diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java | 989 |
1 files changed, 989 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java new file mode 100644 index 000000000..b5275cdd5 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -0,0 +1,989 @@ +/* +* Copyright 2003 Federal Chancellery Austria +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ +package at.gv.egovernment.moa.id.config; + +import iaik.pki.pathvalidation.ChainingModes; +import iaik.utils.RFC2253NameParser; +import iaik.utils.RFC2253NameParserException; + +import java.math.BigInteger; +import java.security.Principal; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Hashtable; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Vector; + +import org.w3c.dom.Attr; +import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.w3c.dom.traversal.NodeIterator; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.Schema; +import at.gv.egovernment.moa.id.auth.data.SchemaImpl; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters; +import at.gv.egovernment.moa.id.data.IssuerAndSerial; +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.BoolUtils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.StringUtils; +import at.gv.egovernment.moa.util.XPathException; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * A class that builds configuration data from a DOM based representation. + * + * @author Patrick Peck + * @author Stefan Knirsch + * @version $Id$ + */ +public class ConfigurationBuilder { + + // + // XPath namespace prefix shortcuts + // + /** an XPATH-Expression */ + protected static final String CONF = Constants.MOA_ID_CONFIG_PREFIX + ":"; + /** an XPATH-Expression */ + protected static final String DSIG = Constants.DSIG_PREFIX + ":"; + + // + // chaining mode constants appearing in the configuration file + // + /** an XPATH-Expression */ + protected static final String CM_CHAINING = "chaining"; + /** an XPATH-Expression */ + protected static final String CM_PKIX = "pkix"; + /** an XPATH-Expression */ + protected static final String DEFAULT_ENCODING = "UTF-8"; + + // + // XPath expressions to select certain parts of the configuration + // + /** an XPATH-Expression */ + protected static final String ROOT = "/" + CONF + "MOA-IDConfiguration/"; + + /** an XPATH-Expression */ + protected static final String AUTH_BKU_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "BKUSelection"; + /** an XPATH-Expression */ + protected static final String AUTH_BKUSELECT_TEMPLATE_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "BKUSelectionTemplate/@URL"; + /** an XPATH-Expression */ + protected static final String AUTH_TEMPLATE_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "Template/@URL"; + /** an XPATH-Expression */ + protected static final String INPUT_PROCESSOR_TEMPLATE_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "InputProcessorSignTemplate/@URL"; + /** an XPATH-Expression */ + public static final String AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "SecurityLayer/" + CONF + "TransformsInfo/@filename"; + /** an XPATH-Expression */ + protected static final String AUTH_MOA_SP_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP"; + /** an XPATH-Expression */ + protected static final String AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyIdentityLink/" + CONF + "TrustProfileID"; + /** an XPATH-Expression */ + protected static final String AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF + "TrustProfileID"; + /** an XPATH-Expression */ + protected static final String AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF + "VerifyTransformsInfoProfileID"; + + /** an XPATH-Expression */ + protected static final String AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "IdentityLinkSigners/" + CONF + "X509SubjectName"; + + /** an XPATH-Expression */ + public static final String AUTH_VERIFY_INFOBOXES_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "VerifyInfoboxes"; + + /** an XPATH-Expression */ + public static final String AUTH_FOREIGN_IDENTITIES_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "ForeignIdentities"; + + /** an XPATH-Expression */ + public static final String AUTH_ONLINEMANDATES_XPATH = + ROOT + CONF + "AuthComponent/" + CONF + "OnlineMandates"; + + + + /** an XPATH-Expression */ + protected static final String OA_XPATH = ROOT + CONF + "OnlineApplication"; + /** an XPATH-Expression */ + protected static final String OA_LOGIN_XPATH = ROOT + CONF + "OnlineApplication/@loginURL"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_XPATH = CONF + "AuthComponent"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH = CONF + "IdentificationNumber"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH = + CONF + "Templates/" + CONF + "BKUSelectionTemplate/@URL"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_TEMPLATE_XPATH = + CONF + "Templates/" + CONF + "Template/@URL"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH = CONF + "TransformsInfo/@filename"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH = CONF + "VerifyInfoboxes"; + /** an XPATH-Expression */ + protected static final String OA_AUTH_COMPONENT_MANDATES_PROFILES_XPATH = CONF + "Mandates" + "/" + CONF + "Profiles"; + /** an XPATH-Expression */ + protected static final String CONNECTION_PARAMETER_URL_XPATH = + CONF + "ConnectionParameter/@URL"; + /** an XPATH-Expression */ + protected static final String CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH = + CONF + "ConnectionParameter/" + CONF + "AcceptedServerCertificates"; + /** an XPATH-Expression */ + protected static final String CONNECTION_PARAMETERN_KEYSTORE_XPATH = + CONF + "ConnectionParameter/" + CONF + "ClientKeyStore"; + /** an XPATH-Expression */ + protected static final String CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH = + CONNECTION_PARAMETERN_KEYSTORE_XPATH + "/@password"; + /** an XPATH-Expression */ + protected static final String GENERIC_CONFIGURATION_XPATH = + ROOT + CONF + "GenericConfiguration"; + + /** an XPATH-Expression */ + protected static final String TRUSTED_BKUS = + ROOT + CONF + "TrustedBKUs/" + CONF + "BKUURL"; + + /** an XPATH-Expression */ + protected static final String CHAINING_MODES_XPATH = + ROOT + CONF + "ChainingModes"; + /** an XPATH-Expression */ + protected static final String CHAINING_MODES_DEFAULT_XPATH = + CHAINING_MODES_XPATH + "/@systemDefaultMode"; + /** an XPATH-Expression */ + protected static final String TRUST_ANCHOR_XPATH = + ROOT + CONF + "ChainingModes/" + CONF + "TrustAnchor"; + /** an XPATH-Expression */ + protected static final String ISSUER_XPATH = DSIG + "X509IssuerName"; + /** an XPATH-Expression */ + protected static final String SERIAL_XPATH = DSIG + "X509SerialNumber"; + /** an XPATH-Expression */ + protected static final String TRUSTED_CA_CERTIFICATES_XPATH = + ROOT + CONF + "TrustedCACertificates"; + + /** an XPATH-Expression */ + protected static final String VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH = CONF + "DefaultTrustProfile"; + /** an XPATH-Expression */ + protected static final String VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH = CONF + "TrustProfileID"; + /** an XPATH-Expression */ + protected static final String VERIFY_INFOBOXES_INFOBOX_XPATH = CONF + "Infobox"; + + + + + /** + * main configuration file directory name used to configure MOA-ID + */ + protected String rootConfigFileDir_; + + /** The root element of the MOA-ID configuration */ + protected Element configElem_; + + /** + * Creates a new <code>MOAConfigurationProvider</code>. + * + * @param configElem The root element of the MOA-ID configuration. + */ + public ConfigurationBuilder(Element configElem, String rootConfigDir) { + configElem_ = configElem; + rootConfigFileDir_ = rootConfigDir; + } + + /** + * Returns the root element of the MOA-ID configuration. + * + * @return The root element of the MOA-ID configuration. + */ + public Element getConfigElem() { + return configElem_; + } + + /** + * Build a ConnectionParameter object containing all information + * of the moa-sp element in the authentication component + * @return ConnectionParameter of the authentication component moa-sp element + */ + public ConnectionParameter buildAuthBKUConnectionParameter() { + + Element authBKU = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_BKU_XPATH); + if (authBKU==null) return null; + return buildConnectionParameter(authBKU); + } + + /** + * Build a ConnectionParameter containing all information + * of the foreignid element in the authentication component + * @return ConnectionParameter of the authentication component foreignid element + */ + public ConnectionParameter buildForeignIDConnectionParameter() { + Element foreignid = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_FOREIGN_IDENTITIES_XPATH); + if (foreignid==null) return null; + return buildConnectionParameter(foreignid); + + } + + /** + * Build a ConnectionParameter containing all information + * of the OnlineMandates element in the authentication component + * @return ConnectionParameter