From dc2fb6695f44e3e01088e8a986ae1ac98b1743b1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 29 May 2018 07:42:26 +0200
Subject: update SL2.0 module to support more than one VDA backend

---
 .../moa/id/auth/modules/sl20_auth/Constants.java   |  7 +++---
 .../sl20_auth/tasks/CreateQualeIDRequestTask.java  | 29 +++++++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
index 7a58648cc..920187bfb 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -5,9 +5,8 @@ public class Constants {
 	public static final String HTTP_ENDPOINT_DATAURL = "/sl20/dataUrl";
 	
 	public static final String CONFIG_PROP_PREFIX = "modules.sl20";
-	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
-	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";
-	
+	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
+	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";	
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PATH = CONFIG_PROP_PREFIX + ".security.keystore.path";
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD = CONFIG_PROP_PREFIX + ".security.keystore.password";
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS = CONFIG_PROP_PREFIX + ".security.sign.alias";
@@ -15,6 +14,8 @@ public class Constants {
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS = CONFIG_PROP_PREFIX + ".security.encryption.alias";;
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD = CONFIG_PROP_PREFIX + ".security.encryption.password";
 	
+	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST = CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ".";
+	public static final String CONFIG_PROP_SP_LIST = CONFIG_PROP_PREFIX + ".sp.entityIds.";
 	
 	public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";
 	
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index b1dfa9b0d..d9ff9d93c 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.UUID;
 
 import javax.net.ssl.SSLSocketFactory;
@@ -38,6 +39,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -59,9 +61,9 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration();
 				
 				//get basic configuration parameters
-				String vdaQualeIDUrl = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID);				
+				String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig);				
 				if (MiscUtil.isEmpty(vdaQualeIDUrl)) {
-					Logger.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID + ")");
+					Logger.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ")");
 					throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"});
 					
 				}
@@ -165,8 +167,29 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				
 			}
 			
+	}
+	
+	private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig) {		
+		Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
+		Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST);
+		
+		for (Entry<String, String> el : listOfSPs.entrySet()) {
+			List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue());
+			if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) {
+				Logger.trace("Select VDA endPoint with Id: " + el.getKey());
+				if (listOfVDAs.containsKey(el.getKey()))					
+					return listOfVDAs.get(el.getKey());
+				
+				else
+					Logger.info("No VDA endPoint with Id: " + el.getKey());
+				
+			} else
+				Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix());
 			
-
+		}
+		
+		Logger.debug("NO SP specific VDA endpoint found. Use default VDA");
+		return authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT);
 		
 	}
 
-- 
cgit v1.2.3


From 52ad604e54cb91073503d708cd0c50ff0121174a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 30 May 2018 06:29:29 +0200
Subject: add additional validation to SL20 module

---
 .../modules/sl20_auth/sl20/JsonSecurityUtils.java  |  67 +++++++++--
 .../sl20/verifier/QualifiedeIDVerifier.java        | 132 +++++++++++++++++++++
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        |   5 +-
 3 files changed, 193 insertions(+), 11 deletions(-)
 create mode 100644 id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index e0965c712..d00ef8a04 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -5,6 +5,9 @@ import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
 import java.util.List;
 
 import javax.annotation.PostConstruct;
@@ -14,6 +17,8 @@ import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
 import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwx.JsonWebStructure;
+import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
 import org.jose4j.lang.JoseException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
@@ -33,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.utils.X509Utils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.KeyStoreUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 @Service
 public class JsonSecurityUtils implements IJOSETools{
@@ -44,6 +50,8 @@ public class JsonSecurityUtils implements IJOSETools{
 	private Key encPrivKey = null;
 	private X509Certificate[] encCertChain = null;
 	
+	private List<X509Certificate> trustedCerts = new ArrayList<X509Certificate>();
+	
 	@PostConstruct
 	protected void initalize() {
 		Logger.info("Initialize SL2.0 authentication security constrains ... ");
@@ -83,6 +91,21 @@ public class JsonSecurityUtils implements IJOSETools{
 		
 			}
 			
+			//load trusted certificates
+			Enumeration<String> aliases = keyStore.aliases();
+			while(aliases.hasMoreElements()) {
+				String el = aliases.nextElement();
+				Logger.trace("Process TrustStoreEntry: " + el);
+				if (keyStore.isCertificateEntry(el)) {
+					Certificate cert = keyStore.getCertificate(el); 
+					if (cert != null && cert instanceof X509Certificate)
+						trustedCerts.add((X509Certificate) cert);
+					else
+						Logger.info("Can not process entry: " + el + ". Reason: " + cert.toString());
+					
+				}
+			}
+			
 			//some short validation
 			if (signPrivKey == null || !(signPrivKey instanceof PrivateKey)) {
 				Logger.info("Can NOT open privateKey for SL2.0 signing. KeyStore=" + getKeyStoreFilePath());
@@ -144,18 +167,42 @@ public class JsonSecurityUtils implements IJOSETools{
 					SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()])));
 			
 			//load signinc certs
+			Key selectedKey = null;
 			List<X509Certificate> x5cCerts = jws.getCertificateChainHeaderValue();
-			List<X509Certificate> sortedX5cCerts  = null;
-			if (x5cCerts == null || x5cCerts.size() < 1) {
-				Logger.info("Signed SL2.0 response contains NO signature certificate");
-				throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate");
+			String x5t256 = jws.getX509CertSha256ThumbprintHeaderValue();
+			if (x5cCerts != null) {
+				Logger.debug("Found x509 certificate in JOSE header ... ");
+				Logger.trace("Sorting received X509 certificates ... ");
+				List<X509Certificate> sortedX5cCerts  = X509Utils.sortCertificates(x5cCerts);
+				
+				if (trustedCerts.contains(sortedX5cCerts.get(0))) {
+					selectedKey = sortedX5cCerts.get(0).getPublicKey();
+					
+				} else {
+					Logger.info("Can NOT find JOSE certificate in truststore.");
+					Logger.debug("JOSE certificate: " + sortedX5cCerts.get(0).toString());
+					
+				}
 				
-			} 
-			Logger.trace("Sorting received X509 certificates ... ");
-			sortedX5cCerts = X509Utils.sortCertificates(x5cCerts);
-							
+			} else if (MiscUtil.isNotEmpty(x5t256)) {
+				Logger.debug("Found x5t256 fingerprint in JOSE header .... ");
+				X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(trustedCerts);
+				selectedKey = x509VerificationKeyResolver.resolveKey(jws, Collections.<JsonWebStructure>emptyList());
+				
+			} else {
+				Logger.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
+				throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
+				
+			}
+					
+			if (selectedKey == null) {
+				Logger.info("Can NOT select verification key for JWS. Signature verification FAILED.");
+				throw new SLCommandoParserException("Can NOT select verification key for JWS. Signature verification FAILED");
+				
+			}
+			
 			//set verification key
-			jws.setKey(sortedX5cCerts.get(0).getPublicKey());
+			jws.setKey(selectedKey);
 			
 			//validate signature
 			boolean valid = jws.verifySignature();
@@ -169,7 +216,7 @@ public class JsonSecurityUtils implements IJOSETools{
 			//load payLoad
 			JsonElement sl20Req = new JsonParser().parse(jws.getPayload());
 			
-			return new VerificationResult(sl20Req.getAsJsonObject(), sortedX5cCerts, valid) ;
+			return new VerificationResult(sl20Req.getAsJsonObject(), null, valid) ;
 			
 		} catch (JoseException e) {
 			Logger.warn("SL2.0 commando signature validation FAILED", e);
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
new file mode 100644
index 000000000..7d03a43ac
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -0,0 +1,132 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;
+
+import java.io.IOException;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+
+import javax.xml.bind.DatatypeConverter;
+import javax.xml.transform.TransformerException;
+
+import org.jaxen.SimpleNamespaceContext;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
+import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.auth.exception.ServiceException;
+import at.gv.egovernment.moa.id.auth.exception.ValidateException;
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
+import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
+import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureRequestBuilder;
+import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.api.impl.VerifyXMLSignatureRequestImpl;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
+
+
+public class QualifiedeIDVerifier {
+
+	 /** Xpath expression to the dsig:Signature element */
+	  private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature";
+	  
+	  private static final String XADES_1_1_1_SIGNINGTIME_PATH = "//" + Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime";
+	  private static final String XADES_1_3_2_SIGNINGTIME_PATH = "//" + Constants.XADES_1_3_2_NS_PREFIX + ":SigningTime";
+	  
+	  
+	  private static final long MAX_DIFFERENCE_IN_MILLISECONDS = 600000; // 10min
+	  
+
+	  private static SimpleNamespaceContext NS_CONTEXT;
+	  static {
+	    NS_CONTEXT = new SimpleNamespaceContext();
+	    NS_CONTEXT.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI);
+	    NS_CONTEXT.addNamespace(Constants.XADES_1_2_2_NS_PREFIX, Constants.XADES_1_2_2_NS_URI);
+	    NS_CONTEXT.addNamespace(Constants.XADES_1_3_2_NS_PREFIX, Constants.XADES_1_3_2_NS_URI);
+	    NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI);
+	  }
+	
+	public static boolean verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {		
+		// validates the identity link
+		IdentityLinkValidator.getInstance().validate(idl);
+		
+		// builds a <VerifyXMLSignatureRequest> for a call of MOA-SP
+		Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
+				.build(idl, authConfig.getMoaSpIdentityLinkTrustProfileID(oaParam.isUseIDLTestTrustStore()));
+
+		// invokes the call
+		Element domVerifyXMLSignatureResponse = SignatureVerificationInvoker.getInstance()
+				.verifyXMLSignature(domVerifyXMLSignatureRequest);
+		
+		// parses the <VerifyXMLSignatureResponse>
+		IVerifiyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(domVerifyXMLSignatureResponse).parseData();
+				
+		// validates the <VerifyXMLSignatureResponse>
+		VerifyXMLSignatureResponseValidator.getInstance().validate(
+			verifyXMLSignatureResponse,
+			authConfig.getIdentityLinkX509SubjectNames(),
+			VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
+			oaParam);
+
+		
+		return false;
+		
+	}
+	
+	public static IVerifiyXMLSignatureResponse verifyAuthBlock(byte[] authblock, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {
+		String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore());
+		List<String> verifyTransformsInfoProfileID = null;
+		
+		SignatureVerificationUtils sigVerify = new SignatureVerificationUtils();
+		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(authblock, trustProfileId , verifyTransformsInfoProfileID);
+						
+		// validates the <VerifyXMLSignatureResponse>
+		VerifyXMLSignatureResponseValidator.getInstance().validate(sigVerifyResult,
+					null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, oaParam);
+
+		return sigVerifyResult;
+				
+	}
+	
+	public static boolean checkIDLAgainstAuthblock(IVerifiyXMLSignatureResponse sigVerifyResult, IIdentityLink idl, byte[] authBlock) throws ValidateException {
+		
+		try {        
+			// compares the public keys from the identityLink with the AuthBlock
+			VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(sigVerifyResult, idl);
+
+			
+			// Compare AuthBlock Data with information stored in session, especially
+			// date and time
+			validateSigningDateTime(sigVerifyResult);
+			
+		} catch ( ValidateException e) {
+			Logger.error("Signature verification error. ", e);
+			throw e; 
+			
+		}
+		
+		
+		return false;
+		
+	}
+	
+	private static boolean validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult) throws ValidateException {
+		Date signingDate = sigVerifyResult.getSigningDateTime();
+		
+		
+			  
+		return false;
+	  }
+	
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 698546a4f..90e19326e 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -37,6 +37,7 @@ import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONBuilderUtils
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONExtractorUtils;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
@@ -128,11 +129,13 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				
 				
 				//TODO: validate results
+				IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink();
+				
 				
 				
 				//add into session
 				defaultTaskInitialization(request, executionContext);
-				moasession.setIdentityLink(new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink());
+				moasession.setIdentityLink(idl);
 				moasession.setBkuURL(ccsURL);
 				//TODO: from AuthBlock
 				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
-- 
cgit v1.2.3


From ecf9de84e76dde785ced8c1632c7909d1d57f94a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 30 May 2018 14:36:39 +0200
Subject: add error handling and some more validation to SL2.0 module

---
 .../moa/id/auth/modules/sl20_auth/Constants.java   |   4 +
 .../auth/modules/sl20_auth/SL20SignalServlet.java  |   7 +-
 .../exceptions/SL20eIDDataValidationException.java |  16 +
 .../modules/sl20_auth/sl20/JsonSecurityUtils.java  |   2 +-
 .../auth/modules/sl20_auth/sl20/SL20Constants.java |   2 +
 .../sl20_auth/sl20/SL20JSONExtractorUtils.java     |  61 +++-
 .../sl20/verifier/QualifiedeIDVerifier.java        |  99 +++++--
 .../sl20_auth/tasks/CreateQualeIDRequestTask.java  |  29 +-
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        | 327 +++++++++++----------
 .../sl20_auth/tasks/VerifyQualifiedeIDTask.java    | 180 ++++++++++++
 10 files changed, 529 insertions(+), 198 deletions(-)
 create mode 100644 id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java
 create mode 100644 id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
index 920187bfb..a3648220d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth;
 public class Constants {
 
 	public static final String HTTP_ENDPOINT_DATAURL = "/sl20/dataUrl";
+	public static final String HTTP_ENDPOINT_RESUME = "/sl20/resume";
 	
 	public static final String CONFIG_PROP_PREFIX = "modules.sl20";
 	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
@@ -17,6 +18,9 @@ public class Constants {
 	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST = CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ".";
 	public static final String CONFIG_PROP_SP_LIST = CONFIG_PROP_PREFIX + ".sp.entityIds.";
 	
+	public static final String CONFIG_PROP_DISABLE_EID_VALIDATION = CONFIG_PROP_PREFIX + ".security.eID.validation.disable";
+	public static final String CONFIG_PROP_DISABLE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.enabled";
+	
 	public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";
 	
