12 files changed, 419 insertions, 63 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java
new file mode 100644
index 000000000..c5a8d88b7
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKListAttributeBuilder.java
@@ -0,0 +1,56 @@
+
+package at.gv.egovernment.moa.id.protocols.builder.attributes;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.BPKAttributeBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
+
+@PVPMETADATA
+public class BPKListAttributeBuilder extends BPKAttributeBuilder implements IPVPAttributeBuilder {
+	
+	private static final Logger log = LoggerFactory.getLogger(BPKListAttributeBuilder.class);
+	
+	public static final String DELIMITER_BPK_LIST = ";";
+	public static final String LIST_ELEMENT_START = "(";
+	public static final String LIST_ELEMENT_END = ")";
+	
+	public String getName() {
+		return BPK_LIST_NAME;
+	}
+	
+	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+		String result = LIST_ELEMENT_START + getBpkForSP(authData) + LIST_ELEMENT_END;
+		
+		//add additional bPKs if someone are available
+		if (authData.getAdditionalbPKs() != null && !authData.getAdditionalbPKs().isEmpty()) {
+			log.info("Adding additional bPKs into bPK attribute");
+			for (Pair<String, String> el : authData.getAdditionalbPKs()) {
+				result += DELIMITER_BPK_LIST 
+							+ LIST_ELEMENT_START 
+								+ removeBpkTypePrefix(el.getSecond()) 
+								+ DELIMITER_BPKTYPE_BPK 
+								+ attrMaxSize(el.getFirst())
+							+ LIST_ELEMENT_END;
+				
+			}
+			log.trace("Authenticate user with bPK-List: " + result);
+		}
+		
+		log.trace("Authenticate user with bPK/wbPK: " + result);		
+		return g.buildStringAttribute(BPK_LIST_FRIENDLY_NAME, BPK_LIST_NAME, result);
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(BPK_LIST_FRIENDLY_NAME, BPK_LIST_NAME);
+	}
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDAuthBlock.java
index 139bb15cc..a1a5825b3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDAuthBlock.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDAuthBlock.java
@@ -37,6 +37,7 @@ import at.gv.egovernment.moa.id.data.IMOAAuthData;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
+@Deprecated
 @PVPMETADATA
 public class EIDAuthBlock implements IPVPAttributeBuilder {
 	
@@ -49,6 +50,13 @@ public class EIDAuthBlock implements IPVPAttributeBuilder {
 		
 		try {
 			if (authData instanceof IMOAAuthData) {
+				
+				if (((IMOAAuthData)authData).isIseIDNewDemoMode()) {
+					Logger.info(EID_AUTH_BLOCK_FRIENDLY_NAME + " is NOT available in Austrian eID demo-mode");
+					throw new UnavailableAttributeException(EID_AUTH_BLOCK_NAME);
+					
+				}
+				
 				String authblock = ((IMOAAuthData)authData).getAuthBlock();
 				if (MiscUtil.isNotEmpty(authblock)) {
 					return g.buildStringAttribute(EID_AUTH_BLOCK_FRIENDLY_NAME, EID_AUTH_BLOCK_NAME,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
index 44043ec40..bf7187e51 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -28,6 +28,7 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
 import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
 import at.gv.egovernment.moa.id.data.IMOAAuthData;
 import at.gv.egovernment.moa.logging.Logger;
@@ -35,6 +36,8 @@ import at.gv.egovernment.moa.logging.Logger;
 @PVPMETADATA
 public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 	
+	public static final String DELIMITER_ENCBPK_TARGET = "|";
+	
 	public String getName() {
 		return ENC_BPK_LIST_NAME;
 	}
@@ -45,12 +48,22 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 		if (authData instanceof IMOAAuthData) {
 			if (((IMOAAuthData)authData).getEncbPKList() != null &&
 					((IMOAAuthData)authData).getEncbPKList().size() > 0) {
-				String value = ((IMOAAuthData)authData).getEncbPKList().get(0);
-				for (int i=1; i<((IMOAAuthData)authData).getEncbPKList().size(); i++)
-					value += ";"+((IMOAAuthData)authData).getEncbPKList().get(i);			
+				Pair<String, String> value = ((IMOAAuthData)authData).getEncbPKList().get(0);				
+				String result = BPKListAttributeBuilder.LIST_ELEMENT_START 
+									+ value.getSecond() + DELIMITER_ENCBPK_TARGET +  value.getFirst() 
+								+ BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+				for (int i=1; i<((IMOAAuthData)authData).getEncbPKList().size(); i++) {
+					Pair<String, String> el = ((IMOAAuthData)authData).getEncbPKList().get(i);					
+					result += BPKListAttributeBuilder.DELIMITER_BPK_LIST 
+								+ BPKListAttributeBuilder.LIST_ELEMENT_START 
+									+ el.getSecond() + DELIMITER_ENCBPK_TARGET +  el.getFirst() 
+								+ BPKListAttributeBuilder.LIST_ELEMENT_END;		
+					
+				}
 			
