From 9122bf6862fe34881e5454f54c69692b7f5ed083 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Fri, 31 Jan 2014 16:21:13 +0100 Subject: fixed outgoing signrequest - mostly tested --- .../moa/id/auth/AuthenticationServer.java | 40 +++++++++++++---- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 52 +++++++++++++++++----- .../moa/id/auth/stork/STORKResponseProcessor.java | 51 --------------------- 3 files changed, 73 insertions(+), 70 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 209743f45..146137a2c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -31,6 +31,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.StringWriter; +import java.math.BigInteger; import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.cert.CertificateException; @@ -49,6 +50,7 @@ import javax.servlet.http.HttpSession; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; +import org.apache.commons.io.IOUtils; import org.apache.commons.lang.StringEscapeUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; @@ -123,7 +125,6 @@ import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; -import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.LogMsg; @@ -142,10 +143,14 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest.PEPSData; import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; import at.gv.util.xsd.srzgw.MISType; import at.gv.util.xsd.srzgw.MISType.Filters; +import eu.stork.oasisdss.api.AdditionalProfiles; import eu.stork.oasisdss.api.ApiUtils; import eu.stork.oasisdss.api.ApiUtilsException; +import eu.stork.oasisdss.api.Profiles; +import eu.stork.oasisdss.api.QualityLevels; +import eu.stork.oasisdss.api.SignatureTypes; +import eu.stork.oasisdss.profile.AnyType; import eu.stork.oasisdss.profile.DocumentType; -import eu.stork.oasisdss.profile.InputDocuments; import eu.stork.oasisdss.profile.SignRequest; import eu.stork.peps.auth.commons.PEPSUtil; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -1912,7 +1917,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName("signedDoc"); List value = new ArrayList(); - value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), "application/xhtml+xml")); + value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", + moasession.getCcc())); newAttribute.setValue(value); attributeList.add(newAttribute); @@ -2004,20 +2011,37 @@ public class AuthenticationServer implements MOAIDAuthConstants { Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); } - private static String generateDssSignRequest(String text, String mimeType) { + private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) { IdentifierGenerator idGenerator; try { idGenerator = new SecureRandomIdentifierGenerator(); DocumentType doc = new DocumentType(); - doc.setBase64XML(Base64.encodeBytes(text.getBytes()).getBytes()); + doc.setBase64XML(text.getBytes()); + doc.setID(idGenerator.generateIdentifier()); SignRequest request = new SignRequest(); request.setInputDocuments(ApiUtils.createInputDocuments(doc)); - request.setRequestID(idGenerator.generateIdentifier()); + String id = idGenerator.generateIdentifier(); + request.setRequestID(id); + request.setDocUI(id); - return ApiUtils.marshalToDocument(request).getTextContent(); + request.setProfile(Profiles.XADES_BES.toString()); + request.setNumberOfSigners(BigInteger.ONE); + request.setTargetCountry(citizenCountry); + + // no, no todo. PEPS will alter this value anyhow. + request.setReturnURL("http://invalid_return"); + + AnyType required = new AnyType(); + required.getAny().add(ApiUtils.createSignatureType(SignatureTypes.XMLSIG_RFC3275.toString())); + required.getAny().add(ApiUtils.createAdditionalProfile(AdditionalProfiles.XADES.toString())); + required.getAny().add(ApiUtils.createQualityRequirements(QualityLevels.QUALITYLEVEL_QUALIFIEDSIG)); + required.getAny().add(ApiUtils.createIncludeObject(doc)); + request.setOptionalInputs(required); + + return IOUtils.toString(ApiUtils.marshalToInputStream(request)); } catch (NoSuchAlgorithmException e) { Logger.error("Cannot generate id", e); throw new RuntimeException(e); @@ -2027,7 +2051,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } catch (DOMException e) { Logger.error("Could not create SignRequest", e); throw new RuntimeException(e); - } catch (ParserConfigurationException e) { + } catch (IOException e) { Logger.error("Could not create SignRequest", e); throw new RuntimeException(e); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 9dfce7838..a3c8ebe4d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -1,7 +1,10 @@ package at.gv.egovernment.moa.id.auth.servlet; +import iaik.x509.X509Certificate; import java.io.IOException; +import java.io.InputStream; import