From 6e409edd540fb7e2bb6a66f14adeb72e550669c1 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Wed, 2 Jul 2014 16:02:45 +0200 Subject: added support for splitting authnrequest &signrequest --- .../moa/id/auth/AuthenticationServer.java | 44 +- .../moa/id/auth/data/AuthenticationSession.java | 57 +- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 8 +- .../PEPSConnectorWithLocalSigningServlet.java | 790 +++++++++++++++++++++ .../gv/egovernment/moa/id/config/stork/CPEPS.java | 20 +- .../moa/id/config/stork/STORKConfig.java | 2 +- .../id/protocols/stork2/AuthenticationRequest.java | 46 +- .../SignedDocAttributeRequestProvider.java | 8 +- 8 files changed, 925 insertions(+), 50 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a8cf5014f..c2eefa3d8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -76,6 +76,7 @@ import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; +import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -1795,12 +1796,37 @@ public class AuthenticationServer implements MOAIDAuthConstants { PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName("signedDoc"); List value = new ArrayList(); - value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), - "application/xhtml+xml", - moasession.getCcc())); - newAttribute.setValue(value); - attributeList.add(newAttribute); - + + Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported()); + if(cpeps.isXMLSignatureSupported())//Send SignRequest to PEPS + { + value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", moasession.getCcc())); + newAttribute.setValue(value); + attributeList.add(newAttribute); + } + else//Process SignRequest locally with MOCCA + { + String target = moasession.getTarget(); + moasession.setTarget("AT"); + String signedDoc = (generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", "AT"));//moasession.getCcc() + moasession.setTarget(target); + Logger.warn("signedDoc to store:"+signedDoc); + //attributeList.add(newAttribute); + + //store SignRequest for later... + moasession.setSignedDoc(signedDoc); + + acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + try { + AuthenticationSessionStoreage.storeSession(moasession); + } catch (MOADatabaseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + } if (Logger.isDebugEnabled()) { Logger.debug("The following attributes are requested for this OA:"); @@ -1817,7 +1843,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { //generate AuthnRquest STORKAuthnRequest authnRequest = new STORKAuthnRequest(); authnRequest.setDestination(destination); - authnRequest.setAssertionConsumerServiceURL(acsURL); + authnRequest.setAssertionConsumerServiceURL(acsURL);//PEPSConnectorWithLocalSigning authnRequest.setProviderName(providerName); authnRequest.setIssuer(issuerValue); authnRequest.setQaa(oaParam.getQaaLevel()); @@ -1834,7 +1860,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { authnRequest.setCitizenCountryCode(moasession.getCcc()); - Logger.debug("STORK AuthnRequest succesfully assembled."); STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); @@ -1842,7 +1867,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (samlEngine == null) { Logger.error("Could not initalize STORK SAML engine."); throw new MOAIDException("stork.00", null); - } try { @@ -1905,7 +1929,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { idGenerator = new SecureRandomIdentifierGenerator(); DocumentType doc = new DocumentType(); - doc.setBase64XML(text.getBytes()); + doc.setBase64XML(text.getBytes("UTF-8")); doc.setID(idGenerator.generateIdentifier()); SignRequest request = new SignRequest(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 8726c1618..26c22fb4a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -51,6 +51,7 @@ import org.w3c.dom.Element; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; @@ -291,9 +292,58 @@ public class AuthenticationSession implements Serializable { private boolean isForeigner; private IPersonalAttributeList storkAttributes; - + + + //Temporary store SignRequest for local processing + private String signedDoc; + //Temporary store SAMLResponse for processing after user signed signedDoc locally + private String SAMLResponse; + // + private StringBuffer returnURL; + private IPersonalAttributeList authnResponseGetPersonalAttributeList; + private String authnContextClassRef; // private String requestedProtocolURL = null; + public String getAuthnContextClassRef() { + return authnContextClassRef; + } + + public void setAuthnContextClassRef(String authnContextClassRef) { + this.authnContextClassRef = authnContextClassRef; + } + + public IPersonalAttributeList getAuthnResponseGetPersonalAttributeList() { + return authnResponseGetPersonalAttributeList; + } + + public void setAuthnResponseGetPersonalAttributeList(IPersonalAttributeList authnResponseGetPersonalAttributeList) { + this.authnResponseGetPersonalAttributeList = authnResponseGetPersonalAttributeList; + } + + public String getSAMLResponse() { + return SAMLResponse; + } + + public void setSAMLResponse(String samlResponse) { + SAMLResponse = samlResponse; + } + + public StringBuffer getReturnURL() { + return returnURL; + } + + public void setReturnURL(StringBuffer returnURL) { + this.returnURL = returnURL; + } + + public String getSignedDoc() { + return signedDoc; + } + + public void setSignedDoc(String signedDoc) { + this.signedDoc = signedDoc; + } + public String getModul() { return modul; } @@ -1060,9 +1110,6 @@ public class AuthenticationSession implements Serializable { */ public Date getSessionCreated() { return sessionCreated; - } - - - + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index a82a51d07..0ba144b80 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -23,16 +23,17 @@ package at.gv.egovernment.moa.id.auth.servlet; import iaik.x509.X509Certificate; + import java.io.IOException; import java.io.InputStream; import java.io.StringWriter; import java.util.ArrayList; + import javax.activation.DataSource; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBElement; import javax.xml.transform.stream.StreamSource; @@ -50,18 +51,15 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.ModulUtils; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.StringUtils; @@ -188,7 +186,6 @@ public class PEPSConnectorServlet extends AuthServlet { //load MOASession from database AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); - //change MOASessionID moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); @@ -248,6 +245,7 @@ public class PEPSConnectorServlet extends AuthServlet { String citizenSignature = null; try { String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); // fetch signed doc diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java new file mode 100644 index 000000000..ee0ae4b87 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -0,0 +1,790 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +package at.gv.egovernment.moa.id.auth.servlet; + +import iaik.x509.X509Certificate; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.StringWriter; +import java.io.UnsupportedEncodingException; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import javax.activation.DataSource; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Source; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.stream.StreamSource; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.velocity.Template; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; +import org.opensaml.saml2.core.StatusCode; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.BKUException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.exception.ServiceException; +import at.gv.egovernment.moa.id.auth.stork.STORKException; +import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.VelocityProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.SignatureVerificationService; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureLocation; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.xmldsig.SignatureType; +import at.gv.util.xsd.xmldsig.X509DataType; +import eu.stork.oasisdss.api.ApiUtils; +import eu.stork.oasisdss.api.LightweightSourceResolver; +import eu.stork.oasisdss.api.exceptions.ApiUtilsException; +import eu.stork.oasisdss.api.exceptions.UtilsException; +import eu.stork.oasisdss.profile.SignRequest; +import eu.stork.oasisdss.profile.SignResponse; +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.PEPSUtil; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse; +import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.exceptions.STORKSAMLEngineException; +//import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; + +/** + * Endpoint for receiving STORK response messages + */ +public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { + private static final long serialVersionUID = 1L; + + public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnectorWithLocalSigning"; + + private String oasisDssWebFormURL = "http://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//TODO load from config + + + /** + * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) + */ + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + super.doGet(request, response); + } + + /** + * Handles the reception of a STORK response message + * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) + */ + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException + { + String moaSessionID1 = request.getParameter("moaSessionID"); + String signResponse = request.getParameter("signresponse"); + Logger.info("moaSessionID1:"+moaSessionID1); + Logger.info("signResponse:"+signResponse); + if(moaSessionID1!=null) + { + if(signResponse!=null) + { + //redirect from oasis with signresponse + handleSignResponse(request, response); + } + else + { + //should not occur + throw new IOException("should not occur"); + } + } + else + { + if(signResponse!=null) + { + //should not occur + throw new IOException("should not occur"); + } + else + { + //normal saml response + handleSAMLResponse(request, response); + } + } + return; + } + + private void handleSignResponse(HttpServletRequest request, HttpServletResponse response) { + Logger.info("handleSignResponse started"); + String moaSessionID = request.getParameter("moaSessionID"); + String signResponse = request.getParameter("signresponse"); + Logger.info("moaSessionID:"+moaSessionID); + Logger.info("signResponse:"+signResponse); + String pendingRequestID = null; + try{ + + + //load MOASession from database + AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); + //change MOASessionID + moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); + Logger.info("pendingRequestID:"+pendingRequestID); + String signResponseString = new String(Base64.decodeBase64(signResponse), "UTF8"); + Logger.info("RECEIVED signresponse:"+signResponseString); + //create SignResponse object + Source response1 = new StreamSource(new java.io.StringReader(signResponseString)); + SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class); + + // SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(Base64.signResponse))); + + String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + + // memorize signature into authblock + moaSession.setAuthBlock(citizenSignature); + + X509Certificate cert = getSignerCertificate(citizenSignature); + moaSession.setSignerCertificate(cert); + VerifyXMLSignatureResponse xMLVerifySignatureResponse = verifyXMLSignature(citizenSignature); + at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse tmp = convert(xMLVerifySignatureResponse); + + + moaSession.setXMLVerifySignatureResponse(tmp); + try{ + IPersonalAttributeList personalAttributeList = moaSession.getAuthnResponseGetPersonalAttributeList(); + //Add signResponse + List values = new ArrayList(); + //values.add(signResponseString); + values.add(citizenSignature); + Logger.debug("Assembling signedDoc attribute"); + PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, + "Available"); + personalAttributeList.add(signedDocAttribute); + + String authnContextClassRef = moaSession.getAuthnContextClassRef(); + SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef); + } catch (STORKException e) { + // this is really nasty but we work against the system here. We are supposed to get the gender attribute from + // stork. If we do not, we cannot register the person in the ERnP - we have to have the + // gender for the represented person. So here comes the dirty hack. + if(e.getCause() instanceof STORKException && e.getCause().getMessage().equals("gender not found in response")) { + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html"); + VelocityContext context = new VelocityContext(); + context.put("SAMLResponse", request.getParameter("SAMLResponse")); + context.put("action", request.getRequestURL()); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + response.getOutputStream().write(writer.toString().getBytes()); + } catch (Exception e1) { + Logger.error("Error sending gender retrival form.", e1); + // httpSession.invalidate(); + throw new MOAIDException("stork.10", null); + } + + return; + } + + Logger.error("Error connecting SZR Gateway", e); + throw new MOAIDException("stork.10", null); + } + + Logger.debug("Add full STORK AuthnResponse to MOA session"); + moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? + + //session is implicit stored in changeSessionID!!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID); + + //redirect + String redirectURL = null; + redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(), + ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); + redirectURL = response.encodeRedirectURL(redirectURL); + + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", redirectURL); + Logger.info("REDIRECT TO: " + redirectURL); + + } catch (AuthenticationException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (MOAIDException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (Exception e) { + Logger.error("PEPSConnector has an interal Error.", e); + } + + finally { + ConfigurationDBUtils.closeSession(); + } + } + + private void handleSAMLResponse(HttpServletRequest request, HttpServletResponse response) { + Logger.info("handleSAMLResponse started"); + String pendingRequestID = null; + + try { + Logger.info("PEPSConnector Servlet invoked, expecting C-PEPS message."); + Logger.debug("This ACS endpoint is: " + HTTPUtils.getBaseURL(request)); + + super.setNoCachingHeadersInHttpRespone(request, response); + Logger.trace("No Caching headers set for HTTP response"); + + //check if https or only http + super.checkIfHTTPisAllowed(request.getRequestURL().toString()); + + Logger.debug("Beginning to extract SAMLResponse out of HTTP Request"); + + //extract STORK Response from HTTP Request + //Decodes SAML Response + byte[] decSamlToken; + try { + decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse")); + Logger.debug("SAMLResponse: " + new String(decSamlToken)); + + } catch(NullPointerException e) { + Logger.error("Unable to retrieve STORK Response", e); + throw new MOAIDException("stork.04", null); + } + + //Get SAMLEngine instance + STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing"); + + STORKAuthnResponse authnResponse = null; + try { + //validate SAML Token + Logger.debug("Starting validation of SAML response"); + authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); + Logger.info("SAML response succesfully verified!"); + }catch(STORKSAMLEngineException e){ + Logger.error("Failed to verify STORK SAML Response", e); + throw new MOAIDException("stork.05", null); + } + + Logger.info("STORK SAML Response message succesfully extracted"); + Logger.debug("STORK response: "); + Logger.debug(authnResponse.toString()); + + Logger.debug("Trying to find MOA Session-ID ..."); + //String moaSessionID = request.getParameter(PARAM_SESSIONID); + //first use SAML2 relayState + String moaSessionID = request.getParameter("RelayState"); + + // escape parameter strings + moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); + + //check if SAML2 relaystate includes a MOA sessionID + if (StringUtils.isEmpty(moaSessionID)) { + //if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier + + moaSessionID = authnResponse.getInResponseTo(); + moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); + + if (StringUtils.isEmpty(moaSessionID)) { + //No authentication session has been started before + Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started"); + Logger.debug("PEPSConnectorURL was: " + request.getRequestURL()); + throw new AuthenticationException("auth.02", new Object[] { moaSessionID }); + + } else + Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute."); + + } else + //Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter."); + Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState."); + + /*INFO!!!! + * SAML message IDs has an different format then MOASessionIDs + * This is only a workaround because many PEPS does not support SAML2 relayState or + * MOASessionID as AttributConsumerServiceURL GET parameter + */ + // if (!ParamValidatorUtils.isValidSessionID(moaSessionID)) + // throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12"); + + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); + + //load MOASession from database + AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); + //change MOASessionID + moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + Logger.info("Found MOA sessionID: " + moaSessionID); + + + + String statusCodeValue = authnResponse.getStatusCode(); + + if (!statusCodeValue.equals(StatusCode.SUCCESS_URI)) { + Logger.error("Received ErrorResponse from PEPS: " + statusCodeValue); + throw new MOAIDException("stork.06", new Object[] { statusCodeValue }); + } + + Logger.info("Got SAML response with authentication success message."); + + Logger.debug("MOA session is still valid"); + + STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest(); + + if (storkAuthnRequest == null) { + Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); + throw new MOAIDException("stork.07", null); + } + + Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); + + ////////////// incorporate gender from parameters if not in stork response + + IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + + // but first, check if we have a representation case + if(STORKResponseProcessor.hasAttribute("mandateContent", attributeList) || STORKResponseProcessor.hasAttribute("representative", attributeList) || STORKResponseProcessor.hasAttribute("represented", attributeList)) { + // in a representation case... + moaSession.setUseMandate("true"); + + // and check if we have the gender value + PersonalAttribute gender = attributeList.get("gender"); + if(null == gender) { + String gendervalue = (String) request.getParameter("gender"); + if(null != gendervalue) { + gender = new PersonalAttribute(); + gender.setName("gender"); + ArrayList tmp = new ArrayList(); + tmp.add(gendervalue); + gender.setValue(tmp); + + authnResponse.getPersonalAttributeList().add(gender); + } + } + } + + ////////////////////////////////////////////////////////////////////////// + + Logger.debug("Starting extraction of signedDoc attribute"); + //extract signed doc element and citizen signature + String citizenSignature = null; + try { + PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); + String signatureInfo = null; + if(signedDoc!=null) + { + signatureInfo = signedDoc.getValue().get(0); + //should not occur + } + else + { + + //store SAMLResponse + moaSession.setSAMLResponse(request.getParameter("SAMLResponse")); + //store authnResponse + + //moaSession.setAuthnResponse(authnResponse);//not serializable + moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList()); + + String authnContextClassRef = null; + try { + authnContextClassRef = authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef(); + } catch (Throwable e) { + Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); + } + + moaSession.setAuthnContextClassRef(authnContextClassRef); + moaSession.setReturnURL(request.getRequestURL()); + + //load signedDoc + String signRequest = moaSession.getSignedDoc(); + + //session is implicit stored in changeSessionID!!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + //set return url to PEPSConnectorWithLocalSigningServlet and add newMOASessionID + //signRequest + + String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + String acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + + String url = acsURL+"?moaSessionID="+newMOASessionID; + //redirect to OASIS module and sign there + performRedirect(url,request,response,signRequest); + + return; + } + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); + + citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + + // memorize signature into authblock + moaSession.setAuthBlock(citizenSignature); + + X509Certificate cert = getSignerCertificate(citizenSignature); + moaSession.setSignerCertificate(cert); + + + } catch (Throwable e) { + Logger.error("Could not extract citizen signature from C-PEPS", e); + throw new MOAIDException("stork.09", null); + } + + try{ + SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); + } catch (STORKException e) { + // this is really nasty but we work against the system here. We are supposed to get the gender attribute from + // stork. If we do not, we cannot register the person in the ERnP - we have to have the + // gender for the represented person. So here comes the dirty hack. + if(e.getCause() instanceof STORKException && e.getCause().getMessage().equals("gender not found in response")) { + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html"); + VelocityContext context = new VelocityContext(); + context.put("SAMLResponse", request.getParameter("SAMLResponse")); + context.put("action", request.getRequestURL()); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + response.getOutputStream().write(writer.toString().getBytes()); + } catch (Exception e1) { + Logger.error("Error sending gender retrival form.", e1); + // httpSession.invalidate(); + throw new MOAIDException("stork.10", null); + } + + return; + } + + Logger.error("Error connecting SZR Gateway", e); + throw new MOAIDException("stork.10", null); + } + + Logger.debug("Add full STORK AuthnResponse to MOA session"); + moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? + + //session is implicit stored in changeSessionID!!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID); + + //redirect + String redirectURL = null; + redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(), + ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); + redirectURL = response.encodeRedirectURL(redirectURL); + + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", redirectURL); + Logger.info("REDIRECT TO: " + redirectURL); + + } catch (AuthenticationException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (MOAIDException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (Exception e) { + Logger.error("PEPSConnector has an interal Error.", e); + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + } + + private void performRedirect(String url, HttpServletRequest req, HttpServletResponse resp, String signRequestString) + throws MOAIDException { + + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/oasis_dss_webform_binding.vm"); + VelocityContext context = new VelocityContext(); + + Logger.debug("performRedirect, signrequest:"+signRequestString); + Source signDoc = new StreamSource(new java.io.StringReader(signRequestString)); + SignRequest signRequest = ApiUtils.unmarshal(signDoc, SignRequest.class); + signRequest.setReturnURL("TODO"); + signRequestString = IOUtils.toString(ApiUtils.marshalToInputStream(signRequest)); + context.put("signrequest", Base64.encodeBase64String(signRequestString.getBytes("UTF8"))); + context.put("clienturl", url); + context.put("action", oasisDssWebFormURL ); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + resp.getOutputStream().write(writer.toString().getBytes()); + } catch (Exception e) { + Logger.error("Error sending DSS signrequest.", e); + throw new MOAIDException("stork.11", null); + } + } + + private String getCitizienSignatureFromSignResponseFromSAML(STORKAuthnResponse authnResponse) throws ApiUtilsException, IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, MOAIDException + { + PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); + String signatureInfo = null; + if(signedDoc==null) + { + Logger.error("SignedDoc = null, failed to extract Signresponse from authnResponse"); + throw new MOAIDException("stork.09", null); + } + signatureInfo = signedDoc.getValue().get(0); + + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); + String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + return citizenSignature; + + } + + private String getCitizienSignatureFromSignResponse(SignResponse dssSignResponse) throws IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, ApiUtilsException + { + // fetch signed doc + DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse); + if(ds == null){ + throw new ApiUtilsException("No datasource found in response"); + } + + InputStream incoming = ds.getInputStream(); + String citizenSignature = IOUtils.toString(incoming); + incoming.close(); + + return citizenSignature; + } + + private X509Certificate getSignerCertificate(String citizenSignature) throws CertificateException, JAXBException + { + JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName()); + SignatureType root = ((JAXBElement) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue(); + + // extract certificate + for(Object current : root.getKeyInfo().getContent()) + if(((JAXBElement) current).getValue() instanceof X509DataType) { + for(Object currentX509Data : ((JAXBElement) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) { + JAXBElement casted = ((JAXBElement) currentX509Data); + if(casted.getName().getLocalPart().equals("X509Certificate")) { + return new X509Certificate(((String)casted.getValue()).getBytes()); + } + } + } + return null; + } + + private void SZRGInsertion(AuthenticationSession moaSession, IPersonalAttributeList personalAttributeList, String authnContextClassRef) throws STORKException, MOAIDException + { + Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)"); + Logger.debug("Citizen signature will be verified by SZR Gateway!"); + + Logger.debug("fetching OAParameters from database"); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix()); + if (oaParam == null) + throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() }); + + // retrieve target + //TODO: check in case of SSO!!! + String targetType = null; + String targetValue = null; + if(oaParam.getBusinessService()) { + String id = oaParam.getIdentityLinkDomainIdentifier(); + if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + else + targetValue = moaSession.getDomainIdentifier(); + targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_; + } else { + targetType = AuthenticationSession.TARGET_PREFIX_; + targetValue = oaParam.getTarget(); + } + + Logger.debug("Starting connecting SZR Gateway"); + //contact SZR Gateway + IdentityLink identityLink = null; + + identityLink = STORKResponseProcessor.connectToSZRGateway(personalAttributeList, + oaParam.getFriendlyName(), + targetType, targetValue, + oaParam.getMandateProfiles()); + Logger.debug("SZR communication was successfull"); + + if (identityLink == null) { + Logger.error("SZR Gateway did not return an identity link."); + throw new MOAIDException("stork.10", null); + } + Logger.info("Received Identity Link from SZR Gateway"); + moaSession.setIdentityLink(identityLink); + + Logger.debug("Adding addtional STORK attributes to MOA session"); + moaSession.setStorkAttributes(personalAttributeList); + + //We don't have BKUURL, setting from null to "Not applicable" + moaSession.setBkuURL("Not applicable (STORK Authentication)"); + + // free for single use + moaSession.setAuthenticatedUsed(false); + + // stork did the authentication step + moaSession.setAuthenticated(true); + + //TODO: found better solution, but QAA Level in response could be not supported yet + try { + if(authnContextClassRef==null) + authnContextClassRef = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel(); + moaSession.setQAALevel(authnContextClassRef); + + } catch (Throwable e) { + Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); + moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel()); + + } + + } + + private VerifyXMLSignatureResponse verifyXMLSignature(String signature) throws AuthenticationException, ParseException, BKUException, BuildException, ConfigurationException, ServiceException, UnsupportedEncodingException, SAXException, IOException, ParserConfigurationException, MOAException + { + //Based on MOA demo client + // Factory und Service instanzieren + SPSSFactory spssFac = SPSSFactory.getInstance(); + SignatureVerificationService sigVerifyService = SignatureVerificationService.getInstance(); + + Content sigDocContent1 = spssFac.createContent(IOUtils.toInputStream(signature, "UTF-8"), null); + + // Position der zu prüfenden Signatur im Dokument angeben + // (Nachdem im XPath-Ausdruck ein NS-Präfix verwendet wird, muss in einer Lookup-Tabelle + // der damit bezeichnete Namenraum mitgegeben werden) + HashMap nSMap = new HashMap(); + nSMap.put("dsig", "http://www.w3.org/2000/09/xmldsig#"); + VerifySignatureLocation sigLocation = spssFac.createVerifySignatureLocation("//dsig:Signature", nSMap); + + // Zu prüfendes Dokument und Signaturposition zusammenfassen + + VerifySignatureInfo sigInfo = spssFac.createVerifySignatureInfo(sigDocContent1, sigLocation); + + // Prüfrequest zusammenstellen + VerifyXMLSignatureRequest verifyRequest = spssFac.createVerifyXMLSignatureRequest( + null, // Wird Prüfzeit nicht angegeben, wird aktuelle Zeit verwendet + sigInfo, + null, // Keine Ergänzungsobjekte notwendig + null, // Signaturmanifest-Prüfung soll nicht durchgeführt werden + false, // Hash-Inputdaten, d.h. tatsächlich signierte Daten werden nicht zurückgeliefert + "MOAIDBuergerkartePersonenbindungMitTestkarten");//TODO load from config + //"Test-Signaturdienste"); // ID des verwendeten Vertrauensprofils + + VerifyXMLSignatureResponse verifyResponse = null; + try + { + // Aufruf der Signaturprüfung + verifyResponse = sigVerifyService.verifyXMLSignature(verifyRequest); + } + catch (MOAException e) + { + // Service liefert Fehler + System.err.println("Die Signaturprüfung hat folgenden Fehler geliefert:"); + System.err.println("Fehlercode: " + e.getMessageId()); + System.err.println("Fehlernachricht: " + e.getMessage()); + throw e; + } + +// // Auswertung der Response +// System.out.println(); +// System.out.println("Ergebnisse der Signaturprüfung:"); +// System.out.println(); +// +// // Besondere Eigenschaften des Signatorzertifikats +// SignerInfo signerInfo = verifyResponse.getSignerInfo(); +// System.out.println("*** Ist Zertifikat des Signators qualifiziert? " + ((signerInfo.isQualifiedCertificate()) ? "ja" : "nein")); +// System.out.println("*** Ist Zertifikat des Signators von einer Behörde? " + ((signerInfo.isPublicAuthority()) ? "ja" : "nein")); +// +// // Ergebnisse von Signatur- und Zertifikatsprüfung +// System.out.println(); +// System.out.println("Ergebniscode der Signaturprüfung: " + verifyResponse.getSignatureCheck().getCode()); +// System.out.println("Ergebniscode der Zertifikatsprüfung: " + verifyResponse.getCertificateCheck().getCode()); +// +// // Signatorzertifikat +// System.out.println(); +// System.out.println("*** Zertifikat des Signators:"); +// System.out.println("Aussteller: " + signerInfo.getSignerCertificate().getIssuerDN()); +// System.out.println("Subject: " + signerInfo.getSignerCertificate().getSubjectDN()); +// System.out.println("Seriennummer: " + signerInfo.getSignerCertificate().getSerialNumber()); + return verifyResponse; + } + + private at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse convert(VerifyXMLSignatureResponse xMLVerifySignatureResponse) { + at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse response = new at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse(); + response.setCertificateCheckCode(xMLVerifySignatureResponse.getCertificateCheck().getCode()); + response.setPublicAuthority(xMLVerifySignatureResponse.getSignerInfo().isPublicAuthority()); +// response.setPublicAuthorityCode(publicAuthorityCode) + response.setQualifiedCertificate(xMLVerifySignatureResponse.getSignerInfo().isQualifiedCertificate()); + response.setSignatureCheckCode(xMLVerifySignatureResponse.getSignatureCheck().getCode()); + response.setSignatureManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode()); +// response.setSigningDateTime() +// response.setX509certificate(x509certificate) + response.setXmlDSIGManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode()); +// response.setXmlDSIGManigest(xMLVerifySignatureResponse.getSignatureManifestCheck()) +// response.setXmlDsigSubjectName(xmlDsigSubjectName) + return response; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java index 6e67b4219..3f4be5093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java @@ -45,6 +45,8 @@ public class CPEPS { /** URL of C-PEPS */ private URL pepsURL; + private Boolean isXMLSignatureSupported; + /** Specific attributes to be requested for this C-PEPS */ private List countrySpecificRequestedAttributes = new ArrayList(); @@ -53,10 +55,11 @@ public class CPEPS { * @param countryCode ISO Country Code of C-PEPS * @param pepsURL URL of C-PEPS */ - public CPEPS(String countryCode, URL pepsURL) { + public CPEPS(String countryCode, URL pepsURL, Boolean isXMLSignatureSupported) { super(); this.countryCode = countryCode; this.pepsURL = pepsURL; + this.isXMLSignatureSupported = isXMLSignatureSupported; } /** @@ -91,6 +94,21 @@ public class CPEPS { this.pepsURL = pepsURL; } + /** + * Returns weather the C-PEPS supports XMl Signatures or not (important for ERnB) + */ + public Boolean isXMLSignatureSupported() { + return isXMLSignatureSupported; + } + + /** + * Sets weather the C-PEPS supports XMl Signatures or not (important for ERnB) + * @param isXMLSignatureSupported C-PEPS XML Signature support + */ + public void setXMLSignatureSupported(boolean isXMLSignatureSupported) { + this.isXMLSignatureSupported = isXMLSignatureSupported; + } + /** * Gets the country specific attributes of this C-PEPS * @return List of country specific attributes diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 2e243b3ae..136b40295 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -81,7 +81,7 @@ public class STORKConfig { for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) { try { - CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL())); + CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL()), cpep.isSupportsXMLSignature()); cpepsMap.put(cpep.getCountryCode(), moacpep); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index a5690a883..b62e6de32 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -75,7 +75,7 @@ public class AuthenticationRequest implements IAction { this.authData = authData; - if ((req instanceof MOASTORKRequest) && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { + if ((req instanceof MOASTORKRequest)) { // && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { this.moaStorkRequest = (MOASTORKRequest) req; @@ -134,10 +134,10 @@ public class AuthenticationRequest implements IAction { return (new AttributeCollector()).processRequest(container, httpReq, httpResp, authData, oaParam); } - // check