 response +					if (sl20ReqObj != null)				 +						buildResponse(request, response, sl20ReqObj); +					else  +						buildErrorResponse(request, response, "2000", "General transport Binding error");					 -					 -				} else { -					Logger.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"); -					throw new SL20Exception("sl20.06",  -							new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"}); -					 -				} -												 -			} else { -				Logger.info("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result"); -				throw new SLCommandoParserException("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");  			} -			 -			 -		} catch (MOAIDException  e) { -			Logger.warn("ERROR:", e); -			throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e); -			 +		  		} catch (Exception e) { -			Logger.warn("ERROR:", e); -			Logger.warn("SL2.0 Authentication FAILED with a generic error.", e); -			throw new TaskExecutionException(pendingReq, e.getMessage(), e); +			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding +			Logger.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e); +			try { +				response.sendError(500, "Internal Server Error."); +				 +			} catch (IOException e1) { +				Logger.error("Can NOT send error message. SOMETHING IS REALY WRONG!", e); +				 +			}	 -		} finally {				 +		} finally {  			TransactionIDUtils.removeTransactionId();  			TransactionIDUtils.removeSessionId();  		}  	} -	 -	private JsonObject createRedirectCommand() { -		 +	private void buildErrorResponse(HttpServletRequest request, HttpServletResponse response, String errorCode, String errorMsg) throws Exception {				 +		JsonObject error = SL20JSONBuilderUtils.createErrorCommandResult(errorCode, errorMsg); +		JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest( +				UUID.randomUUID().toString(),  +				null,  +				error ,  +				null); +			 +		Logger.debug("Client request containts 'native client' header ... ");												 +		StringWriter writer = new StringWriter(); +		writer.write(respContainer.toString());						 +		final byte[] content = writer.toString().getBytes("UTF-8"); +		response.setStatus(HttpServletResponse.SC_OK); +		response.setContentLength(content.length); +		response.setContentType(ContentType.APPLICATION_JSON.toString());						 +		response.getOutputStream().write(content); +				 +	} + +	private void buildResponse(HttpServletRequest request, HttpServletResponse response, JsonObject sl20ReqObj) throws IOException, SL20Exception {		 +		//create response  +		Map<String, String> reqParameters = new HashMap<String, String>(); +		reqParameters.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID()); +		JsonObject callReqParams = SL20JSONBuilderUtils.createCallCommandParameters( +				new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null),  +				SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET,  +				false,  +				reqParameters); +		JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams); -		return null; +		//build first redirect command for app +		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true); +		JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams); +						 +		//build second redirect command for IDP +		JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters( +				new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null),  +				redirectOneCommand, null, true); +		JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams); +		//build generic SL2.0 response container								 +		String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false); +		JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest( +				UUID.randomUUID().toString(),  +				transactionId,  +				redirectTwoCommand,  +				null);  +		if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null &&  +				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					 +			Logger.debug("Client request containts 'native client' header ... ");												 +			StringWriter writer = new StringWriter(); +			writer.write(respContainer.toString());						 +			final byte[] content = writer.toString().getBytes("UTF-8"); +			response.setStatus(HttpServletResponse.SC_OK); +			response.setContentLength(content.length); +			response.setContentType(ContentType.APPLICATION_JSON.toString());						 +			response.getOutputStream().write(content); +			 +			 +		} else { +			Logger.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"); +			throw new SL20Exception("sl20.06",  +					new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"}); +			 +		}  	} + +	  } diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java new file mode 100644 index 000000000..b5c84d315 --- /dev/null +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java @@ -0,0 +1,180 @@ +package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks; + +import java.io.ByteArrayInputStream; +import java.util.Calendar; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.opensaml.Configuration; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.springframework.stereotype.Component; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier.QualifiedeIDVerifier; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moaspss.logging.Logger; + + +@Component("VerifyQualifiedeIDTask") +public class VerifyQualifiedeIDTask extends AbstractAuthServletTask { +	 +	@Override +	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) +			throws TaskExecutionException { +		 +		Logger.debug("Verify qualified eID data from SL20 response .... "); +		try { +			//check if there was an error  +			TaskExecutionException sl20Error = pendingReq.getGenericData( +					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, +					TaskExecutionException.class);			 +			if (sl20Error != null) { +				Logger.info("Found SL2.0 error after redirect ... "); +				throw sl20Error; +				 +			} +			 +			//get data from pending request +			String sl20ReqId = pendingReq.getGenericData( +					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID,  +					String.class); +			String idlB64 =  pendingReq.getGenericData( +					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, +					String.class); +			String authBlockB64 = pendingReq.getGenericData( +					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,  +					String.class); +			String ccsURL = pendingReq.getGenericData( +					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL,  +					String.class); +			String LoA = pendingReq.getGenericData( +					