diff options
Diffstat (limited to 'id/server')
25 files changed, 347 insertions, 633 deletions
diff --git a/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml b/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml index 9fef4fa2e..46052053a 100644 --- a/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml +++ b/id/server/data/deploy/conf/moa-id/eIDAS/EncryptModule.xml @@ -3,14 +3,32 @@ <properties> <comment>SWModule encrypt with JKS.</comment> - <entry key="keystorePath">keys/eidasKeyStore.jks</entry> + + <entry key="check_certificate_validity_period">false</entry> + <entry key="disallow_self_signed_certificate">false</entry> + <entry key="response.encryption.mandatory">false</entry> + + <!-- Data Encryption algorithm --> + <entry key="data.encryption.algorithm">http://www.w3.org/2009/xmlenc11#aes256-gcm</entry> + + <!-- Decryption algorithm Whitelist--> + <entry key="encryption.algorithm.whitelist"> + http://www.w3.org/2009/xmlenc11#aes128-gcm; + http://www.w3.org/2009/xmlenc11#aes256-gcm; + http://www.w3.org/2009/xmlenc11#aes192-gcm + </entry> + + <!-- Key Encryption algorithm --> + <entry key="key.encryption.algorithm">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</entry> + + <entry key="keyStorePath">keys/eidasKeyStore.jks</entry> + <entry key="keyStoreType">JKS</entry> <entry key="keyStorePassword">local-demo</entry> <entry key="keyPassword">local-demo</entry> <!-- Management of the encryption activation --> <entry key="encryptionActivation">eIDAS/encryptionConf.xml</entry> - <entry key="responseToPointIssuer.BE">CN=local-demo-cert, OU=DIGIT, O=European Comission, L=Brussels, ST=Belgium,C=BE</entry> <entry key="responseToPointSerialNumber.BE">54C8F779</entry> @@ -18,5 +36,5 @@ <entry key="responseDecryptionIssuer">CN=local-demo-cert, OU=DIGIT, O=European Comission, L=Brussels, ST=Belgium, C=BE</entry> <entry key="serialNumber">54C8F779</entry> - <entry key="keystoreType">JKS</entry> + </properties>
\ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml b/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml index 745580428..bf7215cb5 100644 --- a/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml +++ b/id/server/data/deploy/conf/moa-id/eIDAS/SignModule.xml @@ -3,17 +3,46 @@ <properties> <comment>SWModule sign with JKS.</comment> - <entry key="keystorePath">keys/eidasKeyStore_Service_CB.jks</entry> + <entry key="check_certificate_validity_period">false</entry> + <entry key="disallow_self_signed_certificate">false</entry> + + <!-- signing Algorithm SHA_512(default),SHA_384,SHA_256 --> + <!-- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 --> + <!-- http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 --> + <!-- http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 --> + <entry key="signature.algorithm">http://www.w3.org/2001/04/xmldsig-more#rsa-sha512</entry> + + <!-- List of incoming Signature algorithms white list separated by ; (default all) --> + <entry key="signature.algorithm.whitelist"> + http://www.w3.org/2001/04/xmldsig-more#rsa-sha256; + http://www.w3.org/2001/04/xmldsig-more#rsa-sha384; + http://www.w3.org/2001/04/xmldsig-more#rsa-sha512; + http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160; + http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256; + http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384; + http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512; + http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1; + http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-mgf1 + </entry> + + <!-- signing response assertion true/false (default false) --> + <entry key="response.sign.assertions">true</entry> + + <!--AuthnRequest / Assertion signing keyStore--> + <entry key="keyStorePath">keys/eidasKeyStore_Service_CB.jks</entry> + <entry key="keyStoreType">JKS</entry> <entry key="keyStorePassword">local-demo</entry> <entry key="keyPassword">local-demo</entry> <entry key="issuer">CN=cpeps-cb-demo-certificate, OU=STORK, O=CPEPS, L=EU, ST=EU, C=CB</entry> <entry key="serialNumber">54C8F839</entry> - <entry key="keystoreType">JKS</entry> - <entry key="metadata.keystorePath">keys/eidasKeyStore_METADATA.jks</entry> + + <!--Metadata signing keystore--> + <entry key="metadata.keyStorePath">keys/eidasKeyStore_METADATA.jks</entry> + <entry key="metadata.keyStoreType">JKS</entry> <entry key="metadata.keyStorePassword">local-demo</entry> <entry key="metadata.keyPassword">local-demo</entry> <entry key="metadata.issuer">CN=metadata, OU=DIGIT, O=EC, L=Brussels, ST=EU, C=BE</entry> <entry key="metadata.serialNumber">561BC0C8</entry> - <entry key="metadata.keystoreType">JKS</entry> + </properties> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 8f6dff849..99e4b4cce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -83,10 +83,19 @@ public class STORKConfig implements IStorkConfig { if (MiscUtil.isNotEmpty(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY))) {
try {
+
+ //Assertion encryption is enabled by default
+ boolean enableAssertionEncryption = true;
+ String enableAssertionEncryptionString = storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG);
+ if (MiscUtil.isNotEmpty(enableAssertionEncryptionString)) {