if we are getting request for citizen of some other country - else if (req instanceof MOASTORKRequest) { - return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); - } +// // check if we are getting request for citizen of some other country +// else if (req instanceof MOASTORKRequest) { +// return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); +// } // Check if we got the response from PEPS // If so then process it and forward to SP @@ -390,24 +390,24 @@ public class AuthenticationRequest implements IAction { public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { - // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country - if (req instanceof MOASTORKRequest) { - MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; - if (moastorkRequest.getStorkAuthnRequest() != null) { - String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); - // check if citizen country is configured in the system - try { - if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { - return false; - } - } catch (MOAIDException e) { - Logger.error("Could not initialize AuthConfigurationProvider"); - } - } - // authentication is not required if received authentication response - } else if (req instanceof MOASTORKResponse) { - return false; - } +// // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country +// if (req instanceof MOASTORKRequest) { +// MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; +// if (moastorkRequest.getStorkAuthnRequest() != null) { +// String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); +// // check if citizen country is configured in the system +// try { +// if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { +// return false; +// } +// } catch (MOAIDException e) { +// Logger.error("Could not initialize AuthConfigurationProvider"); +// } +// } +// // authentication is not required if received authentication response +// } else if (req instanceof MOASTORKResponse) { +// return false; +// } return true; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 72274bada..af973475b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -104,8 +104,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { public SignedDocAttributeRequestProvider(String oasisDssWebFormURL, String attributes) { super(attributes); this.oasisDssWebFormURL = oasisDssWebFormURL; - //TODO load dtlUrl from config - + Properties props = new Properties(); try { props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties")); @@ -144,11 +143,10 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { * .servlet.http.HttpServletRequest) */ public IPersonalAttributeList parse(HttpServletRequest httpReq) throws MOAIDException, UnsupportedAttributeException { - Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request2"); + Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request"); try { - String base64 = httpReq. - getParameter("signresponse"); + String base64 = httpReq.getParameter("signresponse"); Logger.debug("signresponse url: " + httpReq.getRequestURI().toString()); Logger.debug("signresponse querystring: " + httpReq.getQueryString()); Logger.debug("signresponse method: " + httpReq.getMethod()); -- cgit v1.2.3 From 8b8ea32ebd30b542a9b4ea1c797078377443f251 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Mon, 7 Jul 2014 17:14:55 +0200 Subject: Encoding fix, getAttributeValue now optionally returns null instead of throwing an exception --- .../moa/id/auth/AuthenticationServer.java | 7 ++- .../auth/builder/StartAuthenticationBuilder.java | 2 +- .../moa/id/auth/servlet/GetForeignIDServlet.java | 1 - .../moa/id/auth/servlet/PEPSConnectorServlet.java | 4 +- .../PEPSConnectorWithLocalSigningServlet.java | 10 ++-- .../servlet/VerifyAuthenticationBlockServlet.java | 4 +- .../moa/id/auth/stork/STORKResponseProcessor.java | 56 ++++++++++++---------- .../gv/egovernment/moa/id/moduls/SSOManager.java | 2 +- .../moa/id/protocols/pvp2x/MetadataAction.java | 2 +- .../pvp2x/builder/attributes/EIDAuthBlock.java | 2 +- .../builder/attributes/EIDIdentityLinkBuilder.java | 2 +- .../pvp2x/builder/attributes/EIDSTORKTOKEN.java | 2 +- .../pvp2x/verification/SAMLVerifierMOASP.java | 2 +- .../id/protocols/stork2/AuthenticationRequest.java | 4 +- .../moa/id/protocols/stork2/ConsentEvaluator.java | 4 +- .../MandateAttributeRequestProvider.java | 2 +- .../SignedDocAttributeRequestProvider.java | 45 ++++++++++++++++- .../StorkAttributeRequestProvider.java | 2 +- 18 files changed, 102 insertions(+), 51 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index c2eefa3d8..8d2684c9b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -11,6 +11,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.StringWriter; +import java.io.UnsupportedEncodingException; import java.math.BigInteger; import java.security.NoSuchAlgorithmException; import java.security.Principal; @@ -1663,7 +1664,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { SZRGWClient client = new SZRGWClient(connectionParameters); CreateIdentityLinkRequest request = new CreateIdentityLinkRequest(); - request.setSignature(citizenSignature.getBytes()); + request.setSignature(citizenSignature.getBytes("UTF-8")); PEPSData data = new PEPSData(); data.setDateOfBirth(PEPSDateOfBirth); @@ -1711,6 +1712,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { catch (ConfigurationException e) { Logger.warn(e); Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null )); + } catch (UnsupportedEncodingException e) { + Logger.warn(e); } return null; @@ -1912,7 +1915,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { template.merge(context, writer); resp.setContentType("text/html;charset=UTF-8"); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending STORK SAML AuthnRequest.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java index 9f2d5b641..484fe1f9e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java @@ -56,7 +56,7 @@ public class StartAuthenticationBuilder { STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); - Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc())); + Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc())); // STORK or normal authentication if (storkConfig.isSTORKAuthentication(moasession.getCcc())) { //STORK authentication diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index f11489dd2..bbc704f22 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -161,7 +161,6 @@ public class GetForeignIDServlet extends AuthServlet { AuthenticationSession session = null; try { String xmlCreateXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE); - // check parameter if (!ParamValidatorUtils.isValidSessionID(sessionID)) throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 0ba144b80..2d49eb809 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -270,7 +270,7 @@ public class PEPSConnectorServlet extends AuthServlet { for(Object currentX509Data : ((JAXBElement) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) { JAXBElement casted = ((JAXBElement) currentX509Data); if(casted.getName().getLocalPart().equals("X509Certificate")) { - moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes())); + moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes("UTF-8"))); break; } } @@ -339,7 +339,7 @@ public class PEPSConnectorServlet extends AuthServlet { StringWriter writer = new StringWriter(); template.merge(context, writer); - response.getOutputStream().write(writer.toString().getBytes()); + response.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e1) { Logger.error("Error sending gender retrival form.", e1); // httpSession.invalidate(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index ee0ae4b87..dfb2753ec 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -233,7 +233,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { StringWriter writer = new StringWriter(); template.merge(context, writer); - response.getOutputStream().write(writer.toString().getBytes()); + response.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e1) { Logger.error("Error sending gender retrival form.", e1); // httpSession.invalidate(); @@ -505,7 +505,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { StringWriter writer = new StringWriter(); template.merge(context, writer); - response.getOutputStream().write(writer.toString().getBytes()); + response.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e1) { Logger.error("Error sending gender retrival form.", e1); // httpSession.invalidate(); @@ -576,7 +576,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending DSS signrequest.", e); throw new MOAIDException("stork.11", null); @@ -615,7 +615,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { return citizenSignature; } - private X509Certificate getSignerCertificate(String citizenSignature) throws CertificateException, JAXBException + private X509Certificate getSignerCertificate(String citizenSignature) throws CertificateException, JAXBException, UnsupportedEncodingException { JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName()); SignatureType root = ((JAXBElement) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue(); @@ -626,7 +626,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { for(Object currentX509Data : ((JAXBElement) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) { JAXBElement casted = ((JAXBElement) currentX509Data); if(casted.getName().getLocalPart().equals("X509Certificate")) { - return new X509Certificate(((String)casted.getValue()).getBytes()); + return new X509Certificate(((String)casted.getValue()).getBytes("UTF-8")); } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 98edf1fe4..e7fa9cbd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -207,7 +207,7 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { //System.out.println("IDL: " + s); - byte[] idl = s.getBytes(); + byte[] idl = s.getBytes("UTF-8"); // redirect url // build redirect(to the GetMISSessionIdSerlvet) @@ -238,7 +238,7 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { String oaFriendlyName = oaParam.getFriendlyName(); String mandateReferenceValue = session.getMandateReferenceValue(); byte[] cert = session.getEncodedSignerCertificate(); - byte[] authBlock = session.getAuthBlock().getBytes(); + byte[] authBlock = session.getAuthBlock().getBytes("UTF-8"); //TODO: check in case of SSO!!! String targetType = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index 2c8b44404..46fd06741 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -105,13 +105,19 @@ public class STORKResponseProcessor { * @throws STORKException the sTORK exception */ private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList) throws STORKException { + return getAttributeValue(attributeName, attributeList, true); + } + private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException { try { String result = attributeList.get(attributeName).getValue().get(0); Logger.trace(attributeName + " : " + result); return result; - } catch(NullPointerException e) { + } catch(Exception e) { Logger.error(attributeName + " not found in response"); - throw new STORKException(attributeName + " not found in response"); + if(throwException) + throw new STORKException(attributeName + " not found in response"); + else + return null; } } @@ -137,29 +143,29 @@ public class STORKResponseProcessor { // if there is no signedDoc attribute, we cannot go on String citizenSignature = getAttributeValue("signedDoc", attributeList); - String fiscalNumber = getAttributeValue("fiscalNumber", attributeList); + String fiscalNumber = getAttributeValue("fiscalNumber", attributeList, false); // if we have a signedDoc we test for a representation case // - according to stork samlengine and commons if(hasAttribute("mandate", attributeList)) { // we have a representation case - String mandate = getAttributeValue("mandate", attributeList); + String mandate = getAttributeValue("mandate", attributeList, false); if(!hasAttribute("dateOfBirth", attributeList)) { // if we get here, we have a natural person representing a legal person - String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList); - String organizationType = getAttributeValue("translateableType", attributeList); + String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList, false); + String organizationType = getAttributeValue("translateableType", attributeList, false); identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(citizenSignature, null, null, mandate, organizationAddress, organizationType, targetType, targetValue, oaFriendlyName, filters, fiscalNumber); } else { // if we get here, we have a natural person representing another natural person - String eIdentifier = getAttributeValue("eIdentifier", attributeList); - String givenName = getAttributeValue("givenName", attributeList); - String lastName = getAttributeValue("surname", attributeList); - String dateOfBirth = getAttributeValue("dateOfBirth", attributeList); + String eIdentifier = getAttributeValue("eIdentifier", attributeList, false); + String givenName = getAttributeValue("givenName", attributeList, false); + String lastName = getAttributeValue("surname", attributeList, false); + String dateOfBirth = getAttributeValue("dateOfBirth", attributeList, false); // gender attribute is mandatory here because of some legal stuff - String gender = getAttributeValue("gender", attributeList); + String gender = getAttributeValue("gender", attributeList, false); if (!StringUtils.isEmpty(dateOfBirth)) dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth); @@ -172,25 +178,25 @@ public class STORKResponseProcessor { // - according to stork spec else if(hasAttribute("mandateContent", attributeList) || hasAttribute("representative", attributeList) || hasAttribute("represented", attributeList)) { // we have a representation case - String representative = getAttributeValue("representative", attributeList); - String represented = getAttributeValue("represented", attributeList); - String mandate = getAttributeValue("mandateContent", attributeList); + String representative = getAttributeValue("representative", attributeList, false); + String represented = getAttributeValue("represented", attributeList, false); + String mandate = getAttributeValue("mandateContent", attributeList, false); if(!hasAttribute("dateOfBirth", attributeList)) { // if we get here, we have a natural person representing a legal person - String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList); - String organizationType = getAttributeValue("translateableType", attributeList); + String organizationAddress = getAttributeValue("canonicalRegisteredAddress", attributeList, false); + String organizationType = getAttributeValue("translateableType", attributeList, false); identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(citizenSignature, representative, represented, mandate, organizationAddress, organizationType, targetType, targetValue, oaFriendlyName, filters, fiscalNumber); } else { // if we get here, we have a natural person representing another natural person - String eIdentifier = getAttributeValue("eIdentifier", attributeList); - String givenName = getAttributeValue("givenName", attributeList); - String lastName = getAttributeValue("surname", attributeList); - String dateOfBirth = getAttributeValue("dateOfBirth", attributeList); + String eIdentifier = getAttributeValue("eIdentifier", attributeList, false); + String givenName = getAttributeValue("givenName", attributeList, false); + String lastName = getAttributeValue("surname", attributeList, false); + String dateOfBirth = getAttributeValue("dateOfBirth", attributeList, false); // gender attribute is mandatory here because of some legal stuff - String gender = getAttributeValue("gender", attributeList); + String gender = getAttributeValue("gender", attributeList, false); if (!StringUtils.isEmpty(dateOfBirth)) dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth); @@ -201,10 +207,10 @@ public class STORKResponseProcessor { } } else { // we do not have a representation case - String eIdentifier = getAttributeValue("eIdentifier", attributeList); - String givenName = getAttributeValue("givenName", attributeList); - String lastName = getAttributeValue("surname", attributeList); - String dateOfBirth = getAttributeValue("dateOfBirth", attributeList); + String eIdentifier = getAttributeValue("eIdentifier", attributeList, false); + String givenName = getAttributeValue("givenName", attributeList, false); + String lastName = getAttributeValue("surname", attributeList, false); + String dateOfBirth = getAttributeValue("dateOfBirth", attributeList, false); if (!StringUtils.isEmpty(dateOfBirth)) dateOfBirth = DateTimeUtils.formatPEPSDateToMOADate(dateOfBirth); identityLinkResponse = AuthenticationServer.getInstance().getIdentityLink(eIdentifier, givenName, lastName, dateOfBirth, citizenSignature, fiscalNumber); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index cb12bc5bd..ca3117a79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -342,7 +342,7 @@ public class SSOManager { httpResp.setContentType("text/html;charset=UTF-8"); - httpResp.getOutputStream().write(writer.toString().getBytes()); + httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index fec8e3b98..dbf54951f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -165,7 +165,7 @@ public class MetadataAction implements IAction { Logger.debug("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); - httpResp.getOutputStream().write(metadataXML.getBytes()); + httpResp.getOutputStream().write(metadataXML.getBytes("UTF-8")); httpResp.getOutputStream().close(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java index ded9e7166..4f3aff469 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java @@ -46,7 +46,7 @@ public class EIDAuthBlock implements IPVPAttributeBuilder { String authblock = authData.getAuthBlock(); if (MiscUtil.isNotEmpty(authblock)) { return g.buildStringAttribute(EID_AUTH_BLOCK_FRIENDLY_NAME, EID_AUTH_BLOCK_NAME, - Base64Utils.encode(authblock.getBytes())); + Base64Utils.encode(authblock.getBytes("UTF-8"))); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index 531369e9a..e8aeb8fcd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -43,7 +43,7 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, - EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes())); + EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes("UTF-8"))); } catch (IOException e) { Logger.warn("IdentityLink serialization error.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java index 04cc59b10..5e723baab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java @@ -54,7 +54,7 @@ public class EIDSTORKTOKEN implements IPVPAttributeBuilder { } else { try { return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME, - Base64Utils.encode(storkResponse.getBytes())); + Base64Utils.encode(storkResponse.getBytes("UTF-8"))); } catch (IOException e) { Logger.warn("Encode AuthBlock BASE64 failed.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java index 8dfebc06c..4de783323 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -70,7 +70,7 @@ public class SAMLVerifierMOASP implements ISAMLVerifier { // builds a for a call of MOA-SP Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() - .build(XMLUtil.printXML(request.getDOM()).getBytes(), + .build(XMLUtil.printXML(request.getDOM()).getBytes("UTF-8"), trustProfileID); Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index b62e6de32..c64c5b488 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -318,7 +318,7 @@ public class AuthenticationRequest implements IAction { Logger.debug("Sending html content: " + writer.getBuffer().toString()); Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); + httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (IOException e) { Logger.error("Velocity IO error: " + e.getMessage()); @@ -380,7 +380,7 @@ public class AuthenticationRequest implements IAction { Logger.debug("Sending html content: " + writer.getBuffer().toString()); Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); + httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index 2b00f15e2..3159574fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -142,7 +142,7 @@ public class ConsentEvaluator implements IAction { StringWriter writer = new StringWriter(); template.merge(context, writer); - response.getOutputStream().write(writer.getBuffer().toString().getBytes()); + response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); @@ -209,7 +209,7 @@ public class ConsentEvaluator implements IAction { Logger.debug("Sending html content: " + writer.getBuffer().toString()); Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); + httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java index 8df3c00aa..07e5b70ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java @@ -192,7 +192,7 @@ public class MandateAttributeRequestProvider extends AttributeProvider { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending STORK SAML AttrRequest.", e); throw new MOAIDException("stork.11", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index af973475b..2aa10b9dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -217,6 +217,49 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { { //No document service used? // do nothing.... + //TODO temporary fix because document is deleted after fetching => SP can't download Doc + //Add doc to Signresponse + + DocumentWithSignature documentWithSignature = new DocumentWithSignature(); + DocumentType value = new DocumentType(); + if(signResponse.getProfile().toLowerCase().contains("xades")) + { + value.setBase64XML(data); + } + else + { + Base64Data base64data = new Base64Data(); + base64data.setValue(data); + base64data.setMimeType(dataSource.getContentType()); + value.setBase64Data(base64data); + } + documentWithSignature.setDocument(value); + if(signResponse.getOptionalOutputs()!=null) + { + //signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + for(Object o :signResponse.getOptionalOutputs().getAny()) + { + if(o instanceof DocumentWithSignature) + { + signResponse.getOptionalOutputs().getAny().remove(o); + signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + break; + } + } + } + else + { + AnyType anytype = new AnyType(); + anytype.getAny().add(documentWithSignature); + signResponse.setOptionalOutputs(anytype ); + } + +// System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); + InputStream istr = ApiUtils.marshalToInputStream(signResponse); + StringWriter writer = new StringWriter(); + IOUtils.copy(istr, writer, "UTF-8"); + signResponseString = writer.toString(); + Logger.info("SignResponse overwritten:"+signResponseString); } } else @@ -335,7 +378,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending DSS signrequest.", e); throw new MOAIDException("stork.11", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java index d7e2cdf58..cb3a33c69 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java @@ -172,7 +172,7 @@ public class StorkAttributeRequestProvider extends AttributeProvider { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending STORK SAML AttrRequest.", e); throw new MOAIDException("stork.11", null); -- cgit v1.2.3 From 625ad07c6fb159cecd59b532ccfc35ce6b8b3e31 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Mon, 7 Jul 2014 17:34:33 +0200 Subject: added missing catch block --- .../moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java index 4de783323..885de6805 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.io.UnsupportedEncodingException; + import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.xml.validation.ValidationException; @@ -123,6 +125,10 @@ public class SAMLVerifierMOASP implements ISAMLVerifier { String msg = "Unable to invoke MOA-SP."; Logger.error(msg, e); throw new SecurityException(msg, e); + } catch (UnsupportedEncodingException e) { + String msg = "Unsupported Encoding."; + Logger.error(msg, e); + throw new SecurityException(msg, e); } } -- cgit v1.2.3 From 9d07e7a6dcd66c0ebff241e4f0113b787fcbcffb Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Mon, 7 Jul 2014 17:42:03 +0200 Subject: copied changes from "set correct target type element" to PEPSConnectorWithLocalSigningServlet --- .../PEPSConnectorWithLocalSigningServlet.java | 29 +++++++++++----------- 1 file changed, 14 insertions(+), 15 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index dfb2753ec..129494cbe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -213,7 +213,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, "Available"); personalAttributeList.add(signedDocAttribute); - + String authnContextClassRef = moaSession.getAuthnContextClassRef(); SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef); } catch (STORKException e) { @@ -646,19 +646,18 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { // retrieve target //TODO: check in case of SSO!!! - String targetType = null; - String targetValue = null; - if(oaParam.getBusinessService()) { - String id = oaParam.getIdentityLinkDomainIdentifier(); - if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - else - targetValue = moaSession.getDomainIdentifier(); - targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_; - } else { - targetType = AuthenticationSession.TARGET_PREFIX_; - targetValue = oaParam.getTarget(); - } + String targetType = null; + if(oaParam.getBusinessService()) { + String id = oaParam.getIdentityLinkDomainIdentifier(); + if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + targetType = id; + else + targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier(); + } else { + targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); + } + + Logger.debug("Starting connecting SZR Gateway"); //contact SZR Gateway @@ -666,7 +665,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { identityLink = STORKResponseProcessor.connectToSZRGateway(personalAttributeList, oaParam.getFriendlyName(), - targetType, targetValue, + targetType, null, oaParam.getMandateProfiles()); Logger.debug("SZR communication was successfull"); -- cgit v1.2.3 From 5f01c76acc4bcb0539f3de39b3e38e0bd25e336f Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Tue, 8 Jul 2014 14:58:58 +0200 Subject: szrg connector now extracts signature form Signresponse --- .../PEPSConnectorWithLocalSigningServlet.java | 8 +-- .../moa/id/auth/stork/STORKResponseProcessor.java | 78 ++++++++++++++++------ 2 files changed, 61 insertions(+), 25 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index 129494cbe..bf2df9d7a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -205,15 +205,15 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { moaSession.setXMLVerifySignatureResponse(tmp); try{ IPersonalAttributeList personalAttributeList = moaSession.getAuthnResponseGetPersonalAttributeList(); - //Add signResponse + //Add SignResponse TODO Add signature (extracted from signResponse)? List values = new ArrayList(); - //values.add(signResponseString); - values.add(citizenSignature); + values.add(signResponseString); +// values.add(citizenSignature); Logger.debug("Assembling signedDoc attribute"); PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, "Available"); personalAttributeList.add(signedDocAttribute); - + String authnContextClassRef = moaSession.getAuthnContextClassRef(); SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef); } catch (STORKException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index 46fd06741..5d7eefe0a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -26,28 +26,19 @@ package at.gv.egovernment.moa.id.auth.stork; import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; import java.util.List; import java.util.Vector; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.xml.namespace.QName; +import javax.activation.DataSource; +import javax.xml.transform.Source; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.stream.StreamSource; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.ws.transport.http.HTTPInTransport; -import org.opensaml.ws.transport.http.HTTPOutTransport; -import org.opensaml.ws.transport.http.HttpServletRequestAdapter; -import org.opensaml.ws.transport.http.HttpServletResponseAdapter; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.schema.XSAny; -import org.opensaml.xml.schema.XSString; -import org.opensaml.xml.util.Base64; -import org.opensaml.xml.util.XMLHelper; -import org.w3c.dom.Element; -import org.w3c.dom.NodeList; +import org.apache.commons.io.IOUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -57,12 +48,16 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.client.SZRGWClientException; -import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.StringUtils; import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; +import eu.stork.oasisdss.api.ApiUtils; +import eu.stork.oasisdss.api.LightweightSourceResolver; +import eu.stork.oasisdss.api.exceptions.ApiUtilsException; +import eu.stork.oasisdss.api.exceptions.UtilsException; +import eu.stork.oasisdss.profile.SignResponse; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -142,7 +137,13 @@ public class STORKResponseProcessor { Logger.trace("Starting call..."); // if there is no signedDoc attribute, we cannot go on - String citizenSignature = getAttributeValue("signedDoc", attributeList); + String signResponseString = getAttributeValue("signedDoc", attributeList); + + //Extract signature from SIgnResponse + Source response1 = new StreamSource(new java.io.StringReader(signResponseString)); + SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class); + String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + String fiscalNumber = getAttributeValue("fiscalNumber", attributeList, false); // if we have a signedDoc we test for a representation case @@ -235,7 +236,27 @@ public class STORKResponseProcessor { } catch (ParseException e) { Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); throw new MOAIDException("auth.25", null, e); - + } catch (ApiUtilsException e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); + } catch (IllegalArgumentException e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); + } catch (TransformerConfigurationException e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); + } catch (UtilsException e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); + } catch (TransformerException e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); + } catch (TransformerFactoryConfigurationError e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); + } catch (IOException e) { + Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e); + throw new MOAIDException("auth.25", null, e); } return identityLink; @@ -272,5 +293,20 @@ public class STORKResponseProcessor { return moaExtendedSAMLAttributeList; } + + private static String getCitizienSignatureFromSignResponse(SignResponse dssSignResponse) throws IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, ApiUtilsException + { + // fetch signed doc + DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse); + if(ds == null){ + throw new ApiUtilsException("No datasource found in response"); + } + + InputStream incoming = ds.getInputStream(); + String citizenSignature = IOUtils.toString(incoming); + incoming.close(); + + return citizenSignature; + } } -- cgit v1.2.3 From 2c08cd2206340912411e092a99c6874be179d211 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Tue, 8 Jul 2014 15:00:05 +0200 Subject: attribute provider fix If one attribute failed all followings were skipped --- .../gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index c64c5b488..3bd827667 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -455,8 +455,12 @@ public class AuthenticationRequest implements IAction { try { for (PersonalAttribute personalAttribute : attrLst) { + try { Logger.debug("Personal attribute found in request: " + personalAttribute.getName() + " isRequired: " + personalAttribute.isRequired()); moaAttributeProvider.populateAttribute(attributeList, personalAttribute); + } catch (Exception e) { + Logger.error("Exception, attributes: " + e.getMessage()); + } } } catch (Exception e) { Logger.error("Exception, attributes: " + e.getMessage()); -- cgit v1.2.3 From 8594d17a97f1e53a81719141ce70f55d6269553e Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Tue, 8 Jul 2014 15:35:03 +0200 Subject: pass signature to szrg connector and only try to parse it there from SignedDoc if it is missing --- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- .../servlet/PEPSConnectorWithLocalSigningServlet.java | 8 ++++---- .../moa/id/auth/stork/STORKResponseProcessor.java | 18 +++++++++++------- 3 files changed, 16 insertions(+), 12 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 5a2fda67f..ee1d1728a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -318,7 +318,7 @@ public class PEPSConnectorServlet extends AuthServlet { identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(), oaParam.getFriendlyName(), targetType, null, - oaParam.getMandateProfiles()); + oaParam.getMandateProfiles(), citizenSignature); } catch (STORKException e) { // this is really nasty but we work against the system here. We are supposed to get the gender attribute from // stork. If we do not, we cannot register the person in the ERnP - we have to have the diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index bf2df9d7a..e2f6e50b1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -215,7 +215,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { personalAttributeList.add(signedDocAttribute); String authnContextClassRef = moaSession.getAuthnContextClassRef(); - SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef); + SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef, citizenSignature); } catch (STORKException e) { // this is really nasty but we work against the system here. We are supposed to get the gender attribute from // stork. If we do not, we cannot register the person in the ERnP - we have to have the @@ -487,7 +487,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { } try{ - SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); + SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef(),citizenSignature); } catch (STORKException e) { // this is really nasty but we work against the system here. We are supposed to get the gender attribute from // stork. If we do not, we cannot register the person in the ERnP - we have to have the @@ -633,7 +633,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { return null; } - private void SZRGInsertion(AuthenticationSession moaSession, IPersonalAttributeList personalAttributeList, String authnContextClassRef) throws STORKException, MOAIDException + private void SZRGInsertion(AuthenticationSession moaSession, IPersonalAttributeList personalAttributeList, String authnContextClassRef, String citizenSignature) throws STORKException, MOAIDException { Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)"); Logger.debug("Citizen signature will be verified by SZR Gateway!"); @@ -666,7 +666,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { identityLink = STORKResponseProcessor.connectToSZRGateway(personalAttributeList, oaParam.getFriendlyName(), targetType, null, - oaParam.getMandateProfiles()); + oaParam.getMandateProfiles(),citizenSignature); Logger.debug("SZR communication was successfull"); if (identityLink == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index 5d7eefe0a..7113dcf70 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -124,11 +124,12 @@ public class