aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java25
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java13
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java153
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java131
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java1
13 files changed, 329 insertions, 85 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index c98af695b..5ff8b74b8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -24,6 +24,7 @@
package at.gv.egovernment.moa.id.auth;
+import iaik.cms.ecc.IaikEccProvider;
import iaik.pki.PKIException;
import iaik.pki.jsse.IAIKX509TrustManager;
import iaik.security.ecc.provider.ECCProvider;
@@ -31,6 +32,7 @@ import iaik.security.provider.IAIK;
import java.io.IOException;
import java.security.GeneralSecurityException;
+import java.security.Security;
import java.util.Properties;
import javax.activation.CommandMap;
@@ -76,6 +78,14 @@ public class MOAIDAuthInitializer {
Logger.info("Default java file.encoding: "
+ System.getProperty("file.encoding"));
+
+ Logger.info("Loading security providers.");
+ IAIK.addAsProvider();
+
+
+// Security.insertProviderAt(new IAIK(), 1);
+// Security.insertProviderAt(new ECCProvider(), 1);
+
//JDK bug workaround according to:
// http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier
// register content data handlers for S/MIME types
@@ -185,5 +195,4 @@ public class MOAIDAuthInitializer {
AuthConfigLoader.start();
}
-
} \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
index 27ac16157..1b7b317c1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
@@ -23,9 +23,13 @@
package at.gv.egovernment.moa.id.auth.servlet;
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.security.Security;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
@@ -34,6 +38,7 @@ import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -351,6 +356,12 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
super.init(servletConfig);
}
+
+// public void contextDestroyed(ServletContextEvent arg0) {
+// Security.removeProvider((new IAIK()).getName());
+// Security.removeProvider((new ECCProvider()).getName());
+// }
+
/**
* Set response headers to avoid caching
*
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 7130089ae..ef9b63606 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -2,7 +2,11 @@ package at.gv.egovernment.moa.id.entrypoints;
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+
import java.io.IOException;
+import java.security.Security;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
@@ -481,7 +485,7 @@ public class DispatcherServlet extends AuthServlet{
}
}
-
+
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index bef58ab59..dc2330f40 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -124,7 +124,6 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
RequestAbstractType samlReq = moaRequest.getSamlRequest();
//String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq));
-
//Logger.info("SAML : " + xml);
if(!moaRequest.isVerified()) {
@@ -137,6 +136,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
throw new MOAIDException("Unsupported request", new Object[] {});
}
+ EntityDescriptor metadata = moaRequest.getEntityMetadata();
+ if(metadata == null) {
+ throw new NoMetadataInformationException();
+ }
+ SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
AuthnRequest authnRequest = (AuthnRequest)samlReq;
Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
@@ -144,6 +149,9 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
if(aIdx != null) {
assertionidx = aIdx.intValue();
+
+ } else {
+ assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
}
aIdx = authnRequest.getAttributeConsumingServiceIndex();
@@ -153,13 +161,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
attributeIdx = aIdx.intValue();
}
- EntityDescriptor metadata = moaRequest.getEntityMetadata();
- if(metadata == null) {
- throw new NoMetadataInformationException();
- }
- SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx);
- AttributeConsumingService attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+
+ AttributeConsumingService attributeConsumer = null;
+
+ if (spSSODescriptor.getAttributeConsumingServices() != null &&
+ spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+ attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+ }
String oaURL = moaRequest.getEntityMetadata().getEntityID();
String binding = consumerService.getBinding();
@@ -176,7 +185,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
String useMandate = request.getParameter(PARAM_USEMANDATE);
if(useMandate != null) {
- if(useMandate.equals("true")) {
+ if(useMandate.equals("true") && attributeConsumer != null) {
if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {
throw new MandateAttributesNotHandleAbleException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 232ad315f..9319c306b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -27,6 +27,7 @@ import org.opensaml.xml.security.credential.Credential;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.logging.Logger;
