From ef35deb727190363d17d693d10f27171787cc92c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Feb 2014 15:38:24 +0100 Subject: Solve some merge problems --- .../moa/id/auth/AuthenticationServer.java | 7 +- .../moa/id/auth/data/AuthenticationSession.java | 31 +-- .../moa/id/auth/servlet/GetForeignIDServlet.java | 4 + .../id/auth/servlet/GetMISSessionIDServlet.java | 4 + .../moa/id/auth/servlet/PEPSConnectorServlet.java | 14 ++ .../moa/id/auth/stork/CredentialProvider.java | 72 ------ .../id/auth/stork/KeyStoreCredentialProvider.java | 148 ------------ .../auth/stork/PEPSConnectorAssertionVerifier.java | 263 --------------------- .../auth/stork/PEPSConnectorResponseVerifier.java | 182 -------------- .../moa/id/auth/stork/ResponseVerifier.java | 66 ------ .../id/auth/stork/STORKAuthnRequestProcessor.java | 187 --------------- .../id/config/auth/AuthConfigurationProvider.java | 7 +- .../moa/id/config/auth/OAAuthParameter.java | 14 +- .../moa/id/protocols/pvp2x/PVPConstants.java | 1 + .../protocols/pvp2x/binding/RedirectBinding.java | 1 - .../builder/assertion/PVP2AssertionBuilder.java | 81 ++++--- .../attributes/BirthdateAttributeBuilder.java | 17 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 10 - .../protocols/pvp2x/signer/CredentialProvider.java | 1 - .../verification/MetadataSignatureFilter.java | 6 +- .../pvp2x/verification/TrustEngineFactory.java | 50 ++-- 21 files changed, 149 insertions(+), 1017 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index e9c8dbc75..06d5b01bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -97,6 +97,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.stork.CPEPS; import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; @@ -1269,7 +1270,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setAuthenticatedUsed(false); session.setAuthenticated(true); - + + //set QAA Level four in case of card authentifcation + session.setQAALevel(PVPConstants.STORK_QAA_1_4); + + String oldsessionID = session.getSessionID(); //Session is implicte stored in changeSessionID!!! diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 767172823..896feed9e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -231,6 +231,8 @@ public class AuthenticationSession implements Serializable { private boolean ssoRequested = false; + private String QAALevel = null; + // private OAuth20SessionObject oAuth20SessionObject; // /** @@ -1005,20 +1007,21 @@ public class AuthenticationSession implements Serializable { public IPersonalAttributeList getStorkAttributes() { return this.storkAttributes; } - + /** -// * @return the oAuth20SessionObject -// */ -// public OAuth20SessionObject getoAuth20SessionObject() { -// return oAuth20SessionObject; -// } -// -// /** -// * @param oAuth20SessionObject -// * the oAuth20SessionObject to set -// */ -// public void setoAuth20SessionObject(OAuth20SessionObject oAuth20SessionObject) { -// this.oAuth20SessionObject = oAuth20SessionObject; -// } + * @return the qAALevel + */ + public String getQAALevel() { + return QAALevel; + } + + /** + * @param qAALevel the qAALevel to set + */ + public void setQAALevel(String qAALevel) { + QAALevel = qAALevel; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index 7908578ef..f4212cc78 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -73,6 +73,7 @@ import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; @@ -197,6 +198,9 @@ public class GetForeignIDServlet extends AuthServlet { IdentityLink identitylink = ilParser.parseIdentityLink(); session.setIdentityLink(identitylink); + //set QAA Level four in case of card authentifcation + session.setQAALevel(PVPConstants.STORK_QAA_1_4); + String samlArtifactBase64 = AuthenticationServer.getInstance().getForeignAuthenticationData(session); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java index b2224e10c..8bf437cca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java @@ -72,6 +72,7 @@ import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.SSLUtils; @@ -218,6 +219,9 @@ public class GetMISSessionIDServlet extends AuthServlet { session.setAuthenticatedUsed(false); session.setAuthenticated(true); + //set QAA Level four in case of card authentifcation + session.setQAALevel(PVPConstants.STORK_QAA_1_4); + String oldsessionID = session.getSessionID(); //Session is implicite stored in changeSessionID!!! diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 23eb138d9..b356c6f35 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -54,9 +54,11 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.auth.stork.VelocityProvider; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; @@ -327,6 +329,18 @@ public class PEPSConnectorServlet extends AuthServlet { // stork did the authentication step moaSession.setAuthenticated(true); + //TODO: found better solution, but QAA Level in response could be not supported yet + try { + moasession.setQAALevel(authnResponse.getAssertions().get(0). + getAuthnStatements().get(0).getAuthnContext(). + getAuthnContextClassRef().getAuthnContextClassRef()); + + } catch (Throwable e) { + Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); + moasession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel()); + + } + //session is implicit stored in changeSessionID!!!! String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java deleted file mode 100644 index 80089a423..