From 52ad604e54cb91073503d708cd0c50ff0121174a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 30 May 2018 06:29:29 +0200
Subject: add additional validation to SL20 module

---
 .../auth/builder/SignatureVerificationUtils.java   |  27 +-
 .../id/auth/validator/IdentityLinkValidator.java   | 210 +++++++++++
 .../VerifyXMLSignatureRequestBuilder.java          | 408 +++++++++++++++++++++
 .../VerifyXMLSignatureResponseValidator.java       | 307 ++++++++++++++++
 .../pvp2x/utils/AssertionAttributeExtractor.java   |  98 +++--
 5 files changed, 1018 insertions(+), 32 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
index 9ca15c76f..27d983785 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
@@ -22,6 +22,8 @@
  */
 package at.gv.egovernment.moa.id.auth.builder;
 
+import java.util.List;
+
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 
@@ -74,10 +76,15 @@ public class SignatureVerificationUtils {
 		  }
 	  }
 	  
-	  public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException {		  
+	  public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException {	
+		  return verify(signature, trustProfileID, null);
+		  
+	  }
+	  
+	  public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID,  List<String> verifyTransformsInfoProfileID) throws MOAIDException {		  
 		  try {
 			  //build signature-verification request
-			  Element domVerifyXMLSignatureRequest = build(signature, trustProfileID);
+			  Element domVerifyXMLSignatureRequest = build(signature, trustProfileID, verifyTransformsInfoProfileID);
 
 			  //send signature-verification to MOA-SP 
 			  Element domVerifyXMLSignatureResponse = SignatureVerificationInvoker.getInstance()
@@ -112,7 +119,7 @@ public class SignatureVerificationUtils {
 	   * 
 	   * @throws ParseException
 	   */
-	  private Element build(byte[] signature, String trustProfileID)
+	  private Element build(byte[] signature, String trustProfileID, List<String> verifyTransformsInfoProfileID)
 	    throws ParseException 
 	  { 
 	    try {
@@ -153,6 +160,20 @@ public class SignatureVerificationUtils {
 	      requestElem_.appendChild(signatureManifestCheckParamsElem);
 	      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false");
 
