From 9122bf6862fe34881e5454f54c69692b7f5ed083 Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Fri, 31 Jan 2014 16:21:13 +0100
Subject: fixed outgoing signrequest - mostly tested

---
 .../moa/id/auth/AuthenticationServer.java          | 40 +++++++++++++----
 .../moa/id/auth/servlet/PEPSConnectorServlet.java  | 52 +++++++++++++++++-----
 .../moa/id/auth/stork/STORKResponseProcessor.java  | 51 ---------------------
 3 files changed, 73 insertions(+), 70 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 209743f45..146137a2c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -31,6 +31,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringWriter;
+import java.math.BigInteger;
 import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.cert.CertificateException;
@@ -49,6 +50,7 @@ import javax.servlet.http.HttpSession;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
@@ -123,7 +125,6 @@ import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
 import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.Random;
-import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.XMLUtil;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
 import at.gv.egovernment.moa.logging.LogMsg;
@@ -142,10 +143,14 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest.PEPSData;
 import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse;
 import at.gv.util.xsd.srzgw.MISType;
 import at.gv.util.xsd.srzgw.MISType.Filters;
+import eu.stork.oasisdss.api.AdditionalProfiles;
 import eu.stork.oasisdss.api.ApiUtils;
 import eu.stork.oasisdss.api.ApiUtilsException;
+import eu.stork.oasisdss.api.Profiles;
+import eu.stork.oasisdss.api.QualityLevels;
+import eu.stork.oasisdss.api.SignatureTypes;
+import eu.stork.oasisdss.profile.AnyType;
 import eu.stork.oasisdss.profile.DocumentType;
-import eu.stork.oasisdss.profile.InputDocuments;
 import eu.stork.oasisdss.profile.SignRequest;
 import eu.stork.peps.auth.commons.PEPSUtil;
 import eu.stork.peps.auth.commons.PersonalAttribute;
@@ -1912,7 +1917,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     	PersonalAttribute newAttribute = new PersonalAttribute();
     	newAttribute.setName("signedDoc");
     	List<String> value = new ArrayList<String>();
-    	value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im  Signaturzertifikat (as in my signature certificate)", oaParam, moasession), "application/xhtml+xml"));
+    	value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im  Signaturzertifikat (as in my signature certificate)", oaParam, moasession),
+    			"application/xhtml+xml",
+    			moasession.getCcc()));
     	newAttribute.setValue(value);
     	attributeList.add(newAttribute);
 
@@ -2004,20 +2011,37 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination());
 	}
 
-	private static String generateDssSignRequest(String text, String  mimeType) {
+	private static String generateDssSignRequest(String text, String  mimeType, String citizenCountry) {
 		IdentifierGenerator idGenerator;
 		try {
 			idGenerator = new SecureRandomIdentifierGenerator();
 			
 			DocumentType doc = new DocumentType();
-			doc.setBase64XML(Base64.encodeBytes(text.getBytes()).getBytes());
+			doc.setBase64XML(text.getBytes());
+			doc.setID(idGenerator.generateIdentifier());
 			
 			SignRequest request = new SignRequest();
 			request.setInputDocuments(ApiUtils.createInputDocuments(doc));
 			
-			request.setRequestID(idGenerator.generateIdentifier());
+			String id = idGenerator.generateIdentifier();
+			request.setRequestID(id);
+			request.setDocUI(id);
 			
-			return ApiUtils.marshalToDocument(request).getTextContent();
+			request.setProfile(Profiles.XADES_BES.toString());
+			request.setNumberOfSigners(BigInteger.ONE);
+			request.setTargetCountry(citizenCountry);
+
+			// no, no todo. PEPS will alter this value anyhow.
+			request.setReturnURL("http://invalid_return");
+			
+			AnyType required = new AnyType();
+			required.getAny().add(ApiUtils.createSignatureType(SignatureTypes.XMLSIG_RFC3275.toString()));
+			required.getAny().add(ApiUtils.createAdditionalProfile(AdditionalProfiles.XADES.toString()));
+			required.getAny().add(ApiUtils.createQualityRequirements(QualityLevels.QUALITYLEVEL_QUALIFIEDSIG));
+			required.getAny().add(ApiUtils.createIncludeObject(doc));
+			request.setOptionalInputs(required);
+			
+			return IOUtils.toString(ApiUtils.marshalToInputStream(request));
 		} catch (NoSuchAlgorithmException e) {
 			Logger.error("Cannot generate id", e);
 			throw new RuntimeException(e);
@@ -2027,7 +2051,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		} catch (DOMException e) {
 			Logger.error("Could not create SignRequest", e);
 			throw new RuntimeException(e);
-		} catch (ParserConfigurationException e) {
+		} catch (IOException e) {
 			Logger.error("Could not create SignRequest", e);
 			throw new RuntimeException(e);
 		}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 9dfce7838..a3c8ebe4d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -1,7 +1,10 @@
 package at.gv.egovernment.moa.id.auth.servlet;
 