STORKResponseProcessor { * @param targetType the target type * @param targetValue the target value * @param filters the filters + * @param citizenSignature2 * @return Identity Link * @throws STORKException the sTORK exception * @throws MOAIDException */ - public static IdentityLink connectToSZRGateway(IPersonalAttributeList attributeList, String oaFriendlyName, String targetType, String targetValue, List filters) throws STORKException, MOAIDException { + public static IdentityLink connectToSZRGateway(IPersonalAttributeList attributeList, String oaFriendlyName, String targetType, String targetValue, List filters, String citizenSignature) throws STORKException, MOAIDException { Logger.trace("Calling SZR Gateway with the following attributes:"); CreateIdentityLinkResponse identityLinkResponse = null; @@ -137,12 +138,15 @@ public class STORKResponseProcessor { Logger.trace("Starting call..."); // if there is no signedDoc attribute, we cannot go on - String signResponseString = getAttributeValue("signedDoc", attributeList); - - //Extract signature from SIgnResponse - Source response1 = new StreamSource(new java.io.StringReader(signResponseString)); - SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class); - String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + if(citizenSignature==null || citizenSignature.length()==0) + { + String signResponseString = getAttributeValue("signedDoc", attributeList); + + //Extract signature from SIgnResponse + Source response1 = new StreamSource(new java.io.StringReader(signResponseString)); + SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class); + citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + } String fiscalNumber = getAttributeValue("fiscalNumber", attributeList, false); -- cgit v1.2.3 From 8f0153f4c6e2fd63dab1f3820b1f61521d1c2220 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 9 Jul 2014 10:49:32 +0200 Subject: use country code from certificate as default --- .../id/auth/builder/AuthenticationDataBuilder.java | 48 +++++++++++----------- 1 file changed, 24 insertions(+), 24 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 9af2f5ee5..3fd83bbe6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -238,6 +238,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } else { //TODO: check if response include attributes and map this attributes to requested attributes + //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst //get PVP 2.1 attributes from protocol specific requested attributes attributs = req.getRequestedAttributes(); @@ -504,33 +505,33 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setQAALevel(session.getQAALevel()); if (session.isForeigner()) { - if (authData.getStorkAuthnRequest() != null) { - authData.setCcc(authData.getStorkAuthnRequest() - .getCitizenCountryCode()); - - } else { - - try { - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); - - if (certificate != null) { - - LdapName ln = new LdapName(certificate.getIssuerDN() - .getName()); - for (Rdn rdn : ln.getRdns()) { - if (rdn.getType().equalsIgnoreCase("C")) { - Logger.info("C is: " + rdn.getValue()); - authData.setCcc(rdn.getValue().toString()); - break; - } + try { + //TODO: replace with TSL lookup when TSL is ready! + X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); + if (certificate != null) { + LdapName ln = new LdapName(certificate.getIssuerDN() + .getName()); + for (Rdn rdn : ln.getRdns()) { + if (rdn.getType().equalsIgnoreCase("C")) { + Logger.info("C is: " + rdn.getValue()); + authData.setCcc(rdn.getValue().toString()); + break; } } - - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate", e); + } + + } catch (Exception e) { + Logger.error("Failed to extract country code from certificate", e); + + } + + if (MiscUtil.isEmpty(authData.getCcc())) { + if (authData.getStorkAuthnRequest() != null) { + authData.setCcc(authData.getStorkAuthnRequest().getCitizenCountryCode()); + Logger.info("Can not extract country from certificate -> Use country from STORK request."); } + } } else { @@ -539,7 +540,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } try { - authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID())); //set max. SSO session time -- cgit v1.2.3 From df1bce487e003b50e403730069ed7343df4f86fc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 9 Jul 2014 10:50:09 +0200 Subject: set foreigner to true --- .../at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 4 +++- .../moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index ee1d1728a..64447b20e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -354,7 +354,9 @@ public class PEPSConnectorServlet extends AuthServlet { if (identityLink == null) { Logger.error("SZR Gateway did not return an identity link."); throw new MOAIDException("stork.10", null); - } + } + moaSession.setForeigner(true); + Logger.info("Received Identity Link from SZR Gateway"); moaSession.setIdentityLink(identityLink); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index e2f6e50b1..62e15a379 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -249,7 +249,8 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { Logger.debug("Add full STORK AuthnResponse to MOA session"); moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? - + moaSession.setForeigner(true); + //session is implicit stored in changeSessionID!!!! String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); @@ -479,7 +480,8 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { X509Certificate cert = getSignerCertificate(citizenSignature); moaSession.setSignerCertificate(cert); - + moaSession.setForeigner(true); + } catch (Throwable e) { Logger.error("Could not extract citizen signature from C-PEPS", e); -- cgit v1.2.3 From fd0c34ddeb83f1b8e88837837e513491d66e8f2f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Jul 2014 11:28:13 +0200 Subject: fix problem with extended SAML1 attributes and STORK authentication --- .../egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 3fd83bbe6..17d6898ee 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -50,6 +50,7 @@ import eu.stork.peps.auth.commons.PersonalAttributeList; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.BuildException; @@ -116,7 +117,10 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (protocolRequest instanceof SAML1RequestImpl) { //request is SAML1 SAML1AuthenticationData saml1authdata = new SAML1AuthenticationData(); - saml1authdata.setExtendedSAMLAttributesOA(session.getExtendedSAMLAttributesOA()); + if (session.getExtendedSAMLAttributesOA() == null) + saml1authdata.setExtendedSAMLAttributesOA(new ArrayList()); + else + saml1authdata.setExtendedSAMLAttributesOA(session.getExtendedSAMLAttributesOA()); authdata = saml1authdata; -- cgit v1.2.3 From 31e11e635b2dc72542ea2af1e302d83c6a8c7c13 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Jul 2014 12:26:21 +0200 Subject: set default TrustManagerRevocationCheck value --- .../java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java | 2 +- .../egovernment/moa/id/config/auth/AuthConfigurationProvider.java | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index 88ed7885f..24def1e02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -124,7 +124,7 @@ public class ConfigurationProvider { protected String certstoreDirectory; - protected boolean trustmanagerrevoationchecking; + protected boolean trustmanagerrevoationchecking = true; /** * Returns the main configuration file directory used to configure MOA-ID diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..ccf390153 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -1038,11 +1038,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private void setTrustManagerRevocationChecking() throws ConfigurationException { AuthComponentGeneral auth = getAuthComponentGeneral(); - if (auth.getGeneralConfiguration() != null) + if (auth.getGeneralConfiguration() != null && + auth.getGeneralConfiguration().isTrustManagerRevocationChecking() != null) trustmanagerrevoationchecking = auth.getGeneralConfiguration().isTrustManagerRevocationChecking(); else { - Logger.warn("Error in MOA-ID Configuration. No CertStoreDirectory defined."); - throw new ConfigurationException("config.02", null); + Logger.warn("No info found in MOA-ID Configuration. Set TrustManagerRevocationCheck to TRUE."); } } -- cgit v1.2.3 From 62b8a5dd94c29c8bd551dfb86c390e1dd992c7bc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Jul 2014 12:56:17 +0200 Subject: set default TrustManagerRevocationCheck value --- .../java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java | 2 +- .../egovernment/moa/id/config/auth/AuthConfigurationProvider.java | 6 +++--- .../gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index 24def1e02..88ed7885f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -124,7 +124,7 @@ public class ConfigurationProvider { protected String certstoreDirectory; - protected boolean trustmanagerrevoationchecking = true; + protected boolean trustmanagerrevoationchecking; /** * Returns the main configuration file directory used to configure MOA-ID diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index ccf390153..6fc1d28c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -1038,11 +1038,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private void setTrustManagerRevocationChecking() throws ConfigurationException { AuthComponentGeneral auth = getAuthComponentGeneral(); - if (auth.getGeneralConfiguration() != null && - auth.getGeneralConfiguration().isTrustManagerRevocationChecking() != null) + if (auth.getGeneralConfiguration() != null) trustmanagerrevoationchecking = auth.getGeneralConfiguration().isTrustManagerRevocationChecking(); else { - Logger.warn("No info found in MOA-ID Configuration. Set TrustManagerRevocationCheck to TRUE."); + Logger.warn("Error in MOA-ID Configuration. No CertStoreDirectory defined."); + throw new ConfigurationException("config.02", null); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 864be253a..9067d8fc4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -155,6 +155,8 @@ public class BuildFromLegacyConfig { if (genericConfiguration.containsKey(ConfigurationProvider.DIRECTORY_CERTSTORE_PARAMETER_PROPERTY)) authGeneral.setCertStoreDirectory( (String)genericConfiguration.get(ConfigurationProvider.DIRECTORY_CERTSTORE_PARAMETER_PROPERTY)); + else + authGeneral.setTrustManagerRevocationChecking(true); //Load Assertion and Session timeouts -- cgit v1.2.3 From 7212f4902eb4c2b3cf8026075ee04dd4506965ce Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Jul 2014 13:45:12 +0200 Subject: update SAML1 attribute builder for STORK2 attributes --- .../moa/id/auth/builder/AuthenticationAssertionBuilder.java | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java index 35109dfea..89f42ab7d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java @@ -92,6 +92,15 @@ public class AuthenticationAssertionBuilder { String namespace = extendedSAMLAttribute.getNameSpace(); if (value instanceof String) { sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, value})); + + } else if (value instanceof List) { + if (!((List)value).isEmpty()) { + Object firstEl = ((List)value).get(0); + if (firstEl instanceof String) { + sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, ((String)firstEl)})); + } + } + } else if (value instanceof Element) { try { String serializedValue = DOMUtils.serializeNode((Element)(value)); -- cgit v1.2.3 From c599f3bdc249c9b5bfcfcdc2a3e290734077aa8c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 11 Jul 2014 09:58:46 +0200 Subject: remove unused class --- .../moa/id/protocols/pvp2x/PVPProcessor.java | 34 ---------------------- 1 file changed, 34 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPProcessor.java (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPProcessor.java deleted file mode 100644 index 7509c51d8..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPProcessor.java +++ /dev/null @@ -1,34 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x; - -import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; - -public class PVPProcessor extends AuthServlet { - - /** - * - */ - private static final long serialVersionUID = 4102075202310068260L; - -} -- cgit v1.2.3 From 92db89befcaa7bb0a94bc9488574fe108e0202f5 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Mon, 14 Jul 2014 14:04:03 +0200 Subject: SignedDocAttrributeProvider - check if attribute is accessable --- .../attributeproviders/SignedDocAttributeRequestProvider.java | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 2aa10b9dd..13b14b0be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -131,6 +131,14 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { } requestedAttribute = attribute; + try + { + String tmp = requestedAttribute.getValue().get(0); + }catch(Exception e) + { + Logger.info("SignedDocAttributeProvide failed:"+e.toString()); + throw new UnsupportedAttributeException(); + } throw new ExternalAttributeRequestRequiredException(this); } -- cgit v1.2.3 From a2b550988cf86a41be95ff9ad50e62d2adf7ce1c Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Mon, 14 Jul 2014 14:05:50 +0200 Subject: do not send empty PEPSData --- .../moa/id/auth/AuthenticationServer.java | 3604 ++++++++++---------- 1 file changed, 1804 insertions(+), 1800 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 8d2684c9b..33fed945b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -156,1434 +156,1434 @@ import eu.stork.peps.exceptions.STORKSAMLEngineException; */ public class AuthenticationServer implements MOAIDAuthConstants { - /** - * single instance - */ - private static AuthenticationServer instance; - - /** - * time out in milliseconds used by {@link cleanup} for session store - */ - private long sessionTimeOutCreated = 15 * 60 * 1000; // default 10 minutes - private long sessionTimeOutUpdated = 10 * 60 * 1000; // default 10 minutes - /** - * time out in milliseconds used by {@link cleanup} for authentication data - * store - */ - private long authDataTimeOut = 2 * 60 * 1000; // default 2 minutes - - /** - * Returns the single instance of AuthenticationServer. - * - * @return the single instance of AuthenticationServer - */ - public static AuthenticationServer getInstance() { - if (instance == null) - instance = new AuthenticationServer(); - return instance; - } - - /** - * Constructor for AuthenticationServer. - */ - public AuthenticationServer() { - super(); - } - - - /** - * Processes the beginning of an authentication session. - *
    - *
  • Starts an authentication session
  • - *
  • Creates an <InfoboxReadRequest>
  • - *
  • Creates an HTML form for querying the identity link from the security - * layer implementation.
    - * Form parameters include - *
      - *
    • the <InfoboxReadRequest>
    • - *
    • the data URL where the security layer implementation sends it - * response to
    • - *
    - *
- * - * @param authURL URL of the servlet to be used as data URL - * @param target "Geschäftsbereich" of the online application requested - * @param targetFriendlyName Friendly name of the target if the target is configured via - * configuration - * @param oaURL online application URL requested - * @param bkuURL URL of the "Bürgerkartenumgebung" to be used; may be - * null; in this case, the default location will be - * used - * @param useMandate Indicates if mandate is used or not - * @param templateURL URL providing an HTML template for the HTML form generated - * @param templateMandteURL URL providing an HTML template for the HTML form generated - * (for signing in mandates mode) - * @param req determines the protocol used - * @param sourceID - * @return HTML form - * @throws AuthenticationException - * @see GetIdentityLinkFormBuilder - * @see InfoboxReadRequestBuilder - */ - public String startAuthentication(AuthenticationSession session, HttpServletRequest req) throws WrongParametersException, - AuthenticationException, ConfigurationException, BuildException { - - if (session == null) { - throw new AuthenticationException("auth.18", new Object[]{}); - } - - //load OnlineApplication configuration - OAAuthParameter oaParam = - AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - if (oaParam == null) - throw new AuthenticationException("auth.00", new Object[]{session.getPublicOAURLPrefix()}); - - //load Template - String template = null; - if (session.getTemplateURL() != null) { - try { - - template = new String(FileUtils.readURL(session.getTemplateURL())); - } catch (IOException ex) { - throw new AuthenticationException("auth.03", new Object[]{ - session.getTemplateURL(), ex.toString()}, ex); - } - } - - String infoboxReadRequest = ""; - - String domainIdentifier = AuthConfigurationProvider.getInstance().getSSOTagetIdentifier().trim(); - if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) { - //do not use SSO if no Target is set - Log.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); - session.setSsoRequested(false); - - } - - if (session.isSsoRequested()) { - Log.info("SSO Login requested"); - //load identityLink with SSO Target - boolean isbuisness = false; - - if (domainIdentifier.startsWith(PREFIX_WPBK)) { - - isbuisness = true; - - } else { - isbuisness = false; - - } - - //build ReadInfobox request - infoboxReadRequest = new InfoboxReadRequestBuilder().build( - isbuisness, domainIdentifier); - - } else { - Log.info("Non-SSO Login requested"); - //build ReadInfobox request - infoboxReadRequest = new InfoboxReadRequestBuilder().build( - oaParam.getBusinessService(), oaParam - .getIdentityLinkDomainIdentifier()); - - } - - - String dataURL = new DataURLBuilder().buildDataURL( - session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session - .getSessionID()); - - //removed in MOAID 2.0 - String pushInfobox = ""; - -// VerifyInfoboxParameters verifyInfoboxParameters = oaParam -// .getVerifyInfoboxParameters(); -// if (verifyInfoboxParameters != null) { -// pushInfobox = verifyInfoboxParameters.getPushInfobox(); -// session.setPushInfobox(pushInfobox); -// } + /** + * single instance + */ + private static AuthenticationServer instance; + + /** + * time out in milliseconds used by {@link cleanup} for session store + */ + private long sessionTimeOutCreated = 15 * 60 * 1000; // default 10 minutes + private long sessionTimeOutUpdated = 10 * 60 * 1000; // default 10 minutes + /** + * time out in milliseconds used by {@link cleanup} for authentication data + * store + */ + private long authDataTimeOut = 2 * 60 * 1000; // default 2 minutes + + /** + * Returns the single instance of AuthenticationServer. + * + * @return the single instance of AuthenticationServer + */ + public static AuthenticationServer getInstance() { + if (instance == null) + instance = new AuthenticationServer(); + return instance; + } + + /** + * Constructor for AuthenticationServer. + */ + public AuthenticationServer() { + super(); + } + + + /** + * Processes the beginning of an authentication session. + *
    + *
  • Starts an authentication session
  • + *
  • Creates an <InfoboxReadRequest>
  • + *
  • Creates an HTML form for querying the identity link from the security + * layer implementation.
    + * Form parameters include + *
      + *
    • the <InfoboxReadRequest>
    • + *
    • the data URL where the security layer implementation sends it + * response to
    • + *
    + *
+ * + * @param authURL URL of the servlet to be used as data URL + * @param target "Geschäftsbereich" of the online application requested + * @param targetFriendlyName Friendly name of the target if the target is configured via + * configuration + * @param oaURL online application URL requested + * @param bkuURL URL of the "Bürgerkartenumgebung" to be used; may be + * null; in this case, the default location will be + * used + * @param useMandate Indicates if mandate is used or not + * @param templateURL URL providing an HTML template for the HTML form generated + * @param templateMandteURL URL providing an HTML template for the HTML form generated + * (for signing in mandates mode) + * @param req determines the protocol used + * @param sourceID + * @return HTML form + * @throws AuthenticationException + * @see GetIdentityLinkFormBuilder + * @see InfoboxReadRequestBuilder + */ + public String startAuthentication(AuthenticationSession session, HttpServletRequest req) throws WrongParametersException, + AuthenticationException, ConfigurationException, BuildException { + + if (session == null) { + throw new AuthenticationException("auth.18", new Object[]{}); + } + + //load OnlineApplication configuration + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + if (oaParam == null) + throw new AuthenticationException("auth.00", new Object[]{session.getPublicOAURLPrefix()}); + + //load Template + String template = null; + if (session.getTemplateURL() != null) { + try { + + template = new String(FileUtils.readURL(session.getTemplateURL())); + } catch (IOException ex) { + throw new AuthenticationException("auth.03", new Object[]{ + session.getTemplateURL(), ex.toString()}, ex); + } + } + + String infoboxReadRequest = ""; + + String domainIdentifier = AuthConfigurationProvider.getInstance().getSSOTagetIdentifier().trim(); + if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) { + //do not use SSO if no Target is set + Log.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); + session.setSsoRequested(false); + + } + + if (session.isSsoRequested()) { + Log.info("SSO Login requested"); + //load identityLink with SSO Target + boolean isbuisness = false; + + if (domainIdentifier.startsWith(PREFIX_WPBK)) { + + isbuisness = true; + + } else { + isbuisness = false; + + } + + //build ReadInfobox request + infoboxReadRequest = new InfoboxReadRequestBuilder().build( + isbuisness, domainIdentifier); + + } else { + Log.info("Non-SSO Login requested"); + //build ReadInfobox request + infoboxReadRequest = new InfoboxReadRequestBuilder().build( + oaParam.getBusinessService(), oaParam + .getIdentityLinkDomainIdentifier()); + + } + + + String dataURL = new DataURLBuilder().buildDataURL( + session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session + .getSessionID()); + + //removed in MOAID 2.0 + String pushInfobox = ""; + + // VerifyInfoboxParameters verifyInfoboxParameters = oaParam + // .getVerifyInfoboxParameters(); + // if (verifyInfoboxParameters != null) { + // pushInfobox = verifyInfoboxParameters.getPushInfobox(); + // session.setPushInfobox(pushInfobox); + // } //build CertInfo request //removed in MOA-ID 2.0 -// String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder() -// .build(); -// String certInfoDataURL = new DataURLBuilder() -// .buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION, -// session.getSessionID()); - - //get Applet Parameters - String appletwidth = req.getParameter(PARAM_APPLET_WIDTH); - String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH); - appletheigth = StringEscapeUtils.escapeHtml(appletheigth); - appletwidth = StringEscapeUtils.escapeHtml(appletwidth); - - - //TODO: cleanup before MOA-ID 2.1 release - try { - String htmlForm = new GetIdentityLinkFormBuilder().build(template, - session.getBkuURL(), infoboxReadRequest, dataURL, null, - null, pushInfobox, oaParam, appletheigth, appletwidth); - - return htmlForm; - - } catch (BuildException e) { - throw new BuildException("builder.07", null, e); - - } - } - - /** - * Processes an <InfoboxReadResponse> sent by the - * security layer implementation.
- *
    - *
  • Validates given <InfoboxReadResponse>
  • - *
  • Parses identity link enclosed in - * <InfoboxReadResponse>
  • - *
  • Verifies identity link by calling the MOA SP component
  • - *
  • Checks certificate authority of identity link
  • - *
  • Stores identity link in the session
  • - *
  • Verifies all additional infoboxes returned from the BKU
  • - *
  • Creates an authentication block to be signed by the user
  • - *
  • Creates and returns a <CreateXMLSignatureRequest> - * containg the authentication block, meant to be returned to the security - * layer implementation
  • - *
- * - * @param sessionID ID of associated authentication session data - * @param infoboxReadResponseParameters The parameters from the response returned from the BKU - * including the <InfoboxReadResponse> - * @return String representation of the - * <CreateXMLSignatureRequest> - * @throws BKUException - */ - public String verifyIdentityLink(AuthenticationSession session, - Map infoboxReadResponseParameters) throws AuthenticationException, - BuildException, ParseException, ConfigurationException, - ValidateException, ServiceException, BKUException { - - if (session == null) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_IDENTITY_LINK, PARAM_SESSIONID}); - - String xmlInfoboxReadResponse = (String) infoboxReadResponseParameters - .get(PARAM_XMLRESPONSE); - - if (isEmpty(xmlInfoboxReadResponse)) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE}); - - AuthConfigurationProvider authConf = AuthConfigurationProvider - .getInstance(); - - // check if an identity link was found - // Errorcode 2911 von Trustdesk BKU (nicht spezifikationskonform - // (SL1.2)) - // CharSequence se = "ErrorCode>2911".substring(0); - // boolean b = xmlInfoboxReadResponse.contains(se); - String se = "ErrorCode>2911"; - int b = xmlInfoboxReadResponse.indexOf(se); - if (b != -1) { // no identity link found - Logger - .info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als auslaendische eID."); - return null; - } - // spezifikationsgemaess (SL1.2) Errorcode - se = "ErrorCode>4002"; - // b = xmlInfoboxReadResponse.contains(se); - b = xmlInfoboxReadResponse.indexOf(se); - if (b != -1) { // Unbekannter Infoboxbezeichner - Logger - .info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als auslaendische eID."); - return null; - } - - // parses the - IdentityLink identityLink = new InfoboxReadResponseParser( - xmlInfoboxReadResponse).parseIdentityLink(); - // validates the identity link - IdentityLinkValidator.getInstance().validate(identityLink); - // builds a for a call of MOA-SP - Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() - .build(identityLink, authConf - .getMoaSpIdentityLinkTrustProfileID()); - - // invokes the call - Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() - .verifyXMLSignature(domVerifyXMLSignatureRequest); - // parses the - VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( - domVerifyXMLSignatureResponse).parseData(); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - - // validates the - VerifyXMLSignatureResponseValidator.getInstance().validate( - verifyXMLSignatureResponse, - authConf.getIdentityLinkX509SubjectNames(), - VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, - oaParam); - - session.setIdentityLink(identityLink); - // now validate the extended infoboxes - - //Removed in MOA-ID 2.0 - //verifyInfoboxes(session, infoboxReadResponseParameters, false); - - return "found!"; - } - - /** - * Processes an <InfoboxReadResponse> sent by the - * security layer implementation.
- *
    - *
  • Validates given <InfoboxReadResponse>
  • - *
  • Parses identity link enclosed in - * <InfoboxReadResponse>
  • - *
  • Verifies identity link by calling the MOA SP component
  • - *
  • Checks certificate authority of identity link
  • - *
  • Stores identity link in the session
  • - *
  • Verifies all additional infoboxes returned from the BKU
  • - *
  • Creates an authentication block to be signed by the user
  • - *
  • Creates and returns a <CreateXMLSignatureRequest> - * containg the authentication block, meant to be returned to the security - * layer implementation
  • - *
- * - * @param sessionID ID of associated authentication session data - * @param infoboxReadResponseParameters The parameters from the response returned from the BKU - * including the <InfoboxReadResponse> - * @return String representation of the - * <CreateXMLSignatureRequest> - */ - public String verifyCertificate(AuthenticationSession session, - X509Certificate certificate) throws AuthenticationException, - BuildException, ParseException, ConfigurationException, - ValidateException, ServiceException, MOAIDException { - - if (session == null) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID}); - - // check if person is a Organwalter - // if true - don't show bPK in AUTH Block - try { - for (ObjectID OWid : MOAIDAuthConstants.OW_LIST) { - if (certificate.getExtension(OWid) != null) { - session.setOW(true); - } - - } - - } catch (X509ExtensionInitException e) { - Logger.warn("Certificate extension is not readable."); - session.setOW(false); - } - - AuthConfigurationProvider authConf = AuthConfigurationProvider - .getInstance(); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - - String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session, - authConf, oaParam); - - return returnvalue; - } - - /** - * Processes an Mandate sent by the MIS.
- *
    - *
  • Validates given Mandate
  • - *
  • Verifies Mandate by calling the MOA SP component
  • - *
  • Creates an authentication block to be signed by the user
  • - *
  • Creates and returns a <CreateXMLSignatureRequest> - * containg the authentication block, meant to be returned to the security - * layer implementation
  • - *
- * - * @param sessionID ID of associated authentication session data - * @param infoboxReadResponseParameters The parameters from the response returned from the BKU - * including the <InfoboxReadResponse> - * @return String representation of the - * <CreateXMLSignatureRequest> - */ - public void verifyMandate(AuthenticationSession session, MISMandate mandate) - throws AuthenticationException, BuildException, ParseException, - ConfigurationException, ValidateException, ServiceException { - - if (session == null) - throw new AuthenticationException("auth.10", new Object[]{ - GET_MIS_SESSIONID, PARAM_SESSIONID}); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - - try { - // sets the extended SAML attributes for OID (Organwalter) - setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam - .getBusinessService()); - - validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); - - - } catch (SAXException e) { - throw new AuthenticationException("auth.15", - new Object[]{GET_MIS_SESSIONID}, e); - } catch (IOException e) { - throw new AuthenticationException("auth.15", - new Object[]{GET_MIS_SESSIONID}, e); - } catch (ParserConfigurationException e) { - throw new AuthenticationException("auth.15", - new Object[]{GET_MIS_SESSIONID}, e); - } catch (TransformerException e) { - throw new AuthenticationException("auth.15", - new Object[]{GET_MIS_SESSIONID}, e); - } - - } - - /** - * @param session - * @param authConf - * @param oaParam - * @return - * @throws ConfigurationException - * @throws BuildException - * @throws ValidateException - */ - public String getCreateXMLSignatureRequestAuthBlockOrRedirect( - AuthenticationSession session, AuthConfigurationProvider authConf, - OAAuthParameter oaParam) throws ConfigurationException, - BuildException, ValidateException { - -// // check for intermediate processing of the infoboxes -// if (session.isValidatorInputPending()) -// return "Redirect to Input Processor"; - - if (authConf == null) - authConf = AuthConfigurationProvider.getInstance(); - if (oaParam == null) - oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter( - session.getPublicOAURLPrefix()); - - // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session, oaParam); - - // builds the - List transformsInfos = authConf.getTransformsInfos(); - - String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() - .build(authBlock, oaParam.getKeyBoxIdentifier(), - transformsInfos); - return createXMLSignatureRequest; - } - - /** - * Returns an CreateXMLSignatureRequest for signing the ERnP statement.
- *
    - *
  • Creates an CreateXMLSignatureRequest to be signed by the user
  • - *
- * - * @param sessionID ID of associated authentication session data - * @param cert The certificate from the user - * @return String representation of the - * <CreateXMLSignatureRequest> - */ - public String createXMLSignatureRequestForeignID(AuthenticationSession session, - X509Certificate cert) throws AuthenticationException, - BuildException, ParseException, ConfigurationException, - ValidateException, ServiceException { - - if (session == null) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID}); - - AuthConfigurationProvider authConf = AuthConfigurationProvider - .getInstance(); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - - return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam, - cert); - } - - public String getCreateXMLSignatureRequestForeigID( - AuthenticationSession session, AuthConfigurationProvider authConf, - OAAuthParameter oaParam, X509Certificate cert) - throws ConfigurationException { - -// // check for intermediate processing of the infoboxes -// if (session.isValidatorInputPending()) -// return "Redirect to Input Processor"; - - if (authConf == null) - authConf = AuthConfigurationProvider.getInstance(); - if (oaParam == null) - oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter( - session.getPublicOAURLPrefix()); - - Principal subject = cert.getSubjectDN(); - - String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() - .buildForeignID(subject.toString(), oaParam, session); - return createXMLSignatureRequest; - } - - /** - * Processes an <CreateXMLSignatureResponse> sent by the - * security layer implementation.
- *
    - *
  • Validates given <CreateXMLSignatureResponse>
  • - *
  • Parses response enclosed in - * <CreateXMLSignatureResponse>
  • - *
  • Verifies signature by calling the MOA SP component
  • - *
  • Returns the signer certificate
  • - *
- * - * @param sessionID ID of associated authentication session data - * @param createXMLSignatureResponseParameters The parameters from the response returned from the BKU - * including the <CreateXMLSignatureResponse> - * @throws BKUException - */ - public X509Certificate verifyXMLSignature(String sessionID, - Map createXMLSignatureResponseParameters) - throws AuthenticationException, BuildException, ParseException, - ConfigurationException, ValidateException, ServiceException, BKUException { - - if (isEmpty(sessionID)) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_GET_FOREIGN_ID, PARAM_SESSIONID}); - - String xmlCreateXMLSignatureResponse = (String) createXMLSignatureResponseParameters - .get(PARAM_XMLRESPONSE); - - if (isEmpty(xmlCreateXMLSignatureResponse)) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_GET_FOREIGN_ID, PARAM_XMLRESPONSE}); - - AuthConfigurationProvider authConf = AuthConfigurationProvider - .getInstance(); - - // parses the - CreateXMLSignatureResponseParser p = new CreateXMLSignatureResponseParser( - xmlCreateXMLSignatureResponse); - CreateXMLSignatureResponse createXMLSignatureResponse = p - .parseResponseDsig(); - - // builds a for a call of MOA-SP - Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() - .buildDsig(createXMLSignatureResponse, authConf - .getMoaSpAuthBlockTrustProfileID()); - - // invokes the call - Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() - .verifyXMLSignature(domVerifyXMLSignatureRequest); - - // parses the - VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( - domVerifyXMLSignatureResponse).parseData(); - - return verifyXMLSignatureResponse.getX509certificate(); - - } - - /** - * Processes an <CreateXMLSignatureResponse> sent by the - * security layer implementation.
