diff options
Diffstat (limited to 'id')
25 files changed, 1052 insertions, 114 deletions
| diff --git a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp index 21ba246c1..1e8e36d4e 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp @@ -249,11 +249,12 @@  								labelposition="left" />  							<h4><%=LanguageHelper.getGUIString("webpages.moaconfig.stork.pepslist", request) %></h4>                              <table id="stork_pepslist"> -								<tr><th>Country Shortcode</th><th>PEPS URL</th> +								<tr><th>Country Shortcode</th><th>PEPS URL</th><th>Supports XMLSignatures</th>  								<s:iterator value="storkconfig.cpepslist" status="stat">  								  <tr><td><s:hidden name="storkconfig.cpepslist[%{#stat.index}].hjid" property="%{hjid}"/>  								  	      <s:property value="%{countryCode}" /></td>  								      <td><s:textfield name="storkconfig.cpepslist[%{#stat.index}].URL" value="%{URL}" cssClass="textfield_long"/></td> +								      <td><s:checkbox name="storkconfig.cpepslist[%{#stat.index}].supportsXMLSignature" value="%{supportsXMLSignature}" /></td>  								      <td><input type="button" value="<%=LanguageHelper.getGUIString("webpages.moaconfig.stork.removepeps", request) %>" onclick='this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode);'/></td></tr>  								</s:iterator>                                  <s:if test="%{storkconfig.cpepslist == null}"> diff --git a/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml b/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml index 23737452a..54debca81 100644 --- a/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml @@ -86,8 +86,8 @@          <to type="forward">/dispatcher?mod=id_stork2&action=AuthenticationRequest&%{query-string}</to>      </rule>      <rule match-type="regex"> -        <from>^/stork2/SendPEPSAuthnRequest$</from> -        <to type="forward">/dispatcher?mod=id_stork2&action=AuthenticationRequest&%{query-string}</to> +        <from>^/stork2/SendPEPSAuthnRequestWithoutSignedDoc$</from> +        <to type="forward">/dispatcher?mod=id_stork2&action=AuthenticationRequest1&%{query-string}</to>      </rule>      <rule match-type="regex">          <from>^/stork2/RetrieveMandate$</from> diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml index 4efda0c79..42085b01e 100644 --- a/id/server/auth/src/main/webapp/WEB-INF/web.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml @@ -107,6 +107,14 @@  		<servlet-class>  			at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet</servlet-class>  	</servlet> +	<servlet> +		<servlet-name>PEPSConnectorWithLocalSigningServlet</servlet-name> +		<display-name>PEPSConnectorWithLocalSigningServlet</display-name> +		<description>Servlet receiving STORK SAML Response Messages from +			different C-PEPS</description> +		<servlet-class> +			at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet</servlet-class> +	</servlet>  	<!-- Dispatcher servlets   	<servlet> @@ -219,7 +227,10 @@  		<servlet-name>PEPSConnectorServlet</servlet-name>  		<url-pattern>/PEPSConnector</url-pattern>  	</servlet-mapping> - +<servlet-mapping> +		<servlet-name>PEPSConnectorWithLocalSigningServlet</servlet-name> +		<url-pattern>/PEPSConnectorWithLocalSigning</url-pattern> +	</servlet-mapping>  	<!-- Filters -->  	<!-- <filter> <filter-name>DispatcherDecoratorFilter</filter-name> <filter-class>at.gv.egovernment.moa.id.sso.DispatcherDecoratorFilter</filter-class>   		</filter> --> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a8cf5014f..8d2684c9b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -11,6 +11,7 @@ import java.io.ByteArrayInputStream;  import java.io.IOException;  import java.io.InputStream;  import java.io.StringWriter; +import java.io.UnsupportedEncodingException;  import java.math.BigInteger;  import java.security.NoSuchAlgorithmException;  import java.security.Principal; @@ -76,6 +77,7 @@ import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;  import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser;  import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;  import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; +import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet;  import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator;  import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;  import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -1662,7 +1664,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {  	    	SZRGWClient client = new SZRGWClient(connectionParameters);  	    	CreateIdentityLinkRequest request = new CreateIdentityLinkRequest(); -	    	request.setSignature(citizenSignature.getBytes()); +	    	request.setSignature(citizenSignature.getBytes("UTF-8"));              PEPSData data = new PEPSData();              data.setDateOfBirth(PEPSDateOfBirth); @@ -1710,6 +1712,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {  	    catch (ConfigurationException e) {  	    	Logger.warn(e);  	    	Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null )); +		} catch (UnsupportedEncodingException e) { +			Logger.warn(e);  		}  	    return null; @@ -1795,12 +1799,37 @@ public class AuthenticationServer implements MOAIDAuthConstants {          PersonalAttribute newAttribute = new PersonalAttribute();          newAttribute.setName("signedDoc");          List<String> value = new ArrayList<String>(); -        value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im  Signaturzertifikat (as in my signature certificate)", oaParam, moasession), -                "application/xhtml+xml", -                moasession.getCcc())); -        newAttribute.setValue(value); -        attributeList.add(newAttribute); - +         +        Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported()); +        if(cpeps.isXMLSignatureSupported())//Send SignRequest to PEPS +        { +        	value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im  Signaturzertifikat (as in my signature certificate)", oaParam, moasession), +                "application/xhtml+xml", moasession.getCcc())); +        	newAttribute.setValue(value); +        	attributeList.add(newAttribute); +        } +        else//Process SignRequest locally with MOCCA +        { +        	String target = moasession.getTarget(); +        	moasession.setTarget("AT"); +        	String signedDoc = (generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im  Signaturzertifikat (as in my signature certificate)", oaParam, moasession), +                    "application/xhtml+xml", "AT"));//moasession.getCcc() +        	moasession.setTarget(target); +        	Logger.warn("signedDoc to store:"+signedDoc); +            //attributeList.add(newAttribute); +        	 +            //store SignRequest for later... +            moasession.setSignedDoc(signedDoc); +             +            acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; +            try { +				AuthenticationSessionStoreage.storeSession(moasession); +			} catch (MOADatabaseException e) { +				// TODO Auto-generated catch block +				e.printStackTrace(); +			} +             +        }          if (Logger.isDebugEnabled()) {              Logger.debug("The following attributes are requested for this OA:"); @@ -1817,7 +1846,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {          //generate AuthnRquest          STORKAuthnRequest authnRequest = new STORKAuthnRequest();          authnRequest.setDestination(destination); -        authnRequest.setAssertionConsumerServiceURL(acsURL); +        authnRequest.setAssertionConsumerServiceURL(acsURL);//PEPSConnectorWithLocalSigning          authnRequest.setProviderName(providerName);          authnRequest.setIssuer(issuerValue);          authnRequest.setQaa(oaParam.getQaaLevel()); @@ -1834,7 +1863,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {          authnRequest.setCitizenCountryCode(moasession.getCcc()); -          Logger.debug("STORK AuthnRequest succesfully assembled.");          STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); @@ -1842,7 +1870,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {          if (samlEngine == null) {              Logger.error("Could not initalize STORK SAML engine.");              throw new MOAIDException("stork.00", null); -        	          }          try { @@ -1888,7 +1915,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {              template.merge(context, writer);              resp.setContentType("text/html;charset=UTF-8");             -            resp.getOutputStream().write(writer.toString().getBytes()); +            resp.getOutputStream().write(writer.toString().getBytes("UTF-8"));          } catch (Exception e) {              Logger.error("Error sending STORK SAML AuthnRequest.", e); @@ -1905,7 +1932,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {              idGenerator = new SecureRandomIdentifierGenerator();              DocumentType doc = new DocumentType(); -            doc.setBase64XML(text.getBytes()); +            doc.setBase64XML(text.getBytes("UTF-8"));              doc.setID(idGenerator.generateIdentifier());              SignRequest request = new SignRequest(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java index 9f2d5b641..484fe1f9e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java @@ -56,7 +56,7 @@ public class StartAuthenticationBuilder {  	    STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); -	    Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc()));     +	    Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc()));  	    // STORK or normal authentication  	    if (storkConfig.isSTORKAuthentication(moasession.getCcc())) {  	    	//STORK authentication diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 8726c1618..26c22fb4a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -51,6 +51,7 @@ import org.w3c.dom.Element;  import eu.stork.peps.auth.commons.IPersonalAttributeList;  import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse;  import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator;  import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;  import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; @@ -291,9 +292,58 @@ public class AuthenticationSession implements Serializable {  	private boolean isForeigner;  	private IPersonalAttributeList storkAttributes; - +	 +	 +	//Temporary store SignRequest for local processing +	private String signedDoc; +	//Temporary store SAMLResponse for processing after user signed signedDoc locally +	private String SAMLResponse; +	// +	private StringBuffer returnURL; +	private IPersonalAttributeList authnResponseGetPersonalAttributeList; +	private String authnContextClassRef;  	// private String requestedProtocolURL = null; +	public String getAuthnContextClassRef() { +		return authnContextClassRef; +	} + +	public void setAuthnContextClassRef(String authnContextClassRef) { +		this.authnContextClassRef = authnContextClassRef; +	} + +	public IPersonalAttributeList getAuthnResponseGetPersonalAttributeList() { +		return authnResponseGetPersonalAttributeList; +	} + +	public void setAuthnResponseGetPersonalAttributeList(IPersonalAttributeList authnResponseGetPersonalAttributeList) { +		this.authnResponseGetPersonalAttributeList = authnResponseGetPersonalAttributeList; +	} + +	public String getSAMLResponse() { +		return SAMLResponse; +	} + +	public void setSAMLResponse(String samlResponse) { +		SAMLResponse = samlResponse; +	} + +	public StringBuffer getReturnURL() { +		return returnURL; +	} + +	public void setReturnURL(StringBuffer returnURL) { +		this.returnURL = returnURL; +	} + +	public String getSignedDoc() { +		return signedDoc; +	} + +	public void setSignedDoc(String signedDoc) { +		this.signedDoc = signedDoc; +	} +  	public String getModul() {  		return modul;  	} @@ -1060,9 +1110,6 @@ public class AuthenticationSession implements Serializable {  	 */  	public Date getSessionCreated() {  		return sessionCreated; -	} - -	 -	 +	}	  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index f11489dd2..bbc704f22 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -161,7 +161,6 @@ public class GetForeignIDServlet extends AuthServlet {  	    AuthenticationSession session = null;
  	    try {
  	    	String xmlCreateXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
 -	    	
            // check parameter
            if (!ParamValidatorUtils.isValidSessionID(sessionID))
               throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12");
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 670ce8b3d..5a2fda67f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -23,16 +23,17 @@  package at.gv.egovernment.moa.id.auth.servlet;
  import iaik.x509.X509Certificate;
 +
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.StringWriter;
  import java.util.ArrayList;
 +
  import javax.activation.DataSource;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
 -import javax.servlet.http.HttpSession;
  import javax.xml.bind.JAXBContext;
  import javax.xml.bind.JAXBElement;
  import javax.xml.transform.stream.StreamSource;
 @@ -50,18 +51,15 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.data.IdentityLink;
  import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
  import at.gv.egovernment.moa.id.auth.stork.STORKException;
  import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
  import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
  import at.gv.egovernment.moa.id.moduls.ModulUtils;
  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
  import at.gv.egovernment.moa.id.util.HTTPUtils;
 -import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
  import at.gv.egovernment.moa.id.util.VelocityProvider;
  import at.gv.egovernment.moa.logging.Logger;
  import at.gv.egovernment.moa.util.StringUtils;
 @@ -188,7 +186,6 @@ public class PEPSConnectorServlet extends AuthServlet {  			//load MOASession from database
  			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID);
 -			
  			//change MOASessionID
  			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
 @@ -248,6 +245,7 @@ public class PEPSConnectorServlet extends AuthServlet {  			String citizenSignature = null;
  			try {
  				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
 +								 
  				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
  				// fetch signed doc
 @@ -272,7 +270,7 @@ public class PEPSConnectorServlet extends AuthServlet {  						for(Object currentX509Data : ((JAXBElement<X509DataType>) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
  							JAXBElement<?> casted = ((JAXBElement<?>) currentX509Data);
  							if(casted.getName().getLocalPart().equals("X509Certificate")) {
 -								moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes()));
 +								moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes("UTF-8")));
  								break;
  							}
  						}
 @@ -338,7 +336,7 @@ public class PEPSConnectorServlet extends AuthServlet {  						StringWriter writer = new StringWriter();
  						template.merge(context, writer);
 -						response.getOutputStream().write(writer.toString().getBytes());
 +						response.getOutputStream().write(writer.toString().getBytes("UTF-8"));
  					} catch (Exception e1) {
  						Logger.error("Error sending gender retrival form.", e1);
  //						httpSession.invalidate();
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java new file mode 100644 index 000000000..129494cbe --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -0,0 +1,789 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + *  + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + *  + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + *  + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +package at.gv.egovernment.moa.id.auth.servlet; + +import iaik.x509.X509Certificate; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.StringWriter; +import java.io.UnsupportedEncodingException; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import javax.activation.DataSource; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Source; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.stream.StreamSource; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.velocity.Template; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; +import org.opensaml.saml2.core.StatusCode; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.BKUException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.exception.ServiceException; +import at.gv.egovernment.moa.id.auth.stork.STORKException; +import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.VelocityProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.SignatureVerificationService; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureLocation; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.xmldsig.SignatureType; +import at.gv.util.xsd.xmldsig.X509DataType; +import eu.stork.oasisdss.api.ApiUtils; +import eu.stork.oasisdss.api.LightweightSourceResolver; +import eu.stork.oasisdss.api.exceptions.ApiUtilsException; +import eu.stork.oasisdss.api.exceptions.UtilsException; +import eu.stork.oasisdss.profile.SignRequest; +import eu.stork.oasisdss.profile.SignResponse; +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.PEPSUtil; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse; +import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.exceptions.STORKSAMLEngineException; +//import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; + +/** + * Endpoint for receiving STORK response messages + */ +public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { +	private static final long serialVersionUID = 1L; + +	public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnectorWithLocalSigning"; + +	private String oasisDssWebFormURL = "http://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//TODO load from config + + +	/** +	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) +	 */ +	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { +		super.doGet(request, response); +	} + +	/** +	 * Handles the reception of a STORK response message +	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) +	 */ +	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException  +	{ +		String moaSessionID1 = request.getParameter("moaSessionID");	 +		String signResponse = request.getParameter("signresponse");	 +		Logger.info("moaSessionID1:"+moaSessionID1); +		Logger.info("signResponse:"+signResponse); +		if(moaSessionID1!