From 7cba2dfc31076ac4ec9f4a46bc4901e7dd082121 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Nov 2017 12:43:57 +0100 Subject: add eIDAS request validation regarding minimum data-set and SPType --- .../moa/id/auth/modules/eidas/Constants.java | 18 +++++++++ .../moa/id/protocols/eidas/EIDASProtocol.java | 47 +++++++++++++++------- 2 files changed, 51 insertions(+), 14 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index d975b6e0a..74cf665ca 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -22,10 +22,17 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas; +import java.net.URI; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + import org.apache.xml.security.signature.XMLSignature; import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.signature.SignatureConstants; +import at.gv.egovernment.moa.id.data.Trible; + /** * @author tlenz * @@ -119,4 +126,15 @@ public class Constants { EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128 + ";" + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256; + public static final List NATURALPERSONMINIMUMDATASETLIST = Collections.unmodifiableList(new ArrayList() { + private static final long serialVersionUID = 1L; + { + add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME.getNameUri()); + add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME.getNameUri()); + add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.DATE_OF_BIRTH.getNameUri()); + add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri()); + } + }); + + } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 1ce900ebb..8fb81082f 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.eidas; import java.io.IOException; import java.io.StringWriter; +import java.net.URI; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -62,6 +63,7 @@ import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EidasStringUtil; +import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.protocol.IAuthenticationRequest; import eu.eidas.auth.commons.protocol.IResponseMessage; import eu.eidas.auth.commons.protocol.eidas.IEidasAuthenticationRequest; @@ -302,7 +304,37 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } - + //validate service-provider type from eIDAS request + String spType = null; + if (eIDASSamlReq.getSpType() != null) + spType = eIDASSamlReq.getSpType(); + + if (MiscUtil.isEmpty(spType)) + spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc); + + if (MiscUtil.isNotEmpty(spType)) + Logger.debug("eIDAS request has SPType:" + spType); + else { + Logger.warn("eIDAS request and eIDAS metadata contains NO 'SPType' element."); + throw new EIDASAuthnRequestProcessingException("eIDAS.06", + new Object[]{"eIDAS request and eIDAS metadata contains NO 'SPType' element."}); + + } + + //validate if minimal data-set if it is not fully requested + //TODO: must be tested!!!! + ImmutableAttributeMap reqAttrList = eIDASSamlReq.getRequestedAttributes(); + for (URI el : Constants.NATURALPERSONMINIMUMDATASETLIST) { + if(reqAttrList.getAttributeValuesByNameUri(el) == null) { + Logger.warn("Minimum data-set attribute: " + el + " is not requested."); + throw new EIDASAuthnRequestProcessingException("eIDAS.06", + new Object[]{"eIDAS request does not contain all attributes of minimum data-set for natural person"}); + + } + } + + + //************************************************* //***** store eIDAS request information ********* //************************************************* @@ -335,19 +367,6 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { // - memorize OA config pendingReq.setOnlineApplicationConfiguration(oaConfig); - - // - memorize service-provider type from eIDAS request - String spType = null; - if (eIDASSamlReq.getSpType() != null) - spType = eIDASSamlReq.getSpType(); - - if (MiscUtil.isEmpty(spType)) - spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc); - - if (MiscUtil.isNotEmpty(spType)) - Logger.debug("eIDAS request has SPType:" + spType); - else - Logger.info("eIDAS request and eIDAS metadata contains NO 'SPType' element."); } catch (MOAIDException e) { Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage()); -- cgit v1.2.3 From cc09b52b5cb1c93543d8b4353dfc59b8192e79af Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Sun, 26 Nov 2017 21:04:51 +0100 Subject: add String escaping on same methods --- .../moa/id/auth/validator/parep/ParepUtils.java | 36 +++++++++++----------- .../oauth20/protocol/OAuth20AuthAction.java | 2 +- .../ssotransfer/servlet/SSOTransferServlet.java | 7 ++--- 3 files changed, 22 insertions(+), 23 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 09c64c267..7bb07df74 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -94,24 +94,24 @@ public class ParepUtils { return str == null || "".equals(str); } - /** - * Reads a XML document from an input stream (namespace-aware). - * - * @param is - * the input stream to read from. - * @return the read XML document. - * @throws SZRGWClientException - * if an error occurs reading the document from the input stream. - */ - public static Document readDocFromIs(InputStream is) throws SZRGWClientException { - try { - DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(); - f.setNamespaceAware(true); - return f.newDocumentBuilder().parse(is); - } catch (Exception e) { - throw new SZRGWClientException(e); - } - } +// /** +// * Reads a XML document from an input stream (namespace-aware). +// * +// * @param is +// * the input stream to read from. +// * @return the read XML document. +// * @throws SZRGWClientException +// * if an error occurs reading the document from the input stream. +// */ +// public static Document readDocFromIs(InputStream is) throws SZRGWClientException { +// try { +// DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(); +// f.setNamespaceAware(true); +// return f.newDocumentBuilder().parse(is); +// } catch (Exception e) { +// throw new SZRGWClientException(e); +// } +// } // /* // * diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index b2522ea33..b7c54203f 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -71,7 +71,7 @@ class OAuth20AuthAction implements IAction { revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST); - String code = Random.nextRandom(); + String code = Random.nextHexRandom32(); try { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index 7d1bfd7b9..a37beac70 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -50,6 +50,7 @@ import javax.security.cert.X509Certificate; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.Extension; @@ -186,7 +187,7 @@ public class SSOTransferServlet{ Logger.debug("Receive " + this.getClass().getName() + " request"); Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); if (tokenObj != null && tokenObj instanceof String) { - String token = (String)tokenObj; + String token = StringEscapeUtils.escapeHtml((String)tokenObj); try { Logger.debug("Load token:" + token + " from storage."); SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000); @@ -285,7 +286,7 @@ public class SSOTransferServlet{ Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); if (tokenObj != null && tokenObj instanceof String) { - String token = (String)tokenObj; + String token = StringEscapeUtils.escapeHtml((String)tokenObj); try { SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut); if (container != null) { @@ -402,8 +403,6 @@ public class SSOTransferServlet{ null); if (ssomanager.isValidSSOSession(ssoid, null)) { - //Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR); - //create first step of SSO Transfer GUI IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid); -- cgit v1.2.3