diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java')
6 files changed, 99 insertions, 14 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 89adbce3f..ff2cee559 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2301,9 +2301,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { try { - //TODO: resign the IdentityLink!!! - - if (session.getUseMandate() && session.isOW()) { MISMandate mandate = session.getMISMandate(); authData.setBPK(mandate.getOWbPK()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java index 6004f251f..1624a59c0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java @@ -25,10 +25,13 @@ package at.gv.egovernment.moa.id.auth.parser; import java.io.ByteArrayInputStream; +import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.List; +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.NodeList; import org.w3c.dom.traversal.NodeIterator; @@ -157,6 +160,7 @@ public class CreateXMLSignatureResponseParser { Element dsigSignatureNode = (Element) list.item(0); Element dsigSignatureElement = (Element) dsigSignatureNode; + cResp.setDsigSignature(dsigSignatureElement); } catch (Throwable t) { @@ -201,6 +205,11 @@ public class CreateXMLSignatureResponseParser { SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()]; samlAttributes.toArray(result); cResp.setSamlAttributes(result); + + NodeList list = sigResponse_.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); + Element dsigSignatureNode = (Element) list.item(0); + cResp.setDsigSignature(dsigSignatureNode); + } catch (Throwable t) { throw new ParseException("parser.01", new Object[] { t.toString()}, t); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java index 4ddad2429..2c957603b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java @@ -151,6 +151,8 @@ public class VerifyXMLSignatureResponseParser { VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse(); try { + + String s = DOMUtils.serializeNode(verifyXMLSignatureResponse); respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,"")); Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH); respData.setQualifiedCertificate(e!=null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index d0fb1f87f..b2ef2d000 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -24,9 +24,14 @@ package at.gv.egovernment.moa.id.auth.validator; +import java.util.Calendar; +import java.util.GregorianCalendar; import java.util.Iterator; import java.util.List; +import javax.xml.bind.DatatypeConverter; + +import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; @@ -59,11 +64,25 @@ public class CreateXMLSignatureResponseValidator { /** Xpath expression to the dsig:Signature element */ private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature"; - //private static final String XADES_SIGNINGTIME_PATH = Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime"; - + private static final String XADES_1_1_1_SIGNINGTIME_PATH = "//" + Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime"; + private static final String XADES_1_3_2_SIGNINGTIME_PATH = "//" + Constants.XADES_1_3_2_NS_PREFIX + ":SigningTime"; + + + private static final long MAX_DIFFERENCE_IN_MILLISECONDS = 600000; // 10min + /** Singleton instance. <code>null</code>, if none has been created. */ private static CreateXMLSignatureResponseValidator instance; + private static SimpleNamespaceContext NS_CONTEXT; + static { + NS_CONTEXT = new SimpleNamespaceContext(); + NS_CONTEXT.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI); + NS_CONTEXT.addNamespace(Constants.XADES_1_2_2_NS_PREFIX, Constants.XADES_1_2_2_NS_URI); + NS_CONTEXT.addNamespace(Constants.XADES_1_3_2_NS_PREFIX, Constants.XADES_1_3_2_NS_URI); + NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI); + } + + /** * Constructor for a singleton CreateXMLSignatureResponseValidator. * @return an instance of CreateXMLSignatureResponseValidator @@ -550,8 +569,36 @@ public class CreateXMLSignatureResponseValidator { public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException { - //TODO: insert Time validation!!!! - + Element dsigSignatureElement = csresp.getDsigSignature(); + if (dsigSignatureElement == null) { + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } + else { + Element signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_1_1_SIGNINGTIME_PATH); + if (signingTimeElem == null) { + signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_3_2_SIGNINGTIME_PATH); + if (signingTimeElem == null) + throw new ValidateException("validator.68", null) ; + } + + + String signingTimeStr = signingTimeElem.getTextContent(); + if (signingTimeStr == null) + throw new ValidateException("validator.68", null) ; + + Calendar signingTimeCal = DatatypeConverter.parseDate(signingTimeStr); + Calendar serverTimeCal = new GregorianCalendar(); + + long diff = Math.abs(signingTimeCal.getTimeInMillis() - serverTimeCal.getTimeInMillis()); + + if (diff > MAX_DIFFERENCE_IN_MILLISECONDS) + throw new ValidateException("validator.69", new Object[] {"mehr als " + MAX_DIFFERENCE_IN_MILLISECONDS + " Millisekunden"}) ; + + Logger.debug("Compare \"" + signingTimeCal.getTime() + "\" (SigningTime) with \"" + serverTimeCal.getTime() + "\" (server time)"); + + + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index bc53a876c..28288815a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -830,6 +830,23 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return prop; } + public boolean isIdentityLinkResigning() { + String prop = props.getProperty("configuration.resignidentitylink", "false"); + if (Boolean.valueOf(prop)) + return true; + else + return false; + } + + public String getIdentityLinkResigningKey() { + String prop = props.getProperty("configuration.resignidentitylink.keygroup"); + + if (MiscUtil.isNotEmpty(prop)) + return prop; + else + return null; + } + /** * Retruns the STORK Configuration * @return STORK Configuration diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index fec2d2b35..ee0b4e7e2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; @@ -193,14 +194,26 @@ public class SAML1AuthenticationServer extends AuthenticationServer { .getAuthBlock() : ""; //set IdentityLink for assortion - String ilAssertion = saml1parameter.isProvideIdentityLink() ? authData.getIdentityLink() - .getSerializedSamlAssertion() - : ""; - if (!saml1parameter.isProvideStammzahl()) { - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); + String ilAssertion = ""; + if (saml1parameter.isProvideIdentityLink()) { + if (session.getBusinessService()) { + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + + Element resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() + .getSamlAssertion()); + + ilAssertion = DOMUtils.serializeNode(resignedilAssertion); + + } else { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); + + if (!saml1parameter.isProvideStammzahl()) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); + + } } - + String samlAssertion; if (session.getUseMandate()) { |