From 52ad604e54cb91073503d708cd0c50ff0121174a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 30 May 2018 06:29:29 +0200 Subject: add additional validation to SL20 module --- .../auth/builder/SignatureVerificationUtils.java | 27 +- .../id/auth/validator/IdentityLinkValidator.java | 210 +++++++++++ .../VerifyXMLSignatureRequestBuilder.java | 408 +++++++++++++++++++++ .../VerifyXMLSignatureResponseValidator.java | 307 ++++++++++++++++ .../pvp2x/utils/AssertionAttributeExtractor.java | 98 +++-- 5 files changed, 1018 insertions(+), 32 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java index 9ca15c76f..27d983785 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java @@ -22,6 +22,8 @@ */ package at.gv.egovernment.moa.id.auth.builder; +import java.util.List; + import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -74,10 +76,15 @@ public class SignatureVerificationUtils { } } - public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException { + public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException { + return verify(signature, trustProfileID, null); + + } + + public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID, List verifyTransformsInfoProfileID) throws MOAIDException { try { //build signature-verification request - Element domVerifyXMLSignatureRequest = build(signature, trustProfileID); + Element domVerifyXMLSignatureRequest = build(signature, trustProfileID, verifyTransformsInfoProfileID); //send signature-verification to MOA-SP Element domVerifyXMLSignatureResponse = SignatureVerificationInvoker.getInstance() @@ -112,7 +119,7 @@ public class SignatureVerificationUtils { * * @throws ParseException */ - private Element build(byte[] signature, String trustProfileID) + private Element build(byte[] signature, String trustProfileID, List verifyTransformsInfoProfileID) throws ParseException { try { @@ -153,6 +160,20 @@ public class SignatureVerificationUtils { requestElem_.appendChild(signatureManifestCheckParamsElem); signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); + //verify transformations + if (verifyTransformsInfoProfileID != null && !verifyTransformsInfoProfileID.isEmpty()) { + Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); + signatureManifestCheckParamsElem.appendChild(referenceInfoElem); + for (String element : verifyTransformsInfoProfileID) { + Element verifyTransformsInfoProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID"); + referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem); + verifyTransformsInfoProfileIDElem.appendChild(requestDoc_.createTextNode(element)); + + } + } + + + //hashinput data Element returnHashInputDataElem = requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); requestElem_.appendChild(returnHashInputDataElem); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java new file mode 100644 index 000000000..f3ce6888b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java @@ -0,0 +1,210 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.auth.validator; + +import org.w3c.dom.Element; +import org.w3c.dom.NodeList; + +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.exception.ValidateException; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * This class is used to validate an {@link IdentityLink} + * returned by the security layer + * + * @author Stefan Knirsch + * @version $Id$ + */ +public class IdentityLinkValidator implements Constants { + + // + // XPath namespace prefix shortcuts + // + /** Xpath prefix for reaching PersonData Namespaces */ + private static final String PDATA = PD_PREFIX + ":"; + /** Xpath prefix for reaching SAML Namespaces */ + private static final String SAML = SAML_PREFIX + ":"; + /** Xpath prefix for reaching XML-DSIG Namespaces */ + private static final String DSIG = DSIG_PREFIX + ":"; + /** Xpath prefix for reaching ECDSA Namespaces */ + private static final String ECDSA = ECDSA_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = ""; + /** Xpath expression to the SAML:SubjectConfirmationData element */ + private static final String SAML_SUBJECT_CONFIRMATION_DATA_XPATH = + ROOT + + SAML + + "AttributeStatement/" + + SAML + + "Subject/" + + SAML + + "SubjectConfirmation/" + + SAML + + "SubjectConfirmationData"; +/** Xpath expression to the PersonData:Person element */ + private static final String PERSON_XPATH = + SAML_SUBJECT_CONFIRMATION_DATA_XPATH + "/" + PDATA + "Person"; + /** Xpath expression to the SAML:Attribute element */ + private static final String ATTRIBUTE_XPATH = + ROOT + SAML + "AttributeStatement/" + SAML + "Attribute"; +// /** Xpath expression to the SAML:AttributeName attribute */ +// private static final String ATTRIBUTE_NAME_XPATH = +// ROOT + SAML + "AttributeStatement/" + SAML + "Attribute/@AttributeName"; +// /** Xpath expression to the SAML:AttributeNamespace attribute */ +// private static final String ATTRIBUTE_NAMESPACE_XPATH = +// ROOT +// + SAML +// + "AttributeStatement/" +// + SAML +// + "Attribute/@AttributeNamespace"; +// /** Xpath expression to the SAML:AttributeValue element */ +// private static final String ATTRIBUTE_VALUE_XPATH = +// ROOT +// + SAML +// + "AttributeStatement/" +// + SAML +// + "Attribute/" +// + SAML +// + "AttributeValue"; + + /** Singleton instance. null, if none has been created. */ + private static IdentityLinkValidator instance; + + /** + * Constructor for a singleton IdentityLinkValidator. + * @return a new IdentityLinkValidator instance + * @throws ValidateException if no instance can be created + */ + public static synchronized IdentityLinkValidator getInstance() + throws ValidateException { + if (instance == null) { + instance = new IdentityLinkValidator(); + } + return instance; + } + + /** + * Method validate. Validates the {@link IdentityLink} + * @param identityLink The identityLink to validate + * @throws ValidateException on any validation error + */ + public void validate(IIdentityLink identityLink) throws ValidateException { + + Element samlAssertion = identityLink.getSamlAssertion(); + //Search the SAML:ASSERTION Object (A2.054) + if (samlAssertion == null) { + throw new ValidateException("validator.00", null); + } + + // Check how many saml:Assertion/saml:AttributeStatement/ + // saml:Subject/ saml:SubjectConfirmation/ + // saml:SubjectConfirmationData/pr:Person of type + // PhysicalPersonType exist (A2.056) + NodeList nl = XPathUtils.selectNodeList(samlAssertion, PERSON_XPATH); + // If we have just one Person-Element we don't need to check the attributes + int counterPhysicalPersonType = 0; + if (nl.getLength() > 1) + for (int i = 0; i < nl.getLength(); i++) { + String xsiType = + ((Element) nl.item(i)) + .getAttributeNodeNS( + "http://www.w3.org/2001/XMLSchema-instance", + "type") + .getNodeValue(); + // We have to check if xsiType contains "PhysicalPersonType" + // An equal-check will fail because of the Namespace-prefix of the attribute value + if (xsiType.indexOf("PhysicalPersonType") > -1) + counterPhysicalPersonType++; + } + if (counterPhysicalPersonType > 1) + throw new ValidateException("validator.01", null); + + //Check the SAML:ATTRIBUTES + nl = XPathUtils.selectNodeList(samlAssertion, ATTRIBUTE_XPATH); + for (int i = 0; i < nl.getLength(); i++) { + String attributeName = + XPathUtils.getAttributeValue( + (Element) nl.item(i), + "@AttributeName", + null); + String attributeNS = + XPathUtils.getAttributeValue( + (Element) nl.item(i), + "@AttributeNamespace", + null); + if (attributeName.equals("CitizenPublicKey")) { + + if (attributeNS.equals("http://www.buergerkarte.at/namespaces/personenbindung/20020506#") || + attributeNS.equals("urn:publicid:gv.at:namespaces:identitylink:1.2")) { + Element attributeValue = + (Element) XPathUtils.selectSingleNode((Element) nl.item(i),nSMap, SAML + "AttributeValue/" + DSIG + "RSAKeyValue"); + if (attributeValue==null) + attributeValue = + (Element) XPathUtils.selectSingleNode((Element)nl.item(i), nSMap, SAML + "AttributeValue/" + ECDSA + "ECDSAKeyValue"); + if (attributeValue==null) + attributeValue = + (Element) XPathUtils.selectSingleNode((Element)nl.item(i), nSMap, SAML + "AttributeValue/" + DSIG + "DSAKeyValue"); + if (attributeValue == null) + throw new ValidateException("validator.02", null); + + } + else + throw new ValidateException("validator.03", new Object [] {attributeNS} ); + } + else + throw new ValidateException("validator.04", new Object [] {attributeName} ); + } + + //Check if dsig:Signature exists + Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion,ROOT + DSIG + "Signature"); + if (dsigSignature==null) throw new ValidateException("validator.05", new Object[] {"in der Personenbindung"}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java new file mode 100644 index 000000000..ae9ff80ae --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureRequestBuilder.java @@ -0,0 +1,408 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.auth.validator; + +import java.util.List; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.Constants; + +/** + * Builder for the <VerifyXMLSignatureRequestBuilder> structure + * used for sending the DSIG-Signature of the Security Layer card for validating to MOA-SP. + * + * @author Stefan Knirsch + * @version $Id$ + */ +public class VerifyXMLSignatureRequestBuilder { + + /** shortcut for XMLNS namespace URI */ + private static final String XMLNS_NS_URI = Constants.XMLNS_NS_URI; + /** shortcut for MOA namespace URI */ + private static final String MOA_NS_URI = Constants.MOA_NS_URI; + /** The DSIG-Prefix */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + + /** The document containing the VerifyXMLsignatureRequest */ + private Document requestDoc_; + /** the VerifyXMLsignatureRequest root element */ + private Element requestElem_; + + + /** + * Builds the body for a VerifyXMLsignatureRequest including the root + * element and namespace declarations. + * + * @throws BuildException If an error occurs on building the document. + */ + public VerifyXMLSignatureRequestBuilder() throws BuildException { + try { + DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + requestDoc_ = docBuilder.newDocument(); + requestElem_ = requestDoc_.createElementNS(MOA_NS_URI, "VerifyXMLSignatureRequest"); + requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns", MOA_NS_URI); + requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns:" + Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); + requestDoc_.appendChild(requestElem_); + } catch (Throwable t) { + throw new BuildException( + "builder.00", + new Object[] {"VerifyXMLSignatureRequest", t.toString()}, + t); + } + } + + + /** + * Builds a <VerifyXMLSignatureRequest> + * from an IdentityLink with a known trustProfileID which + * has to exist in MOA-SP + * @param identityLink - The IdentityLink + * @param trustProfileID - a preconfigured TrustProfile at MOA-SP + * + * @return Element - The complete request as Dom-Element + * + * @throws ParseException + */ + public Element build(IIdentityLink identityLink, String trustProfileID) + throws ParseException + { + try { + // build the request + Element dateTimeElem = requestDoc_.createElementNS(MOA_NS_URI, "DateTime"); + requestElem_.appendChild(dateTimeElem); + Node dateTime = requestDoc_.createTextNode(identityLink.getIssueInstant()); + dateTimeElem.appendChild(dateTime); + Element verifiySignatureInfoElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); + requestElem_.appendChild(verifiySignatureInfoElem); + Element verifySignatureEnvironmentElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment"); + verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem); + Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content"); + verifySignatureEnvironmentElem.appendChild(base64ContentElem); + // insert the base64 encoded identity link SAML assertion + String serializedAssertion = identityLink.getSerializedSamlAssertion(); + String base64EncodedAssertion = Base64Utils.encode(serializedAssertion.getBytes("UTF-8")); + //replace all '\r' characters by no char. + StringBuffer replaced = new StringBuffer(); + for (int i = 0; i < base64EncodedAssertion.length(); i ++) { + char c = base64EncodedAssertion.charAt(i); + if (c != '\r') { + replaced.append(c); + } + } + base64EncodedAssertion = replaced.toString(); + Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion); + base64ContentElem.appendChild(base64Content); + // specify the signature location + Element verifySignatureLocationElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation"); + verifiySignatureInfoElem.appendChild(verifySignatureLocationElem); + Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature"); + verifySignatureLocationElem.appendChild(signatureLocation); + // signature manifest params + Element signatureManifestCheckParamsElem = + requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); + // add the transforms + Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); + signatureManifestCheckParamsElem.appendChild(referenceInfoElem); + Element[] dsigTransforms = identityLink.getDsigReferenceTransforms(); + + for (int i = 0; i < dsigTransforms.length; i++) { + Element verifyTransformsInfoProfileElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfile"); + referenceInfoElem.appendChild(verifyTransformsInfoProfileElem); + verifyTransformsInfoProfileElem.appendChild(requestDoc_.importNode(dsigTransforms[i], true)); + } + Element returnHashInputDataElem = + requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); + requestElem_.appendChild(returnHashInputDataElem); + Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID"); + trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID)); + requestElem_.appendChild(trustProfileIDElem); + } catch (Throwable t) { + throw new ParseException("builder.00", + new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t); + } + + return requestElem_; + } + + /** + * Builds a <VerifyXMLSignatureRequest> + * from an IdentityLink with a known trustProfileID which + * has to exist in MOA-SP + * @param identityLink - The IdentityLink + * @param trustProfileID - a preconfigured TrustProfile at MOA-SP + * + * @return Element - The complete request as Dom-Element + * + * @throws ParseException + */ + public Element build(byte[]mandate, String trustProfileID) + throws ParseException + { + try { + // build the request +// Element dateTimeElem = requestDoc_.createElementNS(MOA_NS_URI, "DateTime"); +// requestElem_.appendChild(dateTimeElem); +// Node dateTime = requestDoc_.createTextNode(identityLink.getIssueInstant()); +// dateTimeElem.appendChild(dateTime); + Element verifiySignatureInfoElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); + requestElem_.appendChild(verifiySignatureInfoElem); + Element verifySignatureEnvironmentElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment"); + verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem); + Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content"); + verifySignatureEnvironmentElem.appendChild(base64ContentElem); + // insert the base64 encoded identity link SAML assertion + //String serializedAssertion = identityLink.getSerializedSamlAssertion(); + //String base64EncodedAssertion = Base64Utils.encode(mandate.getBytes("UTF-8")); + String base64EncodedAssertion = Base64Utils.encode(mandate); + //replace all '\r' characters by no char. + StringBuffer replaced = new StringBuffer(); + for (int i = 0; i < base64EncodedAssertion.length(); i ++) { + char c = base64EncodedAssertion.charAt(i); + if (c != '\r') { + replaced.append(c); + } + } + base64EncodedAssertion = replaced.toString(); + Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion); + base64ContentElem.appendChild(base64Content); + // specify the signature location + Element verifySignatureLocationElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation"); + verifiySignatureInfoElem.appendChild(verifySignatureLocationElem); + Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature"); + verifySignatureLocationElem.appendChild(signatureLocation); + // signature manifest params + Element