+	      //verify transformations
+	      if (verifyTransformsInfoProfileID != null && !verifyTransformsInfoProfileID.isEmpty()) {
+	    	  Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+	    	  signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+	    	  for (String element : verifyTransformsInfoProfileID) {
+	    		  Element verifyTransformsInfoProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID");
+	              referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem);
+	              verifyTransformsInfoProfileIDElem.appendChild(requestDoc_.createTextNode(element));
+	            
+	    	  }
+	      }
+	      
+	      
+	      //hashinput data
 	      Element returnHashInputDataElem = 
 	        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
 	      requestElem_.appendChild(returnHashInputDataElem);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java
new file mode 100644
index 000000000..f3ce6888b
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java
@@ -0,0 +1,210 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ * 
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ * 
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.validator;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.exception.ValidateException;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.XPathUtils;
+
+/**
+ * This class is used to validate an {@link IdentityLink} 
+ * returned by the security layer
+ * 
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class IdentityLinkValidator implements Constants {
+
+  //
+  // XPath namespace prefix shortcuts
+  //
+  /** Xpath prefix for reaching PersonData Namespaces */
+  private static final String PDATA = PD_PREFIX + ":";
+  /** Xpath prefix for reaching SAML Namespaces */
+  private static final String SAML = SAML_PREFIX + ":";
+  /** Xpath prefix for reaching XML-DSIG Namespaces */
+  private static final String DSIG = DSIG_PREFIX + ":";
+  /** Xpath prefix for reaching ECDSA Namespaces */
+  private static final String ECDSA = ECDSA_PREFIX + ":";
+  /** Xpath expression to the root element */
+  private static final String ROOT = "";
+  /** Xpath expression to the SAML:SubjectConfirmationData element */
+  private static final String SAML_SUBJECT_CONFIRMATION_DATA_XPATH =
+    ROOT
+      + SAML
+      + "AttributeStatement/"
+      + SAML
+      + "Subject/"
+      + SAML
+      + "SubjectConfirmation/"
+      + SAML
+      + "SubjectConfirmationData";
+/** Xpath expression to the PersonData:Person element */
+  private static final String PERSON_XPATH =
+    SAML_SUBJECT_CONFIRMATION_DATA_XPATH + "/" + PDATA + "Person";
+  /** Xpath expression to the SAML:Attribute element */
+  private static final String ATTRIBUTE_XPATH =
+    ROOT + SAML + "AttributeStatement/" + SAML + "Attribute";
+//  /** Xpath expression to the SAML:AttributeName attribute */
+//  private static final String ATTRIBUTE_NAME_XPATH =
+//    ROOT + SAML + "AttributeStatement/" + SAML + "Attribute/@AttributeName";
+//  /** Xpath expression to the SAML:AttributeNamespace attribute */
+//  private static final String ATTRIBUTE_NAMESPACE_XPATH =
+//    ROOT
+//      + SAML
+//      + "AttributeStatement/"
+//      + SAML
+//      + "Attribute/@AttributeNamespace";
+//  /** Xpath expression to the SAML:AttributeValue element */
+//  private static final String ATTRIBUTE_VALUE_XPATH =
+//    ROOT
+//      + SAML
+//      + "AttributeStatement/"
+//      + SAML
+//      + "Attribute/"
+//      + SAML
+//      + "AttributeValue";
+
+  /** Singleton instance. <code>null</code>, if none has been created. */
+  private static IdentityLinkValidator instance;
+
+  /**
+   * Constructor for a singleton IdentityLinkValidator.
+   * @return a new IdentityLinkValidator instance
+   * @throws ValidateException if no instance can be created
+   */
+  public static synchronized IdentityLinkValidator getInstance()
+    throws ValidateException {
+    if (instance == null) {
+      instance = new IdentityLinkValidator();
+    }
+    return instance;
+  }
+
+  /**
+   * Method validate. Validates the {@link IdentityLink} 
+   * @param identityLink The identityLink to validate
+   * @throws ValidateException on any validation error
+   */
+  public void validate(IIdentityLink identityLink) throws ValidateException {
+
+    Element samlAssertion = identityLink.getSamlAssertion();
+    //Search the SAML:ASSERTION Object (A2.054)
+    if (samlAssertion == null) {
+      throw new ValidateException("validator.00", null);
+    }
+
+    // Check how many saml:Assertion/saml:AttributeStatement/
+    //      saml:Subject/ saml:SubjectConfirmation/
+    //      saml:SubjectConfirmationData/pr:Person of type
+    //      PhysicalPersonType exist (A2.056)
+    NodeList nl = XPathUtils.selectNodeList(samlAssertion, PERSON_XPATH);
+    // If we have just one Person-Element we don't need to check the attributes
+    int counterPhysicalPersonType = 0;
+    if (nl.getLength() > 1)
+      for (int i = 0; i < nl.getLength(); i++) {
+        String xsiType =
+          ((Element) nl.item(i))
+            .getAttributeNodeNS(
+              "http://www.w3.org/2001/XMLSchema-instance",
+              "type")
+            .getNodeValue();
+        // We have to check if xsiType contains "PhysicalPersonType"
+        // An equal-check will fail because of the Namespace-prefix of the attribute value
+        if (xsiType.indexOf("PhysicalPersonType") > -1)
+          counterPhysicalPersonType++;
+      }
+    if (counterPhysicalPersonType > 1)
+      throw new ValidateException("validator.01", null);
+
+    //Check the SAML:ATTRIBUTES
+    nl = XPathUtils.selectNodeList(samlAssertion, ATTRIBUTE_XPATH);
+    for (int i = 0; i < nl.getLength(); i++) {
+      String attributeName =
+        XPathUtils.getAttributeValue(
+          (Element) nl.item(i),
+          "@AttributeName",
+          null);
+      String attributeNS =
+        XPathUtils.getAttributeValue(
+          (Element) nl.item(i),
+          "@AttributeNamespace",
+          null);
+      if (attributeName.equals("CitizenPublicKey")) {
+                
+        if (attributeNS.equals("http://www.buergerkarte.at/namespaces/personenbindung/20020506#") ||
+            attributeNS.equals("urn:publicid:gv.at:namespaces:identitylink:1.2")) {
+          Element attributeValue = 
+              (Element) XPathUtils.selectSingleNode((Element) nl.item(i),nSMap, SAML + "AttributeValue/" + DSIG + "RSAKeyValue");          
+           if (attributeValue==null) 
+             attributeValue = 
+               (Element) XPathUtils.selectSingleNode((Element)nl.item(i), nSMap, SAML + "AttributeValue/" + ECDSA + "ECDSAKeyValue");
+           if (attributeValue==null) 
+               attributeValue = 
+                 (Element) XPathUtils.selectSingleNode((Element)nl.item(i), nSMap, SAML + "AttributeValue/" + DSIG + "DSAKeyValue");
+           if (attributeValue == null)
+            throw new ValidateException("validator.02", null);
+                      
+        }
+        else
+          throw new ValidateException("validator.03", new Object [] {attributeNS} );
+      }
+      else
+        throw new ValidateException("validator.04", new Object [] {attributeName} );
+    }
+    
+    //Check if dsig:Signature exists
+     Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion,ROOT + DSIG + "Signature");
+     if (dsigSignature==null) throw new ValidateException("validator.05", new Object[] {"in der Personenbindung"});
+  }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java
new file mode 100644
index 000000000..ae9ff80ae
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java
@@ -0,0 +1,408 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ * 
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ * 
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.validator;
+
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.Constants;
+
+/**
+ * Builder for the <code>&lt;VerifyXMLSignatureRequestBuilder&gt;</code> structure
+ * used for sending the DSIG-Signature of the Security Layer card for validating to MOA-SP.
+ * 
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class VerifyXMLSignatureRequestBuilder {
+  
+  /** shortcut for XMLNS namespace URI */
+  private static final String XMLNS_NS_URI = Constants.XMLNS_NS_URI;
+  /** shortcut for MOA namespace URI */
+  private static final String MOA_NS_URI = Constants.MOA_NS_URI;
+  /** The DSIG-Prefix */
+  private static final String DSIG = Constants.DSIG_PREFIX + ":";
+  
+  /** The document containing the <code>VerifyXMLsignatureRequest</code> */
+  private Document requestDoc_;
+  /** the <code>VerifyXMLsignatureRequest</code> root element */
+  private Element requestElem_;
+  
+  
+  /**
+   * Builds the body for a <code>VerifyXMLsignatureRequest</code> including the root
+   * element and namespace declarations.
+   * 
+   * @throws BuildException If an error occurs on building the document.
+   */
+  public VerifyXMLSignatureRequestBuilder() throws BuildException {
+    try {
+      DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();        
+      requestDoc_ = docBuilder.newDocument();
+      requestElem_ = requestDoc_.createElementNS(MOA_NS_URI, "VerifyXMLSignatureRequest");
+      requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns", MOA_NS_URI);
+      requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns:" + Constants.DSIG_PREFIX, Constants.DSIG_NS_URI);
+      requestDoc_.appendChild(requestElem_);       
+    } catch (Throwable t) {
+      throw new BuildException(
+        "builder.00", 
+        new Object[] {"VerifyXMLSignatureRequest", t.toString()}, 
+        t);
+    }
+  }
+  
+  
+  /**
+   * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
+   * from an IdentityLink with a known trustProfileID which 
+   * has to exist in MOA-SP
+   * @param identityLink - The IdentityLink
+   * @param trustProfileID - a preconfigured TrustProfile at MOA-SP
+   * 
+   * @return Element - The complete request as Dom-Element
+   * 
+   * @throws ParseException
+   */
+  public Element build(IIdentityLink identityLink, String trustProfileID)
+    throws ParseException 
+  { 
+    try {
+      // build the request
+      Element dateTimeElem = requestDoc_.createElementNS(MOA_NS_URI, "DateTime");
+      requestElem_.appendChild(dateTimeElem);
+      Node dateTime = requestDoc_.createTextNode(identityLink.getIssueInstant());
+      dateTimeElem.appendChild(dateTime);
+      Element verifiySignatureInfoElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo");
+      requestElem_.appendChild(verifiySignatureInfoElem);
+      Element verifySignatureEnvironmentElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment");
+      verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem);
+      Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content");
+      verifySignatureEnvironmentElem.appendChild(base64ContentElem);
+      // insert the base64 encoded identity link SAML assertion
+      String serializedAssertion = identityLink.getSerializedSamlAssertion();
+      String base64EncodedAssertion = Base64Utils.encode(serializedAssertion.getBytes("UTF-8"));
+      //replace all '\r' characters by no char.
+      StringBuffer replaced = new StringBuffer();
+      for (int i = 0; i < base64EncodedAssertion.length(); i ++) {
+        char c = base64EncodedAssertion.charAt(i);
+        if (c != '\r') {
+          replaced.append(c);
+        }
+      }
+      base64EncodedAssertion = replaced.toString();
+      Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion);
+      base64ContentElem.appendChild(base64Content);      
+      // specify the signature location
+      Element verifySignatureLocationElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation");
+      verifiySignatureInfoElem.appendChild(verifySignatureLocationElem);
+      Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature");
+      verifySignatureLocationElem.appendChild(signatureLocation);      
+      // signature manifest params
+      Element signatureManifestCheckParamsElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams");
+      requestElem_.appendChild(signatureManifestCheckParamsElem);
+      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false");
+      // add the transforms
+      Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+      signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+      Element[] dsigTransforms = identityLink.getDsigReferenceTransforms();
+      
+      for (int i = 0; i < dsigTransforms.length; i++) {        
+        Element verifyTransformsInfoProfileElem = 
+          requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfile");
+        referenceInfoElem.appendChild(verifyTransformsInfoProfileElem);
+        verifyTransformsInfoProfileElem.appendChild(requestDoc_.importNode(dsigTransforms[i], true));        
+      }
+      Element returnHashInputDataElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
+      requestElem_.appendChild(returnHashInputDataElem);
+      Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID");
+      trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID));
+      requestElem_.appendChild(trustProfileIDElem);
+    } catch (Throwable t) {
+      throw new ParseException("builder.00", 
+        new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t);
+    }
+
+    return requestElem_;
+  }
+  
+  /**
+   * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
+   * from an IdentityLink with a known trustProfileID which 
+   * has to exist in MOA-SP
+   * @param identityLink - The IdentityLink
+   * @param trustProfileID - a preconfigured TrustProfile at MOA-SP
+   * 
+   * @return Element - The complete request as Dom-Element
+   * 
+   * @throws ParseException
+   */
+  public Element build(byte[]mandate, String trustProfileID)
+    throws ParseException 
+  { 
+    try {
+      // build the request
+//      Element dateTimeElem = requestDoc_.createElementNS(MOA_NS_URI, "DateTime");
+//      requestElem_.appendChild(dateTimeElem);
+//      Node dateTime = requestDoc_.createTextNode(identityLink.getIssueInstant());
+//      dateTimeElem.appendChild(dateTime);
+      Element verifiySignatureInfoElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo");
+      requestElem_.appendChild(verifiySignatureInfoElem);
+      Element verifySignatureEnvironmentElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment");
+      verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem);
+      Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content");
+      verifySignatureEnvironmentElem.appendChild(base64ContentElem);
+      // insert the base64 encoded identity link SAML assertion
+      //String serializedAssertion = identityLink.getSerializedSamlAssertion();
+      //String base64EncodedAssertion = Base64Utils.encode(mandate.getBytes("UTF-8"));
+      String base64EncodedAssertion = Base64Utils.encode(mandate);
+      //replace all '\r' characters by no char.
+      StringBuffer replaced = new StringBuffer();
+      for (int i = 0; i < base64EncodedAssertion.length(); i ++) {
+        char c = base64EncodedAssertion.charAt(i);
+        if (c != '\r') {
+          replaced.append(c);
+        }
+      }
+      base64EncodedAssertion = replaced.toString();
+      Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion);
+      base64ContentElem.appendChild(base64Content);      
+      // specify the signature location
+      Element verifySignatureLocationElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation");
+      verifiySignatureInfoElem.appendChild(verifySignatureLocationElem);
+      Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature");
+      verifySignatureLocationElem.appendChild(signatureLocation);      
+      // signature manifest params
+      Element signatureManifestCheckParamsElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams");
+      requestElem_.appendChild(signatureManifestCheckParamsElem);
+      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false");
+//      // add the transforms
+//      Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+//      signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+//      Element[] dsigTransforms = identityLink.getDsigReferenceTransforms();
+//      
+//      for (int i = 0; i < dsigTransforms.length; i++) {        
+//        Element verifyTransformsInfoProfileElem = 
+//          requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfile");
+//        referenceInfoElem.appendChild(verifyTransformsInfoProfileElem);
+//        verifyTransformsInfoProfileElem.appendChild(requestDoc_.importNode(dsigTransforms[i], true));        
+//      }
+      Element returnHashInputDataElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
+      requestElem_.appendChild(returnHashInputDataElem);
+      Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID");
+      trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID));
+      requestElem_.appendChild(trustProfileIDElem);
+    } catch (Throwable t) {
+      throw new ParseException("builder.00", 
+        new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t);
+    }
+
+    return requestElem_;
+  }
+  
+  
+  /**
+   * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
+   * from the signed AUTH-Block with a known trustProfileID which 
+   * has to exist in MOA-SP
+   * @param csr - signed AUTH-Block
+   * @param verifyTransformsInfoProfileID - allowed verifyTransformsInfoProfileID 
+   * @param trustProfileID - a preconfigured TrustProfile at MOA-SP
+   * @return Element - The complete request as Dom-Element
+   * @throws ParseException
+   */
+  public Element build(
+    CreateXMLSignatureResponse csr,
+    List<String> verifyTransformsInfoProfileID,
+    String trustProfileID)
+    throws BuildException { //samlAssertionObject
+    
+    try {
+      // build the request
+//      requestElem_.setAttributeNS(Constants.XMLNS_NS_URI, "xmlns:" 
+//        + Constants.XML_PREFIX, Constants.XMLNS_NS_URI);
+      Element verifiySignatureInfoElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo");
+      requestElem_.appendChild(verifiySignatureInfoElem);
+      Element verifySignatureEnvironmentElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment");
+      verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem);
+      Element xmlContentElem = requestDoc_.createElementNS(MOA_NS_URI, "XMLContent");
+      verifySignatureEnvironmentElem.appendChild(xmlContentElem);
+      xmlContentElem.setAttribute(Constants.XML_PREFIX + ":space", "preserve");
+      // insert the SAML assertion
+      xmlContentElem.appendChild(requestDoc_.importNode(csr.getSamlAssertion(), true));          
+      // specify the signature location
+      Element verifySignatureLocationElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation");
+      verifiySignatureInfoElem.appendChild(verifySignatureLocationElem);
+      Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature");
+      verifySignatureLocationElem.appendChild(signatureLocation);      
+      // signature manifest params
+      Element signatureManifestCheckParamsElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams");
+      requestElem_.appendChild(signatureManifestCheckParamsElem);
+      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "true");
+      // add the transform profile IDs
+      Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+        signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+        
+//      for (int i = 0; i < verifyTransformsInfoProfileID.length; i++) {
+//    	  
+//        Element verifyTransformsInfoProfileIDElem = 
+//          requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID");
+//        referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem);
+//        verifyTransformsInfoProfileIDElem.appendChild(
+//          requestDoc_.createTextNode(verifyTransformsInfoProfileID[i]));        
+//      }
+      
+        for (String element : verifyTransformsInfoProfileID) {
+      	  
+            Element verifyTransformsInfoProfileIDElem = 
+              requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID");
+            referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem);
+            verifyTransformsInfoProfileIDElem.appendChild(
+              requestDoc_.createTextNode(element));        
+          }
+        
+      Element returnHashInputDataElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
+      requestElem_.appendChild(returnHashInputDataElem);
+      Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID");
+      trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID));
+      requestElem_.appendChild(trustProfileIDElem);
+
+    } catch (Throwable t) {
+      throw new BuildException("builder.00", new Object[] { "VerifyXMLSignatureRequest" }, t);
+    }
+
+    return requestElem_;
+  }
+  
+  /**
+   * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
+   * from the signed data with a known trustProfileID which 
+   * has to exist in MOA-SP
+   * @param csr - signed AUTH-Block
+   * @param trustProfileID - a preconfigured TrustProfile at MOA-SP
+   * @return Element - The complete request as Dom-Element
+   * @throws ParseException
+   */
+  public Element buildDsig(
+    CreateXMLSignatureResponse csr,
+    String trustProfileID)
+    throws BuildException { //samlAssertionObject
+    
+    try {
+      // build the request
+//      requestElem_.setAttributeNS(Constants.XMLNS_NS_URI, "xmlns:" 
+//        + Constants.XML_PREFIX, Constants.XMLNS_NS_URI);
+     
+      Element verifiySignatureInfoElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo");
+      requestElem_.appendChild(verifiySignatureInfoElem);
+      Element verifySignatureEnvironmentElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment");
+      verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem);
+      
+      Element xmlContentElem = requestDoc_.createElementNS(MOA_NS_URI, "XMLContent");
+      verifySignatureEnvironmentElem.appendChild(xmlContentElem);
+      xmlContentElem.setAttribute(Constants.XML_PREFIX + ":space", "preserve");
+      
+      // insert the dsig:Signature
+      xmlContentElem.appendChild(requestDoc_.importNode(csr.getDsigSignature(), true));          
+      // specify the signature location
+      Element verifySignatureLocationElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation");
+      verifiySignatureInfoElem.appendChild(verifySignatureLocationElem);
+      Node signatureLocation = requestDoc_.createTextNode("/"+ DSIG + "Signature");
+      verifySignatureLocationElem.appendChild(signatureLocation);      
+      // signature manifest params
+      Element signatureManifestCheckParamsElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams");
+      requestElem_.appendChild(signatureManifestCheckParamsElem);
+      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "true");
+      // add the transform profile IDs
+      Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+        signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+        
+      Element returnHashInputDataElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
+      requestElem_.appendChild(returnHashInputDataElem);
+      Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID");
+      
+      trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID));
+      requestElem_.appendChild(trustProfileIDElem);
+
+    } catch (Throwable t) {
+      throw new BuildException("builder.00", new Object[] { "VerifyXMLSignatureRequest" }, t);
+    }
+
+    return requestElem_;
+  }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
new file mode 100644
index 000000000..832aa58c6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -0,0 +1,307 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ * 
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ * 
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.validator;
+
+import java.security.InvalidKeyException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.ValidateException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import iaik.asn1.structures.Name;
+import iaik.security.ec.common.ECPublicKey;
+import iaik.utils.RFC2253NameParserException;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+
+/**
+ * This class is used to validate an {@link VerifyXMLSignatureResponse} 
+ * returned by MOA-SPSS
+ * 
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class VerifyXMLSignatureResponseValidator {
+  
+  /** Identification string for checking identity link */
+  public static final String CHECK_IDENTITY_LINK = "IdentityLink";
+  /** Identification string for checking authentication block */
+  public static final String CHECK_AUTH_BLOCK = "AuthBlock";
+  
+  /** Singleton instance. <code>null</code>, if none has been created. */
+  private static VerifyXMLSignatureResponseValidator instance;
+
+  /**
+   * Constructor for a singleton VerifyXMLSignatureResponseValidator.
+   */
+  public static synchronized VerifyXMLSignatureResponseValidator getInstance()
+    throws ValidateException {
+    if (instance == null) {
+      instance = new VerifyXMLSignatureResponseValidator();
+    }
+    return instance;
+  }
+
+  /**
+   * Validates a {@link VerifyXMLSignatureResponse} returned by MOA-SPSS. 
+   * 
+   * @param verifyXMLSignatureResponse the <code>&lt;VerifyXMLSignatureResponse&gt;</code>
+   * @param identityLinkSignersSubjectDNNames subject names configured
+   * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
+   * @param oaParam specifies whether the validation result of the 
+   *                                       manifest has to be ignored (identityLink validation if
+   *                                       the OA is a business service) or not
+   * @throws ValidateException on any validation error
+ * @throws ConfigurationException 
+   */
+  public void validate(IVerifiyXMLSignatureResponse verifyXMLSignatureResponse,
+                       List<String> identityLinkSignersSubjectDNNames, 
+                       String whatToCheck,
+                       IOAAuthParameters oaParam)
+    throws ValidateException, ConfigurationException {
+
+    if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
+      throw new ValidateException("validator.06", null);
+      
+    if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
+			String checkFailedReason ="";
+			if (verifyXMLSignatureResponse.getCertificateCheckCode() == 1) 
+				checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.21", null);
+			if (verifyXMLSignatureResponse.getCertificateCheckCode() == 2) 
+				checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.22", null);
+			if (verifyXMLSignatureResponse.getCertificateCheckCode() == 3) 
+				checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.23", null);
+			if (verifyXMLSignatureResponse.getCertificateCheckCode() == 4) 
+				checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.24", null);
+			if (verifyXMLSignatureResponse.getCertificateCheckCode() == 5) 
+				checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.25", null);
+
+//     TEST CARDS
+      if (whatToCheck.equals(CHECK_IDENTITY_LINK))
+        throw new ValidateException("validator.07", new Object[] { checkFailedReason } );
+      else
+        throw new ValidateException("validator.19", new Object[] { checkFailedReason } );
+    }
+    
+    //check QC 
+    if (AuthConfigurationProviderFactory.getInstance().isCertifiacteQCActive() &&
+    		!whatToCheck.equals(CHECK_IDENTITY_LINK) &&
+    		!verifyXMLSignatureResponse.isQualifiedCertificate()) {
+    	    	
+    	//check if testcards are active and certificate has an extension for test credentials
+    	if (oaParam.isTestCredentialEnabled()) {
+        	boolean foundTestCredentialOID = false;
+        	try {
+        		X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate();
+    		
+        		List<String> validOIDs = new ArrayList<String>();
+        		if (oaParam.getTestCredentialOIDs() != null)
+        			validOIDs.addAll(oaParam.getTestCredentialOIDs());
+        		else
+        			validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID);
+    		
+        		Set<String> extentsions = signerCert.getCriticalExtensionOIDs();
+        		extentsions.addAll(signerCert.getNonCriticalExtensionOIDs());
+        		Iterator<String> extit = extentsions.iterator();
+        		while(extit.hasNext()) {
+        			String certOID = extit.next();
+        			for (String el : validOIDs) {
+        				if (certOID.startsWith(el))
+        					foundTestCredentialOID = true;
+        			}    			
+        		}
+        		
+        	} catch (Exception e) {
+        		Logger.warn("Test credential OID extraction FAILED.", e);
+        		
+        	}
+        	//throw Exception if not TestCredentialOID is found
+        	if (!foundTestCredentialOID)
+        		throw new ValidateException("validator.72", null);
+    		
+    	} else    	
+    		throw new ValidateException("validator.71", null);        
+    }
+    
+    // if OA is type is business service the manifest validation result has
+    // to be ignored
+    boolean ignoreManifestValidationResult = false;
+    if (whatToCheck.equals(CHECK_IDENTITY_LINK))    	
+    	ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true
+            : false;
+    
+    if (ignoreManifestValidationResult) {
+      Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
+    } else {
+      if (verifyXMLSignatureResponse.isXmlDSIGManigest())
+        if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0)
+          throw new ValidateException("validator.08", null);
+    }
+    
+    
+    // Check the signature manifest only when verifying the signed AUTHBlock
+    if (whatToCheck.equals(CHECK_AUTH_BLOCK)) {
+      if (verifyXMLSignatureResponse.getSignatureManifestCheckCode() > 0) {
+        throw new ValidateException("validator.50", null);
+      }
+    }
+        
+    //Check whether the returned X509 SubjectName is in the MOA-ID configuration or not
+    if (identityLinkSignersSubjectDNNames != null) {
+      String subjectDN = "";
+      X509Certificate x509Cert = verifyXMLSignatureResponse.getX509certificate();
+      try {
+        subjectDN = ((Name) x509Cert.getSubjectDN()).getRFC2253String();
+      }
+      catch (RFC2253NameParserException e) {
+        throw new ValidateException("validator.17", null);
+      }
+      //System.out.println("subjectDN: " + subjectDN);
+      // check the authorisation to sign the identity link
+      if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+        // subject DN check failed, try OID check:
+        try {
+          if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+            throw new ValidateException("validator.18", new Object[] { subjectDN });
+          } else {
+            Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                         "subjectDN check failed, but OID check successfully passed.");
+          }
+        } catch (X509ExtensionInitException e) {
+          throw new ValidateException("validator.49", null);
+        }
+      } else {
+        Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                     "subjectDN check successfully passed.");
+      }
+      
+    }
+  }
+  
+  /**
+   * Method validateCertificate.
+   * @param verifyXMLSignatureResponse The VerifyXMLSignatureResponse
+   * @param idl The Identitylink
+   * @throws ValidateException
+   */
+  public void validateCertificate(
+    IVerifiyXMLSignatureResponse verifyXMLSignatureResponse,
+    IIdentityLink idl)
+    throws ValidateException {
+
+    X509Certificate x509Response = verifyXMLSignatureResponse.getX509certificate();
+    PublicKey[] pubKeysIdentityLink = (PublicKey[]) idl.getPublicKey();
+
+    PublicKey pubKeySignature = x509Response.getPublicKey();
+    checkIDLAgainstSignatureCertificate(pubKeysIdentityLink, pubKeySignature);
+    
+  }
+  
+  
+  public void checkIDLAgainstSignatureCertificate( PublicKey[] pubKeysIdentityLink, PublicKey pubKeySignature) throws ValidateException {
+    boolean found = false;
+    for (int i = 0; i < pubKeysIdentityLink.length; i++) {
+      PublicKey idlPubKey = pubKeysIdentityLink[i];
+      //compare RSAPublicKeys
+      if ((idlPubKey instanceof java.security.interfaces.RSAPublicKey) &&  
+      		(pubKeySignature instanceof java.security.interfaces.RSAPublicKey)) {
+
+          RSAPublicKey rsaPubKeySignature = (RSAPublicKey) pubKeySignature;
+          RSAPublicKey rsakey = (RSAPublicKey) pubKeysIdentityLink[i];
+          
+          if (rsakey.getModulus().equals(rsaPubKeySignature.getModulus())
+              && rsakey.getPublicExponent().equals(rsaPubKeySignature.getPublicExponent()))
+          found = true;      
+      }
+      
+      //compare ECDSAPublicKeys
+      if( ( (idlPubKey instanceof java.security.interfaces.ECPublicKey) || 
+    		  (idlPubKey instanceof ECPublicKey)) && 
+         ( (pubKeySignature instanceof java.security.interfaces.ECPublicKey) || 
+        		(pubKeySignature instanceof ECPublicKey) ) ) {
+
+		try {
+			ECPublicKey ecdsaPubKeySignature = new ECPublicKey(pubKeySignature.getEncoded());
+			ECPublicKey ecdsakey = new ECPublicKey(pubKeysIdentityLink[i].getEncoded());
+			
+	        if(ecdsakey.equals(ecdsaPubKeySignature))
+	              found = true;
+			
+		} catch (InvalidKeyException e) {
+			Logger.warn("ECPublicKey can not parsed into a iaik.ECPublicKey", e);
+			throw new ValidateException("validator.09", null);
+		}
+          
+          
+
+      }
+      
+//  		Logger.debug("IDL-Pubkey=" + idl.getPublicKey()[i].getClass().getName()
+//  				+ "  Resp-Pubkey=" + pubKeySignature.getClass().getName());
+      
+    }
+
+    if (!found) {
+       	
+      throw new ValidateException("validator.09", null);
+            
+    }
+  }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 9d585bc86..05bb16d0d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -63,6 +63,7 @@ public class AssertionAttributeExtractor {
 			PVPConstants.EID_SOURCE_PIN_NAME,
 			PVPConstants.EID_SOURCE_PIN_TYPE_NAME);
 	
+
 	/**
 	 * Parse the SAML2 Response element and extracts included information
 	 * <br><br>
@@ -81,36 +82,25 @@ public class AssertionAttributeExtractor {
 				Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used.");
 			
 			assertion = assertions.get(0);
-
-			if (assertion.getAttributeStatements() != null &&
-					assertion.getAttributeStatements().size() > 0) {
-				AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
-				for (Attribute attr : attrStat.getAttributes()) {
-					if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {							
-						List<String> storkAttrValues = new ArrayList<String>();
-						for (XMLObject el : attr.getAttributeValues())
-							storkAttrValues.add(el.getDOM().getTextContent());
-						
-//						PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), 
-//								false, storkAttrValues , "Available");
-//						storkAttributes.put(attr.getName(), storkAttr );
-						
-					} else {
-						List<String> attrList = new ArrayList<String>();
-						for (XMLObject el : attr.getAttributeValues())
-							attrList.add(el.getDOM().getTextContent());
-
-						attributs.put(attr.getName(), attrList);
-												
-					}
-			}
-				
-			}
-						
+			internalInitialize();
+			
 		} else 
-			throw new AssertionAttributeExtractorExeption();		
+			throw new AssertionAttributeExtractorExeption();
 	}
-
+	
+	/**
+	 * Parse the SAML2 Assertion element and extracts included information
+	 * <br><br>
+	 * 
+	 * @param assertion SAML2 Assertion
+	 * @throws AssertionAttributeExtractorExeption
+	 */
+	public AssertionAttributeExtractor(Assertion assertion) throws AssertionAttributeExtractorExeption {			
+			this.assertion = assertion;
+			internalInitialize();
+			
+	}
+	
 	/**
 	 * Get all SAML2 attributes from first SAML2 AttributeStatement element
 	 * 
@@ -274,7 +264,30 @@ public class AssertionAttributeExtractor {
 			
