From 653fd79254188db598c0b980640fab912c9e39f7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 24 Jan 2014 11:32:38 +0100 Subject: --use differend keys for SAML2 metadata signing and SAML2 assertion signing -- move oAuth idToken generation to OAuth20AuthAction, because MOASession does not exits anymore in OAuth20TokenAction if no SSO is used. --- .../id/protocols/oauth20/OAuth20SessionObject.java | 9 +- .../oauth20/protocol/OAuth20AuthAction.java | 96 +++++++++++++++++++--- .../oauth20/protocol/OAuth20TokenAction.java | 84 +------------------ .../moa/id/protocols/pvp2x/MetadataAction.java | 25 +++--- .../protocols/pvp2x/binding/ArtifactBinding.java | 2 +- .../id/protocols/pvp2x/binding/PostBinding.java | 4 +- .../protocols/pvp2x/binding/RedirectBinding.java | 2 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 2 +- .../protocols/pvp2x/config/PVPConfiguration.java | 27 ++++-- .../protocols/pvp2x/signer/CredentialProvider.java | 58 +++++++++++-- 10 files changed, 177 insertions(+), 132 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java index 4c7d1a37b..d5dd70c11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.id.protocols.oauth20; import java.io.Serializable; +import java.util.Map; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; @@ -15,7 +16,7 @@ public class OAuth20SessionObject implements Serializable { private String code; - private String authDataSession; + private Map authDataSession; public String getScope() { return scope; @@ -40,12 +41,12 @@ public class OAuth20SessionObject implements Serializable { this.code = code; } - public String getAuthDataSession() { + public Map getAuthDataSession() { return authDataSession; } - public void setAuthDataSession(String authDataSession) { - this.authDataSession = authDataSession; + public void setAuthDataSession(Map idToken) { + this.authDataSession = idToken; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index 17649487a..a5c8bb16e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -1,18 +1,33 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; +import java.security.SignatureException; +import java.util.HashMap; +import java.util.Map; +import java.util.UUID; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; +import at.gv.egovernment.moa.id.protocols.oauth20.Pair; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil; +import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken; +import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.Random; @@ -23,27 +38,24 @@ class OAuth20AuthAction implements IAction { public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { - OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req; - - // OAAuthParameter oaParam = - // AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); - // AuthenticationData authData = - // AuthenticationServer.buildAuthenticationData(moasession, oaParam, - // oAuthRequest.getTarget()); - + OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req; String responseType = oAuthRequest.getResponseType(); - AuthenticationSession session = null; String code = Random.nextRandom(); try { - + + String accessToken = UUID.randomUUID().toString(); + Logger.debug("Stored session with id: " + code); OAuth20SessionObject o = new OAuth20SessionObject(); if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) { o.setScope(oAuthRequest.getScope()); o.setCode(code); - o.setAuthDataSession(moasession.getSessionID()); + + //generate idToken from MOASession + Map idToken = generateIDToken(o, oAuthRequest, moasession, accessToken); + o.setAuthDataSession(idToken); } else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) { throw new OAuth20ResponseTypeException(); @@ -65,6 +77,8 @@ class OAuth20AuthAction implements IAction { String finalUrl = redirectURI; httpResp.addHeader("Location", finalUrl); Logger.debug("REDIRECT TO: " + finalUrl.toString()); + + return accessToken; } catch (Exception e) { @@ -79,7 +93,65 @@ class OAuth20AuthAction implements IAction { throw new OAuth20ServerErrorException(); } - return null; + } + + private Map generateIDToken(OAuth20SessionObject auth20SessionObject, + OAuth20AuthRequest oAuthRequest, AuthenticationSession moasession, String accessToken) throws SignatureException, MOAIDException { + + // create response + Map params = new HashMap(); + params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken); + params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER); + params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime); + + // build id token and scope + Pair pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, + moasession); + Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); + params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); + Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); + params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond()); + + return params; + + } + + private Pair buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, AuthenticationSession session) + throws MOAIDException, SignatureException { + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); + AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget()); + + OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer()); + OAuthJsonToken token = new OAuthJsonToken(signer); + + StringBuilder resultScopes = new StringBuilder(); + // always fill with open id + OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData); + resultScopes.append("openId"); + + for (String s : scope.split(" ")) { + if (s.equalsIgnoreCase("profile")) { + OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData); + resultScopes.append(" profile"); + } else if (s.equalsIgnoreCase("eID")) { + OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData); + resultScopes.append(" eID"); + } else if (s.equalsIgnoreCase("eID_gov")) { + OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData); + resultScopes.append(" eID_gov"); + } else if (s.equalsIgnoreCase("mandate")) { + OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData); + resultScopes.append(" mandate"); + } + // TODO parser STORK + } + + // add properties and sign + // HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id", + // "super_secure_pwd".getBytes()); + // Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config()); + + return Pair.newInstance(token.serializeAndSign(), resultScopes.toString()); } /* diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java index b975b5594..f3638d63e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -1,35 +1,19 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; -import java.security.SignatureException; -import java.util.HashMap; -import java.util.Map; -import java.util.UUID; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; -import at.gv.egovernment.moa.id.protocols.oauth20.Pair; -import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; -import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException; -import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil; -import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken; -import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner; import at.gv.egovernment.moa.id.storage.AssertionStorage; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import com.google.gson.JsonObject; @@ -61,38 +45,10 @@ class OAuth20TokenAction implements IAction { } else { Logger.debug("Loaded of OAuth20SessionObject was successful"); } - - - Logger.debug("Load MOASession from database"); - AuthenticationSession session = AuthenticationSessionStoreage.getSession(auth20SessionObject.getAuthDataSession()); - if (session == null) { - Logger.warn("NO MOASession found with SessionID " + auth20SessionObject.getAuthDataSession()); - throw new OAuth20UnauthorizedClientException(); - - } else { - Logger.debug("Loading of MOASession was successful."); - - } - - final String accessToken = UUID.randomUUID().toString(); - - // create response - Map params = new HashMap(); - params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken); - params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER); - params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime); - - // build id token and scope - Pair pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, - session); - Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); - params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); - Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); - params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond()); // create response JsonObject jsonObject = new JsonObject(); - OAuth20Util.addProperytiesToJsonObject(jsonObject, params); + OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession()); String jsonResponse = jsonObject.toString(); Logger.debug("JSON Response: " + jsonResponse); @@ -137,43 +93,5 @@ class OAuth20TokenAction implements IAction { public String getDefaultActionName() { return OAuth20Protocol.TOKEN_ACTION; } - - private Pair buildIdToken(String scope, OAuth20TokenRequest oAuthRequest, AuthenticationSession session) - throws MOAIDException, SignatureException { - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); - AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget()); - - OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer()); - OAuthJsonToken token = new OAuthJsonToken(signer); - - StringBuilder resultScopes = new StringBuilder(); - // always fill with open id - OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData); - resultScopes.append("openId"); - for (String s : scope.split(" ")) { - if (s.equalsIgnoreCase("profile")) { - OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData); - resultScopes.append(" profile"); - } else if (s.equalsIgnoreCase("eID")) { - OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData); - resultScopes.append(" eID"); - } else if (s.equalsIgnoreCase("eID_gov")) { - OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData); - resultScopes.append(" eID_gov"); - } else if (s.equalsIgnoreCase("mandate")) { - OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData); - resultScopes.append(" mandate"); - } - // TODO parser STORK - } - - // add properties and sign - // HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id", - // "super_secure_pwd".getBytes()); - // Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config()); - - return Pair.newInstance(token.serializeAndSign(), resultScopes.toString()); - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index e6a8c9661..1c7b1c718 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -78,17 +78,10 @@ public class MetadataAction implements IAction { keyInfoFactory.setEmitEntityIDAsKeyName(true); keyInfoFactory.setEmitEntityCertificate(true); KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); - - Credential credential = CredentialProvider - .getIDPSigningCredential(); - - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential)); - + + Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); Signature signature = CredentialProvider - .getIDPSignature(credential); + .getIDPSignature(metadataSigningCredential); idpEntitiesDescriptor.setSignature(signature); @@ -139,9 +132,17 @@ public class MetadataAction implements IAction { idpSSODescriptor.getArtifactResolutionServices().add( artifactResolutionService); }*/ + + //set assertion signing key + Credential assertionSigingCredential = CredentialProvider + .getIDPAssertionSigningCredential(); + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - + idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); @@ -184,7 +185,7 @@ public class MetadataAction implements IAction { String metadataXML = sw.toString(); - System.out.println("METADATA: " + metadataXML); + //System.out.println("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); httpResp.getOutputStream().write(metadataXML.getBytes()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java index c486d3ff2..57fa50384 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -37,7 +37,7 @@ public class ArtifactBinding implements IDecoder, IEncoder { throws MessageEncodingException, SecurityException { try { Credential credentials = CredentialProvider - .getIDPSigningCredential(); + .getIDPAssertionSigningCredential(); Signature signer = CredentialProvider.getIDPSignature(credentials); response.setSignature(signer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 9319c306b..625782cab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -44,7 +44,7 @@ public class PostBinding implements IDecoder, IEncoder { try { Credential credentials = CredentialProvider - .getIDPSigningCredential(); + .getIDPAssertionSigningCredential(); Logger.debug("create SAML POSTBinding response"); @@ -103,7 +103,7 @@ public class PostBinding implements IDecoder, IEncoder { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); - + MOARequest request = new MOARequest(inboundMessage); request.setVerified(false); request.setEntityMetadata(messageContext.getPeerEntityMetadata()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 78b63e041..0fd639c1b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -49,7 +49,7 @@ public class RedirectBinding implements IDecoder, IEncoder { throws MessageEncodingException, SecurityException { try { Credential credentials = CredentialProvider - .getIDPSigningCredential(); + .getIDPAssertionSigningCredential(); Logger.debug("create SAML RedirectBinding response"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 3974e7fd5..1cfb0103e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -65,7 +65,7 @@ public class SoapBinding implements IDecoder, IEncoder { throws MessageEncodingException, SecurityException, PVP2Exception { try { Credential credentials = CredentialProvider - .getIDPSigningCredential(); + .getIDPAssertionSigningCredential(); HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder(); HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 116d3b740..b41331dab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -46,10 +46,15 @@ public class PVPConfiguration { public static final String PVP2_POST = "/pvp2/post"; public static final String PVP_CONFIG_FILE = "pvp2config.properties"; + public static final String IDP_JAVAKEYSTORE = "idp.ks.file"; - public static final String IDP_KEYALIAS = "idp.ks.alias"; public static final String IDP_KS_PASS = "idp.ks.kspassword"; - public static final String IDP_KEY_PASS = "idp.ks.keypassword"; + + public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias"; + public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword"; + + public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias"; + public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword"; public static final String IDP_ISSUER_NAME = "idp.issuer.name"; @@ -115,17 +120,25 @@ public class PVPConfiguration { public String getIDPKeyStoreFilename() { return props.getProperty(IDP_JAVAKEYSTORE); } - + public String getIDPKeyStorePassword() { return props.getProperty(IDP_KS_PASS); } - public String getIDPKeyAlias() { - return props.getProperty(IDP_KEYALIAS); + public String getIDPKeyAliasMetadata() { + return props.getProperty(IDP_KEYALIASMETADATA); + } + + public String getIDPKeyPasswordMetadata() { + return props.getProperty(IDP_KEY_PASSMETADATA); + } + + public String getIDPKeyAliasAssertionSign() { + return props.getProperty(IDP_KEYALIASASSERTION); } - public String getIDPKeyPassword() { - return props.getProperty(IDP_KEY_PASS); + public String getIDPKeyPasswordAssertionSign() { + return props.getProperty(IDP_KEY_PASSASSERTION); } public String getIDPIssuerName() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index cf0f48f1c..511caa908 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -1,6 +1,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.signer; import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.interfaces.RSAPrivateKey; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; @@ -13,35 +15,73 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moa.util.MiscUtil; public class CredentialProvider { - public static Credential getIDPSigningCredential() + + private static KeyStore keyStore = null; + + public static Credential getIDPMetaDataSigningCredential() throws CredentialsNotAvailableException { - KeyStore keyStore; PVPConfiguration config = PVPConfiguration.getInstance(); try { - keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), - config.getIDPKeyStorePassword()); + + if (keyStore == null) + keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), + config.getIDPKeyStorePassword()); KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter( - keyStore, config.getIDPKeyAlias(), config - .getIDPKeyPassword().toCharArray()); + keyStore, config.getIDPKeyAliasMetadata(), config + .getIDPKeyPasswordMetadata().toCharArray()); credentials.setUsageType(UsageType.SIGNING); return credentials; } catch (Exception e) { - Logger.error("Failed to generate IDP Signing credentials"); + Logger.error("Failed to generate IDP Metadata Signing credentials"); e.printStackTrace(); throw new CredentialsNotAvailableException(e.getMessage(), null); } } + public static Credential getIDPAssertionSigningCredential() + throws CredentialsNotAvailableException { + PVPConfiguration config = PVPConfiguration.getInstance(); + try { + if (keyStore == null) + keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), + config.getIDPKeyStorePassword()); + + KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter( + keyStore, config.getIDPKeyAliasAssertionSign(), config + .getIDPKeyPasswordAssertionSign().toCharArray()); + + credentials.setUsageType(UsageType.SIGNING); + return credentials; + } catch (Exception e) { + Logger.error("Failed to generate IDP Assertion Signing credentials"); + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } + } + public static Signature getIDPSignature(Credential credentials) { + + PrivateKey privatekey = credentials.getPrivateKey(); + Signature signer = SAML2Utils.createSAMLObject(Signature.class); - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + + if (privatekey instanceof RSAPrivateKey) { + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + + } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); + + } + + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); signer.setSigningCredential(credentials); return signer; + } public static Credential getSPTrustedCredential(String entityID) -- cgit v1.2.3