From d43f23a470adbdde847233af0b6b71714368afa5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 7 Jul 2020 15:29:48 +0200 Subject: switch to next snapshot version --- id/server/auth-edu/pom.xml | 2 +- id/server/auth-final/pom.xml | 2 +- id/server/idserverlib/pom.xml | 2 +- id/server/moa-id-commons/pom.xml | 2 +- id/server/moa-id-frontend-resources/pom.xml | 2 +- id/server/moa-id-jaxb_classes/pom.xml | 2 +- id/server/moa-id-spring-initializer/pom.xml | 2 +- id/server/modules/moa-id-modul-citizencard_authentication/pom.xml | 2 +- id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml | 2 +- id/server/modules/moa-id-module-E-ID_connector/pom.xml | 2 +- id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml | 2 +- id/server/modules/moa-id-module-eIDAS/pom.xml | 2 +- id/server/modules/moa-id-module-elga_mandate_service/pom.xml | 2 +- id/server/modules/moa-id-module-openID/pom.xml | 2 +- id/server/modules/moa-id-module-sl20_authentication/pom.xml | 2 +- id/server/modules/moa-id-module-ssoTransfer/pom.xml | 2 +- id/server/modules/moa-id-modules-federated_authentication/pom.xml | 2 +- id/server/modules/moa-id-modules-saml1/pom.xml | 2 +- id/server/modules/module-monitoring/pom.xml | 2 +- id/server/modules/pom.xml | 2 +- id/server/pom.xml | 2 +- 21 files changed, 21 insertions(+), 21 deletions(-) (limited to 'id/server') diff --git a/id/server/auth-edu/pom.xml b/id/server/auth-edu/pom.xml index f346c17f8..d4a92dfa6 100644 --- a/id/server/auth-edu/pom.xml +++ b/id/server/auth-edu/pom.xml @@ -2,7 +2,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT 4.0.0 diff --git a/id/server/auth-final/pom.xml b/id/server/auth-final/pom.xml index 2bd934688..14f0a68b4 100644 --- a/id/server/auth-final/pom.xml +++ b/id/server/auth-final/pom.xml @@ -2,7 +2,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT 4.0.0 diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index 75a2be499..e40bc9217 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -4,7 +4,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT MOA.id.server diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index f1f6edfe9..ee2c61fd1 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -4,7 +4,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT moa-id-commons moa-id-commons diff --git a/id/server/moa-id-frontend-resources/pom.xml b/id/server/moa-id-frontend-resources/pom.xml index 87f9cbed7..bd27a49c1 100644 --- a/id/server/moa-id-frontend-resources/pom.xml +++ b/id/server/moa-id-frontend-resources/pom.xml @@ -3,7 +3,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT MOA.id.server diff --git a/id/server/moa-id-jaxb_classes/pom.xml b/id/server/moa-id-jaxb_classes/pom.xml index 30f1bc5d4..009bbc948 100644 --- a/id/server/moa-id-jaxb_classes/pom.xml +++ b/id/server/moa-id-jaxb_classes/pom.xml @@ -3,7 +3,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT MOA.id.server moa-id-jaxb_classes diff --git a/id/server/moa-id-spring-initializer/pom.xml b/id/server/moa-id-spring-initializer/pom.xml index 8912ae83b..c2f67d9ad 100644 --- a/id/server/moa-id-spring-initializer/pom.xml +++ b/id/server/moa-id-spring-initializer/pom.xml @@ -3,7 +3,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT MOA.id.server diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml b/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml index 2eecc391a..9e943055b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml +++ b/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-modul-citizencard_authentication diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml index 27acb2223..fb5e5b288 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml @@ -5,7 +5,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-AT_eIDAS_connector moa-id-module-AT_eIDAS_connector diff --git a/id/server/modules/moa-id-module-E-ID_connector/pom.xml b/id/server/modules/moa-id-module-E-ID_connector/pom.xml index ac73237ae..8e6a3a2c1 100644 --- a/id/server/modules/moa-id-module-E-ID_connector/pom.xml +++ b/id/server/modules/moa-id-module-E-ID_connector/pom.xml @@ -5,7 +5,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-EID_connector moa-id-module-E-ID_connector diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml index bd2eafa4d..1b638bb15 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-bkaMobilaAuthSAML2Test BKA MobileAuth Test for SAML2 applications diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index f3f352c93..254d0e2bd 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-eIDAS MOA-ID eIDAS Module diff --git a/id/server/modules/moa-id-module-elga_mandate_service/pom.xml b/id/server/modules/moa-id-module-elga_mandate_service/pom.xml index 91c50e60b..541d16788 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/pom.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-elga_mandate_service ${moa-id-module-elga_mandate_client} diff --git a/id/server/modules/moa-id-module-openID/pom.xml b/id/server/modules/moa-id-module-openID/pom.xml index a24876a80..9a6bba67c 100644 --- a/id/server/modules/moa-id-module-openID/pom.xml +++ b/id/server/modules/moa-id-module-openID/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-openID diff --git a/id/server/modules/moa-id-module-sl20_authentication/pom.xml b/id/server/modules/moa-id-module-sl20_authentication/pom.xml index cfb4bad4f..1af870e48 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/pom.xml +++ b/id/server/modules/moa-id-module-sl20_authentication/pom.xml @@ -5,7 +5,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-sl20_authentication moa-id-module-sl20_authentication diff --git a/id/server/modules/moa-id-module-ssoTransfer/pom.xml b/id/server/modules/moa-id-module-ssoTransfer/pom.xml index 88a197ab4..6a5c13cdc 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/pom.xml +++ b/id/server/modules/moa-id-module-ssoTransfer/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-ssoTransfer MOA-ID_SSO_Transfer_modul diff --git a/id/server/modules/moa-id-modules-federated_authentication/pom.xml b/id/server/modules/moa-id-modules-federated_authentication/pom.xml index 0a570f99f..8103f0012 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/pom.xml +++ b/id/server/modules/moa-id-modules-federated_authentication/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-modules-federated_authentication PVP2 ServiceProvider implementation for federated authentication diff --git a/id/server/modules/moa-id-modules-saml1/pom.xml b/id/server/modules/moa-id-modules-saml1/pom.xml index 33aeeee20..59b3b1254 100644 --- a/id/server/modules/moa-id-modules-saml1/pom.xml +++ b/id/server/modules/moa-id-modules-saml1/pom.xml @@ -3,7 +3,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-saml1 diff --git