 		} 
 		
-		return getFullAssertion().getConditions().getNotOnOrAfter().toDate();
+		try {
+			return getFullAssertion().getConditions().getNotOnOrAfter().toDate();
+			
+		} catch (NullPointerException e) {
+			return null;
+			
+		}
+	}
+	
+	/**
+	 * Get the Assertion validFrom period
+	 * 
+     * This method returns value of  SAML 'Conditions' element. 
+	 * 
+	 * @return Date, after this SAML2 assertion is valid, otherwise null
+	 */
+	public Date getAssertionNotBefore() {
+		try {
+			return getFullAssertion().getConditions().getNotBefore().toDate();
+			
+		} catch (NullPointerException e) {
+			return null;
+			
+		}
 					
 	}
 	
@@ -288,5 +301,32 @@ public class AssertionAttributeExtractor {
 		
 		return authnList.get(0);
 	}
+	
+	private void internalInitialize() {
+		internalInitialize();
+		if (assertion.getAttributeStatements() != null &&
+				assertion.getAttributeStatements().size() > 0) {
+			AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
+			for (Attribute attr : attrStat.getAttributes()) {
+				if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) {							
+					List<String> storkAttrValues = new ArrayList<String>();
+					for (XMLObject el : attr.getAttributeValues())
+						storkAttrValues.add(el.getDOM().getTextContent());
+					
+//					PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), 
+//							false, storkAttrValues , "Available");
+//					storkAttributes.put(attr.getName(), storkAttr );
+					
+				} else {
+					List<String> attrList = new ArrayList<String>();
+					for (XMLObject el : attr.getAttributeValues())
+						attrList.add(el.getDOM().getTextContent());
+
+					attributs.put(attr.getName(), attrList);
+											
+				}
+			}	
+		}	
+	}
 
 }
-- 
cgit v1.2.3


From ecf9de84e76dde785ced8c1632c7909d1d57f94a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 30 May 2018 14:36:39 +0200
Subject: add error handling and some more validation to SL2.0 module

---
 .../pvp2x/utils/AssertionAttributeExtractor.java    |  6 ++++++
 .../moa/id/protocols/pvp2x/utils/SAML2Utils.java    | 21 +++++++++++++++++++++
 .../metadata/SchemaValidationFilter.java            | 11 ++---------
 .../resources/properties/id_messages_de.properties  |  3 ++-
 .../protocol_response_statuscodes_de.properties     |  4 ++++
 5 files changed, 35 insertions(+), 10 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 05bb16d0d..5b1d952ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -196,6 +196,12 @@ public class AssertionAttributeExtractor {
 //	}
 	
 	
+	public String getAssertionID() {
+		return assertion.getID();
+		
+	}
+	
+	
 	public String getNameID() throws AssertionAttributeExtractorExeption {		
 		if (assertion.getSubject() != null) {
 			Subject subject = assertion.getSubject();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
index 28a85b4af..da4b54a5a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
@@ -31,9 +31,13 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.Validator;
 
 import org.opensaml.Configuration;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
@@ -47,6 +51,7 @@ import org.opensaml.xml.io.MarshallingException;
 import org.w3c.dom.Document;
 
 import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.logging.Logger;
 
 public class SAML2Utils {
 
@@ -142,4 +147,20 @@ public class SAML2Utils {
          
         return envelope;
     }
+    
+    public static void schemeValidation(XMLObject xmlObject) throws Exception {
+    	try {
+			Schema test = SAMLSchemaBuilder.getSAML11Schema();
+			Validator val = test.newValidator();
+			DOMSource source = new DOMSource(xmlObject.getDOM());		
+			val.validate(source);
+			Logger.debug("SAML2 Scheme validation successful");
+			return;
+		
+		} catch (Exception e) {
+			Logger.warn("SAML2 scheme validation FAILED.", e);
+			throw e;
+			
+		}
+    }
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
index 83a2b61d2..489d2fb4a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
@@ -22,11 +22,6 @@
  */
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.Validator;
-
-import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.xml.XMLObject;
 import org.xml.sax.SAXException;
@@ -34,6 +29,7 @@ import org.xml.sax.SAXException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 
 /**
@@ -71,10 +67,7 @@ public class SchemaValidationFilter implements MetadataFilter {
 		
 		if (isActive) {
 			try {
-				Schema test = SAMLSchemaBuilder.getSAML11Schema();
-				Validator val = test.newValidator();
-				DOMSource source = new DOMSource(arg0.getDOM());		
-				val.validate(source);
+				SAML2Utils.schemeValidation(arg0);
 				Logger.info("Metadata Schema validation check done OK");
 				return;
 			
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 9cc4b0b5e..84fd93773 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -344,4 +344,5 @@ sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}
 sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
 sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
 sl20.06=Http transport-binding error. Reason: {0} 
-
+sl20.07=Fehler beim Validieren der eID information. Type: {0} Reason: {1}
+sl20.08=SL2.0 Teilnehmer antwortet mit einem Fehler. Code: {0} Reason: {1}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 6de581cae..d77ea437b 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -258,6 +258,10 @@ sl20.01=14000
 sl20.02=14001
 sl20.03=14800
 sl20.04=14001
+sl20.05=xxxxx
+sl20.06=xxxxx
+sl20.07=xxxxx
+sl20.08=xxxxx
 
 ##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
 mis.301=1005
-- 
cgit v1.2.3


From 709197ce12c5502f86e16da1167b97ca318f47fa Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 10:44:40 +0200
Subject: implement user restriction based on whitelisting

---
 .../internal/tasks/UserRestrictionTask.java        | 85 ++++++++++++++++++++++
 .../id/config/auth/data/UserWhitelistStore.java    | 73 +++++++++++++++++++
 .../main/resources/moaid.authentication.beans.xml  |  9 ++-
 .../resources/properties/id_messages_de.properties |  2 +
 .../protocol_response_statuscodes_de.properties    |  2 +
 5 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
new file mode 100644
index 000000000..4853a5ab6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
@@ -0,0 +1,85 @@
+package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class UserRestrictionTask extends AbstractAuthServletTask {
+		
+	public static final String CONFIG_PROPS_SP_LIST = "configuration.restrictions.sp.entityIds";
+	public static final String CONFIG_PROPS_CSV_USER_FILE = "configuration.restrictions.sp.users.url";
+	public static final String CONFIG_PROPS_CSV_USER_SECTOR = "configuration.restrictions.sp.users.sector";
+	
+	@Autowired(required=true) UserWhitelistStore whitelist;
+	
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		try {			
+			String spEntityId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();			
+			List<String> restrictedSPs = KeyValueUtils.getListOfCSVValues(authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_SP_LIST));						
+			if (restrictedSPs.contains(spEntityId)) {
+				Logger.debug("SP:" + spEntityId + " has a user restrication. Check users bPK ... ");				
+				defaultTaskInitialization(request, executionContext);;
+				
+				//check if user idl is already loaded
+				if (moasession.getIdentityLink() == null) {
+					Logger.warn("PendingRequest contains NO IdentityLink. User restrictation NOT possible!");
+					throw new MOAIDException("process.03", null);
+					
+				}
+				
+				//calculate whitelist bPK for current user
+				String bpkTarget = authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_CSV_USER_SECTOR);
+				if (MiscUtil.isEmpty(bpkTarget)) {
+					Logger.info("NO bPK sector for user whitelist in configuration");
+					throw new MOAIDException("config.05", new Object[] {CONFIG_PROPS_CSV_USER_SECTOR});
+					
+				}
+				
+				Pair<String, String> pseudonym = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+						moasession.getIdentityLink().getIdentificationValue(), 
+						moasession.getIdentityLink().getIdentificationType(), 
+						bpkTarget);
+				
+				
+				//check if user's bPK is whitelisted 
+				if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) {
+					Logger.info("User's bPK is not whitelisted. Authentication process stops ...");
+					Logger.trace("User's bPK: " + pseudonym.getFirst());
+					throw new MOAIDException("auth.35", null);
+					
+				}
+				
+				Logger.debug("User was found in whitelist. Continue authentication process ... ");
+				
+			} else
+				Logger.trace("SP: " + spEntityId + " has no user restrication.");
+			
+			
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.warn("RestartAuthProzessManagement has an internal error", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}		
+
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
new file mode 100644
index 000000000..a300739b3
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -0,0 +1,73 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.io.IOUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+@Service("UserWhiteList_Store")
+public class UserWhitelistStore {
+
+	@Autowired(required=true) AuthConfiguration authConfig;
+	
+	private List<String> whitelist = new ArrayList<String>();
+	
+	@PostConstruct
+	private void initialize() {
+		String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE);
+		if (MiscUtil.isEmpty(whiteListUrl)) 
+			Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file.");
+		
+		else {
+			String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir());
+			try {			
+				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
+				String whiteListString = IOUtils.toString(new InputStreamReader(is));
+				whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString));
+				Logger.info("User whitelist is initialized with " + whitelist.size() + " entries.");
+				 
+			} catch (FileNotFoundException e) {
+				Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e);
+
+			} catch (IOException e) {
+				Logger.warn("Do not initialize user whitelist. Reason: CSV file is NOT readable", e);
+				
+			} catch (URISyntaxException e) {
+				Logger.warn("Do not initialize user whitelist. Reason: CSV file looks wrong", e);
+				
+			}
+			
+		}
+		
+	}
+	
+	/**
+	 * Check if bPK is in whitelist
+	 * 
+	 * @param bPK
+	 * @return true if bPK is in whitelist, otherwise false
+	 */
+	public boolean isUserbPKInWhitelist(String bPK) {		
+		return whitelist.contains(bPK);
+		
+	}
+}
diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
index ba8c47304..dc3022ab4 100644
--- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
+++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
@@ -42,6 +42,9 @@
 	<bean id="MOAID_SSOManager" 
 				class="at.gv.egovernment.moa.id.moduls.SSOManager"/>
 
+	<bean id="UserWhiteList_Store" 
+				class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/>
+
 	
 
 	<bean id="AuthenticationSessionStoreage" 
@@ -91,7 +94,11 @@
 				
 	<bean id="EvaluateSSOConsentsTaskImpl" 
 				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl"
-				scope="prototype"/>		
+				scope="prototype"/>
+				
+	<bean id="UserRestrictionTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask"
+				scope="prototype"/>			
 				
 	<beans profile="advancedLogOn">
 		<bean id="StatisticLogger" 
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 84fd93773..799b32025 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -52,6 +52,7 @@ auth.31=Federated authentication FAILED. No information for AttributeQuery, mayb
 auth.32=Federated authentication FAILED. No configuration for IDP {0}
 auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages. 
 auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
+auth.35=Der Anmeldevorgang wurde automatisiert abgebrochen, da der Benutzer nicht für dieses Onlineapplikation berechtigt ist. 
 
 init.00=MOA-ID-Auth wurde erfolgreich gestartet
 init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
@@ -336,6 +337,7 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
 process.01=Fehler beim Ausf\u00FChren des Prozesses.
 process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
 process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
+process.03=Fehler beim Ausf\u00FChren des Prozesses. Interner state ung\u00FCltig.
 
 sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
 sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index d77ea437b..dae88889f 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -32,6 +32,7 @@ auth.31=4400
 auth.32=4401
 auth.33=4401
 auth.34=4401
+auth.35=1111
 
 init.00=9199
 init.01=9199
@@ -103,6 +104,7 @@ service.10=4500
 process.01=9104
 process.02=9104
 process.03=9105
+process.03=9104
  
 sp.pvp2.00=4501
 sp.pvp2.01=4501
-- 
cgit v1.2.3


From 84a55fe8bec3924102bd2217f7e39e7a698f2829 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 10:46:09 +0200
Subject: update moa-sig to 3.1.2 to get signing time in XML signature
 verification result

---
 .../auth/invoke/SignatureVerificationInvoker.java  | 77 ++++++++++------------
 .../parser/VerifyXMLSignatureResponseParser.java   | 20 ++++--
 2 files changed, 52 insertions(+), 45 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
index d5ca89656..d2d39e9e6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
@@ -52,10 +52,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.exception.ServiceException;
-import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
-import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.spss.MOAException;
 import at.gv.egovernment.moa.spss.api.SignatureVerificationService;
 import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
@@ -64,7 +61,6 @@ import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser;
 import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder;
 import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
 import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
-import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.Logger;
 
 /**
@@ -93,22 +89,22 @@ public class SignatureVerificationInvoker {
   }
   
   private SignatureVerificationInvoker() {	  
-    try {
-    	AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance();
-		ConnectionParameterInterface authConnParam = authConfigProvider.getMoaSpConnectionParameter();
+//    try {
+//    	AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance();
+//		ConnectionParameterInterface authConnParam = authConfigProvider.getMoaSpConnectionParameter();
 		
-		if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) {
-			
-			
-		} else {
+//		if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) {
+//			
+//			
+//		} else {
 			svs = SignatureVerificationService.getInstance();
 			
-		}
+//		}
 		
-	} catch (ConfigurationException e) {
-		// TODO Auto-generated catch block
-		e.printStackTrace();
-	}
+//	} catch (ConfigurationException e) {
+//		// TODO Auto-generated catch block
+//		e.printStackTrace();
+//	}
 	  
   }
   
@@ -144,35 +140,34 @@ public class SignatureVerificationInvoker {
   protected Element doCall(QName serviceName, Element request) throws ServiceException {
 	  ConnectionParameterInterface authConnParam = null;
     try {      
-      AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance();
-      authConnParam = authConfigProvider.getMoaSpConnectionParameter();
-      //If the ConnectionParameter do NOT exist, we try to get the api to work....
-      if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) {
-    	  
-    	  throw new ServiceException("service.00", new Object[]{"MOA-SP connection via Web-Service is not allowed any more!!!!!!"});
-//        Service service = ServiceFactory.newInstance().createService(serviceName);
-//        Call call = service.createCall();
-//        SOAPBodyElement body = new SOAPBodyElement(request);
-//        SOAPBodyElement[] params = new SOAPBodyElement[] { body };
-//        Vector responses;
-//        SOAPBodyElement response;
+//      AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance();
+//      authConnParam = authConfigProvider.getMoaSpConnectionParameter();
+//      //If the ConnectionParameter do NOT exist, we try to get the api to work....
+//      if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) {
 //    	  
-//        Logger.debug("Connecting using auth url: " + authConnParam.getUrl() + ", service " + serviceName.getNamespaceURI() + " : " + serviceName.getLocalPart() + " : "+ serviceName.getPrefix());
-//        call.setTargetEndpointAddress(authConnParam.getUrl());
-//        responses = (Vector) call.invoke(serviceName, params);
-//        Logger.debug("Got responses: " + responses.size()); // TODO handle axis 302 response when incorrect service url is used
-//        response = (SOAPBodyElement) responses.get(0);
-//        return response.getAsDOM();
-      }
-      else {
-        VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(request);
-		
+//    	  throw new ServiceException("service.00", new Object[]{"MOA-SP connection via Web-Service is not allowed any more!!!!!!"});
+////        Service service = ServiceFactory.newInstance().createService(serviceName);
+////        Call call = service.createCall();
+////        SOAPBodyElement body = new SOAPBodyElement(request);
+////        SOAPBodyElement[] params = new SOAPBodyElement[] { body };
+////        Vector responses;
+////        SOAPBodyElement response;
+////    	  
+////        Logger.debug("Connecting using auth url: " + authConnParam.getUrl() + ", service " + serviceName.getNamespaceURI() + " : " + serviceName.getLocalPart() + " : "+ serviceName.getPrefix());
+////        call.setTargetEndpointAddress(authConnParam.getUrl());
+////        responses = (Vector) call.invoke(serviceName, params);
+////        Logger.debug("Got responses: " + responses.size()); // TODO handle axis 302 response when incorrect service url is used
+////        response = (SOAPBodyElement) responses.get(0);
+////        return response.getAsDOM();
+//      }
+//      else {
+        VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(request);		
         VerifyXMLSignatureResponse vsresponse = svs.verifyXMLSignature(vsrequest);
-        Document result = new VerifyXMLSignatureResponseBuilder().build(vsresponse);
-
+        Document result = new VerifyXMLSignatureResponseBuilder(true).build(vsresponse);
+       
         //Logger.setHierarchy("moa.id.auth");
         return result.getDocumentElement();
-      }
+//      }
     }
     catch (Exception ex) {
       if (authConnParam != null) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
index b54a43fff..0fba2d3f6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
@@ -46,12 +46,11 @@
 
 package at.gv.egovernment.moa.id.auth.parser;
 
-import iaik.utils.Base64InputStream;
-import iaik.x509.X509Certificate;
-
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 
+import org.joda.time.DateTime;
+import org.joda.time.format.ISODateTimeFormat;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
@@ -59,7 +58,10 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.XPathUtils;
+import iaik.utils.Base64InputStream;
+import iaik.x509.X509Certificate;
 