=null) +		{ +			if(signResponse!=null) +			{ +				//redirect from oasis with signresponse +				handleSignResponse(request, response); +			} +			else +			{ +				//should not occur +				throw new IOException("should not occur"); +			} +		} +		else +		{ +			if(signResponse!=null) +			{ +				//should not occur +				throw new IOException("should not occur"); +			} +			else +			{ +				//normal saml response +				handleSAMLResponse(request, response); +			} +		} +		return; +	} + +	private void handleSignResponse(HttpServletRequest request, HttpServletResponse response) { +		Logger.info("handleSignResponse started"); +		String moaSessionID = request.getParameter("moaSessionID");	 +		String signResponse = request.getParameter("signresponse");	 +		Logger.info("moaSessionID:"+moaSessionID); +		Logger.info("signResponse:"+signResponse); +		String pendingRequestID = null; +		try{ + + +			//load MOASession from database +			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); +			//change MOASessionID +			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + +			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); +			Logger.info("pendingRequestID:"+pendingRequestID); +			String signResponseString = new String(Base64.decodeBase64(signResponse), "UTF8"); +			Logger.info("RECEIVED signresponse:"+signResponseString); +			//create SignResponse object +			Source response1 = new StreamSource(new java.io.StringReader(signResponseString)); +			SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class); + +			//			SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(Base64.signResponse))); + +			String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + +			// memorize signature into authblock +			moaSession.setAuthBlock(citizenSignature); + +			X509Certificate cert = getSignerCertificate(citizenSignature); +			moaSession.setSignerCertificate(cert);	 +			VerifyXMLSignatureResponse xMLVerifySignatureResponse = verifyXMLSignature(citizenSignature); +			at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse tmp = convert(xMLVerifySignatureResponse); +			 +			 +			moaSession.setXMLVerifySignatureResponse(tmp); +			try{ +				IPersonalAttributeList personalAttributeList = moaSession.getAuthnResponseGetPersonalAttributeList(); +				//Add signResponse +				List<String> values = new ArrayList<String>(); +				//values.add(signResponseString); +				values.add(citizenSignature); +				Logger.debug("Assembling signedDoc attribute"); +				PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, +						"Available"); +				personalAttributeList.add(signedDocAttribute); + +				String authnContextClassRef = moaSession.getAuthnContextClassRef(); +				SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef); +			} catch (STORKException e) { +				// this is really nasty but we work against the system here. We are supposed to get the gender attribute from +				// stork. If we do not, we cannot register the person in the ERnP - we have to have the +				// gender for the represented person. So here comes the dirty hack.  +				if(e.getCause() instanceof STORKException && e.getCause().getMessage().equals("gender not found in response")) { +					try { +						Logger.trace("Initialize VelocityEngine..."); + +						VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); +						Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html"); +						VelocityContext context = new VelocityContext(); +						context.put("SAMLResponse", request.getParameter("SAMLResponse")); +						context.put("action", request.getRequestURL()); + +						StringWriter writer = new StringWriter(); +						template.merge(context, writer); + +						response.getOutputStream().write(writer.toString().getBytes("UTF-8")); +					} catch (Exception e1) { +						Logger.error("Error sending gender retrival form.", e1); +						//						httpSession.invalidate(); +						throw new MOAIDException("stork.10", null); +					} + +					return; +				} + +				Logger.error("Error connecting SZR Gateway", e); +				throw new MOAIDException("stork.10", null); +			}	 + +			Logger.debug("Add full STORK AuthnResponse to MOA session"); +			moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? + +			//session is implicit stored in changeSessionID!!!! +			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + +			Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID); + +			//redirect +			String redirectURL = null; +			redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(),  +					ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); +			redirectURL = response.encodeRedirectURL(redirectURL); + +			response.setContentType("text/html"); +			response.setStatus(302); +			response.addHeader("Location", redirectURL); +			Logger.info("REDIRECT TO: " + redirectURL); + +		} catch (AuthenticationException e) { +			handleError(null, e, request, response, pendingRequestID); + +		} catch (MOAIDException e) { +			handleError(null, e, request, response, pendingRequestID); + +		} catch (Exception e) { +			Logger.error("PEPSConnector has an interal Error.", e); +		} + +		finally { +			ConfigurationDBUtils.closeSession(); +		}	 +	} + +	private void handleSAMLResponse(HttpServletRequest request, HttpServletResponse response) { +		Logger.info("handleSAMLResponse started");	 +		String pendingRequestID = null; + +		try { +			Logger.info("PEPSConnector Servlet invoked, expecting C-PEPS message."); +			Logger.debug("This ACS endpoint is: " + HTTPUtils.getBaseURL(request)); + +			super.setNoCachingHeadersInHttpRespone(request, response); +			Logger.trace("No Caching headers set for HTTP response"); + +			//check if https or only http +			super.checkIfHTTPisAllowed(request.getRequestURL().toString()); + +			Logger.debug("Beginning to extract SAMLResponse out of HTTP Request"); + +			//extract STORK Response from HTTP Request +			//Decodes SAML Response +			byte[] decSamlToken; +			try { +				decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse")); +				Logger.debug("SAMLResponse: " + new String(decSamlToken)); + +			} catch(NullPointerException e) { +				Logger.error("Unable to retrieve STORK Response", e); +				throw new MOAIDException("stork.04", null); +			}		 + +			//Get SAMLEngine instance +			STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing"); + +			STORKAuthnResponse authnResponse = null; +			try { +				//validate SAML Token +				Logger.debug("Starting validation of SAML response"); +				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); +				Logger.info("SAML response succesfully verified!"); +			}catch(STORKSAMLEngineException e){ +				Logger.error("Failed to verify STORK SAML Response", e); +				throw new MOAIDException("stork.05", null); +			} + +			Logger.info("STORK SAML Response message succesfully extracted"); +			Logger.debug("STORK response: "); +			Logger.debug(authnResponse.toString()); + +			Logger.debug("Trying to find MOA Session-ID ...");			 +			//String moaSessionID = request.getParameter(PARAM_SESSIONID); +			//first use SAML2 relayState  +			String moaSessionID = request.getParameter("RelayState"); + +			// escape parameter strings +			moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); + +			//check if SAML2 relaystate includes a MOA sessionID +			if (StringUtils.isEmpty(moaSessionID)) { +				//if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier + +				moaSessionID = authnResponse.getInResponseTo(); +				moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); + +				if (StringUtils.isEmpty(moaSessionID)) {				 +					//No authentication session has been started before +					Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started"); +					Logger.debug("PEPSConnectorURL was: " + request.getRequestURL()); +					throw new AuthenticationException("auth.02", new Object[] { moaSessionID }); + +				} else  +					Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute."); + +			} else  +				//Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter."); +				Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState."); + +			/*INFO!!!! +			 * SAML message IDs has an different format then MOASessionIDs +			 * This is only a workaround because many PEPS does not support SAML2 relayState or +			 * MOASessionID as AttributConsumerServiceURL GET parameter +			 */ +			//	         if (!ParamValidatorUtils.isValidSessionID(moaSessionID)) +			//	             throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12"); + +			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); + +			//load MOASession from database +			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); +			//change MOASessionID +			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + +			Logger.info("Found MOA sessionID: " + moaSessionID); + + + +			String statusCodeValue = authnResponse.getStatusCode(); + +			if (!statusCodeValue.equals(StatusCode.SUCCESS_URI)) { +				Logger.error("Received ErrorResponse from PEPS: " + statusCodeValue); +				throw new MOAIDException("stork.06", new Object[] { statusCodeValue }); +			} + +			Logger.info("Got SAML response with authentication success message."); + +			Logger.debug("MOA session is still valid"); + +			STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest(); + +			if (storkAuthnRequest == null) { +				Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); +				throw new MOAIDException("stork.07", null); +			} + +			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); + +			////////////// incorporate gender from parameters if not in stork response + +			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + +			// but first, check if we have a representation case +			if(STORKResponseProcessor.hasAttribute("mandateContent", attributeList) || STORKResponseProcessor.hasAttribute("representative", attributeList) || STORKResponseProcessor.hasAttribute("represented", attributeList)) { +				// in a representation case... +				moaSession.setUseMandate("true"); + +				// and check if we have the gender value +				PersonalAttribute gender = attributeList.get("gender"); +				if(null == gender) { +					String gendervalue = (String) request.getParameter("gender"); +					if(null != gendervalue) { +						gender = new PersonalAttribute(); +						gender.setName("gender"); +						ArrayList<String> tmp = new ArrayList<String>(); +						tmp.add(gendervalue); +						gender.setValue(tmp); + +						authnResponse.getPersonalAttributeList().add(gender); +					} +				} +			} + +			////////////////////////////////////////////////////////////////////////// + +			Logger.debug("Starting extraction of signedDoc attribute"); +			//extract signed doc element and citizen signature +			String citizenSignature = null; +			try { +				PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); +				String signatureInfo = null; +				if(signedDoc!=null) +				{ +					signatureInfo = signedDoc.getValue().get(0); +					//should not occur +				} +				else +				{ + +					//store SAMLResponse +					moaSession.setSAMLResponse(request.getParameter("SAMLResponse")); +					//store authnResponse + +					//moaSession.setAuthnResponse(authnResponse);//not serializable +					moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList()); + +					String authnContextClassRef = null; +					try { +						authnContextClassRef = authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();	 +					} catch (Throwable e) { +						Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); +					} + +					moaSession.setAuthnContextClassRef(authnContextClassRef); +					moaSession.setReturnURL(request.getRequestURL()); + +					//load signedDoc +					String signRequest = moaSession.getSignedDoc(); + +					//session is implicit stored in changeSessionID!!!! +					String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + +					//set return url to PEPSConnectorWithLocalSigningServlet and add newMOASessionID  +					//signRequest + +					String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); +					String acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + +					String url = acsURL+"?moaSessionID="+newMOASessionID; +					//redirect to OASIS module and sign there +					performRedirect(url,request,response,signRequest); + +					return; +				} +				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); + +				citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + +				// memorize signature into authblock +				moaSession.setAuthBlock(citizenSignature); + +				X509Certificate cert = getSignerCertificate(citizenSignature); +				moaSession.setSignerCertificate(cert);	 + + +			} catch (Throwable e) { +				Logger.error("Could not extract citizen signature from C-PEPS", e); +				throw new MOAIDException("stork.09", null); +			} + +			try{ +				SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); +			} catch (STORKException e) { +				// this is really nasty but we work against the system here. We are supposed to get the gender attribute from +				// stork. If we do not, we cannot register the person in the ERnP - we have to have the +				// gender for the represented person. So here comes the dirty hack.  +				if(e.getCause() instanceof STORKException && e.getCause().getMessage().equals("gender not found in response")) { +					try { +						Logger.trace("Initialize VelocityEngine..."); + +						VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); +						Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html"); +						VelocityContext context = new VelocityContext(); +						context.put("SAMLResponse", request.getParameter("SAMLResponse")); +						context.put("action", request.getRequestURL()); + +						StringWriter writer = new StringWriter(); +						template.merge(context, writer); + +						response.getOutputStream().write(writer.toString().getBytes("UTF-8")); +					} catch (Exception e1) { +						Logger.error("Error sending gender retrival form.", e1); +						//						httpSession.invalidate(); +						throw new MOAIDException("stork.10", null); +					} + +					return; +				} + +				Logger.error("Error connecting SZR Gateway", e); +				throw new MOAIDException("stork.10", null); +			}	 + +			Logger.debug("Add full STORK AuthnResponse to MOA session"); +			moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? + +			//session is implicit stored in changeSessionID!!!! +			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + +			Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID); + +			//redirect +			String redirectURL = null; +			redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(),  +					ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); +			redirectURL = response.encodeRedirectURL(redirectURL); + +			response.setContentType("text/html"); +			response.setStatus(302); +			response.addHeader("Location", redirectURL); +			Logger.info("REDIRECT TO: " + redirectURL); + +		} catch (AuthenticationException e) { +			handleError(null, e, request, response, pendingRequestID); + +		} catch (MOAIDException e) { +			handleError(null, e, request, response, pendingRequestID); + +		} catch (Exception e) { +			Logger.error("PEPSConnector has an interal Error.", e); +		} + +		finally { +			ConfigurationDBUtils.closeSession(); +		}	 + +	} + +	private void performRedirect(String url, HttpServletRequest req, HttpServletResponse resp, String signRequestString) +			throws MOAIDException { + +		try { +			Logger.trace("Initialize VelocityEngine..."); + +			VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); +			Template template = velocityEngine.getTemplate("/resources/templates/oasis_dss_webform_binding.vm"); +			VelocityContext context = new VelocityContext(); + +			Logger.debug("performRedirect, signrequest:"+signRequestString); +			Source signDoc = new StreamSource(new java.io.StringReader(signRequestString)); +			SignRequest signRequest = ApiUtils.unmarshal(signDoc, SignRequest.class); +			signRequest.setReturnURL("TODO"); +			signRequestString = IOUtils.toString(ApiUtils.marshalToInputStream(signRequest)); +			context.put("signrequest", Base64.encodeBase64String(signRequestString.getBytes("UTF8"))); +			context.put("clienturl", url); +			context.put("action", oasisDssWebFormURL ); + +			