of the authentication component OnlineMandates element + */ + public ConnectionParameter buildOnlineMandatesConnectionParameter() { + Element onlinemandates = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_ONLINEMANDATES_XPATH); + if (onlinemandates==null) return null; + return buildConnectionParameter(onlinemandates); + + } + + /** + * Method buildAuthBKUSelectionType. + * + * Build a string with the configuration value of BKUSelectionAlternative + * + * @return String + */ + public String buildAuthBKUSelectionType() { + + Element authBKU = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_BKU_XPATH); + if (authBKU==null) return null; + return (authBKU).getAttribute("BKUSelectionAlternative"); + } + + /** + * Build a string array with all filenames leading + * to the Transforms Information for the Security Layer + * @param contextNode The node from which should be searched + * @param xpathExpr The XPATH expression for the search + * @return String[] of filenames to the Security Layer Transforms Information + * or <code>null</code> if no transforms are included + */ + public String[] buildTransformsInfoFileNames(Node contextNode, String xpathExpr) { + + List transformsInfoFileNames = new ArrayList(); + + try { + NodeIterator tiIter = XPathUtils.selectNodeIterator(contextNode, xpathExpr); + + Attr tiElem; + while ((tiElem = (Attr) tiIter.nextNode()) != null) { + String tiFileName = tiElem.getNodeValue(); + transformsInfoFileNames.add(tiFileName); + } + + String[] result = new String[transformsInfoFileNames.size()]; + transformsInfoFileNames.toArray(result); + + return result; + } catch (XPathException xpe) { + return new String[0]; + } + } + + + /** + * Loads the <code>transformsInfos</code> from files. + * @throws Exception on any exception thrown + */ + public String[] loadTransformsInfos(String[] transformsInfoFileNames) throws Exception { + + String[] transformsInfos = new String[transformsInfoFileNames.length]; + for (int i = 0; i < transformsInfoFileNames.length; i++) { + String fileURL = transformsInfoFileNames[i]; + + //if fileURL is relative to rootConfigFileDir make it absolute + fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir_); + String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING); + transformsInfos[i] = transformsInfo; + } + return transformsInfos; + } + + /** + * Build a ConnectionParameter bean containing all information + * of the authentication component moa-sp element + * @return ConnectionParameter of the authentication component moa-sp element + */ + public ConnectionParameter buildMoaSpConnectionParameter() { + + Element connectionParameter = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_MOA_SP_XPATH); + if (connectionParameter==null) return null; + return buildConnectionParameter(connectionParameter); + } + + /** + * Return a string with a url-reference to the VerifyIdentityLink trust + * profile id within the moa-sp part of the authentication component + * @return String with a url-reference to the VerifyIdentityLink trust profile ID + */ + public String getMoaSpIdentityLinkTrustProfileID() { + return XPathUtils.getElementValue( + configElem_, + AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH, + ""); + } + /** + * Return a string representation of an URL pointing to trusted CA Certificates + * @return String representation of an URL pointing to trusted CA Certificates + */ + public String getTrustedCACertificates() { + return XPathUtils.getElementValue( + configElem_, + TRUSTED_CA_CERTIFICATES_XPATH,null); + } + + /** + * Return a string with a url-reference to the VerifyAuthBlock trust + * profile id within the moa-sp part of the authentication component + * @return String with a url-reference to the VerifyAuthBlock trust profile ID + */ + public String getMoaSpAuthBlockTrustProfileID() { + return XPathUtils.getElementValue( + configElem_, + AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH, + ""); + } + /** + * Build a string array with references to all verify transform info + * IDs within the moa-sp part of the authentication component + * @return A string array containing all urls to the + * verify transform info IDs + */ + public String[] buildMoaSpAuthBlockVerifyTransformsInfoIDs() { + + List verifyTransformsInfoIDs = new ArrayList(); + NodeIterator vtIter = + XPathUtils.selectNodeIterator( + configElem_, + AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH); + Element vtElem; + + while ((vtElem = (Element) vtIter.nextNode()) != null) { + + String vtInfoIDs = DOMUtils.getText(vtElem); + verifyTransformsInfoIDs.add(vtInfoIDs); + } + String[] result = new String[verifyTransformsInfoIDs.size()]; + verifyTransformsInfoIDs.toArray(result); + + return result; + } + + public List getTrustedBKUs() { + + List trustedBKUs = new ArrayList(); + + NodeIterator bkuIter = XPathUtils.selectNodeIterator(configElem_, TRUSTED_BKUS); + + Element vtElem; + + while ((vtElem = (Element) bkuIter.nextNode()) != null) { + String bkuURL = DOMUtils.getText(vtElem); + trustedBKUs.add(bkuURL); + } + + return trustedBKUs; + + } + + /** + * Returns a list containing all X509 Subject Names + * of the Identity Link Signers + * @return a list containing the configured identity-link signer X509 subject names + */ + public List getIdentityLink_X509SubjectNames() { + + Vector x509SubjectNameList = new Vector(); + NodeIterator x509Iter = + XPathUtils.selectNodeIterator( + configElem_, + AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH); + Element x509Elem; + + while ((x509Elem = (Element) x509Iter.nextNode()) != null) { + String vtInfoIDs = DOMUtils.getText(x509Elem); + x509SubjectNameList.add(vtInfoIDs); + } + + // now add the default identity link signers + String[] identityLinkSignersWithoutOID = MOAIDAuthConstants.IDENTITY_LINK_SIGNERS_WITHOUT_OID; + for (int i=0; i<identityLinkSignersWithoutOID.length; i++) { + String identityLinkSigner = identityLinkSignersWithoutOID[i]; + if (!x509SubjectNameList.contains(identityLinkSigner)) { + x509SubjectNameList.add(identityLinkSigner); + } + } + + return x509SubjectNameList; + } + + /** + * Build an array of the OnlineApplication Parameters containing information + * about the authentication component + * + * @param defaultVerifyInfoboxParameters Default parameters for verifying additional + * infoboxes. Maybe <code>null</code>. + * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating + * the identity link signer certificate. Needed for + * checking if this ID is not used for validating other + * infoboxes. + * + * @return An OAProxyParameter array containing beans + * with all relevant information for the authentication component of the online + * application + */ + public OAAuthParameter[] buildOnlineApplicationAuthParameters( + VerifyInfoboxParameters defaultVerifyInfoboxParameters, String moaSpIdentityLinkTrustProfileID) + throws ConfigurationException + { + + String bkuSelectionTemplateURL = + XPathUtils.getAttributeValue(configElem_, AUTH_BKUSELECT_TEMPLATE_XPATH, null); + String templateURL = + XPathUtils.getAttributeValue(configElem_, AUTH_TEMPLATE_XPATH, null); + String inputProcessorSignTemplateURL = + XPathUtils.getAttributeValue(configElem_, INPUT_PROCESSOR_TEMPLATE_XPATH, null); + + List OA_set = new ArrayList(); + NodeList OAIter = XPathUtils.selectNodeList(configElem_, OA_XPATH); + + for (int i = 0; i < OAIter.getLength(); i++) { + Element oAElem = (Element) OAIter.item(i); + Element authComponent = + (Element) XPathUtils.selectSingleNode(oAElem, OA_AUTH_COMPONENT_XPATH); + + OAAuthParameter oap = new OAAuthParameter(); + String publicURLPrefix = oAElem.getAttribute("publicURLPrefix"); + oap.setPublicURLPrefix(publicURLPrefix); + oap.setKeyBoxIdentier(oAElem.getAttribute("keyBoxIdentifier")); + oap.setFriendlyName(oAElem.getAttribute("friendlyName")); + + // get the type of the online application + String oaType = oAElem.getAttribute("type"); + oap.setOaType(oaType); + String slVersion = "1.1"; + if ("businessService".equalsIgnoreCase(oaType)) { + if (authComponent==null) { + Logger.error("Missing \"AuthComponent\" for OA of type \"businessService\""); + throw new ConfigurationException("config.02", null); + } + Element identificationNumberElem = + (Element) XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH); + if (identificationNumberElem==null) { + Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\""); + throw new ConfigurationException("config.02", null); + } + Element identificationNumberChild = DOMUtils.getElementFromNodeList(identificationNumberElem.getChildNodes()); + if (identificationNumberChild == null) { + Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\""); + throw new ConfigurationException("config.02", null); + } + if ("false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))) { + oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild)); + //BZ.., setting type of IdLinkDomainIdentifier + oap.setIdentityLinkDomainIdentifierType(identificationNumberChild.getLocalName()); + //..BZ + } else { + // If we have business service and want to dealt with GDA, the security layer can be advised to calulate + // the Health Professional Identifier HPI instead of the wbPK + Logger.info("OA uses HPI for Identification"); + oap.setIdentityLinkDomainIdentifier(Constants.URN_PREFIX_HPI); + } + + // if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file + Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2"); + slVersion = "1.2"; + + } else { + + if (authComponent!