 				return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, 
-						value);
+						result);
 			
 			}
 			
@@ -59,16 +72,6 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 		
 		throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);
 		
-//		String encbpk = "XXX01234567890XXX";
-//		String type = "Bereich";
-//		String vkz = "Verfahrenskennzeichen";
-//		
-//		//TODO: implement encrypted bPK support
-//		
-//		Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk);
-//		
-//		return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, 
-//				vkz + "+" + type + "|" + encbpk);
 	}
 	
 	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java
index a40c0fefb..fb101467a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java
@@ -48,8 +48,16 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder
 
 	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
-		if (authData instanceof IMOAAuthData) {
+		if (authData instanceof IMOAAuthData) {					
 			if (((IMOAAuthData)authData).isUseMandate()) {
+				
+				if (((IMOAAuthData)authData).isIseIDNewDemoMode()) {
+					Logger.info(MANDATE_FULL_MANDATE_FRIENDLY_NAME + " is NOT available in Austrian eID demo-mode");
+					return null;
+					
+				}
+				
+				
 				//only provide full mandate if it is included. 
 				//In case of federation only a short mandate could be include 
 				if (((IMOAAuthData)authData).getMandate() != null) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index f67f79dcf..4d41cc19b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -22,11 +22,13 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.builder.attributes;
 
+import org.apache.commons.lang3.StringUtils;
 import org.w3c.dom.Element;
 
 import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
 import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
@@ -36,9 +38,9 @@ import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
 import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.BPKAttributeBuilder;
 import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
-import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.data.IMOAAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
@@ -57,42 +59,10 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeBuilderException {						
 		try {			
-			Pair<String, String> calcResult = internalBPKGenerator((IOAAuthParameters)oaParam, authData);
-			if (calcResult != null) {					
-				String bpk = calcResult.getFirst();
-				String type = calcResult.getSecond();
-				
-				if (MiscUtil.isEmpty(bpk))
-					throw new UnavailableAttributeException(BPK_NAME);
-				
-				if (type != null) {	
-					if (type.startsWith(Constants.URN_PREFIX_WBPK))
-						type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
-				
-					else if (type.startsWith(Constants.URN_PREFIX_CDID)) 
-						type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
-				
-					else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) 
-						type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
-					
-				} else {
-					Logger.debug("bPK type is 'null' --> use it as it is");
-					
-				}
-				
-				if (bpk.length() > BPK_MAX_LENGTH) {
-					bpk = bpk.substring(0, BPK_MAX_LENGTH);
-				}
-				
-				Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
-				
-				if (type != null)
-					return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk);
-				else
-					return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
-			
-			}
-			
+			String bPKResult = getBpkAttributeStringForSP(oaParam, authData);
+			if (StringUtils.isNoneEmpty(bPKResult))
+				return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bPKResult);
+						
 		}
 		catch (BuildException | ConfigurationException | EAAFBuilderException e) {
 			Logger.error("Failed to generate IdentificationType");
@@ -103,12 +73,109 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 		return null;
 		
