From a7c22b659f5bc760cb46d5892409dab12cc047d6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Oct 2013 09:57:38 +0200 Subject: Add an unique random tokken to AuthBlock to prevent replay attacks. The timestamp, which was previously in use, can be predicted. --- .../CreateXMLSignatureResponseValidator.java | 41 ++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 9e98b73b4..ed7f9df0d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -262,7 +262,7 @@ public class CreateXMLSignatureResponseValidator { if (!samlAttribute.getName().equals("SpecialText")) { throw new ValidateException( "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)}); + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); @@ -285,6 +285,25 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.35", null); } + + //check unique AuthBlock tokken + samlAttribute = samlAttributes[4 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); + + if (!uniquetokken.equals(session.getAuthBlockTokken())) { + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } + } else { + throw new ValidateException("validator.35", null); + } + + // now check the extended SAML attributes int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; if (extendedSAMLAttributes != null) { @@ -471,7 +490,7 @@ public class CreateXMLSignatureResponseValidator { if (!samlAttribute.getName().equals("SpecialText")) { throw new ValidateException( "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)}); + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); @@ -495,6 +514,24 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.35", null); } + //check unique AuthBlock tokken + samlAttribute = samlAttributes[3 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); + + if (!uniquetokken.equals(session.getAuthBlockTokken())) { + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } + } else { + throw new ValidateException("validator.35", null); + } + + // now check the extended SAML attributes int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset; if (extendedSAMLAttributes != null) { -- cgit v1.2.3