signatureManifestCheckParamsElem = + requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); +// // add the transforms +// Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); +// signatureManifestCheckParamsElem.appendChild(referenceInfoElem); +// Element[] dsigTransforms = identityLink.getDsigReferenceTransforms(); +// +// for (int i = 0; i < dsigTransforms.length; i++) { +// Element verifyTransformsInfoProfileElem = +// requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfile"); +// referenceInfoElem.appendChild(verifyTransformsInfoProfileElem); +// verifyTransformsInfoProfileElem.appendChild(requestDoc_.importNode(dsigTransforms[i], true)); +// } + Element returnHashInputDataElem = + requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); + requestElem_.appendChild(returnHashInputDataElem); + Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID"); + trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID)); + requestElem_.appendChild(trustProfileIDElem); + } catch (Throwable t) { + throw new ParseException("builder.00", + new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t); + } + + return requestElem_; + } + + + /** + * Builds a <VerifyXMLSignatureRequest> + * from the signed AUTH-Block with a known trustProfileID which + * has to exist in MOA-SP + * @param csr - signed AUTH-Block + * @param verifyTransformsInfoProfileID - allowed verifyTransformsInfoProfileID + * @param trustProfileID - a preconfigured TrustProfile at MOA-SP + * @return Element - The complete request as Dom-Element + * @throws ParseException + */ + public Element build( + CreateXMLSignatureResponse csr, + List verifyTransformsInfoProfileID, + String trustProfileID) + throws BuildException { //samlAssertionObject + + try { + // build the request +// requestElem_.setAttributeNS(Constants.XMLNS_NS_URI, "xmlns:" +// + Constants.XML_PREFIX, Constants.XMLNS_NS_URI); + Element verifiySignatureInfoElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); + requestElem_.appendChild(verifiySignatureInfoElem); + Element verifySignatureEnvironmentElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment"); + verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem); + Element xmlContentElem = requestDoc_.createElementNS(MOA_NS_URI, "XMLContent"); + verifySignatureEnvironmentElem.appendChild(xmlContentElem); + xmlContentElem.setAttribute(Constants.XML_PREFIX + ":space", "preserve"); + // insert the SAML assertion + xmlContentElem.appendChild(requestDoc_.importNode(csr.getSamlAssertion(), true)); + // specify the signature location + Element verifySignatureLocationElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation"); + verifiySignatureInfoElem.appendChild(verifySignatureLocationElem); + Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature"); + verifySignatureLocationElem.appendChild(signatureLocation); + // signature manifest params + Element signatureManifestCheckParamsElem = + requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "true"); + // add the transform profile IDs + Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); + signatureManifestCheckParamsElem.appendChild(referenceInfoElem); + +// for (int i = 0; i < verifyTransformsInfoProfileID.length; i++) { +// +// Element verifyTransformsInfoProfileIDElem = +// requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID"); +// referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem); +// verifyTransformsInfoProfileIDElem.appendChild( +// requestDoc_.createTextNode(verifyTransformsInfoProfileID[i])); +// } + + for (String element : verifyTransformsInfoProfileID) { + + Element verifyTransformsInfoProfileIDElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID"); + referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem); + verifyTransformsInfoProfileIDElem.appendChild( + requestDoc_.createTextNode(element)); + } + + Element returnHashInputDataElem = + requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); + requestElem_.appendChild(returnHashInputDataElem); + Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID"); + trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID)); + requestElem_.appendChild(trustProfileIDElem); + + } catch (Throwable t) { + throw new BuildException("builder.00", new Object[] { "VerifyXMLSignatureRequest" }, t); + } + + return requestElem_; + } + + /** + * Builds a <VerifyXMLSignatureRequest> + * from the signed data with a known trustProfileID which + * has to exist in MOA-SP + * @param csr - signed AUTH-Block + * @param trustProfileID - a preconfigured TrustProfile at MOA-SP + * @return Element - The complete request as Dom-Element + * @throws ParseException + */ + public Element buildDsig( + CreateXMLSignatureResponse csr, + String trustProfileID) + throws BuildException { //samlAssertionObject + + try { + // build the request +// requestElem_.setAttributeNS(Constants.XMLNS_NS_URI, "xmlns:" +// + Constants.XML_PREFIX, Constants.XMLNS_NS_URI); + + Element verifiySignatureInfoElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); + requestElem_.appendChild(verifiySignatureInfoElem); + Element verifySignatureEnvironmentElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment"); + verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem); + + Element xmlContentElem = requestDoc_.createElementNS(MOA_NS_URI, "XMLContent"); + verifySignatureEnvironmentElem.appendChild(xmlContentElem); + xmlContentElem.setAttribute(Constants.XML_PREFIX + ":space", "preserve"); + + // insert the dsig:Signature + xmlContentElem.appendChild(requestDoc_.importNode(csr.getDsigSignature(), true)); + // specify the signature location + Element verifySignatureLocationElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation"); + verifiySignatureInfoElem.appendChild(verifySignatureLocationElem); + Node signatureLocation = requestDoc_.createTextNode("/"+ DSIG + "Signature"); + verifySignatureLocationElem.appendChild(signatureLocation); + // signature manifest params + Element signatureManifestCheckParamsElem = + requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "true"); + // add the transform profile IDs + Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); + signatureManifestCheckParamsElem.appendChild(referenceInfoElem); + + Element returnHashInputDataElem = + requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); + requestElem_.appendChild(returnHashInputDataElem); + Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID"); + + trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID)); + requestElem_.appendChild(trustProfileIDElem); + + } catch (Throwable t) { + throw new BuildException("builder.00", new Object[] { "VerifyXMLSignatureRequest" }, t); + } + + return requestElem_; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java new file mode 100644 index 000000000..832aa58c6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -0,0 +1,307 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.auth.validator; + +import java.security.InvalidKeyException; +import java.security.PublicKey; +import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.ValidateException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.logging.Logger; +import iaik.asn1.structures.Name; +import iaik.security.ec.common.ECPublicKey; +import iaik.utils.RFC2253NameParserException; +import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; + +/** + * This class is used to validate an {@link VerifyXMLSignatureResponse} + * returned by MOA-SPSS + * + * @author Stefan Knirsch + * @version $Id$ + */ +public class VerifyXMLSignatureResponseValidator { + + /** Identification string for checking identity link */ + public static final String CHECK_IDENTITY_LINK = "IdentityLink"; + /** Identification string for checking authentication block */ + public static final String CHECK_AUTH_BLOCK = "AuthBlock"; + + /** Singleton instance. null, if none has been created. */ + private static VerifyXMLSignatureResponseValidator instance; + + /** + * Constructor for a singleton VerifyXMLSignatureResponseValidator. + */ + public static synchronized VerifyXMLSignatureResponseValidator getInstance() + throws ValidateException { + if (instance == null) { + instance = new VerifyXMLSignatureResponseValidator(); + } + return instance; + } + + /** + * Validates a {@link VerifyXMLSignatureResponse} returned by MOA-SPSS. + * + * @param verifyXMLSignatureResponse the <VerifyXMLSignatureResponse> + * @param identityLinkSignersSubjectDNNames subject names configured + * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated + * @param oaParam specifies whether the validation result of the + * manifest has to be ignored (identityLink validation if + * the OA is a business service) or not + * @throws ValidateException on any validation error + * @throws ConfigurationException + */ + public void validate(IVerifiyXMLSignatureResponse verifyXMLSignatureResponse, + List identityLinkSignersSubjectDNNames, + String whatToCheck, + IOAAuthParameters oaParam) + throws ValidateException, ConfigurationException { + + if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) + throw new ValidateException("validator.06", null); + + if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { + String checkFailedReason =""; + if (verifyXMLSignatureResponse.getCertificateCheckCode() == 1) + checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.21", null); + if (verifyXMLSignatureResponse.getCertificateCheckCode() == 2) + checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.22", null); + if (verifyXMLSignatureResponse.getCertificateCheckCode() == 3) + checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.23", null); + if (verifyXMLSignatureResponse.getCertificateCheckCode() == 4) + checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.24", null); + if (verifyXMLSignatureResponse.getCertificateCheckCode() == 5) + checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.25", null); + +// TEST CARDS + if (whatToCheck.equals(CHECK_IDENTITY_LINK)) + throw new ValidateException("validator.07", new Object[] { checkFailedReason } ); + else + throw new ValidateException("validator.19", new Object[] { checkFailedReason } ); + } + + //check QC + if (AuthConfigurationProviderFactory.getInstance().isCertifiacteQCActive() && + !whatToCheck.equals(CHECK_IDENTITY_LINK) && + !verifyXMLSignatureResponse.isQualifiedCertificate()) { + + //check if testcards are active and certificate has an extension for test credentials + if (oaParam.isTestCredentialEnabled()) { + boolean foundTestCredentialOID = false; + try { + X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate(); + + List validOIDs = new ArrayList(); + if (oaParam.getTestCredentialOIDs() != null) + validOIDs.addAll(oaParam.getTestCredentialOIDs()); + else + validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID); + + Set extentsions = signerCert.getCriticalExtensionOIDs(); + extentsions.addAll(signerCert.getNonCriticalExtensionOIDs()); + Iterator extit = extentsions.iterator(); + while(extit.hasNext()) { + String certOID = extit.next(); + for (String el : validOIDs) { + if (certOID.startsWith(el)) + foundTestCredentialOID = true; + } + } + + } catch (Exception e) { + Logger.warn("Test credential OID extraction FAILED.", e); + + } + //throw Exception if not TestCredentialOID is found + if (!foundTestCredentialOID) + throw new ValidateException("validator.72", null); + + } else + throw new ValidateException("validator.71", null); + } + + // if OA is type is business service the manifest validation result has + // to be ignored + boolean ignoreManifestValidationResult = false; + if (whatToCheck.equals(CHECK_IDENTITY_LINK)) + ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true + : false; + + if (ignoreManifestValidationResult) { + Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result"); + } else { + if (verifyXMLSignatureResponse.isXmlDSIGManigest()) + if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) + throw new ValidateException("validator.08", null); + } + + + // Check the signature manifest only when verifying the signed AUTHBlock + if (whatToCheck.equals(CHECK_AUTH_BLOCK)) { + if (verifyXMLSignatureResponse.getSignatureManifestCheckCode() > 0) { + throw new ValidateException("validator.50", null); + } + } + + //Check whether the returned X509 SubjectName is in the MOA-ID configuration or not + if (identityLinkSignersSubjectDNNames != null) { + String subjectDN = ""; + X509Certificate x509Cert = verifyXMLSignatureResponse.getX509certificate(); + try { + subjectDN = ((Name) x509Cert.getSubjectDN()).getRFC2253String(); + } + catch (RFC2253NameParserException e) { + throw new ValidateException("validator.17", null); + } + //System.out.println("subjectDN: " + subjectDN); + // check the authorisation to sign the identity link + if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) { + // subject DN check failed, try OID check: + try { + if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) { + throw new ValidateException("validator.18", new Object[] { subjectDN }); + } else { + Logger.debug("Identity link signer cert accepted for signing identity link: " + + "subjectDN check failed, but OID check successfully passed."); + } + } catch (X509ExtensionInitException e) { + throw new ValidateException("validator.49", null); + } + } else { + Logger.debug("Identity link signer cert accepted for signing identity link: " + + "subjectDN check successfully passed."); + } + + } + } + + /** + * Method validateCertificate. + * @param verifyXMLSignatureResponse The VerifyXMLSignatureResponse + * @param idl The Identitylink + * @throws ValidateException + */ + public void validateCertificate( + IVerifiyXMLSignatureResponse verifyXMLSignatureResponse, + IIdentityLink idl) + throws ValidateException { + + X509Certificate x509Response = verifyXMLSignatureResponse.getX509certificate(); + PublicKey[] pubKeysIdentityLink = (PublicKey[]) idl.getPublicKey(); + + PublicKey pubKeySignature = x509Response.getPublicKey(); + checkIDLAgainstSignatureCertificate(pubKeysIdentityLink, pubKeySignature); + + } + + + public void checkIDLAgainstSignatureCertificate( PublicKey[] pubKeysIdentityLink, PublicKey pubKeySignature) throws ValidateException { + boolean found = false; + for (int i = 0; i < pubKeysIdentityLink.length; i++) { + PublicKey idlPubKey = pubKeysIdentityLink[i]; + //compare RSAPublicKeys + if ((idlPubKey instanceof java.security.interfaces.RSAPublicKey) && + (pubKeySignature instanceof java.security.interfaces.RSAPublicKey)) { + + RSAPublicKey rsaPubKeySignature = (RSAPublicKey) pubKeySignature; + RSAPublicKey rsakey = (RSAPublicKey) pubKeysIdentityLink[i]; + + if (rsakey.getModulus().equals(rsaPubKeySignature.getModulus()) + && rsakey.getPublicExponent().equals(rsaPubKeySignature.getPublicExponent())) + found = true; + } + + //compare ECDSAPublicKeys + if( ( (idlPubKey instanceof java.security.interfaces.ECPublicKey) || + (idlPubKey instanceof ECPublicKey)) && + ( (pubKeySignature instanceof java.security.interfaces.ECPublicKey) || + (pubKeySignature instanceof ECPublicKey) ) ) { + + try { + ECPublicKey ecdsaPubKeySignature = new ECPublicKey(pubKeySignature.getEncoded()); + ECPublicKey ecdsakey = new ECPublicKey(pubKeysIdentityLink[i].getEncoded()); + + if(ecdsakey.equals(ecdsaPubKeySignature)) + found = true; + + } catch (InvalidKeyException e) { + Logger.warn("ECPublicKey can not parsed into a iaik.ECPublicKey", e); + throw new ValidateException("validator.09", null); + } + + + + } + +// Logger.debug("IDL-Pubkey=" + idl.getPublicKey()[i].getClass().getName() +// + " Resp-Pubkey=" + pubKeySignature.getClass().getName()); + + } + + if (!found) { + + throw new ValidateException("validator.09", null); + + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 9d585bc86..05bb16d0d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -63,6 +63,7 @@ public class AssertionAttributeExtractor { PVPConstants.EID_SOURCE_PIN_NAME, PVPConstants.EID_SOURCE_PIN_TYPE_NAME); + /** * Parse the SAML2 Response element and extracts included information *

