From 6e409edd540fb7e2bb6a66f14adeb72e550669c1 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Wed, 2 Jul 2014 16:02:45 +0200 Subject: added support for splitting authnrequest &signrequest --- .../src/main/webapp/jsp/editMOAConfig.jsp | 3 +- .../auth/src/main/webapp/WEB-INF/urlrewrite.xml | 4 +- id/server/auth/src/main/webapp/WEB-INF/web.xml | 13 +- .../moa/id/auth/AuthenticationServer.java | 44 +- .../moa/id/auth/data/AuthenticationSession.java | 57 +- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 8 +- .../PEPSConnectorWithLocalSigningServlet.java | 790 +++++++++++++++++++++ .../gv/egovernment/moa/id/config/stork/CPEPS.java | 20 +- .../moa/id/config/stork/STORKConfig.java | 2 +- .../id/protocols/stork2/AuthenticationRequest.java | 46 +- .../SignedDocAttributeRequestProvider.java | 8 +- .../src/main/resources/config/moaid_config_2.0.xsd | 9 +- 12 files changed, 947 insertions(+), 57 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java (limited to 'id') diff --git a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp index 6f266f865..4589a3381 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp @@ -249,10 +249,11 @@ labelposition="left" />

<%=LanguageHelper.getGUIString("webpages.moaconfig.stork.pepslist", request) %>

- + + diff --git a/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml b/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml index 23737452a..54debca81 100644 --- a/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml @@ -86,8 +86,8 @@ /dispatcher?mod=id_stork2&action=AuthenticationRequest&%{query-string} - ^/stork2/SendPEPSAuthnRequest$ - /dispatcher?mod=id_stork2&action=AuthenticationRequest&%{query-string} + ^/stork2/SendPEPSAuthnRequestWithoutSignedDoc$ + /dispatcher?mod=id_stork2&action=AuthenticationRequest1&%{query-string} ^/stork2/RetrieveMandate$ diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml index 4efda0c79..42085b01e 100644 --- a/id/server/auth/src/main/webapp/WEB-INF/web.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml @@ -107,6 +107,14 @@ at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet + + PEPSConnectorWithLocalSigningServlet + PEPSConnectorWithLocalSigningServlet + Servlet receiving STORK SAML Response Messages from + different C-PEPS + + at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a8cf5014f..c2eefa3d8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -76,6 +76,7 @@ import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; +import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -1795,12 +1796,37 @@ public class AuthenticationServer implements MOAIDAuthConstants { PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName("signedDoc"); List value = new ArrayList(); - value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), - "application/xhtml+xml", - moasession.getCcc())); - newAttribute.setValue(value); - attributeList.add(newAttribute); - + + Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported()); + if(cpeps.isXMLSignatureSupported())//Send SignRequest to PEPS + { + value.add(generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", moasession.getCcc())); + newAttribute.setValue(value); + attributeList.add(newAttribute); + } + else//Process SignRequest locally with MOCCA + { + String target = moasession.getTarget(); + moasession.setTarget("AT"); + String signedDoc = (generateDssSignRequest(CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession), + "application/xhtml+xml", "AT"));//moasession.getCcc() + moasession.setTarget(target); + Logger.warn("signedDoc to store:"+signedDoc); + //attributeList.add(newAttribute); + + //store SignRequest for later... + moasession.setSignedDoc(signedDoc); + + acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + try { + AuthenticationSessionStoreage.storeSession(moasession); + } catch (MOADatabaseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + } if (Logger.isDebugEnabled()) { Logger.debug("The following attributes are requested for this OA:"); @@ -1817,7 +1843,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { //generate AuthnRquest STORKAuthnRequest authnRequest = new STORKAuthnRequest(); authnRequest.setDestination(destination); - authnRequest.setAssertionConsumerServiceURL(acsURL); + authnRequest.setAssertionConsumerServiceURL(acsURL);//PEPSConnectorWithLocalSigning authnRequest.setProviderName(providerName); authnRequest.setIssuer(issuerValue); authnRequest.setQaa(oaParam.getQaaLevel()); @@ -1834,7 +1860,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { authnRequest.setCitizenCountryCode(moasession.getCcc()); - Logger.debug("STORK AuthnRequest succesfully assembled."); STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); @@ -1842,7 +1867,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (samlEngine == null) { Logger.error("Could not initalize STORK SAML engine."); throw new MOAIDException("stork.00", null); - } try { @@ -1905,7 +1929,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { idGenerator = new SecureRandomIdentifierGenerator(); DocumentType doc = new DocumentType(); - doc.setBase64XML(text.getBytes()); + doc.setBase64XML(text.getBytes("UTF-8")); doc.setID(idGenerator.generateIdentifier()); SignRequest request = new