aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java81
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java50
8 files changed, 88 insertions, 79 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index 5b4843752..0172cce2d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x;
public interface PVPConstants {
+ public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/";
public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1";
public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2";
public static final String STORK_QAA_1_3 = "http://www.stork.gov.eu/1.0/citizenQAALevel/3";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 28299871c..7c9cc6259 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -25,7 +25,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 17f76d35a..bc90da8df 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -74,6 +74,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedExcept
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.id.util.QAALevelVerifier;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -89,45 +90,59 @@ public class PVP2AssertionBuilder implements PVPConstants {
AuthnContextClassRef authnContextClassRef = SAML2Utils
.createSAMLObject(AuthnContextClassRef.class);
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
+ .getOnlineApplicationParameter(
+ peerEntity.getEntityID());
+
if (reqAuthnContext == null) {
authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
- } else {
+ }
- boolean stork_qaa_1_4_found = false;
+ boolean stork_qaa_1_4_found = false;
+
+ List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+ .getAuthnContextClassRefs();
- List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
- .getAuthnContextClassRefs();
+ if (reqAuthnContextClassRefIt.size() == 0) {
+
+ QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(),
+ STORK_QAA_1_4);
- if (reqAuthnContextClassRefIt.size() == 0) {
- stork_qaa_1_4_found = true;
- authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
-
- } else {
- for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
- String qaa_uri = authnClassRef.getAuthnContextClassRef();
- if (qaa_uri.trim().equals(STORK_QAA_1_4)
- || qaa_uri.trim().equals(STORK_QAA_1_3)
- || qaa_uri.trim().equals(STORK_QAA_1_2)
- || qaa_uri.trim().equals(STORK_QAA_1_1)) {
-
- if (authSession.isForeigner()) {
- //TODO: insert QAA check
-
- stork_qaa_1_4_found = false;
-
- } else {
- stork_qaa_1_4_found = true;
- authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
- }
- break;
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+
+ } else {
+ for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+ String qaa_uri = authnClassRef.getAuthnContextClassRef();
+ if (qaa_uri.trim().equals(STORK_QAA_1_4)
+ || qaa_uri.trim().equals(STORK_QAA_1_3)
+ || qaa_uri.trim().equals(STORK_QAA_1_2)
+ || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+
+ if (authSession.isForeigner()) {
+ QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(),
+ STORK_QAA_PREFIX + oaParam.getQaaLevel());
+
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel());
+
+ } else {
+
+ QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(),
+ qaa_uri.trim());
+
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel());
+
}
+ break;
}
}
-
- if (!stork_qaa_1_4_found) {
- throw new QAANotSupportedException(STORK_QAA_1_4);
- }
+ }
+
+ if (!stork_qaa_1_4_found) {
+ throw new QAANotSupportedException(STORK_QAA_1_4);
}
// reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
@@ -209,12 +224,6 @@ public class PVP2AssertionBuilder implements PVPConstants {
* null, true); } }
*/
- // TODO: LOAD oaParam from request and not from MOASession in case of
- // SSO
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
- .getOnlineApplicationParameter(
- peerEntity.getEntityID());
-
AuthenticationData authData = AuthenticationServer
.buildAuthenticationData(authSession, oaParam,
oaParam.getTarget());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java
index 523063c6e..f3d815e7d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
public class BirthdateAttributeBuilder implements IPVPAttributeBuilder {
@@ -44,11 +45,19 @@ public class BirthdateAttributeBuilder implements IPVPAttributeBuilder {
IAttributeGenerator<ATT> g) throws AttributeException {
try {
DateFormat identityLinkFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT);
- Date date = identityLinkFormat.parse(authSession.getIdentityLink().getDateOfBirth());
- DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN);
- String dateString = pvpDateFormat.format(date);
- return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString);
+ if (MiscUtil.isNotEmpty(authSession.getIdentityLink().getDateOfBirth())) {
+ Date date = identityLinkFormat.parse(authSession.getIdentityLink().getDateOfBirth());
+ DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN);
+ String dateString = pvpDateFormat.format(date);
+
+ return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString);
+
+ } else {
+ //build empty attribute if no Birthday date is found (STORK2)
+ return g.buildEmptyAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME);
+
+ }
//return buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index d318792f1..f4b48ece3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -22,14 +22,11 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
-import java.io.IOException;
import java.util.ArrayList;
-import java.util.Date;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.xml.transform.TransformerException;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
@@ -40,12 +37,10 @@ import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
@@ -54,17 +49,13 @@ import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
-import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
-import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509Credential;
-import org.opensaml.xml.signature.KeyInfo;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -80,7 +71,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
index 1963115da..e3e25b1a9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
@@ -37,7 +37,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.KeyStoreUtils;
-import at.gv.egovernment.moa.util.MiscUtil;
public class CredentialProvider {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
index d398ca533..f0ae6f446 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
@@ -113,10 +113,12 @@ public class MetadataSignatureFilter implements MetadataFilter {
throw new MOAIDException("Root element of metadata file has to be signed", null);
}
processEntitiesDescriptor(entitiesDescriptor);
- } /*else if (metadata instanceof EntityDescriptor) {
+
+ } else if (metadata instanceof EntityDescriptor) {
EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
processEntityDescriptorr(entityDescriptor);
- } */else {
+
+ } else {
throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
index e48c7bb98..67a91f6e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
@@ -34,36 +34,36 @@ import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
-import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
+//import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;
+//import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;
public class TrustEngineFactory {
- public static SignatureTrustEngine getSignatureTrustEngine() {
- try {
- MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver(
- MOAMetadataProvider.getInstance());
-
- List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
- keyInfoProvider.add(new DSAKeyValueProvider());
- keyInfoProvider.add(new RSAKeyValueProvider());
- keyInfoProvider.add(new InlineX509DataProvider());
-
- KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
- keyInfoProvider);
-
- PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine(
- mdResolver, keyInfoResolver);
-
- return engine;
-
- } catch (Exception e) {
- e.printStackTrace();
- return null;
- }
- }
+// public static SignatureTrustEngine getSignatureTrustEngine() {
+// try {
+// MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver(
+// MOAMetadataProvider.getInstance());
+//
+// List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+// keyInfoProvider.add(new DSAKeyValueProvider());
+// keyInfoProvider.add(new RSAKeyValueProvider());
+// keyInfoProvider.add(new InlineX509DataProvider());
+//
+// KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+// keyInfoProvider);
+//
+// PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine(
+// mdResolver, keyInfoResolver);
+//
+// return engine;
+//
+// } catch (Exception e) {
+// e.printStackTrace();
+// return null;
+// }
+// }
public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() {
MetadataCredentialResolver resolver;
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-26 03:13:43 +0000