diff options
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth/parser')
7 files changed, 1172 insertions, 0 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java new file mode 100644 index 000000000..1079a48de --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java @@ -0,0 +1,140 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +import org.w3c.dom.Element; +import org.w3c.dom.traversal.NodeIterator; + +import at.gv.egovernment.moa.id.*; +import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * Parses an <code><InfoboxReadResponse></code> returned from + * the security layer + * + * @author Stefan Knirsch + * @version $Id$ + */ + +public class CreateXMLSignatureResponseParser { + // + // XPath namespace prefix shortcuts + // + /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */ + private static final String SL10 = Constants.SL10_PREFIX + ":"; + /** Xpath prefix for reaching SecurityLayer 1.1 Namespaces */ + private static final String SL11 = Constants.SL11_PREFIX + ":"; + /** Xpath prefix for reaching SAML Namespaces */ + private static final String SAML = Constants.SAML_PREFIX + ":"; + /** Xpath prefix for reaching XML-DSIG Namespaces */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = "/" + SL11 + "CreateXMLSignatureResponse/"; + /** Xpath expression to the SAML:Assertion element */ + private static final String SAML_ASSERTION_XPATH = ROOT + SAML + "Assertion"; + /** Xpath expression to the SAML:NameIdentifier element */ + private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH = SAML_ASSERTION_XPATH + "/" + SAML + "AttributeStatement/" + SAML + "Subject/" + SAML + "NameIdentifier"; + /** Xpath expression to the AttributeStatement element */ + private static final String SAML_ATTRIBUTE_XPATH = SAML_ASSERTION_XPATH + "/" + SAML + "AttributeStatement/" + SAML + "Attribute"; + /** Xpath expression to the AttributeValue element */ + private static final String SAML_ATTRIBUTE_VALUE_XPATH = SAML + "AttributeValue"; + + /** This is the root element of the XML-Document provided by the Security Layer Card */ + private Element sigResponse; + + /** + * Constructor for CreateXMLSignatureResponseParser. + * A DOM-representation of the incoming String will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as String + * @throws AuthenticationException if any authentication error occurs + * @throws ParseException if an element cannot be parsed + */ + public CreateXMLSignatureResponseParser(String xmlResponse) throws AuthenticationException, ParseException { + ErrorResponseParser erp = new ErrorResponseParser(xmlResponse); + if (erp.getErrorCode() != null) { + throw new AuthenticationException("auth.08", new Object[] { erp.getErrorCode(), erp.getErrorInfo()}); + } + + try { + + InputStream s = new ByteArrayInputStream(xmlResponse.getBytes("UTF-8")); + sigResponse = DOMUtils.parseXmlValidating(s); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Constructor for CreateXMLSignatureResponseParser. + * A DOM-representation of the incoming Inputstream will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream + * @throws AuthenticationException if any Authentication error occurs + * @throws ParseException if an element cannot be parsed + */ + public CreateXMLSignatureResponseParser(InputStream is) throws AuthenticationException, ParseException { + + ErrorResponseParser erp = new ErrorResponseParser(is); + if (erp.getErrorCode() != null) { + throw new AuthenticationException("auth.08", new Object[] { erp.getErrorCode(), erp.getErrorInfo()}); + } + + try { + + sigResponse = DOMUtils.parseXmlValidating(is); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Constructor for CreateXMLSignatureResponseParser. + * The incoming Element will be used for further operations + * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream + */ + public CreateXMLSignatureResponseParser(Element xmlResponse) { + sigResponse = xmlResponse; + + } + + /** + * Parses the identity link from <code><InfoboxReadResponse></code> + * @return Identity link + * @throws ParseException + */ + + public CreateXMLSignatureResponse parseResponse() throws ParseException { + CreateXMLSignatureResponse cResp; + try { + + cResp = new CreateXMLSignatureResponse(); + cResp.setSamlNameIdentifier(XPathUtils.getElementValue(sigResponse, SAML_SUBJECT_NAME_IDENTIFIER_XPATH, null)); + cResp.setSamlAssertion((Element) XPathUtils.selectSingleNode(sigResponse, SAML_ASSERTION_XPATH)); + NodeIterator attrIter = XPathUtils.selectNodeIterator(sigResponse, SAML_ATTRIBUTE_XPATH); + Element samlAttr; + List samlAttributes = new ArrayList(); + while ((samlAttr = (Element) attrIter.nextNode()) != null) { + String attrName = XPathUtils.getAttributeValue(samlAttr, "@AttributeName", ""); + String attrNamespace = XPathUtils.getAttributeValue(samlAttr, "@AttributeNamespace", ""); + String attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, ""); + samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue)); + } + SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()]; + samlAttributes.toArray(result); + cResp.setSamlAttributes(result); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + return cResp; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ECDSAKeyValueConverter.