From f51f447ed199dc1c3f5dc750d169462d42b2b6ad Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 17 Jan 2014 11:50:42 +0100 Subject: load IAIK JCE as security provider BugFix: @MandateReferenceValue has to to been added @SessionStorage hibernate RoleBack in case of no MOASession is found --- .../egovernment/moa/id/auth/MOAIDAuthInitializer.java | 13 ++++++++++++- .../egovernment/moa/id/auth/servlet/AuthServlet.java | 11 +++++++++++ .../moa/id/entrypoints/DispatcherServlet.java | 6 +++++- .../MandateReferenceValueAttributeBuilder.java | 19 ++++++++++--------- .../moa/id/storage/AuthenticationSessionStoreage.java | 1 + 5 files changed, 39 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 556d26c67..dbfbdad51 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -24,11 +24,15 @@ package at.gv.egovernment.moa.id.auth; +import iaik.cms.ecc.IaikEccProvider; import iaik.pki.PKIException; import iaik.pki.jsse.IAIKX509TrustManager; +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; import java.io.IOException; import java.security.GeneralSecurityException; +import java.security.Security; import java.util.Properties; import javax.activation.CommandMap; @@ -74,6 +78,14 @@ public class MOAIDAuthInitializer { Logger.info("Default java file.encoding: " + System.getProperty("file.encoding")); + + Logger.info("Loading security providers."); + IAIK.addAsProvider(); + + +// Security.insertProviderAt(new IAIK(), 1); +// Security.insertProviderAt(new ECCProvider(), 1); + //JDK bug workaround according to: // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier // register content data handlers for S/MIME types @@ -180,5 +192,4 @@ public class MOAIDAuthInitializer { AuthConfigLoader.start(); } - } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index 27ac16157..1b7b317c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -23,9 +23,13 @@ package at.gv.egovernment.moa.id.auth.servlet; +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; + import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.security.Security; import java.util.Enumeration; import java.util.HashMap; import java.util.List; @@ -34,6 +38,7 @@ import java.util.Map; import javax.servlet.RequestDispatcher; import javax.servlet.ServletConfig; import javax.servlet.ServletContext; +import javax.servlet.ServletContextEvent; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; @@ -351,6 +356,12 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { super.init(servletConfig); } + +// public void contextDestroyed(ServletContextEvent arg0) { +// Security.removeProvider((new IAIK()).getName()); +// Security.removeProvider((new ECCProvider()).getName()); +// } + /** * Set response headers to avoid caching * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 225ecb2a2..777081da0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -2,7 +2,11 @@ package at.gv.egovernment.moa.id.entrypoints; +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; + import java.io.IOException; +import java.security.Security; import java.util.Iterator; import java.util.Map; import java.util.Set; @@ -478,7 +482,7 @@ public class DispatcherServlet extends AuthServlet{ } } - + @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java index 5a50473d3..46c6ffb78 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java @@ -20,17 +20,18 @@ public class MandateReferenceValueAttributeBuilder extends BaseAttributeBuilder public Attribute build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData) throws PVP2Exception { if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); - if(mandate == null) { - throw new NoMandateDataAvailableException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAvailableException(); - } + +// Element mandate = authSession.getMandate(); +// if(mandate == null) { +// throw new NoMandateDataAvailableException(); +// } +// Mandate mandateObject = MandateBuilder.buildMandate(mandate); +// if(mandateObject == null) { +// throw new NoMandateDataAvailableException(); +// } return buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, - MANDATE_REFERENCE_VALUE_NAME, mandateObject.getMandateID()); + MANDATE_REFERENCE_VALUE_NAME, authSession.getMandateReferenceValue()); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index e40d11128..840c3f2be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -209,6 +209,7 @@ public class AuthenticationSessionStoreage { //Assertion requires an unique artifact if (result.size() != 1) { Logger.trace("No entries found."); + tx.rollback(); throw new MOADatabaseException("No session found with this sessionID"); } -- cgit v1.2.3 From 51c45b375485399d36e33f1ab4cf76e9273222e3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Jan 2014 13:00:34 +0100 Subject: implement SAML2 assertion encryption --- .../id/protocols/pvp2x/binding/PostBinding.java | 2 +- .../builder/assertion/PVP2AssertionBuilder.java | 2 +- .../InvalidAssertionEncryptionException.java | 14 ++++ .../pvp2x/requestHandler/AuthnRequestHandler.java | 94 +++++++++++++++++++++- 4 files changed, 107 insertions(+), 5 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 232ad315f..2fe52d032 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -67,7 +67,7 @@ public class PostBinding implements IDecoder, IEncoder { .buildObject(); service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); service.setLocation(targetLocation); - context.setOutboundSAMLMessageSigningCredential(credentials); + context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); // context.setOutboundMessage(authReq); context.setOutboundSAMLMessage(response); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index