diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java')
| -rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 782 |
1 files changed, 437 insertions, 345 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 278f93f14..06d5b01bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1,41 +1,20 @@ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ package at.gv.egovernment.moa.id.auth; import iaik.asn1.ObjectID; -import iaik.pki.PKIException; import iaik.x509.X509Certificate; import iaik.x509.X509ExtensionInitException; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; -import java.security.GeneralSecurityException; +import java.io.StringWriter; +import java.math.BigInteger; +import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.cert.CertificateException; -//import java.security.cert.CertificateFactory; import java.util.ArrayList; +//import java.security.cert.CertificateFactory; import java.util.Calendar; import java.util.Date; import java.util.Iterator; @@ -49,12 +28,17 @@ import javax.servlet.http.HttpSession; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; +import org.apache.commons.io.IOUtils; import org.apache.commons.lang.StringEscapeUtils; +import org.apache.velocity.Template; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; import org.apache.xpath.XPathAPI; -import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.common.IdentifierGenerator; +import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.xml.util.Base64; import org.opensaml.xml.util.XMLHelper; -import org.springframework.util.xml.DomUtils; +import org.w3c.dom.DOMException; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -90,7 +74,7 @@ import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; -import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor; +import at.gv.egovernment.moa.id.auth.stork.VelocityProvider; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -103,6 +87,8 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants import at.gv.egovernment.moa.id.client.SZRGWClient; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConnectionParameter; @@ -111,13 +97,14 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.stork.CPEPS; import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; -import at.gv.egovernment.moa.id.util.SSLUtils; +import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; @@ -128,22 +115,33 @@ import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; import at.gv.egovernment.moa.util.XPathUtils; +import at.gv.util.xsd.mis.MandateIdentifiers; +import at.gv.util.xsd.mis.Target; import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest; +import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest.PEPSData; import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; -import eu.stork.mw.messages.saml.STORKAuthnRequest; -import eu.stork.vidp.messages.builder.STORKMessagesBuilder; -import eu.stork.vidp.messages.common.STORKConstants; -import eu.stork.vidp.messages.exception.SAMLException; -import eu.stork.vidp.messages.exception.SAMLValidationException; -import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; -import eu.stork.vidp.messages.stork.RequestedAttributes; -import eu.stork.vidp.messages.util.SAMLUtil; -import eu.stork.vidp.messages.util.XMLUtil; +import at.gv.util.xsd.srzgw.MISType; +import at.gv.util.xsd.srzgw.MISType.Filters; +import eu.stork.oasisdss.api.AdditionalProfiles; +import eu.stork.oasisdss.api.ApiUtils; +import eu.stork.oasisdss.api.ApiUtilsException; +import eu.stork.oasisdss.api.Profiles; +import eu.stork.oasisdss.api.QualityLevels; +import eu.stork.oasisdss.api.SignatureTypes; +import eu.stork.oasisdss.profile.AnyType; +import eu.stork.oasisdss.profile.DocumentType; +import eu.stork.oasisdss.profile.SignRequest; +import eu.stork.peps.auth.commons.PEPSUtil; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.exceptions.STORKSAMLEngineException; /** * API for MOA ID Authentication Service.<br> {@link AuthenticationSession} is * stored in a session store and retrieved by giving the session ID. - * + * * @author Paul Ivancsics * @version $Id: AuthenticationServer.java 1273 2012-02-27 14:50:18Z kstranacher * $ @@ -166,7 +164,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Returns the single instance of <code>AuthenticationServer</code>. - * + * * @return the single instance of <code>AuthenticationServer</code> */ public static AuthenticationServer getInstance() { @@ -197,7 +195,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * response to</li> * </ul> * </ul> - * + * * @param authURL * URL of the servlet to be used as data URL * @param target @@ -232,13 +230,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (session == null) { throw new AuthenticationException("auth.18", new Object[] { }); } - + //load OnlineApplication configuration OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() }); - + //load Template String template = null; if (session.getTemplateURL() != null) { @@ -251,7 +249,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } String infoboxReadRequest = ""; - + if (session.isSsoRequested()) { //load identityLink with SSO Target boolean isbuisness = false; @@ -261,50 +259,50 @@ public class AuthenticationServer implements MOAIDAuthConstants { isbuisness = true; domainIdentifier = ssobusiness.getValue(); } - + //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( isbuisness, domainIdentifier); - + } else { //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( oaParam.getBusinessService(), oaParam .getIdentityLinkDomainIdentifier()); } - + String dataURL = new DataURLBuilder().buildDataURL( session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session .getSessionID()); - + //removed in MOAID 2.0 String pushInfobox = ""; - + // VerifyInfoboxParameters verifyInfoboxParameters = oaParam // .getVerifyInfoboxParameters(); // if (verifyInfoboxParameters != null) { // pushInfobox = verifyInfoboxParameters.getPushInfobox(); // session.setPushInfobox(pushInfobox); // } - + //build CertInfo request String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder() .build(); String certInfoDataURL = new DataURLBuilder() .buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION, session.getSessionID()); - + //get Applet Parameters String appletwidth = req.getParameter(PARAM_APPLET_WIDTH); String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH); appletheigth = StringEscapeUtils.escapeHtml(appletheigth); appletwidth = StringEscapeUtils.escapeHtml(appletwidth); - + String htmlForm = new GetIdentityLinkFormBuilder().build(template, session.getBkuURL(), infoboxReadRequest, dataURL, certInfoRequest, certInfoDataURL, pushInfobox, oaParam, appletheigth, appletwidth); - + return htmlForm; } @@ -324,7 +322,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * containg the authentication block, meant to be returned to the security * layer implementation</li> * </ul> - * + * * @param sessionID * ID of associated authentication session data * @param infoboxReadResponseParameters @@ -332,7 +330,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * including the <code><InfoboxReadResponse></code> * @return String representation of the * <code><CreateXMLSignatureRequest></code> - * @throws BKUException + * @throws BKUException */ public String verifyIdentityLink(AuthenticationSession session, Map<String, String> infoboxReadResponseParameters) throws AuthenticationException, @@ -349,7 +347,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (isEmpty(xmlInfoboxReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE }); - + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); @@ -409,7 +407,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setIdentityLink(identityLink); // now validate the extended infoboxes - + //Removed in MOA-ID 2.0 //verifyInfoboxes(session, infoboxReadResponseParameters, false); @@ -432,7 +430,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * containg the authentication block, meant to be returned to the security * layer implementation</li> * </ul> - * + * * @param sessionID * ID of associated authentication session data * @param infoboxReadResponseParameters @@ -457,14 +455,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (certificate.getExtension(OWid) != null) { session.setOW(true); } - + } - + } catch (X509ExtensionInitException e) { Logger.warn("Certificate extension is not readable."); session.setOW(false); } - + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); @@ -473,10 +471,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); - + return returnvalue; } - + /** * Processes an <code>Mandate</code> sent by the MIS.<br> * <ul> @@ -487,7 +485,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * containg the authentication block, meant to be returned to the security * layer implementation</li> * </ul> - * + * * @param sessionID * ID of associated authentication session data * @param infoboxReadResponseParameters @@ -511,10 +509,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { // sets the extended SAML attributes for OID (Organwalter) setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam .getBusinessService()); - + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); - - + + } catch (SAXException e) { throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID }, e); @@ -528,11 +526,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID }, e); } - + } /** - * + * * @param session * @param authConf * @param oaParam @@ -577,7 +575,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <ul> * <li>Creates an CreateXMLSignatureRequest to be signed by the user</li> * </ul> - * + * * @param sessionID * ID of associated authentication session data * @param cert @@ -599,7 +597,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - + return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam, cert); } @@ -637,13 +635,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <li>Verifies signature by calling the MOA SP component</li> * <li>Returns the signer certificate</li> * </ul> - * + * * @param sessionID * ID of associated authentication session data * @param createXMLSignatureResponseParameters * The parameters from the response returned from the BKU * including the <code><CreateXMLSignatureResponse></code> - * @throws BKUException + * @throws BKUException */ public X509Certificate verifyXMLSignature(String sessionID, Map<String, String> createXMLSignatureResponseParameters) @@ -697,13 +695,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <li>Verifies signature by calling the MOA SP component</li> * <li>Returns the signer certificate</li> * </ul> - * + * * @param sessionID * ID of associated authentication session data * @param readInfoboxResponseParameters * The parameters from the response returned from the BKU * including the <code><ReadInfoboxResponse></code> - * @throws BKUException + * @throws BKUException */ public X509Certificate getCertificate(String sessionID, Map<String, String> readInfoboxResponseParameters) throws AuthenticationException, @@ -733,80 +731,80 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Builds an authentication block <code><saml:Assertion></code> from * given session data. - * + * * @param session * authentication session - * + * * @return <code><saml:Assertion></code> as a String - * + * * @throws BuildException * If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ private String buildAuthenticationBlock(AuthenticationSession session, OAAuthParameter oaParam) throws BuildException { - + IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); String identificationValue = null; String identificationType = null; - + //set empty AuthBlock BPK in case of OW or SSO or bpk is not requested if (session.isOW() || session.isSsoRequested() || oaParam.isRemovePBKFromAuthBlock()) { identificationType = ""; identificationValue = ""; - + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { if (oaParam.getBusinessService()) { - + String bpkBase64 = new BPKBuilder().buildWBPK(identityLink .