 /**
  * Parses a <code>&lt;VerifyXMLSignatureResponse&gt;</code> returned by
@@ -115,6 +117,9 @@ public class VerifyXMLSignatureResponseParser {
   private static final String CERTIFICATE_CHECK_CODE_XPATH = 
    ROOT + MOA + "CertificateCheck/" + MOA + "Code";
   
+  private static final String SIGNING_TIME_XPATH = 
+		  ROOT + MOA + "SigningTime";
+  
     
   /** This is the root element of the XML-Document provided by the Security Layer Card*/
   private Element verifyXMLSignatureResponse;
@@ -200,7 +205,14 @@ public class VerifyXMLSignatureResponseParser {
       if (signatureManifestCheckCode != null) {
         respData.setSignatureManifestCheckCode(new Integer(signatureManifestCheckCode).intValue());
       }
-      respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue());             
+      respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue());
+      
+      String signingTimeElement = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNING_TIME_XPATH,"");
+      if (MiscUtil.isNotEmpty(signingTimeElement)) {
+    	  DateTime datetime = ISODateTimeFormat.dateTimeNoMillis().parseDateTime(signingTimeElement);
+    	  respData.setSigningDateTime(datetime.toDate());
+    	  
+      }
     }
     catch (Throwable t) {
       throw new ParseException("parser.01", null, t);
-- 
cgit v1.2.3


From cd5cef47db73c85cbb2defdec3b283655fdc859b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 10:46:41 +0200
Subject: update SL20 implementation

---
 .../validator/VerifyXMLSignatureResponseValidator.java |  7 ++++---
 .../moa/id/moduls/AuthenticationManager.java           | 18 +++++++++++-------
 .../pvp2x/utils/AssertionAttributeExtractor.java       |  1 -
 3 files changed, 15 insertions(+), 11 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 832aa58c6..407454c2a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -57,12 +57,12 @@ import java.util.Set;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.exception.ValidateException;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.logging.Logger;
 import iaik.asn1.structures.Name;
 import iaik.security.ec.common.ECPublicKey;
@@ -113,7 +113,8 @@ public class VerifyXMLSignatureResponseValidator {
   public void validate(IVerifiyXMLSignatureResponse verifyXMLSignatureResponse,
                        List<String> identityLinkSignersSubjectDNNames, 
                        String whatToCheck,
-                       IOAAuthParameters oaParam)
+                       IOAAuthParameters oaParam,
+                       AuthConfiguration authConfig)
     throws ValidateException, ConfigurationException {
 
     if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
@@ -140,7 +141,7 @@ public class VerifyXMLSignatureResponseValidator {
     }
     
     //check QC 
-    if (AuthConfigurationProviderFactory.getInstance().isCertifiacteQCActive() &&
+    if (authConfig.isCertifiacteQCActive() &&
     		!whatToCheck.equals(CHECK_IDENTITY_LINK) &&
     		!verifyXMLSignatureResponse.isQualifiedCertificate()) {
     	    	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index a24683545..e093ce1e2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -317,9 +317,10 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	 * @param httpReqParam http parameter name, but never null
 	 */
 	public void addParameterNameToWhiteList(String httpReqParam) {
-		if (MiscUtil.isNotEmpty(httpReqParam))
-			reqParameterWhiteListeForModules.add(httpReqParam);
-		
+		if (MiscUtil.isNotEmpty(httpReqParam)) {
+			if (!reqParameterWhiteListeForModules.contains(httpReqParam))
+				reqParameterWhiteListeForModules.add(httpReqParam);
+		}
 	}
 	
 	/**
@@ -328,8 +329,11 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	 * @param httpReqParam http header name, but never null
 	 */
 	public void addHeaderNameToWhiteList(String httpReqParam) {
-		if (MiscUtil.isNotEmpty(httpReqParam))
-			reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+		if (MiscUtil.isNotEmpty(httpReqParam)) {
+			if (!reqHeaderWhiteListeForModules.contains(httpReqParam.toLowerCase()))
+				reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+			
+		}
 		
 	}
 	
@@ -439,8 +443,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			while(reqHeaderNames.hasMoreElements()) { 
 				String paramName = reqHeaderNames.nextElement();
 				if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
-					executionContext.put(paramName, 
-							StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));				
+					executionContext.put(paramName.toLowerCase(), 
+							StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName.toLowerCase())));				
 				}
 			}			
 		}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 5b1d952ff..4a0cec6e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -309,7 +309,6 @@ public class AssertionAttributeExtractor {
 	}
 	
 	private void internalInitialize() {
-		internalInitialize();
 		if (assertion.getAttributeStatements() != null &&
 				assertion.getAttributeStatements().size() > 0) {
 			AttributeStatement attrStat = assertion.getAttributeStatements().get(0);
-- 
cgit v1.2.3


From a06f94c9da130af5cf755b7d6465c8905d37d75b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 15:05:50 +0200
Subject: add one method to AssertionAttributeExtractor and add some log
 messages

---
 .../pvp2x/utils/AssertionAttributeExtractor.java   | 57 +++++++++++++++++++---
 1 file changed, 50 insertions(+), 7 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 4a0cec6e4..bdfb11d34 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -34,6 +34,8 @@ import java.util.Set;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
 import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnStatement;
 import org.opensaml.saml2.core.Response;
@@ -191,17 +193,22 @@ public class AssertionAttributeExtractor {
 		
 	}
 	
-//	public PersonalAttributeList getSTORKAttributes() {
-//		return storkAttributes;
-//	}
-	
-	
+	/**
+	 * Get the Id attribute from SAML2 assertion
+	 * 
+	 * @return
+	 */
 	public String getAssertionID() {
 		return assertion.getID();
 		
 	}
 	
-	
+	/**
+	 * Get the subjectNameId from SAML2 Assertion
+	 * 
+	 * @return nameId but never null
+	 * @throws AssertionAttributeExtractorExeption
+	 */
 	public String getNameID() throws AssertionAttributeExtractorExeption {		
 		if (assertion.getSubject() != null) {
 			Subject subject = assertion.getSubject();
@@ -218,6 +225,12 @@ public class AssertionAttributeExtractor {
 		throw new AssertionAttributeExtractorExeption("nameID");
 	}
 	
+	/**
+	 * Get get SessionIndex from SAML2 assertion
+	 * 
+	 * @return sessionIndex but never null
+	 * @throws AssertionAttributeExtractorExeption
+	 */
 	public String getSessionIndex() throws AssertionAttributeExtractorExeption {		
 		AuthnStatement authn = getAuthnStatement();
 		
@@ -229,7 +242,9 @@ public class AssertionAttributeExtractor {
 	}
 
 	/**
-	 * @return
+	 * Get the LoA (QAA level) from assertion. This information is extracted from AuthnContext and AuthnContextClassRef
+	 * 
+	 * @return LoA but never null
 	 * @throws AssertionAttributeExtractorExeption 
 	 */
 	public String getQAALevel() throws AssertionAttributeExtractorExeption {
@@ -247,6 +262,11 @@ public class AssertionAttributeExtractor {
 		throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");		
 	}
 	
+	/**
+	 * Get full SAML2 assertion
+	 * 
+	 * @return
+	 */
 	public Assertion getFullAssertion() {
 		return assertion;
 	}
@@ -297,6 +317,29 @@ public class AssertionAttributeExtractor {
 					
 	}
 	
+	/**
+	 * Get the AudienceRestriction from SAML2 Assertion
+	 * 
+	 * @return AudienceRestriction, but never null
+	 * @throws AssertionAttributeExtractorExeption 
+	 */
+	public List<Audience> getAudienceRestriction( ) throws AssertionAttributeExtractorExeption {
+		try {
+			List<AudienceRestriction> rest = getFullAssertion().getConditions().getAudienceRestrictions();
+			if (rest != null && rest.size() != 0) {
+				if (rest.size() == 1 && rest.get(0) != null)
+					return rest.get(0).getAudiences();
+				
+				else
+					Logger.warn("More than one 'AudienceRestriction'! Extraction currently NOT supported");
+			}
+			
+		} catch (NullPointerException e) { }
+		
+		throw new AssertionAttributeExtractorExeption("AudienceRestriction");
+		
+	}
+	
 	private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {
 		List<AuthnStatement> authnList = assertion.getAuthnStatements();
 		if (authnList.size() == 0)
-- 
cgit v1.2.3


From ac21c6be50070c34dd20abe07e0f95ff33751804 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 6 Jun 2018 11:22:25 +0200
Subject: refactor user whitelist to allow list updates without restarting the
 IDP

---
 .../internal/tasks/UserRestrictionTask.java        |  2 +-
 .../id/config/auth/data/UserWhitelistStore.java    | 27 +++++++++++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
index 4853a5ab6..5d0580464 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
@@ -58,7 +58,7 @@ public class UserRestrictionTask extends AbstractAuthServletTask {
 				
 				
 				//check if user's bPK is whitelisted 
-				if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) {
+				if (!whitelist.isUserbPKInWhitelistDynamic(pseudonym.getFirst())) {
 					Logger.info("User's bPK is not whitelisted. Authentication process stops ...");
 					Logger.trace("User's bPK: " + pseudonym.getFirst());
 					throw new MOAIDException("auth.35", null);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
index a300739b3..71bd0f3c0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -30,6 +30,7 @@ public class UserWhitelistStore {
 	@Autowired(required=true) AuthConfiguration authConfig;
 	
 	private List<String> whitelist = new ArrayList<String>();
+	private String absWhiteListUrl = null;
 	
 	@PostConstruct
 	private void initialize() {
@@ -38,7 +39,7 @@ public class UserWhitelistStore {
 			Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file.");
 		
 		else {
-			String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir());
+			absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir());
 			try {			
 				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
 				String whiteListString = IOUtils.toString(new InputStreamReader(is));
@@ -70,4 +71,28 @@ public class UserWhitelistStore {
 		return whitelist.contains(bPK);
 		
 	}
+	
+	public boolean isUserbPKInWhitelistDynamic(String bPK) {
+		try {
+			if (absWhiteListUrl != null) {
+				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
+				String whiteListString = IOUtils.toString(new InputStreamReader(is));
+				if (whiteListString != null && whiteListString.contains(bPK)) {
+					Logger.trace("Find user with dynamic whitelist check");
+					return true;
+							
+				} else {
+					Logger.debug("Can NOT find user in dynamic loaded user whitelist. Switch to static version ... ");
+					return isUserbPKInWhitelist(bPK);
+				}
+			
+			}
+		} catch (Exception e) {
+			Logger.warn("Dynamic user whitelist check FAILED. Switch to static version ... ", e);
+			
+		}
+		
+		return isUserbPKInWhitelist(bPK);
+	}
+	
 }
-- 
cgit v1.2.3


From ad02267b4f5c7e21cc929dd3d322771da087b0db Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 6 Jun 2018 14:13:38 +0200
Subject: return checkcode false if no whitelist was loaded

---
 .../gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
index 71bd0f3c0..38bcfa2af 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -67,8 +67,11 @@ public class UserWhitelistStore {
 	 * @param bPK
 	 * @return true if bPK is in whitelist, otherwise false
 	 */
-	public boolean isUserbPKInWhitelist(String bPK) {		
-		return whitelist.contains(bPK);
+	public boolean isUserbPKInWhitelist(String bPK) {
+		if (whitelist != null)
+			return whitelist.contains(bPK);
+		else
+			return false;
 		
 	}
 	
-- 
cgit v1.2.3


From ea49cd41d7ae571f8156f7b2ac02c9e2a6f86ca6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Mon, 11 Jun 2018 20:08:41 +0200
Subject: add jUnit for user-restrication whitelist-store

---
 .../id/config/auth/data/UserWhitelistStore.java    |  40 ++-
 .../moa/id/config/auth/data/DummyAuthConfig.java   | 387 +++++++++++++++++++++
 .../auth/data/UserRestrictionWhiteListTest.java    | 136 ++++++++
 .../src/test/resources/BPK-Whitelist_20180607.csv  |  10 +
 .../SpringTest-context_basic_user_whitelist.xml    |  18 +
 5 files changed, 588 insertions(+), 3 deletions(-)
 create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
 create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java
 create mode 100644 id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv
 create mode 100644 id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
index 38bcfa2af..a90d71a18 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -43,8 +43,24 @@ public class UserWhitelistStore {
 			try {			
 				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
 				String whiteListString = IOUtils.toString(new InputStreamReader(is));
-				whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString));
+				List<String> preWhitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString));
+				
+				//remove prefix if required
+				for (String bPK : preWhitelist) {
+					String[] bPKSplit = bPK.split(":");
+					if (bPKSplit.length == 1)
+						whitelist.add(bPK);
+					
+					else if (bPKSplit.length ==2 )
+						whitelist.add(bPKSplit[1]);
+					
+					else
+						Logger.info("Whitelist entry: " + bPK + " has an unsupported format. Entry will be removed ...");
+						
+				}
+				
 				Logger.info("User whitelist is initialized with " + whitelist.size() + " entries.");
+					
 				 
 			} catch (FileNotFoundException e) {
 				Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e);
@@ -61,6 +77,15 @@ public class UserWhitelistStore {
 		
 	}
 	
+	/**
+	 * Get the number of entries of the static whitelist
+	 * 
+	 * @return
+	 */
+	public int getNumberOfEntries() {
+		return whitelist.size();
+	}
+	
 	/**
 	 * Check if bPK is in whitelist
 	 * 
@@ -76,6 +101,11 @@ public class UserWhitelistStore {
 	}
 	
 	public boolean isUserbPKInWhitelistDynamic(String bPK) {
+		return isUserbPKInWhitelistDynamic(bPK, false);
+		
+	}
+	
+	public boolean isUserbPKInWhitelistDynamic(String bPK, boolean onlyDynamic) {
 		try {
 			if (absWhiteListUrl != null) {
 				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
@@ -86,7 +116,8 @@ public class UserWhitelistStore {
 							
 				} else {
 					Logger.debug("Can NOT find user in dynamic loaded user whitelist. Switch to static version ... ");
-					return isUserbPKInWhitelist(bPK);
+					if (!onlyDynamic)
+						return isUserbPKInWhitelist(bPK);
 				}
 			
 			}
@@ -94,8 +125,11 @@ public class UserWhitelistStore {
 			Logger.warn("Dynamic user whitelist check FAILED. Switch to static version ... ", e);
 			
 		}
+		if (!onlyDynamic)
+			return isUserbPKInWhitelist(bPK);
 		