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ECDSAKeyValueConverter.java new file mode 100644 index 000000000..c28cfac76 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ECDSAKeyValueConverter.java @@ -0,0 +1,350 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import iaik.security.ecc.ecdsa.ECDSAParameter; +import iaik.security.ecc.ecdsa.ECPublicKey; +import iaik.security.ecc.math.ecgroup.ECGroupFactory; +import iaik.security.ecc.math.ecgroup.ECPoint; +import iaik.security.ecc.math.ecgroup.EllipticCurve; +import iaik.security.ecc.math.ecgroup.ProjectiveCoordinate; +import iaik.security.ecc.math.field.Field; +import iaik.security.ecc.math.field.FieldElement; +import iaik.security.ecc.math.field.FieldFactory; +import iaik.security.ecc.math.field.Value; +import iaik.security.ecc.parameter.ECCParameterFactory; +import iaik.security.ecc.spec.ECCParameterSpec; +import java.math.BigInteger; +import java.security.PublicKey; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Vector; +import java.net.URL; +import org.w3c.dom.Attr; +import org.w3c.dom.Element; +import org.w3c.dom.NamedNodeMap; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; + +import at.gv.egovernment.moa.util.Constants; + +/** + * @author Stefan Knirsch + * @version $Id$ + * + */ +public class ECDSAKeyValueConverter +{ + /** Namespaces */ + public static final String NAMESPACE_XSI = "http://www.w3.org/2001/XMLSchema-instance"; + + /** + * Method element2ECDSAPublicKey. + * @param keyValueElem a DomElement containing an ECDSA Public Key + * @return PublicKey a java.security.publicKey - object + * @throws Exception on any error + */ + + public static PublicKey element2ECDSAPublicKey(Element keyValueElem) throws Exception + { + String ecdsaNS = Constants.ECDSA_NS_URI; + // Domain parameters + Element domainParams = getChildElement(keyValueElem, ecdsaNS, "DomainParameters", 1); + if (domainParams == null) throw new Exception("Domain parameters must not be implicit."); + Element namedCurve = getChildElement(domainParams, ecdsaNS, "NamedCurve", 1); + ECCParameterSpec eccParameterSpec; + if (namedCurve != null) + { + URL curveNameURN = new URL(namedCurve.getAttributeNS(null, "URN")); + ECCParameterFactory eccParamFactory = ECCParameterFactory.getInstance(); + eccParameterSpec = eccParamFactory.getParameterByOID(curveNameURN.getPath().substring(4)); + } + else + { + Element excplicitParams = getChildElement(domainParams, ecdsaNS, "ExplicitParams", 1); + Element fieldParams = getChildElement(excplicitParams, ecdsaNS, "FieldParams", 1); + Element curveParams = getChildElement(excplicitParams, ecdsaNS, "CurveParams", 1); + Element basePointParams = getChildElement(excplicitParams, ecdsaNS, "BasePointParams", 1); + + // Field parameters + String fieldParamsTypeStr = fieldParams.getAttributeNS(NAMESPACE_XSI, "type"); + String ecdsaNSPrefix = getECDSANSPrefix(fieldParams); + BigInteger p = null; + int fieldParamsType = 0; + final int FIELD_TYPE_PRIME = 1; + final int FIELD_TYPE_TNB = 2; + final int FIELD_TYPE_PNB = 3; + int m = -1, k = -1, k1 = -1, k2 = -1, k3 = -1; + if (fieldParamsTypeStr.equals(ecdsaNSPrefix + ":PrimeFieldParamsType")) + { + fieldParamsType = FIELD_TYPE_PRIME; + String pStr = getChildElementText(fieldParams, ecdsaNS, "P", 1); + p = new BigInteger(pStr, 10); + } + else if (fieldParamsTypeStr.equals(ecdsaNSPrefix + ":TnBFieldParamsType")) + { + fieldParamsType = FIELD_TYPE_TNB; + String mStr = getChildElementText(fieldParams, ecdsaNS, "M", 1); + m = Integer.parseInt(mStr); + String kStr = getChildElementText(fieldParams, ecdsaNS, "K", 1); + k = Integer.parseInt(kStr); + } + else if (fieldParamsTypeStr.equals(ecdsaNSPrefix + ":PnBFieldParamsType")) + { + fieldParamsType = FIELD_TYPE_PNB; + String mStr = getChildElementText(fieldParams, ecdsaNS, "M", 1); + m = Integer.parseInt(mStr); + String k1Str = getChildElementText(fieldParams, ecdsaNS, "K1", 1); + k1 = Integer.parseInt(k1Str); + String k2Str = getChildElementText(fieldParams, ecdsaNS, "K2", 1); + k2 = Integer.parseInt(k2Str); + String k3Str = getChildElementText(fieldParams, ecdsaNS, "K3", 1); + k3 = Integer.parseInt(k3Str); + } + else throw new Exception("Unknown field parameters."); + + // Curve parameters + Element aElem = getChildElement(curveParams, ecdsaNS, "A", 1); + String aStr = aElem.getAttributeNS(null, "Value"); + Element bElem = getChildElement(curveParams, ecdsaNS, "B", 1); + String bStr = bElem.getAttributeNS(null, "Value"); + String seedStr = getChildElementText(curveParams, ecdsaNS, "Seed", 1); + BigInteger seed = (seedStr != null) ? new