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); identificationValue = bpkBase64; - + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+" )) identificationType = oaParam.getIdentityLinkDomainIdentifier(); else identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - + } else { String bpkBase64 = new BPKBuilder().buildBPK(identityLink .getIdentificationValue(), session.getTarget()); identificationValue = bpkBase64; identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); } - + } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); - + } - + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar .getInstance()); session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); String targetFriendlyName = session.getTargetFriendlyName(); - + // Bug #485 // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) // String oaURL = session.getPublicOAURLPrefix(); - + List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); - - + + if (session.isSsoRequested()) { String oaURL =new String(); try { oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); - + if (MiscUtil.isNotEmpty(oaURL)) oaURL = oaURL.replaceAll("&", "&"); - + } catch (ConfigurationException e) { } String authBlock = new AuthenticationBlockAssertionBuilder() @@ -815,7 +813,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { identificationType, oaURL, gebDat, extendedSAMLAttributes, session, oaParam); return authBlock; - + } else { String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); String authBlock = new AuthenticationBlockAssertionBuilder() @@ -824,20 +822,20 @@ public class AuthenticationServer implements MOAIDAuthConstants { identificationType, oaURL, gebDat, extendedSAMLAttributes, session, oaParam); return authBlock; - } + } } - + /** * Verifies the infoboxes (except of the identity link infobox) returned by * the BKU by calling appropriate validator classes. - * + * * @param session * The actual authentication session. * @param mandate * The Mandate from the MIS - * + * * @throws AuthenticationException * @throws ConfigurationException * @throws TransformerException @@ -860,19 +858,19 @@ public class AuthenticationServer implements MOAIDAuthConstants { verifySAMLAttribute(samlAttribute, i, "MISService", "MISService"); - + } } /** * Verifies the infoboxes (except of the identity link infobox) returned by * the BKU by calling appropriate validator classes. - * + * * @param session * The actual authentication session. * @param mandate * The Mandate from the MIS - * + * * @throws AuthenticationException * @throws ConfigurationException * @throws TransformerException @@ -897,7 +895,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * Adds given SAML Attributes to the current session. They will be appended * to the final SAML Assertion or the AUTH block. If the attributes are * already in the list, they will be replaced. - * + * * @param session * The current session * @param extendedSAMLAttributes @@ -968,7 +966,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * Adds the AUTH block related SAML attributes to the validation result. * This is needed always before the AUTH block is to be signed, because the * name of the mandator has to be set - * + * * @throws ParserConfigurationException * @throws IOException * @throws SAXException @@ -1035,7 +1033,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * Adds the AUTH block related SAML attributes to the validation result. * This is needed always before the AUTH block is to be signed, because the * name of the mandator has to be set - * + * * @throws ParserConfigurationException * @throws IOException * @throws SAXException @@ -1080,7 +1078,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } /** - * + * * @param mandate * @return * @throws ParserConfigurationException @@ -1132,7 +1130,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <li>Deletes authentication session</li> * <li>Returns the SAML artifact, encoded BASE64</li> * </ul> - * + * * @param sessionID * session ID of the running authentication session * @param xmlCreateXMLSignatureReadResponse @@ -1140,20 +1138,20 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <code><CreateXMLSignatureResponse></code> * @return SAML artifact needed for retrieving authentication data, encoded * BASE64 - * @throws BKUException + * @throws BKUException */ public String verifyAuthenticationBlock(AuthenticationSession session, String xmlCreateXMLSignatureReadResponse) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException, BKUException { - + if (session == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); if (isEmpty(xmlCreateXMLSignatureReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); - + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); // parses <CreateXMLSignatureResponse> @@ -1176,7 +1174,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { new CreateXMLSignatureResponseValidator().validateSSO(csresp, session); else