diff options
Diffstat (limited to 'id/server/idserverlib')
14 files changed, 337 insertions, 93 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index c98af695b..5ff8b74b8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -24,6 +24,7 @@  package at.gv.egovernment.moa.id.auth; +import iaik.cms.ecc.IaikEccProvider;  import iaik.pki.PKIException;  import iaik.pki.jsse.IAIKX509TrustManager;  import iaik.security.ecc.provider.ECCProvider; @@ -31,6 +32,7 @@ import iaik.security.provider.IAIK;  import java.io.IOException;  import java.security.GeneralSecurityException; +import java.security.Security;  import java.util.Properties;  import javax.activation.CommandMap; @@ -76,6 +78,14 @@ public class MOAIDAuthInitializer {          Logger.info("Default java file.encoding: "                  + System.getProperty("file.encoding")); +         +		Logger.info("Loading security providers."); +		IAIK.addAsProvider(); +		 +		 +//		Security.insertProviderAt(new IAIK(), 1); +//		Security.insertProviderAt(new ECCProvider(), 1); +                  //JDK bug workaround according to:          // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier          // register content data handlers for S/MIME types @@ -185,5 +195,4 @@ public class MOAIDAuthInitializer {          AuthConfigLoader.start();      } -  }
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index 27ac16157..1b7b317c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -23,9 +23,13 @@  package at.gv.egovernment.moa.id.auth.servlet; +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; +  import java.io.ByteArrayOutputStream;  import java.io.IOException;  import java.io.InputStream; +import java.security.Security;  import java.util.Enumeration;  import java.util.HashMap;  import java.util.List; @@ -34,6 +38,7 @@ import java.util.Map;  import javax.servlet.RequestDispatcher;  import javax.servlet.ServletConfig;  import javax.servlet.ServletContext; +import javax.servlet.ServletContextEvent;  import javax.servlet.ServletException;  import javax.servlet.http.HttpServlet;  import javax.servlet.http.HttpServletRequest; @@ -351,6 +356,12 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {  		super.init(servletConfig);  	} +	 +//	public void contextDestroyed(ServletContextEvent arg0) { +//		Security.removeProvider((new IAIK()).getName()); +//		Security.removeProvider((new ECCProvider()).getName()); +//	} +	  	/**  	 * Set response headers to avoid caching  	 *  diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 7130089ae..ef9b63606 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -2,7 +2,11 @@ package at.gv.egovernment.moa.id.entrypoints; +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; +  import java.io.IOException; +import java.security.Security;  import java.util.Iterator;  import java.util.Map;  import java.util.Set; @@ -481,7 +485,7 @@ public class DispatcherServlet extends AuthServlet{  	    }  	} - +	  	@Override  	protected void doGet(HttpServletRequest req, HttpServletResponse resp)  			throws ServletException, IOException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index bef58ab59..dc2330f40 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -124,7 +124,6 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  			RequestAbstractType samlReq =  moaRequest.getSamlRequest();  			//String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq)); -			  			//Logger.info("SAML : " + xml);  			if(!moaRequest.isVerified()) { @@ -137,6 +136,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  				throw new MOAIDException("Unsupported request", new Object[] {});  			} +			EntityDescriptor metadata = moaRequest.getEntityMetadata(); +			if(metadata == null) { +				throw new NoMetadataInformationException(); +			} +			SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); +			  			AuthnRequest authnRequest = (AuthnRequest)samlReq;  			Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); @@ -144,6 +149,9 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  			if(aIdx != null) {  				assertionidx = aIdx.intValue(); +				 +			} else {				 +				assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);  			}  			aIdx = authnRequest.getAttributeConsumingServiceIndex(); @@ -153,13 +161,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  				attributeIdx = aIdx.intValue();  			} -			EntityDescriptor metadata = moaRequest.getEntityMetadata(); -			if(metadata == null) { -				throw new NoMetadataInformationException(); -			} -			SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);  			AssertionConsumerService consumerService  = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); -			AttributeConsumingService attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); +			 +			AttributeConsumingService attributeConsumer = null; +			 +			if (spSSODescriptor.getAttributeConsumingServices() != null  &&  +					spSSODescriptor.getAttributeConsumingServices().size() > 0) { +				attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); +			}   			String oaURL = moaRequest.getEntityMetadata().getEntityID();  			String binding = consumerService.getBinding(); @@ -176,7 +185,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  			String useMandate = request.getParameter(PARAM_USEMANDATE);  			if(useMandate != null) { -				if(useMandate.equals("true")) { +				if(useMandate.equals("true") && attributeConsumer != null) {  					if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {  						throw new MandateAttributesNotHandleAbleException();  					} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 232ad315f..9319c306b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -27,6 +27,7 @@ import org.opensaml.xml.security.credential.Credential;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger;  public class PostBinding implements IDecoder, IEncoder { @@ -45,6 +46,8 @@ public class PostBinding implements IDecoder, IEncoder {  			Credential credentials = CredentialProvider  					.getIDPSigningCredential(); +			Logger.debug("create SAML POSTBinding response"); +			  			// VelocityEngine engine =  			// VelocityProvider.getClassPathVelocityEngine();  			VelocityEngine engine = new VelocityEngine(); @@ -67,7 +70,7 @@ public class PostBinding implements IDecoder, IEncoder {  					.buildObject();  			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);  			service.setLocation(targetLocation); -			context.setOutboundSAMLMessageSigningCredential(credentials); +			context.setOutboundSAMLMessageSigningCredential(credentials);			  			context.setPeerEntityEndpoint(service);  			// context.setOutboundMessage(authReq);  			context.setOutboundSAMLMessage(response); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 418c4a60c..78b63e041 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -3,11 +3,13 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; +import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer;  import org.opensaml.common.SAMLObject;  import org.opensaml.common.binding.BasicSAMLMessageContext;  import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;  import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; +import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;  import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;  import org.opensaml.saml2.core.RequestAbstractType;  import org.opensaml.saml2.core.Response; @@ -31,6 +33,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils;  public class RedirectBinding implements IDecoder, IEncoder { @@ -47,6 +51,8 @@ public class RedirectBinding implements IDecoder, IEncoder {  			Credential credentials = CredentialProvider  					.getIDPSigningCredential(); +			Logger.debug("create SAML RedirectBinding response"); +			  			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();  			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(  					resp, true); @@ -84,13 +90,18 @@ public class RedirectBinding implements IDecoder, IEncoder {  		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(  				TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +		SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); +		 +		  		BasicSecurityPolicy policy = new BasicSecurityPolicy();  		policy.getPolicyRules().add(signatureRule); +		policy.getPolicyRules().add(signedRole); +		  		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(  				policy);  		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);  		messageContext.setSecurityPolicyResolver(resolver); - +		  		decode.decode(messageContext);  		signatureRule.evaluate(messageContext); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 5e8206739..9e2c89583 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -21,6 +21,7 @@ import org.opensaml.saml2.core.RequestedAuthnContext;  import org.opensaml.saml2.core.Subject;  import org.opensaml.saml2.core.SubjectConfirmation;  import org.opensaml.saml2.core.SubjectConfirmationData; +import org.opensaml.saml2.metadata.AssertionConsumerService;  import org.opensaml.saml2.metadata.AttributeConsumingService;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.NameIDFormat; @@ -42,6 +43,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; @@ -55,53 +57,55 @@ import at.gv.egovernment.moa.util.Constants;  public class PVP2AssertionBuilder implements PVPConstants {  	public static Assertion buildAssertion(AuthnRequest authnRequest, -			AuthenticationSession authSession, EntityDescriptor peerEntity) +			AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date)  			throws MOAIDException {  		Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);  		RequestedAuthnContext reqAuthnContext = authnRequest  				.getRequestedAuthnContext(); -		if (reqAuthnContext == null) { -			throw new NoAuthContextException(); -		} - -		boolean stork_qaa_1_4_found = false; -  		AuthnContextClassRef authnContextClassRef = SAML2Utils  				.createSAMLObject(AuthnContextClassRef.class); - -		 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext -				.getAuthnContextClassRefs(); -		 if (reqAuthnContextClassRefIt.size() == 0) { -			 stork_qaa_1_4_found = true; +		if (reqAuthnContext == null) {  			 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); -			  -		 } else { -			 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { -				 String qaa_uri = authnClassRef.getAuthnContextClassRef(); -				 if (qaa_uri.trim().equals(STORK_QAA_1_4) -						 || qaa_uri.trim().equals(STORK_QAA_1_3) -						 || qaa_uri.trim().equals(STORK_QAA_1_2) -						 || qaa_uri.trim().equals(STORK_QAA_1_1)) { -					 -					 if (authSession.isForeigner()) { -						 //TODO: insert QAA check -					 -						 stork_qaa_1_4_found = false; -					 -					 } else { -						 stork_qaa_1_4_found = true; -						 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); +			 +		} else { + +			boolean stork_qaa_1_4_found = false; +		 +			 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext +					.getAuthnContextClassRefs(); +			 +			 if (reqAuthnContextClassRefIt.size() == 0) { +				 stork_qaa_1_4_found = true; +				 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); +				  +			 } else { +				 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { +					 String qaa_uri = authnClassRef.getAuthnContextClassRef(); +					 if (qaa_uri.trim().equals(STORK_QAA_1_4) +							 || qaa_uri.trim().equals(STORK_QAA_1_3) +							 || qaa_uri.trim().equals(STORK_QAA_1_2) +							 || qaa_uri.trim().equals(STORK_QAA_1_1)) { +						 +						 if (authSession.isForeigner()) { +							 //TODO: insert QAA check +						 +							 stork_qaa_1_4_found = false; +						 +						 } else { +							 stork_qaa_1_4_found = true; +							 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); +						 } +						 break;  					 } -					 break;  				 }  			 } -		 } - -		if (!stork_qaa_1_4_found) { -			throw new QAANotSupportedException(STORK_QAA_1_4); +	 +			if (!stork_qaa_1_4_found) { +				throw new QAANotSupportedException(STORK_QAA_1_4); +			}  		}  //		reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs() @@ -133,7 +137,7 @@ public class PVP2AssertionBuilder implements PVPConstants {  		AuthnStatement authnStatement = SAML2Utils  				.createSAMLObject(AuthnStatement.class);  		String remoteSessionID = SAML2Utils.getSecureIdentifier(); -		authnStatement.setAuthnInstant(new DateTime()); +		authnStatement.setAuthnInstant(date);  		// currently dummy id ...  		authnStatement.setSessionIndex(remoteSessionID);  		authnStatement.setAuthnContext(authnContext); @@ -142,16 +146,14 @@ public class PVP2AssertionBuilder implements PVPConstants {  		SPSSODescriptor spSSODescriptor = peerEntity  				.getSPSSODescriptor(SAMLConstants.SAML20P_NS); - +		  		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();  		int idx = 0;  		if (aIdx != null) {  			idx = aIdx.intValue(); -		} - -		AttributeConsumingService attributeConsumingService = spSSODescriptor -				.getAttributeConsumingServices().get(idx); +			 +		}   		AttributeStatement attributeStatement = SAML2Utils  				.createSAMLObject(AttributeStatement.class); @@ -195,32 +197,38 @@ public class PVP2AssertionBuilder implements PVPConstants {  				.buildAuthenticationData(authSession, oaParam,  						oaParam.getTarget()); -		Iterator<RequestedAttribute> it = attributeConsumingService -				.getRequestAttributes().iterator(); -		while (it.hasNext()) { -			RequestedAttribute reqAttribut = it.next(); -			try { -				Attribute attr = PVPAttributeBuilder.buildAttribute( -						reqAttribut.getName(), authSession, oaParam, authData); -				if (attr == null) { +		if (spSSODescriptor.getAttributeConsumingServices() != null &&  +				spSSODescriptor.getAttributeConsumingServices().size() > 0) { +		 +			AttributeConsumingService attributeConsumingService = spSSODescriptor +					.getAttributeConsumingServices().get(idx); +			 +			Iterator<RequestedAttribute> it = attributeConsumingService +					.getRequestAttributes().iterator(); +			while (it.hasNext()) { +				RequestedAttribute reqAttribut = it.next(); +				try { +					Attribute attr = PVPAttributeBuilder.buildAttribute( +							reqAttribut.getName(), authSession, oaParam, authData); +					if (attr == null) { +						if (reqAttribut.isRequired()) { +							throw