 	/**
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java
index 87d306822..4f8ef0a76 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java
@@ -44,11 +44,14 @@ public class SL20SignalServlet extends AbstractProcessEngineSignalController {
 	public SL20SignalServlet() {
 		super();
 		Logger.debug("Registering servlet " + getClass().getName() + 
-				" with mappings '"+ Constants.HTTP_ENDPOINT_DATAURL + "'.");
+				" with mappings '"+ Constants.HTTP_ENDPOINT_DATAURL + 
+				" and " + Constants.HTTP_ENDPOINT_RESUME + 
+				"'.");
 		
 	}
 	
-	@RequestMapping(value = { Constants.HTTP_ENDPOINT_DATAURL 							  
+	@RequestMapping(value = { Constants.HTTP_ENDPOINT_DATAURL,
+							  Constants.HTTP_ENDPOINT_RESUME
 							}, 
 					method = {RequestMethod.POST, RequestMethod.GET})
 	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java
new file mode 100644
index 000000000..957ace0fb
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/exceptions/SL20eIDDataValidationException.java
@@ -0,0 +1,16 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions;
+
+public class SL20eIDDataValidationException extends SL20Exception {
+	private static final long serialVersionUID = 1L;
+
+	public SL20eIDDataValidationException(Object[] parameters) {
+		super("sl20.07", parameters);
+		
+	}
+	
+	public SL20eIDDataValidationException(Object[] parameters, Throwable e) {
+		super("sl20.07", parameters, e);
+		
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index d00ef8a04..2563c7f7d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -105,7 +105,7 @@ public class JsonSecurityUtils implements IJOSETools{
 					
 				}
 			}
-			
+
 			//some short validation
 			if (signPrivKey == null || !(signPrivKey instanceof PrivateKey)) {
 				Logger.info("Can NOT open privateKey for SL2.0 signing. KeyStore=" + getKeyStoreFilePath());
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
index b855c3cac..33bb4fe36 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
@@ -12,6 +12,8 @@ public class SL20Constants {
 	
 	//http binding parameters
 	public static final String PARAM_SL20_REQ_COMMAND_PARAM = "slcommand";
+	public static final String PARAM_SL20_REQ_COMMAND_PARAM_OLD = "sl2command";
+	
 	public static final String PARAM_SL20_REQ_ICP_RETURN_URL_PARAM = "slIPCReturnUrl";
 	public static final String PARAM_SL20_REQ_TRANSACTIONID = "slTransactionID";
 	
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index e01945df0..6949b7a18 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -9,6 +9,7 @@ import java.util.Map;
 import java.util.Map.Entry;
 
 import org.apache.http.Header;
+import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.log4j.Logger;
@@ -163,19 +164,23 @@ public class SL20JSONExtractorUtils {
 			return result;
 		
 		else if (encryptedResult != null && encryptedResult.isJsonPrimitive()) {
-			/*TODO:
-			 * 
-			 * Remove dummy code and test real decryption!!!!!
-			 * 
-			 */			
-
-			//return decrypter.decryptPayload(encryptedResult.getAsString());
+			try {
+				return decrypter.decryptPayload(encryptedResult.getAsString());
+				
+			} catch (Exception e) {
+				log.info("Can NOT decrypt SL20 result. Reason:" + e.getMessage());
+				if (!mustBeEncrypted) {
+					log.warn("Decrypted results are disabled by configuration. Parse result in plain if it is possible");
 
-			//dummy code
-			String[] signedPayload = encryptedResult.toString().split("\\.");
-			JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
-			return payLoad;
-			
+					//dummy code
+					String[] signedPayload = encryptedResult.toString().split("\\.");
+					JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
+					return payLoad;
+					
+				} else
+					throw e;	
+				
+			}
 			
 		} else
 			throw new SLCommandoParserException("Internal build error");
@@ -241,13 +246,21 @@ public class SL20JSONExtractorUtils {
 			
 			} else if (httpResp.getStatusLine().getStatusCode() == 200) {
 				if (!httpResp.getEntity().getContentType().getValue().equals("application/json;charset=UTF-8"))
-					throw new SLCommandoParserException("SL20 response with a wrong ContentType: " + httpResp.getEntity().getContentType().getValue());
-					
-				sl20Resp = new JsonParser().parse(new InputStreamReader(httpResp.getEntity().getContent())).getAsJsonObject();
+					throw new SLCommandoParserException("SL20 response with a wrong ContentType: " + httpResp.getEntity().getContentType().getValue());					
+				sl20Resp = parseSL20ResultFromResponse(httpResp.getEntity());
 		
+			} else if ( (httpResp.getStatusLine().getStatusCode() == 500) || 
+					(httpResp.getStatusLine().getStatusCode() == 401) || 
+					(httpResp.getStatusLine().getStatusCode() == 400) ) {
+				log.info("SL20 response with http-code: " + httpResp.getStatusLine().getStatusCode() 
+						+ ". Search for error message");				
+				sl20Resp = parseSL20ResultFromResponse(httpResp.getEntity());
+				
+				
 			} else
 				throw new SLCommandoParserException("SL20 response with http-code: " + httpResp.getStatusLine().getStatusCode());
-				
+
+			log.info("Find JSON object in http response");
 			return sl20Resp;
 			
 		} catch (Exception e) {
@@ -256,6 +269,22 @@ public class SL20JSONExtractorUtils {
 		}		
 	}
 	
+	private static JsonObject parseSL20ResultFromResponse(HttpEntity resp) throws Exception {
+		if (resp != null && resp.getContent() != null) {			
+			JsonElement sl20Resp = new JsonParser().parse(new InputStreamReader(resp.getContent()));
+			if (sl20Resp != null && sl20Resp.isJsonObject()) {
+				return sl20Resp.getAsJsonObject();
+				
+			} else
+				throw new SLCommandoParserException("SL2.0 can NOT parse to a JSON object");
+			
+			
+		} else
+			throw new SLCommandoParserException("Can NOT find content in http response");
+ 					
+	}
+	
+	
 	private static JsonElement getAndCheck(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {
 		JsonElement internal = input.get(keyID);
 		
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
index 7d03a43ac..d07d7a78a 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -1,24 +1,17 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;
 
 import java.io.IOException;
-import java.util.Calendar;
 import java.util.Date;
-import java.util.GregorianCalendar;
 import java.util.List;
 
-import javax.xml.bind.DatatypeConverter;
-import javax.xml.transform.TransformerException;
-
 import org.jaxen.SimpleNamespaceContext;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
-import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
-import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.ServiceException;
 import at.gv.egovernment.moa.id.auth.exception.ValidateException;
 import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
 import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
 import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
 import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureRequestBuilder;
@@ -27,13 +20,12 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
-import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.spss.api.impl.VerifyXMLSignatureRequestImpl;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
+import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.DOMUtils;
-import at.gv.egovernment.moa.util.XPathUtils;
 
 
 public class QualifiedeIDVerifier {
@@ -57,7 +49,7 @@ public class QualifiedeIDVerifier {
 	    NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI);
 	  }
 	
-	public static boolean verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {		
+	public static void verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {		
 		// validates the identity link
 		IdentityLinkValidator.getInstance().validate(idl);
 		
@@ -79,17 +71,15 @@ public class QualifiedeIDVerifier {
 			VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
 			oaParam);
 
-		
-		return false;
-		
+				
 	}
 	
-	public static IVerifiyXMLSignatureResponse verifyAuthBlock(byte[] authblock, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {
+	public static IVerifiyXMLSignatureResponse verifyAuthBlock(String authBlockB64, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException, IOException {
 		String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore());
 		List<String> verifyTransformsInfoProfileID = null;
 		
 		SignatureVerificationUtils sigVerify = new SignatureVerificationUtils();
-		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(authblock, trustProfileId , verifyTransformsInfoProfileID);
+		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(Base64Utils.decode(authBlockB64, false), trustProfileId , verifyTransformsInfoProfileID);
 						
 		// validates the <VerifyXMLSignatureResponse>
 		VerifyXMLSignatureResponseValidator.getInstance().validate(sigVerifyResult,
@@ -99,20 +89,43 @@ public class QualifiedeIDVerifier {
 				
 	}
 	
-	public static boolean checkIDLAgainstAuthblock(IVerifiyXMLSignatureResponse sigVerifyResult, IIdentityLink idl, byte[] authBlock) throws ValidateException {
+	public static boolean checkConsistencyOfeIDData(String sl20ReqId, IIdentityLink idl, AssertionAttributeExtractor authBlockExtractor, IVerifiyXMLSignatureResponse sigVerifyResult) throws SL20eIDDataValidationException {
 		
 		try {        
 			// compares the public keys from the identityLink with the AuthBlock
 			VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(sigVerifyResult, idl);
 
+			//compare requestId from SL20 qualifiedeID command to ID from SAML2 assertion
+			String authBlockId = authBlockExtractor.getAssertionID();
+			if (MiscUtil.isEmpty(authBlockId)) {
+				Logger.info("AuthBlock containts no ID, but ID MUST be included");
+				throw new SL20eIDDataValidationException(new Object[] {
+						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+						"AuthBlock containts no ID, but ID MUST be included"
+				});
+			}
 			
+			if (!authBlockId.equals(sl20ReqId)) {
+				Logger.info("SL20 'requestId' does NOT match to AuthBlock Id."
+						+ " Expected : " + sl20ReqId
+						+ " Authblock: " + authBlockId);
+				throw new SL20eIDDataValidationException(new Object[] {
+						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+						"SL20 'requestId' does NOT match to AuthBlock Id."
+				});
+			}
+			
+						
 			// Compare AuthBlock Data with information stored in session, especially
 			// date and time
-			validateSigningDateTime(sigVerifyResult);
+			validateSigningDateTime(sigVerifyResult, authBlockExtractor);
 			
 		} catch ( ValidateException e) {
-			Logger.error("Signature verification error. ", e);
-			throw e; 
+			Logger.warn("Validation of eID information FAILED. ", e);
+			throw new SL20eIDDataValidationException(new Object[] {
+					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL,
+					e.getMessage()
+			});
 			
 		}
 		
@@ -121,12 +134,46 @@ public class QualifiedeIDVerifier {
 		
 	}
 	
-	private static boolean validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult) throws ValidateException {
+	private static void validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult, AssertionAttributeExtractor authBlockExtractor) throws SL20eIDDataValidationException {
 		Date signingDate = sigVerifyResult.getSigningDateTime();
+		Date notBefore = authBlockExtractor.getAssertionNotBefore();
+		Date notOrNotAfter = authBlockExtractor.getAssertionNotOnOrAfter();
 		
+		if (signingDate == null) {
+			Logger.info("AuthBlock signature contains NO signing data");
+			throw new SL20eIDDataValidationException(new Object[] {
+					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+					"AuthBlock signature contains NO signing data"
+			});
+			
+		}
 		
-			  
-		return false;
+		Logger.debug("AuthBlock signing data: " + signingDate.toString());
+
+		if (notBefore == null || notOrNotAfter == null) {
+			Logger.info("AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates");
+			throw new SL20eIDDataValidationException(new Object[] {
+					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+					"AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates"
+			});
+			
+		}
+		
+		Logger.debug("AuthBlock valid period."
+				+ " NotBefore:" + notBefore.toString() 
+				+ " NotOrNotAfter:" + notOrNotAfter.toString());
+		
+		if (signingDate.after(notBefore) || signingDate.before(notOrNotAfter))
+			Logger.debug("Signing date validation successfull");
+		
+		else {
+			Logger.info("AuthBlock signing date does NOT match to AuthBlock constrains");
+			throw new SL20eIDDataValidationException(new Object[] {
+					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+					"AuthBlock signing date does NOT match to AuthBlock constrains"
+			});
+			
+		}		
 	  }
 	
 }
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index d9ff9d93c..763454639 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -5,7 +5,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.UUID;
 
 import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.http.HttpServletRequest;
@@ -30,6 +29,7 @@ import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.IJOSETools;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20HttpBindingUtils;
@@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
 import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.Logger;
@@ -91,7 +92,8 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 						qualifiedeIDParams, 
 						joseTools.getEncryptionCertificate());
 								
-				String qualeIDReqId = UUID.randomUUID().toString();
+				//String qualeIDReqId = UUID.randomUUID().toString();
+				String qualeIDReqId = SAML2Utils.getSecureIdentifier();
 				String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools);
 				JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand);
 								
@@ -107,9 +109,16 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build());								
 				httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
 				List<NameValuePair> parameters = new ArrayList<NameValuePair>();;
-				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Req.toString()));
+				
+				//correct one
+				//parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())));
+				
+				//A-Trust current version
+				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM_OLD, sl20Req.toString()));
 				httpReq.setEntity(new UrlEncodedFormEntity(parameters ));				
 				
+				
+				
 				//request VDA
 				HttpResponse httpResp = httpClient.execute(httpReq);
 								
@@ -147,10 +156,22 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 					//TODO: maybe add SL2ClientType Header from execution context
 					SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL);
 													
+				} else if (respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString()
+						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR)) { 
+					JsonObject result = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_RESULT, false);
+					if (result  == null)
+						result = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, false);
+					
+					String errorCode = SL20JSONExtractorUtils.getStringValue(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE, true);
+					String errorMsg = SL20JSONExtractorUtils.getStringValue(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE, true);
+					
+					Logger.info("Receive SL2.0 error. Code:" + errorCode + " Msg:" + errorMsg);
+					throw new SL20Exception("sl20.08", new Object[]{errorCode, errorMsg});
+					
 				} else {
 					//TODO: update to add error handling
 					Logger.warn("Received an unrecognized command: " + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString());
-				
+					throw new SLCommandoParserException("Received an unrecognized command: \" + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString()");
 				}
 				
 				
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 90e19326e..b7fe579a3 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -1,9 +1,8 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
 
-import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.StringWriter;
 import java.security.cert.X509Certificate;
-import java.util.Calendar;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -13,7 +12,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.http.entity.ContentType;
-import org.jose4j.keys.X509Util;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -35,18 +33,12 @@ import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.IJOSETools;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONBuilderUtils;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONExtractorUtils;
-import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
-import at.gv.egovernment.moa.util.Base64Utils;
-import at.gv.egovernment.moa.util.DateTimeUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.Logger;
-import iaik.esi.sva.util.X509Utils;
-import iaik.utils.Util;
+
 