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java +++ /dev/null @@ -1,72 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -/** - * - */ -package at.gv.egovernment.moa.id.auth.stork; - -import org.opensaml.xml.security.credential.Credential; - -import eu.stork.vidp.messages.exception.SAMLException; - -/** - * Interface supporting different kinds of Credentials - * - * @author bzwattendorfer - * - */ -public interface CredentialProvider { - - /** - * Gets appropriate credentials - * @return Credential object - * @throws SAMLException - */ - public Credential getCredential() throws SAMLException; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java deleted file mode 100644 index cf167ba84..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java +++ /dev/null @@ -1,148 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.stork; - -import java.security.KeyStore; -import java.security.PrivateKey; -import java.security.cert.X509Certificate; - -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import at.gv.egovernment.moa.util.KeyStoreUtils; -import at.gv.egovernment.moa.util.StringUtils; -import eu.stork.vidp.messages.exception.SAMLException; - -/** - * Provides credentials from a KeyStore - * @author bzwattendorfer - * - */ -public class KeyStoreCredentialProvider implements CredentialProvider { - - private final static Logger log = LoggerFactory.getLogger(KeyStoreCredentialProvider.class); - - /** KeyStore Path */ - private String keyStorePath; - - /** KeyStore Password */ - private String keyStorePassword; - - /** Specific Key Name as Credential */ - private String keyName; - - /** Key password */ - private String keyPassword; - - /** - * Creates a KeyStoreCredentialProvider object - * @param keyStorePath KeyStore Path - * @param keyStorePassword KeyStore Password - * @param keyName KeyName of the key to be retrieved - * @param keyPassword Password for the Key - */ - public KeyStoreCredentialProvider(String keyStorePath, - String keyStorePassword, String keyName, String keyPassword) { - super(); - this.keyStorePath = keyStorePath; - this.keyStorePassword = keyStorePassword; - this.keyName = keyName; - this.keyPassword = keyPassword; - } - - - /** - * Gets the credential object from the KeyStore - */ - public Credential getCredential() throws SAMLException { - log.trace("Retrieving credentials for signing SAML Response."); - - if (StringUtils.isEmpty(this.keyStorePath)) - throw new SAMLException("No keyStorePath specified"); - - //KeyStorePassword optional - //if (StringUtils.isEmpty(this.keyStorePassword)) - // throw new SAMLException("No keyStorePassword specified"); - - if (StringUtils.isEmpty(this.keyName)) - throw new SAMLException("No keyName specified"); - - //KeyStorePassword optional - //if (StringUtils.isEmpty(this.keyPassword)) - // throw new SAMLException("No keyPassword specified"); - - KeyStore ks; - try { - ks = KeyStoreUtils.loadKeyStore(this.keyStorePath, this.keyStorePassword); - } catch (Exception e) { - log.error("Failed to load keystore information", e); - throw new SAMLException(e); - } - - //return new KeyStoreX509CredentialAdapter(ks, keyName, keyPwd.toCharArray()); - BasicX509Credential credential = null; - try { - java.security.cert.X509Certificate certificate = (X509Certificate) ks.getCertificate(this.keyName); - PrivateKey privateKey = (PrivateKey) ks.getKey(this.keyName, this.keyPassword.toCharArray()); - credential = new BasicX509Credential(); - credential.setEntityCertificate(certificate); - credential.setPrivateKey(privateKey); - - } catch (Exception e) { - log.error("Error retrieving signing credentials.", e); - throw new SAMLException(e); - } - - return credential; - - } - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java deleted file mode 100644 index dcd1a8a1a..