From 1626ac9867cd5406b83e73651080e33c11fb98d1 Mon Sep 17 00:00:00 2001 From: kstranacher_eGovL Date: Thu, 12 Jul 2012 11:27:13 +0000 Subject: Integration of STORK git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1285 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../.settings/org.eclipse.jdt.core.prefs | 8 +- .../.settings/org.eclipse.wst.common.component | 14 +- .../org.eclipse.wst.common.project.facet.core.xml | 4 +- id/server/idserverlib/pom.xml | 15 +- .../moa/id/auth/AuthenticationServer.java | 394 ++++++++++++++++++-- .../moa/id/auth/MOAIDAuthConstants.java | 2 + .../moa/id/auth/builder/BPKBuilder.java | 4 +- .../builder/CreateXMLSignatureRequestBuilder.java | 49 ++- .../moa/id/auth/data/AuthenticationSession.java | 25 +- .../moa/id/auth/servlet/AuthServlet.java | 64 ++++ .../moa/id/auth/servlet/GetForeignIDServlet.java | 143 ++------ .../id/auth/servlet/GetMISSessionIDServlet.java | 16 +- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 227 ++++++++++++ .../auth/servlet/StartAuthenticationServlet.java | 80 ++-- .../servlet/VerifyAuthenticationBlockServlet.java | 15 +- .../moa/id/auth/stork/AssertionVerifier.java | 56 +++ .../moa/id/auth/stork/CredentialProvider.java | 50 +++ .../id/auth/stork/KeyStoreCredentialProvider.java | 126 +++++++ .../auth/stork/PEPSConnectorAssertionVerifier.java | 241 ++++++++++++ .../auth/stork/PEPSConnectorResponseVerifier.java | 153 ++++++++ .../moa/id/auth/stork/ResponseVerifier.java | 44 +++ .../id/auth/stork/STORKAuthnRequestProcessor.java | 170 +++++++++ .../moa/id/auth/stork/STORKException.java | 42 +++ .../moa/id/auth/stork/STORKResponseProcessor.java | 405 +++++++++++++++++++++ .../moa/id/auth/stork/VelocityProvider.java | 88 +++++ .../moa/id/config/ConfigurationBuilder.java | 322 +++++++++++++++- .../id/config/auth/AuthConfigurationProvider.java | 28 +- .../moa/id/config/auth/OAAuthParameter.java | 60 ++- .../gv/egovernment/moa/id/config/stork/CPEPS.java | 98 +++++ .../moa/id/config/stork/STORKConfig.java | 90 +++++ .../config/stork/SignatureCreationParameter.java | 112 ++++++ .../stork/SignatureVerificationParameter.java | 35 ++ .../at/gv/egovernment/moa/id/util/HTTPUtils.java | 46 +++ .../moa/id/util/ParamValidatorUtils.java | 141 ++++--- .../resources/properties/id_messages_de.properties | 11 + 35 files changed, 3084 insertions(+), 294 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/AssertionVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/CredentialProvider.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/KeyStoreCredentialProvider.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorResponseVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/ResponseVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKAuthnRequestProcessor.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/VelocityProvider.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureCreationParameter.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureVerificationParameter.java (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/.settings/org.eclipse.jdt.core.prefs b/id/server/idserverlib/.settings/org.eclipse.jdt.core.prefs index 8bba65ebb..6d046587d 100644 --- a/id/server/idserverlib/.settings/org.eclipse.jdt.core.prefs +++ b/id/server/idserverlib/.settings/org.eclipse.jdt.core.prefs @@ -1,7 +1,7 @@ -#Thu Sep 20 14:35:41 CEST 2007 eclipse.preferences.version=1 -org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.4 -org.eclipse.jdt.core.compiler.compliance=1.4 +org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5 +org.eclipse.jdt.core.compiler.compliance=1.5 org.eclipse.jdt.core.compiler.problem.assertIdentifier=warning org.eclipse.jdt.core.compiler.problem.enumIdentifier=warning -org.eclipse.jdt.core.compiler.source=1.4 +org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning +org.eclipse.jdt.core.compiler.source=1.5 diff --git a/id/server/idserverlib/.settings/org.eclipse.wst.common.component b/id/server/idserverlib/.settings/org.eclipse.wst.common.component index 87b873d7b..a5eb3d4d8 100644 --- a/id/server/idserverlib/.settings/org.eclipse.wst.common.component +++ b/id/server/idserverlib/.settings/org.eclipse.wst.common.component @@ -1,7 +1,7 @@ - - - - - - - + + + + + + + \ No newline at end of file diff --git a/id/server/idserverlib/.settings/org.eclipse.wst.common.project.facet.core.xml b/id/server/idserverlib/.settings/org.eclipse.wst.common.project.facet.core.xml