+ enableAssertionEncryption = Boolean.parseBoolean(enableAssertionEncryptionString);
+
+ }
+
CPEPS moacpep =
new CPEPS(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_COUNTRY),
new URL(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL)),
- Boolean.valueOf(storkCPEPSProps.get(listCounter + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_SUPPORT_XMLDSIG)));
+ enableAssertionEncryption);
cpepsMap.put(moacpep.getCountryCode(), moacpep);
} catch (MalformedURLException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java index b6fed5934..16b179d89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java @@ -27,6 +27,7 @@ import java.io.IOException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactoryConfigurationError; +import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; @@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -61,67 +63,75 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter { @Override public void doFilter(XMLObject metadata) throws FilterException { if (metadata instanceof EntityDescriptor) { - if (((EntityDescriptor) metadata).isSigned()) { - EntityDescriptor entityDes = (EntityDescriptor) metadata; - //check signature; - try { - byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); - -// Transformer transformer = TransformerFactory.newInstance() -// .newTransformer(); -// StringWriter sw = new StringWriter(); -// StreamResult sr = new StreamResult(sw); -// DOMSource source = new DOMSource(metadata.getDOM()); -// transformer.transform(source, sr); -// sw.close(); -// String metadataXML = sw.toString(); - - SignatureVerificationUtils sigVerify = - new SignatureVerificationUtils(); - IVerifiyXMLSignatureResponse result = sigVerify.verify( - serialized, trustProfileID); - - //check signature-verification result - if (result.getSignatureCheckCode() != 0) { - Logger.warn("Metadata signature-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getSignatureCheckCode()); - throw new FilterException("Metadata signature-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getSignatureCheckCode()); + checkSignature(metadata, ((EntityDescriptor)metadata).getEntityID()); - } - - if (result.getCertificateCheckCode() != 0) { - Logger.warn("Metadata certificate-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getCertificateCheckCode()); - throw new FilterException("Metadata certificate-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getCertificateCheckCode()); - - } - - Logger.debug("SAML metadata for entityID:" + entityDes.getEntityID() + " is valid"); + } else if (metadata instanceof EntitiesDescriptor) { + EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null && + entitiesDesc.getEntityDescriptors().size() > 1) { + String nameForLogging = entitiesDesc.getName(); + if (MiscUtil.isEmpty(nameForLogging)) + nameForLogging = entitiesDesc.getID(); + + checkSignature(metadata, nameForLogging); + + } else { + Logger.warn("Metadata root-element is of type 'EntitiesDescriptor' but only include one 'EntityDescriptor'"); + throw new FilterException("Metadata root-element is not of type 'EntitiesDescriptor' but only include one 'EntityDescriptor"); + + } + + } else { + Logger.warn("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); + throw new FilterException("Metadata root-element is not of type 'EntityDescriptor' or 'EntitiesDescriptor'"); + + } + + } + + private void checkSignature(XMLObject metadata, String nameForLogging) throws FilterException { + if (((EntityDescriptor) metadata).isSigned()) { + //check signature; + try { + byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8"); + + SignatureVerificationUtils sigVerify = + new SignatureVerificationUtils(); + IVerifiyXMLSignatureResponse result = sigVerify.verify( + serialized, trustProfileID); - } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { - Logger.error("Metadata verification for Entity:" + entityDes.getEntityID() - + " has an interal error.", e); - throw new FilterException("Metadata verification has an interal error." - + " Message:" + e.getMessage()); + //check signature-verification result + if (result.getSignatureCheckCode() != 0) { + Logger.warn("Metadata signature-verification FAILED!" + + " Metadata: " + nameForLogging + + " StatusCode:" + result.getSignatureCheckCode()); } + if (result.getCertificateCheckCode() != 0) { + Logger.warn("Metadata certificate-verification FAILED!" + + " Metadata: " + nameForLogging + + " StatusCode:" + result.getCertificateCheckCode()); + throw new FilterException("Metadata certificate-verification FAILED!" + + " Metadata: " + nameForLogging + + " StatusCode:" + result.getCertificateCheckCode()); + + } - } else { - Logger.warn("Metadata root-element MUST be signed."); - throw new FilterException("Metadata root-element MUST be signed.'"); + Logger.debug("SAML metadata for entityID:" + nameForLogging + " is valid"); + + } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { + Logger.error("Metadata verification for Entity:" + nameForLogging + + " has an interal error.", e); + throw new FilterException("Metadata verification has an interal error." + + " Message:" + e.getMessage()); } - + + } else { - Logger.warn("Metadata