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java +++ /dev/null @@ -1,263 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -/** - * - */ -package at.gv.egovernment.moa.id.auth.stork; - -import java.util.List; - -import org.joda.time.DateTime; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.Audience; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.SubjectConfirmation; -import org.opensaml.saml2.core.SubjectConfirmationData; -import org.opensaml.saml2.metadata.RequestedAttribute; - -import at.gv.egovernment.moa.logging.Logger; -import eu.stork.vidp.messages.saml.STORKAttribute; -import eu.stork.vidp.messages.util.SAMLUtil; - -/** - * Verifies the SAML assertion according to the STORK specification - * @author bzwattendorfer - * - */ -public class PEPSConnectorAssertionVerifier implements AssertionVerifier { - - private static final int CLOCK_SKEW_MINUTES = 5; - - private static final boolean IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY = false; - - /* (non-Javadoc) - * @see eu.stork.mw.peps.connector.validation.AssertionVerifier#verifyAssertion(org.opensaml.saml2.core.Assertion, java.lang.String, java.lang.String, java.lang.String) - */ - public void verify(Assertion assertion, String reqIPAddress, - String authnRequestID, String recipient, String audience, List reqAttrList) throws SecurityException { - - //SAML assertion need not to be signed, skipping signature validation - - verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient); - - Logger.debug("SubjectConfirmationData successfully verified"); - - verifyConditions(assertion, audience); - - Logger.debug("Conditions successfully verified"); - } - - - private void verifySubjectConfirmation(Assertion assertion, String reqAddress, String requestID, String recipient) throws SecurityException { - for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) { - verifySubjectConfirmationData(sc.getSubjectConfirmationData(), reqAddress, requestID, recipient); - } - - } - - private void verifySubjectConfirmationData(SubjectConfirmationData scData, String reqAddress, String requestID, String recipient) throws SecurityException { - //NotBefore not allowed in SSO profile - verifyNotOnOrAfter(scData.getNotOnOrAfter()); - - Logger.trace("NotOnOrAfter successfully verified"); - - if(IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY) { - verifyClientAddress(scData, reqAddress); - Logger.trace("User's client IP address successfully verified."); - } else { - Logger.warn("User's client IP address will not be verified."); - } - - verifyRecipient(scData, recipient); - Logger.trace("Recipient successfully verified"); - - verifyInResponseTo(scData, requestID); - Logger.trace("InResponseTo successfully verified"); - - } - - private void verifyNotBefore(DateTime notBefore) throws SecurityException { - if (notBefore.minusMinutes(CLOCK_SKEW_MINUTES).isAfterNow()) { - String msg = "Subject/Assertion not yet valid, Timestamp: "; - Logger.error(msg + notBefore); - throw new SecurityException(msg); - } - - Logger.trace("Subject/Assertion already valid, notBefore: " + notBefore); - - } - - private void verifyNotOnOrAfter(DateTime notOnOrAfter) throws SecurityException { - if (notOnOrAfter.plusMinutes(CLOCK_SKEW_MINUTES).isBeforeNow()) { - String msg = "Subject/Assertion no longer valid."; - Logger.error(msg); - throw new SecurityException(msg); - } - - Logger.trace("Subject/Assertion still valid, notOnOrAfter: " + notOnOrAfter); - } - - private void verifyClientAddress(SubjectConfirmationData scData, String reqAddress) throws SecurityException { - if (!reqAddress.equals(scData.getAddress())) { - String msg = "Response coming from wrong Client-Address"; - Logger.error("Response coming from wrong Client-Address " + reqAddress + ", expected " + scData.getAddress()); - throw new SecurityException(msg); - } - - } - - private void verifyInResponseTo(SubjectConfirmationData scData, String requestID) throws SecurityException { - if (!scData.getInResponseTo().equals(requestID)) { - String msg = "Assertion issued for wrong request"; - Logger.error(msg); - throw new SecurityException(msg); - } - } - - private void verifyRecipient(SubjectConfirmationData scData, String reqRecipient) throws SecurityException { - if (!scData.getRecipient().equals(reqRecipient)) { - String msg = "Assertion intended for another recipient"; - Logger.error("Assertion intended for recipient " + scData.getRecipient() + "but expected " + reqRecipient); - throw new SecurityException(msg); - } - - } - - private void verifyAudience(AudienceRestriction audienceRestriction, String reqAudience) throws SecurityException { - for (Audience audience : audienceRestriction.getAudiences()) { - if (audience.getAudienceURI().equals(reqAudience)) - return; - } - String msg = "Assertion sent to wrong audience"; - Logger.error("Assertion intended