 	}
-	
+		
 	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
 		return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME);
 	}
 	
-	protected Pair<String, String> internalBPKGenerator(ISPConfiguration oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException, EAAFBuilderException {		
+	protected Pair<String, String> getBpkForSp(ISPConfiguration oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException, EAAFBuilderException {
+		Pair<String, String> baseId = getBaseIdFromMandate(oaParam, authData);
+		Pair<String, String> bPKResult = null;
+		
+		if (baseId != null) {			
+			if (baseId.getSecond() != null && baseId.getSecond().equals(Constants.URN_PREFIX_BASEID))									
+				bPKResult  = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseId.getFirst(), 
+						oaParam.getAreaSpecificTargetIdentifier());								
+			else {
+				Logger.debug("No BaseId target in mandate. Use it as it is ... ");
+				bPKResult = Pair.newInstance(baseId.getFirst(), null);
+			
+			}
+		}
+		
+		return bPKResult;
+		
+	}
+	
+	
+	/**
+	 * Generate the bPK String for this specific SP
+	 * 
+	 * @param oaParam
+	 * @param authData
+	 * @return
+	 * @throws UnavailableAttributeException
+	 * @throws EAAFBuilderException 
+	 * @throws ConfigurationException 
+	 * @throws BuildException 
+	 * @throws NoMandateDataAttributeException 
+	 */
+	protected String getBpkAttributeStringForSP(ISPConfiguration oaParam, IAuthData authData) throws UnavailableAttributeException, EAAFBuilderException, NoMandateDataAttributeException, BuildException, ConfigurationException {				
+		Pair<String, String> bPKResult = getBpkForSp(oaParam, authData);
+		if (bPKResult != null) {					
+			String bpk = bPKResult.getFirst();
+			String type = bPKResult.getSecond();
+			
+			if (MiscUtil.isEmpty(bpk))
+				throw new UnavailableAttributeException(BPK_NAME);
+			
+			if (type != null)
+				type = removeBpkTypePrefix(type);					
+			else
+				Logger.debug("bPK type is 'null' --> use it as it is");
+								
+			bpk = attrMaxSize(bpk);
+			
+			Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
+			
+			if (type != null)
+				return type + BPKAttributeBuilder.DELIMITER_BPKTYPE_BPK + bpk;
+			else
+				return bpk;
+		
+		}
+		
+		return null;
+		
+	}
+	
+	
+	/**
+	 * Limit the attribute value to maximum size
+	 * 
+	 * @param attr
+	 * @return
+	 */
+	protected String attrMaxSize(String attr) {
+		if (attr != null && attr.length() > BPK_MAX_LENGTH) {
+			attr = attr.substring(0, BPK_MAX_LENGTH);
+		}
+		return attr;
+		
+	}
+	
+	/**
+	 * Remove bPKType prefix if available
+	 * 
+	 * @param type
+	 * @return
+	 */
+	protected String removeBpkTypePrefix(String type) {
+		if (type.startsWith(EAAFConstants.URN_PREFIX_WBPK))
+			return type.substring((EAAFConstants.URN_PREFIX_WBPK).length());
+		
+		else if (type.startsWith(EAAFConstants.URN_PREFIX_CDID)) 
+			return type.substring((EAAFConstants.URN_PREFIX_CDID).length());
+		
+		else if (type.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) 
+			return type.substring((EAAFConstants.URN_PREFIX_EIDAS).length());
+		
+		else
+			return type;
+		
+	}
+	
+	protected Pair<String, String> getBaseIdFromMandate(ISPConfiguration oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException, EAAFBuilderException {		
 		//get PVP attribute directly, if exists 
 		Pair<String, String> calcResult = null;
 		if (authData instanceof IMOAAuthData) {
@@ -136,13 +203,8 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 						Logger.info("Failed to generate IdentificationType");
 						throw new NoMandateDataAttributeException();
 					}
-				
-									
-					if (id.getType().equals(Constants.URN_PREFIX_BASEID))									
-						calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), 
-								oaParam.getAreaSpecificTargetIdentifier());								
-					else
-						calcResult = Pair.newInstance(id.getValue().getValue(), id.getType());
+													
+					calcResult = Pair.newInstance(id.getValue().getValue(), id.getType());
 	
