From 8673d715af90bb7df168f4bac9979ab48ee04e3e Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 21 Feb 2017 15:30:11 +0100
Subject: update javadoc

---
 .../java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index d2c827d55..fcf4c3ffa 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -32,7 +32,7 @@ public interface AuthConfiguration extends ConfigurationProvider{
 	 * Get a configuration value from basic file based MOA-ID configuration
 	 * 
 	 * @param key configuration key 
-	 * @return configuration value 
+	 * @return configuration value or null if it is not found
 	 */
 	public String getBasicMOAIDConfiguration(final String key);
 	
-- 
cgit v1.2.3


From 3979e8addd354e59d5601d1ad89b4fad228da2d5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 10 Mar 2017 16:02:16 +0100
Subject: fix possible DoS Bug

---
 .../src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index fed968443..62a168ac8 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -542,6 +543,7 @@ public class DOMUtils {
   
   /**
    * A convenience method to parse an XML document non validating.
+   * This method disallow DocType declarations 
    * 
    * @param inputStream The <code>InputStream</code> containing the XML
    * document.
@@ -552,10 +554,16 @@ public class DOMUtils {
    * parser.
    */
   public static Element parseXmlNonValidating(InputStream inputStream)
-    throws ParserConfigurationException, SAXException, IOException {
+    throws ParserConfigurationException, SAXException, IOException {	  
     return DOMUtils
-      .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null)
-      .getDocumentElement();
+      .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, 
+    		  Collections.unmodifiableMap(new HashMap<String, Object>() {
+    			  private static final long serialVersionUID = 1L;
+    			  {	
+    				  put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true);
+				
+    			  }
+    		  })).getDocumentElement();
   }
 
   /**
-- 
cgit v1.2.3


From 250a89d7eaeb1c8a905fa7bb2032992946fec40f Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 12 Jul 2017 14:42:09 +0200
Subject: add new demo module for dummy authentication

---
 id/server/auth-edu/pom.xml                         |   7 ++
 .../moa/id/commons/MOAIDAuthConstants.java         |   3 +-
 .../moa-id-module-bkaMobilaAuthSAML2Test/pom.xml   |  10 ++
 .../bkamobileauthtests/BKAMobileAuthModule.java    |  83 ++++++++++++++++
 .../BKAMobileAuthSpringResourceProvider.java       |  62 ++++++++++++
 .../tasks/FirstBKAMobileAuthTask.java              |  56 +++++++++++
 .../tasks/SecondBKAMobileAuthTask.java             | 104 +++++++++++++++++++++
 .../src/main/resources/BKAMobileAuth.process.xml   |  22 +++++
 ...iz.components.spring.api.SpringResourceProvider |   1 +
 .../main/resources/moaid_bka_mobileauth.beans.xml  |  25 +++++
 id/server/modules/pom.xml                          |   1 +
 pom.xml                                            |  10 +-
 12 files changed, 381 insertions(+), 3 deletions(-)
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/SecondBKAMobileAuthTask.java
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
 create mode 100644 id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/moaid_bka_mobileauth.beans.xml

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/auth-edu/pom.xml b/id/server/auth-edu/pom.xml
index 4e01c6260..b8bdad311 100644
--- a/id/server/auth-edu/pom.xml
+++ b/id/server/auth-edu/pom.xml
@@ -202,6 +202,13 @@
 			<artifactId>moa-id-module-ssoTransfer</artifactId>
 			<version>${moa-id-version}</version>
 		</dependency>
+
+		<dependency>
+			<groupId>MOA.id.server.modules</groupId>
+			<artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId>
+			<version>${moa-id-version}</version>
+		</dependency>				
+				
 				
 <!-- 		<dependency>
 			<groupId>org.apache.santuario</groupId>
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index 8d893be9d..b16941f51 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -181,6 +181,7 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication";
   public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection";
   public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest";
+  public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId";
   
   //General protocol-request data-store keys
   public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target";
@@ -189,5 +190,5 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   
   //General MOASession data-store keys
   public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
-  
+    
 }
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
new file mode 100644
index 000000000..0db2b26a8
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
@@ -0,0 +1,10 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>MOA.id.server.modules</groupId>
+    <artifactId>moa-id-modules</artifactId>
+    <version>${moa-id-version}</version>
+  </parent>
+  <artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId>
+  <description>BKA MobileAuth Test for SAML2 applications</description>
+</project>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
new file mode 100644
index 000000000..72087180a
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests;
+
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class BKAMobileAuthModule implements AuthModule {
+
+	private int priority = 1;
+	
+	@Autowired protected AuthConfiguration authConfig;
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+	 */
+	@Override
+	public int getPriority() {
+		return priority;
+	}
+
+	/**
+	 * Sets the priority of this module. Default value is {@code 0}.
+	 * @param priority The priority.
+	 */
+	public void setPriority(int priority) {
+		this.priority = priority;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+	 */
+	@Override
+	public String selectProcess(ExecutionContext context) {
+		String spEntityID = (String) context.get(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER);
+		if (MiscUtil.isNotEmpty(spEntityID)) {
+			String sensitiveSpIdentifier = authConfig.getBasicMOAIDConfiguration("modules.bkamobileAuth.entityID");
+			if (spEntityID.equalsIgnoreCase(sensitiveSpIdentifier))			
+				return "BKAMobileAuthentication";
+			
+		}
+		
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+	 */
+	@Override
+	public String[] getProcessDefinitions() {
+		return new String[] { "classpath:/BKAMobileAuth.process.xml" };
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
new file mode 100644
index 000000000..884129453
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvider {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+	 */
+	@Override
+	public Resource[] getResourcesToLoad() {
+		ClassPathResource authConfig = new ClassPathResource("/moaid_bka_mobileauth.beans.xml", BKAMobileAuthSpringResourceProvider.class);							
+		return new Resource[] {authConfig};
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+	 */
+	@Override
+	public String[] getPackagesToScan() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+	 */
+	@Override
+	public String getName() {
+		return "BKA MobileAuth SAML2 Test";
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
new file mode 100644
index 000000000..66112edc5
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("FirstBKAMobileAuthTask")
+public class FirstBKAMobileAuthTask extends AbstractAuthServletTask {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+
+		Logger.info("Redirect to Second BKA Mobile Auth task");	
+		performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/SecondBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/SecondBKAMobileAuthTask.java
new file mode 100644
index 000000000..4b18e7112
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/SecondBKAMobileAuthTask.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("SecondBKAMobileAuthTask")
+public class SecondBKAMobileAuthTask extends AbstractAuthServletTask {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		
+		try {
+			Logger.info("Add user credentials for BKA MobileAuth SAML2 test and finalize authentication");	
+			parseDemoValuesIntoMOASession(pendingReq, pendingReq.getMOASession());
+
+			// store MOASession into database
+	    	requestStoreage.storePendingRequest(pendingReq);
+						
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}		
+	}
+
+	/**
+	 * @param pendingReq
+	 * @param moaSession
+	 * @throws MOAIDException 
+	 */
+	private void parseDemoValuesIntoMOASession(IRequest pendingReq, IAuthenticationSession moaSession) throws MOAIDException {
+		moaSession.setUseMandates(false);
+		moaSession.setForeigner(false);
+		
+		moaSession.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest");			
+		moaSession.setQAALevel(PVPConstants.STORK_QAA_1_4);
+			
+		try {
+			String idlurl = FileUtils.makeAbsoluteURL(authConfig.getMonitoringTestIdentityLinkURL(), authConfig.getRootConfigFileDir());				
+		  	URL keystoreURL = new URL(idlurl);					
+			InputStream idlstream = keystoreURL.openStream();
+			IIdentityLink identityLink = new IdentityLinkAssertionParser(idlstream).parseIdentityLink();			
+			moaSession.setIdentityLink(identityLink);
+			
+		} catch (ParseException | IOException e) {
+			Logger.error("IdentityLink is not parseable.", e);
+			throw new MOAIDException("IdentityLink is not parseable.", null);
+			
+		}
+			
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
new file mode 100644
index 000000000..4a0f4d5f2
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="BKAMobileAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+<!--
+	STORK authentication both with C-PEPS supporting xml signatures and with C-PEPS not supporting xml signatures.
+-->
+	<pd:Task id="firstStep"                            class="FirstBKAMobileAuthTask" />
+	<pd:Task id="secondStep"                           class="SecondBKAMobileAuthTask" async="true" />
+	<pd:Task id="finalizeAuthentication" 							 class="FinalizeAuthenticationTask" />
+
+	<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
+	<pd:StartEvent id="start" />
+	
+	<pd:Transition from="start" to="firstStep" />	
+	<pd:Transition from="firstStep" to="secondStep"/>		
+	<pd:Transition from="secondStep" to="finalizeAuthentication" />
+	
+	<pd:Transition from="finalizeAuthentication"    to="end" />
+	
+	<pd:EndEvent id="end" />
+
+</pd:ProcessDefinition>
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..42dbf09e7
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.BKAMobileAuthSpringResourceProvider
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/moaid_bka_mobileauth.beans.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/moaid_bka_mobileauth.beans.xml
new file mode 100644
index 000000000..ef13b0348
--- /dev/null
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/moaid_bka_mobileauth.beans.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:aop="http://www.springframework.org/schema/aop"
+	xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+	<bean id="BKAMobileAuthModule" class="at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.BKAMobileAuthModule">
+		<property name="priority" value="1" />
+	</bean>
+ 						
+
+	<bean id="FirstBKAMobileAuthTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.FirstBKAMobileAuthTask"
+				scope="prototype"/>
+				
+	<bean id="SecondBKAMobileAuthTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.SecondBKAMobileAuthTask"
+				scope="prototype"/>
+																						
+</beans>
\ No newline at end of file
diff --git a/id/server/modules/pom.xml b/id/server/modules/pom.xml
index 3ca3497a0..000851a5f 100644
--- a/id/server/modules/pom.xml
+++ b/id/server/modules/pom.xml
@@ -32,6 +32,7 @@
 		<module>moa-id-module-elga_mandate_service</module>
 		
 		<module>moa-id-module-ssoTransfer</module>
+		<module>moa-id-module-bkaMobilaAuthSAML2Test</module>
 	</modules>
 	
 	<dependencies>
diff --git a/pom.xml b/pom.xml
index b834320cb..17ea3499e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -91,13 +91,13 @@
                     <name>local</name>
                     <url>file:${basedir}/../../../repository</url>
                 </repository>
-                <repository>
+<!--                 <repository>
                     <id>hyberjaxb</id>
                     <url>http://repository.highsource.org/maven2/releases/</url>
                     <releases>
                         <enabled>false</enabled>
                     </releases>
-                </repository>
+                </repository> -->
                 <repository>
                     <id>jboss</id>
                     <url>https://repository.jboss.org/nexus/content/repositories/central/</url>
@@ -524,6 +524,12 @@
     		<artifactId>moa-id-module-elga_mandate_service</artifactId>
     		<version>${moa-id-module-elga_mandate_client}</version>
 			</dependency>
+			 
+			<dependency>
+				<groupId>MOA.id.server.modules</groupId>
+				<artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId>
+				<version>${moa-id-version}</version>
+			</dependency>	
 			   			                         