 @Component("ReceiveQualeIDTask")
 public class ReceiveQualeIDTask extends AbstractAuthServletTask {
@@ -57,173 +49,210 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
 			throws TaskExecutionException {
 		
-		Logger.debug("Receiving SL2.0 response process .... ");
 		try {
-			//get SL2.0 command or result from HTTP request
-			Map<String, String> reqParams = getParameters(request);
-			String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); 			
-			if (MiscUtil.isEmpty(sl20Result)) {
-				Logger.info("NO SL2.0 commando or result FOUND.");
-				throw new SL20Exception("sl20.04", null);
-				
-			}
-			
-			
-			//parse SL2.0 command/result into JSON
+			Logger.debug("Receiving SL2.0 response process .... ");
 			JsonObject sl20ReqObj = null;
 			try {
-				JsonParser jsonParser = new JsonParser();
-				JsonElement sl20Req = jsonParser.parse(sl20Result);
-				sl20ReqObj = sl20Req.getAsJsonObject();
+				//get SL2.0 command or result from HTTP request
+				Map<String, String> reqParams = getParameters(request);
+				String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); 			
+				if (MiscUtil.isEmpty(sl20Result)) {
+					Logger.info("NO SL2.0 commando or result FOUND.");
+					throw new SL20Exception("sl20.04", null);
+					
+				}
+							
+				//parse SL2.0 command/result into JSON			
+				try {
+					JsonParser jsonParser = new JsonParser();
+					JsonElement sl20Req = jsonParser.parse(sl20Result);
+					sl20ReqObj = sl20Req.getAsJsonObject();
+					
+				} catch (JsonSyntaxException e) {
+					Logger.warn("SL2.0 command or result is NOT valid JSON.", e);
+					Logger.debug("SL2.0 msg: " + sl20Result);
+					throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e);
+					
+				}
 				
-			} catch (JsonSyntaxException e) {
-				Logger.warn("SL2.0 command or result is NOT valid JSON.", e);
-				Logger.debug("SL2.0 msg: " + sl20Result);
-				throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e);
+				//validate reqId with inResponseTo 
+				String sl20ReqId = pendingReq.getGenericData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class);
+				String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true);
+				if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) {
+					Logger.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+					throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+				}
 				
-			}
-			
-			//validate reqId with inResponseTo 
-			String sl20ReqId = pendingReq.getGenericData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class);
-			String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true);
-			if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) {
-				Logger.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
-				throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
-			}
-			
-			
-			//validate signature
-			VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
-			if (payLoadContainer.isValidSigned() == null || 
-					!payLoadContainer.isValidSigned()) {
-				Logger.info("SL20 result from VDA was not valid signed");
-				throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
 				
-			}
-			
-			//TODO validate certificate
-			List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
-			
-			
-			//extract payloaf
-			JsonObject payLoad = payLoadContainer.getPayload();
-			
-			//check response type
-			if (SL20JSONExtractorUtils.getStringValue(
-					payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
-						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) {
-				Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... ");
-								
-				//TODO: activate decryption in 'SL20JSONExtractorUtils.extractSL20Result'
-				JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, joseTools, false);
-								
-				//extract attributes from result
-				String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-										SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);
-				String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true);
-				String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true);
-				String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true);
+				//validate signature
+				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
+				if (payLoadContainer.isValidSigned() == null || 
+						!payLoadContainer.isValidSigned()) {
+					Logger.info("SL20 result from VDA was not valid signed");
+					throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+					
+				}
 				
+				/*TODO validate certificate by using MOA-SPSS
+				* currently, the certificate is validated in IJOSETools by using a pkcs12 or jks keystore
+				*/
+				List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
 				
-				//TODO: validate results
-				IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink();
 				
+				//extract payloaf
+				JsonObject payLoad = payLoadContainer.getPayload();
 				
+				//check response type
+				if (SL20JSONExtractorUtils.getStringValue(
+						payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
+							.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) {
+					Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... ");
+									
+					JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(
+							payLoad, joseTools, 
+							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true));
+					
+					//extract attributes from result
+					String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
+											SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);
+					String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
+							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true);
+					String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
+							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true);
+					String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
+							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true);
+					
+					//cache qualified eID data into pending request
+					pendingReq.setGenericDataToSession(
+							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, 
+							idlB64);
+					pendingReq.setGenericDataToSession(
+							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, 
+							authBlockB64);
+					pendingReq.setGenericDataToSession(
+							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, 
+							ccsURL);
+					pendingReq.setGenericDataToSession(
+							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, 
+							LoA);
+																										
+				} else {
+					Logger.info("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
+					throw new SLCommandoParserException("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
+				}
 				
-				//add into session
-				defaultTaskInitialization(request, executionContext);
-				moasession.setIdentityLink(idl);
-				moasession.setBkuURL(ccsURL);
-				//TODO: from AuthBlock
-				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
-				moasession.setQAALevel(LoA);
 				
-				//mark as authenticated
-				moasession.setAuthenticated(true);
-				pendingReq.setAuthenticated(true);
-								
-				//store pending request
-				requestStoreage.storePendingRequest(pendingReq);
-								
-				//create response 
-				Map<String, String> reqParameters = new HashMap<String, String>();
-				reqParameters.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID());
-				JsonObject callReqParams = SL20JSONBuilderUtils.createCallCommandParameters(
-						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, null), 
-						SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET, 
-						false, 
-						reqParameters);
-				JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
+			} catch (MOAIDException  e) {
+				Logger.warn("SL2.0 processing error:", e);
+				pendingReq.setGenericDataToSession(
+						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
+						new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e));
 				
-				//build first redirect command for app
-				JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true);
-				JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
-								
-				//build second redirect command for IDP
-				JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
-						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, null), 
-						redirectOneCommand, null, true);
-				JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
+			} catch (Exception e) {
+				Logger.warn("ERROR:", e);
+				Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
+				pendingReq.setGenericDataToSession(
+						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
+						new TaskExecutionException(pendingReq, e.getMessage(), e));
 				
-				//build generic SL2.0 response container								
-				String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
-				JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest(
-						UUID.randomUUID().toString(), 
-						transactionId, 
-						redirectTwoCommand, 
-						null); 
+			} finally {
+					//store pending request
+					requestStoreage.storePendingRequest(pendingReq);
 				
-				if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
-						request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					
-					Logger.debug("Client request containts 'native client' header ... ");												
-					StringWriter writer = new StringWriter();
-					writer.write(respContainer.toString());						
-					final byte[] content = writer.toString().getBytes("UTF-8");
-					response.setStatus(HttpServletResponse.SC_OK);
-					response.setContentLength(content.length);
-					response.setContentType(ContentType.APPLICATION_JSON.toString());						
-					response.getOutputStream().write(content);
+					//write SL2.0 response
+					if (sl20ReqObj != null)				
+						buildResponse(request, response, sl20ReqObj);
+					else 
+						buildErrorResponse(request, response, "2000", "General transport Binding error");					
 					
-					
-				} else {
-					Logger.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'");
-					throw new SL20Exception("sl20.06", 
-							new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"});
-					
-				}
-												
-			} else {
-				Logger.info("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
-				throw new SLCommandoParserException("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
 			}
-			
-			
-		} catch (MOAIDException  e) {
-			Logger.warn("ERROR:", e);
-			throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e);
-			
+		
 		} catch (Exception e) {
-			Logger.warn("ERROR:", e);
-			Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
-			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding
+			Logger.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e);
+			try {
+				response.sendError(500, "Internal Server Error.");
+				
+			} catch (IOException e1) {
+				Logger.error("Can NOT send error message. SOMETHING IS REALY WRONG!", e);
+				
+			}	
 			
-		} finally {				
+		} finally {
 			TransactionIDUtils.removeTransactionId();
 			TransactionIDUtils.removeSessionId();
 			
 		}
 	}
 
-	
-	private JsonObject createRedirectCommand() {
-		
+	private void buildErrorResponse(HttpServletRequest request, HttpServletResponse response, String errorCode, String errorMsg) throws Exception {				
+		JsonObject error = SL20JSONBuilderUtils.createErrorCommandResult(errorCode, errorMsg);
+		JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest(
+				UUID.randomUUID().toString(), 
+				null, 
+				error , 
+				null);
+			
+		Logger.debug("Client request containts 'native client' header ... ");												
+		StringWriter writer = new StringWriter();
+		writer.write(respContainer.toString());						
+		final byte[] content = writer.toString().getBytes("UTF-8");
+		response.setStatus(HttpServletResponse.SC_OK);
+		response.setContentLength(content.length);
+		response.setContentType(ContentType.APPLICATION_JSON.toString());						
+		response.getOutputStream().write(content);
+				
+	}
+
+	private void buildResponse(HttpServletRequest request, HttpServletResponse response, JsonObject sl20ReqObj) throws IOException, SL20Exception {		
+		//create response 
+		Map<String, String> reqParameters = new HashMap<String, String>();
+		reqParameters.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID());
+		JsonObject callReqParams = SL20JSONBuilderUtils.createCallCommandParameters(
+				new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null), 
+				SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET, 
+				false, 
+				reqParameters);
+		JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
 		
-		return null;
+		//build first redirect command for app
+		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true);
+		JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
+						
+		//build second redirect command for IDP
+		JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+				new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null), 
+				redirectOneCommand, null, true);
+		JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
 		
+		//build generic SL2.0 response container								
+		String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
+		JsonObject respContainer = SL20JSONBuilderUtils.createGenericRequest(
+				UUID.randomUUID().toString(), 
+				transactionId, 
+				redirectTwoCommand, 
+				null); 
 		
+		if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
+				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					
+			Logger.debug("Client request containts 'native client' header ... ");												
+			StringWriter writer = new StringWriter();
+			writer.write(respContainer.toString());						
+			final byte[] content = writer.toString().getBytes("UTF-8");
+			response.setStatus(HttpServletResponse.SC_OK);
+			response.setContentLength(content.length);
+			response.setContentType(ContentType.APPLICATION_JSON.toString());						
+			response.getOutputStream().write(content);
+			
+			
+		} else {
+			Logger.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'");
+			throw new SL20Exception("sl20.06", 
+					new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"});
+			
+		}
 	}
+
+	
 	
 }
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
new file mode 100644
index 000000000..b5c84d315
--- /dev/null
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
@@ -0,0 +1,180 @@
+package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
+
+import java.io.ByteArrayInputStream;
+import java.util.Calendar;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.Configuration;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.io.Unmarshaller;
+import org.opensaml.xml.io.UnmarshallerFactory;
+import org.springframework.stereotype.Component;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
+import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier.QualifiedeIDVerifier;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+
+@Component("VerifyQualifiedeIDTask")
+public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
+	
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		
+		Logger.debug("Verify qualified eID data from SL20 response .... ");
+		try {
+			//check if there was an error 
+			TaskExecutionException sl20Error = pendingReq.getGenericData(
+					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR,
+					TaskExecutionException.class);			
+			if (sl20Error != null) {
+				Logger.info("Found SL2.0 error after redirect ... ");
+				throw sl20Error;
+				
+			}
+			
+			//get data from pending request
+			String sl20ReqId = pendingReq.getGenericData(
+					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, 
+					String.class);
+			String idlB64 =  pendingReq.getGenericData(
+					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL,
+					String.class);
+			String authBlockB64 = pendingReq.getGenericData(
+					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, 
+					String.class);
+			String ccsURL = pendingReq.getGenericData(
+					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, 
+					String.class);
+			String LoA = pendingReq.getGenericData(
+					Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, 
+					String.class);
+							
+			//parse eID data
+			IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink();
+			IVerifiyXMLSignatureResponse authBlockVerificationResult = null;
+			try {				
+				Assertion authBlock = parseAuthBlockToSaml2Assertion(authBlockB64);
+				AssertionAttributeExtractor authBlockExtractor = new AssertionAttributeExtractor(authBlock);
+
+			
+				//validate eID data			
+				QualifiedeIDVerifier.verifyIdentityLink(idl, pendingReq.getOnlineApplicationConfiguration(), authConfig);
+				authBlockVerificationResult = QualifiedeIDVerifier.verifyAuthBlock(
+							authBlockB64, pendingReq.getOnlineApplicationConfiguration(), authConfig);
+				QualifiedeIDVerifier.checkConsistencyOfeIDData(sl20ReqId, idl, authBlockExtractor, authBlockVerificationResult);
+			
+				//TODO: add LoA verification
+				
+			} catch (SL20eIDDataValidationException e) {
+				if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_VALIDATION, false)) {
+					Logger.warn("SL20 eID data validation IS DISABLED!!");
+					Logger.warn("SL20 eID data IS NOT VALID!!! Reason: " + e.getMessage(), e);
+					
+				} else
+					throw e;
+				
+			}
+							
+			//add into session
+			defaultTaskInitialization(request, executionContext);
+			moasession.setIdentityLink(idl);
+			moasession.setBkuURL(ccsURL);
+			//TODO: from AuthBlock
+			if (authBlockVerificationResult != null)
+				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(authBlockVerificationResult.getSigningDateTime()));
+			else
+				moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
+			
+			moasession.setQAALevel(LoA);
+
+			//store pending request
+			requestStoreage.storePendingRequest(pendingReq);
+						
+		} catch (MOAIDException  e) {
+			Logger.warn("ERROR:", e);
+			throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.warn("ERROR:", e);
+			Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} finally {				
+			TransactionIDUtils.removeTransactionId();
+			TransactionIDUtils.removeSessionId();
+			
+		}
+	}
+
+	private Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException {
+		try {
+			//parse authBlock into SAML2 Assertion
+			byte[] authBlockBytes = Base64Utils.decode(authblockB64, false);			
+			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes));
+			UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
+			Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM);			 
+			XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM);
+			
+			//validate SAML2 Assertion
+			SAML2Utils.schemeValidation(samlAssertion);
+			
+			if (samlAssertion instanceof Assertion)			
+				return (Assertion) samlAssertion;			
+			else 
+				throw new SL20eIDDataValidationException(
+						new Object[] {
+							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+							"AuthBlock is NOT of type SAML2 Assertion"
+						});
+				
+		} catch (SL20eIDDataValidationException e) {
+			throw e;
+				
+		} catch (SAXException e) {
+			Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage());
+			throw new SL20eIDDataValidationException(
+					new Object[] {
+						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+						e.getMessage()
+					}, 
+					e);
+			
+		} catch (Exception e) {
+			Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage());
+			Logger.trace("FullAuthBlock: " + authblockB64);
+			throw new SL20eIDDataValidationException(
+					new Object[] {
+						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+						e.getMessage()
+					}, 
+					e);
+		
+		}
+						
+	}
+
+	
+	
+}
-- 
cgit v1.2.3


