From a7c22b659f5bc760cb46d5892409dab12cc047d6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 15 Oct 2013 09:57:38 +0200
Subject: Add an unique random tokken to AuthBlock to prevent replay attacks.
 The timestamp, which was previously in use, can be predicted.

---
 .../moa/id/auth/AuthenticationServer.java          |  4 +--
 .../AuthenticationBlockAssertionBuilder.java       | 32 +++++++++++++----
 .../moa/id/auth/data/AuthenticationSession.java    | 18 ++++++++++
 .../CreateXMLSignatureResponseValidator.java       | 41 ++++++++++++++++++++--
 4 files changed, 85 insertions(+), 10 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 84f85b3d6..af23d4c78 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -553,7 +553,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 							session.getPublicOAURLPrefix());
 
 		// builds the AUTH-block
-		String authBlock = buildAuthenticationBlock(session, oaParam);
+	String authBlock = buildAuthenticationBlock(session, oaParam);
 
 		// builds the <CreateXMLSignatureRequest>
 		List<String> transformsInfos = oaParam.getTransformsInfos();
@@ -1141,7 +1141,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			String xmlCreateXMLSignatureReadResponse)
 			throws AuthenticationException, BuildException, ParseException,
 			ConfigurationException, ServiceException, ValidateException, BKUException {
-
+		
 		if (session == null)
 			throw new AuthenticationException("auth.10", new Object[] {
 					REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 0421a868c..f5d603480 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -84,6 +84,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     "   </saml:Attribute>" + NL +
     "{7}" +
     "{8}" +
+    "{9}" +
     " </saml:AttributeStatement>" + NL +
     "</saml:Assertion>";
   
@@ -107,6 +108,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 		    "     <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +  
 		    "   </saml:Attribute>" + NL;
   
+  private static String AUTHBLOCKTOKKEN_ATTRIBUTE =
+		    "   <saml:Attribute AttributeName=''UniqueTokken'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+		    "     <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +  
+		    "   </saml:Attribute>" + NL;
+  
   
   private static String PR_IDENTIFICATION_ATTRIBUTE =     
        "       <pr:Identification xmlns:pr=\"" + PD_NS_URI + "\">" + NL +
@@ -117,8 +123,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
   /**
    * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).
    */
-  public static final int NUM_OF_SAML_ATTRIBUTES = 4;
-  public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3;
+  public static final int NUM_OF_SAML_ATTRIBUTES = 5;
+  public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
   
   /**
    * Constructor for AuthenticationBlockAssertionBuilder.
@@ -170,6 +176,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     AuthenticationSession session,
     OAAuthParameter oaParam)
   throws BuildException
+  
   {
     session.setSAMLAttributeGebeORwbpk(true);
     String gebeORwbpk = "";
@@ -264,11 +271,13 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 		Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
 	}
     
-    
-    
    	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
    			new Object[] { generateSpecialText(text, issuer, issueInstant) });
     
+   	//generate unique AuthBlock tokken
+   	String uniquetokken = Random.nextRandom();
+   	session.setAuthBlockTokken(uniquetokken);
+   	
     String assertion;
     try {    	
       assertion = MessageFormat.format(
@@ -281,6 +290,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
           oaURL, 
           gebDat,
           specialText,
+          MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, 
+         			new Object[] { uniquetokken }),
           buildExtendedSAMLAttributes(extendedSAMLAttributes)});
     } catch (ParseException e) {
       Logger.error("Error on building AUTH-Block: " + e.getMessage());
@@ -415,6 +426,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
    	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
    			new Object[] { generateSpecialText(text, issuer, issueInstant) });
     
+   	//generate unique AuthBlock tokken
+   	String uniquetokken = Random.nextRandom();
+   	session.setAuthBlockTokken(uniquetokken);
+   	
     String assertion;
     try {
       assertion = MessageFormat.format(
@@ -427,6 +442,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
           oaURL, 
           gebDat,
           specialText,
+          MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, 
+       			new Object[] { uniquetokken }),
           buildExtendedSAMLAttributes(extendedSAMLAttributes)});
     } catch (ParseException e) {
       Logger.error("Error on building AUTH-Block: " + e.getMessage());
@@ -521,9 +538,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 		   	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, 
 		   			new Object[] { generateSpecialText(text, issuer, issueInstant) });
 	
-
+		   	//generate unique AuthBlock tokken
+		   	String uniquetokken = Random.nextRandom();
+		   	session.setAuthBlockTokken(uniquetokken);
 		
-		   	
 		    String assertion;
     	
 		      assertion = MessageFormat.format(
@@ -536,6 +554,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
 		          oaURL, 
 		          gebDat,
 		          specialText,
+		          MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, 
+		         			new Object[] { uniquetokken }),
 		          buildExtendedSAMLAttributes(extendedSAMLAttributes)});
 		      
 			    return assertion;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index 4cb174e1c..9eaa13f04 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -158,6 +158,8 @@ public class AuthenticationSession implements Serializable {
 	 */
 	private String authBlock;
 	
+	private String authBlockTokken;
+	
 	/**
 	 * The issuing time of the AUTH-Block SAML assertion.
 	 */
@@ -974,6 +976,22 @@ public class AuthenticationSession implements Serializable {
 	public void setOW(boolean isOW) {
 		this.isOW = isOW;
 	}
+
+	/**
+	 * @return the authBlockTokken
+	 */
+	public String getAuthBlockTokken() {
+		return authBlockTokken;
+	}
+
+	/**
+	 * @param authBlockTokken the authBlockTokken to set
+	 */
+	public void setAuthBlockTokken(String authBlockTokken) {
+		this.authBlockTokken = authBlockTokken;
+	}
+	
+	
 	
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 9e98b73b4..ed7f9df0d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -262,7 +262,7 @@ public class CreateXMLSignatureResponseValidator {
     if (!samlAttribute.getName().equals("SpecialText")) {
       throw new ValidateException(
           "validator.37", 
-          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
     }
     if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
       String samlSpecialText = (String)samlAttribute.getValue();
@@ -285,6 +285,25 @@ public class CreateXMLSignatureResponseValidator {
       throw new ValidateException("validator.35", null);
     }
     
+    
+    //check unique AuthBlock tokken
+    samlAttribute = samlAttributes[4 + offset];
+    if (!samlAttribute.getName().equals("UniqueTokken")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      String uniquetokken = (String)samlAttribute.getValue();
+           
+      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+      }
+    } else {
+      throw new ValidateException("validator.35", null);
+    }
+    
+    
     // now check the extended SAML attributes
     int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
     if (extendedSAMLAttributes != null) {
@@ -471,7 +490,7 @@ public class CreateXMLSignatureResponseValidator {
     if (!samlAttribute.getName().equals("SpecialText")) {
       throw new ValidateException(
           "validator.37", 
-          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
     }
     if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
       String samlSpecialText = (String)samlAttribute.getValue();
@@ -495,6 +514,24 @@ public class CreateXMLSignatureResponseValidator {
       throw new ValidateException("validator.35", null);
     }
     
+    //check unique AuthBlock tokken
+    samlAttribute = samlAttributes[3 + offset];
+    if (!samlAttribute.getName().equals("UniqueTokken")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      String uniquetokken = (String)samlAttribute.getValue();
+           
+      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+      }
+    } else {
+      throw new ValidateException("validator.35", null);
+    }
+    
+    
     // now check the extended SAML attributes
     int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
     if (extendedSAMLAttributes != null) {
-- 
cgit v1.2.3