Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java384
1 files changed, 161 insertions, 223 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index d7083ec81..4709f8c68 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -2,6 +2,7 @@
package at.gv.egovernment.moa.id.auth;
import iaik.asn1.ObjectID;
+import iaik.pki.PKIRuntimeException;
import iaik.util.logging.Log;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
@@ -314,12 +315,18 @@ public class AuthenticationServer implements MOAIDAuthConstants {
appletwidth = StringEscapeUtils.escapeHtml(appletwidth);
- //TODO: cleanup before MOA-ID 2.1 release
- String htmlForm = new GetIdentityLinkFormBuilder().build(template,
- session.getBkuURL(), infoboxReadRequest, dataURL, null,
- null, pushInfobox, oaParam, appletheigth, appletwidth);
-
- return htmlForm;
+ //TODO: cleanup before MOA-ID 2.1 release
+ try {
+ String htmlForm = new GetIdentityLinkFormBuilder().build(template,
+ session.getBkuURL(), infoboxReadRequest, dataURL, null,
+ null, pushInfobox, oaParam, appletheigth, appletwidth);
+
+ return htmlForm;
+
+ } catch (BuildException e) {
+ throw new BuildException("builder.07", null, e);
+
+ }
}
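Review bot: The catch at L37–L38 rewraps every BuildException from GetIdentityLinkFormBuilder under the single key `builder.07` with null message arguments, so whatever key and arguments the builder attached are now only reachable through the cause chain. If the intent is to keep builder-internal error keys out of the user-facing message, say so in a comment, e.g. `// rewrap under a generic key so builder-internal error keys are not surfaced to the user`; otherwise rethrowing `e` unchanged is simpler. The `//TODO: cleanup before MOA-ID 2.1 release` at L29 is carried over verbatim without saying what remains to be cleaned up. The enclosing method starts before this hunk.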
/**
@@ -524,16 +531,16 @@ public class AuthenticationServer implements MOAIDAuthConstants {
} catch (SAXException e) {
- throw new AuthenticationException("auth.16",
+ throw new AuthenticationException("auth.15",
new Object[]{GET_MIS_SESSIONID}, e);
} catch (IOException e) {
- throw new AuthenticationException("auth.16",
+ throw new AuthenticationException("auth.15",
new Object[]{GET_MIS_SESSIONID}, e);
} catch (ParserConfigurationException e) {
- throw new AuthenticationException("auth.16",
+ throw new AuthenticationException("auth.15",
new Object[]{GET_MIS_SESSIONID}, e);
} catch (TransformerException e) {
- throw new AuthenticationException("auth.16",
+ throw new AuthenticationException("auth.15",
new Object[]{GET_MIS_SESSIONID}, e);
}
@@ -553,9 +560,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
OAAuthParameter oaParam) throws ConfigurationException,
BuildException, ValidateException {
- // check for intermediate processing of the infoboxes
- if (session.isValidatorInputPending())
- return "Redirect to Input Processor";
+// // check for intermediate processing of the infoboxes
+// if (session.isValidatorInputPending())
+// return "Redirect to Input Processor";
if (authConf == null)
authConf = AuthConfigurationProvider.getInstance();
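Review bot: The `isValidatorInputPending()` guard at L67–L69 is commented out rather than removed, and the same is done again in the following hunk, so it is unclear from the code whether the intermediate infobox-processing step is retired or only temporarily disabled in an authentication path. Either delete these three lines together with the matching `// post processing of the infoboxes` blocks later in the file, or keep the guard and document why it must no longer fire, e.g. `// infobox validator input processing has been removed; no intermediate redirect is needed here`. The enclosing method's body continues past this hunk.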
@@ -611,9 +618,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
OAAuthParameter oaParam, X509Certificate cert)
throws ConfigurationException {
- // check for intermediate processing of the infoboxes
- if (session.isValidatorInputPending())
- return "Redirect to Input Processor";
+// // check for intermediate processing of the infoboxes
+// if (session.isValidatorInputPending())
+// return "Redirect to Input Processor";
if (authConf == null)
authConf = AuthConfigurationProvider.getInstance();
@@ -1164,11 +1171,31 @@ public class AuthenticationServer implements MOAIDAuthConstants {
vtids, tpid);
// debug output
- // invokes the call
- Element domVsresp = new SignatureVerificationInvoker()
- .verifyXMLSignature(domVsreq);
- // debug output
+ Element domVsresp = null;
+
+// try {
+ // invokes the call
+ domVsresp = new SignatureVerificationInvoker()
+ .verifyXMLSignature(domVsreq);
+ // debug output
+
+// } catch ( ServiceException e) {
+// Logger.error("Signature verification error. ", e);
+// Logger.error("Signed Data: " + session.getAuthBlock());
+// try {
+// Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq));
+// } catch (TransformerException e1) {
+// e1.printStackTrace();
+//
+// } catch (IOException e1) {
+// e1.printStackTrace();
+//
+// }
+//
+// throw e;
+// }
+
// parses the <VerifyXMLSignatureResponse>
VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponseParser(
domVsresp).parseData();
@@ -1196,48 +1223,66 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// date and time
CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp);
- // compares the public keys from the identityLink with the AuthBlock
- VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(
- vsresp, session.getIdentityLink());
-
- // post processing of the infoboxes
- Iterator iter = session.getInfoboxValidatorIterator();
- boolean formpending = false;
- if (iter != null) {
- while (!formpending && iter.hasNext()) {
- Vector infoboxValidatorVector = (Vector) iter.next();
- String identifier = (String) infoboxValidatorVector.get(0);
- String friendlyName = (String) infoboxValidatorVector.get(1);
- InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
- .get(2);
- InfoboxValidationResult infoboxValidationResult = null;
- try {
- infoboxValidationResult = infoboxvalidator.validate(csresp
- .getSamlAssertion());
- } catch (ValidateException e) {
- Logger.error("Error validating " + identifier + " infobox:"
- + e.getMessage());
- throw new ValidateException("validator.44",
- new Object[]{friendlyName});
- }
- if (!infoboxValidationResult.isValid()) {
- Logger.info("Validation of " + identifier
- + " infobox failed.");
- throw new ValidateException("validator.40", new Object[]{
- friendlyName,
- infoboxValidationResult.getErrorMessage()});
- }
- String form = infoboxvalidator.getForm();
- if (ParepUtils.isEmpty(form)) {
- AddAdditionalSAMLAttributes(
- session,
- infoboxValidationResult.getExtendedSamlAttributes(),
- identifier, friendlyName);
- } else {
- return "Redirect to Input Processor";
- }
- }
- }
+ try {
+ // compares the public keys from the identityLink with the AuthBlock
+ VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(
+ vsresp, session.getIdentityLink());
+
+ } catch ( ValidateException e) {
+ Logger.error("Signature verification error. ", e);
+ Logger.error("Signed Data: " + session.getAuthBlock());
+ try {
+ Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq));
+ Logger.error("VerifyResponse: " + DOMUtils.serializeNode(domVsresp));
+ } catch (TransformerException e1) {
+ e1.printStackTrace();
+
+ } catch (IOException e1) {
+ e1.printStackTrace();
+
+ }
+
+ throw e;
+ }
+
+// // post processing of the infoboxes
+// Iterator iter = session.getInfoboxValidatorIterator();
+// boolean formpending = false;
+// if (iter != null) {
+// while (!formpending && iter.hasNext()) {
+// Vector infoboxValidatorVector = (Vector) iter.next();
+// String identifier = (String) infoboxValidatorVector.get(0);
+// String friendlyName = (String) infoboxValidatorVector.get(1);
+// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
+// .get(2);
+// InfoboxValidationResult infoboxValidationResult = null;
+// try {
+// infoboxValidationResult = infoboxvalidator.validate(csresp
+// .getSamlAssertion());
+// } catch (ValidateException e) {
+// Logger.error("Error validating " + identifier + " infobox:"
+// + e.getMessage());
+// throw new ValidateException("validator.44",
+// new Object[]{friendlyName});
+// }
+// if (!infoboxValidationResult.isValid()) {
+// Logger.info("Validation of " + identifier
+// + " infobox failed.");
+// throw new ValidateException("validator.40", new Object[]{
+// friendlyName,
+// infoboxValidationResult.getErrorMessage()});
+// }
+// String form = infoboxvalidator.getForm();
+// if (ParepUtils.isEmpty(form)) {
+// AddAdditionalSAMLAttributes(
+// session,
+// infoboxValidationResult.getExtendedSamlAttributes(),
+// identifier, friendlyName);
+// } else {
+// return "Redirect to Input Processor";
+// }
+// }
+// }
session.setXMLVerifySignatureResponse(vsresp);
session.setSignerCertificate(vsresp.getX509certificate());
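Review bot: The new catch at L167–L182 writes `session.getAuthBlock()` and the fully serialized verify request and response to the error log whenever the certificate comparison throws a ValidateException; these payloads presumably carry the citizen's identity link and signed personal data, so one failed validation dumps them into the server log. Keep `Logger.error("Signature verification error. ", e);` at error level and move the payload dumps to debug, e.g. `Logger.debug("VerifyRequest: " + DOMUtils.serializeNode(domVsreq));`, so they only appear when deliberately enabled. The inner `e1.printStackTrace()` calls at L174 and L177 bypass the logger entirely and should become `Logger.error("Could not serialize verify request/response", e1);`. The `// post processing of the infoboxes` block at L184–L221 is left as commented-out code; if the infobox validators are gone for good, delete it rather than carry it along. The enclosing method starts before and ends after this hunk.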
@@ -1358,44 +1403,44 @@ public class AuthenticationServer implements MOAIDAuthConstants {
throw new AuthenticationException("auth.10", new Object[]{
REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID});
- // post processing of the infoboxes
- Iterator iter = session.getInfoboxValidatorIterator();
- boolean formpending = false;
- if (iter != null) {
- while (!formpending && iter.hasNext()) {
- Vector infoboxValidatorVector = (Vector) iter.next();
- String identifier = (String) infoboxValidatorVector.get(0);
- String friendlyName = (String) infoboxValidatorVector.get(1);
- InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
- .get(2);
- InfoboxValidationResult infoboxValidationResult = null;
- try {
- infoboxValidationResult = infoboxvalidator.validate(session
- .getIdentityLink().getSamlAssertion());
- } catch (ValidateException e) {
- Logger.error("Error validating " + identifier + " infobox:"
- + e.getMessage());
- throw new ValidateException("validator.44",
- new Object[]{friendlyName});
- }
- if (!infoboxValidationResult.isValid()) {
- Logger.info("Validation of " + identifier
- + " infobox failed.");
- throw new ValidateException("validator.40", new Object[]{
- friendlyName,
- infoboxValidationResult.getErrorMessage()});
- }
- String form = infoboxvalidator.getForm();
- if (ParepUtils.isEmpty(form)) {
- AddAdditionalSAMLAttributes(
- session,
- infoboxValidationResult.getExtendedSamlAttributes(),
- identifier, friendlyName);
- } else {
- return "Redirect to Input Processor";
- }
- }
- }
+// // post processing of the infoboxes
+// Iterator iter = session.getInfoboxValidatorIterator();
+// boolean formpending = false;
+// if (iter != null) {
+// while (!formpending && iter.hasNext()) {
+// Vector infoboxValidatorVector = (Vector) iter.next();
+// String identifier = (String) infoboxValidatorVector.get(0);
+// String friendlyName = (String) infoboxValidatorVector.get(1);
+// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
+// .get(2);
+// InfoboxValidationResult infoboxValidationResult = null;
+// try {
+// infoboxValidationResult = infoboxvalidator.validate(session
+// .getIdentityLink().getSamlAssertion());
+// } catch (ValidateException e) {
+// Logger.error("Error validating " + identifier + " infobox:"
+// + e.getMessage());
+// throw new ValidateException("validator.44",
+// new Object[]{friendlyName});
+// }
+// if (!infoboxValidationResult.isValid()) {
+// Logger.info("Validation of " + identifier
+// + " infobox failed.");
+// throw new ValidateException("validator.40", new Object[]{
+// friendlyName,
+// infoboxValidationResult.getErrorMessage()});
+// }
+// String form = infoboxvalidator.getForm();
+// if (ParepUtils.isEmpty(form)) {
+// AddAdditionalSAMLAttributes(
+// session,
+// infoboxValidationResult.getExtendedSamlAttributes(),
+// identifier, friendlyName);
+// } else {
+// return "Redirect to Input Processor";
+// }
+// }
+// }
VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse();
X509Certificate cert = session.getSignerCertificate();
@@ -1415,127 +1460,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
/**
- * Builds the AuthenticationData object together with the corresponding
- * <code>&lt;saml:Assertion&gt;</code>
- *
- * @param session authentication session
- * @param verifyXMLSigResp VerifyXMLSignatureResponse from MOA-SP
- * @param useUTC uses correct UTC time format
- * @param useUTC indicates that authenticated citizen is a foreigner
- * @param isForeigner indicates whether Austrian (false) or foreigner (true) authenticates
- * @return AuthenticationData object
- * @throws ConfigurationException while accessing configuration data
- * @throws BuildException while building the <code>&lt;saml:Assertion&gt;</code>
- */
- public static AuthenticationData buildAuthenticationData(
- AuthenticationSession session, OAAuthParameter oaParam, String target)
- throws ConfigurationException, BuildException {
-
- IdentityLink identityLink = session.getIdentityLink();
- AuthenticationData authData = new AuthenticationData();
-
- VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse();
-
- boolean businessService = oaParam.getBusinessService();
-
- authData.setMajorVersion(1);
- authData.setMinorVersion(0);
- authData.setAssertionID(Random.nextRandom());
- authData.setIssuer(session.getAuthURL());
-
- authData.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar
- .getInstance()));
-
- //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO
- authData.setIdentificationValue(identityLink.getIdentificationValue());
- authData.setIdentificationType(identityLink.getIdentificationType());
-
- authData.setGivenName(identityLink.getGivenName());
- authData.setFamilyName(identityLink.getFamilyName());
- authData.setDateOfBirth(identityLink.getDateOfBirth());
- authData.setQualifiedCertificate(verifyXMLSigResp
- .isQualifiedCertificate());
- authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority());
- authData.setPublicAuthorityCode(verifyXMLSigResp
- .getPublicAuthorityCode());
- authData.setBkuURL(session.getBkuURL());
-
- try {
-
- MISMandate mandate = session.getMISMandate();
-
- if (session.getUseMandate() && session.isOW()
- && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) {
- authData.setBPK(mandate.getOWbPK());
- authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
- authData.setIdentityLink(identityLink);
- Logger.trace("Authenticated User is OW: " + mandate.getOWbPK());
-
- } else {
-
- if (businessService) {
- //since we have foreigner, wbPK is not calculated in BKU
- if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
-
- String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
-
- if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
- // If domainIdentifier starts with prefix
- // "urn:publicid:gv.at:wbpk+"; remove this prefix
- registerAndOrdNr = registerAndOrdNr
- .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
- Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
- + registerAndOrdNr);
- }
-
- String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
- authData.setBPK(wbpkBase64);
- authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
-
- } else {
- authData.setBPK(identityLink.getIdentificationValue());
- authData.setBPKType(identityLink.getIdentificationType());
-
- }
-
- Logger.trace("Authenticate user with wbPK " + authData.getBPK());
-
- Element idlassertion = session.getIdentityLink().getSamlAssertion();
- //set bpk/wpbk;
- Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
- prIdentification.getFirstChild().setNodeValue(authData.getBPK());
- //set bkp/wpbk type
- Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
- prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
-
- IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
- IdentityLink idl = idlparser.parseIdentityLink();
- authData.setIdentityLink(idl);
-
- } else {
-
- if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- // only compute bPK if online application is a public service and we have the Stammzahl
- String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
- authData.setBPK(bpkBase64);
- authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
- }
-
- Logger.trace("Authenticate user with bPK " + authData.getBPK());
-
- authData.setIdentityLink(identityLink);
- }
- }
-
- return authData;
-
- } catch (Throwable ex) {
- throw new BuildException("builder.00", new Object[]{
- "AuthenticationData", ex.toString()}, ex);
- }
- }
-
- /**
* Retrieves a session from the session store.
*
* @param id session ID
@@ -1773,6 +1697,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
request.setMIS(mis);
}
+ if (MiscUtil.isEmpty(connectionParameters.getUrl())) {
+ Logger.warn("SZR-Gateway Service URL is empty");
+ throw new SZRGWClientException("service.07");
+ }
+
Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
CreateIdentityLinkResponse response = client.sentCreateIDLRequest(request, connectionParameters.getUrl());
return response;
@@ -1826,11 +1755,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String destination = cpeps.getPepsURL().toExternalForm();
Logger.debug("C-PEPS URL: " + destination);
- String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN;
+
+ String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix();
+ String acsURL = new DataURLBuilder().buildDataURL(issuerValue,
+ PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID());
Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL);
String providerName = oaParam.getFriendlyName();
- String issuerValue = HTTPUtils.getBaseURL(req);
Logger.debug("Issuer value: " + issuerValue);
// prepare collection of required attributes
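Review bot: The ACS URL built at L449–L450 now embeds `moasession.getSessionID()`, is sent to the C-PEPS as the AssertionConsumerServiceURL, and is written to the log at L451, so the MOA session identifier leaves the server inside a SAML request and lands in debug logs. Confirm that the PEPSConnector endpoint does not accept the session ID alone as proof of the original browser session (a signed, session-bound C-PEPS response should still be required), and add a comment stating why it travels in the URL, e.g. `// session ID is part of the ACS URL so PEPSConnectorServlet can correlate the C-PEPS response with this MOA session`. Deriving `issuerValue` from the configured public URL prefix instead of `HTTPUtils.getBaseURL(req)` is the right move, since a forged Host header can no longer steer the issuer or the ACS URL. The enclosing method starts before and ends after this hunk.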
@@ -1903,6 +1834,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
Logger.debug("STORK AuthnRequest succesfully assembled.");
STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing");
+
+ if (samlEngine == null) {
+ Logger.error("Could not initalize STORK SAML engine.");
+ throw new MOAIDException("stork.00", null);
+
+ }
+
try {
authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest);
} catch (STORKSAMLEngineException e) {