From 1ab0f1d4d991464b906c34befefe2ecaf485d485 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:03:42 +0200 Subject: add interfederation without attributequery request which use encrypted bPKs (this functionality is required for federation with USP) --- .../id/auth/builder/AuthenticationDataBuilder.java | 355 +++++++++++++-------- .../moa/id/auth/builder/BPKBuilder.java | 94 ++++++ .../exception/DatabaseEncryptionException.java | 46 +++ .../id/config/auth/AuthConfigurationProvider.java | 11 + .../moa/id/config/auth/IOAAuthParameters.java | 4 + .../moa/id/config/auth/OAAuthParameter.java | 36 +++ .../config/auth/data/BPKDecryptionParameters.java | 127 ++++++++ .../config/auth/data/DynamicOAAuthParameters.java | 10 + .../moa/id/data/AuthenticationData.java | 21 +- .../gv/egovernment/moa/id/data/EncryptedbPK.java | 33 ++ .../at/gv/egovernment/moa/id/data/IAuthData.java | 3 + .../attributes/EncryptedBPKAttributeBuilder.java | 70 ++++ .../MandateFullMandateAttributeBuilder.java | 7 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 89 +++++- .../protocols/saml1/SAML1AuthenticationServer.java | 5 +- .../id/storage/AuthenticationSessionStoreage.java | 4 +- .../moa/id/util/AbstractEncrytionUtil.java | 157 +++++++++ .../moa/id/util/ConfigurationEncrytionUtil.java | 71 +++++ .../moa/id/util/SessionEncrytionUtil.java | 132 +++----- .../moa/id/util/client/mis/simple/MISMandate.java | 14 + .../id/util/client/mis/simple/MISSimpleClient.java | 2 + 21 files changed, 1058 insertions(+), 233 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index ddcc6e1d1..3c029f261 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -24,31 +24,35 @@ package at.gv.egovernment.moa.id.auth.builder; import iaik.x509.X509Certificate; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.security.PrivateKey; import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; -import java.util.GregorianCalendar; import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; -import eu.stork.peps.auth.commons.PersonalAttribute; -import eu.stork.peps.auth.commons.PersonalAttributeList; - +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; +import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -151,7 +155,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - } InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); @@ -295,9 +298,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); } + + //create assertion attribute extractor from AttributeQuery response + extractor = new AssertionAttributeExtractor(intfResp); + } //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); } catch (SOAPException e) { throw new BuildException("builder.06", null, e); @@ -320,146 +327,242 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session, - Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { + private static void buildAuthDataFormInterfederationResponse( + AuthenticationData authData, + AuthenticationSession session, + AssertionAttributeExtractor extractor, + IOAAuthParameters oaParam) + throws BuildException, AssertionAttributeExtractorExeption { Logger.debug("Build AuthData from assertion starts ...."); - Assertion assertion = intfResp.getAssertions().get(0); + authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME)); + authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME)); + authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); + authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); + authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME)); + authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); + authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME)); + authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); - if (assertion.getAttributeStatements().size() == 0) { - Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); - throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null); - + if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { + String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME); + authData.setBPK(pvpbPK.split(":")[1]); } - AttributeStatement attrStat = assertion.getAttributeStatements().get(0); - for (Attribute attr : attrStat.getAttributes()) { - - if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) - authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) - authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) - authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BPK_NAME)) { - String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent(); - authData.setBPK(pvpbPK.split(":")[1]); - } - - if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) - authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) - authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); + if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { + List encbPKList = Arrays.asList( + extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";")); + authData.setEncbPKList(encbPKList); + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + if (oaParam.getTarget().equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + oaParam.