new CreateXMLSignatureResponseValidator().validate(csresp, session); - + // builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call List<String> vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs(); String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); @@ -1215,7 +1213,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // Compare AuthBlock Data with information stored in session, especially // date and time CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); - + // compares the public keys from the identityLink with the AuthBlock VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( vsresp, session.getIdentityLink()); @@ -1258,29 +1256,33 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } } - + session.setXMLVerifySignatureResponse(vsresp); session.setSignerCertificate(vsresp.getX509certificate()); vsresp.setX509certificate(null); session.setForeigner(false); - + if (session.getUseMandate()) { // mandate mode return null; - + } else { - + session.setAuthenticatedUsed(false); session.setAuthenticated(true); - - String oldsessionID = session.getSessionID(); + //set QAA Level four in case of card authentifcation + session.setQAALevel(PVPConstants.STORK_QAA_1_4); + + + String oldsessionID = session.getSessionID(); + //Session is implicte stored in changeSessionID!!! String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session); - + Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID); Logger.info("Daten angelegt zu MOASession " + newMOASessionID); - + return newMOASessionID; } } @@ -1302,7 +1304,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <li>Deletes authentication session</li> * <li>Returns the SAML artifact, encoded BASE64</li> * </ul> - * + * * @param sessionID * session ID of the running authentication session * @param xmlCreateXMLSignatureReadResponse @@ -1363,7 +1365,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <li>Deletes authentication session</li> * <li>Returns the SAML artifact, encoded BASE64</li> * </ul> - * + * * @param sessionID * session ID of the running authentication session * @return SAML artifact needed for retrieving authentication data, encoded @@ -1372,11 +1374,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { public String getForeignAuthenticationData(AuthenticationSession session) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException { - + if (session == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); - + // post processing of the infoboxes Iterator iter = session.getInfoboxValidatorIterator(); boolean formpending = false; @@ -1419,10 +1421,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); X509Certificate cert = session.getSignerCertificate(); vsresp.setX509certificate(cert); - + session.setAuthenticatedUsed(false); session.setAuthenticated(true); - + session.setXMLVerifySignatureResponse(vsresp); session.setSignerCertificate(vsresp.getX509certificate()); @@ -1436,7 +1438,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Builds the AuthenticationData object together with the corresponding * <code><saml:Assertion></code> - * + * * @param session * authentication session * @param verifyXMLSigResp @@ -1456,23 +1458,23 @@ public class AuthenticationServer implements MOAIDAuthConstants { IdentityLink identityLink = session.getIdentityLink(); AuthenticationData authData = new AuthenticationData(); - + VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - + boolean businessService = oaParam.getBusinessService(); - + authData.setMajorVersion(1); authData.setMinorVersion(0); authData.setAssertionID(Random.nextRandom()); authData.setIssuer(session.getAuthURL()); - + authData.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar .getInstance())); - + //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO authData.setIdentificationValue(identityLink.getIdentificationValue()); authData.setIdentificationType(identityLink.getIdentificationType()); - + authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); @@ -1482,25 +1484,25 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setPublicAuthorityCode(verifyXMLSigResp .getPublicAuthorityCode()); authData.setBkuURL(session.getBkuURL()); - + try { - + if (session.getUseMandate() && session.isOW()) { MISMandate mandate = session.getMISMandate(); authData.setBPK(mandate.getOWbPK()); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); authData.setIdentityLink(identityLink); - + Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - + } else { - + if (businessService) { //since we have foreigner, wbPK is not calculated in BKU if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - + if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { // If domainIdentifier starts with prefix // "urn:publicid:gv.at:wbpk+"; remove this prefix @@ -1508,47 +1510,47 @@ public class AuthenticationServer implements MOAIDAuthConstants { .