              <dependency>
                 <groupId>MOA.id.server</groupId>
-- 
cgit v1.2.3


From 91d38d59b42ee77346b0d33315f403d8fa678576 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 17 Jul 2017 10:25:02 +0200
Subject: update MOA SAML2 metadata provider to support metadata located on
 file system

---
 .../validation/oa/OAPVP2ConfigValidation.java      | 105 +++++++--------
 .../pvp2x/metadata/MOAMetadataProvider.java        | 145 ++++++++++-----------
 .../pvp2x/metadata/SimpleMOAMetadataProvider.java  | 116 ++++++++++++++++-
 .../moa/id/commons/api/AuthConfiguration.java      |   3 +-
 .../utils/ELGAMandateServiceMetadataProvider.java  |  14 +-
 5 files changed, 244 insertions(+), 139 deletions(-)

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 61a380188..79e7e9252 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -111,81 +111,84 @@ public class OAPVP2ConfigValidation {
 					log.info("MetaDataURL has no valid form.");
 					errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request));
 				
-				} else {
-					
+				} else {					
 					if (certSerialized == null) {
 						log.info("No certificate for metadata validation");
 						errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
 						
-					} else {
-						
-						X509Certificate cert = new X509Certificate(certSerialized);
-						BasicX509Credential credential = new BasicX509Credential();
-						credential.setEntityCertificate(cert);
+					} else {						
+						if (form.getMetaDataURL().startsWith("http")) {						
+							X509Certificate cert = new X509Certificate(certSerialized);
+							BasicX509Credential credential = new BasicX509Credential();
+							credential.setEntityCertificate(cert);
 						
-						timer = new Timer();
-						httpClient = new MOAHttpClient();
+							timer = new Timer();
+							httpClient = new MOAHttpClient();
 						
-						if (form.getMetaDataURL().startsWith("https:"))
-							try {
-								MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-										"MOAMetaDataProvider",
-										ConfigurationProvider.getInstance().getCertStoreDirectory(), 
-										ConfigurationProvider.getInstance().getTrustStoreDirectory(),
-										null,
-										"pkix", 
-										true,
-										new String[]{"crl"},
-										false);
+							if (form.getMetaDataURL().startsWith("https:"))
+								try {
+									MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+											"MOAMetaDataProvider",
+											ConfigurationProvider.getInstance().getCertStoreDirectory(), 
+											ConfigurationProvider.getInstance().getTrustStoreDirectory(),
+											null,
+											"pkix", 
+											true,
+											new String[]{"crl"},
+											false);
 								
-									httpClient.setCustomSSLTrustStore(
-											form.getMetaDataURL(), 
-											protoSocketFactory);
+										httpClient.setCustomSSLTrustStore(
+												form.getMetaDataURL(), 
+												protoSocketFactory);
 	
-							} catch (MOAHttpProtocolSocketFactoryException e) {
-								log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
+								} catch (MOAHttpProtocolSocketFactoryException e) {
+									log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
 								
-							} catch (ConfigurationException e) {
-								log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e);
+								} catch (ConfigurationException e) {
+									log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e);
 								
-							} 
+								} 
 
-						List<MetadataFilter> filterList = new ArrayList<MetadataFilter>();
-						filterList.add(new MetaDataVerificationFilter(credential));
+							List<MetadataFilter> filterList = new ArrayList<MetadataFilter>();
+							filterList.add(new MetaDataVerificationFilter(credential));
 						
-						try {
-							filterList.add(new SchemaValidationFilter(
-									ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive()));
+							try {
+								filterList.add(new SchemaValidationFilter(
+										ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive()));
 							
-						} catch (ConfigurationException e) {
-							log.warn("Configuration access FAILED!", e);
+							} catch (ConfigurationException e) {
+								log.warn("Configuration access FAILED!", e);
 							
-						}
+							}
+						
+							MetadataFilterChain filter = new MetadataFilterChain();
+							filter.setFilters(filterList);
 						
-						MetadataFilterChain filter = new MetadataFilterChain();
-						filter.setFilters(filterList);
+							httpProvider = 
+									new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
+							httpProvider.setParserPool(new BasicParserPool());
+							httpProvider.setRequireValidMetadata(true); 
+							httpProvider.setMetadataFilter(filter);
+							httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+							httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
 						
-						httpProvider = 
-								new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
-						httpProvider.setParserPool(new BasicParserPool());
-						httpProvider.setRequireValidMetadata(true); 
-						httpProvider.setMetadataFilter(filter);
-						httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
-						httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+							httpProvider.setRequireValidMetadata(true);
 						
-						httpProvider.setRequireValidMetadata(true);
+							httpProvider.initialize();
 						
-						httpProvider.initialize();
 						
 						
 						
+							if (httpProvider.getMetadata() == null) {
+								log.info("Metadata could be received but validation FAILED.");
+								errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request));
+							}
 						
-						if (httpProvider.getMetadata() == null) {
-							log.info("Metadata could be received but validation FAILED.");
-							errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request));
+						} else {
+							log.info("Metadata load validation skipped, because it's no http(s) metadata: " + form.getMetaDataURL());
+							
 						}
 
-						
 					}
 				}
 			}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index b2597c3cb..5380d7f53 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -38,6 +38,7 @@ import javax.xml.namespace.QName;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.BaseMetadataProvider;
 import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
 import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
@@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
 import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.parse.BasicParserPool;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.IDestroyableObject;
@@ -52,7 +54,6 @@ import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
@@ -154,7 +155,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 			
 			//reload metadata provider 
 			IOAAuthParameters oaParam = 
-					AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
+					authConfig.getOnlineApplicationParameter(entityID);
 			if (oaParam != null) {
 				String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
 				if (MiscUtil.isNotEmpty(metadataURL)) {
@@ -178,10 +179,11 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 							timer = new Timer(true);
 						
 						ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						
-						HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, 								 
+						MetadataProvider newMetadataProvider = createNewMoaMetadataProvider(metadataURL, 								 
 								buildMetadataFilterChain(oaParam, metadataURL, cert), 
 								oaFriendlyName,
-								timer);
+								timer,
+								new BasicParserPool());
 						
 						chainProvider.addMetadataProvider(newMetadataProvider);
 						
@@ -203,9 +205,6 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 				Logger.debug("Can not refresh PVP2X metadata: NO onlineApplication with Id: " + entityID);
 				
 						
-		} catch (ConfigurationException e) {
-			Logger.warn("Access MOA-ID configuration FAILED.", e);
-			
 		} catch (MetadataProviderException e) {
 			Logger.warn("Refresh PVP2X metadata for onlineApplication: " 
 					+ entityID + " FAILED.", e);
@@ -268,7 +267,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 									
 			//load all PVP2 OAs form ConfigurationDatabase and 
 			//compare actually loaded Providers with configured PVP2 OAs
-			Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard(
+			Map<String, String> allOAs = authConfig.getConfigurationWithWildCard(
 					MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES 
 					+ ".%." 
 					+ MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
@@ -279,7 +278,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 					Entry<String, String> oaKeyPair = oaInterator.next();
 					
 					IOAAuthParameters oaParam = 
-							AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue());
+							authConfig.getOnlineApplicationParameter(oaKeyPair.getValue());
 					if (oaParam != null) {
 						String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
 						
@@ -409,83 +408,79 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 		ChainingMetadataProvider chainProvider = new ChainingMetadataProvider();
 		Logger.info("Loading metadata");		
 		Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>();
-		try {
-			Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard(
-					MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES 
-					+ ".%." 
-					+ MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
-			
-			if (allOAs != null) {
-				Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator();
-				while (oaInterator.hasNext()) {
-					Entry<String, String> oaKeyPair = oaInterator.next();
-					
-					IOAAuthParameters oaParam = 
-							AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue());
-					if (oaParam != null) {
-						String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
-						String oaFriendlyName = oaParam.getFriendlyName();
-						HTTPMetadataProvider httpProvider = null;
+		Map<String, String> allOAs = authConfig.getConfigurationWithWildCard(
+				MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES 
+				+ ".%." 
+				+ MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
+		
+		if (allOAs != null) {
+			Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator();
+			while (oaInterator.hasNext()) {
+				Entry<String, String> oaKeyPair = oaInterator.next();
 				
-						try {
-							String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
-							if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) {
-								byte[] cert = Base64Utils.decode(certBase64, false);
-								
-								
-								if (timer == null)
-									timer = new Timer(true);
-								
-								Logger.info("Loading metadata for: " + oaFriendlyName);					
-								if (!providersinuse.containsKey(metadataurl)) {					
-									httpProvider = createNewHTTPMetaDataProvider(
-											metadataurl, 
-											buildMetadataFilterChain(oaParam, metadataurl, cert),
-											oaFriendlyName,
-											timer);
-						
-									if (httpProvider != null)
-										providersinuse.put(metadataurl, httpProvider);
+				IOAAuthParameters oaParam = 
+						authConfig.getOnlineApplicationParameter(oaKeyPair.getValue());
+				if (oaParam != null) {
+					String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
+					String oaFriendlyName = oaParam.getFriendlyName();
+					MetadataProvider httpProvider = null;
+			
+					try {
+						String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+						if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) {
+							byte[] cert = Base64Utils.decode(certBase64, false);
 							
-								} else {
-									Logger.info(metadataurl + " are already added.");
-								}
+							
+							if (timer == null)
+								timer = new Timer(true);
+							
+							Logger.info("Loading metadata for: " + oaFriendlyName);					
+							if (!providersinuse.containsKey(metadataurl)) {					
+								httpProvider = createNewMoaMetadataProvider(
+										metadataurl, 
+										buildMetadataFilterChain(oaParam, metadataurl, cert),
+										oaFriendlyName,
+										timer,
+										new BasicParserPool());
+					
+								if (httpProvider != null)
+									providersinuse.put(metadataurl, httpProvider);
 						
 							} else {
-								Logger.info(oaFriendlyName
-										+ " is not a PVP2 Application skipping");
+								Logger.info(metadataurl + " are already added.");
 							}
-						} catch (Throwable e) {
-							Logger.error(
-									"Failed to add Metadata (unhandled reason: "
-											+ e.getMessage(), e);
 					
