From 7e42dd36309d1113ce85d26fde15303059743b90 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Thu, 17 Jul 2014 16:13:37 +0200 Subject: todo --- .../gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- .../moa/id/protocols/stork2/MandateRetrievalRequest.java | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 64447b20e..40c358b7e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -244,7 +244,7 @@ public class PEPSConnectorServlet extends AuthServlet { //extract signed doc element and citizen signature String citizenSignature = null; try { - String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 139c438f9..ba849f959 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction { httpResp.reset(); this.representingIdentityLink = authData.getIdentityLink(); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); @@ -96,7 +97,7 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContain er(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); @@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction { } if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType()); + Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)"); + Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() + ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue()); throw new MOAIDException("stork.20", new Object[]{}); // TODO } @@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction { represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute)); } else if (mandateContainer instanceof PhyPersonMandateContainer) { PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer; - represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE + represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName()); represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName()); represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate()); -- cgit v1.2.3 From 708009bbfc5433c3338278b95e9f150b424d2a03 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Thu, 17 Jul 2014 16:18:30 +0200 Subject: typo --- .../gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index ba849f959..baa91a854 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -97,7 +97,7 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContain er(new String(authData.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); -- cgit v1.2.3 From 078c7784e9e278bd5fdd96465a38558776cacb04 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 4 Aug 2014 12:57:39 +0200 Subject: MOA federation with USP - add some initial methodes --- .../id/auth/builder/AuthenticationDataBuilder.java | 72 ++++++++++++---------- .../moa/id/entrypoints/DispatcherServlet.java | 2 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 14 +++++ 3 files changed, 54 insertions(+), 34 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 17d6898ee..ddcc6e1d1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; @@ -76,6 +77,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; @@ -239,11 +241,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { attributs = reqQueryAttr; //IDP is a service provider IDP and request interfederated IDP to collect attributes - } else { - - //TODO: check if response include attributes and map this attributes to requested attributes - //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst - + } else { //get PVP 2.1 attributes from protocol specific requested attributes attributs = req.getRequestedAttributes(); @@ -255,44 +253,52 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); } + + + //TODO: check if response include attributes and map this attributes to requested attributes + //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst + Response intfResp = (Response) req.getInterfederationResponse().getResponse(); + AssertionAttributeExtractor extractor = + new AssertionAttributeExtractor(intfResp); - //build attributQuery request - AttributeQuery query = - AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); + if (!extractor.containsAllRequiredAttributes()) { + //build attributQuery request + AttributeQuery query = + AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); - //build SOAP request - List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + //build SOAP request + List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); - } + } - if (xmlObjects.get(0) instanceof Response) { - Response intfResp = (Response) xmlObjects.get(0); + if (xmlObjects.get(0) instanceof Response) { + intfResp = (Response) xmlObjects.get(0); - //validate PVP 2.1 response - try { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + //validate PVP 2.1 response + try { + SAMLVerificationEngine engine = new SAMLVerificationEngine(); + engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - SAMLVerificationEngine.validateAssertion(intfResp, false); + SAMLVerificationEngine.validateAssertion(intfResp, false); - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); - } - - //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + } + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + } } - + //parse response information to authData + buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + } catch (SOAPException e) { throw new BuildException("builder.06", null, e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 0d34fcb87..1e38bd4ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{ info = ModulStorage.getModuleByPath(protocolRequest.requestedModule()); moduleAction = info.getAction(protocolRequest.requestedAction()); - //create interfederated mOASession + //create interfederated MOASession String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId); req.getParameterMap().put(PARAM_SESSIONID, sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index ee0088576..9aadfdc28 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; import java.util.List; import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; @@ -54,6 +55,19 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption(); } + public boolean containsAllRequiredAttributes() { + //TODO: add default attribute list + return containsAllRequiredAttributes(null); + + } + + public boolean containsAllRequiredAttributes(List attributs) { + //TODO: add validation + return false; + + } + + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { Subject subject = assertion.getSubject(); -- cgit v1.2.3 From 296ebbfb36ef207abe4611cb8d3727d2f86a692b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:00:17 +0200 Subject: update PVP 2.1 SAML2 bindings --- .../id/protocols/pvp2x/binding/PostBinding.java | 20 ++++++++------- .../protocols/pvp2x/binding/RedirectBinding.java | 20 ++++++++++----- .../id/protocols/pvp2x/binding/SoapBinding.java | 30 +++++++++++++++++++--- 3 files changed, 51 insertions(+), 19 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 7f73b1ed7..1a268c812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); - + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } + } catch (ConfigurationException e) { throw new SecurityException(e); } messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - //set metadata descriptor type - if (isSPEndPoint) - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - else - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - + decode.decode(messageContext); InboundMessage msg = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 26f6f3a62..f11561c14 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); + messageContext + .