-		return isUserbPKInWhitelist(bPK);
+
+		return false;
 	}
 	
 }
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
new file mode 100644
index 000000000..d72e2f28c
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -0,0 +1,387 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
+import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.util.config.EgovUtilPropertiesConfiguration;
+
+public class DummyAuthConfig implements AuthConfiguration {
+
+	@Override
+	public String getRootConfigFileDir() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getDefaultChainingMode() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getTrustedCACertificates() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isTrustmanagerrevoationchecking() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public String[] getActiveProfiles() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Properties getGeneralPVP2ProperiesConfig() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Properties getGeneralOAuth20ProperiesConfig() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public ProtocolAllowed getAllowedProtocols() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Map<String, String> getConfigurationWithPrefix(String Prefix) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getConfigurationWithKey(String key) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getBasicMOAIDConfiguration(String key) {
+		if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE.equals(key)) {
+			String current;
+			try {
+				current = new java.io.File( "." ).getCanonicalPath();
+				return "file:" + current + "/src/test/resources/BPK-Whitelist_20180607.csv";
+			} catch (IOException e) {
+				e.printStackTrace();
+			}
+		} 
+		
+		return null;
+	}
+
+	@Override
+	public String getBasicMOAIDConfiguration(String key, String defaultValue) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Map<String, String> getBasicMOAIDConfigurationWithPrefix(String prefix) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public int getTransactionTimeOut() {
+		// TODO Auto-generated method stub
+		return 0;
+	}
+
+	@Override
+	public int getSSOCreatedTimeOut() {
+		// TODO Auto-generated method stub
+		return 0;
+	}
+
+	@Override
+	public int getSSOUpdatedTimeOut() {
+		// TODO Auto-generated method stub
+		return 0;
+	}
+
+	@Override
+	public String getAlternativeSourceID() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getLegacyAllowedProtocols() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public IOAAuthParameters getOnlineApplicationParameter(String oaURL) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getMoaSpAuthBlockTrustProfileID(boolean useTestTrustStore) throws ConfigurationException {
+		if (useTestTrustStore)
+			return "MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten";
+		else
+			return "MOAIDBuergerkarteAuthentisierungsDaten";
+	}
+
+	@Override
+	public List<String> getMoaSpAuthBlockVerifyTransformsInfoIDs() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public ConnectionParameterInterface getMoaSpConnectionParameter() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public ConnectionParameterInterface getForeignIDConnectionParameter(IOAAuthParameters oaParameters)
+			throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public ConnectionParameterInterface getOnlineMandatesConnectionParameter(IOAAuthParameters oaParameters)
+			throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getMoaSpIdentityLinkTrustProfileID(boolean useTestTrustStore) throws ConfigurationException {
+		if (useTestTrustStore)			
+			return "MOAIDBuergerkartePersonenbindungMitTestkarten";
+		else
+			return "MOAIDBuergerkartePersonenbindung";
+	}
+
+	@Override
+	public List<String> getTransformsInfos() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getIdentityLinkX509SubjectNames() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getSLRequestTemplates() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getSLRequestTemplates(String type) throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getDefaultBKUURLs() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getDefaultBKUURL(String type) throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getSSOTagetIdentifier() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getSSOFriendlyName() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getSSOSpecialText() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getMOASessionEncryptionKey() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getMOAConfigurationEncryptionKey() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isIdentityLinkResigning() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public String getIdentityLinkResigningKey() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isMonitoringActive() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public String getMonitoringTestIdentityLinkURL() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getMonitoringMessageSuccess() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isAdvancedLoggingActive() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public List<String> getPublicURLPrefix() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isVirtualIDPsEnabled() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isPVP2AssertionEncryptionActive() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isCertifiacteQCActive() {
+		return true;
+	}
+
+	@Override
+	public IStorkConfig getStorkConfig() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public EgovUtilPropertiesConfiguration geteGovUtilsConfig() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getDocumentServiceUrl() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isStorkFakeIdLActive() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public List<String> getStorkFakeIdLCountries() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getStorkNoSignatureCountries() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getStorkFakeIdLResigningKey() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isPVPSchemaValidationActive() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public Map<String, String> getConfigurationWithWildCard(String key) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<Integer> getDefaultRevisionsLogEventCodes() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isHTTPAuthAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public String[] getRevocationMethodOrder() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean getBasicMOAIDConfigurationBoolean(String key, boolean defaultValue) {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java
new file mode 100644
index 000000000..71956990e
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java
@@ -0,0 +1,136 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.xml.ConfigurationException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/SpringTest-context_basic_user_whitelist.xml")
+public class UserRestrictionWhiteListTest {
+
+	@Autowired(required=true) UserWhitelistStore whitelistStore;
+	
+	private static String bPK_1 = "/7eNkLgqP71U8dBwa0lSI8/2EFY=";
+	private static String bPK_2 = "gr88V4oH5KLlurBCcCAbKJNMF18=";
+	private static String bPK_3 = "0Fq3KqgYTbK8MsxymLe7tbuXhpA=";
+	private static String bPK_4 = "JWiLzwktCITGg+ztRKEAwWloSNM=";
+	
+	private static String bPK_5 = "JWiLzwktCIXXX+ztRKEAwWloSNM=";
+	private static String bPK_6 = "WtHxBxLqOThNU9YF8fzXXXcZLBs=";
+	
+	@Test
+	public void checkNumberOfEntries() throws Exception {
+		if (whitelistStore.getNumberOfEntries() != 12)
+			throw new Exception("Number of entries not valid");
+			
+	}
+	
+	
+	@Test
+	public void checkEntry_1() throws Exception {
+		String bPK = bPK_1;
+		if (!whitelistStore.isUserbPKInWhitelist(bPK))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntryDynamic_1() throws Exception {
+		String bPK = bPK_1;
+		if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+
+	@Test
+	public void checkEntry_2() throws Exception {
+		String bPK = bPK_2;
+		if (!whitelistStore.isUserbPKInWhitelist(bPK))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntryDynamic_2() throws Exception {
+		String bPK = bPK_2;
+		if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	
+	@Test
+	public void checkEntry_3() throws Exception {
+		String bPK = bPK_3;
+		if (!whitelistStore.isUserbPKInWhitelist(bPK))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntryDynamic_3() throws Exception {
+		String bPK = bPK_3;
+		if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntry_4() throws Exception {
+		String bPK = bPK_4;
+		if (!whitelistStore.isUserbPKInWhitelist(bPK))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntryDynamic_4() throws Exception {
+		String bPK = bPK_4;
+		if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntry_5() throws Exception {
+		String bPK = bPK_5;
+		if (whitelistStore.isUserbPKInWhitelist(bPK))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntryDynamic_5() throws Exception {
+		String bPK = bPK_5;
+		if (whitelistStore.isUserbPKInWhitelistDynamic(bPK, true))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntry_6() throws Exception {
+		String bPK = bPK_6;
+		if (whitelistStore.isUserbPKInWhitelist(bPK))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	@Test
+	public void checkEntryDynamic_6() throws Exception {
+		String bPK = bPK_6;
+		if (whitelistStore.isUserbPKInWhitelistDynamic(bPK, true))
+			throw new Exception("bPK: " + bPK + " is NOT found in whitelist");
+			
+	}
+	
+	
+}
diff --git a/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv
new file mode 100644
index 000000000..099fc0f7e
--- /dev/null
+++ b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv
@@ -0,0 +1,10 @@
+/7eNkLgqP71U8dBwa0lSI8/2EFY=,ZP-MH:xm1zT43aGLfTRLnDsxYoFk3XwDU=,ZP-MH:gr88V4oH5KLlurBCcCAbKJNMF18=,
+ZP-MH:LvrdIGoL4MXTjy7EJgPhoz3koL4=,
+ZP-MH:EcILNYQIZ4qfhLlZFzHivCu0Hfc=,
+ZP-MH:WtHxBxLqOThNU9YF8fzyvXcZLBs=,
+ZP-MH:0Fq3KqgYTbK8MsxymLe7tbuXhpA=,
+ZP-MH:DJ6nGg2JgcPH768BhqTNXVsGhOY=,
+JWiLzwktCITGg+ztRKEAwWloSNM=,
+ZP-MH:+cyQbhr1fQ8hLhazL62tFRq47iY=,
+ZP-MH:AFmfywfYPHcl2Lxp138upielmrs=,
+ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0=
diff --git a/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml
new file mode 100644
index 000000000..85788714a
--- /dev/null
+++ b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:aop="http://www.springframework.org/schema/aop"
+	xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+			
+	<bean id="UserWhiteList_Store" 
+				class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/>
+				
+	<bean id="DummyAuthConfig" 
+				class="at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig"/>
+</beans>
-- 
cgit v1.2.3


From b53d2f387282b731ea72806ec7d410a1c27a878d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 12 Jun 2018 06:25:41 +0200
Subject: add foreign bPK generation into AuthenticationDataBuilder

---
 .../id/auth/builder/AuthenticationDataBuilder.java | 87 +++++++++++++++++++++-
 .../moa/id/auth/builder/BPKBuilder.java            | 26 +++++--
 .../parser/VerifyXMLSignatureResponseParser.java   |  2 +-
 .../moa/id/config/auth/OAAuthParameter.java        | 14 +++-
 .../config/auth/data/DynamicOAAuthParameters.java  |  6 ++
 .../moa/id/data/AuthenticationData.java            |  2 +
 .../attributes/EncryptedBPKAttributeBuilder.java   |  2 +-
 7 files changed, 128 insertions(+), 11 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index b93de5119..91159ad4e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -30,9 +30,13 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
 
+import javax.annotation.PostConstruct;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
 
@@ -102,12 +106,32 @@ import iaik.x509.X509Certificate;
 @Service("AuthenticationDataBuilder")
 public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 
+	private static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey";
+	
 	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;
 	@Autowired protected AuthConfiguration authConfig;
 	@Autowired private AttributQueryBuilder attributQueryBuilder;
 	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
 	
+	private Map<String, X509Certificate> encKeyMap = new HashMap<String, X509Certificate>();
+	
+	@PostConstruct
+	private void initialize() {
+		 Map<String, String> pubKeyMap = authConfig.getBasicMOAIDConfigurationWithPrefix(CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS);
+		 for (Entry<String, String> el : pubKeyMap.entrySet()) {
+			 try {
+				encKeyMap.put(el.getKey(), new X509Certificate(Base64Utils.decode(el.getValue(), false)));
+				Logger.info("Load foreign bPK encryption certificate for sector: " + el.getKey()); 
+				
+			 } catch (Exception e) {
+				Logger.warn("Can NOT load foreign bPK encryption certificate for sector: \" + el.getKey()", e); 
+				 
+			 }
+			 			 
+		 }		
+	}
+	
 	
 	public IAuthData buildAuthenticationData(IRequest pendingReq, 
             IAuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {
@@ -648,7 +672,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 					Logger.info("Can NOT set Organwalter IdentityLink. Msg: No IdentityLink found");				
 
 				
-				//set bPK and IdenityLink for all other
+				//set bPK and IdentityLink for all other
 			} else {
 				//build bPK
 				String pvpbPKValue = getbPKValueFromPVPAttribute(session);
@@ -724,7 +748,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 						
 					}					
 				}
-								
+				
+				//build foreign bPKs
+				generateForeignbPK(authData, oaParam.foreignbPKSectorsRequested()); 
+				
+				
 				//build IdentityLink
 				if (identityLink != null)
 					authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, identityLink, authData.getBPK(), authData.getBPKType()));
@@ -810,6 +838,61 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 		
 	}
 
+	private void generateForeignbPK(AuthenticationData authData, List<String> foreignSectors) {
+		if (foreignSectors != null && !foreignSectors.isEmpty()) {
+			Logger.debug("Sectors for foreign bPKs are configurated. Starting foreign bPK generation ... ");					
+			for (String foreignSector : foreignSectors) {
+				Logger.trace("Process sector: " + foreignSector + " ... ");
+				if (encKeyMap.containsKey(foreignSector)) {
+					try {
+						String sector = null;
+						//splitt sector into VKZ and target
+						if (foreignSector.startsWith("wbpk")) {
+							Logger.trace("Find foreign private sector " + foreignSector);
+							sector = Constants.URN_PREFIX + ":" + foreignSector;
+							
+						} else {
+							String[] split = foreignSector.split("+");
+							if (split.length != 2)  {
+								Logger.warn("Foreign sector: " + foreignSector + " looks WRONG. IGNORE IT!");
+								
+							} else {
+								Logger.trace("Find foreign public sector. VKZ: " + split[0] + " Target: " + split[1]);	
+								sector = Constants.URN_PREFIX_CDID + "+" + split[1];
+								
+							}
+															
+						}
+						
+						if (sector != null) {								
+							Pair<String, String> bpk = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+									authData.getIdentificationValue(), 
+									authData.getIdentificationType(), 										
+									sector);								
+							String foreignbPK = BPKBuilder.encryptBPK(bpk.getFirst(), bpk.getSecond(), encKeyMap.get(foreignSector).getPublicKey());																		
+							authData.getEncbPKList().add("(" + foreignSector + "|" +  foreignbPK + ")");
+							Logger.debug("Foreign bPK for sector: " + foreignSector + " created.");
+							
+						}
+														
+					} catch (Exception e) {
+						Logger.warn("Foreign bPK generation FAILED for sector: " + foreignSector, e);
+						
+					}
+																		
+				} else { 
+					Logger.info("NO encryption cerfificate FOUND in configuration for sector: " + foreignSector);
+					Logger.info("Foreign bPK for sector: " + foreignSector + " is NOT possible");
+					
+				}				
+			}
+			
+		} else
+			Logger.debug("No foreign bPKs required for this service provider");
+		
+	}
+	
+	
 	/**
 	 * Check a bPK-Type against a Service-Provider configuration <br>
 	 * If bPK-Type is <code>null</code> the result is <code>false</code>.
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index a7f6e873f..04df32309 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -266,16 +266,21 @@ public class BPKBuilder {
     
 	public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
 		MiscUtil.assertNotNull(bpk, "BPK");
+		MiscUtil.assertNotNull(target, "sector");
 		MiscUtil.assertNotNull(publicKey, "publicKey");
-		
+			
 		SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
-		if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
-			target = target.substring((Constants.URN_PREFIX_CDID + "+").length());
 		
-		String input = "V1::urn:publicid:gv.at:cdid+" + target + "::"
+		if (!target.startsWith(Constants.URN_PREFIX)) {
+			throw new BuildException("bPK encryption FAILED. bPK target does NOT starts with a valid prefix", null);
+			
+		}
+		
+		String input = "V1::" 
+			+ target + "::"
 		    + bpk + "::"
 		    + sdf.format(new Date());
-		System.out.println(input);
+		Logger.trace("Foreign bPK: " + input);
 		byte[] result;
 		try {
 			byte[] inputBytes = input.getBytes("ISO-8859-1");
@@ -287,6 +292,17 @@ public class BPKBuilder {
 		}		
 	}
 
+	
+	/**
+	 * Currently only works for bPKs!!!!
+	 * 
+	 * 
+	 * @param encryptedBpk
+	 * @param target
+	 * @param privateKey
+	 * @return
+	 * @throws BuildException
+	 */
 	public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException {
 		MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK");
 		MiscUtil.assertNotNull(privateKey, "Private key");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
index 0fba2d3f6..3a0a002e8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
@@ -209,7 +209,7 @@ public class VerifyXMLSignatureResponseParser {
       
       String signingTimeElement = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNING_TIME_XPATH,"");
       if (MiscUtil.isNotEmpty(signingTimeElement)) {
-    	  DateTime datetime = ISODateTimeFormat.dateTimeNoMillis().parseDateTime(signingTimeElement);
+    	  DateTime datetime = ISODateTimeFormat.dateOptionalTimeParser().parseDateTime(signingTimeElement);
     	  respData.setSigningDateTime(datetime.toDate());
     	  
       }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 59bd3893d..140ebcfc8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -54,10 +54,8 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Set;
 
 import org.apache.commons.lang.SerializationUtils;
@@ -935,4 +933,16 @@ public String toString() {
 	return "Object not initialized";
 }
 
+
+@Override
+public List<String> foreignbPKSectorsRequested() {
+	String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_FOREIGN);
+	if (MiscUtil.isNotEmpty(value))
+		return KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(value));
+		
+	else
+		return null;
+	
+}
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index f3db82315..31b894604 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -531,5 +531,11 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
 		return false;
 	}
 
+	@Override
+	public List<String> foreignbPKSectorsRequested() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 7f56f519b..4cd9ecd6a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -691,6 +691,8 @@ public class AuthenticationData  implements IAuthData, Serializable {
 	 * @return the encbPKList
 	 */
 	public List<String> getEncbPKList() {
+		if (encbPKList == null)
+			encbPKList = new ArrayList<String>();
 		return encbPKList;
 	}
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
index 9dfbe00b2..f5c48b826 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -41,7 +41,7 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 
 		if (authData.getEncbPKList() != null &&
 				authData.getEncbPKList().size() > 0) {
-			String value = authData.getEncbPKList().get(0);
+			String value = "(" + authData.getEncbPKList().get(0) + ")";
 			for (int i=1; i<authData.getEncbPKList().size(); i++)
 				value += ";"+authData.getEncbPKList().get(i);			
 			
-- 
cgit v1.2.3


From 721d4261b72a12dc6147687d72b81738014be20b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 12 Jun 2018 09:20:52 +0200
Subject: add jUnit simple test for AuthDataBuilder and foreign bPK generation

---
 .../id/auth/builder/AuthenticationDataBuilder.java |  13 +-
 .../moa/id/auth/builder/BPKBuilder.java            | 158 +++--------
 .../id/config/auth/data/UserWhitelistStore.java    |  39 ++-
 .../auth/data/AuthenticationDataBuilderTest.java   |  85 ++++++
 .../moa/id/config/auth/data/DummyAuthConfig.java   |  49 +++-
 .../moa/id/config/auth/data/DummyAuthSession.java  | 287 ++++++++++++++++++++
 .../moa/id/config/auth/data/DummyAuthStorage.java  | 186 +++++++++++++
 .../moa/id/config/auth/data/DummyOAConfig.java     | 289 +++++++++++++++++++++
 .../auth/data/UserRestrictionWhiteListTest.java    |   8 +-
 .../moa/id/module/test/TestRequestImpl.java        |   5 +-
 .../src/test/resources/BPK-Whitelist_20180607.csv  |   4 +-
 .../SpringTest-context_basic_user_whitelist.xml    |  11 +
 12 files changed, 991 insertions(+), 143 deletions(-)
 create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java
 create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java
 create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java
 create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 91159ad4e..afac80df9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -106,13 +106,14 @@ import iaik.x509.X509Certificate;
 @Service("AuthenticationDataBuilder")
 public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 
-	private static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey";
+	public static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey";
+	
+	@Autowired(required=true) private IAuthenticationSessionStoreage authenticatedSessionStorage;
+	@Autowired(required=true) protected AuthConfiguration authConfig;
+	@Autowired(required=false) private MOAMetadataProvider metadataProvider;
+	@Autowired(required=false) private AttributQueryBuilder attributQueryBuilder;
+	@Autowired(required=false) private SAMLVerificationEngineSP samlVerificationEngine;
 	