- *
    - *
  • Validates given <CreateXMLSignatureResponse>
  • - *
  • Parses response enclosed in - * <CreateXMLSignatureResponse>
  • - *
  • Verifies signature by calling the MOA SP component
  • - *
  • Returns the signer certificate
  • - *
- * - * @param sessionID ID of associated authentication session data - * @param readInfoboxResponseParameters The parameters from the response returned from the BKU - * including the <ReadInfoboxResponse> - * @throws BKUException - */ - public X509Certificate getCertificate(String sessionID, - Map readInfoboxResponseParameters) throws AuthenticationException, - BuildException, ParseException, ConfigurationException, - ValidateException, ServiceException, BKUException { - - if (isEmpty(sessionID)) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID}); - - String xmlReadInfoboxResponse = (String) readInfoboxResponseParameters - .get(PARAM_XMLRESPONSE); - - if (isEmpty(xmlReadInfoboxResponse)) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_CERTIFICATE, PARAM_XMLRESPONSE}); - - // parses the - InfoboxReadResponseParser p = new InfoboxReadResponseParser( - xmlReadInfoboxResponse); - X509Certificate cert = p.parseCertificate(); - - return cert; - - } - - /** - * Builds an authentication block <saml:Assertion> from - * given session data. - * - * @param session authentication session - * @return <saml:Assertion> as a String - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. - */ - private String buildAuthenticationBlock(AuthenticationSession session, - OAAuthParameter oaParam) throws BuildException { - - IdentityLink identityLink = session.getIdentityLink(); - String issuer = identityLink.getName(); - String gebDat = identityLink.getDateOfBirth(); - - String identificationValue = null; - String identificationType = null; - - //set empty AuthBlock BPK in case of OW or SSO or bpk is not requested - if (session.isOW() || session.isSsoRequested() || oaParam.isRemovePBKFromAuthBlock()) { - identificationType = ""; - identificationValue = ""; - - } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - - if (oaParam.getBusinessService()) { - - String bpkBase64 = new BPKBuilder().buildWBPK(identityLink - .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); - identificationValue = bpkBase64; - - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = oaParam.getIdentityLinkDomainIdentifier(); - else - identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), session.getTarget()); - identificationValue = bpkBase64; - identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); - } - - - } else { - identificationValue = identityLink.getIdentificationValue(); - identificationType = identityLink.getIdentificationType(); - - } - - String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance()); - session.setIssueInstant(issueInstant); - String authURL = session.getAuthURL(); - String target = session.getTarget(); - String targetFriendlyName = session.getTargetFriendlyName(); - - // Bug #485 - // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) - // String oaURL = session.getPublicOAURLPrefix(); - - List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); - - - if (session.isSsoRequested()) { - String oaURL = new String(); - try { - oaURL = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); - - if (MiscUtil.isNotEmpty(oaURL)) - oaURL = oaURL.replaceAll("&", "&"); - - } catch (ConfigurationException e) { - } - String authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlockSSO(issuer, issueInstant, authURL, target, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - return authBlock; - - } else { - String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); - String authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlock(issuer, issueInstant, authURL, target, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - return authBlock; - } - } - - - /** - * Verifies the infoboxes (except of the identity link infobox) returned by - * the BKU by calling appropriate validator classes. - * - * @param session The actual authentication session. - * @param mandate The Mandate from the MIS - * @throws AuthenticationException - * @throws ConfigurationException - * @throws TransformerException - * @throws ParserConfigurationException - * @throws IOException - * @throws SAXException - */ - private void validateExtendedSAMLAttributeForMandates( - AuthenticationSession session, MISMandate mandate, - boolean business) - throws ValidateException, ConfigurationException, SAXException, - IOException, ParserConfigurationException, TransformerException { - - ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - mandate, business, false); - - int length = extendedSAMLAttributes.length; - for (int i = 0; i < length; i++) { - ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i]; - - verifySAMLAttribute(samlAttribute, i, "MISService", - "MISService"); - - } - } - - /** - * Verifies the infoboxes (except of the identity link infobox) returned by - * the BKU by calling appropriate validator classes. - * - * @param session The actual authentication session. - * @param mandate The Mandate from the MIS - * @throws AuthenticationException - * @throws ConfigurationException - * @throws TransformerException - * @throws ParserConfigurationException - * @throws IOException - * @throws SAXException - */ - private void setExtendedSAMLAttributeForMandatesOID( - AuthenticationSession session, MISMandate mandate, boolean business) - throws ValidateException, ConfigurationException, SAXException, - IOException, ParserConfigurationException, TransformerException { - - ExtendedSAMLAttribute[] extendedSamlAttributes = addExtendedSamlAttributesOID( - mandate, business); - - AddAdditionalSAMLAttributes(session, extendedSamlAttributes, - "MISService", "MISService"); - - } - - /** - * Adds given SAML Attributes to the current session. They will be appended - * to the final SAML Assertion or the AUTH block. If the attributes are - * already in the list, they will be replaced. - * - * @param session The current session - * @param extendedSAMLAttributes The SAML attributes to add - * @param identifier The infobox identifier for debug purposes - * @param friendlyNam The friendly name of the infobox for debug purposes - */ - private static void AddAdditionalSAMLAttributes( - AuthenticationSession session, - ExtendedSAMLAttribute[] extendedSAMLAttributes, String identifier, - String friendlyName) throws ValidateException { - if (extendedSAMLAttributes == null) - return; - List oaAttributes = session.getExtendedSAMLAttributesOA(); - if (oaAttributes == null) - oaAttributes = new Vector(); - List authAttributes = session.getExtendedSAMLAttributesAUTH(); - if (authAttributes == null) - authAttributes = new Vector(); - int length = extendedSAMLAttributes.length; - for (int i = 0; i < length; i++) { - ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i]; - - Object value = verifySAMLAttribute(samlAttribute, i, identifier, - friendlyName); - - if ((value instanceof String) || (value instanceof Element)) { - switch (samlAttribute.getAddToAUTHBlock()) { - case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY: - replaceExtendedSAMLAttribute(authAttributes, samlAttribute); - break; - case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK: - replaceExtendedSAMLAttribute(authAttributes, samlAttribute); - replaceExtendedSAMLAttribute(oaAttributes, samlAttribute); - break; - case ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK: - replaceExtendedSAMLAttribute(oaAttributes, samlAttribute); - break; - default: - Logger - .info("Invalid return value from method \"getAddToAUTHBlock()\" (" - + samlAttribute.getAddToAUTHBlock() - + ") in SAML attribute number " - + (i + 1) - + " for infobox " + identifier); - throw new ValidateException("validator.47", new Object[]{ - friendlyName, String.valueOf((i + 1))}); - } - } else { - Logger - .info("The type of SAML-Attribute number " - + (i + 1) - + " returned from " - + identifier - + "-infobox validator is not valid. Must be either \"java.Lang.String\"" - + " or \"org.w3c.dom.Element\""); - throw new ValidateException("validator.46", new Object[]{ - identifier, String.valueOf((i + 1))}); - } - } - session.setExtendedSAMLAttributesAUTH(authAttributes); - session.setExtendedSAMLAttributesOA(oaAttributes); - } - - /** - * Adds the AUTH block related SAML attributes to the validation result. - * This is needed always before the AUTH block is to be signed, because the - * name of the mandator has to be set - * - * @throws ParserConfigurationException - * @throws IOException - * @throws SAXException - * @throws TransformerException - */ - - protected static ExtendedSAMLAttribute[] addExtendedSamlAttributes( - MISMandate mandate, boolean business, boolean provideStammzahl) - throws SAXException, IOException, ParserConfigurationException, - TransformerException { - Vector extendedSamlAttributes = new Vector(); - - extendedSamlAttributes.clear(); - - // Name - Element domMandate = mandateToElement(mandate); - Element nameSpaceNode = domMandate.getOwnerDocument().createElement( - "NameSpaceNode"); - nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, - Constants.PD_NS_URI); - nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.MANDATE_POSTFIX, - SZRGWConstants.MANDATE_NS); - - Element mandator = (Element) XPathAPI.selectSingleNode(domMandate, - "//md:Mandate/md:Mandator", nameSpaceNode); - - // Mandate - extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( - EXT_SAML_MANDATE_RAW, domMandate, - SZRGWConstants.MANDATE_NS, - ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); - - // (w)bpk - String wbpk = ParepUtils.extractMandatorWbpk(mandator); - if (!ParepUtils.isEmpty(wbpk)) { - if (!ParepUtils.isPhysicalPerson(mandator)) { - String idType = ParepUtils - .extractMandatorIdentificationType(mandator); - if (!ParepUtils.isEmpty(idType) - && idType.startsWith(Constants.URN_PREFIX_BASEID)) { - extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( - EXT_SAML_MANDATE_CB_BASE_ID, - ParepUtils.getRegisterString(idType) + ": " + wbpk, - SZRGWConstants.MANDATE_NS, - ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY)); - } - } else if (business) { - extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( - EXT_SAML_MANDATE_WBPK, wbpk, - SZRGWConstants.MANDATE_NS, - ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY)); - } - } - - ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes - .size()]; - extendedSamlAttributes.copyInto(ret); - Logger.debug("ExtendedSAML Attributes: " + ret.length); - return ret; - - } - - /** - * Adds the AUTH block related SAML attributes to the validation result. - * This is needed always before the AUTH block is to be signed, because the - * name of the mandator has to be set - * - * @throws ParserConfigurationException - * @throws IOException - * @throws SAXException - * @throws TransformerException - */ - private static ExtendedSAMLAttribute[] addExtendedSamlAttributesOID( - MISMandate mandate, boolean business) throws SAXException, - IOException, ParserConfigurationException, TransformerException { - - Vector extendedSamlAttributes = new Vector(); - - extendedSamlAttributes.clear(); - - // RepresentationType - extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( - EXT_SAML_MANDATE_REPRESENTATIONTYPE, - EXT_SAML_MANDATE_REPRESENTATIONTEXT, - SZRGWConstants.MANDATE_NS, - ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); - - String oid = mandate.getProfRep(); - - if (oid != null) { - extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( - EXT_SAML_MANDATE_OID, oid, - SZRGWConstants.MANDATE_NS, - ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); - String oidDescription = mandate.getTextualDescriptionOfOID(); - extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( - EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, - oidDescription, SZRGWConstants.MANDATE_NS, - ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); - - } - - ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes - .size()]; - extendedSamlAttributes.copyInto(ret); - Logger.debug("ExtendedSAML Attributes: " + ret.length); - return ret; - - } - - /** - * @param mandate - * @return - * @throws ParserConfigurationException - * @throws IOException - * @throws SAXException - */ - private static Element mandateToElement(MISMandate mandate) - throws SAXException, IOException, ParserConfigurationException { - ByteArrayInputStream bais = new ByteArrayInputStream(mandate - .getMandate()); - Document doc = DOMUtils.parseDocumentSimple(bais); - return doc.getDocumentElement(); - } - - protected static void replaceExtendedSAMLAttribute(List attributes, - ExtendedSAMLAttribute samlAttribute) { - if (null == attributes) { - attributes = new Vector(); - } else { - String id = samlAttribute.getName(); - int length = attributes.size(); - for (int i = 0; i < length; i++) { - ExtendedSAMLAttribute att = (ExtendedSAMLAttribute) attributes - .get(i); - if (id.equals(att.getName())) { - // replace attribute - attributes.set(i, samlAttribute); - return; - } - } - attributes.add(samlAttribute); - } - } - - /** - * Processes a <CreateXMLSignatureResponse> sent by the - * security layer implementation.
- *
    - *
  • Validates given <CreateXMLSignatureResponse>
  • - *
  • Parses <CreateXMLSignatureResponse> for error - * codes
  • - *
  • Parses authentication block enclosed in - * <CreateXMLSignatureResponse>
  • - *
  • Verifies authentication block by calling the MOA SP component
  • - *
  • Creates authentication data
  • - *
  • Creates a corresponding SAML artifact
  • - *
  • Stores authentication data in the authentication data store indexed - * by the SAML artifact
  • - *
  • Deletes authentication session
  • - *
  • Returns the SAML artifact, encoded BASE64
  • - *
- * - * @param sessionID session ID of the running authentication session - * @param xmlCreateXMLSignatureReadResponse String representation of the - * <CreateXMLSignatureResponse> - * @return SAML artifact needed for retrieving authentication data, encoded - * BASE64 - * @throws BKUException - */ - public String verifyAuthenticationBlock(AuthenticationSession session, - String xmlCreateXMLSignatureReadResponse) - throws AuthenticationException, BuildException, ParseException, - ConfigurationException, ServiceException, ValidateException, BKUException { - - if (session == null) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); - if (isEmpty(xmlCreateXMLSignatureReadResponse)) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); - - AuthConfigurationProvider authConf = AuthConfigurationProvider - .getInstance(); - // parses - CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser( - xmlCreateXMLSignatureReadResponse).parseResponse(); - - try { - String serializedAssertion = DOMUtils.serializeNode(csresp - .getSamlAssertion()); - session.setAuthBlock(serializedAssertion); - } catch (TransformerException e) { - throw new ParseException("parser.04", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); - } catch (IOException e) { - throw new ParseException("parser.04", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); - } - // validates - if (session.isSsoRequested()) - new CreateXMLSignatureResponseValidator().validateSSO(csresp, session); - else - new CreateXMLSignatureResponseValidator().validate(csresp, session); - - // builds a for a MOA-SPSS call - List vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs(); - String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); - Element domVsreq = new VerifyXMLSignatureRequestBuilder().build(csresp, - vtids, tpid); - // debug output - - Element domVsresp = null; - -// try { - // invokes the call - domVsresp = new SignatureVerificationInvoker() - .verifyXMLSignature(domVsreq); - // debug output - -// } catch ( ServiceException e) { -// Logger.error("Signature verification error. ", e); -// Logger.error("Signed Data: " + session.getAuthBlock()); -// try { -// Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq)); -// } catch (TransformerException e1) { -// e1.printStackTrace(); -// -// } catch (IOException e1) { -// e1.printStackTrace(); -// -// } -// -// throw e; -// } - - - // parses the - VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponseParser( - domVsresp).parseData(); - - if (Logger.isTraceEnabled()) { - if (domVsresp != null) { - try { - String xmlVerifyXMLSignatureResponse = DOMUtils - .serializeNode(domVsresp, true); - Logger.trace(new LogMsg(xmlCreateXMLSignatureReadResponse)); - Logger.trace(new LogMsg(xmlVerifyXMLSignatureResponse)); - } catch (Throwable t) { - t.printStackTrace(); - Logger.info(new LogMsg(t.getStackTrace())); - } - } - } - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - - // validates the - VerifyXMLSignatureResponseValidator.getInstance().validate(vsresp, - null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, - oaParam); - - // Compare AuthBlock Data with information stored in session, especially - // date and time - CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); - - try { - // compares the public keys from the identityLink with the AuthBlock - VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( - vsresp, session.getIdentityLink()); - - } catch ( ValidateException e) { - Logger.error("Signature verification error. ", e); - Logger.error("Signed Data: " + session.getAuthBlock()); - try { + // String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder() + // .build(); + // String certInfoDataURL = new DataURLBuilder() + // .buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION, + // session.getSessionID()); + + //get Applet Parameters + String appletwidth = req.getParameter(PARAM_APPLET_WIDTH); + String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH); + appletheigth = StringEscapeUtils.escapeHtml(appletheigth); + appletwidth = StringEscapeUtils.escapeHtml(appletwidth); + + + //TODO: cleanup before MOA-ID 2.1 release + try { + String htmlForm = new GetIdentityLinkFormBuilder().build(template, + session.getBkuURL(), infoboxReadRequest, dataURL, null, + null, pushInfobox, oaParam, appletheigth, appletwidth); + + return htmlForm; + + } catch (BuildException e) { + throw new BuildException("builder.07", null, e); + + } + } + + /** + * Processes an <InfoboxReadResponse> sent by the + * security layer implementation.
+ *
    + *
  • Validates given <InfoboxReadResponse>
  • + *
  • Parses identity link enclosed in + * <InfoboxReadResponse>
  • + *
  • Verifies identity link by calling the MOA SP component
  • + *
  • Checks certificate authority of identity link
  • + *
  • Stores identity link in the session
  • + *
  • Verifies all additional infoboxes returned from the BKU
  • + *
  • Creates an authentication block to be signed by the user
  • + *
  • Creates and returns a <CreateXMLSignatureRequest> + * containg the authentication block, meant to be returned to the security + * layer implementation
  • + *
+ * + * @param sessionID ID of associated authentication session data + * @param infoboxReadResponseParameters The parameters from the response returned from the BKU + * including the <InfoboxReadResponse> + * @return String representation of the + * <CreateXMLSignatureRequest> + * @throws BKUException + */ + public String verifyIdentityLink(AuthenticationSession session, + Map infoboxReadResponseParameters) throws AuthenticationException, + BuildException, ParseException, ConfigurationException, + ValidateException, ServiceException, BKUException { + + if (session == null) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_IDENTITY_LINK, PARAM_SESSIONID}); + + String xmlInfoboxReadResponse = (String) infoboxReadResponseParameters + .get(PARAM_XMLRESPONSE); + + if (isEmpty(xmlInfoboxReadResponse)) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE}); + + AuthConfigurationProvider authConf = AuthConfigurationProvider + .getInstance(); + + // check if an identity link was found + // Errorcode 2911 von Trustdesk BKU (nicht spezifikationskonform + // (SL1.2)) + // CharSequence se = "ErrorCode>2911".substring(0); + // boolean b = xmlInfoboxReadResponse.contains(se); + String se = "ErrorCode>2911"; + int b = xmlInfoboxReadResponse.indexOf(se); + if (b != -1) { // no identity link found + Logger + .info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als auslaendische eID."); + return null; + } + // spezifikationsgemaess (SL1.2) Errorcode + se = "ErrorCode>4002"; + // b = xmlInfoboxReadResponse.contains(se); + b = xmlInfoboxReadResponse.indexOf(se); + if (b != -1) { // Unbekannter Infoboxbezeichner + Logger + .info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als auslaendische eID."); + return null; + } + + // parses the + IdentityLink identityLink = new InfoboxReadResponseParser( + xmlInfoboxReadResponse).parseIdentityLink(); + // validates the identity link + IdentityLinkValidator.getInstance().validate(identityLink); + // builds a for a call of MOA-SP + Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() + .build(identityLink, authConf + .getMoaSpIdentityLinkTrustProfileID()); + + // invokes the call + Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + // parses the + VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( + domVerifyXMLSignatureResponse).parseData(); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + + // validates the + VerifyXMLSignatureResponseValidator.getInstance().validate( + verifyXMLSignatureResponse, + authConf.getIdentityLinkX509SubjectNames(), + VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, + oaParam); + + session.setIdentityLink(identityLink); + // now validate the extended infoboxes + + //Removed in MOA-ID 2.0 + //verifyInfoboxes(session, infoboxReadResponseParameters, false); + + return "found!"; + } + + /** + * Processes an <InfoboxReadResponse> sent by the + * security layer implementation.
+ *
    + *
  • Validates given <InfoboxReadResponse>
  • + *
  • Parses identity link enclosed in + * <InfoboxReadResponse>
  • + *
  • Verifies identity link by calling the MOA SP component
  • + *
  • Checks certificate authority of identity link
  • + *
  • Stores identity link in the session
  • + *
  • Verifies all additional infoboxes returned from the BKU
  • + *
  • Creates an authentication block to be signed by the user
  • + *
  • Creates and returns a <CreateXMLSignatureRequest> + * containg the authentication block, meant to be returned to the security + * layer implementation
  • + *
+ * + * @param sessionID ID of associated authentication session data + * @param infoboxReadResponseParameters The parameters from the response returned from the BKU + * including the <InfoboxReadResponse> + * @return String representation of the + * <CreateXMLSignatureRequest> + */ + public String verifyCertificate(AuthenticationSession session, + X509Certificate certificate) throws AuthenticationException, + BuildException, ParseException, ConfigurationException, + ValidateException, ServiceException, MOAIDException { + + if (session == null) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID}); + + // check if person is a Organwalter + // if true - don't show bPK in AUTH Block + try { + for (ObjectID OWid : MOAIDAuthConstants.OW_LIST) { + if (certificate.getExtension(OWid) != null) { + session.setOW(true); + } + + } + + } catch (X509ExtensionInitException e) { + Logger.warn("Certificate extension is not readable."); + session.setOW(false); + } + + AuthConfigurationProvider authConf = AuthConfigurationProvider + .getInstance(); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + + String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session, + authConf, oaParam); + + return returnvalue; + } + + /** + * Processes an Mandate sent by the MIS.
+ *
    + *
  • Validates given Mandate
  • + *
  • Verifies Mandate by calling the MOA SP component
  • + *
  • Creates an authentication block to be signed by the user
  • + *
  • Creates and returns a <CreateXMLSignatureRequest> + * containg the authentication block, meant to be returned to the security + * layer implementation
  • + *
+ * + * @param sessionID ID of associated authentication session data + * @param infoboxReadResponseParameters The parameters from the response returned from the BKU + * including the <InfoboxReadResponse> + * @return String representation of the + * <CreateXMLSignatureRequest> + */ + public void verifyMandate(AuthenticationSession session, MISMandate mandate) + throws AuthenticationException, BuildException, ParseException, + ConfigurationException, ValidateException, ServiceException { + + if (session == null) + throw new AuthenticationException("auth.10", new Object[]{ + GET_MIS_SESSIONID, PARAM_SESSIONID}); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + + try { + // sets the extended SAML attributes for OID (Organwalter) + setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam + .getBusinessService()); + + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + + + } catch (SAXException e) { + throw new AuthenticationException("auth.15", + new Object[]{GET_MIS_SESSIONID}, e); + } catch (IOException e) { + throw new AuthenticationException("auth.15", + new Object[]{GET_MIS_SESSIONID}, e); + } catch (ParserConfigurationException e) { + throw new AuthenticationException("auth.15", + new Object[]{GET_MIS_SESSIONID}, e); + } catch (TransformerException e) { + throw new AuthenticationException("auth.15", + new Object[]{GET_MIS_SESSIONID}, e); + } + + } + + /** + * @param session + * @param authConf + * @param oaParam + * @return + * @throws ConfigurationException + * @throws BuildException + * @throws ValidateException + */ + public String getCreateXMLSignatureRequestAuthBlockOrRedirect( + AuthenticationSession session, AuthConfigurationProvider authConf, + OAAuthParameter oaParam) throws ConfigurationException, + BuildException, ValidateException { + + // // check for intermediate processing of the infoboxes + // if (session.isValidatorInputPending()) + // return "Redirect to Input Processor"; + + if (authConf == null) + authConf = AuthConfigurationProvider.getInstance(); + if (oaParam == null) + oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + + // builds the AUTH-block + String authBlock = buildAuthenticationBlock(session, oaParam); + + // builds the + List transformsInfos = authConf.getTransformsInfos(); + + String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() + .build(authBlock, oaParam.getKeyBoxIdentifier(), + transformsInfos); + return createXMLSignatureRequest; + } + + /** + * Returns an CreateXMLSignatureRequest for signing the ERnP statement.
+ *
    + *
  • Creates an CreateXMLSignatureRequest to be signed by the user
  • + *
+ * + * @param sessionID ID of associated authentication session data + * @param cert The certificate from the user + * @return String representation of the + * <CreateXMLSignatureRequest> + */ + public String createXMLSignatureRequestForeignID(AuthenticationSession session, + X509Certificate cert) throws AuthenticationException, + BuildException, ParseException, ConfigurationException, + ValidateException, ServiceException { + + if (session == null) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID}); + + AuthConfigurationProvider authConf = AuthConfigurationProvider + .getInstance(); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + + return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam, + cert); + } + + public String getCreateXMLSignatureRequestForeigID( + AuthenticationSession session, AuthConfigurationProvider authConf, + OAAuthParameter oaParam, X509Certificate cert) + throws ConfigurationException { + + // // check for intermediate processing of the infoboxes + // if (session.isValidatorInputPending()) + // return "Redirect to Input Processor"; + + if (authConf == null) + authConf = AuthConfigurationProvider.getInstance(); + if (oaParam == null) + oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + + Principal subject = cert.getSubjectDN(); + + String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder() + .buildForeignID(subject.toString(), oaParam, session); + return createXMLSignatureRequest; + } + + /** + * Processes an <CreateXMLSignatureResponse> sent by the + * security layer implementation.
+ *
    + *
  • Validates given <CreateXMLSignatureResponse>
  • + *
  • Parses response enclosed in + * <CreateXMLSignatureResponse>
  • + *
  • Verifies signature by calling the MOA SP component
  • + *
  • Returns the signer certificate
  • + *
+ * + * @param sessionID ID of associated authentication session data + * @param createXMLSignatureResponseParameters The parameters from the response returned from the BKU + * including the <CreateXMLSignatureResponse> + * @throws BKUException + */ + public X509Certificate verifyXMLSignature(String sessionID, + Map createXMLSignatureResponseParameters) + throws AuthenticationException, BuildException, ParseException, + ConfigurationException, ValidateException, ServiceException, BKUException { + + if (isEmpty(sessionID)) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_GET_FOREIGN_ID, PARAM_SESSIONID}); + + String xmlCreateXMLSignatureResponse = (String) createXMLSignatureResponseParameters + .get(PARAM_XMLRESPONSE); + + if (isEmpty(xmlCreateXMLSignatureResponse)) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_GET_FOREIGN_ID, PARAM_XMLRESPONSE}); + + AuthConfigurationProvider authConf = AuthConfigurationProvider + .getInstance(); + + // parses the + CreateXMLSignatureResponseParser p = new CreateXMLSignatureResponseParser( + xmlCreateXMLSignatureResponse); + CreateXMLSignatureResponse createXMLSignatureResponse = p + .parseResponseDsig(); + + // builds a for a call of MOA-SP + Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() + .buildDsig(createXMLSignatureResponse, authConf + .getMoaSpAuthBlockTrustProfileID()); + + // invokes the call + Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + + // parses the + VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( + domVerifyXMLSignatureResponse).parseData(); + + return verifyXMLSignatureResponse.getX509certificate(); + + } + + /** + * Processes an <CreateXMLSignatureResponse> sent by the + * security layer implementation.