BigInteger(seedStr, 10) : null; + + // Base point parameters + Element basePoint = getChildElement(basePointParams, ecdsaNS, "BasePoint", 1); + Element basePointXElem = getChildElement(basePoint, ecdsaNS, "X", 1); + String basePointXStr = basePointXElem.getAttributeNS(null, "Value"); + Element basePointYElem = getChildElement(basePoint, ecdsaNS, "Y", 1); + String basePointYStr = basePointYElem.getAttributeNS(null, "Value"); + String orderStr = getChildElementText(basePointParams, ecdsaNS, "Order", 1); + BigInteger order = new BigInteger(orderStr, 10); + String cofactorStr = getChildElementText(basePointParams, ecdsaNS, "Cofactor", 1); + BigInteger cofactor = (cofactorStr != null) ? new BigInteger(cofactorStr, 10) : null; + + if (fieldParamsType == FIELD_TYPE_PRIME) + { + BigInteger a = new BigInteger(aStr, 10); + BigInteger b = new BigInteger(bStr, 10); + BigInteger basePointX = new BigInteger(basePointXStr, 10); + BigInteger basePointY = new BigInteger(basePointYStr, 10); + eccParameterSpec = new ECCParameterSpec(p, cofactor, order, seed, null, a, b, basePointX, + basePointY, null); + } + else + { + int[] irreducible = new int[m/32 + ((m % 32 != 0) ? 1 : 0)]; + if (fieldParamsType == FIELD_TYPE_TNB) + { + irreducible[m/32] = 1 << m % 32; + irreducible[k/32] += 1 << k % 32; + irreducible[0] += 1; + } + else + { + irreducible[m/32] = 1 << m % 32; + irreducible[k3/32] += 1 << k3 % 32; + irreducible[k2/32] += 1 << k2 % 32; + irreducible[k1/32] += 1 << k1 % 32; + irreducible[0] += 1; + } + eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr), + octetString2IntArray(bStr), octetString2IntArray(basePointXStr), + octetString2IntArray(basePointYStr), null); + } + } + + // Public key + Element publicKeyElem = getChildElement(keyValueElem, ecdsaNS, "PublicKey", 1); + Element publicKeyXElem = getChildElement(publicKeyElem, ecdsaNS, "X", 1); + String publicKeyXStr = publicKeyXElem.getAttributeNS(null, "Value"); + Element publicKeyYElem = getChildElement(publicKeyElem, ecdsaNS, "Y", 1); + String publicKeyYStr = publicKeyYElem.getAttributeNS(null, "Value"); + + ECDSAParameter ecdsaParams = new ECDSAParameter(eccParameterSpec, false); + ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance(); + EllipticCurve eCurve = ecGroupFactory.getCurveWithProjective(eccParameterSpec.getA(), + eccParameterSpec.getB(), eccParameterSpec.getR()); + Field field = eCurve.getField(); + + // Detect type of public key field elements + String elementType = publicKeyXElem.getAttributeNS(NAMESPACE_XSI, "type"); + String elementTypeLocalName = elementType.substring(elementType.indexOf(':') + 1); + int FIELD_TYPE_PRIME = 1, FIELD_TYPE_CHAR_TWO = 2; + int fieldElemType = ("PrimeFieldElemType".equals(elementTypeLocalName)) + ? FIELD_TYPE_PRIME + : FIELD_TYPE_CHAR_TWO; + + FieldElement publicKeyPointX, publicKeyPointY; + if (fieldElemType == FIELD_TYPE_PRIME) + { + Value xValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyXStr, 10)); + publicKeyPointX = field.newElement(xValue); + Value yValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyYStr, 10)); + publicKeyPointY = field.newElement(yValue); + } + else + { + publicKeyPointX = field.newElement(octetString2ByteArray(publicKeyXStr)); + publicKeyPointY = field.newElement(octetString2ByteArray(publicKeyYStr)); + } + ProjectiveCoordinate publicKeyPointCoordinate = new ProjectiveCoordinate(publicKeyPointX, + publicKeyPointY, field.getONEelement()); + ECPoint publicKeyPoint = eCurve.newPoint(publicKeyPointCoordinate); + ECPublicKey publicKey = new ECPublicKey(ecdsaParams, publicKeyPoint); + + return publicKey; + } + + /** + * Method getECDSANSPrefix. + * @param element to get the prefix + * @return String the prefix + */ + private static String getECDSANSPrefix(Element element) + { + // FIXXME: Review this function (GK, 11.06.2002) - should return a list of strings, since more than + // one NS prefix can be bound to the ECDSA namespace + + HashMap inScopeNSAttrs = getInScopeNSAttrs(element); + Iterator inScopeNSAttrsIt = inScopeNSAttrs.keySet().iterator(); + while (inScopeNSAttrsIt.hasNext()) + { + Attr currentAttr = (Attr)inScopeNSAttrs.get(inScopeNSAttrsIt.next()); + if (Constants.ECDSA_NS_URI.equals(currentAttr.getValue())) + { + return ("xmlns".equals(currentAttr.getNodeName())) ? "" : currentAttr.getNodeName().substring(6); + } + } + return null; + } + + /** + * Method octetString2IntArray. + * Converts an octet string representation into an int array as needed for the IAIK ECC library + * @param octetString rightmost byte is least significant byte + * @return int[] rightmost byte is LEAST significant byte + */ + private static int[] octetString2IntArray(String octetString) + { + int byteCount = octetString.length()/2; + int[] intArray = new int[byteCount/4 + ((byteCount % 4 != 0) ? 