From 3b7776e9020ea8affdf9fcd10b12d2da28adcd08 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 4 Sep 2013 23:51:25 +0200 Subject: Validation signing time (auth block) against server time Update MOA-ID sample configs (new ES Test-PEPS Url) WAI compliant template --- .../parser/CreateXMLSignatureResponseParser.java | 9 ++++ .../parser/VerifyXMLSignatureResponseParser.java | 2 + .../CreateXMLSignatureResponseValidator.java | 55 ++++++++++++++++++++-- 3 files changed, 62 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java index 6004f251f..1624a59c0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java @@ -25,10 +25,13 @@ package at.gv.egovernment.moa.id.auth.parser; import java.io.ByteArrayInputStream; +import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.List; +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.NodeList; import org.w3c.dom.traversal.NodeIterator; @@ -157,6 +160,7 @@ public class CreateXMLSignatureResponseParser { Element dsigSignatureNode = (Element) list.item(0); Element dsigSignatureElement = (Element) dsigSignatureNode; + cResp.setDsigSignature(dsigSignatureElement); } catch (Throwable t) { @@ -201,6 +205,11 @@ public class CreateXMLSignatureResponseParser { SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()]; samlAttributes.toArray(result); cResp.setSamlAttributes(result); + + NodeList list = sigResponse_.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); + Element dsigSignatureNode = (Element) list.item(0); + cResp.setDsigSignature(dsigSignatureNode); + } catch (Throwable t) { throw new ParseException("parser.01", new Object[] { t.toString()}, t); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java index 4ddad2429..2c957603b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java @@ -151,6 +151,8 @@ public class VerifyXMLSignatureResponseParser { VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse(); try { + + String s = DOMUtils.serializeNode(verifyXMLSignatureResponse); respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,"")); Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH); respData.setQualifiedCertificate(e!=null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index d0fb1f87f..b2ef2d000 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -24,9 +24,14 @@ package at.gv.egovernment.moa.id.auth.validator; +import java.util.Calendar; +import java.util.GregorianCalendar; import java.util.Iterator; import java.util.List; +import javax.xml.bind.DatatypeConverter; + +import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; @@ -59,11 +64,25 @@ public class CreateXMLSignatureResponseValidator { /** Xpath expression to the dsig:Signature element */ private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature"; - //private static final String XADES_SIGNINGTIME_PATH = Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime"; - + private static final String XADES_1_1_1_SIGNINGTIME_PATH = "//" + Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime"; + private static final String XADES_1_3_2_SIGNINGTIME_PATH = "//" + Constants.XADES_1_3_2_NS_PREFIX + ":SigningTime"; + + + private static final long MAX_DIFFERENCE_IN_MILLISECONDS = 600000; // 10min + /** Singleton instance. null, if none has been created. */ private static CreateXMLSignatureResponseValidator instance; + private static SimpleNamespaceContext NS_CONTEXT; + static { + NS_CONTEXT = new SimpleNamespaceContext(); + NS_CONTEXT.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI); + NS_CONTEXT.addNamespace(Constants.XADES_1_2_2_NS_PREFIX, Constants.XADES_1_2_2_NS_URI); + NS_CONTEXT.addNamespace(Constants.XADES_1_3_2_NS_PREFIX, Constants.XADES_1_3_2_NS_URI); + NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI); + } + + /** * Constructor for a singleton CreateXMLSignatureResponseValidator. * @return an instance of CreateXMLSignatureResponseValidator @@ -550,8 +569,36 @@ public class CreateXMLSignatureResponseValidator { public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException { - //TODO: insert Time validation!!!! - + Element dsigSignatureElement = csresp.getDsigSignature(); + if (dsigSignatureElement == null) { + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } + else { + Element signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_1_1_SIGNINGTIME_PATH); + if (signingTimeElem == null) { + signingTimeElem = (Element) XPathUtils.selectSingleNode(dsigSignatureElement, NS_CONTEXT, XADES_1_3_2_SIGNINGTIME_PATH); + if (signingTimeElem == null) + throw new ValidateException("validator.68", null) ; + } + + + String signingTimeStr = signingTimeElem.getTextContent(); + if (signingTimeStr == null) + throw new ValidateException("validator.68", null) ; + + Calendar signingTimeCal = DatatypeConverter.parseDate(signingTimeStr); + Calendar serverTimeCal = new GregorianCalendar(); + + long diff = Math.abs(signingTimeCal.getTimeInMillis() - serverTimeCal.getTimeInMillis()); + + if (diff > MAX_DIFFERENCE_IN_MILLISECONDS) + throw new ValidateException("validator.69", new Object[] {"mehr als " + MAX_DIFFERENCE_IN_MILLISECONDS + " Millisekunden"}) ; + + Logger.debug("Compare \"" + signingTimeCal.getTime() + "\" (SigningTime) with \"" + serverTimeCal.getTime() + "\" (server time)"); + + + } + } } -- cgit v1.2.3