Diffstat (limited to 'id/server/idserverlib/src/main/java')
6 files changed, 226 insertions, 20 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a2c1d6131..d783c74d9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java 
@@ -647,6 +647,58 @@ public class AuthenticationServer implements MOAIDAuthConstants {  	}  	/** +	 * Processes an <code><InfoboxReadResponse></code> sent by the +	 * security layer implementation.<br> +	 * <ul> +	 * <li>Validates given <code><InfoboxReadResponse></code></li> +	 * <li>Parses identity link enclosed in +	 * <code><InfoboxReadResponse></code></li> +	 * <li>Verifies identity link by calling the MOA SP component</li> +	 * <li>Checks certificate authority of identity link</li> +	 * <li>Stores identity link in the session</li> +	 * <li>Verifies all additional infoboxes returned from the BKU</li> +	 * <li>Creates an authentication block to be signed by the user</li> +	 * <li>Creates and returns a <code><CreateXMLSignatureRequest></code> +	 * containg the authentication block, meant to be returned to the security +	 * layer implementation</li> +	 * </ul> +	 *  +	 * @param sessionID +	 *            ID of associated authentication session data +	 * @param infoboxReadResponseParameters +	 *            The parameters from the response returned from the BKU +	 *            including the <code><InfoboxReadResponse></code> +	 * @return String representation of the +	 *         <code><CreateXMLSignatureRequest></code> +	 */ +	public String verifyCertificate(String sessionID, +			X509Certificate certificate) throws AuthenticationException, +			BuildException, ParseException, ConfigurationException, +			ValidateException, ServiceException { + +		if (isEmpty(sessionID)) +			throw new AuthenticationException("auth.10", new Object[] { +					REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID }); + +		// check if person is a Organwalter +		// if true - don't show bPK in AUTH Block +		boolean isOW = false; +//		String oid = null; +//		if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER)) +//			isOW = true; +//		 +		AuthenticationSession session = getSession(sessionID); +		AuthConfigurationProvider authConf = AuthConfigurationProvider +				.getInstance(); + +		OAAuthParameter oaParam 
= AuthConfigurationProvider.getInstance() +				.getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + +		return getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session, +				authConf, oaParam, isOW); +	} +	 +	/**  	 * Processes an <code>Mandate</code> sent by the MIS.<br>  	 * <ul>  	 * <li>Validates given <code>Mandate</code></li> 
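Review bot: `verifyCertificate(String sessionID, X509Certificate certificate)` never reads `certificate`: the only intended use, the OID check against `MISMandate.OID_ORGANWALTER`, is commented out and `isOW` is hard-coded to `false`, so the method returns an AUTH block built exactly as for a non-Organwalter while its name and the `// verify certificate for OrganWalter` comment in the VerifyCertificateServlet hunk suggest a check is performed. Either implement the check before merge or add a comment such as `// NOTE: certificate is not inspected yet; isOW stays false until the OID check is implemented` so callers do not rely on a verification that does not happen. The Javadoc is copied from another method: it documents `infoboxReadResponseParameters` and an `<InfoboxReadResponse>` flow, neither of which matches the signature, and should instead describe `sessionID`, `certificate` and the request-or-redirect-marker string actually returned. Widening `OID_ORGANWALTER` to public in the MISMandate hunk currently serves only this commented-out code.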
@@ -781,6 +833,70 @@ public class AuthenticationServer implements MOAIDAuthConstants {  	}  	/** +	 *  +	 * @param session +	 * @param authConf +	 * @param oaParam +	 * @return +	 * @throws ConfigurationException +	 * @throws BuildException +	 * @throws ValidateException +	 */ +	public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW( +			AuthenticationSession session, AuthConfigurationProvider authConf, +			OAAuthParameter oaParam, boolean isOW) throws ConfigurationException, +			BuildException, ValidateException { + +		// check for intermediate processing of the infoboxes +		if (session.isValidatorInputPending()) +			return "Redirect to Input Processor"; + +		if (authConf == null) +			authConf = AuthConfigurationProvider.getInstance(); +		if (oaParam == null) +			oaParam = AuthConfigurationProvider.getInstance() +					.getOnlineApplicationParameter( +							session.getPublicOAURLPrefix()); + +		// BZ.., calculate bPK for signing to be already present in AuthBlock +		IdentityLink identityLink = session.getIdentityLink(); +		if (identityLink.getIdentificationType().equals( +				Constants.URN_PREFIX_BASEID)) { +			// only compute bPK if online application is a public service and we +			// have the Stammzahl +			if (isOW) { +				// if person is OW, delete identification value (bPK is calculated via MIS) +				identityLink.setIdentificationValue(null); +				identityLink.setIdentificationType(null); +			} +			else { +			String bpkBase64 = new BPKBuilder().buildBPK(identityLink +					.getIdentificationValue(), session.getTarget()); +				identityLink.setIdentificationValue(bpkBase64); +			} +		} +		// ..BZ +		// } + +		// builds the AUTH-block +		String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW); + +		// session.setAuthBlock(authBlock); +		// builds the <CreateXMLSignatureRequest> +		String[] transformsInfos = oaParam.getTransformsInfos(); +		if ((transformsInfos == null) || (transformsInfos.length == 0)) { +			// no OA specific 
transforms specified, use default ones +			transformsInfos = authConf.getTransformsInfos(); +		} +		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() +				.build(authBlock, oaParam.getKeyBoxIdentifier(), +						transformsInfos, oaParam.getSlVersion12()); +		 +		System.out.println("XML: " + createXMLSignatureRequest); +		 +		return createXMLSignatureRequest; +	} +	/**  	 * Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br>  	 * <ul>  	 * <li>Creates an CreateXMLSignatureRequest to be signed by the user</li> 
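Review bot: `System.out.println("XML: " + createXMLSignatureRequest)` at the end of `getCreateXMLSignatureRequestAuthBlockOrRedirectForOW` writes the complete CreateXMLSignatureRequest — which embeds the AUTH block built from the identity link's name, date of birth and identification value — to stdout, outside the project's `Logger` used in the other files of this commit and so outside any log-level or retention control; remove it, or at most log `Logger.debug("CreateXMLSignatureRequest built for session " + session.getSessionID());`. The guard `identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)` dereferences a value that the `isOW` branch a few lines below sets to `null` on the session's IdentityLink, so a second pass over the same session would throw NullPointerException; `Constants.URN_PREFIX_BASEID.equals(identityLink.getIdentificationType())` is the null-safe form. The Javadoc lists `@param`/`@throws` tags without text and omits `isOW`; each tag should state what the value means, in particular that `isOW` suppresses the bPK in the AUTH block. The commented-out `// }` and `// session.setAuthBlock(authBlock);` lines should be deleted rather than committed.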
@@ -988,6 +1104,60 @@ public class AuthenticationServer implements MOAIDAuthConstants {  	}  	/** +	 * Builds an authentication block <code><saml:Assertion></code> from +	 * given session data. +	 *  +	 * @param session +	 *            authentication session +	 *  +	 * @return <code><saml:Assertion></code> as a String +	 *  +	 * @throws BuildException +	 *             If an error occurs on serializing an extended SAML attribute +	 *             to be appended to the AUTH-Block. +	 */ +	private String buildAuthenticationBlockForOW(AuthenticationSession session, +			OAAuthParameter oaParam, boolean isOW) throws BuildException { +		IdentityLink identityLink = session.getIdentityLink(); +		String issuer = identityLink.getName(); +		String gebDat = identityLink.getDateOfBirth(); +		String identificationValue = identityLink.getIdentificationValue(); +		String identificationType = identityLink.getIdentificationType(); + +		String issueInstant = DateTimeUtils.buildDateTime(Calendar +				.getInstance(), oaParam.getUseUTC()); +		session.setIssueInstant(issueInstant); +		String authURL = session.getAuthURL(); +		String target = session.getTarget(); +		String targetFriendlyName = session.getTargetFriendlyName(); +		// Bug #485 +		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) +		// String oaURL = session.getPublicOAURLPrefix(); +		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); +		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); +		Iterator it = extendedSAMLAttributes.iterator(); +		// delete bPK attribute from extended SAML attributes +		if (isOW) { +			ExtendedSAMLAttribute toDelete = null; +			while (it.hasNext()) { +				ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next(); +				if (attr.getName().equalsIgnoreCase("bPK")) +					toDelete = attr; +			}		 +			if (toDelete != null) +				extendedSAMLAttributes.remove(toDelete); +		} +		 +		String authBlock = new 
AuthenticationBlockAssertionBuilder() +				.buildAuthBlock(issuer, issueInstant, authURL, target, +						targetFriendlyName, identificationValue, +						identificationType, oaURL, gebDat, +						extendedSAMLAttributes, session); + +		return authBlock; +	} +	 +	/**  	 * Verifies the infoboxes (except of the identity link infobox) returned by  	 * the BKU by calling appropriate validator classes.  	 *  diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index 53c1168c5..412f1db81 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java 
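Review bot: In `buildAuthenticationBlockForOW` the bPK-removal loop compares `attr.getName().equalsIgnoreCase("bPK")`, which throws NullPointerException for an attribute without a name; `"bPK".equalsIgnoreCase(attr.getName())` is the null-safe form. The loop also keeps only the last match, so if more than one attribute named bPK is present the others remain in the AUTH block, and `extendedSAMLAttributes.remove(toDelete)` mutates the list returned by `session.getExtendedSAMLAttributesAUTH()` rather than a copy — presumably intended, but worth a comment such as `// removes the bPK attribute from the session's own list, not from a copy`. The Javadoc should gain `@param oaParam online-application parameters (UTC flag for the issue instant)` and `@param isOW true to omit the bPK attribute from the AUTH block`. The method appears to duplicate an existing AUTH-block builder apart from the `isOW` handling; if so, the shared part should be factored out.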
@@ -204,22 +204,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion        gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });        //no business service, adding bPK + +      System.out.println("identityLinkValue: " + identityLinkValue); +      if (identityLinkValue != null) { +    	  Element bpkSamlValueElement; +    	  try { +    		  bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); +    	  } catch (Exception e) { +    		  Logger.error("Error on building AUTH-Block: " + e.getMessage()); +    		  throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); +    	  }  +	       +	//      String s = xmlToString(bpkSamlValueElement); +	//      System.out.println("bpkSamlValueElement: " + s); +	       +    	  ExtendedSAMLAttribute bpkAttribute =  +    		  new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); +    	  extendedSAMLAttributes.add(bpkAttribute); +      } -      Element bpkSamlValueElement; -      try { -         bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); -      } catch (Exception e) { -         Logger.error("Error on building AUTH-Block: " + e.getMessage()); -          throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); -      }  -       -//      String s = xmlToString(bpkSamlValueElement); -//      System.out.println("bpkSamlValueElement: " + s); -       -      ExtendedSAMLAttribute bpkAttribute =  -    	  new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); -   
   extendedSAMLAttributes.add(bpkAttribute); -    	          boolean useMandate = session.getUseMandate();        if (useMandate) {      	  String mandateReferenceValue = Random.nextRandom(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java index a1b03fcad..04fbc0588 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java @@ -171,7 +171,8 @@ public class GetMISSessionIDServlet extends AuthServlet {  	    	Element mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement();  	    	//TODO OW bPK (Offen: was bei saml:NameIdentifier NameQualifier="urn:publicid:gv.at:cdid+bpk"> und <saml:Attribute AttributeName="bPK" ) -	    	//System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK()); +	    	System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK()); +	    	// TODO wenn OW bPK vorhanden - in SAML Assertion setzen!  	    	String redirectURL = null;  	    	String samlArtifactBase64 =  diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index acd96dee0..51ec82e2d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -138,8 +138,11 @@ public class VerifyCertificateServlet extends AuthServlet {  	    	if (useMandate) {
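Review bot: The added `System.out.println("identityLinkValue: " + identityLinkValue);` in AuthenticationBlockAssertionBuilder prints the identification value that the following lines wrap into the bPK attribute to stdout, while the same block already reports errors through `Logger`; debug output of a person identifier should at most be `Logger.debug(...)` and preferably not be committed at all. The new `if (identityLinkValue != null)` guard silently omits the bPK attribute when the value is absent — presumably the Organwalter case where AuthenticationServer clears the identification value — so a comment such as `// no identification value (e.g. Organwalter): AUTH block carries no bPK attribute` would make the intent visible. The re-indented block mixes tabs and spaces; the enclosing method begins outside the hunk.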
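Review bot: Uncommenting `System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK());` in GetMISSessionIDServlet writes the Organwalter bPK received from the MIS to stdout on every request; the other servlets in this commit log through `Logger`, so this should be `Logger.debug("OW bPK received from MIS for session.")` at most, without the identifier itself. The follow-up comment `// TODO wenn OW bPK vorhanden - in SAML Assertion setzen!` records that the value is still unused; it should be written in English like the neighbouring comments and name where the value is to be consumed. The enclosing method starts and ends outside the hunk.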
 -	    		Logger.error("Online-Mandate Mode for foreign citizencs not supported."); -    			throw new AuthenticationException("auth.13", null);    	          
 + +	    		// verify certificate for OrganWalter +	    		String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(sessionID, cert); +	    		 +	    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
  	    	}
  	    	else {
  	    		// Foreign Identities Modus	
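Review bot: The `useMandate` branch in VerifyCertificateServlet replaces an explicit rejection (`Logger.error(...)` followed by `throw new AuthenticationException("auth.13", null)`) with a call to `verifyCertificate(sessionID, cert)`, but nothing records that the mandate path is now taken here; a `Logger.debug("Mandate mode: building AUTH block after certificate read for session " + sessionID);` before the call keeps the two paths distinguishable in the logs. The last argument `"VerifyIdentityLink"` passed to `writeCreateXMLSignatureRequestOrRedirect` is copied from VerifyIdentityLinkServlet; if ServletUtils uses it to name the originating servlet, it should be `"VerifyCertificate"` here. The enclosing method starts and ends outside the hunk.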
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 17f7deb9b..5178e27d3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java 
@@ -173,7 +173,36 @@ public class VerifyIdentityLinkServlet extends AuthServlet {      	}      	else { -    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink"); +    		// @TODO: unteren InfoboxReadRequest zu, Signer-Cert auslesen (wegen Cert Abfrage auf Organwalter OID), +    		// nach oben verschoben vor verifyIdentityLink (da hier schon bPK berechnet, die aber für OW nicht in +    		// AUTH Block aufscheinen darf. --> D.h. verifyIdentityLink umbauen - verify und AUTH Block bauen trennen) +    		boolean useMandate = session.getUseMandate(); +    		if (useMandate) { // Mandate modus +    			// read certificate and set dataurl to  +    			Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); +    			 +     +     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); + +     		   // build dataurl (to the GetForeignIDSerlvet) +     		   String dataurl = +                 new DataURLBuilder().buildDataURL( +                   session.getAuthURL(), +                   REQ_VERIFY_CERTIFICATE, +                   session.getSessionID()); +            +           +     		  //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); +     		  //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); +     		  Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); +     		  ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); +    			 +    		} +    		else { +    			ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, 
"VerifyIdentityLink"); +    		} +    		 +    		      	}      } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index 80f2d744c..d97953270 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -35,7 +35,7 @@ public class MISMandate {  	final static private String OID_ZIVILTECHNIKER = "1.2.40.0.10.3.3";
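Review bot: The mandate branch added to VerifyIdentityLinkServlet discards `createXMLSignatureRequestOrRedirect`, which the code before the hunk already built, and the `@TODO` comment itself states why that is a problem: the bPK has by then been computed into the session's identity link although it must not appear in an Organwalter AUTH block, and `getCreateXMLSignatureRequestAuthBlockOrRedirectForOW`, reached later via the `REQ_VERIFY_CERTIFICATE` data URL, reads the identity link from that same session. Until verification and AUTH-block construction are split as the comment proposes, the limitation should be recorded in English where the branch starts, e.g. `// NOTE: verifyIdentityLink above has already substituted the bPK into the session's identity link; see TODO on splitting verify and AUTH-block build`. The commented-out `Logger.debug`/`writeCreateXMLSignatureRequestURLEncoded` lines should be removed, and the comment `// build dataurl (to the GetForeignIDSerlvet)` names a different target than the `REQ_VERIFY_CERTIFICATE` URL actually built and should be corrected. The enclosing method begins outside the hunk.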
  	final static private String TEXT_ZIVILTECHNIKER = "berufsmäßige(r) Parteienvertreter(in) mit Ziviltechnikerinneneigenschaft";
 -	final static private String OID_ORGANWALTER = "1.2.40.0.10.3.4";
 +	final static public String OID_ORGANWALTER = "1.2.40.0.10.3.4";
  	final static private String TEXT_ORGANWALTER = "Organwalter";