a/id/server/modules/module-monitoring/pom.xml b/id/server/modules/module-monitoring/pom.xml index 4034dbec6..2874f369e 100644 --- a/id/server/modules/module-monitoring/pom.xml +++ b/id/server/modules/module-monitoring/pom.xml @@ -5,7 +5,7 @@ MOA.id.server.modules moa-id-modules - 4.1.2 + 4.1.3-SNAPSHOT moa-id-module-monitoring diff --git a/id/server/modules/pom.xml b/id/server/modules/pom.xml index f1fd94344..a807d2e4b 100644 --- a/id/server/modules/pom.xml +++ b/id/server/modules/pom.xml @@ -5,7 +5,7 @@ MOA.id moa-id - 4.1.2 + 4.1.3-SNAPSHOT MOA.id.server.modules diff --git a/id/server/pom.xml b/id/server/pom.xml index 330b626bb..243d271aa 100644 --- a/id/server/pom.xml +++ b/id/server/pom.xml @@ -4,7 +4,7 @@ MOA id - 4.1.2 + 4.1.3-SNAPSHOT 4.0.0 -- cgit v1.2.3 From 3f860acc984e8bca756919d7025adfee4d5adf50 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 10 Jul 2020 08:59:18 +0200 Subject: add new trusted SSL certificates for OVS client remove Terena_SSL_EV_CA3 because it will be revoked on July 11, 2020 --- ...SA_CA_USERTrust_RSA_Certification_Authority.pem | 39 ++++++++++++++++++++++ ...e CA 3 (DigiCert High Assurance EV Root CA).crt | 29 ---------------- ...fication_Authority_AAA_Certificate_Services.pem | 32 ++++++++++++++++++ ...SA_CA_USERTrust_RSA_Certification_Authority.pem | 39 ++++++++++++++++++++++ ...fication_Authority_AAA_Certificate_Services.pem | 32 ++++++++++++++++++ 5 files changed, 142 insertions(+), 29 deletions(-) create mode 100644 id/server/data/deploy/conf/moa-id/certs/ca-certs/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem delete mode 100644 id/server/data/deploy/conf/moa-id/certs/ca-certs/TERENA SSL High Assurance CA 3 (DigiCert High Assurance EV Root CA).crt create mode 100644 id/server/data/deploy/conf/moa-id/certs/ca-certs/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem create mode 100644 id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem create mode 100644 id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem (limited to 'id/server') diff --git a/id/server/data/deploy/conf/moa-id/certs/ca-certs/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem b/id/server/data/deploy/conf/moa-id/certs/ca-certs/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem new file mode 100644 index 000000000..43cf98983 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/certs/ca-certs/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem @@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIG5TCCBM2gAwIBAgIRANpDvROb0li7TdYcrMTz2+AwDQYJKoZIhvcNAQEMBQAw +gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK +ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD +VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIw +MDIxODAwMDAwMFoXDTMzMDUwMTIzNTk1OVowRDELMAkGA1UEBhMCTkwxGTAXBgNV +BAoTEEdFQU5UIFZlcmVuaWdpbmcxGjAYBgNVBAMTEUdFQU5UIE9WIFJTQSBDQSA0 +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApYhi1aEiPsg9ZKRMAw9Q +r8Mthsr6R20VSfFeh7TgwtLQi6RSRLOh4or4EMG/1th8lijv7xnBMVZkTysFiPmT +PiLOfvz+QwO1NwjvgY+Jrs7fSoVA/TQkXzcxu4Tl3WHi+qJmKLJVu/JOuHud6mOp +LWkIbhODSzOxANJ24IGPx9h4OXDyy6/342eE6UPXCtJ8AzeumTG6Dfv5KVx24lCF +TGUzHUB+j+g0lSKg/Sf1OzgCajJV9enmZ/84ydh48wPp6vbWf1H0O3Rd3LhpMSVn +TqFTLKZSbQeLcx/l9DOKZfBCC9ghWxsgTqW9gQ7v3T3aIfSaVC9rnwVxO0VjmDdP +FNbdoxnh0zYwf45nV1QQgpRwZJ93yWedhp4ch1a6Ajwqs+wv4mZzmBSjovtV0mKw +d+CQbSToalEUP4QeJq4Udz5WNmNMI4OYP6cgrnlJ50aa0DZPlJqrKQPGL69KQQz1 +2WgxvhCuVU70y6ZWAPopBa1ykbsttpLxADZre5cH573lIuLHdjx7NjpYIXRx2+QJ +URnX2qx37eZIxYXz8ggM+wXH6RDbU3V2o5DP67hXPHSAbA+p0orjAocpk2osxHKo +NSE3LCjNx8WVdxnXvuQ28tKdaK69knfm3bB7xpdfsNNTPH9ElcjscWZxpeZ5Iij8 +lyrCG1z0vSWtSBsgSnUyG/sCAwEAAaOCAYswggGHMB8GA1UdIwQYMBaAFFN5v1qq +K0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBRvHTVJEGwy+lmgnryK6B+VvnF6DDAO +BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwOAYDVR0gBDEwLzAtBgRVHSAAMCUwIwYIKwYBBQUH +AgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFAGA1UdHwRJMEcwRaBDoEGGP2h0 +dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9u +QXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6 +Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAl +BggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0B +AQwFAAOCAgEAUtlC3e0xj/1BMfPhdQhUXeLjb0xp8UE28kzWE5xDzGKbfGgnrT2R +lw5gLIx+/cNVrad//+MrpTppMlxq59AsXYZW3xRasrvkjGfNR3vt/1RAl8iI31lG +hIg6dfIX5N4esLkrQeN8HiyHKH6khm4966IkVVtnxz5CgUPqEYn4eQ+4eeESrWBh +AqXaiv7HRvpsdwLYekAhnrlGpioZ/CJIT2PTTxf+GHM6cuUnNqdUzfvrQgA8kt1/ +ASXx2od/M+c8nlJqrGz29lrJveJOSEMX0c/ts02WhsfMhkYa6XujUZLmvR1Eq08r +48/EZ4l+t5L4wt0DV8VaPbsEBF1EOFpz/YS2H6mSwcFaNJbnYqqJHIvm3PLJHkFm +EoLXRVrQXdCT+3wgBfgU6heCV5CYBz/YkrdWES7tiiT8sVUDqXmVlTsbiRNiyLs2 +bmEWWFUl76jViIJog5fongEqN3jLIGTG/mXrJT1UyymIcobnIGrbwwRVz/mpFQo0 +vBYIi1k2ThVh0Dx88BbF9YiP84dd8Fkn5wbE6FxXYJ287qfRTgmhePecPc73Yrzt +apdRcsKVGkOpaTIJP/l+lAHRLZxk/dUtyN95G++bOSQqnOCpVPabUGl2E/OEyFrp +Ipwgu2L/WJclvd6g+ZA/iWkLSMcpnFb+uX6QBqvD6+RNxul1FaB5iHY= +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-id/certs/ca-certs/TERENA SSL High Assurance CA 3 (DigiCert High Assurance EV Root CA).crt b/id/server/data/deploy/conf/moa-id/certs/ca-certs/TERENA SSL High Assurance CA 3 (DigiCert High Assurance EV Root CA).crt deleted file mode 100644 index ebdf72d7f..000000000 --- a/id/server/data/deploy/conf/moa-id/certs/ca-certs/TERENA SSL High Assurance CA 3 (DigiCert High Assurance EV Root CA).crt +++ /dev/null @@ -1,29 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE4DCCA8igAwIBAgIQC1w0NWdbJGfA1zI3+Q1flDANBgkqhkiG9w0BAQsFADBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j -ZSBFViBSb290IENBMB4XDTE0MTExODEyMDAwMFoXDTI0MTExODEyMDAwMFowczEL -MAkGA1UEBhMCTkwxFjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFt -c3RlcmRhbTEPMA0GA1UEChMGVEVSRU5BMScwJQYDVQQDEx5URVJFTkEgU1NMIEhp -Z2ggQXNzdXJhbmNlIENBIDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQChNsmK4gfxr6c9j2OMBRo3gOA7z5keoaPHiX4rUX+1fF1Brmvf7Uo83sRiXRYQ -RJrD79hzJrulDtdihxgS5HgvIQHqGrp3NRRDUlq/4bItLTp9QCHzLhRQSrSYaFkI -zztYezwb3ABzNiVciqQFk7WR9ebh9ZaCxaXfebcg7LodgQQ4XDvkW2Aknkb1J8NV -nlbKen6PLlNSL4+MLV+uF1e87aTgOxbM9sxZ1/1LRqrOu28z9WA8qUZn2Av+hcP2 -TQIBoMPMQ8dT+6Yx/0Y+2J702OU//dS0pi8gMe7FtYVcZrlcSy/C40I7EFYHEjTm -zH4EGvG6t9wZua2atFKvP/7HAgMBAAGjggF1MIIBcTASBgNVHRMBAf8ECDAGAQH/ -AgEAMA4GA1UdDwEB/wQEAwIBhjB/BggrBgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGG -GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcwAoY9aHR0cDovL2Nh -Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENB -LmNydDBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v -RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE -VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT -MB0GA1UdDgQWBBTCuIXX4bkTvdFIvP1e3H2QQnqKqTAfBgNVHSMEGDAWgBSxPsNp -A/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAsCq7NTey6NjZHqT4 -kjZBNU3sItnD+RYAMWx4ZyaELcy7XhndQzX88TYSCYxl/YWB6lCjxx0dL3wTZUbX -r+WRDzz5xX+98kdYrwNCT7fmT4eenv6cCS1sC9hc4sIl5dkb1pguY3ViV5D8/yEB -hadOpw3TwI8xkqe2j/H5fp4Oaf9cFdpf9C85mQgZJwsvtvmmDTQTPcGPRFTgdGtY -2xbWxDah6HjKpX6iI4BTBQhhpX6TJl6/GEaYK07s2Kr8BFPhrgmep9vrepWv61x7 -dnnqz5SeAs6cbSm551qG7Dj8+6f/8e33oqLC5Ldnbt0Ou6PjtZ4O02dN9cnicemR -1B0/YQ== ------END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-id/certs/ca-certs/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem b/id/server/data/deploy/conf/moa-id/certs/ca-certs/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem new file mode 100644 index 000000000..cc2d08bdd --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/certs/ca-certs/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5 +MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO +ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI +s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG +vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ +Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb +IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0 +tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E +xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV +icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5 +D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ +WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ +5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG +KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg +EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID +ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG +BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t +L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA +A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+ +rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+ +/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA +CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F +zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA +vGp4z7h/jnZymQyd/teRCBaho1+V +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem new file mode 100644 index 000000000..43cf98983 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/GEANT_OV_RSA_CA_USERTrust_RSA_Certification_Authority.pem @@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIG5TCCBM2gAwIBAgIRANpDvROb0li7TdYcrMTz2+AwDQYJKoZIhvcNAQEMBQAw +gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK +ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD +VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIw +MDIxODAwMDAwMFoXDTMzMDUwMTIzNTk1OVowRDELMAkGA1UEBhMCTkwxGTAXBgNV +BAoTEEdFQU5UIFZlcmVuaWdpbmcxGjAYBgNVBAMTEUdFQU5UIE9WIFJTQSBDQSA0 +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApYhi1aEiPsg9ZKRMAw9Q +r8Mthsr6R20VSfFeh7TgwtLQi6RSRLOh4or4EMG/1th8lijv7xnBMVZkTysFiPmT +PiLOfvz+QwO1NwjvgY+Jrs7fSoVA/TQkXzcxu4Tl3WHi+qJmKLJVu/JOuHud6mOp +LWkIbhODSzOxANJ24IGPx9h4OXDyy6/342eE6UPXCtJ8AzeumTG6Dfv5KVx24lCF +TGUzHUB+j+g0lSKg/Sf1OzgCajJV9enmZ/84ydh48wPp6vbWf1H0O3Rd3LhpMSVn +TqFTLKZSbQeLcx/l9DOKZfBCC9ghWxsgTqW9gQ7v3T3aIfSaVC9rnwVxO0VjmDdP +FNbdoxnh0zYwf45nV1QQgpRwZJ93yWedhp4ch1a6Ajwqs+wv4mZzmBSjovtV0mKw +d+CQbSToalEUP4QeJq4Udz5WNmNMI4OYP6cgrnlJ50aa0DZPlJqrKQPGL69KQQz1 +2WgxvhCuVU70y6ZWAPopBa1ykbsttpLxADZre5cH573lIuLHdjx7NjpYIXRx2+QJ +URnX2qx37eZIxYXz8ggM+wXH6RDbU3V2o5DP67hXPHSAbA+p0orjAocpk2osxHKo +NSE3LCjNx8WVdxnXvuQ28tKdaK69knfm3bB7xpdfsNNTPH9ElcjscWZxpeZ5Iij8 +lyrCG1z0vSWtSBsgSnUyG/sCAwEAAaOCAYswggGHMB8GA1UdIwQYMBaAFFN5v1qq +K0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBRvHTVJEGwy+lmgnryK6B+VvnF6DDAO +BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwOAYDVR0gBDEwLzAtBgRVHSAAMCUwIwYIKwYBBQUH +AgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFAGA1UdHwRJMEcwRaBDoEGGP2h0 +dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9u +QXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6 +Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAl +BggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0B +AQwFAAOCAgEAUtlC3e0xj/1BMfPhdQhUXeLjb0xp8UE28kzWE5xDzGKbfGgnrT2R +lw5gLIx+/cNVrad//+MrpTppMlxq59AsXYZW3xRasrvkjGfNR3vt/1RAl8iI31lG +hIg6dfIX5N4esLkrQeN8HiyHKH6khm4966IkVVtnxz5CgUPqEYn4eQ+4eeESrWBh +AqXaiv7HRvpsdwLYekAhnrlGpioZ/CJIT2PTTxf+GHM6cuUnNqdUzfvrQgA8kt1/ +ASXx2od/M+c8nlJqrGz29lrJveJOSEMX0c/ts02WhsfMhkYa6XujUZLmvR1Eq08r +48/EZ4l+t5L4wt0DV8VaPbsEBF1EOFpz/YS2H6mSwcFaNJbnYqqJHIvm3PLJHkFm +EoLXRVrQXdCT+3wgBfgU6heCV5CYBz/YkrdWES7tiiT8sVUDqXmVlTsbiRNiyLs2 +bmEWWFUl76jViIJog5fongEqN3jLIGTG/mXrJT1UyymIcobnIGrbwwRVz/mpFQo0 +vBYIi1k2ThVh0Dx88BbF9YiP84dd8Fkn5wbE6FxXYJ287qfRTgmhePecPc73Yrzt +apdRcsKVGkOpaTIJP/l+lAHRLZxk/dUtyN95G++bOSQqnOCpVPabUGl2E/OEyFrp +Ipwgu2L/WJclvd6g+ZA/iWkLSMcpnFb+uX6QBqvD6+RNxul1FaB5iHY= +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem new file mode 100644 index 000000000..cc2d08bdd --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/USERTrust_RSA_Certification_Authority_AAA_Certificate_Services.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5 +MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO +ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI +s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG +vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ +Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb +IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0 +tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E +xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV +icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5 +D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ +WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ +5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG +KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg +EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID +ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG +BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t +L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA +A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+ +rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+ +/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA +CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F +zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA +vGp4z7h/jnZymQyd/teRCBaho1+V +-----END CERTIFICATE----- -- cgit v1.2.3 From ed28f1a6843b6c04e0a05a4ede049098a6485567 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 30 Jul 2020 07:49:30 +0200 Subject: add new A-Trust Test-Root-05 certs --- .../toBeAdded/A-Trust-Test-Root-05_2016-2024.cer | Bin 0 -> 1506 bytes .../a-sign-Test-Premium-mobile-05_2016-2024.cer | Bin 0 -> 1356 bytes .../A-Trust-Test-Root-05_2016-2024.cer | Bin 0 -> 1506 bytes .../a-sign-Test-Premium-mobile-05_2016-2024.cer | Bin 0 -> 1356 bytes 4 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/A-Trust-Test-Root-05_2016-2024.cer create mode 100644 id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-mobile-05_2016-2024.cer create mode 100644 id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/A-Trust-Test-Root-05_2016-2024.cer create mode 100644 id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-mobile-05_2016-2024.cer (limited to 'id/server') diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/A-Trust-Test-Root-05_2016-2024.