public class PostBinding implements IDecoder, IEncoder {
@@ -45,6 +46,8 @@ public class PostBinding implements IDecoder, IEncoder {
Credential credentials = CredentialProvider
.getIDPSigningCredential();
+ Logger.debug("create SAML POSTBinding response");
+
// VelocityEngine engine =
// VelocityProvider.getClassPathVelocityEngine();
VelocityEngine engine = new VelocityEngine();
@@ -67,7 +70,7 @@ public class PostBinding implements IDecoder, IEncoder {
.buildObject();
service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
service.setLocation(targetLocation);
- context.setOutboundSAMLMessageSigningCredential(credentials);
+ context.setOutboundSAMLMessageSigningCredential(credentials);
context.setPeerEntityEndpoint(service);
// context.setOutboundMessage(authReq);
context.setOutboundSAMLMessage(response);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 418c4a60c..78b63e041 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -3,11 +3,13 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
@@ -31,6 +33,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
public class RedirectBinding implements IDecoder, IEncoder {
@@ -47,6 +51,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
Credential credentials = CredentialProvider
.getIDPSigningCredential();
+ Logger.debug("create SAML RedirectBinding response");
+
HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
resp, true);
@@ -84,13 +90,18 @@ public class RedirectBinding implements IDecoder, IEncoder {
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+
+
BasicSecurityPolicy policy = new BasicSecurityPolicy();
policy.getPolicyRules().add(signatureRule);
+ policy.getPolicyRules().add(signedRole);
+
SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
policy);
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
messageContext.setSecurityPolicyResolver(resolver);
-
+
decode.decode(messageContext);
signatureRule.evaluate(messageContext);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 5e8206739..9e2c89583 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -21,6 +21,7 @@ import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
@@ -42,6 +43,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
@@ -55,53 +57,55 @@ import at.gv.egovernment.moa.util.Constants;
public class PVP2AssertionBuilder implements PVPConstants {
public static Assertion buildAssertion(AuthnRequest authnRequest,
- AuthenticationSession authSession, EntityDescriptor peerEntity)
+ AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date)
throws MOAIDException {
Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
RequestedAuthnContext reqAuthnContext = authnRequest
.getRequestedAuthnContext();
- if (reqAuthnContext == null) {
- throw new NoAuthContextException();
- }
-
- boolean stork_qaa_1_4_found = false;
-
AuthnContextClassRef authnContextClassRef = SAML2Utils
.createSAMLObject(AuthnContextClassRef.class);
-
- List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
- .getAuthnContextClassRefs();
- if (reqAuthnContextClassRefIt.size() == 0) {
- stork_qaa_1_4_found = true;
+ if (reqAuthnContext == null) {
authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
-
- } else {
- for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
- String qaa_uri = authnClassRef.getAuthnContextClassRef();
- if (qaa_uri.trim().equals(STORK_QAA_1_4)
- || qaa_uri.trim().equals(STORK_QAA_1_3)
- || qaa_uri.trim().equals(STORK_QAA_1_2)
- || qaa_uri.trim().equals(STORK_QAA_1_1)) {
-
- if (authSession.isForeigner()) {
- //TODO: insert QAA check
-
- stork_qaa_1_4_found = false;
-
- } else {
- stork_qaa_1_4_found = true;
- authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+
+ } else {
+
+ boolean stork_qaa_1_4_found = false;
+
+ List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+ .getAuthnContextClassRefs();
+
+ if (reqAuthnContextClassRefIt.size() == 0) {
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+
+ } else {
+ for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+ String qaa_uri = authnClassRef.getAuthnContextClassRef();
+ if (qaa_uri.trim().equals(STORK_QAA_1_4)
+ || qaa_uri.trim().equals(STORK_QAA_1_3)
+ || qaa_uri.trim().equals(STORK_QAA_1_2)
+ || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+
+ if (authSession.isForeigner()) {
+ //TODO: insert QAA check
+
+ stork_qaa_1_4_found = false;
+
+ } else {
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+ }
+ break;
}
- break;
}
}
- }
-
- if (!stork_qaa_1_4_found) {
- throw new QAANotSupportedException(STORK_QAA_1_4);
+
+ if (!stork_qaa_1_4_found) {
+ throw new QAANotSupportedException(STORK_QAA_1_4);
+ }
}
// reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
@@ -133,7 +137,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
AuthnStatement authnStatement = SAML2Utils
.createSAMLObject(AuthnStatement.class);
String remoteSessionID = SAML2Utils.getSecureIdentifier();
- authnStatement.setAuthnInstant(new DateTime());
+ authnStatement.setAuthnInstant(date);
// currently dummy id ...
