Diffstat (limited to 'id/server/moa-id-commons/src')
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java29
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java14
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java68
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java3
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java16
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java6
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java88
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java14
-rw-r--r--id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd35
9 files changed, 206 insertions, 67 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index d8d3dbeee..6f6735d48 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -9,6 +9,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import iaik.asn1.ObjectID;
@@ -123,12 +124,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{
/** List of OWs */
public static final List<ObjectID> OW_LIST = Arrays.asList(
new ObjectID(OW_ORGANWALTER));
-
- /**BKU type identifiers to use bkuURI from configuration*/
- public static final String REQ_BKU_TYPE_LOCAL = "local";
- public static final String REQ_BKU_TYPE_ONLINE = "online";
- public static final String REQ_BKU_TYPE_HANDY = "handy";
- public static final List<String> REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY);
+
+ public static final List<String> REQ_BKU_TYPES = Arrays.asList(
+ IOAAuthParameters.HANDYBKU,
+ IOAAuthParameters.LOCALBKU,
+ IOAAuthParameters.THIRDBKU,
+ IOAAuthParameters.ONLINEBKU);
public static final List<String> LEGACYPARAMETERWHITELIST
= Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID);
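Review bot: The new `REQ_BKU_TYPES` list still contains `IOAAuthParameters.ONLINEBKU`, the constant this same commit marks `@Deprecated` in IOAAuthParameters, so a deprecated request type remains accepted with nothing on the list saying that is intended. A comment such as `// ONLINEBKU is deprecated but kept so legacy requests that still send "online" are accepted` would record the intent, which is presumably backward compatibility. The removed `REQ_BKU_TYPE_*` constants were public, so any caller outside this module that referenced them now has to switch to the `IOAAuthParameters` names.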
@@ -178,19 +179,25 @@ public class MOAIDAuthConstants extends MOAIDConstants{
//AuthnRequest IssueInstant validation
public static final int TIME_JITTER = 5; //all 5 minutes time jitter
-
+
+ //General MOASession data-store keys
+ public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
+
+ //Process context keys
public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication";
public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication";
public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection";
public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest";
public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId";
+ public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE;
//General protocol-request data-store keys
+ public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
+
+ @Deprecated
public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target";
+ @Deprecated
public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";
- public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
- //General MOASession data-store keys
- public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
-
+
}
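Review bot: `PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE` is defined as an alias of `MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE`, so the process-context key for the TLS client certificate and the session key for the holder-of-key certificate are the same string `"holderofkey_cert"`, and nothing on the new side says whether that identity is deliberate. If it is, a Javadoc such as `/** Same key as MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE: the TLS client certificate presented during authentication is stored as the holder-of-key certificate. */` makes the coupling explicit; if the two stores are ever merged, a reader should know the values are meant to be the same certificate. The `@Deprecated` annotations on `AUTHPROCESS_DATA_TARGET` and `AUTHPROCESS_DATA_TARGETFRIENDLYNAME` carry no `@deprecated` Javadoc tag naming what replaces them.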
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
index e9f9a7e80..98f0616a5 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
@@ -28,6 +28,8 @@ import java.util.Hashtable;
import java.util.List;
import java.util.Map;
+import at.gv.egovernment.moa.util.Constants;
+
/**
* @author tlenz
*
@@ -40,9 +42,15 @@ public class MOAIDConstants {
public static final String FILE_URI_PREFIX = "file:/";
- public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
- public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+";
- public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+";
+ public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID;
+ public static final String PREFIX_PBK = Constants.URN_PREFIX_BPK;
+ public static final String PREFIX_HPI = Constants.URN_PREFIX_HPI;
+
+ public static final String PREFIX_CDID = Constants.URN_PREFIX_CDID + "+";
+ public static final String PREFIX_WPBK = Constants.URN_PREFIX_WBPK + "+";
+ public static final String PREFIX_STORK = Constants.URN_PREFIX_STORK + "+";
+ public static final String PREFIX_EIDAS = Constants.URN_PREFIX_EIDAS + "+";
+
public static final String IDENIFICATIONTYPE_FN = "FN";
public static final String IDENIFICATIONTYPE_ERSB = "ERSB";
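Review bot: The new prefix constants are inconsistent about the trailing `+`: `PREFIX_CDID`, `PREFIX_WPBK`, `PREFIX_STORK` and `PREFIX_EIDAS` append `"+"` to the `Constants.URN_PREFIX_*` value, while `PREFIX_BASEID`, `PREFIX_PBK` and `PREFIX_HPI` do not. If the first group is meant to be compared against full area identifiers and the second used as bare namespaces, a comment stating that split would stop callers from appending `+` twice or omitting it; if not, the three bare ones look like a defect. `PREFIX_PBK` also reads as a transposition of the `URN_PREFIX_BPK` it is built from.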
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index bba6d0541..1e1bfa94b 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -38,9 +39,16 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
*/
public interface IOAAuthParameters {
- public static final String ONLINEBKU = "online";
+ public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing";
+ public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission";
+
+ public static final String THIRDBKU = "thirdBKU";
public static final String HANDYBKU = "handy";
public static final String LOCALBKU = "local";
+
+ @Deprecated
+ public static final String ONLINEBKU = "online";
+
public static final String INDERFEDERATEDIDP = "interfederated";
public static final String EIDAS = "eIDAS";
public static final String AUTHTYPE_OTHERS = "others";
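Review bot: `THIRDBKU = "thirdBKU"` is mixed case while the sibling values `"handy"`, `"local"` and `"online"` are all lowercase; if these strings are matched against request parameters or configuration values, the odd one out is easy to mistype, so a comment on why the value is not `"third"` would help. `ONLINEBKU` is marked `@Deprecated` without a `@deprecated` Javadoc tag; if `THIRDBKU` is its replacement, add `/** @deprecated use {@link #THIRDBKU} */`. The two `CONFIG_KEY_RESTRICTIONS_BASEID_*` keys are documented only in the method Javadoc further down this interface; a one-line comment on each constant naming the expected value format (comma-separated area-identifier prefixes) would keep that next to the key.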
@@ -63,20 +71,52 @@ public interface IOAAuthParameters {
public String getFriendlyName();
public String getPublicURLPrefix();
-
- public String getOaType();
- public boolean getBusinessService();
+ /**
+ * Indicates if this online applications has private area restrictions that disallow baseId processing in general
+ * This restriction is evaluated from area-identifier of this online application and a policy from configuration.
+ * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values
+ * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix
+ * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
+ *
+ * @return true if there is a restriction, otherwise false
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException;
+
/**
- * Get target of a public service-provider
+ * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA
+ * This restriction is evaluated from area-identifier of this online application and a policy from configuration.
+ * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values
+ * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix
+ * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
*
- * @return target identifier without prefix
+ * @return true if there is a restriction, otherwise false
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
*/
- public String getTarget();
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException;
- public String getTargetFriendlyName();
+ /**
+ * Get the full area-identifier for this online application to calculate the
+ * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...).
+ * This identifier always contains the full prefix
+ *
+ * @return area identifier with prefix
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException;
+
+ /**
+ * Get a friendly name for the specific area-identifier of this online application
+ *
+ * @return fiendly name of the area-identifier
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException;
+
+
public boolean isInderfederationIDP();
public boolean isSTORKPVPGateway();
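Review bot: The Javadoc on the four new methods has wording defects that will end up in the published API docs: `identifies` should be `identifiers` in every `@throws` line, `fiendly` should be `friendly`, and `this online applications has` should be `this online application has`. The descriptions of `hasBaseIdInternalProcessingRestriction` and `hasBaseIdTransferRestriction` are identical apart from the configuration key, so each should say what `true` denies (IdP-side baseID processing versus transmission of the baseID to the service provider) and what an absent or empty configuration value yields, since the prose only names the `urn:publicid:gv.at:cdid+` default. The interface body continues outside this hunk.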
@@ -84,13 +124,6 @@ public interface IOAAuthParameters {
public boolean isRemovePBKFromAuthBlock();
/**
- * Return the private-service domain-identifier with PreFix
- *
- * @return the identityLinkDomainIdentifier
- */
- public String getIdentityLinkDomainIdentifier();
-
- /**
* @return the keyBoxIdentifier
*/
public String getKeyBoxIdentifier();
@@ -138,11 +171,6 @@ public interface IOAAuthParameters {
*/
public List<String> getMandateProfiles();
- /**
- * @return the identityLinkDomainIdentifierType
- */
- public String getIdentityLinkDomainIdentifierType();
-
public boolean isShowMandateCheckBox();
public boolean isOnlyMandateAllowed();
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
index b2d90aed4..bc4cd72af 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
@@ -44,7 +44,8 @@ public interface IStorkConfig {
boolean isSTORKAuthentication(String ccc);
- CPEPS getCPEPS(String ccc);
+ CPEPS getCPEPSWithFullName(String ccc);
+ CPEPS getCPEPSWithCC(String ccc);
List<StorkAttribute> getStorkAttributes();
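Review bot: `getCPEPS` is split into `getCPEPSWithFullName` and `getCPEPSWithCC`, but both keep the parameter name `ccc` and neither has Javadoc, so a caller cannot tell which string form each expects or what is returned when no C-PEPS matches. Rename the first parameter to reflect its meaning and document both, e.g. `/** Looks up the C-PEPS by its full country name. @return the matching C-PEPS, or null if none is configured */`, adjusting the not-found wording to the implementation, which is outside this hunk.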
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
index 5091195d8..93f26051c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
@@ -208,7 +208,7 @@ public class ConfigurationMigrationUtils {
if (bkuurls != null) {
result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, bkuurls.getHandyBKU());
result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, bkuurls.getLocalBKU());
- result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, bkuurls.getOnlineBKU());
+ result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, bkuurls.getOnlineBKU());
}
@@ -831,7 +831,7 @@ public class ConfigurationMigrationUtils {
authoa.setBKUURLS(bkuruls);
bkuruls.setHandyBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
bkuruls.setLocalBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL));
- bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+ bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
//store SecurtiyLayerTemplates
TemplatesType templates = authoa.getTemplates();
@@ -1438,7 +1438,7 @@ public class ConfigurationMigrationUtils {
defaultbkus.getHandyBKU());
result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL,
defaultbkus.getLocalBKU());
- result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE,
+ result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD,
defaultbkus.getOnlineBKU());
}
@@ -1448,7 +1448,7 @@ public class ConfigurationMigrationUtils {
slreq.getHandyBKU());
result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL,
slreq.getLocalBKU());
- result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE,
+ result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD,
slreq.getOnlineBKU());
}
@@ -1711,8 +1711,8 @@ public class ConfigurationMigrationUtils {
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY)))
dbbkus.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY));
- if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)))
- dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+ if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)))
+ dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)))
dbbkus.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
@@ -1900,8 +1900,8 @@ public class ConfigurationMigrationUtils {
slrequesttempl.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)))
slrequesttempl.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
- if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)))
- slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+ if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)))
+ slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL)))
dbconfig.setTrustedCACertificates(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL));
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
index b72034002..695df3123 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
@@ -70,7 +70,7 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
public static final String SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME = SERVICE_AUTH_TARGET_PUBLIC + ".own.name";
private static final String SERVICE_AUTH_BKU = AUTH + "." + BKU;
- public static final String SERVICE_AUTH_BKU_ONLINE = SERVICE_AUTH_BKU + ".onlineBKU";
+ public static final String SERVICE_AUTH_BKU_THIRD = SERVICE_AUTH_BKU + ".onlineBKU";
public static final String SERVICE_AUTH_BKU_LOCAL = SERVICE_AUTH_BKU + ".localBKU";
public static final String SERVICE_AUTH_BKU_HANDY = SERVICE_AUTH_BKU + ".handyBKU";
public static final String SERVICE_AUTH_BKU_KEYBOXIDENTIFIER = SERVICE_AUTH_BKU + ".keyBoxIdentifier";
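Review bot: `SERVICE_AUTH_BKU_THIRD` is renamed from `SERVICE_AUTH_BKU_ONLINE` but its value stays `".onlineBKU"`, so the Java name and the persisted configuration key now disagree; the same applies to `GENERAL_DEFAULTS_BKU_THIRD` and `GENERAL_DEFAULTS_TEMPLATES_THIRD` in the second hunk of this file. Presumably the key is kept so existing configuration files keep loading; a comment such as `// key still reads "onlineBKU" for compatibility with existing configurations` on each of the three constants would stop a later maintainer from "fixing" the string and silently dropping every configured third-party BKU URL.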
@@ -196,13 +196,13 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
private static final String GENERAL_DEFAULTS = PREFIX_MOAID_GENERAL + ".defaults";
private static final String GENERAL_DEFAULTS_BKU = GENERAL_DEFAULTS + "." + BKU;
- public static final String GENERAL_DEFAULTS_BKU_ONLINE = GENERAL_DEFAULTS_BKU + ".onlineBKU";
+ public static final String GENERAL_DEFAULTS_BKU_THIRD = GENERAL_DEFAULTS_BKU + ".onlineBKU";
public static final String GENERAL_DEFAULTS_BKU_HANDY = GENERAL_DEFAULTS_BKU + ".handyBKU";
public static final String GENERAL_DEFAULTS_BKU_LOCAL = GENERAL_DEFAULTS_BKU + ".localBKU";
private static final String GENERAL_DEFAULTS_TEMPLATES = GENERAL_DEFAULTS + "." + TEMPLATES;
public static final String GENERAL_DEFAULTS_TEMPLATES_LOCAL = GENERAL_DEFAULTS_TEMPLATES + ".localBKU";
public static final String GENERAL_DEFAULTS_TEMPLATES_HANDY = GENERAL_DEFAULTS_TEMPLATES + ".handyBKU";
- public static final String GENERAL_DEFAULTS_TEMPLATES_ONLINE = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
+ public static final String GENERAL_DEFAULTS_TEMPLATES_THIRD = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
private static final String GENERAL_AUTH = PREFIX_MOAID_GENERAL + ".auth";
private static final String GENERAL_AUTH_CERTIFICATE = GENERAL_AUTH + ".certificate";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
index 9fc6f799d..dd606ea18 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -57,6 +57,8 @@ import java.util.ArrayList;
import java.util.List;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.LoggingContext;
import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import iaik.pki.jsse.IAIKX509TrustManager;
@@ -72,21 +74,27 @@ import iaik.pki.jsse.IAIKX509TrustManager;
public class MOAIDTrustManager extends IAIKX509TrustManager {
/** an x509Certificate array containing all accepted server certificates*/
- private X509Certificate[] acceptedServerCertificates;
+ private X509Certificate[] acceptedServerCertificates = null;
/**
* Constructor
* @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store
* @throws GeneralSecurityException occurs on security errors
* @throws IOException occurs on IO errors
+ * @throws SSLConfigurationException
*/
public MOAIDTrustManager(String acceptedServerCertificateStoreURL)
- throws IOException, GeneralSecurityException {
+ throws IOException, GeneralSecurityException, SSLConfigurationException {
- if (acceptedServerCertificateStoreURL != null)
- buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
- else
- acceptedServerCertificates = null;
+ if (acceptedServerCertificateStoreURL != null && MiscUtil.isNotEmpty(acceptedServerCertificateStoreURL.trim())) {
+ Logger.info("Initialize SSL-TrustStore with explicit accepted server-certificates");
+ buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
+
+ } else {
+ Logger.info("Initialize SSL-TrustStore without explicit accepted server-certificates");
+ acceptedServerCertificates = null;
+
+ }
}
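Review bot: The `else` branch logs at `info` that the trust manager is initialised "without explicit accepted server-certificates" and leaves `acceptedServerCertificates` null, but neither the log nor the constructor Javadoc says what that means for server-certificate validation, which is decided by the `IAIKX509TrustManager` superclass outside this hunk. Because an absent allow-list presumably widens what is trusted, state it in the parameter doc, e.g. `@param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store; null or blank disables the explicit server-certificate allow-list`, and consider `Logger.warn` for that branch so the wider trust setting is visible in operations logs. The field initialiser `= null` added on the first line of the hunk is redundant for a Java reference field.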
@@ -111,26 +119,72 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {
* containing accepted server X509 certificates
* @throws GeneralSecurityException on security errors
* @throws IOException on any IO errors
+ * @throws SSLConfigurationException
*/
private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL)
- throws IOException, GeneralSecurityException {
-
+ throws IOException, GeneralSecurityException, SSLConfigurationException {
List<X509Certificate> certList = new ArrayList<X509Certificate>();
URL storeURL = new URL(acceptedServerCertificateStoreURL);
+
+ //check URL to TrustStore
+ if (storeURL.getFile() == null) {
+ Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL
+ + " is NOT found");
+ throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"});
+
+ }
File storeDir = new File(storeURL.getFile());
- // list certificate files in directory
- File[] certFiles = storeDir.listFiles();
+
+ //check directory and files
+ if (storeDir == null || storeDir.listFiles() == null) {
+ Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL
+ + " is NOT found");
+ throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"});
+
+ }
+
+ // list certificate files in directory
+ File[] certFiles = storeDir.listFiles();
for (int i = 0; i < certFiles.length; i++) {
- // for each: create an X509Certificate and store it in list
- File certFile = certFiles[i];
- FileInputStream fis = new FileInputStream(certFile.getPath());
- CertificateFactory certFact = CertificateFactory.getInstance("X.509");
- X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
- fis.close();
- certList.add(cert);
+ // for each: create an X509Certificate and store it in list
+ File certFile = certFiles[i];
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(certFile.getPath());
+ CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+ X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
+ certList.add(cert);
+
+ } catch (Exception e) {
+ Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath()
+ + " is not loadable, Reason: " + e.getMessage());
+
+ if (Logger.isDebugEnabled()) {
+ try {
+ if (fis != null)
+ Logger.debug("Certificate: " + Base64Utils.encode(fis));
+
+ } catch (Exception e1) {
+ Logger.warn("Can NOT log content of certificate: " + certFile.getPath()
+ + ". Reason: " + e.getMessage(), e);
+
+ }
+ }
+
+ throw new SSLConfigurationException("config.28", new Object[]{certFile.getPath(), e.getMessage()}, e);
+
+ } finally {
+ if (fis != null)
+ fis.close();
+
+ }
}
+
// store acceptedServerCertificates
acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]);
+ Logger.debug("Add #" + acceptedServerCertificates.length
+ + " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL );
+
}
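Review bot: The two new guard checks in `buildAcceptedServerCertificates` cannot fire: `URL.getFile()` returns an empty string rather than null when there is no path, and `new File(...)` never yields null, so the only effective check is `listFiles() == null`, and that call is then repeated to obtain `certFiles`. In the debug branch `Logger.warn` reports `e.getMessage()` and passes `e` where the caught exception is `e1`, so the logging failure is hidden behind the outer parse error, and `Base64Utils.encode(fis)` runs on a stream that `generateCertificate` has already consumed, so the dump will most likely be empty. The fail-closed behaviour — any unparsable file aborts initialisation with `SSLConfigurationException` — is right and should stay. The rewrite below tests `getFile().isEmpty()`, calls `listFiles()` once, and fixes the exception variable; the method lies wholly inside the hunk.
```java
    private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL)
            throws IOException, GeneralSecurityException, SSLConfigurationException {
        List<X509Certificate> certList = new ArrayList<X509Certificate>();
        URL storeURL = new URL(acceptedServerCertificateStoreURL);

        // URL.getFile() never returns null; an empty path is the "not found" case
        if (storeURL.getFile().isEmpty()) {
            Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL
                    + " is NOT found");
            throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"});
        }

        // listFiles() is null when the path is not a readable directory; list once and reuse the result
        File storeDir = new File(storeURL.getFile());
        File[] certFiles = storeDir.listFiles();
        if (certFiles == null) {
            Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL
                    + " is NOT found");
            throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"});
        }

        for (int i = 0; i < certFiles.length; i++) {
            // … unchanged: open certFile, parse the X.509 certificate, add it to certList …
            } catch (Exception e) {
                // … unchanged: error log …
                if (Logger.isDebugEnabled()) {
                    try {
                        // … unchanged: debug dump of fis …
                    } catch (Exception e1) {
                        // report the logging failure itself, not the outer parse error
                        Logger.warn("Can NOT log content of certificate: " + certFile.getPath()
                                + ". Reason: " + e1.getMessage(), e1);
                    }
                }
                // … unchanged: throw SSLConfigurationException("config.28", …) …
            } finally {
                // … unchanged: close fis …
            }
        }
        // … unchanged: store acceptedServerCertificates and debug log …
    }
```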
/**
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 2a4e3b362..c94222ea0 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -396,10 +396,16 @@ public interface Constants {
/* Prefix and Schema definition for eIDAS specific SAML2 extensions*/
- public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
+ public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions";
public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd";
+
+ /* Prefix and Schema for SAML2 Entity Attributes */
+ public static final String SAML2_MDATTR_EXTENSIONS_PREFIX = "mdattr";
+ public static final String SAML2_MDATTR_EXTENSIONS = "urn:oasis:names:tc:SAML:metadata:attribute";
+ public static final String SAML2_MDATTR_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "sstc-metadata-attr.xsd";
+
/**
* Contains all namespaces and local schema locations for XML schema
* definitions relevant for MOA. For use in validating XML parsers.
@@ -433,8 +439,9 @@ public interface Constants {
+ (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ")
+ (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ")
+ (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ")
- + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION)
- + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
+ + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION + " ")
+ + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION + " ")
+ + (SAML2_MDATTR_EXTENSIONS + " " + SAML2_MDATTR_EXTENSIONS_SCHEMA_LOCATION);
/** URN prefix for bPK and wbPK. */
public static final String URN_PREFIX = "urn:publicid:gv.at";
@@ -454,7 +461,6 @@ public interface Constants {
/** URN prefix for context dependent id (stork). */
public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid";
- //TODO: update to eIDAS prefix
/** URN prefix for context dependent id (eIDAS). */
public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid";
diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd
new file mode 100644
index 000000000..f23e462a5
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/sstc-metadata-attr.xsd
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:metadata:attribute"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+
+ <annotation>
+ <documentation>
+ Document title: SAML V2.0 Metadata Extention for Entity Attributes Schema
+ Document identifier: sstc-metadata-attr.xsd
+ Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+ Revision history:
+ V1.0 (November 2008):
+ Initial version.
+ </documentation>
+ </annotation>
+
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+
+ <element name="EntityAttributes" type="mdattr:EntityAttributesType"/>
+ <complexType name="EntityAttributesType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:Attribute"/>
+ <element ref="saml:Assertion"/>
+ </choice>
+ </complexType>
+
+</schema>
+