From f7d20da1c2ab2a952ae64a9447f189bfafd4e2a5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Jun 2014 08:53:18 +0200 Subject: new test credentials include a certificate with a test OID as x509 extension add test OID checks --- .../moa/id/auth/AuthenticationServer.java | 12 ++--- .../moa/id/auth/MOAIDAuthConstants.java | 4 ++ .../VerifyXMLSignatureResponseValidator.java | 54 ++++++++++++++++++++-- .../id/config/auth/AuthConfigurationProvider.java | 7 ++- .../moa/id/config/auth/IOAAuthParameters.java | 4 ++ .../moa/id/config/auth/OAAuthParameter.java | 27 +++++++++++ .../config/auth/data/DynamicOAAuthParameters.java | 18 ++++++++ .../moa/id/monitoring/IdentityLinkTestModule.java | 8 +++- .../resources/properties/id_messages_de.properties | 1 + .../id/auth/invoke/SignatureVerificationTest.java | 6 ++- .../src/main/resources/config/moaid_config_2.0.xsd | 10 +++- 11 files changed, 135 insertions(+), 16 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index e7abf0f9a..44453afe3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -414,17 +414,12 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - // if OA is type is business service the manifest validation result has - // to be ignored - boolean ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true - : false; - // validates the VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, - ignoreManifestValidationResult); + oaParam); session.setIdentityLink(identityLink); // now validate the extended infoboxes @@ -1214,10 +1209,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + // validates the VerifyXMLSignatureResponseValidator.getInstance().validate(vsresp, null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, - false); + oaParam); // Compare AuthBlock Data with information stored in session, especially // date and time diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index e2c0c1f18..497c79c1e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -142,6 +142,10 @@ public interface MOAIDAuthConstants { public static final String PARAM_APPLET_HEIGTH = "heigth"; public static final String PARAM_APPLET_WIDTH = "width"; + //TODO: set correct OID!!! + public static final String TESTCREDENTIALROOTOID = "1.2.40.0.10.1"; + + public static final Map COUNTRYCODE_XX_TO_NAME = Collections.unmodifiableMap(new HashMap() { private static final long serialVersionUID = 1L; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 4fd7fa965..2b687a0c8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -46,6 +46,7 @@ package at.gv.egovernment.moa.id.auth.validator; +import iaik.asn1.ObjectID; import iaik.asn1.structures.Name; import iaik.security.ecc.ecdsa.ECPublicKey; import iaik.utils.RFC2253NameParserException; @@ -54,7 +55,10 @@ import iaik.x509.X509ExtensionInitException; import java.security.PublicKey; import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Iterator; import java.util.List; +import java.util.Set; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; @@ -62,6 +66,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; @@ -99,7 +104,7 @@ public class VerifyXMLSignatureResponseValidator { * @param verifyXMLSignatureResponse the <VerifyXMLSignatureResponse> * @param identityLinkSignersSubjectDNNames subject names configured * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated - * @param ignoreManifestValidationResult specifies whether the validation result of the + * @param oaParam specifies whether the validation result of the * manifest has to be ignored (identityLink validation if * the OA is a business service) or not * @throws ValidateException on any validation error @@ -108,7 +113,7 @@ public class VerifyXMLSignatureResponseValidator { public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse, List identityLinkSignersSubjectDNNames, String whatToCheck, - boolean ignoreManifestValidationResult) + IOAAuthParameters oaParam) throws ValidateException, ConfigurationException { if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) @@ -137,8 +142,49 @@ public class VerifyXMLSignatureResponseValidator { //check QC if (AuthConfigurationProvider.getInstance().isCertifiacteQCActive() && !whatToCheck.equals(CHECK_IDENTITY_LINK) && - !verifyXMLSignatureResponse.isQualifiedCertificate()) - throw new ValidateException("validator.71", null); + !verifyXMLSignatureResponse.isQualifiedCertificate()) { + + //check if testcards are active and certificate has an extension for test credentials + if (oaParam.isTestCredentialEnabled()) { + boolean foundTestCredentialOID = false; + try { + X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate(); + + List validOIDs = new ArrayList(); + if (oaParam.getTestCredentialOIDs() != null) + validOIDs.addAll(oaParam.getTestCredentialOIDs()); + else + validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID); + + Set extentsions = signerCert.getCriticalExtensionOIDs(); + extentsions.addAll(signerCert.getNonCriticalExtensionOIDs()); + Iterator extit = extentsions.iterator(); + while(extit.hasNext()) { + String certOID = extit.next(); + for (String el : validOIDs) { + if (certOID.startsWith(el)) + foundTestCredentialOID = true; + } + } + + } catch (Exception e) { + Logger.warn("Test credential OID extraction