aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java170
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java31
5 files changed, 221 insertions, 18 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index a2c1d6131..d783c74d9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -647,6 +647,58 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
/**
+ * Processes an <code>&lt;InfoboxReadResponse&gt;</code> sent by the
+ * security layer implementation.<br>
+ * <ul>
+ * <li>Validates given <code>&lt;InfoboxReadResponse&gt;</code></li>
+ * <li>Parses identity link enclosed in
+ * <code>&lt;InfoboxReadResponse&gt;</code></li>
+ * <li>Verifies identity link by calling the MOA SP component</li>
+ * <li>Checks certificate authority of identity link</li>
+ * <li>Stores identity link in the session</li>
+ * <li>Verifies all additional infoboxes returned from the BKU</li>
+ * <li>Creates an authentication block to be signed by the user</li>
+ * <li>Creates and returns a <code>&lt;CreateXMLSignatureRequest&gt;</code>
+ * containg the authentication block, meant to be returned to the security
+ * layer implementation</li>
+ * </ul>
+ *
+ * @param sessionID
+ * ID of associated authentication session data
+ * @param infoboxReadResponseParameters
+ * The parameters from the response returned from the BKU
+ * including the <code>&lt;InfoboxReadResponse&gt;</code>
+ * @return String representation of the
+ * <code>&lt;CreateXMLSignatureRequest&gt;</code>
+ */
+ public String verifyCertificate(String sessionID,
+ X509Certificate certificate) throws AuthenticationException,
+ BuildException, ParseException, ConfigurationException,
+ ValidateException, ServiceException {
+
+ if (isEmpty(sessionID))
+ throw new AuthenticationException("auth.10", new Object[] {
+ REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID });
+
+ // check if person is a Organwalter
+ // if true - don't show bPK in AUTH Block
+ boolean isOW = false;
+// String oid = null;
+// if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER))
+// isOW = true;
+//
+ AuthenticationSession session = getSession(sessionID);
+ AuthConfigurationProvider authConf = AuthConfigurationProvider
+ .getInstance();
+
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
+ .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+
+ return getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session,
+ authConf, oaParam, isOW);
+ }
+
+ /**
* Processes an <code>Mandate</code> sent by the MIS.<br>
* <ul>
* <li>Validates given <code>Mandate</code></li>
@@ -781,6 +833,70 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
/**
+ *
+ * @param session
+ * @param authConf
+ * @param oaParam
+ * @return
+ * @throws ConfigurationException
+ * @throws BuildException
+ * @throws ValidateException
+ */
+ public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
+ AuthenticationSession session, AuthConfigurationProvider authConf,
+ OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
+ BuildException, ValidateException {
+
+ // check for intermediate processing of the infoboxes
+ if (session.isValidatorInputPending())
+ return "Redirect to Input Processor";
+
+ if (authConf == null)
+ authConf = AuthConfigurationProvider.getInstance();
+ if (oaParam == null)
+ oaParam = AuthConfigurationProvider.getInstance()
+ .getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+
+ // BZ.., calculate bPK for signing to be already present in AuthBlock
+ IdentityLink identityLink = session.getIdentityLink();
+ if (identityLink.getIdentificationType().equals(
+ Constants.URN_PREFIX_BASEID)) {
+ // only compute bPK if online application is a public service and we
+ // have the Stammzahl
+ if (isOW) {
+ // if person is OW, delete identification value (bPK is calculated via MIS)
+ identityLink.setIdentificationValue(null);
+ identityLink.setIdentificationType(null);
+ }
+ else {
+ String bpkBase64 = new BPKBuilder().buildBPK(identityLink
+ .getIdentificationValue(), session.getTarget());
+ identityLink.setIdentificationValue(bpkBase64);
+ }
+ }
+ // ..BZ
+ // }
+
+ // builds the AUTH-block
+ String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
+
+ // session.setAuthBlock(authBlock);
+ // builds the <CreateXMLSignatureRequest>
+ String[] transformsInfos = oaParam.getTransformsInfos();
+ if ((transformsInfos == null) || (transformsInfos.length == 0)) {
+ // no OA specific transforms specified, use default ones
+ transformsInfos = authConf.getTransformsInfos();
+ }
+ String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
+ .build(authBlock, oaParam.getKeyBoxIdentifier(),
+ transformsInfos, oaParam.getSlVersion12());
+
+ System.out.println("XML: " + createXMLSignatureRequest);
+
+ return createXMLSignatureRequest;
+ }
+ /**
* Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br>
* <ul>
* <li>Creates an CreateXMLSignatureRequest to be signed by the user</li>
@@ -988,6 +1104,60 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
/**
+ * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
+ * given session data.