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); + if (MiscUtil.isNotEmpty(bPK)) { + if (MiscUtil.isEmpty(authData.getBPK())) { + authData.setBPK(bPK); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + Logger.info("bPK decryption process finished successfully."); + } + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + + } + + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } + + } else { + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); + + } + } + } + } + } + + if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { + Logger.error("Federated assertion include no bPK or encrypted bPK"); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); - if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) - authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + + if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { + try { + byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); - if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { - try { - byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - authData.setAuthBlock(new String(authBlock, "UTF-8")); + } catch (IOException e) { + Logger.error("Received AuthBlock is not valid", e); - } catch (IOException e) { - Logger.error("Received AuthBlock is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { - try { - authData.setSignerCertificate(Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); - - } catch (IOException e) { - Logger.error("Received SignerCertificate is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) - authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) - authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { - try { - InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - authData.setIdentityLink(idl); - - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) - authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - - if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { - try { - byte[] mandate = Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - - if (authData.getMISMandate() == null) - authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setMandate(mandate); + } + + if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { + try { + authData.setSignerCertificate(Base64Utils.decode( + extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + + } catch (IOException e) { + Logger.error("Received SignerCertificate is not valid", e); + + } + } + + if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { + try { + InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false); + IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + authData.setIdentityLink(idl); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); - authData.setUseMandate(true); - - } catch (Exception e) { - Logger.error("Received Mandate is not valid", e); - throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + } + + + // set mandate attributes + authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); + + if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { + try { + byte[] mandate = Base64Utils.decode( + (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setProfRep( - attr.getAttributeValues().get(0).getDOM().getTextContent()); + authData.getMISMandate().setMandate(mandate); + authData.getMISMandate().setFullMandateIncluded(true); + authData.setUseMandate(true); + + } catch (Exception e) { + Logger.error("Received Mandate is not valid", e); + throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + } + } + + //TODO: build short mandate if full mandate is no included. + if (authData.getMISMandate() == null && + (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) { + Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... "); + + MISMandate misMandate = new MISMandate(); + misMandate.setFullMandateIncluded(false); + + Mandate mandateObject = new Mandate(); + Mandator mandator = new Mandator(); + mandateObject.setMandator(mandator); + + //build legal person short mandate + if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + CorporateBodyType legalperson = new CorporateBodyType(); + IdentificationType legalID = new IdentificationType(); + Value idvalue = new Value(); + legalID.setValue(idvalue ); + legalperson.getIdentification().add(legalID ); + mandator.setCorporateBody(legalperson ); + + legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); + legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); + idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); + + //build natural person short mandate + } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { + throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); + + + + } else { + Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary."); + throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null); - } - - if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) { - authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent()); - authData.setForeigner(true); } - if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + try { + JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_"); + Marshaller m = jc.createMarshaller(); + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal(mandateObject, stream); + misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes()); + stream.close(); - if (authData.getStorkAttributes() == null) - authData.setStorkAttributes(new PersonalAttributeList()); + } catch (JAXBException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); + + } catch (IOException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); - List storkAttrValues = new ArrayList(); - storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); - PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), - false, storkAttrValues , "Available"); - authData.getStorkAttributes().put(attr.getName(), storkAttr ); - authData.setForeigner(true); - } - + } + authData.setUseMandate(true); + } + + if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setProfRep( + extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); + + } + + + //set STORK attributes + if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { + authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME)); + authData.setForeigner(true); + + } + + if (!extractor.getSTORKAttributes().isEmpty()) { + authData.setStorkAttributes(extractor.getSTORKAttributes()); + authData.setForeigner(true); + + } + authData.setSsoSession(true); - if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) - authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate()); + if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) + authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); //only for SAML1 if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 20641ca7c..b122ba17e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -46,13 +46,27 @@ package at.gv.egovernment.moa.id.auth.builder; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import java.io.UnsupportedEncodingException; +import java.security.InvalidKeyException; import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.text.SimpleDateFormat; +import java.util.Date; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; /** * Builder for the bPK, as defined in @@ -135,6 +149,58 @@ public class BPKBuilder { } } + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { + MiscUtil.assertNotNull(bpk, "BPK"); + MiscUtil.assertNotNull(publicKey, "publicKey"); + + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" + + bpk + "::" + + sdf.format(new Date()); + System.out.println(input); + byte[] result; + try { + byte[] inputBytes = input.getBytes("ISO-8859-1"); + result = encrypt(inputBytes, publicKey); + return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", ""); + + } catch (Exception e) { + throw new BuildException("bPK encryption FAILED", null, e); + } + } + + public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { + MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); + MiscUtil.assertNotNull(privateKey, "Private key"); + String decryptedString; + try { + byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1"); + byte[] decryptedBytes = decrypt(encryptedBytes, privateKey); + decryptedString = new String(decryptedBytes, "ISO-8859-1"); + + } catch (Exception e) { + throw new BuildException("bPK decryption FAILED", null, e); + } + String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1); + String sector = tmp.substring(0, tmp.indexOf("::")); + tmp = tmp.substring(tmp.indexOf("::") + 2); + String bPK = tmp.substring(0, tmp.indexOf("::")); + + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + if (target.equals(sector)) + return bPK; + + else { + Logger.error("Decrypted bPK does not match to request bPK target."); + return null; + } + } + /** * Builds the storkeid from the given parameters. * @@ -214,6 +280,34 @@ public class BPKBuilder { throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex); } } + + private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.ENCRYPT_MODE, publicKey); + result = cipher.doFinal(inputBytes); + + return result; + } + + private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey) + throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{ + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.DECRYPT_MODE, privateKey); + result = cipher.doFinal(encryptedBytes); + return result; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java new file mode 100644 index 000000000..69802d7e6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java @@ -0,0 +1,46 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DatabaseEncryptionException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = 6387519847869308880L; + + /** + * @param messageId + * @param parameters + * @param wrapped + */ + public DatabaseEncryptionException(String messageId, Object[] parameters, + Throwable wrapped) { + super(messageId, parameters, wrapped); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..a62de27fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return prop; } + /** + * @return + */ + public String getMOAConfigurationEncryptionKey() { + String prop = props.getProperty("configuration.moaconfig.key"); + if (MiscUtil.isEmpty(prop)) + return null; + else + return prop; + } + public boolean isIdentityLinkResigning() { String prop = props.getProperty("configuration.resignidentitylink.active", "false"); return Boolean.valueOf(prop); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 6398de34f..4c6519b57 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; /** * @author tlenz @@ -149,4 +151,6 @@ public interface IOAAuthParameters { List getTestCredentialOIDs(); + PrivateKey getBPKDecBpkDecryptionKey(); + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f58fe2495..673d23373 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -46,11 +46,15 @@ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType; @@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.config.ConfigurationUtils; import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -555,4 +562,33 @@ public List getTestCredentialOIDs() { return null; } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ +@Override +public PrivateKey getBPKDecBpkDecryptionKey() { + + try { + EncryptedData encdata = new EncryptedData( + oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(), + oa_auth.getEncBPKInformation().getBPKDecryption().getIv()); + byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata); + BPKDecryptionParameters data = + (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData); + + return data.getPrivateKey(); + + } catch (BuildException e) { + // TODO Auto-generated catch block + Logger.error("Can not decrypt key information for bPK decryption", e); + + } catch (NullPointerException e) { + Logger.error("No keyInformation found for bPK decryption"); + + } + return null; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java new file mode 100644 index 000000000..787a480f0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java @@ -0,0 +1,127 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; + +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.KeyStoreUtils; + + +/** + * @author