StringWriter writer = new StringWriter(); +			template.merge(context, writer); + +			resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); +		} catch (Exception e) { +			Logger.error("Error sending DSS signrequest.", e); +			throw new MOAIDException("stork.11", null); +		} +	} + +	private String getCitizienSignatureFromSignResponseFromSAML(STORKAuthnResponse authnResponse) throws ApiUtilsException, IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, MOAIDException +	{ +		PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); +		String signatureInfo = null; +		if(signedDoc==null) +		{ +			Logger.error("SignedDoc = null, failed to extract Signresponse from authnResponse"); +			throw new MOAIDException("stork.09", null); +		} +		signatureInfo = signedDoc.getValue().get(0); + +		SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); +		String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); +		return citizenSignature; + +	} + +	private String getCitizienSignatureFromSignResponse(SignResponse dssSignResponse) throws IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, ApiUtilsException +	{ +		// fetch signed doc +		DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse); +		if(ds == null){ +			throw new ApiUtilsException("No datasource found in response"); +		}				 + +		InputStream incoming  = ds.getInputStream(); +		String citizenSignature = IOUtils.toString(incoming); +		incoming.close(); + +		return citizenSignature; +	} + +	private X509Certificate getSignerCertificate(String citizenSignature) throws CertificateException, JAXBException, UnsupportedEncodingException +	{ +		JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName()); +		SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue(); + +		// extract certificate +		for(Object current : root.getKeyInfo().getContent()) +			if(((JAXBElement<?>) current).getValue() instanceof X509DataType) { +				for(Object currentX509Data : ((JAXBElement<X509DataType>) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) { +					JAXBElement<?> casted = ((JAXBElement<?>) currentX509Data); +					if(casted.getName().getLocalPart().equals("X509Certificate")) { +						return new X509Certificate(((String)casted.getValue()).getBytes("UTF-8")); +					} +				} +			} +		return null; +	} + +	private void SZRGInsertion(AuthenticationSession moaSession, IPersonalAttributeList personalAttributeList, String authnContextClassRef) throws STORKException, MOAIDException +	{ +		Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)"); +		Logger.debug("Citizen signature will be verified by SZR Gateway!"); + +		Logger.debug("fetching OAParameters from database"); + +		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix()); +		if (oaParam == null) +			throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() }); + +		// retrieve target +		//TODO: check in case of SSO!!! +        String targetType = null; +        if(oaParam.getBusinessService()) { +        	String id = oaParam.getIdentityLinkDomainIdentifier(); +        	if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) +        		targetType = id; +        	else +        		targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier(); +        } else { +        	targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); +        } +         +		 + +		Logger.debug("Starting connecting SZR Gateway"); +		//contact SZR Gateway +		IdentityLink identityLink = null; + +		identityLink = STORKResponseProcessor.connectToSZRGateway(personalAttributeList, +				oaParam.getFriendlyName(),  +				targetType, null,  +				oaParam.getMandateProfiles()); +		Logger.debug("SZR communication was successfull"); + +		if (identityLink == null) { +			Logger.error("SZR Gateway did not return an identity link."); +			throw new MOAIDException("stork.10", null);	 +		} +		Logger.info("Received Identity Link from SZR Gateway"); +		moaSession.setIdentityLink(identityLink); + +		Logger.debug("Adding addtional STORK attributes to MOA session"); +		moaSession.setStorkAttributes(personalAttributeList); + +		//We don't have BKUURL, setting from null to "Not applicable" +		moaSession.setBkuURL("Not applicable (STORK Authentication)"); + +		// free for single use +		moaSession.setAuthenticatedUsed(false); + +		// stork did the authentication step +		moaSession.setAuthenticated(true); + +		//TODO: found better solution, but QAA Level in response could be not supported yet +		try { +			if(authnContextClassRef==null) +				authnContextClassRef = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel(); +			moaSession.setQAALevel(authnContextClassRef); + +		} catch (Throwable e) { +			Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); +			moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel()); + +		} + +	} + +	private VerifyXMLSignatureResponse verifyXMLSignature(String signature) throws AuthenticationException, ParseException, BKUException, BuildException, ConfigurationException, ServiceException, UnsupportedEncodingException, SAXException, IOException, ParserConfigurationException, MOAException +	{ +		//Based on MOA demo client +		    // Factory und Service instanzieren +		    SPSSFactory spssFac = SPSSFactory.getInstance(); +		    SignatureVerificationService sigVerifyService = SignatureVerificationService.getInstance(); +		     +		    Content sigDocContent1 = spssFac.createContent(IOUtils.toInputStream(signature, "UTF-8"), null); +		     +		    // Position der zu prüfenden Signatur im Dokument angeben +		    // (Nachdem im XPath-Ausdruck ein NS-Präfix verwendet wird, muss in einer Lookup-Tabelle +		    // der damit bezeichnete Namenraum mitgegeben werden) +		    HashMap nSMap = new HashMap(); +		    nSMap.put("dsig", "http://www.w3.org/2000/09/xmldsig#"); +		    VerifySignatureLocation sigLocation = spssFac.createVerifySignatureLocation("//dsig:Signature", nSMap); +		     +		    // Zu prüfendes Dokument und Signaturposition zusammenfassen +		    +		    VerifySignatureInfo sigInfo = spssFac.createVerifySignatureInfo(sigDocContent1, sigLocation); +		     +		    // Prüfrequest zusammenstellen +		    VerifyXMLSignatureRequest verifyRequest = spssFac.createVerifyXMLSignatureRequest( +		      null,    // Wird Prüfzeit nicht angegeben, wird aktuelle Zeit verwendet  +		      sigInfo,  +		      null,    // Keine Ergänzungsobjekte notwendig +		      null,    // Signaturmanifest-Prüfung soll nicht durchgeführt werden +		      false,   // Hash-Inputdaten, d.h. tatsächlich signierte Daten werden nicht zurückgeliefert +		      "MOAIDBuergerkartePersonenbindungMitTestkarten");//TODO load from config +		      //"Test-Signaturdienste");  // ID des verwendeten Vertrauensprofils +		     +		    VerifyXMLSignatureResponse verifyResponse = null; +		    try +		    { +		      // Aufruf der Signaturprüfung +		      verifyResponse = sigVerifyService.verifyXMLSignature(verifyRequest); +		    } +		    catch (MOAException e) +		    { +		      // Service liefert Fehler +		      System.err.println("Die Signaturprüfung hat folgenden Fehler geliefert:"); +		      System.err.println("Fehlercode: " + e.getMessageId()); +		      System.err.println("Fehlernachricht: " + e.getMessage()); +		      throw e; +		    } +		     +//		    // Auswertung der Response +//		    System.out.println(); +//		    System.out.println("Ergebnisse der Signaturprüfung:"); +//		    System.out.println(); +//		     +//		    // Besondere Eigenschaften des Signatorzertifikats +//		    SignerInfo signerInfo = verifyResponse.getSignerInfo(); +//		    System.out.println("*** Ist Zertifikat des Signators qualifiziert? " + ((signerInfo.isQualifiedCertificate()) ? "ja" : "nein")); +//		    System.out.println("*** Ist Zertifikat des Signators von einer Behörde? " + ((signerInfo.isPublicAuthority()) ? "ja" : "nein")); +//		     +//		    // Ergebnisse von Signatur- und Zertifikatsprüfung +//		    System.out.println(); +//		    System.out.println("Ergebniscode der Signaturprüfung: " + verifyResponse.getSignatureCheck().getCode()); +//		    System.out.println("Ergebniscode der Zertifikatsprüfung: " + verifyResponse.getCertificateCheck().getCode()); +//		     +//		    // Signatorzertifikat +//		    System.out.println(); +//		    System.out.println("*** Zertifikat des Signators:"); +//		    System.out.println("Aussteller: " + signerInfo.getSignerCertificate().getIssuerDN()); +//		    System.out.println("Subject: " + signerInfo.getSignerCertificate().getSubjectDN()); +//		    System.out.println("Seriennummer: " + signerInfo.getSignerCertificate().getSerialNumber()); +		  return verifyResponse; +	} + +	private at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse convert(VerifyXMLSignatureResponse