-							if (httpProvider != null) {
-								Logger.debug("Destroy failed Metadata provider");
-								httpProvider.destroy();
-							}
-						}			
-					}
-				}
+						} else {
+							Logger.info(oaFriendlyName
+									+ " is not a PVP2 Application skipping");
+						}
+					} catch (Throwable e) {
+						Logger.error(
+								"Failed to add Metadata (unhandled reason: "
+										+ e.getMessage(), e);
 				
-			} else 
-				Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
-					
-			try {
-				chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
-				
-			} catch (MetadataProviderException e) {
-				Logger.error(
-						"Failed to add Metadata (unhandled reason: "
-								+ e.getMessage(), e);
+						if (httpProvider != null && httpProvider instanceof BaseMetadataProvider) {
+							Logger.debug("Destroy failed Metadata provider");
+							((BaseMetadataProvider)httpProvider).destroy();
+							
+						}
+					}			
+				}
 			}
 			
-			internalProvider = chainProvider;
-			
-		} catch (ConfigurationException e) {
-			Logger.error("Access MOA-ID configuration FAILED.", e);
+		} else 
+			Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
+				
+		try {
+			chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
 			
+		} catch (MetadataProviderException e) {
+			Logger.error(
+					"Failed to add Metadata (unhandled reason: "
+							+ e.getMessage(), e);
 		}
+		
+		internalProvider = chainProvider;
 				
 	}
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
index d5c7d9100..e060e18e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
@@ -22,15 +22,19 @@
  */
 package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
 
+import java.io.File;
 import java.util.Timer;
 
 import javax.net.ssl.SSLHandshakeException;
 
 import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
 import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.parse.ParserPool;
+import org.springframework.beans.factory.annotation.Autowired;
 
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
@@ -40,6 +44,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
 
 /**
  * @author tlenz
@@ -47,6 +52,104 @@ import at.gv.egovernment.moa.logging.Logger;
  */
 public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
 	
+	private static final String URI_PREFIX_HTTP = "http:";
+	private static final String URI_PREFIX_HTTPS = "https:";
+	private static final String URI_PREFIX_FILE = "file:";
+	
+	
+	@Autowired 
+	protected AuthConfiguration authConfig;
+	
+	/**
+	 * Create a single SAML2 MOA specific metadata provider
+	 * 
+	 * @param metadataLocation where the metadata should be loaded, but never null. If the location starts with http(s):, than a http
+	 *  based metadata provider is used. If the location starts with file:, than a filesystem based metadata provider is used
+	 * @param filter Filters, which should be used to validate the metadata
+	 * @param IdForLogging Id, which is used for Logging
+	 * @param timer {@link Timer} which is used to schedule metadata refresh operations
+	 * 
+	 * @return SAML2 Metadata Provider, or null if the metadata provider can not initialized
+	 */
+	protected MetadataProvider createNewMoaMetadataProvider(String metadataLocation, MetadataFilter filter, 
+			String IdForLogging, Timer timer, ParserPool pool) {
+		if (metadataLocation.startsWith(URI_PREFIX_HTTP) || metadataLocation.startsWith(URI_PREFIX_HTTPS)) 
+			return createNewHTTPMetaDataProvider(metadataLocation, filter, IdForLogging, timer, pool);
+		
+		else {
+			String absoluteMetadataLocation = FileUtils.makeAbsoluteURL(
+					metadataLocation,
+					authConfig.getRootConfigFileDir());
+			
+			if (absoluteMetadataLocation.startsWith(URI_PREFIX_FILE)) {
+				File metadataFile = new File(absoluteMetadataLocation);
+				if (metadataFile.exists())
+					return createNewFileSystemMetaDataProvider(metadataFile, filter, IdForLogging, timer, pool);
+				
+				else {
+					Logger.warn("SAML2 metadata file: " + absoluteMetadataLocation + " not found or not exist");
+					return null;
+				}
+				
+			}			
+		}
+		
+		Logger.warn("SAML2 metadata has an unsupported metadata location prefix: " + metadataLocation);		
+		return null;
+		
+	}
+	
+	
+	/**
+	 * Create a single SAML2 filesystem based metadata provider
+	 * 
+	 * @param metadataFile File, where the metadata should be loaded
+	 * @param filter Filters, which should be used to validate the metadata
+	 * @param IdForLogging Id, which is used for Logging
+	 * @param timer {@link Timer} which is used to schedule metadata refresh operations
+	 * @param pool 
+	 * 
+	 * @return SAML2 Metadata Provider
+	 */	
+	private MetadataProvider createNewFileSystemMetaDataProvider(File metadataFile, MetadataFilter filter, String IdForLogging, Timer timer, ParserPool pool) {
+		FilesystemMetadataProvider fileSystemProvider = null;
+		try {
+			fileSystemProvider = new FilesystemMetadataProvider(timer, metadataFile);
+			fileSystemProvider.setParserPool(pool);
+			fileSystemProvider.setRequireValidMetadata(true);
+			fileSystemProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+			fileSystemProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+			//httpProvider.setRefreshDelayFactor(0.1F);
+			
+			fileSystemProvider.setMetadataFilter(filter);
+			fileSystemProvider.initialize();
+			
+			fileSystemProvider.setRequireValidMetadata(true);
+			
+			return fileSystemProvider;
+						
+		} catch (Exception e) {
+			Logger.warn(
+					"Failed to load Metadata file for "
+							+ IdForLogging + "[ "
+							+ "File: " + metadataFile.getAbsolutePath()
+							+ " Msg: " + e.getMessage() + " ]", e);
+			
+			
+			Logger.warn("Can not initialize SAML2 metadata provider from filesystem: " + metadataFile.getAbsolutePath()
+					+ " Reason: " + e.getMessage(), e);
+			
+			if (fileSystemProvider != null)
+				fileSystemProvider.destroy();
+			
+		}
+				
+		return null;
+				
+	}
+	
+	
+	
 	/**
 	 * Create a single SAML2 HTTP metadata provider
 	 * 
@@ -54,16 +157,21 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
 	 * @param filter Filters, which should be used to validate the metadata
 	 * @param IdForLogging Id, which is used for Logging
 	 * @param timer {@link Timer} which is used to schedule metadata refresh operations
+	 * @param pool 
 	 * 
 	 * @return SAML2 Metadata Provider
 	 */
-	protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer) {
+	private MetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer, ParserPool pool) {
 		HTTPMetadataProvider httpProvider = null;
 		//Timer timer= null;
 		MOAHttpClient httpClient = null;
 		try {			
 			httpClient = new MOAHttpClient();
 			
+			HttpClientParams httpClientParams = new HttpClientParams();
+			httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+			httpClient.setParams(httpClientParams);
+			
 			if (metadataURL.startsWith("https:")) {
 				try {
 					//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
@@ -88,7 +196,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
 //			timer = new Timer(true);
 			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
 					metadataURL);
-			httpProvider.setParserPool(new BasicParserPool());
+			httpProvider.setParserPool(pool);
 			httpProvider.setRequireValidMetadata(true);
 			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
 			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
@@ -115,7 +223,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
 						+ metadataURL + " FAILED.", e);								
 			}
 			
-			Logger.error(
+			Logger.warn(
 					"Failed to load Metadata file for "
 							+ IdForLogging + "[ "
 							+ e.getMessage() + " ]", e);
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index fcf4c3ffa..4df11b35c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -16,7 +16,8 @@ public interface AuthConfiguration extends ConfigurationProvider{
 	
 	public static final String DEFAULT_X509_CHAININGMODE = "pkix";
 
-
+	public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000;  	//20 seconds metadata socked timeout
+	
 	
 	public Properties getGeneralPVP2ProperiesConfig();
 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
index b35ffdf62..adc2a310b 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -36,12 +36,11 @@ import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.xml.XMLObject;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.opensaml.xml.parse.BasicParserPool;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.IDestroyableObject;
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
-import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
@@ -57,8 +56,6 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Service("ELGAMandate_MetadataProvider")
 public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvider
 	implements IDestroyableObject {
-
-	@Autowired AuthConfiguration authConfig;
 	
 	private ChainingMetadataProvider metadataProvider = new ChainingMetadataProvider();
 	private Timer timer = null;
@@ -256,11 +253,12 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvide
 			filter.addFilter(new SchemaValidationFilter(true));
 			filter.addFilter(new MOASPMetadataSignatureFilter(trustProfileID));
 		
-			HTTPMetadataProvider idpMetadataProvider = createNewHTTPMetaDataProvider(metdataURL, 
+			MetadataProvider idpMetadataProvider = createNewMoaMetadataProvider(metdataURL, 
 					filter, 
-					ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
-					timer);
-		
+					ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,					
+					timer,
+					new BasicParserPool());
+			
 			if (idpMetadataProvider == null) {
 				Logger.error("Create ELGA Mandate-Service Client FAILED.");
 				throw new MetadataProviderException("Can not initialize ELGA Mandate-Service metadata provider.");
-- 
cgit v1.2.3


From c4fe089610dba3d6e8929f6e163538dfae0d18da Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 25 Jul 2017 12:07:59 +0200
Subject: betaversion for a workaround to solve problem with Java8 >= 141 and
 SHA1 certificates in certificate chain