for wrong audience, expected " + reqAudience); - throw new SecurityException(msg); - } - - private void verifyOneTimeUse(String assertionID) { - //not necessarily required to check since notBefore and notOnOrAfter are verified - //check response Store for already existing assertion - - } - - private void verifyConditions(Assertion assertion, String reqAudience) throws SecurityException { - Conditions conditions = assertion.getConditions(); - - verifyNotBefore(conditions.getNotBefore()); - Logger.trace("NotBefore successfully verified"); - - verifyNotOnOrAfter(conditions.getNotOnOrAfter()); - Logger.trace("NotOnOrAfter successfully verified"); - - verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience); - - Logger.trace("Audience successfully verified"); - - } - - public static void validateRequiredAttributes( - List reqAttrList, - List attrList) - throws STORKException { - - Logger.debug("Starting required attribute validation"); - - if (reqAttrList == null || reqAttrList.isEmpty()) { - Logger.error("Requested Attributes list is empty."); - throw new STORKException("No attributes have been requested"); - } - - if (attrList == null || attrList.isEmpty()) { - Logger.error("STORK AttributeStatement is empty."); - throw new STORKException("No attributes have been received"); - } - - Logger.trace("These attributes have been requested and received: "); - int count = 0; - for (RequestedAttribute reqAttr : reqAttrList) { - Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired()); - for(Attribute attr : attrList) { - if (verifyRequestedAttribute(reqAttr, attr)) - count++; - } - } - - int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList); - Logger.trace("Number of requested required attributes: " + numRequiredReqAttr); - Logger.trace("Number of received required attributes: " + count); - - if (count != numRequiredReqAttr) { - Logger.error("Not all required attributes have been received"); - throw new STORKException("Not all required attributes have been received"); - } - Logger.debug("Received all required attributes!"); - - } - - private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) { - - if ((reqAttr.getName()).equals(attr.getName())) { - if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) { - Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr)); - return true; - } - } - return false; - } - - private static int getNumberOfRequiredAttributes(List reqAttrList) { - int count = 0; - for (RequestedAttribute reqAttr : reqAttrList) - if (reqAttr.isRequired()) count++; - - return count; - } - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java deleted file mode 100644 index f9589950f..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java +++ /dev/null @@ -1,182 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -/** - * - */ -package at.gv.egovernment.moa.id.auth.stork; - -import org.opensaml.xml.validation.ValidationException; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; -import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.ServiceException; -import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; -import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.util.XMLUtil; -import at.gv.egovernment.moa.logging.Logger; -import eu.stork.mw.messages.saml.STORKResponse; -import eu.stork.vidp.messages.exception.SAMLValidationException; -import eu.stork.vidp.messages.util.SAMLUtil; - -/** - * Verifies the SMAL response according to the STORK specification - * @author bzwattendorfer - * - */ -public class PEPSConnectorResponseVerifier implements ResponseVerifier { - - - /* (non-Javadoc) - * @see eu.stork.mw.peps.connector.validation.ResponseVerifier#verify(org.opensaml.saml2.core.Response) - */ - public void verify(STORKResponse response) throws SecurityException { - - verifySignature(response); - Logger.debug("Signature of SAML response valid."); - - verifyStandardValidation(response); - - Logger.debug("SAML response format valid."); - - } - - - private void verifySignature(STORKResponse response) throws SecurityException { - //validate Signature - try { - if (response.isSigned()) { - - String trustProfileID = AuthConfigurationProvider.getInstance().getStorkConfig().getSignatureVerificationParameter().getTrustProfileID(); - - Logger.trace("Starting validation of Signature references"); - try { - SAMLUtil.validateSignatureReferences(response); - } catch (ValidationException e) { - Logger.error("Validation of XML Signature refrences failed: " + e.getMessage()); - throw new SecurityException(e); - } - Logger.debug("XML Signature references are OK."); - - Logger.debug("Invoking MOA-SP with TrustProfileID: " + trustProfileID); - - // builds