From 583b352de3eda9dd57f427c9d59aa1c395f182a2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 14 Mar 2017 08:35:56 +0100 Subject: workaround to fix possible problem with OpenSAML SecureRandomIdentifierGenerator in combination with JDK 8.121 and IAIK_JCE that cause in a java.lang.ArrayIndexOutOfBoundsException --- .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 16 +++++++++++++++- .../main/java/at/gv/egovernment/moa/id/util/Random.java | 12 +++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 9d57c2bae..28a85b4af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -46,6 +46,8 @@ import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallingException; import org.w3c.dom.Document; +import at.gv.egovernment.moa.id.util.Random; + public class SAML2Utils { public static T createSAMLObject(final Class clazz) { @@ -66,7 +68,19 @@ public class SAML2Utils { } public static String getSecureIdentifier() { - return idGenerator.generateIdentifier(); + return "_".concat(Random.nextHexRandom16()); + + /*Bug-Fix: There are open problems with RandomNumberGenerator via Java SPI and Java JDK 8.121 + * Generation of a 16bit Random identifier FAILES with an Caused by: java.lang.ArrayIndexOutOfBoundsException + * Caused by: java.lang.ArrayIndexOutOfBoundsException + at iaik.security.random.o.engineNextBytes(Unknown Source) + at iaik.security.random.SecRandomSpi.engineNextBytes(Unknown Source) + at java.security.SecureRandom.nextBytes(SecureRandom.java:468) + at org.opensaml.common.impl.SecureRandomIdentifierGenerator.generateIdentifier(SecureRandomIdentifierGenerator.java:62) + at org.opensaml.common.impl.SecureRandomIdentifierGenerator.generateIdentifier(SecureRandomIdentifierGenerator.java:56) + at at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils.getSecureIdentifier(SAML2Utils.java:69) + */ + //return idGenerator.generateIdentifier(); } private static SecureRandomIdentifierGenerator idGenerator; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index ba45a3679..1f9050a31 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -114,9 +114,19 @@ public class Random { * * @return random hex encoded value [256bit] */ - public static String nextHexRandom() { + public static String nextHexRandom32() { return new String(Hex.encodeHex(nextByteRandom(32))); // 32 bytes = 256 bits + } + + /** + * Creates a new random number [128bit], and encode it as hex value. + * + * @return random hex encoded value [128bit] + */ + public static String nextHexRandom16() { + return new String(Hex.encodeHex(nextByteRandom(16))); // 16 bytes = 128 bits + } /** -- cgit v1.2.3 From 60e6b93ead4df30f24dc08d92ddcf4e0c04a8ec4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 15 Mar 2017 22:20:39 +0100 Subject: Fix bug in statistic logger that broke the authentication process on some protocols if database persist operation failes --- .../moa/id/advancedlogging/StatisticLogger.java | 27 ++++++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 5b0f5115d..dfea14a72 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -205,8 +205,14 @@ public class StatisticLogger implements IStatisticLogger{ } } } - - entityManager.persist(dblog); + + try { + entityManager.persist(dblog); + + } catch (Exception e) { + Logger.warn("Write 'success' statisticLog to database FAILED.", e); + + } } } @@ -227,8 +233,13 @@ public class StatisticLogger implements IStatisticLogger{ } - - entityManager.persist(dblog); + try { + entityManager.persist(dblog); + + } catch (Exception e) { + Logger.warn("Write 'error' statisticLog to database FAILED.", e); + + } } @@ -282,7 +293,13 @@ public class StatisticLogger implements IStatisticLogger{ generateErrorLogFormThrowable(throwable, dblog); - entityManager.persist(dblog); + try { + entityManager.persist(dblog); + + } catch (Exception e) { + Logger.warn("Write 'error' statisticLog to database FAILED.", e); + + } } } -- cgit v1.2.3 From dcd4734b89908ad91bf9a537bdb5c3d615537fc2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 16 Mar 2017 06:07:06 +0100 Subject: make nextByteRandom synchronized to additionally prevent problems with IAIK_JCE and Java JDK => 8u111 --- .../idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index 1f9050a31..ac2b3c415 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -168,7 +168,7 @@ public class Random { * @param size Size of random number in bits * @return */ - private static byte[] nextByteRandom(int size) { + private static synchronized byte[] nextByteRandom(int size) { byte[] b = new byte[size]; random.nextBytes(b); return b; -- cgit v1.2.3 From 05646346f18cf24471d05f1124f61d80feb1e69e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 16 Mar 2017 06:27:23 +0100 Subject: limit length of some logged identifier to max length of 254 characters --- .../moa/id/advancedlogging/StatisticLogger.java | 27 ++++++++++++++-------- 1 file changed, 18 insertions(+), 9 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index dfea14a72..6f700d1cb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -74,6 +74,7 @@ public class StatisticLogger implements IStatisticLogger{ private static final String MANTATORTYPE_NAT = "nat"; private static final int MAXERRORLENGTH = 200; + private static final int MAXOAIDENTIFIER_LENGTH = 254; private static final String ERRORTYPE_UNKNOWN = "unkown"; private static final String ERRORTYPE_BKU = "bku"; @@ -119,7 +120,7 @@ public class StatisticLogger implements IStatisticLogger{ //dblog.setOaID(dbOA.getHjid()); //log basic AuthInformation - dblog.setOaurlprefix(protocolRequest.getOAURL()); + dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); boolean isbusinessservice = isBusinessService(dbOA); @@ -254,12 +255,15 @@ public class StatisticLogger implements IStatisticLogger{ dblog.setTimestamp(new Date()); - dblog.setOaurlprefix(errorRequest.getOAURL()); + dblog.setOaurlprefix(getMessageWithMaxLength(errorRequest.getOAURL(), MAXOAIDENTIFIER_LENGTH)); dblog.setProtocoltype(errorRequest.requestedModule()); dblog.setProtocolsubtype(errorRequest.requestedAction()); + generateErrorLogFormThrowable(throwable, dblog); + IOAAuthParameters dbOA = errorRequest.getOnlineApplicationConfiguration(); if (dbOA != null) { + dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); dblog.setOatarget(dbOA.getTarget()); //dblog.setOaID(dbOA.getHjid()); @@ -291,17 +295,18 @@ public class StatisticLogger implements IStatisticLogger{ dblog.setMandatelogin(moasession.isMandateUsed()); } - generateErrorLogFormThrowable(throwable, dblog); - try { - entityManager.persist(dblog); + + } - } catch (Exception e) { - Logger.warn("Write 'error' statisticLog to database FAILED.", e); + try { + entityManager.persist(dblog); - } - + } catch (Exception e) { + Logger.warn("Write 'error' statisticLog to database FAILED.", e); + } + } } @@ -313,6 +318,10 @@ public class StatisticLogger implements IStatisticLogger{ return false; } + private String getMessageWithMaxLength(String msg, int maxlength) { + return getErrorMessageWithMaxLength(msg, maxlength); + + } private String getErrorMessageWithMaxLength(String error, int maxlength) { if (error != null) { -- cgit v1.2.3