From b53d2f387282b731ea72806ec7d410a1c27a878d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 12 Jun 2018 06:25:41 +0200 Subject: add foreign bPK generation into AuthenticationDataBuilder --- .../id/auth/builder/AuthenticationDataBuilder.java | 87 +++++++++++++++++++++- .../moa/id/auth/builder/BPKBuilder.java | 26 +++++-- .../parser/VerifyXMLSignatureResponseParser.java | 2 +- .../moa/id/config/auth/OAAuthParameter.java | 14 +++- .../config/auth/data/DynamicOAAuthParameters.java | 6 ++ .../moa/id/data/AuthenticationData.java | 2 + .../attributes/EncryptedBPKAttributeBuilder.java | 2 +- 7 files changed, 128 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index b93de5119..91159ad4e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -30,9 +30,13 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Date; +import java.util.HashMap; import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import javax.annotation.PostConstruct; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; @@ -102,12 +106,32 @@ import iaik.x509.X509Certificate; @Service("AuthenticationDataBuilder") public class AuthenticationDataBuilder extends MOAIDAuthConstants { + private static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey"; + @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + private Map encKeyMap = new HashMap(); + + @PostConstruct + private void initialize() { + Map pubKeyMap = authConfig.getBasicMOAIDConfigurationWithPrefix(CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS); + for (Entry el : pubKeyMap.entrySet()) { + try { + encKeyMap.put(el.getKey(), new X509Certificate(Base64Utils.decode(el.getValue(), false))); + Logger.info("Load foreign bPK encryption certificate for sector: " + el.getKey()); + + } catch (Exception e) { + Logger.warn("Can NOT load foreign bPK encryption certificate for sector: \" + el.getKey()", e); + + } + + } + } + public IAuthData buildAuthenticationData(IRequest pendingReq, IAuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { @@ -648,7 +672,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { Logger.info("Can NOT set Organwalter IdentityLink. Msg: No IdentityLink found"); - //set bPK and IdenityLink for all other + //set bPK and IdentityLink for all other } else { //build bPK String pvpbPKValue = getbPKValueFromPVPAttribute(session); @@ -724,7 +748,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } - + + //build foreign bPKs + generateForeignbPK(authData, oaParam.foreignbPKSectorsRequested()); + + //build IdentityLink if (identityLink != null) authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, identityLink, authData.getBPK(), authData.getBPKType())); @@ -810,6 +838,61 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } + private void generateForeignbPK(AuthenticationData authData, List foreignSectors) { + if (foreignSectors != null && !foreignSectors.isEmpty()) { + Logger.debug("Sectors for foreign bPKs are configurated. Starting foreign bPK generation ... "); + for (String foreignSector : foreignSectors) { + Logger.trace("Process sector: " + foreignSector + " ... "); + if (encKeyMap.containsKey(foreignSector)) { + try { + String sector = null; + //splitt sector into VKZ and target + if (foreignSector.startsWith("wbpk")) { + Logger.trace("Find foreign private sector " + foreignSector); + sector = Constants.URN_PREFIX + ":" + foreignSector; + + } else { + String[] split = foreignSector.split("+"); + if (split.length != 2) { + Logger.warn("Foreign sector: " + foreignSector + " looks WRONG. IGNORE IT!"); + + } else { + Logger.trace("Find foreign public sector. VKZ: " + split[0] + " Target: " + split[1]); + sector = Constants.URN_PREFIX_CDID + "+" + split[1]; + + } + + } + + if (sector != null) { + Pair bpk = new BPKBuilder().generateAreaSpecificPersonIdentifier( + authData.getIdentificationValue(), + authData.getIdentificationType(), + sector); + String foreignbPK = BPKBuilder.encryptBPK(bpk.getFirst(), bpk.getSecond(), encKeyMap.get(foreignSector).getPublicKey()); + authData.getEncbPKList().add("(" + foreignSector + "|" + foreignbPK + ")"); + Logger.debug("Foreign bPK for sector: " + foreignSector + " created."); + + } + + } catch (Exception e) { + Logger.warn("Foreign bPK generation FAILED for sector: " + foreignSector, e); + + } + + } else { + Logger.info("NO encryption cerfificate FOUND in configuration for sector: " + foreignSector); + Logger.info("Foreign bPK for sector: " + foreignSector + " is NOT possible"); + + } + } + + } else + Logger.debug("No foreign bPKs required for this service provider"); + + } + + /** * Check a bPK-Type against a Service-Provider configuration
* If bPK-Type is null the result is false. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index a7f6e873f..04df32309 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -266,16 +266,21 @@ public class BPKBuilder { public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); + MiscUtil.assertNotNull(target, "sector"); MiscUtil.assertNotNull(publicKey, "publicKey"); - + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); - String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" + if (!target.startsWith(Constants.URN_PREFIX)) { + throw new BuildException("bPK encryption FAILED. bPK target does NOT starts with a valid prefix", null); + + } + + String input = "V1::" + + target + "::" + bpk + "::" + sdf.format(new Date()); - System.out.println(input); + Logger.trace("Foreign bPK: " + input); byte[] result; try { byte[] inputBytes = input.getBytes("ISO-8859-1"); @@ -287,6 +292,17 @@ public class BPKBuilder { } } + + /** + * Currently only works for bPKs!!!! + * + * + * @param encryptedBpk + * @param target + * @param privateKey + * @return + * @throws BuildException + */ public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); MiscUtil.assertNotNull(privateKey, "Private key"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java index 0fba2d3f6..3a0a002e8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java @@ -209,7 +209,7 @@ public class VerifyXMLSignatureResponseParser { String signingTimeElement = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNING_TIME_XPATH,""); if (MiscUtil.isNotEmpty(signingTimeElement)) { - DateTime datetime = ISODateTimeFormat.dateTimeNoMillis().parseDateTime(signingTimeElement); + DateTime datetime = ISODateTimeFormat.dateOptionalTimeParser().parseDateTime(signingTimeElement); respData.setSigningDateTime(datetime.toDate()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 59bd3893d..140ebcfc8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -54,10 +54,8 @@ import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashMap; -import java.util.Iterator; import java.util.List; import java.util.Map; -import java.util.Map.Entry; import java.util.Set; import org.apache.commons.lang.SerializationUtils; @@ -935,4 +933,16 @@ public String toString() { return "Object not initialized"; } + +@Override +public List foreignbPKSectorsRequested() { + String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_FOREIGN); + if (MiscUtil.isNotEmpty(value)) + return KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(value)); + + else + return null; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index f3db82315..31b894604 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -531,5 +531,11 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return false; } + @Override + public List foreignbPKSectorsRequested() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 7f56f519b..4cd9ecd6a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -691,6 +691,8 @@ public class AuthenticationData implements IAuthData, Serializable { * @return the encbPKList */ public List getEncbPKList() { + if (encbPKList == null) + encbPKList = new ArrayList(); return encbPKList; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java index 9dfbe00b2..f5c48b826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -41,7 +41,7 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { if (authData.getEncbPKList() != null && authData.getEncbPKList().size() > 0) { - String value = authData.getEncbPKList().get(0); + String value = "(" + authData.getEncbPKList().get(0) + ")"; for (int i=1; i