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA,  +					String.class); +							 +			//parse eID data +			IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink(); +			IVerifiyXMLSignatureResponse authBlockVerificationResult = null; +			try {				 +				Assertion authBlock = parseAuthBlockToSaml2Assertion(authBlockB64); +				AssertionAttributeExtractor authBlockExtractor = new AssertionAttributeExtractor(authBlock); + +			 +				//validate eID data			 +				QualifiedeIDVerifier.verifyIdentityLink(idl, pendingReq.getOnlineApplicationConfiguration(), authConfig); +				authBlockVerificationResult = QualifiedeIDVerifier.verifyAuthBlock( +							authBlockB64, pendingReq.getOnlineApplicationConfiguration(), authConfig); +				QualifiedeIDVerifier.checkConsistencyOfeIDData(sl20ReqId, idl, authBlockExtractor, authBlockVerificationResult); +			 +				//TODO: add LoA verification +				 +			} catch (SL20eIDDataValidationException e) { +				if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_VALIDATION, false)) { +					Logger.warn("SL20 eID data validation IS DISABLED!!"); +					Logger.warn("SL20 eID data IS NOT VALID!!! Reason: " + e.getMessage(), e); +					 +				} else +					throw e; +				 +			} +							 +			//add into session +			defaultTaskInitialization(request, executionContext); +			moasession.setIdentityLink(idl); +			moasession.setBkuURL(ccsURL); +			//TODO: from AuthBlock +			if (authBlockVerificationResult != null) +				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(authBlockVerificationResult.getSigningDateTime())); +			else +				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance())); +			 +			moasession.setQAALevel(LoA); + +			//store pending request +			requestStoreage.storePendingRequest(pendingReq); +						 +		} catch (MOAIDException  e) { +			Logger.warn("ERROR:", e); +			throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e); +			 +		} catch (Exception e) { +			Logger.warn("ERROR:", e); +			Logger.warn("SL2.0 Authentication FAILED with a generic error.", e); +			throw new TaskExecutionException(pendingReq, e.getMessage(), e); +			 +		} finally {				 +			TransactionIDUtils.removeTransactionId(); +			TransactionIDUtils.removeSessionId(); +			 +		} +	} + +	private Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException { +		try { +			//parse authBlock into SAML2 Assertion +			byte[] authBlockBytes = Base64Utils.decode(authblockB64, false);			 +			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes)); +			UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); +			Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM);			  +			XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM); +			 +			//validate SAML2 Assertion +			SAML2Utils.schemeValidation(samlAssertion); +			 +			if (samlAssertion instanceof Assertion)			 +				return (Assertion) samlAssertion;			 +			else  +				throw new SL20eIDDataValidationException( +						new Object[] { +							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +							"AuthBlock is NOT of type SAML2 Assertion" +						}); +				 +		} catch (SL20eIDDataValidationException e) { +			throw e; +				 +		} catch (SAXException e) { +			Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage()); +			throw new SL20eIDDataValidationException( +					new Object[] { +						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +						e.getMessage() +					},  +					e); +			 +		} catch (Exception e) { +			Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage()); +			Logger.trace("FullAuthBlock: " + authblockB64); +			throw new SL20eIDDataValidationException( +					new Object[] { +						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, +						e.getMessage() +					},  +					e); +		 +		} +						 +	} + +	 +	 +} diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml index 37551b3f5..a9c9bac8e 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/moaid_sl20_auth.beans.xml @@ -29,5 +29,9 @@  	<bean id="ReceiveQualeIDResponseTask"   				class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks.ReceiveQualeIDTask"  				scope="prototype"/> +				 +	<bean id="VerifyQualifiedeIDTask"  +				class="at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks.VerifyQualifiedeIDTask" +				scope="prototype"/>				  </beans>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml index bcd74f84c..4975dc2d7 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml @@ -3,17 +3,15 @@  	<pd:Task id="createQualifiedeIDRequest" class="CreateQualeIDRequestTask" />  	<pd:Task id="receiveQualifiedeID" class="ReceiveQualeIDResponseTask"  async="true"/> -	 -	<!-- <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" /> --> +	<pd:Task id="verifyQualifiedeIDTask" class="VerifyQualifiedeIDTask" async="true"/>	 +	<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />  	<pd:StartEvent id="start" />  	<pd:Transition from="start" to="createQualifiedeIDRequest" />	 -	<pd:Transition from="createQualifiedeIDRequest" to="receiveQualifiedeID" /> -	<pd:Transition from="receiveQualifiedeID" to="end" /> - -	<!-- It's only required if we can not use the finalize redirect on SL20 redirect command --> -	<!-- <pd:Transition from="receiveQualifiedeID" to="finalizeAuthentication" />		 -	<pd:Transition from="finalizeAuthentication"    to="end" />	 --> +	<pd:Transition from="createQualifiedeIDRequest" to="receiveQualifiedeID" />	 +	<pd:Transition from="receiveQualifiedeID" to="verifyQualifiedeIDTask" /> +	<pd:Transition from="verifyQualifiedeIDTask" to="finalizeAuthentication" />			 +	<pd:Transition from="finalizeAuthentication"    to="end" />  	<pd:EndEvent id="end" /> diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index a56be1f46..fa4a50992 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -28,12 +28,12 @@ import java.util.List;  import org.w3c.dom.Element; -import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;  import at.gv.egovernment.moa.id.auth.exception.ValidateException;  import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;  import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;  import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;  import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; +import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureRequestBuilder;  import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;  import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;  import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; | 