From cd5cef47db73c85cbb2defdec3b283655fdc859b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 10:46:41 +0200
Subject: update SL20 implementation

---
 .../sl20_auth/SL20AuthenticationModulImpl.java     | 26 +++++--
 .../modules/sl20_auth/sl20/JsonSecurityUtils.java  | 15 +++-
 .../auth/modules/sl20_auth/sl20/SL20Constants.java |  8 +-
 .../sl20_auth/sl20/SL20HttpBindingUtils.java       |  6 +-
 .../sl20_auth/sl20/SL20JSONBuilderUtils.java       | 15 +++-
 .../sl20_auth/sl20/SL20JSONExtractorUtils.java     | 89 +++++++++++++---------
 .../sl20/verifier/QualifiedeIDVerifier.java        | 76 ++++++++++++++++--
 .../sl20_auth/tasks/CreateQualeIDRequestTask.java  | 79 +++++++++++--------
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        | 41 ++++++----
 .../sl20_auth/tasks/VerifyQualifiedeIDTask.java    | 62 +--------------
 10 files changed, 256 insertions(+), 161 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
index a4044ce21..367e7b604 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
@@ -22,6 +22,9 @@
  */
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth;
 
+import java.util.Arrays;
+import java.util.List;
+
 import javax.annotation.PostConstruct;
 
 import org.apache.commons.lang3.StringUtils;
@@ -38,10 +41,10 @@ import at.gv.egovernment.moa.logging.Logger;
  * @author tlenz
  *
  */
-public class SL20AuthenticationModulImpl implements AuthModule {
-
+public class SL20AuthenticationModulImpl implements AuthModule {	
 	private int priority = 3;
-
+	public static final List<String> VDA_TYPE_IDS = Arrays.asList("1", "2", "3", "4");
+	
 	@Autowired(required=true) protected AuthConfiguration authConfig;
 	@Autowired(required=true) private AuthenticationManager authManager;
 	
@@ -62,6 +65,7 @@ public class SL20AuthenticationModulImpl implements AuthModule {
 	protected void initalSL20Authentication() {
 		//parameter to whiteList
 		authManager.addHeaderNameToWhiteList(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE);
+		authManager.addHeaderNameToWhiteList(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE);
 		
 	}
 	
@@ -71,17 +75,23 @@ public class SL20AuthenticationModulImpl implements AuthModule {
 	 */
 	@Override
 	public String selectProcess(ExecutionContext context) {
-		if (StringUtils.isNotBlank((String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase())) ||
-				StringUtils.isNotBlank((String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE))) { 
-			Logger.trace(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");
+		String sl20ClientTypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase());
+		String sl20VDATypeHeader = (String)  context.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
+		
+		if ( StringUtils.isNotBlank(sl20ClientTypeHeader) 
+//				&& (
+//						StringUtils.isNotBlank(sl20VDATypeHeader) 
+//						//&& VDA_TYPE_IDS.contains(sl20VDATypeHeader.trim())
+//				   ) 
+				) {
+			Logger.trace(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");			
 			return "SL20Authentication";
 			
 		} else {
 			Logger.trace("No '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");
 			return null;
 			
-		}
-		
+		}		
 	}
 
 	/* (non-Javadoc)
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index 2563c7f7d..c95e0b731 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -1,9 +1,11 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
 
+import java.io.IOException;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -36,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoPars
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.utils.X509Utils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.KeyStoreUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -143,8 +146,11 @@ public class JsonSecurityUtils implements IJOSETools{
 			//set signing information
 			jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
 			jws.setKey(signPrivKey);
-			jws.setCertificateChainHeaderValue(signCertChain);
-		
+			
+			//TODO:
+			//jws.setCertificateChainHeaderValue(signCertChain);
+			jws.setX509CertSha256ThumbprintHeaderValue(signCertChain[0]);
+						
 			return jws.getCompactSerialization();
 			
 		} catch (JoseException e) {
@@ -181,6 +187,11 @@ public class JsonSecurityUtils implements IJOSETools{
 				} else {
 					Logger.info("Can NOT find JOSE certificate in truststore.");
 					Logger.debug("JOSE certificate: " + sortedX5cCerts.get(0).toString());
+					try {
+						Logger.debug("Cert: " + Base64Utils.encode(sortedX5cCerts.get(0).getEncoded()));
+					} catch (CertificateEncodingException | IOException e) {
+						e.printStackTrace();
+					}
 					
 				}
 				
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
index 33bb4fe36..658384578 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
@@ -8,7 +8,7 @@ import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
 import org.jose4j.jws.AlgorithmIdentifiers;
 
 public class SL20Constants {
-	public static final String CURRENT_SL20_VERSION = "10";
+	public static final int CURRENT_SL20_VERSION = 10;
 	
 	//http binding parameters
 	public static final String PARAM_SL20_REQ_COMMAND_PARAM = "slcommand";
@@ -18,6 +18,7 @@ public class SL20Constants {
 	public static final String PARAM_SL20_REQ_TRANSACTIONID = "slTransactionID";
 	
 	public static final String HTTP_HEADER_SL20_CLIENT_TYPE = "SL2ClientType";
+	public static final String HTTP_HEADER_SL20_VDA_TYPE = "X-MOA-VDA";
 	public static final String HTTP_HEADER_VALUE_NATIVE = "nativeApp";
 	
 	
@@ -129,8 +130,9 @@ public class SL20Constants {
 	public static final String SL20_COMMAND_PARAM_EID_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL; 
 	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES = "attributes";
 	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE = "MANDATE-REFERENCE-VALUE";
-	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID = "SP-FRIENDLYNAME";
-	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME = "SP-UNIQUEID";
+	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID = "SP-UNIQUEID";
+	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME = "SP-FRIENDLYNAME";
+	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE = "SP-COUNTRYCODE";
 	public static final String SL20_COMMAND_PARAM_EID_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
 	public static final String SL20_COMMAND_PARAM_EID_RESULT_IDL = "EID-IDENTITY-LINK";
 	public static final String SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK = "EID-AUTH-BLOCK";
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
index cc7137a0f..169cb8e73 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java
@@ -2,7 +2,6 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
 
 import java.io.IOException;
 import java.io.StringWriter;
-import java.io.UnsupportedEncodingException;
 import java.net.URISyntaxException;
 
 import javax.servlet.http.HttpServletRequest;
@@ -10,6 +9,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.entity.ContentType;
+import org.jose4j.base64url.Base64Url;
 
 import com.google.gson.JsonObject;
 
@@ -33,7 +33,9 @@ public class SL20HttpBindingUtils {
 		} else {
 			Logger.debug("Client request containts is no native client ... ");
 			URIBuilder clientRedirectURI = new URIBuilder(redirectURL);
-			clientRedirectURI.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Forward.toString());
+			clientRedirectURI.addParameter(
+					SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, 
+					Base64Url.encode(sl20Forward.toString().getBytes()));
 			response.setStatus(307);
 			response.setHeader("Location", clientRedirectURI.build().toString());
 			
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java
index 52d7e1e67..d5dec1fe1 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONBuilderUtils.java
@@ -387,7 +387,7 @@ public class SL20JSONBuilderUtils {
 	 */
 	public static JsonObject createGenericRequest(String reqId, String transactionId, JsonElement payLoad, String signedPayload) throws SLCommandoBuildException {
 		JsonObject req = new JsonObject();
-		addSingleStringElement(req, SL20Constants.SL20_VERSION, SL20Constants.CURRENT_SL20_VERSION, true);
+		addSingleIntegerElement(req, SL20Constants.SL20_VERSION, SL20Constants.CURRENT_SL20_VERSION, true);
 		addSingleStringElement(req, SL20Constants.SL20_REQID, reqId, true);
 		addSingleStringElement(req, SL20Constants.SL20_TRANSACTIONID, transactionId, false);		
 		addOnlyOnceOfTwo(req, SL20Constants.SL20_PAYLOAD, SL20Constants.SL20_SIGNEDPAYLOAD, 
@@ -411,7 +411,7 @@ public class SL20JSONBuilderUtils {
 			JsonElement payLoad, String signedPayload) throws SLCommandoBuildException {
 		
 		JsonObject req = new JsonObject();
-		addSingleStringElement(req, SL20Constants.SL20_VERSION, SL20Constants.CURRENT_SL20_VERSION, true);
+		addSingleIntegerElement(req, SL20Constants.SL20_VERSION, SL20Constants.CURRENT_SL20_VERSION, true);
 		addSingleStringElement(req, SL20Constants.SL20_RESPID, respId, true);
 		addSingleStringElement(req, SL20Constants.SL20_INRESPTO, inResponseTo, true);
 		addSingleStringElement(req, SL20Constants.SL20_TRANSACTIONID, transactionId, false);		
@@ -568,6 +568,17 @@ public class SL20JSONBuilderUtils {
 		
 	}
 	
+	private static void addSingleIntegerElement(JsonObject parent, String keyId, Integer value, boolean isRequired) throws SLCommandoBuildException {
+		validateParentAndKey(parent, keyId);
+		
+		if (isRequired && value == null)
+			throw new SLCommandoBuildException(keyId + " has an empty value");
+		
+		else if (value != null)
+			parent.addProperty(keyId, value);
+		
+	}
+	
 	private static void addSingleJSONElement(JsonObject parent, String keyId, JsonElement element, boolean isRequired) throws SLCommandoBuildException {
 		validateParentAndKey(parent, keyId);
 		
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index 6949b7a18..2e81d9c64 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -1,7 +1,6 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
 
 import java.io.InputStreamReader;
-import java.net.URLDecoder;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -13,6 +12,7 @@ import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.log4j.Logger;
+import org.jose4j.base64url.Base64Url;
 
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
@@ -107,45 +107,64 @@ public class SL20JSONExtractorUtils {
 	}
 	
 	/**
-	 * Extract Map of Key/Value pairs from a JSON Array 
+	 * Extract Map of Key/Value pairs from a JSON Element
 	 * 
-	 * @param input
-	 * @param keyID
+	 * @param input parent JSON object
+	 * @param keyID KeyId of the child that should be parsed
 	 * @param isRequired
 	 * @return
 	 * @throws SLCommandoParserException
 	 */
 	public static Map<String, String> getMapOfStringElements(JsonObject input, String keyID, boolean isRequired) throws SLCommandoParserException {
 		JsonElement internal = getAndCheck(input, keyID, isRequired);
+		return getMapOfStringElements(internal);
 		
+	}
+	
+	/**
+	 * Extract Map of Key/Value pairs from a JSON Element 
+	 * 
+	 * @param input
+	 * @return
+	 * @throws SLCommandoParserException
+	 */
+	public static Map<String, String> getMapOfStringElements(JsonElement input) throws SLCommandoParserException {		
 		Map<String, String> result = new HashMap<String, String>();
 				
-		if (internal != null) {
-			if (!internal.isJsonArray())
-				throw new SLCommandoParserException("JSON Element IS NOT a JSON array");
-
-			Iterator<JsonElement> arrayIterator = internal.getAsJsonArray().iterator();
-			while(arrayIterator.hasNext()) {
-				//JsonObject next = arrayIterator.next().getAsJsonObject();
-				//result.put(
-				//		next.get(SL20Constants.SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_KEY).getAsString(), 
-				//		next.get(SL20Constants.SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_VALUE).getAsString());
-				JsonElement next = arrayIterator.next();				
-				Iterator<Entry<String, JsonElement>> entry = next.getAsJsonObject().entrySet().iterator();
-				while (entry.hasNext()) {
-					Entry<String, JsonElement> el = entry.next();
-					if (result.containsKey(el.getKey()))
-						log.info("Attr. Map already contains Element with Key: " + el.getKey() + ". Overwrite element ... ");
-						
-					result.put(el.getKey(), el.getValue().getAsString());
+		if (input != null) {
+			if (input.isJsonArray()) {			
+				Iterator<JsonElement> arrayIterator = input.getAsJsonArray().iterator();
+				while(arrayIterator.hasNext()) {
+					JsonElement next = arrayIterator.next();				
+					Iterator<Entry<String, JsonElement>> entry = next.getAsJsonObject().entrySet().iterator();
+					entitySetToMap(result, entry);
 					
-				}				
-			}						
+				}
+				
+			} else if (input.isJsonObject()) {
+				Iterator<Entry<String, JsonElement>> objectKeys = input.getAsJsonObject().entrySet().iterator();
+				entitySetToMap(result, objectKeys);
+				
+			} else
+				throw new SLCommandoParserException("JSON Element IS NOT a JSON array or a JSON object");
+			
 		}
 		
 		return result;
 	}
 	
+	private static void entitySetToMap(Map<String, String> result, Iterator<Entry<String, JsonElement>> entry) {
+		while (entry.hasNext()) {
+			Entry<String, JsonElement> el = entry.next();
+			if (result.containsKey(el.getKey()))
+				log.info("Attr. Map already contains Element with Key: " + el.getKey() + ". Overwrite element ... ");
+			
+			result.put(el.getKey(), el.getValue().getAsString());
+		
+		}
+		
+	}
+	
 	
 	public static JsonElement extractSL20Result(JsonObject command, IJOSETools decrypter, boolean mustBeEncrypted) throws SL20Exception {
 		JsonElement result = command.get(SL20Constants.SL20_COMMAND_CONTAINER_RESULT);
@@ -207,19 +226,21 @@ public class SL20JSONExtractorUtils {
 		if (sl20Payload == null && sl20SignedPayload == null)
 			throw new SLCommandoParserException("NO payLoad OR signedPayload FOUND.");		
 		