a for a call of MOA-SP - Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() - .build(XMLUtil.printXML(response.getDOM()).getBytes(), trustProfileID); - - Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); - - Logger.trace("Calling MOA-SP"); - // invokes the call - Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() - .verifyXMLSignature(domVerifyXMLSignatureRequest); - - // parses the - VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( - domVerifyXMLSignatureResponse).parseData(); - - Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP"); - - if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) { - String msg = "Signature of SAMLResponse not valid"; - Logger.error(msg); - throw new SecurityException(msg); - } - - Logger.debug("Signature of SAML response successfully verified"); - - if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { - String msg = "Certificate of SAMLResponse not valid"; - Logger.error(msg); - throw new SecurityException(msg); - } - - Logger.debug("Signing certificate of SAML response succesfully verified"); - - } else { - String msg = "SAML Response is not signed."; - throw new SecurityException(msg); - } - - } catch (ConfigurationException e) { - String msg = "Unable to load STORK configuration for STORK SAML Response signature verification."; - Logger.error(msg, e); - throw new SecurityException(msg, e); - } catch (ParseException e) { - String msg = "Unable to parse VerifyXMLSignature Request or Response."; - Logger.error(msg, e); - throw new SecurityException(msg, e); - } catch (BuildException e) { - String msg = "Unable to parse VerifyXMLSignature Request or Response."; - Logger.error(msg, e); - throw new SecurityException(msg, e); - } catch (ServiceException e) { - String msg = "Unable to invoke MOA-SP."; - Logger.error(msg, e); - throw new SecurityException(msg, e); - } - - } - - private void verifyStandardValidation(STORKResponse response) throws SecurityException { - try { - SAMLUtil.verifySAMLObjectStandardValidation(response, "saml2-core-schema-and-stork-validator"); - } catch (SAMLValidationException e) { - String msg ="SAML Response received not valid."; - throw new SecurityException(msg, e); - } - - } - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java deleted file mode 100644 index ea3d4101b..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java +++ /dev/null @@ -1,66 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.stork; - -import eu.stork.mw.messages.saml.STORKResponse; - -/** - * Interface to be implemented for SAML response verification - * @author bzwattendorfer - * - */ -public interface ResponseVerifier { - - /** - * Verifies a STORK response - * @param response STORK response - * @throws SecurityException - */ - public void verify(STORKResponse response) throws SecurityException; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java deleted file mode 100644 index 5dc615b6c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java +++ /dev/null @@ -1,187 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/** - * - */ -package at.gv.egovernment.moa.id.auth.stork; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.apache.velocity.app.VelocityEngine; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.Endpoint; -import org.opensaml.ws.transport.http.HTTPOutTransport; -import org.opensaml.ws.transport.http.HttpServletResponseAdapter; -import org.opensaml.xml.security.credential.Credential; - -import at.gv.egovernment.moa.logging.Logger; -import eu.stork.mw.messages.saml.STORKAuthnRequest; -import eu.stork.vidp.messages.builder.STORKMessagesBuilder; -import eu.stork.vidp.messages.exception.SAMLException; -import eu.stork.vidp.messages.exception.SAMLValidationException; -import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; -import eu.stork.vidp.messages.stork.RequestedAttributes; -import eu.stork.vidp.messages.util.SAMLUtil; - -/** - * Class handling all necessary functionality for STORK AuthnRequest processing - * - * @author bzwattendorfer - * - */ -public class STORKAuthnRequestProcessor { - - /** - * Creates a STORK AuthnRequest - * @param destination Destination URL - * @param acsURL Assertion Consumer Service URL - * @param providerName SP Provider Name - * @param issuerValue Issuer Name - * @param qaaLevel STORK QAALevel to be requested - * @param requestedAttributes Requested Attributes to be requested - * @param spSector Sp Sector - * @param spInstitution SP Institution - * @param spApplication SP Application - * @param spCountry SP Country - * @param textToBeSigned text to be included in signedDoc element - * @param mimeType mimeType for the text to be signed in