From 656b8b4910798dec7b253ea8f4b7dbec77715012 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Sep 2017 14:32:14 +0200 Subject: update eIDAS bPK target validation --- .../moa/id/auth/modules/eidas/Constants.java | 2 ++ .../moa/id/protocols/eidas/EIDASProtocol.java | 33 ++++++++++++++++++---- 2 files changed, 30 insertions(+), 5 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index c0101b553..d975b6e0a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -69,6 +69,8 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url"; + public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target."; + //timeouts and clock skews diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 940b91b44..4b67370d6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; @@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } else { String[] splittedTarget = eIDASTarget.split("\\+"); if (!splittedTarget[2].equalsIgnoreCase(reqCC)) { - Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() + Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() + " Destination Country from request (" + reqCC - + ") does not match to configuration:" + eIDASTarget); - throw new MOAIDException("eIDAS.01", - new Object[]{"Destination Country from request does not match to configuration"}); + + ") does not match to configuration:" + eIDASTarget + + " --> Perform additional organisation check ..."); + + //check if eIDAS domain for bPK calculation is a valid target + if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) { + throw new MOAIDException("eIDAS.01", + new Object[]{"Destination Country from request does not match to configuration"}); + + } + } - Logger.debug("CountryCode from request matches eIDAS-node configuration target"); + Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget); + } @@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { return false; } + + private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) { + if (MiscUtil.isNotEmpty(reqCC)) { + List allowedOrganisations = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase())); + if (allowedOrganisations.contains(bPKTargetArea)) { + Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC); + return true; + } + } + + Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC); + return false; + } } -- cgit v1.2.3 From 77c0e0bf1c565766eb2cecfb31b509b51c92b3d7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Sep 2017 14:33:54 +0200 Subject: update error handling for wrong encoded BKU error responses --- .../moa/id/auth/parser/ErrorResponseParser.java | 39 +++++++++++++++++----- .../id/auth/parser/InfoboxReadResponseParser.java | 1 + 2 files changed, 31 insertions(+), 9 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java index a09f0a2a8..602914229 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java @@ -46,10 +46,16 @@ package at.gv.egovernment.moa.id.auth.parser; +import java.io.IOException; + +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.util.DOMUtils; /** * Parses an <ErrorResponse>. @@ -84,15 +90,30 @@ public class ErrorResponseParser { */ public ErrorResponseParser(Element errorElement) throws ParseException { if (errorElement != null) { - String namespace = errorElement.getNamespaceURI(); - NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); - if (nl.getLength() == 1) { - errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } - nl = errorElement.getElementsByTagNameNS(namespace, "Info"); - if (nl.getLength() == 1) { - errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } + try { + String namespace = errorElement.getNamespaceURI(); + NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); + if (nl.getLength() == 1) { + errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + } + nl = errorElement.getElementsByTagNameNS(namespace, "Info"); + if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) { + errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + + } + } catch ( Exception e) { + try { + if (Logger.isDebugEnabled()) + Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ; + else + Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ; + + } catch (TransformerException | IOException e1) { + Logger.warn("Can not extract error code from BKU response.", e); + Logger.warn("Can not serialize error response.", e1); + + } + } } } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java index 275a85129..154092b03 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java @@ -150,6 +150,7 @@ public class InfoboxReadResponseParser { if ("InfoboxReadResponse".equals(responseElem.getLocalName())) { infoBoxElem_ = responseElem; + } else { ErrorResponseParser erp = new ErrorResponseParser(responseElem); throw new BKUException("auth.08", -- cgit v1.2.3 From 9b0dd388aca4bea80055284e558b6c16edefcec6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Sep 2017 15:53:07 +0200 Subject: update wrong log message --- .../modules/eidas/tasks/GenerateAuthnRequestTask.java | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 6f1d75bfe..3e7a4e875 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -22,16 +22,17 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks; +import java.awt.PageAttributes.MediaType; import java.io.StringWriter; import java.util.ArrayList; import java.util.Collection; import java.util.List; +import java.util.logging.Logger; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.BooleanUtils; -import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -41,8 +42,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; - -import com.google.common.net.MediaType; +import org.springframework.util.StringUtils; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; @@ -53,16 +53,8 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.IRequest; -import at.gv.egovernment.moa.id.commons.api.data.CPEPS; -import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EidasStringUtil; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder; @@ -306,7 +298,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { context.put("RelayState", pendingReq.getRequestID()); - Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation()); + Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); context.put("action", authnReqEndpoint.getLocation()); Logger.debug("Starting template merge"); -- cgit v1.2.3 From 3c81d3fef06204f2259b6c0377c8a2a00974c614 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Sep 2017 12:15:20 +0200 Subject: make SAML2 http POST-Binding template and mandate-service selection-template configurable for every online application --- .../modules/eidas/tasks/GenerateAuthnRequestTask.java | 12 ++++++++++-- .../elgamandates/tasks/SelectMandateServiceTask.java | 15 +++++++++------ 2 files changed, 19 insertions(+), 8 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 3e7a4e875..c55b5a749 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -22,12 +22,10 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks; -import java.awt.PageAttributes.MediaType; import java.io.StringWriter; import java.util.ArrayList; import java.util.Collection; import java.util.List; -import java.util.logging.Logger; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -44,6 +42,8 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.util.StringUtils; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; @@ -53,8 +53,16 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EidasStringUtil; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java index 98f8d13c7..52970e240 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java @@ -30,7 +30,7 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils; import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; @@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask { //check if Service-Provider allows ELGA-mandates if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) { Logger.trace("Build GUI for mandate-service selection ..."); - - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( - pendingReq, - ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, - GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, + GeneralProcessEngineSignalController.ENDPOINT_GENERIC, + authConfig.getRootConfigFileDir()); guiBuilder.build(response, config, "Mandate-Service selection"); -- cgit v1.2.3 From 765c5bc8694275b08f56797ac417b176cb30fff0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 22 Sep 2017 10:24:19 +0200 Subject: update eIDAS attribute builder for legalPersonIdentifier --- .../builder/eIDASAttrLegalPersonIdentifier.java | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java index c008048cb..ea5a002e0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java @@ -22,7 +22,13 @@ */ package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -30,6 +36,31 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonS */ public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute { + @Override + public ATT build(IOAAuthParameters oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + if(authData.isUseMandate()) { + + //extract eIDAS unique Id prefix from naturalPerson bPK identifier + if (MiscUtil.isEmpty(authData.getBPKType()) + || !