index 30c02fe23..656f15b87 100644 --- a/id/server/idserverlib/.settings/org.eclipse.wst.common.project.facet.core.xml +++ b/id/server/idserverlib/.settings/org.eclipse.wst.common.project.facet.core.xml @@ -2,6 +2,6 @@ - - + + \ No newline at end of file diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index 24d9452c2..7fbde1c6a 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -131,10 +131,23 @@ commons-lang 2.6 + + MOA.id + stork-saml-engine + 1.5.2 + + + org.apache.maven.plugins + maven-compiler-plugin + + 1.5 + 1.5 + + org.apache.maven.plugins maven-jar-plugin @@ -179,7 +192,7 @@ http://java.sun.com/j2se/1.5.0/docs/api/ http://logging.apache.org/log4j/docs/api/ - 1.4 + 1.5 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a58f5fce2..a57ab5262 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -29,8 +29,12 @@ import iaik.x509.X509Certificate; import java.io.ByteArrayInputStream; import java.io.File; import java.io.IOException; +import java.io.InputStream; import java.security.GeneralSecurityException; import java.security.Principal; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.HashMap; @@ -41,18 +45,24 @@ import java.util.Map; import java.util.Set; import java.util.Vector; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.apache.xpath.XPathAPI; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.xml.util.Base64; +import org.opensaml.xml.util.XMLHelper; import org.w3c.dom.Document; import org.w3c.dom.Element; -import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.ServiceException; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; @@ -83,6 +93,9 @@ import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; +import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor; +import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -90,6 +103,9 @@ import at.gv.egovernment.moa.id.auth.validator.ValidateException; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; import at.gv.egovernment.moa.id.auth.validator.parep.ParepValidator; +import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse; +import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient; +import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; @@ -98,6 +114,8 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter; import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters; +import at.gv.egovernment.moa.id.config.stork.CPEPS; +import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -113,6 +131,15 @@ import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; +import eu.stork.mw.messages.saml.STORKAuthnRequest; +import eu.stork.vidp.messages.builder.STORKMessagesBuilder; +import eu.stork.vidp.messages.common.STORKConstants; +import eu.stork.vidp.messages.exception.SAMLException; +import eu.stork.vidp.messages.exception.SAMLValidationException; +import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; +import eu.stork.vidp.messages.stork.RequestedAttributes; +import eu.stork.vidp.messages.util.SAMLUtil; +import eu.stork.vidp.messages.util.XMLUtil; /** * API for MOA ID Authentication Service.
{@link AuthenticationSession} is @@ -543,16 +570,16 @@ public class AuthenticationServer implements MOAIDAuthConstants { int b = xmlInfoboxReadResponse.indexOf(se); if (b != -1) { // no identity link found Logger - .info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als ausländische eID."); + .info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als ausl�ndische eID."); return null; } - // spezifikationsgemäßer (SL1.2) Errorcode + // spezifikationsgem��er (SL1.2) Errorcode se = "ErrorCode>4002"; // b = xmlInfoboxReadResponse.contains(se); b = xmlInfoboxReadResponse.indexOf(se); if (b != -1) { // Unbekannter Infoboxbezeichner Logger - .info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als ausländische eID."); + .info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als ausl�ndische eID."); return null; } @@ -1732,7 +1759,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // builds authentication data and stores it together with a SAML // artifact AuthenticationData authData = buildAuthenticationData(session, vsresp, - useUTC); + useUTC, false); if (session.getUseMandate()) { // mandate mode @@ -2037,17 +2064,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthenticationSession session = getSession(sessionID); // AuthConfigurationProvider authConf = // AuthConfigurationProvider.getInstance(); - try { - String serializedAssertion = DOMUtils.serializeNode(session - .getIdentityLink().getSamlAssertion()); - session.setAuthBlock(serializedAssertion); - } catch (TransformerException e) { - throw new ParseException("parser.04", new Object[] { - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); - } catch (IOException e) { - throw new ParseException("parser.04", new Object[] { - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); - } + // post processing of the infoboxes Iterator iter = session.getInfoboxValidatorIterator(); boolean formpending = false; @@ -2097,7 +2114,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { boolean useCondition = oaParam.getUseCondition(); int conditionLength = oaParam.getConditionLength(); AuthenticationData authData = buildAuthenticationData(session, vsresp, - useUTC); + useUTC, true); String samlAssertion = new AuthenticationDataAssertionBuilder().build( authData, session.getAssertionPrPerson(), session @@ -2141,6 +2158,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { * authentication session * @param verifyXMLSigResp * VerifyXMLSignatureResponse from MOA-SP + * @param useUTC uses correct UTC time format + * @param useUTC indicates that authenticated citizen is a foreigner + * @param isForeigner indicates whether Austrian (false) or foreigner (true) authenticates * @return AuthenticationData object * @throws ConfigurationException * while accessing configuration data @@ -2149,7 +2169,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ private AuthenticationData buildAuthenticationData( AuthenticationSession session, - VerifyXMLSignatureResponse verifyXMLSigResp, boolean useUTC) + VerifyXMLSignatureResponse verifyXMLSigResp, boolean useUTC, boolean isForeigner) throws ConfigurationException, BuildException { IdentityLink identityLink = session.getIdentityLink(); @@ -2196,21 +2216,44 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } authData.setSignerCertificate(signerCertificateBase64); - if (businessService) { - authData.setWBPK(identityLink.getIdentificationValue()); + if(!isForeigner) { + //we have Austrian citizen + if (businessService) { + authData.setWBPK(identityLink.getIdentificationValue()); + } else { + authData.setBPK(identityLink.getIdentificationValue()); + + // BZ.., calculation of bPK already before sending AUTHBlock + /* + * if(identityLink.getIdentificationType().equals(Constants. + * URN_PREFIX_BASEID)) { // only compute bPK if online + * application is a public service and we have the Stammzahl + * String bpkBase64 = new BPKBuilder().buildBPK( + * identityLink.getIdentificationValue(), session.getTarget()); + * authData.setBPK(bpkBase64); } + */ + + } } else { - authData.setBPK(identityLink.getIdentificationValue()); - - // BZ.., calculation of bPK already before sending AUTHBlock - /* - * if(identityLink.getIdentificationType().equals(Constants. - * URN_PREFIX_BASEID)) { // only compute bPK if online - * application is a public service and we have the Stammzahl - * String bpkBase64 = new BPKBuilder().buildBPK( - * identityLink.getIdentificationValue(), session.getTarget()); - * authData.setBPK(bpkBase64); } - */ - + //we have foreigner, thus we have to calculate bPK and wbPK now (after receiving identity link from SZR-GW + if (businessService) { + //since we have foreigner, wbPK is not calculated in BKU + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), session.getDomainIdentifier()); + authData.setWBPK(wbpkBase64); + } + + } else { + + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), session.getTarget()); + authData.setBPK(bpkBase64); + } + + + } + } String ilAssertion = oaParam.getProvideIdentityLink() ? identityLink .getSerializedSamlAssertion() @@ -2227,8 +2270,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setAssertionBusinessService(businessService); session.setAssertionIlAssertion(ilAssertion); session.setAssertionPrPerson(prPerson); - session - .setAssertionSignerCertificateBase64(signerCertificateBase64); + session.setAssertionSignerCertificateBase64(signerCertificateBase64); return authData; @@ -2482,4 +2524,288 @@ public class AuthenticationServer implements MOAIDAuthConstants { return value; } + + /** + * Does the request to the SZR-GW + * @param signature XMLDSIG signature + * @return Identity link assertion + * @throws SZRGWClientException + */ + public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException { + + SZRGWClient client = new SZRGWClient(); + + try { + AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); + ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter(); + + client.setAddress(connectionParameters.getUrl()); + if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) { + Logger.debug("Initialisiere SSL Verbindung"); + try { + client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters)); + } catch (IOException e) { + Logger.error("Could not initialize SSL Factory", e); + throw new SZRGWClientException("Could not initialize SSL Factory"); + } catch (GeneralSecurityException e) { + Logger.error("Could not initialize SSL Factory", e); + throw new SZRGWClientException("Could not initialize SSL Factory"); + } catch (PKIException e) { + Logger.error("Could not initialize SSL Factory", e); + throw new SZRGWClientException("Could not initialize SSL Factory"); + } + } + Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")..."); + } + catch (ConfigurationException e) { + Logger.warn(e); + Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null )); + } + + // create request + CreateIdentityLinkResponse response = null; + Element request = null; + try { + Document doc = client.buildGetIdentityLinkRequest(PEPSIdentifier, PEPSFirstname, PEPSFamilyname, PEPSDateOfBirth, signature); + request = doc.getDocumentElement(); + + // send request + response = client.createIdentityLinkResponse(request); + } catch (SZRGWClientException e) { + // give him a second try - Nach dem Starten des Tomcat wird beim ersten Mal das Client-Zertifikat offenbar vom HTTPClient nicht mitgeschickt. + try { + response = client.createIdentityLinkResponse(request); + } + catch (SZRGWClientException e1) { + throw new SZRGWClientException(e1); + } + } + + + return response; + + } + + /** + * Starts a MOA-ID authentication process using STORK + * @param req HttpServletRequest + * @param resp HttpServletResponse + * @param ccc Citizen country code + * @param oaURL URL of the online application + * @param target Target parameter + * @param targetFriendlyName Friendly Name of Target + * @param authURL Authentication URL + * @param sourceID SourceID parameter + * @throws MOAIDException + * @throws AuthenticationException + * @throws WrongParametersException + * @throws ConfigurationException + */ + public static void startSTORKAuthentication( + HttpServletRequest req, + HttpServletResponse resp, + String ccc, + String oaURL, + String target, + String targetFriendlyName, + String authURL, + String sourceID) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException { + + //read configuration paramters of OA + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); + if (oaParam == null) + throw new AuthenticationException("auth.00", new Object[] { oaURL }); + + if (!oaParam.getBusinessService()) { + if (StringUtils.isEmpty(target)) + throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.05"); + } else { + target = null; + } + + //create MOA session + AuthenticationSession moaSession = newSession(); + Logger.info("MOASession " + moaSession.getSessionID() + " angelegt"); + moaSession.setTarget(target); + moaSession.setTargetFriendlyName(targetFriendlyName); + moaSession.setOAURLRequested(oaURL); + moaSession.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); + moaSession.setAuthURL(authURL); + moaSession.setBusinessService(oaParam.getBusinessService()); + moaSession.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); + if (sourceID != null) + moaSession.setSourceID(sourceID); + + //Start of STORK Processing + STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); + + CPEPS cpeps = storkConfig.getCPEPS(ccc); + + Logger.debug("Preparing to assemble STORK AuthnRequest witht the following values:"); + String destination = cpeps.getPepsURL().toExternalForm(); + Logger.debug("C-PEPS URL: " + destination); + + String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); + + String providerName= oaParam.getFriendlyName(); + String issuerValue = HTTPUtils.getBaseURL(req); + Logger.debug("Issuer value: " + issuerValue); + + QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); + Logger.debug("QAALevel: " + qaaLevel.getValue()); + + RequestedAttributes requestedAttributes; + + requestedAttributes = oaParam.getRequestedAttributes(); + requestedAttributes.detach(); + List reqAttributeList = new ArrayList(); + List oaReqAttributeList = new