---
 .../utils/ssl/MOASSLAlgorithmConstraints.java      | 175 ++++++++++++++
 .../commons/utils/ssl/MOATrustManagerWrapper.java  | 267 +++++++++++++++++++++
 .../moa/id/commons/utils/ssl/SSLUtils.java         |   4 +-
 .../commons/validation/MOASSLAlgorithmChecker.java | 226 +++++++++++++++++
 4 files changed, 671 insertions(+), 1 deletion(-)
 create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
 create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
 create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
new file mode 100644
index 000000000..8f367598d
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
@@ -0,0 +1,175 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import java.security.AlgorithmConstraints;
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.Key;
+import java.util.Set;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASSLAlgorithmConstraints implements AlgorithmConstraints {
+	   
+	   private AlgorithmConstraints userAlgConstraints = null;
+	   private AlgorithmConstraints peerAlgConstraints = null;
+	 
+	   private boolean enabledX509DisabledAlgConstraints = true;
+	 
+	 
+	   static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null);
+
+	   
+	   public MOASSLAlgorithmConstraints()
+	   {
+		   		   
+	   }
+
+	 
+	   static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false);
+
+	   MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints)
+	   {
+		   this.userAlgConstraints = paramAlgorithmConstraints;
+		   		   
+	   }
+	   
+	   
+	   MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean)
+	   {
+	     if (paramSSLSocket != null) {
+	       this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints();
+	 
+	    }
+	 
+	     if (!(paramBoolean))
+	       this.enabledX509DisabledAlgConstraints = false;
+	   }
+	 
+	 
+	   MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean)
+	   {
+	     if (paramSSLEngine != null) {
+	       this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints();
+	 
+	     }
+	 
+	     if (!(paramBoolean))
+	       this.enabledX509DisabledAlgConstraints = false;
+	   }
+	   
+	   MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean)
+	   {
+	     if (paramSSLSocket != null) {
+	       this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints();
+	 
+	       //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString);
+	 
+	     }
+	 
+	     if (!(paramBoolean))
+	       this.enabledX509DisabledAlgConstraints = false;
+	   }
+	 
+	 
+//	   MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean)
+//	   {
+//	     if (paramSSLEngine != null) {
+//	       this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints();
+//	 
+//	       this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString);
+//	 
+//	     }
+//	 
+//	     if (!(paramBoolean))
+//	       this.enabledX509DisabledAlgConstraints = false;
+//	   }
+	   
+	
+	/* (non-Javadoc)
+	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters)
+	 */
+	@Override
+	public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) {
+         boolean bool = true;
+
+         if (this.peerAlgConstraints != null) {
+           bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters);
+           
+         }
+	     
+         if ((bool) && (this.userAlgConstraints != null)) {
+           bool = this.userAlgConstraints.permits(primitives, algorithm, parameters);
+     
+         }
+	    	     
+        return bool;
+	
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key)
+	 */
+	@Override
+	public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
+		 boolean bool = true;
+		  
+		     if (this.peerAlgConstraints != null) {
+		       bool = this.peerAlgConstraints.permits(primitives, key);
+		     }
+		  
+		     if ((bool) && (this.userAlgConstraints != null)) {
+		       bool = this.userAlgConstraints.permits(primitives, key);
+		     }
+		     
+		     return bool;
+				
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters)
+	 */
+	@Override
+	public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) {
+		boolean bool = true;
+		 
+		     if (this.peerAlgConstraints != null) {
+		       bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters);
+		
+		     }
+		 
+		     if ((bool) && (this.userAlgConstraints != null)) {
+		       bool = this.userAlgConstraints.permits(primitives, algorithm, key, parameters);
+		 
+		     }
+		     
+		     return bool;
+	}
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
new file mode 100644
index 000000000..c71d50161
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
@@ -0,0 +1,267 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import java.lang.reflect.Constructor;
+import java.net.Socket;
+import java.security.AlgorithmConstraints;
+import java.security.Timestamp;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.HashSet;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import sun.security.provider.certpath.AlgorithmChecker;
+import sun.security.util.DisabledAlgorithmConstraints;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager {
+
+	private X509TrustManager internalTrustManager = null; 
+	
+	
+	/**
+	 * 
+	 */
+	public MOATrustManagerWrapper(X509TrustManager trustManger) {
+		this.internalTrustManager = trustManger;
+		
+	}
+	
+	
+	
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
+	 */
+	@Override
+	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
+			throws CertificateException {
+		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
+
+	}
+
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
+	 */
+	@Override
+	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
+			throws CertificateException {
+		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
+
+	}
+
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
+	 */
+	@Override
+	public X509Certificate[] getAcceptedIssuers() {
+		return internalTrustManager.getAcceptedIssuers();
+	}
+
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket)
+	 */
+	@Override
+	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
+			Socket paramSocket) throws CertificateException {
+		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
+		
+		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true);
+
+	}
+
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket)
+	 */
+	@Override
+	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
+			Socket paramSocket) throws CertificateException {
+		
+		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
+		
+		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false);
+
+	}
+
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine)
+	 */
+	@Override
+	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
+			SSLEngine paramSSLEngine) throws CertificateException {
+		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
+		
+		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true);
+
+	}
+
+	/* (non-Javadoc)
+	 * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine)
+	 */
+	@Override
+	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
+			SSLEngine paramSSLEngine) throws CertificateException {
+		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
+		
+		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false);
+	}
+	
+	
+	
+	private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, 
+			String paramString, Socket paramSocket, boolean isClient) throws CertificateException {
+		if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) {
+			return;
+	       
+	    }
+		
+	    SSLSocket localSSLSocket = (SSLSocket)paramSocket;
+	    SSLSession localSSLSession = localSSLSocket.getHandshakeSession();
+	    if (localSSLSession == null) {
+	    	throw new CertificateException("No handshake session");
+	    }
+	 
+	    String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm();	
+	    if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) {	    	
+	    	String peerHost = localSSLSession.getPeerHost();
+	    	checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo);
+	 
+	    }
+	    	 
+		AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");	 
+	    checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient);
+	}
+	
+	private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, 
+			SSLEngine paramSSLEngine, boolean isClient) throws CertificateException {
+		if (paramSSLEngine != null) {
+			SSLSession localSSLSession = paramSSLEngine.getHandshakeSession();
+			if (localSSLSession == null) {
+				throw new CertificateException("No handshake session");
+ 
+			}
+ 
+			String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm();
+			if ((str != null) && (str.length() != 0)) {
+				String peerHost = localSSLSession.getPeerHost();
+				checkIdentity(peerHost, paramArrayOfX509Certificate[0], str);
+				
+			}
+	 
+			AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
+		    checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient);
+		}
+	}
+	   
+	private void checkAlgorithmConstraints(X509Certificate[] certificates, 
+			java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException {
+		try {
+			int i = certificates.length - 1;		 
+		    HashSet<X509Certificate> localHashSet = new HashSet<X509Certificate>();	
+		    X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers();
+		    
+		    if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) {
+		    	Collections.addAll(localHashSet, arrayOfX509Certificate);
+
+		    }
+		 
+		    if (localHashSet.contains(certificates[i])) {
+		    	--i;
+		    }
+		 
+		    if (i >= 0) {
+		    	PKIXCertPathChecker localAlgorithmChecker = null;
+		        Class<?> algorithCheckerClass = null;
+		        try {		        	
+		        	algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker");
+		        	Constructor<?> algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class);
+		        	localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server");
+		        	Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ...");
+		        	
+		        } catch (Throwable e) {
+		        	try {
+		        		Constructor<?> algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class);
+		        		localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint);
+		        		
+		        		Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ...");
+		        		
+		        	} catch (Throwable e1) {
+		        		Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1);
+		        		Logger.error("USE ONE LEGACY VERSION OF ALGORITHM CHECKER ...");
+		        		localAlgorithmChecker = new MOASSLAlgorithmChecker();
+		        		
+		        	}		        			        	
+		        }
+		    	
+		    	
+		    	localAlgorithmChecker.init(false);
+		        
+		        for (int j = i; j >= 0; --j) {
+		        	X509Certificate localX509Certificate = certificates[j];
+		 		        	
+		        	//localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet());
+		        	localAlgorithmChecker.check((Certificate)localX509Certificate, null);
+		        }
+		    }
+		} catch (CertPathValidatorException localCertPathValidatorException) {
+			throw new CertificateException("Certificates does not conform to algorithm constraints");
+		       
+		}
+	}
+	
+	private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) 
+			throws CertificateException {
+		if (MiscUtil.isEmpty(endpointIdenfificationAlgo))
+			return;
+		
+		if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) {
+			peerHost = peerHost.substring(1, peerHost.length() - 1);
+			
+		}
+		
+		if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) {
+			sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate);
+			
+		} else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) {
+			sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate);
+			
+		} else
+			throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo);
+	}
+	
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 109390132..3e793e4d1 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -147,6 +147,7 @@ public class SSLUtils {
     SSLContext ctx = SSLContext.getInstance("TLS");
     ctx.init(kms, tms, null);    
     ssf = ctx.getSocketFactory();
+        
     // store SSLSocketFactory
     sslSocketFactories.put(url, ssf);
     
@@ -259,7 +260,8 @@ public class SSLUtils {
     MOAIDTrustManager.initializeLoggingContext();    
     MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL);
     tm.init(cfg, profile);
-    return new TrustManager[] {tm};
+    return new TrustManager[] {new MOATrustManagerWrapper(tm)};
+    
   }
     
 }
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
new file mode 100644
index 000000000..990b5d3b1
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
@@ -0,0 +1,226 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.validation;
+
+import java.math.BigInteger;
+import java.security.AlgorithmConstraints;
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.PKIXReason;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPublicKey;
+import java.security.spec.DSAPublicKeySpec;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
+
+import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.x509.X509CertImpl;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASSLAlgorithmChecker extends PKIXCertPathChecker {
+
+	private final AlgorithmConstraints constraints;
+	private final PublicKey trustedPubKey;
+	private PublicKey prevPubKey;
+	private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));	 
+	private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT));
+	
+	private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
+
+	/**
+	 * 
+	 */
+	public MOASSLAlgorithmChecker() {
+		this.prevPubKey = null;
+		this.trustedPubKey = null;
+		this.constraints = certPathDefaultConstraints;
+		
+	}
+	
+	public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) {
+		this.prevPubKey = null;
+		this.trustedPubKey = null;
+		this.constraints = paramAlgorithmConstraints;
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#init(boolean)
+	 */
+	@Override
+	public void init(boolean forward) throws CertPathValidatorException {
+		if (!(forward)) {
+			if (this.trustedPubKey != null)
+				this.prevPubKey = this.trustedPubKey;
+			
+			else
+				this.prevPubKey = null;
+			
+		} else 
+			throw new CertPathValidatorException("forward checking not supported");
+
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported()
+	 */
+	@Override
+	public boolean isForwardCheckingSupported() {
+		return false;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions()
+	 */
+	@Override
+	public Set<String> getSupportedExtensions() {
+		return null;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection)
+	 */
+	@Override
+	public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
+		if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) {
+			return;	
+		
+		}
+ 
+		X509CertImpl localX509CertImpl = null;
+		try {
+			localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert);
+			
+		} catch (CertificateException localCertificateException1) {
+			throw new CertPathValidatorException(localCertificateException1);
+		
+		}
+		
+		PublicKey localPublicKey = localX509CertImpl.getPublicKey();
+		String str = localX509CertImpl.getSigAlgName();
+		 
+
+		//check algorithms
+		AlgorithmParameters localAlgorithmParameters = null;
+		try {
+			sun.security.x509.AlgorithmId localAlgorithmId = null;
+			localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm");
+			localAlgorithmParameters = localAlgorithmId.getParameters();
+				
+			if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) {
+				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+			
+			}
+			
+		} catch (CertificateParsingException localCertificateException2) {
+			throw new CertPathValidatorException(localCertificateException2);
+			
+		}
+ 
+
+		//check key usage
+		boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage();
+		if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9))
+			throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
+		
+		if (arrayOfBoolean != null) {
+			Set<CryptoPrimitive> cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class);
+			if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) {
+				cryptoPrimitives.add(CryptoPrimitive.SIGNATURE);
+			
+			}
+ 						
+			if (arrayOfBoolean[2] == true) {
+				cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
+				
+			}
+ 
+			if (arrayOfBoolean[3] == true) {
+				cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
+			
+			}
+			
+			if (arrayOfBoolean[4] == true) {
+				cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT);	
+			
+			}
+			
+			if ((!(cryptoPrimitives.isEmpty())) &&  (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) {	
+				throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+				
+			}
+		}
+ 
+		//check pubKeys
+		if (this.prevPubKey != null) {
+			if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) {
+				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+				
+			}
+			
+			if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) {
+				if (!(this.prevPubKey instanceof DSAPublicKey)) {
+					throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters");
+					
+				}
+ 
+				DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams();
+				if (localObject == null) {
+					throw new CertPathValidatorException("Key parameters missing");	
+					
+				}
+
+				try {
+					BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY();
+					KeyFactory localKeyFactory = KeyFactory.getInstance("DSA");
+					DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG());
+					localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec);
+					
+				} catch (GeneralSecurityException localGeneralSecurityException) {	
+					throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException);
+
+				}
+			}
+		}
+		
+		this.prevPubKey = localPublicKey;
+	}
+
+
+}
-- 
cgit v1.2.3