xMLVerifySignatureResponse) { +		at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse response = new at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse(); +		response.setCertificateCheckCode(xMLVerifySignatureResponse.getCertificateCheck().getCode()); +		response.setPublicAuthority(xMLVerifySignatureResponse.getSignerInfo().isPublicAuthority()); +//		response.setPublicAuthorityCode(publicAuthorityCode) +		response.setQualifiedCertificate(xMLVerifySignatureResponse.getSignerInfo().isQualifiedCertificate()); +		response.setSignatureCheckCode(xMLVerifySignatureResponse.getSignatureCheck().getCode()); +		response.setSignatureManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode()); +//		response.setSigningDateTime() +//		response.setX509certificate(x509certificate) +		response.setXmlDSIGManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode()); +//		response.setXmlDSIGManigest(xMLVerifySignatureResponse.getSignatureManifestCheck()) +//		response.setXmlDsigSubjectName(xmlDsigSubjectName)	 +		return response; +	} +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 98edf1fe4..e7fa9cbd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -207,7 +207,7 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {  					//System.out.println("IDL: " + s); -					byte[] idl = s.getBytes(); +					byte[] idl = s.getBytes("UTF-8");  					// redirect url  					// build redirect(to the GetMISSessionIdSerlvet) @@ -238,7 +238,7 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {  			        String oaFriendlyName = oaParam.getFriendlyName();  			        String mandateReferenceValue = session.getMandateReferenceValue();  			        byte[] cert = session.getEncodedSignerCertificate(); -			        byte[] authBlock = session.getAuthBlock().getBytes(); +			        byte[] authBlock = session.getAuthBlock().getBytes("UTF-8");  			        //TODO: check in case of SSO!!!  			        String targetType = null;   diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index 2f1e50a05..46fd06741 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -105,13 +105,19 @@ public class STORKResponseProcessor {  	 * @throws STORKException the sTORK exception
  	 */
  	private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList) throws STORKException {
 +		return getAttributeValue(attributeName, attributeList, true);
 +	}
 +	private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {
  		try {
  			String result = attributeList.get(attributeName).getValue().get(0);
  			Logger.trace(attributeName + " : " + result);
  			return result;
 -		} catch(NullPointerException e) {
 +		} catch(Exception e) {
  			Logger.error(attributeName + " not found in response");
 -			throw new STORKException(attributeName + " not found in response");
 +			if(throwException)
 +				throw new STORKException(attributeName + " not found in response");
 +			else
 +				return null;
  		}
  	}
 @@ -136,37 +142,34 @@ public class STORKResponseProcessor {  			Logger.trace("Starting call...");
  			// if there is no signedDoc attribute, we cannot go on
 -			String fiscalNumber = null;
  			String citizenSignature = getAttributeValue("signedDoc", attributeList);
 -			if (hasAttribute("fiscalNumber", attributeList))
 -				fiscalNumber = getAttributeValue("fiscalNumber", attributeList);
 +			String fiscalNumber = getAttributeValue("fiscalNumber", attributeList, false);
  			// if we have a signedDoc we test for a representation case
  			// - according to stork samlengine and commons
  			if(hasAttribute("mandate", attributeList)) {
  				// we have a representation case
 -				String mandate = getAttributeValue("mandate", attributeList);
 +				String mandate = getAttributeValue("mandate", attributeList, false);
  				if(!hasAttribute("dateOfBirth", attributeList)) {
  					// if we get here, we have a natural person representing a legal person
 -					String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList);
 -					String organizationType = getAttributeValue("translateableType", attributeList);
 +					String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList, false);
 +					String organizationType = getAttributeValue("translateableType", attributeList, false);
  					identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(citizenSignature, null, null, mandate, organizationAddress, organizationType, targetType, targetValue, oaFriendlyName, filters, fiscalNumber);
  				} else {
  					// if we get here, we have a natural person representing another natural person
 -					String eIdentifier = getAttributeValue("eIdentifier", attributeList);
 -					String givenName = getAttributeValue("givenName", attributeList);
 -					String lastName = getAttributeValue("surname", attributeList);
 -					String dateOfBirth = null;
 -					if (hasAttribute("dateOfBirth", attributeList)) {
 -						dateOfBirth = getAttributeValue("dateOfBirth", attributeList);
 -						dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth);
 -					}
 +					String eIdentifier = getAttributeValue("eIdentifier", attributeList, false);
 +					String givenName = getAttributeValue("givenName", attributeList, false);
 +					String lastName = getAttributeValue("surname", attributeList, false);
 +					String dateOfBirth = getAttributeValue("dateOfBirth", attributeList, false);
  					// gender attribute is mandatory here because of some legal stuff
 -					String gender = getAttributeValue("gender", attributeList);
 +					String gender = getAttributeValue("gender", attributeList, false);
 +					if (!StringUtils.isEmpty(dateOfBirth))
 +						dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth);
 +
  					identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(eIdentifier, 
  							givenName, lastName, dateOfBirth, gender, citizenSignature, null,
  							null, mandate, targetType, targetValue, oaFriendlyName, filters, fiscalNumber);
 @@ -175,44 +178,41 @@ public class STORKResponseProcessor {  			// - according to stork spec
  			else if(hasAttribute("mandateContent", attributeList) || hasAttribute("representative", attributeList) || hasAttribute("represented", attributeList)) {
  				// we have a representation case
 -				String representative = getAttributeValue("representative", attributeList);
 -				String represented = getAttributeValue("represented", attributeList);
 -				String mandate = getAttributeValue("mandateContent", attributeList);
 +				String representative = getAttributeValue("representative", attributeList, false);
 +				String represented = getAttributeValue("represented", attributeList, false);
 +				String mandate = getAttributeValue("mandateContent", attributeList, false);
  				if(!hasAttribute("dateOfBirth", attributeList)) {
  					// if we get here, we have a natural person representing a legal person
 -					String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList);
 -					String organizationType = getAttributeValue("translateableType", attributeList);
 +					String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList, false);
 +					String organizationType = getAttributeValue("translateableType", attributeList, false);
  					identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(citizenSignature, representative, represented, mandate, organizationAddress, organizationType, targetType, targetValue, oaFriendlyName, filters, fiscalNumber);
  				} else {
  					// if we get here, we have a natural person representing another natural person
 -					String eIdentifier = getAttributeValue("eIdentifier", attributeList);
 -					String givenName = getAttributeValue("givenName", attributeList);
 -					String lastName = getAttributeValue("surname", attributeList);
 -					String dateOfBirth = null;
 -					if (hasAttribute("dateOfBirth", attributeList)) {
 -						dateOfBirth = getAttributeValue("dateOfBirth", attributeList);
 -						dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth);
 -					}
 +					String eIdentifier = getAttributeValue("eIdentifier", attributeList, false);
 +					String givenName = getAttributeValue("givenName", attributeList, false);
 +					String lastName = getAttributeValue("surname", attributeList, false);
 +					String dateOfBirth = getAttributeValue("dateOfBirth", attributeList, false);
  					// gender attribute is mandatory here because of some legal stuff
 -					String gender = getAttributeValue("gender", attributeList);
 -				
 +					String gender = getAttributeValue("gender", attributeList, false);
 +					
 +					if (!StringUtils.isEmpty(dateOfBirth))
 +						dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth);
 +
  					identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(eIdentifier, 