+import iaik.x509.X509Certificate;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.StringWriter;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -10,19 +13,19 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
 import javax.xml.transform.stream.StreamSource;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.StatusCode;
-import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -33,14 +36,14 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.proxy.parser.SAMLResponseParser;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
 import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.util.xsd.xmldsig.SignatureType;
+import at.gv.util.xsd.xmldsig.X509DataType;
 import eu.stork.oasisdss.api.ApiUtils;
-import eu.stork.oasisdss.api.LightweightSourceResolver;
+import eu.stork.oasisdss.profile.DocumentWithSignature;
 import eu.stork.oasisdss.profile.SignResponse;
 import eu.stork.peps.auth.commons.PEPSUtil;
 import eu.stork.peps.auth.commons.PersonalAttribute;
@@ -173,14 +176,41 @@ public class PEPSConnectorServlet extends AuthServlet {
 			//extract signed doc element and citizen signature
 			String citizenSignature = null;
 			try {
-				citizenSignature = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
+				
+				List<DocumentWithSignature> doclocations = ApiUtils.findNamedElement(dssSignResponse.getOptionalOutputs(), DocumentWithSignature.class.getSimpleName(), DocumentWithSignature.class);
+				// TODO handle multiple docs?
+				Logger.debug("trying first doclocation");
+				String docUrl = doclocations.get(0).getDocument().getDocumentURL();
+				Logger.debug("trying first doclocation successful");
+				
+				// fetch signed doc
+				URL url = new URL(docUrl);
+				InputStream incomming = url.openStream();
+				citizenSignature = IOUtils.toString(incomming);
+				incomming.close();
+				
+				JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
+				SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue();
+	            
+				// memorize signature into authblock
 				moaSession.setAuthBlock(citizenSignature);
+
+				// extract certificate
+				for(Object current : root.getKeyInfo().getContent())
+					if(((JAXBElement<?>) current).getValue() instanceof X509DataType) {
+						for(Object currentX509Data : ((JAXBElement<X509DataType>) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
+							JAXBElement<?> casted = ((JAXBElement<?>) currentX509Data);
+							if(casted.getName().getLocalPart().equals("X509Certificate")) {
+								moaSession.setSignerCertificate(new X509Certificate(((String)casted.getValue()).getBytes()));
+								break;
+							}
+						}
+					}
 				
-				// FIXME untested
-				Element sepp = (Element) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(citizenSignature)));
-				moaSession.setSignerCertificate(AuthenticationServer.getCertificateFromXML(sepp));
 				
-			} catch (Exception e) {
+			} catch (Throwable e) {
 				Logger.error("Could not extract citizen signature from C-PEPS", e);
 				throw new MOAIDException("stork.09", null);
 			}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index 20ceb2128..2534110d5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -57,57 +57,6 @@ public class STORKResponseProcessor {
 	/** OASIS DSS Success Message */
 	public static final String OASIS_DSS_SUCCESS_MSG = "urn:oasis:names:tc:dss:1.0:resultmajor:Success";
 	
-	/**
-	 * Extracts the signature value out of a DSS response
-	 * @param signatureResponse DSS signature response
-	 * @return signature 
-	 * @throws STORKException
-	 */
-	private static Element getSignature(Element signatureResponse) throws STORKException {
-		
-		NodeList nList = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "ResultMajor");
-				
-		String resultMajor = XMLUtil.getFirstTextValueFromNodeList(nList);
-		
-		if (StringUtils.isEmpty(resultMajor)) {					
-			String msg = "DSS response not correct, ResultMajor element missing.";
-			Logger.error(msg);
-			throw new STORKException(msg);
-		}
-		
-		Logger.trace("ResultMajor of DSS response: " + resultMajor);
-		
-		if (!OASIS_DSS_SUCCESS_MSG.equals(resultMajor)) {
-			String msg = "DSS response not correct, ResultMajor is " + resultMajor;
-			Logger.error(msg);
-			throw new STORKException(msg);
-		}
-				
-		NodeList nList2 = signatureResponse.getElementsByTagNameNS(OASIS_DSS_NS, "Base64Signature");; 
-		
-		String base64SigString = XMLUtil.getFirstTextValueFromNodeList(nList2);
-		
-		if (StringUtils.isEmpty(base64SigString)) {					
-			String msg = "DSS response not correct, Base64Signature element missing.";
-			Logger.error(msg);
-			throw new STORKException(msg);
-		}
-		
-		Logger.trace("Base64Signature element of DSS response: " + base64SigString);
-		
-		String sigString = new String(Base64.decode(base64SigString));
-		
-		try {
-			return XMLUtil.stringToDOM(sigString);
-		} catch (Exception e) {
-			String msg = "Unable to extract signature from DSS response";
-			Logger.error(msg);
-			throw new STORKException(msg);
-		} 
-		
-		
-	}
-	
 	/**
 	 * Checks for attribute.
 	 *
-- 
cgit v1.2.3