+ *
+ * @param session
+ * authentication session
+ *
+ * @return <code>&lt;saml:Assertion&gt;</code> as a String
+ *
+ * @throws BuildException
+ * If an error occurs on serializing an extended SAML attribute
+ * to be appended to the AUTH-Block.
+ */
+ private String buildAuthenticationBlockForOW(AuthenticationSession session,
+ OAAuthParameter oaParam, boolean isOW) throws BuildException {
+ IdentityLink identityLink = session.getIdentityLink();
+ String issuer = identityLink.getName();
+ String gebDat = identityLink.getDateOfBirth();
+ String identificationValue = identityLink.getIdentificationValue();
+ String identificationType = identityLink.getIdentificationType();
+
+ String issueInstant = DateTimeUtils.buildDateTime(Calendar
+ .getInstance(), oaParam.getUseUTC());
+ session.setIssueInstant(issueInstant);
+ String authURL = session.getAuthURL();
+ String target = session.getTarget();
+ String targetFriendlyName = session.getTargetFriendlyName();
+ // Bug #485
+ // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
+ // String oaURL = session.getPublicOAURLPrefix();
+ String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
+ List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ Iterator it = extendedSAMLAttributes.iterator();
+ // delete bPK attribute from extended SAML attributes
+ if (isOW) {
+ ExtendedSAMLAttribute toDelete = null;
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
+ if (attr.getName().equalsIgnoreCase("bPK"))
+ toDelete = attr;
+ }
+ if (toDelete != null)
+ extendedSAMLAttributes.remove(toDelete);
+ }
+
+ String authBlock = new AuthenticationBlockAssertionBuilder()
+ .buildAuthBlock(issuer, issueInstant, authURL, target,
+ targetFriendlyName, identificationValue,
+ identificationType, oaURL, gebDat,
+ extendedSAMLAttributes, session);
+
+ return authBlock;
+ }
+
+ /**
* Verifies the infoboxes (except of the identity link infobox) returned by
* the BKU by calling appropriate validator classes.
*
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 53c1168c5..412f1db81 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -204,22 +204,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
//no business service, adding bPK
+
+ System.out.println("identityLinkValue: " + identityLinkValue);
+ if (identityLinkValue != null) {
+ Element bpkSamlValueElement;
+ try {
+ bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
+ } catch (Exception e) {
+ Logger.error("Error on building AUTH-Block: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+ }
+
+ // String s = xmlToString(bpkSamlValueElement);
+ // System.out.println("bpkSamlValueElement: " + s);
+
+ ExtendedSAMLAttribute bpkAttribute =
+ new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(bpkAttribute);
+ }
- Element bpkSamlValueElement;
- try {
- bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
- } catch (Exception e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
-// String s = xmlToString(bpkSamlValueElement);
-// System.out.println("bpkSamlValueElement: " + s);
-
- ExtendedSAMLAttribute bpkAttribute =
- new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
- extendedSAMLAttributes.add(bpkAttribute);
-
boolean useMandate = session.getUseMandate();
if (useMandate) {
String mandateReferenceValue = Random.nextRandom();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
index a1b03fcad..04fbc0588 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -171,7 +171,8 @@ public class GetMISSessionIDServlet extends AuthServlet {
Element mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement();
//TODO OW bPK (Offen: was bei saml:NameIdentifier NameQualifier="urn:publicid:gv.at:cdid+bpk"> und <saml:Attribute AttributeName="bPK" )
- //System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK());
+ System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK());
+ // TODO wenn OW bPK vorhanden - in SAML Assertion setzen!
String redirectURL = null;
String samlArtifactBase64 =
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index acd96dee0..689510a9d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -138,7 +138,7 @@ public class VerifyCertificateServlet extends AuthServlet {
if (useMandate) {
- Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
+ Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
throw new AuthenticationException("auth.13", null);
}
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index 17f7deb9b..5178e27d3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -173,7 +173,36 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
}
else {
- ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+ // @TODO: unteren InfoboxReadRequest zu, Signer-Cert auslesen (wegen Cert Abfrage auf Organwalter OID),
+ // nach oben verschoben vor verifyIdentityLink (da hier schon bPK berechnet, die aber für OW nicht in
+ // AUTH Block aufscheinen darf. --> D.h. verifyIdentityLink umbauen - verify und AUTH Block bauen trennen)
+ boolean useMandate = session.getUseMandate();
+ if (useMandate) { // Mandate modus
+ // read certificate and set dataurl to
+ Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+
+
+ String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+ // build dataurl (to the GetForeignIDSerlvet)
+ String dataurl =
+ new DataURLBuilder().buildDataURL(
+ session.getAuthURL(),
+ REQ_VERIFY_CERTIFICATE,
+ session.getSessionID());
+
+
+ //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
+ //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+ Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
+ ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+ }
+ else {
+ ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+ }
+
+
}
}