+ *
    + *
  • Validates given <CreateXMLSignatureResponse>
  • + *
  • Parses response enclosed in + * <CreateXMLSignatureResponse>
  • + *
  • Verifies signature by calling the MOA SP component
  • + *
  • Returns the signer certificate
  • + *
+ * + * @param sessionID ID of associated authentication session data + * @param readInfoboxResponseParameters The parameters from the response returned from the BKU + * including the <ReadInfoboxResponse> + * @throws BKUException + */ + public X509Certificate getCertificate(String sessionID, + Map readInfoboxResponseParameters) throws AuthenticationException, + BuildException, ParseException, ConfigurationException, + ValidateException, ServiceException, BKUException { + + if (isEmpty(sessionID)) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID}); + + String xmlReadInfoboxResponse = (String) readInfoboxResponseParameters + .get(PARAM_XMLRESPONSE); + + if (isEmpty(xmlReadInfoboxResponse)) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_CERTIFICATE, PARAM_XMLRESPONSE}); + + // parses the + InfoboxReadResponseParser p = new InfoboxReadResponseParser( + xmlReadInfoboxResponse); + X509Certificate cert = p.parseCertificate(); + + return cert; + + } + + /** + * Builds an authentication block <saml:Assertion> from + * given session data. + * + * @param session authentication session + * @return <saml:Assertion> as a String + * @throws BuildException If an error occurs on serializing an extended SAML attribute + * to be appended to the AUTH-Block. + */ + private String buildAuthenticationBlock(AuthenticationSession session, + OAAuthParameter oaParam) throws BuildException { + + IdentityLink identityLink = session.getIdentityLink(); + String issuer = identityLink.getName(); + String gebDat = identityLink.getDateOfBirth(); + + String identificationValue = null; + String identificationType = null; + + //set empty AuthBlock BPK in case of OW or SSO or bpk is not requested + if (session.isOW() || session.isSsoRequested() || oaParam.isRemovePBKFromAuthBlock()) { + identificationType = ""; + identificationValue = ""; + + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + if (oaParam.getBusinessService()) { + + String bpkBase64 = new BPKBuilder().buildWBPK(identityLink + .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); + identificationValue = bpkBase64; + + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+")) + identificationType = oaParam.getIdentityLinkDomainIdentifier(); + else + identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); + + } else { + String bpkBase64 = new BPKBuilder().buildBPK(identityLink + .getIdentificationValue(), session.getTarget()); + identificationValue = bpkBase64; + identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); + } + + + } else { + identificationValue = identityLink.getIdentificationValue(); + identificationType = identityLink.getIdentificationType(); + + } + + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar + .getInstance()); + session.setIssueInstant(issueInstant); + String authURL = session.getAuthURL(); + String target = session.getTarget(); + String targetFriendlyName = session.getTargetFriendlyName(); + + // Bug #485 + // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) + // String oaURL = session.getPublicOAURLPrefix(); + + List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + + + if (session.isSsoRequested()) { + String oaURL = new String(); + try { + oaURL = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + + if (MiscUtil.isNotEmpty(oaURL)) + oaURL = oaURL.replaceAll("&", "&"); + + } catch (ConfigurationException e) { + } + String authBlock = new AuthenticationBlockAssertionBuilder() + .buildAuthBlockSSO(issuer, issueInstant, authURL, target, + targetFriendlyName, identificationValue, + identificationType, oaURL, gebDat, + extendedSAMLAttributes, session, oaParam); + return authBlock; + + } else { + String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); + String authBlock = new AuthenticationBlockAssertionBuilder() + .buildAuthBlock(issuer, issueInstant, authURL, target, + targetFriendlyName, identificationValue, + identificationType, oaURL, gebDat, + extendedSAMLAttributes, session, oaParam); + return authBlock; + } + } + + + /** + * Verifies the infoboxes (except of the identity link infobox) returned by + * the BKU by calling appropriate validator classes. + * + * @param session The actual authentication session. + * @param mandate The Mandate from the MIS + * @throws AuthenticationException + * @throws ConfigurationException + * @throws TransformerException + * @throws ParserConfigurationException + * @throws IOException + * @throws SAXException + */ + private void validateExtendedSAMLAttributeForMandates( + AuthenticationSession session, MISMandate mandate, + boolean business) + throws ValidateException, ConfigurationException, SAXException, + IOException, ParserConfigurationException, TransformerException { + + ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( + mandate, business, false); + + int length = extendedSAMLAttributes.length; + for (int i = 0; i < length; i++) { + ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i]; + + verifySAMLAttribute(samlAttribute, i, "MISService", + "MISService"); + + } + } + + /** + * Verifies the infoboxes (except of the identity link infobox) returned by + * the BKU by calling appropriate validator classes. + * + * @param session The actual authentication session. + * @param mandate The Mandate from the MIS + * @throws AuthenticationException + * @throws ConfigurationException + * @throws TransformerException + * @throws ParserConfigurationException + * @throws IOException + * @throws SAXException + */ + private void setExtendedSAMLAttributeForMandatesOID( + AuthenticationSession session, MISMandate mandate, boolean business) + throws ValidateException, ConfigurationException, SAXException, + IOException, ParserConfigurationException, TransformerException { + + ExtendedSAMLAttribute[] extendedSamlAttributes = addExtendedSamlAttributesOID( + mandate, business); + + AddAdditionalSAMLAttributes(session, extendedSamlAttributes, + "MISService", "MISService"); + + } + + /** + * Adds given SAML Attributes to the current session. They will be appended + * to the final SAML Assertion or the AUTH block. If the attributes are + * already in the list, they will be replaced. + * + * @param session The current session + * @param extendedSAMLAttributes The SAML attributes to add + * @param identifier The infobox identifier for debug purposes + * @param friendlyNam The friendly name of the infobox for debug purposes + */ + private static void AddAdditionalSAMLAttributes( + AuthenticationSession session, + ExtendedSAMLAttribute[] extendedSAMLAttributes, String identifier, + String friendlyName) throws ValidateException { + if (extendedSAMLAttributes == null) + return; + List oaAttributes = session.getExtendedSAMLAttributesOA(); + if (oaAttributes == null) + oaAttributes = new Vector(); + List authAttributes = session.getExtendedSAMLAttributesAUTH(); + if (authAttributes == null) + authAttributes = new Vector(); + int length = extendedSAMLAttributes.length; + for (int i = 0; i < length; i++) { + ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i]; + + Object value = verifySAMLAttribute(samlAttribute, i, identifier, + friendlyName); + + if ((value instanceof String) || (value instanceof Element)) { + switch (samlAttribute.getAddToAUTHBlock()) { + case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY: + replaceExtendedSAMLAttribute(authAttributes, samlAttribute); + break; + case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK: + replaceExtendedSAMLAttribute(authAttributes, samlAttribute); + replaceExtendedSAMLAttribute(oaAttributes, samlAttribute); + break; + case ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK: + replaceExtendedSAMLAttribute(oaAttributes, samlAttribute); + break; + default: + Logger + .info("Invalid return value from method \"getAddToAUTHBlock()\" (" + + samlAttribute.getAddToAUTHBlock() + + ") in SAML attribute number " + + (i + 1) + + " for infobox " + identifier); + throw new ValidateException("validator.47", new Object[]{ + friendlyName, String.valueOf((i + 1))}); + } + } else { + Logger + .info("The type of SAML-Attribute number " + + (i + 1) + + " returned from " + + identifier + + "-infobox validator is not valid. Must be either \"java.Lang.String\"" + + " or \"org.w3c.dom.Element\""); + throw new ValidateException("validator.46", new Object[]{ + identifier, String.valueOf((i + 1))}); + } + } + session.setExtendedSAMLAttributesAUTH(authAttributes); + session.setExtendedSAMLAttributesOA(oaAttributes); + } + + /** + * Adds the AUTH block related SAML attributes to the validation result. + * This is needed always before the AUTH block is to be signed, because the + * name of the mandator has to be set + * + * @throws ParserConfigurationException + * @throws IOException + * @throws SAXException + * @throws TransformerException + */ + + protected static ExtendedSAMLAttribute[] addExtendedSamlAttributes( + MISMandate mandate, boolean business, boolean provideStammzahl) + throws SAXException, IOException, ParserConfigurationException, + TransformerException { + Vector extendedSamlAttributes = new Vector(); + + extendedSamlAttributes.clear(); + + // Name + Element domMandate = mandateToElement(mandate); + Element nameSpaceNode = domMandate.getOwnerDocument().createElement( + "NameSpaceNode"); + nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, + Constants.PD_NS_URI); + nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.MANDATE_POSTFIX, + SZRGWConstants.MANDATE_NS); + + Element mandator = (Element) XPathAPI.selectSingleNode(domMandate, + "//md:Mandate/md:Mandator", nameSpaceNode); + + // Mandate + extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_RAW, domMandate, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + // (w)bpk + String wbpk = ParepUtils.extractMandatorWbpk(mandator); + if (!ParepUtils.isEmpty(wbpk)) { + if (!ParepUtils.isPhysicalPerson(mandator)) { + String idType = ParepUtils + .extractMandatorIdentificationType(mandator); + if (!ParepUtils.isEmpty(idType) + && idType.startsWith(Constants.URN_PREFIX_BASEID)) { + extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_CB_BASE_ID, + ParepUtils.getRegisterString(idType) + ": " + wbpk, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY)); + } + } else if (business) { + extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_WBPK, wbpk, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY)); + } + } + + ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes + .size()]; + extendedSamlAttributes.copyInto(ret); + Logger.debug("ExtendedSAML Attributes: " + ret.length); + return ret; + + } + + /** + * Adds the AUTH block related SAML attributes to the validation result. + * This is needed always before the AUTH block is to be signed, because the + * name of the mandator has to be set + * + * @throws ParserConfigurationException + * @throws IOException + * @throws SAXException + * @throws TransformerException + */ + private static ExtendedSAMLAttribute[] addExtendedSamlAttributesOID( + MISMandate mandate, boolean business) throws SAXException, + IOException, ParserConfigurationException, TransformerException { + + Vector extendedSamlAttributes = new Vector(); + + extendedSamlAttributes.clear(); + + // RepresentationType + extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_REPRESENTATIONTYPE, + EXT_SAML_MANDATE_REPRESENTATIONTEXT, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + String oid = mandate.getProfRep(); + + if (oid != null) { + extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_OID, oid, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + String oidDescription = mandate.getTextualDescriptionOfOID(); + extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, + oidDescription, SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + } + + ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes + .size()]; + extendedSamlAttributes.copyInto(ret); + Logger.debug("ExtendedSAML Attributes: " + ret.length); + return ret; + + } + + /** + * @param mandate + * @return + * @throws ParserConfigurationException + * @throws IOException + * @throws SAXException + */ + private static Element mandateToElement(MISMandate mandate) + throws SAXException, IOException, ParserConfigurationException { + ByteArrayInputStream bais = new ByteArrayInputStream(mandate + .getMandate()); + Document doc = DOMUtils.parseDocumentSimple(bais); + return doc.getDocumentElement(); + } + + protected static void replaceExtendedSAMLAttribute(List attributes, + ExtendedSAMLAttribute samlAttribute) { + if (null == attributes) { + attributes = new Vector(); + } else { + String id = samlAttribute.getName(); + int length = attributes.size(); + for (int i = 0; i < length; i++) { + ExtendedSAMLAttribute att = (ExtendedSAMLAttribute) attributes + .get(i); + if (id.equals(att.getName())) { + // replace attribute + attributes.set(i, samlAttribute); + return; + } + } + attributes.add(samlAttribute); + } + } + + /** + * Processes a <CreateXMLSignatureResponse> sent by the + * security layer implementation.
+ *
    + *
  • Validates given <CreateXMLSignatureResponse>
  • + *
  • Parses <CreateXMLSignatureResponse> for error + * codes
  • + *
  • Parses authentication block enclosed in + * <CreateXMLSignatureResponse>
  • + *
  • Verifies authentication block by calling the MOA SP component
  • + *
  • Creates authentication data
  • + *
  • Creates a corresponding SAML artifact
  • + *
  • Stores authentication data in the authentication data store indexed + * by the SAML artifact
  • + *
  • Deletes authentication session
  • + *
  • Returns the SAML artifact, encoded BASE64
  • + *
+ * + * @param sessionID session ID of the running authentication session + * @param xmlCreateXMLSignatureReadResponse String representation of the + * <CreateXMLSignatureResponse> + * @return SAML artifact needed for retrieving authentication data, encoded + * BASE64 + * @throws BKUException + */ + public String verifyAuthenticationBlock(AuthenticationSession session, + String xmlCreateXMLSignatureReadResponse) + throws AuthenticationException, BuildException, ParseException, + ConfigurationException, ServiceException, ValidateException, BKUException { + + if (session == null) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); + if (isEmpty(xmlCreateXMLSignatureReadResponse)) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + + AuthConfigurationProvider authConf = AuthConfigurationProvider + .getInstance(); + // parses + CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser( + xmlCreateXMLSignatureReadResponse).parseResponse(); + + try { + String serializedAssertion = DOMUtils.serializeNode(csresp + .getSamlAssertion()); + session.setAuthBlock(serializedAssertion); + } catch (TransformerException e) { + throw new ParseException("parser.04", new Object[]{ + REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + } catch (IOException e) { + throw new ParseException("parser.04", new Object[]{ + REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + } + // validates + if (session.isSsoRequested()) + new CreateXMLSignatureResponseValidator().validateSSO(csresp, session); + else + new CreateXMLSignatureResponseValidator().validate(csresp, session); + + // builds a for a MOA-SPSS call + List vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs(); + String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); + Element domVsreq = new VerifyXMLSignatureRequestBuilder().build(csresp, + vtids, tpid); + // debug output + + Element domVsresp = null; + + // try { + // invokes the call + domVsresp = new SignatureVerificationInvoker() + .verifyXMLSignature(domVsreq); + // debug output + + // } catch ( ServiceException e) { + // Logger.error("Signature verification error. ", e); + // Logger.error("Signed Data: " + session.getAuthBlock()); + // try { + // Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq)); + // } catch (TransformerException e1) { + // e1.printStackTrace(); + // + // } catch (IOException e1) { + // e1.printStackTrace(); + // + // } + // + // throw e; + // } + + + // parses the + VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponseParser( + domVsresp).parseData(); + + if (Logger.isTraceEnabled()) { + if (domVsresp != null) { + try { + String xmlVerifyXMLSignatureResponse = DOMUtils + .serializeNode(domVsresp, true); + Logger.trace(new LogMsg(xmlCreateXMLSignatureReadResponse)); + Logger.trace(new LogMsg(xmlVerifyXMLSignatureResponse)); + } catch (Throwable t) { + t.printStackTrace(); + Logger.info(new LogMsg(t.getStackTrace())); + } + } + } + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + + // validates the + VerifyXMLSignatureResponseValidator.getInstance().validate(vsresp, + null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, + oaParam); + + // Compare AuthBlock Data with information stored in session, especially + // date and time + CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); + + try { + // compares the public keys from the identityLink with the AuthBlock + VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( + vsresp, session.getIdentityLink()); + + } catch ( ValidateException e) { + Logger.error("Signature verification error. ", e); + Logger.error("Signed Data: " + session.getAuthBlock()); + try { Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq)); Logger.error("VerifyResponse: " + DOMUtils.serializeNode(domVsresp)); } catch (TransformerException e1) { e1.printStackTrace(); - + } catch (IOException e1) { e1.printStackTrace(); - + } - - throw e; - } - -// // post processing of the infoboxes -// Iterator iter = session.getInfoboxValidatorIterator(); -// boolean formpending = false; -// if (iter != null) { -// while (!formpending && iter.hasNext()) { -// Vector infoboxValidatorVector = (Vector) iter.next(); -// String identifier = (String) infoboxValidatorVector.get(0); -// String friendlyName = (String) infoboxValidatorVector.get(1); -// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector -// .get(2); -// InfoboxValidationResult infoboxValidationResult = null; -// try { -// infoboxValidationResult = infoboxvalidator.validate(csresp -// .getSamlAssertion()); -// } catch (ValidateException e) { -// Logger.error("Error validating " + identifier + " infobox:" -// + e.getMessage()); -// throw new ValidateException("validator.44", -// new Object[]{friendlyName}); -// } -// if (!infoboxValidationResult.isValid()) { -// Logger.info("Validation of " + identifier -// + " infobox failed."); -// throw new ValidateException("validator.40", new Object[]{ -// friendlyName, -// infoboxValidationResult.getErrorMessage()}); -// } -// String form = infoboxvalidator.getForm(); -// if (ParepUtils.isEmpty(form)) { -// AddAdditionalSAMLAttributes( -// session, -// infoboxValidationResult.getExtendedSamlAttributes(), -// identifier, friendlyName); -// } else { -// return "Redirect to Input Processor"; -// } -// } -// } - - session.setXMLVerifySignatureResponse(vsresp); - session.setSignerCertificate(vsresp.getX509certificate()); - vsresp.setX509certificate(null); - session.setForeigner(false); - - if (session.getUseMandate()) { - // mandate mode - return null; - - } else { - - session.setAuthenticatedUsed(false); - session.setAuthenticated(true); - - //set QAA Level four in case of card authentifcation - session.setQAALevel(PVPConstants.STORK_QAA_1_4); - - - String oldsessionID = session.getSessionID(); - - //Session is implicte stored in changeSessionID!!! - String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session); - - Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID); - Logger.info("Daten angelegt zu MOASession " + newMOASessionID); - - return newMOASessionID; - } - } - - /** - * Processes a <CreateXMLSignatureResponse> sent by the - * security layer implementation.
- *
    - *
  • Validates given <CreateXMLSignatureResponse>
  • - *
  • Parses <CreateXMLSignatureResponse> for error - * codes
  • - *
  • Parses authentication block enclosed in - * <CreateXMLSignatureResponse>
  • - *
  • Verifies authentication block by calling the MOA SP component
  • - *
  • Creates authentication data
  • - *
  • Creates a corresponding SAML artifact
  • - *
  • Stores authentication data in the authentication data store indexed - * by the SAML artifact
  • - *
  • Deletes authentication session
  • - *
  • Returns the SAML artifact, encoded BASE64
  • - *
- * - * @param sessionID session ID of the running authentication session - * @param xmlCreateXMLSignatureReadResponse String representation of the - * <CreateXMLSignatureResponse> - * @return SAML artifact needed for retrieving authentication data, encoded - * BASE64 - */ - - protected Element createIdentificationBPK(Element mandatePerson, - String baseid, String target) throws BuildException { - Element identificationBpK = mandatePerson.getOwnerDocument() - .createElementNS(Constants.PD_NS_URI, "Identification"); - Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( - Constants.PD_NS_URI, "Value"); - - String bpkBase64 = new BPKBuilder().buildBPK(baseid, target); - valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( - bpkBase64)); - Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( - Constants.PD_NS_URI, "Type"); - typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( - "urn:publicid:gv.at:cdid+bpk")); - identificationBpK.appendChild(valueBpK); - identificationBpK.appendChild(typeBpK); - - return identificationBpK; - - } - - protected String getBaseId(Element mandatePerson) - throws TransformerException, IOException { - NodeList list = mandatePerson.getElementsByTagNameNS( - Constants.PD_NS_URI, "Identification"); - for (int i = 0; i < list.getLength(); i++) { - Element identification = (Element) list.item(i); - Element type = (Element) identification.getElementsByTagNameNS( - Constants.PD_NS_URI, "Type").item(0); - if (type.getTextContent().compareToIgnoreCase( - "urn:publicid:gv.at:baseid") == 0) { - Element value = (Element) identification - .getElementsByTagNameNS(Constants.PD_NS_URI, "Value") - .item(0); - return value.getTextContent(); - } - } - return null; - - } - - /** - * Gets the foreign authentication data.
- *
    - *
  • Creates authentication data
  • - *
  • Creates a corresponding SAML artifact
  • - *
  • Stores authentication data in the authentication data store indexed - * by the SAML artifact
  • - *
  • Deletes authentication session
  • - *
  • Returns the SAML artifact, encoded BASE64
  • - *
- * - * @param sessionID session ID of the running authentication session - * @return SAML artifact needed for retrieving authentication data, encoded - * BASE64 - */ - public String getForeignAuthenticationData(AuthenticationSession session) - throws AuthenticationException, BuildException, ParseException, - ConfigurationException, ServiceException, ValidateException { - - if (session == null) - throw new AuthenticationException("auth.10", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); - -// // post processing of the infoboxes -// Iterator iter = session.getInfoboxValidatorIterator(); -// boolean formpending = false; -// if (iter != null) { -// while (!formpending && iter.hasNext()) { -// Vector infoboxValidatorVector = (Vector) iter.next(); -// String identifier = (String) infoboxValidatorVector.get(0); -// String friendlyName = (String) infoboxValidatorVector.get(1); -// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector -// .get(2); -// InfoboxValidationResult infoboxValidationResult = null; -// try { -// infoboxValidationResult = infoboxvalidator.validate(session -// .getIdentityLink().getSamlAssertion()); -// } catch (ValidateException e) { -// Logger.error("Error validating " + identifier + " infobox:" -// + e.getMessage()); -// throw new ValidateException("validator.44", -// new Object[]{friendlyName}); -// } -// if (!infoboxValidationResult.isValid()) { -// Logger.info("Validation of " + identifier -// + " infobox failed."); -// throw new ValidateException("validator.40", new Object[]{ -// friendlyName, -// infoboxValidationResult.getErrorMessage()}); -// } -// String form = infoboxvalidator.getForm(); -// if (ParepUtils.isEmpty(form)) { -// AddAdditionalSAMLAttributes( -// session, -// infoboxValidationResult.getExtendedSamlAttributes(), -// identifier, friendlyName); -// } else { -// return "Redirect to Input Processor"; -// } -// } -// } - - VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); - X509Certificate cert = session.getSignerCertificate(); - vsresp.setX509certificate(cert); - - session.setAuthenticatedUsed(false); - session.setAuthenticated(true); - - - session.setXMLVerifySignatureResponse(vsresp); - session.setSignerCertificate(vsresp.getX509certificate()); - vsresp.setX509certificate(null); - session.setForeigner(true); - - //TODO: regenerate MOASession ID! - return "new Session"; - } - - /** - * Retrieves a session from the session store. - * - * @param id session ID - * @return AuthenticationSession stored with given session ID, - * null if session ID unknown - */ - public static AuthenticationSession getSession(String id) - throws AuthenticationException { - AuthenticationSession session; - try { - session = AuthenticationSessionStoreage.getSession(id); - - if (session == null) - throw new AuthenticationException("auth.02", new Object[]{id}); - return session; - - } catch (MOADatabaseException e) { - throw new AuthenticationException("auth.02", new Object[]{id}); - - } catch (Exception e) { - throw new AuthenticationException("parser.04", new Object[]{id}); - } - } - - /** - * Cleans up expired session and authentication data stores. - */ - public void cleanup() { - long now = new Date().getTime(); - - //clean AuthenticationSessionStore - - AuthenticationSessionStoreage.clean(now, sessionTimeOutCreated, sessionTimeOutUpdated); - - //clean AssertionStore - AssertionStorage assertionstore = AssertionStorage.getInstance(); - assertionstore.clean(now, authDataTimeOut); - - //clean ExeptionStore - DBExceptionStoreImpl exstore = DBExceptionStoreImpl.getStore(); - exstore.clean(now, authDataTimeOut); - - } - - /** - * Sets the sessionTimeOut. - * - * @param seconds Time out of the session in seconds - */ - public void setSecondsSessionTimeOutCreated(long seconds) { - sessionTimeOutCreated = seconds * 1000; - } - - public void setSecondsSessionTimeOutUpdated(long seconds) { - sessionTimeOutUpdated = seconds * 1000; - } - - /** - * Sets the authDataTimeOut. - * - * @param seconds Time out for signing AuthData in seconds - */ - public void setSecondsAuthDataTimeOut(long seconds) { - authDataTimeOut = seconds * 1000; - } - - /** - * Checks a parameter. - * - * @param param parameter - * @return true if the parameter is null or empty - */ - private boolean isEmpty(String param) { - return param == null || param.length() == 0; - } - - /** - * Checks the correctness of SAML attributes and returns its value. - * - * @param param samlAttribute - * @param i the number of the verified attribute for messages - * @param identifier the infobox identifier for messages - * @param friendlyname the friendly name of the infobox for messages - * @return the SAML attribute value (Element or String) - */ - protected static Object verifySAMLAttribute( - ExtendedSAMLAttribute samlAttribute, int i, String identifier, - String friendlyName) throws ValidateException { - String name = samlAttribute.getName(); - - if (name == null) { - Logger.info("The name of SAML-Attribute number " + (i + 1) - + " returned from " + identifier - + "-infobox validator is null."); - throw new ValidateException("validator.45", new Object[]{ - friendlyName, "Name", String.valueOf((i + 1)), "null"}); - } - if (name == "") { - Logger.info("The name of SAML-Attribute number " + (i + 1) - + " returned from " + identifier - + "-infobox validator is empty."); - throw new ValidateException("validator.45", new Object[]{ - friendlyName, "Name", String.valueOf((i + 1)), "leer"}); - } - if (samlAttribute.getNameSpace() == null) { - Logger.info("The namespace of SAML-Attribute number " + (i + 1) - + " returned from " + identifier - + "-infobox validator is null."); - throw new ValidateException("validator.45", - new Object[]{friendlyName, "Namespace", - String.valueOf((i + 1)), "null"}); - } - Object value = samlAttribute.getValue(); - if (value == null) { - Logger.info("The value of SAML-Attribute number " + (i + 1) - + " returned from " + identifier - + "-infobox validator is null."); - throw new ValidateException("validator.45", new Object[]{ - friendlyName, "Wert", String.valueOf((i + 1)), "null"}); - } - - return value; - } - + + throw e; + } + + // // post processing of the infoboxes + // Iterator iter = session.getInfoboxValidatorIterator(); + // boolean formpending = false; + // if (iter != null) { + // while (!formpending && iter.hasNext()) { + // Vector infoboxValidatorVector = (Vector) iter.next(); + // String identifier = (String) infoboxValidatorVector.get(0); + // String friendlyName = (String) infoboxValidatorVector.get(1); + // InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector + // .get(2); + // InfoboxValidationResult infoboxValidationResult = null; + // try { + // infoboxValidationResult = infoboxvalidator.validate(csresp + // .getSamlAssertion()); + // } catch (ValidateException e) { + // Logger.error("Error validating " + identifier + " infobox:" + // + e.getMessage()); + // throw new ValidateException("validator.44", + // new Object[]{friendlyName}); + // } + // if (!infoboxValidationResult.isValid()) { + // Logger.info("Validation of " + identifier + // + " infobox failed."); + // throw new ValidateException("validator.40", new Object[]{ + // friendlyName, + // infoboxValidationResult.getErrorMessage()}); + // } + // String form = infoboxvalidator.getForm(); + // if (ParepUtils.isEmpty(form)) { + // AddAdditionalSAMLAttributes( + // session, + // infoboxValidationResult.getExtendedSamlAttributes(), + // identifier, friendlyName); + // } else { + // return "Redirect to Input Processor"; + // } + // } + // } + + session.setXMLVerifySignatureResponse(vsresp); + session.setSignerCertificate(vsresp.getX509certificate()); + vsresp.setX509certificate(null); + session.setForeigner(false); + + if (session.getUseMandate()) { + // mandate mode + return null; + + } else { + + session.setAuthenticatedUsed(false); + session.setAuthenticated(true); + + //set QAA Level four in case of card authentifcation + session.setQAALevel(PVPConstants.STORK_QAA_1_4); + + + String oldsessionID = session.getSessionID(); + + //Session is implicte stored in changeSessionID!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session); + + Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID); + Logger.info("Daten angelegt zu MOASession " + newMOASessionID); + + return newMOASessionID; + } + } + + /** + * Processes a <CreateXMLSignatureResponse> sent by the + * security layer implementation.
+ *
    + *
  • Validates given <CreateXMLSignatureResponse>
  • + *
  • Parses <CreateXMLSignatureResponse> for error + * codes
  • + *
  • Parses authentication block enclosed in + * <CreateXMLSignatureResponse>
  • + *
  • Verifies authentication block by calling the MOA SP component
  • + *
  • Creates authentication data
  • + *
  • Creates a corresponding SAML artifact
  • + *
  • Stores authentication data in the authentication data store indexed + * by the SAML artifact
  • + *
  • Deletes authentication session
  • + *
  • Returns the SAML artifact, encoded BASE64
  • + *
+ * + * @param sessionID session ID of the running authentication session + * @param xmlCreateXMLSignatureReadResponse String representation of the + * <CreateXMLSignatureResponse> + * @return SAML artifact needed for retrieving authentication data, encoded + * BASE64 + */ + + protected Element createIdentificationBPK(Element mandatePerson, + String baseid, String target) throws BuildException { + Element identificationBpK = mandatePerson.getOwnerDocument() + .createElementNS(Constants.PD_NS_URI, "Identification"); + Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( + Constants.PD_NS_URI, "Value"); + + String bpkBase64 = new BPKBuilder().buildBPK(baseid, target); + valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( + bpkBase64)); + Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( + Constants.PD_NS_URI, "Type"); + typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( + "urn:publicid:gv.at:cdid+bpk")); + identificationBpK.appendChild(valueBpK); + identificationBpK.appendChild(typeBpK); + + return identificationBpK; + + } + + protected String getBaseId(Element mandatePerson) + throws TransformerException, IOException { + NodeList list = mandatePerson.getElementsByTagNameNS( + Constants.PD_NS_URI, "Identification"); + for (int i = 0; i < list.getLength(); i++) { + Element identification = (Element) list.item(i); + Element type = (Element) identification.getElementsByTagNameNS( + Constants.PD_NS_URI, "Type").item(0); + if (type.getTextContent().compareToIgnoreCase( + "urn:publicid:gv.at:baseid") == 0) { + Element value = (Element) identification + .getElementsByTagNameNS(Constants.PD_NS_URI, "Value") + .item(0); + return value.getTextContent(); + } + } + return null; + + } + + /** + * Gets the foreign authentication data.