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) { + Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType()); + throw new AttributeException("Suspect bPKType for eIDAS identifier generation"); + + } + + //add eIDAS eID prefix to legal person identifier + String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1); + String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData); + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, + MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID); + + } + + return null; + + } + @Override public String getName() { return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString(); -- cgit v1.2.3 From 588b730eff977fa7fba62612ec7b4bb1bc56ebd8 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 3 Oct 2017 16:17:17 +0200 Subject: update mobile-auth module for eGov KU 2017/18 --- .../moa-id-module-bkaMobilaAuthSAML2Test/pom.xml | 31 +++ .../bkamobileauthtests/BKAMobileAuthModule.java | 24 +- .../BKAMobileAuthSpringResourceProvider.java | 2 +- .../tasks/FirstBKAMobileAuthTask.java | 257 ++++++++++++++++++++- .../src/main/resources/BKAMobileAuth.process.xml | 6 +- 5 files changed, 309 insertions(+), 11 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml index 0db2b26a8..0207eb6c9 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml @@ -7,4 +7,35 @@ moa-id-module-bkaMobilaAuthSAML2Test BKA MobileAuth Test for SAML2 applications + + + + org.bouncycastle + bcprov-jdk15on + 1.52 + + + org.bouncycastle + bcpkix-jdk15on + 1.52 + + + + + com.googlecode.jsontoken + jsontoken + 1.1 + + + javax.servlet + servlet-api + + + google-collections + com.google.collections + + + + + \ No newline at end of file diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java index 44554e21d..b31985542 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java @@ -30,9 +30,11 @@ import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.FirstBKAMobileAuthTask; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -45,7 +47,8 @@ public class BKAMobileAuthModule implements AuthModule { private int priority = 1; - @Autowired protected AuthConfiguration authConfig; + @Autowired(required=true) protected AuthConfiguration authConfig; + @Autowired(required=true) private AuthenticationManager authManager; private List uniqueIDsDummyAuthEnabled = new ArrayList(); @@ -77,7 +80,10 @@ public class BKAMobileAuthModule implements AuthModule { for (String el : uniqueIDsDummyAuthEnabled) Logger.info(" EntityID: " + el); } - } + } + + //parameter to whiteList + authManager.addParameterNameToWhiteList(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW); } /* (non-Javadoc) @@ -87,9 +93,17 @@ public class BKAMobileAuthModule implements AuthModule { public String selectProcess(ExecutionContext context) { String spEntityID = (String) context.get(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER); if (MiscUtil.isNotEmpty(spEntityID)) { - if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) - return "BKAMobileAuthentication"; - + if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) { + String eIDBlob = (String)context.get(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW); + if (eIDBlob != null && MiscUtil.isNotEmpty(eIDBlob.trim())) { + return "BKAMobileAuthentication"; + + } else { + Logger.debug("Dummy-auth are enabled for " + spEntityID + " but no '" + + FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW + "' req. parameter available."); + + } + } } return null; diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java index 884129453..f8c4e8ce9 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java @@ -56,7 +56,7 @@ public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvid */ @Override public String getName() { - return "BKA MobileAuth SAML2 Test"; + return "SSL Client-Certificate authentication"; } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java index 66112edc5..d6e814a9d 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java @@ -22,16 +22,56 @@ */ package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.KeySpec; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; +import javax.security.cert.CertificateException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; +import org.bouncycastle.cms.CMSSignedData; +import org.joda.time.DateTime; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import com.google.gson.JsonObject; +import com.google.gson.JsonParseException; +import com.google.gson.JsonParser; + +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; /** @@ -41,6 +81,20 @@ import at.gv.egovernment.moa.logging.Logger; @Component("FirstBKAMobileAuthTask") public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { + private static final String CONF_MOASPSS_TRUSTPROFILE = "modules.bkamobileAuth.verify.trustprofile"; + private static final String CONF_SIGNING_TIME_JITTER = "modules.bkamobileAuth.verify.time.jitter"; + private static final String CONF_EID_TOKEN_ENCRYPTION_KEY = "modules.bkamobileAuth.eIDtoken.encryption.pass"; + + private static final String EIDCONTAINER_KEY_SALT = "salt"; + private static final String EIDCONTAINER_KEY_IV = "iv"; + private static final String EIDCONTAINER_EID = "eid"; + private static final String EIDCONTAINER_KEY_IDL = "idl"; + private static final String EIDCONTAINER_KEY_BINDINGCERT = "cert"; + + public static final String REQ_PARAM_eID_BLOW = "eidToken"; + + @Autowired(required=true) private AuthConfiguration authConfig; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) */ @@ -48,9 +102,206 @@ public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - Logger.info("Redirect to Second BKA Mobile Auth task"); - performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + try { + String eIDBlobRawB64 = request.getParameter(REQ_PARAM_eID_BLOW); + if (MiscUtil.isEmpty(eIDBlobRawB64)) { + //TODO: add dummy-auth functionality + + Logger.warn("NO eID data blob included!"); + throw new MOAIDException("NO eID data blob included!", null); + } + + parseDemoValuesIntoMOASession(pendingReq, pendingReq.getMOASession(), eIDBlobRawB64); + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (Exception e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + + //Logger.info("Redirect to Second BKA Mobile Auth task"); + //performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + } + + /** + * @param pendingReq + * @param moaSession + * @param eIDBlobRaw + * @throws MOAIDException + * @throws IOException + */ + private void parseDemoValuesIntoMOASession(IRequest pendingReq, IAuthenticationSession moaSession, String eIDBlobRawB64) throws MOAIDException, IOException { + Logger.debug("Check eID blob signature ... "); + byte[] eIDBlobRaw = Base64Utils.decode(eIDBlobRawB64.trim(), false); + + VerifyCMSSignatureResponse cmsResp = SignatureVerificationInvoker.getInstance().verifyCMSSignature( + createCMSVerificationReq(eIDBlobRaw)); + + if (cmsResp.getResponseElements().isEmpty()) { + Logger.warn("No CMS signature-verification response"); + throw new MOAIDException("Signature verification FAILED: No response", null); + + } + VerifyCMSSignatureResponseElement sigVerifyResp = (VerifyCMSSignatureResponseElement) cmsResp.getResponseElements().get(0); + analyseCMSSignatureVerificationResponse(sigVerifyResp); + + + Logger.info("eID blob signature is VALID!"); + byte[] decRawEidBlob = null; + byte[] signedData = null; + try { + Logger.debug("Starting eID information extraction ... "); + CMSSignedData cmsContent = new CMSSignedData(eIDBlobRaw); + signedData = (byte[])cmsContent.getSignedContent().getContent(); + if (!cmsContent.getSignedContent().getContentType().equals(CMSObjectIdentifiers.data)) { + Logger.warn("Signature contains NO 'data' OID 1.2.840.113549.1.7.1"); + throw new MOAIDException("Signature contains NO 'data' OID 1.2.840.113549.1.7.1", null); + } + if (signedData == null) { + Logger.warn("CMS SignedData is empty or null"); + throw new MOAIDException("CMS SignedData is empty or null", null); + } + Logger.info("Signed content extracted"); + + + Logger.debug("Starting signed content decryption ... "); + JsonParser parser = new JsonParser(); + JsonObject signedDataJson = (JsonObject) parser.parse(new String(signedData, "UTF-8")); + byte[] salt = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_SALT).getAsString(), false); + byte[] ivraw = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_IV).getAsString(), false); + byte[] encRawEidBlob = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_EID).getAsString(), false); + SecretKey seckey = generateDecryptionKey(salt); + IvParameterSpec iv = new IvParameterSpec(ivraw); + Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); + cipher.init(Cipher.DECRYPT_MODE, seckey, iv); + decRawEidBlob = cipher.doFinal(encRawEidBlob); + Logger.info("eID data decryption completed"); + + + Logger.debug("Starting eID-blob parsing ..."); + JsonObject eIDBlobJson = (JsonObject) parser.parse(new String(decRawEidBlob, "UTF-8")); + String idlB64 = eIDBlobJson.get( + EIDCONTAINER_KEY_IDL).getAsString(); + String bindingCertB64 = eIDBlobJson.get( + EIDCONTAINER_KEY_BINDINGCERT).getAsString(); + javax.security.cert.X509Certificate bindingCert = javax.security.cert.X509Certificate.getInstance(Base64Utils.decode(bindingCertB64, false)); + if (!sigVerifyResp.getSignerInfo().getSignerCertificate().equals(bindingCert)) { + Logger.error("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!"); + Logger.info("BindingCert: " + bindingCert.toString()); + Logger.info("SigningCert: " + sigVerifyResp.getSignerInfo().getSignerCertificate().toString()); + throw new MOAIDException("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!", null); + + } + Logger.info("eID-blob parsing completed"); + + + Logger.debug("Parse eID information into MOA-Session ..."); + byte[] rawIDL = Base64Utils.decode(idlB64, false); + IIdentityLink identityLink = new IdentityLinkAssertionParser(new ByteArrayInputStream(rawIDL)).parseIdentityLink(); + moaSession.setIdentityLink(identityLink); + moaSession.setUseMandates(false); + moaSession.setForeigner(false); + moaSession.