From 5fe7b654e6526b34ab917411424faf93586df85f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 May 2018 08:37:48 +0200 Subject: add result decryption for SL2.0 authentication module --- .../id/auth/modules/sl20_auth/sl20/IJOSETools.java | 12 +++++++ .../modules/sl20_auth/sl20/JsonSecurityUtils.java | 39 ++++++++++++++++++++++ .../auth/modules/sl20_auth/sl20/SL20Constants.java | 25 ++++++++++---- .../sl20_auth/sl20/SL20HttpBindingUtils.java | 3 +- .../sl20_auth/sl20/SL20JSONExtractorUtils.java | 21 ++++++++---- .../sl20_auth/tasks/CreateQualeIDRequestTask.java | 5 +-- .../sl20_auth/tasks/ReceiveQualeIDTask.java | 12 +++---- 7 files changed, 93 insertions(+), 24 deletions(-) (limited to 'id') diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java index bcbda3faf..6fd1c3c4d 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/IJOSETools.java @@ -2,8 +2,11 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20; import java.security.cert.X509Certificate; +import com.google.gson.JsonElement; + import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception; +import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20SecurityException; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuildException; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException; @@ -33,5 +36,14 @@ public interface IJOSETools { * @return */ public X509Certificate getEncryptionCertificate(); + + /** + * Decrypt a serialized JWE token + * + * @param compactSerialization Serialized JWE token + * @return decrypted payload + * @throws SL20Exception + */ + public JsonElement decryptPayload(String compactSerialization) throws SL20Exception; } diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java index 7dd5c39ab..e0965c712 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java @@ -11,6 +11,7 @@ import javax.annotation.PostConstruct; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; +import org.jose4j.jwe.JsonWebEncryption; import org.jose4j.jws.AlgorithmIdentifiers; import org.jose4j.jws.JsonWebSignature; import org.jose4j.lang.JoseException; @@ -19,6 +20,7 @@ import org.springframework.stereotype.Service; import com.google.gson.JsonElement; import com.google.gson.JsonParser; +import com.google.gson.JsonSyntaxException; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult; @@ -177,6 +179,43 @@ public class JsonSecurityUtils implements IJOSETools{ } + + @Override + public JsonElement decryptPayload(String compactSerialization) throws SL20Exception { + try { + JsonWebEncryption receiverJwe = new JsonWebEncryption(); + + //set security constrains + receiverJwe.setAlgorithmConstraints( + new AlgorithmConstraints(ConstraintType.WHITELIST, + SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.size()]))); + receiverJwe.setContentEncryptionAlgorithmConstraints( + new AlgorithmConstraints(ConstraintType.WHITELIST, + SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.size()]))); + + //set payload + receiverJwe.setCompactSerialization(compactSerialization); + + //TODO: validate key from header against key from config + + //decrypt payload + receiverJwe.setKey(encPrivKey); + + return new JsonParser().parse(receiverJwe.getPlaintextString()); + + } catch (JoseException e) { + Logger.warn("SL2.0 result decryption FAILED", e); + throw new SL20SecurityException(new Object[]{e.getMessage()}, e); + + } catch ( JsonSyntaxException e) { + Logger.warn("Decrypted SL2.0 result is NOT a valid JSON.", e); + throw new SLCommandoParserException("Decrypted SL2.0 result is NOT a valid JSON.", e); + + } + + } + + @Override public X509Certificate getEncryptionCertificate() { diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java index e84dacc23..b855c3cac 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20Constants.java @@ -3,6 +3,8 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20; import java.util.Arrays; import java.util.List; +import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; +import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers; import org.jose4j.jws.AlgorithmIdentifiers; public class SL20Constants { @@ -41,14 +43,25 @@ public class SL20Constants { JSON_ALGORITHM_SIGNING_PS512 ); - public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = "RSA-OAEP"; - public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = "RSA-OAEP-256"; + public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP = KeyManagementAlgorithmIdentifiers.RSA_OAEP; + public static final String JSON_ALGORITHM_ENC_KEY_RSAOAEP256 = KeyManagementAlgorithmIdentifiers.RSA_OAEP_256; - public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = "A128CBC-HS256"; - public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = "A256CBC-HS512"; - public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = "A128GCM"; - public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = "A256GCM"; + public static final List SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = Arrays.asList( + JSON_ALGORITHM_ENC_KEY_RSAOAEP, + JSON_ALGORITHM_ENC_KEY_RSAOAEP256 + ); + public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256; + public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512 = ContentEncryptionAlgorithmIdentifiers.AES_256_CBC_HMAC_SHA_512; + public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128GCM = ContentEncryptionAlgorithmIdentifiers.AES_128_GCM; + public static final String JSON_ALGORITHM_ENC_PAYLOAD_A256GCM = ContentEncryptionAlgorithmIdentifiers.AES_256_GCM; + + public static final List SL20_ALGORITHM_WHITELIST_ENCRYPTION = Arrays.asList( + JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256, + JSON_ALGORITHM_ENC_PAYLOAD_A256CBCHS512, + JSON_ALGORITHM_ENC_PAYLOAD_A128GCM, + JSON_ALGORITHM_ENC_PAYLOAD_A256GCM + ); //********************************************************************************************* diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java index cfffed881..cc7137a0f 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20HttpBindingUtils.java @@ -34,7 +34,8 @@ public class SL20HttpBindingUtils { Logger.debug("Client request containts is no native client ... "); URIBuilder clientRedirectURI = new URIBuilder(redirectURL); clientRedirectURI.