ArrayList(oaParam.getRequestedAttributes().getRequestedAttributes()); + //check if country specific attributes must be additionally requested + if (!cpeps.getCountrySpecificRequestedAttributes().isEmpty()) { + //add country specific attributes to be requested (Hierarchy: default oa attributes > country specific attributes > oa specific attributes + Logger.debug("We have addtional country specific attributes to be requested from the C-PEPS of country: " + ccc); + Logger.debug("The following attributes are requested for this specific country:"); + List countrySpecificReqAttributeList = new ArrayList(cpeps.getCountrySpecificRequestedAttributes()); + for (RequestedAttribute csReqAttr : countrySpecificReqAttributeList) { + csReqAttr.detach(); + if (!STORKConstants.DEFAULT_STORK_REQUESTED_ATTRIBUTE_SET.contains(csReqAttr.getName())) { + //this country specific attribute does not override default attribute + if (SAMLUtil.containsAttribute(oaReqAttributeList, csReqAttr.getName())) { + //the same attribute is requested for OA, applying hierachy + //remove oa attribute + oaReqAttributeList.remove(SAMLUtil.getAttribute(oaReqAttributeList, csReqAttr.getName())); + //add country specific attribute instead + Logger.debug("Requested Attribute (" + csReqAttr.getName() + ") is also requested by OA but we use Country Specific value instead"); + } + oaReqAttributeList.add(csReqAttr); + Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired()); + } else { + Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired() + " tries to overwrite default requested and required attributes, hence we skip it."); + } + + } + reqAttributeList.addAll(oaReqAttributeList); + } else { + //no country specific requested attributes + reqAttributeList.addAll(oaReqAttributeList); + } + + reqAttributeList = (List) SAMLUtil.releaseDOM(reqAttributeList); + requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes(reqAttributeList); + + if (Logger.isDebugEnabled()) { + Logger.debug("The following attributes are requested for this OA:"); + for (RequestedAttribute logReqAttr : reqAttributeList) { + Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isRequired()); + + } + } + + String spSector = StringUtils.isEmpty(target) ? "Business" : target; + String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); + String spApplication = spInstitution; + String spCountry = "AT"; + + String textToBeSigned = + CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moaSession); + + //generate AuthnRquest + STORKAuthnRequest storkAuthnRequest = STORKAuthnRequestProcessor.generateSTORKAuthnRequest( + destination, + acsURL, + providerName, + issuerValue, + qaaLevel, + requestedAttributes, + spSector, + spInstitution, + spApplication, + spCountry, + textToBeSigned, + "application/xhtml+xml"); + + Logger.debug("STORK AuthnRequest succesfully assembled."); + + //sign AuthnRequest + String keyStorePath = storkConfig.getSignatureCreationParameter().getKeyStorePath(); + String keyStorePassword = storkConfig.getSignatureCreationParameter().getKeyStorePassword(); + String keyName = storkConfig.getSignatureCreationParameter().getKeyName(); + String keyPassword = storkConfig.getSignatureCreationParameter().getKeyPassword(); + + Logger.debug("Starting signing process of STORK AuthnRequest."); + Logger.trace("Using the following Keystore and Key for that:"); + Logger.trace("KeyStore: " + keyStorePath); + Logger.trace("KeyName: " + keyName); + + try { + storkAuthnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(storkAuthnRequest, keyStorePath, keyStorePassword, keyName, keyPassword); + } catch (SAMLException e) { + Logger.error("Could not sign STORK SAML AuthnRequest.", e); + throw new MOAIDException("stork.00", null); + } + + Logger.info("STORK AuthnRequest successfully signed!"); + + //validate AuthnRequest + try { + STORKAuthnRequestProcessor.validateSTORKAuthnRequest(storkAuthnRequest); + } catch (SAMLValidationException e) { + Logger.error("STORK SAML AuthnRequest not valid.", e); + throw new MOAIDException("stork.01", null); + } + + Logger.debug("STORK AuthnRequest successfully internally validated."); + + //send + moaSession.setStorkAuthnRequest(storkAuthnRequest); + HttpSession httpSession = req.getSession(); + httpSession.setAttribute("MOA-Session-ID", moaSession.getSessionID()); + + Logger.debug("Preparing to send STORK AuthnRequest."); + + try { + STORKAuthnRequestProcessor.sendSTORKAuthnRequest(req, resp, storkAuthnRequest); + } catch (Exception e) { + Logger.error("Error sending STORK SAML AuthnRequest.", e); + httpSession.invalidate(); + throw new MOAIDException("stork.02", new Object[] { destination }); + } + + Logger.info("STORK AuthnRequest successfully sent to: " + storkAuthnRequest.getDestination()); + Logger.debug("STORKAuthnRequest sent (pretty print): "); + Logger.debug(XMLHelper.prettyPrintXML(storkAuthnRequest.getDOM())); + Logger.trace("STORKAuthnRequest sent (original): "); + Logger.trace(XMLUtil.printXML(storkAuthnRequest.getDOM())); + + } + + /** + * Extracts an X509 Certificate out of an XML signagture element + * @param signedXML XML signature element + * @return X509Certificate + * @throws CertificateException + */ + public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException { + + NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate"); + + String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList); + + if (StringUtils.isEmpty(base64CertString)) { + String msg = "XML does not contain a X509Certificate element."; + Logger.error(msg); + throw new CertificateException(msg); + } + + InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString)); + + CertificateFactory cf; + X509Certificate cert = null; + cf = CertificateFactory.getInstance("X.509"); + cert = (X509Certificate)cf.generateCertificate(is); + + return cert; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index f3be98ef0..7d5835f20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -47,6 +47,8 @@ public interface MOAIDAuthConstants { public static final String PARAM_SOURCEID = "sourceID"; /** servlet parameter "BKUSelectionTemplate" */ public static final String PARAM_BKUTEMPLATE = "BKUSelectionTemplate"; + /** servlet parameter "CCC (Citizen Country Code)" */ + public static final String PARAM_CCC = "CCC"; /** servlet parameter "BKUSelectionTemplate" */ public static final String PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE = "InputProcessorSignTemplate"; /** default BKU URL */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index b6ba5871d..fa9789530 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -56,7 +56,7 @@ public class BPKBuilder { target.length() == 0)) { throw new BuildException("builder.00", - new Object[] {"BPK", "Unvollständige Parameterangaben: identificationValue=" + + new Object[] {"BPK", "Unvollständige Parameterangaben: identificationValue=" + identificationValue + ",target=" + target}); } String basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; @@ -86,7 +86,7 @@ public class BPKBuilder { registerAndOrdNr.length() == 0)) { throw new BuildException("builder.00", - new Object[] {"wbPK", "Unvollständige Parameterangaben: identificationValue=" + + new Object[] {"wbPK", "Unvollständige Parameterangaben: identificationValue=" + identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); } String basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index 9c696f245..2da7db2b2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java @@ -129,7 +129,31 @@ public class CreateXMLSignatureRequestBuilder implements Constants { * @return String representation of <CreateXMLSignatureRequest> */ public String buildForeignID(String subject, OAAuthParameter oaParam, AuthenticationSession session) { + + String request = ""; + request += ""; + request += "SecureSignatureKeypair"; + request += ""; + request += ""; + request += ""; + + request += buildForeignIDTextToBeSigned(subject, oaParam, session); + request += ""; + request += ""; + request += ""; + request += ""; + request += "application/xhtml+xml"; + request += ""; + request += ""; + request += ""; + request += ""; + + return request; + } + + public static String buildForeignIDTextToBeSigned(String subject, OAAuthParameter oaParam, AuthenticationSession session) { + String target = session.getTarget(); String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); @@ -137,14 +161,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants { String date = DateTimeUtils.buildDate(cal); String time = DateTimeUtils.buildTime(cal); - String request = ""; - request += ""; - request += "SecureSignatureKeypair"; - request += ""; - request += ""; - request += ""; - - request += ""; + String request = ""; + request += ""; //application/xhtml+xml text/html + //request += ""; request += ""; request += "Signatur der Anmeldedaten"; request += "