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest"); + moaSession.setQAALevel(PVPConstants.STORK_QAA_1_3); + Logger.info("Session Restore completed"); + + + } catch (MOAIDException e) { + throw e; + + } catch (JsonParseException e) { + if (decRawEidBlob != null) + Logger.error("eID-blob parse error! blob: " + new String(decRawEidBlob, "UTF-8"), e); + + if (signedData != null) + Logger.error("eID-blob parse error! blob: " + new String(signedData, "UTF-8"), e); + + if (decRawEidBlob == null && signedData == null) + Logger.error("eID-blob parse error!", e); + + throw new MOAIDException("eID-blob parse error!", null); + + } catch (org.bouncycastle.cms.CMSException e) { + Logger.error("Can not parse CMS signature.", e); + throw new MOAIDException("Can not parse CMS signature.", null, e); + + } catch (InvalidAlgorithmParameterException| NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) { + Logger.error("Can not decrypte eID data.", e); + throw new MOAIDException("Can not decrypte eID data", null, e); + } catch (CertificateException e) { + Logger.error("Can not extract mobile-app binding-certificate from eID blob.", e); + throw new MOAIDException("Can not extract mobile-app binding-certificate from eID blob.", null, e); + + } finally { + + } + + } + + private SecretKey generateDecryptionKey(byte[] salt) throws MOAIDException { + String decryptionPassPhrase = authConfig.getBasicMOAIDConfiguration(CONF_EID_TOKEN_ENCRYPTION_KEY, "DEFAULTPASSWORD"); + try { + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); + KeySpec spec = new PBEKeySpec(decryptionPassPhrase.toCharArray(), salt, 2000, 128); + SecretKey derivedKey = factory.generateSecret(spec); + SecretKeySpec symKeySpec = new SecretKeySpec(derivedKey.getEncoded(), "AES"); + return symKeySpec; + +// KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2"); +// PBEKeyAndParameterSpec parameterSpec = +// new PBEKeyAndParameterSpec(decryptionPassPhrase.getBytes(), salt, 2000, 16); +// pbkdf2.init(parameterSpec, random); +// SecretKey derivedKey = pbkdf2.generateKey(); +// +// SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), "AES"); +// SecretKeyFactory kf = SecretKeyFactory.getInstance("AES"); +// return kf.generateSecret(spec); + + } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { + Logger.error("Mobile-Auth Module has an internal errror.", e); + throw new MOAIDException("Mobile-Auth Module has an internal errror.", null, e); + + } + } + + /** + * @throws MOAIDException + * + */ + private void analyseCMSSignatureVerificationResponse(VerifyCMSSignatureResponseElement verifySigResult) throws MOAIDException { + //validate CMS signature verification response + if (verifySigResult.getSignatureCheck().getCode() != 0) { + Logger.warn("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode()); + throw new MOAIDException("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode(), null); + + } + if (verifySigResult.getCertificateCheck().getCode() != 0) { + Logger.warn("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode()); + throw new MOAIDException("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode(), null); + + } + SignerInfo signerInfos = verifySigResult.getSignerInfo(); + DateTime date = new DateTime(signerInfos.getSigningTime().getTime()); + Integer signingTimeJitter = Integer.valueOf(authConfig.getBasicMOAIDConfiguration(CONF_SIGNING_TIME_JITTER, "5")); + if (date.plusMinutes(signingTimeJitter).isBeforeNow()) { + Logger.warn("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter)); + throw new MOAIDException("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter), null); + + } + } + private VerifyCMSSignatureRequest createCMSVerificationReq(byte[] eIDBlobRaw) { + VerifyCMSSignatureRequestImpl cmsSigVerifyReq = new VerifyCMSSignatureRequestImpl(); + cmsSigVerifyReq.setSignatories(VerifyCMSSignatureRequestImpl.ALL_SIGNATORIES); + cmsSigVerifyReq.setExtended(false); + cmsSigVerifyReq.setPDF(false); + cmsSigVerifyReq.setTrustProfileId(authConfig.getBasicMOAIDConfiguration(CONF_MOASPSS_TRUSTPROFILE, "!!NOT SET!!!")); + cmsSigVerifyReq.setCMSSignature(new ByteArrayInputStream(eIDBlobRaw)); + return cmsSigVerifyReq; + } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml index 4a0f4d5f2..6f41f347a 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml @@ -12,8 +12,10 @@ - - + + + -- cgit v1.2.3 From b04b2db585d4878272778641edfbb24f4fdba89d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 4 Oct 2017 12:46:27 +0200 Subject: update eID decryption implementation in mobile-auth module --- .../bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java index d6e814a9d..43043ddd6 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java @@ -250,17 +250,7 @@ public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { SecretKey derivedKey = factory.generateSecret(spec); SecretKeySpec symKeySpec = new SecretKeySpec(derivedKey.getEncoded(), "AES"); return symKeySpec; - -// KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2"); -// PBEKeyAndParameterSpec parameterSpec = -// new PBEKeyAndParameterSpec(decryptionPassPhrase.getBytes(), salt, 2000, 16); -// pbkdf2.init(parameterSpec, random); -// SecretKey derivedKey = pbkdf2.generateKey(); -// -// SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), "AES"); -// SecretKeyFactory kf = SecretKeyFactory.getInstance("AES"); -// return kf.generateSecret(spec); - + } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { Logger.error("Mobile-Auth Module has an internal errror.", e); throw new MOAIDException("Mobile-Auth Module has an internal errror.", null, e); -- cgit v1.2.3 From 546bc276ded107edff4bb7546c4a6761494a09c6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 4 Oct 2017 13:27:11 +0200 Subject: add additional logging --- .../id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java | 8 ++++++-- .../bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java index b31985542..0cef4cb41 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java @@ -103,8 +103,12 @@ public class BKAMobileAuthModule implements AuthModule { + FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW + "' req. parameter available."); } - } - } + + } else + Logger.debug("Unique SP-Id: " + spEntityID + " is not in whitelist of mobile-auth module."); + + } else + Logger.debug("No unique service-provider identifier!"); return null; } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java index f8c4e8ce9..aa16a9172 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java @@ -56,7 +56,7 @@ public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvid */ @Override public String getName() { - return "SSL Client-Certificate authentication"; + return "Module for 'Mobile-Auth with Crypto-Binding'"; } } -- cgit v1.2.3 From e9523fa25a76887419a268668013a2438cb51212 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 9 Oct 2017 14:44:34 +0200 Subject: switch to eIDAS SAML-engine 1.4.0 --- id/server/modules/moa-id-module-eIDAS/pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index f3d8eeb36..cf3325d24 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -12,11 +12,11 @@ ${basedir}/../../../../repository - 1.4.0-SNAPSHOT - 1.4.0-SNAPSHOT - 1.4.0-SNAPSHOT - 1.4.0-SNAPSHOT - 1.4.0-SNAPSHOT + 1.4.0 + 1.4.0 + 1.4.0 + 1.4.0 + 1.4.0 -- cgit v1.2.3 From d703b4201def4ea55bc865da87010972d13a434e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Oct 2017 13:18:11 +0200 Subject: enable mandates for eIDAS nodes --- .../moa/id/auth/AuthenticationServer.java | 94 ++-- .../AuthenticationBlockAssertionBuilder.java | 514 ++++++++------------- .../tasks/InitializeBKUAuthenticationTask.java | 9 +- .../internal/tasks/PrepareGetMISMandateTask.java | 10 +- .../CreateXMLSignatureResponseValidator.java | 491 ++++++++++---------- .../VerifyXMLSignatureResponseValidator.java | 2 +- .../moa/id/auth/validator/parep/ParepUtils.java | 23 +- .../eidas/tasks/GenerateAuthnRequestTask.java | 2 +- .../moa/id/protocols/eidas/EIDASProtocol.java | 2 +- .../elgamandates/tasks/RequestELGAMandateTask.java | 4 +- .../data/SSOTransferAuthenticationData.java | 17 +- .../data/SSOTransferOnlineApplication.java | 89 ++-- .../moa/id/protocols/saml1/GetArtifactAction.java | 7 +- .../protocols/saml1/SAML1AuthenticationServer.java | 50 +- .../moa/id/protocols/saml1/SAML1Protocol.java | 18 +- .../moa/id/monitoring/IdentityLinkTestModule.java | 3 +- 16 files changed, 607 insertions(+), 728 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 9294f3658..0a2371575 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.Logger; @@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer { Logger.debug("Non-SSO Login requested or SSO not allowed/possible"); //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( - oaParam.getBusinessService(), oaParam - .getIdentityLinkDomainIdentifier()); + oaParam.hasBaseIdInternalProcessingRestriction(), oaParam + .getAreaSpecificTargetIdentifier()); } @@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer { try { // sets the extended SAML attributes for OID (Organwalter) setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam - .getBusinessService()); + .hasBaseIdTransferRestriction()); - validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction()); } catch (SAXException e) { @@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { * @return <saml:Assertion> as a String * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. + * @throws ConfigurationException */ private String buildAuthenticationBlock(IAuthenticationSession session, - IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException { + IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException { IIdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); @@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer { String identificationValue = null; String identificationType = null; + String identificationTypeFriendlyName = null; //get processing data from pending-request String authURL = pendingReq.getAuthURL(); - String requestedTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( + + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); @@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer { if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) { identificationType = ""; identificationValue = ""; - + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - - String bpkBase64 = new BPKBuilder().buildWBPK(identityLink - .