 				
 				} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java
new file mode 100644
index 000000000..fd00e2f61
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKListAttributeBuilder.java
@@ -0,0 +1,83 @@
+
+package at.gv.egovernment.moa.id.protocols.builder.attributes;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.BPKAttributeBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+@PVPMETADATA
+public class MandateNaturalPersonBPKListAttributeBuilder extends MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBuilder {
+			
+	public String getName() {
+		return MANDATE_NAT_PER_BPK_LIST_NAME;
+	}
+	
+	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+		
+		try {
+			String result = getBpkAttributeStringForSP(oaParam, authData);
+		
+			if (result != null) {
+				result = BPKListAttributeBuilder.LIST_ELEMENT_START + result + BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+				//add additional bPKs if someone are available
+				if (authData.getAdditionalbPKs() != null && !authData.getAdditionalbPKs().isEmpty()) {			
+					Logger.info("Additional bPKs available. Calculate additional bPKs for mandate ... ");			
+					Pair<String, String> baseId = getBaseIdFromMandate(oaParam, authData);			
+					if (baseId != null && StringUtils.isNotEmpty(baseId.getSecond()) 
+							&& baseId.getSecond().equals(Constants.URN_PREFIX_BASEID)) {			
+						for (Pair<String, String> el : authData.getAdditionalbPKs()) {
+							
+							Pair<String, String> addBpk = 
+									new BPKBuilder().generateAreaSpecificPersonIdentifier(
+											baseId.getFirst(), 
+											el.getSecond());	
+							
+							Logger.trace("Calculate bPK with " + addBpk.toString());
+							
+							result += BPKListAttributeBuilder.DELIMITER_BPK_LIST 
+										+ BPKListAttributeBuilder.LIST_ELEMENT_START 
+											+ removeBpkTypePrefix(addBpk.getSecond()) 
+											+ BPKAttributeBuilder.DELIMITER_BPKTYPE_BPK 
+											+ attrMaxSize(addBpk.getFirst())
+										+ BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+						}
+					}
+				}
+		
+				Logger.trace("Authenticate user with List of bPK/wbPK: " + result + " for mandate");		
+				return g.buildStringAttribute(MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_LIST_NAME, result);
+			
+			}
+			
+			return null;
+			
+		} catch (BuildException | ConfigurationException | EAAFBuilderException e) {
+			Logger.error("Failed to generate IdentificationType");
+			throw new NoMandateDataAttributeException();
+				
+		}
+		
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_LIST_NAME);
+	}
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java
new file mode 100644
index 000000000..220ccd94e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonEncBPKListAttributeBuilder.java
@@ -0,0 +1,62 @@
+
+package at.gv.egovernment.moa.id.protocols.builder.attributes;
+
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA;
+import at.gv.egovernment.moa.id.data.IMOAAuthData;
+import at.gv.egovernment.moa.logging.Logger;
+
+@PVPMETADATA
+public class MandateNaturalPersonEncBPKListAttributeBuilder implements IPVPAttributeBuilder {
+			
+	public String getName() {
+		return MANDATE_NAT_PER_ENC_BPK_LIST_NAME;
+	}
+	
+	public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+		
+		if (authData instanceof IMOAAuthData) {			
+			if (((IMOAAuthData) authData).isUseMandate()) {			
+				if (((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList() != null &&
+						((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().size() > 0) {
+					Pair<String, String> value = ((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().get(0);				
+					String result = BPKListAttributeBuilder.LIST_ELEMENT_START 
+										+ value.getSecond() + EncryptedBPKAttributeBuilder.DELIMITER_ENCBPK_TARGET +  value.getFirst() 
+									+ BPKListAttributeBuilder.LIST_ELEMENT_END;
+				
+					for (int i=1; i<((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().size(); i++) {
+						Pair<String, String> el = ((IMOAAuthData)authData).getEncMandateNaturalPersonbPKList().get(i);					
+						result += BPKListAttributeBuilder.DELIMITER_BPK_LIST 
+									+ BPKListAttributeBuilder.LIST_ELEMENT_START 