@@ -81,36 +82,25 @@ public class AssertionAttributeExtractor { Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); assertion = assertions.get(0); - - if (assertion.getAttributeStatements() != null && - assertion.getAttributeStatements().size() > 0) { - AttributeStatement attrStat = assertion.getAttributeStatements().get(0); - for (Attribute attr : attrStat.getAttributes()) { - if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { - List storkAttrValues = new ArrayList(); - for (XMLObject el : attr.getAttributeValues()) - storkAttrValues.add(el.getDOM().getTextContent()); - -// PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), -// false, storkAttrValues , "Available"); -// storkAttributes.put(attr.getName(), storkAttr ); - - } else { - List attrList = new ArrayList(); - for (XMLObject el : attr.getAttributeValues()) - attrList.add(el.getDOM().getTextContent()); - - attributs.put(attr.getName(), attrList); - - } - } - - } - + internalInitialize(); + } else - throw new AssertionAttributeExtractorExeption(); + throw new AssertionAttributeExtractorExeption(); } - + + /** + * Parse the SAML2 Assertion element and extracts included information + *

+ * + * @param assertion SAML2 Assertion + * @throws AssertionAttributeExtractorExeption + */ + public AssertionAttributeExtractor(Assertion assertion) throws AssertionAttributeExtractorExeption { + this.assertion = assertion; + internalInitialize(); + + } + /** * Get all SAML2 attributes from first SAML2 AttributeStatement element * @@ -274,7 +264,30 @@ public class AssertionAttributeExtractor { } - return getFullAssertion().getConditions().getNotOnOrAfter().toDate(); + try { + return getFullAssertion().getConditions().getNotOnOrAfter().toDate(); + + } catch (NullPointerException e) { + return null; + + } + } + + /** + * Get the Assertion validFrom period + * + * This method returns value of SAML 'Conditions' element. + * + * @return Date, after this SAML2 assertion is valid, otherwise null + */ + public Date getAssertionNotBefore() { + try { + return getFullAssertion().getConditions().getNotBefore().toDate(); + + } catch (NullPointerException e) { + return null; + + } } @@ -288,5 +301,32 @@ public class AssertionAttributeExtractor { return authnList.get(0); } + + private void internalInitialize() { + internalInitialize(); + if (assertion.getAttributeStatements() != null && + assertion.getAttributeStatements().size() > 0) { + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + List storkAttrValues = new ArrayList(); + for (XMLObject el : attr.getAttributeValues()) + storkAttrValues.add(el.getDOM().getTextContent()); + +// PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), +// false, storkAttrValues , "Available"); +// storkAttributes.put(attr.getName(), storkAttr ); + + } else { + List attrList = new ArrayList(); + for (XMLObject el : attr.getAttributeValues()) + attrList.add(el.getDOM().getTextContent()); + + attributs.put(attr.getName(), attrList); + + } + } + } + } } -- cgit v1.2.3 From ecf9de84e76dde785ced8c1632c7909d1d57f94a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 30 May 2018 14:36:39 +0200 Subject: add error handling and some more validation to SL2.0 module --- .../pvp2x/utils/AssertionAttributeExtractor.java | 6 ++++++ .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 21 +++++++++++++++++++++ .../metadata/SchemaValidationFilter.java | 11 ++--------- .../resources/properties/id_messages_de.properties | 3 ++- .../protocol_response_statuscodes_de.properties | 4 ++++ 5 files changed, 35 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 05bb16d0d..5b1d952ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -196,6 +196,12 @@ public class AssertionAttributeExtractor { // } + public String getAssertionID() { + return assertion.getID(); + + } + + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { Subject subject = assertion.getSubject(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 28a85b4af..da4b54a5a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -31,9 +31,13 @@ import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; import org.opensaml.Configuration; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.AssertionConsumerService; @@ -47,6 +51,7 @@ import org.opensaml.xml.io.MarshallingException; import org.w3c.dom.Document; import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; public class SAML2Utils { @@ -142,4 +147,20 @@ public class SAML2Utils { return envelope; } + + public static void schemeValidation(XMLObject xmlObject) throws Exception { + try { + Schema test = SAMLSchemaBuilder.getSAML11Schema(); + Validator val = test.newValidator(); + DOMSource source = new DOMSource(xmlObject.getDOM()); + val.validate(source); + Logger.debug("SAML2 Scheme validation successful"); + return; + + } catch (Exception e) { + Logger.warn("SAML2 scheme validation FAILED.", e); + throw e; + + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index 83a2b61d2..489d2fb4a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -22,11 +22,6 @@ */ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; import org.xml.sax.SAXException; @@ -34,6 +29,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; /** @@ -71,10 +67,7 @@ public class SchemaValidationFilter implements MetadataFilter { if (isActive) { try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - DOMSource source = new DOMSource(arg0.getDOM()); - val.validate(source); + SAML2Utils.schemeValidation(arg0); Logger.info("Metadata Schema validation check done OK"); return; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 9cc4b0b5e..84fd93773 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -344,4 +344,5 @@ sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0} sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer. sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}. sl20.06=Http transport-binding error. Reason: {0} - +sl20.07=Fehler beim Validieren der eID information. Type: {0} Reason: {1} +sl20.08=SL2.0 Teilnehmer antwortet mit einem Fehler. Code: {0} Reason: {1} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 6de581cae..d77ea437b 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -258,6 +258,10 @@ sl20.01=14000 sl20.02=14001 sl20.03=14800 sl20.04=14001 +sl20.05=xxxxx +sl20.06=xxxxx +sl20.07=xxxxx +sl20.08=xxxxx ##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes mis.301=1005 -- cgit v1.2.3 From 709197ce12c5502f86e16da1167b97ca318f47fa Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 5 Jun 2018 10:44:40 +0200 Subject: implement user restriction based on whitelisting --- .../internal/tasks/UserRestrictionTask.java | 85 ++++++++++++++++++++++ .../id/config/auth/data/UserWhitelistStore.java | 73 +++++++++++++++++++ .../main/resources/moaid.authentication.beans.xml | 9 ++- .../resources/properties/id_messages_de.properties | 2 + .../protocol_response_statuscodes_de.properties | 2 + 5 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java new file mode 100644 index 000000000..4853a5ab6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java @@ -0,0 +1,85 @@ +package at.gv.egovernment.moa.id.auth.modules.internal.tasks; + +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore; +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class UserRestrictionTask extends AbstractAuthServletTask { + + public static final String CONFIG_PROPS_SP_LIST = "configuration.restrictions.sp.entityIds"; + public static final String CONFIG_PROPS_CSV_USER_FILE = "configuration.restrictions.sp.users.url"; + public static final String CONFIG_PROPS_CSV_USER_SECTOR = "configuration.restrictions.sp.users.sector"; + + @Autowired(required=true) UserWhitelistStore whitelist; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + String spEntityId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix(); + List restrictedSPs = KeyValueUtils.getListOfCSVValues(authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_SP_LIST)); + if (restrictedSPs.contains(spEntityId)) { + Logger.debug("SP:" + spEntityId + " has a user restrication. Check users bPK ... "); + defaultTaskInitialization(request, executionContext);; + + //check if user idl is already loaded + if (moasession.getIdentityLink() == null) { + Logger.warn("PendingRequest contains NO IdentityLink. User restrictation NOT possible!"); + throw new MOAIDException("process.03", null); + + } + + //calculate whitelist bPK for current user + String bpkTarget = authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_CSV_USER_SECTOR); + if (MiscUtil.isEmpty(bpkTarget)) { + Logger.info("NO bPK sector for user whitelist in configuration"); + throw new MOAIDException("config.05", new Object[] {CONFIG_PROPS_CSV_USER_SECTOR}); + + } + + Pair pseudonym = new BPKBuilder().generateAreaSpecificPersonIdentifier( + moasession.getIdentityLink().getIdentificationValue(), + moasession.getIdentityLink().getIdentificationType(), + bpkTarget); + + + //check if user's bPK is whitelisted + if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) { + Logger.info("User's bPK is not whitelisted. Authentication process stops ..."); + Logger.trace("User's bPK: " + pseudonym.getFirst()); + throw new MOAIDException("auth.35", null); + + } + + Logger.debug("User was found in whitelist. Continue authentication process ... "); + + } else + Logger.trace("SP: " + spEntityId + " has no user restrication."); + + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (Exception e) { + Logger.warn("RestartAuthProzessManagement has an internal error", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java new file mode 100644 index 000000000..a300739b3 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java @@ -0,0 +1,73 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.net.URISyntaxException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; + +import javax.annotation.PostConstruct; + +import org.apache.commons.io.IOUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moaspss.logging.Logger; + +@Service("UserWhiteList_Store") +public class UserWhitelistStore { + + @Autowired(required=true) AuthConfiguration authConfig; + + private List whitelist = new ArrayList(); + + @PostConstruct + private void initialize() { + String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE); + if (MiscUtil.isEmpty(whiteListUrl)) + Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file."); + + else { + String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()); + try { + InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); + String whiteListString = IOUtils.toString(new InputStreamReader(is)); + whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString)); + Logger.info("User whitelist is initialized with " + whitelist.size() + " entries."); + + } catch (FileNotFoundException e) { + Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e); + + } catch (IOException e) { + Logger.warn("Do not initialize user whitelist. Reason: CSV file is NOT readable", e); + + } catch (URISyntaxException e) { + Logger.warn("Do not initialize user whitelist. Reason: CSV file looks wrong", e); + + } + + } + + } + + /** + * Check if bPK is in whitelist + * + * @param bPK + * @return true if bPK is in whitelist, otherwise false + */ + public boolean isUserbPKInWhitelist(String bPK) { + return whitelist.contains(bPK); + + } +} diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml index ba8c47304..dc3022ab4 100644 --- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml @@ -42,6 +42,9 @@ + + + scope="prototype"/> + + Date: Tue, 5 Jun 2018 10:46:09 +0200 Subject: update moa-sig to 3.1.2 to get signing time in XML signature verification result --- .../auth/invoke/SignatureVerificationInvoker.java | 77 ++++++++++------------ .../parser/VerifyXMLSignatureResponseParser.java | 20 ++++-- 2 files changed, 52 insertions(+), 45 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java index d5ca89656..d2d39e9e6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java @@ -52,10 +52,7 @@ import org.w3c.dom.Document; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.exception.ServiceException; -import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.SignatureVerificationService; import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; @@ -64,7 +61,6 @@ import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser; import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.Logger; /** @@ -93,22 +89,22 @@ public class SignatureVerificationInvoker { } private SignatureVerificationInvoker() { - try { - AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance(); - ConnectionParameterInterface authConnParam = authConfigProvider.getMoaSpConnectionParameter(); +// try { +// AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance(); +// ConnectionParameterInterface authConnParam = authConfigProvider.getMoaSpConnectionParameter(); - if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) { - - - } else { +// if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) { +// +// +// } else { svs = SignatureVerificationService.getInstance(); - } +// } - } catch (ConfigurationException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } +// } catch (ConfigurationException e) { +// // TODO Auto-generated catch block +// e.printStackTrace(); +// } } @@ -144,35 +140,34 @@ public class SignatureVerificationInvoker { protected Element doCall(QName serviceName, Element request) throws ServiceException { ConnectionParameterInterface authConnParam = null; try { - AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance(); - authConnParam = authConfigProvider.getMoaSpConnectionParameter(); - //If the ConnectionParameter do NOT exist, we try to get the api to work.... - if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) { - - throw new ServiceException("service.00", new Object[]{"MOA-SP connection via Web-Service is not allowed any more!!!!!!"}); -// Service service = ServiceFactory.newInstance().createService(serviceName); -// Call call = service.createCall(); -// SOAPBodyElement body = new SOAPBodyElement(request); -// SOAPBodyElement[] params = new SOAPBodyElement[] { body }; -// Vector responses; -// SOAPBodyElement response; +// AuthConfiguration authConfigProvider = AuthConfigurationProviderFactory.getInstance(); +// authConnParam = authConfigProvider.getMoaSpConnectionParameter(); +// //If the ConnectionParameter do NOT exist, we try to get the api to work.... +// if (authConnParam != null && MiscUtil.isNotEmpty(authConnParam.getUrl())) { // -// Logger.debug("Connecting using auth url: " + authConnParam.getUrl() + ", service " + serviceName.getNamespaceURI() + " : " + serviceName.getLocalPart() + " : "+ serviceName.getPrefix()); -// call.setTargetEndpointAddress(authConnParam.getUrl()); -// responses = (Vector) call.invoke(serviceName, params); -// Logger.debug("Got responses: " + responses.size()); // TODO handle axis 302 response when incorrect service url is used -// response = (SOAPBodyElement) responses.get(0); -// return response.getAsDOM(); - } - else { - VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(request); - +// throw new ServiceException("service.00", new Object[]{"MOA-SP connection via Web-Service is not allowed any more!!!!!!"