From 040e51d335d3af127c3894bd5558a484ddd9b9ea Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 25 Jul 2017 16:11:25 +0200
Subject: Revert "betaversion for a workaround to solve problem with Java8 >=
 141 and SHA1 certificates in certificate chain"

This reverts commit c4fe089610dba3d6e8929f6e163538dfae0d18da.
---
 .../utils/ssl/MOASSLAlgorithmConstraints.java      | 175 --------------
 .../commons/utils/ssl/MOATrustManagerWrapper.java  | 267 ---------------------
 .../moa/id/commons/utils/ssl/SSLUtils.java         |   4 +-
 .../commons/validation/MOASSLAlgorithmChecker.java | 226 -----------------
 4 files changed, 1 insertion(+), 671 deletions(-)
 delete mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
 delete mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
 delete mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
deleted file mode 100644
index 8f367598d..000000000
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.commons.utils.ssl;
-
-import java.security.AlgorithmConstraints;
-import java.security.AlgorithmParameters;
-import java.security.CryptoPrimitive;
-import java.security.Key;
-import java.util.Set;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLSocket;
-
-/**
- * @author tlenz
- *
- */
-public class MOASSLAlgorithmConstraints implements AlgorithmConstraints {
-	   
-	   private AlgorithmConstraints userAlgConstraints = null;
-	   private AlgorithmConstraints peerAlgConstraints = null;
-	 
-	   private boolean enabledX509DisabledAlgConstraints = true;
-	 
-	 
-	   static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null);
-
-	   
-	   public MOASSLAlgorithmConstraints()
-	   {
-		   		   
-	   }
-
-	 
-	   static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false);
-
-	   MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints)
-	   {
-		   this.userAlgConstraints = paramAlgorithmConstraints;
-		   		   
-	   }
-	   
-	   
-	   MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean)
-	   {
-	     if (paramSSLSocket != null) {
-	       this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints();
-	 
-	    }
-	 
-	     if (!(paramBoolean))
-	       this.enabledX509DisabledAlgConstraints = false;
-	   }
-	 
-	 
-	   MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean)
-	   {
-	     if (paramSSLEngine != null) {
-	       this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints();
-	 
-	     }
-	 
-	     if (!(paramBoolean))
-	       this.enabledX509DisabledAlgConstraints = false;
-	   }
-	   
-	   MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean)
-	   {
-	     if (paramSSLSocket != null) {
-	       this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints();
-	 
-	       //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString);
-	 
-	     }
-	 
-	     if (!(paramBoolean))
-	       this.enabledX509DisabledAlgConstraints = false;
-	   }
-	 
-	 
-//	   MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean)
-//	   {
-//	     if (paramSSLEngine != null) {
-//	       this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints();
-//	 
-//	       this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString);
-//	 
-//	     }
-//	 
-//	     if (!(paramBoolean))
-//	       this.enabledX509DisabledAlgConstraints = false;
-//	   }
-	   
-	
-	/* (non-Javadoc)
-	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters)
-	 */
-	@Override
-	public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) {
-         boolean bool = true;
-
-         if (this.peerAlgConstraints != null) {
-           bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters);
-           
-         }
-	     
-         if ((bool) && (this.userAlgConstraints != null)) {
-           bool = this.userAlgConstraints.permits(primitives, algorithm, parameters);
-     
-         }
-	    	     
-        return bool;
-	
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key)
-	 */
-	@Override
-	public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
-		 boolean bool = true;
-		  
-		     if (this.peerAlgConstraints != null) {
-		       bool = this.peerAlgConstraints.permits(primitives, key);
-		     }
-		  
-		     if ((bool) && (this.userAlgConstraints != null)) {
-		       bool = this.userAlgConstraints.permits(primitives, key);
-		     }
-		     
-		     return bool;
-				
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters)
-	 */
-	@Override
-	public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) {
-		boolean bool = true;
-		 
-		     if (this.peerAlgConstraints != null) {
-		       bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters);
-		
-		     }
-		 
-		     if ((bool) && (this.userAlgConstraints != null)) {
-		       bool = this.userAlgConstraints.permits(primitives, algorithm, key, parameters);
-		 
-		     }
-		     
-		     return bool;
-	}
-
-}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
deleted file mode 100644
index c71d50161..000000000
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.commons.utils.ssl;
-
-import java.lang.reflect.Constructor;
-import java.net.Socket;
-import java.security.AlgorithmConstraints;
-import java.security.Timestamp;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.HashSet;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.X509ExtendedTrustManager;
-import javax.net.ssl.X509TrustManager;
-
-import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
-import sun.security.provider.certpath.AlgorithmChecker;
-import sun.security.util.DisabledAlgorithmConstraints;
-
-/**
- * @author tlenz
- *
- */
-public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager {
-
-	private X509TrustManager internalTrustManager = null; 
-	
-	
-	/**
-	 * 
-	 */
-	public MOATrustManagerWrapper(X509TrustManager trustManger) {
-		this.internalTrustManager = trustManger;
-		
-	}
-	
-	
-	
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
-	 */
-	@Override
-	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
-			throws CertificateException {
-		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
-	 */
-	@Override
-	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
-			throws CertificateException {
-		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
-	 */
-	@Override
-	public X509Certificate[] getAcceptedIssuers() {
-		return internalTrustManager.getAcceptedIssuers();
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket)
-	 */
-	@Override
-	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			Socket paramSocket) throws CertificateException {
-		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket)
-	 */
-	@Override
-	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			Socket paramSocket) throws CertificateException {
-		
-		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine)
-	 */
-	@Override
-	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			SSLEngine paramSSLEngine) throws CertificateException {
-		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine)
-	 */
-	@Override
-	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			SSLEngine paramSSLEngine) throws CertificateException {
-		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false);
-	}
-	
-	
-	
-	private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, 
-			String paramString, Socket paramSocket, boolean isClient) throws CertificateException {
-		if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) {
-			return;
-	       
-	    }
-		
-	    SSLSocket localSSLSocket = (SSLSocket)paramSocket;
-	    SSLSession localSSLSession = localSSLSocket.getHandshakeSession();
-	    if (localSSLSession == null) {
-	    	throw new CertificateException("No handshake session");
-	    }
-	 
-	    String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm();	
-	    if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) {	    	
-	    	String peerHost = localSSLSession.getPeerHost();
-	    	checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo);
-	 
-	    }
-	    	 
-		AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");	 
-	    checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient);
-	}
-	
-	private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, 
-			SSLEngine paramSSLEngine, boolean isClient) throws CertificateException {
-		if (paramSSLEngine != null) {
-			SSLSession localSSLSession = paramSSLEngine.getHandshakeSession();
-			if (localSSLSession == null) {
-				throw new CertificateException("No handshake session");
- 
-			}
- 
-			String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm();
-			if ((str != null) && (str.length() != 0)) {
-				String peerHost = localSSLSession.getPeerHost();
-				checkIdentity(peerHost, paramArrayOfX509Certificate[0], str);
-				
-			}
-	 
-			AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
-		    checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient);
-		}
-	}
-	   
-	private void checkAlgorithmConstraints(X509Certificate[] certificates, 
-			java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException {
-		try {
-			int i = certificates.length - 1;		 
-		    HashSet<X509Certificate> localHashSet = new HashSet<X509Certificate>();	
-		    X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers();
-		    
-		    if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) {
-		    	Collections.addAll(localHashSet, arrayOfX509Certificate);
-
-		    }
-		 
-		    if (localHashSet.contains(certificates[i])) {
-		    	--i;
-		    }
-		 
-		    if (i >= 0) {
-		    	PKIXCertPathChecker localAlgorithmChecker = null;
-		        Class<?> algorithCheckerClass = null;
-		        try {		        	
-		        	algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker");
-		        	Constructor<?> algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class);
-		        	localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server");
-		        	Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ...");
-		        	
-		        } catch (Throwable e) {
-		        	try {
-		        		Constructor<?> algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class);
-		        		localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint);
-		        		
-		        		Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ...");
-		        		
-		        	} catch (Throwable e1) {
-		        		Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1);
-		        		Logger.error("USE ONE LEGACY VERSION OF ALGORITHM CHECKER ...");
-		        		localAlgorithmChecker = new MOASSLAlgorithmChecker();
-		        		
-		        	}		        			        	
-		        }
-		    	
-		    	
-		    	localAlgorithmChecker.init(false);
-		        
-		        for (int j = i; j >= 0; --j) {
-		        	X509Certificate localX509Certificate = certificates[j];
-		 		        	
-		        	//localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet());
-		        	localAlgorithmChecker.check((Certificate)localX509Certificate, null);
-		        }
-		    }
-		} catch (CertPathValidatorException localCertPathValidatorException) {
-			throw new CertificateException("Certificates does not conform to algorithm constraints");
-		       
-		}
-	}
-	
-	private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) 
-			throws CertificateException {
-		if (MiscUtil.isEmpty(endpointIdenfificationAlgo))
-			return;
-		
-		if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) {
-			peerHost = peerHost.substring(1, peerHost.length() - 1);
-			
-		}
-		
-		if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) {
-			sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate);
-			
-		} else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) {
-			sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate);
-			
-		} else
-			throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo);
-	}
-	
-}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 3e793e4d1..109390132 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -147,7 +147,6 @@ public class SSLUtils {
     SSLContext ctx = SSLContext.getInstance("TLS");
     ctx.init(kms, tms, null);    
     ssf = ctx.getSocketFactory();
-        
     // store SSLSocketFactory
     sslSocketFactories.put(url, ssf);
     
@@ -260,8 +259,7 @@ public class SSLUtils {
     MOAIDTrustManager.initializeLoggingContext();    
     MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL);
     tm.init(cfg, profile);
-    return new TrustManager[] {new MOATrustManagerWrapper(tm)};
-    
+    return new TrustManager[] {tm};
   }
     
