aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
Diffstat (limited to 'id')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java45
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java13
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java56
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties16
7 files changed, 82 insertions, 72 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 773155934..4f35b084f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -24,6 +24,7 @@
package at.gv.egovernment.moa.id.auth;
import iaik.pki.PKIException;
+import iaik.security.provider.IAIK;
import iaik.x509.X509Certificate;
import java.io.ByteArrayInputStream;
@@ -3020,7 +3021,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
CertificateFactory cf;
X509Certificate cert = null;
- cf = CertificateFactory.getInstance("X.509");
+ cf = CertificateFactory.getInstance("X.509", IAIK.getInstance());
cert = (X509Certificate)cf.generateCertificate(is);
return cert;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
index 531ec0756..0f82d9a3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
@@ -6,14 +6,16 @@ import javax.servlet.http.HttpServletResponse;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.security.SecurityException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+
public interface IDecoder {
public MOARequest decodeRequest(HttpServletRequest req,
HttpServletResponse resp)
- throws MessageDecodingException, SecurityException;
+ throws MessageDecodingException, SecurityException, PVP2Exception;
public MOAResponse decodeRespone(HttpServletRequest req,
HttpServletResponse resp)
- throws MessageDecodingException, SecurityException;
+ throws MessageDecodingException, SecurityException, PVP2Exception;
public boolean handleDecode(String action, HttpServletRequest req);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
index f2c392a2a..66526534d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
@@ -8,12 +8,23 @@ import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+
public interface IEncoder {
public void encodeRequest(HttpServletRequest req,
HttpServletResponse resp, RequestAbstractType request, String targetLocation)
- throws MessageEncodingException, SecurityException;
+ throws MessageEncodingException, SecurityException, PVP2Exception;
+ /**
+ * Encoder SAML Response
+ * @param req The http request
+ * @param resp The http response
+ * @param response The repsonse object
+ * @param targetLocation
+ * @throws MessageEncodingException
+ * @throws SecurityException
+ */
public void encodeRespone(HttpServletRequest req,
HttpServletResponse resp, StatusResponseType response, String targetLocation)
- throws MessageEncodingException, SecurityException;
+ throws MessageEncodingException, SecurityException, PVP2Exception;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 048ad8b38..97e7ef80c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -7,33 +7,25 @@ import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
-import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.opensaml.ws.security.SecurityPolicyResolver;
-import org.opensaml.ws.security.provider.BasicSecurityPolicy;
-import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.signature.Signature;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
public class PostBinding implements IDecoder, IEncoder {
@@ -68,7 +60,7 @@ public class PostBinding implements IDecoder, IEncoder {
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
SingleSignOnService service = new SingleSignOnServiceBuilder()
.buildObject();
- service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT");
+ service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
service.setLocation(targetLocation);
context.setOutboundSAMLMessageSigningCredential(credentials);
context.setPeerEntityEndpoint(service);
@@ -92,27 +84,8 @@ public class PostBinding implements IDecoder, IEncoder {
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(req));
- // TODO: used to verify signature!
- SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
- TrustEngineFactory.getSignatureKnownKeysTrustEngine());
-
- // signatureRule.evaluate(messageContext);
- BasicSecurityPolicy policy = new BasicSecurityPolicy();
- policy.getPolicyRules().add(signatureRule);
- SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
- policy);
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- messageContext.setSecurityPolicyResolver(resolver);
-
- MOAMetadataProvider provider = null;
- try {
- provider = new MOAMetadataProvider();
- } catch (MetadataProviderException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
- messageContext.setMetadataProvider(provider);
-
+
decode.decode(messageContext);
RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
@@ -133,18 +106,8 @@ public class PostBinding implements IDecoder, IEncoder {
BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(req));
-
- // TODO: used to verify signature!
- SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
- TrustEngineFactory.getSignatureKnownKeysTrustEngine());
-
- // signatureRule.evaluate(messageContext);
- BasicSecurityPolicy policy = new BasicSecurityPolicy();
- policy.getPolicyRules().add(signatureRule);
- SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
- policy);
+
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- messageContext.setSecurityPolicyResolver(resolver);
decode.decode(messageContext);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index d90e59c35..c0cf6ac63 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -5,6 +5,7 @@ import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
@@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
public class RedirectBinding implements IDecoder, IEncoder {
@@ -53,7 +55,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
SingleSignOnService service = new SingleSignOnServiceBuilder()
.buildObject();
- service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT");
+ service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
service.setLocation(targetLocation);
context.setOutboundSAMLMessageSigningCredential(credentials);
context.setPeerEntityEndpoint(service);
@@ -81,8 +83,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
try {
messageContext.setMetadataProvider(new MOAMetadataProvider());
} catch (MetadataProviderException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ Logger.error("Failed to get Metadata Provider");
+ throw new SecurityException("Failed to get Metadata Provider");
}
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
@@ -117,7 +119,6 @@ public class RedirectBinding implements IDecoder, IEncoder {
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(req));
- // TODO: used to verify signature!