}); +//// Service service = ServiceFactory.newInstance().createService(serviceName); +//// Call call = service.createCall(); +//// SOAPBodyElement body = new SOAPBodyElement(request); +//// SOAPBodyElement[] params = new SOAPBodyElement[] { body }; +//// Vector responses; +//// SOAPBodyElement response; +//// +//// Logger.debug("Connecting using auth url: " + authConnParam.getUrl() + ", service " + serviceName.getNamespaceURI() + " : " + serviceName.getLocalPart() + " : "+ serviceName.getPrefix()); +//// call.setTargetEndpointAddress(authConnParam.getUrl()); +//// responses = (Vector) call.invoke(serviceName, params); +//// Logger.debug("Got responses: " + responses.size()); // TODO handle axis 302 response when incorrect service url is used +//// response = (SOAPBodyElement) responses.get(0); +//// return response.getAsDOM(); +// } +// else { + VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(request); VerifyXMLSignatureResponse vsresponse = svs.verifyXMLSignature(vsrequest); - Document result = new VerifyXMLSignatureResponseBuilder().build(vsresponse); - + Document result = new VerifyXMLSignatureResponseBuilder(true).build(vsresponse); + //Logger.setHierarchy("moa.id.auth"); return result.getDocumentElement(); - } +// } } catch (Exception ex) { if (authConnParam != null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java index b54a43fff..0fba2d3f6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java @@ -46,12 +46,11 @@ package at.gv.egovernment.moa.id.auth.parser; -import iaik.utils.Base64InputStream; -import iaik.x509.X509Certificate; - import java.io.ByteArrayInputStream; import java.io.InputStream; +import org.joda.time.DateTime; +import org.joda.time.format.ISODateTimeFormat; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; @@ -59,7 +58,10 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.XPathUtils; +import iaik.utils.Base64InputStream; +import iaik.x509.X509Certificate; /** * Parses a <VerifyXMLSignatureResponse> returned by @@ -115,6 +117,9 @@ public class VerifyXMLSignatureResponseParser { private static final String CERTIFICATE_CHECK_CODE_XPATH = ROOT + MOA + "CertificateCheck/" + MOA + "Code"; + private static final String SIGNING_TIME_XPATH = + ROOT + MOA + "SigningTime"; + /** This is the root element of the XML-Document provided by the Security Layer Card*/ private Element verifyXMLSignatureResponse; @@ -200,7 +205,14 @@ public class VerifyXMLSignatureResponseParser { if (signatureManifestCheckCode != null) { respData.setSignatureManifestCheckCode(new Integer(signatureManifestCheckCode).intValue()); } - respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue()); + respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue()); + + String signingTimeElement = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNING_TIME_XPATH,""); + if (MiscUtil.isNotEmpty(signingTimeElement)) { + DateTime datetime = ISODateTimeFormat.dateTimeNoMillis().parseDateTime(signingTimeElement); + respData.setSigningDateTime(datetime.toDate()); + + } } catch (Throwable t) { throw new ParseException("parser.01", null, t); -- cgit v1.2.3 From cd5cef47db73c85cbb2defdec3b283655fdc859b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 5 Jun 2018 10:46:41 +0200 Subject: update SL20 implementation --- .../validator/VerifyXMLSignatureResponseValidator.java | 7 ++++--- .../moa/id/moduls/AuthenticationManager.java | 18 +++++++++++------- .../pvp2x/utils/AssertionAttributeExtractor.java | 1 - 3 files changed, 15 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 832aa58c6..407454c2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -57,12 +57,12 @@ import java.util.Set; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.logging.Logger; import iaik.asn1.structures.Name; import iaik.security.ec.common.ECPublicKey; @@ -113,7 +113,8 @@ public class VerifyXMLSignatureResponseValidator { public void validate(IVerifiyXMLSignatureResponse verifyXMLSignatureResponse, List identityLinkSignersSubjectDNNames, String whatToCheck, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + AuthConfiguration authConfig) throws ValidateException, ConfigurationException { if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) @@ -140,7 +141,7 @@ public class VerifyXMLSignatureResponseValidator { } //check QC - if (AuthConfigurationProviderFactory.getInstance().isCertifiacteQCActive() && + if (authConfig.isCertifiacteQCActive() && !whatToCheck.equals(CHECK_IDENTITY_LINK) && !verifyXMLSignatureResponse.isQualifiedCertificate()) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index a24683545..e093ce1e2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -317,9 +317,10 @@ public class AuthenticationManager extends MOAIDAuthConstants { * @param httpReqParam http parameter name, but never null */ public void addParameterNameToWhiteList(String httpReqParam) { - if (MiscUtil.isNotEmpty(httpReqParam)) - reqParameterWhiteListeForModules.add(httpReqParam); - + if (MiscUtil.isNotEmpty(httpReqParam)) { + if (!reqParameterWhiteListeForModules.contains(httpReqParam)) + reqParameterWhiteListeForModules.add(httpReqParam); + } } /** @@ -328,8 +329,11 @@ public class AuthenticationManager extends MOAIDAuthConstants { * @param httpReqParam http header name, but never null */ public void addHeaderNameToWhiteList(String httpReqParam) { - if (MiscUtil.isNotEmpty(httpReqParam)) - reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase()); + if (MiscUtil.isNotEmpty(httpReqParam)) { + if (!reqHeaderWhiteListeForModules.contains(httpReqParam.toLowerCase())) + reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase()); + + } } @@ -439,8 +443,8 @@ public class AuthenticationManager extends MOAIDAuthConstants { while(reqHeaderNames.hasMoreElements()) { String paramName = reqHeaderNames.nextElement(); if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) { - executionContext.put(paramName, - StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName))); + executionContext.put(paramName.toLowerCase(), + StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName.toLowerCase()))); } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 5b1d952ff..4a0cec6e4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -309,7 +309,6 @@ public class AssertionAttributeExtractor { } private void internalInitialize() { - internalInitialize(); if (assertion.getAttributeStatements() != null && assertion.getAttributeStatements().size() > 0) { AttributeStatement attrStat = assertion.getAttributeStatements().get(0); -- cgit v1.2.3 From a06f94c9da130af5cf755b7d6465c8905d37d75b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 5 Jun 2018 15:05:50 +0200 Subject: add one method to AssertionAttributeExtractor and add some log messages --- .../pvp2x/utils/AssertionAttributeExtractor.java | 57 +++++++++++++++++++--- 1 file changed, 50 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 4a0cec6e4..bdfb11d34 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -34,6 +34,8 @@ import java.util.Set; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; +import org.opensaml.saml2.core.Audience; +import org.opensaml.saml2.core.AudienceRestriction; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; @@ -191,17 +193,22 @@ public class AssertionAttributeExtractor { } -// public PersonalAttributeList getSTORKAttributes() { -// return storkAttributes; -// } - - + /** + * Get the Id attribute from SAML2 assertion + * + * @return + */ public String getAssertionID() { return assertion.getID(); } - + /** + * Get the subjectNameId from SAML2 Assertion + * + * @return nameId but never null + * @throws AssertionAttributeExtractorExeption + */ public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { Subject subject = assertion.getSubject(); @@ -218,6 +225,12 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("nameID"); } + /** + * Get get SessionIndex from SAML2 assertion + * + * @return sessionIndex but never null + * @throws AssertionAttributeExtractorExeption + */ public String getSessionIndex() throws AssertionAttributeExtractorExeption { AuthnStatement authn = getAuthnStatement(); @@ -229,7 +242,9 @@ public class AssertionAttributeExtractor { } /** - * @return + * Get the LoA (QAA level) from assertion. This information is extracted from AuthnContext and AuthnContextClassRef + * + * @return LoA but never null * @throws AssertionAttributeExtractorExeption */ public String getQAALevel() throws AssertionAttributeExtractorExeption { @@ -247,6 +262,11 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); } + /** + * Get full SAML2 assertion + * + * @return + */ public Assertion getFullAssertion() { return assertion; } @@ -297,6 +317,29 @@ public class AssertionAttributeExtractor { } + /** + * Get the AudienceRestriction from SAML2 Assertion + * + * @return AudienceRestriction, but never null + * @throws AssertionAttributeExtractorExeption + */ + public List getAudienceRestriction( ) throws AssertionAttributeExtractorExeption { + try { + List rest = getFullAssertion().getConditions().getAudienceRestrictions(); + if (rest != null && rest.size() != 0) { + if (rest.size() == 1 && rest.get(0) != null) + return rest.get(0).getAudiences(); + + else + Logger.warn("More than one 'AudienceRestriction'! Extraction currently NOT supported"); + } + + } catch (NullPointerException e) { } + + throw new AssertionAttributeExtractorExeption("AudienceRestriction"); + + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) -- cgit v1.2.3 From ac21c6be50070c34dd20abe07e0f95ff33751804 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Jun 2018 11:22:25 +0200 Subject: refactor user whitelist to allow list updates without restarting the IDP --- .../internal/tasks/UserRestrictionTask.java | 2 +- .../id/config/auth/data/UserWhitelistStore.java | 27 +++++++++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java index 4853a5ab6..5d0580464 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java @@ -58,7 +58,7 @@ public class UserRestrictionTask extends AbstractAuthServletTask { //check if user's bPK is whitelisted - if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) { + if (!whitelist.isUserbPKInWhitelistDynamic(pseudonym.getFirst())) { Logger.info("User's bPK is not whitelisted. Authentication process stops ..."); Logger.trace("User's bPK: " + pseudonym.getFirst()); throw new MOAIDException("auth.35", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java index a300739b3..71bd0f3c0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java @@ -30,6 +30,7 @@ public class UserWhitelistStore { @Autowired(required=true) AuthConfiguration authConfig; private List whitelist = new ArrayList(); + private String absWhiteListUrl = null; @PostConstruct private void initialize() { @@ -38,7 +39,7 @@ public class UserWhitelistStore { Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file."); else { - String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()); + absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()); try { InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); String whiteListString = IOUtils.toString(new InputStreamReader(is)); @@ -70,4 +71,28 @@ public class UserWhitelistStore { return whitelist.contains(bPK); } + + public boolean isUserbPKInWhitelistDynamic(String bPK) { + try { + if (absWhiteListUrl != null) { + InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); + String whiteListString = IOUtils.toString(new InputStreamReader(is)); + if (whiteListString != null && whiteListString.contains(bPK)) { + Logger.trace("Find user with dynamic whitelist check"); + return true; + + } else { + Logger.debug("Can NOT find user in dynamic loaded user whitelist. Switch to static version ... "); + return isUserbPKInWhitelist(bPK); + } + + } + } catch (Exception e) { + Logger.warn("Dynamic user whitelist check FAILED. Switch to static version ... ", e); + + } + + return isUserbPKInWhitelist(bPK); + } + } -- cgit v1.2.3 From ad02267b4f5c7e21cc929dd3d322771da087b0db Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Jun 2018 14:13:38 +0200 Subject: return checkcode false if no whitelist was loaded --- .../gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java index 71bd0f3c0..38bcfa2af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java @@ -67,8 +67,11 @@ public class UserWhitelistStore { * @param bPK * @return true if bPK is in whitelist, otherwise false */ - public boolean isUserbPKInWhitelist(String bPK) { - return whitelist.contains(bPK); + public boolean isUserbPKInWhitelist(String bPK) { + if (whitelist != null) + return whitelist.contains(bPK); + else + return false; } -- cgit v1.2.3 From ea49cd41d7ae571f8156f7b2ac02c9e2a6f86ca6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 11 Jun 2018 20:08:41 +0200 Subject: add jUnit for user-restrication whitelist-store --- .../id/config/auth/data/UserWhitelistStore.java | 40 ++- .../moa/id/config/auth/data/DummyAuthConfig.java | 387 +++++++++++++++++++++ .../auth/data/UserRestrictionWhiteListTest.java | 136 ++++++++ .../src/test/resources/BPK-Whitelist_20180607.csv | 10 + .../SpringTest-context_basic_user_whitelist.xml | 18 + 5 files changed, 588 insertions(+), 3 deletions(-) create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java create mode 100644 id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv create mode 100644 id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java index 38bcfa2af..a90d71a18 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java @@ -43,8 +43,24 @@ public class UserWhitelistStore { try { InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); String whiteListString = IOUtils.toString(new InputStreamReader(is)); - whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString)); + List preWhitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString)); + + //remove prefix if required + for (String bPK : preWhitelist) { + String[] bPKSplit = bPK.split(":"); + if (bPKSplit.length == 1) + whitelist.add(bPK); + + else if (bPKSplit.length ==2 ) + whitelist.add(bPKSplit[1]); + + else + Logger.info("Whitelist entry: " + bPK + " has an unsupported format. Entry will be removed ..."); + + } + Logger.info("User whitelist is initialized with " + whitelist.size() + " entries."); + } catch (FileNotFoundException e) { Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e); @@ -61,6 +77,15 @@ public class UserWhitelistStore { } + /** + * Get the number of entries of the static whitelist + * + * @return + */ + public int getNumberOfEntries() { + return whitelist.size(); + } + /** * Check if bPK is in whitelist * @@ -76,6 +101,11 @@ public class UserWhitelistStore { } public boolean isUserbPKInWhitelistDynamic(String bPK) { + return isUserbPKInWhitelistDynamic(bPK, false); + + } + + public boolean isUserbPKInWhitelistDynamic(String bPK, boolean onlyDynamic) { try { if (absWhiteListUrl != null) { InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); @@ -86,7 +116,8 @@ public class UserWhitelistStore { } else { Logger.debug("Can NOT find user in dynamic loaded user whitelist. Switch to static version ... "); - return isUserbPKInWhitelist(bPK); + if (!onlyDynamic) + return isUserbPKInWhitelist(bPK); } } @@ -94,8 +125,11 @@ public class UserWhitelistStore { Logger.warn("Dynamic user whitelist check FAILED. Switch to static version ... ", e); } + if (!onlyDynamic) + return isUserbPKInWhitelist(bPK); - return isUserbPKInWhitelist(bPK); + + return false; } } diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java new file mode 100644 index 000000000..d72e2f28c --- /dev/null +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -0,0 +1,387 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.IOException; +import java.util.List; +import java.util.Map; +import java.util.Properties; + +import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IStorkConfig; +import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.util.config.EgovUtilPropertiesConfiguration; + +public class DummyAuthConfig implements AuthConfiguration { + + @Override + public String getRootConfigFileDir() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getDefaultChainingMode() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getTrustedCACertificates() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isTrustmanagerrevoationchecking() { + // TODO Auto-generated method stub + return false; + } + + @Override + public String[] getActiveProfiles() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Properties getGeneralPVP2ProperiesConfig() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Properties getGeneralOAuth20ProperiesConfig() { + // TODO Auto-generated method stub + return null; + } + + @Override + public ProtocolAllowed getAllowedProtocols() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Map getConfigurationWithPrefix(String Prefix) { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getConfigurationWithKey(String key) { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getBasicMOAIDConfiguration(String