From 42e2547a52439611b52e6a42c6e1098acff997c6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 7 Feb 2014 12:46:53 +0100 Subject: * use MOADefaultBootstrap to set SHA256 as default security parameter * SAMLEngine: deaktivate DefaultBootStrap. --- .../id/demoOA/servlet/pvp2/DemoApplication.java | 13 ++++++----- .../moa/id/auth/AuthenticationServer.java | 4 ++-- .../id/config/auth/AuthConfigurationProvider.java | 4 +++- .../moa/id/protocols/pvp2x/MetadataAction.java | 26 ++++++++++++++++++++-- .../moa/id/protocols/pvp2x/PVPConstants.java | 9 ++++++++ .../protocols/pvp2x/config/PVPConfiguration.java | 4 +++- .../pvp2x/requestHandler/AuthnRequestHandler.java | 23 ++++++++----------- .../java/eu/stork/peps/auth/engine/SAMLEngine.java | 13 ++++++----- 8 files changed, 65 insertions(+), 31 deletions(-) diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java index 0b30d7d86..dcd478864 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.demoOA.servlet.pvp2; import java.io.IOException; +import java.security.Key; import java.security.KeyStore; import java.util.ArrayList; import java.util.List; @@ -55,6 +56,7 @@ import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.SecurityHelper; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; @@ -149,6 +151,11 @@ public class DemoApplication extends HttpServlet { Logger.info("PVP2 Assertion is valid"); + //set assertion + org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); + String assertion = DOMUtils.serializeNode(doc); + bean.setAssertion(assertion); + if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { List saml2assertions = new ArrayList(); @@ -177,7 +184,7 @@ public class DemoApplication extends HttpServlet { encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); Decrypter samlDecrypter = - new Decrypter(null, skicr, encryptedKeyResolver); + new Decrypter(null, skicr, encryptedKeyResolver); for (EncryptedAssertion encAssertion : encryAssertionList) { saml2assertions.add(samlDecrypter.decrypt(encAssertion)); @@ -219,10 +226,6 @@ public class DemoApplication extends HttpServlet { } } - org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); - String assertion = DOMUtils.serializeNode(doc); - - bean.setAssertion(assertion); bean.setDateOfBirth(birthday); bean.setFamilyName(familyName); bean.setGivenName(givenName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a5e92c701..d8d375db2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -265,10 +265,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (domainIdentifier.startsWith(PREFIX_WPBK)) { - isbuisness = false; + isbuisness = true; } else { - isbuisness = true; + isbuisness = false; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 304b63de0..c0f47d781 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -110,6 +110,7 @@ import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed; import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig; import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.IssuerAndSerial; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -365,7 +366,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //Initialize OpenSAML for STORK Logger.info("Starting initialization of OpenSAML..."); - DefaultBootstrap.bootstrap(); + MOADefaultBootstrap.bootstrap(); + //DefaultBootstrap.bootstrap(); Logger.debug("OpenSAML successfully initialized"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 78fe43daa..7e6d1e2c7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -36,6 +36,7 @@ import javax.xml.transform.stream.StreamResult; import org.joda.time.DateTime; import org.opensaml.Configuration; +import org.opensaml.common.impl.SAMLObjectContentReference; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.metadata.ContactPerson; @@ -45,12 +46,15 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.ContentReference; import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; @@ -114,13 +118,31 @@ public class MetadataAction implements IAction { Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); Signature signature = CredentialProvider .getIDPSignature(metadataSigningCredential); + + idpEntitiesDescriptor.setSignature(signature); + +// //set SignatureMethode +// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +// +// //set DigestMethode +// List contentList = signature.getContentReferences(); +// for (ContentReference content : contentList) { +// +// if (content instanceof SAMLObjectContentReference) { +// +// SAMLObjectContentReference el = (SAMLObjectContentReference) content; +// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +// +// } +// } + // KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); // KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); // //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); // signature.setKeyInfo(metadataKeyInfo ); - idpEntitiesDescriptor.setSignature(signature); + IDPSSODescriptor idpSSODescriptor = SAML2Utils .createSAMLObject(IDPSSODescriptor.class); @@ -222,7 +244,7 @@ public class MetadataAction implements IAction { String metadataXML = sw.toString(); - //System.out.println("METADATA: " + metadataXML); + System.out.println("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); httpResp.getOutputStream().write(metadataXML.getBytes()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 0172cce2d..7946c7596 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -22,8 +22,17 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.signature.SignatureConstants; + public interface PVPConstants { + public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; + public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; + public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128; + public static final String DEFAULT_ASYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP; + + public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/"; public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1"; public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 5d71b915f..bf82efb79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -33,6 +33,7 @@ import java.util.Properties; import java.util.jar.Attributes; import java.util.jar.Manifest; +import org.opensaml.Configuration; import org.opensaml.saml2.metadata.Company; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; @@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.OrganizationName; import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; +import org.opensaml.xml.security.SecurityConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; @@ -115,7 +117,7 @@ public class PVPConfiguration { try { //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); - + } catch (ConfigurationException e) { e.printStackTrace(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 21c0d85a1..229158778 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import java.util.ArrayList; import java.util.List; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -45,7 +44,6 @@ import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCriteria; import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.encryption.EncryptionException; import org.opensaml.xml.encryption.EncryptionParameters; import org.opensaml.xml.encryption.KeyEncryptionParameters; @@ -57,6 +55,7 @@ import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xml.security.x509.X509Credential; + import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -125,12 +124,11 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { AssertionConsumerService consumerService = spSSODescriptor .getAssertionConsumerServices().get(idx); - if (consumerService == null) { - //TODO: maybe use default ConsumerService - + if (consumerService == null) { throw new InvalidAssertionConsumerServiceException(idx); } + String oaURL = consumerService.getLocation(); //check, if metadata includes an encryption key @@ -158,19 +156,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { try { EncryptionParameters dataEncParams = new EncryptionParameters(); - dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); - + dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); + List keyEncParamList = new ArrayList(); KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); + keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() .getKeyInfoGeneratorManager().getDefaultManager() .getFactory(encryptionCredentials); keyEncParam.setKeyInfoGenerator(kigf.newInstance()); keyEncParamList.add(keyEncParam); - + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); samlEncrypter.setKeyPlacement(KeyPlacement.PEER); @@ -178,7 +176,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { EncryptedAssertion encryptAssertion = null; encryptAssertion = samlEncrypter.encrypt(assertion); - + authResponse.getEncryptedAssertions().add(encryptAssertion); } catch (EncryptionException e1) { @@ -191,10 +189,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { authResponse.getAssertions().add(assertion); } - - - - + IEncoder binding = null; if (consumerService.getBinding().equals( diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java index 48718242b..e993c0e46 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java @@ -143,12 +143,13 @@ public class SAMLEngine { LOG.info("SAMLEngine: Initialize OpenSAML"); - try { - DefaultBootstrap.bootstrap(); - } catch (ConfigurationException e) { - LOG.error("Problem initializing the OpenSAML library."); - throw new STORKSAMLEngineRuntimeException(e); - } + //TLenz: MOA-ID uses an own Bootstrap +// try { +// DefaultBootstrap.bootstrap(); +// } catch (ConfigurationException e) { +// LOG.error("Problem initializing the OpenSAML library."); +// throw new STORKSAMLEngineRuntimeException(e); +// } LOG.debug("Read all file configurations. (instances of SAMLEngine)"); try { -- cgit v1.2.3