=null) { + slVersion = authComponent.getAttribute("slVersion"); + } + + } + oap.setSlVersion(slVersion); + //Check if there is an Auth-Block to read from configuration + + if (authComponent!=null) + { + oap.setProvideStammzahl(BoolUtils.valueOf(authComponent.getAttribute("provideStammzahl"))); + oap.setProvideAuthBlock(BoolUtils.valueOf(authComponent.getAttribute("provideAUTHBlock"))); + oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink"))); + oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate"))); + oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL)); + oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL)); + oap.setInputProcessorSignTemplateURL(buildTemplateURL(authComponent, INPUT_PROCESSOR_TEMPLATE_XPATH, inputProcessorSignTemplateURL)); + // load OA specific transforms if present + String[] transformsInfoFileNames = buildTransformsInfoFileNames(authComponent, OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH); + try { + oap.setTransformsInfos(loadTransformsInfos(transformsInfoFileNames)); + } catch (Exception ex) { + Logger.error("Error loading transforms specified for OA \"" + publicURLPrefix + "\"; using default transforms."); + } + Node verifyInfoboxParamtersNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH); + oap.setVerifyInfoboxParameters(buildVerifyInfoboxParameters( + verifyInfoboxParamtersNode, defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID)); + + Node mandateProfilesNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_MANDATES_PROFILES_XPATH); + if (mandateProfilesNode != null) { + if ("businessService".equalsIgnoreCase(oaType)) { + Logger.error("No Online Mandate Modus for OA of type \"businessService\" allowed."); + throw new ConfigurationException("config.02", null); + } + else { + String profiles = DOMUtils.getText(mandateProfilesNode); + oap.setMandateProfiles(profiles); + } + } + } + OA_set.add(oap); + } + OAAuthParameter[] result = + new OAAuthParameter[OA_set.size()]; + OA_set.toArray(result); + + return result; + + } + + /** + * Builds the URL for a BKUSelectionTemplate or a Template. The method selects + * the uri string from the MOA ID configuration file via the given xpath expression + * and returns either this string or the default value. + * + * @param oaAuthComponent The AuthComponent element to get the template from. + * @param xpathExpr The xpath expression for selecting the template uri. + * @param defaultURL The default template url. + * @return The template url. This may either the via xpath selected uri + * or, if no template is specified within the online appliacation, + * the default url. Both may be <code>null</code>. + */ + protected String buildTemplateURL(Element oaAuthComponent, String xpathExpr, String defaultURL) { + String templateURL = XPathUtils.getAttributeValue(oaAuthComponent, xpathExpr, defaultURL); + if (templateURL != null) { + templateURL = FileUtils.makeAbsoluteURL(templateURL, rootConfigFileDir_); + } + return templateURL; + } + + + /** + * Method buildConnectionParameter: internal Method for creating a + * ConnectionParameter object with all data found in the incoming element + * @param root This Element contains the ConnectionParameter + * @return ConnectionParameter + */ + protected ConnectionParameter buildConnectionParameter(Element root) + { + ConnectionParameter result = new ConnectionParameter(); + result.setAcceptedServerCertificates( + XPathUtils.getElementValue(root,CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH,null)); + + result.setAcceptedServerCertificates(FileUtils.makeAbsoluteURL( + result.getAcceptedServerCertificates(), rootConfigFileDir_)); + + result.setUrl( + XPathUtils.getAttributeValue(root, CONNECTION_PARAMETER_URL_XPATH, "")); + result.setClientKeyStore( + XPathUtils.getElementValue(root,CONNECTION_PARAMETERN_KEYSTORE_XPATH,null)); + + result.setClientKeyStore(FileUtils.makeAbsoluteURL( + result.getClientKeyStore(), rootConfigFileDir_)); + + result.setClientKeyStorePassword( + XPathUtils.getAttributeValue(root,CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH,"")); + + if ((result.getAcceptedServerCertificates()==null) + && (result.getUrl()=="") + && (result.getClientKeyStore()==null) + && (result.getClientKeyStorePassword()=="")) + return null; + + return result; + } + + + /** + * Build the mapping of generic configuration properties. + * + * @return a {@link Map} of generic configuration properties (a name to value + * mapping) from the configuration. + */ + public Map buildGenericConfiguration() { + + Map genericConfiguration = new HashMap(); + NodeIterator gcIter = + XPathUtils.selectNodeIterator( + configElem_, + GENERIC_CONFIGURATION_XPATH); + Element gcElem; + + while ((gcElem = (Element) gcIter.nextNode()) != null) { + String gcName = gcElem.getAttribute("name"); + String gcValue = gcElem.getAttribute("value"); + + genericConfiguration.put(gcName, gcValue); + } + + return genericConfiguration; + } + + + /** + * Returns the default chaining mode from the configuration. + * + * @return The default chaining mode. + */ + public String getDefaultChainingMode() { + String defaultChaining = + XPathUtils.getAttributeValue( + configElem_, + CHAINING_MODES_DEFAULT_XPATH, + CM_CHAINING); + + return translateChainingMode(defaultChaining); + + } + /** + * Build the chaining modes for all configured trust anchors. + * + * @return The mapping from trust anchors to chaining modes. + */ + public Map buildChainingModes() { + Map chainingModes = new HashMap(); + NodeIterator trustIter = + XPathUtils.selectNodeIterator(configElem_, TRUST_ANCHOR_XPATH); + Element trustAnchorElem; + + while ((trustAnchorElem = (Element) trustIter.nextNode()) != null) { + IssuerAndSerial issuerAndSerial = buildIssuerAndSerial(trustAnchorElem); + String mode = trustAnchorElem.getAttribute("mode"); + + if (issuerAndSerial != null) { + chainingModes.put(issuerAndSerial, translateChainingMode(mode)); + } + } + + return chainingModes; + } + + /** + * Build an <code>IssuerAndSerial</code> from the DOM representation. + * + * @param root The root element (being of type <code>dsig: + * X509IssuerSerialType</code>. + * @return The issuer and serial number contained in the <code>root</code> + * element or <code>null</code> if could not be built for any reason. + */ + protected IssuerAndSerial buildIssuerAndSerial(Element root) { + String issuer = XPathUtils.getElementValue(root, ISSUER_XPATH, null); + String serial = XPathUtils.getElementValue(root, SERIAL_XPATH, null); + + if (issuer != null && serial != null) { + try { + RFC2253NameParser nameParser = new RFC2253NameParser(issuer); + Principal issuerDN = nameParser.parse(); + + return new IssuerAndSerial(issuerDN, new BigInteger(serial)); + } catch (RFC2253NameParserException e) { + warn("config.09", new Object[] { issuer, serial }, e); + return null; + } catch (NumberFormatException e) { + warn("config.09", new Object[] { issuer, serial }, e); + return null; + } + } + return null; + } + + /** + * Translate the chaining mode from the configuration file to one used in the + * IAIK MOA API. + * + * @param chainingMode The chaining mode from the configuration. + * @return The chaining mode as provided by the <code>ChainingModes</code> + * interface. + * @see iaik.pki.pathvalidation.ChainingModes + */ + protected String translateChainingMode(String chainingMode) { + if (chainingMode.equals(CM_CHAINING)) { + return ChainingModes.CHAIN_MODE; + } else if (chainingMode.equals(CM_PKIX)) { + return ChainingModes.PKIX_MODE; + } else { + return ChainingModes.CHAIN_MODE; + } + } + + /** + * Builds the IdentityLinkDomainIdentifier as needed for providing it to the + * SecurityLayer for computation of the wbPK. + * <p>e.g.:<br> + * input element: + * <br> + * <code><pr:Firmenbuchnummer Identifier="FN">000468 i</pr:Firmenbuchnummer></code> + * <p> + * return value: <code>urn:publicid:gv.at+wbpk+FN468i</code> + * + * @param number The element holding the identification number of the business + * company. + * @return The domain identifier + */ + protected String buildIdentityLinkDomainIdentifier(Element number) { + if (number == null) { + return null; + } + String identificationNumber = number.getFirstChild().getNodeValue(); + String identifier = number.getAttribute("Identifier"); + // remove all blanks + identificationNumber = StringUtils.removeBlanks(identificationNumber); + if (number.getLocalName().equals("Firmenbuchnummer") || identifier.equalsIgnoreCase("fn") || identifier.equalsIgnoreCase("xfn")) { + // delete zeros from the beginning of the number + identificationNumber = StringUtils.deleteLeadingZeros(identificationNumber); + // remove hyphens + identificationNumber = StringUtils.removeToken(identificationNumber, "-"); + } + StringBuffer identityLinkDomainIdentifier = new StringBuffer(Constants.URN_PREFIX_WBPK); + identityLinkDomainIdentifier.append("+"); + if (!identificationNumber.startsWith(identifier)) { + identityLinkDomainIdentifier.append(identifier); + } + identityLinkDomainIdentifier.append("+"); + identityLinkDomainIdentifier.append(identificationNumber); + return identityLinkDomainIdentifier.toString(); + } + + /** + * Builds the parameters for verifying additional infoboxes (additional to the + * IdentityLink infobox). + * + * @param verifyInfoboxesElem The <code>VerifyInfoboxes</code> element from the + * config file. This maybe the global element or the + * elment from an Online application. + * @param defaultVerifyInfoboxParameters Default parameters to be used, if no + * <code>VerifyInfoboxes</code> element is present. + * This only applies to parameters + * of an specific online application and is set to + * <code>null</code> when building the global parameters. + * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating + * the identity link signer certificate. Needed for + * checking if this ID is not used for validating other + * infoboxes. + * + * @return A {@link at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters VerifyInfoboxParameters} + * object needed for verifying additional infoboxes. + * + * @throws ConfigurationException If the trust profile for validating the identity link + * signer certificate is used for validating another infobox. + */ + public VerifyInfoboxParameters buildVerifyInfoboxParameters( + Node verifyInfoboxesElem, + VerifyInfoboxParameters defaultVerifyInfoboxParameters, + String moaSpIdentityLinkTrustProfileID) + throws ConfigurationException + { + + if ((verifyInfoboxesElem == null) && (defaultVerifyInfoboxParameters == null)) { + return null; + } + Vector identifiers = new Vector(); + List defaultIdentifiers = null; + Map defaultInfoboxParameters = null; + if (defaultVerifyInfoboxParameters != null) { + defaultIdentifiers = defaultVerifyInfoboxParameters.getIdentifiers(); + defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters(); + } + Hashtable infoboxParameters = new Hashtable(); + if (verifyInfoboxesElem != null) { + // get the DefaultTrustProfileID + String defaultTrustProfileID = null; + Node defaultTrustProfileNode = + XPathUtils.selectSingleNode(verifyInfoboxesElem, VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH); + if (defaultTrustProfileNode != null) { + Node trustProfileIDNode = + XPathUtils.selectSingleNode(defaultTrustProfileNode, VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH); + defaultTrustProfileID = trustProfileIDNode.getFirstChild().getNodeValue(); + if (defaultTrustProfileID.equals(moaSpIdentityLinkTrustProfileID)) { + throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID}); + } + } + // get the Infoboxes + NodeList infoboxes = + XPathUtils.selectNodeList(verifyInfoboxesElem, VERIFY_INFOBOXES_INFOBOX_XPATH); + for (int i=0; i<infoboxes.getLength(); i++) { + Element infoBoxElem = (Element)infoboxes.item(i); + // get the identifier of the infobox + String identifier = infoBoxElem.getAttribute("Identifier"); + identifiers.add(identifier); + VerifyInfoboxParameter verifyInfoboxParameter = new VerifyInfoboxParameter(identifier); + verifyInfoboxParameter.setFriendlyName(identifier); + // get the attributes + // (1) required: override global value in any case + verifyInfoboxParameter.setRequired(BoolUtils.valueOf( + infoBoxElem.getAttribute("required"))); + // (2) provideStammzahl: override global value in any case + verifyInfoboxParameter.setProvideStammzahl(BoolUtils.valueOf( + infoBoxElem.getAttribute("provideStammzahl"))); + // (3) proviedIdentityLink: override global value in any case + verifyInfoboxParameter.setProvideIdentityLink(BoolUtils.valueOf( + infoBoxElem.getAttribute("provideIdentityLink"))); + // set default trustprofileID + if (defaultTrustProfileID != null) { + verifyInfoboxParameter.setTrustProfileID(defaultTrustProfileID); + } + // get the parameter elements + boolean localValidatorClass = false; + boolean localFriendlyName = false; + List params = DOMUtils.getChildElements(infoBoxElem); + Iterator it = params.iterator(); + while (it.hasNext()) { + Element paramElem = (Element)it.next(); + String paramName = paramElem.getLocalName(); + if (paramName.equals("FriendlyName")) { + verifyInfoboxParameter.setFriendlyName(paramElem.getFirstChild().getNodeValue()); + localFriendlyName = true; + } else if (paramName.equals("TrustProfileID")) { + String trustProfileID = paramElem.getFirstChild().getNodeValue(); + if (trustProfileID != null) { + if (trustProfileID.equals(moaSpIdentityLinkTrustProfileID)) { + throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID}); + } + verifyInfoboxParameter.setTrustProfileID(trustProfileID); + } + } else if (paramName.equals("ValidatorClass")) { + String validatorClassName = paramElem.getFirstChild().getNodeValue(); + if (validatorClassName != null) { + verifyInfoboxParameter.setValidatorClassName(validatorClassName); + localValidatorClass = true; + } + } else if (paramName.equals("SchemaLocations")) { + List schemaElems = DOMUtils.getChildElements(paramElem); + List schemaLocations = new Vector(schemaElems.size()); + Iterator schemaIterator = schemaElems.iterator(); + while (schemaIterator.hasNext()) { + Element schemaElem = (Element)schemaIterator.next(); + String namespace = schemaElem.getAttribute("namespace"); + String schemaLocation = schemaElem.getAttribute("schemaLocation"); + // avoid adding the same schema twice + Iterator schemaLocationIterator = schemaLocations.iterator(); + boolean add = true; + while (schemaLocationIterator.hasNext()) { + String existingNamespace = ((Schema)schemaLocationIterator.next()).getNamespace(); + if (namespace.equals(existingNamespace)) { + Logger.warn("Multiple schemas specified for namespace \"" + namespace + + "\"; only using the first one."); + add = false; + break; + } + } + if (add) { + schemaLocations.add(new SchemaImpl(namespace, schemaLocation)); + } + } + verifyInfoboxParameter.setSchemaLocations(schemaLocations); + } else if (paramName.equals("ApplicationSpecificParameters")) { + verifyInfoboxParameter.setApplicationSpecificParams(paramElem); + } else if (paramName.equals("ParepSpecificParameters")) { + verifyInfoboxParameter.appendParepSpecificParams(paramElem); + } + } + // use default values for those parameters not yet set by local configuration + if (defaultInfoboxParameters != null) { + Object defaultVerifyIP = defaultInfoboxParameters.get(identifier); + if (defaultVerifyIP != null) { + VerifyInfoboxParameter defaultVerifyInfoboxParameter = + (VerifyInfoboxParameter)defaultVerifyIP; + // if no friendly is set, use default + if (!localFriendlyName) { + verifyInfoboxParameter.setFriendlyName( + defaultVerifyInfoboxParameter.getFriendlyName()); + } + // if no TrustProfileID is set, use default, if available + if (verifyInfoboxParameter.getTrustProfileID() == null) { + verifyInfoboxParameter.setTrustProfileID( + defaultVerifyInfoboxParameter.getTrustProfileID()); + } + // if no local validator class is set, use default + if (!localValidatorClass) { + verifyInfoboxParameter.setValidatorClassName( + defaultVerifyInfoboxParameter.getValidatorClassName()); + } + // if no schema locations set, use default + if (verifyInfoboxParameter.getSchemaLocations() == null) { + verifyInfoboxParameter.setSchemaLocations( + defaultVerifyInfoboxParameter.getSchemaLocations()); + } + // if no application specific parameters set, use default + if (verifyInfoboxParameter.getApplicationSpecificParams() == null) { + verifyInfoboxParameter.setApplicationSpecificParams( + defaultVerifyInfoboxParameter.getApplicationSpecificParams()); + } + } + } + infoboxParameters.put(identifier, verifyInfoboxParameter); + } + // add the infobox identifiers not present within the local configuration to the + // identifier list + if (defaultIdentifiers != null) { + Iterator identifierIterator = defaultIdentifiers.iterator(); + while (identifierIterator.hasNext()) { + String defaultIdentifier = (String)identifierIterator.next(); + if (!identifiers.contains(defaultIdentifier)) { + identifiers.add(defaultIdentifier); + } + } + } + return new VerifyInfoboxParameters(identifiers, infoboxParameters); + } else { + return new VerifyInfoboxParameters(defaultIdentifiers, infoboxParameters); + } + } + + /** + * Method warn. + * @param messageId to identify a country-specific message + * @param parameters for the logger + */ + // + // various utility methods + // + + protected static void warn(String messageId, Object[] parameters) { + Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters)); + } + + /** + * Method warn. + * @param messageId to identify a country-specific message + * @param args for the logger + * @param t as throwabl + */ + protected static void warn(String messageId, Object[] args, Throwable t) { + Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, args), t); + } +} |