tlenz + * + */ +public class BPKDecryptionParameters implements Serializable{ + + private static final long serialVersionUID = 1L; + + private byte[] keyStore = null; + private String keyStorePassword = null; + private String keyAlias = null; + private String keyPassword = null; + + /** + * @return + */ + public PrivateKey getPrivateKey() { + try { + InputStream in = new ByteArrayInputStream(keyStore); + KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword); + + char[] chPassword = " ".toCharArray(); + if (keyPassword != null) + chPassword = keyPassword.toCharArray(); + +// Certificate test = store.getCertificate(keyAlias); +// Base64Utils.encode(test.getPublicKey().getEncoded()); + + return (PrivateKey) store.getKey(keyAlias, chPassword); + + + } catch (KeyStoreException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (IOException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (UnrecoverableKeyException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Can not load private key from keystore.", e); + + } + + return null; + } + + public byte[] serialize() { + return SerializationUtils.serialize(this); + + } + + /** + * @param keyStore the keyStore to set + */ + public void setKeyStore(byte[] keyStore) { + this.keyStore = keyStore; + } + + /** + * @param keyStorePassword the keyStorePassword to set + */ + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = keyStorePassword; + } + + /** + * @param keyAlias the keyAlias to set + */ + public void setKeyAlias(String keyAlias) { + this.keyAlias = keyAlias; + } + + /** + * @param keyPassword the keyPassword to set + */ + public void setKeyPassword(String keyPassword) { + this.keyPassword = keyPassword; + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index eddf605a6..7dbdcfa52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth.data; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ + @Override + public PrivateKey getBPKDecBpkDecryptionKey() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 5685977bc..6fd327add 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -27,6 +27,7 @@ import java.text.DateFormat; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable { private byte[] signerCertificate = null; private String authBlock = null; - + private List encbPKList = null; + + private boolean useMandate = false; private MISMandate mandate = null; private String mandateReferenceValue = null; @@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable { this.ssoSessionValidTo = ssoSessionValidTo; } + /** + * @return the encbPKList + */ + public List getEncbPKList() { + return encbPKList; + } + + /** + * @param encbPKList the encbPKList to set + */ + public void setEncbPKList(List encbPKList) { + this.encbPKList = encbPKList; + } + + + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java new file mode 100644 index 000000000..da6840fd7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java @@ -0,0 +1,33 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public class EncryptedbPK { + private String vkz = null; + private String target = null; + private String encbPK = null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 7e421da0f..8ce33021d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.data; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -62,6 +63,8 @@ public interface IAuthData { String getBkuURL(); + List getEncbPKList(); + IdentityLink getIdentityLink(); byte[] getSignerCertificate(); String getAuthBlock(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java new file mode 100644 index 000000000..b3256ac9a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { + + public String getName() { + return ENC_BPK_LIST_NAME; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + + if (authData.getEncbPKList() != null && + authData.getEncbPKList().size() > 0) { + String value = authData.getEncbPKList().get(0); + for (int i=1; i ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 670398ff6..790c1e8ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.DOMUtils; @@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - if (authData.getMandate() != null) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) { String fullMandate; try { fullMandate = DOMUtils.serializeNode(authData @@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder Logger.error("Failed to generate Full Mandate", e); } } + throw new NoMandateDataAttributeException(); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 9aadfdc28..1c12e7398 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -22,16 +22,25 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.core.Subject; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -39,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil; public class AssertionAttributeExtractor { private Assertion assertion = null; + private Map attributs = new HashMap(); + private PersonalAttributeList storkAttributes = new PersonalAttributeList(); + + private final List minimalAttributeNameList = Arrays.asList( + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.BIRTHDATE_NAME); + public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { if (samlResponse != null && samlResponse instanceof Response) { @@ -49,24 +66,80 @@ public class AssertionAttributeExtractor { else if (assertions.size() > 1) Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); - assertion = assertions.get(0); - + assertion = assertions.get(0); + + if (assertion.getAttributeStatements() != null && + assertion.getAttributeStatements().size() > 0) { + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + List storkAttrValues = new ArrayList(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + storkAttributes.put(attr.getName(), storkAttr ); + + } else + attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + } + + attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); + } else throw new AssertionAttributeExtractorExeption(); } + /** + * check attributes from assertion with minimal required attribute list + * @return + */ public boolean containsAllRequiredAttributes() { - //TODO: add default attribute list - return containsAllRequiredAttributes(null); + return containsAllRequiredAttributes(minimalAttributeNameList); } - public boolean containsAllRequiredAttributes(List attributs) { - //TODO: add validation + /** + * check attributes from assertion with attributeNameList + * bPK or enc_bPK is always needed + * + * @param List of attributes which are required + * + * @return + */ + public boolean containsAllRequiredAttributes(List attributeNameList) { + + //first check if a bPK or an encrypted bPK is available + if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || + (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + boolean flag = true; + for (String attr : attributeNameList) { + if (!attributs.containsKey(attr)) + flag = false; + } + + return flag; + + } return false; } + public boolean containsAttribute(String attributeName) { + return attributs.containsKey(attributeName); + + } + + public String getAttribute(String attributeName) { + return attributs.get(attributeName); + + } + + public PersonalAttributeList getSTORKAttributes() { + return storkAttributes; + } + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { @@ -113,6 +186,10 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); } + public Assertion getFullAssertion() { + return assertion; + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 08f40f888..fe0d27804 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -208,7 +208,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer { if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); - if (saml1parameter.isProvideFullMandatorData()) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (saml1parameter.isProvideFullMandatorData() + && authData.getMISMandate().isFullMandateIncluded()) { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 350c4e9da..a9f5ed60a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage { private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException { byte[] serialized = SerializationUtils.serialize(session); - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized); dbsession.setSession(encdata.getEncData()); dbsession.setIv(encdata.getIv()); } @@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage { private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException { EncryptedData encdata = new EncryptedData(dbsession.getSession(), dbsession.getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata); return (AuthenticationSession) SerializationUtils.deserialize(decrypted); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java new file mode 100644 index 000000000..f246c55e1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java @@ -0,0 +1,157 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SecureRandom; +import java.security.spec.InvalidKeySpecException; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + + +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public abstract class AbstractEncrytionUtil { + protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + protected static final String KEYNAME = "AES"; + + private SecretKey secret = null; + + public AbstractEncrytionUtil() throws DatabaseEncryptionException { + initialize(getKey(), getSalt()); + } + + protected abstract String getSalt(); + protected abstract String getKey(); + + protected void initialize(String key, String salt) throws DatabaseEncryptionException { + try { + if (MiscUtil.isNotEmpty(key)) { + if (MiscUtil.isEmpty(salt)) + salt = "TestSalt"; + + PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); + PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); + + SecureRandom random = new SecureRandom(); + KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); + + PBEKeyAndParameterSpec parameterSpec = + new PBEKeyAndParameterSpec(pbeKey.getEncoded(), + salt.getBytes(), + 2000, + 16); + + pbkdf2.init(parameterSpec, random); + SecretKey derivedKey = pbkdf2.generateKey(); + + SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); + SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); + secret = kf.generateSecret(spec); + + } else { + Logger.error("Database encryption can not initialized. No key found!"); + + } + + } catch (NoSuchAlgorithmException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (NoSuchProviderException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidKeySpecException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidAlgorithmParameterException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } + } + + public EncryptedData encrypt(byte[] data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.ENCRYPT_MODE, secret); + + Logger.debug("Encrypt MOASession"); + + byte[] encdata = cipher.doFinal(data); + byte[] iv = cipher.getIV(); + + return new EncryptedData(encdata, iv); + + } catch (Exception e) { + Logger.warn("MOASession is not encrypted",e); + throw new BuildException("MOASession is not encrypted", new Object[]{}, e); + } + } else + return new EncryptedData(data, null); + } + + public byte[] decrypt(EncryptedData data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + IvParameterSpec iv = new IvParameterSpec(data.getIv()); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.DECRYPT_MODE, secret, iv); + + Logger.debug("Decrypt MOASession"); + return cipher.doFinal(data.getEncData()); + + } catch (Exception e) { + Logger.warn("MOASession is not decrypted",e); + throw new BuildException("MOASession is not decrypted", new Object[]{}, e); + } + } else + return data.getEncData(); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java new file mode 100644 index 000000000..10221604c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java @@ -0,0 +1,71 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil { + + private static ConfigurationEncrytionUtil instance = null; + private static String key = null; + + public static ConfigurationEncrytionUtil getInstance() { + if (instance == null) { + try { + key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey(); + instance = new ConfigurationEncrytionUtil(); + + } catch (Exception e) { + Logger.warn("MOAConfiguration encryption initialization FAILED.