root-element is not of type 'EntityDescriptor'"); - throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'"); + Logger.warn("Metadata root-element MUST be signed."); + throw new FilterException("Metadata root-element MUST be signed.'"); } diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html index 2f93428b5..64e88a688 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html @@ -1,9 +1,9 @@ ## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity -context may contain the following properties ## action - String - the -action URL for the form ## RelayState - String - the relay state for the -message ## SAMLRequest - String - the Base64 encoded SAML Request ## -SAMLResponse - String - the Base64 encoded SAML Response - +##context may contain the following properties ## action - String - the +##action URL for the form ## RelayState - String - the relay state for the +##message ## SAMLRequest - String - the Base64 encoded SAML Request ## +##SAMLResponse - String - the Base64 encoded SAML Response +<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <body onload="document.forms[0].submit()"> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm b/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm deleted file mode 100644 index 8beb601c6..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/saml2-post-binding-moa.vm +++ /dev/null @@ -1,38 +0,0 @@ -## -## Velocity Template for SAML 2 HTTP-POST binding -## -## Velocity context may contain the following properties -## action - String - the action URL for the form -## RelayState - String - the relay state for the message -## SAMLRequest - String - the Base64 encoded SAML Request -## SAMLResponse - String - the Base64 encoded SAML Response -## Contains target attribute to delegate PEPS authentication out of iFrame - -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - - <body onload="document.forms[0].submit()"> - <noscript> - <p> - <strong>Note:</strong> Since your browser does not support JavaScript, - you must press the Continue button once to proceed. - </p> - </noscript> - - <form action="${action}" method="post" target="_top"> - <div> - #if($RelayState)<input type="hidden" name="RelayState" value="${RelayState}"/>#end - - #if($SAMLRequest)<input type="hidden" name="SAMLRequest" value="${SAMLRequest}"/>#end - - #if($SAMLResponse)<input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>#end - - </div> - <noscript> - <div> - <input type="submit" value="Continue"/> - </div> - </noscript> - </form> - - </body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html b/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html deleted file mode 100644 index 0ab41f146..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/stork2_consent.html +++ /dev/null @@ -1,438 +0,0 @@ -<!DOCTYPE html> -<html> -<head> -<meta content="text/html; charset=utf-8" http-equiv="Content-Type"> - - <!-- MOA-ID 2.x BKUSelection Layout CSS --> - <style type="text/css"> - @media screen and (min-width: 650px) { - - body { - margin:0; - padding:0; - color : #000; - background-color : #fff; - text-align: center; - background-color: #6B7B8B; - } - - #bku_header h2 { - font-size: 0.8em; - } - - - #page { - display: block; - border: 2px solid rgb(0,0,0); - width: 650px; - height: 460px; - margin: 0 auto; - margin-top: 5%; - position: relative; - border-radius: 25px; - background: rgb(255,255,255); - } - - #page1 { - text-align: center; - } - - #main { - /* clear:both; */ - position:relative; - margin: 0 auto; - width: 250px; - text-align: center; - } - - .OA_header { - /* background-color: white;*/ - font-size: 20pt; - margin-bottom: 25px; - margin-top: 25px; - } - - #leftcontent { - /*float:left; */ - width:250px; - margin-bottom: 25px; - text-align: left; - border: 1px solid rgb(0,0,0); - } - - #selectArea { - font-size: 15px; - padding-bottom: 65px; - } - - #leftcontent { - width: 300px; - margin-top: 30px; - } - - #bku_header { - height: 5%; - padding-bottom: 3px; - padding-top: 3px; - } - - #bkulogin { - overflow:auto; - min-width: 190px; - height: 260px; - padding: 20px; - } - - h2#tabheader{ - font-size: 1.1em; - padding-left: 2%; - padding-right: 2%; - position: relative; - } - - .setAssertionButton_full { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 100px; - height: 30px - } - - #leftbutton { - width: 30%; - float:left; - margin-left: 40px; - } - - #rightbutton { - width: 30%; - float:right; - margin-right: 45px; - text-align: right; - } - - button { - height: 25px; - width: 75px; - margin-bottom: 10px; - } - - #validation { - position: absolute; - bottom: 0px; - margin-left: 270px; - padding-bottom: 10px; - } - - } - - @media screen and (max-width: 205px) { - #bku_header h2 { - font-size: 0.8em; - margin-top: -0.4em; - padding-top: 0.4em; - } - - #bkulogin { - min-height: 150px; - padding: 20px; - } - } - - @media screen and (max-width: 249px) and (min-width: 206px) { - #bku_header h2 { - font-size: 0.9em; - margin-top: -0.45em; - padding-top: 0.45em; - } - - #bkulogin { - height: 180px; - padding: 20px; - } - } - - @media screen and (max-width: 299px) and (min-width: 250px) { - #bku_header h2 { - font-size: 1.1em; - margin-top: -0.55em; - padding-top: 0.55em; - } - } - - @media screen and (max-width: 649px) and (min-width: 400px) { - #bku_header h2 { - font-size: 1.3em; - margin-top: -0.65em; - padding-top: 0.65em; - } - } - - - - @media screen and (max-width: 649px) { - - body { - margin:0; - padding:0; - color : #000; - text-align: center; - font-size: 100%; - background-color: ${MAIN_BACKGOUNDCOLOR}; - } - - #page { - visibility: hidden; - margin-top: 0%; - } - - #page1 { - visibility: hidden; - } - - #main { - visibility: hidden; - } - - #validation { - visibility: hidden; - display: none; - } - - .OA_header { - margin-bottom: 0px; - margin-top: 0px; - font-size: 0pt; - visibility: hidden; - } - - #leftcontent { - visibility: visible; - margin-bottom: 0px; - text-align: left; - border:none; - vertical-align: middle; - min-height: 173px; - min-width: 204px; - - } - - #bku_header { - height: 10%; - min-height: 1.2em; - margin-top: 1%; - } - - h2#tabheader{ - padding-left: 2%; - padding-right: 2%; - position: relative; - top: 50%; - } - - #bkulogin { - min-width: 190px; - height: 155px; - padding: 20px; - } - - .setAssertionButton_full { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 70px; - height: 25px; - } - - input[type=button] { -/* height: 11%; */ - width: 70%; - } - } - - * { - margin: 0; - padding: 0; - font-family: ${FONTTYPE}; - } - - #selectArea { - padding-top: 10px; - padding-bottom: 55px; - padding-left: 10px; - } - - .setAssertionButton { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 70px; - height: 25px; - } - - #leftbutton { - width: 35%; - float:left; - margin-left: 15px; - } - - #rightbutton { - width: 35%; - float:right; - margin-right: 25px; - text-align: right; - } - - .verticalcenter { - vertical-align: middle; - } - - input { - /*border:1px solid #000;*/ - cursor: pointer; - } - - - #installJava, #BrowserNOK { - clear:both; - font-size:0.8em; - padding:4px; - } - - .selectText{ - - } - - .selectTextHeader{ - - } - - .sendButton { - width: 30%; - margin-bottom: 1%; - } - - #leftcontent a { - text-decoration:none; - color: #000; - /* display:block;*/ - padding:4px; - } - - #leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active { - text-decoration:underline; - color: #000; - } - - .infobutton { - background-color: #005a00; - color: white; - font-family: serif; - text-decoration: none; - padding-top: 2px; - padding-right: 4px; - padding-bottom: 2px; - padding-left: 4px; - font-weight: bold; - } - - .hell { - background-color : ${MAIN_BACKGOUNDCOLOR}; - color: ${MAIN_COLOR}; - } - - .dunkel { - background-color: ${HEADER_BACKGROUNDCOLOR}; - color: ${HEADER_COLOR}; - } - - .main_header { - color: black; - font-size: 32pt; - position: absolute; - right: 10%; - top: 40px; - - } - - #controls { - text-align: right; - } - - </style> -<!-- MOA-ID 2.x BKUSelection JavaScript fucnctions--> -<script type="text/javascript"> - function isIE() { - return (/MSIE (\d+\.\d+);/.test(navigator.userAgent)); - } - function isFullscreen() { - try { - return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height)); - } catch (e) { - return false; - } - } - function isActivexEnabled() { - var supported = null; - try { - supported = !!new ActiveXObject("htmlfile"); - } catch (e) { - supported = false; - } - return supported; - } - function generateIFrame(iFrameURL) { - var el = document.getElementById("bkulogin"); - var width = el.clientWidth; - var heigth = el.clientHeight - 20; - var parent = el.parentNode; - - iFrameURL += "&heigth=" + heigth; - iFrameURL += "&width=" + width; - - var iframe = document.createElement("iframe"); - iframe.setAttribute("src", iFrameURL); - iframe.setAttribute("width", el.clientWidth - 1); - iframe.setAttribute("height", el.clientHeight - 1); - iframe.setAttribute("frameborder", "0"); - iframe.setAttribute("scrolling", "no"); - iframe.setAttribute("title", "Login"); - parent.replaceChild(iframe, el); - } - function onChangeChecks() { - if (top.innerWidth < 650) { - document.getElementById("moaidform").setAttribute("target","_parent"); - } else { - document.getElementById("moaidform").removeAttribute("target"); - } - - } - </script> -<title>Informationsfreigabe</title> -</head> -<body onload="onChangeChecks();" onresize="onChangeChecks();"> - <div id="page"> - <div id="page1" class="case selected-case" role="main"> - <h2 class="OA_header" role="heading">STORK Informationsfreigabe</h2> - <div id="main"> - <div id="leftcontent" class="hell" role="application"> - <form method="POST" action="${action}"> - <div id="bku_header" class="dunkel"> - <h2 id="tabheader" class="dunkel" role="heading">STORK Informationsfreigabe</h2> - </div> - <div id="bkulogin" class="hell" role="form"> - Wählen Sie jene Daten, die, wenn verfügbar, an ein Drittland weitergegeben werden sollen:</br> - <table> - ${tablecontent} - </table> - </div> - <div id="controls" class="hell"> - <input type="submit" value="weiter" /> - </div> - </form> - </div> - </div> - </div> - </div> -</body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html deleted file mode 100644 index f901351a2..