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); - identificationValue = bpkBase64; - - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = oaParam.getIdentityLinkDomainIdentifier(); - else - identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), requestedTarget); - identificationValue = bpkBase64; - identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget; + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) { + Logger.debug("Build AuthBlock bPK from SAML1 requested target"); + Pair calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = saml1RequestedFriendlyName; + + } else { + Pair calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } - } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } //set AuthBlock generation time to session - String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance()); + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()); session.setIssueInstant(issueInstant); - // Bug #485 - // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) - // String oaURL = session.getPublicOAURLPrefix(); - + //load extend attributes List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + //load special authblock text patterns for replacement + Map authBlockTextPatterns = AuthenticationBlockAssertionBuilder. + generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant); + String authBlock = null; if (pendingReq.needSingleSignOnFunctionality()) { String oaURL = pendingReq.getAuthURL(); @@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer { oaURL = oaURL.replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - + .buildAuthBlockSSO(issuer, issueInstant, authURL, + oaURL, gebDat, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } else { String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlock(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); + .buildAuthBlock(issuer, issueInstant, authURL, + identificationValue, + identificationType, + gebDat, + oaURL, + identificationTypeFriendlyName, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } @@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Value"); - String bpkBase64 = new BPKBuilder().buildBPK(baseid, target); + Pair targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target); + valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( - bpkBase64)); + targedId.getFirst())); Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Type"); typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index ecc91991e..80702795b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -28,7 +28,11 @@ import java.io.StringWriter; import java.text.MessageFormat; import java.text.SimpleDateFormat; import java.util.Calendar; +import java.util.HashMap; +import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; import javax.xml.bind.DatatypeConverter; import javax.xml.transform.Result; @@ -46,7 +50,9 @@ import org.w3c.dom.Node; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion public static final int NUM_OF_SAML_ATTRIBUTES = 5; public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4; + public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\""; + + public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#"; + public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#"; + public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#"; + public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#"; + + public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap"; + /** * Constructor for AuthenticationBlockAssertionBuilder. */ @@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion super(); } + public static Map generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) { + Map result = new HashMap(); + + //convert issueInstant + Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); + SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); + SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); + + //set default values + result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer); + result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat); + result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime())); + result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime())); + + //set other values from pendingReq if exists + Map processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class); + if (processSpecificElements != null && !processSpecificElements.isEmpty()) { + Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ..."); + Iterator mapIterator = processSpecificElements.entrySet().iterator(); + while (mapIterator.hasNext()) { + Object objEl = mapIterator.next(); + if (objEl instanceof Entry) { + try { + @SuppressWarnings("unchecked") + Entry el = (Entry) objEl; + Logger.trace(" Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue()); + if (result.containsKey(el.getKey())) + Logger.warn(" Can not add pattern: " + el.getKey() + " , because it already exists."); + else + result.put(el.getKey(), el.getValue()); + + } catch (Exception e) { + Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e); + + } + } + } + } + + return result; + } + + /** - * Builds the authentication block <saml:Assertion> - * - * @param issuer authentication block issuer; "GivenName FamilyName" - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe null if the application - * is a business application - * @param identityLinkValue the content of the <pr:Value> - * child element of the <pr:Identification> - * element derived from the Identitylink; this is the - * value of the wbPK; - * maybe null if the application is a public service - * @param identityLinkType the content of the <pr:Type> - * child element of the <pr:Identification> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe null if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. * - * @return String representation of authentication block - * <saml:Assertion> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. + * @param issuer + * @param issueInstant + * @param authURL + * @param sectorSpecificUniqueId + * @param sectorSpecificUniqueIdType + * @param gebDat + * @param oaURL + * @param spTargetAreaFriendlyName + * @param extendedSAMLAttributes + * @param session + * @param oaParam + * @return + * @throws BuildException + * @throws ConfigurationException */ public String buildAuthBlock( String issuer, String issueInstant, - String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, + String authURL, + String sectorSpecificUniqueId, + String sectorSpecificUniqueIdType, + String gebDat, + String oaURL, + String spTargetAreaFriendlyName, List extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + IOAAuthParameters oaParam, + Map specialAuthBlockTextPatterns) + throws BuildException, ConfigurationException { + + //initialize state + session.setSAMLAttributeGebeORwbpk(true); + String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY; + String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY; + + + if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK + + if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) { + //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator + publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType}); + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; - //adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + //adding type of wbPK domain identifier + ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = + new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); + extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } + } else { + // We do not have a wbPK, therefore no SAML-Attribute is provided + session.setSAMLAttributeGebeORwbpk(false); + + } + } else { + // OA is a govermental application + + //convert sector identifier into friendly name and add it to AuthBlock + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType); + if (StringUtils.isEmpty(sectorName)) { + if (spTargetAreaFriendlyName != null) + sectorName = spTargetAreaFriendlyName; + + } + publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, + new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" }); - } else { - // OA is a govermental application - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - - - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - - //no business service, adding bPK - if (identityLinkValue != null) { - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - // String s = xmlToString(bpkSamlValueElement); - // System.out.println("bpkSamlValueElement: " + s); - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(bpkAttribute); - } - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); - - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } - - - - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - } - - //adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); + //add bPK to AuthBlock if it is not empty + if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) { + Element bpkSamlValueElement; + try { + bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); + + } catch (Exception e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + + } + + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(bpkAttribute); + } + + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; + } + //check if mandates should be used + if (session.isMandateUsed()) { + + //generate mandate reference value + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } + + //adding friendly name of OA + String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + //generate special AuthBlock text + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + } + String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); + + //generate unique AuthBlock tokken + String uniquetokken = Random.nextProcessReferenceValue(); + session.setAuthBlockTokken(uniquetokken); String assertion; try { assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, + usedwbPKbPKNamespaceDeclaration, issuer, issueInstant, authURL, - gebeORwbpk, + publicSectorIdOrwbPK, oaURL, gebDat, specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); - } catch (ParseException e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - return assertion; - - } - - /** - * Builds the authentication block <saml:Assertion> - * - * @param issuer authentication block issuer; "GivenName FamilyName" - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe null if the application - * is a business application - * @param identityLinkValue the content of the <pr:Value> - * child element of the <pr:Identification> - * element derived from the Identitylink; this is the - * value of the wbPK; - * maybe null if the application is a public service - * @param identityLinkType the content of the <pr:Type> - * child element of the <pr:Identification> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe null if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. - * - * @return String representation of authentication block - * <saml:Assertion> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. - */ - public String buildAuthBlockForeignID( - String issuer, - String issueInstant, - String authURL, - String target, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, - List extendedSAMLAttributes, - IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - - //BZ.., adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - //..BZ - - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } - } else { - // OA is a govermental application - //BZ.. - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - //..BZ - - //BZ.., no business service, adding bPK - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(bpkAttribute); - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //..BZ - } - - //BZ.., adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //..BZ - - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); - - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); - - String assertion; - try { - assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, - issuer, - issueInstant, - authURL, - gebeORwbpk, - oaURL, - gebDat, - specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); } catch (ParseException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } return assertion; } - public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) { - Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); - SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); - SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); - - String text = inputtext.replaceAll("#NAME#", issuer); - text = text.replaceAll("#BIRTHDAY#", gebDat); - text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime())); - text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime())); - - return text; + public static String generateSpecialText(String inputtext, Map specialAuthBlockTextPatterns) { + Iterator> it = specialAuthBlockTextPatterns.entrySet().iterator(); + String text = inputtext; + while (it.hasNext()) { + Entry el = it.next(); + text = text.replaceAll(el.getKey(), el.getValue()); + + } + + return text; + } public static String xmlToString(Node node) { @@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String issuer, String issueInstant, String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, String oaURL, String gebDat, List extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + Map specialAuthBlockTextPatterns) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - - if (target != null) { - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); + + //add mandate reference-value if mandates are used + if (session.isMandateUsed()) { + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } + extendedSAMLAttributes.add(mandateReferenceValueAttribute); } + //adding friendly name of OA String friendlyname; try { - friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - - - String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); + friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); + + //generate special AuthBlock text + String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); if (MiscUtil.isEmpty(text)) text=""; String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); + //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); + String uniquetokken = Random.nextProcessReferenceValue(); session.setAuthBlockTokken(uniquetokken); - String assertion; - - assertion = MessageFormat.format( + String assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index 608f50200..88a235978 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { //get Target from config or from request in case of SAML 1 String target = null; - if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && + if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) && pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol")) - target = pendingReq.getGenericData("target", String.class); - else - target = oaParam.getTarget(); - + target = pendingReq.getGenericData("saml1_target", String.class); + + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java index 975dec429..d2fd4d1de 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java @@ -35,7 +35,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask { byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8"); //TODO: check in case of SSO!!! - String targetType = null; - if(oaParam.getBusinessService()){ - targetType = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } + String targetType = oaParam.getAreaSpecificTargetIdentifier(); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index a227ab5be..da96bfe54 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; @@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; @@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator { * @param session * @param pendingReq * @throws ValidateException + * @throws BuildException + * @throws ConfigurationException */ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq) - throws ValidateException { + throws ValidateException, BuildException, ConfigurationException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - String gbTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); String oaURL = oaParam.getPublicURLPrefix(); - boolean businessService = oaParam.getBusinessService(); - IIdentityLink identityLink = session.getIdentityLink(); + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); + + Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); + + //validate issuer String issuer = samlAssertion.getAttribute("Issuer"); if (issuer == null) { // should not happen, because parser would dedect this throw new ValidateException("validator.32", null); } // replace ' in name with ' - issuer = issuer.replaceAll("'", "'"); + issuer = issuer.replaceAll("'", "'"); + if (!issuer.equals(identityLink.getName())) + throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()}); + + //validate issuerInstant String issueInstant = samlAssertion.getAttribute("IssueInstant"); - if (!issueInstant.equals(session.getIssueInstant())) { - throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - } + if (!issueInstant.equals(session.getIssueInstant())) + throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - String name = identityLink.getName(); - if (!issuer.equals(name)) { - throw new ValidateException("validator.33", new Object[] {issuer, name}); - } - + //validate extended attributes SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); boolean foundOA = false; @@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator { boolean foundWBPK = false; int offset = 0; - // check number of SAML aatributes + // check number of SAML attributes List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); int extendedSAMLAttributesNum = 0; if (extendedSAMLAttributes != null) { - extendedSAMLAttributesNum = extendedSAMLAttributes.size(); + extendedSAMLAttributesNum = extendedSAMLAttributes.size(); } - int expectedSAMLAttributeNumber = - AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + + //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; + + //check number of attributes in AuthBlock response against expected number of attributes int actualSAMLAttributeNumber = samlAttributes.length; if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { - Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + - expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); - throw new ValidateException( - "validator.36", - new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + + expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); + throw new ValidateException("validator.36", + new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + } - SAMLAttribute samlAttribute; - if (session.getSAMLAttributeGebeORwbpk()) { - // check the first attribute ("Geschaeftsbereich" or "wbPK") - samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } - } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - gbTarget = gbTarget + " (" + sectorName + ")"; - //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")"; + //now check every single attribute + SAMLAttribute samlAttribute = null; + Pair userSectorId = null; + if (session.getSAMLAttributeGebeORwbpk()) { + //check the first attribute ("Geschaeftsbereich" or "wbPK") + samlAttribute = samlAttributes[0]; + + //calculate bPK or wbPK as reference value for validation + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + else + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + + //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix + // is internally handled as an AuthBlock with wbPK + if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (!samlAttribute.getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geschaeftsbereich")) { + throw new ValidateException("validator.26", null); + + } else { + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); + } + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlAttribute.getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(userSectorId.getFirst())) + throw new ValidateException("validator.28", null); - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } - } - } else { - offset--; - } + if (!type.equals(userSectorId.getSecond())) + throw new ValidateException("validator.28", null); + + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + + } else + throw new ValidateException("validator.30", null); + + } else { + if (!samlAttribute.getName().equals("Geschaeftsbereich")) { + if (samlAttribute.getName().equals("wbPK")) + throw new ValidateException("validator.26", null); + + else + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond()); + if (StringUtils.isEmpty(sectorName)) { + if (saml1RequestedFriendlyName != null) + sectorName = saml1RequestedFriendlyName; + else + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } + + String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; + if (!refValueSector.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.13", null); + + } else + throw new ValidateException("validator.12", null); + + } + + } else + //check nothing if wbPK or public SP target is not part of AuthBlock + offset--; + + // check the second attribute (must be "OA") + samlAttribute = samlAttributes[1 + offset]; + if (!samlAttribute.getName().equals("OA")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundOA = true; + if (!oaURL.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); + + } else + throw new ValidateException("validator.15", null); - // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1 + offset]; - if (!samlAttribute.getName().equals("OA")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundOA = true; - if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); - } - } else { - throw new ValidateException("validator.15", null); - } - // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2 + offset]; - if (!samlAttribute.getName().equals("Geburtsdatum")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlDateOfBirth = (String)samlAttribute.getValue(); - String dateOfBirth = identityLink.getDateOfBirth(); - if (!samlDateOfBirth.equals(dateOfBirth)) { - throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); - } - } else { - throw new ValidateException("validator.35", null); - } + // check the third attribute (must be "Geburtsdatum") + samlAttribute = samlAttributes[2 + offset]; + if (!samlAttribute.getName().equals("Geburtsdatum")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlDateOfBirth = (String)samlAttribute.getValue(); + String dateOfBirth = identityLink.getDateOfBirth(); + if (!samlDateOfBirth.equals(dateOfBirth)) + throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); + + } else + throw new ValidateException("validator.35", null); - // check four attribute could be a special text - samlAttribute = samlAttributes[3 + offset]; - if (!samlAttribute.getName().equals("SpecialText")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlSpecialText = (String)samlAttribute.getValue(); - samlSpecialText = samlSpecialText.replaceAll("'", "'"); + // check four attribute could be a special text + samlAttribute = samlAttributes[3 + offset]; + if (!samlAttribute.getName().equals("SpecialText")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } - } else { - throw new ValidateException("validator.35", null); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); + if (!samlSpecialText.equals(specialText)) + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + + } else + throw new ValidateException("validator.35", null); - } - - - //check unique AuthBlock tokken - samlAttribute = samlAttributes[4 + offset]; - if (!samlAttribute.getName().equals("UniqueTokken")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String uniquetokken = (String)samlAttribute.getValue(); + + //check unique AuthBlock tokken + samlAttribute = samlAttributes[4 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); - if (!uniquetokken.equals(session.getAuthBlockTokken())) { - throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); - } - } else { - throw new ValidateException("validator.35", null); - } - - - // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; - if (extendedSAMLAttributes != null) { - Iterator it = extendedSAMLAttributes.iterator(); - while (it.hasNext()) { - ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); - samlAttribute = samlAttributes[i]; - String actualName = samlAttribute.getName(); - String expectedName = extendedSAMLAttribute.getName(); - if (!actualName.equals(expectedName)) { - throw new ValidateException( - "validator.38", - new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); - } - String actualNamespace = samlAttribute.getNamespace(); - String expectedNamespace = extendedSAMLAttribute.getNameSpace(); - if (!actualNamespace.equals(expectedNamespace)) { - throw new ValidateException( - "validator.38", - new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); - } - Object expectedValue = extendedSAMLAttribute.getValue(); - Object actualValue = samlAttribute.getValue(); - try { - if (expectedValue instanceof String) { - // replace \r\n because text might be base64-encoded - String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); - expValue = StringUtils.replaceAll(expValue,"\n",""); - String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); - actValue = StringUtils.replaceAll(actValue,"\n",""); - if (!expValue.equals(actValue)) { - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); - } - } else if (expectedValue instanceof Element) { - // only check the name of the element - String actualElementName = ((Element)actualValue).getNodeName(); - String expectedElementName = ((Element)expectedValue).getNodeName(); - if (!(expectedElementName.equals(actualElementName))){ - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); - } - } else { - // should not happen - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); - } - } catch (ClassCastException e) { - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); - } - i++; - } - } - + if (!uniquetokken.equals(session.getAuthBlockTokken())) + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } else + throw new ValidateException("validator.35", null); - if (!foundOA) throw new ValidateException("validator.14", null); - if (businessService) { - if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); - } else { - if (!foundGB) throw new ValidateException("validator.11", null); - } + + // now check the extended SAML attributes + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; + if (extendedSAMLAttributes != null) { + Iterator it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + samlAttribute = samlAttributes[i]; + String actualName = samlAttribute.getName(); + String expectedName = extendedSAMLAttribute.getName(); + if (!actualName.equals(expectedName)) + throw new ValidateException("validator.38", + new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); + + String actualNamespace = samlAttribute.getNamespace(); + String expectedNamespace = extendedSAMLAttribute.getNameSpace(); + if (!actualNamespace.equals(expectedNamespace)) + throw new ValidateException("validator.38", + new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); + + Object expectedValue = extendedSAMLAttribute.getValue(); + Object actualValue = samlAttribute.getValue(); + try { + if (expectedValue instanceof String) { + // replace \r\n because text might be base64-encoded + String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); + expValue = StringUtils.replaceAll(expValue,"\n",""); + String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); + actValue = StringUtils.replaceAll(actValue,"\n",""); + if (!expValue.equals(actValue)) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); + + } else if (expectedValue instanceof Element) { + // only check the name of the element + String actualElementName = ((Element)actualValue).getNodeName(); + String expectedElementName = ((Element)expectedValue).getNodeName(); + if (!