From 011ce9576c780cba8a0f7b321366e08b557adcf6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Thu, 5 Sep 2013 16:03:17 +0200
Subject: -- Resign IdentityLink: if this feature is enabled, the identitylink is resigned in case of businessservice by using MOASS -- GeneralConfigReloadDaemon: Reload general MOA-ID configuration from database every minute if it has changed
---
.../moa/id/util/IdentityLinkReSigner.java | 169 +++++++++++++++++++++
1 file changed, 169 insertions(+)
create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
(limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java')
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
new file mode 100644
index 000000000..da44a3905
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
@@ -0,0 +1,169 @@
+package at.gv.egovernment.moa.id.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOAException;
+import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.SignatureCreationService;
+import at.gv.egovernment.moa.spss.api.common.Content;
+import at.gv.egovernment.moa.spss.api.common.MetaInfo;
+import at.gv.egovernment.moa.spss.api.common.Transform;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureEnvironmentProfile;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureInfo;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfo;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfoProfile;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo;
+import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class IdentityLinkReSigner {
+
+ private static IdentityLinkReSigner instance;
+
+ public static IdentityLinkReSigner 
getInstance() {
+ if (instance == null) {
+ instance = new IdentityLinkReSigner();
+ }
+ return instance;
+ }
+
+ public Element resignIdentityLink(Element idl) throws MOAIDException {
+
+ try {
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+
+ if (config.isIdentityLinkResigning()) {
+
+ if (idl == null) {
+ Logger.warn("IdentityLink is empty");
+ return null;
+
+ } else {
+ NodeList signatures = idl.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ Node signature = signatures.item(0);
+ Node parent = signature.getParentNode();
+ parent.removeChild(signature);
+ }
+
+ SPSSFactory spssFac = SPSSFactory.getInstance();
+
+ String keyGroupId = config.getIdentityLinkResigningKey();
+ if (MiscUtil.isEmpty(keyGroupId)) {
+ Logger.warn("No IdentityLink reSigning-Key definded");
+ throw new MOAIDException("config.19", new Object[]{});
+ }
+
+ MetaInfo mi = spssFac.createMetaInfo("text/xml", null, null, null);
+
+ Transform envelopedSignatureTransform = spssFac.createEnvelopedSignatureTransform();
+ List transformsList = new ArrayList();
+ transformsList.add(envelopedSignatureTransform);
+
+ CreateTransformsInfo ct = spssFac.createCreateTransformsInfo(transformsList, mi);
+ CreateTransformsInfoProfile ctip = spssFac.createCreateTransformsInfoProfile(ct, null);
+
+ Content content = spssFac.createContent("");
+ DataObjectInfo doi = spssFac.createDataObjectInfo(DataObjectInfo.STRUCTURE_DETACHED, false, content, ctip);
+
+ // create signature environment
+ HashMap nsMap = new HashMap();
+ nsMap.put(Constants.SAML_PREFIX, Constants.SAML_NS_URI);
+ nsMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI);
+ nsMap.put(Constants.PD_PREFIX, Constants.PD_NS_URI);
+
+ CreateSignatureLocation csl = spssFac.createCreateSignatureLocation("/" + Constants.SAML_PREFIX + ":" + "Assertion", -1, nsMap);
+ CreateSignatureEnvironmentProfile csep = spssFac.createCreateSignatureEnvironmentProfile(csl, null);
+
+
+ InputStream serializedIdl = new 
ByteArrayInputStream(DOMUtils.serializeNode(idl).getBytes());
+
+ Content confirmationContent = spssFac.createContent(serializedIdl, null);
+ CreateSignatureInfo csi = spssFac.createCreateSignatureInfo(confirmationContent, csep);
+
+ List dataobjectinfoList = new ArrayList();
+ dataobjectinfoList.add(doi);
+ SingleSignatureInfo ssi = spssFac.createSingleSignatureInfo(dataobjectinfoList, csi, false);
+
+
+ List singlesignatureinfolist = new ArrayList();
+ singlesignatureinfolist.add(ssi);
+
+ CreateXMLSignatureRequest cxsreq = spssFac.createCreateXMLSignatureRequest(keyGroupId, singlesignatureinfolist);
+
+
+ // signature creation service
+ SignatureCreationService scs = SignatureCreationService.getInstance();
+ CreateXMLSignatureResponse cxresp;
+ Logger.info("Creating MOA-SS signature");
+ cxresp = scs.createXMLSignature(cxsreq);
+
+ // evaluate response
+ List elements = cxresp.getResponseElements();
+
+ if (elements.get(0) instanceof ErrorResponse) {
+ ErrorResponse errResponse = (ErrorResponse) elements.get(0);
+ Logger.warn("Error while calling MOA-SS: " + errResponse.getErrorCode() + " / " + errResponse.getInfo());
+ throw new MOAIDException("builder.04", new Object[]{errResponse.getErrorCode(), errResponse.getInfo()});
+
+ } else if (elements.get(0) instanceof SignatureEnvironmentResponse) {
+ Logger.debug("Successfully created signature.");
+ SignatureEnvironmentResponse ser = (SignatureEnvironmentResponse) elements.get(0);
+ int responseType = ser.getResponseType();
+ if (responseType == SignatureEnvironmentResponse.ERROR_RESPONSE) {
+ Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS");
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ } else {
+ return ser.getSignatureEnvironment();
+ }
+
+ } else {
+ Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS");
+ throw new MOAIDException("builder.05", new Object[]{});
+ }
+
+ } else
+ return idl;
+
+ } catch 
(ConfigurationException e) {
+ Logger.warn("Configuration can not be loaded", e);
+ throw new MOAIDException("config.18", new Object[]{});
+
+ } catch (TransformerException e) {
+ Logger.warn("IdentityLink serialization error.", e);
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ } catch (IOException e) {
+ Logger.warn("IdentityLink I/O error.", e);
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ } catch (MOAException e) {
+ Logger.warn("General IdentityLink signing error.", e);
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ }
+ }
+
+}
-- cgit v1.2.3
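Review bot: In resignIdentityLink the result of `signatures.item(0)` is dereferenced without checking that a ds:Signature element exists, so an IdentityLink that carries none raises a NullPointerException that none of the catch clauses converts into a MOAIDException; guard it before taking the element, e.g. `if (signatures.getLength() == 0) throw new MOAIDException("builder.05", new Object[]{});`. Only the first matching descendant is removed, so any further ds:Signature elements in the subtree would survive into the resigned document — whether that can occur depends on the IdentityLink schema, which this hunk does not show. Nothing in this method verifies the signature it strips; if callers can reach it with an IdentityLink whose original signature has not been validated, MOA-ID would be re-signing unverified data under its own key, so that precondition should at least be stated on the method, e.g. `/** Strips the existing ds:Signature and re-signs via MOA-SS; callers must have verified the original IdentityLink signature first. */`. Separately, `DOMUtils.serializeNode(idl).getBytes()` encodes with the platform default charset; `getBytes("UTF-8")` pins it, and its UnsupportedEncodingException is already covered by the existing IOException catch.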