FAILED.", e); + + } + //throw Exception if not TestCredentialOID is found + if (!foundTestCredentialOID) + throw new ValidateException("validator.72", null); + + } else + throw new ValidateException("validator.71", null); + } + + // if OA is type is business service the manifest validation result has + // to be ignored + boolean ignoreManifestValidationResult = false; + if (whatToCheck.equals(CHECK_IDENTITY_LINK)) + ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true + : false; if (ignoreManifestValidationResult) { Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index dca0958f3..6fc1d28c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -279,7 +279,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //Load MOAID-2.0 properties file File propertiesFile = new File(fileName); - FileInputStream fis; + FileInputStream fis = null; props = new Properties(); // determine the directory of the root config file @@ -364,6 +364,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } catch (ExceptionInInitializerError e) { throw new ConfigurationException("config.17", null, e); + + } finally { + if (fis != null) + fis.close(); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index a59cc10e0..6398de34f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -144,5 +144,9 @@ public interface IOAAuthParameters { * @return */ boolean isOutboundSSOInterfederationAllowed(); + + boolean isTestCredentialEnabled(); + List getTestCredentialOIDs(); + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 7fc5746ee..f6360f4cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -67,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType; +import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.config.ConfigurationUtils; import at.gv.egovernment.moa.id.config.OAParameter; @@ -520,4 +521,30 @@ public boolean isIDPPublicService() { } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled() + */ +@Override +public boolean isTestCredentialEnabled() { + TestCredentials testing = oa_auth.getTestCredentials(); + if (testing != null && testing.isEnableTestCredentials()) + return true; + else + return false; +} + + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs() + */ +@Override +public List getTestCredentialOIDs() { + TestCredentials testing = oa_auth.getTestCredentials(); + if (testing != null && testing.getCredentialOID().size() > 0) + return testing.getCredentialOID(); + else + return null; +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index 02ac09d70..eddf605a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -381,6 +381,24 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled() + */ + @Override + public boolean isTestCredentialEnabled() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs() + */ + @Override + public List getTestCredentialOIDs() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index 6c2f3e75a..b5220914c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -38,6 +38,8 @@ import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -75,12 +77,14 @@ public class IdentityLinkTestModule implements TestModuleInterface { VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( domVerifyXMLSignatureResponse).parseData(); - + DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters(); + oaParam.setBusinessService(true); + VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, config.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, - true); + oaParam); } catch (ValidateException e) { //check if default Monitoring IDL is used then error is ignored diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 232411fd8..0f9792e79 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -201,6 +201,7 @@ validator.68=SigningTime im AUTH-Block konnte nicht eruiert werden. validator.69=SigningTime im AUTH-Block und Serverzeit weichen zu stark ab ({0}). validator.70=Das einmale Tokken im signierten AuthBlock ({0}) stimmt nicht mit dem von generierten Tokken ({1}) \u00FCberein. validator.71=Das Signaturzertifikat ist nicht qualifiziert. +validator.72=Das Signaturzertifikat ist nicht qualifiziert und es wurde keine OID f\u00FCr Test Identit\u00E4ten gefunden. ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java index 14bb1e4cc..0876cfac6 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java @@ -61,6 +61,7 @@ import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.util.DOMUtils; @@ -130,7 +131,10 @@ System.setProperty( VerifyXMLSignatureResponseParser vParser = new VerifyXMLSignatureResponseParser(response); VerifyXMLSignatureResponse vData = vParser.parseData(); VerifyXMLSignatureResponseValidator vValidate = VerifyXMLSignatureResponseValidator.getInstance(); - vValidate.validate(vData, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, true); + + DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters(); + oaParam.setBusinessService(true); + vValidate.validate(vData, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, oaParam); vValidate.validateCertificate(vData,idl); // check the result diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 3a2914cb4..2d5542b98 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -484,7 +484,7 @@ - + @@ -530,6 +530,14 @@ + + + + + + + + -- cgit v1.2.3