From ac7930ec5d3505dc9ef47fef045d6b5bae53eadb Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 26 Jul 2017 15:35:42 +0200 Subject: fix some bugs in combination with eIDAS saml-engine 1.3 --- .../java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java | 3 ++- .../modules/eidas/engine/validation/MoaEidasConditionsValidator.java | 4 ++-- .../moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java | 4 ++-- .../gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java | 1 + 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index adf6c4979..c0101b553 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -72,7 +72,8 @@ public class Constants { //timeouts and clock skews - public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation + public static final long CONFIG_PROPS_SKEWTIME_BEFORE = -2 * 60 * 1000; //5 minutes skew time for response validation + public static final long CONFIG_PROPS_SKEWTIME_AFTER = 2 * 60 * 1000; //5 minutes skew time for response validation public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days //eIDAS request parameters diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java index d9453322f..9895ca79f 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java @@ -56,7 +56,7 @@ public class MoaEidasConditionsValidator extends ConditionsSpecValidator { throw new ValidationException("NotBefore is required."); } - if (conditions.getNotBefore().minusMillis(Constants.CONFIG_PROPS_SKEWTIME).isAfterNow()) { + if (conditions.getNotBefore().plusMillis((int)Constants.CONFIG_PROPS_SKEWTIME_BEFORE).isAfterNow()) { throw new ValidationException("Current time is before NotBefore condition"); } @@ -64,7 +64,7 @@ public class MoaEidasConditionsValidator extends ConditionsSpecValidator { throw new ValidationException("NotOnOrAfter is required."); } - if (conditions.getNotOnOrAfter().isBeforeNow()) { + if (conditions.getNotOnOrAfter().plusMillis((int)Constants.CONFIG_PROPS_SKEWTIME_AFTER).isBeforeNow()) { throw new ValidationException("Current time is after NotOnOrAfter condition"); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index a31bbaf02..17e112c4c 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -57,8 +57,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //validate SAML token IAuthenticationResponse samlResp = engine.unmarshallResponseAndValidate(decSamlToken, request.getRemoteHost(), - Constants.CONFIG_PROPS_SKEWTIME, - Constants.CONFIG_PROPS_SKEWTIME, + Constants.CONFIG_PROPS_SKEWTIME_BEFORE, + Constants.CONFIG_PROPS_SKEWTIME_AFTER, pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA); if (samlResp.isEncrypted()) { diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java index bfe410fc2..cc9b09107 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java @@ -126,6 +126,7 @@ public class EidasMetaDataRequest implements IAction { metadataConfigBuilder.entityID(metadata_url); metadataConfigBuilder.assertionConsumerUrl(sp_return_url); + metadataConfigBuilder.addProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI); metadataConfigBuilder.addProtocolBindingLocation( SAMLConstants.SAML2_POST_BINDING_URI, pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST); -- cgit v1.2.3