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } } catch (ConfigurationException e) { throw new SecurityException(e); } - - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index f0eafe272..a2583c706 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.soap.client.BasicSOAPMessageContext; @@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class SoapBinding implements IDecoder, IEncoder { @@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder { new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - + req)); + //messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + soapDecoder.decode(messageContext); Envelope inboundMessage = (Envelope) messageContext @@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); - MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); + + if (messageContext.getPeerEntityMetadata() != null) + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + + else if (attrReq instanceof RequestAbstractType) { + RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; + try { + if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) && + MOAMetadataProvider.getInstance().getRole( + attributeRequest.getIssuer().getValue(), + SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) + request.setEntityID(attributeRequest.getIssuer().getValue()); + + } catch (Exception e) { + Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue()); + } + } + request.setVerified(false); return request; -- cgit v1.2.3 From 1ab0f1d4d991464b906c34befefe2ecaf485d485 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:03:42 +0200 Subject: add interfederation without attributequery request which use encrypted bPKs (this functionality is required for federation with USP) --- .../id/auth/builder/AuthenticationDataBuilder.java | 355 +++++++++++++-------- .../moa/id/auth/builder/BPKBuilder.java | 94 ++++++ .../exception/DatabaseEncryptionException.java | 46 +++ .../id/config/auth/AuthConfigurationProvider.java | 11 + .../moa/id/config/auth/IOAAuthParameters.java | 4 + .../moa/id/config/auth/OAAuthParameter.java | 36 +++ .../config/auth/data/BPKDecryptionParameters.java | 127 ++++++++ .../config/auth/data/DynamicOAAuthParameters.java | 10 + .../moa/id/data/AuthenticationData.java | 21 +- .../gv/egovernment/moa/id/data/EncryptedbPK.java | 33 ++ .../at/gv/egovernment/moa/id/data/IAuthData.java | 3 + .../attributes/EncryptedBPKAttributeBuilder.java | 70 ++++ .../MandateFullMandateAttributeBuilder.java | 7 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 89 +++++- .../protocols/saml1/SAML1AuthenticationServer.java | 5 +- .../id/storage/AuthenticationSessionStoreage.java | 4 +- .../moa/id/util/AbstractEncrytionUtil.java | 157 +++++++++ .../moa/id/util/ConfigurationEncrytionUtil.java | 71 +++++ .../moa/id/util/SessionEncrytionUtil.java | 132 +++----- .../moa/id/util/client/mis/simple/MISMandate.java | 14 + .../id/util/client/mis/simple/MISSimpleClient.java | 2 + 21 files changed, 1058 insertions(+), 233 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index ddcc6e1d1..3c029f261 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -24,31 +24,35 @@ package at.gv.egovernment.moa.id.auth.builder; import iaik.x509.X509Certificate; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.security.PrivateKey; import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; -import java.util.GregorianCalendar; import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; -import eu.stork.peps.auth.commons.PersonalAttribute; -import eu.stork.peps.auth.commons.PersonalAttributeList; - +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; +import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -151,7 +155,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - } InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); @@ -295,9 +298,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); } + + //create assertion attribute extractor from AttributeQuery response + extractor = new AssertionAttributeExtractor(intfResp); + } //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); } catch (SOAPException e) { throw new BuildException("builder.06", null, e); @@ -320,146 +327,242 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session, - Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { + private static void buildAuthDataFormInterfederationResponse( + AuthenticationData authData, + AuthenticationSession session, + AssertionAttributeExtractor extractor, + IOAAuthParameters oaParam) + throws BuildException, AssertionAttributeExtractorExeption { Logger.debug("Build AuthData from assertion starts ...."); - Assertion assertion = intfResp.getAssertions().get(0); + authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME)); + authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME)); + authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); + authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); + authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME)); + authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); + authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME)); + authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); - if (assertion.getAttributeStatements().size() == 0) { - Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); - throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null); - + if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { + String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME); + authData.setBPK(pvpbPK.split(":")[1]); } - AttributeStatement attrStat = assertion.getAttributeStatements().get(0); - for (Attribute attr : attrStat.getAttributes()) { - - if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) - authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) - authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) - authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BPK_NAME)) { - String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent(); - authData.setBPK(pvpbPK.split(":")[1]); - } - - if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) - authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) - authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); + if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { + List encbPKList = Arrays.asList( + extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";")); + authData.setEncbPKList(encbPKList); + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + if (oaParam.getTarget().equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + oaParam.