(expectedElementName.equals(actualElementName))) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); + + } else + // should not happen + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); + + } catch (ClassCastException e) { + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); + } + + i++; + } + } + + if (!foundOA) + throw new ValidateException("validator.14", null); + + if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) + throw new ValidateException("validator.31", null); + + } else { + if (!foundGB) + throw new ValidateException("validator.11", null); + } - //Check if dsig:Signature exists -// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); -// if (nl.getLength() != 1) { -// throw new ValidateException("validator.05", null); -// } - Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); - if (dsigSignature == null) { - throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; - } + //Check if dsig:Signature exists + Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); + if (dsigSignature == null) + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } /** @@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator { try { if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) { text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); - Logger.info("Use addional AuthBlock Text from SSO=" +text); + Logger.debug("Use addional AuthBlock Text from SSO=" +text); } else @@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 4953dad02..c4ea80df9 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator { // to be ignored boolean ignoreManifestValidationResult = false; if (whatToCheck.equals(CHECK_IDENTITY_LINK)) - ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true + ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true : false; if (ignoreManifestValidationResult) { diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 55562176d..09c64c267 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -66,10 +66,10 @@ import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; @@ -688,7 +688,7 @@ public class ParepUtils { * false calculates (w)bPKs and changes also the pr:Identifivation/pr:Type elements. * @return The element where Stammzahlen are hidden. */ - public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank) + public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank) throws BuildException { try { if (hideElement != null) { @@ -706,20 +706,11 @@ public class ParepUtils { } if (blank) { idValueNode.setNodeValue(""); - } else { - String idValue = idValueNode.getNodeValue(); - if (businessApplication) { - // wbPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID); - String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID); - idValueNode.setNodeValue(bpkBase64); - - } else { - // bPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK); - String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target); - idValueNode.setNodeValue(bpkBase64); - } + + } else { + Pair calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId); + idValueNode.setNodeValue(calcId.getFirst()); + } } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index c55b5a749..154006ed8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); //set correct SPType for this online application - if (oaConfig.getBusinessService()) + if (oaConfig.hasBaseIdTransferRestriction()) authnRequestBuilder.spType(SpType.PRIVATE.getValue()); else authnRequestBuilder.spType(SpType.PUBLIC.getValue()); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 4b67370d6..1ce900ebb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -270,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { //validate request country-code against eIDAS node config String reqCC = samlReq.getOriginCountryCode(); - String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier(); + String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier(); //validate eIDAS target Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index d65d74c3f..299eb442e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; @@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { String sourcePinType = moasession.getIdentityLink().getIdentificationType(); String sourcePinValue = moasession.getIdentityLink().getIdentificationValue(); if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) { - representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget); + Pair userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget); + representativeBPK = userId.getFirst(); } else { Logger.debug("No 'SourcePin' found for representative. " diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index 2f6a54027..4ce77d861 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -74,14 +74,6 @@ public class SSOTransferAuthenticationData implements IAuthData { return null; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() - */ - @Override - public boolean isBusinessService() { - return this.isIDPPrivateService; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession() */ @@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData { return this.authSession.getGenericDataFromSession(key, clazz); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication() + */ + @Override + public boolean isBaseIDTransferRestrication() { + return this.isIDPPrivateService; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java index 3affa17b3..c2132c1f9 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { public SSOTransferOnlineApplication() { } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return false; - } - + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() */ @@ -106,33 +99,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return null; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() - */ - @Override - public String getTarget() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() - */ - @Override - public String getTargetFriendlyName() { - // TODO Auto-generated method stub - return null; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() */ @@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() - */ - @Override - public String getIdentityLinkDomainIdentifier() { - // TODO Auto-generated method stub - return null; - } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() @@ -225,15 +183,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return null; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() - */ - @Override - public String getIdentityLinkDomainIdentifierType() { - // TODO Auto-generated method stub - return null; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() */ @@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() + */ + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() + */ + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index d3ebffdfd..9981e8156 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @Service("SAML1_GetArtifactAction") @@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction { String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); + String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class); + if (authData.isSsoSession()) { String url = req.getAuthURL() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); - if (!oaParam.getBusinessService()) + if (MiscUtil.isNotEmpty(oaTargetArea)) url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); @@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction { } else { String redirectURL = oaURL; - if (!oaParam.getBusinessService()) { + if (MiscUtil.isNotEmpty(oaTargetArea)) { redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index df8f13544..bf4a55e46 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.Random; @@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() - || oaParam.getBusinessService(); + || oaParam.hasBaseIdTransferRestriction(); String prPerson = ""; String ilAssertion = ""; @@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { id.setValue(value ); if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && - saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) { + saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) { //add baseID if it is requested and available and SP is publicService