key) { + if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE.equals(key)) { + String current; + try { + current = new java.io.File( "." ).getCanonicalPath(); + return "file:" + current + "/src/test/resources/BPK-Whitelist_20180607.csv"; + } catch (IOException e) { + e.printStackTrace(); + } + } + + return null; + } + + @Override + public String getBasicMOAIDConfiguration(String key, String defaultValue) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Map getBasicMOAIDConfigurationWithPrefix(String prefix) { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getTransactionTimeOut() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public int getSSOCreatedTimeOut() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public int getSSOUpdatedTimeOut() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getAlternativeSourceID() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getLegacyAllowedProtocols() { + // TODO Auto-generated method stub + return null; + } + + @Override + public IOAAuthParameters getOnlineApplicationParameter(String oaURL) { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMoaSpAuthBlockTrustProfileID(boolean useTestTrustStore) throws ConfigurationException { + if (useTestTrustStore) + return "MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten"; + else + return "MOAIDBuergerkarteAuthentisierungsDaten"; + } + + @Override + public List getMoaSpAuthBlockVerifyTransformsInfoIDs() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public ConnectionParameterInterface getMoaSpConnectionParameter() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public ConnectionParameterInterface getForeignIDConnectionParameter(IOAAuthParameters oaParameters) + throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public ConnectionParameterInterface getOnlineMandatesConnectionParameter(IOAAuthParameters oaParameters) + throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMoaSpIdentityLinkTrustProfileID(boolean useTestTrustStore) throws ConfigurationException { + if (useTestTrustStore) + return "MOAIDBuergerkartePersonenbindungMitTestkarten"; + else + return "MOAIDBuergerkartePersonenbindung"; + } + + @Override + public List getTransformsInfos() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getIdentityLinkX509SubjectNames() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getSLRequestTemplates() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getSLRequestTemplates(String type) throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getDefaultBKUURLs() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getDefaultBKUURL(String type) throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getSSOTagetIdentifier() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getSSOFriendlyName() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getSSOSpecialText() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMOASessionEncryptionKey() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMOAConfigurationEncryptionKey() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isIdentityLinkResigning() { + // TODO Auto-generated method stub + return false; + } + + @Override + public String getIdentityLinkResigningKey() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isMonitoringActive() { + // TODO Auto-generated method stub + return false; + } + + @Override + public String getMonitoringTestIdentityLinkURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMonitoringMessageSuccess() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isAdvancedLoggingActive() { + // TODO Auto-generated method stub + return false; + } + + @Override + public List getPublicURLPrefix() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isVirtualIDPsEnabled() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isPVP2AssertionEncryptionActive() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isCertifiacteQCActive() { + return true; + } + + @Override + public IStorkConfig getStorkConfig() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public EgovUtilPropertiesConfiguration geteGovUtilsConfig() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getDocumentServiceUrl() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isStorkFakeIdLActive() { + // TODO Auto-generated method stub + return false; + } + + @Override + public List getStorkFakeIdLCountries() { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getStorkNoSignatureCountries() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getStorkFakeIdLResigningKey() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isPVPSchemaValidationActive() { + // TODO Auto-generated method stub + return false; + } + + @Override + public Map getConfigurationWithWildCard(String key) { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getDefaultRevisionsLogEventCodes() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isHTTPAuthAllowed() { + // TODO Auto-generated method stub + return false; + } + + @Override + public String[] getRevocationMethodOrder() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean getBasicMOAIDConfigurationBoolean(String key, boolean defaultValue) { + // TODO Auto-generated method stub + return false; + } + +} diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java new file mode 100644 index 000000000..71956990e --- /dev/null +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java @@ -0,0 +1,136 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.IOException; +import java.io.InputStreamReader; + +import org.apache.commons.io.IOUtils; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.xml.ConfigurationException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/SpringTest-context_basic_user_whitelist.xml") +public class UserRestrictionWhiteListTest { + + @Autowired(required=true) UserWhitelistStore whitelistStore; + + private static String bPK_1 = "/7eNkLgqP71U8dBwa0lSI8/2EFY="; + private static String bPK_2 = "gr88V4oH5KLlurBCcCAbKJNMF18="; + private static String bPK_3 = "0Fq3KqgYTbK8MsxymLe7tbuXhpA="; + private static String bPK_4 = "JWiLzwktCITGg+ztRKEAwWloSNM="; + + private static String bPK_5 = "JWiLzwktCIXXX+ztRKEAwWloSNM="; + private static String bPK_6 = "WtHxBxLqOThNU9YF8fzXXXcZLBs="; + + @Test + public void checkNumberOfEntries() throws Exception { + if (whitelistStore.getNumberOfEntries() != 12) + throw new Exception("Number of entries not valid"); + + } + + + @Test + public void checkEntry_1() throws Exception { + String bPK = bPK_1; + if (!whitelistStore.isUserbPKInWhitelist(bPK)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntryDynamic_1() throws Exception { + String bPK = bPK_1; + if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntry_2() throws Exception { + String bPK = bPK_2; + if (!whitelistStore.isUserbPKInWhitelist(bPK)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntryDynamic_2() throws Exception { + String bPK = bPK_2; + if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + + @Test + public void checkEntry_3() throws Exception { + String bPK = bPK_3; + if (!whitelistStore.isUserbPKInWhitelist(bPK)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntryDynamic_3() throws Exception { + String bPK = bPK_3; + if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntry_4() throws Exception { + String bPK = bPK_4; + if (!whitelistStore.isUserbPKInWhitelist(bPK)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntryDynamic_4() throws Exception { + String bPK = bPK_4; + if (!whitelistStore.isUserbPKInWhitelistDynamic(bPK, true)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntry_5() throws Exception { + String bPK = bPK_5; + if (whitelistStore.isUserbPKInWhitelist(bPK)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntryDynamic_5() throws Exception { + String bPK = bPK_5; + if (whitelistStore.isUserbPKInWhitelistDynamic(bPK, true)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntry_6() throws Exception { + String bPK = bPK_6; + if (whitelistStore.isUserbPKInWhitelist(bPK)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + @Test + public void checkEntryDynamic_6() throws Exception { + String bPK = bPK_6; + if (whitelistStore.isUserbPKInWhitelistDynamic(bPK, true)) + throw new Exception("bPK: " + bPK + " is NOT found in whitelist"); + + } + + +} diff --git a/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv new file mode 100644 index 000000000..099fc0f7e --- /dev/null +++ b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv @@ -0,0 +1,10 @@ +/7eNkLgqP71U8dBwa0lSI8/2EFY=,ZP-MH:xm1zT43aGLfTRLnDsxYoFk3XwDU=,ZP-MH:gr88V4oH5KLlurBCcCAbKJNMF18=, +ZP-MH:LvrdIGoL4MXTjy7EJgPhoz3koL4=, +ZP-MH:EcILNYQIZ4qfhLlZFzHivCu0Hfc=, +ZP-MH:WtHxBxLqOThNU9YF8fzyvXcZLBs=, +ZP-MH:0Fq3KqgYTbK8MsxymLe7tbuXhpA=, +ZP-MH:DJ6nGg2JgcPH768BhqTNXVsGhOY=, +JWiLzwktCITGg+ztRKEAwWloSNM=, +ZP-MH:+cyQbhr1fQ8hLhazL62tFRq47iY=, +ZP-MH:AFmfywfYPHcl2Lxp138upielmrs=, +ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0= diff --git a/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml new file mode 100644 index 000000000..85788714a --- /dev/null +++ b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml @@ -0,0 +1,18 @@ + + + + + + + + -- cgit v1.2.3 From b53d2f387282b731ea72806ec7d410a1c27a878d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 12 Jun 2018 06:25:41 +0200 Subject: add foreign bPK generation into AuthenticationDataBuilder --- .../id/auth/builder/AuthenticationDataBuilder.java | 87 +++++++++++++++++++++- .../moa/id/auth/builder/BPKBuilder.java | 26 +++++-- .../parser/VerifyXMLSignatureResponseParser.java | 2 +- .../moa/id/config/auth/OAAuthParameter.java | 14 +++- .../config/auth/data/DynamicOAAuthParameters.java | 6 ++ .../moa/id/data/AuthenticationData.java | 2 + .../attributes/EncryptedBPKAttributeBuilder.java | 2 +- 7 files changed, 128 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index b93de5119..91159ad4e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -30,9 +30,13 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Date; +import java.util.HashMap; import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import javax.annotation.PostConstruct; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; @@ -102,12 +106,32 @@ import iaik.x509.X509Certificate; @Service("AuthenticationDataBuilder") public class AuthenticationDataBuilder extends MOAIDAuthConstants { + private static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey"; + @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + private Map encKeyMap = new HashMap(); + + @PostConstruct + private void initialize() { + Map pubKeyMap = authConfig.getBasicMOAIDConfigurationWithPrefix(CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS); + for (Entry el : pubKeyMap.entrySet()) { + try { + encKeyMap.put(el.getKey(), new X509Certificate(Base64Utils.decode(el.getValue(), false))); + Logger.info("Load foreign bPK encryption certificate for sector: " + el.getKey()); + + } catch (Exception e) { + Logger.warn("Can NOT load foreign bPK encryption certificate for sector: \" + el.getKey()", e); + + } + + } + } + public IAuthData buildAuthenticationData(IRequest pendingReq, IAuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { @@ -648,7 +672,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { Logger.info("Can NOT set Organwalter IdentityLink. Msg: No IdentityLink found"); - //set bPK and IdenityLink for all other + //set bPK and IdentityLink for all other } else { //build bPK String pvpbPKValue = getbPKValueFromPVPAttribute(session); @@ -724,7 +748,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } - + + //build foreign bPKs + generateForeignbPK(authData, oaParam.foreignbPKSectorsRequested()); + + //build IdentityLink if (identityLink != null) authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, identityLink, authData.getBPK(), authData.getBPKType())); @@ -810,6 +838,61 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } + private void generateForeignbPK(AuthenticationData authData, List foreignSectors) { + if (foreignSectors != null && !foreignSectors.isEmpty()) { + Logger.debug("Sectors for foreign bPKs are configurated. Starting foreign bPK generation ... "); + for (String foreignSector : foreignSectors) { + Logger.trace("Process sector: " + foreignSector + " ... "); + if (encKeyMap.containsKey(foreignSector)) { + try { + String sector = null; + //splitt sector into VKZ and target + if (foreignSector.startsWith("wbpk")) { + Logger.trace("Find foreign private sector " + foreignSector); + sector = Constants.URN_PREFIX + ":" + foreignSector; + + } else { + String[] split = foreignSector.split("+"); + if (split.length != 2) { + Logger.warn("Foreign sector: " + foreignSector + " looks WRONG. IGNORE IT!"); + + } else { + Logger.trace("Find foreign public sector. VKZ: " + split[0] + " Target: " + split[1]); + sector = Constants.URN_PREFIX_CDID + "+" + split[1]; + + } + + } + + if (sector != null) { + Pair bpk = new BPKBuilder().generateAreaSpecificPersonIdentifier( + authData.getIdentificationValue(), + authData.getIdentificationType(), + sector); + String foreignbPK = BPKBuilder.encryptBPK(bpk.getFirst(), bpk.getSecond(), encKeyMap.get(foreignSector).getPublicKey()); + authData.getEncbPKList().add("(" + foreignSector + "|" + foreignbPK + ")"); + Logger.debug("Foreign bPK for sector: " + foreignSector + " created."); + + } + + } catch (Exception e) { + Logger.warn("Foreign bPK generation FAILED for sector: " + foreignSector, e); + + } + + } else { + Logger.info("NO encryption cerfificate FOUND in configuration for sector: " + foreignSector); + Logger.info("Foreign bPK for sector: " + foreignSector + " is NOT possible"); + + } + } + + } else + Logger.debug("No foreign bPKs required for this service provider"); + + } + + /** * Check a bPK-Type against a Service-Provider configuration