f21567245..eaa570ab1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -144,7 +144,7 @@ public class PVP2AssertionBuilder implements PVPConstants { SPSSODescriptor spSSODescriptor = peerEntity .getSPSSODescriptor(SAMLConstants.SAML20P_NS); - + Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); int idx = 0; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java new file mode 100644 index 000000000..142227a59 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java @@ -0,0 +1,14 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +import org.opensaml.saml2.core.StatusCode; + +public class InvalidAssertionEncryptionException extends PVP2Exception { + + private static final long serialVersionUID = 6513388841485355549L; + + public InvalidAssertionEncryptionException() { + super("pvp2.16", new Object[]{}); + this.statusCodeValue = StatusCode.REQUESTER_URI; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index fec21df9e..c3884f9d8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -1,22 +1,45 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; +import java.util.ArrayList; import java.util.Date; +import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.joda.time.DateTime; +import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.Issuer; import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder; +import org.opensaml.saml2.encryption.Encrypter; +import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCriteria; import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.encryption.EncryptionException; +import org.opensaml.xml.encryption.EncryptionParameters; +import org.opensaml.xml.encryption.KeyEncryptionParameters; +import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.criteria.EntityIDCriteria; +import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; +import org.opensaml.xml.security.x509.BasicX509Credential; +import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.signature.KeyInfo; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -30,6 +53,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -49,10 +74,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { EntityDescriptor peerEntity = obj.getEntityMetadata(); Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity); - + Response authResponse = SAML2Utils.createSAMLObject(Response.class); - Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); //TODO: check! @@ -67,7 +91,6 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { //SAML2 response required IssueInstant authResponse.setIssueInstant(new DateTime()); - authResponse.getAssertions().add(assertion); authResponse.setStatus(SAML2Utils.getSuccessStatus()); Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); @@ -84,10 +107,75 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { .getAssertionConsumerServices().get(idx); if (consumerService == null) { + //TODO: maybe use default ConsumerService + throw new InvalidAssertionConsumerServiceException(idx); + } String oaURL = consumerService.getLocation(); + //check, if metadata includes an encryption key + MetadataCredentialResolver mdCredResolver = + new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); + + CriteriaSet criteriaSet = new CriteriaSet(); + criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) ); + criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); + criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); + + X509Credential encryptionCredentials = null; + try { + encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); + + } catch (SecurityException e2) { + Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); + throw new InvalidAssertionEncryptionException(); + + } + + if (encryptionCredentials != null) { + //encrypt SAML2 assertion + + try { + + EncryptionParameters dataEncParams = new EncryptionParameters(); + dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); + + List keyEncParamList = new ArrayList(); + KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); + + keyEncParam.setEncryptionCredential(encryptionCredentials); + keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); + KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() + .getKeyInfoGeneratorManager().getDefaultManager() + .getFactory(encryptionCredentials); + keyEncParam.setKeyInfoGenerator(kigf.newInstance()); + keyEncParamList.add(keyEncParam); + + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); + //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); + samlEncrypter.setKeyPlacement(KeyPlacement.PEER); + + EncryptedAssertion encryptAssertion = null; + + encryptAssertion = samlEncrypter.encrypt(assertion); + + authResponse.getEncryptedAssertions().add(encryptAssertion); + + } catch (EncryptionException e1) { + Logger.warn("Can not encrypt the PVP2 assertion", e1); + throw new InvalidAssertionEncryptionException(); + + } + + } else { + authResponse.getAssertions().add(assertion); + + } + + + + IEncoder binding = null; if (consumerService.getBinding().equals( -- cgit v1.2.3 From dd4a77caa66368ca257fcf5a1f87d0dab90477f5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Jan 2014 18:00:41 +0100 Subject: BUGFIX: RedirectBinding validate signatures which exists, but signature is not required changes for WKO: Allow Metadata with no AttributeConsumerService Allow AuthnRequest with no RequestedAuthnContext Allow AuthnRequest with no AssertionConsumerServiceIndex Use Metadata->AssertionConsumerService->isDefaut flag --- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 25 +++-- .../protocols/pvp2x/binding/RedirectBinding.java | 10 +- .../builder/assertion/PVP2AssertionBuilder.java | 122 +++++++++++---------- .../pvp2x/requestHandler/AuthnRequestHandler.java | 26 ++++- .