From a7c22b659f5bc760cb46d5892409dab12cc047d6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Oct 2013 09:57:38 +0200 Subject: Add an unique random tokken to AuthBlock to prevent replay attacks. The timestamp, which was previously in use, can be predicted. --- .../moa/id/auth/AuthenticationServer.java | 4 +-- .../AuthenticationBlockAssertionBuilder.java | 32 +++++++++++++---- .../moa/id/auth/data/AuthenticationSession.java | 18 ++++++++++ .../CreateXMLSignatureResponseValidator.java | 41 ++++++++++++++++++++-- 4 files changed, 85 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 84f85b3d6..af23d4c78 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -553,7 +553,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getPublicOAURLPrefix()); // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session, oaParam); + String authBlock = buildAuthenticationBlock(session, oaParam); // builds the List transformsInfos = oaParam.getTransformsInfos(); @@ -1141,7 +1141,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { String xmlCreateXMLSignatureReadResponse) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException, BKUException { - + if (session == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index 0421a868c..f5d603480 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -84,6 +84,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion " " + NL + "{7}" + "{8}" + + "{9}" + " " + NL + ""; @@ -107,6 +108,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion " {0}" + NL + " " + NL; + private static String AUTHBLOCKTOKKEN_ATTRIBUTE = + " " + NL + + " {0}" + NL + + " " + NL; + private static String PR_IDENTIFICATION_ATTRIBUTE = " " + NL + @@ -117,8 +123,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion /** * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes). */ - public static final int NUM_OF_SAML_ATTRIBUTES = 4; - public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3; + public static final int NUM_OF_SAML_ATTRIBUTES = 5; + public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4; /** * Constructor for AuthenticationBlockAssertionBuilder. @@ -170,6 +176,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion AuthenticationSession session, OAAuthParameter oaParam) throws BuildException + { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; @@ -264,11 +271,13 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); } - - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) }); + //generate unique AuthBlock tokken + String uniquetokken = Random.nextRandom(); + session.setAuthBlockTokken(uniquetokken); + String assertion; try { assertion = MessageFormat.format( @@ -281,6 +290,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion oaURL, gebDat, specialText, + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, + new Object[] { uniquetokken }), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); } catch (ParseException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); @@ -415,6 +426,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) }); + //generate unique AuthBlock tokken + String uniquetokken = Random.nextRandom(); + session.setAuthBlockTokken(uniquetokken); + String assertion; try { assertion = MessageFormat.format( @@ -427,6 +442,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion oaURL, gebDat, specialText, + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, + new Object[] { uniquetokken }), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); } catch (ParseException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); @@ -521,9 +538,10 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) }); - + //generate unique AuthBlock tokken + String uniquetokken = Random.nextRandom(); + session.setAuthBlockTokken(uniquetokken); - String assertion; assertion = MessageFormat.format( @@ -536,6 +554,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion oaURL, gebDat, specialText, + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, + new Object[] { uniquetokken }), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); return assertion; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 4cb174e1c..9eaa13f04 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -158,6 +158,8 @@ public class AuthenticationSession implements Serializable { */ private String authBlock; + private String authBlockTokken; + /** * The issuing time of the AUTH-Block SAML assertion. */ @@ -974,6 +976,22 @@ public class AuthenticationSession implements Serializable { public void setOW(boolean isOW) { this.isOW = isOW; } + + /** + * @return the authBlockTokken + */ + public String getAuthBlockTokken() { + return authBlockTokken; + } + + /** + * @param authBlockTokken the authBlockTokken to set + */ + public void setAuthBlockTokken(String authBlockTokken) { + this.authBlockTokken = authBlockTokken; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 9e98b73b4..ed7f9df0d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -262,7 +262,7 @@ public class CreateXMLSignatureResponseValidator { if (!samlAttribute.getName().equals("SpecialText")) { throw new ValidateException( "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)}); + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); @@ -285,6 +285,25 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.35", null); } + + //check unique AuthBlock tokken + samlAttribute = samlAttributes[4 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); + + if (!uniquetokken.equals(session.getAuthBlockTokken())) { + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } + } else { + throw new ValidateException("validator.35", null); + } + + // now check the extended SAML attributes int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; if (extendedSAMLAttributes != null) { @@ -471,7 +490,7 @@ public class CreateXMLSignatureResponseValidator { if (!samlAttribute.getName().equals("SpecialText")) { throw new ValidateException( "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)}); + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); @@ -495,6 +514,24 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.35", null); } + //check unique AuthBlock tokken + samlAttribute = samlAttributes[3 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); + + if (!uniquetokken.equals(session.getAuthBlockTokken())) { + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } + } else { + throw new ValidateException("validator.35", null); + } + + // now check the extended SAML attributes int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset; if (extendedSAMLAttributes != null) { -- cgit v1.2.3