* If bPK-Type is null the result is false. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index a7f6e873f..04df32309 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -266,16 +266,21 @@ public class BPKBuilder { public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); + MiscUtil.assertNotNull(target, "sector"); MiscUtil.assertNotNull(publicKey, "publicKey"); - + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); - String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" + if (!target.startsWith(Constants.URN_PREFIX)) { + throw new BuildException("bPK encryption FAILED. bPK target does NOT starts with a valid prefix", null); + + } + + String input = "V1::" + + target + "::" + bpk + "::" + sdf.format(new Date()); - System.out.println(input); + Logger.trace("Foreign bPK: " + input); byte[] result; try { byte[] inputBytes = input.getBytes("ISO-8859-1"); @@ -287,6 +292,17 @@ public class BPKBuilder { } } + + /** + * Currently only works for bPKs!!!! + * + * + * @param encryptedBpk + * @param target + * @param privateKey + * @return + * @throws BuildException + */ public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); MiscUtil.assertNotNull(privateKey, "Private key"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java index 0fba2d3f6..3a0a002e8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java @@ -209,7 +209,7 @@ public class VerifyXMLSignatureResponseParser { String signingTimeElement = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNING_TIME_XPATH,""); if (MiscUtil.isNotEmpty(signingTimeElement)) { - DateTime datetime = ISODateTimeFormat.dateTimeNoMillis().parseDateTime(signingTimeElement); + DateTime datetime = ISODateTimeFormat.dateOptionalTimeParser().parseDateTime(signingTimeElement); respData.setSigningDateTime(datetime.toDate()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 59bd3893d..140ebcfc8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -54,10 +54,8 @@ import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashMap; -import java.util.Iterator; import java.util.List; import java.util.Map; -import java.util.Map.Entry; import java.util.Set; import org.apache.commons.lang.SerializationUtils; @@ -935,4 +933,16 @@ public String toString() { return "Object not initialized"; } + +@Override +public List foreignbPKSectorsRequested() { + String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_FOREIGN); + if (MiscUtil.isNotEmpty(value)) + return KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(value)); + + else + return null; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index f3db82315..31b894604 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -531,5 +531,11 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return false; } + @Override + public List foreignbPKSectorsRequested() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 7f56f519b..4cd9ecd6a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -691,6 +691,8 @@ public class AuthenticationData implements IAuthData, Serializable { * @return the encbPKList */ public List getEncbPKList() { + if (encbPKList == null) + encbPKList = new ArrayList(); return encbPKList; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java index 9dfbe00b2..f5c48b826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -41,7 +41,7 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { if (authData.getEncbPKList() != null && authData.getEncbPKList().size() > 0) { - String value = authData.getEncbPKList().get(0); + String value = "(" + authData.getEncbPKList().get(0) + ")"; for (int i=1; i Date: Tue, 12 Jun 2018 09:20:52 +0200 Subject: add jUnit simple test for AuthDataBuilder and foreign bPK generation --- .../id/auth/builder/AuthenticationDataBuilder.java | 13 +- .../moa/id/auth/builder/BPKBuilder.java | 158 +++-------- .../id/config/auth/data/UserWhitelistStore.java | 39 ++- .../auth/data/AuthenticationDataBuilderTest.java | 85 ++++++ .../moa/id/config/auth/data/DummyAuthConfig.java | 49 +++- .../moa/id/config/auth/data/DummyAuthSession.java | 287 ++++++++++++++++++++ .../moa/id/config/auth/data/DummyAuthStorage.java | 186 +++++++++++++ .../moa/id/config/auth/data/DummyOAConfig.java | 289 +++++++++++++++++++++ .../auth/data/UserRestrictionWhiteListTest.java | 8 +- .../moa/id/module/test/TestRequestImpl.java | 5 +- .../src/test/resources/BPK-Whitelist_20180607.csv | 4 +- .../SpringTest-context_basic_user_whitelist.xml | 11 + 12 files changed, 991 insertions(+), 143 deletions(-) create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java create mode 100644 id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 91159ad4e..afac80df9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -106,13 +106,14 @@ import iaik.x509.X509Certificate; @Service("AuthenticationDataBuilder") public class AuthenticationDataBuilder extends MOAIDAuthConstants { - private static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey"; + public static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey"; + + @Autowired(required=true) private IAuthenticationSessionStoreage authenticatedSessionStorage; + @Autowired(required=true) protected AuthConfiguration authConfig; + @Autowired(required=false) private MOAMetadataProvider metadataProvider; + @Autowired(required=false) private AttributQueryBuilder attributQueryBuilder; + @Autowired(required=false) private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; - @Autowired protected AuthConfiguration authConfig; - @Autowired private AttributQueryBuilder attributQueryBuilder; - @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired(required=true) private MOAMetadataProvider metadataProvider; private Map encKeyMap = new HashMap(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 04df32309..14de65e36 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -149,121 +149,7 @@ public class BPKBuilder { } } } - - - /** - * Builds the storkeid from the given parameters. - * - * @param baseID baseID of the citizen - * @param baseIDType Type of the baseID - * @param sourceCountry CountryCode of that country, which build the eIDAs ID - * @param destinationCountry CountryCode of that country, which receives the eIDAs ID - * - * @return Pair in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - private Pair buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) - throws BuildException { - String bPK = null; - String bPKType = null; - - // check if we have been called by public sector application - if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { - bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; - Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); - bPK = calculatebPKwbPK(baseID + "+" + bPKType); - - } else { // if not, sector identification value is already calculated by BKU - Logger.debug("eIDAS eIdentifier already provided by BKU"); - bPK = baseID; - } - - if ((MiscUtil.isEmpty(bPK) || - MiscUtil.isEmpty(sourceCountry) || - MiscUtil.isEmpty(destinationCountry))) { - throw new BuildException("builder.00", - new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + - bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); - } - - Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); - String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; - - return Pair.newInstance(eIdentifier, bPKType); - } - -// /** -// * Builds the bPK from the given parameters. -// * -// * @param identificationValue Base64 encoded "Stammzahl" -// * @param target "Bereich lt. Verordnung des BKA" -// * @return bPK in a BASE64 encoding -// * @throws BuildException if an error occurs on building the bPK -// */ -// private String buildBPK(String identificationValue, String target) -// throws BuildException { -// -// if ((identificationValue == null || -// identificationValue.length() == 0 || -// target == null || -// target.length() == 0)) { -// throw new BuildException("builder.00", -// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + -// identificationValue + ",target=" + target}); -// } -// String basisbegriff; -// if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) -// basisbegriff = identificationValue + "+" + target; -// else -// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; -// -// return calculatebPKwbPK(basisbegriff); -// } -// -// /** -// * Builds the wbPK from the given parameters. -// * -// * @param identificationValue Base64 encoded "Stammzahl" -// * @param registerAndOrdNr type of register + "+" + number in register. -// * @return wbPK in a BASE64 encoding -// * @throws BuildException if an error occurs on building the wbPK -// */ -// private String buildWBPK(String identificationValue, String registerAndOrdNr) -// throws BuildException { -// -// if ((identificationValue == null || -// identificationValue.length() == 0 || -// registerAndOrdNr == null || -// registerAndOrdNr.length() == 0)) { -// throw new BuildException("builder.00", -// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + -// identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); -// } -// -// String basisbegriff; -// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) -// basisbegriff = identificationValue + "+" + registerAndOrdNr; -// else -// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; -// -// return calculatebPKwbPK(basisbegriff); -// } -// -// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { -// if (MiscUtil.isEmpty(baseID) || -// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || -// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || -// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { -// throw new BuildException("builder.00", -// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget -// + " has an unkown prefix."}); -// -// } -// -// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); -// -// } - + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); MiscUtil.assertNotNull(target, "sector"); @@ -332,6 +218,48 @@ public class BPKBuilder { } } + + /** + * Builds the storkeid from the given parameters. + * + * @param baseID baseID of the citizen + * @param baseIDType Type of the baseID + * @param sourceCountry CountryCode of that country, which build the eIDAs ID + * @param destinationCountry CountryCode of that country, which receives the eIDAs ID + * + * @return Pair in a BASE64 encoding + * @throws BuildException if an error occurs on building the wbPK + */ + private Pair buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) + throws BuildException { + String bPK = null; + String bPKType = null; + + // check if we have been called by public sector application + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; + Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); + bPK = calculatebPKwbPK(baseID + "+" + bPKType); + + } else { // if not, sector identification value is already calculated by BKU + Logger.debug("eIDAS eIdentifier already provided by BKU"); + bPK = baseID; + } + + if ((MiscUtil.isEmpty(bPK) || + MiscUtil.isEmpty(sourceCountry) || + MiscUtil.isEmpty(destinationCountry))) { + throw new BuildException("builder.00", + new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + + bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); + } + + Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); + String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; + + return Pair.newInstance(eIdentifier, bPKType); + } + private String calculatebPKwbPK(String basisbegriff) throws BuildException { try { MessageDigest md = MessageDigest.getInstance("SHA-1"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java index a90d71a18..a32159dd0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java @@ -18,6 +18,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.util.FileUtils; @@ -35,26 +36,44 @@ public class UserWhitelistStore { @PostConstruct private void initialize() { String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE); - if (MiscUtil.isEmpty(whiteListUrl)) - Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file."); + String internalTarget = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR); + if (MiscUtil.isEmpty(whiteListUrl) || MiscUtil.isEmpty(internalTarget)) + Logger.debug("Do not initialize user whitelist. Reason: NO configuration path to CSV file or NO internal bPK target for whitelist"); else { - absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()); - try { - InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); + if (internalTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + internalTarget = internalTarget.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + else if (internalTarget.startsWith(MOAIDAuthConstants.PREFIX_WPBK)) + internalTarget = internalTarget.substring(MOAIDAuthConstants.PREFIX_WPBK.length()); + else if (internalTarget.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) + internalTarget = internalTarget.substring(MOAIDAuthConstants.PREFIX_EIDAS.length()); + else { + Logger.warn("Sector: " + internalTarget + " is NOT supported for user whitelist."); + Logger.info("User whitelist-store MAY NOT contains all user from whitelist"); + } + + try { + absWhiteListUrl = new URL(FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir())) + .toURI().toString().substring("file:".length()); + InputStream is = new FileInputStream(new File(absWhiteListUrl)); String whiteListString = IOUtils.toString(new InputStreamReader(is)); List preWhitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString)); + + //remove prefix if required for (String bPK : preWhitelist) { String[] bPKSplit = bPK.split(":"); if (bPKSplit.length == 1) whitelist.add(bPK); - else if (bPKSplit.length ==2 ) - whitelist.add(bPKSplit[1]); - - else + else if (bPKSplit.length ==2 ) { + if (internalTarget.equals(bPKSplit[0])) + whitelist.add(bPKSplit[1]); + else + Logger.info("Whitelist entry: " + bPK + " has an unsupported target. Entry will be removed ..."); + + } else Logger.info("Whitelist entry: " + bPK + " has an unsupported format. Entry will be removed ..."); } @@ -108,7 +127,7 @@ public class UserWhitelistStore { public boolean isUserbPKInWhitelistDynamic(String bPK, boolean onlyDynamic) { try { if (absWhiteListUrl != null) { - InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); + InputStream is = new FileInputStream(new File(absWhiteListUrl)); String whiteListString = IOUtils.toString(new InputStreamReader(is)); if (whiteListString != null && whiteListString.contains(bPK)) { Logger.trace("Find user with dynamic whitelist check"); diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java new file mode 100644 index 000000000..e300c8ec8 --- /dev/null +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/AuthenticationDataBuilderTest.java @@ -0,0 +1,85 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.ByteArrayInputStream; +import java.util.Arrays; +import java.util.List; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.module.test.TestRequestImpl; +import at.gv.egovernment.moa.util.Base64Utils; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/SpringTest-context_basic_user_whitelist.xml") +public class AuthenticationDataBuilderTest { + + @Autowired private AuthenticationDataBuilder authBuilder; + + private static final String DUMMY_IDL = "PHNhbWw6QXNzZXJ0aW9uIEFzc2VydGlvbklEPSJzenIuYm1pLmd2LmF0LUFzc2VydGlvbklEMTUyNzY2OTEwMDU5MTI3NDQiIElzc3VlSW5zdGFudD0iMjAxOC0wNS0zMFQxMDozMTo0MCswMTowMCIgSXNzdWVyPSJodHRwOi8vcG9ydGFsLmJtaS5ndi5hdC9yZWYvc3pyL2lzc3VlciIgTWFqb3JWZXJzaW9uPSIxIiBNaW5vclZlcnNpb249IjAiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnByPSJodHRwOi8vcmVmZXJlbmNlLmUtZ292ZXJubWVudC5ndi5hdC9uYW1lc3BhY2UvcGVyc29uZGF0YS8yMDAyMDIyOCMiIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOmVjZHNhPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSMiIHhtbG5zOnNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+Cgk8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+CgkJPHNhbWw6U3ViamVjdD4KCQkJPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4KCQkJCTxzYW1sOkNvbmZpcm1hdGlvbk1ldGhvZD51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6Y206c2VuZGVyLXZvdWNoZXM8L3NhbWw6Q29uZmlybWF0aW9uTWV0aG9kPgoJCQkJPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGE+CgkJCQkJPHByOlBlcnNvbiBzaTp0eXBlPSJwcjpQaHlzaWNhbFBlcnNvblR5cGUiPjxwcjpJZGVudGlmaWNhdGlvbj48cHI6VmFsdWU+dHFDUUVDNytBcUdFZWVMMzkwVjVKZz09PC9wcjpWYWx1ZT48cHI6VHlwZT51cm46cHVibGljaWQ6Z3YuYXQ6YmFzZWlkPC9wcjpUeXBlPjwvcHI6SWRlbnRpZmljYXRpb24+PHByOk5hbWU+PHByOkdpdmVuTmFtZT5NYXg8L3ByOkdpdmVuTmFtZT48cHI6RmFtaWx5TmFtZSBwcmltYXJ5PSJ1bmRlZmluZWQiPk11c3Rlcm1hbm48L3ByOkZhbWlseU5hbWU+PC9wcjpOYW1lPjxwcjpEYXRlT2ZCaXJ0aD4xOTQwLTAxLTAxPC9wcjpEYXRlT2ZCaXJ0aD48L3ByOlBlcnNvbj4KCQkJCTwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT4KCQkJPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+CgkJPC9zYW1sOlN1YmplY3Q+Cgk8c2FtbDpBdHRyaWJ1dGUgQXR0cmlidXRlTmFtZT0iQ2l0aXplblB1YmxpY0tleSIgQXR0cmlidXRlTmFtZXNwYWNlPSJ1cm46cHVibGljaWQ6Z3YuYXQ6bmFtZXNwYWNlczppZGVudGl0eWxpbms6MS4yIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZT48ZHNpZzpSU0FLZXlWYWx1ZT48ZHNpZzpNb2R1bHVzPnMwWmhkR2E4REgwSW1iTlU3aTRxdDRtR25CUEFlTDk5Q0dkZmRCOEhWWE5CNWd3d2VMY1o5WE1TWUJvUHFHdFVqemh6S29zRkN5M0sNCmpsSEVrejB0L3JQemhOVGRsVjJRN0FGWEZlT2g3M3dPajQ3R1B2T2lVNzdwQjE3WnJaOHlObW1JTTEyUVE5MVN0RGFWRkUra0dxUEkNCmNFZHZiZk94blU4aGNpa3lYcWVheFZVV3oxbVdXTnRveUwyWG5wa1U0QkZVQnU1NWg5S2tYVEFQcnBUbEFMZjkvRDFKamZWb05tamwNCnBLWXh6Q3JBSmE4Sno4Ui9sNis0U0U3YXc3dGZuazNZUXkxcFVmNWZmellkeXZQS2ZxVTBUTUVKLzdpOW1ORHFCZlVwcVhBRWowdWUNCkpvRWs0UC9pa2Q5UnZuVUlsU0V1NzFHMyt1VEluSXBaaTd2UG93PT08L2RzaWc6TW9kdWx1cz48ZHNpZzpFeHBvbmVudD5BUUFCPC9kc2lnOkV4cG9uZW50PjwvZHNpZzpSU0FLZXlWYWx1ZT48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50PgoJPGRzaWc6U2lnbmF0dXJlPgoJCTxkc2lnOlNpZ25lZEluZm8+CgkJCTxkc2lnOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+CgkJCTxkc2lnOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIgLz4KCQkJPGRzaWc6UmVmZXJlbmNlIFVSST0iIj4KCQkJCTxkc2lnOlRyYW5zZm9ybXM+CgkJCQkJPGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvVFIvMTk5OS9SRUMteHBhdGgtMTk5OTExMTYiPgoJCQkJCQk8ZHNpZzpYUGF0aD5ub3QoYW5jZXN0b3Itb3Itc2VsZjo6cHI6SWRlbnRpZmljYXRpb24pPC9kc2lnOlhQYXRoPgoJCQkJCTwvZHNpZzpUcmFuc2Zvcm0+CgkJCQkJPGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIC8+CgkJCQk8L2RzaWc6VHJhbnNmb3Jtcz4KCQkJCTxkc2lnOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIiAvPgoJCQkJPGRzaWc6RGlnZXN0VmFsdWU+QmVIdUFyYXUzSFVQcXg5dHV3QTRGaDNOSDB3PTwvZHNpZzpEaWdlc3RWYWx1ZT4KCQkJPC9kc2lnOlJlZmVyZW5jZT4KCQkJPGRzaWc6UmVmZXJlbmNlIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNNYW5pZmVzdCIgVVJJPSIjbWFuaWZlc3QiPgoJCQkJPGRzaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIC8+CgkJCQk8ZHNpZzpEaWdlc3RWYWx1ZT5mVEUrMjRnRHlkUlgvd0p2QlAxOUlucU54Rkk9PC9kc2lnOkRpZ2VzdFZhbHVlPgoJCQk8L2RzaWc6UmVmZXJlbmNlPgoJCTwvZHNpZzpTaWduZWRJbmZvPgoJCTxkc2lnOlNpZ25hdHVyZVZhbHVlPgogICAgUHpLMWR2N2JFMGhQcGxlc1ZaRFhHSWxhbTlUK0JxWkd4ZWs5RHVuYkhNK21GWWI3a1NaZTN2eEszUmhRZjNBV3djbXFtVWZPRlJObg0KWndxYnovNGRZd2hJRld6VGdMelVmMlZkR0JsN2szbS8wSmJXSkV1bEtobE5vV2ZSTkRrdTRZcmI2THVrWjdaQzJFcWd2UXYxa1BRTg0Kb1BvQ1I5d3hUc1RKWFNCaHdLc0lERG9vZHY3aUVpWGFCM0xmVHQrQWdYdEdvbWRRaktjby9WamJSSzRUUEkvQUVNVU1KWm9zZlJYMg0KdmE2U1BaUnV4QjBlWkwwVGVzYittRjlFaUlOVnNTSU9nbTVSRE95V1ZRZkJnVG9nYjNoWmlLVmh0a1IvaWlSNmhZNlA2b1cwTDh4ag0KMG5ZVldPRHAxSlJML3Z0ZDFhUklVYzNCQTJQaFkrRmdJR1FHTUE9PQogIDwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpLZXlJbmZvPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlGdXpDQ0JLT2dBd0lCQWdJREdTa2VNQTBHQ1NxR1NJYjNEUUVCQlFVQU1JR2ZNUXN3Q1FZRFZRUUdFd0pCDQpWREZJTUVZR0ExVUVDZ3cvUVMxVWNuVnpkQ0JIWlhNdUlHWXVJRk5wWTJobGNtaGxhWFJ6YzNsemRHVnRaU0JwDQpiU0JsYkdWcmRISXVJRVJoZEdWdWRtVnlhMlZvY2lCSGJXSklNU0l3SUFZRFZRUUxEQmxoTFhOcFoyNHRZMjl5DQpjRzl5WVhSbExXeHBaMmgwTFRBeU1TSXdJQVlEVlFRRERCbGhMWE5wWjI0dFkyOXljRzl5WVhSbExXeHBaMmgwDQpMVEF5TUI0WERURTFNRGN5T0RFMU5Ea3dOVm9YRFRJd01EY3lPREV6TkRrd05Wb3dnYll4Q3pBSkJnTlZCQVlUDQpBa0ZVTVI0d0hBWURWUVFLREJWRVlYUmxibk5qYUhWMGVtdHZiVzFwYzNOcGIyNHhJakFnQmdOVkJBc01HVk4wDQpZVzF0ZW1Gb2JISmxaMmx6ZEdWeVltVm9iMlZ5WkdVeExqQXNCZ05WQkFNTUpWTnBaMjVoZEhWeWMyVnlkbWxqDQpaU0JFWVhSbGJuTmphSFYwZW10dmJXMXBjM05wYjI0eEZUQVRCZ05WQkFVVERETXlOVGt5T0RNeU16azVPREVjDQpNQm9HQ1NxR1NJYjNEUUVKQVF3TlpITnJRR1J6YXk1bmRpNWhkRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEDQpnZ0VQQURDQ0FRb0NnZ0VCQU4rZEJTRUJHajJqVVhJSzFNcDNsVnhjL1phK3BKTWl5S3JYM0cxWnhnWC9pa3g3DQpEOXNjc1BZTXQ0NzNMbEFXbDljbUNiSGJKSytQVjJYTk5kVVJMTVVDSVgrNHZVTnMyTUhlRFRRdFg4QlhqSkZwDQp3SllTb2FSSlEzOUZWUy8xcjVzV2NyYTlIaGRtN3c1R3R4LzJ1a3lEWDBrZGt4YXdraFA0RVFFemkvU0krRnVnDQpuK1dxZ1ExbkFkbGJ4Yi9kY0J3NXcxaDliM2xtdXdVZjR6M29vUVdVRDJEZ0Eva0tkMUtlak5SNDNtTFVzbXZTDQp6ZXZQeFQ5enM3OHBPUjFPYWNCN0lzelRWSlBYZU9FYWFOWkhubkIvVWVPM2c4TEVWLzNPa1hjVWdjTWtiSUlpDQphQkhsbGw3MVBxMENPajlrcWpYb2U3T3JSakxZNWkzS3dPcGE2VE1DQXdFQUFhT0NBZVV3Z2dIaE1CRUdBMVVkDQpEZ1FLQkFoTUNBNmVHdlMxdWpBT0JnTlZIUThCQWY4RUJBTUNCTEF3RGdZSEtpZ0FDZ0VIQVFRREFRSC9NQk1HDQpBMVVkSXdRTU1BcUFDRWtjV0RwUDZBMERNQWtHQTFVZEV3UUNNQUF3RkFZSEtpZ0FDZ0VCQVFRSkRBZENVMEl0DQpSRk5MTUg4R0NDc0dBUVVGQndFQkJITXdjVEJHQmdnckJnRUZCUWN3QW9ZNmFIUjBjRG92TDNkM2R5NWhMWFJ5DQpkWE4wTG1GMEwyTmxjblJ6TDJFdGMybG5iaTFqYjNKd2IzSmhkR1V0YkdsbmFIUXRNREpoTG1OeWREQW5CZ2dyDQpCZ0VGQlFjd0FZWWJhSFIwY0RvdkwyOWpjM0F1WVMxMGNuVnpkQzVoZEM5dlkzTndNRlFHQTFVZElBUk5NRXN3DQpTUVlHS2lnQUVRRVNNRDh3UFFZSUt3WUJCUVVIQWdFV01XaDBkSEE2THk5M2QzY3VZUzEwY25WemRDNWhkQzlrDQpiMk56TDJOd0wyRXRjMmxuYmkxQmJYUnpjMmxuYm1GMGRYSXdnWjRHQTFVZEh3U0JsakNCa3pDQmtLQ0JqYUNCDQppb2FCaDJ4a1lYQTZMeTlzWkdGd0xtRXRkSEoxYzNRdVlYUXZiM1U5WVMxemFXZHVMV052Y25CdmNtRjBaUzFzDQphV2RvZEMwd01peHZQVUV0VkhKMWMzUXNZejFCVkQ5alpYSjBhV1pwWTJGMFpYSmxkbTlqWVhScGIyNXNhWE4wDQpQMkpoYzJVL2IySnFaV04wWTJ4aGMzTTlaV2xrUTJWeWRHbG1hV05oZEdsdmJrRjFkR2h2Y21sMGVUQU5CZ2txDQpoa2lHOXcwQkFRVUZBQU9DQVFFQUhRM1pDTXRBYmF6ZU1IbVdBMnpoWWxIcUhnS1ZvY1ZYRURnbU5tV0xHcUZlDQo4RUFERklzOHVHcmt0Qm1XQ1VJWGJYczdUSGNmeHMySjQ3dkh1Y29wc2RrYWJObFhFanpuZFJmbmMrMVZJbmJvDQp6TXJZZDdqZUROVEsvdElqaU9FWWRyeUlwZWtWOUNmYXc3eXU2bWVmTXpldTFhQXdmN0JuSy9odWl3SlduZW5wDQpCN2lEL1B2WittenVDN1JOZkpmRisrU3RpQlR4aTNWWXhOR01qTTFjVThHdzlWV2MwUjNFdWpPYVhXZ0NDOGk1DQpGR2hWdk9ZaE5YZnN4SlhiTnhld0VDanBBTHZEbEZMTCtpQzQ5RytBRFNvUnYwU2s5MU9QdStjSW1DajNyczNRDQp0YXNJL3A5TFlhY0c2Yy9nSTN0RTBpaHFnOVJic0tIWFFsM1BPdkVSSkE9PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjwvZHNpZzpLZXlJbmZvPgoJCTxkc2lnOk9iamVjdD4KCQkJPGRzaWc6TWFuaWZlc3QgSWQ9Im1hbmlmZXN0Ij4KCQkJCTxkc2lnOlJlZmVyZW5jZSBVUkk9IiI+CgkJCQkJPGRzaWc6VHJhbnNmb3Jtcz4KCQkJCQkJPGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvVFIvMTk5OS9SRUMteHBhdGgtMTk5OTExMTYiPgoJCQkJCQkJPGRzaWc6WFBhdGg+bm90KGFuY2VzdG9yLW9yLXNlbGY6OmRzaWc6U2lnbmF0dXJlKTwvZHNpZzpYUGF0aD4KCQkJCQkJPC9kc2lnOlRyYW5zZm9ybT4KCQkJCQk8L2RzaWc6VHJhbnNmb3Jtcz4KCQkJCQk8ZHNpZzpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgLz4KCQkJCQk8ZHNpZzpEaWdlc3RWYWx1ZT5wM1pwS1BvK0ZYT3ZXdEhidFJzR2VLWm9lSTQ9PC9kc2lnOkRpZ2VzdFZhbHVlPgoJCQkJPC9kc2lnOlJlZmVyZW5jZT4KCQkJPC9kc2lnOk1hbmlmZXN0PgoJCTwvZHNpZzpPYmplY3Q+Cgk8L2RzaWc6U2lnbmF0dXJlPgo8L3NhbWw6QXNzZXJ0aW9uPg=="; + + @Test + public void dummyTest() throws Exception { + + + } + + + @Test + public void buildAuthDataWithIDLOnly() throws Exception { + IRequest pendingReq = new TestRequestImpl(); + DummyOAConfig oaParam = new DummyOAConfig(); + oaParam.setHasBaseIdTransferRestriction(false); + oaParam.setTarget("urn:publicid:gv.at:cdid+ZP-MH"); + oaParam.setForeignbPKSectors(Arrays.asList("wbpk+FN+195738a")); + + IAuthenticationSession session = new DummyAuthSession(); + session.setIdentityLink(new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(DUMMY_IDL, false))).parseIdentityLink()); + + IAuthData authData = authBuilder.buildAuthenticationData(pendingReq, session, oaParam); + + if (!authData.getFamilyName().equals("Mustermann")) + throw new Exception("Familyname wrong"); + + if (!authData.getGivenName().equals("Max")) + throw new Exception("GivenName wrong"); + + if (!authData.getFormatedDateOfBirth().equals("1940-01-01")) + throw new Exception("DateOfBirth wrong"); + + + if (!authData.getIdentificationValue().equals("tqCQEC7+AqGEeeL390V5Jg==")) + throw new Exception("baseId wrong"); + + if (!authData.getIdentificationType().equals("urn:publicid:gv.at:baseid")) + throw new Exception("baseIdType wrong"); + + + if (!authData.getBPK().equals("DJ6nGg2JgcPH768BhqTNXVsGhOY=")) + throw new Exception("bPK wrong"); + + if (!authData.getBPKType().equals("urn:publicid:gv.at:cdid+ZP-MH")) + throw new Exception("bPKType wrong"); + + + List foreignbPKs = authData.getEncbPKList(); + if (foreignbPKs.isEmpty()) + throw new Exception("NO foreign bPK list is null"); + + if (foreignbPKs.size() != 1) + throw new Exception("NO or MORE THAN ONE foreign bPK"); + + if (!foreignbPKs.get(0).startsWith("(wbpk+FN+195738a|") && !(foreignbPKs.get(0).endsWith(")"))) + throw new Exception("foreign bPK has wrong prefix"); + + } + +} diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java index d72e2f28c..2c31d82f9 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -1,10 +1,12 @@ package at.gv.egovernment.moa.id.config.auth.data; import java.io.IOException; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Properties; +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; @@ -86,8 +88,13 @@ public class DummyAuthConfig implements AuthConfiguration { } catch (IOException e) { e.printStackTrace(); } + + } else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) { + return "urn:publicid:gv.at:cdid+ZP-MH"; + } + return null; } @@ -99,8 +106,46 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public Map getBasicMOAIDConfigurationWithPrefix(String prefix) { - // TODO Auto-generated method stub - return null; + Map result = new HashMap(); + if (AuthenticationDataBuilder.CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS.equals(prefix)) { + result.put("BMI+T1", "MIICuTCCAaGgAwIBAgIEWQMr6TANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARyb290MB4XDTE3MDQyODExNDgyN1oXDTE4MDQyODExNDgyN1owDzENMAsGA1UEAwwEcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKavdekY9h6te6UoCvahSKqhlNk+ZMGq1aBvj129J10wJoz3BsO86cK/ounvzrE9g6FOOeEtlb/lRRTwhO601o9/dXhIvSalpKgAF4owTuhxKUEhEUNJr4pUxFSm8OkPHEXqSXsn6W7tg/G0r12z246RAApw5jpzDDdYYY8gEZFXURf1xYnbKFPoNlPIyFj0vN7Afe+Fo8v3Brb05iQkC3wBxMnL2LZ7XLK8uu93VG/mOrUrEtZkFzOWg0c3WBKQgxCD/F5BMouXBSsNu7lzV2qEyX0uIiEQrv75Fk32DjQqx41S31lByFnL8YbYWX4lsCv0O9Smhjrn6+k91JsvcDECAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAb4wDQYJKoZIhvcNAQELBQADggEBAAFQVd6PHrpBDTw+YUYj3yOgjFlKiSTEb4s59O74CZGbgElE2k36bqEJwki8W2ZiK+L3aeA1XCYF9cuI8QBWHJXg3UQFtDMF2zieOy/BBEA0HN6q4IjQKbt9cNR3w7nMp+lJ/BUlX6AIqfmSgJ6bKVlUsu4yuhstDBXy7QOAuQ8q76qkk7j6uiahWCyBRb5R9TDj7mQn0nM/tbeUUZa7Mxje/W4YhdatNYasTnExCyEE4S6lpSiJQdrkFGlRWp6Ia41/r6GZsAZ6pss+xyxDbJySqbVn2ro6WV4kMbrh/gX1HbmrF5UGIO/qvM+5yM6+wUfLtqPCK0PtLkI940E3WfM="); + result.put("wbpk+FN+468924i", "MIIDCzCCAfMCBFr9aB4wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxEzARBgNVBAsMCnZpZHAuZ3YuYXQxFzAVBgNVBAMMDlNBTUwyIG1ldGFkYXRhMB4XDTE4MDUxNzExMzE0MloXDTE5MDUxNzExMzE0MlowSjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxEzARBgNVBAsMCnZpZHAuZ3YuYXQxFzAVBgNVBAMMDlNBTUwyIG1ldGFkYXRhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi5yyZCJCW2MLQKmupDZTQBNItpIqMlLNAUMF5U8vwJ0uoAWqetOyJ65Q9Wx9TixcIIxXa+0qA/7xVr44LoE4sRXZtZvkS5TGXUgD81FLXU5WJdeJQeUa63TdKjpdcL6wCbMIDs+2fDClIB7gKUV7S56NMhdiQzfW6OLFFQyfu6aXzpLcAOqq+FVo5paPjvGNgmVGwMS/4W0c8FeaPceno98rjslYslKUu3gCMezhYmvson7fEsgRf6s/Ko4pZev4rK7N+ib25g0x0L+gJkq6gb46wH4TBemXr/WTi5II1pxdG0CuLLKewDgMCymeneXPFIewiIPF9ydSPdq2XsHlTwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBbNeQGGDB0RjWRtCoMPQ1tF4pTMOy1QXd362Qx6kbuScEsG/9fGLE3mgpyLx3zyjX/pP0hkVtygDu/5684KEj0aJ65dx6kgFkmvLNq4YUpvQUBjylQHmpO4fsL57q8ZMnoWow8rX4g18sP8lHvW1g+tfWa3r+RRN/NlHm0RYb559xq7NgfPu11gxp9O6RsSkrf0IkWnJ1dit4bx7RR8PY+ZZjPAfg8/eAZ98DSP8FPdlLkKQvRV5NCIjG4tU5tIV4z5yvZ/npdKMdqjiQxmA002U+inOzCcciRRZSdXhYgqvkuMEHYsaoGlLwj+wJbEviobPpWxcEeQoqEwIj6QpwX"); + result.put("wbpk+FN+195738a", "MIIF2TCCA8GgAwIBAgIEL2AV4zANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMC\r\n" + + "QVQxSDBGBgNVBAoMP0EtVHJ1c3QgR2VzLiBmLiBTaWNoZXJoZWl0c3N5c3RlbWUg\r\n" + + "aW0gZWxla3RyLiBEYXRlbnZlcmtlaHIgR21iSDEYMBYGA1UECwwPYS1zaWduLWxp\r\n" + + "Z2h0LTA1MRgwFgYDVQQDDA9hLXNpZ24tbGlnaHQtMDUwHhcNMTgwNjA4MTA0MzEy\r\n" + + "WhcNMjMwNjA4MDg0MzEyWjBoMQswCQYDVQQGEwJBVDEbMBkGA1UEAwwSZS1UcmVz\r\n" + + "b3IgRnJlbWQtYlBLMRIwEAYDVQQEDAlGcmVtZC1iUEsxETAPBgNVBCoMCGUtVHJl\r\n" + + "c29yMRUwEwYDVQQFEwwxMTc3MDQwMzU4MjUwggEgMA0GCSqGSIb3DQEBAQUAA4IB\r\n" + + "DQAwggEIAoIBAQC9jQHCrCK4r8bKsist/h53yP7RzqDZhDGy3j6BLiGMGeQ8Qekf\r\n" + + "k+Onmy6k7PfOfBZgiOd/Zs8JXZMISycz5/G9WJp0d1iFjmRDNWmM4MEN8k+mAnW+\r\n" + + "Omn7sTJStaL5hRME/YdJpI/k08MasQuc13M6i6szpKA0eMfLf0nTWgEWt5e/x3Gj\r\n" + + "+Br7dxYtv8RDeHHVhk5EkXwbhuVi9fO/UCNEAEsKCkiTGCwVRek/c+LQ42cnuLKN\r\n" + + "Kg4LKJaIrr9uyMkibYpDZi1nXwQR9Jxsg4lzfpyAvSJIZtqMN0C66cwnzflLt9M8\r\n" + + "GwO08KzvONEo4oiodKx7IcMGGbjukHX2NY7BAgERo4IBZzCCAWMwdAYIKwYBBQUH\r\n" + + "AQEEaDBmMDsGCCsGAQUFBzAChi9odHRwOi8vd3d3LmEtdHJ1c3QuYXQvY2VydHMv\r\n" + + "YS1zaWduLWxpZ2h0LTA1LmNydDAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10\r\n" + + "cnVzdC5hdC9vY3NwMBMGA1UdIwQMMAqACEhCh7VWr5ysMB0GA1UdEQQWMBSBEnRl\r\n" + + "Y2huaWtAYS10cnVzdC5hdDARBgNVHQ4ECgQIRnNIDj8iCQcwDgYDVR0PAQH/BAQD\r\n" + + "AgSwMAkGA1UdEwQCMAAwTQYDVR0gBEYwRDBCBgYqKAARAQkwODA2BggrBgEFBQcC\r\n" + + "ARYqaHR0cDovL3d3dy5hLXRydXN0LmF0L2RvY3MvY3AvYS1zaWduLWxpZ2h0MDoG\r\n" + + "A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwuYS10cnVzdC5hdC9jcmwvYS1zaWdu\r\n" + + "LWxpZ2h0LTA1MA0GCSqGSIb3DQEBCwUAA4ICAQAh7plfW9U3hh5brYS0OmWhKJrM\r\n" + + "jBDn9TyKsdetZ3AU3/GJONSq1GrZbTv6dq6vAH0G20cNQaLSNl2/9U3WBqX2T2Ik\r\n" + + "vek8925+9HAFRVZiwnNX5CT0dQGNkqkagVzfd8dj8n+KiQZZZN9WroR9MoRXNlw1\r\n" + + "DERzlXLlYFtK+F4323LtbolSLnN793p/6al4k8RheKG0Jy+pEtpCy6KNohkl34ZE\r\n" + + "xtGrQLrJDtRtbCJcJ1t2fsM8iP9vi+K+0hOolIM7qwELRftwhvLyB+Gtlke2zLod\r\n" + + "SR0AA6fLoNISdKpSEIu1OJ88R70T3q3sEYWLHc8GHPO6WjaF/tq8iI/lPeUc0c2u\r\n" + + "gZOpH6Q3jWZo9UmhAbcyIwQTtVg9lS35EM3xPt+GC9DTsyNkTJObICZXUGsUswCp\r\n" + + "Vj76888biAR/ey9pr6fctj11w4jEwOP5pIcKdv1vX6KZl58O8kIUV3IUbvFY/M1n\r\n" + + "bfCrmm8uT4780NAIv3v8jgB/wK6EjntXoACPyGwB3lbdWJ2lZ4y5QCYEbW/8LLzJ\r\n" + + "6kGERNrFGBn4pK8GhZg8Tq1GigOyUrGteHeYUylKqLRoIvby53tYHnMx5fS/N/OU\r\n" + + "uKuAqGNHDTNkYI2jWhS6gFjUdTiaVVdKo/GSS4eDU5hsKOBRHTKWLT9E1DryCUkD\r\n" + + "u4SwB63SrCEshSczfA==\r\n"); + + } + + return result; } @Override diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java new file mode 100644 index 000000000..e340d4c86 --- /dev/null +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthSession.java @@ -0,0 +1,287 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.util.Date; +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; +import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; +import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; +import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; +import iaik.x509.X509Certificate; + +public class DummyAuthSession implements IAuthenticationSession { + + private IIdentityLink idl; + + @Override + public boolean isAuthenticated() { + return true; + } + + @Override + public void setAuthenticated(boolean authenticated) { + // TODO Auto-generated method stub + + } + + @Override + public X509Certificate getSignerCertificate() { + // TODO Auto-generated method stub + return null; + } + + @Override + public byte[] getEncodedSignerCertificate() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setSignerCertificate(X509Certificate signerCertificate) { + // TODO Auto-generated method stub + + } + + @Override + public IIdentityLink getIdentityLink() { + return this.idl; + } + + @Override + public String getSessionID() { + return "123456789abcd"; + } + + @Override + public void setIdentityLink(IIdentityLink identityLink) { + this.idl = identityLink; + + } + + @Override + public void setSessionID(String sessionId) { + // TODO Auto-generated method stub + + } + + @Override + public String getBkuURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setBkuURL(String bkuURL) { + // TODO Auto-generated method stub + + } + + @Override + public String getAuthBlock() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setAuthBlock(String authBlock) { + // TODO Auto-generated method stub + + } + + @Override + public List getExtendedSAMLAttributesAUTH() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setExtendedSAMLAttributesAUTH(List extendedSAMLAttributesAUTH) { + // TODO Auto-generated method stub + + } + + @Override + public List getExtendedSAMLAttributesOA() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setExtendedSAMLAttributesOA(List extendedSAMLAttributesOA) { + // TODO Auto-generated method stub + + } + + @Override + public boolean getSAMLAttributeGebeORwbpk() { + // TODO Auto-generated method stub + return false; + } + + @Override + public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) { + // TODO Auto-generated method stub + + } + + @Override + public String getIssueInstant() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setIssueInstant(String issueInstant) { + // TODO Auto-generated method stub + + } + + @Override + public void setUseMandate(String useMandate) { + // TODO Auto-generated method stub + + } + + @Override + public void setUseMandates(boolean useMandates) { + // TODO Auto-generated method stub + + } + + @Override + public boolean isMandateUsed() { + // TODO Auto-generated method stub + return false; + } + + @Override + public void setMISSessionID(String misSessionID) { + // TODO Auto-generated method stub + + } + + @Override + public String getMISSessionID() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMandateReferenceValue() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setMandateReferenceValue(String mandateReferenceValue) { + // TODO Auto-generated method stub + + } + + @Override + public boolean isForeigner() { + // TODO Auto-generated method stub + return false; + } + + @Override + public void setForeigner(boolean isForeigner) { + // TODO Auto-generated method stub + + } + + @Override + public IVerifiyXMLSignatureResponse getXMLVerifySignatureResponse() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setXMLVerifySignatureResponse(IVerifiyXMLSignatureResponse xMLVerifySignatureResponse) { + // TODO Auto-generated method stub + + } + + @Override + public IMISMandate getMISMandate() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setMISMandate(IMISMandate mandate) { + // TODO Auto-generated method stub + + } + + @Override + public boolean isOW() { + // TODO Auto-generated method stub + return false; + } + + @Override + public void setOW(boolean isOW) { + // TODO Auto-generated method stub + + } + + @Override + public String getAuthBlockTokken() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setAuthBlockTokken(String authBlockTokken) { + // TODO Auto-generated method stub + + } + + @Override + public String getQAALevel() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setQAALevel(String qAALevel) { + // TODO Auto-generated method stub + + } + + @Override + public Date getSessionCreated() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Map getGenericSessionDataStorage() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Object getGenericDataFromSession(String key) { + // TODO Auto-generated method stub + return null; + } + + @Override + public T getGenericDataFromSession(String key, Class clazz) { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setGenericDataToSession(String key, Object object) throws SessionDataStorageException { + // TODO Auto-generated method stub + + } + + +} diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java new file mode 100644 index 000000000..76e0a83c6 --- /dev/null +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthStorage.java @@ -0,0 +1,186 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.util.Date; +import java.util.List; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; +import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; + +public class DummyAuthStorage implements IAuthenticationSessionStoreage { + + @Override + public boolean isAuthenticated(String internalSsoSessionID) { + // TODO Auto-generated method stub + return false; + } + + @Override + public AuthenticationSession createInternalSSOSession(IRequest target) throws MOADatabaseException, BuildException { + // TODO Auto-generated method stub + return null; + } + + @Override + public AuthenticationSession getInternalSSOSession(String internalSsoSessionID) throws MOADatabaseException { + // TODO Auto-generated method stub + return null; + } + + @Override + public AuthenticationSessionExtensions getAuthenticationSessionExtensions(String internalSsoSessionID) + throws MOADatabaseException { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setAuthenticationSessionExtensions(String internalSsoSessionID, + AuthenticationSessionExtensions sessionExtensions) throws MOADatabaseException { + // TODO Auto-generated method stub + + } + + @Override + public void destroyInternalSSOSession(String internalSsoSessionID) throws MOADatabaseException { + // TODO Auto-generated method stub + + } + + @Override + public void setAuthenticated(String internalSsoSessionID, boolean isAuthenticated) { + // TODO Auto-generated method stub + + } + + @Override + public AuthenticationSession getInternalMOASessionWithSSOID(String SSOSessionID) throws MOADatabaseException { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isSSOSession(String sessionID) throws MOADatabaseException { + // TODO Auto-generated method stub + return false; + } + + @Override + public AuthenticatedSessionStore isValidSessionWithSSOID(String SSOId) { + // TODO Auto-generated method stub + return null; + } + + @Override + public void addSSOInformation(String moaSessionID, String SSOSessionID, SLOInformationInterface SLOInfo, + IRequest protocolRequest) throws AuthenticationException { + // TODO Auto-generated method stub + + } + + @Override + public List getAllActiveOAFromMOASession(IAuthenticationSession moaSession) { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getAllActiveIDPsFromMOASession(IAuthenticationSession moaSession) { + // TODO Auto-generated method stub + return null; + } + + @Override + public IAuthenticationSession searchMOASessionWithNameIDandOAID(String oaID, String userNameID) { + // TODO Auto-generated method stub + return null; + } + + @Override + public OASessionStore searchActiveOASSOSession(IAuthenticationSession moaSession, String oaID, + String protocolType) { + // TODO Auto-generated method stub + return null; + } + + @Override + public IAuthenticationSession getSessionWithUserNameID(String nameID) { + // TODO Auto-generated method stub + return null; + } + + @Override + public InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASession(String sessionID) { + // TODO Auto-generated method stub + return null; + } + + @Override + public InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASessionIDPID(String sessionID, + String idpID) { + // TODO Auto-generated method stub + return null; + } + + @Override + public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) + throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { + // TODO Auto-generated method stub + + } + + @Override + public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID) { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean removeInterfederetedSession(String entityID, String pedingRequestID) { + // TODO Auto-generated method stub + return false; + } + + @Override + public void clean(Date now, long authDataTimeOutCreated, long authDataTimeOutUpdated) { + // TODO Auto-generated method stub + + } + + @Override + public void markOAWithAttributeQueryUsedFlag(IAuthenticationSession session, String oaurl, String requestedModule) { + // TODO Auto-generated method stub + + } + + @Override + public void deleteIdpInformation(InterfederationSessionStore nextIDPInformation) { + // TODO Auto-generated method stub + + } + + @Override + public void persistIdpInformation(InterfederationSessionStore nextIDPInformation) { + // TODO Auto-generated method stub + + } + + @Override + public OldSSOSessionIDStore checkSSOTokenAlreadyUsed(String ssoId) { + // TODO Auto-generated method stub + return null; + } + +} diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java new file mode 100644 index 000000000..44e3d5e2a --- /dev/null +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyOAConfig.java @@ -0,0 +1,289 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.security.PrivateKey; +import java.util.Collection; +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; + +public class DummyOAConfig implements IOAAuthParameters { + + private List foreignbPKSectors; + private String target; + private boolean hasBaseIdTransferRestriction; + + @Override + public Map getFullConfiguration() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getConfigurationValue(String key) { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getFriendlyName() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getPublicURLPrefix() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return false; + } + + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return hasBaseIdTransferRestriction; + } + + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + return target; + } + + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isInderfederationIDP() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isSTORKPVPGateway() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRemovePBKFromAuthBlock() { + // TODO Auto-generated method stub + return false; + } + + @Override + public String getKeyBoxIdentifier() { + // TODO Auto-generated method stub + return null; + } + + @Override + public SAML1ConfigurationParameters getSAML1Parameter() { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getTemplateURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getAditionalAuthBlockText() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getBKUURL(String bkutype) { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getBKUURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean useSSO() { + return false; + } + + @Override + public boolean useSSOQuestion() { + // TODO Auto-generated method stub + return false; + } + + @Override + public List getMandateProfiles() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isShowMandateCheckBox() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isOnlyMandateAllowed() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isShowStorkLogin() { + // TODO Auto-generated method stub + return false; + } + + @Override + public String getQaaLevel() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isRequireConsentForStorkAttributes() { + // TODO Auto-generated method stub + return false; + } + + @Override + public Collection getRequestedSTORKAttributes() { + // TODO Auto-generated method stub + return null; + } + + @Override + public byte[] getBKUSelectionTemplate() { + // TODO Auto-generated method stub + return null; + } + + @Override + public byte[] getSendAssertionTemplate() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Collection getPepsList() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getIDPAttributQueryServiceURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isInboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isInterfederationSSOStorageAllowed() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isOutboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isTestCredentialEnabled() { + // TODO Auto-generated method stub + return false; + } + + @Override + public List getTestCredentialOIDs() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isUseIDLTestTrustStore() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isUseAuthBlockTestTestStore() { + // TODO Auto-generated method stub + return false; + } + + @Override + public PrivateKey getBPKDecBpkDecryptionKey() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean isPassivRequestUsedForInterfederation() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isPerformLocalAuthenticationOnInterfederationError() { + // TODO Auto-generated method stub + return false; + } + + @Override + public Collection getStorkAPs() { + // TODO Auto-generated method stub + return null; + } + + @Override + public List getReversionsLoggingEventCodes() { + // TODO Auto-generated method stub + return null; + } + + @Override + public List foreignbPKSectorsRequested() { + return foreignbPKSectors; + + } + + public void setForeignbPKSectors(List foreignSectors) { + this.foreignbPKSectors = foreignSectors; + + } + + public void setTarget(String target) { + this.target = target; + } + + public void setHasBaseIdTransferRestriction(boolean hasBaseIdTransferRestriction) { + this.hasBaseIdTransferRestriction = hasBaseIdTransferRestriction; + } + + +} diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java index 71956990e..3cd9d9476 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/UserRestrictionWhiteListTest.java @@ -1,16 +1,10 @@ package at.gv.egovernment.moa.id.config.auth.data; -import java.io.IOException; -import java.io.InputStreamReader; - -import org.apache.commons.io.IOUtils; -import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; -import org.opensaml.xml.ConfigurationException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; @RunWith(SpringJUnit4ClassRunner.class) diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java index 3ecbb84a2..ebed519f1 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java @@ -38,6 +38,8 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageExcepti public class TestRequestImpl implements IRequest { private String processInstanceID = null; + + public static final String DUMMY_AUTH_URL = "http://dummyIDP/"; /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IRequest#requestedModule() @@ -152,8 +154,7 @@ public class TestRequestImpl implements IRequest { */ @Override public String getAuthURL() { - // TODO Auto-generated method stub - return null; + return DUMMY_AUTH_URL; } /* (non-Javadoc) diff --git a/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv index 099fc0f7e..c33de9970 100644 --- a/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv +++ b/id/server/idserverlib/src/test/resources/BPK-Whitelist_20180607.csv @@ -7,4 +7,6 @@ ZP-MH:DJ6nGg2JgcPH768BhqTNXVsGhOY=, JWiLzwktCITGg+ztRKEAwWloSNM=, ZP-MH:+cyQbhr1fQ8hLhazL62tFRq47iY=, ZP-MH:AFmfywfYPHcl2Lxp138upielmrs=, -ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0= +ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0=, +ZP-MH:yPAOTsc9LY5/jnbkWn2MWY6hjg0=:asdfadsfasdf, +ZP-AT:yPAOTsc9LY5/jnbkWn2MWY6hjg0= diff --git a/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml index 85788714a..65e48987a 100644 --- a/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml +++ b/id/server/idserverlib/src/test/resources/SpringTest-context_basic_user_whitelist.xml @@ -9,10 +9,21 @@ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + + + + + + + + +
-- cgit v1.2.3 From 92982d1ee7f13e5206ea192776b0a042d2ddea2f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 12 Jun 2018 12:08:12 +0200 Subject: fix wrong encoding in EncryptedBPKAttributeBuilder --- .../egovernment/moa/id/auth/builder/BPKBuilder.java | 3 ++- .../attributes/EncryptedBPKAttributeBuilder.java | 19 +++++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 14de65e36..865f7e6b4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -171,7 +171,8 @@ public class BPKBuilder { try { byte[] inputBytes = input.getBytes("ISO-8859-1"); result = encrypt(inputBytes, publicKey); - return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", ""); + + return new String(java.util.Base64.getEncoder().encode(result), "ISO-8859-1").replaceAll("\r\n", ""); } catch (Exception e) { throw new BuildException("bPK encryption FAILED", null, e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java index f5c48b826..d15f545ae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -23,12 +23,9 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { @@ -40,10 +37,10 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { IAttributeGenerator g) throws AttributeException { if (authData.getEncbPKList() != null && - authData.getEncbPKList().size() > 0) { - String value = "(" + authData.getEncbPKList().get(0) + ")"; + authData.getEncbPKList().size() > 0) { + String value = addPreAndSufix(authData.getEncbPKList().get(0)); for (int i=1; i Date: Fri, 15 Jun 2018 13:33:59 +0200 Subject: Add operation identifier for signature validation step --- .../moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java | 2 +- .../src/main/resources/resources/properties/id_messages_de.properties | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 407454c2a..cc26b8b6e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -118,7 +118,7 @@ public class VerifyXMLSignatureResponseValidator { throws ValidateException, ConfigurationException { if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) - throw new ValidateException("validator.06", null); + throw new ValidateException("validator.06", new Object[] {whatToCheck}); if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { String checkFailedReason =""; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 799b32025..49ef8220d 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -154,7 +154,7 @@ validator.03=Der Namespace eines \u00F6ffentlicher Schl\u00FCssels ist ung\u00FC validator.04=Es wurde ein SAML\:Attribut ohne \u00F6ffentlichen Schl\u00FCssel gefunden {0} validator.05=Es wurde {0} keine DSIG:Signature gefunden -validator.06=Die Signatur ist ung\u00FCltig +validator.06=Die Signatur ist ung\u00FCltig. Operation: {0} validator.07=Das Zertifikat der Personenbindung ist ung\u00FCltig.
{0} validator.08=Das Manifest ist ung\u00FCltig validator.09=Die \u00F6ffentlichen Schl\u00FCssel des Identitiy Link stimmen nicht mit dem retournierten Zertifikat \u00FCberein -- cgit v1.2.3 From 30e324851d67bd900471457e3c30a19b4073ec77 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 25 Jun 2018 13:22:20 +0200 Subject: add SP specific configuration for SL2.0 --- .../java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index e093ce1e2..db0170e54 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -476,7 +476,9 @@ public class AuthenticationManager extends MOAIDAuthConstants { try { //put pending-request ID on execurtionContext executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID()); - + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SP_CONFIG, pendingReq.getOnlineApplicationConfiguration()); + + // create process instance String processDefinitionId = ModuleRegistration.getInstance().selectProcess(executionContext); -- cgit v1.2.3