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
TrustEngineFactory.getSignatureKnownKeysTrustEngine());
@@ -132,8 +133,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
try {
provider = new MOAMetadataProvider();
} catch (MetadataProviderException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ Logger.error("Failed to get Metadata Provider");
+ throw new SecurityException("Failed to get Metadata Provider");
}
messageContext.setMetadataProvider(provider);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index acadd3cb4..0820b5d4f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -5,23 +5,31 @@ import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
public class SoapBinding implements IDecoder, IEncoder {
public MOARequest decodeRequest(HttpServletRequest req,
HttpServletResponse resp) throws MessageDecodingException,
- SecurityException {
+ SecurityException, PVP2Exception {
HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder();
BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext =
new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>();
@@ -40,20 +48,8 @@ public class SoapBinding implements IDecoder, IEncoder {
public MOAResponse decodeRespone(HttpServletRequest req,
HttpServletResponse resp) throws MessageDecodingException,
- SecurityException {
- HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder();
- BasicSAMLMessageContext<Response, ?, ?> messageContext =
- new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
- messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(
- req));
- soapDecoder.decode(messageContext);
-
- Response inboundMessage = (Response) messageContext
- .getInboundMessage();
-
- MOAResponse moaResponse = new MOAResponse(inboundMessage);
- return moaResponse;
+ SecurityException, PVP2Exception {
+ throw new BindingNotSupportedException(SAMLConstants.SAML2_SOAP11_BINDING_URI + " response");
}
public boolean handleDecode(String action, HttpServletRequest req) {
@@ -62,15 +58,35 @@ public class SoapBinding implements IDecoder, IEncoder {
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
RequestAbstractType request, String targetLocation)
- throws MessageEncodingException, SecurityException {
- // TODO Auto-generated method stub
+ throws MessageEncodingException, SecurityException, PVP2Exception {
}
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
StatusResponseType response, String targetLocation)
- throws MessageEncodingException, SecurityException {
-
+ throws MessageEncodingException, SecurityException, PVP2Exception {
+ try {
+ Credential credentials = CredentialProvider
+ .getIDPSigningCredential();
+
+ HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder();
+ HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+ resp, true);
+ BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ SingleSignOnService service = new SingleSignOnServiceBuilder()
+ .buildObject();
+ service.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+ service.setLocation(targetLocation);
+ context.setOutboundSAMLMessageSigningCredential(credentials);
+ context.setPeerEntityEndpoint(service);
+ context.setOutboundSAMLMessage(response);
+ context.setOutboundMessageTransport(responseAdapter);
+
+ encoder.encode(context);
+ } catch (CredentialsNotAvailableException e) {
+ e.printStackTrace();
+ throw new SecurityException(e);
+ }
}
}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 8089b851c..aa0418e77 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -35,6 +35,7 @@ auth.14=Zertifikat konnte nicht ausgelesen werden.
auth.15=Fehler bei Anfrage an Vollmachten Service.
auth.16=Fehler bei Abarbeitung der Vollmacht in "{0}"
auth.17=Vollmachtenmodus für nicht-öffentlichen Bereich wird nicht unterstützt.
+auth.18=Die Authentifizierung kann nicht passiv durchgeführt werden.
init.00=MOA ID Authentisierung wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround: SSL ist möglicherweise nicht verfügbar
@@ -184,3 +185,18 @@ stork.07=Es existiert kein STORK AuthnRequest für diese STORK Response
stork.08=STORK SAML Assertion Validierung fehlgeschlagen
stork.09=Fehler beim Überprüfen der STORK BürgerInnen Signatur
stork.10=Fehler in der Verbindung zum SZR-Gateway
+
+pvp2.00={0} ist kein gueltiger consumer service index
+pvp2.01=Fehler beim kodieren der PVP2 Antwort
+pvp2.02=Ungueltiges Datumsformat
+pvp2.03=Vollmachtattribute nicht in Metadaten verfuegbar
+pvp2.04=Kein Authorisierungs Context verfuegbar
+pvp2.05=Es wird nur {0} als QAA unterstuetzt
+pvp2.06=Keine Vollmacht verfuegbar
+pvp2.07=SAML Anfrage nicht korrekt digital signiert
+pvp2.08=Keine Credentials fuer {0} verfuegbar
+pvp2.09=SAML Anfrage wird nicht unterstuetzt
+pvp2.10=Attribut {0} nicht verfuegbar
+pvp2.11=Binding {0} wird nicht unterstuetzt
+pvp2.12=NameID Format {0} wird nicht unterstuetzt
+pvp2.13=Interner Server Fehler \ No newline at end of file