From 74e5abe316de5748073cc69ca7ad1202b48daa5a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 13 Mar 2018 13:55:21 +0100 Subject: add configuration parameter to disable 'targetFriendlyName' validation in signed AuthBlock --- id/server/data/deploy/conf/moa-id/moa-id.properties | 2 ++ id/server/doc/handbook/config/config.html | 9 ++++++++- id/server/idserverlib/pom.xml | 11 +++++++++++ .../egovernment/moa/id/auth/MOAIDAuthInitializer.java | 5 +++++ .../moa/id/config/ConfigurationProviderImpl.java | 6 +++++- .../moa/id/config/auth/OAAuthParameter.java | 4 ++-- id/server/moa-id-commons/pom.xml | 1 + .../egovernment/moa/id/auth/AuthenticationServer.java | 9 +++++++-- .../internal/tasks/VerifyAuthenticationBlockTask.java | 8 +++++++- .../CreateXMLSignatureResponseValidator.java | 19 ++++++++++++++----- 10 files changed, 62 insertions(+), 12 deletions(-) diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index fa6bccef0..24fe78261 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties @@ -18,6 +18,8 @@ configuration.moasession.key=SessionEncryptionKey configuration.moaconfig.key=ConfigurationEncryptionKey configuration.ssl.validation.revocation.method.order=ocsp,crl #configuration.ssl.validation.hostname=false +#configuration.validate.authblock.targetfriendlyname=true< + #MOA-ID 3.x Monitoring Servlet configuration.monitoring.active=false diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 8b2f6a632..9e70c073d 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -422,6 +422,13 @@ UNIX: moa.id.configuration=file:C:/Programme/apache/tomcat-8.x.x/conf/moa-id/moa

Hiermit kann die SSL Hostname validation für das abholen von PVP Metadaten deaktiviert werden.

Hinweis: Workaround, da der httpClient der openSAML2 Implementierung kein SNI (Server Name Indication) unterstützt.

+ + configuration.validate.authblock.targetfriendlyname + true / false + Hiermit kann die Überprüfung des 'TargetFriendlyName', welcher Teil des vom Benutzer signierten Authblock ist, deaktiviert werden. Eine Deaktivierung hat keinen Einfluss auf die Sicherheit des Authentifizierungsvorgangs mittels qualifizierter Signatur, jedoch kann der 'TargetFriendlyName im Authblock nicht als gesichert betrachtet werden.' Die Validierung ist deaktiviert wenn der Parameter auf false gesetzt wird.
+ Hinweis: Hierbei handelt es sich um einen Workaround für Systeme auf denen die Validierung des 'TargetFriendlyName' wegen Problemen mit der Zeichencodierung fehlschlägt, die Signatur des AuthBlocks jedoch gültig ist.
+ Defaultwert: true + configuration.monitoring.active true / false @@ -2190,7 +2197,7 @@ Alle in diesem Abschnitt angegebenen Parameter sind Optional und werden bei Beda

Hinweis: Bei Verwendung einer online-applikationsspezifischen Bürgerkartenauswahl stehen alle Parameter die die Bürgerkartenauswahl betreffen nicht zur Verfügung.

Hinweis: Bei Verwendung eines online-applikationsspezifischen Security-Layer-Request Templates stehen alle Parameter die das SL-Template betreffen nicht zur Verfügung.

3.2.10 Revisionslogging
-

Ab MOA-ID 3.x steht ein erweitertes speziell für Revisionsaufgaben abgestimmtest Logging zur Verfügung. Über dieses Feld können die zu loggenden Events als CSV codierte Eventcodes konfiguriert werden. Werden keine Eventcodes konfiguriert wird eine in MOA-ID hinterlegte Defaultkonfiguration verwendet. Eine Liste aller möglichen Eventcodes finden Sie hier.

+

Ab MOA-ID 3.x steht ein erweitertes speziell für Revisionsaufgaben abgestimmtest Logging zur Verfügung. Über dieses Feld können die zu loggenden Events spezifisch nach Online Applikationen als CSV codierte Eventcodes konfiguriert werden. Hierfür muss die online-applikationsspezifische Konfiguration des Loggings mittels Checkbox aktiviert und zumindesdt ein Eventcode definiert werden. Werden keine Eventcodes konfiguriert oder wird das OA spezifische Verhalten nicht aktiviertwird eine in MOA-ID hinterlegte Defaultkonfiguration verwendet. Eine Liste aller möglichen Eventcodes finden Sie hier.