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/stork2_postbinding_template.html +++ /dev/null @@ -1,42 +0,0 @@ -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - -<body onload="document.forms[0].submit()"> - <noscript> - <p> - <strong>Note:</strong> Since your browser does not support - JavaScript, you must press the Continue button once to proceed. - </p> - </noscript> - - - <div id="alert">Your login is being processed. Thank you for - waiting.</div> - - <style type="text/css"> -<!-- -#alert { - margin: 100px 250px; - font-family: Verdana, Arial, Helvetica, sans-serif; - font-size: 14px; - font-weight: normal; -} ---> -</style> - - <form action="${action}" method="post" target="_self"> - <div> - #if($RelayState)<input type="hidden" name="RelayState" - value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden" - name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input - type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end - - </div> - <noscript> - <div> - <input type="submit" value="Continue" /> - </div> - </noscript> - </form> - -</body> -</html> diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index d8d2e0d3d..c4007fc80 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -317,15 +317,16 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> - <version>2.0.2</version> + <version>3.6.1</version> <configuration> <source>1.7</source> <target>1.7</target> </configuration> </plugin> - <plugin> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jar-plugin</artifactId> + <version>3.0.2</version> <configuration> <archive> <addMavenDescriptor>false</addMavenDescriptor> @@ -375,7 +376,7 @@ </executions> </plugin> - <plugin> +<!-- <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jar-plugin</artifactId> <configuration> @@ -390,7 +391,7 @@ </goals> </execution> </executions> - </plugin> + </plugin> --> <plugin> <artifactId>maven-enforcer-plugin</artifactId> <version>1.1.1</version> diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java index 6d573efe8..e9f9a7e80 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java @@ -36,6 +36,8 @@ public class MOAIDConstants { //general configuration constants + public static final String DEFAULT_CONTENT_TYPE_HTML_UTF8 = "text/html; charset=UTF-8"; + public static final String FILE_URI_PREFIX = "file:/"; public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 4ecda435d..109390132 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -61,6 +61,8 @@ import javax.net.ssl.TrustManager; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moaspss.logging.LoggingContext; +import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.DefaultPKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; @@ -94,6 +96,21 @@ public class SSLUtils { } + /** + * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging + * check if current thread has set this variable and set loggingcontext otherwise + * + * @param url transactionID for logging + */ + private static void checkMoaSigLoggingContext(String url) { + LoggingContextManager logMgr = LoggingContextManager.getInstance(); + if (logMgr.getLoggingContext() == null) { + LoggingContext ctx = new LoggingContext(url); + logMgr.setLoggingContext(ctx); + + } + } + public static SSLSocketFactory getSSLSocketFactory( String url, String certStoreRootDirParam, @@ -111,8 +128,11 @@ public class SSLUtils { Logger.debug("Get SSLSocketFactory for " + url); // retrieve SSLSocketFactory if already created SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url); - if (ssf != null) - return ssf; + if (ssf != null) { + checkMoaSigLoggingContext(url); + return ssf; + + } TrustManager[] tms = getTrustManagers( certStoreRootDirParam, @@ -129,6 +149,9 @@ public class SSLUtils { ssf = ctx.getSocketFactory(); // store SSLSocketFactory sslSocketFactories.put(url, ssf); + + checkMoaSigLoggingContext(url); + return ssf; } diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java index e77933986..e8cd60afb 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java @@ -43,6 +43,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -54,7 +55,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("guiFormBuilder") public class GUIFormBuilderImpl implements IGUIFormBuilder { - private static final String DEFAULT_CONTENT_TYPE = "text/html; charset=UTF-8"; + private static final String DEFAULT_CONTENT_TYPE = MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8; private static final String CONFIG_HTMLTEMPLATES_DIR = "htmlTemplates/"; private static final String CLASSPATH_HTMLTEMPLATES_DIR = "templates/"; diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java index 21fe110ca..015d8e321 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java @@ -62,19 +62,22 @@ import org.apache.velocity.runtime.RuntimeConstants; */
public class VelocityProvider {
+ private static VelocityEngine velocityEngine = null;
+
/**
* Gets velocityEngine from Classpath
* @return VelocityEngine
* @throws Exception
*/
public static VelocityEngine getClassPathVelocityEngine() throws Exception {
- VelocityEngine velocityEngine = getBaseVelocityEngine();
- velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
- velocityEngine.setProperty("classpath.resource.loader.class",
- "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
-
-