+ *
    + *
  • Creates authentication data
  • + *
  • Creates a corresponding SAML artifact
  • + *
  • Stores authentication data in the authentication data store indexed + * by the SAML artifact
  • + *
  • Deletes authentication session
  • + *
  • Returns the SAML artifact, encoded BASE64
  • + *
+ * + * @param sessionID session ID of the running authentication session + * @return SAML artifact needed for retrieving authentication data, encoded + * BASE64 + */ + public String getForeignAuthenticationData(AuthenticationSession session) + throws AuthenticationException, BuildException, ParseException, + ConfigurationException, ServiceException, ValidateException { + + if (session == null) + throw new AuthenticationException("auth.10", new Object[]{ + REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); + + // // post processing of the infoboxes + // Iterator iter = session.getInfoboxValidatorIterator(); + // boolean formpending = false; + // if (iter != null) { + // while (!formpending && iter.hasNext()) { + // Vector infoboxValidatorVector = (Vector) iter.next(); + // String identifier = (String) infoboxValidatorVector.get(0); + // String friendlyName = (String) infoboxValidatorVector.get(1); + // InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector + // .get(2); + // InfoboxValidationResult infoboxValidationResult = null; + // try { + // infoboxValidationResult = infoboxvalidator.validate(session + // .getIdentityLink().getSamlAssertion()); + // } catch (ValidateException e) { + // Logger.error("Error validating " + identifier + " infobox:" + // + e.getMessage()); + // throw new ValidateException("validator.44", + // new Object[]{friendlyName}); + // } + // if (!infoboxValidationResult.isValid()) { + // Logger.info("Validation of " + identifier + // + " infobox failed."); + // throw new ValidateException("validator.40", new Object[]{ + // friendlyName, + // infoboxValidationResult.getErrorMessage()}); + // } + // String form = infoboxvalidator.getForm(); + // if (ParepUtils.isEmpty(form)) { + // AddAdditionalSAMLAttributes( + // session, + // infoboxValidationResult.getExtendedSamlAttributes(), + // identifier, friendlyName); + // } else { + // return "Redirect to Input Processor"; + // } + // } + // } + + VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); + X509Certificate cert = session.getSignerCertificate(); + vsresp.setX509certificate(cert); + + session.setAuthenticatedUsed(false); + session.setAuthenticated(true); + + + session.setXMLVerifySignatureResponse(vsresp); + session.setSignerCertificate(vsresp.getX509certificate()); + vsresp.setX509certificate(null); + session.setForeigner(true); + + //TODO: regenerate MOASession ID! + return "new Session"; + } + + /** + * Retrieves a session from the session store. + * + * @param id session ID + * @return AuthenticationSession stored with given session ID, + * null if session ID unknown + */ + public static AuthenticationSession getSession(String id) + throws AuthenticationException { + AuthenticationSession session; + try { + session = AuthenticationSessionStoreage.getSession(id); + + if (session == null) + throw new AuthenticationException("auth.02", new Object[]{id}); + return session; + + } catch (MOADatabaseException e) { + throw new AuthenticationException("auth.02", new Object[]{id}); + + } catch (Exception e) { + throw new AuthenticationException("parser.04", new Object[]{id}); + } + } + + /** + * Cleans up expired session and authentication data stores. + */ + public void cleanup() { + long now = new Date().getTime(); + + //clean AuthenticationSessionStore + + AuthenticationSessionStoreage.clean(now, sessionTimeOutCreated, sessionTimeOutUpdated); + + //clean AssertionStore + AssertionStorage assertionstore = AssertionStorage.getInstance(); + assertionstore.clean(now, authDataTimeOut); + + //clean ExeptionStore + DBExceptionStoreImpl exstore = DBExceptionStoreImpl.getStore(); + exstore.clean(now, authDataTimeOut); + + } + + /** + * Sets the sessionTimeOut. + * + * @param seconds Time out of the session in seconds + */ + public void setSecondsSessionTimeOutCreated(long seconds) { + sessionTimeOutCreated = seconds * 1000; + } + + public void setSecondsSessionTimeOutUpdated(long seconds) { + sessionTimeOutUpdated = seconds * 1000; + } + + /** + * Sets the authDataTimeOut. + * + * @param seconds Time out for signing AuthData in seconds + */ + public void setSecondsAuthDataTimeOut(long seconds) { + authDataTimeOut = seconds * 1000; + } + + /** + * Checks a parameter. + * + * @param param parameter + * @return true if the parameter is null or empty + */ + private boolean isEmpty(String param) { + return param == null || param.length() == 0; + } + + /** + * Checks the correctness of SAML attributes and returns its value. + * + * @param param samlAttribute + * @param i the number of the verified attribute for messages + * @param identifier the infobox identifier for messages + * @param friendlyname the friendly name of the infobox for messages + * @return the SAML attribute value (Element or String) + */ + protected static Object verifySAMLAttribute( + ExtendedSAMLAttribute samlAttribute, int i, String identifier, + String friendlyName) throws ValidateException { + String name = samlAttribute.getName(); + + if (name == null) { + Logger.info("The name of SAML-Attribute number " + (i + 1) + + " returned from " + identifier + + "-infobox validator is null."); + throw new ValidateException("validator.45", new Object[]{ + friendlyName, "Name", String.valueOf((i + 1)), "null"}); + } + if (name == "") { + Logger.info("The name of SAML-Attribute number " + (i + 1) + + " returned from " + identifier + + "-infobox validator is empty."); + throw new ValidateException("validator.45", new Object[]{ + friendlyName, "Name", String.valueOf((i + 1)), "leer"}); + } + if (samlAttribute.getNameSpace() == null) { + Logger.info("The namespace of SAML-Attribute number " + (i + 1) + + " returned from " + identifier + + "-infobox validator is null."); + throw new ValidateException("validator.45", + new Object[]{friendlyName, "Namespace", + String.valueOf((i + 1)), "null"}); + } + Object value = samlAttribute.getValue(); + if (value == null) { + Logger.info("The value of SAML-Attribute number " + (i + 1) + + " returned from " + identifier + + "-infobox validator is null."); + throw new ValidateException("validator.45", new Object[]{ + friendlyName, "Wert", String.valueOf((i + 1)), "null"}); + } + + return value; + } + /** * Does the request to the SZR-GW. * @@ -1595,7 +1595,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { public CreateIdentityLinkResponse getIdentityLink(Element signature) throws SZRGWClientException, ConfigurationException { return getIdentityLink(null, null, null, null, XMLHelper.nodeToString(signature), null); } - + /** * Does the request to the SZR-GW. * @@ -1611,396 +1611,400 @@ public class AuthenticationServer implements MOAIDAuthConstants { public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, String signature, String PEPSFiscalNumber) throws SZRGWClientException { return getIdentityLink(PEPSIdentifier, PEPSFirstname, PEPSFamilyname, PEPSDateOfBirth, null, signature, null, null, null, null, null, null, null, PEPSFiscalNumber); } - - /** - * SZR-GW Client interface. - * - * @param eIdentifier the e identifier - * @param givenName the given name - * @param lastName the last name - * @param dateOfBirth the date of birth - * @param citizenSignature the citizen signature - * @param representative the representative - * @param represented the represented - * @param mandate the mandate - * @return the identity link - * @throws SZRGWClientException the sZRGW client exception - */ - public CreateIdentityLinkResponse getIdentityLink(String eIdentifier, - String givenName, String lastName, String dateOfBirth, String gender, - String citizenSignature, String representative, String represented, - String mandate, String targetType, String targetValue, String oaFriendlyName, List filters, String PEPSFiscalNumber) throws SZRGWClientException { - return getIdentityLink(eIdentifier, givenName, lastName, dateOfBirth, gender, - citizenSignature, representative, represented, mandate, null, - null, targetType, targetValue, oaFriendlyName, filters, PEPSFiscalNumber); - } - - /** - * Gets the identity link. - * - * @param citizenSignature the citizen signature - * @param representative the representative - * @param represented the represented - * @param mandate the mandate - * @param organizationAddress the organization address - * @param organizationType the organization type - * @return the identity link - * @throws SZRGWClientException - */ - public CreateIdentityLinkResponse getIdentityLink(String citizenSignature, - String representative, String represented, String mandateContent, - String organizationAddress, String organizationType, String targetType, String targetValue, String oaFriendlyName, List filters, String PEPSFiscalNumber) throws SZRGWClientException { - return getIdentityLink(null, null, null, null, null, - citizenSignature, represented, representative, mandateContent, organizationAddress, - organizationType, targetType, targetValue, oaFriendlyName, filters, PEPSFiscalNumber); - } - - public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, String gender, String citizenSignature, String represented, String representative, String mandateContent, String organizationAddress, String organizationType, String targetType, String targetValue, String oaFriendlyName, List filters, String PEPSFiscalNumber) throws SZRGWClientException { + + /** + * SZR-GW Client interface. + * + * @param eIdentifier the e identifier + * @param givenName the given name + * @param lastName the last name + * @param dateOfBirth the date of birth + * @param citizenSignature the citizen signature + * @param representative the representative + * @param represented the represented + * @param mandate the mandate + * @return the identity link + * @throws SZRGWClientException the sZRGW client exception + */ + public CreateIdentityLinkResponse getIdentityLink(String eIdentifier, + String givenName, String lastName, String dateOfBirth, String gender, + String citizenSignature, String representative, String represented, + String mandate, String targetType, String targetValue, String oaFriendlyName, List filters, String PEPSFiscalNumber) throws SZRGWClientException { + return getIdentityLink(eIdentifier, givenName, lastName, dateOfBirth, gender, + citizenSignature, representative, represented, mandate, null, + null, targetType, targetValue, oaFriendlyName, filters, PEPSFiscalNumber); + } + + /** + * Gets the identity link. + * + * @param citizenSignature the citizen signature + * @param representative the representative + * @param represented the represented + * @param mandate the mandate + * @param organizationAddress the organization address + * @param organizationType the organization type + * @return the identity link + * @throws SZRGWClientException + */ + public CreateIdentityLinkResponse getIdentityLink(String citizenSignature, + String representative, String represented, String mandateContent, + String organizationAddress, String organizationType, String targetType, String targetValue, String oaFriendlyName, List filters, String PEPSFiscalNumber) throws SZRGWClientException { + return getIdentityLink(null, null, null, null, null, + citizenSignature, represented, representative, mandateContent, organizationAddress, + organizationType, targetType, targetValue, oaFriendlyName, filters, PEPSFiscalNumber); + } + + public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, String gender, String citizenSignature, String represented, String representative, String mandateContent, String organizationAddress, String organizationType, String targetType, String targetValue, String oaFriendlyName, List filters, String PEPSFiscalNumber) throws SZRGWClientException { try { - AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); - ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter(); - - SZRGWClient client = new SZRGWClient(connectionParameters); - - CreateIdentityLinkRequest request = new CreateIdentityLinkRequest(); - request.setSignature(citizenSignature.getBytes("UTF-8")); - - PEPSData data = new PEPSData(); - data.setDateOfBirth(PEPSDateOfBirth); - data.setFamilyname(PEPSFamilyname); - data.setFirstname(PEPSFirstname); - data.setIdentifier(PEPSIdentifier); - - data.setRepresentative(representative); - data.setRepresented(represented); - data.setMandateContent(mandateContent); - - data.setLegalPersonCanonicalRegisteredAddress(organizationAddress); - data.setLegalPersonTranslatableType(organizationType); - - if (null != mandateContent) { - MISType mis = new MISType(); - - Target targetObject = new Target(); - targetObject.setType(targetType); - targetObject.setValue(targetValue); - mis.setTarget(targetObject); - - mis.setOAFriendlyName(oaFriendlyName); - - Filters filterObject = new Filters(); - MandateIdentifiers mandateIds = new MandateIdentifiers(); - for(String current : filters) - mandateIds.getMandateIdentifier().add(current.trim()); - filterObject.setMandateIdentifiers(mandateIds); - mis.setFilters(filterObject); - - request.setMIS(mis); - } - - if (MiscUtil.isEmpty(connectionParameters.getUrl())) { - Logger.warn("SZR-Gateway Service URL is empty"); - throw new SZRGWClientException("service.07"); - } - - Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")..."); - CreateIdentityLinkResponse response = client.sentCreateIDLRequest(request, connectionParameters.getUrl()); - return response; - - } - catch (ConfigurationException e) { - Logger.warn(e); - Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null )); + AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); + ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter(); + + SZRGWClient client = new SZRGWClient(connectionParameters); + + CreateIdentityLinkRequest request = new CreateIdentityLinkRequest(); + request.setSignature(citizenSignature.getBytes("UTF-8")); + + if(PEPSDateOfBirth!=null || PEPSFamilyname!=null || PEPSFirstname!=null || PEPSIdentifier!=null || representative!=null || represented!=null || mandateContent!=null || organizationAddress!=null || organizationType!=null) + { + PEPSData data = new PEPSData(); + data.setDateOfBirth(PEPSDateOfBirth); + data.setFamilyname(PEPSFamilyname); + data.setFirstname(PEPSFirstname); + data.setIdentifier(PEPSIdentifier); + + data.setRepresentative(representative); + data.setRepresented(represented); + data.setMandateContent(mandateContent); + + data.setLegalPersonCanonicalRegisteredAddress(organizationAddress); + data.setLegalPersonTranslatableType(organizationType); + + request.setPEPSData(data); + } + if (null != mandateContent) { + MISType mis = new MISType(); + + Target targetObject = new Target(); + targetObject.setType(targetType); + targetObject.setValue(targetValue); + mis.setTarget(targetObject); + + mis.setOAFriendlyName(oaFriendlyName); + + Filters filterObject = new Filters(); + MandateIdentifiers mandateIds = new MandateIdentifiers(); + for(String current : filters) + mandateIds.getMandateIdentifier().add(current.trim()); + filterObject.setMandateIdentifiers(mandateIds); + mis.setFilters(filterObject); + + request.setMIS(mis); + } + + if (MiscUtil.isEmpty(connectionParameters.getUrl())) { + Logger.warn("SZR-Gateway Service URL is empty"); + throw new SZRGWClientException("service.07"); + } + + Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")..."); + CreateIdentityLinkResponse response = client.sentCreateIDLRequest(request, connectionParameters.getUrl()); + return response; + + } + catch (ConfigurationException e) { + Logger.warn(e); + Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null )); } catch (UnsupportedEncodingException e) { Logger.warn(e); } - - return null; - - } - - /** - * Starts a MOA-ID authentication process using STORK - * - * @param req HttpServletRequest - * @param resp HttpServletResponse - * @param ccc Citizen country code - * @param oaURL URL of the online application - * @param target Target parameter - * @param targetFriendlyName Friendly Name of Target - * @param authURL Authentication URL - * @param sourceID SourceID parameter - * @throws MOAIDException - * @throws AuthenticationException - * @throws WrongParametersException - * @throws ConfigurationException - */ - public static void startSTORKAuthentication( - HttpServletRequest req, - HttpServletResponse resp, - AuthenticationSession moasession) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException { - - if (moasession == null) { - throw new AuthenticationException("auth.18", new Object[]{}); - } - - //read configuration paramters of OA - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); - if (oaParam == null) - throw new AuthenticationException("auth.00", new Object[]{moasession.getPublicOAURLPrefix()}); - - //Start of STORK Processing - STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); - - CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc()); - - Logger.debug("Preparing to assemble STORK AuthnRequest with the following values:"); - String destination = cpeps.getPepsURL().toExternalForm(); - Logger.debug("C-PEPS URL: " + destination); - - - String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); -// String acsURL = new DataURLBuilder().buildDataURL(issuerValue, -// PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID()); - - //solve Problem with sessionIDs - String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; - - Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); - - String providerName = oaParam.getFriendlyName(); - Logger.debug("Issuer value: " + issuerValue); - - // prepare collection of required attributes - // - attributes for online application - List attributesFromConfig = oaParam.getRequestedAttributes(); - - // - prepare attribute list - PersonalAttributeList attributeList = new PersonalAttributeList(); - - // - fill container - for (OAStorkAttribute current : attributesFromConfig) { - PersonalAttribute newAttribute = new PersonalAttribute(); - newAttribute.setName(current.getName()); - - boolean globallyMandatory = false; - for (StorkAttribute currentGlobalAttribute : storkConfig.getStorkAttributes()) - if (current.getName().equals(currentGlobalAttribute.getName())) { - globallyMandatory = currentGlobalAttribute.isMandatory(); - break; - } - - newAttribute.setIsRequired(current.isMandatory() || globallyMandatory); - attributeList.add(newAttribute); - } - - // add sign request - PersonalAttribute newAttribute = new PersonalAttribute(); - newAttribute.setName("signedDoc"); - List value = new ArrayList(); - - Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported()); - if(cpeps.isXMLSignatureSupported())//Send SignRequest to PEPS - { - value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), - "application/xhtml+xml", moasession.getCcc())); - newAttribute.setValue(value); - attributeList.add(newAttribute); - } - else//Process SignRequest locally with MOCCA - { - String target = moasession.getTarget(); - moasession.setTarget("AT"); - String signedDoc = (generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), - "application/xhtml+xml", "AT"));//moasession.getCcc() - moasession.setTarget(target); - Logger.warn("signedDoc to store:"+signedDoc); - //attributeList.add(newAttribute); - - //store SignRequest for later... - moasession.setSignedDoc(signedDoc); - - acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; - try { + + return null; + + } + + /** + * Starts a MOA-ID authentication process using STORK + * + * @param req HttpServletRequest + * @param resp HttpServletResponse + * @param ccc Citizen country code + * @param oaURL URL of the online application + * @param target Target parameter + * @param targetFriendlyName Friendly Name of Target + * @param authURL Authentication URL + * @param sourceID SourceID parameter + * @throws MOAIDException + * @throws AuthenticationException + * @throws WrongParametersException + * @throws ConfigurationException + */ + public static void startSTORKAuthentication( + HttpServletRequest req, + HttpServletResponse resp, + AuthenticationSession moasession) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException { + + if (moasession == null) { + throw new AuthenticationException("auth.18", new Object[]{}); + } + + //read configuration paramters of OA + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); + if (oaParam == null) + throw new AuthenticationException("auth.00", new Object[]{moasession.getPublicOAURLPrefix()}); + + //Start of STORK Processing + STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); + + CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc()); + + Logger.debug("Preparing to assemble STORK AuthnRequest with the following values:"); + String destination = cpeps.getPepsURL().toExternalForm(); + Logger.debug("C-PEPS URL: " + destination); + + + String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + // String acsURL = new DataURLBuilder().buildDataURL(issuerValue, + // PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID()); + + //solve Problem with sessionIDs + String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + + Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); + + String providerName = oaParam.getFriendlyName(); + Logger.debug("Issuer value: " + issuerValue); + + // prepare collection of required attributes + // - attributes for online application + List attributesFromConfig = oaParam.getRequestedAttributes(); + + // - prepare attribute list + PersonalAttributeList attributeList = new PersonalAttributeList(); + + // - fill container + for (OAStorkAttribute current : attributesFromConfig) { + PersonalAttribute newAttribute = new PersonalAttribute(); + newAttribute.setName(current.getName()); + + boolean globallyMandatory = false; + for (StorkAttribute currentGlobalAttribute : storkConfig.getStorkAttributes()) + if (current.getName().equals(currentGlobalAttribute.getName())) { + globallyMandatory = currentGlobalAttribute.isMandatory(); + break; + } + + newAttribute.setIsRequired(current.isMandatory() || globallyMandatory); + attributeList.add(newAttribute); + } + + // add sign request + PersonalAttribute newAttribute = new PersonalAttribute(); + newAttribute.setName("signedDoc"); + List value = new ArrayList(); + + Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported()); + if(cpeps.isXMLSignatureSupported())//Send SignRequest to PEPS + { + value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", moasession.getCcc())); + newAttribute.setValue(value); + attributeList.add(newAttribute); + } + else//Process SignRequest locally with MOCCA + { + String target = moasession.getTarget(); + moasession.setTarget("AT"); + String signedDoc = (generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", "AT"));//moasession.getCcc() + moasession.setTarget(target); + Logger.warn("signedDoc to store:"+signedDoc); + //attributeList.add(newAttribute); + + //store SignRequest for later... + moasession.setSignedDoc(signedDoc); + + acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + try { AuthenticationSessionStoreage.storeSession(moasession); } catch (MOADatabaseException e) { // TODO Auto-generated catch block e.printStackTrace(); } - - } - - if (Logger.isDebugEnabled()) { - Logger.debug("The following attributes are requested for this OA:"); - for (OAStorkAttribute logReqAttr : attributesFromConfig) - Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isMandatory()); - } - - //TODO: check Target in case of SSO!! - String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); - String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); - String spApplication = spInstitution; - String spCountry = "AT"; - - //generate AuthnRquest - STORKAuthnRequest authnRequest = new STORKAuthnRequest(); - authnRequest.setDestination(destination); - authnRequest.setAssertionConsumerServiceURL(acsURL);//PEPSConnectorWithLocalSigning - authnRequest.setProviderName(providerName); - authnRequest.setIssuer(issuerValue); - authnRequest.setQaa(oaParam.getQaaLevel()); - authnRequest.setSpInstitution(spInstitution); - authnRequest.setCountry(spCountry); - authnRequest.setSpApplication(spApplication); - authnRequest.setSpSector(spSector); - authnRequest.setPersonalAttributeList(attributeList); - - //TODO change - authnRequest.setEIDCrossBorderShare(true); - authnRequest.setEIDCrossSectorShare(true); - authnRequest.setEIDSectorShare(true); - - authnRequest.setCitizenCountryCode(moasession.getCcc()); - - Logger.debug("STORK AuthnRequest succesfully assembled."); - - STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); - - if (samlEngine == null) { - Logger.error("Could not initalize STORK SAML engine."); - throw new MOAIDException("stork.00", null); - } - - try { - authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest); - } catch (STORKSAMLEngineException e) { - Logger.error("Could not sign STORK SAML AuthnRequest.", e); - throw new MOAIDException("stork.00", null); - } - - Logger.info("STORK AuthnRequest successfully signed!"); - - //validate AuthnRequest - try { - samlEngine.validateSTORKAuthnRequest(authnRequest.getTokenSaml()); - } catch (STORKSAMLEngineException e) { - Logger.error("STORK SAML AuthnRequest not valid.", e); - throw new MOAIDException("stork.01", null); - } - - Logger.debug("STORK AuthnRequest successfully internally validated."); - - //send - moasession.setStorkAuthnRequest(authnRequest); - - AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId()); - - - Logger.info("Preparing to send STORK AuthnRequest."); - Logger.info("prepared STORKAuthnRequest: "); - Logger.info(new String(authnRequest.getTokenSaml())); - - try { - Logger.trace("Initialize VelocityEngine..."); - - VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); - Template template = velocityEngine.getTemplate("/resources/templates/saml2-post-binding-moa.vm"); - VelocityContext context = new VelocityContext(); - context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authnRequest.getTokenSaml())); - context.put("RelayState", moasession.getSessionID()); - context.put("action", destination); - - StringWriter writer = new StringWriter(); - template.merge(context, writer); - - resp.setContentType("text/html;charset=UTF-8"); - resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); - - } catch (Exception e) { - Logger.error("Error sending STORK SAML AuthnRequest.", e); - throw new MOAIDException("stork.02", new Object[]{destination}); - - } - - Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); - } - - private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) { - IdentifierGenerator idGenerator; - try { - idGenerator = new SecureRandomIdentifierGenerator(); - - DocumentType doc = new DocumentType(); - doc.setBase64XML(text.getBytes("UTF-8")); - doc.setID(idGenerator.generateIdentifier()); - - SignRequest request = new SignRequest(); - request.setInputDocuments(ApiUtils.createInputDocuments(doc)); - - String id = idGenerator.generateIdentifier(); - request.setRequestID(id); - request.setDocUI(id); - - request.setProfile(Profiles.XADES_BES.toString()); - request.setNumberOfSigners(BigInteger.ONE); - request.setTargetCountry(citizenCountry); - - // no, no todo. PEPS will alter this value anyhow. - request.setReturnURL("http://invalid_return"); - - AnyType required = new AnyType(); - required.getAny().add(ApiUtils.createSignatureType(SignatureTypes.XMLSIG_RFC3275.toString())); - required.getAny().add(ApiUtils.createAdditionalProfile(AdditionalProfiles.XADES.toString())); - required.getAny().add(ApiUtils.createQualityRequirements(QualityLevels.QUALITYLEVEL_QUALIFIEDSIG)); - required.getAny().add(ApiUtils.createIncludeObject(doc)); - request.setOptionalInputs(required); - - return IOUtils.toString(ApiUtils.marshalToInputStream(request)); - } catch (NoSuchAlgorithmException e) { - Logger.error("Cannot generate id", e); - throw new RuntimeException(e); - } catch (ApiUtilsException e) { - Logger.error("Could not create SignRequest", e); - throw new RuntimeException(e); - } catch (DOMException e) { - Logger.error("Could not create SignRequest", e); - throw new RuntimeException(e); - } catch (IOException e) { - Logger.error("Could not create SignRequest", e); - throw new RuntimeException(e); - } - } - - /** - * Extracts an X509 Certificate out of an XML signagture element - * - * @param signedXML XML signature element - * @return X509Certificate - * @throws CertificateException - */ - public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException { - - NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate"); - - String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList); - - if (StringUtils.isEmpty(base64CertString)) { - String msg = "XML does not contain a X509Certificate element."; - Logger.error(msg); - throw new CertificateException(msg); - } - - InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString)); - - X509Certificate cert; - try { - cert = new X509Certificate(is); - return cert; - - } catch (Throwable e) { - throw new CertificateException(e); - } - } + + } + + if (Logger.isDebugEnabled()) { + Logger.debug("The following attributes are requested for this OA:"); + for (OAStorkAttribute logReqAttr : attributesFromConfig) + Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isMandatory()); + } + + //TODO: check Target in case of SSO!! + String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); + String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); + String spApplication = spInstitution; + String spCountry = "AT"; + + //generate AuthnRquest + STORKAuthnRequest authnRequest = new STORKAuthnRequest(); + authnRequest.setDestination(destination); + authnRequest.setAssertionConsumerServiceURL(acsURL);//PEPSConnectorWithLocalSigning + authnRequest.setProviderName(providerName); + authnRequest.setIssuer(issuerValue); + authnRequest.setQaa(oaParam.getQaaLevel()); + authnRequest.setSpInstitution(spInstitution); + authnRequest.setCountry(spCountry); + authnRequest.setSpApplication(spApplication); + authnRequest.setSpSector(spSector); + authnRequest.setPersonalAttributeList(attributeList); + + //TODO change + authnRequest.setEIDCrossBorderShare(true); + authnRequest.setEIDCrossSectorShare(true); + authnRequest.setEIDSectorShare(true); + + authnRequest.setCitizenCountryCode(moasession.getCcc()); + + Logger.debug("STORK AuthnRequest succesfully assembled."); + + STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); + + if (samlEngine == null) { + Logger.error("Could not initalize STORK SAML engine."); + throw new MOAIDException("stork.00", null); + } + + try { + authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest); + } catch (STORKSAMLEngineException e) { + Logger.error("Could not sign STORK SAML AuthnRequest.", e); + throw new MOAIDException("stork.00", null); + } + + Logger.info("STORK AuthnRequest successfully signed!"); + + //validate AuthnRequest + try { + samlEngine.validateSTORKAuthnRequest(authnRequest.getTokenSaml()); + } catch (STORKSAMLEngineException e) { + Logger.error("STORK SAML AuthnRequest not valid.", e); + throw new MOAIDException("stork.01", null); + } + + Logger.debug("STORK AuthnRequest successfully internally validated."); + + //send + moasession.setStorkAuthnRequest(authnRequest); + + AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId()); + + + Logger.info("Preparing to send STORK AuthnRequest."); + Logger.info("prepared STORKAuthnRequest: "); + Logger.info(new String(authnRequest.getTokenSaml())); + + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/saml2-post-binding-moa.vm"); + VelocityContext context = new VelocityContext(); + context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authnRequest.getTokenSaml())); + context.put("RelayState", moasession.getSessionID()); + context.put("action", destination); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + resp.setContentType("text/html;charset=UTF-8"); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); + + } catch (Exception e) { + Logger.error("Error sending STORK SAML AuthnRequest.", e); + throw new MOAIDException("stork.02", new Object[]{destination}); + + } + + Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); + } + + private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) { + IdentifierGenerator idGenerator; + try { + idGenerator = new SecureRandomIdentifierGenerator(); + + DocumentType doc = new DocumentType(); + doc.setBase64XML(text.getBytes("UTF-8")); + doc.setID(idGenerator.generateIdentifier()); + + SignRequest request = new SignRequest(); + request.setInputDocuments(ApiUtils.createInputDocuments(doc)); + + String id = idGenerator.generateIdentifier(); + request.setRequestID(id); + request.setDocUI(id); + + request.setProfile(Profiles.XADES_BES.toString()); + request.setNumberOfSigners(BigInteger.ONE); + request.setTargetCountry(citizenCountry); + + // no, no todo. PEPS will alter this value anyhow. + request.setReturnURL("http://invalid_return"); + + AnyType required = new AnyType(); + required.getAny().add(ApiUtils.createSignatureType(SignatureTypes.XMLSIG_RFC3275.toString())); + required.getAny().add(ApiUtils.createAdditionalProfile(AdditionalProfiles.XADES.toString())); + required.getAny().add(ApiUtils.createQualityRequirements(QualityLevels.QUALITYLEVEL_QUALIFIEDSIG)); + required.getAny().add(ApiUtils.createIncludeObject(doc)); + request.setOptionalInputs(required); + + return IOUtils.toString(ApiUtils.marshalToInputStream(request)); + } catch (NoSuchAlgorithmException e) { + Logger.error("Cannot generate id", e); + throw new RuntimeException(e); + } catch (ApiUtilsException e) { + Logger.error("Could not create SignRequest", e); + throw new RuntimeException(e); + } catch (DOMException e) { + Logger.error("Could not create SignRequest", e); + throw new RuntimeException(e); + } catch (IOException e) { + Logger.error("Could not create SignRequest", e); + throw new RuntimeException(e); + } + } + + /** + * Extracts an X509 Certificate out of an XML signagture element + * + * @param signedXML XML signature element + * @return X509Certificate + * @throws CertificateException + */ + public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException { + + NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate"); + + String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList); + + if (StringUtils.isEmpty(base64CertString)) { + String msg = "XML does not contain a X509Certificate element."; + Logger.error(msg); + throw new CertificateException(msg); + } + + InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString)); + + X509Certificate cert; + try { + cert = new X509Certificate(is); + return cert; + + } catch (Throwable e) { + throw new CertificateException(e); + } + } } -- cgit v1.2.3 From d2b55c814089cd667115c6c2e46daf14c8c2611c Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Wed, 16 Jul 2014 17:04:17 +0200 Subject: iFrame leaving problem fixed, redirect code changed --- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 7 ++-- .../PEPSConnectorWithLocalSigningServlet.java | 38 +++++++++++++++++----- 2 files changed, 34 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 64447b20e..397eebd9b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -399,9 +399,10 @@ public class PEPSConnectorServlet extends AuthServlet { ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); redirectURL = response.encodeRedirectURL(redirectURL); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", redirectURL); +// response.setContentType("text/html"); +// response.setStatus(302); +// response.addHeader("Location", redirectURL); + response.sendRedirect(redirectURL); Logger.info("REDIRECT TO: " + redirectURL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index 62e15a379..cd7427913 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.auth.servlet; import iaik.x509.X509Certificate; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.StringWriter; @@ -42,7 +41,6 @@ import javax.servlet.http.HttpServletResponse; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBElement; import javax.xml.bind.JAXBException; -import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.TransformerConfigurationException; @@ -57,7 +55,6 @@ import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.opensaml.saml2.core.StatusCode; -import org.w3c.dom.Element; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; @@ -73,6 +70,7 @@ import at.gv.egovernment.moa.id.auth.exception.ServiceException; import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; @@ -86,7 +84,7 @@ import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.SPSSFactory; import at.gv.egovernment.moa.spss.api.SignatureVerificationService; import at.gv.egovernment.moa.spss.api.common.Content; -import at.gv.egovernment.moa.spss.api.common.SignerInfo; + import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureInfo; import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureLocation; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; @@ -117,7 +115,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnectorWithLocalSigning"; - private String oasisDssWebFormURL = "http://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//TODO load from config + private String oasisDssWebFormURL = "https://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//TODO load from config /** @@ -262,9 +260,10 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); redirectURL = response.encodeRedirectURL(redirectURL); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", redirectURL); +// response.setContentType("text/html"); +// response.setStatus(302); +// response.addHeader("Location", redirectURL); + response.sendRedirect(redirectURL); Logger.info("REDIRECT TO: " + redirectURL); } catch (AuthenticationException e) { @@ -467,6 +466,29 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { String url = acsURL+"?moaSessionID="+newMOASessionID; //redirect to OASIS module and sign there + + boolean found = false; + try{ + List aps = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix()).getStorkAPs(); + for(AttributeProviderPlugin ap : aps) + { + if(ap.getAttributes().equalsIgnoreCase("signedDoc")) + { + oasisDssWebFormURL = ap.getUrl(); + found = true; + Logger.info("Loaded signedDoc attribute provider url from config:"+oasisDssWebFormURL); + break; + } + } + }catch(Exception e) + { + e.printStackTrace(); + Logger.error("Loading the signedDoc attribute provider url from config failed"); + } + if(!found) + { + Logger.error("Failed to load the signedDoc attribute provider url from config"); + } performRedirect(url,request,response,signRequest); return; -- cgit v1.2.3 From 7e42dd36309d1113ce85d26fde15303059743b90 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Thu, 17 Jul 2014 16:13:37 +0200 Subject: todo --- .../gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- .../moa/id/protocols/stork2/MandateRetrievalRequest.java | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 64447b20e..40c358b7e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -244,7 +244,7 @@ public class PEPSConnectorServlet extends AuthServlet { //extract signed doc element and citizen signature String citizenSignature = null; try { - String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 139c438f9..ba849f959 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction { httpResp.reset(); this.representingIdentityLink = authData.getIdentityLink(); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); @@ -96,7 +97,7 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContain er(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); @@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction { } if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType()); + Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)"); + Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() + ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue()); throw new MOAIDException("stork.20", new Object[]{}); // TODO } @@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction { represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute)); } else if (mandateContainer instanceof PhyPersonMandateContainer) { PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer; - represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE + represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName()); represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName()); represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate()); -- cgit v1.2.3 From 708009bbfc5433c3338278b95e9f150b424d2a03 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Thu, 17 Jul 2014 16:18:30 +0200 Subject: typo --- .../gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index ba849f959..baa91a854 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -97,7 +97,7 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContain er(new String(authData.