1 : 0)]; + for (int i = 0; i < byteCount; i++) + { + int oSStartPos = octetString.length() - (i + 1) * 2; + int currentByte = Integer.parseInt(octetString.substring(oSStartPos, oSStartPos + 2), 16); + intArray[i/4] += (currentByte & 0xFF) << ((i % 4) * 8); + } + return intArray; + } + + /** + * Converts an octet string representation into a byte array as needed for the IAIK ECC library + * @param octetString rightmost byte is least significant byte + * @return byte[] rightmost byte is MOST significant byte + */ + private static byte[] octetString2ByteArray(String octetString) + { + int byteCount = octetString.length()/2; + byte[] byteArray = new byte[byteCount]; + for (int i = 0; i < byteCount; i++) + { + int oSStartPos = octetString.length() - (i + 1) * 2; + byteArray[byteCount - i - 1] = (byte) Integer.parseInt(octetString.substring( + oSStartPos, oSStartPos + 2), 16); + } + return byteArray; + } + + /** + * Method evenStringLength. + * @param hexString + * @return String + */ + + private static String evenStringLength(String hexString) + { + return (hexString.length() % 2 != 0) ? "0" + hexString : hexString; + } + + /** + * Method getChildElement. + * @param parent + * @param namespace + * @param localName + * @param instance + * @return Element + */ + + private static Element getChildElement(Element parent, String namespace, String localName, + int instance) + { + NodeList namedElements = parent.getElementsByTagNameNS(namespace, localName); + if (namedElements.getLength() < instance) return null; + return (Element)namedElements.item(instance - 1); + } + + /** + * Method getChildElementText. + * @param parent Element + * @param namespace String + * @param localName String + * @param instance int + * @return String + */ + + private static String getChildElementText(Element parent, String namespace, String localName, + int instance) + { + Element child = getChildElement(parent, namespace, localName, instance); + if (child == null) return null; + NodeList childNodes = child.getChildNodes(); + int nodeCount = 0; + while (nodeCount < childNodes.getLength()) + { + Node currentNode = childNodes.item(nodeCount); + if (currentNode.getNodeType() == Node.TEXT_NODE) return currentNode.getNodeValue(); + nodeCount++; + } + return null; + } + + /** + * Method getInScopeNSAttrs. + * @param element element + * @return HashMap + */ + public static HashMap getInScopeNSAttrs(Element element) + { + // Get all ancestors of element + Vector ancestors = new Vector(); + ancestors.add(element); + Node currentAncestor = element; + while ((currentAncestor = currentAncestor.getParentNode()) != null && + currentAncestor.getNodeType() == Node.ELEMENT_NODE) + { + ancestors.add(currentAncestor); + } + + // Scan all ancestors for NS attributes + HashMap inScopeNSAttrs = new HashMap(); + for (int i = ancestors.size() - 1; i >= 0; i--) + { + Element currentAncestorElem = (Element)ancestors.get(i); + NamedNodeMap attrs = currentAncestorElem.getAttributes(); + for (int j = 0; j < attrs.getLength(); j++) + { + Attr currentAttr = (Attr)attrs.item(j); + String currentAttrName = currentAttr.getNodeName(); + if ("xmlns".equals(currentAttrName) || currentAttrName.startsWith("xmlns:")) + { + inScopeNSAttrs.put(currentAttrName, currentAttr); + } + } + } + + // Check if default NS attribute is in list; if value is empty remove it from list + Attr defaultNSAttr = (Attr)inScopeNSAttrs.get("xmlns"); + if (defaultNSAttr != null && "".equals(defaultNSAttr.getValue())) inScopeNSAttrs.remove("xmlns"); + + return inScopeNSAttrs; + } +}
\ No newline at end of file diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java new file mode 100644 index 000000000..4fbc58977 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java @@ -0,0 +1,89 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * Parses an <code><InfoboxReadResponse></code>. + * + * @author Stefan Knirsch + * @version $Id$ + */ + +public class ErrorResponseParser { + // + // XPath namespace prefix shortcuts + // + /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */ + private static final String SL10 = Constants.SL10_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = "/" + SL10 + "ErrorResponse/"; + /** Xpath expression to the ErrorCode element */ + private static final String ERROR_CODE_XPATH = + ROOT + SL10 + "ErrorCode"; + /** Xpath expression to the Info element */ + private static final String ERROR_INFO_XPATH = + ROOT + SL10 + "Info"; + + + /** This is the root element of the XML-Document provided by the Security Layer Card */ + private Element errorElement; + + /** + * Constructor for InfoboxReadResponseParser. + * A DOM-representation of the incoming String will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as String + * @throws ParseException on any error + */ + public ErrorResponseParser(String xmlResponse) throws ParseException { + try { + InputStream s = new ByteArrayInputStream(xmlResponse.getBytes("UTF-8")); + errorElement = DOMUtils.parseXmlValidating(s); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Constructor