  							givenName, lastName, dateOfBirth, gender, citizenSignature, representative,
  							represented, mandate, targetType, targetValue, oaFriendlyName, filters, fiscalNumber);
  				}
  			} else {
  				// we do not have a representation case
 -				String eIdentifier = getAttributeValue("eIdentifier", attributeList);
 -				String givenName = getAttributeValue("givenName", attributeList);
 -				String lastName = getAttributeValue("surname", attributeList);
 -				String dateOfBirth = null;
 -				if (hasAttribute("dateOfBirth", attributeList)) {
 -					dateOfBirth = getAttributeValue("dateOfBirth", attributeList);
 +				String eIdentifier = getAttributeValue("eIdentifier", attributeList, false);
 +				String givenName = getAttributeValue("givenName", attributeList, false);
 +				String lastName = getAttributeValue("surname", attributeList, false);
 +				String dateOfBirth = getAttributeValue("dateOfBirth", attributeList, false);
 +				if (!StringUtils.isEmpty(dateOfBirth))
  					dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth);
 -				}
  				identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(eIdentifier, givenName, lastName, dateOfBirth, citizenSignature, fiscalNumber);
  			}
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java index 6e67b4219..3f4be5093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java @@ -45,6 +45,8 @@ public class CPEPS {  	/**  URL of C-PEPS */
  	private URL pepsURL;
 +	private Boolean isXMLSignatureSupported;
 +
  	/** Specific attributes to be requested for this C-PEPS */
  	private List<RequestedAttribute> countrySpecificRequestedAttributes = new ArrayList<RequestedAttribute>();
 @@ -53,10 +55,11 @@ public class CPEPS {  	 * @param countryCode ISO Country Code of C-PEPS
  	 * @param pepsURL URL of C-PEPS
  	 */
 -	public CPEPS(String countryCode, URL pepsURL) {
 +	public CPEPS(String countryCode, URL pepsURL, Boolean isXMLSignatureSupported) {
  		super();
  		this.countryCode = countryCode;
  		this.pepsURL = pepsURL;
 +		this.isXMLSignatureSupported = isXMLSignatureSupported;
  	}
  	/**
 @@ -92,6 +95,21 @@ public class CPEPS {  	}
  	/**
 +	 * Returns weather the C-PEPS supports XMl Signatures or not (important for ERnB)
 +	 */
 +	public Boolean isXMLSignatureSupported() {
 +		return isXMLSignatureSupported;
 +	}
 +
 +	/**
 +	 * Sets weather the C-PEPS supports XMl Signatures or not (important for ERnB)
 +	 * @param isXMLSignatureSupported C-PEPS XML Signature support
 +	 */
 +	public void setXMLSignatureSupported(boolean isXMLSignatureSupported) {
 +		this.isXMLSignatureSupported = isXMLSignatureSupported;
 +	}
 +	
 +	/**
  	 * Gets the country specific attributes of this C-PEPS
  	 * @return List of country specific attributes
  	 */
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 2e243b3ae..136b40295 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -81,7 +81,7 @@ public class STORKConfig {  			for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) {
  				try {
 -					CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL()));
 +					CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL()), cpep.isSupportsXMLSignature());
  					cpepsMap.put(cpep.getCountryCode(), moacpep);
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index cb12bc5bd..ca3117a79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -342,7 +342,7 @@ public class SSOManager {  		httpResp.setContentType("text/html;charset=UTF-8");             -		httpResp.getOutputStream().write(writer.toString().getBytes()); +		httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8"));  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index fec8e3b98..dbf54951f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -165,7 +165,7 @@ public class MetadataAction implements IAction {  			Logger.debug("METADATA: " + metadataXML);  			httpResp.setContentType("text/xml"); -			httpResp.getOutputStream().write(metadataXML.getBytes()); +			httpResp.getOutputStream().write(metadataXML.getBytes("UTF-8"));  			httpResp.getOutputStream().close(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java index ded9e7166..4f3aff469 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java @@ -46,7 +46,7 @@ public class EIDAuthBlock implements IPVPAttributeBuilder {  			String authblock = authData.getAuthBlock();  			if (MiscUtil.isNotEmpty(authblock)) {  				return g.buildStringAttribute(EID_AUTH_BLOCK_FRIENDLY_NAME, EID_AUTH_BLOCK_NAME, -						Base64Utils.encode(authblock.getBytes())); +						Base64Utils.encode(authblock.getBytes("UTF-8")));  			}  		} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index 531369e9a..e8aeb8fcd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -43,7 +43,7 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder {  			ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion();  			return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, -					EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes())); +					EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes("UTF-8")));  		} catch (IOException e) {  			Logger.warn("IdentityLink serialization error.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java index 04cc59b10..5e723baab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java @@ -54,7 +54,7 @@ public class EIDSTORKTOKEN implements IPVPAttributeBuilder  {  			} else {				  				try {  					return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME,  -							Base64Utils.encode(storkResponse.getBytes())); +							Base64Utils.encode(storkResponse.getBytes("UTF-8")));  				} catch (IOException e) {  					Logger.warn("Encode AuthBlock BASE64 failed.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java index 8dfebc06c..885de6805 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -22,6 +22,8 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.io.UnsupportedEncodingException; +  import org.opensaml.saml2.core.RequestAbstractType;  import org.opensaml.security.SAMLSignatureProfileValidator;  import org.opensaml.xml.validation.ValidationException; @@ -70,7 +72,7 @@ public class SAMLVerifierMOASP implements ISAMLVerifier {  				// builds a <VerifyXMLSignatureRequest> for a call of MOA-SP  				Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() -						.build(XMLUtil.printXML(request.getDOM()).getBytes(), +						.build(XMLUtil.printXML(request.getDOM()).getBytes("UTF-8"),  								trustProfileID);  				Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); @@ -123,6 +125,10 @@ public class SAMLVerifierMOASP implements ISAMLVerifier {  			String msg = "Unable to invoke MOA-SP.";  			Logger.error(msg, e);  			throw new SecurityException(msg, e); +		} catch (UnsupportedEncodingException e) { +			String msg = "Unsupported Encoding."; +			Logger.error(msg, e); +			throw new SecurityException(msg, e);  		}  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index a5690a883..c64c5b488 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -75,7 +75,7 @@ public class AuthenticationRequest implements IAction {          this.authData = authData; -        if ((req instanceof MOASTORKRequest) && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { +        if ((req instanceof MOASTORKRequest)) { // && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) {              this.moaStorkRequest = (MOASTORKRequest) req; @@ -134,10 +134,10 @@ public class AuthenticationRequest implements IAction {              return (new AttributeCollector()).processRequest(container, httpReq, httpResp, authData, oaParam);          } -        // check if we are getting request for citizen of some other country -        else if (req instanceof MOASTORKRequest) { -            return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); -        } +//        // check if we are getting request for citizen of some other country +//        else if (req instanceof MOASTORKRequest) { +//            return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); +//        }          // Check if we got the response from PEPS          // If so then process it and forward to SP @@ -318,7 +318,7 @@ public class AuthenticationRequest implements IAction {              Logger.debug("Sending html content: " + writer.getBuffer().toString());              Logger.debug("Sending html content2  : " + new String(writer.getBuffer())); -            httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); +            httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8"));          } catch (IOException e) {              Logger.error("Velocity IO error: " + e.getMessage()); @@ -380,7 +380,7 @@ public class AuthenticationRequest