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + registerAndOrdNr); - } - + } + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); authData.setBPK(wbpkBase64); authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - + } else { authData.setBPK(identityLink.getIdentificationValue()); authData.setBPKType(identityLink.getIdentificationType()); - + } - + Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - + Element idlassertion = session.getIdentityLink().getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type + //set bkp/wpbk type Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); IdentityLink idl = idlparser.parseIdentityLink(); authData.setIdentityLink(idl); - + } else { - - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { // only compute bPK if online application is a public service and we have the Stammzahl String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); authData.setBPK(bpkBase64); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); } - + Logger.trace("Authenticate user with bPK " + authData.getBPK()); - + authData.setIdentityLink(identityLink); } } - + return authData; } catch (Throwable ex) { @@ -1559,7 +1561,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Retrieves a session from the session store. - * + * * @param id * session ID * @return <code>AuthenticationSession</code> stored with given session ID, @@ -1567,7 +1569,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public static AuthenticationSession getSession(String id) throws AuthenticationException { - + AuthenticationSession session; try { session = AuthenticationSessionStoreage.getSession(id); @@ -1575,10 +1577,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (session == null) throw new AuthenticationException("auth.02", new Object[] { id }); return session; - + } catch (MOADatabaseException e) { throw new AuthenticationException("parser.04", new Object[] { id }); - } + } } /** @@ -1586,38 +1588,38 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public void cleanup() { long now = new Date().getTime(); - - //clean AuthenticationSessionStore - + + //clean AuthenticationSessionStore + AuthenticationSessionStoreage.clean(now, sessionTimeOutCreated, sessionTimeOutUpdated); - + //clean AssertionStore AssertionStorage assertionstore = AssertionStorage.getInstance(); assertionstore.clean(now, authDataTimeOut); - - //clean ExeptionStore + + //clean ExeptionStore DBExceptionStoreImpl exstore = DBExceptionStoreImpl.getStore(); exstore.clean(now, authDataTimeOut); - + } /** * Sets the sessionTimeOut. - * + * * @param seconds * Time out of the session in seconds */ public void setSecondsSessionTimeOutCreated(long seconds) { sessionTimeOutCreated = seconds * 1000; } - + public void setSecondsSessionTimeOutUpdated(long seconds) { sessionTimeOutUpdated = seconds * 1000; } /** * Sets the authDataTimeOut. - * + * * @param seconds * Time out for signing AuthData in seconds */ @@ -1627,7 +1629,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Checks a parameter. - * + * * @param param * parameter * @return true if the parameter is null or empty @@ -1638,7 +1640,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Checks the correctness of SAML attributes and returns its value. - * + * * @param param * samlAttribute * @param i @@ -1687,94 +1689,151 @@ public class AuthenticationServer implements MOAIDAuthConstants { return value; } - + /** * Does the request to the SZR-GW - * @param signature XMLDSIG signature + * @param oaFriendlyName + * @param signature XMLDSIG signature * @return Identity link assertion * @throws SZRGWClientException */ - public at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse - getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException { - SZRGWClient client = null; - + public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, String gender, String citizenSignature, String represented, String representative, String mandateContent, String organizationAddress, String organizationType, String targetType, String targetValue, String oaFriendlyName, String filters) throws SZRGWClientException { + try { AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter(); - client = new SZRGWClient(connectionParameters); + SZRGWClient client = new SZRGWClient(connectionParameters); CreateIdentityLinkRequest request = new CreateIdentityLinkRequest(); - request.setSignature(DOMUtils.serializeNode(signature).getBytes()); + request.setSignature(citizenSignature.getBytes()); + + PEPSData data = new PEPSData(); + data.setDateOfBirth(PEPSDateOfBirth); + data.setFamilyname(PEPSFamilyname); + data.setFirstname(PEPSFirstname); + data.setIdentifier(PEPSIdentifier); + + data.setRepresentative(representative); + data.setRepresented(represented); + data.setMandateContent(mandateContent); - CreateIdentityLinkResponse response = client.sentCreateIDLRequest(request , connectionParameters.getUrl()); + data.setLegalPersonCanonicalRegisteredAddress(organizationAddress); + data.setLegalPersonTranslatableType(organizationType); + + if(null != mandateContent) { + MISType mis = new MISType(); + + Target targetObject = new Target(); + targetObject.setType(targetType); + targetObject.setValue(targetValue); + mis.setTarget(targetObject); + + mis.setOAFriendlyName(oaFriendlyName); + + Filters filterObject = new Filters(); + MandateIdentifiers mandateIds = new MandateIdentifiers(); + for(String current : filters.split(",")) + mandateIds.getMandateIdentifier().add(current.trim()); + filterObject.setMandateIdentifiers(mandateIds); + mis.setFilters(filterObject); + + request.setMIS(mis); + } - - -// client.setAddress(connectionParameters.getUrl()); -// if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) { -// Logger.debug("Initialisiere SSL Verbindung"); -// try { -// client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters)); -// } catch (IOException e) { -// Logger.error("Could not initialize SSL Factory", e); -// throw new SZRGWClientException("Could not initialize SSL Factory"); -// } catch (GeneralSecurityException e) { -// Logger.error("Could not initialize SSL Factory", e); -// throw new SZRGWClientException("Could not initialize SSL Factory"); -// } catch (PKIException e) { -// Logger.error("Could not initialize SSL Factory", e); -// throw new SZRGWClientException("Could not initialize SSL Factory"); -// } -// } Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")..."); + CreateIdentityLinkResponse