for InfoboxReadResponseParser. + * A DOM-representation of the incoming Inputstream will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream + * @throws ParseException on any error + */ + public ErrorResponseParser(InputStream xmlResponse) throws ParseException { + try { + errorElement = DOMUtils.parseXmlValidating(xmlResponse); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString() }, t); + } + } + + /** + * Method getErrorCode. returns the error code + * @return String + */ + public String getErrorCode() { + + return XPathUtils.getElementValue(errorElement,ERROR_CODE_XPATH,null); + } + + /** + * Method getErrorInfo: returns the information about the error + * @return String + */ + public String getErrorInfo() { + + return XPathUtils.getElementValue(errorElement,ERROR_INFO_XPATH,null); + } + + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java new file mode 100644 index 000000000..f9ef54884 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -0,0 +1,266 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.security.interfaces.RSAPublicKey; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.math.BigInteger; +import java.security.PublicKey; +import java.util.ArrayList; +import java.util.List; + +import org.w3c.dom.Element; +import org.w3c.dom.traversal.NodeIterator; + +import at.gv.egovernment.moa.id.*; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * Parses an identity link <code><saml:Assertion></code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class IdentityLinkAssertionParser { + + // + // XPath namespace prefix shortcuts + // + + /** Xpath prefix for reaching PersonData Namespaces */ + private static final String PDATA = Constants.PD_PREFIX + ":"; + /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */ + private static final String SL10 = Constants.SL10_PREFIX + ":"; + /** Xpath prefix for reaching SAML Namespaces */ + private static final String SAML = Constants.SAML_PREFIX + ":"; + /** Xpath prefix for reaching XML-DSIG Namespaces */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + /** Xpath prefix for reaching ECDS Namespaces */ + private static final String ECDSA = Constants.ECDSA_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = "/" + SAML + "Assertion/"; + /** Xpath expression to the SAMLSubjectConfirmationData element */ + private static final String SAML_SUBJECT_CONFIRMATION_DATA_XPATH = + ROOT + + SAML + + "AttributeStatement/" + + SAML + + "Subject/" + + SAML + + "SubjectConfirmation/" + + SAML + + "SubjectConfirmationData"; + /** Xpath expression to the PersonData element */ + private static final String PERSON_XPATH = + SAML_SUBJECT_CONFIRMATION_DATA_XPATH + + "/" + + PDATA + + "Person"; + /** Xpath expression to the PersonData GivenName element */ + private static final String PERSON_GIVEN_NAME_XPATH = + PERSON_XPATH + + "/" + + PDATA + + "Name/" + + PDATA + + "GivenName"; + /** Xpath expression to the PersonData FamilyName element */ + private static final String PERSON_FAMILY_NAME_XPATH = + PERSON_XPATH + + "/" + + PDATA + + "Name/" + + PDATA + + "FamilyName"; + /** Xpath expression to the PersonData DateOfBirth element */ + private static final String PERSON_DATE_OF_BIRTH_XPATH = + PERSON_XPATH + + "/" + + PDATA + + "DateOfBirth"; + /** Xpath expression to the Identification element */ + private static final String PERSON_IDENT_XPATH = + PERSON_XPATH + + "/" + + PDATA + + "Identification"; + + /** Xpath expression to the Identification Value element */ + private static final String PERSON_IDENT_VALUE_XPATH = + PERSON_XPATH + + "/" + + PDATA + + "Identification/" + + PDATA + + "Value"; + /** Xpath expression to the RSAKeyValue element */ + private static final String RSA_KEY_VALUE_XPATH = + ROOT + + SAML + + "AttributeStatement/" + + SAML + + "Attribute/" + + SAML + + "AttributeValue/" + + DSIG + + "RSAKeyValue"; + /** Xpath expression to the RSA Modulus element */ + private static final String RSA_KEY_MODULUS_XPATH = DSIG + "Modulus"; + /** Xpath expression to the RSA Exponent element */ + private static final String RSA_KEY_EXPONENT_XPATH = DSIG + "Exponent"; + /** Xpath expression to the DSIG X509Certificate element */ + private static final String DSIG_CERTIFICATES_XPATH = + ROOT + + DSIG + + "Signature/" + + DSIG + + "KeyInfo/" + + DSIG + + "X509Data/" + + DSIG + + "X509Certificate"; + /** Xpath expression to the DSIG Transforms element */ + private static final String DSIG_REFERENCE_TRANSFORMATION_XPATH = + ROOT + + DSIG + + "Signature/" + + DSIG + + "SignedInfo/" + + DSIG + + "Reference/" + + DSIG + + "Transforms"; + + /**This is the root element of the XML-Document provided by the Security Layer Card*/ + private Element assertionElem; + + /** + * Constructor for <code>IdentityLinkAssertionParser</code>. + * A DOM-representation of the incoming String will be created + * @param xmlAssertion <code><saml:Assertion></code> as String + * @throws ParseException on any parsing error + */ + public IdentityLinkAssertionParser(String xmlAssertion) throws ParseException { + try { + InputStream s = new ByteArrayInputStream(xmlAssertion.getBytes("UTF-8")); + assertionElem = DOMUtils.parseXmlValidating(s); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Constructor for <code>IdentityLinkAssertionParser</code>. + * A DOM-representation of the incoming Inputstream will be created + * @param xmlAssertion <code><saml:Assertion></code> as InputStream + * @throws ParseException on any parsing error + */ + public IdentityLinkAssertionParser(InputStream xmlAssertion) throws Exception { + try { + assertionElem = DOMUtils.parseXmlValidating(xmlAssertion); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString() }, t); + } + } + + /** + * Parses the identity link from the <code><saml:Assertion></code> + * @return Identity link + * @throws ParseException on any parsing error + */ + + public IdentityLink parseIdentityLink() throws ParseException { + IdentityLink identityLink; + try { + identityLink = new IdentityLink(); + //ÄNDERN: NUR der Identification-Teil + identityLink.setSamlAssertion(assertionElem); + identityLink.setPrPerson((Element) + XPathUtils.selectSingleNode(assertionElem, PERSON_XPATH)); + identityLink.setIdentificationValue( + XPathUtils.getElementValue(assertionElem, PERSON_IDENT_VALUE_XPATH, "")); + identityLink.setGivenName( + XPathUtils.getElementValue(assertionElem, PERSON_GIVEN_NAME_XPATH, "")); + identityLink.setFamilyName( + XPathUtils.getElementValue(assertionElem, PERSON_FAMILY_NAME_XPATH, "")); + identityLink.setDateOfBirth( + XPathUtils.getElementValue(assertionElem, PERSON_DATE_OF_BIRTH_XPATH, "")); + NodeIterator dsigRefTransforms = + XPathUtils.selectNodeIterator(assertionElem, DSIG_REFERENCE_TRANSFORMATION_XPATH); + List transElems = new ArrayList(); + Element transformsElem; + while ((transformsElem = (Element) dsigRefTransforms.nextNode()) != null) { + transElems.add(transformsElem); + } + Element[] result = new Element[transElems.size()]; + transElems.toArray(result); + identityLink.setDsigReferenceTransforms(result); + + identityLink.setPublicKey(getPublicKeys()); + + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString() }, t); + } + + return identityLink; + } + + /** + * Parses an array of Public Keys from the <code><InfoboxReadResponse></code> + * @return RSAPublicKey[] + * @throws IOException can occur when decoding the base64 values of the modulus and exponent + */ + public PublicKey[] getPublicKeys() throws IOException{ + + + List pubKeys = new ArrayList(); + //Try to get RSA-Keys + NodeIterator rsaIter = + XPathUtils.selectNodeIterator(assertionElem, RSA_KEY_VALUE_XPATH); + Element rsaElem; + while ((rsaElem = (Element) rsaIter.nextNode()) != null) { + String modulus = + XPathUtils.getElementValue(rsaElem, RSA_KEY_MODULUS_XPATH, ""); + String exponent = + XPathUtils.getElementValue(rsaElem, RSA_KEY_EXPONENT_XPATH, ""); + + RSAPublicKey resPub = + new iaik.security.rsa.RSAPublicKey( + new BigInteger(1, Base64Utils.decode(modulus, true)), + new BigInteger(1, Base64Utils.decode(exponent, true))); + pubKeys.add(resPub);} + + PublicKey[] result = new PublicKey[pubKeys.size()]; + + pubKeys.toArray(result); + return result; + + } + /** + * Parses a string array of decoded base64 certificates from + * the <code><InfoboxReadResponse></code> found in the dsig-signature + * @return String[] with raw-certificates from the dsig-signature keyinfo + * @throws Exception + */ + public String[] getCertificates() throws Exception { + List certs = new ArrayList(); + NodeIterator rsaIter = + XPathUtils.selectNodeIterator(assertionElem, DSIG_CERTIFICATES_XPATH); + Element certElem; + while ((certElem = (Element) rsaIter.nextNode()) != null) { + String content = DOMUtils.getText(certElem); + certs.add(new String(Base64Utils.decode(content, true))); + } + String[] result = new String[certs.size()]; + certs.toArray(result); + return result; + + } +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java new file mode 100644 index 000000000..c1146218e --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java @@ -0,0 +1,110 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * Parses an <code><InfoboxReadResponse></code>. + * + * @author Stefan Knirsch + * @version $Id$ + */ + +public class InfoboxReadResponseParser { + // + // XPath namespace prefix shortcuts + // + /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */ + private static final String SL10 = Constants.SL10_PREFIX + ":"; + /** Xpath prefix for reaching SAML Namespaces */ + private static final String SAML = Constants.SAML_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = "/" + SL10 + "InfoboxReadResponse/"; + /** Xpath expression to the SAML:Assertion element */ + private static final String SAML_ASSERTION_XPATH = ROOT + SL10 + "BinaryFileData/" + SL10 + "XMLContent/" + SAML + "Assertion"; + + /** This is the root element of the XML-Document provided by the Security Layer Card*/ + private Element infoBoxElem; + + /** + * Constructor for InfoboxReadResponseParser. + * A DOM-representation of the incoming String will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as String + * @throws ParseException on any parsing error + */ + public InfoboxReadResponseParser(String xmlResponse) throws ParseException, AuthenticationException { + + ErrorResponseParser erp = new ErrorResponseParser(xmlResponse); + if (erp.getErrorCode() != null) { + throw new AuthenticationException("auth.08", new Object[] { erp.getErrorCode(), erp.getErrorInfo()}); + } + + try { + + InputStream s = new ByteArrayInputStream(xmlResponse.getBytes("UTF-8")); + infoBoxElem = DOMUtils.parseXmlValidating(s); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Constructor for InfoboxReadResponseParser. + * A DOM-representation of the incoming Inputstream will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream + * @throws ParseException on any parsing error + */ + public InfoboxReadResponseParser(InputStream is) throws ParseException, AuthenticationException { + + ErrorResponseParser erp = new ErrorResponseParser(is); + if (erp.getErrorCode() != null) { + throw new AuthenticationException("auth.08", new Object[] { erp.getErrorCode(), erp.getErrorInfo()}); + } + + try { + + infoBoxElem = DOMUtils.parseXmlValidating(is); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Parses the embedded <code><saml:Assertion></code> element from <code><InfoboxReadResponse></code> + * @return <code><saml:Assertion></code> as String + * @throws ParseException on any parsing error + */ + public String parseSAMLAssertion() throws ParseException { + try { + Element samlAssertion = (Element) XPathUtils.selectSingleNode(infoBoxElem, SAML_ASSERTION_XPATH); + return DOMUtils.serializeNode(samlAssertion); + } + catch (Throwable t) { + throw new ParseException("parser.01", new Object[] { t.toString()}, t); + } + } + + /** + * Parses the identity link from the <code><saml:Assertion></code> + * @return Identity link + * @throws ParseException on any parsing error + */ + + public IdentityLink parseIdentityLink() throws ParseException { + String samlAssertionString = parseSAMLAssertion(); + IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(samlAssertionString); + return ilParser.parseIdentityLink(); + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java new file mode 100644 index 000000000..7c4c01abe --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java @@ -0,0 +1,58 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.io.IOException; + +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.util.Base64Utils; + +/** + * Parser for a SAML artifact. + * @author Paul Ivancsics + * @version $Id$ + */ +public class SAMLArtifactParser { + /** byte array containing the SamlArtifact bytes */ + private byte[] samlArtifactBytes; + + /** + * Constructor + * @param samlArtifact as String + * @throws ParseException on any parsing error + */ + public SAMLArtifactParser(String samlArtifact) throws ParseException { + try { + samlArtifactBytes = Base64Utils.decode(samlArtifact, false); + } + catch (IOException ex) { + throw new ParseException("parser.02", new Object[] {ex.toString()}, ex); + } + } + /** + * Parses the type code. + * @return type code + * @throws ParseException when SAML artifact is invalid + */ + public byte[] parseTypeCode() throws ParseException { + try { + byte[] typeCode = new byte[] {samlArtifactBytes[0], samlArtifactBytes[1]}; + return typeCode; + } + catch (Throwable ex) { + throw new ParseException("parser.02", new Object[] {ex.toString()}, ex); + } + } + /** + * Parses the assertion handle. + * @return assertion handle + * @throws ParseException when SAML artifact is invalid + */ + public String parseAssertionHandle() throws ParseException { + try { + return new String(samlArtifactBytes, 22, 20); + } + catch (Throwable ex) { + throw new ParseException("parser.02", new Object[] {ex.toString()}, ex); + } + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java new file mode 100644 index 000000000..c74dc64e8 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java @@ -0,0 +1,159 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import iaik.utils.Base64InputStream; +import iaik.x509.X509Certificate; +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.*; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * Parses a <code><VerifyXMLSignatureResponse></code> returned by + * MOA-SPSS. + * This class implements the Singleton pattern + * + * @author Stefan Knirsch + * @version $Id$ + */ + + +public class VerifyXMLSignatureResponseParser { + // + // XPath namespace prefix shortcuts + // + /** Xpath prefix for reaching MOA Namespaces */ + private static final String MOA = Constants.MOA_PREFIX + ":"; + /** Xpath prefix for reaching DSIG Namespaces */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + /** Xpath prefix for reaching SecurityLayer 1.1 Namespaces */ + private static final String SL11 = Constants.SL11_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = "/" + MOA + "VerifyXMLSignatureResponse/"; + + /** Xpath expression to the X509SubjectName element */ + private static final String DSIG_SUBJECT_NAME_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + DSIG + "X509SubjectName"; + /** Xpath expression to the X509Certificate element */ + private static final String DSIG_X509_CERTIFICATE_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + DSIG + "X509Certificate"; + /** Xpath expression to the PublicAuthority element */ + private static final String PUBLIC_AUTHORITY_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + MOA + "PublicAuthority"; + /** Xpath expression to the PublicAuthorityCode element */ + private static final String PUBLIC_AUTHORITY_CODE_XPATH = + PUBLIC_AUTHORITY_XPATH + "/" + MOA + "Code"; + /** Xpath expression to the QualifiedCertificate element */ + private static final String QUALIFIED_CERTIFICATE_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + SL11 + "QualifiedCertificate"; + + /** Xpath expression to the SignatureCheckCode element */ + private static final String SIGNATURE_CHECK_CODE_XPATH = + ROOT + MOA + "SignatureCheck/" + MOA + "Code"; + /** Xpath expression to the XMLDSIGManifestCheckCode element */ + private static final String XMLDSIG_MANIFEST_CHECK_CODE_XPATH = + ROOT + MOA + "XMLDSIGManifestCheck/" + MOA + "Code"; + /** Xpath expression to the CertificateCheckCode element */ + private static final String CERTIFICATE_CHECK_CODE_XPATH = + ROOT + MOA + "CertificateCheck/" + MOA + "Code"; + + + /** This is the root element of the XML-Document provided by the Security Layer Card*/ + private Element verifyXMLSignatureResponse; + + /** + * Constructor for VerifyXMLSignatureResponseParser. + * A DOM-representation of the incoming String will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as String + * @throws ParseException on any parsing error + */ + public VerifyXMLSignatureResponseParser(String xmlResponse) throws ParseException{ + try { + InputStream s = new ByteArrayInputStream(xmlResponse.getBytes("UTF-8")); + + verifyXMLSignatureResponse = DOMUtils.parseXmlValidating(s); + } + catch (Throwable t) { + throw new ParseException("parser.01", null, t); + } + } + + /** + * Constructor for VerifyXMLSignatureResponseParser. + * A DOM-representation of the incoming Inputstream will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream + * @throws Exception on any parsing error + */ + public VerifyXMLSignatureResponseParser(InputStream xmlResponse) throws Exception + { + try { + verifyXMLSignatureResponse = DOMUtils.parseXmlValidating(xmlResponse); + } + catch (Throwable t) { + throw new ParseException("parser.01", null, t); + } + } + + /** + * Constructor for VerifyXMLSignatureResponseParser. + * The incoming Element will be used for further operations + * @param xmlResponse <code><InfoboxReadResponse></code> as Element + */ + public VerifyXMLSignatureResponseParser(Element xmlResponse) + { + verifyXMLSignatureResponse =xmlResponse; + + } + + /** + * Parse identity link from <code><InfoboxReadResponse></code> + * @return Identity link + * @throws ParseException on any parsing error + */ + + public VerifyXMLSignatureResponse parseData() throws ParseException { + VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse(); + + try { + + respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,"")); + Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH); + respData.setQualifiedCertificate(e!=null); + + Base64InputStream in = new Base64InputStream(new ByteArrayInputStream(XPathUtils.getElementValue( + verifyXMLSignatureResponse,DSIG_X509_CERTIFICATE_XPATH,"").getBytes("UTF-8")),true); + + respData.setX509certificate(new X509Certificate(in)); + + Element publicAuthority = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,PUBLIC_AUTHORITY_CODE_XPATH); + respData.setPublicAuthority(publicAuthority != null); + respData.setPublicAuthorityCode(XPathUtils.getElementValue(verifyXMLSignatureResponse,PUBLIC_AUTHORITY_CODE_XPATH,"")); + respData.setSignatureCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNATURE_CHECK_CODE_XPATH,"")).intValue()); + + String xmlDsigCheckCode = XPathUtils.getElementValue(verifyXMLSignatureResponse,XMLDSIG_MANIFEST_CHECK_CODE_XPATH,null); + if (xmlDsigCheckCode!=null) + { + respData.setXmlDSIGManigest(true); + respData.setXmlDSIGManifestCheckCode(new Integer(xmlDsigCheckCode).intValue()); + } + else + respData.setXmlDSIGManigest(false); + respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue()); + } + catch (Throwable t) { + throw new ParseException("parser.01", null, t); + } + return respData; + } + + +} |