+										+ el.getSecond() + EncryptedBPKAttributeBuilder.DELIMITER_ENCBPK_TARGET +  el.getFirst() 
+										+ BPKListAttributeBuilder.LIST_ELEMENT_END;		
+					
+					}
+			
+					return g.buildStringAttribute(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_ENC_BPK_LIST_NAME, 
+							result);
+			
+				}
+				
+			} else
+				Logger.trace(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME + " is only availabe if mandates are used");
+						
+		} else
+			Logger.info(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME + " is only available in MOA-ID context");
+		
+		throw new UnavailableAttributeException(MANDATE_NAT_PER_ENC_BPK_LIST_NAME);
+		
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, MANDATE_NAT_PER_ENC_BPK_LIST_NAME);
+	}
+		
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 32b45a595..88648b56e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.No
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 
+@Deprecated
 @PVPMETADATA
 public class MandateNaturalPersonSourcePinAttributeBuilder  implements IPVPAttributeBuilder {
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
index 90a0d61c9..223994e6e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.No
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 
+@Deprecated
 @PVPMETADATA
 public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAttributeBuilder  {
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/SimpleStringAttributeGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/SimpleStringAttributeGenerator.java
new file mode 100644
index 000000000..5daa71b1f
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/SimpleStringAttributeGenerator.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.builder.attributes;
+
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SimpleStringAttributeGenerator implements IAttributeGenerator<String> {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator#buildStringAttribute(java.lang.String, java.lang.String, java.lang.String)
+	 */
+	@Override
+	public String buildStringAttribute(String friendlyName, String name, String value) {
+		return value;
+		
+	} 
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator#buildIntegerAttribute(java.lang.String, java.lang.String, int)
+	 */
+	@Override
+	public String buildIntegerAttribute(String friendlyName, String name, int value) {
+		return String.valueOf(value);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator#buildLongAttribute(java.lang.String, java.lang.String, long)
+	 */
+	@Override
+	public String buildLongAttribute(String friendlyName, String name, long value) {
+		return String.valueOf(value);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator#buildEmptyAttribute(java.lang.String, java.lang.String)
+	 */
+	@Override
+	public String buildEmptyAttribute(String friendlyName, String name) {
+		return null;
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 1fa17c683..4fc37d88f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -145,7 +145,9 @@ public class MOAMetadataProvider extends AbstractChainingMetadataProvider {
 			try {
 				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 				MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-						PVPConstants.SSLSOCKETFACTORYNAME, 
+						PVPConstants.SSLSOCKETFACTORYNAME,
+						moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+								AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 						moaAuthConfig.getTrustedCACertificates(),
 						null,
 						AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
index d7ada1f36..bd908f894 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
@@ -75,7 +75,9 @@ public class MOASAMLSOAPClient {
 				//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 				SecureProtocolSocketFactory sslprotocolsocketfactory = 
 						new MOAHttpProtocolSocketFactory(
-								PVPConstants.SSLSOCKETFACTORYNAME,  
+								PVPConstants.SSLSOCKETFACTORYNAME,
+								AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean(
+										AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
 								AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
 								null,
 								AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),