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/A-Trust-Test-Root-05_2016-2024.cer new file mode 100644 index 000000000..78b61cfa8 Binary files /dev/null and b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/A-Trust-Test-Root-05_2016-2024.cer differ diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-mobile-05_2016-2024.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-mobile-05_2016-2024.cer new file mode 100644 index 000000000..2766c792f Binary files /dev/null and b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-mobile-05_2016-2024.cer differ diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/A-Trust-Test-Root-05_2016-2024.cer b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/A-Trust-Test-Root-05_2016-2024.cer new file mode 100644 index 000000000..78b61cfa8 Binary files /dev/null and b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/A-Trust-Test-Root-05_2016-2024.cer differ diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-mobile-05_2016-2024.cer b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-mobile-05_2016-2024.cer new file mode 100644 index 000000000..2766c792f Binary files /dev/null and b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-mobile-05_2016-2024.cer differ -- cgit v1.2.3 From f27db66b14e417cbc4b8124842d5525bf3bb8884 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 28 Aug 2020 07:34:08 +0200 Subject: fix possible problems with http proxy --- .../EidasCentralAuthMetadataController.java | 40 ++++++++++----------- .../controller/EIDAuthMetadataController.java | 41 ++++++++++------------ 2 files changed, 38 insertions(+), 43 deletions(-) (limited to 'id/server') diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java index a0c1fa30b..5409e3a4c 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller; import java.io.IOException; +import java.net.URL; import java.util.ArrayList; import java.util.List; import java.util.Map; @@ -76,29 +77,26 @@ public class EidasCentralAuthMetadataController extends AbstractController { public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { //check PublicURL prefix try { - String authURL = HTTPUtils.extractAuthURLFromRequest(req); - if (!authConfig.getPublicURLPrefix().contains(authURL)) { - resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL"); - return; - - } else { - //initialize metadata builder configuration - EidasCentralAuthMetadataConfiguration metadataConfig = - new EidasCentralAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration); - metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); - - - //build metadata - String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); - - //write response - byte[] content = xmlMetadata.getBytes("UTF-8"); - resp.setStatus(HttpServletResponse.SC_OK); - resp.setContentLength(content.length); - resp.setContentType(MediaType.XML_UTF_8.toString()); + String authUrlString = HTTPUtils.extractAuthURLFromRequest(req); + String authURL = authConfig.validateIDPURL(new URL(authUrlString)); + Logger.trace("Build eIDAS Metadata for requestUrl: " + authURL); + + //initialize metadata builder configuration + EidasCentralAuthMetadataConfiguration metadataConfig = + new EidasCentralAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration); + metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); + + + //build metadata + String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); + + //write response + byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); + resp.setContentType(MediaType.XML_UTF_8.toString()); resp.getOutputStream().write(content); - } } catch (Exception e) { Logger.warn("Build federated-authentication PVP metadata FAILED.", e); diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java index 90ecb0942..9fbe04b98 100644 --- a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller; import java.io.IOException; +import java.net.URL; import java.util.ArrayList; import java.util.List; import java.util.Map; @@ -76,28 +77,24 @@ public class EIDAuthMetadataController extends AbstractController { public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { //check PublicURL prefix try { - String authURL = HTTPUtils.extractAuthURLFromRequest(req); - if (!authConfig.getPublicURLPrefix().contains(authURL)) { - resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL"); - return; - - } else { - //initialize metadata builder configuration - EIDAuthMetadataConfiguration metadataConfig = - new EIDAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration); - metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); - - //build metadata - String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); - - //write response - byte[] content = xmlMetadata.getBytes("UTF-8"); - resp.setStatus(HttpServletResponse.SC_OK); - resp.setContentLength(content.length); - resp.setContentType(MediaType.XML_UTF_8.toString()); - resp.getOutputStream().write(content); - - } + String authUrlString = HTTPUtils.extractAuthURLFromRequest(req); + String authURL = authConfig.validateIDPURL(new URL(authUrlString)); + Logger.trace("Build E-ID Metadata for requestUrl: " + authURL); + + //initialize metadata builder configuration + EIDAuthMetadataConfiguration metadataConfig = + new EIDAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration); + metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); + + //build metadata + String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); + + //write response + byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); + resp.setContentType(MediaType.XML_UTF_8.toString()); + resp.getOutputStream().write(content); } catch (Exception e) { Logger.warn("Build E-ID Proxy PVP metadata FAILED.", e); -- cgit v1.2.3 From c4633dffe99d4cc41e25fe165b6b8b5013ea34bd Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 28 Aug 2020 07:34:55 +0200 Subject: fix wrong SAML2 SubjectNameGeneration in case of mandate-attribute processing in proxy-mode --- .../auth/builder/MOAIDSubjectNameIdGenerator.java | 128 +++++++++++++-------- 1 file changed, 79 insertions(+), 49 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java index 3dfba9cca..6864d4ec3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java @@ -1,6 +1,5 @@ package at.gv.egovernment.moa.id.auth.builder; -import org.apache.commons.lang3.StringUtils; import org.springframework.stereotype.Service; import org.w3c.dom.Element; @@ -18,9 +17,11 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; import at.gv.egovernment.moa.id.data.IMOAAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil; import at.gv.egovernment.moa.util.Constants; @Service("MOASAML2SubjectNameIDGenerator") @@ -31,8 +32,8 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator { //build nameID and nameID Format from moasessio if (authData instanceof IMOAAuthData && ((IMOAAuthData)authData).isUseMandate()) { - String bpktype = null; - String bpk = null; + String identifier = null; + String identifierType = null; Element mandate = ((IMOAAuthData)authData).getMandate(); if(mandate != null) { @@ -56,59 +57,88 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAvailableException(); } - - bpktype = id.getType(); - bpk = id.getValue().getValue(); - + + identifier = id.getValue().getValue(); + identifierType = id.getType(); + } else { Logger.debug("Read mandator bPK|baseID from PVP attributes ... "); - bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); - bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); - - if (StringUtils.isEmpty(bpk)) { - //no sourcePin is included --> search for bPK - bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); - - try { - if (bpk.contains(":")) - bpk = bpk.split(":")[1]; - - } catch (Exception e) { - Logger.warn("Can not split bPK from mandator attribute!", e); - - } - - //set bPK-Type from configuration, because it MUST be equal to service-provider type - bpktype = spConfig.getAreaSpecificTargetIdentifier(); - - } else { - //sourcePin is include --> check sourcePinType - if (StringUtils.isEmpty(bpktype)) - bpktype = Constants.URN_PREFIX_BASEID; - - } - } - - if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) { - throw new NoMandateDataAvailableException(); + String natSourcePin = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); + String natSourcePinType = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); + String natBpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); - } - - if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - try { - return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier()); + String jurSourcePin = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); + String jurSourcePinType = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); + + if ( (MiscUtil.isNotEmpty(jurSourcePin) || MiscUtil.isNotEmpty(jurSourcePinType)) + && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natBpk))) { + Logger.warn("Found mandate attributes for legal- AND natural-person. " + + "Both not allowed during on authentication. Process stops now!"); + throw new MandateAttributesNotHandleAbleException(); + + } + + if (MiscUtil.isNotEmpty(jurSourcePin) && MiscUtil.isNotEmpty(jurSourcePinType)) { + Logger.debug("Find jur. person sourcepin. Build SubjectNameId from this ... "); + return Pair.newInstance(jurSourcePin, jurSourcePinType); + + + } else if (MiscUtil.isNotEmpty(natSourcePin)) { + Logger.debug("Find nat. person sourcepin. Build SubjectNameId from this ... "); + identifier = natSourcePin; + + if (MiscUtil.isNotEmpty(natSourcePinType)) { + identifierType = natSourcePinType; + + } else { + identifierType = Constants.URN_PREFIX_BASEID; + + } + + } else if (MiscUtil.isNotEmpty(natBpk)) { + Logger.debug("Find nat. person bPK. Build SubjectNameId from this ... "); + try { + if (natBpk.contains(":")) { + natBpk = natBpk.split(":")[1]; + + } + + } catch (Exception e) { + Logger.warn("Can not split bPK from mandator attribute!", e); + Logger.info("Use nat. person bPK as it is"); + + } + + return Pair.newInstance(natBpk, + spConfig.getAreaSpecificTargetIdentifier()); + + } else { + throw new NoMandateDataAvailableException(); + + } + } + + if (identifierType.equals(Constants.URN_PREFIX_BASEID)) { + try { + return BPKBuilder.generateAreaSpecificPersonIdentifier( + identifier, spConfig.getAreaSpecificTargetIdentifier()); - } catch (EAAFBuilderException e) { - Logger.warn("Can NOT generate SubjectNameId." , e); - throw new ResponderErrorException("pvp2.01", null); + } catch (EAAFBuilderException e) { + Logger.warn("Can NOT generate SubjectNameId." , e); + throw new ResponderErrorException("pvp2.01", null); - } + } - } else - return Pair.newInstance(bpk, bpktype); - - } else + } else { + return Pair.newInstance(identifier, identifierType); + + } + + //no mandate available. Use bPK from authenticated entity + } else { return Pair.newInstance(authData.getBPK(), authData.getBPKType()); + + } } -- cgit v1.2.3 From e10256fe93208ef786d2e38a68a98e2548d501ee Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 31 Aug 2020 10:22:11 +0200 Subject: fix SSRF bug in SAML1 parameter validator --- .../data/deploy/conf/moa-id/moa-id.properties | 3 +- id/server/doc/handbook/config/config.html | 7 + .../StartAuthentificationParameterParser.java | 12 +- .../auth/AuthConfigurationProviderFactory.java | 15 + .../PropertyBasedAuthConfigurationProvider.java | 2 + .../moa/id/util/ParamValidatorUtils.java | 139 ++--- .../moa/id/config/auth/data/DummyAuthConfig.java | 50 +- .../moa/id/util/ParamValidatorUtilsTest.java | 588 +++++++++++++++++++++ 8 files changed, 739 insertions(+), 77 deletions(-) create mode 100644 id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java (limited to 'id/server') diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index beeab5375..ba883d1a1 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties @@ -19,7 +19,8 @@ configuration.moaconfig.key=ConfigurationEncryptionKey configuration.ssl.validation.revocation.method.order=ocsp,crl general.moaidmode.active=true #configuration.ssl.validation.hostname=false -#configuration.validate.authblock.targetfriendlyname=true< +#configuration.validate.authblock.targetfriendlyname=true +#configuration.validate.saml1.parameter.strict=true #MOA-ID 3.x Monitoring Servlet diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 9a90d1c49..62bde84bc 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -431,6 +431,13 @@ UNIX: moa.id.configuration=file:C:/Programme/apache/tomcat-8.x.x/conf/moa-id/moa

Hiermit kann die SSL Hostname validation für das abholen von PVP Metadaten deaktiviert werden.

Hinweis: Workaround, da der httpClient der openSAML2 Implementierung kein SNI (Server Name Indication) unterstützt.

+ + configuration.validate.saml1.parameter.strict + true / false +