authnStatement.setSessionIndex(remoteSessionID);
authnStatement.setAuthnContext(authnContext);
@@ -142,16 +146,14 @@ public class PVP2AssertionBuilder implements PVPConstants {
SPSSODescriptor spSSODescriptor = peerEntity
.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
+
Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
int idx = 0;
if (aIdx != null) {
idx = aIdx.intValue();
- }
-
- AttributeConsumingService attributeConsumingService = spSSODescriptor
- .getAttributeConsumingServices().get(idx);
+
+ }
AttributeStatement attributeStatement = SAML2Utils
.createSAMLObject(AttributeStatement.class);
@@ -195,32 +197,38 @@ public class PVP2AssertionBuilder implements PVPConstants {
.buildAuthenticationData(authSession, oaParam,
oaParam.getTarget());
- Iterator<RequestedAttribute> it = attributeConsumingService
- .getRequestAttributes().iterator();
- while (it.hasNext()) {
- RequestedAttribute reqAttribut = it.next();
- try {
- Attribute attr = PVPAttributeBuilder.buildAttribute(
- reqAttribut.getName(), authSession, oaParam, authData);
- if (attr == null) {
+ if (spSSODescriptor.getAttributeConsumingServices() != null &&
+ spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+
+ AttributeConsumingService attributeConsumingService = spSSODescriptor
+ .getAttributeConsumingServices().get(idx);
+
+ Iterator<RequestedAttribute> it = attributeConsumingService
+ .getRequestAttributes().iterator();
+ while (it.hasNext()) {
+ RequestedAttribute reqAttribut = it.next();
+ try {
+ Attribute attr = PVPAttributeBuilder.buildAttribute(
+ reqAttribut.getName(), authSession, oaParam, authData);
+ if (attr == null) {
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(
+ reqAttribut.getName());
+ }
+ } else {
+ attributeStatement.getAttributes().add(attr);
+ }
+ } catch (PVP2Exception e) {
+ Logger.error(
+ "Attribute generation failed! for "
+ + reqAttribut.getFriendlyName(), e);
if (reqAttribut.isRequired()) {
throw new UnprovideableAttributeException(
reqAttribut.getName());
}
- } else {
- attributeStatement.getAttributes().add(attr);
- }
- } catch (PVP2Exception e) {
- Logger.error(
- "Attribute generation failed! for "
- + reqAttribut.getFriendlyName(), e);
- if (reqAttribut.isRequired()) {
- throw new UnprovideableAttributeException(
- reqAttribut.getName());
}
}
}
-
if (attributeStatement.getAttributes().size() > 0) {
assertion.getAttributeStatements().add(attributeStatement);
}
@@ -292,8 +300,17 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = SAML2Utils
.createSAMLObject(SubjectConfirmationData.class);
subjectConfirmationData.setInResponseTo(authnRequest.getID());
- subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
- subjectConfirmationData.setRecipient(peerEntity.getEntityID());
+ subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5));
+
+ //TL: change from entityID to destination URL
+ AssertionConsumerService consumerService = spSSODescriptor
+ .getAssertionConsumerServices().get(idx);
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException(idx);
+ }
+
+ subjectConfirmationData.setRecipient(consumerService.getLocation());
subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
@@ -303,12 +320,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
AudienceRestriction audienceRestriction = SAML2Utils
.createSAMLObject(AudienceRestriction.class);
Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
+
audience.setAudienceURI(peerEntity.getEntityID());
audienceRestriction.getAudiences().add(audience);
- conditions.setNotBefore(new DateTime());
+ conditions.setNotBefore(date);
- conditions.setNotOnOrAfter(new DateTime().plusMinutes(20));
+ conditions.setNotOnOrAfter(date.plusMinutes(5));
// conditions.setNotOnOrAfter(new DateTime());
conditions.getAudienceRestrictions().add(audienceRestriction);
@@ -316,12 +333,16 @@ public class PVP2AssertionBuilder implements PVPConstants {
assertion.setConditions(conditions);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+
+ //TODO: check!