-	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;
-	@Autowired protected AuthConfiguration authConfig;
-	@Autowired private AttributQueryBuilder attributQueryBuilder;
-	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
-	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
 	
 	private Map<String, X509Certificate> encKeyMap = new HashMap<String, X509Certificate>();
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 04df32309..14de65e36 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -149,121 +149,7 @@ public class BPKBuilder {
 			}			
 		}						
 	}
-	
-	
-    /**
-     * Builds the storkeid from the given parameters.
-     *
-     * @param baseID baseID of the citizen
-     * @param baseIDType Type of the baseID
-     * @param sourceCountry CountryCode of that country, which build the eIDAs ID
-     * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
-     * 
-     * @return Pair<eIDAs, bPKType> in a BASE64 encoding
-     * @throws BuildException if an error occurs on building the wbPK
-     */
-    private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
-            throws BuildException {        
-        String bPK = null;
-        String bPKType = null;
-        
-        // check if we have been called by public sector application
-        if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
-        	bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
-            Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);         
-            bPK = calculatebPKwbPK(baseID + "+"  + bPKType);
-            
-        } else { // if not, sector identification value is already calculated by BKU
-            Logger.debug("eIDAS eIdentifier already provided by BKU");
-            bPK = baseID;
-        }
-
-        if ((MiscUtil.isEmpty(bPK) ||
-                MiscUtil.isEmpty(sourceCountry) ||
-                	MiscUtil.isEmpty(destinationCountry))) {
-            throw new BuildException("builder.00",
-                    new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
-                            bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
-        }
-        
-        Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
-        String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
-        
-        return Pair.newInstance(eIdentifier, bPKType);
-    }
-	
-//    /**
-//     * Builds the bPK from the given parameters.
-//     *
-//     * @param identificationValue Base64 encoded "Stammzahl"
-//     * @param target              "Bereich lt. Verordnung des BKA"
-//     * @return bPK in a BASE64 encoding
-//     * @throws BuildException if an error occurs on building the bPK
-//     */
-//    private String buildBPK(String identificationValue, String target)
-//            throws BuildException {
-//
-//        if ((identificationValue == null ||
-//                identificationValue.length() == 0 ||
-//                target == null ||
-//                target.length() == 0)) {
-//            throw new BuildException("builder.00",
-//                    new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
-//                            identificationValue + ",target=" + target});
-//        }
-//        String basisbegriff;
-//        if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
-//            basisbegriff = identificationValue + "+" + target;
-//        else
-//            basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
-//
-//        return calculatebPKwbPK(basisbegriff);
-//    }
-//
-//    /**
-//     * Builds the wbPK from the given parameters.
-//     *
-//     * @param identificationValue Base64 encoded "Stammzahl"
-//     * @param registerAndOrdNr    type of register + "+" + number in register.
-//     * @return wbPK in a BASE64 encoding
-//     * @throws BuildException if an error occurs on building the wbPK
-//     */
-//    private String buildWBPK(String identificationValue, String registerAndOrdNr)
-//            throws BuildException {
-//
-//        if ((identificationValue == null ||
-//                identificationValue.length() == 0 ||
-//                registerAndOrdNr == null ||
-//                registerAndOrdNr.length() == 0)) {
-//            throw new BuildException("builder.00",
-//                    new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
-//                            identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
-//        }
-//
-//        String basisbegriff;
-//        if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
-//            basisbegriff = identificationValue + "+" + registerAndOrdNr;
-//        else
-//            basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
-//
-//        return calculatebPKwbPK(basisbegriff);
-//    }
-//
-//    private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
-//    	if (MiscUtil.isEmpty(baseID) || 
-//    			!(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || 
-//    					bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || 
-//    					bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
-//    		throw new BuildException("builder.00",
-//                    new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget 
-//    					+ " has an unkown prefix."});
-//    		
-//    	}
-//    	
-//    	return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
-//    	
-//    }
-    
+		    
 	public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
 		MiscUtil.assertNotNull(bpk, "BPK");
 		MiscUtil.assertNotNull(target, "sector");
@@ -332,6 +218,48 @@ public class BPKBuilder {
 		}		
 	}
         
+	
+    /**
+     * Builds the storkeid from the given parameters.
+     *
+     * @param baseID baseID of the citizen
+     * @param baseIDType Type of the baseID
+     * @param sourceCountry CountryCode of that country, which build the eIDAs ID
+     * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
+     * 
+     * @return Pair<eIDAs, bPKType> in a BASE64 encoding
+     * @throws BuildException if an error occurs on building the wbPK
+     */
+    private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
+            throws BuildException {        
+        String bPK = null;
+        String bPKType = null;
+        
+        // check if we have been called by public sector application
+        if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
+        	bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
+            Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);         
+            bPK = calculatebPKwbPK(baseID + "+"  + bPKType);
+            
+        } else { // if not, sector identification value is already calculated by BKU
+            Logger.debug("eIDAS eIdentifier already provided by BKU");
+            bPK = baseID;
+        }
+
+        if ((MiscUtil.isEmpty(bPK) ||
+                MiscUtil.isEmpty(sourceCountry) ||
+                	MiscUtil.isEmpty(destinationCountry))) {
+            throw new BuildException("builder.00",
+                    new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
+                            bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
+        }
+        
+        Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
+        String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
+        
+        return Pair.newInstance(eIdentifier, bPKType);
+    }
+	
     private String calculatebPKwbPK(String basisbegriff) throws BuildException {
     	try {
             MessageDigest md = MessageDigest.getInstance("SHA-1");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
index a90d71a18..a32159dd0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -18,6 +18,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.util.FileUtils;
@@ -35,26 +36,44 @@ public class UserWhitelistStore {
 	@PostConstruct
 	private void initialize() {
 		String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE);
-		if (MiscUtil.isEmpty(whiteListUrl)) 
-			Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file.");
+		String internalTarget = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR);		
+		if (MiscUtil.isEmpty(whiteListUrl) || MiscUtil.isEmpty(internalTarget)) 
+			Logger.debug("Do not initialize user whitelist. Reason: NO configuration path to CSV file or NO internal bPK target for whitelist");
 		
 		else {
-			absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir());
-			try {			
-				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
+			if (internalTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+				internalTarget = internalTarget.substring(MOAIDAuthConstants.PREFIX_CDID.length());			
+			else if (internalTarget.startsWith(MOAIDAuthConstants.PREFIX_WPBK))
+				internalTarget = internalTarget.substring(MOAIDAuthConstants.PREFIX_WPBK.length());
+			else if (internalTarget.startsWith(MOAIDAuthConstants.PREFIX_EIDAS))
+				internalTarget = internalTarget.substring(MOAIDAuthConstants.PREFIX_EIDAS.length());
+			else {
+				Logger.warn("Sector: " + internalTarget + " is NOT supported for user whitelist.");
+				Logger.info("User whitelist-store MAY NOT contains all user from whitelist");
+			}
+			
+			try {				
+				absWhiteListUrl = new URL(FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()))
+											.toURI().toString().substring("file:".length());						
+				InputStream is = new FileInputStream(new File(absWhiteListUrl));
 				String whiteListString = IOUtils.toString(new InputStreamReader(is));
 				List<String> preWhitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString));
 				
+				
+				
 				//remove prefix if required
 				for (String bPK : preWhitelist) {
 					String[] bPKSplit = bPK.split(":");
 					if (bPKSplit.length == 1)
 						whitelist.add(bPK);
 					
-					else if (bPKSplit.length ==2 )
-						whitelist.add(bPKSplit[1]);
-					
-					else
+					else if (bPKSplit.length ==2 ) {
+						if (internalTarget.equals(bPKSplit[0]))
+							whitelist.add(bPKSplit[1]);
+						else
+							Logger.info("Whitelist entry: " + bPK + " has an unsupported target. Entry will be removed ...");
+						
+					} else
 						Logger.info("Whitelist entry: " + bPK + " has an unsupported format. Entry will be removed ...");
 						
 				}
@@ -108,7 +127,7 @@ public class UserWhitelistStore {
 	public boolean isUserbPKInWhitelistDynamic(String bPK, boolean onlyDynamic) {
 		try {
 			if (absWhiteListUrl != null) {
-				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
+				InputStream is = new FileInputStream(new File(absWhiteListUrl));
 				String whiteListString = IOUtils.toString(new InputStreamReader(is));
 				if (whiteListString != null && whiteListString.contains(bPK)) {
 					Logger.trace("Find user with dynamic whitelist check");
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java
new file mode 100644
index 000000000..e300c8ec8
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java
@@ -0,0 +1,85 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.ByteArrayInputStream;
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.module.test.TestRequestImpl;
+import at.gv.egovernment.moa.util.Base64Utils;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/SpringTest-context_basic_user_whitelist.xml")
+public class AuthenticationDataBuilderTest {
+
+	@Autowired private AuthenticationDataBuilder authBuilder;
+	
+	private static final String DUMMY_IDL = "PHNhbWw6QXNzZXJ0aW9uIEFzc2VydGlvbklEPSJzenIuYm1pLmd2LmF0LUFzc2VydGlvbklEMTUyNzY2OTEwMDU5MTI3NDQiIElzc3VlSW5zdGFudD0iMjAxOC0wNS0zMFQxMDozMTo0MCswMTowMCIgSXNzdWVyPSJodHRwOi8vcG9ydGFsLmJtaS5ndi5hdC9yZWYvc3pyL2lzc3VlciIgTWFqb3JWZXJzaW9uPSIxIiBNaW5vclZlcnNpb249IjAiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnByPSJodHRwOi8vcmVmZXJlbmNlLmUtZ292ZXJubWVudC5ndi5hdC9uYW1lc3BhY2UvcGVyc29uZGF0YS8yMDAyMDIyOCMiIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOmVjZHNhPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSMiIHhtbG5zOnNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+Cgk8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+CgkJPHNhbWw6U3ViamVjdD4KCQkJPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4KCQkJCTxzYW1sOkNvbmZpcm1hdGlvbk1ldGhvZD51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6Y206c2VuZGVyLXZvdWNoZXM8L3NhbWw6Q29uZmlybWF0aW9uTWV0aG9kPgoJCQkJPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGE+CgkJCQkJPHByOlBlcnNvbiBzaTp0eXBlPSJwcjpQaHlzaWNhbFBlcnNvblR5cGUiPjxwcjpJZGVudGlmaWNhdGlvbj48cHI6VmFsdWU+dHFDUUVDNytBcUdFZWVMMzkwVjVKZz09PC9wcjpWYWx1ZT48cHI6VHlwZT51cm46cHVibGljaWQ6Z3YuYXQ6YmFzZWlkPC9wcjpUeXBlPjwvcHI6SWRlbnRpZmljYXRpb24+PHByOk5hbWU+PHByOkdpdmVuTmFtZT5NYXg8L3ByOkdpdmVuTmFtZT48cHI6RmFtaWx5TmFtZSBwcmltYXJ5PSJ1bmRlZmluZWQiPk11c3Rlcm1hbm48L3ByOkZhbWlseU5hbWU+PC9wcjpOYW1lPjxwcjpEYXRlT2ZCaXJ0aD4xOTQwLTAxLTAxPC9wcjpEYXRlT2ZCaXJ0aD48L3ByOlBlcnNvbj4KCQkJCTwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT4KCQkJPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+CgkJPC9zYW1sOlN1YmplY3Q+Cgk8c2FtbDpBdHRyaWJ1dGUgQXR0cmlidXRlTmFtZT0iQ2l0aXplblB1YmxpY0tleSIgQXR0cmlidXRlTmFtZXNwYWNlPSJ1cm46cHVibGljaWQ6Z3YuYXQ6bmFtZXNwYWNlczppZGVudGl0eWxpbms6MS4yIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZT48ZHNpZzpSU0FLZXlWYWx1ZT48ZHNpZzpNb2R1bHVzPnMwWmhkR2E4REgwSW1iTlU3aTRxdDRtR25CUEFlTDk5Q0dkZmRCOEhWWE5CNWd3d2VMY1o5WE1TWUJvUHFHdFVqemh6S29zRkN5M0sNCmpsSEVrejB0L3JQemhOVGRsVjJRN0FGWEZlT2g3M3dPajQ3R1B2T2lVNzdwQjE3WnJaOHlObW1JTTEyUVE5MVN0RGFWRkUra0dxUEkNCmNFZHZiZk94blU4aGNpa3lYcWVheFZVV3oxbVdXTnRveUwyWG5wa1U0QkZVQnU1NWg5S2tYVEFQcnBUbEFMZjkvRDFKamZWb05tamwNCnBLWXh6Q3JBSmE4Sno4Ui9sNis0U0U3YXc3dGZuazNZUXkxcFVmNWZmellkeXZQS2ZxVTBUTUVKLzdpOW1ORHFCZlVwcVhBRWowdWUNCkpvRWs0UC9pa2Q5UnZuVUlsU0V1NzFHMyt1VEluSXBaaTd2UG93PT08L2RzaWc6TW9kdWx1cz48ZHNpZzpFeHBvbmVudD5BUUFCPC9kc2lnOkV4cG9uZW50PjwvZHNpZzpSU0FLZXlWYWx1ZT48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50PgoJPGRzaWc6U2lnbmF0dXJlPgoJCTxkc2lnOlNpZ25lZEluZm8+CgkJCTxkc2lnOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+CgkJCTxkc2lnOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIgLz4KCQkJPGRzaWc6UmVmZXJlbmNlIFVSST0iIj4KCQkJCTxkc2lnOlRyYW5zZm9ybXM+CgkJCQkJPGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvVFIvMTk5OS9SRUMteHBhdGgtMTk5OTExMTYiPgoJCQkJCQk8ZHNpZzpYUGF0aD5ub3QoYW5jZXN0b3Itb3Itc2VsZjo6cHI6SWRlbnRpZmljYXRpb24pPC9kc2lnOlhQYXRoPgoJCQkJCTwvZHNpZzpUcmFuc2Zvcm0+CgkJCQkJPGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIC8+CgkJCQk8L2RzaWc6VHJhbnNmb3Jtcz4KCQkJCTxkc2lnOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIiAvPgoJCQkJPGRzaWc6RGlnZXN0VmFsdWU+QmVIdUFyYXUzSFVQcXg5dHV3QTRGaDNOSDB3PTwvZHNpZzpEaWdlc3RWYWx1ZT4KCQkJPC9kc2lnOlJlZmVyZW5jZT4KCQkJPGRzaWc6UmVmZXJlbmNlIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNNYW5pZmVzdCIgVVJJPSIjbWFuaWZlc3QiPgoJCQkJPGRzaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIC8+CgkJCQk8ZHNpZzpEaWdlc3RWYWx1ZT5mVEUrMjRnRHlkUlgvd0p2QlAxOUlucU54Rkk9PC9kc2lnOkRpZ2VzdFZhbHVlPgoJCQk8L2RzaWc6UmVmZXJlbmNlPgoJCTwvZHNpZzpTaWduZWRJbmZvPgoJCTxkc2lnOlNpZ25hdHVyZVZhbHVlPgogICAgUHpLMWR2N2JFMGhQcGxlc1ZaRFhHSWxhbTlUK0JxWkd4ZWs5RHVuYkhNK21GWWI3a1NaZTN2eEszUmhRZjNBV3djbXFtVWZPRlJObg0KWndxYnovNGRZd2hJRld6VGdMelVmMlZkR0JsN2szbS8wSmJXSkV1bEtobE5vV2ZSTkRrdTRZcmI2THVrWjdaQzJFcWd2UXYxa1BRTg0Kb1BvQ1I5d3hUc1RKWFNCaHdLc0lERG9vZHY3aUVpWGFCM0xmVHQrQWdYdEdvbWRRaktjby9WamJSSzRUUEkvQUVNVU1KWm9zZlJYMg0KdmE2U1BaUnV4QjBlWkwwVGVzYittRjlFaUlOVnNTSU9nbTVSRE95V1ZRZkJnVG9nYjNoWmlLVmh0a1IvaWlSNmhZNlA2b1cwTDh4ag0KMG5ZVldPRHAxSlJML3Z0ZDFhUklVYzNCQTJQaFkrRmdJR1FHTUE9PQogIDwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpLZXlJbmZvPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlGdXpDQ0JLT2dBd0lCQWdJREdTa2VNQTBHQ1NxR1NJYjNEUUVCQlFVQU1JR2ZNUXN3Q1FZRFZRUUdFd0pCDQpWREZJTUVZR0ExVUVDZ3cvUVMxVWNuVnpkQ0JIWlhNdUlHWXVJRk5wWTJobGNtaGxhWFJ6YzNsemRHVnRaU0JwDQpiU0JsYkdWcmRISXVJRVJoZEdWdWRtVnlhMlZvY2lCSGJXSklNU0l3SUFZRFZRUUxEQmxoTFhOcFoyNHRZMjl5DQpjRzl5WVhSbExXeHBaMmgwTFRBeU1TSXdJQVlEVlFRRERCbGhMWE5wWjI0dFkyOXljRzl5WVhSbExXeHBaMmgwDQpMVEF5TUI0WERURTFNRGN5T0RFMU5Ea3dOVm9YRFRJd01EY3lPREV6TkRrd05Wb3dnYll4Q3pBSkJnTlZCQVlUDQpBa0ZVTVI0d0hBWURWUVFLREJWRVlYUmxibk5qYUhWMGVtdHZiVzFwYzNOcGIyNHhJakFnQmdOVkJBc01HVk4wDQpZVzF0ZW1Gb2JISmxaMmx6ZEdWeVltVm9iMlZ5WkdVeExqQXNCZ05WQkFNTUpWTnBaMjVoZEhWeWMyVnlkbWxqDQpaU0JFWVhSbGJuTmphSFYwZW10dmJXMXBjM05wYjI0eEZUQVRCZ05WQkFVVERETXlOVGt5T0RNeU16azVPREVjDQpNQm9HQ1NxR1NJYjNEUUVKQVF3TlpITnJRR1J6YXk1bmRpNWhkRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEDQpnZ0VQQURDQ0FRb0NnZ0VCQU4rZEJTRUJHajJqVVhJSzFNcDNsVnhjL1phK3BKTWl5S3JYM0cxWnhnWC9pa3g3DQpEOXNjc1BZTXQ0NzNMbEFXbDljbUNiSGJKSytQVjJYTk5kVVJMTVVDSVgrNHZVTnMyTUhlRFRRdFg4QlhqSkZwDQp3SllTb2FSSlEzOUZWUy8xcjVzV2NyYTlIaGRtN3c1R3R4LzJ1a3lEWDBrZGt4YXdraFA0RVFFemkvU0krRnVnDQpuK1dxZ1ExbkFkbGJ4Yi9kY0J3NXcxaDliM2xtdXdVZjR6M29vUVdVRDJEZ0Eva0tkMUtlak5SNDNtTFVzbXZTDQp6ZXZQeFQ5enM3OHBPUjFPYWNCN0lzelRWSlBYZU9FYWFOWkhubkIvVWVPM2c4TEVWLzNPa1hjVWdjTWtiSUlpDQphQkhsbGw3MVBxMENPajlrcWpYb2U3T3JSakxZNWkzS3dPcGE2VE1DQXdFQUFhT0NBZVV3Z2dIaE1CRUdBMVVkDQpEZ1FLQkFoTUNBNmVHdlMxdWpBT0JnTlZIUThCQWY4RUJBTUNCTEF3RGdZSEtpZ0FDZ0VIQVFRREFRSC9NQk1HDQpBMVVkSXdRTU1BcUFDRWtjV0RwUDZBMERNQWtHQTFVZEV3UUNNQUF3RkFZSEtpZ0FDZ0VCQVFRSkRBZENVMEl0DQpSRk5MTUg4R0NDc0dBUVVGQndFQkJITXdjVEJHQmdnckJnRUZCUWN3QW9ZNmFIUjBjRG92TDNkM2R5NWhMWFJ5DQpkWE4wTG1GMEwyTmxjblJ6TDJFdGMybG5iaTFqYjNKd2IzSmhkR1V0YkdsbmFIUXRNREpoTG1OeWREQW5CZ2dyDQpCZ0VGQlFjd0FZWWJhSFIwY0RvdkwyOWpjM0F1WVMxMGNuVnpkQzVoZEM5dlkzTndNRlFHQTFVZElBUk5NRXN3DQpTUVlHS2lnQUVRRVNNRDh3UFFZSUt3WUJCUVVIQWdFV01XaDBkSEE2THk5M2QzY3VZUzEwY25WemRDNWhkQzlrDQpiMk56TDJOd0wyRXRjMmxuYmkxQmJYUnpjMmxuYm1GMGRYSXdnWjRHQTFVZEh3U0JsakNCa3pDQmtLQ0JqYUNCDQppb2FCaDJ4a1lYQTZMeTlzWkdGd0xtRXRkSEoxYzNRdVlYUXZiM1U5WVMxemFXZHVMV052Y25CdmNtRjBaUzFzDQphV2RvZEMwd01peHZQVUV0VkhKMWMzUXNZejFCVkQ5alpYSjBhV1pwWTJGMFpYSmxkbTlqWVhScGIyNXNhWE4wDQpQMkpoYzJVL2IySnFaV04wWTJ4aGMzTTlaV2xrUTJWeWRHbG1hV05oZEdsdmJrRjFkR2h2Y21sMGVUQU5CZ2txDQpoa2lHOXcwQkFRVUZBQU9DQVFFQUhRM1pDTXRBYmF6ZU1IbVdBMnpoWWxIcUhnS1ZvY1ZYRURnbU5tV0xHcUZlDQo4RUFERklzOHVHcmt0Qm1XQ1VJWGJYczdUSGNmeHMySjQ3dkh1Y29wc2RrYWJObFhFanpuZFJmbmMrMVZJbmJvDQp6TXJZZDdqZUROVEsvdElqaU9FWWRyeUlwZWtWOUNmYXc3eXU2bWVmTXpldTFhQXdmN0JuSy9odWl3SlduZW5wDQpCN2lEL1B2WittenVDN1JOZkpmRisrU3RpQlR4aTNWWXhOR01qTTFjVThHdzlWV2MwUjNFdWpPYVhXZ0NDOGk1DQpGR2hWdk9ZaE5YZnN4SlhiTnhld0VDanBBTHZEbEZMTCtpQzQ5RytBRFNvUnYwU2s5MU9QdStjSW1DajNyczNRDQp0YXNJL3A5TFlhY0c2Yy9nSTN0RTBpaHFnOVJic0tIWFFsM1BPdkVSSkE9PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjwvZHNpZzpLZXlJbmZvPgoJCTxkc2lnOk9iamVjdD4KCQkJPGRzaWc6TWFuaWZlc3QgSWQ9Im1hbmlmZXN0Ij4KCQkJCTxkc2lnOlJlZmVyZW5jZSBVUkk9IiI+CgkJCQkJPGRzaWc6VHJhbnNmb3Jtcz4KCQkJCQkJPGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvVFIvMTk5OS9SRUMteHBhdGgtMTk5OTExMTYiPgoJCQkJCQkJPGRzaWc6WFBhdGg+bm90KGFuY2VzdG9yLW9yLXNlbGY6OmRzaWc6U2lnbmF0dXJlKTwvZHNpZzpYUGF0aD4KCQkJCQkJPC9kc2lnOlRyYW5zZm9ybT4KCQkJCQk8L2RzaWc6VHJhbnNmb3Jtcz4KCQkJCQk8ZHNpZzpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgLz4KCQkJCQk8ZHNpZzpEaWdlc3RWYWx1ZT5wM1pwS1BvK0ZYT3ZXdEhidFJzR2VLWm9lSTQ9PC9kc2lnOkRpZ2VzdFZhbHVlPgoJCQkJPC9kc2lnOlJlZmVyZW5jZT4KCQkJPC9kc2lnOk1hbmlmZXN0PgoJCTwvZHNpZzpPYmplY3Q+Cgk8L2RzaWc6U2lnbmF0dXJlPgo8L3NhbWw6QXNzZXJ0aW9uPg==";
+	
+	@Test
+	public void dummyTest() throws Exception {
+		
+		
+	}
+	
+	
+	@Test
+	public void buildAuthDataWithIDLOnly() throws Exception {
+		IRequest pendingReq = new TestRequestImpl();
+		DummyOAConfig oaParam = new DummyOAConfig();
+		oaParam.setHasBaseIdTransferRestriction(false);
+		oaParam.setTarget("urn:publicid:gv.at:cdid+ZP-MH");
+		oaParam.setForeignbPKSectors(Arrays.asList("wbpk+FN+195738a"));
+		
+		IAuthenticationSession session = new DummyAuthSession();
+		session.setIdentityLink(new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(DUMMY_IDL, false))).parseIdentityLink());
+	
+		IAuthData authData = authBuilder.buildAuthenticationData(pendingReq, session, oaParam);
+		
+		if (!authData.getFamilyName().equals("Mustermann"))
+			throw new Exception("Familyname wrong");
+		
+		if (!authData.getGivenName().equals("Max"))
+			throw new Exception("GivenName wrong");
+						
+		if (!authData.getFormatedDateOfBirth().equals("1940-01-01"))
+			throw new Exception("DateOfBirth wrong");
+		 
+		
+		if (!authData.getIdentificationValue().equals("tqCQEC7+AqGEeeL390V5Jg=="))
+			throw new Exception("baseId wrong");
+		
+		if (!authData.getIdentificationType().equals("urn:publicid:gv.at:baseid"))
+			throw new Exception("baseIdType wrong");
+		
+	
+		if (!authData.getBPK().equals("DJ6nGg2JgcPH768BhqTNXVsGhOY="))
+			throw new Exception("bPK wrong");
+		
+		if (!authData.getBPKType().equals("urn:publicid:gv.at:cdid+ZP-MH"))
+			throw new Exception("bPKType wrong");
+		
+		
+		List<String> foreignbPKs = authData.getEncbPKList();
+		if (foreignbPKs.isEmpty())
+			throw new Exception("NO foreign bPK list is null");
+		
+		if (foreignbPKs.size() != 1)
+			throw new Exception("NO or MORE THAN ONE foreign bPK");
+		
+		if (!foreignbPKs.get(0).startsWith("(wbpk+FN+195738a|") && !(foreignbPKs.get(0).endsWith(")")))
+			throw new Exception("foreign bPK has wrong prefix");
+				
+	}
+	
+}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index d72e2f28c..2c31d82f9 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -1,10 +1,12 @@
 package at.gv.egovernment.moa.id.config.auth.data;
 