 }
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
deleted file mode 100644
index 990b5d3b1..000000000
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.commons.validation;
-
-import java.math.BigInteger;
-import java.security.AlgorithmConstraints;
-import java.security.AlgorithmParameters;
-import java.security.CryptoPrimitive;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PublicKey;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.PKIXReason;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAParams;
-import java.security.interfaces.DSAPublicKey;
-import java.security.spec.DSAPublicKeySpec;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.Set;
-
-import sun.security.util.DisabledAlgorithmConstraints;
-import sun.security.x509.X509CertImpl;
-
-/**
- * @author tlenz
- *
- */
-public class MOASSLAlgorithmChecker extends PKIXCertPathChecker {
-
-	private final AlgorithmConstraints constraints;
-	private final PublicKey trustedPubKey;
-	private PublicKey prevPubKey;
-	private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));	 
-	private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT));
-	
-	private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
-
-	/**
-	 * 
-	 */
-	public MOASSLAlgorithmChecker() {
-		this.prevPubKey = null;
-		this.trustedPubKey = null;
-		this.constraints = certPathDefaultConstraints;
-		
-	}
-	
-	public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) {
-		this.prevPubKey = null;
-		this.trustedPubKey = null;
-		this.constraints = paramAlgorithmConstraints;
-	}
-	
-	
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#init(boolean)
-	 */
-	@Override
-	public void init(boolean forward) throws CertPathValidatorException {
-		if (!(forward)) {
-			if (this.trustedPubKey != null)
-				this.prevPubKey = this.trustedPubKey;
-			
-			else
-				this.prevPubKey = null;
-			
-		} else 
-			throw new CertPathValidatorException("forward checking not supported");
-
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported()
-	 */
-	@Override
-	public boolean isForwardCheckingSupported() {
-		return false;
-		
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions()
-	 */
-	@Override
-	public Set<String> getSupportedExtensions() {
-		return null;
-		
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection)
-	 */
-	@Override
-	public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
-		if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) {
-			return;	
-		
-		}
- 
-		X509CertImpl localX509CertImpl = null;
-		try {
-			localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert);
-			
-		} catch (CertificateException localCertificateException1) {
-			throw new CertPathValidatorException(localCertificateException1);
-		
-		}
-		
-		PublicKey localPublicKey = localX509CertImpl.getPublicKey();
-		String str = localX509CertImpl.getSigAlgName();
-		 
-
-		//check algorithms
-		AlgorithmParameters localAlgorithmParameters = null;
-		try {
-			sun.security.x509.AlgorithmId localAlgorithmId = null;
-			localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm");
-			localAlgorithmParameters = localAlgorithmId.getParameters();
-				
-			if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) {
-				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
-			
-			}
-			
-		} catch (CertificateParsingException localCertificateException2) {
-			throw new CertPathValidatorException(localCertificateException2);
-			
-		}
- 
-
-		//check key usage
-		boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage();
-		if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9))
-			throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
-		
-		if (arrayOfBoolean != null) {
-			Set<CryptoPrimitive> cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class);
-			if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) {
-				cryptoPrimitives.add(CryptoPrimitive.SIGNATURE);
-			
-			}
- 						
-			if (arrayOfBoolean[2] == true) {
-				cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
-				
-			}
- 
-			if (arrayOfBoolean[3] == true) {
-				cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
-			
-			}
-			
-			if (arrayOfBoolean[4] == true) {
-				cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT);	
-			
-			}
-			
-			if ((!(cryptoPrimitives.isEmpty())) &&  (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) {	
-				throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
-				
-			}
-		}
- 
-		//check pubKeys
-		if (this.prevPubKey != null) {
-			if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) {
-				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
-				
-			}
-			
-			if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) {
-				if (!(this.prevPubKey instanceof DSAPublicKey)) {
-					throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters");
-					
-				}
- 
-				DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams();
-				if (localObject == null) {
-					throw new CertPathValidatorException("Key parameters missing");	
-					
-				}
-
-				try {
-					BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY();
-					KeyFactory localKeyFactory = KeyFactory.getInstance("DSA");
-					DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG());
-					localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec);
-					
-				} catch (GeneralSecurityException localGeneralSecurityException) {	
-					throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException);
-
-				}
-			}
-		}
-		
-		this.prevPubKey = localPublicKey;
-	}
-
-
-}
-- 
cgit v1.2.3


From f912da9959267d214bb10a2be8e412af731141ed Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 26 Jul 2017 10:24:55 +0200
Subject: refactor MOA metadataprovider to load metadata from file system

---
 .../moa/id/auth/IPostStartupInitializable.java     | 41 ++++++++++++++++++++++
 .../moa/id/auth/MOAIDAuthInitializer.java          |  2 +-
 .../PropertyBasedAuthConfigurationProvider.java    |  5 +++
 .../pvp2x/metadata/SimpleMOAMetadataProvider.java  |  9 +++--
 .../resources/properties/id_messages_de.properties |  2 +-
 .../moa/id/commons/api/AuthConfiguration.java      | 10 ++++++
 .../moa/id/commons/utils/KeyValueUtils.java        | 22 ++++++++++++
 .../moa/id/auth/MOAIDAuthSpringInitializer.java    | 16 ++++++++-
 .../moa/id/auth/modules/eidas/Constants.java       |  2 ++
 .../engine/MOAeIDASChainingMetadataProvider.java   | 30 +++++++++++++++-
 10 files changed, 130 insertions(+), 9 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java
new file mode 100644
index 000000000..d918be463
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth;
+
+
+/**
+ * 
+ * @author tlenz
+ *
+ * Interface initialize a Object when the MOA-ID-Auth start-up process is fully completed
+ *
+ */
+public interface IPostStartupInitializable {
+
+	/**
+	 * This method is called once when MOA-ID-Auth start-up process is fully completed
+	 * 
+	 */
+	public void executeAfterStartup();
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 65ea2fd90..3d45e2468 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -127,7 +127,7 @@ public class MOAIDAuthInitializer {
         Random.seedRandom();
         Logger.debug("Random-number generator is seeded.");
         
-        // Initialize configuration provider
+        // Initialize configuration provider for non-spring managed parts 
        	AuthConfiguration authConf = AuthConfigurationProviderFactory.reload(rootContext);
 
        	//test, if MOA-ID is already configured
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 7e0f48744..35d052acd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -235,6 +235,11 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 		return properties.getProperty(key, defaultValue);
 		
 	}
+		
+	public Map<String, String> getBasicMOAIDConfigurationWithPrefix(final String prefix) {
+		return KeyValueUtils.getSubSetWithPrefix(KeyValueUtils.concertPropertiesToMap(properties), prefix);
+		
+	}
 	
 	
 	/* (non-Javadoc)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
index e060e18e1..6c2235654 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
@@ -39,7 +39,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
 import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
@@ -177,12 +176,12 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
 					//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
 					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
 							PVPConstants.SSLSOCKETFACTORYNAME, 
-							AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
+							authConfig.getTrustedCACertificates(),
 							null,
 							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
-							AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
-							AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
-							AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean(
+							authConfig.isTrustmanagerrevoationchecking(),
+							authConfig.getRevocationMethodOrder(),
+							authConfig.getBasicMOAIDConfigurationBoolean(
 									AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
 					
 					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 1a2f0d1d3..50b2c5ece 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -53,7 +53,7 @@ auth.32=Federated authentication FAILED. No configuration for IDP {0}
 auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages. 
 auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
 
-init.00=MOA ID Authentisierung wurde erfolgreich gestartet
+init.00=MOA-ID-Auth wurde erfolgreich gestartet
 init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
 init.02=Fehler beim Starten des Service MOA-ID-Auth
 init.04=Fehler beim Datenbankzugriff mit der SessionID {0}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index 4df11b35c..07b07d980 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -47,6 +47,16 @@ public interface AuthConfiguration extends ConfigurationProvider{
 	 */
 	public String getBasicMOAIDConfiguration(final String key, final String defaultValue);
 	
+	/**
+	 * Get a set of configuration values from basic file based MOA-ID configuration that starts with this prefix
+	 * <br><br>
+	 * <b>Important:</b> The configuration values must be of type String! 
+	 * 
+	 * @param prefix Prefix of the configuration key
+	 * @return Map<String, String> without prefix, but never null
+	 */
+	public Map<String, String> getBasicMOAIDConfigurationWithPrefix(final String prefix);
+	
 	public int getTransactionTimeOut();
 	public int getSSOCreatedTimeOut();
 	public int getSSOUpdatedTimeOut();
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java
index bc567e5d2..40ef5a23a 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java
@@ -29,6 +29,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Properties;
 import java.util.Set;
 
 import org.apache.commons.lang3.StringUtils;
@@ -44,6 +45,27 @@ public class KeyValueUtils {
 	public static final String KEY_DELIMITER = ".";
 	public static final String CSV_DELIMITER = ",";
 	
+	/**
+	 * Convert Java properties into a Map<String, String>
+	 * <br><br>
+	 * <b>Important:</b> The key/values from properties must be of type String! 
+	 * 
+	 * @param properties
+	 * @return
+	 */
+	public static Map<String, String> concertPropertiesToMap(Properties properties) {
+		return new HashMap<String, String>((Map) properties);
+				
+		//INFO Java8 solution ;)
+		//		return properties.entrySet().stream().collect(
+//			    Collectors.toMap(
+//			            e -> e.getKey().toString(),
+//			            e -> e.getValue().toString()
+//			       )
+//			   );
+		
+	}
+	
 	/**
 	 * Extract the first child of an input key after a the prefix
 	 * 
diff --git a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java
index 07ba6a89e..b6fd8de8e 100644
--- a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java
+++ b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java
@@ -1,5 +1,8 @@
 package at.gv.egovernment.moa.id.auth;
 
+import java.util.Map;
+import java.util.Map.Entry;
+
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRegistration;
@@ -147,8 +150,19 @@ public class MOAIDAuthSpringInitializer implements WebApplicationInitializer {
 //			servletContext.addFilter("vHost RequestFilter", new VHostUrlRewriteServletFilter(rootContext))
 //				.addMappingForUrlPatterns(null, false, "/*");
 						