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); -- cgit v1.2.3 From 078c7784e9e278bd5fdd96465a38558776cacb04 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 4 Aug 2014 12:57:39 +0200 Subject: MOA federation with USP - add some initial methodes --- .../id/auth/builder/AuthenticationDataBuilder.java | 72 ++++++++++++---------- .../moa/id/entrypoints/DispatcherServlet.java | 2 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 14 +++++ 3 files changed, 54 insertions(+), 34 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 17d6898ee..ddcc6e1d1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; @@ -76,6 +77,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; @@ -239,11 +241,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { attributs = reqQueryAttr; //IDP is a service provider IDP and request interfederated IDP to collect attributes - } else { - - //TODO: check if response include attributes and map this attributes to requested attributes - //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst - + } else { //get PVP 2.1 attributes from protocol specific requested attributes attributs = req.getRequestedAttributes(); @@ -255,44 +253,52 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); } + + + //TODO: check if response include attributes and map this attributes to requested attributes + //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst + Response intfResp = (Response) req.getInterfederationResponse().getResponse(); + AssertionAttributeExtractor extractor = + new AssertionAttributeExtractor(intfResp); - //build attributQuery request - AttributeQuery query = - AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); + if (!extractor.containsAllRequiredAttributes()) { + //build attributQuery request + AttributeQuery query = + AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); - //build SOAP request - List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + //build SOAP request + List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); - } + } - if (xmlObjects.get(0) instanceof Response) { - Response intfResp = (Response) xmlObjects.get(0); + if (xmlObjects.get(0) instanceof Response) { + intfResp = (Response) xmlObjects.get(0); - //validate PVP 2.1 response - try { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + //validate PVP 2.1 response + try { + SAMLVerificationEngine engine = new SAMLVerificationEngine(); + engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - SAMLVerificationEngine.validateAssertion(intfResp, false); + SAMLVerificationEngine.validateAssertion(intfResp, false); - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); - } - - //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + } + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + } } - + //parse response information to authData + buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + } catch (SOAPException e) { throw new BuildException("builder.06", null, e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 0d34fcb87..1e38bd4ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{ info = ModulStorage.getModuleByPath(protocolRequest.requestedModule()); moduleAction = info.getAction(protocolRequest.requestedAction()); - //create interfederated mOASession + //create interfederated MOASession String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId); req.getParameterMap().put(PARAM_SESSIONID, sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index ee0088576..9aadfdc28 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; import java.util.List; import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; @@ -54,6 +55,19 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption(); } + public boolean containsAllRequiredAttributes() { + //TODO: add default attribute list + return containsAllRequiredAttributes(null); + + } + + public boolean containsAllRequiredAttributes(List attributs) { + //TODO: add validation + return false; + + } + + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { Subject subject = assertion.getSubject(); -- cgit v1.2.3 From 296ebbfb36ef207abe4611cb8d3727d2f86a692b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:00:17 +0200 Subject: update PVP 2.1 SAML2 bindings --- .../id/protocols/pvp2x/binding/PostBinding.java | 20 ++++++++------- .../protocols/pvp2x/binding/RedirectBinding.java | 20 ++++++++++----- .../id/protocols/pvp2x/binding/SoapBinding.java | 30 +++++++++++++++++++--- 3 files changed, 51 insertions(+), 19 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 7f73b1ed7..1a268c812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); - + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } + } catch (ConfigurationException e) { throw new SecurityException(e); } messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - //set metadata descriptor type - if (isSPEndPoint) - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - else - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - + decode.decode(messageContext); InboundMessage msg = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 26f6f3a62..f11561c14 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); + messageContext + .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } } catch (ConfigurationException e) { throw new SecurityException(e); } - - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index f0eafe272..a2583c706 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.soap.client.BasicSOAPMessageContext; @@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class SoapBinding implements IDecoder, IEncoder { @@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder { new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - + req)); + //messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + soapDecoder.decode(messageContext); Envelope inboundMessage = (Envelope) messageContext @@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); - MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); + + if (messageContext.getPeerEntityMetadata() != null) + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + + else if (attrReq instanceof RequestAbstractType) { + RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; + try { + if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) && + MOAMetadataProvider.getInstance().getRole( + attributeRequest.getIssuer().getValue(), + SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) + request.setEntityID(attributeRequest.getIssuer().getValue()); + + } catch (Exception e) { + Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue()); + } + } + request.setVerified(false); return request; -- cgit v1.2.3 From 1ab0f1d4d991464b906c34befefe2ecaf485d485 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:03:42 +0200 Subject: add interfederation without attributequery request which use encrypted bPKs (this functionality is required for federation with USP) --- .../id/auth/builder/AuthenticationDataBuilder.java | 355 +++++++++++++-------- .../moa/id/auth/builder/BPKBuilder.java | 94 ++++++ .../exception/DatabaseEncryptionException.java | 46 +++ .../id/config/auth/AuthConfigurationProvider.java | 11 + .../moa/id/config/auth/IOAAuthParameters.java | 4 + .../moa/id/config/auth/OAAuthParameter.java | 36 +++ .../config/auth/data/BPKDecryptionParameters.java | 127 ++++++++ .../config/auth/data/DynamicOAAuthParameters.java | 10 + .../moa/id/data/AuthenticationData.java | 21 +- .../gv/egovernment/moa/id/data/EncryptedbPK.java | 33 ++ .../at/gv/egovernment/moa/id/data/IAuthData.java | 3 + .../attributes/EncryptedBPKAttributeBuilder.java | 70 ++++ .../MandateFullMandateAttributeBuilder.java | 7 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 89 +++++- .../protocols/saml1/SAML1AuthenticationServer.java | 5 +- .../id/storage/AuthenticationSessionStoreage.java | 4 +- .../moa/id/util/AbstractEncrytionUtil.java | 157 +++++++++ .../moa/id/util/ConfigurationEncrytionUtil.java | 71 +++++ .../moa/id/util/SessionEncrytionUtil.java | 132 +++----- .../moa/id/util/client/mis/simple/MISMandate.java | 14 + .../id/util/client/mis/simple/MISSimpleClient.java | 2 + 21 files changed, 1058 insertions(+), 233 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index ddcc6e1d1..3c029f261 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -24,31 +24,35 @@ package at.gv.egovernment.moa.id.auth.builder; import iaik.x509.X509Certificate; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.security.PrivateKey; import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; -import java.util.GregorianCalendar; import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; -import eu.stork.peps.auth.commons.PersonalAttribute; -import eu.stork.peps.auth.commons.PersonalAttributeList; - +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; +import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -151,7 +155,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - } InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); @@ -295,9 +298,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); } + + //create assertion attribute extractor from AttributeQuery response + extractor = new AssertionAttributeExtractor(intfResp); + } //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); } catch (SOAPException e) { throw new BuildException("builder.06", null, e); @@ -320,146 +327,242 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session, - Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { + private static void buildAuthDataFormInterfederationResponse( + AuthenticationData authData, + AuthenticationSession session, + AssertionAttributeExtractor extractor, + IOAAuthParameters oaParam) + throws BuildException, AssertionAttributeExtractorExeption { Logger.debug("Build AuthData from assertion starts ...."); - Assertion assertion = intfResp.getAssertions().get(0); + authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME)); + authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME)); + authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); + authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); + authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME)); + authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); + authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME)); + authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); - if (assertion.getAttributeStatements().size() == 0) { - Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); - throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null); - + if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { + String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME); + authData.setBPK(pvpbPK.split(":")[1]); } - AttributeStatement attrStat = assertion.getAttributeStatements().get(0); - for (Attribute attr : attrStat.getAttributes()) { - - if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) - authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) - authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) - authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BPK_NAME)) { - String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent(); - authData.setBPK(pvpbPK.split(":")[1]); - } - - if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) - authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) - authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); + if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { + List encbPKList = Arrays.asList( + extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";")); + authData.setEncbPKList(encbPKList); + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + if (oaParam.getTarget().equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + oaParam.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); + if (MiscUtil.isNotEmpty(bPK)) { + if (MiscUtil.isEmpty(authData.getBPK())) { + authData.setBPK(bPK); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + Logger.info("bPK decryption process finished successfully."); + } + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + + } + + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } + + } else { + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); + + } + } + } + } + } + + if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { + Logger.error("Federated assertion include no bPK or encrypted bPK"); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); - if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) - authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + + if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { + try { + byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); - if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { - try { - byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - authData.setAuthBlock(new String(authBlock, "UTF-8")); + } catch (IOException e) { + Logger.error("Received AuthBlock is not valid", e); - } catch (IOException e) { - Logger.error("Received AuthBlock is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { - try { - authData.setSignerCertificate(Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); - - } catch (IOException e) { - Logger.error("Received SignerCertificate is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) - authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) - authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { - try { - InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - authData.setIdentityLink(idl); - - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) - authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - - if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { - try { - byte[] mandate = Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - - if (authData.getMISMandate() == null) - authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setMandate(mandate); + } + + if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { + try { + authData.setSignerCertificate(Base64Utils.decode( + extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + + } catch (IOException e) { + Logger.error("Received SignerCertificate is not valid", e); + + } + } + + if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { + try { + InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false); + IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + authData.setIdentityLink(idl); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); - authData.setUseMandate(true); - - } catch (Exception e) { - Logger.error("Received Mandate is not valid", e); - throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + } + + + // set mandate attributes + authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); + + if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { + try { + byte[] mandate = Base64Utils.decode( + (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setProfRep( - attr.getAttributeValues().get(0).getDOM().getTextContent()); + authData.getMISMandate().setMandate(mandate); + authData.getMISMandate().setFullMandateIncluded(true); + authData.setUseMandate(true); + + } catch (Exception e) { + Logger.error("Received Mandate is not valid", e); + throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + } + } + + //TODO: build short mandate if full mandate is no included. + if (authData.getMISMandate() == null && + (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) { + Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... "); + + MISMandate misMandate = new MISMandate(); + misMandate.setFullMandateIncluded(false); + + Mandate mandateObject = new Mandate(); + Mandator mandator = new Mandator(); + mandateObject.setMandator(mandator); + + //build legal person short mandate + if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + CorporateBodyType legalperson = new CorporateBodyType(); + IdentificationType legalID = new IdentificationType(); + Value idvalue = new Value(); + legalID.setValue(idvalue ); + legalperson.getIdentification().add(legalID ); + mandator.setCorporateBody(legalperson ); + + legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); + legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); + idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); + + //build natural person short mandate + } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { + throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); + + + + } else { + Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary."); + throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null); - } - - if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) { - authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent()); - authData.setForeigner(true); } - if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + try { + JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_"); + Marshaller m = jc.createMarshaller(); + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal(mandateObject, stream); + misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes()); + stream.close(); - if (authData.getStorkAttributes() == null) - authData.setStorkAttributes(new PersonalAttributeList()); + } catch (JAXBException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); + + } catch (IOException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); - List storkAttrValues = new ArrayList(); - storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); - PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), - false, storkAttrValues , "Available"); - authData.getStorkAttributes().put(attr.getName(), storkAttr ); - authData.setForeigner(true); - } - + } + authData.setUseMandate(true); + } + + if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setProfRep( + extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); + + } + + + //set STORK attributes + if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { + authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME)); + authData.setForeigner(true); + + } + + if (!extractor.getSTORKAttributes().isEmpty()) { + authData.setStorkAttributes(extractor.getSTORKAttributes()); + authData.setForeigner(true); + + } + authData.setSsoSession(true); - if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) - authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate()); + if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) + authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); //only for SAML1 if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 20641ca7c..b122ba17e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -46,13 +46,27 @@ package at.gv.egovernment.moa.id.auth.builder; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import java.io.UnsupportedEncodingException; +import java.security.InvalidKeyException; import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.text.SimpleDateFormat; +import java.util.Date; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; /** * Builder for the bPK, as defined in @@ -135,6 +149,58 @@ public class BPKBuilder { } } + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { + MiscUtil.assertNotNull(bpk, "BPK"); + MiscUtil.assertNotNull(publicKey, "publicKey"); + + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" + + bpk + "::" + + sdf.format(new Date()); + System.out.println(input); + byte[] result; + try { + byte[] inputBytes = input.getBytes("ISO-8859-1"); + result = encrypt(inputBytes, publicKey); + return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", ""); + + } catch (Exception e) { + throw new BuildException("bPK encryption FAILED", null, e); + } + } + + public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { + MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); + MiscUtil.assertNotNull(privateKey, "Private key"); + String decryptedString; + try { + byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1"); + byte[] decryptedBytes = decrypt(encryptedBytes, privateKey); + decryptedString = new String(decryptedBytes, "ISO-8859-1"); + + } catch (Exception e) { + throw new BuildException("bPK decryption FAILED", null, e); + } + String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1); + String sector = tmp.substring(0, tmp.indexOf("::")); + tmp = tmp.substring(tmp.indexOf("::") + 2); + String bPK = tmp.substring(0, tmp.indexOf("::")); + + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + if (target.equals(sector)) + return bPK; + + else { + Logger.error("Decrypted bPK does not match to request bPK target."); + return null; + } + } + /** * Builds the storkeid from the given parameters. * @@ -214,6 +280,34 @@ public class BPKBuilder { throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex); } } + + private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.ENCRYPT_MODE, publicKey); + result = cipher.doFinal(inputBytes); + + return result; + } + + private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey) + throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{ + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.DECRYPT_MODE, privateKey); + result = cipher.doFinal(encryptedBytes); + return result; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java new file mode 100644 index 000000000..69802d7e6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java @@ -0,0 +1,46 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DatabaseEncryptionException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = 6387519847869308880L; + + /** + * @param messageId + * @param parameters + * @param wrapped + */ + public DatabaseEncryptionException(String messageId, Object[] parameters, + Throwable wrapped) { + super(messageId, parameters, wrapped); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..a62de27fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return prop; } + /** + * @return + */ + public String getMOAConfigurationEncryptionKey() { + String prop = props.getProperty("configuration.moaconfig.key"); + if (MiscUtil.isEmpty(prop)) + return null; + else + return prop; + } + public boolean isIdentityLinkResigning() { String prop = props.getProperty("configuration.resignidentitylink.active", "false"); return Boolean.valueOf(prop); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 6398de34f..4c6519b57 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; /** * @author tlenz @@ -149,4 +151,6 @@ public interface IOAAuthParameters { List getTestCredentialOIDs(); + PrivateKey getBPKDecBpkDecryptionKey(); + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f58fe2495..673d23373 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -46,11 +46,15 @@ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType; @@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.config.ConfigurationUtils; import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -555,4 +562,33 @@ public List getTestCredentialOIDs() { return null; } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ +@Override +public PrivateKey getBPKDecBpkDecryptionKey() { + + try { + EncryptedData encdata = new EncryptedData( + oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(), + oa_auth.getEncBPKInformation().getBPKDecryption().getIv()); + byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata); + BPKDecryptionParameters data = + (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData); + + return data.getPrivateKey(); + + } catch (BuildException e) { + // TODO Auto-generated catch block + Logger.error("Can not decrypt key information for bPK decryption", e); + + } catch (NullPointerException e) { + Logger.error("No keyInformation found for bPK decryption"); + + } + return null; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java new file mode 100644 index 000000000..787a480f0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java @@ -0,0 +1,127 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; + +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.KeyStoreUtils; + + +/** + * @author tlenz + * + */ +public class BPKDecryptionParameters implements Serializable{ + + private static final long serialVersionUID = 1L; + + private byte[] keyStore = null; + private String keyStorePassword = null; + private String keyAlias = null; + private String keyPassword = null; + + /** + * @return + */ + public PrivateKey getPrivateKey() { + try { + InputStream in = new ByteArrayInputStream(keyStore); + KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword); + + char[] chPassword = " ".toCharArray(); + if (keyPassword != null) + chPassword = keyPassword.toCharArray(); + +// Certificate test = store.getCertificate(keyAlias); +// Base64Utils.encode(test.getPublicKey().getEncoded()); + + return (PrivateKey) store.getKey(keyAlias, chPassword); + + + } catch (KeyStoreException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (IOException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (UnrecoverableKeyException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Can not load private key from keystore.", e); + + } + + return null; + } + + public byte[] serialize() { + return SerializationUtils.serialize(this); + + } + + /** + * @param keyStore the keyStore to set + */ + public void setKeyStore(byte[] keyStore) { + this.keyStore = keyStore; + } + + /** + * @param keyStorePassword the keyStorePassword to set + */ + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = keyStorePassword; + } + + /** + * @param keyAlias the keyAlias to set + */ + public void setKeyAlias(String keyAlias) { + this.keyAlias = keyAlias; + } + + /** + * @param keyPassword the keyPassword to set + */ + public void setKeyPassword(String keyPassword) { + this.keyPassword = keyPassword; + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index eddf605a6..7dbdcfa52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth.data; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ + @Override + public PrivateKey getBPKDecBpkDecryptionKey() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 5685977bc..6fd327add 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -27,6 +27,7 @@ import java.text.DateFormat; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable { private byte[] signerCertificate = null; private String authBlock = null; - + private List encbPKList = null; + + private boolean useMandate = false; private MISMandate mandate = null; private String mandateReferenceValue = null; @@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable { this.ssoSessionValidTo = ssoSessionValidTo; } + /** + * @return the encbPKList + */ + public List getEncbPKList() { + return encbPKList; + } + + /** + * @param encbPKList the encbPKList to set + */ + public void setEncbPKList(List encbPKList) { + this.encbPKList = encbPKList; + } + + + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java new file mode 100644 index 000000000..da6840fd7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java @@ -0,0 +1,33 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public class EncryptedbPK { + private String vkz = null; + private String target = null; + private String encbPK = null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 7e421da0f..8ce33021d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.data; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -62,6 +63,8 @@ public interface IAuthData { String getBkuURL(); + List getEncbPKList(); + IdentityLink getIdentityLink(); byte[] getSignerCertificate(); String getAuthBlock(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java new file mode 100644 index 000000000..b3256ac9a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { + + public String getName() { + return ENC_BPK_LIST_NAME; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + + if (authData.getEncbPKList() != null && + authData.getEncbPKList().size() > 0) { + String value = authData.getEncbPKList().get(0); + for (int i=1; i ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 670398ff6..790c1e8ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.DOMUtils; @@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - if (authData.getMandate() != null) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) { String fullMandate; try { fullMandate = DOMUtils.serializeNode(authData @@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder Logger.error("Failed to generate Full Mandate", e); } } + throw new NoMandateDataAttributeException(); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 9aadfdc28..1c12e7398 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -22,16 +22,25 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.core.Subject; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -39,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil; public class AssertionAttributeExtractor { private Assertion assertion = null; + private Map attributs = new HashMap(); + private PersonalAttributeList storkAttributes = new PersonalAttributeList(); + + private final List minimalAttributeNameList = Arrays.asList( + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.BIRTHDATE_NAME); + public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { if (samlResponse != null && samlResponse instanceof Response) { @@ -49,24 +66,80 @@ public class AssertionAttributeExtractor { else if (assertions.size() > 1) Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); - assertion = assertions.get(0); - + assertion = assertions.get(0); + + if (assertion.getAttributeStatements() != null && + assertion.getAttributeStatements().size() > 0) { + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + List storkAttrValues = new ArrayList(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + storkAttributes.put(attr.getName(), storkAttr ); + + } else + attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + } + + attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); + } else throw new AssertionAttributeExtractorExeption(); } + /** + * check attributes from assertion with minimal required attribute list + * @return + */ public boolean containsAllRequiredAttributes() { - //TODO: add default attribute list - return containsAllRequiredAttributes(null); + return containsAllRequiredAttributes(minimalAttributeNameList); } - public boolean containsAllRequiredAttributes(List attributs) { - //TODO: add validation + /** + * check attributes from assertion with attributeNameList + * bPK or enc_bPK is always needed + * + * @param List of attributes which are required + * + * @return + */ + public boolean containsAllRequiredAttributes(List attributeNameList) { + + //first check if a bPK or an encrypted bPK is available + if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || + (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + boolean flag = true; + for (String attr : attributeNameList) { + if (!attributs.containsKey(attr)) + flag = false; + } + + return flag; + + } return false; } + public boolean containsAttribute(String attributeName) { + return attributs.containsKey(attributeName); + + } + + public String getAttribute(String attributeName) { + return attributs.get(attributeName); + + } + + public PersonalAttributeList getSTORKAttributes() { + return storkAttributes; + } + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { @@ -113,6 +186,10 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); } + public Assertion getFullAssertion() { + return assertion; + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 08f40f888..fe0d27804 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -208,7 +208,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer { if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); - if (saml1parameter.isProvideFullMandatorData()) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (saml1parameter.isProvideFullMandatorData() + && authData.getMISMandate().isFullMandateIncluded()) { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 350c4e9da..a9f5ed60a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage { private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException { byte[] serialized = SerializationUtils.serialize(session); - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized); dbsession.setSession(encdata.getEncData()); dbsession.setIv(encdata.getIv()); } @@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage { private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException { EncryptedData encdata = new EncryptedData(dbsession.getSession(), dbsession.getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata); return (AuthenticationSession) SerializationUtils.deserialize(decrypted); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java new file mode 100644 index 000000000..f246c55e1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java @@ -0,0 +1,157 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SecureRandom; +import java.security.spec.InvalidKeySpecException; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + + +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public abstract class AbstractEncrytionUtil { + protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + protected static final String KEYNAME = "AES"; + + private SecretKey secret = null; + + public AbstractEncrytionUtil() throws DatabaseEncryptionException { + initialize(getKey(), getSalt()); + } + + protected abstract String getSalt(); + protected abstract String getKey(); + + protected void initialize(String key, String salt) throws DatabaseEncryptionException { + try { + if (MiscUtil.isNotEmpty(key)) { + if (MiscUtil.isEmpty(salt)) + salt = "TestSalt"; + + PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); + PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); + + SecureRandom random = new SecureRandom(); + KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); + + PBEKeyAndParameterSpec parameterSpec = + new PBEKeyAndParameterSpec(pbeKey.getEncoded(), + salt.getBytes(), + 2000, + 16); + + pbkdf2.init(parameterSpec, random); + SecretKey derivedKey = pbkdf2.generateKey(); + + SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); + SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); + secret = kf.generateSecret(spec); + + } else { + Logger.error("Database encryption can not initialized. No key found!"); + + } + + } catch (NoSuchAlgorithmException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (NoSuchProviderException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidKeySpecException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidAlgorithmParameterException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } + } + + public EncryptedData encrypt(byte[] data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.ENCRYPT_MODE, secret); + + Logger.debug("Encrypt MOASession"); + + byte[] encdata = cipher.doFinal(data); + byte[] iv = cipher.getIV(); + + return new EncryptedData(encdata, iv); + + } catch (Exception e) { + Logger.warn("MOASession is not encrypted",e); + throw new BuildException("MOASession is not encrypted", new Object[]{}, e); + } + } else + return new EncryptedData(data, null); + } + + public byte[] decrypt(EncryptedData data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + IvParameterSpec iv = new IvParameterSpec(data.getIv()); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.DECRYPT_MODE, secret, iv); + + Logger.debug("Decrypt MOASession"); + return cipher.doFinal(data.getEncData()); + + } catch (Exception e) { + Logger.warn("MOASession is not decrypted",e); + throw new BuildException("MOASession is not decrypted", new Object[]{}, e); + } + } else + return data.getEncData(); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java new file mode 100644 index 000000000..10221604c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java @@ -0,0 +1,71 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil { + + private static ConfigurationEncrytionUtil instance = null; + private static String key = null; + + public static ConfigurationEncrytionUtil getInstance() { + if (instance == null) { + try { + key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey(); + instance = new ConfigurationEncrytionUtil(); + + } catch (Exception e) { + Logger.warn("MOAConfiguration encryption initialization FAILED.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private ConfigurationEncrytionUtil() throws DatabaseEncryptionException { + super(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Configuration-Salt"; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java index acc2a7273..8660f7c09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java @@ -22,110 +22,50 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.util; -import iaik.security.cipher.PBEKey; -import iaik.security.spec.PBEKeyAndParameterSpec; - -import java.security.SecureRandom; -import java.security.spec.KeySpec; - -import javax.crypto.Cipher; -import javax.crypto.KeyGenerator; -import javax.crypto.SecretKey; -import javax.crypto.SecretKeyFactory; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.PBEKeySpec; -import javax.crypto.spec.SecretKeySpec; - -import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; -public class SessionEncrytionUtil { - - private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; - private static final String KEYNAME = "AES"; - - static private SecretKey secret = null; +public class SessionEncrytionUtil extends AbstractEncrytionUtil { - static { - try { - String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); - - if (key != null) { - - PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); - SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); - PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); - - - SecureRandom random = new SecureRandom(); - KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); - - PBEKeyAndParameterSpec parameterSpec = - new PBEKeyAndParameterSpec(pbeKey.getEncoded(), - "TestSALT".getBytes(), - 2000, - 16); - - pbkdf2.init(parameterSpec, random); - SecretKey derivedKey = pbkdf2.generateKey(); - - SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); - SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); - secret = kf.generateSecret(spec); - - } else { - Logger.warn("MOASession encryption is deaktivated."); - } - - } catch (Exception e) { - Logger.warn("MOASession encryption can not be inizialized.", e); - } - - } + private static SessionEncrytionUtil instance = null; + private static String key = null; - public static EncryptedData encrypt(byte[] data) throws BuildException { - Cipher cipher; - - if (secret != null) { + public static SessionEncrytionUtil getInstance() { + if (instance == null) { try { - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.ENCRYPT_MODE, secret); - - Logger.debug("Encrypt MOASession"); - - byte[] encdata = cipher.doFinal(data); - byte[] iv = cipher.getIV(); - - return new EncryptedData(encdata, iv); - + key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); + instance = new SessionEncrytionUtil(); + } catch (Exception e) { - Logger.warn("MOASession is not encrypted",e); - throw new BuildException("MOASession is not encrypted", new Object[]{}, e); - } - } else - return new EncryptedData(data, null); + Logger.warn("MOASession encryption can not be inizialized.