new UnprovideableAttributeException( +									reqAttribut.getName()); +						} +					} else { +						attributeStatement.getAttributes().add(attr); +					} +				} catch (PVP2Exception e) { +					Logger.error( +							"Attribute generation failed! for " +									+ reqAttribut.getFriendlyName(), e);  					if (reqAttribut.isRequired()) {  						throw new UnprovideableAttributeException(  								reqAttribut.getName());  					} -				} else { -					attributeStatement.getAttributes().add(attr); -				} -			} catch (PVP2Exception e) { -				Logger.error( -						"Attribute generation failed! for " -								+ reqAttribut.getFriendlyName(), e); -				if (reqAttribut.isRequired()) { -					throw new UnprovideableAttributeException( -							reqAttribut.getName());  				}  			}  		} -  		if (attributeStatement.getAttributes().size() > 0) {  			assertion.getAttributeStatements().add(attributeStatement);  		} @@ -292,8 +300,17 @@ public class PVP2AssertionBuilder implements PVPConstants {  		SubjectConfirmationData subjectConfirmationData = SAML2Utils  				.createSAMLObject(SubjectConfirmationData.class);  		subjectConfirmationData.setInResponseTo(authnRequest.getID()); -		subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20)); -		subjectConfirmationData.setRecipient(peerEntity.getEntityID()); +		subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5)); +		 +		//TL: change from entityID to destination URL  +		AssertionConsumerService consumerService = spSSODescriptor +				.getAssertionConsumerServices().get(idx); + +		if (consumerService == null) { +			throw new InvalidAssertionConsumerServiceException(idx); +		} +		 +		subjectConfirmationData.setRecipient(consumerService.getLocation());  		subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); @@ -303,12 +320,12 @@ public class PVP2AssertionBuilder implements PVPConstants {  		AudienceRestriction audienceRestriction = SAML2Utils  				.createSAMLObject(AudienceRestriction.class);  		Audience audience = SAML2Utils.createSAMLObject(Audience.class); - +		  		audience.setAudienceURI(peerEntity.getEntityID());  		audienceRestriction.getAudiences().add(audience); -		conditions.setNotBefore(new DateTime()); +		conditions.setNotBefore(date); -		conditions.setNotOnOrAfter(new DateTime().plusMinutes(20)); +		conditions.setNotOnOrAfter(date.plusMinutes(5));  //		conditions.setNotOnOrAfter(new DateTime());  		conditions.getAudienceRestrictions().add(audienceRestriction); @@ -316,12 +333,16 @@ public class PVP2AssertionBuilder implements PVPConstants {  		assertion.setConditions(conditions);  		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); -		issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName()); +		 +		//TODO: check! +		//change to entity value from entity name to IDP EntityID (URL) +		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());  		issuer.setFormat(NameID.ENTITY); +		  		assertion.setIssuer(issuer);  		assertion.setSubject(subject);  		assertion.setID(SAML2Utils.getSecureIdentifier()); -		assertion.setIssueInstant(new DateTime()); +		assertion.setIssueInstant(date);  		return assertion;  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java index ad664486b..2c4eb15de 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java @@ -15,6 +15,7 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild  	public String getName() {  		return MANDATE_REFERENCE_VALUE_NAME;  	} +	public Attribute build(AuthenticationSession authSession,   	public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData,  			IAttributeGenerator<ATT> g) throws AttributeException { @@ -39,3 +40,29 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild  		return g.buildEmptyAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME);  	}  } + +	public Attribute build(AuthenticationSession authSession,  +			OAAuthParameter oaParam, AuthenticationData authData) throws PVP2Exception { +		if(authSession.getUseMandate()) { +			 +//			Element mandate = authSession.getMandate(); +//			if(mandate == null) { +//				throw new NoMandateDataAvailableException(); +//			} +//			Mandate mandateObject = MandateBuilder.buildMandate(mandate); +//			if(mandateObject == null) { +//				throw new NoMandateDataAvailableException(); +//			} +			 +			return buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME,  +					MANDATE_REFERENCE_VALUE_NAME, authSession.getMandateReferenceValue()); +		} +		return null; +		 +	} +	 +	public Attribute buildEmpty() { +		return buildemptyAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME,  +				MANDATE_REFERENCE_VALUE_NAME); +	} +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java new file mode 100644 index 000000000..142227a59 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java @@ -0,0 +1,14 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +import org.opensaml.saml2.core.StatusCode; + +public class InvalidAssertionEncryptionException extends PVP2Exception { + +	private static final long serialVersionUID = 6513388841485355549L; + +	public InvalidAssertionEncryptionException() { +		super("pvp2.16", new Object[]{}); +		this.statusCodeValue = StatusCode.REQUESTER_URI; +	} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 1d494c512..0c7dea3c8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -1,19 +1,47 @@  package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; +  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; +import org.opensaml.Configuration;  import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.core.Assertion;  import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.EncryptedAssertion;  import org.opensaml.saml2.core.Issuer;  import org.opensaml.saml2.core.NameID;  import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder; +import org.opensaml.saml2.encryption.Encrypter; +import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;  import org.opensaml.saml2.metadata.AssertionConsumerService;  import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.KeyDescriptor;  import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCriteria;  import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.encryption.EncryptionException; +import org.opensaml.xml.encryption.EncryptionParameters; +import org.opensaml.xml.encryption.KeyEncryptionParameters; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.CriteriaSet;  import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.criteria.EntityIDCriteria; +import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; +import org.opensaml.xml.security.x509.BasicX509Credential; +import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.signature.KeyInfo;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -27,6 +55,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger; @@ -45,37 +76,110 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  		AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest();  		EntityDescriptor peerEntity = obj.getEntityMetadata(); -		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity); - +		DateTime date = new DateTime(); +		 +		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity, date); +		  		Response authResponse = SAML2Utils.createSAMLObject(Response.class); -  		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);  		nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());  		nissuer.setFormat(NameID.ENTITY);  		authResponse.setIssuer(nissuer);  		authResponse.setInResponseTo(authnRequest.getID()); -		authResponse.getAssertions().add(assertion); + +		 +		//SAML2 response required IssueInstant +		authResponse.setIssueInstant(date); +		  		authResponse.setStatus(SAML2Utils.getSuccessStatus()); +		SPSSODescriptor spSSODescriptor = peerEntity +				.getSPSSODescriptor(SAMLConstants.SAML20P_NS); +		  		Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();  		int idx = 0;  		if (aIdx != null) {  			idx = aIdx.intValue(); +			 +		} else {				 +			idx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);  		} -		 -		SPSSODescriptor spSSODescriptor = peerEntity -				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);  		AssertionConsumerService consumerService = spSSODescriptor  				.getAssertionConsumerServices().get(idx);  		if (consumerService == null) { +			//TODO: maybe use default ConsumerService +			  			throw new InvalidAssertionConsumerServiceException(idx); +			  		}  		String oaURL = consumerService.getLocation(); +		//check, if metadata includes an encryption key				 +		MetadataCredentialResolver mdCredResolver =  +				new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); +	 +		CriteriaSet criteriaSet = new CriteriaSet(); +		criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) ); +		criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); +		criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); +	 +		X509Credential encryptionCredentials = null; +		try { +			encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); +				 +		} catch (SecurityException e2) { +			Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); +			throw new InvalidAssertionEncryptionException(); +			 +		} +	 +		if (encryptionCredentials != null) { +			//encrypt SAML2 assertion +				 +			try { +				 +				EncryptionParameters dataEncParams = new EncryptionParameters(); +				dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); +			 +				List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>(); +				KeyEncryptionParameters  keyEncParam = new