Aktiviert oder deaktiviert die strikte Validierung von SecurityLayer Template URLs welche via HTTP Parameter "template" (siehe SAML1 Protokoll) angegeben werden können. Wenn dieser Parameter aktiviert (true) sind ausschließlich Tempalte URLs erlaubt die entweder in Allgemeinen Konfiguration oder in der jeweiligen SP Konfiguration konfiguriert sind. Ist die strikte Validierung deaktiviert (false) sind zusätzlich alle Template URLs erlaubut welche vom selben Host liegen wie die MOA-ID Instanz.

+

 

+

Defaultwert: false

+ configuration.validate.authblock.targetfriendlyname true / false diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index ead80b117..03fd225e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -42,6 +42,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; +import at.gv.egovernment.moa.id.config.auth.PropertyBasedAuthConfigurationProvider; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -182,14 +183,14 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ List defaulTemplateURLList = authConfig.getSLRequestTemplates(); - if ( templateURLList != null && templateURLList.size() > 0 + if ( templateURLList != null && !templateURLList.isEmpty() && MiscUtil.isNotEmpty(templateURLList.get(0)) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0), authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); - } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { + } else if ( !defaulTemplateURLList.isEmpty() && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { templateURL = FileUtils.makeAbsoluteURL( defaulTemplateURLList.get(0), authConfig.getRootConfigFileDir()); @@ -203,8 +204,13 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ } - if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL())) + if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL(), + authConfig.getBasicConfigurationBoolean( + PropertyBasedAuthConfigurationProvider.PROP_STRICT_SAML1_PARAM_VALIDATION, + false))) { throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); + + } protocolReq.setRawDataToTransaction( MOAIDAuthConstants.AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java index 94bcae672..cf3e0efd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java @@ -57,4 +57,19 @@ public class AuthConfigurationProviderFactory { return instance; } + + /** + * Set AuthConfig programmatically + * + * @param authConfig + */ + public static void setAuthConfig(AuthConfiguration authConfig) { + if (instance != null) { + throw new RuntimeException("AuthConfig can ONLY set once!"); + + } + + instance = authConfig; + + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index f299e0e94..1ffdaa524 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -52,6 +52,8 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide public static final String PROP_MOAID_MODE = "general.moaidmode.active"; + public static final String PROP_STRICT_SAML1_PARAM_VALIDATION = + "configuration.validate.saml1.parameter.strict"; private static final boolean TRUST_MANAGER_REVOCATION_CHECKING_DEFAULT = true; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index a44d8c1b6..065615666 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -220,11 +220,11 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } // check if template is a valid URL - try { + try { + URL bkuUrl = new URL(bkuURI); // check if bku url starts with http or https - if (bkuURI.startsWith("http") || bkuURI.startsWith("https")) { - new URL(bkuURI); - + if (bkuUrl.getProtocol().equals("http") || bkuUrl.getProtocol().equals("https")) { + // check if bkuURI is a local BKU if (bkuURI.compareToIgnoreCase("https://localhost:3496/https-security-layer-request") == 0 || bkuURI.compareToIgnoreCase("http://localhost:3495/http-security-layer-request") == 0 || @@ -232,8 +232,8 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ bkuURI.compareToIgnoreCase("https://127.0.0.1:3496/https-security-layer-request") == 0) { Logger.debug("Parameter bkuURI erfolgreich ueberprueft"); return true; - } - else { + + } else { Logger.debug("Parameter bkuURI ist keine lokale BKU. Ueberpruefe Liste der vertrauenswuerdigen BKUs."); boolean b = allowedBKUs.contains(bkuURI); if (b) { @@ -246,17 +246,17 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ return false; } } - } - else if (MOAIDAuthConstants.REQ_BKU_TYPES.contains(bkuURI)) { + + } else if (MOAIDAuthConstants.REQ_BKU_TYPES.contains(bkuURI)) { Logger.debug("Parameter bkuURI from configuration is used."); return true; } else { Logger.error("Fehler Ueberpruefung Parameter bkuURI. bkuURI beginnt nicht mit http or https"); return false; + } - } catch (MalformedURLException e) { Logger.error("Fehler Ueberpruefung Parameter bkuURI", e); return false; @@ -268,9 +268,12 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ * Checks if the given template is valid * @param req * @param template + * @param oaSlTemplates + * @param useStrictValidation Enables strict validation with URLs from configuration, otherwise always allow templates from same host. * @return */ - public static boolean isValidTemplate(HttpServletRequest req, String template, List oaSlTemplates) { + public static boolean isValidTemplate(HttpServletRequest req, String template, + List oaSlTemplates, boolean useStrictValidation) { Logger.debug("Ueberpruefe Parameter Template bzw. bkuSelectionTemplateURL"); @@ -282,65 +285,38 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ // check if template is a valid URL try { - - // check if template url starts with http or https - if (template.startsWith("http") || template.startsWith("https")) { - - // check if template url is from same server - String name = req.getServerName(); - String httpName = "http://" + name; - String httpsName = "https://" + name; - - if (template.startsWith(httpName) || template.startsWith(httpsName)) { - new URL(template); - Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft"); - return true; - } - else { - //check against configured trustet template urls - AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance(); - List trustedTemplateURLs = authConf.getSLRequestTemplates(); - - //get OA specific template URLs - if (oaSlTemplates != null && oaSlTemplates.size() > 0) { - for (String el : oaSlTemplates) - if (MiscUtil.isNotEmpty(el)) - trustedTemplateURLs.add(el); - } - - boolean b = trustedTemplateURLs.contains(template); - if (b) { - Logger.debug("Parameter Template erfolgreich ueberprueft"); - return true; - } - else { - Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Parameter liegt nicht am gleichen Server wie die MOA-Instanz (" + req.getServerName() + ") bzw. ist nicht auf Liste der vertrauenswuerdigen Template URLs (Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)"); - return false; - } - - } - - } else if (template.startsWith("file")){ - new URL(template); - Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft"); - Logger.debug("Load