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private SessionEncrytionUtil() throws DatabaseEncryptionException { + super(); } - public static byte[] decrypt(EncryptedData data) throws BuildException { - Cipher cipher; - - if (secret != null) { - try { - IvParameterSpec iv = new IvParameterSpec(data.getIv()); - - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.DECRYPT_MODE, secret, iv); - - Logger.debug("Decrypt MOASession"); - return cipher.doFinal(data.getEncData()); - - } catch (Exception e) { - Logger.warn("MOASession is not decrypted",e); - throw new BuildException("MOASession is not decrypted", new Object[]{}, e); - } - } else - return data.getEncData(); + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Session-Salt"; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index f7785d2c2..20cabaf4d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -70,6 +70,7 @@ public class MISMandate implements Serializable{ private String oid = null; private byte[] mandate = null; private String owBPK = null; + private boolean isFullMandateIncluded = false; public String getProfRep() { return oid; @@ -109,5 +110,18 @@ public class MISMandate implements Serializable{ } } + /** + * @return the isFullMandateIncluded + */ + public boolean isFullMandateIncluded() { + return isFullMandateIncluded; + } + /** + * @param isFullMandateIncluded the isFullMandateIncluded to set + */ + public void setFullMandateIncluded(boolean isFullMandateIncluded) { + this.isFullMandateIncluded = isFullMandateIncluded; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index aaf793987..15b2a89b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -145,6 +145,8 @@ public class MISSimpleClient { //misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate))); misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes())); + misMandate.setFullMandateIncluded(true); + foundMandates.add(misMandate); } return foundMandates; -- cgit v1.2.3 From a3e490800378eaaa4d9189bc1d1d606caa8fb41d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:21:50 +0200 Subject: remove debug code --- .../moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 1c12e7398..a16fed9cd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -84,9 +84,7 @@ public class AssertionAttributeExtractor { } } - - attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); - + } else throw new AssertionAttributeExtractorExeption(); } -- cgit v1.2.3 From 3993a8fab1cc23ac1f5e82da88b7e09e27cac563 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 11:18:52 +0200 Subject: update attribute builder --- .../protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java | 9 ++++++++- .../pvp2x/builder/attributes/EIDIdentityLinkBuilder.java | 5 +++++ .../pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java | 8 +++++++- .../moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 3dd1dd064..a38446826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class BPKAttributeBuilder implements IPVPAttributeBuilder { @@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { String bpk = authData.getBPK(); String type = authData.getBPKType(); + if (MiscUtil.isEmpty(bpk)) + throw new UnavailableAttributeException(BPK_NAME); + if (type.startsWith(Constants.URN_PREFIX_WBPK)) type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); - else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index e8aeb8fcd..29d6df040 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -27,6 +27,7 @@ import java.io.IOException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -40,6 +41,10 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { IAttributeGenerator g) throws AttributeException { try { String ilAssertion = null; + + if (authData.getIdentityLink() == null) + throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME); + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 7f52e1d47..463658a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { @@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { } public ATT build(OAAuthParameter oaParam, IAuthData authData, - IAttributeGenerator g) throws AttributeException { + IAttributeGenerator g) throws AttributeException { String bpktype = authData.getBPKType(); + + if (MiscUtil.isEmpty(authData.getBPKType())) + throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME); + return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index a8b703fc2..16de43e11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java @@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSourcePIN implements IPVPAttributeBuilder { @@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { + if (MiscUtil.isEmpty(authData.getIdentificationValue())) + throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); + return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue()); } } -- cgit v1.2.3 From 4e18f04f6956db297e4902fc5c55e920816ef903 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 11:20:20 +0200 Subject: add build process for natural person short mandates in case of IDP federation --- .../id/auth/builder/AuthenticationDataBuilder.java | 54 ++++++++++++++++++++-- 1 file changed, 49 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 3c029f261..ed2cd3ecb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -31,7 +31,10 @@ import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; +import java.util.Iterator; import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; @@ -53,6 +56,9 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -487,7 +493,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //build legal person short mandate if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + Logger.debug("Build short mandate for legal person ..."); CorporateBodyType legalperson = new CorporateBodyType(); IdentificationType legalID = new IdentificationType(); Value idvalue = new Value(); @@ -505,10 +512,47 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { - throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); - - - + Logger.debug("Build short mandate for natural person ..."); + PhysicalPersonType physPerson = new PhysicalPersonType(); + PersonNameType persName = new PersonNameType(); + mandator.setPhysicalPerson(physPerson ); + physPerson.setName(persName ); + FamilyName familyName = new FamilyName(); + persName.getFamilyName().add(familyName ); + IdentificationType persID = new IdentificationType(); + physPerson.getIdentification().add(persID ); + Value idValue = new Value(); + persID.setValue(idValue ); + + String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); + for(int i=0; i Date: Wed, 20 Aug 2014 11:21:11 +0200 Subject: add SAML1 'PersonData' attribute builder if no identitylink is available --- .../moa/id/auth/MOAIDAuthConstants.java | 1 + .../protocols/saml1/SAML1AuthenticationServer.java | 93 ++++++++++++++++++---- 2 files changed, 78 insertions(+), 16 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 4cec99b9a..db8b4dd80 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -164,5 +164,6 @@ public interface MOAIDAuthConstants { } }); + public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index fe0d27804..7d3c72630 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -22,15 +22,22 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.saml1; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.List; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import com.sun.xml.bind.marshaller.NamespacePrefixMapper; + import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; @@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.persondata.IdentificationType; +import at.gv.util.xsd.persondata.IdentificationType.Value; +import at.gv.util.xsd.persondata.PersonNameType; +import at.gv.util.xsd.persondata.PersonNameType.FamilyName; +import at.gv.util.xsd.persondata.PhysicalPersonType; public class SAML1AuthenticationServer extends AuthenticationServer { @@ -185,26 +197,75 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() || oaParam.getBusinessService(); - String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), - provideStammzahl); - //set Authblock - String authBlock = saml1parameter.isProvideAUTHBlock() ? authData - .getAuthBlock() : ""; - - //set IdentityLink for assortion + String prPerson = ""; String ilAssertion = ""; - if (saml1parameter.isProvideIdentityLink()) { - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - if (!provideStammzahl) - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); - } - + if (authData.getIdentityLink() != null) { + prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), + provideStammzahl); - String samlAssertion; + //set IdentityLink for assortion + if (saml1parameter.isProvideIdentityLink()) { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); + + if (!provideStammzahl) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); + } + } else { + Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. "); + PhysicalPersonType person = new PhysicalPersonType(); + PersonNameType name = new PersonNameType(); + person.setName(name); + FamilyName familyName = new FamilyName(); + name.getFamilyName().add(familyName ); + IdentificationType id = new IdentificationType(); + person.getIdentification().add(id ); + Value value = new Value(); + id.setValue(value ); + + id.setType(Constants.URN_PREFIX_BASEID); + value.setValue(""); + familyName.setValue(authData.getFamilyName()); + familyName.setPrimary("undefined"); + name.getGivenName().add(authData.getGivenName()); + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata"); + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE); + + m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { + public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { + if (Constants.PD_NS_URI.equals(arg0)) + return Constants.PD_PREFIX; + else + return arg1; + } + }); + + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal( + new JAXBElement(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person), + stream); + prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8")); + stream.close(); + + + + } + + //set Authblock + String authBlock = ""; + if (authData.getAuthBlock() != null) { + authBlock = saml1parameter.isProvideAUTHBlock() ? authData.getAuthBlock() : ""; + + } else { + Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available"); + + } + String samlAssertion; if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); -- cgit v1.2.3 From 7af9d603860dab1b618de7981ae3f0a27ea130db Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 16:47:11 +0200 Subject: solve SLO bug --- .../moa/id/protocols/pvp2x/binding/RedirectBinding.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index f11561c14..587d8e935 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -143,11 +143,11 @@ public class RedirectBinding implements IDecoder, IEncoder { //set metadata descriptor type if (isSPEndPoint) { messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); } else { messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); } } catch (ConfigurationException e) { @@ -206,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder { } public boolean handleDecode(String action, HttpServletRequest req) { - return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() - .equals("GET")); + return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT)) + && req.getMethod().equals("GET")); } public String getSAML2BindingName() { -- cgit v1.2.3 From 5df1984c62b3f214ce9ed368beb9473bce0183e5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 21 Aug 2014 12:09:00 +0200 Subject: fix some problems with Single LogOut --- .../moa/id/moduls/AuthenticationManager.java | 7 ++++--- .../moa/id/protocols/pvp2x/SingleLogOutAction.java | 19 ++++++++++++++----- .../protocols/pvp2x/builder/SingleLogOutBuilder.java | 17 ++++++++++++----- 3 files changed, 30 insertions(+), 13 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 8f9417096..daa70efce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -49,6 +49,7 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleLogoutService; @@ -252,8 +253,8 @@ public class AuthenticationManager extends AuthServlet { VelocityContext context = new VelocityContext(); context.put("redirectURLs", sloReqList); - context.put("$timeoutURL", timeOutURL); - context.put("$timeout", SLOTIMEOUT); + context.put("timeoutURL", timeOutURL); + context.put("timeout", SLOTIMEOUT); ssomanager.printSingleLogOutInfo(context, httpResp); @@ -284,7 +285,7 @@ public class AuthenticationManager extends AuthServlet { Logger.error("MOA AssertionDatabase ERROR", e); if (pvpReq != null) { SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); }else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 46e02d048..b22941216 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction { if (MiscUtil.isEmpty(ssoID)) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; @@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction { } catch (MOADatabaseException e) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; @@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction { ((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { Logger.debug("Process Single LogOut response"); LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse(); - + + Transaction tx = null; + try { String relayState = pvpReq.getRequest().getRelayState(); if (MiscUtil.isEmpty(relayState)) { @@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction { //TODO: add counter to prevent deadlock while (!storageSuccess) { - Transaction tx = session.beginTransaction(); + tx = session.beginTransaction(); List result; Query query = session.getNamedQuery("getAssertionWithArtifact"); @@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction { try { session.delete(element); tx.commit(); - + } catch(HibernateException e) { tx.rollback(); Logger.error("SLOContainter could not deleted from database. "); @@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction { Logger.error("Finale SLO redirct not possible.", e); throw new AuthenticationException("pvp2.13", new Object[]{}); + } finally { + if (tx != null && !tx.wasCommitted()) { + tx.commit(); + + } } + + } else { Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index eeb1dd104..01139d95c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -213,12 +213,13 @@ public class SingleLogOutBuilder { } - + DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); - sloReq.setIssueInstant(new DateTime()); + sloReq.setIssueInstant(now); + sloReq.setNotOnOrAfter(now.plusMinutes(5)); sloReq.setDestination(sloInfo.getServiceURL()); @@ -230,14 +231,17 @@ public class SingleLogOutBuilder { return sloReq; } - public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { + public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException { LogoutResponse sloResp = buildBasicResponse(sloService, spRequest); Status status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(firstLevelStatusCode); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); sloResp.setStatus(status); @@ -255,8 +259,11 @@ public class SingleLogOutBuilder { status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(StatusCode.SUCCESS_URI); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); -- cgit v1.2.3 From a3fe7879ad2363d1bb37588485b6256bfe848d92 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 22 Aug 2014 12:28:35 +0200 Subject: saml1 target parameter update --- .../moa/id/auth/parser/StartAuthentificationParameterParser.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index ff5e62d96..e3f32d59d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -133,7 +133,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetConfig = oaParam.getTarget(); String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); - if (StringUtils.isEmpty(targetConfig)) { + if (StringUtils.isEmpty(targetConfig) + || (module.equals(SAML1Protocol.PATH) && + !StringUtils.isEmpty(target))) { // no target attribut is given in OA config // target is used from request // check parameter -- cgit v1.2.3 From 7d5c3f516ca56afcbee5b886557a5d682cadadcf Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Tue, 26 Aug 2014 16:14:56 +0200 Subject: fixing spcountry issue --- .../main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 33fed945b..d06298efa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1845,7 +1845,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); String spApplication = spInstitution; - String spCountry = "AT"; + String spCountry = "AT"; // intentionally set AT - the flow is limited on that use case only //generate AuthnRquest STORKAuthnRequest authnRequest = new STORKAuthnRequest(); @@ -1855,7 +1855,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authnRequest.setIssuer(issuerValue); authnRequest.setQaa(oaParam.getQaaLevel()); authnRequest.setSpInstitution(spInstitution); - authnRequest.setCountry(spCountry); + authnRequest.setSpCountry(spCountry); authnRequest.setSpApplication(spApplication); authnRequest.setSpSector(spSector); authnRequest.setPersonalAttributeList(attributeList); -- cgit v1.2.3 From c109c1e86a228bd3b3ed49b97e182b3cd2136d00 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Mon, 1 Sep 2014 14:53:36 +0200 Subject: todo gender question --- .../at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 40c358b7e..0ee003e4f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -223,7 +223,7 @@ public class PEPSConnectorServlet extends AuthServlet { moaSession.setUseMandate("true"); // and check if we have the gender value - PersonalAttribute gender = attributeList.get("gender"); + PersonalAttribute gender = attributeList.get("gender"); // TODO Do we need to check gender value if there is no representation case? if(null == gender) { String gendervalue = (String) request.getParameter("gender"); if(null != gendervalue) { -- cgit v1.2.3 From 33b76e7bb23d8772b3a2533aadd0c3313af4b29f Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Thu, 4 Sep 2014 13:34:40 +0200 Subject: added comments --- .../moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java index cd7427913..3bc79f8bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -115,7 +115,7 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnectorWithLocalSigning"; - private String oasisDssWebFormURL = "https://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//TODO load from config + private String oasisDssWebFormURL = "https://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//load from config below /** @@ -260,9 +260,6 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); redirectURL = response.encodeRedirectURL(redirectURL); -// response.setContentType("text/html"); -// response.setStatus(302); -// response.addHeader("Location", redirectURL); response.sendRedirect(redirectURL); Logger.info("REDIRECT TO: " + redirectURL); @@ -470,8 +467,10 @@ public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { boolean found = false; try{ List aps = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix()).getStorkAPs(); + Logger.info("Found AttributeProviderPlugins:"+aps.size()); for(AttributeProviderPlugin ap : aps) { + Logger.info("Found AttributeProviderPlugin attribute:"+ap.getAttributes()); if(ap.getAttributes().equalsIgnoreCase("signedDoc")) { oasisDssWebFormURL = ap.getUrl(); -- cgit v1.2.3 From e9bcc578b0501bc171fe1b6795c57249e9107ae1 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 10 Sep 2014 11:09:58 +0200 Subject: remove SAML1 start authentication target parameter --- .../moa/id/auth/parser/StartAuthentificationParameterParser.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index e3f32d59d..a3bf4af11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -134,8 +134,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); if (StringUtils.isEmpty(targetConfig) - || (module.equals(SAML1Protocol.PATH) && - !StringUtils.isEmpty(target))) { +// || (module.equals(SAML1Protocol.PATH) && +// !StringUtils.isEmpty(target)) + ) { // no target attribut is given in OA config // target is used from request // check parameter -- cgit v1.2.3 From 077054b6e3016e4cfeb6bae501eb52fc62f58208 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 10 Sep 2014 11:10:43 +0200 Subject: add metadata provider info message if not online-application is found --- .../moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index a57fb5717..cba64e080 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -261,6 +261,10 @@ public class MOAMetadataProvider implements MetadataProvider { List oaList = ConfigurationDBRead .getAllActiveOnlineApplications(); + + if (oaList.size() == 0) + Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!"); + Iterator oaIt = oaList.iterator(); while (oaIt.hasNext()) { HTTPMetadataProvider httpProvider = null; -- cgit v1.2.3 From b6f41b7108fa96427ddaaf32b0ada5d519b89089 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 10 Sep 2014 18:07:52 +0200 Subject: update SAML1 error messages if no OA is found --- .../gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 9c8c52e87..8f7f17e2e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -33,6 +33,7 @@ import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; @@ -102,7 +103,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isSAML1Active()) { Logger.info("SAML1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new Object[] { NAME }); + throw new ProtocolNotActiveException("auth.22", new Object[] { "SAML 1" }); } @@ -145,14 +146,14 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { .getOnlineApplicationParameter(oaURL); if (oaParam == null) - throw new AuthenticationException("auth.00", - new Object[] { oaURL }); + throw new InvalidProtocolRequestException("auth.00", + new Object[] { null }); OASAML1 saml1 = oaParam.getSAML1Parameter(); if (saml1 == null || !(saml1.isIsActive() != null && saml1.isIsActive()) ) { Logger.info("Online-Application " + oaURL + " can not use SAML1 for authentication."); - throw new AuthenticationException("auth.00", - new Object[] { oaURL }); + throw new InvalidProtocolRequestException("auth.00", + new Object[] { null }); } config.setSourceID(sourceID); -- cgit v1.2.3 From daa29a7c602c092da50fd901aac26f3f712fae86 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 10 Sep 2014 18:08:34 +0200 Subject: Fix SAML1 assertion date formate --- .../moa/id/auth/builder/AuthenticationDataAssertionBuilder.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index ba4440bf8..fc04fa9a7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -278,7 +278,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB assertion = MessageFormat.format(AUTH_DATA, new Object[] { authData.getAssertionID(), authData.getIssuer(), - authData.getIssueInstant(), + authData.getIssueInstantString(), pkType, pkValue, StringUtils.removeXMLDeclaration(xmlAuthBlock), @@ -303,7 +303,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB assertion = MessageFormat.format(AUTH_DATA_WITH_CONDITIONS, new Object[] { authData.getAssertionID(), authData.getIssuer(), - authData.getIssueInstant(), + authData.getIssueInstantString(), notBefore, notOnOrAfter, pkType, @@ -401,7 +401,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { authData.getAssertionID(), authData.getIssuer(), - authData.getIssueInstant(), + authData.getIssueInstantString(), pkType, pkValue, StringUtils.removeXMLDeclaration(xmlAuthBlock), @@ -427,7 +427,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB assertion = MessageFormat.format(AUTH_DATA_MANDATE_WITH_CONDITIONS, new Object[] { authData.getAssertionID(), authData.getIssuer(), - authData.getIssueInstant(), + authData.getIssueInstantString(), notBefore, notOnOrAfter, pkType, -- cgit v1.2.3 From a860c3d448cc136e8733d0827a0e46b72cd431e7 Mon Sep 17 00:00:00 2001 From: Samuel Weiser Date: Wed, 10 Sep 2014 16:48:19 +0200 Subject: TokenResponse Audience "aud" claim added --- .../attributes/OAuth20AttributeBuilder.java | 1 + .../attributes/OpenIdAudiencesAttribute.java | 47 ++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 3b0d07ce1..583120a86 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -115,6 +115,7 @@ public final class OAuth20AttributeBuilder { buildersOpenId.add(new OpenIdExpirationTimeAttribute()); buildersOpenId.add(new OpenIdIssueInstantAttribute()); buildersOpenId.add(new OpenIdAuthenticationTimeAttribute()); + buildersOpenId.add(new OpenIdAudiencesAttribute()); // profile buildersProfile.add(new ProfileGivenNameAttribute()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java new file mode 100644 index 000000000..404eb1b44 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java @@ -0,0 +1,47 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdAudiencesAttribute implements IAttributeBuilder { + + public String getName() { + return "aud"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", oaParam.getPublicURLPrefix()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} + -- cgit v1.2.3 From 7008b0cb31761563c268ebcb53b13e32333fd931 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 11 Sep 2014 07:51:25 +0200 Subject: add exact timeout validation for SSO sessions --- .../id/auth/servlet/IDPSingleLogOutServlet.java | 33 +++++++++++----------- .../gv/egovernment/moa/id/moduls/SSOManager.java | 16 +++++++++-- 2 files changed, 30 insertions(+), 19 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index a7ec4dcb6..c08d77f12 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -97,32 +97,31 @@ public class IDPSingleLogOutServlet extends AuthServlet { return; - } else if (MiscUtil.isNotEmpty(ssoid)) { - if (ssomanager.isValidSSOSession(ssoid, null)) { + } else if (MiscUtil.isNotEmpty(ssoid)) { + try { + if (ssomanager.isValidSSOSession(ssoid, null)) { - AuthenticationManager authmanager = AuthenticationManager.getInstance(); - String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); + AuthenticationManager authmanager = AuthenticationManager.getInstance(); + String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); - if (MiscUtil.isNotEmpty(moaSessionID)) { - AuthenticationSession authSession; - try { - authSession = AuthenticationSessionStoreage + if (MiscUtil.isNotEmpty(moaSessionID)) { + AuthenticationSession authSession = AuthenticationSessionStoreage .getSession(moaSessionID); if(authSession != null) { authmanager.performSingleLogOut(req, resp, authSession, null); return; } - - } catch (MOADatabaseException e) { - //TODO: insert error Handling - - } catch (MOAIDException e) { - // TODO Auto-generated catch block - e.printStackTrace(); } - } - } + } + } catch (MOADatabaseException e) { + //TODO: insert error Handling + e.printStackTrace(); + + } catch (MOAIDException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } } else if (restartProcessObj != null && restartProcessObj instanceof String) { String restartProcess = (String) restartProcessObj; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index ca3117a79..ff294dc3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -31,6 +31,7 @@ import java.io.InputStreamReader; import java.io.Reader; import java.io.StringWriter; import java.net.URI; +import java.util.Date; import java.util.List; import javax.servlet.http.Cookie; @@ -132,7 +133,7 @@ public class SSOManager { } - public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) { + public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) throws ConfigurationException { // search SSO Session if (ssoSessionID == null) { @@ -144,8 +145,19 @@ public class SSOManager { if (storedSession == null) return false; - + else { + + //check if session is out of lifetime + Date now = new Date(); + long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000; + Date ssoSessionValidTo = new Date(storedSession.getCreated().getTime() + maxSSOSessionTime); + if (now.after(ssoSessionValidTo)) { + Logger.info("Found outdated SSO session information. Start reauthentication process ... "); + return false; + } + + //check if request starts an interfederated SSO session if (protocolRequest != null && protocolRequest instanceof RequestImpl && storedSession.isInterfederatedSSOSession() && -- cgit v1.2.3 From 71eabf1848871783bac88c3254e660fb2199c233 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 11 Sep 2014 10:40:56 +0200 Subject: use SecurityLayer-Template from general configuration if legacy request and OA configuration define no template --- .../auth/parser/StartAuthentificationParameterParser.java | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index a3bf4af11..c912b4620 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -231,14 +231,22 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ if (MiscUtil.isEmpty(templateURL)) { List templateURLList = oaParam.getTemplateURL(); - + List defaulTemplateURLList = + AuthConfigurationProvider.getInstance().getSLRequestTemplates(); + if ( templateURLList != null && templateURLList.size() > 0 && MiscUtil.isNotEmpty(templateURLList.get(0).getURL()) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0).getURL(), AuthConfigurationProvider.getInstance().getRootConfigFileDir()); - Log.info("No SL-Template in request, load SL-Template from OA config (URL: " + templateURL + ")"); - + Log.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); + + } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { + templateURL = FileUtils.makeAbsoluteURL( + defaulTemplateURLList.get(0), + AuthConfigurationProvider.getInstance().getRootConfigFileDir()); + Log.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")"); + } else { Logger.error("NO SL-Tempalte found in OA config"); throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); -- cgit v1.2.3 From 8c69606529427f9b3684d67ff2c7b309a0c586b4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 11 Sep 2014 12:10:14 +0200 Subject: remove AttributQuery URL available check --- .../id/auth/builder/AuthenticationDataBuilder.java | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index ed2cd3ecb..a8a7d0c51 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -256,21 +256,18 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } - //collect attributes by using BackChannel communication - String endpoint = idp.getIDPAttributQueryServiceURL(); - if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); - throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); - } - - - //TODO: check if response include attributes and map this attributes to requested attributes - //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst Response intfResp = (Response) req.getInterfederationResponse().getResponse(); AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp); - if (!extractor.containsAllRequiredAttributes()) { + if (!extractor.containsAllRequiredAttributes()) { + //collect attributes by using BackChannel communication + String endpoint = idp.getIDPAttributQueryServiceURL(); + if (MiscUtil.isEmpty(endpoint)) { + Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); + throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); + } + //build attributQuery request AttributeQuery query = AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); @@ -308,6 +305,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //create assertion attribute extractor from AttributeQuery response extractor = new AssertionAttributeExtractor(intfResp); + } else { + Logger.info("Interfedation response include all attributes with are required. Skip AttributQuery request step. "); + } //parse response information to authData buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); -- cgit v1.2.3 From 5e64f6a3958ac7b570757f02465598e8132f08f8 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 12 Sep 2014 11:21:10 +0200 Subject: change logger class --- .../moa/id/auth/AuthenticationServer.java | 27 +++------------------- .../StartAuthentificationParameterParser.java | 6 ++--- .../pvp2x/builder/attributes/EIDAuthBlock.java | 5 ++-- .../builder/attributes/EIDSignerCertificate.java | 4 ++-- 4 files changed, 9 insertions(+), 33 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index d06298efa..a33c4fdf4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2,8 +2,6 @@ package at.gv.egovernment.moa.id.auth; import iaik.asn1.ObjectID; -import iaik.pki.PKIRuntimeException; -import iaik.util.logging.Log; import iaik.x509.X509Certificate; import iaik.x509.X509ExtensionInitException; @@ -20,14 +18,12 @@ import java.util.ArrayList; //import java.security.cert.CertificateFactory; import java.util.Calendar; import java.util.Date; -import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Vector; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; @@ -44,13 +40,11 @@ import org.opensaml.xml.util.XMLHelper; import org.w3c.dom.DOMException; import org.w3c.dom.Document; import org.w3c.dom.Element; -import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; @@ -61,7 +55,6 @@ import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BKUException; @@ -73,19 +66,14 @@ import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; -import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; -import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; -//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse; -//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient; -//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.client.SZRGWClient; import at.gv.egovernment.moa.id.client.SZRGWClientException; @@ -98,14 +86,11 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.stork.CPEPS; import at.gv.egovernment.moa.id.config.stork.STORKConfig; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; -import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; -import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -117,7 +102,6 @@ import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; -import at.gv.egovernment.moa.util.XPathUtils; import at.gv.util.xsd.mis.MandateIdentifiers; import at.gv.util.xsd.mis.Target; import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest; @@ -141,11 +125,6 @@ import eu.stork.peps.auth.commons.STORKAuthnRequest; import eu.stork.peps.auth.engine.STORKSAMLEngine; import eu.stork.peps.exceptions.STORKSAMLEngineException; -//import java.security.cert.CertificateFactory; -//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse; -//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient; -//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; - /** * API for MOA ID Authentication Service.
{@link AuthenticationSession} is * stored in a session store and retrieved by giving the session ID. @@ -255,13 +234,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { String domainIdentifier = AuthConfigurationProvider.getInstance().getSSOTagetIdentifier().trim(); if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) { //do not use SSO if no Target is set - Log.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); + Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); session.setSsoRequested(false); } if (session.isSsoRequested()) { - Log.info("SSO Login requested"); + Logger.info("SSO Login requested"); //load identityLink with SSO Target boolean isbuisness = false; @@ -279,7 +258,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { isbuisness, domainIdentifier); } else { - Log.info("Non-SSO Login requested"); + Logger.info("Non-SSO Login requested"); //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( oaParam.getBusinessService(), oaParam diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index c912b4620..1bc3702e4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -22,8 +22,6 @@ ******************************************************************************/ package at.gv.egovernment.moa.id.auth.parser; -import iaik.util.logging.Log; - import java.io.UnsupportedEncodingException; import java.util.List; @@ -239,13 +237,13 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0).getURL(), AuthConfigurationProvider.getInstance().getRootConfigFileDir()); - Log.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); + Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { templateURL = FileUtils.makeAbsoluteURL( defaulTemplateURLList.get(0), AuthConfigurationProvider.getInstance().getRootConfigFileDir()); - Log.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")"); + Logger.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")"); } else { Logger.error("NO SL-Tempalte found in OA config"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java index 4f3aff469..61840ea21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java @@ -22,14 +22,13 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import iaik.util.logging.Log; - import java.io.IOException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; @@ -51,7 +50,7 @@ public class EIDAuthBlock implements IPVPAttributeBuilder { } catch (IOException e) { - Log.info("Encode AuthBlock BASE64 failed."); + Logger.info("Encode AuthBlock BASE64 failed."); } throw new UnavailableAttributeException(EID_AUTH_BLOCK_NAME); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java index df1bc1860..8a603f53a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java @@ -22,7 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import iaik.util.logging.Log; import java.io.IOException; @@ -30,6 +29,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; public class EIDSignerCertificate implements IPVPAttributeBuilder { @@ -49,7 +49,7 @@ public class EIDSignerCertificate implements IPVPAttributeBuilder { } }catch (IOException e) { - Log.info("Signer certificate BASE64 encoding error"); + Logger.info("Signer certificate BASE64 encoding error"); } throw new UnavailableAttributeException(EID_SIGNER_CERTIFICATE_NAME); -- cgit v1.2.3 From 0198de78115aea2cf9586c1dbc3e73bf08759465 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 12 Sep 2014 12:28:03 +0200 Subject: remove unused code --- .../java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 848bf94af..80afd9f82 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -72,10 +72,9 @@ public class MOAIDAuthInitializer { CommandMap.setDefaultCommandMap(mc); // create some properties and get the default Session - Properties props = new Properties(); - props.put("mail.smtp.host", "localhost"); - - Session session = Session.getDefaultInstance(props, null); +// Properties props = new Properties(); +// props.put("mail.smtp.host", "localhost"); +// Session session = Session.getDefaultInstance(props, null); // Restricts TLS cipher suites // System.setProperty( -- cgit v1.2.3