KeyEncryptionParameters(); +			 +				keyEncParam.setEncryptionCredential(encryptionCredentials); +				keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); +				KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() +						.getKeyInfoGeneratorManager().getDefaultManager() +						.getFactory(encryptionCredentials); +				keyEncParam.setKeyInfoGenerator(kigf.newInstance()); +				keyEncParamList.add(keyEncParam); +			 +				Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);  +				//samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); +				samlEncrypter.setKeyPlacement(KeyPlacement.PEER); +				 +				EncryptedAssertion encryptAssertion = null; +				 +				encryptAssertion = samlEncrypter.encrypt(assertion); + +				authResponse.getEncryptedAssertions().add(encryptAssertion); +				 +				} catch (EncryptionException e1) { +					Logger.warn("Can not encrypt the PVP2 assertion", e1); +					throw new InvalidAssertionEncryptionException(); +					 +				}  + +			} else { +				authResponse.getAssertions().add(assertion); +				 +			} +			 + + +		  		IEncoder binding = null;  		if (consumerService.getBinding().equals( @@ -101,6 +205,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  			binding.encodeRespone(req, resp, authResponse, oaURL);  			// TODO add remoteSessionID to AuthSession ExternalPVPSessionStore +//			Logger logger = new Logger(); +//			logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse))); +			 +  			return assertion.getID();  		} catch (MessageEncodingException e) { @@ -109,6 +217,15 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  		} catch (SecurityException e) {  			Logger.error("Security exception", e);  			throw new MOAIDException("pvp2.01", null, e); +//		} catch (TransformerException e) { +//			Logger.error("Security exception", e); +//			throw new MOAIDException("pvp2.01", null, e); +//		} catch (IOException e) { +//			Logger.error("Security exception", e); +//			throw new MOAIDException("pvp2.01", null, e); +//		} catch (MarshallingException e) { +//			Logger.error("Security exception", e); +//			throw new MOAIDException("pvp2.01", null, e);  		}  	}  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 7bb5b052f..373bca902 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;  import java.io.IOException;  import java.security.NoSuchAlgorithmException; +import java.util.List;  import javax.xml.namespace.QName;  import javax.xml.parsers.DocumentBuilder; @@ -13,6 +14,8 @@ import org.opensaml.Configuration;  import org.opensaml.common.impl.SecureRandomIdentifierGenerator;  import org.opensaml.saml2.core.Status;  import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.xml.XMLObject;  import org.opensaml.xml.XMLObjectBuilderFactory;  import org.opensaml.xml.io.Marshaller; @@ -77,4 +80,17 @@ public class SAML2Utils {  		status.setStatusCode(statusCode);  		return status;  	} +	 +	public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) { +		 +		List<AssertionConsumerService> assertionConsumerList = spSSODescriptor.getAssertionConsumerServices(); +		 +		for (AssertionConsumerService el : assertionConsumerList) { +			if (el.isDefault()) +				return el.getIndex(); +			 +		} +		 +		return 0; +	}  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 628da6773..4823d7629 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -41,6 +41,7 @@ public class SAMLVerificationEngine {  	public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {  		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); +		  		try {  		    profileValidator.validate(samlObj.getSignature());  		} catch (ValidationException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index e40d11128..840c3f2be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -209,6 +209,7 @@ public class AuthenticationSessionStoreage {  				  //Assertion requires an unique artifact  				  if (result.size() != 1) {  					 Logger.trace("No entries found."); +					 tx.rollback();  				   	throw new MOADatabaseException("No session found with this sessionID");  				  } diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 37e35b6ce..05d24ffac 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -96,7 +96,7 @@ cleaner.03=Abgelaufene Anmeldedaten zur SAML-Assertion ID {0} wurden aus dem Spe  proxy.00=MOA ID Proxy wurde erfolgreich gestartet
  proxy.01=Unbekannter URL {0}, erwarteter URL auf {1}
 -proxy.02=Unbekannter URL {0}. <br>Es wurde keine Übereinstimmung zum Attribut publicURLPrefix im Element 'OnlineApplication' der verwendeten MOA-ID Konfigurationsdatei gefunden.
 +proxy.02=Unbekannter URL {0}. <br>Es wurde keine Übereinstimmung zum Attribut publicURLPrefix im Element 'OnlineApplication' der verwendeten MOA-ID Konfigurationsdatei gefunden.