-			Logger.info("Basic Context initalisation finished --> Start MOA-ID-Auth initialisation process ...");
+			Logger.info("Basic Context initalisation finished --> Start MOA-ID-Auth initialization process ...");
 			MOAIDAuthInitializer.initialize(rootContext);
+			
+			
+			//initialize object that implements the IPostStartupInitializeable interface
+			Map<String, IPostStartupInitializable> objForInitialization = rootContext.getBeansOfType(IPostStartupInitializable.class);
+			for (Entry<String, IPostStartupInitializable> el : objForInitialization.entrySet()) {
+				Logger.debug("Starting post start-up initialization of '" + el.getKey() + "' ..." );
+				el.getValue().executeAfterStartup();
+				Logger.info("Post start-up initialization of '" + el.getKey() + "' finished." );
+				
+			}
+							
 			Logger.info(MOAIDMessageProvider.getInstance().getMessage(
 					"init.00", null));			
 			Logger.info("MOA-ID-Auth initialization finished.");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 01b202a88..adf6c4979 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -67,6 +67,8 @@ public class Constants {
 	public static final String CONIG_PROPS_EIDAS_NODE_COUNTRY = CONIG_PROPS_EIDAS_NODE + ".country";
 	public static final String CONIG_PROPS_EIDAS_NODE_LoA = CONIG_PROPS_EIDAS_NODE + ".LoA";	
 	
+	public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
+	
 	
 	
 	//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index a0330903b..76cc12e44 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -25,18 +25,20 @@ import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.IDestroyableObject;
 import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
+import at.gv.egovernment.moa.id.auth.IPostStartupInitializable;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
 import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.engine.AbstractProtocolEngine;
 
 @Service("eIDASMetadataProvider")
 public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider implements ObservableMetadataProvider, 
-	IGarbageCollectorProcessing, IDestroyableObject, IMOARefreshableMetadataProvider {
+	IGarbageCollectorProcessing, IDestroyableObject, IMOARefreshableMetadataProvider, IPostStartupInitializable{
 
 	private Timer timer = null;
 	
@@ -62,6 +64,31 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider
 		lastAccess = new HashMap<String, Date>();
 				
 	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.IPostStartupInitializable#executeAfterStartup()
+	 */
+	@Override
+	public void executeAfterStartup() {
+		initializeEidasMetadataFromFileSystem();
+		
+	}
+	
+	protected void initializeEidasMetadataFromFileSystem() {
+		Map<String, String> metadataToLoad = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX);
+		if (!metadataToLoad.isEmpty()) {
+			Logger.info("Load static configurated eIDAS metadata ... ");			
+			for (String metaatalocation : metadataToLoad.values()) {
+				String absMetadataLocation = FileUtils.makeAbsoluteURL(metaatalocation, authConfig.getRootConfigFileDir());				
+				Logger.info("  Load eIDAS metadata from: " + absMetadataLocation);
+				refreshMetadataProvider(absMetadataLocation);
+				
+			}
+			
+			Logger.info("Load static configurated eIDAS metadata finished ");
+		}		
+	}
+	
 	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
@@ -358,4 +385,5 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider
 			if (observer != null)
 				observer.onEvent(this);
 	}
+
 }
-- 
cgit v1.2.3


From fab8bb66ea62eb23e806ad280008c5f722d684ec Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 27 Jul 2017 16:58:46 +0200
Subject: add eIDAS to StatisticLogger.java

---
 .../at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java   | 6 +++++-
 .../at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java     | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index 6f700d1cb..b57e6ed69 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -289,7 +289,11 @@ public class StatisticLogger implements IStatisticLogger{
 				if (moasession != null) {
 					if (MiscUtil.isNotEmpty(moasession.getBkuURL())) {
 						dblog.setBkuurl(moasession.getBkuURL());
-						dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA));
+						if (moasession.isForeigner()) {
+							dblog.setBkutype(IOAAuthParameters.EIDAS);
+
+						} else							
+							dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA));
 					}
 		
 					dblog.setMandatelogin(moasession.isMandateUsed());
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index 1aea8d7b6..971e401ca 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -42,6 +42,7 @@ public interface IOAAuthParameters {
 	public static final String HANDYBKU = "handy";
 	public static final String LOCALBKU = "local";
 	public static final String INDERFEDERATEDIDP = "interfederated";
+	public static final String EIDAS = "eIDAS";
 
 	/**
 	 * Get the full key/value configuration for this online application
-- 
cgit v1.2.3


From 41275a296c73a5ecb29d52829116f4b6e99ce006 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 6 Sep 2017 12:39:48 +0200
Subject: add xsd schema for eIDAS specific SAML2 extensions

---
 .../java/at/gv/egovernment/moa/util/Constants.java |  9 ++++++-
 .../resources/schemas/eIDAS_saml_extensions.xsd    | 31 ++++++++++++++++++++++
 .../auth/modules/eidas/utils/SAMLEngineUtils.java  |  4 +++
 .../resources/schema/eIDAS_saml_extensions.xsd     | 31 ++++++++++++++++++++++
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
 create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 129478270..2a4e3b362 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -394,6 +394,12 @@ public interface Constants {
   public static final String SAML2_METADATA_SCHEMA_LOCATION =
     SCHEMA_ROOT + "saml-schema-metadata-2.0.xsd";
   
+  
+  /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/
+  public static final String  SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
+  public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions";
+  public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd";
+  
   /**
    * Contains all namespaces and local schema locations for XML schema
    * definitions relevant for MOA. For use in validating XML parsers.
@@ -427,7 +433,8 @@ public interface Constants {
       + (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ")
       + (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ")
       + (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ")
-      + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION);
+      + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION)
+      + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
 
   /** URN prefix for bPK and wbPK. */
   public static final String URN_PREFIX = "urn:publicid:gv.at";
diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+	<xsd:element name="SPType" type="eidas:SPTypeType"/>
+	<xsd:simpleType name="SPTypeType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="public"/>
+			<xsd:enumeration value="private"/>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	<xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+	<xsd:complexType name="RequestedAttributesType">
+		<xsd:sequence>
+			<xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+	<xsd:complexType name="RequestedAttributeType">
+		<xsd:sequence>
+			<xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+		</xsd:sequence>
+		<xsd:attribute name="Name" type="xsd:string" use="required"/>
+		<xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+		<xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+		<xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+		<xsd:anyAttribute namespace="##other" processContents="lax" />
+	</xsd:complexType>
+	
+</xsd:schema>
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index d469ca28c..02a5df098 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -28,6 +28,7 @@ import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.XMLConfigurator;
 
@@ -107,6 +108,9 @@ public class SAMLEngineUtils {
 				//overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
 				initOpenSAMLConfig("own-saml-eidasnode-config.xml");
 				
+				//add eIDAS specific SAML2 extensions to eIDAS Schema validatior
+				SAMLSchemaBuilder.addExtensionSchema(
+						at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
 				
 				eIDASEngine = engine;
 				
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+	<xsd:element name="SPType" type="eidas:SPTypeType"/>
+	<xsd:simpleType name="SPTypeType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="public"/>
+			<xsd:enumeration value="private"/>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	<xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+	<xsd:complexType name="RequestedAttributesType">
+		<xsd:sequence>
+			<xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+	<xsd:complexType name="RequestedAttributeType">
+		<xsd:sequence>
+			<xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+		</xsd:sequence>
+		<xsd:attribute name="Name" type="xsd:string" use="required"/>
+		<xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+		<xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+		<xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+		<xsd:anyAttribute namespace="##other" processContents="lax" />
+	</xsd:complexType>
+	
+</xsd:schema>
-- 
cgit v1.2.3


From cfc0d2f6db21b4a07ef80ec31d589cbeb1f32a92 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 6 Sep 2017 14:31:25 +0200
Subject: add static variable and update demo OA

---
 .../egovernment/moa/id/demoOA/Configuration.java   |   8 +
 .../at/gv/egovernment/moa/id/demoOA/Constants.java |   1 +
 .../moa/id/demoOA/servlet/pvp2/Authenticate.java   | 119 ++++++-----
 .../moa/id/demoOA/servlet/pvp2/BuildMetadata.java  |  11 +-
 .../id/demoOA/servlet/pvp2/DemoApplication.java    | 225 ++++++++++++---------
 .../moa/id/commons/api/IOAAuthParameters.java      |   1 +
 6 files changed, 220 insertions(+), 145 deletions(-)

(limited to 'id/server/moa-id-commons/src')

diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
index 95347c265..09069ac7f 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
@@ -174,6 +174,14 @@ public class Configuration {
 	}
 	
 	
+	public boolean useRedirectBindingRequest() {
+		return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.req.redirect", "true"));
+	}
+	
+	public boolean useRedirectBindingResponse() {
+		return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.resp.redirect", "false"));
+	}
+	
 	public void initializePVP2Login() throws ConfigurationException {
 		if (!pvp2logininitialzied)
 			initalPVP2Login();
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
index d6d2b32da..00e7c3619 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
@@ -34,4 +34,5 @@ public class Constants {
 	public static final String SESSION_NAMEID = "pvp2nameID";
 
 	public static final String SESSION_NAMEIDFORMAT = "pvp2nameIDFormat";
+		
 }
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
index 2641797ed..4c909ff80 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
@@ -34,11 +34,15 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
 import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
 import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
@@ -107,8 +111,13 @@ public class Authenticate extends HttpServlet {
 			SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
 			authReq.setID(gen.generateIdentifier());
 			
+			String relayState = String.valueOf(RandomUtils.nextLong());
 			
-			authReq.setAssertionConsumerServiceIndex(0);
+			if (config.useRedirectBindingResponse())
+				authReq.setAssertionConsumerServiceIndex(1);
+			else
+				authReq.setAssertionConsumerServiceIndex(0);
+				
 			authReq.setAttributeConsumingServiceIndex(0);
 			
 			authReq.setIssueInstant(new DateTime());
@@ -152,17 +161,24 @@ public class Authenticate extends HttpServlet {
 			for (SingleSignOnService sss : 
 					idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
 				
-//				//Get the service address for the binding you wish to use
-//				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { 
-//					redirectEndpoint = sss;  
-//				}
+				//Get the service address for the binding you wish to use
+				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && !config.useRedirectBindingRequest()) { 
+					redirectEndpoint = sss;  
+				}
 				
 				//Get the service address for the binding you wish to use
-				if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { 
+				if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && config.useRedirectBindingRequest()) { 
 					redirectEndpoint = sss;  
 				}  
 				
 			}
+			
+			if (redirectEndpoint == null) {
+				log.warn("Can not find valid EndPoint for SAML2 response");
+				throw new ConfigurationException("Can not find valid EndPoint for SAML2 response");
+				
+			}
+			
 			authReq.setDestination(redirectEndpoint.getLocation());
 			
 			//authReq.setDestination("http://test.test.test");
@@ -195,49 +211,54 @@ public class Authenticate extends HttpServlet {
 			signer.setSigningCredential(authcredential);
 			authReq.setSignature(signer);
 