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); + if (MiscUtil.isNotEmpty(bPK)) { + if (MiscUtil.isEmpty(authData.getBPK())) { + authData.setBPK(bPK); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + Logger.info("bPK decryption process finished successfully."); + } + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + + } + + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } + + } else { + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); + + } + } + } + } + } + + if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { + Logger.error("Federated assertion include no bPK or encrypted bPK"); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); - if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) - authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + + if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { + try { + byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); - if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { - try { - byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - authData.setAuthBlock(new String(authBlock, "UTF-8")); + } catch (IOException e) { + Logger.error("Received AuthBlock is not valid", e); - } catch (IOException e) { - Logger.error("Received AuthBlock is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { - try { - authData.setSignerCertificate(Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); - - } catch (IOException e) { - Logger.error("Received SignerCertificate is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) - authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) - authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { - try { - InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - authData.setIdentityLink(idl); - - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) - authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - - if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { - try { - byte[] mandate = Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - - if (authData.getMISMandate() == null) - authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setMandate(mandate); + } + + if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { + try { + authData.setSignerCertificate(Base64Utils.decode( + extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + + } catch (IOException e) { + Logger.error("Received SignerCertificate is not valid", e); + + } + } + + if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { + try { + InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false); + IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + authData.setIdentityLink(idl); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); - authData.setUseMandate(true); - - } catch (Exception e) { - Logger.error("Received Mandate is not valid", e); - throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + } + + + // set mandate attributes + authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); + + if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { + try { + byte[] mandate = Base64Utils.decode( + (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setProfRep( - attr.getAttributeValues().get(0).getDOM().getTextContent()); + authData.getMISMandate().setMandate(mandate); + authData.getMISMandate().setFullMandateIncluded(true); + authData.setUseMandate(true); + + } catch (Exception e) { + Logger.error("Received Mandate is not valid", e); + throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + } + } + + //TODO: build short mandate if full mandate is no included. + if (authData.getMISMandate() == null && + (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) { + Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... "); + + MISMandate misMandate = new MISMandate(); + misMandate.setFullMandateIncluded(false); + + Mandate mandateObject = new Mandate(); + Mandator mandator = new Mandator(); + mandateObject.setMandator(mandator); + + //build legal person short mandate + if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + CorporateBodyType legalperson = new CorporateBodyType(); + IdentificationType legalID = new IdentificationType(); + Value idvalue = new Value(); + legalID.setValue(idvalue ); + legalperson.getIdentification().add(legalID ); + mandator.setCorporateBody(legalperson ); + + legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); + legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); + idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); + + //build natural person short mandate + } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { + throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); + + + + } else { + Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary."); + throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null); - } - - if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) { - authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent()); - authData.setForeigner(true); } - if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + try { + JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_"); + Marshaller m = jc.createMarshaller(); + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal(mandateObject, stream); + misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes()); + stream.close(); - if (authData.getStorkAttributes() == null) - authData.setStorkAttributes(new PersonalAttributeList()); + } catch (JAXBException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); + + } catch (IOException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); - List storkAttrValues = new ArrayList(); - storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); - PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), - false, storkAttrValues , "Available"); - authData.getStorkAttributes().put(attr.getName(), storkAttr ); - authData.setForeigner(true); - } - + } + authData.setUseMandate(true); + } + + if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setProfRep( + extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); + + } + + + //set STORK attributes + if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { + authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME)); + authData.setForeigner(true); + + } + + if (!extractor.getSTORKAttributes().isEmpty()) { + authData.setStorkAttributes(extractor.getSTORKAttributes()); + authData.setForeigner(true); + + } + authData.setSsoSession(true); - if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) - authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate()); + if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) + authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); //only for SAML1 if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 20641ca7c..b122ba17e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -46,13 +46,27 @@ package at.gv.egovernment.moa.id.auth.builder; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import java.io.UnsupportedEncodingException; +import java.security.InvalidKeyException; import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.text.SimpleDateFormat; +import java.util.Date; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; /** * Builder for the bPK, as defined in @@ -135,6 +149,58 @@ public class BPKBuilder { } } + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { + MiscUtil.assertNotNull(bpk, "BPK"); + MiscUtil.assertNotNull(publicKey, "publicKey"); + + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" + + bpk + "::" + + sdf.format(new Date()); + System.out.println(input); + byte[] result; + try { + byte[] inputBytes = input.getBytes("ISO-8859-1"); + result = encrypt(inputBytes, publicKey); + return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", ""); + + } catch (Exception e) { + throw new BuildException("bPK encryption FAILED", null, e); + } + } + + public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { + MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); + MiscUtil.assertNotNull(privateKey, "Private key"); + String decryptedString; + try { + byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1"); + byte[] decryptedBytes = decrypt(encryptedBytes, privateKey); + decryptedString = new String(decryptedBytes, "ISO-8859-1"); + + } catch (Exception e) { + throw new BuildException("bPK decryption FAILED", null, e); + } + String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1); + String sector = tmp.substring(0, tmp.indexOf("::")); + tmp = tmp.substring(tmp.indexOf("::") + 2); + String bPK = tmp.substring(0, tmp.indexOf("::")); + + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + if (target.equals(sector)) + return bPK; + + else { + Logger.error("Decrypted bPK does not match to request bPK target."); + return null; + } + } + /** * Builds the storkeid from the given parameters. * @@ -214,6 +280,34 @@ public class BPKBuilder { throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex); } } + + private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.ENCRYPT_MODE, publicKey); + result = cipher.doFinal(inputBytes); + + return result; + } + + private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey) + throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{ + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.DECRYPT_MODE, privateKey); + result = cipher.doFinal(encryptedBytes); + return result; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java new file mode 100644 index 000000000..69802d7e6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java @@ -0,0 +1,46 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DatabaseEncryptionException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = 6387519847869308880L; + + /** + * @param messageId + * @param parameters + * @param wrapped + */ + public DatabaseEncryptionException(String messageId, Object[] parameters, + Throwable wrapped) { + super(messageId, parameters, wrapped); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..a62de27fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return prop; } + /** + * @return + */ + public String getMOAConfigurationEncryptionKey() { + String prop = props.getProperty("configuration.moaconfig.key"); + if (MiscUtil.isEmpty(prop)) + return null; + else + return prop; + } + public boolean isIdentityLinkResigning() { String prop = props.getProperty("configuration.resignidentitylink.active", "false"); return Boolean.valueOf(prop); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 6398de34f..4c6519b57 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; /** * @author tlenz @@ -149,4 +151,6 @@ public interface IOAAuthParameters { List getTestCredentialOIDs(); + PrivateKey getBPKDecBpkDecryptionKey(); + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f58fe2495..673d23373 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -46,11 +46,15 @@ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType; @@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.config.ConfigurationUtils; import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -555,4 +562,33 @@ public List getTestCredentialOIDs() { return null; } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ +@Override +public PrivateKey getBPKDecBpkDecryptionKey() { + + try { + EncryptedData encdata = new EncryptedData( + oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(), + oa_auth.getEncBPKInformation().getBPKDecryption().getIv()); + byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata); + BPKDecryptionParameters data = + (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData); + + return data.getPrivateKey(); + + } catch (BuildException e) { + // TODO Auto-generated catch block + Logger.error("Can not decrypt key information for bPK decryption", e); + + } catch (NullPointerException e) { + Logger.error("No keyInformation found for bPK decryption"); + + } + return null; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java new file mode 100644 index 000000000..787a480f0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java @@ -0,0 +1,127 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; + +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.KeyStoreUtils; + + +/** + * @author tlenz + * + */ +public class BPKDecryptionParameters implements Serializable{ + + private static final long serialVersionUID = 1L; + + private byte[] keyStore = null; + private String keyStorePassword = null; + private String keyAlias = null; + private String keyPassword = null; + + /** + * @return + */ + public PrivateKey getPrivateKey() { + try { + InputStream in = new ByteArrayInputStream(keyStore); + KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword); + + char[] chPassword = " ".toCharArray(); + if (keyPassword != null) + chPassword = keyPassword.toCharArray(); + +// Certificate test = store.getCertificate(keyAlias); +// Base64Utils.encode(test.getPublicKey().getEncoded()); + + return (PrivateKey) store.getKey(keyAlias, chPassword); + + + } catch (KeyStoreException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (IOException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (UnrecoverableKeyException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Can not load private key from keystore.", e); + + } + + return null; + } + + public byte[] serialize() { + return SerializationUtils.serialize(this); + + } + + /** + * @param keyStore the keyStore to set + */ + public void setKeyStore(byte[] keyStore) { + this.keyStore = keyStore; + } + + /** + * @param keyStorePassword the keyStorePassword to set + */ + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = keyStorePassword; + } + + /** + * @param keyAlias the keyAlias to set + */ + public void setKeyAlias(String keyAlias) { + this.keyAlias = keyAlias; + } + + /** + * @param keyPassword the keyPassword to set + */ + public void setKeyPassword(String keyPassword) { + this.keyPassword = keyPassword; + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index eddf605a6..7dbdcfa52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth.data; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ + @Override + public PrivateKey getBPKDecBpkDecryptionKey() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 5685977bc..6fd327add 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -27,6 +27,7 @@ import java.text.DateFormat; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable { private byte[] signerCertificate = null; private String authBlock = null; - + private List encbPKList = null; + + private boolean useMandate = false; private MISMandate mandate = null; private String mandateReferenceValue = null; @@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable { this.ssoSessionValidTo = ssoSessionValidTo; } + /** + * @return the encbPKList + */ + public List getEncbPKList() { + return encbPKList; + } + + /** + * @param encbPKList the encbPKList to set + */ + public void setEncbPKList(List encbPKList) { + this.encbPKList = encbPKList; + } + + + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java new file mode 100644 index 000000000..da6840fd7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java @@ -0,0 +1,33 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public class EncryptedbPK { + private String vkz = null; + private String target = null; + private String encbPK = null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 7e421da0f..8ce33021d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.data; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -62,6 +63,8 @@ public interface IAuthData { String getBkuURL(); + List getEncbPKList(); + IdentityLink getIdentityLink(); byte[] getSignerCertificate(); String