value.setValue(authData.getIdentificationValue()); id.setType(authData.getIdentificationType()); @@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - authData.getMISMandate(), oaParam.getBusinessService(), + authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(), saml1parameter.isProvideStammzahl()); if (extendedSAMLAttributes != null) { @@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), oaAttributes, useCondition, conditionLength); @@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), authData.getExtendedSAMLAttributesOA(), useCondition, conditionLength); @@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { prPerson = ParepUtils.extractPrPersonOfMandate(mandate); if (physical - && oaParam.getBusinessService() + && oaParam.hasBaseIdTransferRestriction() && identificationType != null && Constants.URN_PREFIX_BASEID .equals(identificationType)) { // now we calculate the wbPK and do so if we got it from the // BKU - - //load IdentityLinkDomainType from OAParam - String type = oaParam.getIdentityLinkDomainIdentifier(); - if (type.startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = type; - else - identificationType = Constants.URN_PREFIX_WBPK + "+" - + type; - - - identificationValue = new BPKBuilder().buildWBPK( - identificationValue, identificationType); - ParepUtils - .HideStammZahlen(prPerson, true, null, null, true); + //load IdentityLinkDomainType from OAParam + Pair targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identificationValue, oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = targedId.getFirst(); + identificationType = targedId.getSecond(); + + ParepUtils.HideStammZahlen(prPerson, true, null, true); } } @@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl(); - String oatargetType; - if(oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - oatargetType = oaParam.getIdentityLinkDomainIdentifier(); - else - oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } - + String oatargetType = oaParam.getAreaSpecificTargetIdentifier(); Element prIdentification = (Element) prPerson. getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0); @@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { String baseid = getBaseId(prPerson); Element identificationBpK; if (MiscUtil.isNotEmpty(baseid)) { - identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget()); + identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType); if (!provideStammzahl) { prIdentification.getFirstChild().setTextContent(""); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 37d66d29b..19fadb318 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; @@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { //preProcess SAML1 Request preProcess(req, resp, pendingReq); - + performAuthentication(req, resp, pendingReq); return; @@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { if (MiscUtil.isNotEmpty(target)) { pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target); - pendingRequest.setTarget(target); + pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target); + + } else { + String targetArea = oaParam.getAreaSpecificTargetIdentifier(); + pendingRequest.setTarget(targetArea); + + if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, + targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length())); - } - else { - pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget()); - pendingRequest.setTarget(oaParam.getTarget()); } + //AuthnRequest needs authentication pendingRequest.setNeedAuthentication(true); diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index 6372fefa8..a56be1f46 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface { domVerifyXMLSignatureResponse).parseData(); DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters(); - oaParam.setBusinessService(true); + oaParam.setHasBaseIdProcessingRestriction(true); + oaParam.setHasBaseIdTransfergRestriction(true); VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, -- cgit v1.2.3 From 154338abc9ba998bf589b9ab12882ddffa78cf53 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Oct 2017 15:00:25 +0200 Subject: enforce eiDAS legal-person MDS if citizen uses mandates and no legal-person attributes are requested --- .../eidas/eIDASAuthenticationRequest.java | 63 +++++++++++++++------- 1 file changed, 44 insertions(+), 19 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index d0cda38c7..b91bbde9e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction { @Autowired protected MOAReversionLogger revisionsLogger; @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + + @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { EIDASData eidasRequest; @@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction { //gather attributes ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes(); ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder(); - - //generate eIDAS attributes - for(AttributeDefinition attr : reqAttributeList.getDefinitions()) { - Pair, ImmutableSet>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( - attr, req.getOnlineApplicationConfiguration(), authData); - - if(eIDASAttr == null) { - if (attr.isRequired()) { - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); - throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); - - } else - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); - } else { - //add attribute to Map - attrMapBuilder.put( - (AttributeDefinition)eIDASAttr.getFirst(), - (ImmutableSet)eIDASAttr.getSecond()); + //generate eIDAS attributes + for(AttributeDefinition attr : reqAttributeList.getDefinitions()) + buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData); + + + //Check if Mandate attributes are requested if mandates was used + if (authData.isUseMandate()) { + if (reqAttributeList.getDefinitionByNameUri( + eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) { + Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'"); + buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData); + + } + + if (reqAttributeList.getDefinitionByNameUri( + eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) { + Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_NAME'"); + buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData); } } + //build final attibute set + ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build(); + // construct eIDaS response AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder(); @@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction { responseBuilder.levelOfAssurance(authData.getEIDASQAALevel()); //add attributes - responseBuilder.attributes(attrMapBuilder.build()); + responseBuilder.attributes(eIDASAttrbutMap); //set success statuscode responseBuilder.statusCode(StatusCode.SUCCESS_URI); @@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction { return "eIDAS_AuthnRequest"; } + private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition attr, IRequest req, IAuthData authData) throws MOAIDException { + Pair, ImmutableSet>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( + attr, req.getOnlineApplicationConfiguration(), authData); + + if(eIDASAttr == null) { + if (attr.isRequired()) { + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); + throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); + + } else + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); + + } else { + //add attribute to Map + attrMapBuilder.put( + (AttributeDefinition)eIDASAttr.getFirst(), + (ImmutableSet)eIDASAttr.getSecond()); + + } + } -- cgit v1.2.3 From 062c5152361eca0f8a468d66c04de2f7ab46cbd3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 17 Oct 2017 15:03:50 +0200 Subject: update default config --- .../src/test/java/at/gv/egiz/tests/Tests.java | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java index fe859c7bc..8ca087e1d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java @@ -232,6 +232,14 @@ public class Tests { */ public static void main(String[] args) { + String org_resp = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8+PGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwycDpTdGF0dXM+PHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM+PHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU+TWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI+PHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+RHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+bW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+WndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+"; + String org_req = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8%2BPGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BcVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM%2BPHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU%2BTWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U%2BaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI%2BPHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ%2BPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BPC9zYW1sMjpBdXRobkNvbnRleHQ%2BPC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BRHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BbW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BWndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMjwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sMjpBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B"; + String req = java.net.URLEncoder.encode(org_resp); + + System.out.println(org_resp); + System.out.println(req); + System.out.println(org_req); + /* * Test verifyable random functions with RSA -- cgit v1.2.3