-		else if (sl20Payload == null && sl20SignedPayload == null) 
-			throw new SLCommandoParserException("payLoad AND signedPayload FOUND. Can not used twice");
-		
+		//TODO:
+		//else if (sl20Payload != null && sl20SignedPayload != null) { 
+		    //log.warn("Find 'signed' AND 'unsigned' SL2.0 payload");
+			//throw new SLCommandoParserException("payLoad AND signedPayload FOUND. Can not used twice");
+		//}
 		else if (sl20SignedPayload == null && mustBeSigned)
 			throw new SLCommandoParserException("payLoad MUST be signed.");
+
+		else if (joseTools != null && sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive()) {	
+			return joseTools.validateSignature(sl20SignedPayload.getAsString());
 		
-		else if (sl20Payload != null)
+		} else if (sl20Payload != null)
 			return new VerificationResult(sl20Payload.getAsJsonObject());
 		
-		else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive()) {	
-			return joseTools.validateSignature(sl20SignedPayload.getAsString());
-						
-		} else
+		 else
 			throw new SLCommandoParserException("Internal build error");
 			
 		
@@ -242,10 +263,10 @@ public class SL20JSONExtractorUtils {
 					throw new SLCommandoParserException("Find Redirect statuscode but not Location header");
 			
 				String sl20RespString = new URIBuilder(locationHeader[0].getValue()).getQueryParams().get(0).getValue();
-				sl20Resp = new JsonParser().parse(URLDecoder.decode(sl20RespString)).getAsJsonObject();
+				sl20Resp = new JsonParser().parse(Base64Url.encode((sl20RespString.getBytes()))).getAsJsonObject();
 			
 			} else if (httpResp.getStatusLine().getStatusCode() == 200) {
-				if (!httpResp.getEntity().getContentType().getValue().equals("application/json;charset=UTF-8"))
+				if (!httpResp.getEntity().getContentType().getValue().startsWith("application/json"))
 					throw new SLCommandoParserException("SL20 response with a wrong ContentType: " + httpResp.getEntity().getContentType().getValue());					
 				sl20Resp = parseSL20ResultFromResponse(httpResp.getEntity());
 		
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
index d07d7a78a..a7253c2c6 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -1,14 +1,22 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 
 import org.jaxen.SimpleNamespaceContext;
+import org.opensaml.Configuration;
+import org.opensaml.DefaultBootstrap;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.io.Unmarshaller;
+import org.opensaml.xml.io.UnmarshallerFactory;
 import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
-import at.gv.egovernment.moa.id.auth.exception.ValidateException;
 import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
@@ -22,10 +30,12 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
 
 
 public class QualifiedeIDVerifier {
@@ -69,21 +79,22 @@ public class QualifiedeIDVerifier {
 			verifyXMLSignatureResponse,
 			authConfig.getIdentityLinkX509SubjectNames(),
 			VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
-			oaParam);
+			oaParam,
+			authConfig);
 
 				
 	}
 	
 	public static IVerifiyXMLSignatureResponse verifyAuthBlock(String authBlockB64, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException, IOException {
 		String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore());
-		List<String> verifyTransformsInfoProfileID = null;
+		List<String> verifyTransformsInfoProfileID = Arrays.asList("SL20Authblock_v1.0");
 		
 		SignatureVerificationUtils sigVerify = new SignatureVerificationUtils();
 		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(Base64Utils.decode(authBlockB64, false), trustProfileId , verifyTransformsInfoProfileID);
 						
 		// validates the <VerifyXMLSignatureResponse>
 		VerifyXMLSignatureResponseValidator.getInstance().validate(sigVerifyResult,
-					null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, oaParam);
+					null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, oaParam, authConfig);
 
 		return sigVerifyResult;
 				
@@ -120,7 +131,7 @@ public class QualifiedeIDVerifier {
 			// date and time
 			validateSigningDateTime(sigVerifyResult, authBlockExtractor);
 			
-		} catch ( ValidateException e) {
+		} catch ( Exception e) {
 			Logger.warn("Validation of eID information FAILED. ", e);
 			throw new SL20eIDDataValidationException(new Object[] {
 					SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL,
@@ -134,6 +145,59 @@ public class QualifiedeIDVerifier {
 		
 	}
 	
+	public static Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException {
+		try {
+			//parse authBlock into SAML2 Assertion
+			byte[] authBlockBytes = Base64Utils.decode(authblockB64, false);			
+			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes));			
+				
+			//A-Trust workarounda
+//			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authblockB64.getBytes()));
+//			Element authBlockDOM = DOMUtils.parseXmlNonValidating(new ByteArrayInputStream(authblockB64.getBytes()));
+			
+			DefaultBootstrap.bootstrap();
+			UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
+			Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM);			 
+			XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM);
+			
+			//validate SAML2 Assertion
+			SAML2Utils.schemeValidation(samlAssertion);
+			
+			if (samlAssertion instanceof Assertion)			
+				return (Assertion) samlAssertion;			
+			else 
+				throw new SL20eIDDataValidationException(
+						new Object[] {
+							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+							"AuthBlock is NOT of type SAML2 Assertion"
+						});
+				
+		} catch (SL20eIDDataValidationException e) {
+			throw e;
+				
+		} catch (SAXException e) {
+			Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage());
+			throw new SL20eIDDataValidationException(
+					new Object[] {
+						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+						e.getMessage()
+					}, 
+					e);
+			
+		} catch (Exception e) {
+			Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage());
+			Logger.trace("FullAuthBlock: " + authblockB64);
+			throw new SL20eIDDataValidationException(
+					new Object[] {
+						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
+						e.getMessage()
+					}, 
+					e);
+		
+		}
+						
+	}
+	
 	private static void validateSigningDateTime( IVerifiyXMLSignatureResponse sigVerifyResult, AssertionAttributeExtractor authBlockExtractor) throws SL20eIDDataValidationException {
 		Date signingDate = sigVerifyResult.getSigningDateTime();
 		Date notBefore = authBlockExtractor.getAssertionNotBefore();
@@ -163,7 +227,7 @@ public class QualifiedeIDVerifier {
 				+ " NotBefore:" + notBefore.toString() 
 				+ " NotOrNotAfter:" + notOrNotAfter.toString());
 		
-		if (signingDate.after(notBefore) || signingDate.before(notOrNotAfter))
+		if (signingDate.after(notBefore) && signingDate.before(notOrNotAfter))
 			Logger.debug("Signing date validation successfull");
 		
 		else {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 763454639..26283cab2 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -4,7 +4,6 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 
 import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.http.HttpServletRequest;
@@ -17,6 +16,7 @@ import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.message.BasicNameValuePair;
+import org.jose4j.base64url.Base64Url;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -39,7 +39,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
-import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.id.util.SSLUtils;
@@ -62,7 +61,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration();
 				
 				//get basic configuration parameters
-				String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig);				
+				String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig, executionContext);				
 				if (MiscUtil.isEmpty(vdaQualeIDUrl)) {
 					Logger.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ")");
 					throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"});
@@ -83,17 +82,21 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				//build qualifiedeID command
 				Map<String, String> qualifiedeIDParams = new HashMap<String, String>();
 				qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID, oaConfig.getPublicURLPrefix());
-				qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName());			
+				qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName());
+				qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE, "AT");
 				//qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE, UUID.randomUUID().toString());
 
+				//TODO:
 				JsonObject qualeIDCommandParams = SL20JSONBuilderUtils.createQualifiedeIDCommandParameters(
 						authBlockId, 
 						dataURL, 
 						qualifiedeIDParams, 
-						joseTools.getEncryptionCertificate());
+						//joseTools.getEncryptionCertificate());
+						null);
 								
 				//String qualeIDReqId = UUID.randomUUID().toString();
-				String qualeIDReqId = SAML2Utils.getSecureIdentifier();
+				//TODO: work-Around for A-trust
+				String qualeIDReqId = SAML2Utils.getSecureIdentifier().substring(0, 12);
 				String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools);
 				JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand);
 								
@@ -105,19 +108,21 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 						sslFactory,
 						authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true));
 				
-				//build post request
+				//build http POST request
 				HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build());								
-				httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
 				List<NameValuePair> parameters = new ArrayList<NameValuePair>();;
-				
-				//correct one
-				//parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())));
-				
-				//A-Trust current version
-				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM_OLD, sl20Req.toString()));
+				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())));
 				httpReq.setEntity(new UrlEncodedFormEntity(parameters ));				
 				
+				//build http GET request
+//				URIBuilder sl20ReqUri = new URIBuilder(vdaQualeIDUrl);
+//				sl20ReqUri.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes()));
+//				HttpGet httpReq = new HttpGet(sl20ReqUri.build());
 				
+				//set native client header
+				httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
+
+				Logger.trace("Request VDA via SL20 with: " + Base64Url.encode(sl20Req.toString().getBytes()));
 				
 				//request VDA
 				HttpResponse httpResp = httpClient.execute(httpReq);
@@ -190,26 +195,40 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 			
 	}
 	
-	private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig) {		
-		Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
-		Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST);
+	private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig, ExecutionContext executionContext) {		
 		
-		for (Entry<String, String> el : listOfSPs.entrySet()) {
-			List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue());
-			if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) {
-				Logger.trace("Select VDA endPoint with Id: " + el.getKey());
-				if (listOfVDAs.containsKey(el.getKey()))					
-					return listOfVDAs.get(el.getKey());
-				
-				else
-					Logger.info("No VDA endPoint with Id: " + el.getKey());
-				
-			} else
-				Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix());
+		//selection based on EntityID
+//		Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
+//		Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST);
+//		
+//		for (Entry<String, String> el : listOfSPs.entrySet()) {
+//			List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue());
+//			if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) {
+//				Logger.trace("Select VDA endPoint with Id: " + el.getKey());
+//				if (listOfVDAs.containsKey(el.getKey()))					
+//					return listOfVDAs.get(el.getKey());
+//				
+//				else
+//					Logger.info("No VDA endPoint with Id: " + el.getKey());
+//				
+//			} else
+//				Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix());
+//			
+//		}
+
+		//selection based on request Header
+		String sl20VDATypeHeader = (String)  executionContext.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
+		if (MiscUtil.isNotEmpty(sl20VDATypeHeader)) {
+			String vdaURL = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST + sl20VDATypeHeader);
+			if (MiscUtil.isNotEmpty(vdaURL))
+				return vdaURL.trim();
 			
+			else
+				Logger.info("Can NOT find VDA with Id: " + sl20VDATypeHeader + ". Use default VDA");
+						
 		}
 		
-		Logger.debug("NO SP specific VDA endpoint found. Use default VDA");
+		Logger.info("NO SP specific VDA endpoint found. Use default VDA");
 		return authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT);
 		
 	}
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index b7fe579a3..357ecb6ec 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -12,6 +12,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.http.entity.ContentType;
+import org.jose4j.base64url.Base64Url;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moa.util.StreamUtils;
 import at.gv.egovernment.moaspss.logging.Logger;
 
 
@@ -55,17 +57,30 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			try {
 				//get SL2.0 command or result from HTTP request
 				Map<String, String> reqParams = getParameters(request);
-				String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); 			
+				String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+				
 				if (MiscUtil.isEmpty(sl20Result)) {
-					Logger.info("NO SL2.0 commando or result FOUND.");
-					throw new SL20Exception("sl20.04", null);
+					
+					//TODO: remove
+					//Workaround for SIC Handy-Signature, because it sends result in InputStream
+					String test = StreamUtils.readStream(request.getInputStream(), "UTF-8");					
+					if (MiscUtil.isNotEmpty(test)) {
+						Logger.info("Use SIC Handy-Signature work-around!");
+						sl20Result = test.substring("slcommand=".length());
+						
+					} else {					
+						Logger.info("NO SL2.0 commando or result FOUND.");
+						throw new SL20Exception("sl20.04", null);
+					}
 					
 				}
-							
+
+				Logger.trace("Received SL2.0 result: " + sl20Result);
+				
 				//parse SL2.0 command/result into JSON			
 				try {
 					JsonParser jsonParser = new JsonParser();
-					JsonElement sl20Req = jsonParser.parse(sl20Result);
+					JsonElement sl20Req = jsonParser.parse(Base64Url.decodeToUtf8String(sl20Result));
 					sl20ReqObj = sl20Req.getAsJsonObject();
 					
 				} catch (JsonSyntaxException e) {
@@ -111,16 +126,13 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 					JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(
 							payLoad, joseTools, 
 							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true));
-					
+
 					//extract attributes from result
-					String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-											SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);
-					String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true);
-					String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true);
-					String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), 
-							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true);
+					Map<String, String> eIDData = SL20JSONExtractorUtils.getMapOfStringElements(qualeIDResult);
+					String idlB64 = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL);					
+					String authBlockB64 = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK);
+					String ccsURL  = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL);					
+					String LoA = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA);
 					
 					//cache qualified eID data into pending request
 					pendingReq.setGenericDataToSession(
@@ -233,6 +245,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				redirectTwoCommand, 
 				null); 
 		
+		//workaround for SIC VDA
 		if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
 				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					
 			Logger.debug("Client request containts 'native client' header ... ");												
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
index b5c84d315..cc74bb11a 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
@@ -6,14 +6,8 @@ import java.util.Calendar;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.opensaml.Configuration;
 import org.opensaml.saml2.core.Assertion;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.io.Unmarshaller;
-import org.opensaml.xml.io.UnmarshallerFactory;
 import org.springframework.stereotype.Component;
-import org.w3c.dom.Element;
-import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -28,9 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.util.Base64Utils;
-import at.gv.egovernment.moa.util.DOMUtils;
 import at.gv.egovernment.moa.util.DateTimeUtils;
 import at.gv.egovernment.moaspss.logging.Logger;
 