3.3 Import / Export

Üer diese Funktionalität besteht die Möglichkeit eine bestehende MOA-ID 2.x.x Konfiguration in MOA-ID 3.x zu importieren. Zusätzlich besteht die Möglichkeit eine MOA-ID-Auth 3.0 diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index f859b6a45..ce1430aa0 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -530,6 +530,17 @@ + + org.apache.maven.plugins + maven-compiler-plugin + 3.6.1 + + 1.7 + 1.7 + UTF-8 + + + org.apache.maven.plugins maven-jar-plugin diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 3d45e2468..d09aac0f4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -35,6 +35,7 @@ import org.springframework.web.context.support.GenericWebApplicationContext; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SSLUtils; @@ -163,6 +164,10 @@ public class MOAIDAuthInitializer { fixJava8_141ProblemWithSSLAlgorithms(); + if (!authConf.getBasicMOAIDConfigurationBoolean(ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true)) + Logger.info("AuthBlock 'TargetFriendlyName' validation deactivated"); + + if (Logger.isDebugEnabled()) { Logger.debug("Loaded Security Provider:"); Provider[] providerList = Security.getProviders(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java index 804b98a5f..8b0134f9c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java @@ -103,7 +103,11 @@ public abstract class ConfigurationProviderImpl implements ConfigurationProvider public static final String TRUST_MANAGER_REVOCATION_CHECKING = "TrustManager.RevocationChecking"; - + /** + * Deactivate TargetFriendlyName validation in Authblock + */ + public static final String VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME = "configuration.validate.authblock.targetfriendlyname"; + /** * A Map which contains generic configuration information. Maps a * configuration name (a String) to a configuration value (also a diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 59bd3893d..5642861c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -76,7 +76,7 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; -import at.gv.egovernment.moa.id.commons.validation.TargetValidator; +import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; @@ -245,7 +245,7 @@ private String getTargetFriendlyName() { return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME); else - return TargetValidator.getTargetFriendlyName(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_TARGET)); + return TargetToSectorNameMapper.getSectorNameViaTarget(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_TARGET)); } diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index fd8ddc7fb..31fe6af26 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -321,6 +321,7 @@ 1.7 1.7 + UTF-8 diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 7c435d0b0..3d0073276 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -4,6 +4,7 @@ package at.gv.egovernment.moa.id.auth; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; +import java.io.UnsupportedEncodingException; import java.security.Principal; import java.security.cert.CertificateException; import java.util.Calendar; @@ -20,6 +21,7 @@ import org.apache.xpath.XPathAPI; import org.opensaml.xml.util.Base64; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import org.springframework.util.Base64Utils; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; @@ -65,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.logging.SpecificTraceLogger; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -447,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer { .build(authBlock, oaParam.getKeyBoxIdentifier(), transformsInfos); - SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest); + SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes())); SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString()); SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class)); SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class)); @@ -962,7 +965,9 @@ public class AuthenticationServer extends BaseAuthenticationServer { new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq); else - new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq); + new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, + authConfig.getBasicMOAIDConfigurationBoolean( + ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true)); // builds a for a MOA-SPSS call List vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs(); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java index ddd52c337..5730224e5 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.PARAM_XMLRESPONSE; import java.io.IOException; +import java.io.UnsupportedEncodingException; import java.util.Map; import javax.servlet.http.HttpServletRequest; @@ -12,6 +13,7 @@ import org.apache.commons.fileupload.FileUploadException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; +import org.springframework.util.Base64Utils; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.AuthenticationServer; @@ -19,9 +21,11 @@ import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.logging.SpecificTraceLogger; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).

@@ -79,7 +83,9 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask { } String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE); - + if (createXMLSignatureResponse != null) + SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes())); + try { //check if authblock is received if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse)) diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 8e3ccb01b..1d2887e6a 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -54,6 +54,7 @@ import java.util.List; import javax.xml.bind.DatatypeConverter; import org.jaxen.SimpleNamespaceContext; +import org.springframework.util.Base64Utils; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; @@ -135,7 +136,7 @@ public class CreateXMLSignatureResponseValidator { * @throws BuildException * @throws ConfigurationException */ - public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq) + public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName) throws ValidateException, BuildException, ConfigurationException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); @@ -272,8 +273,16 @@ public class CreateXMLSignatureResponseValidator { } String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; - if (!refValueSector.equals((String)samlAttribute.getValue())) - throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector}); + if (!refValueSector.equals((String)samlAttribute.getValue())) { + if (validateTargetFriendlyName) + throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector}); + + else { + Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector); + + } + + } } else throw new ValidateException("validator.12", null); @@ -429,7 +438,7 @@ public class CreateXMLSignatureResponseValidator { } catch (Exception e) { SpecificTraceLogger.trace("Validate AuthBlock without SSO"); - SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock()); + SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes())); SpecificTraceLogger.trace("OA config: " + oaParam.toString()); SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget); SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName); @@ -662,7 +671,7 @@ public class CreateXMLSignatureResponseValidator { } catch (Exception e) { SpecificTraceLogger.trace("Validate AuthBlock with SSO"); - SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock()); + SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes())); SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString()); throw e; -- cgit v1.2.3