-			//generate Http-POST Binding message
-//			VelocityEngine engine = new VelocityEngine();
-//			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-//			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
-//			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-//			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
-//			engine.setProperty("classpath.resource.loader.class",
-//					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
-//			engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
-//					"org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
-//			engine.init();
-//
-//			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
-//					"templates/pvp_postbinding_template.html");
-//			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
-//					response, true);
-//			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
-//			SingleSignOnService service = new SingleSignOnServiceBuilder()
-//					.buildObject();
-//			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
-//			service.setLocation(redirectEndpoint.getLocation());;
-//			
-//			context.setOutboundSAMLMessageSigningCredential(authcredential);
-//			context.setPeerEntityEndpoint(service);
-//			context.setOutboundSAMLMessage(authReq);
-//			context.setOutboundMessageTransport(responseAdapter);
-
-			//generate Redirect Binding message
-			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
-			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
-					response, true);
-			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
-			SingleSignOnService service = new SingleSignOnServiceBuilder()
-					.buildObject();
-			service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-			service.setLocation(redirectEndpoint.getLocation());
-			context.setOutboundSAMLMessageSigningCredential(authcredential);
-			context.setPeerEntityEndpoint(service);
-			context.setOutboundSAMLMessage(authReq);
-			context.setOutboundMessageTransport(responseAdapter);
-			//context.setRelayState(relayState);
-			
-			encoder.encode(context);
+		
+			if (!config.useRedirectBindingRequest()) {			
+				//generate Http-POST Binding message
+				VelocityEngine engine = new VelocityEngine();
+				engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+				engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+				engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+				engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+				engine.setProperty("classpath.resource.loader.class",
+						"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+				engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
+						"org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
+				engine.init();
+	
+				HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+						"templates/pvp_postbinding_template.html");
+				HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+						response, true);
+				BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+				SingleSignOnService service = new SingleSignOnServiceBuilder()
+						.buildObject();
+				service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+				service.setLocation(redirectEndpoint.getLocation());;				
+				context.setOutboundSAMLMessageSigningCredential(authcredential);
+				context.setPeerEntityEndpoint(service);
+				context.setOutboundSAMLMessage(authReq);
+				context.setOutboundMessageTransport(responseAdapter);
+				context.setRelayState(relayState);
+				encoder.encode(context);
+				
+			} else {
+				//generate Redirect Binding message
+				HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
+				HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+						response, true);
+				BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+				SingleSignOnService service = new SingleSignOnServiceBuilder()
+						.buildObject();
+				service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+				service.setLocation(redirectEndpoint.getLocation());
+				context.setOutboundSAMLMessageSigningCredential(authcredential);
+				context.setPeerEntityEndpoint(service);
+				context.setOutboundSAMLMessage(authReq);
+				context.setOutboundMessageTransport(responseAdapter);			
+				context.setRelayState(relayState);				
+				encoder.encode(context);
+				
+			}
 
 		} catch (Exception e) {
 			log.warn("Authentication Request can not be generated", e);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
index 75b54cfc4..d28f94fd6 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -234,13 +234,20 @@ public class BuildMetadata extends HttpServlet {
 
 			//set HTTP-POST Binding assertion consumer service
 			AssertionConsumerService postassertionConsumerService = 
-					SAML2Utils.createSAMLObject(AssertionConsumerService.class);
-			
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);			
 			postassertionConsumerService.setIndex(0);
 			postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 			postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);		
 			spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
 			
+			//set HTTP-Redirect Binding assertion consumer service
+			AssertionConsumerService redirectassertionConsumerService = 
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);			
+			redirectassertionConsumerService.setIndex(1);
+			redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+			redirectassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);		
+			spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
+			
 			//set Single Log-Out service
 			SingleLogoutService sloService =  SAML2Utils.createSAMLObject(SingleLogoutService.class);
 			sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
index cfc170011..31a3be7e2 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -38,6 +38,9 @@ import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeStatement;
 import org.opensaml.saml2.core.EncryptedAssertion;
@@ -46,10 +49,14 @@ import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.encryption.Decrypter;
 import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.security.MetadataCredentialResolver;
 import org.opensaml.security.MetadataCredentialResolverFactory;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.security.SecurityPolicyResolver;
+import org.opensaml.ws.security.provider.BasicSecurityPolicy;
+import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
 import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
 import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
@@ -101,11 +108,40 @@ public class DemoApplication extends HttpServlet {
 			return;
 		}
 		
-		if (method.equals("POST")) {
-		
-			try {
-				Configuration config = Configuration.getInstance();
+		try {
+			Configuration config = Configuration.getInstance();
+			Response samlResponse = null;
+			
+			if (method.equals("GET")) {
+				HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
+				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+				
+				messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+				messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+				
+				messageContext.setMetadataProvider(config.getMetaDataProvier());
+				
+				MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier());
+				List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+				keyInfoProvider.add(new DSAKeyValueProvider());
+				keyInfoProvider.add(new RSAKeyValueProvider());
+				keyInfoProvider.add(new InlineX509DataProvider());
+				KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+						keyInfoProvider);
+				ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+						resolver, keyInfoResolver);
+				
+				SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine);
+				SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+				BasicSecurityPolicy policy = new BasicSecurityPolicy();
+				policy.getPolicyRules().add(signatureRule);
+				policy.getPolicyRules().add(signedRole);		
+				SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);		
+				messageContext.setSecurityPolicyResolver(resolver1);
 				
+				decode.decode(messageContext);
+			
+			} else if (method.equals("POST")) {				
 				//Decode with HttpPost Binding
 				HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
 				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
@@ -114,7 +150,7 @@ public class DemoApplication extends HttpServlet {
 							request));
 				decode.decode(messageContext);
 				
-				Response samlResponse = (Response) messageContext.getInboundMessage();
+				samlResponse = (Response) messageContext.getInboundMessage();
 			
 				Signature sign = samlResponse.getSignature();
 				if (sign == null) {
@@ -148,116 +184,117 @@ public class DemoApplication extends HttpServlet {
 				ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
 				trustEngine.validate(sign, criteriaSet);
 				
-				log.info("PVP2 Assertion is valid");
+				log.info("PVP2 Assertion  with POST-Binding is valid");
 				
-				//set assertion
-				org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
-				String assertion = DOMUtils.serializeNode(doc);				
-				bean.setAssertion(assertion);
+			} else {
+				bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+				setAnser(request, response, bean);
+				return;
 				
-				if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+			}
 			
-					List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-					
-					//check encrypted Assertion
-					List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
-					if (encryAssertionList != null && encryAssertionList.size() > 0) {
-						//decrypt assertions
-						
-						log.debug("Found encryped assertion. Start decryption ...");
-						
-						KeyStore keyStore = config.getPVP2KeyStore();
-						
-						X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
-								keyStore, 
-								config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
-								config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
-						
-						
-						StaticKeyInfoCredentialResolver skicr =
-								  new StaticKeyInfoCredentialResolver(authDecCredential);
-						
-						ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
-						encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
-						encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
-						encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-						
-						Decrypter samlDecrypter =
-								new Decrypter(null, skicr, encryptedKeyResolver);
-						
-						for (EncryptedAssertion encAssertion : encryAssertionList) {							
-							saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
-						}
-						
-						log.debug("Assertion decryption finished. ");
-						
-					} else {
-						saml2assertions = samlResponse.getAssertions();
+			//set assertion
+			org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+			String assertion = DOMUtils.serializeNode(doc);				
+			bean.setAssertion(assertion);
+			
+			if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+		
+				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
 				
-					}
+				//check encrypted Assertion
+				List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+				if (encryAssertionList != null && encryAssertionList.size() > 0) {
+					//decrypt assertions
 					
-					String givenName = null;
-					String familyName = null;
-					String birthday = null;
+					log.debug("Found encryped assertion. Start decryption ...");
 					
-					for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-						
-						//loop through the nodes to get what we want
-						List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
-						for (int i = 0; i < attributeStatements.size(); i++)
-						{
-							List<Attribute> attributes = attributeStatements.get(i).getAttributes();
-							for (int x = 0; x < attributes.size(); x++)
-							{
-								String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+					KeyStore keyStore = config.getPVP2KeyStore();
+					
+					X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+							keyStore, 
+							config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+							config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+					
+					
+					StaticKeyInfoCredentialResolver skicr =
+							  new StaticKeyInfoCredentialResolver(authDecCredential);
+					
+					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+					
+					Decrypter samlDecrypter =
+							new Decrypter(null, skicr, encryptedKeyResolver);
+					
+					for (EncryptedAssertion encAssertion : encryAssertionList) {							
+						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
 
-								if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
-									familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-								if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
-									givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-								
-								if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
-									birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-								}								
-							}
-						}						
-						request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
-								saml2assertion.getSubject().getNameID().getFormat());
-						request.getSession().setAttribute(Constants.SESSION_NAMEID, 
-								saml2assertion.getSubject().getNameID().getValue());
-						
 					}
-										
-					bean.setDateOfBirth(birthday);
-					bean.setFamilyName(familyName);
-					bean.setGivenName(givenName);
-					bean.setLogin(true);
-										
-					setAnser(request, response, bean);
-					return;
 					
+					log.debug("Assertion decryption finished. ");
 					
 				} else {
-					bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
-					setAnser(request, response, bean);
-					return;
+					saml2assertions = samlResponse.getAssertions();
+			
+				}
+				
+				String givenName = null;
+				String familyName = null;
+				String birthday = null;
+				
+				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+					
+					//loop through the nodes to get what we want
+					List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+					for (int i = 0; i < attributeStatements.size(); i++)
+					{
+						List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+						for (int x = 0; x < attributes.size(); x++)
+						{
+							String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+
+							if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
+								familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+							if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
+								givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+							
+							if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+								birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+							}								
+						}
+					}						
+					request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
+							saml2assertion.getSubject().getNameID().getFormat());
+					request.getSession().setAttribute(Constants.SESSION_NAMEID, 
+							saml2assertion.getSubject().getNameID().getValue());
 					
 				}
+									
+				bean.setDateOfBirth(birthday);
+				bean.setFamilyName(familyName);
+				bean.setGivenName(givenName);
+				bean.setLogin(true);
+									
+				setAnser(request, response, bean);
+				return;
+				
 				
-			} catch (Exception e) {
-				log.warn(e);
-				bean.setErrorMessage("Internal Error: " + e.getMessage());
+			} else {
+				bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
 				setAnser(request, response, bean);
 				return;
+				
 			}
 			
-		} else {
-			bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+		} catch (Exception e) {
+			log.warn(e);
+			bean.setErrorMessage("Internal Error: " + e.getMessage());
 			setAnser(request, response, bean);
 			return;
-			
 		}
+					
 	}	
 	
 	private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index 971e401ca..bba6d0541 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -43,6 +43,7 @@ public interface IOAAuthParameters {
 	public static final String LOCALBKU = "local";
 	public static final String INDERFEDERATEDIDP = "interfederated";
 	public static final String EIDAS = "eIDAS";
+	public static final String AUTHTYPE_OTHERS = "others";
 
 	/**
 	 * Get the full key/value configuration for this online application
-- 
cgit v1.2.3