@@ -75,7 +67,7 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
 			IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink();
 			IVerifiyXMLSignatureResponse authBlockVerificationResult = null;
 			try {				
-				Assertion authBlock = parseAuthBlockToSaml2Assertion(authBlockB64);
+				Assertion authBlock = QualifiedeIDVerifier.parseAuthBlockToSaml2Assertion(authBlockB64);
 				AssertionAttributeExtractor authBlockExtractor = new AssertionAttributeExtractor(authBlock);
 
 			
@@ -126,55 +118,5 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
 			TransactionIDUtils.removeSessionId();
 			
 		}
-	}
-
-	private Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException {
-		try {
-			//parse authBlock into SAML2 Assertion
-			byte[] authBlockBytes = Base64Utils.decode(authblockB64, false);			
-			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes));
-			UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
-			Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM);			 
-			XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM);
-			
-			//validate SAML2 Assertion
-			SAML2Utils.schemeValidation(samlAssertion);
-			
-			if (samlAssertion instanceof Assertion)			
-				return (Assertion) samlAssertion;			
-			else 
-				throw new SL20eIDDataValidationException(
-						new Object[] {
-							SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
-							"AuthBlock is NOT of type SAML2 Assertion"
-						});
-				
-		} catch (SL20eIDDataValidationException e) {
-			throw e;
-				
-		} catch (SAXException e) {
-			Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage());
-			throw new SL20eIDDataValidationException(
-					new Object[] {
-						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
-						e.getMessage()
-					}, 
-					e);
-			
-		} catch (Exception e) {
-			Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage());
-			Logger.trace("FullAuthBlock: " + authblockB64);
-			throw new SL20eIDDataValidationException(
-					new Object[] {
-						SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
-						e.getMessage()
-					}, 
-					e);
-		
-		}
-						
-	}
-
-	
-	
+	}	
 }
-- 
cgit v1.2.3


From f6be7465031504f3b9764d1e7a687f5ba491e7b5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 11:22:47 +0200
Subject: some more SL20 authentication module updates

---
 .../moa/id/auth/modules/sl20_auth/Constants.java            |  7 +++++--
 .../auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java |  5 -----
 .../sl20_auth/sl20/verifier/QualifiedeIDVerifier.java       |  8 ++++++--
 .../modules/sl20_auth/tasks/CreateQualeIDRequestTask.java   | 13 ++++++++++---
 .../id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java |  6 ++++--
 5 files changed, 25 insertions(+), 14 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
index a3648220d..10a95501b 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -7,7 +7,8 @@ public class Constants {
 	
 	public static final String CONFIG_PROP_PREFIX = "modules.sl20";
 	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
-	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";	
+	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";
+	public static final String CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID = CONFIG_PROP_PREFIX + ".vda.authblock.transformation.id";	
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PATH = CONFIG_PROP_PREFIX + ".security.keystore.path";
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD = CONFIG_PROP_PREFIX + ".security.keystore.password";
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS = CONFIG_PROP_PREFIX + ".security.sign.alias";
@@ -19,7 +20,9 @@ public class Constants {
 	public static final String CONFIG_PROP_SP_LIST = CONFIG_PROP_PREFIX + ".sp.entityIds.";
 	
 	public static final String CONFIG_PROP_DISABLE_EID_VALIDATION = CONFIG_PROP_PREFIX + ".security.eID.validation.disable";
-	public static final String CONFIG_PROP_DISABLE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.enabled";
+	public static final String CONFIG_PROP_ENABLE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.enabled";
+	public static final String CONFIG_PROP_FORCE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.required";
+	public static final String CONFIG_PROP_FORCE_EID_SIGNED_RESULT = CONFIG_PROP_PREFIX + ".security.eID.signed.result.required";
 	
 	public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";
 	
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index 2e81d9c64..fa52634a3 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -226,11 +226,6 @@ public class SL20JSONExtractorUtils {
 		if (sl20Payload == null && sl20SignedPayload == null)
 			throw new SLCommandoParserException("NO payLoad OR signedPayload FOUND.");		
 		
-		//TODO:
-		//else if (sl20Payload != null && sl20SignedPayload != null) { 
-		    //log.warn("Find 'signed' AND 'unsigned' SL2.0 payload");
-			//throw new SLCommandoParserException("payLoad AND signedPayload FOUND. Can not used twice");
-		//}
 		else if (sl20SignedPayload == null && mustBeSigned)
 			throw new SLCommandoParserException("payLoad MUST be signed.");
 
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
index a7253c2c6..0c93e7886 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -2,7 +2,6 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 
@@ -29,6 +28,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
@@ -87,7 +87,11 @@ public class QualifiedeIDVerifier {
 	
 	public static IVerifiyXMLSignatureResponse verifyAuthBlock(String authBlockB64, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException, IOException {
 		String trustProfileId = authConfig.getMoaSpAuthBlockTrustProfileID(oaParam.isUseAuthBlockTestTestStore());
-		List<String> verifyTransformsInfoProfileID = Arrays.asList("SL20Authblock_v1.0");
+		List<String> verifyTransformsInfoProfileID = 
+				KeyValueUtils.getListOfCSVValues(
+						KeyValueUtils.normalizeCSVValueString(
+								authConfig.getBasicMOAIDConfiguration(
+										at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants.CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID))); 
 		
 		SignatureVerificationUtils sigVerify = new SignatureVerificationUtils();
 		IVerifiyXMLSignatureResponse sigVerifyResult = sigVerify.verify(Base64Utils.decode(authBlockB64, false), trustProfileId , verifyTransformsInfoProfileID);
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 26283cab2..c425ca0a7 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -1,5 +1,6 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;
 
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -86,13 +87,19 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 				qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE, "AT");
 				//qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE, UUID.randomUUID().toString());
 
-				//TODO:
+				
+				X509Certificate encCert = null;
+				if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_ENABLE_EID_ENCRYPTION, true))
+					encCert = joseTools.getEncryptionCertificate();
+				else
+					Logger.info("eID data encryption is disabled by configuration");
+				
 				JsonObject qualeIDCommandParams = SL20JSONBuilderUtils.createQualifiedeIDCommandParameters(
 						authBlockId, 
 						dataURL, 
 						qualifiedeIDParams, 
-						//joseTools.getEncryptionCertificate());
-						null);
+						encCert
+						);
 								
 				//String qualeIDReqId = UUID.randomUUID().toString();
 				//TODO: work-Around for A-trust
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 357ecb6ec..9262e43e9 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -100,7 +100,9 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				
 				
 				//validate signature
-				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true);
+				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, 
+						authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true));
+				
 				if (payLoadContainer.isValidSigned() == null || 
 						!payLoadContainer.isValidSigned()) {
 					Logger.info("SL20 result from VDA was not valid signed");
@@ -125,7 +127,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 									
 					JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(
 							payLoad, joseTools, 
-							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true));
+							authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_ENCRYPTION, true));
 
 					//extract attributes from result
 					Map<String, String> eIDData = SL20JSONExtractorUtils.getMapOfStringElements(qualeIDResult);
-- 
cgit v1.2.3


From a06f94c9da130af5cf755b7d6465c8905d37d75b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 15:05:50 +0200
Subject: add one method to AssertionAttributeExtractor and add some log
 messages

---
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        | 44 +++++++++++++++-------
 1 file changed, 30 insertions(+), 14 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 9262e43e9..03db52695 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -49,15 +49,16 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
-			throws TaskExecutionException {
+			throws TaskExecutionException {		
+		String sl20Result = null;
 		
 		try {
 			Logger.debug("Receiving SL2.0 response process .... ");
-			JsonObject sl20ReqObj = null;
+			JsonObject sl20ReqObj = null;			
 			try {
 				//get SL2.0 command or result from HTTP request
 				Map<String, String> reqParams = getParameters(request);
-				String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+				sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
 				
 				if (MiscUtil.isEmpty(sl20Result)) {
 					
@@ -103,10 +104,15 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, 
 						authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true));
 				
-				if (payLoadContainer.isValidSigned() == null || 
-						!payLoadContainer.isValidSigned()) {
-					Logger.info("SL20 result from VDA was not valid signed");
-					throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+				if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) {
+					if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) {
+						Logger.info("SL20 result from VDA was not valid signed");
+						throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+						
+					} else {
+						Logger.warn("SL20 result from VDA is NOT valid signed, but signatures-verification is DISABLED by configuration!");
+						
+					}
 					
 				}
 				
@@ -158,6 +164,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				
 			} catch (MOAIDException  e) {
 				Logger.warn("SL2.0 processing error:", e);
+				if (sl20Result != null)
+					Logger.debug("Received SL2.0 result: " + sl20Result);
 				pendingReq.setGenericDataToSession(
 						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
 						new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e));
@@ -165,6 +173,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			} catch (Exception e) {
 				Logger.warn("ERROR:", e);
 				Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
+				if (sl20Result != null)
+					Logger.debug("Received SL2.0 result: " + sl20Result);
 				pendingReq.setGenericDataToSession(
 						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
 						new TaskExecutionException(pendingReq, e.getMessage(), e));
@@ -182,8 +192,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			}
 		
 		} catch (Exception e) {
-			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding
+			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding			
 			Logger.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e);
+			if (sl20Result != null)
+				Logger.debug("Received SL2.0 result: " + sl20Result);
 			try {
 				response.sendError(500, "Internal Server Error.");
 				
@@ -207,7 +219,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				error , 
 				null);
 			
-		Logger.debug("Client request containts 'native client' header ... ");												
+		Logger.debug("Client request containts 'native client' header ... ");	
+		Logger.trace("SL20 response to VDA: " + respContainer);
 		StringWriter writer = new StringWriter();
 		writer.write(respContainer.toString());						
 		final byte[] content = writer.toString().getBytes("UTF-8");
@@ -230,13 +243,14 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 		JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
 		
 		//build first redirect command for app
-		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true);
+		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", 
+				callCommand, null, true);
 		JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
 						
 		//build second redirect command for IDP
 		JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
 				new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null), 
-				redirectOneCommand, null, true);
+				redirectOneCommand, null, false);
 		JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
 		
 		//build generic SL2.0 response container								
@@ -247,10 +261,12 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				redirectTwoCommand, 
 				null); 
 		
-		//workaround for SIC VDA
+		//workaround for A-Trust
 		if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
-				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					
-			Logger.debug("Client request containts 'native client' header ... ");												
+				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)
+					|| true) {					
+			Logger.debug("Client request containts 'native client' header ... ");
+			Logger.trace("SL20 response to VDA: " + respContainer);
 			StringWriter writer = new StringWriter();
 			writer.write(respContainer.toString());						
 			final byte[] content = writer.toString().getBytes("UTF-8");
-- 
cgit v1.2.3


From 4fa07676d5f2763cc9795c31fd95b1b6959dacb9 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 15:46:15 +0200
Subject: make IPC return URL configurable for debug purposes

---
 .../at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java     | 2 ++
 .../moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java        | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
index 10a95501b..9fcb3aa58 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -24,6 +24,8 @@ public class Constants {
 	public static final String CONFIG_PROP_FORCE_EID_ENCRYPTION = CONFIG_PROP_PREFIX + ".security.eID.encryption.required";
 	public static final String CONFIG_PROP_FORCE_EID_SIGNED_RESULT = CONFIG_PROP_PREFIX + ".security.eID.signed.result.required";
 	
+	public static final String CONFIG_PROP_IPC_RETURN_URL = CONFIG_PROP_PREFIX + ".ipc.return.url";
+	
 	public static final String PENDING_REQ_STORAGE_PREFIX = "SL20_AUTH_";
 	
 	/**
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 03db52695..d35d113f9 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -243,7 +243,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 		JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
 		
 		//build first redirect command for app
-		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", 
+		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+				authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_IPC_RETURN_URL), 
 				callCommand, null, true);
 		JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
 						
-- 
cgit v1.2.3


From 2376b4247adab09ad5e6991ba2a1511a8683bda7 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 6 Jun 2018 11:22:42 +0200
Subject: some small update

---
 .../sl20/verifier/QualifiedeIDVerifier.java        | 10 ++-----
 .../sl20_auth/tasks/CreateQualeIDRequestTask.java  |  3 +-
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        | 34 ++++++++++++++++++----
 3 files changed, 32 insertions(+), 15 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
index 0c93e7886..a437e3411 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -7,7 +7,6 @@ import java.util.List;
 
 import org.jaxen.SimpleNamespaceContext;
 import org.opensaml.Configuration;
-import org.opensaml.DefaultBootstrap;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.io.Unmarshaller;
@@ -154,12 +153,7 @@ public class QualifiedeIDVerifier {
 			//parse authBlock into SAML2 Assertion
 			byte[] authBlockBytes = Base64Utils.decode(authblockB64, false);			
 			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes));			
-				
-			//A-Trust workarounda
-//			Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authblockB64.getBytes()));
-//			Element authBlockDOM = DOMUtils.parseXmlNonValidating(new ByteArrayInputStream(authblockB64.getBytes()));
 			
-			DefaultBootstrap.bootstrap();
 			UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
 			Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM);			 
 			XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM);
@@ -231,8 +225,10 @@ public class QualifiedeIDVerifier {
 				+ " NotBefore:" + notBefore.toString() 
 				+ " NotOrNotAfter:" + notOrNotAfter.toString());
 		
-		if (signingDate.after(notBefore) && signingDate.before(notOrNotAfter))
+		if ((signingDate.after(notBefore) || signingDate.equals(notBefore)) 
+				&& signingDate.before(notOrNotAfter))
 			Logger.debug("Signing date validation successfull");
+			
 		
 		else {
 			Logger.info("AuthBlock signing date does NOT match to AuthBlock constrains");
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index c425ca0a7..b87d614c5 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -102,8 +102,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 						);
 								