signedDoc - * @return STORK AuthnRequest - */ - public static STORKAuthnRequest generateSTORKAuthnRequest( - String destination, - String acsURL, - String providerName, - String issuerValue, - QualityAuthenticationAssuranceLevel qaaLevel, - RequestedAttributes requestedAttributes, - String spSector, - String spInstitution, - String spApplication, - String spCountry, - String textToBeSigned, - String mimeType) { - - - STORKAuthnRequest storkAuthnRequest = - STORKMessagesBuilder.buildSTORKAuthnRequest( - destination, - acsURL, - providerName, - issuerValue, - qaaLevel, - requestedAttributes, - spSector, - spInstitution, - spApplication, - spCountry); - - STORKMessagesBuilder.buildAndAddSignatureRequestToAuthnRequest(storkAuthnRequest, textToBeSigned, mimeType, true); - - Logger.debug("Added signedDoc attribute to STORK AuthnRequest"); - - return storkAuthnRequest; - - } - - /** - * Signs a STORK AuthnRequest - * @param storkAuthnRequest STORK AuthRequest to sign - * @param keyStorePath KeyStorePath to the signing key - * @param keyStorePassword KeyStore Password - * @param keyName Signing key name - * @param keyPassword Signing key password - * @return Signed STORK AuthnRequest - * @throws SAMLException - */ - public static STORKAuthnRequest signSTORKAuthnRequest( - STORKAuthnRequest storkAuthnRequest, - String keyStorePath, - String keyStorePassword, - String keyName, - String keyPassword) throws SAMLException { - - Logger.trace("Building Credential Provider for signing process"); - - CredentialProvider credentialProvider = new KeyStoreCredentialProvider(keyStorePath, keyStorePassword, keyName, keyPassword); - - Credential credential = credentialProvider.getCredential(); - - Logger.trace("Credentials found"); - - SAMLUtil.signSAMLObject(storkAuthnRequest, credential); - - return storkAuthnRequest; - } - - /** - * Validates a STORK AuthnRequest - * @param storkAuthnRequest STORK AuthnRequest to validate - * @throws SAMLValidationException - */ - public static void validateSTORKAuthnRequest(STORKAuthnRequest storkAuthnRequest) throws SAMLValidationException { - - SAMLUtil.verifySAMLObjectStandardValidation(storkAuthnRequest, "saml2-core-schema-and-stork-validator"); - - } - - /** - * Sends a STORK AuthnRequest (Endpoint taken out of AuthnRequest) - * @param request HttpServletRequest - * @param response HttpServletResponse - * @param storkAuthnRequest STORK AuthnRequest to send - * @throws Exception - */ - public static void sendSTORKAuthnRequest(HttpServletRequest request, HttpServletResponse response, STORKAuthnRequest storkAuthnRequest) throws Exception { - - Logger.trace("Create endpoint..."); - Endpoint endpoint = STORKMessagesBuilder.buildSAMLObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME); - endpoint.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); - endpoint.setLocation(storkAuthnRequest.getDestination()); - - - Logger.trace("Prepare SAMLMessageContext..."); - HTTPOutTransport outTransport = new HttpServletResponseAdapter(response, request.isSecure()); - BasicSAMLMessageContext samlMessageContext = new BasicSAMLMessageContext(); - samlMessageContext.setOutboundMessageTransport(outTransport); - samlMessageContext.setPeerEntityEndpoint(endpoint); - - Logger.trace("Set STORK SAML AuthnRequest to SAMLMessageContext..."); - samlMessageContext.setOutboundSAMLMessage(storkAuthnRequest); - - Logger.trace("Initialize VelocityEngine..."); - - VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); - -// HTTPPostEncoder encoder = new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm"); - HTTPPostEncoder encoder = new HTTPPostEncoder(velocityEngine, "/saml2-post-binding-moa.vm"); - - Logger.trace("HTTP-Post encode SAMLMessageContext..."); - encoder.encode(samlMessageContext); - } - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 1fa7e5eb2..1804b5fd5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -63,6 +63,7 @@ import javax.xml.bind.JAXBContext; import javax.xml.bind.Unmarshaller; import org.hibernate.cfg.Configuration; +import org.opensaml.DefaultBootstrap; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; @@ -363,9 +364,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //Initialize OpenSAML for STORK -// Logger.info("Starting initialization of OpenSAML..."); -// STORKBootstrap.bootstrap(); -// Logger.debug("OpenSAML successfully initialized"); + Logger.info("Starting initialization of OpenSAML..."); + DefaultBootstrap.bootstrap(); + Logger.debug("OpenSAML successfully initialized"); String legacyconfig = props.getProperty("configuration.xml.legacy"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 