- velocityEngine.init();
+ if (velocityEngine == null) {
+ velocityEngine = getBaseVelocityEngine();
+ velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+ velocityEngine.setProperty("classpath.resource.loader.class",
+ "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+ velocityEngine.init();
+
+ }
return velocityEngine;
}
@@ -86,13 +89,16 @@ public class VelocityProvider { * @throws Exception
*/
public static VelocityEngine getFileVelocityEngine(String rootPath) throws Exception {
- VelocityEngine velocityEngine = getBaseVelocityEngine();
- velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
- velocityEngine.setProperty("file.resource.loader.class",
- "org.apache.velocity.runtime.resource.loader.FileResourceLoader");
- velocityEngine.setProperty("file.resource.loader.path", rootPath);
+ if (velocityEngine == null) {
+ velocityEngine = getBaseVelocityEngine();
+ velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
+ velocityEngine.setProperty("file.resource.loader.class",
+ "org.apache.velocity.runtime.resource.loader.FileResourceLoader");
+ velocityEngine.setProperty("file.resource.loader.path", rootPath);
- velocityEngine.init();
+ velocityEngine.init();
+
+ }
return velocityEngine;
}
diff --git a/id/server/moa-id-jaxb_classes/pom.xml b/id/server/moa-id-jaxb_classes/pom.xml index 9dbb28dfe..3d205bb06 100644 --- a/id/server/moa-id-jaxb_classes/pom.xml +++ b/id/server/moa-id-jaxb_classes/pom.xml @@ -52,4 +52,18 @@ </profiles> <version>${moa-id-version}</version> + + <build> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-compiler-plugin</artifactId> + <configuration> + <source>1.7</source> + <target>1.7</target> + </configuration> + </plugin> + </plugins> + </build> + </project>
\ No newline at end of file diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java index b0efb100a..7caf2f5a1 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java @@ -26,8 +26,9 @@ public class DefaultCitizenCardAuthModuleImpl implements AuthModule { if (performBKUSelectionObj != null && performBKUSelectionObj instanceof Boolean) performBKUSelection = (boolean) performBKUSelectionObj; - if (StringUtils.isBlank((String) context.get("ccc")) && - StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) && + if ( (StringUtils.isBlank((String) context.get("ccc")) && + StringUtils.isBlank((String) context.get("CCC")) ) && + StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) && !performBKUSelection) return "DefaultAuthentication"; diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index 174ce40cb..55d02e82a 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -12,11 +12,11 @@ <properties> <repositoryPath>${basedir}/../../../../repository</repositoryPath> - <eidas-commons.version>1.1.0</eidas-commons.version> - <eidas-light-commons.version>1.1.0</eidas-light-commons.version> - <eidas-saml-engine.version>1.1.0</eidas-saml-engine.version> - <eidas-encryption.version>1.1.0</eidas-encryption.version> - <eidas-configmodule.version>1.1.0</eidas-configmodule.version> + <eidas-commons.version>1.2.0</eidas-commons.version> + <eidas-light-commons.version>1.2.0</eidas-light-commons.version> + <eidas-saml-engine.version>1.2.0</eidas-saml-engine.version> + <eidas-encryption.version>1.2.0</eidas-encryption.version> + <eidas-configmodule.version>1.2.0</eidas-configmodule.version> </properties> @@ -166,6 +166,12 @@ <!-- <scope>provided</scope> --> </dependency> + <dependency> + <groupId>com.ibm.icu</groupId> + <artifactId>icu4j</artifactId> + <version>58.2</version> + </dependency> + </dependencies> diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java index 9ad5f0db3..de4f3fc9c 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java @@ -90,17 +90,21 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption { */ @Override public boolean isEncryptionEnabled(String countryCode) { - // - encrypt if so configured + //encryption is enabled by default in MOA-ID configuration object try { AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance(); Boolean useEncryption = moaconfig.getStorkConfig().getCPEPS(countryCode).isXMLSignatureSupported(); - Logger.info(useEncryption ? "using encryption" : "do not use encrpytion"); + String logResult = useEncryption ? " using encryption" : " do not use encrpytion"; + Logger.debug("eIDAS respone for country " + countryCode + logResult); return useEncryption; + } catch(NullPointerException | ConfigurationException e) { Logger.warn("failed to gather information about encryption for countryCode " + countryCode + " - thus, enabling encryption"); if(Logger.isDebugEnabled()) e.printStackTrace(); return true; + } + } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java new file mode 100644 index 000000000..d8fcd1694 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java @@ -0,0 +1,68 @@ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.security.cert.X509Certificate; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml2.core.Response; + +import at.gv.egovernment.moa.logging.Logger; +import eu.eidas.auth.commons.EidasErrorKey; +import eu.eidas.auth.commons.protocol.IAuthenticationRequest; +import eu.eidas.auth.engine.ProtocolEngine; +import