From c8223bd5aaf9466fb6c72fe8a5a13b1b105b7c17 Mon Sep 17 00:00:00 2001 From: "harald.bratko" Date: Fri, 22 Jul 2005 15:11:48 +0000 Subject: updated for wbPK git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@398 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/auth/AuthenticationServer.java | 171 ++++++++++++++++----- .../moa/id/auth/MOAIDAuthConstants.java | 2 + .../AuthenticationBlockAssertionBuilder.java | 96 +++++++++--- .../AuthenticationDataAssertionBuilder.java | 65 ++++++-- .../CertInfoVerifyXMLSignatureRequestBuilder.java | 54 +++++-- .../builder/CreateXMLSignatureRequestBuilder.java | 72 ++++++--- .../auth/builder/GetIdentityLinkFormBuilder.java | 8 +- .../id/auth/builder/InfoboxReadRequestBuilder.java | 71 +++++++-- .../moa/id/auth/data/AuthenticationSession.java | 49 +++++- .../moa/id/auth/data/SAMLAttribute.java | 109 ++++++------- .../parser/CreateXMLSignatureResponseParser.java | 65 ++++++-- .../moa/id/auth/parser/ErrorResponseParser.java | 37 ++--- .../id/auth/parser/InfoboxReadResponseParser.java | 38 +++-- .../parser/VerifyXMLSignatureResponseParser.java | 1 + .../moa/id/auth/servlet/SelectBKUServlet.java | 3 +- .../servlet/VerifyAuthenticationBlockServlet.java | 7 +- .../CreateXMLSignatureResponseValidator.java | 98 ++++++++---- .../VerifyXMLSignatureResponseValidator.java | 21 ++- 18 files changed, 701 insertions(+), 266 deletions(-) (limited to 'id.server/src/at/gv/egovernment/moa/id/auth') diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 4c44e807c..8cb71402f 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.id.auth; import iaik.pki.PKIException; +import iaik.x509.X509Certificate; import java.io.IOException; import java.security.GeneralSecurityException; 
@@ -12,6 +13,8 @@ import java.util.Iterator; import java.util.Map; import java.util.Set; +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import at.gv.egovernment.moa.id.AuthenticationException; @@ -47,6 +50,7 @@ import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidat import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; +import at.gv.egovernment.moa.id.config.OAParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; @@ -55,7 +59,9 @@ import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.BoolUtils; +import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; @@ -139,8 +145,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new AuthenticationException("auth.07", new Object[] { authURL + "*" }); if (isEmpty(authURL)) throw new WrongParametersException("StartAuthentication", "AuthURL"); - if (isEmpty(target)) - throw new WrongParametersException("StartAuthentication", PARAM_TARGET); if (isEmpty(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA); 
@@ -154,6 +158,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { oaURL }); + + if (!oaParam.getBusinessService()) { + if (isEmpty(target)) + throw new WrongParametersException("StartAuthentication", PARAM_TARGET); + } else { + if (!isEmpty(target)) { + Logger.info("Ignoring target parameter thus application type is \"businessService\""); + } + target = null; + } + AuthenticationSession session = newSession(); Logger.info("MOASession " + session.getSessionID() + " angelegt"); session.setTarget(target); @@ -161,6 +176,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); session.setAuthURL(authURL); session.setTemplateURL(templateURL); + session.setBusinessService(oaParam.getBusinessService()); String returnURL = new DataURLBuilder().buildDataURL(authURL, REQ_START_AUTHENTICATION, session.getSessionID()); String bkuSelectionType = AuthConfigurationProvider.getInstance().getBKUSelectionType(); 
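Review bot: The log line on the business-service branch reads oddly ("thus" where "because" is meant) and names an "application type" although what was checked is the `businessService` flag; `Logger.info("Ignoring target parameter because the online application is configured as a business service");` says what actually happened. The negated `if (!oaParam.getBusinessService())` with the business-service case in the `else` also reads backwards next to that message — putting the business-service case first would match it. The enclosing method starts before the hunk and continues after it.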
@@ -258,28 +274,45 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider.FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY); if ((!authURL.startsWith("https:")) && (false == BoolUtils.valueOf(boolStr))) throw new AuthenticationException("auth.07", new Object[] { authURL + "*" }); - if (isEmpty(target)) - throw new WrongParametersException("StartAuthentication", PARAM_TARGET); if (isEmpty(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA); } AuthenticationSession session; - if (sessionID != null) + OAAuthParameter oaParam; + if (sessionID != null) { session = getSession(sessionID); - else { - OAAuthParameter oaParam = + oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + } else { + oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { oaURL }); + if (!oaParam.getBusinessService()) { + if (isEmpty(target)) + throw new WrongParametersException("StartAuthentication", PARAM_TARGET); + } else { + target = null; + } session = newSession(); Logger.info("MOASession " + session.getSessionID() + " angelegt"); session.setTarget(target); session.setOAURLRequested(oaURL); session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); session.setAuthURL(authURL); - session.setTemplateURL(templateURL); + session.setTemplateURL(templateURL); + session.setBusinessService(oaParam.getBusinessService()); + } + // BKU URL has not been set yet, even if session already exists + if (bkuURL == null) { + bkuURL = DEFAULT_BKU; } - String infoboxReadRequest = new InfoboxReadRequestBuilder().build(); + session.setBkuURL(bkuURL); + String infoboxReadRequest = + new InfoboxReadRequestBuilder().build(oaParam.getSlVersion12(), + oaParam.getBusinessService(), + oaParam.getIdentityLinkDomainIdentifier()); String dataURL = new DataURLBuilder().buildDataURL( 
session.getAuthURL(), @@ -296,7 +329,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { ex); } } - String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(); + String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(oaParam.getSlVersion12()); String certInfoDataURL = new DataURLBuilder().buildDataURL( session.getAuthURL(), 
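Review bot: In the `sessionID != null` branch `oaParam` is looked up from `session.getPublicOAURLPrefix()` and then dereferenced (`oaParam.getSlVersion12()`, `oaParam.getBusinessService()`) without the null check the `else` branch performs, so an OA removed from the configuration while a session is in flight ends in a NullPointerException instead of the `auth.00` error; add `if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() });` right after the lookup. `bkuURL` is stored in the session as received; if it originates from the request's `bkuURI` parameter (as `PARAM_BKU` in MOAIDAuthConstants suggests), the citizen's browser will post the InfoboxReadRequest to whatever URL a crafted start link names, so before `session.setBkuURL(bkuURL)` the value should at least be checked to be a syntactically valid absolute URL and preferably matched against the configured BKU selection list. The method this hunk belongs to starts before the hunk and continues after it.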
@@ -371,25 +404,38 @@ public class AuthenticationServer implements MOAIDAuthConstants { // debug output if(null != domVerifyXMLSignatureResponse) OutputXML2File.debugOutputXML2File("VerifyIdentityLinkResponse.xml", domVerifyXMLSignatureResponse, DEBUG_OUTPUT_HIERARCHY); + if (identityLink.getIdentificationType().equalsIgnoreCase(Constants.URN_PREFIX_BASEID)) { + } + + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + + // if OA is type is business service the manifest validation result has to be ignored + boolean ignoreManifestValidationResult = oaParam.getBusinessService() ? true : false; + // validates the VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, authConf.getIdentityLinkX509SubjectNames(), - VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK); + VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, + ignoreManifestValidationResult); session.setIdentityLink(identityLink); // builds the AUTH-block String authBlock = buildAuthenticationBlock(session); - session.setAuthBlock(authBlock); +// session.setAuthBlock(authBlock); // builds the - String[] transformInfos = authConf.getTransformsInfos(); - - OAAuthParameter oaParam = - AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( - session.getPublicOAURLPrefix()); - + String[] transformsInfos = oaParam.getTransformsInfos(); + if ((transformsInfos == null) || (transformsInfos.length == 0)) { + // no OA specific transforms specified, use default ones + transformsInfos = authConf.getTransformsInfos(); + } String createXMLSignatureRequest = - new CreateXMLSignatureRequestBuilder().build(authBlock, oaParam.getKeyBoxIdentifier(), transformInfos); + new CreateXMLSignatureRequestBuilder().build(authBlock, + oaParam.getKeyBoxIdentifier(), + transformsInfos, + oaParam.getSlVersion12()); return createXMLSignatureRequest; } /** 
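Review bot: The new `if (identityLink.getIdentificationType().equalsIgnoreCase(Constants.URN_PREFIX_BASEID)) { }` has an empty body, so it is either a leftover or a check that was meant to be written — if the intent was to refuse a base-ID identity link for a business-service OA (or the reverse), it needs a body; otherwise it should be deleted. Ignoring the manifest validation result whenever the OA is a business service relaxes the identity-link signature verification for a whole class of applications with no stated reason; the comment should say why, e.g. `// business-service identity links: the manifest check result is not authoritative here (see <spec ref>); all other checks still apply`, and `oaParam.getBusinessService() ? true : false` is just `oaParam.getBusinessService()`. The commented-out `session.setAuthBlock(authBlock)` should be removed rather than kept, since the signed block is now stored from the BKU response instead. The enclosing method starts before the hunk.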
@@ -401,12 +447,21 @@ public class AuthenticationServer implements MOAIDAuthConstants { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getGivenName() + " " + identityLink.getFamilyName(); String gebDat = identityLink.getDateOfBirth(); + String identificationValue = identityLink.getIdentificationValue(); + String identificationType = identityLink.getIdentificationType(); String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); String authURL = session.getAuthURL(); String target = session.getTarget(); String oaURL = session.getPublicOAURLPrefix(); - String authBlock = - new AuthenticationBlockAssertionBuilder().build(issuer, issueInstant, authURL, target, oaURL, gebDat); + String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(issuer, + issueInstant, + authURL, + target, + identificationValue, + identificationType, + oaURL, + gebDat); + return authBlock; } /** 
@@ -450,13 +505,18 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); // parses CreateXMLSignatureResponse csresp = - new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse(); + new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse(); + try { + String serializedAssertion = DOMUtils.serializeNode(csresp.getSamlAssertion()); + session.setAuthBlock(serializedAssertion); + } catch (TransformerException e) { + throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + } catch (IOException e) { + throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + } // validates - new CreateXMLSignatureResponseValidator().validate( - csresp, - session.getTarget(), - session.getPublicOAURLPrefix()); - // builds a for a MOA-SPSS call + new CreateXMLSignatureResponseValidator().validate(csresp, session); + // builds a for a MOA-SPSS call String[] vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs(); String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); Element domVsreq = new VerifyXMLSignatureRequestBuilder().build(csresp, vtids, tpid); @@ -474,7 +534,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { VerifyXMLSignatureResponseValidator.getInstance().validate( vsresp, null, - VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK); + VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, + true); // compares the public keys from the identityLink with the AuthBlock VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( vsresp, 
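Review bot: Both new catch blocks throw `ParseException("parser.04", …)` and drop the original exception, so a failed serialization of the BKU's assertion cannot be diagnosed from the logs; if `ParseException` has no cause-taking constructor, at least `Logger.error("Could not serialize the AuthBlock assertion", e);` before rethrowing. The serialized assertion is also written into the session before `CreateXMLSignatureResponseValidator.validate(csresp, session)` runs; unless the validator reads it back from the session, `session.setAuthBlock(serializedAssertion)` should move after validation so a session never carries an assertion that failed the checks. The enclosing method starts before the hunk.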
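Review bot: The AuthBlock verification now passes a literal `true` as the ignore-manifest-validation-result flag, which switches that part of the MOA-SP result off unconditionally, and nothing says why. If this is deliberate because the AuthBlock transforms are checked through the configured verify-transforms profile (`getMoaSpAuthBlockVerifyTransformsInfoIDs()` is used a few lines up), say so next to the call: `// manifest result ignored: AuthBlock transforms are checked via the VerifyTransformsInfo profile`; if it is not deliberate, pass `false`. The surrounding method continues outside the hunk.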
@@ -507,36 +568,64 @@ public class AuthenticationServer implements MOAIDAuthConstants { IdentityLink identityLink = session.getIdentityLink(); AuthenticationData authData = new AuthenticationData(); + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + boolean businessService = oaParam.getBusinessService(); authData.setMajorVersion(1); authData.setMinorVersion(0); authData.setAssertionID(Random.nextRandom()); authData.setIssuer(session.getAuthURL()); authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance())); - String bpkBase64 = - new BPKBuilder().buildBPK( - identityLink.getIdentificationValue(), - session.getTarget()); - authData.setIdentificationType(identityLink.getIdentificationType()); - authData.setPBK(bpkBase64); + + authData.setIdentificationType(identityLink.getIdentificationType()); authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); authData.setQualifiedCertificate(verifyXMLSigResp.isQualifiedCertificate()); authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); authData.setPublicAuthorityCode(verifyXMLSigResp.getPublicAuthorityCode()); - OAAuthParameter oaParam = - AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( - session.getPublicOAURLPrefix()); - String prPerson = new PersonDataBuilder().build(identityLink, oaParam.getProvideStammzahl()); - - try { + authData.setBkuURL(session.getBkuURL()); + boolean provideStammzahl = oaParam.getProvideStammzahl(); + if (provideStammzahl) { + authData.setIdentificationValue(identityLink.getIdentificationValue()); + } + String prPerson = new PersonDataBuilder().build(identityLink, provideStammzahl); + + try { + String signerCertificateBase64 = ""; + if (oaParam.getProvideCertifcate()) { + X509Certificate signerCertificate = verifyXMLSigResp.getX509certificate(); + if 
(signerCertificate != null) { + signerCertificateBase64 = Base64Utils.encode(signerCertificate.getEncoded()); + } else { + Logger.info("\"provideCertificate\" is \"true\", but no signer certificate available"); + } + } + authData.setSignerCertificate(signerCertificateBase64); + if (businessService) { + authData.setWPBK(identityLink.getIdentificationValue()); + } else { + // only compute bPK if online applcation is a public service + String bpkBase64 = + new BPKBuilder().buildBPK( + identityLink.getIdentificationValue(), + session.getTarget()); + authData.setPBK(bpkBase64); + } String ilAssertion = oaParam.getProvideIdentityLink() ? DOMUtils.serializeNode(identityLink.getSamlAssertion()) : ""; String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : ""; String samlAssertion = - new AuthenticationDataAssertionBuilder().build(authData, prPerson, authBlock, ilAssertion); + new AuthenticationDataAssertionBuilder().build(authData, + prPerson, + authBlock, + ilAssertion, + session.getBkuURL(), + signerCertificateBase64, + businessService); authData.setSamlAssertion(samlAssertion); return authData; } catch (Throwable ex) { diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index ddba20049..15d21b4b9 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -16,6 +16,8 @@ public interface MOAIDAuthConstants { public static final String PARAM_BKU = "bkuURI"; /** servlet parameter "BKUSelectionTemplate" */ public static final String PARAM_BKUTEMPLATE = "BKUSelectionTemplate"; + /** default BKU URL */ + public static final String DEFAULT_BKU = "http://localhost:3495/http-security-layer-request"; /** servlet parameter "returnURI" */ public static final String PARAM_RETURN = "returnURI"; /** servlet parameter "Template" */ 
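Review bot: For a business-service OA `authData.setWPBK(identityLink.getIdentificationValue())` copies the identity link's identification value without checking its type, so if a base-ID (Stammzahl) identity link reaches this point — the empty `if` on `Constants.URN_PREFIX_BASEID` added elsewhere in this commit suggests that case was anticipated — the person's base identifier would be released to the OA labelled as a wbPK; guard it with `if (Constants.URN_PREFIX_BASEID.equalsIgnoreCase(identityLink.getIdentificationType())) throw …` using the exception type the method already declares, unless the validator is known to reject that combination earlier. `authData.setBkuURL(session.getBkuURL())` also forwards the session's BKU URL into the assertion handed to the OA, so whatever validation that URL received at session creation is all the OA gets to rely on; a comment there stating that the value is request-supplied would keep that visible. The `oaParam` lookup has no null check, as before this change. The enclosing method starts before the hunk and ends after it.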
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index 41f439d04..ec412deb3 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -12,26 +12,39 @@ import at.gv.egovernment.moa.util.Constants; * @version $Id$ */ public class AuthenticationBlockAssertionBuilder implements Constants { - /** private static String nl contains the NewLine representation in Java*/ + /** the NewLine representation in Java*/ private static String nl = "\n"; - /** private static String AUTH_BLOCK contains an XML-Auth-Block-Template */ + /** template for the Auth-Block */ private static String AUTH_BLOCK = - "" + nl + - " " + nl + - " " + nl + - " {2}" + nl + - " " + nl + - " " + nl + - " {3}" + nl + - " " + nl + - " " + nl + - " {4}" + nl + - " " + nl + - " " + nl + - " {5}" + nl + - " " + nl + - " " + nl + - ""; + "" + nl + + " " + nl + + " " + nl + + " {3}" + nl + + " " + nl + + "{4}" + + " " + nl + + " {5}" + nl + + " " + nl + + " " + nl + + " {6}" + nl + + " " + nl + + " " + nl + + ""; + + private static String GESCHAEFTS_BEREICH_ATTRIBUTE = + " " + nl + + " {0}" + nl + + " " + nl; + + private static String WBPK_ATTRIBUTE = + " " + nl + + " " + nl + + " " + nl + + " {0}" + nl + + " {1}" + nl + + " " + nl + + " " + nl + + " " + nl; /** * Constructor for AuthenticationBlockAssertionBuilder. 
@@ -39,21 +52,56 @@ public class AuthenticationBlockAssertionBuilder implements Constants { public AuthenticationBlockAssertionBuilder() { super(); } + /** - * Builds the authentication block <saml:Assertion>. + * Builds the authentication block <saml:Assertion> * * @param issuer authentication block issuer; "GivenName FamilyName" * @param issueInstant current timestamp * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich" + * @param target "Geschäftsbereich"; maybe null if the application + * is a business application + * @param identityLinkValue the content of the <pr:Value> + * child element of the <pr:Identification> + * element derived from the Identitylink; this is the + * value of the wbPK; + * maybe null if the application is a public service + * @param identiyLinkType the content of the <pr:Type> + * child element of the <pr:Identification> + * element derived from the Identitylink; this includes the + * URN prefix and the identification number of the business + * application used as input for wbPK computation; + * maybe null if the application is a public service * @param oaURL public URL of online application requested * @return String representation of authentication block * <saml:Assertion> built */ - public String build(String issuer, String issueInstant, String authURL, String target, String oaURL, String GebDat) { - String assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { issuer, issueInstant, authURL, target, oaURL, GebDat}); - return assertion; + public String buildAuthBlock(String issuer, + String issueInstant, + String authURL, + String target, + String identityLinkValue, + String identityLinkType, + String oaURL, + String GebDat) + { + + String gebeORwbpk = ""; + String wbpkNSDeclaration = ""; + if (target == null) { + // OA is a business application + gebeORwbpk = MessageFormat.format( + WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); + wbpkNSDeclaration = " 
xmlns:pr=\"" + PD_NS_URI + "\" xmlns:si=\"" + PD_NS_URI + "\""; + } else { + gebeORwbpk = MessageFormat.format( + GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); + } + + String assertion = MessageFormat.format( + AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, issueInstant, authURL, gebeORwbpk, oaURL, GebDat}); + return assertion; + } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index eaf9aa0ae..cdb660010 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -26,19 +26,23 @@ public class AuthenticationDataAssertionBuilder implements Constants { " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + " " + NL + " " + NL + - " {3}" + NL + + " {4}" + NL + " " + NL + " " + MOA_NS_URI + "cm" + NL + - " {4}{5}" + NL + + " {5}{6}" + NL + " " + NL + " " + NL + " " + NL + - " {6}" + NL + + " {7}" + NL + " " + NL + " " + NL + - " {7}" + NL + + " {8}" + NL + " " + NL + - "{8}" + + " " + NL + + " {9}" + NL + + " " + NL + + "{10}" + + "{11}" + " " + NL + ""; /** @@ -49,6 +53,11 @@ public class AuthenticationDataAssertionBuilder implements Constants { " " + NL + " {0}" + NL + " " + NL; + + private static final String SIGNER_CERTIFICATE_ATT = + " " + NL + + " {0}" + NL + + " " + NL; /** * Constructor for AuthenticationDataAssertionBuilder. 
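Review bot: In the business-application branch `xmlns:si` is bound to `PD_NS_URI`, the same URI as `xmlns:pr`; since the `WBPK_ATTRIBUTE` template presumably uses an `si:` prefix for a different vocabulary, this looks like a copy-paste slip and should be checked against the intended namespace constant. `target`, `identityLinkValue` and `identityLinkType` are substituted via `MessageFormat` with no XML escaping, and for public-service OAs `target` arrives as a request parameter that is only checked for emptiness, so a `<` or `&` in it yields a malformed (or attacker-shaped) AuthBlock that the citizen is then asked to sign — escape `&`, `<`, `>` and `"` before substitution. In the Javadoc `identiyLinkType` is misspelled, `GebDat` has no `@param` at all and should be `gebDat` like the other parameters.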
@@ -67,6 +76,12 @@ public class AuthenticationDataAssertionBuilder implements Constants { * lt;saml:SubjectConfirmationData> element; may include * the "Stammzahl" or not; may be empty * @param xmlIdentityLink the IdentityLink + * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe + * an empty string if the signer certificate should not be provided. + * Will be ignored if the businessService parameter is + * set to false. + * @param businessService true if the online application is a + * business service, otherwise false * @return the <saml:Assertion> * @throws BuildException if an error occurs during the build process */ @@ -74,7 +89,10 @@ public class AuthenticationDataAssertionBuilder implements Constants { AuthenticationData authData, String xmlPersonData, String xmlAuthBlock, - String xmlIdentityLink) throws BuildException { + String xmlIdentityLink, + String bkuURL, + String signerCertificateBase64, + boolean businessService) throws BuildException { String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; String publicAuthorityAttribute = ""; 
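Review bot: The new Javadoc states that `signerCertificateBase64` "Will be ignored if the businessService parameter is set to false", but nothing in the signature hunk ties the certificate to `businessService`, and the body changed in this same commit emits the attribute whenever the string is non-empty — either the sentence or the code is wrong; if the attribute really is business-service-only the body needs `if (businessService && …)`, otherwise drop the sentence. The added `bkuURL` parameter has no `@param` line; add `@param bkuURL URL of the BKU that produced the signature; inserted into the assertion unchanged`.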
@@ -85,17 +103,38 @@ public class AuthenticationDataAssertionBuilder implements Constants { publicAuthorityAttribute = MessageFormat.format( PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification }); } - + + + String signerCertificateAttribute = ""; + if (signerCertificateBase64 != "") { + signerCertificateAttribute = MessageFormat.format( + SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 }); + } + + String pkType; + String pkValue; + if (businessService) { + pkType = authData.getIdentificationType(); + pkValue = authData.getWPBK(); + + } else { + pkType = URN_PREFIX_BPK; + pkValue = authData.getPBK(); + } + String assertion = MessageFormat.format(AUTH_DATA, new Object[] { - authData.getAssertionID(), + authData.getAssertionID(), authData.getIssuer(), authData.getIssueInstant(), - authData.getPBK(), - removeXMLDeclaration(xmlAuthBlock), - removeXMLDeclaration(xmlIdentityLink), + pkType, + pkValue, + removeXMLDeclaration(xmlAuthBlock), + removeXMLDeclaration(xmlIdentityLink), removeXMLDeclaration(xmlPersonData), - isQualifiedCertificate, - publicAuthorityAttribute}); + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute}); return assertion; } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java index 5ceb1d1c0..cb6c8b31b 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java 
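Review bot: `signerCertificateBase64 != ""` compares references, not content, so the check only works because the caller happens to pass the interned literal `""`; an empty string built at runtime, or a `null`, would be formatted into `SIGNER_CERTIFICATE_ATT` as an empty or `null` attribute — use `if (signerCertificateBase64 != null && signerCertificateBase64.length() > 0)`. Likewise `pkValue` is `authData.getWPBK()` for business services and nothing stops a null there from being written into the assertion as the text "null"; a null check that throws `BuildException` is cheaper than a malformed assertion reaching the OA. The values are still substituted via `MessageFormat` without XML escaping, as before this change.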
@@ -1,9 +1,13 @@ package at.gv.egovernment.moa.id.auth.builder; +import java.io.File; import java.io.IOException; +import java.text.MessageFormat; import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.StringUtils; /** * Builder for the <VerifyXMLSignatureRequest> structure @@ -12,10 +16,26 @@ import at.gv.egovernment.moa.util.FileUtils; * @author Paul Ivancsics * @version $Id$ */ -public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder { +public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder implements Constants { /** special tag in the VerifyXMLRequest template to be substituted for a <dsig:Signature> */ private static final String SIGNATURE_TAG = ""; + + /** private static String nl contains the NewLine representation in Java*/ + private static final String nl = "\n"; + /** + * XML template for the CertInfoVerifyXMLSignatureRequest to be built + */ + static final String CERTINFO_REQUEST = + "" + nl + + "<{0}:VerifyXMLSignatureRequest {2} xmlns:xml=\"" + XML_NS_URI + "\" xmlns:dsig=\"" + DSIG_NS_URI + "\">" + nl + + " <{0}:SignatureInfo>" + nl + + " <{0}:SignatureEnvironment>" + nl + + " <{1}:XMLContent xml:space=\"preserve\">" + nl + + " " + nl + + " <{0}:SignatureLocation>//dsig:Signature" + nl + + " " + nl + + ""; /** * Constructor 
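Review bot: The added imports `java.io.File` and `at.gv.egovernment.moa.util.StringUtils` are not used by anything in this file's visible hunks — the resource is still read through `FileUtils.readResource` and no `StringUtils` call appears in the new `build`. If the rest of the file does not use them either they should be dropped, so that the imports that matter (`MessageFormat`, `Constants`) are the ones a reader sees.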
@@ -28,16 +48,30 @@ public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder { * @return the XML structure * @throws BuildException */ - public String build() throws BuildException { - String resCertInfoRequest = "resources/xmldata/CertInfoVerifyXMLSignatureRequest.xml"; - String resDsigSignature = "resources/xmldata/CertInfoDsigSignature.xml"; - String certInfoRequest; - try { - certInfoRequest = FileUtils.readResource(resCertInfoRequest, "UTF-8"); - } - catch (IOException ex) { - throw new BuildException("auth.04", new Object[] {resCertInfoRequest, ex.toString()}); + public String build(boolean slVersion12) throws BuildException { + + String sl10Prefix; + String sl11Prefix; + String slNsDeclaration; + + if (slVersion12) { + + sl10Prefix = SL12_PREFIX; + sl11Prefix = SL12_PREFIX; + slNsDeclaration = "xmlns:" + SL12_PREFIX + "=\"" + SL12_NS_URI + "\""; + + } else { + + sl10Prefix = SL10_PREFIX; + sl11Prefix = SL11_PREFIX; + slNsDeclaration = "xmlns:" + sl11Prefix + "=\"" + SL11_NS_URI + "\" xmlns:" + sl10Prefix + "=\"" + SL10_NS_URI + "\""; + } + + String certInfoRequest = MessageFormat.format(CERTINFO_REQUEST, new Object[] {sl11Prefix, sl10Prefix, slNsDeclaration}); + String resDsigSignature = "resources/xmldata/CertInfoDsigSignature.xml"; + + try { String dsigSignature = FileUtils.readResource(resDsigSignature, "UTF-8"); certInfoRequest = replaceTag(certInfoRequest, SIGNATURE_TAG, dsigSignature); diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index 48320c4f5..51429251e 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java 
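Review bot: In the `slVersion12` branch both `sl10Prefix` and `sl11Prefix` are set to `SL12_PREFIX`, so the variable names no longer describe what they hold; naming them after the template slots they fill, or a comment such as `// SL 1.2 uses a single namespace for both template slots`, would spare the next reader the double take. The new `slVersion12` parameter has no Javadoc: `* @param slVersion12 {@code true} to emit Security Layer 1.2 prefixes and namespace, {@code false} for SL 1.0/1.1`. The method continues past the end of the hunk.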
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.StringUtils; /** * Builder for the <CreateXMLSignatureRequest> structure @@ -17,22 +18,23 @@ public class CreateXMLSignatureRequestBuilder implements Constants { private static final String nl = "\n"; /** * XML template for the <moa:CreateXMLSignatureRequest> to be built - */ + */ private static final String CREATE_XML_SIGNATURE_REQUEST = - "" + nl + - "" + nl + - " {1}" + nl + - " " + nl + - " " + nl + - "{2}" + - " " + nl + - " " + nl + - " " + nl + - " {0}" + nl + - " " + nl + - " /saml:Assertion" + nl + - " " + nl + - ""; + "" + nl + + "<{3}:CreateXMLSignatureRequest xmlns:dsig=''" + DSIG_NS_URI + "'' {5}>" + nl + + " <{3}:KeyboxIdentifier>{1}" + nl + + " <{3}:DataObjectInfo Structure=''detached''>" + nl + + " <{4}:DataObject Reference=''''/>" + nl + + "{2}" + + " " + nl + + " <{3}:SignatureInfo>" + nl + + " <{3}:SignatureEnvironment>" + nl + + " <{4}:XMLContent>{0}" + nl + + " " + nl + + " <{3}:SignatureLocation Index=''2''>/saml:Assertion" + nl + + " " + nl + + ""; + /** * Constructor for CreateXMLSignatureRequestBuilder. 
@@ -46,14 +48,46 @@ public class CreateXMLSignatureRequestBuilder implements Constants { * * @param authBlock String representation of XML authentication block * @param keyBoxIdentfier the key box identifier which will be used (e.g. CertifiedKeypair) + * @param slVersion12 specifies whether the Security Layer version number is 1.2 or not * @return String representation of <CreateXMLSignatureRequest> */ - public String build(String authBlock, String keyBoxIdentifier, String[] dsigTransformInfos) { - String dsigTransformInfosString = ""; - for (int i = 0; i < dsigTransformInfos.length; i++) + public String build(String authBlock, String keyBoxIdentifier, String[] dsigTransformInfos, boolean slVersion12) { + + String sl10Prefix; + String sl11Prefix; + String slNsDeclaration; + + String dsigTransformInfosString = ""; + for (int i = 0; i < dsigTransformInfos.length; i++) { dsigTransformInfosString += dsigTransformInfos[i]; + } + + if (slVersion12) { + + // replace the SecurityLayer namespace prefixes and URIs within the transforms + dsigTransformInfosString = StringUtils.changeSLVersion(dsigTransformInfosString, + SL10_PREFIX, SL12_PREFIX, + SL10_NS_URI, SL12_NS_URI); + sl10Prefix = SL12_PREFIX; + sl11Prefix = SL12_PREFIX; + slNsDeclaration = "xmlns:" + SL12_PREFIX + "='" + SL12_NS_URI + "'"; + + } else { + + sl10Prefix = SL10_PREFIX; + sl11Prefix = SL11_PREFIX; + slNsDeclaration = "xmlns:" + sl10Prefix + "='" + SL10_NS_URI + "' xmlns:" + sl11Prefix + "='" + SL11_NS_URI + "'"; + + } + String request = MessageFormat.format( - CREATE_XML_SIGNATURE_REQUEST, new Object[] { authBlock, keyBoxIdentifier, dsigTransformInfosString }); + CREATE_XML_SIGNATURE_REQUEST, new Object[] { authBlock, + keyBoxIdentifier, + dsigTransformInfosString, + sl11Prefix, + sl10Prefix, + slNsDeclaration }); + return request; } } 
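Review bot: `dsigTransformInfos` is dereferenced in the loop with no null guard and is the only parameter without a `@param` line; add `* @param dsigTransformInfos serialized dsig:Transforms fragments inserted into the DataObjectInfo; must not be null` and `if (dsigTransformInfos == null) throw new IllegalArgumentException("dsigTransformInfos");` — the one caller visible in this commit substitutes default transforms when the OA has none, but the builder should not depend on that. The `dsigTransformInfosString +=` loop should build with a `StringBuffer`/`StringBuilder`, as `InfoboxReadRequestBuilder` does elsewhere in this commit. The single quotes in `slNsDeclaration` are safe only because the string is passed as a `MessageFormat` argument rather than in the pattern, where `''` is required; a one-line comment saying so would stop someone "fixing" it.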
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index dbc14804d..4fb5b0837 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -27,8 +27,6 @@ public class GetIdentityLinkFormBuilder extends Builder { /** special tag in the HTML template to be substituted for the certificate info data URL */ private static final String CERTINFO_DATAURL_TAG = ""; - /** default BKU URL */ - private static final String DEFAULT_BKU = "http://localhost:3495/http-security-layer-request"; /** default HTML template */ private static final String DEFAULT_HTML_TEMPLATE = "" + nl + @@ -84,11 +82,11 @@ public class GetIdentityLinkFormBuilder extends Builder { throws BuildException { String htmlForm = htmlTemplate == null ? DEFAULT_HTML_TEMPLATE : htmlTemplate; - String bku = bkuURL == null ? DEFAULT_BKU : bkuURL; - htmlForm = replaceTag(htmlForm, BKU_TAG, bku); +// String bku = bkuURL == null ? DEFAULT_BKU : bkuURL; + htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL); htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest)); htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL); - htmlForm = replaceTag(htmlForm, BKU_TAG, bku); + htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL); htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest)); htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL); return htmlForm; diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java index d3e100671..c2bafe43b 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java 
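Review bot: With the local `DEFAULT_BKU` fallback removed, a null `bkuURL` now reaches `replaceTag(htmlForm, BKU_TAG, bkuURL)` directly; either keep a guard such as `if (bkuURL == null) throw new BuildException(…)` or state in the parameter's Javadoc that callers must resolve the default (the AuthenticationServer change in this commit does so with `DEFAULT_BKU`). The commented-out `// String bku = bkuURL == null ? DEFAULT_BKU : bkuURL;` should be deleted rather than left in. `bkuURL` is written into the HTML form twice without escaping; if it can come from the request's `bkuURI` parameter, attribute characters (`"`, `<`, `&`) need escaping, or the value needs validating as a URL before it gets here. The method starts before the hunk.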
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java 
@@ -11,29 +11,76 @@ import at.gv.egovernment.moa.util.Constants; */ public class InfoboxReadRequestBuilder implements Constants { - /** - * XML template for the <sl10:InfoboxReadRequest> to be built - */ - String INFOBOX_READ_REQUEST = - "" + - "" + - "IdentityLink" + - "" + - ""; /** * Constructor for InfoboxReadRequestBuilder. */ public InfoboxReadRequestBuilder() { } + + /** * Builds an <InfoboxReadRequest>. * + * @param slVersion12 specifies whether the Security Layer version is + * version 1.2 or not + * @param businessService specifies whether the online application is a + * business service or not + * @param identityLinkDomainIdentifier the identification number of the business + * company; maybe null if the OA + * is a public service; must not be null + * if the OA is a business service + * * @return <InfoboxReadRequest> as String */ - public String build() { - String request = INFOBOX_READ_REQUEST; - return request; + public String build(boolean slVersion12, boolean businessService, String identityLinkDomainIdentifier) { + + String slPrefix; + String slNsDeclaration; + + if (slVersion12) { + slPrefix = SL12_PREFIX; + slNsDeclaration = SL12_NS_URI; + } else { + slPrefix = SL10_PREFIX; + slNsDeclaration = SL10_NS_URI; + } + + StringBuffer sb = new StringBuffer(""); + sb.append("<"); + sb.append(slPrefix); + sb.append(":InfoboxReadRequest xmlns:"); + sb.append(slPrefix); + sb.append("=\""); + sb.append(slNsDeclaration); + sb.append("\">"); + sb.append("<"); + sb.append(slPrefix); + sb.append(":InfoboxIdentifier>IdentityLink"); + sb.append("<"); + sb.append(slPrefix); + sb.append(":BinaryFileParameters ContentIsXMLEntity=\"true\"/>"); + if (businessService) { + sb.append("<"); + sb.append(slPrefix); + sb.append(":BoxSpecificParameters>"); + sb.append("<"); + sb.append(slPrefix); + sb.append(":IdentityLinkDomainIdentifier>"); + sb.append(identityLinkDomainIdentifier); + sb.append(""); + sb.append(""); + } + sb.append(""); + + return sb.toString(); + } } 
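Review bot: `identityLinkDomainIdentifier` is appended into the request as-is, without the non-null check the new Javadoc promises for business services and without XML escaping, so a null produces the literal text `null` inside the element and a value containing `&` or `<` produces a malformed or altered request. Guard it first, e.g. `if (businessService && identityLinkDomainIdentifier == null) throw new IllegalArgumentException("identityLinkDomainIdentifier");`, and escape at least `&`, `<` and `>` before `sb.append(identityLinkDomainIdentifier)`. The closing-tag appends show as `sb.append("")` in this rendering, presumably stripped by the page rather than empty in the file, but that is worth confirming against the source. A `@throws` entry in the Javadoc would document the new precondition.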
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index ba4a9e367..27d91bf1f 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -15,7 +15,8 @@ public class AuthenticationSession { */ private String sessionID; /** - * "Geschäftsbereich" the online application belongs to + * "Geschäftsbereich" the online application belongs to; maybe null + * if the online application is a business application */ private String target; /** @@ -34,6 +35,10 @@ public class AuthenticationSession { * HTML template URL */ private String templateURL; + /** + * URL of the BKU + */ + private String bkuURL; /** * identity link read from smartcard */ @@ -49,8 +54,13 @@ public class AuthenticationSession { /** * timestamp logging when identity link has been received */ - private Date timestampIdentityLink; - + private Date timestampIdentityLink; + /** + * Indicates whether the corresponding online application is a business + * service or not + */ + private boolean businessService; + /** * Constructor for AuthenticationSession. * @@ -108,6 +118,14 @@ public class AuthenticationSession { public String getPublicOAURLPrefix() { return oaPublicURLPrefix; } + + /** + * Returns the BKU URL. + * @return String + */ + public String getBkuURL() { + return bkuURL; + } /** * Returns the target. @@ -132,6 +150,14 @@ public class AuthenticationSession { public void setPublicOAURLPrefix(String url) { this.oaPublicURLPrefix = url; } + + /** + * Sets the bkuURL + * @param url The BKU URL to set + */ + public void setBkuURL(String url) { + this.bkuURL = url; + } /** * Sets the target. 
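Review bot: `setBkuURL` accepts any string, and the stored value is later substituted verbatim into the HTML form by GetIdentityLinkFormBuilder, so whichever caller fills it (SelectBKUServlet is touched by this commit but not visible here) needs to check it against the configured BKU URLs before storing it; a sentence on the setter stating that the value must already be validated would make that contract explicit. Javadoc wording: `Sets the bkuURL` should read `Sets the BKU URL.`, and `maybe null` in the target comment should read `may be null`. In the `@@ -180,6 +206,23 @@` hunk the boolean accessor is named `getBusinessService`; the JavaBeans form is `isBusinessService()`.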
@@ -180,6 +206,23 @@ public class AuthenticationSession { public Date getTimestampIdentityLink() { return timestampIdentityLink; } + + /** + * Returns the businessService. + * @return true if the corresponding online application is + * a business application, otherwise false + */ + public boolean getBusinessService() { + return businessService; + } + + /** + * Sets the businessService variable. + * @param businessService the value for setting the businessService variable. + */ + public void setBusinessService(boolean businessService) { + this.businessService = businessService; + } /** * Returns the timestampStart. diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java index c787b2a81..76ba6366d 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java @@ -9,17 +9,18 @@ package at.gv.egovernment.moa.id.auth.data; * */ public class SAMLAttribute { -/** the name to be stored */ -private String name; -/** the namespace to be stored */ -private String namespace; -/** the value to be stored */ -private String value; + + /** the name to be stored */ + private String name; + /** the namespace to be stored */ + private String namespace; + /** the value to be stored */ + private Object value; /** * Constructor for SAMLAttribute. */ - public SAMLAttribute(String name, String namespace, String value) { + public SAMLAttribute(String name, String namespace, Object value) { this.name = name; this.namespace = namespace; 
@@ -27,52 +28,52 @@ private String value; } -/** - * Returns the name. - * @return String - */ -public String getName() { - return name; -} - -/** - * Returns the namespace. - * @return String - */ -public String getNamespace() { - return namespace; -} - -/** - * Returns the value. - * @return String - */ -public String getValue() { - return value; -} - -/** - * Sets the name. - * @param name The name to set - */ -public void setName(String name) { - this.name = name; -} - -/** - * Sets the namespace. - * @param namespace The namespace to set - */ -public void setNamespace(String namespace) { - this.namespace = namespace; -} - -/** - * Sets the value. - * @param value The value to set - */ -public void setValue(String value) { - this.value = value; -} + /** + * Returns the name. + * @return String + */ + public String getName() { + return name; + } + + /** + * Returns the namespace. + * @return String + */ + public String getNamespace() { + return namespace; + } + + /** + * Returns the value. + * @return String + */ + public Object getValue() { + return value; + } + + /** + * Sets the name. + * @param name The name to set + */ + public void setName(String name) { + this.name = name; + } + + /** + * Sets the namespace. + * @param namespace The namespace to set + */ + public void setNamespace(String namespace) { + this.namespace = namespace; + } + + /** + * Sets the value. + * @param value The value to set + */ + public void setValue(Object value) { + this.value = value; + } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java index 1079a48de..094fa091f 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java 
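Review bot: `getValue` now returns `Object` but its Javadoc still says `@return String`, and neither the constructor nor `setValue` says what else may be stored; the parser hunk in this commit stores a DOM `Element` for the wbPK attribute, so document that, e.g. `@return the attribute value: a String, or an Element when the value is structured (wbPK)`. Consumers must now cast, and the validator hunk applies `(String)` and `(Element)` casts that would surface as ClassCastException; typed accessors (`getStringValue()`/`getElementValue()`) that fail with a clear message would localize that. The first SAMLAttribute hunk (`@@ -9,17 +9,18 @@`) should also get `@param` entries for name, namespace and value on the constructor.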
@@ -6,9 +6,11 @@ import java.util.ArrayList; import java.util.List; import org.w3c.dom.Element; +import org.w3c.dom.Node; import org.w3c.dom.traversal.NodeIterator; -import at.gv.egovernment.moa.id.*; +import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; import at.gv.egovernment.moa.util.Constants; @@ -27,16 +29,13 @@ public class CreateXMLSignatureResponseParser { // // XPath namespace prefix shortcuts // - /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */ - private static final String SL10 = Constants.SL10_PREFIX + ":"; - /** Xpath prefix for reaching SecurityLayer 1.1 Namespaces */ - private static final String SL11 = Constants.SL11_PREFIX + ":"; + /** Xpath prefix for reaching SAML Namespaces */ private static final String SAML = Constants.SAML_PREFIX + ":"; /** Xpath prefix for reaching XML-DSIG Namespaces */ private static final String DSIG = Constants.DSIG_PREFIX + ":"; /** Xpath expression to the root element */ - private static final String ROOT = "/" + SL11 + "CreateXMLSignatureResponse/"; + private static final String ROOT = ":CreateXMLSignatureResponse/"; /** Xpath expression to the SAML:Assertion element */ private static final String SAML_ASSERTION_XPATH = ROOT + SAML + "Assertion"; /** Xpath expression to the SAML:NameIdentifier element */ @@ -45,7 +44,8 @@ public class CreateXMLSignatureResponseParser { private static final String SAML_ATTRIBUTE_XPATH = SAML_ASSERTION_XPATH + "/" + SAML + "AttributeStatement/" + SAML + "Attribute"; /** Xpath expression to the AttributeValue element */ private static final String SAML_ATTRIBUTE_VALUE_XPATH = SAML + "AttributeValue"; - + + /** This is the root element of the XML-Document provided by the Security Layer Card */ private Element sigResponse; 
@@ -89,6 +89,7 @@ public class CreateXMLSignatureResponseParser { try { sigResponse = DOMUtils.parseXmlValidating(is); + } catch (Throwable t) { throw new ParseException("parser.01", new Object[] { t.toString()}, t); 
@@ -114,17 +115,23 @@ public class CreateXMLSignatureResponseParser { public CreateXMLSignatureResponse parseResponse() throws ParseException { CreateXMLSignatureResponse cResp; try { - cResp = new CreateXMLSignatureResponse(); - cResp.setSamlNameIdentifier(XPathUtils.getElementValue(sigResponse, SAML_SUBJECT_NAME_IDENTIFIER_XPATH, null)); - cResp.setSamlAssertion((Element) XPathUtils.selectSingleNode(sigResponse, SAML_ASSERTION_XPATH)); - NodeIterator attrIter = XPathUtils.selectNodeIterator(sigResponse, SAML_ATTRIBUTE_XPATH); + String slPrefix = sigResponse.getPrefix(); + cResp.setSamlNameIdentifier(XPathUtils.getElementValue(sigResponse, "/" + slPrefix + SAML_SUBJECT_NAME_IDENTIFIER_XPATH, null)); + cResp.setSamlAssertion((Element) XPathUtils.selectSingleNode(sigResponse, "/" + slPrefix + SAML_ASSERTION_XPATH)); + NodeIterator attrIter = XPathUtils.selectNodeIterator(sigResponse, "/" + slPrefix + SAML_ATTRIBUTE_XPATH); Element samlAttr; List samlAttributes = new ArrayList(); while ((samlAttr = (Element) attrIter.nextNode()) != null) { String attrName = XPathUtils.getAttributeValue(samlAttr, "@AttributeName", ""); String attrNamespace = XPathUtils.getAttributeValue(samlAttr, "@AttributeNamespace", ""); - String attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, ""); + Object attrValue; + if ("wbPK".equals(attrName)) { + Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH); + attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes()); + } else { + attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, ""); + } samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue)); } SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()]; 
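Review bot: As rendered, the new side never assigns `cResp`: the line `cResp = new CreateXMLSignatureResponse();` is removed and not re-added, so `cResp.setSamlNameIdentifier(...)` reads a possibly-uninitialized variable that javac rejects; restore `cResp = new CreateXMLSignatureResponse();` before `String slPrefix = sigResponse.getPrefix();` (the hunk counts suggest one context line is missing from this rendering, so verify against the file). `sigResponse.getPrefix()` is null for a document that binds the Security Layer namespace as the default namespace, which yields `/null:CreateXMLSignatureResponse/...`, and matching on prefix text rather than namespace URI only works when the document happens to use a prefix XPathUtils resolves; selecting the constant prefix by namespace, `String slPrefix = Constants.SL12_NS_URI.equals(sigResponse.getNamespaceURI()) ? Constants.SL12_PREFIX : Constants.SL10_PREFIX;`, avoids both. In the wbPK branch `attrValueElem` is null when the AttributeValue element is missing, so `attrValueElem.getChildNodes()` throws NullPointerException inside the loop; a null check that throws a ParseException with a specific message is clearer than whatever the surrounding catch reports. The `ROOT` constant in the `@@ -27,16 +29,13 @@` hunk now starts with `:` and relies on callers prepending `/` plus the prefix; its comment should say so.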
@@ -136,5 +143,37 @@ public class CreateXMLSignatureResponseParser { } return cResp; } - + +// public CreateXMLSignatureResponse parseResponse1() throws ParseException { +// CreateXMLSignatureResponse cResp; +// try { +// cResp = new CreateXMLSignatureResponse(); +// Element samlAssertion = (Element)sigResponse.getElementsByTagNameNS(Constants.SAML_NS_URI, "Assertion").item(0); +// cResp.setSamlAssertion(samlAssertion); +// Element samlAttributeStatement = (Element)samlAssertion.getElementsByTagNameNS(Constants.SAML_NS_URI, "AttributeStatement").item(0); +// Element samlSubject = (Element)samlAttributeStatement.getElementsByTagNameNS(Constants.SAML_NS_URI, "Subject").item(0); +// Element samlNameIdentifier = (Element)samlSubject.getElementsByTagNameNS(Constants.SAML_NS_URI, "NameIdentifier").item(0); +// cResp.setSamlNameIdentifier(samlNameIdentifier.getFirstChild().getNodeValue()); +// NodeList nl = samlAttributeStatement.getElementsByTagNameNS(Constants.SAML_NS_URI, "Attribute"); +// List samlAttributes = new ArrayList(); +// for (int i=0; i *
  • Status: 302
  • *
  • Header "Location": URL of the online application requested, with - * parameters "Target" and "SAMLArtifact" added
  • + * parameters "Target"(only if the online application is + * a public service) and "SAMLArtifact" added *
  • Error status: 500 * * @see AuthenticationServer#verifyAuthenticationBlock @@ -80,7 +81,9 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { String samlArtifactBase64 = AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse); String redirectURL = session.getOAURLRequested(); - redirectURL = addURLParameter(redirectURL, PARAM_TARGET, session.getTarget()); + if (!session.getBusinessService()) { + redirectURL = addURLParameter(redirectURL, PARAM_TARGET, session.getTarget()); + } redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); redirectURL = resp.encodeRedirectURL(redirectURL); resp.setContentType("text/html"); diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 3c15b9ec4..2eafaa297 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.auth.validator; import org.w3c.dom.Element; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; import at.gv.egovernment.moa.util.Constants; @@ -17,7 +18,7 @@ import at.gv.egovernment.moa.util.XPathUtils; */ public class CreateXMLSignatureResponseValidator { - /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */ + /** Xpath prefix for reaching SAML Namespaces */ private static final String SAML = Constants.SAML_PREFIX + ":"; /** Xpath prefix for reaching XML-DSIG Namespaces */ private static final String DSIG = Constants.DSIG_PREFIX + ":"; 
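Review bot: For a public service `session.getTarget()` is still appended unconditionally, while the session Javadoc changed in this commit says target may be null; nothing in this hunk guarantees it is set for a public-service OA, so if the empty-target check earlier in the flow was relaxed at the same time the redirect would carry a `Target` parameter built from null. Treat a missing target on a public-service session as an error here rather than building the redirect, e.g. check `session.getTarget()` for null or empty before the `addURLParameter` call. The surrounding method starts and ends outside this hunk.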
@@ -59,45 +60,78 @@ public class CreateXMLSignatureResponseValidator { * @param oaURL * @throws ValidateException */ - public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, String gbTarget, String oaURL) + public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session) throws ValidateException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier - - - XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH); + + String gbTarget = session.getTarget(); + String oaURL = session.getPublicOAURLPrefix(); + boolean businessService = session.getBusinessService(); + +// XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH); - SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes(); + SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes(); - boolean foundOA = false; - boolean foundGB = false; - for (int i = 0; i < samlattributes.length; i++) - { - if (samlattributes[i].getName().equals("Geschaeftsbereich")) - if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) - - { - foundGB = true; - if (!gbTarget.equals(samlattributes[i].getValue())) - { - throw new ValidateException("validator.13", null); - } + boolean foundOA = false; + boolean foundGB = false; + boolean foundWBPK = false; + + for (int i = 0; i < samlattributes.length; i++) { + if (samlattributes[i].getName().equals("Geschaeftsbereich")) { + if (businessService) { + throw new ValidateException("validator.26", null); + } + if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + if (!gbTarget.equals((String)samlattributes[i].getValue())) { + throw new ValidateException("validator.13", null); + } + } else { + throw new 
ValidateException("validator.12", null); + } + } + if (samlattributes[i].getName().equals("OA")) { + if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundOA = true; + if (!oaURL.equals((String)samlattributes[i].getValue())) { // CHECKS für die AttributeVALUES fehlen noch + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()}); + } + } else { + throw new ValidateException("validator.15", null); + } + } + if (samlattributes[i].getName().equals("wbPK")) { + if (!businessService) { + throw new ValidateException("validator.27", null); + } + if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlattributes[i].getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(session.getIdentityLink().getIdentificationValue())) { + throw new ValidateException("validator.28", null); } - else throw new ValidateException("validator.12", null); - if (samlattributes[i].getName().equals("OA")) - if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) - { - foundOA = true; - if (!oaURL.equals(samlattributes[i].getValue())) // CHECKS für die AttributeVALUES fehlen noch - { - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()}); - } - + if (!type.equals(session.getIdentityLink().getIdentificationType())) { + throw new ValidateException("validator.28", null); } - else throw new ValidateException("validator.15", null); - } - if (!foundOA) throw new 
ValidateException("validator.14", null); + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + } else { + throw new ValidateException("validator.30", null); + } + } + } + + if (!foundOA) throw new ValidateException("validator.14", null); + if (businessService) { + if (!foundWBPK) throw new ValidateException("validator.31", null); + } else { if (!foundGB) throw new ValidateException("validator.11", null); + } //Check if dsig:Signature exists Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature"); diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 5adbc5b3d..1127b3f43 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -11,6 +11,7 @@ import iaik.x509.X509Certificate; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.logging.Logger; /** * This class is used to validate an {@link VerifyXMLSignatureResponse} 
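Review bot: `catch (Exception ex)` wraps the whole wbPK block, so the `ValidateException("validator.28", null)` thrown inside it for a value or type mismatch is caught and re-thrown as `validator.29`, which misreports a mismatch as an extraction failure and drops the original exception; move the two comparisons out of the try, or add `} catch (ValidateException ex) { throw ex; }` ahead of the generic catch, and pass `ex` on as the cause if ValidateException accepts one. `gbTarget.equals((String)samlattributes[i].getValue())` is reached for a public-service OA whenever a Geschaeftsbereich attribute is present, and the session comment now allows target to be null, so a null target surfaces as a NullPointerException instead of a validation error; `if (gbTarget == null || !gbTarget.equals(...))` keeps it a ValidateException. The `item(0)` lookups silently ignore any further Value/Type elements, which is fine if the schema forbids them but deserves a comment otherwise. validate continues past the end of this hunk.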
@@ -46,11 +47,15 @@ public class VerifyXMLSignatureResponseValidator { * @param verifyXMLSignatureResponse the <VerifyXMLSignatureResponse> * @param identityLinkSignersSubjectDNNames subject names configured * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated + * @param ignoreManifestValidationResult specifies whether the validation result of the + * manifest has to be ignored (identityLink validation if + * the OA is a business service) or not * @throws ValidateException on any validation error */ - public void validate( - VerifyXMLSignatureResponse verifyXMLSignatureResponse, - String[] identityLinkSignersSubjectDNNames, String whatToCheck) + public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse, + String[] identityLinkSignersSubjectDNNames, + String whatToCheck, + boolean ignoreManifestValidationResult) throws ValidateException { if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) @@ -74,9 +79,13 @@ public class VerifyXMLSignatureResponseValidator { else throw new ValidateException("validator.19", new Object[] { checkFailedReason } ); } - if (verifyXMLSignatureResponse.isXmlDSIGManigest()) - if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) - throw new ValidateException("validator.08", null); + if (ignoreManifestValidationResult) { + Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result"); + } else { + if (verifyXMLSignatureResponse.isXmlDSIGManigest()) + if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) + throw new ValidateException("validator.08", null); + } //Check whether the returned X509 SubjectName is in the MOA-ID configuration or not if (identityLinkSignersSubjectDNNames != null) { String subjectDN = ""; -- cgit v1.2.3
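Review bot: `ignoreManifestValidationResult` discards a failed manifest check outright, so for a business-service OA an identity link whose manifest no longer matches its references still validates, and the only trace is a debug line that does not say whether the check actually failed; record why skipping it is acceptable in the parameter Javadoc (the `@@ -46,11 +47,15 @@` hunk says when, not why), and when `isXmlDSIGManigest()` is true and `getXmlDSIGManifestCheckCode() != 0` log the code at a level that is enabled in production rather than debug. The nested brace-less ifs in the else branch read more clearly as one condition, `if (verifyXMLSignatureResponse.isXmlDSIGManigest() && verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) throw new ValidateException("validator.08", null);`. validate's body continues beyond this hunk.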