SL-Layer Template from local filesystem " + template); - return true; - - } else { - Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https."); - return false; - } + if (useStrictValidation) { + Logger.trace("Use strict validation of Template bzw. bkuSelectionTemplateURL"); + return validateTemplateUrlToWhiteList(template, oaSlTemplates); + + } else { + Logger.trace("Use lazy validation of Template bzw. bkuSelectionTemplateURL"); + URL templateUrl = new URL(template); + String serverName = req.getServerName(); + + // check if template url starts with http or https + if (((templateUrl.getProtocol().startsWith("http") + || templateUrl.getProtocol().startsWith("https"))) + && templateUrl.getHost().equals(serverName)) { + Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft" + + " Lazy check is activ and template is on same host as MOA-ID"); + return true; + + + } else { + return validateTemplateUrlToWhiteList(template, oaSlTemplates); + + } + } - } catch (MalformedURLException e) { + } catch (MalformedURLException | ConfigurationException e) { Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e); return false; - } catch (ConfigurationException e) { - Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e); - return false; - } + + } } - /** + /** * Checks if the given sessionID is valid * @param target HTTP parameter from request * @return @@ -540,13 +516,44 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } catch (WrongParametersException e) { return false; + } - if (StringUtils.isEmpty(bkuURL) && StringUtils.isEmpty(useeIDAS)) + if (StringUtils.isEmpty(bkuURL) && StringUtils.isEmpty(useeIDAS)) { return false; - else + + } else { return true; + + } } + + private static boolean validateTemplateUrlToWhiteList(String template, List oaSlTemplates) + throws ConfigurationException { + //check against configured trustet template urls + AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance(); + List trustedTemplateURLs = authConf.getSLRequestTemplates(); + + //get OA specific template URLs + if (oaSlTemplates != null && oaSlTemplates.size() > 0) { + for (String el : oaSlTemplates) + if (MiscUtil.isNotEmpty(el)) + trustedTemplateURLs.add(el); + } + + boolean b = trustedTemplateURLs.contains(template); + if (b) { + Logger.debug("Parameter Template erfolgreich ueberprueft"); + return true; + + } else { + Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. " + + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs " + + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)"); + return false; + + } + } } diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java index 1ab54471c..7707f3b90 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -26,6 +26,9 @@ public class DummyAuthConfig implements AuthConfiguration { private Boolean isIDLEscapingEnabled = null; + private Map basicConfig = new HashMap<>(); + private List slRequestTemplates; + @Override public String getRootConfigFileDir() { // TODO Auto-generated method stub @@ -100,7 +103,10 @@ public class DummyAuthConfig implements AuthConfiguration { } else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) { return "urn:publicid:gv.at:cdid+ZP-MH"; - } + } else if (basicConfig.containsKey(key)) { + return basicConfig.get(key); + + } return null; @@ -108,8 +114,13 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public String getBasicConfiguration(String key, String defaultValue) { - // TODO Auto-generated method stub - return null; + if (basicConfig.containsKey(key)) { + return basicConfig.get(key); + + } else { + return defaultValue; + + } } @Override @@ -235,8 +246,8 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public List getSLRequestTemplates() throws ConfigurationException { - // TODO Auto-generated method stub - return null; + return slRequestTemplates; + } @Override @@ -428,8 +439,14 @@ public class DummyAuthConfig implements AuthConfiguration { } + if (basicConfig.containsKey(key)) { + return Boolean.parseBoolean(basicConfig.get(key)); + + } else { + return defaultValue; + + } - return false; } @Override @@ -462,8 +479,27 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public Boolean getBasicConfigurationBoolean(String key) { - // TODO Auto-generated method stub + if (basicConfig.containsKey(key)) { + return Boolean.parseBoolean(basicConfig.get(key)); + + } + return null; } + public void putIntoBasicConfig(String key, String value) { + basicConfig.put(key, value); + + } + + public void removeFromBasicConfig(String key) { + basicConfig.remove(key); + + } + + public void setSlRequestTemplateUrls(List templates) { + slRequestTemplates = templates; + + } + } diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java new file mode 100644 index 000000000..ad9e2c90e --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java @@ -0,0 +1,588 @@ +package test.at.gv.egovernment.moa.id.util; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.security.Principal; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.Enumeration; +import java.util.List; +import java.util.Locale; +import java.util.Map; + +import javax.servlet.AsyncContext; +import javax.servlet.DispatcherType; +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import javax.servlet.http.Part; + +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.BlockJUnit4ClassRunner; + +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; + +@RunWith(BlockJUnit4ClassRunner.class) +public class ParamValidatorUtilsTest { + + private static DummyAuthConfig config; + + @BeforeClass + public static void classInitializer() { + config = new DummyAuthConfig(); + AuthConfigurationProviderFactory.setAuthConfig(config); + config.setSlRequestTemplateUrls(new ArrayList()); + + } + + @Test + public void templateStrictWhitelistFirst() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://aaaa.com/bbbb"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); + + } + + @Test + public void templateStrictWhitelistSecond() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file://aaaa.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); + + } + + @Test + public void templateLazyWhitelistFirst() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://aaaa.com/bbbb"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistSecond() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file://aaaa.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistThird() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://aaaa.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistFour() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "http://aaaa.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistFife() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "http://junit.