 import java.io.IOException;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
+import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
 import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
@@ -86,8 +88,13 @@ public class DummyAuthConfig implements AuthConfiguration {
 			} catch (IOException e) {
 				e.printStackTrace();
 			}
+			 
+		} else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) {
+			return "urn:publicid:gv.at:cdid+ZP-MH";
+			
 		} 
 		
+		
 		return null;
 	}
 
@@ -99,8 +106,46 @@ public class DummyAuthConfig implements AuthConfiguration {
 
 	@Override
 	public Map<String, String> getBasicMOAIDConfigurationWithPrefix(String prefix) {
-		// TODO Auto-generated method stub
-		return null;
+		Map<String, String> result = new HashMap<String, String>();
+		if (AuthenticationDataBuilder.CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS.equals(prefix)) {
+			result.put("BMI+T1", "MIICuTCCAaGgAwIBAgIEWQMr6TANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARyb290MB4XDTE3MDQyODExNDgyN1oXDTE4MDQyODExNDgyN1owDzENMAsGA1UEAwwEcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKavdekY9h6te6UoCvahSKqhlNk+ZMGq1aBvj129J10wJoz3BsO86cK/ounvzrE9g6FOOeEtlb/lRRTwhO601o9/dXhIvSalpKgAF4owTuhxKUEhEUNJr4pUxFSm8OkPHEXqSXsn6W7tg/G0r12z246RAApw5jpzDDdYYY8gEZFXURf1xYnbKFPoNlPIyFj0vN7Afe+Fo8v3Brb05iQkC3wBxMnL2LZ7XLK8uu93VG/mOrUrEtZkFzOWg0c3WBKQgxCD/F5BMouXBSsNu7lzV2qEyX0uIiEQrv75Fk32DjQqx41S31lByFnL8YbYWX4lsCv0O9Smhjrn6+k91JsvcDECAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAb4wDQYJKoZIhvcNAQELBQADggEBAAFQVd6PHrpBDTw+YUYj3yOgjFlKiSTEb4s59O74CZGbgElE2k36bqEJwki8W2ZiK+L3aeA1XCYF9cuI8QBWHJXg3UQFtDMF2zieOy/BBEA0HN6q4IjQKbt9cNR3w7nMp+lJ/BUlX6AIqfmSgJ6bKVlUsu4yuhstDBXy7QOAuQ8q76qkk7j6uiahWCyBRb5R9TDj7mQn0nM/tbeUUZa7Mxje/W4YhdatNYasTnExCyEE4S6lpSiJQdrkFGlRWp6Ia41/r6GZsAZ6pss+xyxDbJySqbVn2ro6WV4kMbrh/gX1HbmrF5UGIO/qvM+5yM6+wUfLtqPCK0PtLkI940E3WfM=");
+			result.put("wbpk+FN+468924i", "MIIDCzCCAfMCBFr9aB4wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxEzARBgNVBAsMCnZpZHAuZ3YuYXQxFzAVBgNVBAMMDlNBTUwyIG1ldGFkYXRhMB4XDTE4MDUxNzExMzE0MloXDTE5MDUxNzExMzE0MlowSjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxEzARBgNVBAsMCnZpZHAuZ3YuYXQxFzAVBgNVBAMMDlNBTUwyIG1ldGFkYXRhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi5yyZCJCW2MLQKmupDZTQBNItpIqMlLNAUMF5U8vwJ0uoAWqetOyJ65Q9Wx9TixcIIxXa+0qA/7xVr44LoE4sRXZtZvkS5TGXUgD81FLXU5WJdeJQeUa63TdKjpdcL6wCbMIDs+2fDClIB7gKUV7S56NMhdiQzfW6OLFFQyfu6aXzpLcAOqq+FVo5paPjvGNgmVGwMS/4W0c8FeaPceno98rjslYslKUu3gCMezhYmvson7fEsgRf6s/Ko4pZev4rK7N+ib25g0x0L+gJkq6gb46wH4TBemXr/WTi5II1pxdG0CuLLKewDgMCymeneXPFIewiIPF9ydSPdq2XsHlTwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBbNeQGGDB0RjWRtCoMPQ1tF4pTMOy1QXd362Qx6kbuScEsG/9fGLE3mgpyLx3zyjX/pP0hkVtygDu/5684KEj0aJ65dx6kgFkmvLNq4YUpvQUBjylQHmpO4fsL57q8ZMnoWow8rX4g18sP8lHvW1g+tfWa3r+RRN/NlHm0RYb559xq7NgfPu11gxp9O6RsSkrf0IkWnJ1dit4bx7RR8PY+ZZjPAfg8/eAZ98DSP8FPdlLkKQvRV5NCIjG4tU5tIV4z5yvZ/npdKMdqjiQxmA002U+inOzCcciRRZSdXhYgqvkuMEHYsaoGlLwj+wJbEviobPpWxcEeQoqEwIj6QpwX");
+			result.put("wbpk+FN+195738a", "MIIF2TCCA8GgAwIBAgIEL2AV4zANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMC\r\n" + 
+					"QVQxSDBGBgNVBAoMP0EtVHJ1c3QgR2VzLiBmLiBTaWNoZXJoZWl0c3N5c3RlbWUg\r\n" + 
+					"aW0gZWxla3RyLiBEYXRlbnZlcmtlaHIgR21iSDEYMBYGA1UECwwPYS1zaWduLWxp\r\n" + 
+					"Z2h0LTA1MRgwFgYDVQQDDA9hLXNpZ24tbGlnaHQtMDUwHhcNMTgwNjA4MTA0MzEy\r\n" + 
+					"WhcNMjMwNjA4MDg0MzEyWjBoMQswCQYDVQQGEwJBVDEbMBkGA1UEAwwSZS1UcmVz\r\n" + 
+					"b3IgRnJlbWQtYlBLMRIwEAYDVQQEDAlGcmVtZC1iUEsxETAPBgNVBCoMCGUtVHJl\r\n" + 
+					"c29yMRUwEwYDVQQFEwwxMTc3MDQwMzU4MjUwggEgMA0GCSqGSIb3DQEBAQUAA4IB\r\n" + 
+					"DQAwggEIAoIBAQC9jQHCrCK4r8bKsist/h53yP7RzqDZhDGy3j6BLiGMGeQ8Qekf\r\n" + 
+					"k+Onmy6k7PfOfBZgiOd/Zs8JXZMISycz5/G9WJp0d1iFjmRDNWmM4MEN8k+mAnW+\r\n" + 
+					"Omn7sTJStaL5hRME/YdJpI/k08MasQuc13M6i6szpKA0eMfLf0nTWgEWt5e/x3Gj\r\n" + 
+					"+Br7dxYtv8RDeHHVhk5EkXwbhuVi9fO/UCNEAEsKCkiTGCwVRek/c+LQ42cnuLKN\r\n" + 
+					"Kg4LKJaIrr9uyMkibYpDZi1nXwQR9Jxsg4lzfpyAvSJIZtqMN0C66cwnzflLt9M8\r\n" + 
+					"GwO08KzvONEo4oiodKx7IcMGGbjukHX2NY7BAgERo4IBZzCCAWMwdAYIKwYBBQUH\r\n" + 
+					"AQEEaDBmMDsGCCsGAQUFBzAChi9odHRwOi8vd3d3LmEtdHJ1c3QuYXQvY2VydHMv\r\n" + 
+					"YS1zaWduLWxpZ2h0LTA1LmNydDAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10\r\n" + 
+					"cnVzdC5hdC9vY3NwMBMGA1UdIwQMMAqACEhCh7VWr5ysMB0GA1UdEQQWMBSBEnRl\r\n" + 
+					"Y2huaWtAYS10cnVzdC5hdDARBgNVHQ4ECgQIRnNIDj8iCQcwDgYDVR0PAQH/BAQD\r\n" + 
+					"AgSwMAkGA1UdEwQCMAAwTQYDVR0gBEYwRDBCBgYqKAARAQkwODA2BggrBgEFBQcC\r\n" + 
+					"ARYqaHR0cDovL3d3dy5hLXRydXN0LmF0L2RvY3MvY3AvYS1zaWduLWxpZ2h0MDoG\r\n" + 
+					"A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwuYS10cnVzdC5hdC9jcmwvYS1zaWdu\r\n" + 
+					"LWxpZ2h0LTA1MA0GCSqGSIb3DQEBCwUAA4ICAQAh7plfW9U3hh5brYS0OmWhKJrM\r\n" + 
+					"jBDn9TyKsdetZ3AU3/GJONSq1GrZbTv6dq6vAH0G20cNQaLSNl2/9U3WBqX2T2Ik\r\n" + 
+					"vek8925+9HAFRVZiwnNX5CT0dQGNkqkagVzfd8dj8n+KiQZZZN9WroR9MoRXNlw1\r\n" + 
+					"DERzlXLlYFtK+F4323LtbolSLnN793p/6al4k8RheKG0Jy+pEtpCy6KNohkl34ZE\r\n" + 
+					"xtGrQLrJDtRtbCJcJ1t2fsM8iP9vi+K+0hOolIM7qwELRftwhvLyB+Gtlke2zLod\r\n" + 
+					"SR0AA6fLoNISdKpSEIu1OJ88R70T3q3sEYWLHc8GHPO6WjaF/tq8iI/lPeUc0c2u\r\n" + 
+					"gZOpH6Q3jWZo9UmhAbcyIwQTtVg9lS35EM3xPt+GC9DTsyNkTJObICZXUGsUswCp\r\n" + 
+					"Vj76888biAR/ey9pr6fctj11w4jEwOP5pIcKdv1vX6KZl58O8kIUV3IUbvFY/M1n\r\n" + 
+					"bfCrmm8uT4780NAIv3v8jgB/wK6EjntXoACPyGwB3lbdWJ2lZ4y5QCYEbW/8LLzJ\r\n" + 
+					"6kGERNrFGBn4pK8GhZg8Tq1GigOyUrGteHeYUylKqLRoIvby53tYHnMx5fS/N/OU\r\n" + 
+					"uKuAqGNHDTNkYI2jWhS6gFjUdTiaVVdKo/GSS4eDU5hsKOBRHTKWLT9E1DryCUkD\r\n" + 
+					"u4SwB63SrCEshSczfA==\r\n");
+			
+		}
+		
+		return result;
 	}
 