java.io.StringWriter; +import java.net.URL; import java.util.ArrayList; import java.util.List; @@ -10,19 +13,19 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; import javax.xml.transform.stream.StreamSource; +import org.apache.commons.io.IOUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.StatusCode; -import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -33,14 +36,14 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.ModulUtils; -import at.gv.egovernment.moa.id.proxy.parser.SAMLResponseParser; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.xmldsig.SignatureType; +import at.gv.util.xsd.xmldsig.X509DataType; import eu.stork.oasisdss.api.ApiUtils; -import eu.stork.oasisdss.api.LightweightSourceResolver; +import eu.stork.oasisdss.profile.DocumentWithSignature; import eu.stork.oasisdss.profile.SignResponse; import eu.stork.peps.auth.commons.PEPSUtil; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -173,14 +176,41 @@ public class PEPSConnectorServlet extends AuthServlet { //extract signed doc element and citizen signature String citizenSignature = null; try { - citizenSignature = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); + + List doclocations = ApiUtils.findNamedElement(dssSignResponse.getOptionalOutputs(), DocumentWithSignature.class.getSimpleName(), DocumentWithSignature.class); + // TODO handle multiple docs? + Logger.debug("trying first doclocation"); + String docUrl = doclocations.get(0).getDocument().getDocumentURL(); + Logger.debug("trying first doclocation successful"); + + // fetch signed doc + URL url = new URL(docUrl); + InputStream incomming = url.openStream(); + citizenSignature = IOUtils.toString(incomming); + incomming.close(); + + JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName()); + SignatureType root = ((JAXBElement) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue(); + + // memorize signature into authblock moaSession.setAuthBlock(citizenSignature); + + // extract certificate + for(Object current : root.getKeyInfo().getContent()) + if(((JAXBElement) current).getValue() instanceof X509DataType) { + for(Object currentX509Data : ((JAXBElement) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) { + JAXBElement casted = ((JAXBElement) currentX509Data); + if(casted.getName().getLocalPart().equals("X509Certificate")) { + moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes())); + break; + } + } + } - // FIXME untested - Element sepp = (Element) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(citizenSignature))); - moaSession.setSignerCertificate(AuthenticationServer.getCertificateFromXML(sepp)); - } catch (Exception e) { + } catch (Throwable e) { Logger.error("Could not extract citizen signature from C-PEPS", e); throw new MOAIDException("stork.09", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index 20ceb2128..2534110d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -57,57 +57,6 @@ public class STORKResponseProcessor { /** OASIS DSS Success Message */ public static final String OASIS_DSS_SUCCESS_MSG = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"; - /** - * Extracts the signature value out of a DSS response - * @param signatureResponse DSS signature response - * @return signature - * @throws STORKException - */ - private static Element getSignature(Element signatureResponse) throws STORKException { - - NodeList nList = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "ResultMajor"); - - String resultMajor = XMLUtil.getFirstTextValueFromNodeList(nList); - - if (StringUtils.isEmpty(resultMajor)) { - String msg = "DSS response not correct, ResultMajor element missing."; - Logger.error(msg); - throw new STORKException(msg); - } - - Logger.trace("ResultMajor of DSS response: " + resultMajor); - - if (!OASIS_DSS_SUCCESS_MSG.equals(resultMajor)) { - String msg = "DSS response not correct, ResultMajor is " + resultMajor; - Logger.error(msg); - throw new STORKException(msg); - } - - NodeList nList2 = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "Base64Signature");; - - String base64SigString = XMLUtil.getFirstTextValueFromNodeList(nList2); - - if (StringUtils.isEmpty(base64SigString)) { - String msg = "DSS response not correct, Base64Signature element missing."; - Logger.error(msg); - throw new STORKException(msg); - } - - Logger.trace("Base64Signature element of DSS response: " + base64SigString); - - String sigString = new String(Base64.decode(base64SigString)); - - try { - return XMLUtil.stringToDOM(sigString); - } catch (Exception e) { - String msg = "Unable to extract signature from DSS response"; - Logger.error(msg); - throw new STORKException(msg); - } - - - } - /** * Checks for attribute. * -- cgit v1.2.3