998e28f6a..7a38e2afd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -273,7 +273,12 @@ public boolean isOnlyMandateAllowed() { * @return true, if is we should show stork login */ public boolean isShowStorkLogin() { - return oa_auth.getOASTORK().isStorkLogonEnabled(); + try { + return oa_auth.getOASTORK().isStorkLogonEnabled(); + + } catch (NullPointerException e) { + return false; + } } public Map getFormCustomizaten() { @@ -322,7 +327,12 @@ public Map getFormCustomizaten() { } public Integer getQaaLevel() { - return oa_auth.getOASTORK().getQaa(); + + if (oa_auth.getOASTORK() != null && oa_auth.getOASTORK().getQaa() != null) + return oa_auth.getOASTORK().getQaa(); + + else + return 4; } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 5b4843752..0172cce2d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; public interface PVPConstants { + public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/"; public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1"; public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2"; public static final String STORK_QAA_1_3 = "http://www.stork.gov.eu/1.0/citizenQAALevel/3"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 28299871c..7c9cc6259 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -25,7 +25,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 17f76d35a..bc90da8df 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -74,6 +74,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedExcept import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.id.util.QAALevelVerifier; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -89,45 +90,59 @@ public class PVP2AssertionBuilder implements PVPConstants { AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter( + peerEntity.getEntityID()); + if (reqAuthnContext == null) { authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); - } else { + } - boolean stork_qaa_1_4_found = false; + boolean stork_qaa_1_4_found = false; + + List reqAuthnContextClassRefIt = reqAuthnContext + .getAuthnContextClassRefs(); - List reqAuthnContextClassRefIt = reqAuthnContext - .getAuthnContextClassRefs(); + if (reqAuthnContextClassRefIt.size() == 0) { + + QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + STORK_QAA_1_4); - if (reqAuthnContextClassRefIt.size() == 0) { - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); - - } else { - for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { - String qaa_uri = authnClassRef.getAuthnContextClassRef(); - if (qaa_uri.trim().equals(STORK_QAA_1_4) - || qaa_uri.trim().equals(STORK_QAA_1_3) - || qaa_uri.trim().equals(STORK_QAA_1_2) - || qaa_uri.trim().equals(STORK_QAA_1_1)) { - - if (authSession.isForeigner()) { - //TODO: insert QAA check - - stork_qaa_1_4_found = false; - - } else { - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); - } - break; + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + + } else { + for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { + String qaa_uri = authnClassRef.getAuthnContextClassRef(); + if (qaa_uri.trim().equals(STORK_QAA_1_4) + || qaa_uri.trim().equals(STORK_QAA_1_3) + || qaa_uri.trim().equals(STORK_QAA_1_2) + || qaa_uri.trim().equals(STORK_QAA_1_1)) { + + if (authSession.isForeigner()) { + QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + STORK_QAA_PREFIX + oaParam.getQaaLevel()); + + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + + } else { + + QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + qaa_uri.trim()); + + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + } + break; } } - - if (!stork_qaa_1_4_found) { - throw new QAANotSupportedException(STORK_QAA_1_4); - } + } + + if (!stork_qaa_1_4_found) { + throw new QAANotSupportedException(STORK_QAA_1_4); } // reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs() @@ -209,12 +224,6 @@ public class PVP2AssertionBuilder implements PVPConstants { * null, true); } } */ - // TODO: LOAD oaParam from request and not from MOASession in case of - // SSO - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter( - peerEntity.getEntityID()); - AuthenticationData authData = AuthenticationServer .buildAuthenticationData(authSession, oaParam, oaParam.getTarget()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java index 523063c6e..f3d815e7d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class BirthdateAttributeBuilder implements IPVPAttributeBuilder { @@ -44,11 +45,19 @@ public class BirthdateAttributeBuilder implements IPVPAttributeBuilder { IAttributeGenerator g) throws AttributeException { try { DateFormat identityLinkFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); - Date date = identityLinkFormat.parse(authSession.getIdentityLink().getDateOfBirth()); - DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN); - String dateString = pvpDateFormat.format(date); - return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); + if (MiscUtil.isNotEmpty(authSession.getIdentityLink().getDateOfBirth())) { + Date date = identityLinkFormat.parse(authSession.getIdentityLink().getDateOfBirth()); + DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN); + String dateString = pvpDateFormat.format(date); + + return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); + + } else { + //build empty attribute if no Birthday date is found (STORK2) + return g.buildEmptyAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME); + + } //return buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index d318792f1..f4b48ece3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -22,14 +22,11 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; -import java.io.IOException; import java.util.ArrayList; -import java.util.Date; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.xml.transform.TransformerException; import org.joda.time.DateTime; import org.opensaml.Configuration; @@ -40,12 +37,10 @@ import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.Issuer; import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder; import org.opensaml.saml2.encryption.Encrypter; import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCriteria; @@ -54,17 +49,13 @@ import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.encryption.EncryptionException; import org.opensaml.xml.encryption.EncryptionParameters; import org.opensaml.xml.encryption.KeyEncryptionParameters; -import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; -import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xml.security.x509.X509Credential; -import org.opensaml.xml.signature.KeyInfo; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -80,7 +71,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index 1963115da..e3e25b1a9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -37,7 +37,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; -import at.gv.egovernment.moa.util.MiscUtil; public class CredentialProvider { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java index d398ca533..f0ae6f446 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -113,10 +113,12 @@ public class MetadataSignatureFilter implements MetadataFilter { throw new MOAIDException("Root element of metadata file has to be signed", null); } processEntitiesDescriptor(entitiesDescriptor); - } /*else if (metadata instanceof EntityDescriptor) { + + } else if (metadata instanceof EntityDescriptor) { EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; processEntityDescriptorr(entityDescriptor); - } */else { + + } else { throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java index e48c7bb98..67a91f6e1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java @@ -34,36 +34,36 @@ import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; -import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; +//import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; +//import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; public class TrustEngineFactory { - public static SignatureTrustEngine getSignatureTrustEngine() { - try { - MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver( - MOAMetadataProvider.getInstance()); - - List keyInfoProvider = new ArrayList(); - keyInfoProvider.add(new DSAKeyValueProvider()); - keyInfoProvider.add(new RSAKeyValueProvider()); - keyInfoProvider.add(new InlineX509DataProvider()); - - KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( - keyInfoProvider); - - PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine( - mdResolver, keyInfoResolver); - - return engine; - - } catch (Exception e) { - e.printStackTrace(); - return null; - } - } +// public static SignatureTrustEngine getSignatureTrustEngine() { +// try { +// MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver( +// MOAMetadataProvider.getInstance()); +// +// List keyInfoProvider = new ArrayList(); +// keyInfoProvider.add(new DSAKeyValueProvider()); +// keyInfoProvider.add(new RSAKeyValueProvider()); +// keyInfoProvider.add(new InlineX509DataProvider()); +// +// KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( +// keyInfoProvider); +// +// PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine( +// mdResolver, keyInfoResolver); +// +// return engine; +// +// } catch (Exception e) { +// e.printStackTrace(); +// return null; +// } +// } public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() { MetadataCredentialResolver resolver; -- cgit v1.2.3