 	@Override
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java
new file mode 100644
index 000000000..e340d4c86
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java
@@ -0,0 +1,287 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+
+import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
+import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException;
+import iaik.x509.X509Certificate;
+
+public class DummyAuthSession implements IAuthenticationSession {
+
+	private IIdentityLink idl;
+
+	@Override
+	public boolean isAuthenticated() {
+		return true;
+	}
+
+	@Override
+	public void setAuthenticated(boolean authenticated) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public X509Certificate getSignerCertificate() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public byte[] getEncodedSignerCertificate() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setSignerCertificate(X509Certificate signerCertificate) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public IIdentityLink getIdentityLink() {
+		return this.idl;
+	}
+
+	@Override
+	public String getSessionID() {
+		return "123456789abcd";
+	}
+
+	@Override
+	public void setIdentityLink(IIdentityLink identityLink) {
+		this.idl = identityLink;
+		
+	}
+
+	@Override
+	public void setSessionID(String sessionId) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public String getBkuURL() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setBkuURL(String bkuURL) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public String getAuthBlock() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setAuthBlock(String authBlock) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public List<ExtendedSAMLAttribute> getExtendedSAMLAttributesAUTH() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setExtendedSAMLAttributesAUTH(List<ExtendedSAMLAttribute> extendedSAMLAttributesAUTH) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public List<ExtendedSAMLAttribute> getExtendedSAMLAttributesOA() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setExtendedSAMLAttributesOA(List<ExtendedSAMLAttribute> extendedSAMLAttributesOA) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public boolean getSAMLAttributeGebeORwbpk() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public String getIssueInstant() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setIssueInstant(String issueInstant) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public void setUseMandate(String useMandate) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public void setUseMandates(boolean useMandates) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public boolean isMandateUsed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public void setMISSessionID(String misSessionID) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public String getMISSessionID() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getMandateReferenceValue() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setMandateReferenceValue(String mandateReferenceValue) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public boolean isForeigner() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public void setForeigner(boolean isForeigner) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public IVerifiyXMLSignatureResponse getXMLVerifySignatureResponse() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setXMLVerifySignatureResponse(IVerifiyXMLSignatureResponse xMLVerifySignatureResponse) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public IMISMandate getMISMandate() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setMISMandate(IMISMandate mandate) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public boolean isOW() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public void setOW(boolean isOW) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public String getAuthBlockTokken() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setAuthBlockTokken(String authBlockTokken) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public String getQAALevel() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setQAALevel(String qAALevel) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public Date getSessionCreated() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Map<String, Object> getGenericSessionDataStorage() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Object getGenericDataFromSession(String key) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public <T> T getGenericDataFromSession(String key, Class<T> clazz) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setGenericDataToSession(String key, Object object) throws SessionDataStorageException {
+		// TODO Auto-generated method stub
+		
+	}
+
+	
+}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java
new file mode 100644
index 000000000..76e0a83c6
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java
@@ -0,0 +1,186 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.util.Date;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
+import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.data.SLOInformationInterface;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
+
+public class DummyAuthStorage implements IAuthenticationSessionStoreage {
+
+	@Override
+	public boolean isAuthenticated(String internalSsoSessionID) {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public AuthenticationSession createInternalSSOSession(IRequest target) throws MOADatabaseException, BuildException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public AuthenticationSession getInternalSSOSession(String internalSsoSessionID) throws MOADatabaseException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public AuthenticationSessionExtensions getAuthenticationSessionExtensions(String internalSsoSessionID)
+			throws MOADatabaseException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void setAuthenticationSessionExtensions(String internalSsoSessionID,
+			AuthenticationSessionExtensions sessionExtensions) throws MOADatabaseException {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public void destroyInternalSSOSession(String internalSsoSessionID) throws MOADatabaseException {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public void setAuthenticated(String internalSsoSessionID, boolean isAuthenticated) {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public AuthenticationSession getInternalMOASessionWithSSOID(String SSOSessionID) throws MOADatabaseException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isSSOSession(String sessionID) throws MOADatabaseException {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public AuthenticatedSessionStore isValidSessionWithSSOID(String SSOId) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void addSSOInformation(String moaSessionID, String SSOSessionID, SLOInformationInterface SLOInfo,
+			IRequest protocolRequest) throws AuthenticationException {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public List<OASessionStore> getAllActiveOAFromMOASession(IAuthenticationSession moaSession) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(IAuthenticationSession moaSession) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public IAuthenticationSession searchMOASessionWithNameIDandOAID(String oaID, String userNameID) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public OASessionStore searchActiveOASSOSession(IAuthenticationSession moaSession, String oaID,
+			String protocolType) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public IAuthenticationSession getSessionWithUserNameID(String nameID) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASession(String sessionID) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASessionIDPID(String sessionID,
+			String idpID) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor)
+			throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean removeInterfederetedSession(String entityID, String pedingRequestID) {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public void clean(Date now, long authDataTimeOutCreated, long authDataTimeOutUpdated) {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public void markOAWithAttributeQueryUsedFlag(IAuthenticationSession session, String oaurl, String requestedModule) {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public void deleteIdpInformation(InterfederationSessionStore nextIDPInformation) {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public void persistIdpInformation(InterfederationSessionStore nextIDPInformation) {
+		// TODO Auto-generated method stub
+
+	}
+
+	@Override
+	public OldSSOSessionIDStore checkSSOTokenAlreadyUsed(String ssoId) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java
new file mode 100644
index 000000000..44e3d5e2a
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java
@@ -0,0 +1,289 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.security.PrivateKey;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
+import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
+import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
+import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+
+public class DummyOAConfig implements IOAAuthParameters {
+
+	private List<String> foreignbPKSectors;
+	private String target;
+	private boolean hasBaseIdTransferRestriction;
+	
+	@Override
+	public Map<String, String> getFullConfiguration() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getConfigurationValue(String key) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getFriendlyName() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getPublicURLPrefix() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+		return false;
+	}
+
+	@Override
+	public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+		return hasBaseIdTransferRestriction;
+	}
+
+	@Override
+	public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+		return target;
+	}
+
+	@Override
+	public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isInderfederationIDP() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isSTORKPVPGateway() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isRemovePBKFromAuthBlock() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public String getKeyBoxIdentifier() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public SAML1ConfigurationParameters getSAML1Parameter() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getTemplateURL() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getAditionalAuthBlockText() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getBKUURL(String bkutype) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> getBKUURL() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean useSSO() {
+		return false;
+	}
+
+	@Override
+	public boolean useSSOQuestion() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public List<String> getMandateProfiles() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isShowMandateCheckBox() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isOnlyMandateAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isShowStorkLogin() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public String getQaaLevel() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isRequireConsentForStorkAttributes() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public Collection<StorkAttribute> getRequestedSTORKAttributes() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public byte[] getBKUSelectionTemplate() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public byte[] getSendAssertionTemplate() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public Collection<CPEPS> getPepsList() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public String getIDPAttributQueryServiceURL() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isInboundSSOInterfederationAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isInterfederationSSOStorageAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isOutboundSSOInterfederationAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isTestCredentialEnabled() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public List<String> getTestCredentialOIDs() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isUseIDLTestTrustStore() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isUseAuthBlockTestTestStore() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public PrivateKey getBPKDecBpkDecryptionKey() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public boolean isPassivRequestUsedForInterfederation() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public boolean isPerformLocalAuthenticationOnInterfederationError() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	@Override
+	public Collection<StorkAttributeProviderPlugin> getStorkAPs() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<Integer> getReversionsLoggingEventCodes() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	@Override
+	public List<String> foreignbPKSectorsRequested() {
+		return foreignbPKSectors;
+		
+	}
+
+	public void setForeignbPKSectors(List<String> foreignSectors) {
+		this.foreignbPKSectors = foreignSectors;
+		
+	}
+
+	public void setTarget(String target) {
+		this.target = target;
+	}
+
+	public void setHasBaseIdTransferRestriction(boolean hasBaseIdTransferRestriction) {
+		this.hasBaseIdTransferRestriction = hasBaseIdTransferRestriction;
+	}
+	
+	
+}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java
index 71956990e..3cd9d9476 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java
@@ -1,16 +1,10 @@
 package at.gv.egovernment.moa.id.config.auth.data;
 
-import java.io.IOException;
-import java.io.InputStreamReader;
-
-import org.apache.commons.io.IOUtils;
-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.opensaml.xml.ConfigurationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; 
 
 
 @RunWith(SpringJUnit4ClassRunner.class)
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java
index 3ecbb84a2..ebed519f1 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java
@@ -38,6 +38,8 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageExcepti
 public class TestRequestImpl implements IRequest {
 
 	private String processInstanceID = null; 
+
+	public static final String DUMMY_AUTH_URL = "http://dummyIDP/";
 	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.moduls.IRequest#requestedModule()
@@ -152,8 +154,7 @@ public class TestRequestImpl implements IRequest {
 	 */
 	@Override
 	public String getAuthURL() {
-		// TODO Auto-generated method stub
-		return null;
+		return DUMMY_AUTH_URL;
 	}
 
 	/* (non-Javadoc)
diff --git a/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv
index 099fc0f7e..c33de9970 100644
--- a/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv
+++ b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv
@@ -7,4 +7,6 @@ ZP-MH:DJ6nGg2JgcPH768BhqTNXVsGhOY=,
 JWiLzwktCITGg+ztRKEAwWloSNM=,
 ZP-MH:+cyQbhr1fQ8hLhazL62tFRq47iY=,
 ZP-MH:AFmfywfYPHcl2Lxp138upielmrs=,
-ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0=
+ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0=,
+ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0=:asdfadsfasdf,
+ZP-AT:yPAOTsc9LY5/jnbkWn2MWY6hjg0=
diff --git a/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml
index 85788714a..65e48987a 100644
--- a/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml
+++ b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml
@@ -9,10 +9,21 @@
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
 		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
 
+	<!-- Prod. classes from MOA-ID lib -->
 			
 	<bean id="UserWhiteList_Store" 
 				class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/>
+								
+	<bean id="AuthenticationDataBuilder" 
+				class="at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder"/>
+				
+				
+				
+	<!-- Dummy test classes -->				
 				
 	<bean id="DummyAuthConfig" 
 				class="at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig"/>
+				
+	<bean id="DummyAuthStorage" 
+				class="at.gv.egovernment.moa.id.config.auth.data.DummyAuthStorage"/>								
 </beans>
-- 
cgit v1.2.3


From 92982d1ee7f13e5206ea192776b0a042d2ddea2f Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 12 Jun 2018 12:08:12 +0200
Subject: fix wrong encoding in EncryptedBPKAttributeBuilder

---
 .../egovernment/moa/id/auth/builder/BPKBuilder.java   |  3 ++-
 .../attributes/EncryptedBPKAttributeBuilder.java      | 19 +++++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 14de65e36..865f7e6b4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -171,7 +171,8 @@ public class BPKBuilder {
 		try {
 			byte[] inputBytes = input.getBytes("ISO-8859-1");
 			result = encrypt(inputBytes, publicKey);
-			return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", "");
+			
+			return new String(java.util.Base64.getEncoder().encode(result), "ISO-8859-1").replaceAll("\r\n", "");
 			
 		} catch (Exception e) {
 			throw new BuildException("bPK encryption FAILED", null, e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
index f5c48b826..d15f545ae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java
@@ -23,12 +23,9 @@
 package at.gv.egovernment.moa.id.protocols.builder.attributes;
 
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
 
 public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 	
@@ -40,10 +37,10 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 			IAttributeGenerator<ATT> g) throws AttributeException {
 
 		if (authData.getEncbPKList() != null &&
-				authData.getEncbPKList().size() > 0) {
-			String value = "(" + authData.getEncbPKList().get(0) + ")";
+				authData.getEncbPKList().size() > 0) {						
+			String value = addPreAndSufix(authData.getEncbPKList().get(0));						
 			for (int i=1; i<authData.getEncbPKList().size(); i++)
-				value += ";"+authData.getEncbPKList().get(i);			
+				value += ";"+addPreAndSufix(authData.getEncbPKList().get(i));			
 			
 			return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, 
 					value);
@@ -68,4 +65,14 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder {
 		return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME);
 	}
 	
+	private String addPreAndSufix(String value) {
+		if (!value.startsWith("("))
+			value = "(" + value;
+		
+		if (!value.endsWith(""))
+			value = value + ")";
+		
+		return value;
+	}
+	
 }
-- 
cgit v1.2.3


From 55f71502a0b62624d5ebc0e4aa749b3f5d5a0bf2 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 15 Jun 2018 13:33:59 +0200
Subject: Add operation identifier for signature validation step

---
 .../moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java      | 2 +-
 .../src/main/resources/resources/properties/id_messages_de.properties   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 407454c2a..cc26b8b6e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -118,7 +118,7 @@ public class VerifyXMLSignatureResponseValidator {
     throws ValidateException, ConfigurationException {
 
     if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
-      throw new ValidateException("validator.06", null);
+      throw new ValidateException("validator.06", new Object[] {whatToCheck});
       
     if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
 			String checkFailedReason ="";
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 799b32025..49ef8220d 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -154,7 +154,7 @@ validator.03=Der Namespace eines \u00F6ffentlicher Schl\u00FCssels ist ung\u00FC
 validator.04=Es wurde ein SAML\:Attribut ohne \u00F6ffentlichen Schl\u00FCssel gefunden {0}
 validator.05=Es wurde {0} keine DSIG:Signature gefunden
 
-validator.06=Die Signatur ist ung\u00FCltig
+validator.06=Die Signatur ist ung\u00FCltig. Operation: {0}
 validator.07=Das Zertifikat der Personenbindung ist ung\u00FCltig.<br>{0}
 validator.08=Das Manifest ist ung\u00FCltig
 validator.09=Die \u00F6ffentlichen Schl\u00FCssel des Identitiy Link stimmen nicht mit dem retournierten Zertifikat \u00FCberein
-- 
cgit v1.2.3


From 30e324851d67bd900471457e3c30a19b4073ec77 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 25 Jun 2018 13:22:20 +0200
Subject: add SP specific configuration for SL2.0

---
 .../java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java   | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index e093ce1e2..db0170e54 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -476,7 +476,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		try {
 			//put pending-request ID on execurtionContext
 			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID());			
-						
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SP_CONFIG, pendingReq.getOnlineApplicationConfiguration());
+			
+			
 			// create process instance
 			String processDefinitionId = ModuleRegistration.getInstance().selectProcess(executionContext);
 
-- 
cgit v1.2.3