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private ConfigurationEncrytionUtil() throws DatabaseEncryptionException { + super(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Configuration-Salt"; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java index acc2a7273..8660f7c09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java @@ -22,110 +22,50 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.util; -import iaik.security.cipher.PBEKey; -import iaik.security.spec.PBEKeyAndParameterSpec; - -import java.security.SecureRandom; -import java.security.spec.KeySpec; - -import javax.crypto.Cipher; -import javax.crypto.KeyGenerator; -import javax.crypto.SecretKey; -import javax.crypto.SecretKeyFactory; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.PBEKeySpec; -import javax.crypto.spec.SecretKeySpec; - -import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; -public class SessionEncrytionUtil { - - private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; - private static final String KEYNAME = "AES"; - - static private SecretKey secret = null; +public class SessionEncrytionUtil extends AbstractEncrytionUtil { - static { - try { - String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); - - if (key != null) { - - PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); - SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); - PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); - - - SecureRandom random = new SecureRandom(); - KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); - - PBEKeyAndParameterSpec parameterSpec = - new PBEKeyAndParameterSpec(pbeKey.getEncoded(), - "TestSALT".getBytes(), - 2000, - 16); - - pbkdf2.init(parameterSpec, random); - SecretKey derivedKey = pbkdf2.generateKey(); - - SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); - SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); - secret = kf.generateSecret(spec); - - } else { - Logger.warn("MOASession encryption is deaktivated."); - } - - } catch (Exception e) { - Logger.warn("MOASession encryption can not be inizialized.", e); - } - - } + private static SessionEncrytionUtil instance = null; + private static String key = null; - public static EncryptedData encrypt(byte[] data) throws BuildException { - Cipher cipher; - - if (secret != null) { + public static SessionEncrytionUtil getInstance() { + if (instance == null) { try { - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.ENCRYPT_MODE, secret); - - Logger.debug("Encrypt MOASession"); - - byte[] encdata = cipher.doFinal(data); - byte[] iv = cipher.getIV(); - - return new EncryptedData(encdata, iv); - + key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); + instance = new SessionEncrytionUtil(); + } catch (Exception e) { - Logger.warn("MOASession is not encrypted",e); - throw new BuildException("MOASession is not encrypted", new Object[]{}, e); - } - } else - return new EncryptedData(data, null); + Logger.warn("MOASession encryption can not be inizialized.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private SessionEncrytionUtil() throws DatabaseEncryptionException { + super(); } - public static byte[] decrypt(EncryptedData data) throws BuildException { - Cipher cipher; - - if (secret != null) { - try { - IvParameterSpec iv = new IvParameterSpec(data.getIv()); - - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.DECRYPT_MODE, secret, iv); - - Logger.debug("Decrypt MOASession"); - return cipher.doFinal(data.getEncData()); - - } catch (Exception e) { - Logger.warn("MOASession is not decrypted",e); - throw new BuildException("MOASession is not decrypted", new Object[]{}, e); - } - } else - return data.getEncData(); + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Session-Salt"; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index f7785d2c2..20cabaf4d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -70,6 +70,7 @@ public class MISMandate implements Serializable{ private String oid = null; private byte[] mandate = null; private String owBPK = null; + private boolean isFullMandateIncluded = false; public String getProfRep() { return oid; @@ -109,5 +110,18 @@ public class MISMandate implements Serializable{ } } + /** + * @return the isFullMandateIncluded + */ + public boolean isFullMandateIncluded() { + return isFullMandateIncluded; + } + /** + * @param isFullMandateIncluded the isFullMandateIncluded to set + */ + public void setFullMandateIncluded(boolean isFullMandateIncluded) { + this.isFullMandateIncluded = isFullMandateIncluded; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index aaf793987..15b2a89b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -145,6 +145,8 @@ public class MISSimpleClient { //misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate))); misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes())); + misMandate.setFullMandateIncluded(true); + foundMandates.add(misMandate); } return foundMandates; -- cgit v1.2.3