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 16 +++ .../pvp2x/verification/SAMLVerificationEngine.java | 1 + 6 files changed, 130 insertions(+), 70 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index bef58ab59..dc2330f40 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -124,7 +124,6 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { RequestAbstractType samlReq = moaRequest.getSamlRequest(); //String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq)); - //Logger.info("SAML : " + xml); if(!moaRequest.isVerified()) { @@ -137,6 +136,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { throw new MOAIDException("Unsupported request", new Object[] {}); } + EntityDescriptor metadata = moaRequest.getEntityMetadata(); + if(metadata == null) { + throw new NoMetadataInformationException(); + } + SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + AuthnRequest authnRequest = (AuthnRequest)samlReq; Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); @@ -144,6 +149,9 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { if(aIdx != null) { assertionidx = aIdx.intValue(); + + } else { + assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); } aIdx = authnRequest.getAttributeConsumingServiceIndex(); @@ -153,13 +161,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { attributeIdx = aIdx.intValue(); } - EntityDescriptor metadata = moaRequest.getEntityMetadata(); - if(metadata == null) { - throw new NoMetadataInformationException(); - } - SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); - AttributeConsumingService attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); + + AttributeConsumingService attributeConsumer = null; + + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); + } String oaURL = moaRequest.getEntityMetadata().getEntityID(); String binding = consumerService.getBinding(); @@ -176,7 +185,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { String useMandate = request.getParameter(PARAM_USEMANDATE); if(useMandate != null) { - if(useMandate.equals("true")) { + if(useMandate.equals("true") && attributeConsumer != null) { if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { throw new MandateAttributesNotHandleAbleException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 418c4a60c..9b43fb999 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -3,11 +3,13 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; +import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; @@ -31,6 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.util.DOMUtils; public class RedirectBinding implements IDecoder, IEncoder { @@ -84,13 +87,18 @@ public class RedirectBinding implements IDecoder, IEncoder { SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); + + BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add(signatureRule); + policy.getPolicyRules().add(signedRole); + SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( policy); messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); messageContext.setSecurityPolicyResolver(resolver); - + decode.decode(messageContext); signatureRule.evaluate(messageContext); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index eaa570ab1..d1d79373c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -64,46 +64,48 @@ public class PVP2AssertionBuilder implements PVPConstants { RequestedAuthnContext reqAuthnContext = authnRequest .getRequestedAuthnContext(); - if (reqAuthnContext == null) { - throw new NoAuthContextException(); - } - - boolean stork_qaa_1_4_found = false; - AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); - - List reqAuthnContextClassRefIt = reqAuthnContext - .getAuthnContextClassRefs(); - if (reqAuthnContextClassRefIt.size() == 0) { - stork_qaa_1_4_found = true; + if (reqAuthnContext == null) { authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); - - } else { - for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { - String qaa_uri = authnClassRef.getAuthnContextClassRef(); - if (qaa_uri.trim().equals(STORK_QAA_1_4) - || qaa_uri.trim().equals(STORK_QAA_1_3) - || qaa_uri.trim().equals(STORK_QAA_1_2) - || qaa_uri.trim().equals(STORK_QAA_1_1)) { - - if (authSession.isForeigner()) { - //TODO: insert QAA check - - stork_qaa_1_4_found = false; - - } else { - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + + } else { + + boolean stork_qaa_1_4_found = false; + + List reqAuthnContextClassRefIt = reqAuthnContext + .getAuthnContextClassRefs(); + + if (reqAuthnContextClassRefIt.size() == 0) { + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + + } else { + for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { + String qaa_uri = authnClassRef.getAuthnContextClassRef(); + if (qaa_uri.trim().equals(STORK_QAA_1_4) + || qaa_uri.trim().equals(STORK_QAA_1_3) + || qaa_uri.trim().equals(STORK_QAA_1_2) + || qaa_uri.trim().equals(STORK_QAA_1_1)) { + + if (authSession.isForeigner()) { + //TODO: insert QAA check + + stork_qaa_1_4_found = false; + + } else { + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + } + break; } - break; } } - } - - if (!stork_qaa_1_4_found) { - throw new QAANotSupportedException(STORK_QAA_1_4); + + if (!stork_qaa_1_4_found) { + throw new QAANotSupportedException(STORK_QAA_1_4); + } } // reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs() @@ -150,10 +152,8 @@ public class PVP2AssertionBuilder implements PVPConstants { if (aIdx != null) { idx = aIdx.intValue(); - } - - AttributeConsumingService attributeConsumingService = spSSODescriptor - .getAttributeConsumingServices().get(idx); + + } AttributeStatement attributeStatement = SAML2Utils .createSAMLObject(AttributeStatement.class); @@ -197,32 +197,38 @@ public class PVP2AssertionBuilder implements PVPConstants { .buildAuthenticationData(authSession, oaParam, oaParam.getTarget()); - Iterator it = attributeConsumingService - .getRequestAttributes().iterator(); - while (it.hasNext()) { - RequestedAttribute reqAttribut = it.next(); - try { - Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), authSession, oaParam, authData); - if (attr == null) { + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + + AttributeConsumingService attributeConsumingService = spSSODescriptor + .getAttributeConsumingServices().get(idx); + + Iterator it = attributeConsumingService + .getRequestAttributes().iterator(); + while (it.hasNext()) { + RequestedAttribute reqAttribut = it.next(); + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + reqAttribut.getName(), authSession, oaParam, authData); + if (attr == null) { + if (reqAttribut.isRequired()) { + throw new UnprovideableAttributeException( + reqAttribut.getName()); + } + } else { + attributeStatement.getAttributes().add(attr); + } + } catch (PVP2Exception e) { + Logger.error( + "Attribute generation failed! for " + + reqAttribut.getFriendlyName(), e); if (reqAttribut.isRequired()) { throw new UnprovideableAttributeException( reqAttribut.getName()); } - } else { - attributeStatement.getAttributes().add(attr); - } - } catch (PVP2Exception e) { - Logger.error( - "Attribute generation failed! for " - + reqAttribut.getFriendlyName(), e); - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); } } } - if (attributeStatement.getAttributes().size() > 0) { assertion.getAttributeStatements().add(attributeStatement); } @@ -294,7 +300,7 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); - subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20)); + subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(5)); //TL: change from entityID to destination URL AssertionConsumerService consumerService = spSSODescriptor @@ -319,7 +325,7 @@ public class PVP2AssertionBuilder implements PVPConstants { audienceRestriction.getAudiences().add(audience); conditions.setNotBefore(new DateTime()); - conditions.setNotOnOrAfter(new DateTime().plusMinutes(20)); + conditions.setNotOnOrAfter(new DateTime().plusMinutes(5)); // conditions.setNotOnOrAfter(new DateTime()); conditions.getAudienceRestrictions().add(audienceRestriction); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index c3884f9d8..4128a406b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -1,11 +1,13 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; +import java.io.IOException; import java.util.ArrayList; import java.util.Date; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; import org.joda.time.DateTime; import org.opensaml.Configuration; @@ -30,6 +32,7 @@ import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.encryption.EncryptionException; import org.opensaml.xml.encryption.EncryptionParameters; import org.opensaml.xml.encryption.KeyEncryptionParameters; +import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; @@ -55,6 +58,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -93,15 +97,18 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { authResponse.setStatus(SAML2Utils.getSuccessStatus()); + SPSSODescriptor spSSODescriptor = peerEntity + .getSPSSODescriptor(SAMLConstants.SAML20P_NS); + Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); int idx = 0; if (aIdx != null) { idx = aIdx.intValue(); + + } else { + idx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); } - - SPSSODescriptor spSSODescriptor = peerEntity - .getSPSSODescriptor(SAMLConstants.SAML20P_NS); AssertionConsumerService consumerService = spSSODescriptor .getAssertionConsumerServices().get(idx); @@ -201,6 +208,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { binding.encodeRespone(req, resp, authResponse, oaURL); // TODO add remoteSessionID to AuthSession ExternalPVPSessionStore +// Logger logger = new Logger(); +// logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse))); + + return assertion.getID(); } catch (MessageEncodingException e) { @@ -209,6 +220,15 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { } catch (SecurityException e) { Logger.error("Security exception", e); throw new MOAIDException("pvp2.01", null, e); +// } catch (TransformerException e) { +// Logger.error("Security exception", e); +// throw new MOAIDException("pvp2.01", null, e); +// } catch (IOException e) { +// Logger.error("Security exception", e); +// throw new MOAIDException("pvp2.01", null, e); +// } catch (MarshallingException e) { +// Logger.error("Security exception", e); +// throw new MOAIDException("pvp2.01", null, e); } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 7bb5b052f..373bca902 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; import java.io.IOException; import java.security.NoSuchAlgorithmException; +import