+ //change to entity value from entity name to IDP EntityID (URL)
+ issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
issuer.setFormat(NameID.ENTITY);
+
assertion.setIssuer(issuer);
assertion.setSubject(subject);
assertion.setID(SAML2Utils.getSecureIdentifier());
- assertion.setIssueInstant(new DateTime());
+ assertion.setIssueInstant(date);
return assertion;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
index ad664486b..2c4eb15de 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
@@ -15,6 +15,7 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild
public String getName() {
return MANDATE_REFERENCE_VALUE_NAME;
}
+ public Attribute build(AuthenticationSession authSession,
public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
@@ -39,3 +40,29 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild
return g.buildEmptyAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME);
}
}
+
+ public Attribute build(AuthenticationSession authSession,
+ OAAuthParameter oaParam, AuthenticationData authData) throws PVP2Exception {
+ if(authSession.getUseMandate()) {
+
+// Element mandate = authSession.getMandate();
+// if(mandate == null) {
+// throw new NoMandateDataAvailableException();
+// }
+// Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+// if(mandateObject == null) {
+// throw new NoMandateDataAvailableException();
+// }
+
+ return buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME,
+ MANDATE_REFERENCE_VALUE_NAME, authSession.getMandateReferenceValue());
+ }
+ return null;
+
+ }
+
+ public Attribute buildEmpty() {
+ return buildemptyAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME,
+ MANDATE_REFERENCE_VALUE_NAME);
+ }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
new file mode 100644
index 000000000..142227a59
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
@@ -0,0 +1,14 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+import org.opensaml.saml2.core.StatusCode;
+
+public class InvalidAssertionEncryptionException extends PVP2Exception {
+
+ private static final long serialVersionUID = 6513388841485355549L;
+
+ public InvalidAssertionEncryptionException() {
+ super("pvp2.16", new Object[]{});
+ this.statusCodeValue = StatusCode.REQUESTER_URI;
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 1d494c512..0c7dea3c8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,19 +1,47 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+import org.opensaml.Configuration;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder;
+import org.opensaml.saml2.encryption.Encrypter;
+import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCriteria;
import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.encryption.EncryptionException;
+import org.opensaml.xml.encryption.EncryptionParameters;
+import org.opensaml.xml.encryption.KeyEncryptionParameters;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.KeyInfo;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -27,6 +55,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
@@ -45,37 +76,110 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest();
EntityDescriptor peerEntity = obj.getEntityMetadata();
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity);
-
+ DateTime date = new DateTime();
+
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity, date);
+
Response authResponse = SAML2Utils.createSAMLObject(Response.class);
-
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
nissuer.setFormat(NameID.ENTITY);
authResponse.setIssuer(nissuer);
authResponse.setInResponseTo(authnRequest.getID());
- authResponse.getAssertions().add(assertion);
+
+
+ //SAML2 response required IssueInstant
+ authResponse.setIssueInstant(date);
+
authResponse.setStatus(SAML2Utils.getSuccessStatus());
+ SPSSODescriptor spSSODescriptor = peerEntity
+ .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
int idx = 0;
if (aIdx != null) {
idx = aIdx.intValue();
+
+ } else {
+ idx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
}
-
- SPSSODescriptor spSSODescriptor = peerEntity
- .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
AssertionConsumerService consumerService = spSSODescriptor
.getAssertionConsumerServices().get(idx);
if (consumerService == null) {
+ //TODO: maybe use default ConsumerService
+
throw new InvalidAssertionConsumerServiceException(idx);
+
}
String oaURL = consumerService.getLocation();
