diff options
Diffstat (limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java')
-rw-r--r-- | id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java | 221 |
1 files changed, 221 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java new file mode 100644 index 000000000..599a67dfd --- /dev/null +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java @@ -0,0 +1,221 @@ +package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.util.Date; +import java.util.List; + +import org.opensaml.Configuration; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; +import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants; +import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; +import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; +import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureRequestBuilder; +import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil; +import at.gv.egovernment.moa.util.Base64Utils; + + +public class QualifiedeIDVerifier { + public static void verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException { + // validates the identity link + IdentityLinkValidator.getInstance().validate(idl); + + // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP + Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() + .build(idl, authConfig.getMoaSpIdentityLinkTrustProfileID(oaParam.isUseIDLTestTrustStore())); + + // invokes the call + Element domVerifyXMLSignatureResponse = SignatureVerificationInvoker.getInstance() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + + // parses the <VerifyXMLSignatureResponse> + IVerifiyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(domVerifyXMLSignatureResponse).parseData(); + + // validates the <VerifyXMLSignatureResponse> + VerifyXMLSignatureResponseValidator.getInstance().validate( + verifyXMLSignatureResponse, + authConfig.getIdentityLinkX509SubjectNames(), + VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, + oaParam, + authConfig); + + + } + + public static IVerifiyXMLSignatureResponse verifyAuthBlock(String authBlockB64, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException, IOException { + String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore()); + List<String> verifyTransformsInfoProfileID = + KeyValueUtils.getListOfCSVValues( + KeyValueUtils.normalizeCSVValueString( + authConfig.getBasicConfiguration( + at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants.CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID))); + + SignatureVerificationUtils sigVerify = new SignatureVerificationUtils(); + IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(Base64Utils.decode(authBlockB64, false), trustProfileId , verifyTransformsInfoProfileID); + + // validates the <VerifyXMLSignatureResponse> + VerifyXMLSignatureResponseValidator.getInstance().validate(sigVerifyResult, + null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, oaParam, authConfig); + + return sigVerifyResult; + + } + + public static boolean checkConsistencyOfeIDData(String sl20ReqId, IIdentityLink idl, AssertionAttributeExtractor authBlockExtractor, IVerifiyXMLSignatureResponse sigVerifyResult) throws SL20eIDDataValidationException { + + try { + // compares the public keys from the identityLink with the AuthBlock + VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(sigVerifyResult, idl); + + //compare requestId from SL20 qualifiedeID command to ID from SAML2 assertion + String authBlockId = authBlockExtractor.getAssertionID(); + if (MiscUtil.isEmpty(authBlockId)) { + Logger.info("AuthBlock containts no ID, but ID MUST be included"); + throw new SL20eIDDataValidationException(new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + "AuthBlock containts no ID, but ID MUST be included" + }); + } + + if (!authBlockId.equals(sl20ReqId)) { + Logger.info("SL20 'requestId' does NOT match to AuthBlock Id." + + " Expected : " + sl20ReqId + + " Authblock: " + authBlockId); + throw new SL20eIDDataValidationException(new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + "SL20 'requestId' does NOT match to AuthBlock Id." + }); + } + + + // Compare AuthBlock Data with information stored in session, especially + // date and time + validateSigningDateTime(sigVerifyResult, authBlockExtractor); + + } catch ( Exception e) { + Logger.warn("Validation of eID information FAILED. ", e); + throw new SL20eIDDataValidationException(new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, + e.getMessage() + }); + + } + + + return false; + + } + + public static Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException { + try { + //parse authBlock into SAML2 Assertion + byte[] authBlockBytes = Base64Utils.decode(authblockB64, false); + Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes)); + + UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM); + XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM); + + //validate SAML2 Assertion + SAML2Utils.schemeValidation(samlAssertion); + + if (samlAssertion instanceof Assertion) + return (Assertion) samlAssertion; + else + throw new SL20eIDDataValidationException( + new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + "AuthBlock is NOT of type SAML2 Assertion" + }); + + } catch (SL20eIDDataValidationException e) { + throw e; + + } catch (SAXException e) { + Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage()); + throw new SL20eIDDataValidationException( + new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + e.getMessage() + }, + e); + + } catch (Exception e) { + Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage()); + Logger.trace("FullAuthBlock: " + authblockB64); + throw new SL20eIDDataValidationException( + new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + e.getMessage() + }, + e); + + } + + } + + private static void validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult, AssertionAttributeExtractor authBlockExtractor) throws SL20eIDDataValidationException { + Date signingDate = sigVerifyResult.getSigningDateTime(); + Date notBefore = authBlockExtractor.getAssertionNotBefore(); + Date notOrNotAfter = authBlockExtractor.getAssertionNotOnOrAfter(); + + if (signingDate == null) { + Logger.info("AuthBlock signature contains NO signing data"); + throw new SL20eIDDataValidationException(new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + "AuthBlock signature contains NO signing data" + }); + + } + + Logger.debug("AuthBlock signing data: " + signingDate.toString()); + + if (notBefore == null || notOrNotAfter == null) { + Logger.info("AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates"); + throw new SL20eIDDataValidationException(new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + "AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates" + }); + + } + + Logger.debug("AuthBlock valid period." + + " NotBefore:" + notBefore.toString() + + " NotOrNotAfter:" + notOrNotAfter.toString()); + + if ((signingDate.after(notBefore) || signingDate.equals(notBefore)) + && signingDate.before(notOrNotAfter)) + Logger.debug("Signing date validation successfull"); + + + else { + Logger.info("AuthBlock signing date does NOT match to AuthBlock constrains"); + throw new SL20eIDDataValidationException(new Object[] { + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, + "AuthBlock signing date does NOT match to AuthBlock constrains" + }); + + } + } + +} |