java.util.List; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilder; @@ -13,6 +14,8 @@ import org.opensaml.Configuration; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.xml.io.Marshaller; @@ -77,4 +80,17 @@ public class SAML2Utils { status.setStatusCode(statusCode); return status; } + + public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) { + + List assertionConsumerList = spSSODescriptor.getAssertionConsumerServices(); + + for (AssertionConsumerService el : assertionConsumerList) { + if (el.isDefault()) + return el.getIndex(); + + } + + return 0; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 628da6773..4823d7629 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -41,6 +41,7 @@ public class SAMLVerificationEngine { public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); + try { profileValidator.validate(samlObj.getSignature()); } catch (ValidationException e) { -- cgit v1.2.3 From f5f8575182680e61068e6225e3fc67b92187ac54 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 22 Jan 2014 11:47:59 +0100 Subject: add additional log messages --- .../at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java | 3 +++ .../gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java | 3 +++ 2 files changed, 6 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 2fe52d032..9319c306b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -27,6 +27,7 @@ import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; public class PostBinding implements IDecoder, IEncoder { @@ -45,6 +46,8 @@ public class PostBinding implements IDecoder, IEncoder { Credential credentials = CredentialProvider .getIDPSigningCredential(); + Logger.debug("create SAML POSTBinding response"); + // VelocityEngine engine = // VelocityProvider.getClassPathVelocityEngine(); VelocityEngine engine = new VelocityEngine(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 9b43fb999..78b63e041 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; public class RedirectBinding implements IDecoder, IEncoder { @@ -50,6 +51,8 @@ public class RedirectBinding implements IDecoder, IEncoder { Credential credentials = CredentialProvider .getIDPSigningCredential(); + Logger.debug("create SAML RedirectBinding response"); + HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); -- cgit v1.2.3 From d9550b5e3f24a0f6013502dcc632c4d2730a6749 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 22 Jan 2014 13:28:46 +0100 Subject: change PVP2 AssertionBuilder to use the same DateTime at every position --- .../pvp2x/builder/assertion/PVP2AssertionBuilder.java | 12 ++++++------ .../protocols/pvp2x/requestHandler/AuthnRequestHandler.java | 6 ++++-- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index d1d79373c..9e2c89583 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -57,7 +57,7 @@ import at.gv.egovernment.moa.util.Constants; public class PVP2AssertionBuilder implements PVPConstants { public static Assertion buildAssertion(AuthnRequest authnRequest, - AuthenticationSession authSession, EntityDescriptor peerEntity) + AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date) throws MOAIDException { Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); @@ -137,7 +137,7 @@ public class PVP2AssertionBuilder implements PVPConstants { AuthnStatement authnStatement = SAML2Utils .createSAMLObject(AuthnStatement.class); String remoteSessionID = SAML2Utils.getSecureIdentifier(); - authnStatement.setAuthnInstant(new DateTime()); + authnStatement.setAuthnInstant(date); // currently dummy id ... authnStatement.setSessionIndex(remoteSessionID); authnStatement.setAuthnContext(authnContext); @@ -300,7 +300,7 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); - subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(5)); + subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5)); //TL: change from entityID to destination URL AssertionConsumerService consumerService = spSSODescriptor @@ -323,9 +323,9 @@ public class PVP2AssertionBuilder implements PVPConstants { audience.setAudienceURI(peerEntity.getEntityID()); audienceRestriction.getAudiences().add(audience); - conditions.setNotBefore(new DateTime()); + conditions.setNotBefore(date); - conditions.setNotOnOrAfter(new DateTime().plusMinutes(5)); + conditions.setNotOnOrAfter(date.plusMinutes(5)); // conditions.setNotOnOrAfter(new DateTime()); conditions.getAudienceRestrictions().add(audienceRestriction); @@ -342,7 +342,7 @@ public class PVP2AssertionBuilder implements PVPConstants { assertion.setIssuer(issuer); assertion.setSubject(subject); assertion.setID(SAML2Utils.getSecureIdentifier()); - assertion.setIssueInstant(new DateTime()); + assertion.setIssueInstant(date); return assertion; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 4128a406b..89285bad1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -77,7 +77,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest(); EntityDescriptor peerEntity = obj.getEntityMetadata(); - Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity); + DateTime date = new DateTime(); + + Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity, date); Response authResponse = SAML2Utils.createSAMLObject(Response.class); @@ -93,7 +95,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { authResponse.setInResponseTo(authnRequest.getID()); //SAML2 response required IssueInstant - authResponse.setIssueInstant(new DateTime()); + authResponse.setIssueInstant(date); authResponse.setStatus(SAML2Utils.getSuccessStatus()); -- cgit v1.2.3