eu.eidas.auth.engine.configuration.ProtocolConfigurationAccessor; +import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils; +import eu.eidas.engine.exceptions.EIDASSAMLEngineException; + +public class MOAProtocolEngine extends ProtocolEngine { + + public MOAProtocolEngine(ProtocolConfigurationAccessor configurationAccessor) { + super(configurationAccessor); + + } + +// @Override +// protected X509Certificate getEncryptionCertificate(String requestIssuer, +// String destinationCountryCode) throws EIDASSAMLEngineException { +// if ((StringUtils.isNotBlank(destinationCountryCode)) && (null != getProtocolEncrypter()) +// && (getProtocolEncrypter().isEncryptionEnabled(destinationCountryCode))) { +// X509Certificate encryptionCertificate = getProtocolProcessor().getEncryptionCertificate(requestIssuer); +// +// if (null == encryptionCertificate) { +// return getProtocolEncrypter().getEncryptionCertificate(destinationCountryCode); +// +// } +// return encryptionCertificate; +// } +// return null; +// } +// +// @Override +// protected Response signResponse(IAuthenticationRequest request, Response response) +// throws EIDASSAMLEngineException { +// Response responseToSign = response; +// +// if ((null != getProtocolEncrypter()) && (!(SAMLEngineUtils.isErrorSamlResponse(responseToSign)))) { +// X509Certificate destinationCertificate = getEncryptionCertificate(request.getIssuer(), +// request.getOriginCountryCode()); +// +// if (null != destinationCertificate) { +// responseToSign = getProtocolEncrypter().encryptSamlResponse(responseToSign, destinationCertificate); +// +// } else if (getProtocolEncrypter().isEncryptionEnabled(request.getOriginCountryCode())) { +//// Logger.error(SAML_EXCHANGE, +//// "BUSINESS EXCEPTION : encryption cannot be performed, no matching certificate for issuer=" +//// + request.getIssuer() + " and country=" + request.getOriginCountryCode()); +// +// throw new EIDASSAMLEngineException(EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorCode(), +// EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorMessage()); +// } +// +// } else if (!(SAMLEngineUtils.isErrorSamlResponse(responseToSign))) { +// checkSendingUnencryptedResponsesAllowed(); +// +// } +// +// Logger.debug("Signing SAML Response."); +// return ((Response) getSigner().sign(responseToSign)); +// } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index a9c4d5d3a..0eb067c5a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -211,8 +211,13 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT); - //set minimum required eIDAS LoA from OA config - authnRequestBuilder.levelOfAssurance(LevelOfAssurance.fromString(oaConfig.getQaaLevel())); + //set minimum required eIDAS LoA from OA config + String LoA = oaConfig.getQaaLevel(); + if (MiscUtil.isNotEmpty(LoA)) + authnRequestBuilder.levelOfAssurance(LevelOfAssurance.fromString(oaConfig.getQaaLevel())); + else + authnRequestBuilder.levelOfAssurance(LevelOfAssurance.HIGH); + authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); //set correct SPType for this online application @@ -234,7 +239,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { IRequestMessage authnRequest = engine.generateRequestMessage(authnRequestBuilder.build(), issur); - + //encode AuthnRequest byte[] token = authnRequest.getMessageBytes(); String SAMLRequest = EidasStringUtil.encodeToBase64(token); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java index f29d2bb65..47cdb4ade 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java @@ -95,5 +95,22 @@ public class MOAProtocolEngineFactory extends ProtocolEngineFactory { } +// public static ProtocolEngineI createProtocolEngine(String instanceName, +// ProtocolEngineConfigurationFactory protocolEngineConfigurationFactory, +// ProtocolProcessorI protocolProcessor, SamlEngineClock samlEngineClock) +// throws SamlEngineConfigurationException { +// +// ProtocolEngineConfiguration preConfiguration = protocolEngineConfigurationFactory +// .getConfiguration(instanceName); +// +// protocolProcessor.configure(); +// +// ProtocolEngineConfiguration configuration = ProtocolEngineConfiguration.builder(preConfiguration) +// .protocolProcessor(protocolProcessor).clock(samlEngineClock).build(); +// +// ProtocolEngineI samlEngine = new MOAProtocolEngine(new FixedProtocolConfigurationAccessor(configuration)); +// +// return samlEngine; +// } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java index dd14972e3..171d5c8e2 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java @@ -210,10 +210,15 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator { addAssertionConsumerService(); } fillNameIDFormat(spSSODescriptor); - if (params.getSpEngine() != null) { - ProtocolEngineI spEngine = params.getSpEngine(); - ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor); - } + + /**FIXME: + * Double signing of SPSSODescribtor is not required + */ +// if (params.getSpEngine() != null) { +// ProtocolEngineI spEngine = params.getSpEngine(); +// ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor); +// } + entityDescriptor.getRoleDescriptors().add(spSSODescriptor); } @@ -266,6 +271,8 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator { } idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol()); fillNameIDFormat(idpSSODescriptor); + + if (params.getIdpEngine() != null) { if (params.getIdpEngine().getProtocolProcessor() != null && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) { @@ -277,8 +284,13 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator { */ generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes()); } - ProtocolEngineI idpEngine = params.getIdpEngine(); - ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor); + + + /**FIXME: + * Double signing of IDPSSODescribtor is not required + */ +// ProtocolEngineI idpEngine = params.getIdpEngine(); +// ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor); } idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations()); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 13e64cdd0..aefae939b 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -36,7 +36,6 @@ import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.MediaType; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @@ -51,6 +50,7 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASAuthnRequestV import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; @@ -367,7 +367,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { String token = EidasStringUtil.encodeToBase64(eIDASRespMsg.getMessageBytes()); VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); - Template template = velocityEngine.getTemplate("/resources/templates/stork2_postbinding_template.html"); + Template template = velocityEngine.getTemplate("/resources/templates/eidas_postbinding_template.vm"); VelocityContext context = new VelocityContext(); context.put("RelayState", eidasReq.getRemoteRelayState()); @@ -387,7 +387,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { Logger.trace("Sending html content : " + new String(writer.getBuffer())); byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); - response.setContentType(MediaType.TEXT_HTML.getType()); + response.setContentType(MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8); response.setContentLength(content.length); response.getOutputStream().write(content); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java index 174fa2c17..df96bef12 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java @@ -72,13 +72,19 @@ public class EidasMetaDataRequest implements IAction { String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA; String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST; + //generate eIDAS metadata String metaData = generateMetadata(req, metadata_url, sp_return_url); - + + //write content to response + byte[] content = metaData.getBytes("UTF-8"); + httpResp.setStatus(HttpServletResponse.SC_OK); + httpResp.setContentType(MediaType.APPLICATION_XML.toString()); + httpResp.setContentLength(content.length); + httpResp.getOutputStream().write(content); + + //write log if required Logger.trace(metaData); - - httpResp.setContentType(MediaType.APPLICATION_XML.getType()); - httpResp.getWriter().print(metaData); - httpResp.flushBuffer(); + } catch (Exception e) { Logger.error("eIDAS Metadata generation FAILED.", e); throw new MOAIDException("eIDAS.05", new Object[]{e.getMessage()}, e); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index 22ac37604..97241af6a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -34,7 +34,6 @@ import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.opensaml.saml2.core.StatusCode; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.MediaType; import org.springframework.stereotype.Service; import com.google.common.collect.ImmutableSet; @@ -44,6 +43,7 @@ import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SimpleEidasAttributeGenerator; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; @@ -233,7 +233,7 @@ public class eIDASAuthenticationRequest implements IAction { // send the response try { VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); - Template template = velocityEngine.getTemplate("/resources/templates/stork2_postbinding_template.html"); + Template template = velocityEngine.getTemplate("/resources/templates/eidas_postbinding_template.vm"); VelocityContext context = new VelocityContext(); context.put("RelayState", eidasRequest.getRemoteRelayState()); @@ -253,7 +253,7 @@ public class eIDASAuthenticationRequest implements IAction { Logger.trace("Sending html content : " + new String(writer.getBuffer())); byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); - httpResp.setContentType(MediaType.TEXT_HTML.getType()); + httpResp.setContentType(MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8); httpResp.setContentLength(content.length); httpResp.getOutputStream().write(content); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm b/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm index 3bd225b00..0535d48b6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/resources/templates/eidas_postbinding_template.vm @@ -7,7 +7,7 @@ ## SAMLRequest - String - the Base64 encoded SAML Request ## SAMLResponse - String - the Base64 encoded SAML Response ## Contains target attribute to delegate PEPS authentication out of iFrame - +<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> |