Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java79
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java28
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java61
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java129
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java41
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java4
19 files changed, 405 insertions, 79 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 3d38efa9f..003fdfbe9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -265,10 +265,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
if (domainIdentifier.startsWith(PREFIX_WPBK)) {
- isbuisness = false;
+ isbuisness = true;
} else {
- isbuisness = true;
+ isbuisness = false;
}
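Review bot: The new assignment maps a `PREFIX_WPBK` domain identifier to `isbuisness = true`, the exact opposite of what the removed lines did, and nothing in the hunk records why the previous mapping was wrong. A one-line comment above the `if`, e.g. `// WPBK-prefixed domain identifiers denote business (non-public-sector) applications`, would stop the next reader from "fixing" it back, assuming that is indeed the meaning of the prefix. The enclosing method starts and ends outside the hunk.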
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
index 70aa1a160..2e08fad6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
@@ -167,8 +167,10 @@ public class GetIdentityLinkFormBuilder extends Builder {
htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL);
htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL);
+ Map<String, String> map = null;
+
if (oaParam != null) {
- Map<String, String> map = oaParam.getFormCustomizaten();
+ map = oaParam.getFormCustomizaten();
htmlForm = replaceTag(htmlForm, COLOR_TAG, map.get(FormBuildUtils.MAIN_BACKGROUNDCOLOR), false, ALL);
htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, map.get(FormBuildUtils.REDIRECTTARGET), false, ALL);
@@ -179,11 +181,15 @@ public class GetIdentityLinkFormBuilder extends Builder {
if (MiscUtil.isNotEmpty(appletheigth))
htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, appletheigth, false, ALL);
+ else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_HEIGHT)))
+ htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, map.get(FormBuildUtils.APPLET_HEIGHT), false, ALL);
else
htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, "160", false, ALL);
if (MiscUtil.isNotEmpty(appletwidth))
htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, appletwidth, false, ALL);
+ else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_WIDTH)))
+ htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, map.get(FormBuildUtils.APPLET_WIDTH), false, ALL);
else
htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, "250", false, ALL);
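Review bot: The configured applet height and width read from `map` on the two new else-if branches are substituted into the HTML template without any check that they are numeric, unlike the hard-coded fallbacks "160" and "250", and what the `false` flag passed to replaceTag does to the value is not visible here. The values come from operator-managed OA configuration rather than from the request, so the exposure is limited, but a guard such as `MiscUtil.isNotEmpty(v) && v.matches("\\d+")` before substitution would keep a malformed configured size from producing broken or injectable markup. The enclosing method starts and ends outside the hunk.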
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java
index 90ad3cf42..ff3b7b170 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java
@@ -22,6 +22,7 @@
******************************************************************************/
package at.gv.egovernment.moa.id.auth.builder;
+import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
@@ -58,7 +59,7 @@ public class LoginFormBuilder {
private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate";
- public static String getTemplate() {
+ private static String getTemplate() {
String pathLocation ="";
InputStream input = null;
@@ -118,8 +119,21 @@ public class LoginFormBuilder {
}
public static String buildLoginForm(String modul, String action, OAAuthParameter oaParam, String contextpath, String moaSessionID) {
- String value = getTemplate();
+ String value = null;
+
+ byte[] oatemplate = oaParam.getBKUSelectionTemplate();
+ // OA specific template requires a size of 8 bits minimum
+ if (oatemplate != null && oatemplate.length > 7) {
+ InputStream is = new ByteArrayInputStream(oatemplate);
+ value = getTemplate(is);
+
+ } else {
+ //load default BKU-selection template
+ value = getTemplate();
+
+ }
+
if(value != null) {
if(modul == null) {
modul = SAML1Protocol.PATH;
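Review bot: The comment `// OA specific template requires a size of 8 bits minimum` does not match the check under it, which compares `oatemplate.length`, a byte count, against 7; suggest `// OA-specific template must be at least 8 bytes long; shorter values are treated as "not configured"`. The same comment appears in SendAssertionFormBuilder.buildForm in this commit, where the else-branch comment `//load default BKU-selection template` is also a copy-paste leftover for a send-assertion template. `oaParam` is now dereferenced on the first line of buildLoginForm; if any caller can pass null here (the original guard, if any, is outside this hunk), that now fails with a NullPointerException before the previous code path would have run. buildLoginForm continues outside the hunk.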
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
index f65a3c011..24b848176 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
@@ -22,6 +22,7 @@
******************************************************************************/
package at.gv.egovernment.moa.id.auth.builder;
+import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
@@ -58,32 +59,50 @@ public class SendAssertionFormBuilder {
private static String SERVLET = CONTEXTPATH+"/SSOSendAssertionServlet";
private static String getTemplate() {
-
- String template = null;
- InputStream input = null;
- try {
- String pathLocation;
-
- String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir();
- pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL;
+ String pathLocation;
+ InputStream input = null;
+ try {
+ String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir();
+ pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL;
+
+ try {
+ File file = new File(new URI(pathLocation));
+ input = new FileInputStream(file);
+
+ } catch (FileNotFoundException e) {
- try {
- File file = new File(new URI(pathLocation));
- input = new FileInputStream(file);
-
- } catch (FileNotFoundException e) {
-
- Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package.");
-
- pathLocation = "resources/templates/" + HTMLTEMPLATEFULL;
-
- input = Thread.currentThread()
- .getContextClassLoader()
- .getResourceAsStream(pathLocation);
-
- }
+ Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package.");
+
+ pathLocation = "resources/templates/" + HTMLTEMPLATEFULL;
+
+ input = Thread.currentThread()
+ .getContextClassLoader()
+ .getResourceAsStream(pathLocation);
+
+ }
+
+ return getTemplate(input);
+
+ } catch (Exception e) {
+ try {
+ input.close();
+ } catch (IOException e1) {
+ Logger.warn("SendAssertionTemplate inputstream can not be closed.", e);
+ }
+
+ return null;
+ }
+
+ }
+
+ private static String getTemplate(InputStream input) {
+
+ String template = null;
+
+ try {
+
StringWriter writer = new StringWriter();
IOUtils.copy(input, writer);
template = writer.toString();
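Review bot: The catch block at the end of the new getTemplate() calls `input.close()` unconditionally, but `input` is still null when getResourceAsStream() found no packaged template or when the failure happened before the assignment, so the error path itself throws NullPointerException and the intended `return null` is never reached. The inner catch also logs `e` instead of `e1`, and the original exception is never logged at all. Suggested rewrite of the catch block below; whether the stream is closed on the success path depends on getTemplate(InputStream), whose body ends outside the hunk.
```java
        // … unchanged: template lookup and fallback to packaged resource …
        return getTemplate(input);

    } catch (Exception e) {
        Logger.warn("SendAssertionTemplate can not be loaded.", e);
        if (input != null) {
            try {
                input.close();
            } catch (IOException e1) {
                Logger.warn("SendAssertionTemplate inputstream can not be closed.", e1);
            }
        }
        return null;
    }
```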
@@ -105,7 +124,19 @@ public class SendAssertionFormBuilder {
}
public static String buildForm(String modul, String action, String id, OAAuthParameter oaParam, String contextpath) {
- String value = getTemplate();
+ String value = null;
+
+ byte[] oatemplate = oaParam.getSendAssertionTemplate();
+ // OA specific template requires a size of 8 bits minimum
+ if (oatemplate != null && oatemplate.length > 7) {
+ InputStream is = new ByteArrayInputStream(oatemplate);
+ value = getTemplate(is);
+
+ } else {
+ //load default BKU-selection template
+ value = getTemplate();
+
+ }
if(value != null) {
if(modul == null) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
index c66e19eb0..d2d458e74 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
@@ -82,9 +82,12 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
AuthenticationSession moasession = null;
- try {
- //moasessionid = (String) req.getSession().getAttribute(AuthenticationManager.MOA_SESSION);
-
+ if (MiscUtil.isEmpty(bkuid) || MiscUtil.isEmpty(moasessionid)) {
+ Logger.warn("MOASessionID or BKU-type is empty. Maybe an old BKU-selection template is in use.");
+ throw new MOAIDException("auth.23", new Object[] {});
+ }
+
+ try {
pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moasessionid);
moasession = AuthenticationSessionStoreage.getSession(moasessionid);
@@ -112,7 +115,7 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
//load Parameters from config
String target = oaParam.getTarget();
-
+
String bkuURL = oaParam.getBKUURL(bkuid);
if (MiscUtil.isEmpty(bkuURL)) {
Logger.info("No OA specific BKU defined. Use BKU from default configuration");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 304b63de0..c0f47d781 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -110,6 +110,7 @@ import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed;
import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig;
import at.gv.egovernment.moa.id.config.stork.STORKConfig;
import at.gv.egovernment.moa.id.data.IssuerAndSerial;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -365,7 +366,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
//Initialize OpenSAML for STORK
Logger.info("Starting initialization of OpenSAML...");
- DefaultBootstrap.bootstrap();
+ MOADefaultBootstrap.bootstrap();
+ //DefaultBootstrap.bootstrap();
Logger.debug("OpenSAML successfully initialized");
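Review bot: The replaced call survives as the commented-out line `//DefaultBootstrap.bootstrap();`; delete it rather than keeping it in comments, and drop the `DefaultBootstrap` import if nothing else in the file uses it. A short comment on the new call would help a reader who sees two near-identical bootstrap classes, e.g. `// MOA bootstrap installs SHA-256 signature/digest defaults in place of OpenSAML's SHA-1 ones`. Any remaining caller of `DefaultBootstrap.bootstrap()` elsewhere in the code base would presumably reinstall the library defaults over this configuration, so the other call sites are worth checking. The enclosing method starts and ends outside the hunk.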
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 7a38e2afd..8e7ca0779 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -320,6 +320,12 @@ public Map<String, String> getFormCustomizaten() {
if (MiscUtil.isNotEmpty(bkuselection.getAppletRedirectTarget()))
map.put(FormBuildUtils.REDIRECTTARGET, bkuselection.getAppletRedirectTarget());
+ if (MiscUtil.isNotEmpty(bkuselection.getAppletHeight()))
+ map.put(FormBuildUtils.APPLET_HEIGHT, bkuselection.getAppletHeight());
+
+ if (MiscUtil.isNotEmpty(bkuselection.getAppletWidth()))
+ map.put(FormBuildUtils.APPLET_WIDTH, bkuselection.getAppletWidth());
+
}
}
@@ -343,6 +349,27 @@ public List<OAStorkAttribute> getRequestedAttributes() {
}
+public byte[] getBKUSelectionTemplate() {
+
+ TemplatesType templates = oa_auth.getTemplates();
+ if (templates != null && templates.getBKUSelectionTemplate() != null) {
+ return templates.getBKUSelectionTemplate().getTransformation();
+
+ }
+
+ return null;
+}
+
+public byte[] getSendAssertionTemplate() {
+
+ TemplatesType templates = oa_auth.getTemplates();
+ if (templates != null && templates.getSendAssertionTemplate() != null) {
+ return templates.getSendAssertionTemplate().getTransformation();
+
+ }
+
+ return null;
+}
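Review bot: The two new getters return null when no template is configured and carry no Javadoc; add e.g. `/** Returns the OA-specific BKU-selection template as raw bytes, or {@code null} if none is configured. */` on getBKUSelectionTemplate() and the equivalent wording on getSendAssertionTemplate(). The value is whatever `getTransformation()` returns on the configured template, so the methods presumably hand back the configuration-held array itself rather than a copy; that is fine for the ByteArrayInputStream callers introduced in this commit, but the Javadoc should state that the returned array must not be modified. Both methods are complete within the hunk.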
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java
index 93de902ef..66d330d20 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java
@@ -118,7 +118,7 @@ public class ProxyConfigurationProvider extends ConfigurationProvider {
throws ConfigurationException {
String fileName = System.getProperty(PROXY_CONFIG_PROPERTY_NAME);
if (fileName == null) {
- throw new ConfigurationException("config.01", null);
+ throw new ConfigurationException("config.20", null);
}
Logger.info("Loading MOA-ID-PROXY configuration " + fileName);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 01b80a93f..6cc17231c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -22,14 +22,8 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.entrypoints;
-
-
-import iaik.security.ecc.provider.ECCProvider;
-import iaik.security.provider.IAIK;
-
import java.io.IOException;
-import java.io.PrintWriter;
-import java.security.Security;
+
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 78fe43daa..1668c31ce 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -66,7 +66,7 @@ import at.gv.egovernment.moa.logging.Logger;
public class MetadataAction implements IAction {
- private static final int VALIDUNTIL_IN_DAYES = 30;
+ private static final int VALIDUNTIL_IN_HOURS = 24;
public String processRequest(IRequest req, HttpServletRequest httpReq,
HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException {
@@ -81,7 +81,7 @@ public class MetadataAction implements IAction {
DateTime date = new DateTime();
- idpEntitiesDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES));
+ idpEntitiesDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS));
EntityDescriptor idpEntityDescriptor = SAML2Utils
.createSAMLObject(EntityDescriptor.class);
@@ -95,7 +95,7 @@ public class MetadataAction implements IAction {
idpEntityDescriptor
.setEntityID(PVPConfiguration.getInstance().getIDPPublicPath());
- idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES));
+ idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));
List<ContactPerson> persons = PVPConfiguration.getInstance()
.getIDPContacts();
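Review bot: `idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));` still calls plusDays with the renamed constant, so the EntityDescriptor stays valid for 24 days while the enclosing EntitiesDescriptor two hunks above is limited to 24 hours. It should read `idpEntityDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS));`. Consumers that honour validUntil per entity would otherwise keep this metadata, including the signing certificate, far longer than the shortened lifetime intends. processRequest continues outside the hunk.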
@@ -114,13 +114,31 @@ public class MetadataAction implements IAction {
Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
Signature signature = CredentialProvider
.getIDPSignature(metadataSigningCredential);
+
+ idpEntitiesDescriptor.setSignature(signature);
+
+// //set SignatureMethode
+// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE);
+//
+// //set DigestMethode
+// List<ContentReference> contentList = signature.getContentReferences();
+// for (ContentReference content : contentList) {
+//
+// if (content instanceof SAMLObjectContentReference) {
+//
+// SAMLObjectContentReference el = (SAMLObjectContentReference) content;
+// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE);
+//
+// }
+// }
+
// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder();
// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject();
// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.);
// signature.setKeyInfo(metadataKeyInfo );
- idpEntitiesDescriptor.setSignature(signature);
+
IDPSSODescriptor idpSSODescriptor = SAML2Utils
.createSAMLObject(IDPSSODescriptor.class);
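Review bot: Commented-out code should not be committed: the new `//set SignatureMethode` … `el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE)` block now sits next to the older commented-out KeyInfo block, and neither tells a reader what actually happens. If algorithm selection now comes from the global security configuration installed by MOADefaultBootstrap, replace the block with one line saying so: `// signature and digest algorithms are taken from the global security configuration (see MOADefaultBootstrap)`. Moving `idpEntitiesDescriptor.setSignature(signature)` ahead of the descriptor population looks harmless provided signing itself happens later, but that cannot be confirmed from this hunk; processRequest continues outside it.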
@@ -222,7 +240,7 @@ public class MetadataAction implements IAction {
String metadataXML = sw.toString();
- //System.out.println("METADATA: " + metadataXML);
+ System.out.println("METADATA: " + metadataXML);
httpResp.setContentType("text/xml");
httpResp.getOutputStream().write(metadataXML.getBytes());
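Review bot: `System.out.println("METADATA: " + metadataXML);` is now live in a request handler, writing the whole metadata document to stdout on every call and bypassing the logging configuration; the previous code deliberately kept it commented out. Use `Logger.debug("METADATA: " + metadataXML);` or remove the line. The metadata is public, so this is noise rather than a disclosure, but the write on the following line encodes with the platform charset via `metadataXML.getBytes()` (pre-existing) and would be safer with an explicit UTF-8 encoding given the `text/xml` content type. processRequest continues outside the hunk.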
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index 0172cce2d..7946c7596 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -22,8 +22,17 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x;
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.signature.SignatureConstants;
+
public interface PVPConstants {
+ public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
+ public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256;
+ public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128;
+ public static final String DEFAULT_ASYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP;
+
+
public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/";
public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1";
public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2";
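Review bot: The four new defaults have no Javadoc saying where they apply; e.g. `/** Default signature algorithm URI for signed metadata and assertions. */` and `/** Default symmetric algorithm for assertions encrypted for a service provider (see AuthnRequestHandler). */` would tell a reader which code paths they govern. DEFAULT_SYM_ENCRYPTION_METHODE selects AES-128 in CBC mode; CBC in XML Encryption is a known weak spot for chosen-ciphertext attacks, and the new MOADefaultSecurityConfigurationBootstrap already registers `EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM`, so consider making the GCM constant the default where the relying parties' SAML stacks support it, and document the choice either way. The interface continues outside the hunk.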
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java
new file mode 100644
index 000000000..80789cd12
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.config;
+
+import org.opensaml.Configuration;
+import org.opensaml.DefaultBootstrap;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder;
+import org.opensaml.xml.ConfigurationException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOADefaultBootstrap extends DefaultBootstrap {
+
+ public static synchronized void bootstrap() throws ConfigurationException {
+
+ initializeXMLSecurity();
+
+ initializeXMLTooling();
+
+ initializeArtifactBuilderFactories();
+
+ initializeGlobalSecurityConfiguration();
+
+ initializeParserPool();
+
+ initializeESAPI();
+
+ }
+
+
+
+ /**
+ * Initializes the default global security configuration.
+ */
+ protected static void initializeGlobalSecurityConfiguration() {
+ Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig());
+ }
+}
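Review bot: `MOADefaultBootstrap.bootstrap()` hides the static `DefaultBootstrap.bootstrap()` rather than overriding it, so the customised security configuration is only installed by callers that name this class explicitly; the class Javadoc should say so, replacing the `@author`-only comment with e.g. `/** OpenSAML bootstrap that installs MOA's SHA-256-based security defaults; callers must use this class instead of DefaultBootstrap. */`. The sequence of initialize* calls presumably mirrors the upstream bootstrap; if the OpenSAML version in use also initialises Velocity there (needed by the HTTP-POST encoders), that step is missing here, so confirm against the library source. The imports `BasicSAMLMessageContext` and `BaseSAML2MessageEncoder` are unused. The file is complete within the hunk.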
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
new file mode 100644
index 000000000..1563ba9be
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.config;
+
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xml.signature.SignatureConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOADefaultSecurityConfigurationBootstrap extends
+ DefaultSecurityConfigurationBootstrap {
+
+ public static BasicSecurityConfiguration buildDefaultConfig() {
+ BasicSecurityConfiguration config = new BasicSecurityConfiguration();
+
+ populateSignatureParams(config);
+ populateEncryptionParams(config);
+ populateKeyInfoCredentialResolverParams(config);
+ populateKeyInfoGeneratorManager(config);
+ populateKeyParams(config);
+
+ return config;
+ }
+
+ protected static void populateSignatureParams(
+ BasicSecurityConfiguration config) {
+
+ //use SHA256 instead of SHA1
+ config.registerSignatureAlgorithmURI("RSA",
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+
+ config.registerSignatureAlgorithmURI("DSA",
+ "http://www.w3.org/2000/09/xmldsig#dsa-sha1");
+
+ //use SHA256 instead of SHA1
+ config.registerSignatureAlgorithmURI("EC",
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
+
+ //use SHA256 instead of SHA1
+ config.registerSignatureAlgorithmURI("AES",
+ SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
+
+
+ config.registerSignatureAlgorithmURI("DESede",
+ SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
+
+ config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
+ config.setSignatureHMACOutputLength(null);
+
+ //use SHA256 instead of SHA1
+ config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+ }
+
+ protected static void populateEncryptionParams(
+ BasicSecurityConfiguration config) {
+ config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
+ "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+ config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
+ "http://www.w3.org/2001/04/xmlenc#aes192-cbc");
+ config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
+ "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+
+ //support GCM mode
+ config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM);
+
+ config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM);
+
+ config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM);
+
+
+ config.registerDataEncryptionAlgorithmURI("DESede",
+ Integer.valueOf(168),
+ "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+ config.registerDataEncryptionAlgorithmURI("DESede",
+ Integer.valueOf(192),
+ "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
+
+ config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES",
+ "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+
+ config.registerKeyTransportEncryptionAlgorithmURI("RSA", null,
+ "DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+
+ config.registerKeyTransportEncryptionAlgorithmURI("AES",
+ Integer.valueOf(128), null,
+ "http://www.w3.org/2001/04/xmlenc#kw-aes128");
+ config.registerKeyTransportEncryptionAlgorithmURI("AES",
+ Integer.valueOf(192), null,
+ "http://www.w3.org/2001/04/xmlenc#kw-aes192");
+ config.registerKeyTransportEncryptionAlgorithmURI("AES",
+ Integer.valueOf(256), null,
+ "http://www.w3.org/2001/04/xmlenc#kw-aes256");
+ config.registerKeyTransportEncryptionAlgorithmURI("DESede",
+ Integer.valueOf(168), null,
+ "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+ config.registerKeyTransportEncryptionAlgorithmURI("DESede",
+ Integer.valueOf(192), null,
+ "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+
+ config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+ }
+}
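Review bot: In populateEncryptionParams, `registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), …)` is called twice per key length, first with the CBC URI and then with the GCM URI; if the registry is keyed on algorithm and key length, the second call replaces the first and the comment `//support GCM mode` is misleading, so confirm against BasicSecurityConfiguration and either keep only the intended entry or document that GCM wins. populateSignatureParams leaves DSA on `dsa-sha1` while every other key type is moved to SHA-256; if that is a compatibility decision, say so in a comment, otherwise use a SHA-256 DSA URI if the library provides one. The class has no Javadoc beyond `@author`; a summary such as `/** Security configuration with SHA-256 signatures and digests, replacing OpenSAML's SHA-1 defaults. */` would explain why it exists. The file is complete within the hunk.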
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 5d71b915f..bf82efb79 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -33,6 +33,7 @@ import java.util.Properties;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
+import org.opensaml.Configuration;
import org.opensaml.saml2.metadata.Company;
import org.opensaml.saml2.metadata.ContactPerson;
import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration;
@@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.OrganizationName;
import org.opensaml.saml2.metadata.OrganizationURL;
import org.opensaml.saml2.metadata.SurName;
import org.opensaml.saml2.metadata.TelephoneNumber;
+import org.opensaml.xml.security.SecurityConfiguration;
import at.gv.egovernment.moa.id.commons.db.dao.config.Contact;
import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
@@ -115,7 +117,7 @@ public class PVPConfiguration {
try {
//generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig();
props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig();
-
+
} catch (ConfigurationException e) {
e.printStackTrace();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 21c0d85a1..229158778 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
import java.util.ArrayList;
import java.util.List;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -45,7 +44,6 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
@@ -57,6 +55,7 @@ import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.security.x509.X509Credential;
+
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
@@ -125,12 +124,11 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
AssertionConsumerService consumerService = spSSODescriptor
.getAssertionConsumerServices().get(idx);
- if (consumerService == null) {
- //TODO: maybe use default ConsumerService
-
+ if (consumerService == null) {
throw new InvalidAssertionConsumerServiceException(idx);
}
+
String oaURL = consumerService.getLocation();
//check, if metadata includes an encryption key
@@ -158,19 +156,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
try {
EncryptionParameters dataEncParams = new EncryptionParameters();
- dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
-
+ dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE);
+
List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();
KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
keyEncParam.setEncryptionCredential(encryptionCredentials);
- keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
+ keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE);
KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
.getKeyInfoGeneratorManager().getDefaultManager()
.getFactory(encryptionCredentials);
keyEncParam.setKeyInfoGenerator(kigf.newInstance());
keyEncParamList.add(keyEncParam);
-
+
Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
//samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
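Review bot: L667 and L673 now take the assertion cipher and key-transport algorithm from `PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE` and `DEFAULT_ASYM_ENCRYPTION_METHODE`, whose values are defined outside this hunk, so the reader here no longer sees what the removed lines stated: AES-128 (CBC, as XML Encryption's `aes128-cbc` URI implies) for the data and RSA-OAEP for the key. Add `// assertion data cipher and key transport are configured in PVPConstants (previously AES-128-CBC / RSA-OAEP hard-coded here)` above L667 so that a later change of those constants is made knowingly; anyone touching them should only ever move to an authenticated mode such as AES-GCM, if the OpenSAML version in use supports it, and never to something weaker. The enclosing method continues past this hunk.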
@@ -178,7 +176,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
EncryptedAssertion encryptAssertion = null;
encryptAssertion = samlEncrypter.encrypt(assertion);
-
+
authResponse.getEncryptedAssertions().add(encryptAssertion);
} catch (EncryptionException e1) {
@@ -191,10 +189,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
authResponse.getAssertions().add(assertion);
}
-
-
-
-
+
IEncoder binding = null;
if (consumerService.getBinding().equals(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 4ef9919ca..550643da1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -22,7 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
-import java.util.Iterator;
import java.util.List;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
@@ -44,18 +43,25 @@ import at.gv.egovernment.moa.logging.Logger;
public class EntityVerifier {
public static byte[] fetchSavedCredential(String entityID) {
- List<OnlineApplication> oaList = ConfigurationDBRead
- .getAllActiveOnlineApplications();
- Iterator<OnlineApplication> oaIt = oaList.iterator();
- while (oaIt.hasNext()) {
- OnlineApplication oa = oaIt.next();
- if (oa.getPublicURLPrefix().equals(entityID)) {
+// List<OnlineApplication> oaList = ConfigurationDBRead
+// .getAllActiveOnlineApplications();
+
+ OnlineApplication oa = ConfigurationDBRead
+ .getActiveOnlineApplication(entityID);
+
+// Iterator<OnlineApplication> oaIt = oaList.iterator();
+// while (oaIt.hasNext()) {
+// OnlineApplication oa = oaIt.next();
+// if (oa.getPublicURLPrefix().equals(entityID)) {
+
+ if (oa != null && oa.getAuthComponentOA() != null) {
+
OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
if (pvp2Config != null) {
return pvp2Config.getCertificate();
}
}
- }
+// }
return null;
}
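Review bot: The commented-out loop on L720-729 and L739 should be deleted rather than left next to its replacement; version control already keeps it. The loop it replaces matched `oa.getPublicURLPrefix().equals(entityID)` exactly, while the matching rule of `ConfigurationDBRead.getActiveOnlineApplication(entityID)` on L723-724 is not visible here — if that lookup does a prefix or case-insensitive match on `publicURLPrefix`, the certificate returned on L735 could belong to a different registered OA than the one whose metadata entity is being verified. Confirm and record it above the call, e.g. `// exact match on publicURLPrefix, as the previous in-memory loop did — verify against ConfigurationDBRead`.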
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
index f0ae6f446..ed0cf9c62 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
@@ -25,7 +25,9 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
import iaik.x509.X509Certificate;
import java.security.cert.CertificateException;
+import java.util.ArrayList;
import java.util.Iterator;
+import java.util.List;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
@@ -69,13 +71,17 @@ public class MetadataSignatureFilter implements MetadataFilter {
while(entID.hasNext()) {
processEntitiesDescriptor(entID.next());
}
-
+
Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
-
- //check every Entity
+
+ List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>();
+
+ //check every Entity
+
while(entIT.hasNext()) {
EntityDescriptor entity = entIT.next();
+
String entityID = entity.getEntityID();
//CHECK if Entity also match MetaData signature.
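Review bot: `verifiedEntIT` on L764 is a `List`, but its name, patterned on the `entIT` iterator beside it, reads as an iterator; `List<EntityDescriptor> verifiedEntities = new ArrayList<EntityDescriptor>();` says what it is (its two other uses are in the next hunk). The `//check every Entity` comment on L766 is now separated from the loop it describes by the blank line added on L767 and belongs directly above `while(entIT.hasNext())`. `processEntitiesDescriptor` begins before this hunk.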
@@ -92,17 +98,31 @@ public class MetadataSignatureFilter implements MetadataFilter {
EntityVerifier.verify(desc, entityCrendential);
+ //add entity to verified entity-list
+ verifiedEntIT.add(entity);
+
} catch (Exception e) {
- throw new MOAIDException("The App", null, e);
+
+ //remove entity of signature can not be verified.
+ Logger.info("Entity " + entityID + " is removed from metadata "
+ + desc.getName() + ". Entity verification error: " + e.getMessage());
+// throw new MOAIDException("The App", null, e);
}
} else {
- throw new NoCredentialsException("NO Certificate found for OA " + entityID);
+ //remove entity if it is not registrated as OA
+ Logger.info("Entity " + entityID + " is removed from metadata "
+ + desc.getName() + ". Entity is not registrated or no certificate is found!");
+// throw new NoCredentialsException("NO Certificate found for OA " + entityID);
}
-
+
//TODO: insert to support signed Entity-Elements
//processEntityDescriptorr(entIT.next());
- }
+ }
+
+ //set only verified entity elements
+ desc.getEntityDescriptors().clear();
+ desc.getEntityDescriptors().addAll(verifiedEntIT);
}
public void doFilter(XMLObject metadata) throws FilterException {
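Review bot: A failed signature check on L778-L784 is now an INFO-level log line carrying only `e.getMessage()`, so a tampered or wrongly-signed metadata entry — a security event — is less visible than it was when it aborted the load, and the stack trace is gone; log it at warning level with the cause, `Logger.warn("Entity " + entityID + " is removed from metadata " + desc.getName() + ". Entity verification error: " + e.getMessage(), e);` (assuming the project Logger has a throwable overload). `catch (Exception e)` also turns any non-signature problem inside `EntityVerifier.verify` — a configuration or parsing error — into a silently dropped entity; catching the verification exception types specifically would keep such errors fatal as before. The two commented-out `throw` statements on L784 and L791 should be removed rather than kept. `processEntitiesDescriptor` starts in the previous hunk.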
@@ -114,6 +134,13 @@ public class MetadataSignatureFilter implements MetadataFilter {
}
processEntitiesDescriptor(entitiesDescriptor);
+
+ if (entitiesDescriptor.getEntityDescriptors().size() == 0) {
+ throw new MOAIDException("No valid entity in metadata "
+ + entitiesDescriptor.getName() + ". Metadata is not loaded.", null);
+ }
+
+
} else if (metadata instanceof EntityDescriptor) {
EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
processEntityDescriptorr(entityDescriptor);
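Review bot: The emptiness check on L809 only looks at the top-level entity list, while `processEntitiesDescriptor` recurses into nested `EntitiesDescriptor` children (in an earlier hunk): a nested descriptor whose entities were all removed stays in the tree as an empty container, and a document whose verified entities live only in nested descriptors would be rejected here. If nested descriptors are expected in practice, apply the check inside the recursion as well; otherwise record the limitation with `// only top-level EntityDescriptors are counted; nested EntitiesDescriptors are not pruned`. The new `throw new MOAIDException(...)` inside `doFilter(...) throws FilterException` relies on the same handling the existing call on L807 already depends on, which is outside this hunk.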
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java
index 37ead5cff..d3ac574f8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java
@@ -43,6 +43,8 @@ public class FormBuildUtils {
public static String FONTFAMILY = "#FONTTYPE#";
public static String HEADER_TEXT = "#HEADER_TEXT#";
public static String REDIRECTTARGET = "#REDIRECTTARGET#";
+ public static String APPLET_HEIGHT = "#APPLETHEIGHT#";
+ public static String APPLET_WIDTH = "#APPLETWIDTH#";
private static String MANDATEVISIBLE = "#MANDATEVISIBLE#";
private static String MANDATECHECKED = "#MANDATECHECKED#";
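Review bot: `APPLET_HEIGHT` and `APPLET_WIDTH` on L826-827 are public mutable statics that any class can reassign at runtime; since they are compile-time constants, `public static final String APPLET_HEIGHT = "#APPLETHEIGHT#";` and the same for `APPLET_WIDTH` is the right form, even though the existing fields above them share the non-final pattern. The value that replaces these placeholders is filled in outside this hunk; presumably it ends up in an applet tag of a form template, so it should be validated as a number at the point of substitution — confirm where that happens. The class continues past the hunk.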
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 327170054..bd6514c5c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -513,8 +513,8 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{
throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
if (MiscUtil.isEmpty(bkuURL))
throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12");
- if (MiscUtil.isEmpty(templateURL))
- throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
+// if (MiscUtil.isEmpty(templateURL))
+// throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
if (!ParamValidatorUtils.isValidUseMandate(useMandate))
throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12");
if (!ParamValidatorUtils.isValidCCC(ccc))
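Review bot: The emptiness check for `PARAM_TEMPLATE` on L840-841 is commented out rather than removed, leaving dead code; delete the two lines. Since `templateURL` may now be empty or null, every consumer of the value (none visible in this hunk) has to tolerate that instead of relying on this validator, and any format or whitelist check the method applies to a non-empty `templateURL` further down must still run for the non-empty case — the method continues past this hunk. A short comment in its place, `// templateURL is optional; consumers must handle an empty value`, would make the new contract explicit.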