getAuthBlock(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java new file mode 100644 index 000000000..b3256ac9a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { + + public String getName() { + return ENC_BPK_LIST_NAME; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + + if (authData.getEncbPKList() != null && + authData.getEncbPKList().size() > 0) { + String value = authData.getEncbPKList().get(0); + for (int i=1; i ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 670398ff6..790c1e8ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.DOMUtils; @@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - if (authData.getMandate() != null) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) { String fullMandate; try { fullMandate = DOMUtils.serializeNode(authData @@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder Logger.error("Failed to generate Full Mandate", e); } } + throw new NoMandateDataAttributeException(); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 9aadfdc28..1c12e7398 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -22,16 +22,25 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.core.Subject; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -39,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil; public class AssertionAttributeExtractor { private Assertion assertion = null; + private Map attributs = new HashMap(); + private PersonalAttributeList storkAttributes = new PersonalAttributeList(); + + private final List minimalAttributeNameList = Arrays.asList( + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.BIRTHDATE_NAME); + public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { if (samlResponse != null && samlResponse instanceof Response) { @@ -49,24 +66,80 @@ public class AssertionAttributeExtractor { else if (assertions.size() > 1) Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); - assertion = assertions.get(0); - + assertion = assertions.get(0); + + if (assertion.getAttributeStatements() != null && + assertion.getAttributeStatements().size() > 0) { + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + List storkAttrValues = new ArrayList(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + storkAttributes.put(attr.getName(), storkAttr ); + + } else + attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + } + + attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); + } else throw new AssertionAttributeExtractorExeption(); } + /** + * check attributes from assertion with minimal required attribute list + * @return + */ public boolean containsAllRequiredAttributes() { - //TODO: add default attribute list - return containsAllRequiredAttributes(null); + return containsAllRequiredAttributes(minimalAttributeNameList); } - public boolean containsAllRequiredAttributes(List attributs) { - //TODO: add validation + /** + * check attributes from assertion with attributeNameList + * bPK or enc_bPK is always needed + * + * @param List of attributes which are required + * + * @return + */ + public boolean containsAllRequiredAttributes(List attributeNameList) { + + //first check if a bPK or an encrypted bPK is available + if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || + (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + boolean flag = true; + for (String attr : attributeNameList) { + if (!attributs.containsKey(attr)) + flag = false; + } + + return flag; + + } return false; } + public boolean containsAttribute(String attributeName) { + return attributs.containsKey(attributeName); + + } + + public String getAttribute(String attributeName) { + return attributs.get(attributeName); + + } + + public PersonalAttributeList getSTORKAttributes() { + return storkAttributes; + } + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { @@ -113,6 +186,10 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); } + public Assertion getFullAssertion() { + return assertion; + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 08f40f888..fe0d27804 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -208,7 +208,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer { if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); - if (saml1parameter.isProvideFullMandatorData()) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (saml1parameter.isProvideFullMandatorData() + && authData.getMISMandate().isFullMandateIncluded()) { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 350c4e9da..a9f5ed60a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage { private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException { byte[] serialized = SerializationUtils.serialize(session); - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized); dbsession.setSession(encdata.getEncData()); dbsession.setIv(encdata.getIv()); } @@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage { private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException { EncryptedData encdata = new EncryptedData(dbsession.getSession(), dbsession.getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata); return (AuthenticationSession) SerializationUtils.deserialize(decrypted); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java new file mode 100644 index 000000000..f246c55e1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java @@ -0,0 +1,157 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SecureRandom; +import java.security.spec.InvalidKeySpecException; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + + +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public abstract class AbstractEncrytionUtil { + protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + protected static final String KEYNAME = "AES"; + + private SecretKey secret = null; + + public AbstractEncrytionUtil() throws DatabaseEncryptionException { + initialize(getKey(), getSalt()); + } + + protected abstract String getSalt(); + protected abstract String getKey(); + + protected void initialize(String key, String salt) throws DatabaseEncryptionException { + try { + if (MiscUtil.isNotEmpty(key)) { + if (MiscUtil.isEmpty(salt)) + salt = "TestSalt"; + + PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); + PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); + + SecureRandom random = new SecureRandom(); + KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); + + PBEKeyAndParameterSpec parameterSpec = + new PBEKeyAndParameterSpec(pbeKey.getEncoded(), + salt.getBytes(), + 2000, + 16); + + pbkdf2.init(parameterSpec, random); + SecretKey derivedKey = pbkdf2.generateKey(); + + SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); + SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); + secret = kf.generateSecret(spec); + + } else { + Logger.error("Database encryption can not initialized. No key found!"); + + } + + } catch (NoSuchAlgorithmException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (NoSuchProviderException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidKeySpecException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidAlgorithmParameterException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } + } + + public EncryptedData encrypt(byte[] data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.ENCRYPT_MODE, secret); + + Logger.debug("Encrypt MOASession"); + + byte[] encdata = cipher.doFinal(data); + byte[] iv = cipher.getIV(); + + return new EncryptedData(encdata, iv); + + } catch (Exception e) { + Logger.warn("MOASession is not encrypted",e); + throw new BuildException("MOASession is not encrypted", new Object[]{}, e); + } + } else + return new EncryptedData(data, null); + } + + public byte[] decrypt(EncryptedData data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + IvParameterSpec iv = new IvParameterSpec(data.getIv()); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.DECRYPT_MODE, secret, iv); + + Logger.debug("Decrypt MOASession"); + return cipher.doFinal(data.getEncData()); + + } catch (Exception e) { + Logger.warn("MOASession is not decrypted",e); + throw new BuildException("MOASession is not decrypted", new Object[]{}, e); + } + } else + return data.getEncData(); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java new file mode 100644 index 000000000..10221604c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java @@ -0,0 +1,71 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil { + + private static ConfigurationEncrytionUtil instance = null; + private static String key = null; + + public static ConfigurationEncrytionUtil getInstance() { + if (instance == null) { + try { + key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey(); + instance = new ConfigurationEncrytionUtil(); + + } catch (Exception e) { + Logger.warn("MOAConfiguration encryption initialization FAILED.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private ConfigurationEncrytionUtil() throws DatabaseEncryptionException { + super(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Configuration-Salt"; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java index acc2a7273..8660f7c09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java @@ -22,110 +22,50 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.util; -import iaik.security.cipher.PBEKey; -import iaik.security.spec.PBEKeyAndParameterSpec; - -import java.security.SecureRandom; -import java.security.spec.KeySpec; - -import javax.crypto.Cipher; -import javax.crypto.KeyGenerator; -import javax.crypto.SecretKey; -import javax.crypto.SecretKeyFactory; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.PBEKeySpec; -import javax.crypto.spec.SecretKeySpec; - -import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; -public class SessionEncrytionUtil { - - private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; - private static final String KEYNAME = "AES"; - - static private SecretKey secret = null; +public class SessionEncrytionUtil extends AbstractEncrytionUtil { - static { - try { - String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); - - if (key != null) { - - PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); - SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); - PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); - - - SecureRandom random = new SecureRandom(); - KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); - - PBEKeyAndParameterSpec parameterSpec = - new PBEKeyAndParameterSpec(pbeKey.getEncoded(), - "TestSALT".getBytes(), - 2000, - 16); - - pbkdf2.init(parameterSpec, random); - SecretKey derivedKey = pbkdf2.generateKey(); - - SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); - SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); - secret = kf.generateSecret(spec); - - } else { - Logger.warn("MOASession encryption is deaktivated."); - } - - } catch (Exception e) { - Logger.warn("MOASession encryption can not be inizialized.", e); - } - - } + private static SessionEncrytionUtil instance = null; + private static String key = null; - public static EncryptedData encrypt(byte[] data) throws BuildException { - Cipher cipher; - - if (secret != null) { + public static SessionEncrytionUtil getInstance() { + if (instance == null) { try { - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.ENCRYPT_MODE, secret); - - Logger.debug("Encrypt MOASession"); - - byte[] encdata = cipher.doFinal(data); - byte[] iv = cipher.getIV(); - - return new EncryptedData(encdata, iv); - + key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); + instance = new SessionEncrytionUtil(); + } catch (Exception e) { - Logger.warn("MOASession is not encrypted",e); - throw new BuildException("MOASession is not encrypted", new Object[]{}, e); - } - } else - return new EncryptedData(data, null); + Logger.warn("MOASession encryption can not be inizialized.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private SessionEncrytionUtil() throws DatabaseEncryptionException { + super(); } - public static byte[] decrypt(EncryptedData data) throws BuildException { - Cipher cipher; - - if (secret != null) { - try { - IvParameterSpec iv = new IvParameterSpec(data.getIv()); - - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.DECRYPT_MODE, secret, iv); - - Logger.debug("Decrypt MOASession"); - return cipher.doFinal(data.getEncData()); - - } catch (Exception e) { - Logger.warn("MOASession is not decrypted",e); - throw new BuildException("MOASession is not decrypted", new Object[]{}, e); - } - } else - return data.getEncData(); + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Session-Salt"; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index f7785d2c2..20cabaf4d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -70,6 +70,7 @@ public class MISMandate implements Serializable{ private String oid = null; private byte[] mandate = null; private String owBPK = null; + private boolean isFullMandateIncluded = false; public String getProfRep() { return oid; @@ -109,5 +110,18 @@ public class MISMandate implements Serializable{ } } + /** + * @return the isFullMandateIncluded + */ + public boolean isFullMandateIncluded() { + return isFullMandateIncluded; + } + /** + * @param isFullMandateIncluded the isFullMandateIncluded to set + */ + public void setFullMandateIncluded(boolean isFullMandateIncluded) { + this.isFullMandateIncluded = isFullMandateIncluded; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index aaf793987..15b2a89b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -145,6 +145,8 @@ public class MISSimpleClient { //misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate))); misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes())); + misMandate.setFullMandateIncluded(true); + foundMandates.add(misMandate); } return foundMandates; -- cgit v1.2.3 From a3e490800378eaaa4d9189bc1d1d606caa8fb41d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:21:50 +0200 Subject: remove debug code --- .../moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 1c12e7398..a16fed9cd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -84,9 +84,7 @@ public class AssertionAttributeExtractor { } } - - attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); - + } else throw new AssertionAttributeExtractorExeption(); } -- cgit v1.2.3 From 3993a8fab1cc23ac1f5e82da88b7e09e27cac563 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 11:18:52 +0200 Subject: update attribute builder --- .../protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java | 9 ++++++++- .../pvp2x/builder/attributes/EIDIdentityLinkBuilder.java | 5 +++++ .../pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java | 8 +++++++- .../moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 3dd1dd064..a38446826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class BPKAttributeBuilder implements IPVPAttributeBuilder { @@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { String bpk = authData.getBPK(); String type = authData.getBPKType(); + if (MiscUtil.isEmpty(bpk)) + throw new UnavailableAttributeException(BPK_NAME); + if (type.startsWith(Constants.URN_PREFIX_WBPK)) type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); - else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index e8aeb8fcd..29d6df040 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -27,6 +27,7 @@ import java.io.IOException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -40,6 +41,10 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { IAttributeGenerator g) throws AttributeException { try { String ilAssertion = null; + + if (authData.getIdentityLink() == null) + throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME); + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 7f52e1d47..463658a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { @@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { } public ATT build(OAAuthParameter oaParam, IAuthData authData, - IAttributeGenerator g) throws AttributeException { + IAttributeGenerator g) throws AttributeException { String bpktype = authData.getBPKType(); + + if (MiscUtil.isEmpty(authData.getBPKType())) + throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME); + return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index a8b703fc2..16de43e11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java @@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSourcePIN implements IPVPAttributeBuilder { @@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { + if (MiscUtil.isEmpty(authData.getIdentificationValue())) + throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); + return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue()); } } -- cgit v1.2.3 From 4e18f04f6956db297e4902fc5c55e920816ef903 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 11:20:20 +0200 Subject: add build process for natural person short mandates in case of IDP federation --- .../id/auth/builder/AuthenticationDataBuilder.java | 54 ++++++++++++++++++++-- 1 file changed, 49 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 3c029f261..ed2cd3ecb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -31,7 +31,10 @@ import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; +import java.util.Iterator; import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; @@ -53,6 +56,9 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -487,7 +493,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //build legal person short mandate if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + Logger.debug("Build short mandate for legal person ..."); CorporateBodyType legalperson = new CorporateBodyType(); IdentificationType legalID = new IdentificationType(); Value idvalue = new Value(); @@ -505,10 +512,47 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { - throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); - - - + Logger.debug("Build short mandate for natural person ..."); + PhysicalPersonType physPerson = new PhysicalPersonType(); + PersonNameType persName = new PersonNameType(); + mandator.setPhysicalPerson(physPerson ); + physPerson.setName(persName ); + FamilyName familyName = new FamilyName(); + persName.getFamilyName().add(familyName ); + IdentificationType persID = new IdentificationType(); + physPerson.getIdentification().add(persID ); + Value idValue = new Value(); + persID.setValue(idValue ); + + String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); + for(int i=0; i Date: Wed, 20 Aug 2014 11:21:11 +0200 Subject: add SAML1 'PersonData' attribute builder if no identitylink is available --- .../moa/id/auth/MOAIDAuthConstants.java | 1 + .../protocols/saml1/SAML1AuthenticationServer.java | 93 ++++++++++++++++++---- 2 files changed, 78 insertions(+), 16 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 4cec99b9a..db8b4dd80 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -164,5 +164,6 @@ public interface MOAIDAuthConstants { } }); + public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index fe0d27804..7d3c72630 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -22,15 +22,22 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.saml1; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.List; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import com.sun.xml.bind.marshaller.NamespacePrefixMapper; + import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; @@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.persondata.IdentificationType; +import at.gv.util.xsd.persondata.IdentificationType.Value; +import at.gv.util.xsd.persondata.PersonNameType; +import at.gv.util.xsd.persondata.PersonNameType.FamilyName; +import at.gv.util.xsd.persondata.PhysicalPersonType; public class SAML1AuthenticationServer extends AuthenticationServer { @@ -185,26 +197,75 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() || oaParam.getBusinessService(); - String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), - provideStammzahl); - //set Authblock - String authBlock = saml1parameter.isProvideAUTHBlock() ? authData - .getAuthBlock() : ""; - - //set IdentityLink for assortion + String prPerson = ""; String ilAssertion = ""; - if (saml1parameter.isProvideIdentityLink()) { - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - if (!provideStammzahl) - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); - } - + if (authData.getIdentityLink() != null) { + prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), + provideStammzahl); - String samlAssertion; + //set IdentityLink for assortion + if (saml1parameter.isProvideIdentityLink()) { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); + + if (!provideStammzahl) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); + } + } else { + Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. "); + PhysicalPersonType person = new PhysicalPersonType(); + PersonNameType name = new PersonNameType(); + person.setName(name); + FamilyName familyName = new FamilyName(); + name.getFamilyName().add(familyName ); + IdentificationType id = new IdentificationType(); + person.getIdentification().add(id ); + Value value = new Value(); + id.setValue(value ); + + id.setType(Constants.URN_PREFIX_BASEID); + value.setValue(""); + familyName.setValue(authData.getFamilyName()); + familyName.setPrimary("undefined"); + name.getGivenName().add(authData.getGivenName()); + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata"); + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE); + + m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { + public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { + if (Constants.PD_NS_URI.equals(arg0)) + return Constants.PD_PREFIX; + else + return arg1; + } + }); + + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal( + new JAXBElement(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person), + stream); + prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8")); + stream.close(); + + + + } + + //set Authblock + String authBlock = ""; + if (authData.getAuthBlock() != null) { + authBlock = saml1parameter.isProvideAUTHBlock() ? authData.getAuthBlock() : ""; + + } else { + Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available"); + + } + String samlAssertion; if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); -- cgit v1.2.3 From 7af9d603860dab1b618de7981ae3f0a27ea130db Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 16:47:11 +0200 Subject: solve SLO bug --- .../moa/id/protocols/pvp2x/binding/RedirectBinding.