Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java171
1 files changed, 130 insertions, 41 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 4c44e807c..8cb71402f 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.id.auth;
import iaik.pki.PKIException;
+import iaik.x509.X509Certificate;
import java.io.IOException;
import java.security.GeneralSecurityException;
@@ -12,6 +13,8 @@ import java.util.Iterator;
import java.util.Map;
import java.util.Set;
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.AuthenticationException;
@@ -47,6 +50,7 @@ import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidat
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.OAParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
@@ -55,7 +59,9 @@ import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.BoolUtils;
+import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moa.util.FileUtils;
@@ -139,8 +145,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {
throw new AuthenticationException("auth.07", new Object[] { authURL + "*" });
if (isEmpty(authURL))
throw new WrongParametersException("StartAuthentication", "AuthURL");
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
if (isEmpty(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA);
@@ -154,6 +158,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL);
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { oaURL });
+
+ if (!oaParam.getBusinessService()) {
+ if (isEmpty(target))
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
+ } else {
+ if (!isEmpty(target)) {
+ Logger.info("Ignoring target parameter thus application type is \"businessService\"");
+ }
+ target = null;
+ }
+
AuthenticationSession session = newSession();
Logger.info("MOASession " + session.getSessionID() + " angelegt");
session.setTarget(target);
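Review bot: The business-service handling of `target` added here is duplicated almost verbatim in the later hunk at `@@ -258,28 +274,45 @@`, but that copy drops the `Logger.info(...)` line and silently discards a supplied target, so the two entry points now behave differently for the same input. Extracting the check into one private helper, e.g. `private static String resolveTarget(OAAuthParameter oaParam, String target) throws WrongParametersException`, that throws `WrongParametersException("StartAuthentication", PARAM_TARGET)` for public services and logs-and-nulls for business services would keep both paths identical. The log text itself reads better as `"Ignoring target parameter because application type is \"businessService\""`. The enclosing method starts and ends outside the hunk.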
@@ -161,6 +176,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
session.setAuthURL(authURL);
session.setTemplateURL(templateURL);
+ session.setBusinessService(oaParam.getBusinessService());
String returnURL =
new DataURLBuilder().buildDataURL(authURL, REQ_START_AUTHENTICATION, session.getSessionID());
String bkuSelectionType = AuthConfigurationProvider.getInstance().getBKUSelectionType();
@@ -258,28 +274,45 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthConfigurationProvider.FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY);
if ((!authURL.startsWith("https:")) && (false == BoolUtils.valueOf(boolStr)))
throw new AuthenticationException("auth.07", new Object[] { authURL + "*" });
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
if (isEmpty(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA);
}
AuthenticationSession session;
- if (sessionID != null)
+ OAAuthParameter oaParam;
+ if (sessionID != null) {
session = getSession(sessionID);
- else {
- OAAuthParameter oaParam =
+ oaParam =
+ AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+ } else {
+ oaParam =
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL);
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { oaURL });
+ if (!oaParam.getBusinessService()) {
+ if (isEmpty(target))
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
+ } else {
+ target = null;
+ }
session = newSession();
Logger.info("MOASession " + session.getSessionID() + " angelegt");
session.setTarget(target);
session.setOAURLRequested(oaURL);
session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
session.setAuthURL(authURL);
- session.setTemplateURL(templateURL);
+ session.setTemplateURL(templateURL);
+ session.setBusinessService(oaParam.getBusinessService());
+ }
+ // BKU URL has not been set yet, even if session already exists
+ if (bkuURL == null) {
+ bkuURL = DEFAULT_BKU;
}
- String infoboxReadRequest = new InfoboxReadRequestBuilder().build();
+ session.setBkuURL(bkuURL);
+ String infoboxReadRequest =
+ new InfoboxReadRequestBuilder().build(oaParam.getSlVersion12(),
+ oaParam.getBusinessService(),
+ oaParam.getIdentityLinkDomainIdentifier());
String dataURL =
new DataURLBuilder().buildDataURL(
session.getAuthURL(),
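Review bot: In the `sessionID != null` branch `oaParam` is looked up from `session.getPublicOAURLPrefix()` but, unlike the `else` branch, is never checked for `null`, and it is dereferenced unconditionally a few lines later in `new InfoboxReadRequestBuilder().build(oaParam.getSlVersion12(), ...)` (and again in the next hunk); an online application removed from the configuration between the two requests would surface as a NullPointerException instead of the existing `auth.00` error. Moving the null check below the `if`/`else` covers both branches: `if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() });`. Separately, `bkuURL` is stored in the session here and later copied into the authentication data and assertion (last hunk on the page); whether it is validated against the configured BKU values before this point is not visible in the hunk and is worth confirming. The enclosing method starts outside the hunk.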
@@ -296,7 +329,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
ex);
}
}
- String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build();
+ String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(oaParam.getSlVersion12());
String certInfoDataURL =
new DataURLBuilder().buildDataURL(
session.getAuthURL(),
@@ -371,25 +404,38 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// debug output
if(null != domVerifyXMLSignatureResponse)
OutputXML2File.debugOutputXML2File("VerifyIdentityLinkResponse.xml", domVerifyXMLSignatureResponse, DEBUG_OUTPUT_HIERARCHY);
+ if (identityLink.getIdentificationType().equalsIgnoreCase(Constants.URN_PREFIX_BASEID)) {
+ }
+
+ OAAuthParameter oaParam =
+ AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+
+ // if OA is type is business service the manifest validation result has to be ignored
+ boolean ignoreManifestValidationResult = oaParam.getBusinessService() ? true : false;
+
// validates the <VerifyXMLSignatureResponse>
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,
authConf.getIdentityLinkX509SubjectNames(),
- VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK);
+ VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
+ ignoreManifestValidationResult);
session.setIdentityLink(identityLink);
// builds the AUTH-block
String authBlock = buildAuthenticationBlock(session);
- session.setAuthBlock(authBlock);
+// session.setAuthBlock(authBlock);
// builds the <CreateXMLSignatureRequest>
- String[] transformInfos = authConf.getTransformsInfos();
-
- OAAuthParameter oaParam =
- AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
- session.getPublicOAURLPrefix());
-
+ String[] transformsInfos = oaParam.getTransformsInfos();
+ if ((transformsInfos == null) || (transformsInfos.length == 0)) {
+ // no OA specific transforms specified, use default ones
+ transformsInfos = authConf.getTransformsInfos();
+ }
String createXMLSignatureRequest =
- new CreateXMLSignatureRequestBuilder().build(authBlock, oaParam.getKeyBoxIdentifier(), transformInfos);
+ new CreateXMLSignatureRequestBuilder().build(authBlock,
+ oaParam.getKeyBoxIdentifier(),
+ transformsInfos,
+ oaParam.getSlVersion12());
return createXMLSignatureRequest;
}
/**
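Review bot: The block `if (identityLink.getIdentificationType().equalsIgnoreCase(Constants.URN_PREFIX_BASEID)) { }` is empty, so it neither enforces nor documents anything; either remove it or implement the intended base-id handling, since an empty branch right before the signature-validation call reads as an unfinished check. Two style points in the same hunk: `oaParam.getBusinessService() ? true : false` is just `oaParam.getBusinessService()`, and the commented-out `// session.setAuthBlock(authBlock);` should be deleted rather than kept as dead code (the serialized assertion is stored after the CreateXMLSignatureResponse is parsed in a later hunk). `oaParam` is also dereferenced without a null check here, unlike the lookups in startAuthentication that throw `auth.00`; `if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() });` keeps the failure mode consistent. The enclosing method starts outside the hunk.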
@@ -401,12 +447,21 @@ public class AuthenticationServer implements MOAIDAuthConstants {
IdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getGivenName() + " " + identityLink.getFamilyName();
String gebDat = identityLink.getDateOfBirth();
+ String identificationValue = identityLink.getIdentificationValue();
+ String identificationType = identityLink.getIdentificationType();
String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance());
String authURL = session.getAuthURL();
String target = session.getTarget();
String oaURL = session.getPublicOAURLPrefix();
- String authBlock =
- new AuthenticationBlockAssertionBuilder().build(issuer, issueInstant, authURL, target, oaURL, gebDat);
+ String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(issuer,
+ issueInstant,
+ authURL,
+ target,
+ identificationValue,
+ identificationType,
+ oaURL,
+ gebDat);
+
return authBlock;
}
/**
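Review bot: `identificationValue` and `identificationType` from the identity link are now embedded in the AuthBlock, and the last hunk on the page returns `session.getAuthBlock()` to the online application whenever `oaParam.getProvideAuthBlock()` is set while `setIdentificationValue` is only populated when `getProvideStammzahl()` is true; if `getIdentificationValue()` is the base identifier for public-service applications, it could reach an OA through the AuthBlock that is not entitled to it via the provideStammzahl setting. Please confirm that `AuthenticationBlockAssertionBuilder.buildAuthBlock` only emits the value in the business-service case, or document the intended exposure in the method's Javadoc, e.g. `identificationValue/identificationType are included in the signed AuthBlock and therefore visible to any OA configured with provideAuthBlock`. The enclosing method starts outside the hunk.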
@@ -450,13 +505,18 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
// parses <CreateXMLSignatureResponse>
CreateXMLSignatureResponse csresp =
- new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse();
+ new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse();
+ try {
+ String serializedAssertion = DOMUtils.serializeNode(csresp.getSamlAssertion());
+ session.setAuthBlock(serializedAssertion);
+ } catch (TransformerException e) {
+ throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE});
+ } catch (IOException e) {
+ throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE});
+ }
// validates <CreateXMLSignatureResponse>
- new CreateXMLSignatureResponseValidator().validate(
- csresp,
- session.getTarget(),
- session.getPublicOAURLPrefix());
- // builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
+ new CreateXMLSignatureResponseValidator().validate(csresp, session);
+ // builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
String[] vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs();
String tpid = authConf.getMoaSpAuthBlockTrustProfileID();
Element domVsreq = new VerifyXMLSignatureRequestBuilder().build(csresp, vtids, tpid);
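Review bot: Both catch blocks around `DOMUtils.serializeNode(csresp.getSamlAssertion())` discard the caught exception `e`, so the reason a serialization failed is lost to anyone diagnosing a `parser.04` error; if `ParseException` has a constructor that accepts a cause, pass `e` through, otherwise log it via the existing `Logger` before rethrowing. Note also that `session.setAuthBlock(serializedAssertion)` runs before `new CreateXMLSignatureResponseValidator().validate(csresp, session)`, so the session retains the serialized assertion even when validation then throws; moving the `setAuthBlock` call after the validate call keeps unverified data out of session state. The enclosing method starts and ends outside the hunk.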
@@ -474,7 +534,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
VerifyXMLSignatureResponseValidator.getInstance().validate(
vsresp,
null,
- VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK);
+ VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK,
+ true);
// compares the public keys from the identityLink with the AuthBlock
VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(
vsresp,
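Review bot: The bare `true` passed as the new last argument to `validate(...)` ignores the manifest validation result for every AuthBlock, whereas the identity-link check in the earlier hunk only ignores it for business-service applications, and nothing in the hunk explains why the AuthBlock is always exempt. Replace the literal with a named local that carries the reason, e.g. `boolean ignoreManifestValidationResult = true; // AuthBlock: TODO document why the manifest result is not enforced` and pass that variable, so a reader can tell whether this relaxation of the signature check is intentional. The enclosing method starts and ends outside the hunk.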
@@ -507,36 +568,64 @@ public class AuthenticationServer implements MOAIDAuthConstants {
IdentityLink identityLink = session.getIdentityLink();
AuthenticationData authData = new AuthenticationData();
+ OAAuthParameter oaParam =
+ AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+ boolean businessService = oaParam.getBusinessService();
authData.setMajorVersion(1);
authData.setMinorVersion(0);
authData.setAssertionID(Random.nextRandom());
authData.setIssuer(session.getAuthURL());
authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance()));
- String bpkBase64 =
- new BPKBuilder().buildBPK(
- identityLink.getIdentificationValue(),
- session.getTarget());
- authData.setIdentificationType(identityLink.getIdentificationType());
- authData.setPBK(bpkBase64);
+
+ authData.setIdentificationType(identityLink.getIdentificationType());
authData.setGivenName(identityLink.getGivenName());
authData.setFamilyName(identityLink.getFamilyName());
authData.setDateOfBirth(identityLink.getDateOfBirth());
authData.setQualifiedCertificate(verifyXMLSigResp.isQualifiedCertificate());
authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority());
authData.setPublicAuthorityCode(verifyXMLSigResp.getPublicAuthorityCode());
- OAAuthParameter oaParam =
- AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
- session.getPublicOAURLPrefix());
- String prPerson = new PersonDataBuilder().build(identityLink, oaParam.getProvideStammzahl());
-
- try {
+ authData.setBkuURL(session.getBkuURL());
+ boolean provideStammzahl = oaParam.getProvideStammzahl();
+ if (provideStammzahl) {
+ authData.setIdentificationValue(identityLink.getIdentificationValue());
+ }
+ String prPerson = new PersonDataBuilder().build(identityLink, provideStammzahl);
+
+ try {
+ String signerCertificateBase64 = "";
+ if (oaParam.getProvideCertifcate()) {
+ X509Certificate signerCertificate = verifyXMLSigResp.getX509certificate();
+ if (signerCertificate != null) {
+ signerCertificateBase64 = Base64Utils.encode(signerCertificate.getEncoded());
+ } else {
+ Logger.info("\"provideCertificate\" is \"true\", but no signer certificate available");
+ }
+ }
+ authData.setSignerCertificate(signerCertificateBase64);
+ if (businessService) {
+ authData.setWPBK(identityLink.getIdentificationValue());
+ } else {
+ // only compute bPK if online applcation is a public service
+ String bpkBase64 =
+ new BPKBuilder().buildBPK(
+ identityLink.getIdentificationValue(),
+ session.getTarget());
+ authData.setPBK(bpkBase64);
+ }
String ilAssertion =
oaParam.getProvideIdentityLink()
? DOMUtils.serializeNode(identityLink.getSamlAssertion())
: "";
String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : "";
String samlAssertion =
- new AuthenticationDataAssertionBuilder().build(authData, prPerson, authBlock, ilAssertion);
+ new AuthenticationDataAssertionBuilder().build(authData,
+ prPerson,
+ authBlock,
+ ilAssertion,
+ session.getBkuURL(),
+ signerCertificateBase64,
+ businessService);
authData.setSamlAssertion(samlAssertion);
return authData;
} catch (Throwable ex) {