response = client.sentCreateIDLRequest(request , connectionParameters.getUrl()); + return response; + } catch (ConfigurationException e) { Logger.warn(e); Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null )); - } catch (TransformerException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (IOException e) { - // TODO Auto-generated catch block - e.printStackTrace(); } -// // create request -// CreateIdentityLinkResponse response = null; -// Element request = null; -// try { -// Document doc = client.buildGetIdentityLinkRequest(PEPSIdentifier, PEPSFirstname, PEPSFamilyname, PEPSDateOfBirth, signature); -// request = doc.getDocumentElement(); -// -// // send request -// response = client.createIdentityLinkResponse(request, connectionParameters.getUrl()); -// -// -// -// } catch (SZRGWClientException e) { -// // give him a second try - Nach dem Starten des Tomcat wird beim ersten Mal das Client-Zertifikat offenbar vom HTTPClient nicht mitgeschickt. -//// try { -//// response = client.createIdentityLinkResponse(request); -//// } -//// catch (SZRGWClientException e1) { -//// throw new SZRGWClientException(e1); -//// } -// } - - return null; } + + /** + * Does the request to the SZR-GW. + * + * @param signature the signature + * @return the identity link + * @throws SZRGWClientException the sZRGW client exception + * @throws ConfigurationException the configuration exception + */ + public CreateIdentityLinkResponse getIdentityLink(Element signature) throws SZRGWClientException, ConfigurationException { + return getIdentityLink(null, null, null, null, XMLHelper.nodeToString(signature)); + } + + /** + * Does the request to the SZR-GW. + * + * @param PEPSIdentifier the pEPS identifier + * @param PEPSFirstname the pEPS firstname + * @param PEPSFamilyname the pEPS familyname + * @param PEPSDateOfBirth the pEPS date of birth + * @param signature XMLDSIG signature + * @return Identity link assertion + * @throws SZRGWClientException the sZRGW client exception + * @throws ConfigurationException the configuration exception + */ + public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, String signature) throws SZRGWClientException { + return getIdentityLink(PEPSIdentifier, PEPSFirstname, PEPSFamilyname, PEPSDateOfBirth, null, signature, null, null, null, null, null, null, null); + } + + /** + * Gets the identity link. + * + * @param citizenSignature the citizen signature + * @param representative the representative + * @param represented the represented + * @param mandate the mandate + * @param organizationAddress the organization address + * @param organizationType the organization type + * @return the identity link + * @throws SZRGWClientException + */ + public CreateIdentityLinkResponse getIdentityLink(String citizenSignature, + String representative, String represented, String mandateContent, + String organizationAddress, String organizationType, String targetType, String targetValue, String oaFriendlyName, String filters) throws SZRGWClientException { + return getIdentityLink(null, null, null, null, null, + citizenSignature, represented, representative, mandateContent, organizationAddress, + organizationType, targetType, targetValue, oaFriendlyName, filters); + } + /** + * SZR-GW Client interface. + * + * @param eIdentifier the e identifier + * @param givenName the given name + * @param lastName the last name + * @param dateOfBirth the date of birth + * @param citizenSignature the citizen signature + * @param representative the representative + * @param represented the represented + * @param mandate the mandate + * @return the identity link + * @throws SZRGWClientException the sZRGW client exception + */ + public CreateIdentityLinkResponse getIdentityLink(String eIdentifier, + String givenName, String lastName, String dateOfBirth, String gender, + String citizenSignature, String representative, String represented, + String mandate, String targetType, String targetValue, String oaFriendlyName, String filters) throws SZRGWClientException { + return getIdentityLink(eIdentifier, givenName, lastName, dateOfBirth, gender, + citizenSignature, representative, represented, mandate, null, + null, targetType, targetValue, oaFriendlyName, filters); + } + /** * Starts a MOA-ID authentication process using STORK * @param req HttpServletRequest * @param resp HttpServletResponse * @param ccc Citizen country code - * @param oaURL URL of the online application + * @param oaURL URL of the online application * @param target Target parameter * @param targetFriendlyName Friendly Name of Target * @param authURL Authentication URL @@ -1786,138 +1845,116 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public static void startSTORKAuthentication( HttpServletRequest req, - HttpServletResponse resp, + HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException { - + if (moasession == null) { throw new AuthenticationException("auth.18", new Object[] { }); } - + //read configuration paramters of OA OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { moasession.getPublicOAURLPrefix() }); - - //Start of STORK Processing + + //Start of STORK Processing STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); - + CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc()); - - Logger.debug("Preparing to assemble STORK AuthnRequest witht the following values:"); - String destination = cpeps.getPepsURL().toExternalForm(); + + Logger.debug("Preparing to assemble STORK AuthnRequest witt the following values:"); + String destination = cpeps.getPepsURL().toExternalForm(); Logger.debug("C-PEPS URL: " + destination); - + String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); - + String providerName= oaParam.getFriendlyName(); String issuerValue = HTTPUtils.getBaseURL(req); Logger.debug("Issuer value: " + issuerValue); - - - QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); - //Logger.debug("QAALevel: " + qaaLevel.getValue()); - - RequestedAttributes requestedAttributes = null; - - requestedAttributes = oaParam.getRequestedAttributes(); - requestedAttributes.detach(); - List<RequestedAttribute> reqAttributeList = new ArrayList<RequestedAttribute>(); - List<RequestedAttribute> oaReqAttributeList = null; - oaReqAttributeList = new ArrayList<RequestedAttribute>(oaParam.getRequestedAttributes().getRequestedAttributes()); - - //check if country specific attributes must be additionally requested - if (!cpeps.getCountrySpecificRequestedAttributes().isEmpty()) { - //add country specific attributes to be requested (Hierarchy: default oa attributes > country specific attributes > oa specific attributes - Logger.debug("We have addtional country specific attributes to be requested from the C-PEPS of country: " + moasession.getCcc()); - Logger.debug("The following attributes are requested for this specific country:"); - List<RequestedAttribute> countrySpecificReqAttributeList = new ArrayList<RequestedAttribute>(cpeps.getCountrySpecificRequestedAttributes()); - for (RequestedAttribute csReqAttr : countrySpecificReqAttributeList) { - csReqAttr.detach(); - if (!STORKConstants.DEFAULT_STORK_REQUESTED_ATTRIBUTE_SET.contains(csReqAttr.getName())) { - //this country specific attribute does not override default attribute - if (SAMLUtil.containsAttribute(oaReqAttributeList, csReqAttr.getName())) { - //the same attribute is requested for OA, applying hierachy - //remove oa attribute - oaReqAttributeList.remove(SAMLUtil.getAttribute(oaReqAttributeList, csReqAttr.getName())); - //add country specific attribute instead - Logger.debug("Requested Attribute (" + csReqAttr.getName() + ") is also requested by OA but we use Country Specific value instead"); - } - oaReqAttributeList.add(csReqAttr); - Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired()); - } else { - Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired() + " tries to overwrite default requested and required attributes, hence we skip it."); - } - - } - reqAttributeList.addAll(oaReqAttributeList); - } else { - //no country specific requested attributes - reqAttributeList.addAll(oaReqAttributeList); + + // prepare collection of required attributes + // - attributes for online application + List<OAStorkAttribute> attributesFromConfig = oaParam.getRequestedAttributes(); + + // - prepare attribute list + PersonalAttributeList attributeList = new PersonalAttributeList(); + + // - fill container + for(OAStorkAttribute current : attributesFromConfig) { + PersonalAttribute newAttribute = new PersonalAttribute(); + newAttribute.setName(current.getName()); + + boolean globallyMandatory = false; + for(StorkAttribute currentGlobalAttribute : storkConfig.getStorkAttributes()) + if(current.getName().equals(currentGlobalAttribute.getName())) { + globallyMandatory = currentGlobalAttribute.isMandatory(); + break; + } + + newAttribute.setIsRequired(current.isMandatory() || globallyMandatory); + attributeList.add(newAttribute); } - - reqAttributeList = (List<RequestedAttribute>) SAMLUtil.releaseDOM(reqAttributeList); - requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes(reqAttributeList); - + + // add sign request + PersonalAttribute newAttribute = new PersonalAttribute(); + newAttribute.setName("signedDoc"); + List<String> value = new ArrayList<String>(); + value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", + moasession.getCcc())); + newAttribute.setValue(value); + attributeList.add(newAttribute); + + if (Logger.isDebugEnabled()) { Logger.debug("The following attributes are requested for this OA:"); - for (RequestedAttribute logReqAttr : reqAttributeList) { - Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isRequired()); - - } + for (OAStorkAttribute logReqAttr : attributesFromConfig) + Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isMandatory()); } - - + //TODO: check Target in case of SSO!! String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); String spApplication = spInstitution; String spCountry = "AT"; - - String textToBeSigned = - CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession); - - //generate AuthnRquest - STORKAuthnRequest storkAuthnRequest = STORKAuthnRequestProcessor.generateSTORKAuthnRequest( - destination, - acsURL, - providerName, - issuerValue, - qaaLevel, - requestedAttributes, - spSector, - spInstitution, - spApplication, - spCountry, - textToBeSigned, - "application/xhtml+xml"); - + + //generate AuthnRquest + STORKAuthnRequest authnRequest = new STORKAuthnRequest(); + authnRequest.setDestination(destination); + authnRequest.setAssertionConsumerServiceURL(acsURL); + authnRequest.setProviderName(providerName); + authnRequest.setIssuer(issuerValue); + authnRequest.setQaa(oaParam.getQaaLevel()); + authnRequest.setSpInstitution(spInstitution); + authnRequest.setCountry(spCountry); + authnRequest.setSpApplication(spApplication); + authnRequest.setSpSector(spSector); + authnRequest.setPersonalAttributeList(attributeList); + + authnRequest.setEIDCrossBorderShare(true); + authnRequest.setEIDCrossSectorShare(true); + authnRequest.setEIDSectorShare(true); + + authnRequest.setCitizenCountryCode(moasession.getCcc()); + + Logger.debug("STORK AuthnRequest succesfully assembled."); - - //sign AuthnRequest - String keyStorePath = storkConfig.getSignatureCreationParameter().getKeyStorePath(); - String keyStorePassword = storkConfig.getSignatureCreationParameter().getKeyStorePassword(); - String keyName = storkConfig.getSignatureCreationParameter().getKeyName(); - String keyPassword = storkConfig.getSignatureCreationParameter().getKeyPassword(); - - Logger.debug("Starting signing process of STORK AuthnRequest."); - Logger.trace("Using the following Keystore and Key for that:"); - Logger.trace("KeyStore: " + keyStorePath); - Logger.trace("KeyName: " + keyName); - + + STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); try { - storkAuthnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(storkAuthnRequest, keyStorePath, keyStorePassword, keyName, keyPassword); - } catch (SAMLException e) { + authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest); + } catch (STORKSAMLEngineException e) { Logger.error("Could not sign STORK SAML AuthnRequest.", e); throw new MOAIDException("stork.00", null); } - + Logger.info("STORK AuthnRequest successfully signed!"); //validate AuthnRequest try { - STORKAuthnRequestProcessor.validateSTORKAuthnRequest(storkAuthnRequest); - } catch (SAMLValidationException e) { + samlEngine.validateSTORKAuthnRequest(authnRequest.getTokenSaml()); + } catch (STORKSAMLEngineException e) { Logger.error("STORK SAML AuthnRequest not valid.", e); throw new MOAIDException("stork.01", null); } @@ -1925,28 +1962,83 @@ public class AuthenticationServer implements MOAIDAuthConstants { Logger.debug("STORK AuthnRequest successfully internally validated."); //send - moasession.setStorkAuthnRequest(storkAuthnRequest); + moasession.setStorkAuthnRequest(authnRequest); HttpSession httpSession = req.getSession(); httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID()); - - Logger.debug("Preparing to send STORK AuthnRequest."); - + + + Logger.info("Preparing to send STORK AuthnRequest."); + Logger.info("prepared STORKAuthnRequest: "); + Logger.info(new String(authnRequest.getTokenSaml())); + try { - STORKAuthnRequestProcessor.sendSTORKAuthnRequest(req, resp, storkAuthnRequest); + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/saml2-post-binding-moa.vm"); + VelocityContext context = new VelocityContext(); + context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authnRequest.getTokenSaml())); + context.put("action", destination); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + resp.getOutputStream().write(writer.toString().getBytes()); } catch (Exception e) { Logger.error("Error sending STORK SAML AuthnRequest.", e); httpSession.invalidate(); throw new MOAIDException("stork.02", new Object[] { destination }); } - - Logger.info("STORK AuthnRequest successfully sent to: " + storkAuthnRequest.getDestination()); - Logger.debug("STORKAuthnRequest sent (pretty print): "); - Logger.debug(XMLHelper.prettyPrintXML(storkAuthnRequest.getDOM())); - Logger.trace("STORKAuthnRequest sent (original): "); - Logger.trace(XMLUtil.printXML(storkAuthnRequest.getDOM())); - + + Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); } - + + private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) { + IdentifierGenerator idGenerator; + try { + idGenerator = new SecureRandomIdentifierGenerator(); + + DocumentType doc = new DocumentType(); + doc.setBase64XML(text.getBytes()); + doc.setID(idGenerator.generateIdentifier()); + + SignRequest request = new SignRequest(); + request.setInputDocuments(ApiUtils.createInputDocuments(doc)); + + String id = idGenerator.generateIdentifier(); + request.setRequestID(id); + request.setDocUI(id); + + request.setProfile(Profiles.XADES_BES.toString()); + request.setNumberOfSigners(BigInteger.ONE); + request.setTargetCountry(citizenCountry); + + // no, no todo. PEPS will alter this value anyhow. + request.setReturnURL("http://invalid_return"); + + AnyType required = new AnyType(); + required.getAny().add(ApiUtils.createSignatureType(SignatureTypes.XMLSIG_RFC3275.toString())); + required.getAny().add(ApiUtils.createAdditionalProfile(AdditionalProfiles.XADES.toString())); + required.getAny().add(ApiUtils.createQualityRequirements(QualityLevels.QUALITYLEVEL_QUALIFIEDSIG)); + required.getAny().add(ApiUtils.createIncludeObject(doc)); + request.setOptionalInputs(required); + + return IOUtils.toString(ApiUtils.marshalToInputStream(request)); + } catch (NoSuchAlgorithmException e) { + Logger.error("Cannot generate id", e); + throw new RuntimeException(e); + } catch (ApiUtilsException e) { + Logger.error("Could not create SignRequest", e); + throw new RuntimeException(e); + } catch (DOMException e) { + Logger.error("Could not create SignRequest", e); + throw new RuntimeException(e); + } catch (IOException e) { + Logger.error("Could not create SignRequest", e); + throw new RuntimeException(e); + } + } + /** * Extracts an X509 Certificate out of an XML signagture element * @param signedXML XML signature element @@ -1954,27 +2046,27 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws CertificateException */ public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException { - + NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate"); - + String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList); - - if (StringUtils.isEmpty(base64CertString)) { + + if (StringUtils.isEmpty(base64CertString)) { String msg = "XML does not contain a X509Certificate element."; Logger.error(msg); throw new CertificateException(msg); } - + InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString)); - + X509Certificate cert; try { cert = new X509Certificate(is); return cert; - + } catch (Throwable e) { throw new CertificateException(e); } } - + } |