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index f11561c14..587d8e935 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -143,11 +143,11 @@ public class RedirectBinding implements IDecoder, IEncoder { //set metadata descriptor type if (isSPEndPoint) { messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); } else { messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); } } catch (ConfigurationException e) { @@ -206,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder { } public boolean handleDecode(String action, HttpServletRequest req) { - return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() - .equals("GET")); + return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT)) + && req.getMethod().equals("GET")); } public String getSAML2BindingName() { -- cgit v1.2.3 From 5df1984c62b3f214ce9ed368beb9473bce0183e5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 21 Aug 2014 12:09:00 +0200 Subject: fix some problems with Single LogOut --- .../moa/id/moduls/AuthenticationManager.java | 7 ++++--- .../moa/id/protocols/pvp2x/SingleLogOutAction.java | 19 ++++++++++++++----- .../protocols/pvp2x/builder/SingleLogOutBuilder.java | 17 ++++++++++++----- 3 files changed, 30 insertions(+), 13 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 8f9417096..daa70efce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -49,6 +49,7 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleLogoutService; @@ -252,8 +253,8 @@ public class AuthenticationManager extends AuthServlet { VelocityContext context = new VelocityContext(); context.put("redirectURLs", sloReqList); - context.put("$timeoutURL", timeOutURL); - context.put("$timeout", SLOTIMEOUT); + context.put("timeoutURL", timeOutURL); + context.put("timeout", SLOTIMEOUT); ssomanager.printSingleLogOutInfo(context, httpResp); @@ -284,7 +285,7 @@ public class AuthenticationManager extends AuthServlet { Logger.error("MOA AssertionDatabase ERROR", e); if (pvpReq != null) { SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); }else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 46e02d048..b22941216 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction { if (MiscUtil.isEmpty(ssoID)) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; @@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction { } catch (MOADatabaseException e) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; @@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction { ((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { Logger.debug("Process Single LogOut response"); LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse(); - + + Transaction tx = null; + try { String relayState = pvpReq.getRequest().getRelayState(); if (MiscUtil.isEmpty(relayState)) { @@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction { //TODO: add counter to prevent deadlock while (!storageSuccess) { - Transaction tx = session.beginTransaction(); + tx = session.beginTransaction(); List result; Query query = session.getNamedQuery("getAssertionWithArtifact"); @@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction { try { session.delete(element); tx.commit(); - + } catch(HibernateException e) { tx.rollback(); Logger.error("SLOContainter could not deleted from database. "); @@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction { Logger.error("Finale SLO redirct not possible.", e); throw new AuthenticationException("pvp2.13", new Object[]{}); + } finally { + if (tx != null && !tx.wasCommitted()) { + tx.commit(); + + } } + + } else { Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index eeb1dd104..01139d95c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -213,12 +213,13 @@ public class SingleLogOutBuilder { } - + DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); - sloReq.setIssueInstant(new DateTime()); + sloReq.setIssueInstant(now); + sloReq.setNotOnOrAfter(now.plusMinutes(5)); sloReq.setDestination(sloInfo.getServiceURL()); @@ -230,14 +231,17 @@ public class SingleLogOutBuilder { return sloReq; } - public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { + public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException { LogoutResponse sloResp = buildBasicResponse(sloService, spRequest); Status status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(firstLevelStatusCode); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); sloResp.setStatus(status); @@ -255,8 +259,11 @@ public class SingleLogOutBuilder { status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(StatusCode.SUCCESS_URI); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); -- cgit v1.2.3 From a3fe7879ad2363d1bb37588485b6256bfe848d92 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 22 Aug 2014 12:28:35 +0200 Subject: saml1 target parameter update --- .../moa/id/auth/parser/StartAuthentificationParameterParser.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index ff5e62d96..e3f32d59d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -133,7 +133,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetConfig = oaParam.getTarget(); String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); - if (StringUtils.isEmpty(targetConfig)) { + if (StringUtils.isEmpty(targetConfig) + || (module.equals(SAML1Protocol.PATH) && + !StringUtils.isEmpty(target))) { // no target attribut is given in OA config // target is used from request // check parameter -- cgit v1.2.3 From 7d5c3f516ca56afcbee5b886557a5d682cadadcf Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Tue, 26 Aug 2014 16:14:56 +0200 Subject: fixing spcountry issue --- .../main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 33fed945b..d06298efa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1845,7 +1845,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); String spApplication = spInstitution; - String spCountry = "AT"; + String spCountry = "AT"; // intentionally set AT - the flow is limited on that use case only //generate AuthnRquest STORKAuthnRequest authnRequest = new STORKAuthnRequest(); @@ -1855,7 +1855,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authnRequest.setIssuer(issuerValue); authnRequest.setQaa(oaParam.getQaaLevel()); authnRequest.setSpInstitution(spInstitution); - authnRequest.setCountry(spCountry); + authnRequest.setSpCountry(spCountry); authnRequest.setSpApplication(spApplication); authnRequest.setSpSector(spSector); authnRequest.setPersonalAttributeList(attributeList); -- cgit v1.2.3 From c109c1e86a228bd3b3ed49b97e182b3cd2136d00 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Mon, 1 Sep 2014 14:53:36 +0200 Subject: todo gender question --- .../at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 40c358b7e..0ee003e4f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -223,7 +223,7 @@ public class PEPSConnectorServlet extends AuthServlet { moaSession.setUseMandate("true"); // and check if we have the gender value - PersonalAttribute gender = attributeList.get("gender"); + PersonalAttribute gender = attributeList.get("gender"); // TODO Do we need to check gender value if there is no representation case? if(null == gender) { String gendervalue = (String) request.getParameter("gender"); if(null != gendervalue) { -- cgit v1.2.3