 				//String qualeIDReqId = UUID.randomUUID().toString();
-				//TODO: work-Around for A-trust
-				String qualeIDReqId = SAML2Utils.getSecureIdentifier().substring(0, 12);
+				String qualeIDReqId = SAML2Utils.getSecureIdentifier();
 				String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools);
 				JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand);
 								
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index d35d113f9..bb66f452a 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -61,13 +61,11 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
 				
 				if (MiscUtil.isEmpty(sl20Result)) {
-					
-					//TODO: remove
 					//Workaround for SIC Handy-Signature, because it sends result in InputStream
-					String test = StreamUtils.readStream(request.getInputStream(), "UTF-8");					
-					if (MiscUtil.isNotEmpty(test)) {
+					String isReqInput = StreamUtils.readStream(request.getInputStream(), "UTF-8");					
+					if (MiscUtil.isNotEmpty(isReqInput)) {
 						Logger.info("Use SIC Handy-Signature work-around!");
-						sl20Result = test.substring("slcommand=".length());
+						sl20Result = isReqInput.substring("slcommand=".length());
 						
 					} else {					
 						Logger.info("NO SL2.0 commando or result FOUND.");
@@ -244,7 +242,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 		
 		//build first redirect command for app
 		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
-				authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_IPC_RETURN_URL), 
+				generateICPRedirectURLForDebugging(), 
 				callCommand, null, true);
 		JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
 						
@@ -285,6 +283,30 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 		}
 	}
 
+	/**
+	 * Generates a IPC redirect URL that is configured on IDP side
+	 * 
+	 * @return IPC ReturnURL, or null if no URL is configured
+	 */
+	private String generateICPRedirectURLForDebugging() {
+		final String PATTERN_PENDING_REQ_ID = "#PENDINGREQID#";
+		
+		String ipcRedirectURLConfig = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_IPC_RETURN_URL);				
+		if (MiscUtil.isNotEmpty(ipcRedirectURLConfig)) {			
+			if (ipcRedirectURLConfig.contains(PATTERN_PENDING_REQ_ID)) {
+				Logger.trace("Find 'pendingReqId' pattern in IPC redirect URL. Update url ... ");
+				ipcRedirectURLConfig = ipcRedirectURLConfig.replaceAll(
+						"#PENDINGREQID#", 
+						MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingReq.getRequestID());
+				
+			}
+			
+			return ipcRedirectURLConfig;
+		}
+		
+		return null;
+		
+	}
 	
 	
 }
-- 
cgit v1.2.3


From 23201ce112d9aa132783f984e0765c0cacca95a5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 12 Jun 2018 06:25:12 +0200
Subject: update SL20 module and add an additional jUnit test

---
 .../id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java |  2 +-
 .../modules/sl20_auth/sl20/SL20JSONExtractorUtils.java    | 15 ++++++---------
 .../auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java  |  9 +++++++++
 3 files changed, 16 insertions(+), 10 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index c95e0b731..a5696d36d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -148,7 +148,7 @@ public class JsonSecurityUtils implements IJOSETools{
 			jws.setKey(signPrivKey);
 			
 			//TODO:
-			//jws.setCertificateChainHeaderValue(signCertChain);
+			jws.setCertificateChainHeaderValue(signCertChain);
 			jws.setX509CertSha256ThumbprintHeaderValue(signCertChain[0]);
 						
 			return jws.getCompactSerialization();
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index fa52634a3..0dc2e762d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -172,16 +172,10 @@ public class SL20JSONExtractorUtils {
 		
 		if (result == null && encryptedResult == null)
 			throw new SLCommandoParserException("NO result OR encryptedResult FOUND.");		
-		
-		else if (result == null && encryptedResult == null) 
-			throw new SLCommandoParserException("result AND encryptedResultFOUND. Can not used twice");
-		
+				
 		else if (encryptedResult == null && mustBeEncrypted)
 			throw new SLCommandoParserException("result MUST be signed.");
-		
-		else if (result != null)
-			return result;
-		
+				
 		else if (encryptedResult != null && encryptedResult.isJsonPrimitive()) {
 			try {
 				return decrypter.decryptPayload(encryptedResult.getAsString());
@@ -200,7 +194,10 @@ public class SL20JSONExtractorUtils {
 					throw e;	
 				
 			}
-			
+
+		} else if (result != null) {
+				return result;
+
 		} else
 			throw new SLCommandoParserException("Internal build error");
 		
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index bb66f452a..2f062b71d 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -140,6 +140,15 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 					String ccsURL  = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL);					
 					String LoA = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA);
 					
+					
+					
+					if (MiscUtil.isEmpty(idlB64) || MiscUtil.isEmpty(authBlockB64) 
+							|| MiscUtil.isEmpty(LoA) || MiscUtil.isEmpty(ccsURL)) {
+						Logger.info("SL20 'qualifiedeID' result does NOT contain all required attributes.");
+						throw new SLCommandoParserException("SL20 'qualifiedeID' result does NOT contain all required attributes.");
+						
+					}
+					
 					//cache qualified eID data into pending request
 					pendingReq.setGenericDataToSession(
 							Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, 
-- 
cgit v1.2.3


From c4405efdb0177c6319c0a3a0b9f5d3f4d0967748 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 12 Jun 2018 12:07:41 +0200
Subject: add log message

---
 .../moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java           | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index a5696d36d..f7e635b3b 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -223,8 +223,10 @@ public class JsonSecurityUtils implements IJOSETools{
 				throw new SL20SecurityException("JWS signature invalide.");
 				
 			}
+				
 			
 			//load payLoad
+			Logger.debug("SL2.0 commando signature validation sucessfull");
 			JsonElement sl20Req = new JsonParser().parse(jws.getPayload());
 			
 			return new VerificationResult(sl20Req.getAsJsonObject(), null, valid) ;
-- 
cgit v1.2.3


From fcb3d17f73a880fb19c4a6a2ea7f7009051553cf Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 12 Jun 2018 12:59:26 +0200
Subject: update jUnit tests for SIC mobile-phone signature

---
 .../sl20/verifier/QualifiedeIDVerifier.java        | 24 +---------------------
 1 file changed, 1 insertion(+), 23 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
index a437e3411..18428e554 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java
@@ -5,7 +5,6 @@ import java.io.IOException;
 import java.util.Date;
 import java.util.List;
 
-import org.jaxen.SimpleNamespaceContext;
 import org.opensaml.Configuration;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.xml.XMLObject;
@@ -33,31 +32,10 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
 import at.gv.egovernment.moa.util.Base64Utils;
-import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DOMUtils;
 
 
-public class QualifiedeIDVerifier {
-
-	 /** Xpath expression to the dsig:Signature element */
-	  private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature";
-	  
-	  private static final String XADES_1_1_1_SIGNINGTIME_PATH = "//" + Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime";
-	  private static final String XADES_1_3_2_SIGNINGTIME_PATH = "//" + Constants.XADES_1_3_2_NS_PREFIX + ":SigningTime";
-	  
-	  
-	  private static final long MAX_DIFFERENCE_IN_MILLISECONDS = 600000; // 10min
-	  
-
-	  private static SimpleNamespaceContext NS_CONTEXT;
-	  static {
-	    NS_CONTEXT = new SimpleNamespaceContext();
-	    NS_CONTEXT.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI);
-	    NS_CONTEXT.addNamespace(Constants.XADES_1_2_2_NS_PREFIX, Constants.XADES_1_2_2_NS_URI);
-	    NS_CONTEXT.addNamespace(Constants.XADES_1_3_2_NS_PREFIX, Constants.XADES_1_3_2_NS_URI);
-	    NS_CONTEXT.addNamespace(Constants.XADES_1_4_1_NS_PREFIX, Constants.XADES_1_4_1_NS_URI);
-	  }
-	
+public class QualifiedeIDVerifier {	
 	public static void verifyIdentityLink(IIdentityLink idl, IOAAuthParameters oaParam, AuthConfiguration authConfig) throws MOAIDException {		
 		// validates the identity link
 		IdentityLinkValidator.getInstance().validate(idl);
-- 
cgit v1.2.3


From fc41c6901072a2711f577b96c38f894798ce7a31 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 14 Jun 2018 07:31:14 +0200
Subject: fix problem in Exception handling

---
 .../moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java    | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
index cc74bb11a..f2a93e3ed 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
@@ -13,7 +13,6 @@ import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
-import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier.QualifiedeIDVerifier;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
@@ -79,7 +78,7 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
 			
 				//TODO: add LoA verification
 				
-			} catch (SL20eIDDataValidationException e) {
+			} catch (MOAIDException e) {
 				if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_VALIDATION, false)) {
 					Logger.warn("SL20 eID data validation IS DISABLED!!");
 					Logger.warn("SL20 eID data IS NOT VALID!!! Reason: " + e.getMessage(), e);
-- 
cgit v1.2.3


From 30e324851d67bd900471457e3c30a19b4073ec77 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 25 Jun 2018 13:22:20 +0200
Subject: add SP specific configuration for SL2.0

---
 .../moa/id/auth/modules/sl20_auth/Constants.java   |  5 ++-
 .../sl20_auth/SL20AuthenticationModulImpl.java     | 43 +++++++++++++++++-----
 .../sl20_auth/tasks/CreateQualeIDRequestTask.java  | 37 ++++++++-----------
 3 files changed, 52 insertions(+), 33 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
index 9fcb3aa58..f474461bf 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/Constants.java
@@ -6,7 +6,8 @@ public class Constants {
 	public static final String HTTP_ENDPOINT_RESUME = "/sl20/resume";
 	
 	public static final String CONFIG_PROP_PREFIX = "modules.sl20";
-	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint";
+	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID = CONFIG_PROP_PREFIX + ".vda.urls.qualeID.endpoint.";
+	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT = "default";
 	public static final String CONFIG_PROP_VDA_AUTHBLOCK_ID = CONFIG_PROP_PREFIX + ".vda.authblock.id";
 	public static final String CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID = CONFIG_PROP_PREFIX + ".vda.authblock.transformation.id";	
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_PATH = CONFIG_PROP_PREFIX + ".security.keystore.path";
@@ -16,7 +17,7 @@ public class Constants {
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS = CONFIG_PROP_PREFIX + ".security.encryption.alias";;
 	public static final String CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD = CONFIG_PROP_PREFIX + ".security.encryption.password";
 	
-	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST = CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ".";
+	public static final String CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST = CONFIG_PROP_VDA_ENDPOINT_QUALeID;
 	public static final String CONFIG_PROP_SP_LIST = CONFIG_PROP_PREFIX + ".sp.entityIds.";
 	
 	public static final String CONFIG_PROP_DISABLE_EID_VALIDATION = CONFIG_PROP_PREFIX + ".security.eID.validation.disable";
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
index 367e7b604..2c106b52e 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java
@@ -27,15 +27,18 @@ import java.util.List;
 
 import javax.annotation.PostConstruct;
 
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 
 import at.gv.egovernment.moa.id.auth.modules.AuthModule;
 import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -75,23 +78,43 @@ public class SL20AuthenticationModulImpl implements AuthModule {
 	 */
 	@Override
 	public String selectProcess(ExecutionContext context) {
+		Object spConfigObj = context.get(MOAIDAuthConstants.PROCESSCONTEXT_SP_CONFIG);
+		IOAAuthParameters spConfig = null;
+		if (spConfigObj != null && spConfigObj instanceof IOAAuthParameters)
+			spConfig = (IOAAuthParameters)spConfigObj;
+					
 		String sl20ClientTypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase());
 		String sl20VDATypeHeader = (String)  context.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
 		
-		if ( StringUtils.isNotBlank(sl20ClientTypeHeader) 
-//				&& (
-//						StringUtils.isNotBlank(sl20VDATypeHeader) 
-//						//&& VDA_TYPE_IDS.contains(sl20VDATypeHeader.trim())
-//				   ) 
-				) {
-			Logger.trace(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");			
+		if (spConfig != null && 
+				MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENABLED)) &&
+					Boolean.valueOf(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENABLED))) {
+			Logger.debug("SL2.0 is enabled for " + spConfig.getPublicURLPrefix());
+			Logger.trace(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  ": " + sl20ClientTypeHeader);			
+			Logger.trace(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE +  ": " + sl20VDATypeHeader);
 			return "SL20Authentication";
 			
 		} else {
-			Logger.trace("No '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");
+			Logger.trace("SL2.0 is NOT enabled for " + spConfig.getPublicURLPrefix());
 			return null;
 			
-		}		
+		}
+		
+		
+//		if ( StringUtils.isNotBlank(sl20ClientTypeHeader) 
+////				&& (
+////						StringUtils.isNotBlank(sl20VDATypeHeader) 
+////						//&& VDA_TYPE_IDS.contains(sl20VDATypeHeader.trim())
+////				   ) 
+//				) {
+//			Logger.trace(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");			
+//			return "SL20Authentication";
+//			
+//		} else {
+//			Logger.trace("No '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE +  "' header found");
+//			return null;
+//			
+//		}		
 	}
 
 	/* (non-Javadoc)
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index b87d614c5..883ae07f2 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -39,7 +39,9 @@ import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20JSONExtractorUti
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.id.util.SSLUtils;
@@ -202,30 +204,22 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 	}
 	
 	private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig, ExecutionContext executionContext) {		
+		String spSpecificVDAEndpoints = oaConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENDPOINTS);		
+		Map<String, String> endPointMap = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
+		if (MiscUtil.isNotEmpty(spSpecificVDAEndpoints)) {
+			endPointMap.putAll(KeyValueUtils.convertListToMap(
+							KeyValueUtils.getListOfCSVValues(
+								KeyValueUtils.normalizeCSVValueString(spSpecificVDAEndpoints))));
+			Logger.debug("Find OA specific SL2.0 endpoints. Updating endPoint list ... ");
+			
+		} 
+		
+		Logger.trace("Find #" + endPointMap.size() + " SL2.0 endpoints ... ");
 		