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistSix() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://junit.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistSeven() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file://junit.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should Not be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + private HttpServletRequest getDummyHttpRequest(final String serverName) { + return new HttpServletRequest() { + + @Override + public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse) + throws IllegalStateException { + // TODO Auto-generated method stub + return null; + } + + @Override + public AsyncContext startAsync() throws IllegalStateException { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setCharacterEncoding(String env) throws UnsupportedEncodingException { + // TODO Auto-generated method stub + + } + + @Override + public void setAttribute(String name, Object o) { + // TODO Auto-generated method stub + + } + + @Override + public void removeAttribute(String name) { + // TODO Auto-generated method stub + + } + + @Override + public boolean isSecure() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isAsyncSupported() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isAsyncStarted() { + // TODO Auto-generated method stub + return false; + } + + @Override + public ServletContext getServletContext() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getServerPort() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getServerName() { + return serverName; + + } + + @Override + public String getScheme() { + // TODO Auto-generated method stub + return null; + } + + @Override + public RequestDispatcher getRequestDispatcher(String path) { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getRemotePort() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getRemoteHost() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRemoteAddr() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRealPath(String path) { + // TODO Auto-generated method stub + return null; + } + + @Override + public BufferedReader getReader() throws IOException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getProtocol() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String[] getParameterValues(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration getParameterNames() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Map getParameterMap() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getParameter(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration getLocales() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Locale getLocale() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getLocalPort() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getLocalName() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getLocalAddr() { + // TODO Auto-generated method stub + return null; + } + + @Override + public ServletInputStream getInputStream() throws IOException { + // TODO Auto-generated method stub + return null; + } + + @Override + public DispatcherType getDispatcherType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getContentType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getContentLength() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getCharacterEncoding() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration getAttributeNames() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Object getAttribute(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public AsyncContext getAsyncContext() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void logout() throws ServletException { + // TODO Auto-generated method stub + + } + + @Override + public void login(String username, String password) throws ServletException { + // TODO Auto-generated method stub + + } + + @Override + public boolean isUserInRole(String role) { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdValid() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdFromUrl() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdFromURL() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdFromCookie() { + // TODO Auto-generated method stub + return false; + } + + @Override + public Principal getUserPrincipal() { + // TODO Auto-generated method stub + return null; + } + + @Override + public HttpSession getSession(boolean create) { + // TODO Auto-generated method stub + return null; + } + + @Override + public HttpSession getSession() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getServletPath() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRequestedSessionId() { + // TODO Auto-generated method stub + return null; + } + + @Override + public StringBuffer getRequestURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRequestURI() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRemoteUser() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getQueryString() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getPathTranslated() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getPathInfo() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Collection getParts() throws IOException, ServletException { + // TODO Auto-generated method stub + return null; + } + + @Override + public Part getPart(String name) throws IOException, ServletException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMethod() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getIntHeader(String name) { + // TODO Auto-generated method stub + return 0; + } + + @Override + public Enumeration getHeaders(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration getHeaderNames() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getHeader(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public long getDateHeader(String name) { + // TODO Auto-generated method stub + return 0; + } + + @Override + public Cookie[] getCookies() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getContextPath() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getAuthType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean authenticate(HttpServletResponse response) throws IOException, ServletException { + // TODO Auto-generated method stub + return false; + } + }; + } +} -- cgit v1.2.3 From 8322112004a0334a5d73795760880e635813793b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 31 Aug 2020 10:54:37 +0200 Subject: update third-party libs add readme_4.1.3.txt and update history.txt --- id/server/idserverlib/pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index e40bc9217..15cc51007 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -503,13 +503,13 @@ org.apache.commons commons-pool2 - 2.6.2 + 2.8.1 redis.clients jedis - 3.1.0 + 3.3.0