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, sl20Forward.toString()); - response.sendRedirect(clientRedirectURI.build().toString()); + response.setStatus(307); + response.setHeader("Location", clientRedirectURI.build().toString()); } diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java index e1444c95f..e01945df0 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/SL20JSONExtractorUtils.java @@ -146,7 +146,7 @@ public class SL20JSONExtractorUtils { } - public static JsonElement extractSL20Result(JsonObject command, JsonSecurityUtils encrypter, boolean mustBeEncrypted) throws SLCommandoParserException { + public static JsonElement extractSL20Result(JsonObject command, IJOSETools decrypter, boolean mustBeEncrypted) throws SL20Exception { JsonElement result = command.get(SL20Constants.SL20_COMMAND_CONTAINER_RESULT); JsonElement encryptedResult = command.get(SL20Constants.SL20_COMMAND_CONTAINER_ENCRYPTEDRESULT); @@ -162,12 +162,21 @@ public class SL20JSONExtractorUtils { else if (result != null) return result; - else if (encryptedResult != null) { - //TODO: Add correct signature validation + else if (encryptedResult != null && encryptedResult.isJsonPrimitive()) { + /*TODO: + * + * Remove dummy code and test real decryption!!!!! + * + */ + + //return decrypter.decryptPayload(encryptedResult.getAsString()); + + //dummy code String[] signedPayload = encryptedResult.toString().split("\\."); JsonElement payLoad = new JsonParser().parse(new String(Base64.getUrlDecoder().decode(signedPayload[1]))); return payLoad; + } else throw new SLCommandoParserException("Internal build error"); @@ -202,10 +211,10 @@ public class SL20JSONExtractorUtils { else if (sl20Payload != null) return new VerificationResult(sl20Payload.getAsJsonObject()); - else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive()) + else if (sl20SignedPayload != null && sl20SignedPayload.isJsonPrimitive()) { return joseTools.validateSignature(sl20SignedPayload.getAsString()); - - else + + } else throw new SLCommandoParserException("Internal build error"); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java index 1e15e893e..b1dfa9b0d 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java @@ -1,6 +1,5 @@ package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks; -import java.io.StringWriter; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -16,7 +15,6 @@ import org.apache.http.NameValuePair; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.HttpPost; import org.apache.http.client.utils.URIBuilder; -import org.apache.http.entity.ContentType; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.message.BasicNameValuePair; import org.springframework.beans.factory.annotation.Autowired; @@ -78,8 +76,6 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { //build DataURL for qualified eID response String dataURL = new DataURLBuilder().buildDataURL( pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID()); -// String dataURL = new DataURLBuilder().buildDataURL( -// "http://labda.iaik.tugraz.at:8080/moa-id-auth/", Constants.HTTP_ENDPOINT_DATAURL, pendingReq.getRequestID()); //build qualifiedeID command Map qualifiedeIDParams = new HashMap(); @@ -146,6 +142,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { requestStoreage.storePendingRequest(pendingReq); //forward SL2.0 command + //TODO: maybe add SL2ClientType Header from execution context SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL); } else { diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java index 6d2163ff1..698546a4f 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java @@ -92,7 +92,6 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { //validate signature - //TODO: VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, true); if (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned()) { @@ -104,6 +103,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { //TODO validate certificate List sigCertChain = payLoadContainer.getCertChain(); + //extract payloaf JsonObject payLoad = payLoadContainer.getPayload(); @@ -112,12 +112,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true) .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID)) { Logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result .... "); - - - //TODO: add decryption - JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, null, false); - - + + //TODO: activate decryption in 'SL20JSONExtractorUtils.extractSL20Result' + JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(payLoad, joseTools, false); + //extract attributes from result String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true); -- cgit v1.2.3