-		//selection based on EntityID
-//		Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
-//		Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST);
-//		
-//		for (Entry<String, String> el : listOfSPs.entrySet()) {
-//			List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue());
-//			if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) {
-//				Logger.trace("Select VDA endPoint with Id: " + el.getKey());
-//				if (listOfVDAs.containsKey(el.getKey()))					
-//					return listOfVDAs.get(el.getKey());
-//				
-//				else
-//					Logger.info("No VDA endPoint with Id: " + el.getKey());
-//				
-//			} else
-//				Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix());
-//			
-//		}
-
 		//selection based on request Header
 		String sl20VDATypeHeader = (String)  executionContext.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
 		if (MiscUtil.isNotEmpty(sl20VDATypeHeader)) {
-			String vdaURL = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST + sl20VDATypeHeader);
+			String vdaURL = endPointMap.get(sl20VDATypeHeader);
 			if (MiscUtil.isNotEmpty(vdaURL))
 				return vdaURL.trim();
 			
@@ -235,7 +229,8 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 		}
 		
 		Logger.info("NO SP specific VDA endpoint found. Use default VDA");
-		return authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT);
+		return endPointMap.getOrDefault(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT,
+				Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT);
 		
 	}
 
-- 
cgit v1.2.3


From 7aded182c8ee6538c9b2fc55e1b73ada926ba6f6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 26 Jun 2018 10:29:39 +0200
Subject: add logging add validation of decryption-key

---
 .../modules/sl20_auth/sl20/JsonSecurityUtils.java  | 50 +++++++++++++++++++---
 .../sl20_auth/sl20/SL20JSONExtractorUtils.java     | 13 ++++--
 .../sl20_auth/tasks/CreateQualeIDRequestTask.java  |  5 +++
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        |  4 +-
 .../sl20_auth/tasks/VerifyQualifiedeIDTask.java    |  9 +++-
 5 files changed, 70 insertions(+), 11 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
index f7e635b3b..8456cfad5 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java
@@ -20,6 +20,7 @@ import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwx.JsonWebStructure;
+import org.jose4j.keys.X509Util;
 import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
 import org.jose4j.lang.JoseException;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -78,7 +79,7 @@ public class JsonSecurityUtils implements IJOSETools{
 			try {
 				encPrivKey = keyStore.getKey(getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray());
 				if (encPrivKey != null) {
-					Certificate[] certChainEncryption = keyStore.getCertificateChain(getSigningKeyAlias());
+					Certificate[] certChainEncryption = keyStore.getCertificateChain(getEncryptionKeyAlias());
 					encCertChain = new X509Certificate[certChainEncryption.length];
 					for (int i=0; i<certChainEncryption.length; i++) {
 						if (certChainEncryption[i] instanceof X509Certificate) {
@@ -242,9 +243,9 @@ public class JsonSecurityUtils implements IJOSETools{
 
 	@Override
 	public JsonElement decryptPayload(String compactSerialization) throws SL20Exception {
-		try {
+		try {			
 			JsonWebEncryption receiverJwe = new JsonWebEncryption();
-		
+					
 			//set security constrains
 			receiverJwe.setAlgorithmConstraints(
 					new AlgorithmConstraints(ConstraintType.WHITELIST,
@@ -255,12 +256,49 @@ public class JsonSecurityUtils implements IJOSETools{
 		
 			//set payload
 			receiverJwe.setCompactSerialization(compactSerialization);
+
+			
+			//validate key from header against key from config
+			List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue();
+			String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue();
+			if (x5cCerts != null) {
+				Logger.debug("Found x509 certificate in JOSE header ... ");
+				Logger.trace("Sorting received X509 certificates ... ");
+				List<X509Certificate> sortedX5cCerts  = X509Utils.sortCertificates(x5cCerts);
+				
+				if (!sortedX5cCerts.get(0).equals(encCertChain[0])) {
+					Logger.info("Certificate from JOSE header does NOT match encryption certificate");
+					Logger.debug("JOSE certificate: " + sortedX5cCerts.get(0).toString());
 					
-			//TODO: validate key from header against key from config
-		
-			//decrypt payload
+					try {
+						Logger.debug("Cert: " + Base64Utils.encode(sortedX5cCerts.get(0).getEncoded()));
+					} catch (CertificateEncodingException | IOException e) {
+						e.printStackTrace();
+					}
+					throw new SL20Exception("sl20.05", new Object[]{"Certificate from JOSE header does NOT match encryption certificate"});
+				}
+				
+			} else if (MiscUtil.isNotEmpty(x5t256)) {
+				Logger.debug("Found x5t256 fingerprint in JOSE header .... ");
+				String certFingerPrint = X509Util.x5tS256(encCertChain[0]);
+				if (!certFingerPrint.equals(x5t256)) {
+					Logger.info("X5t256 from JOSE header does NOT match encryption certificate");
+					Logger.debug("X5t256 from JOSE header: " + x5t256 + " Encrytption cert: " + certFingerPrint);
+					throw new SL20Exception("sl20.05", new Object[]{"X5t256 from JOSE header does NOT match encryption certificate"});
+					
+				}
+				
+			} else {
+				Logger.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
+				throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
+				
+			}
+						
+			//set key
 			receiverJwe.setKey(encPrivKey);
 			
+						
+			//decrypt payload			
 			return new JsonParser().parse(receiverJwe.getPlaintextString());
 			
 		} catch (JoseException e) {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index 0dc2e762d..6d0a349f4 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -186,9 +186,16 @@ public class SL20JSONExtractorUtils {
 					log.warn("Decrypted results are disabled by configuration. Parse result in plain if it is possible");
 
 					//dummy code
-					String[] signedPayload = encryptedResult.toString().split("\\.");
-					JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
-					return payLoad;
+					try {
+						String[] signedPayload = encryptedResult.toString().split("\\.");
+						JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1])));
+						return payLoad;
+						
+					} catch (Exception e1) {
+						log.debug("DummyCode FAILED, Reason: " + e1.getMessage() + " Ignore it ...");
+						throw new SL20Exception(e.getMessage(), null, e);
+						
+					}
 					
 				} else
 					throw e;	
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 883ae07f2..04daa5999 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -23,6 +23,7 @@ import org.springframework.stereotype.Component;
 
 import com.google.gson.JsonObject;
 
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -59,6 +60,8 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 			
 			Logger.debug("Starting SL2.0 authentication process .... ");
 
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, "sl20auth");
+			
 			try {
 				//get service-provider configuration
 				IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration();
@@ -70,6 +73,8 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
 					throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"});
 					
 				}
+				revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_URL, vdaQualeIDUrl);
+				
 				
 				String authBlockId = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_AUTHBLOCK_ID);
 				if (MiscUtil.isEmpty(authBlockId)) {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 2f062b71d..bf42ef9ca 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -21,6 +21,7 @@ import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import com.google.gson.JsonSyntaxException;
 
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -74,7 +75,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 					
 				}
 
-				Logger.trace("Received SL2.0 result: " + sl20Result);
+				Logger.trace("Received SL2.0 result: " + sl20Result);				
+				revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, request.getRemoteAddr());
 				
 				//parse SL2.0 command/result into JSON			
 				try {
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
index f2a93e3ed..06b670d0a 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
@@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.opensaml.saml2.core.Assertion;
 import org.springframework.stereotype.Component;
 
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -72,6 +73,7 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
 			
 				//validate eID data			
 				QualifiedeIDVerifier.verifyIdentityLink(idl, pendingReq.getOnlineApplicationConfiguration(), authConfig);
+				
 				authBlockVerificationResult = QualifiedeIDVerifier.verifyAuthBlock(
 							authBlockB64, pendingReq.getOnlineApplicationConfiguration(), authConfig);
 				QualifiedeIDVerifier.checkConsistencyOfeIDData(sl20ReqId, idl, authBlockExtractor, authBlockVerificationResult);
@@ -87,7 +89,12 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
 					throw e;
 				
 			}
-							
+			
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_IDL_VALIDATED);
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_AUTHBLOCK_VALIDATED);
+			
+			
+			
 			//add into session
 			defaultTaskInitialization(request, executionContext);
 			moasession.setIdentityLink(idl);
-- 
cgit v1.2.3


From 9ea5b40077c2336f3fb347bc6b20ef0b15c980c0 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 9 Jul 2018 12:29:15 +0200
Subject: update jUnit test and add new method to SL20 extractor

---
 .../auth/modules/sl20_auth/sl20/SL20Constants.java | 41 ++++++++++++++++++++--
 .../sl20_auth/sl20/SL20JSONExtractorUtils.java     | 33 +++++++++++++++++
 2 files changed, 71 insertions(+), 3 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
index 658384578..645b043ce 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java
@@ -91,7 +91,11 @@ public class SL20Constants {
 	public static final String SL20_COMMAND_IDENTIFIER_CALL = "call";
 	public static final String SL20_COMMAND_IDENTIFIER_ERROR = "error";
 	public static final String SL20_COMMAND_IDENTIFIER_QUALIFIEDEID = "qualifiedeID";
-	public static final String SL20_COMMAND_IDENTIFIER_QUALIFIEDSIG = "qualifiedSig";
+	//public static final String SL20_COMMAND_IDENTIFIER_QUALIFIEDSIG = "qualifiedSig";
+	
+	public static final String SL20_COMMAND_IDENTIFIER_GETCERTIFICATE = "getCertificate";
+	public static final String SL20_COMMAND_IDENTIFIER_CREATE_SIG_CADES = "createCAdES";
+	
 	
 	public static final String SL20_COMMAND_IDENTIFIER_BINDING_CREATE_KEY = "createBindingKey";
 	public static final String SL20_COMMAND_IDENTIFIER_BINDING_STORE_CERT = "storeBindingCert";
@@ -106,6 +110,7 @@ public class SL20Constants {
 	public static final String SL20_COMMAND_PARAM_GENERAL_REQPARAMETER_KEY = "key";	
 	public static final String SL20_COMMAND_PARAM_GENERAL_DATAURL = "dataUrl";
 	public static final String SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE = "x5cEnc";
+	public static final String SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONJWK = "jwkEnc";
 	
 	//Redirect command
 	public static final String SL20_COMMAND_PARAM_GENERAL_REDIRECT_URL = "url";
@@ -134,14 +139,44 @@ public class SL20Constants {
 	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME = "SP-FRIENDLYNAME";
 	public static final String SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE = "SP-COUNTRYCODE";
 	public static final String SL20_COMMAND_PARAM_EID_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+	public static final String SL20_COMMAND_PARAM_EID_JWKCENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONJWK;
 	public static final String SL20_COMMAND_PARAM_EID_RESULT_IDL = "EID-IDENTITY-LINK";
 	public static final String SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK = "EID-AUTH-BLOCK";
 	public static final String SL20_COMMAND_PARAM_EID_RESULT_CCSURL = "EID-CCS-URL";
 	public static final String SL20_COMMAND_PARAM_EID_RESULT_LOA = "EID-CITIZEN-QAA-LEVEL";
 	
 	//qualified Signature comamnd
-	public static final String SL20_COMMAND_PARAM_QUALSIG_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
-	public static final String SL20_COMMAND_PARAM_QUALSIG_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+//	public static final String SL20_COMMAND_PARAM_QUALSIG_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+//	public static final String SL20_COMMAND_PARAM_QUALSIG_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+	
+	
+	//getCertificate
+	public static final String SL20_COMMAND_PARAM_GETCERTIFICATE_KEYID = "keyId";
+	public static final String SL20_COMMAND_PARAM_GETCERTIFICATE_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+	public static final String SL20_COMMAND_PARAM_GETCERTIFICATE_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+	public static final String SL20_COMMAND_PARAM_GETCERTIFICATE_JWKCENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONJWK;
+	public static final String SL20_COMMAND_PARAM_GETCERTIFICATE_RESULT_CERTIFICATE = "x5c";
+	
+	//createCAdES Signture
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_KEYID = "keyId";	
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CONTENT = "content";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_MIMETYPE = "mimeType";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_PADES_COMBATIBILTY = "padesComatibility";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_EXCLUDEBYTERANGE = "excludedByteRange";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL = "cadesLevel";	
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_DATAURL = SL20_COMMAND_PARAM_GENERAL_DATAURL;
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_X5CENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONCERTIFICATE;
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_JWKCENC = SL20_COMMAND_PARAM_GENERAL_RESPONSEENCRYPTIONJWK;
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_RESULT_SIGNATURE = "signature";
+	
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL_BASIC = "cAdES";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL_T = "cAdES-T";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL_C = "cAdES-C";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL_X = "cAdES-X";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL_XL = "cAdES-X-L";
+	public static final String SL20_COMMAND_PARAM_CREATE_SIG_CADES_CADESLEVEL_A = "cAdES-A";
+	
+	
 	
 	//create binding key command
 	public static final String SL20_COMMAND_PARAM_BINDING_CREATE_KONTOID = "kontoID";
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
index 6d0a349f4..759d9c838 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java
@@ -1,9 +1,11 @@
 package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20;
 
 import java.io.InputStreamReader;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 
@@ -106,6 +108,37 @@ public class SL20JSONExtractorUtils {
 		}		
 	}
 	
+	/**
+	 * Extract a List of String elements from a JSON element
+	 * 
+	 * @param input
+	 * @return
+	 * @throws SLCommandoParserException
+	 */
+	public static List<String> getListOfStringElements(JsonElement input) throws SLCommandoParserException {
+		List<String> result = new ArrayList<String>();
+		if (input != null) {
+			if (input.isJsonArray()) {			
+				Iterator<JsonElement> arrayIterator = input.getAsJsonArray().iterator();
+				while(arrayIterator.hasNext()) {
+					JsonElement next = arrayIterator.next();
+					if (next.isJsonPrimitive())
+						result.add(next.getAsString());											
+				}
+				
+			} else if (input.isJsonPrimitive()) {
+				result.add(input.getAsString());
+				
+			} else {
+				log.warn("JSON Element IS NOT a JSON array or a JSON Primitive");
+				throw new SLCommandoParserException("JSON Element IS NOT a JSON array or a JSON Primitive");
+				
+			}
+		}
+		
+		return result;
+	}
+	
 	/**
 	 * Extract Map of Key/Value pairs from a JSON Element
 	 * 
-- 
cgit v1.2.3