  proxy.04=URL {0} : {1}
  proxy.05=Fehler beim Aufbauen der SSLSocketFactory f\u00FCr {0} \: {1}
  proxy.06=Fehler beim Starten des Service MOA ID Proxy
 @@ -125,7 +125,7 @@ validator.08=Das Manifest ist ung\u00FCltig  validator.09=Die \u00F6ffentlichen Schl\u00FCssel des Identitiy Link stimmen nicht mit dem retournierten Zertifikat \u00FCberein
  validator.10=Anzahl der URLs zur Authentisierungskomponente ung\u00FCltig {0}
 -validator.11="Gesch�ftsbereich" wurde nicht in den SAML-Attributen gefunden {0}
 +validator.11="Gesch�ftsbereich" wurde nicht in den SAML-Attributen gefunden {0}
  validator.12=Der Namespace des SAML-Attributs "Gesch\\u00E4ftsbereich" ist ung\u00FCltig {0}
  validator.13=Das Target des 'Gesch\u00E4ftsbereichs' ist ung\u00FCltig {0}
  validator.14="OA" wurde nicht in den SAML-Attributen gefunden {0}
 @@ -133,12 +133,12 @@ validator.15=Der Namespace des SAML-Attributs "OA" ist ung\u00FCltig {0}  validator.16=Die vorkonfigurierte URL der OnlineApplikation ist fehlerhaft {0}
  validator.17= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist ung\u00FCltig {0}
 -#validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als g�ltiger SubjectDN-Name f�r eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
 +#validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als g�ltiger SubjectDN-Name f�r eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
  validator.18= Das Zertifikat mit dem die Personenbindung signiert wurde, ist nicht zum Signieren der Personenbindung zul\u00E4ssig. Es konnte weder der SubjectDN ({0}) einem berechtigten Namen zugeordnet werden, noch enth?lt das Zertifikat die Erweiterung "Eigenschaft zur Ausstellung von Personenbindungen".
  validator.19=Das verwendete Zertifikat zum Signieren ist ung\u00FCltig.<br>{0}
 -validator.21=Es konnte keine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauensw�rdigen Wurzelzertifikat konstruiert werden.
 +validator.21=Es konnte keine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauensw�rdigen Wurzelzertifikat konstruiert werden.
  validator.22=Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauensw\u00FCrdigen Wurzelzertifikat konnte konstruiert werden. F\u00FCr zumindest ein Zertifikat dieser Kette f\u00E4llt der Pr?fzeitpunkt nicht in das G\u00FCltigkeitsintervall.
  validator.23=Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauensw\u00FCrdigen Wurzelzertifikat konnte konstruiert werden. F\u00FCr alle Zertifikate dieser Kette f\u00E4llt der Pr\u00FCfzeitpunkt in das jeweilige G\u00FCltigkeitsintervall. F\u00FCr zumindest ein Zertifikat konnte der Zertifikatstatus nicht festgestellt werden.
  validator.24=Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauensw\u00FCrdigen Wurzelzertifikat konnte konstruiert werden. F\u00FCr alle Zertifikate dieser Kette f\u00E4llt der Pr\u00FCfzeitpunkt in das jeweilige G\u00FCltigkeitsintervall. Zumindest ein Zertifikat ist zum Pr\u00FCfzeitpunkt widerrufen.
 @@ -148,7 +148,7 @@ validator.26=OA Applikation ist eine Wirtschaftsapplikation, trotzdem ist ein SA  validator.27=OA Applikation ist keine Wirtschaftsapplikation, trotzdem ist ein SAML-Attribut "wbPK" enthalten
  validator.28=Fehlerhafter Wert im "wbPK" SAML-Attribut {0}
  validator.29=Fehler beim Auslesen des "wbPK" SAML-Attributs {0}
 -validator.30=Der Namespace des SAML-Attributs "wbPK" ist ung�ltig {0}
 +validator.30=Der Namespace des SAML-Attributs "wbPK" ist ung�ltig {0}
  validator.31="wbPK" wurde nicht in den SAML-Attributen gefunden {0}
 @@ -218,7 +218,7 @@ pvp2.12=NameID Format {0} wird nicht unterstuetzt  pvp2.13=Interner Server Fehler
  pvp2.14=SAML Anfrage verweigert
  pvp2.15=Keine Metadateninformation gefunden
 -
 +pvp2.16=Fehler beim verschl\u00FCsseln der PVP2 Assertion
  oauth20.01=Fehlerhafte redirect url
  oauth20.02=Fehlender Parameter "{0}"
 @@ -227,5 +227,5 @@ oauth20.04=Die Art der Anmeldung wird nicht unterstuetzt  oauth20.05=Der angegebene Benutzer ist nicht berechtigt
  oauth20.06=Die angegebene OA kann nicht verwendet werden
  oauth20.07=Angeforderter grant_type ist nicht erlaubt
 -oauth20.08=Nicht berechtigt für Token-Request
 -oauth20.09=Zertifikat fuer JSON Web-Token ist falsch konfiguriert. Fehler bei "{0}" +oauth20.08=Nicht berechtigt für Token-Request
 +oauth20.09=Zertifikat fuer JSON Web-Token ist falsch konfiguriert. Fehler bei "{0}"
 | 