+ //check, if metadata includes an encryption key
+ MetadataCredentialResolver mdCredResolver =
+ new MetadataCredentialResolver(MOAMetadataProvider.getInstance());
+
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) );
+ criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+ criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) );
+
+ X509Credential encryptionCredentials = null;
+ try {
+ encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet);
+
+ } catch (SecurityException e2) {
+ Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2);
+ throw new InvalidAssertionEncryptionException();
+
+ }
+
+ if (encryptionCredentials != null) {
+ //encrypt SAML2 assertion
+
+ try {
+
+ EncryptionParameters dataEncParams = new EncryptionParameters();
+ dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
+
+ List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();
+ KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
+
+ keyEncParam.setEncryptionCredential(encryptionCredentials);
+ keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
+ KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
+ .getKeyInfoGeneratorManager().getDefaultManager()
+ .getFactory(encryptionCredentials);
+ keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+ keyEncParamList.add(keyEncParam);
+
+ Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
+ //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
+ samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+
+ EncryptedAssertion encryptAssertion = null;
+
+ encryptAssertion = samlEncrypter.encrypt(assertion);
+
+ authResponse.getEncryptedAssertions().add(encryptAssertion);
+
+ } catch (EncryptionException e1) {
+ Logger.warn("Can not encrypt the PVP2 assertion", e1);
+ throw new InvalidAssertionEncryptionException();
+
+ }
+
+ } else {
+ authResponse.getAssertions().add(assertion);
+
+ }
+
+
+
+
IEncoder binding = null;
if (consumerService.getBinding().equals(
@@ -101,6 +205,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
binding.encodeRespone(req, resp, authResponse, oaURL);
// TODO add remoteSessionID to AuthSession ExternalPVPSessionStore
+// Logger logger = new Logger();
+// logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse)));
+
+
return assertion.getID();
} catch (MessageEncodingException e) {
@@ -109,6 +217,15 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
} catch (SecurityException e) {
Logger.error("Security exception", e);
throw new MOAIDException("pvp2.01", null, e);
+// } catch (TransformerException e) {
+// Logger.error("Security exception", e);
+// throw new MOAIDException("pvp2.01", null, e);
+// } catch (IOException e) {
+// Logger.error("Security exception", e);
+// throw new MOAIDException("pvp2.01", null, e);
+// } catch (MarshallingException e) {
+// Logger.error("Security exception", e);
+// throw new MOAIDException("pvp2.01", null, e);
}
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
index 7bb5b052f..373bca902 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
@@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
+import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
@@ -13,6 +14,8 @@ import org.opensaml.Configuration;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Marshaller;
@@ -77,4 +80,17 @@ public class SAML2Utils {
status.setStatusCode(statusCode);
return status;
}
+
+ public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) {
+
+ List<AssertionConsumerService> assertionConsumerList = spSSODescriptor.getAssertionConsumerServices();
+
+ for (AssertionConsumerService el : assertionConsumerList) {
+ if (el.isDefault())
+ return el.getIndex();
+
+ }
+
+ return 0;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 628da6773..4823d7629 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -41,6 +41,7 @@ public class SAMLVerificationEngine {
public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+
try {
profileValidator.validate(samlObj.getSignature());
} catch (ValidationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index e40d11128..840c3f2be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -209,6 +209,7 @@ public class AuthenticationSessionStoreage {
//Assertion requires an unique artifact
if (result.size() != 1) {
Logger.trace("No entries found.");
+ tx.rollback();
throw new MOADatabaseException("No session found with this sessionID");
}