implements IAction {              Logger.debug("Sending html content: " + writer.getBuffer().toString());              Logger.debug("Sending html content2  : " + new String(writer.getBuffer())); -            httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); +            httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8"));          } catch (Exception e) {              Logger.error("Velocity error: " + e.getMessage()); @@ -390,24 +390,24 @@ public class AuthenticationRequest implements IAction {      public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { -        // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country -        if (req instanceof MOASTORKRequest) { -            MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; -            if (moastorkRequest.getStorkAuthnRequest() != null) { -                String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); -                // check if citizen country is configured in the system -                try { -                    if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { -                        return false; -                    } -                } catch (MOAIDException e) { -                    Logger.error("Could not initialize AuthConfigurationProvider"); -                } -            } -            // authentication is not required if received authentication response -        } else if (req instanceof MOASTORKResponse) { -            return false; -        } +//        // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country +//        if (req instanceof MOASTORKRequest) { +//            MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; +//            if (moastorkRequest.getStorkAuthnRequest() != null) { +//                String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); +//                // check if citizen country is configured in the system +//                try { +//                    if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { +//                        return false; +//                    } +//                } catch (MOAIDException e) { +//                    Logger.error("Could not initialize AuthConfigurationProvider"); +//                } +//            } +//            // authentication is not required if received authentication response +//        } else if (req instanceof MOASTORKResponse) { +//            return false; +//        }          return true;      } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index 2b00f15e2..3159574fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -142,7 +142,7 @@ public class ConsentEvaluator implements IAction {  			StringWriter writer = new StringWriter();  			template.merge(context, writer); -			response.getOutputStream().write(writer.getBuffer().toString().getBytes()); +			response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8"));  		} catch (Exception e) {  			Logger.error("Velocity error: " + e.getMessage()); @@ -209,7 +209,7 @@ public class ConsentEvaluator implements IAction {              Logger.debug("Sending html content: " + writer.getBuffer().toString());              Logger.debug("Sending html content2  : " + new String(writer.getBuffer())); -            httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); +            httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8"));          } catch (Exception e) {              Logger.error("Velocity error: " + e.getMessage()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java index 8df3c00aa..07e5b70ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java @@ -192,7 +192,7 @@ public class MandateAttributeRequestProvider extends AttributeProvider {              StringWriter writer = new StringWriter();              template.merge(context, writer); -            resp.getOutputStream().write(writer.toString().getBytes()); +            resp.getOutputStream().write(writer.toString().getBytes("UTF-8"));          } catch (Exception e) {              Logger.error("Error sending STORK SAML AttrRequest.", e);              throw new MOAIDException("stork.11", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 72274bada..2aa10b9dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -104,8 +104,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {  	public SignedDocAttributeRequestProvider(String oasisDssWebFormURL, String attributes) {  		super(attributes);  		this.oasisDssWebFormURL = oasisDssWebFormURL; -		//TODO load dtlUrl from config -		 +  		Properties props = new Properties();  		try {  			props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties")); @@ -144,11 +143,10 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {  	 * .servlet.http.HttpServletRequest)  	 */  	public IPersonalAttributeList parse(HttpServletRequest httpReq) throws MOAIDException, UnsupportedAttributeException { -		Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request2"); +		Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request");  		try { -			String base64 = httpReq. -					getParameter("signresponse"); +			String base64 = httpReq.getParameter("signresponse");  			Logger.debug("signresponse url: " + httpReq.getRequestURI().toString());  			Logger.debug("signresponse querystring: " + httpReq.getQueryString());  			Logger.debug("signresponse method: " + httpReq.getMethod()); @@ -219,6 +217,49 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {  					{  						//No document service used?  						// do nothing.... +						//TODO temporary fix because document is deleted after fetching => SP can't download Doc +						//Add doc to Signresponse + +						DocumentWithSignature documentWithSignature = new DocumentWithSignature(); +						DocumentType value = new DocumentType(); +						if(signResponse.getProfile().toLowerCase().contains("xades")) +						{ +							value.setBase64XML(data); +						} +						else +						{ +							Base64Data base64data = new Base64Data(); +							base64data.setValue(data); +							base64data.setMimeType(dataSource.getContentType()); +							value.setBase64Data(base64data); +						} +						documentWithSignature.setDocument(value); +						if(signResponse.getOptionalOutputs()!=null) +						{ +							//signResponse.getOptionalOutputs().getAny().add(documentWithSignature); +							for(Object o :signResponse.getOptionalOutputs().getAny()) +							{ +								if(o instanceof DocumentWithSignature) +								{ +									signResponse.getOptionalOutputs().getAny().remove(o); +									signResponse.getOptionalOutputs().getAny().add(documentWithSignature); +									break; +								} +							} +						} +						else +						{ +							AnyType anytype = new AnyType(); +							anytype.getAny().add(documentWithSignature); +							signResponse.setOptionalOutputs(anytype ); +						} + +//						System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); +						InputStream istr = ApiUtils.marshalToInputStream(signResponse); +						StringWriter writer = new StringWriter(); +						IOUtils.copy(istr, writer, "UTF-8"); +						signResponseString = writer.toString(); +						Logger.info("SignResponse overwritten:"+signResponseString);  					}  			}  			else @@ -337,7 +378,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {  			StringWriter writer = new StringWriter();  			template.merge(context, writer); -			resp.getOutputStream().write(writer.toString().getBytes()); +			resp.getOutputStream().write(writer.toString().getBytes("UTF-8"));  		} catch (Exception e) {  			Logger.error("Error sending DSS signrequest.", e);  			throw new MOAIDException("stork.11", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java index d7e2cdf58..cb3a33c69 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java @@ -172,7 +172,7 @@ public class StorkAttributeRequestProvider extends AttributeProvider {  			StringWriter writer = new StringWriter();  			template.merge(context, writer); -			resp.getOutputStream().write(writer.toString().getBytes()); +			resp.getOutputStream().write(writer.toString().getBytes("UTF-8"));  		} catch (Exception e) {  			Logger.error("Error sending STORK SAML AttrRequest.", e);  			throw new MOAIDException("stork.11", null); diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index f99304dcc..066967b44 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -827,6 +827,7 @@  			</xsd:sequence>  			<xsd:attribute name="countryCode" type="CountryCodeType" use="required"/>  			<xsd:attribute name="URL" type="xsd:anyURI" use="required"/> +			<xsd:attribute name="supportsXMLSignature" type="xsd:boolean" default="true"></xsd:attribute>  		</xsd:complexType>  	</xsd:element>  	<xsd:element name="STORK"> | 