SignRequest(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 8726c1618..26c22fb4a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -51,6 +51,7 @@ import org.w3c.dom.Element; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; @@ -291,9 +292,58 @@ public class AuthenticationSession implements Serializable { private boolean isForeigner; private IPersonalAttributeList storkAttributes; - + + + //Temporary store SignRequest for local processing + private String signedDoc; + //Temporary store SAMLResponse for processing after user signed signedDoc locally + private String SAMLResponse; + // + private StringBuffer returnURL; + private IPersonalAttributeList authnResponseGetPersonalAttributeList; + private String authnContextClassRef; // private String requestedProtocolURL = null; + public String getAuthnContextClassRef() { + return authnContextClassRef; + } + + public void setAuthnContextClassRef(String authnContextClassRef) { + this.authnContextClassRef = authnContextClassRef; + } + + public IPersonalAttributeList getAuthnResponseGetPersonalAttributeList() { + return authnResponseGetPersonalAttributeList; + } + + public void setAuthnResponseGetPersonalAttributeList(IPersonalAttributeList authnResponseGetPersonalAttributeList) { + this.authnResponseGetPersonalAttributeList = authnResponseGetPersonalAttributeList; + } + + public String getSAMLResponse() { + return SAMLResponse; + } + + public void setSAMLResponse(String samlResponse) { + SAMLResponse = samlResponse; + } + + public StringBuffer getReturnURL() { + return returnURL; + } + + public void setReturnURL(StringBuffer returnURL) { + this.returnURL = returnURL; + } + + public String getSignedDoc() { + return signedDoc; + } + + public void setSignedDoc(String signedDoc) { + this.signedDoc = signedDoc; + } + public String getModul() { return modul; } @@ -1060,9 +1110,6 @@ public class AuthenticationSession implements Serializable { */ public Date getSessionCreated() { return sessionCreated; - } - - - + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index a82a51d07..0ba144b80 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -23,16 +23,17 @@ package at.gv.egovernment.moa.id.auth.servlet; import iaik.x509.X509Certificate; + import java.io.IOException; import java.io.InputStream; import java.io.StringWriter; import java.util.ArrayList; + import javax.activation.DataSource; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBElement; import javax.xml.transform.stream.StreamSource; @@ -50,18 +51,15 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.ModulUtils; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.StringUtils; @@ -188,7 +186,6 @@ public class PEPSConnectorServlet extends AuthServlet { //load MOASession from database AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); - //change MOASessionID moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); @@ -248,6 +245,7 @@ public class PEPSConnectorServlet extends AuthServlet { String citizenSignature = null; try { String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); // fetch signed doc diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java new file mode 100644 index 000000000..ee0ae4b87 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorWithLocalSigningServlet.java @@ -0,0 +1,790 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +package at.gv.egovernment.moa.id.auth.servlet; + +import iaik.x509.X509Certificate; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.StringWriter; +import java.io.UnsupportedEncodingException; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import javax.activation.DataSource; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Source; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.stream.StreamSource; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.velocity.Template; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; +import org.opensaml.saml2.core.StatusCode; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.BKUException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.exception.ServiceException; +import at.gv.egovernment.moa.id.auth.stork.STORKException; +import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.VelocityProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.SignatureVerificationService; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureLocation; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.xmldsig.SignatureType; +import at.gv.util.xsd.xmldsig.X509DataType; +import eu.stork.oasisdss.api.ApiUtils; +import eu.stork.oasisdss.api.LightweightSourceResolver; +import eu.stork.oasisdss.api.exceptions.ApiUtilsException; +import eu.stork.oasisdss.api.exceptions.UtilsException; +import eu.stork.oasisdss.profile.SignRequest; +import eu.stork.oasisdss.profile.SignResponse; +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.PEPSUtil; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse; +import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.exceptions.STORKSAMLEngineException; +//import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; + +/** + * Endpoint for receiving STORK response messages + */ +public class PEPSConnectorWithLocalSigningServlet extends AuthServlet { + private static final long serialVersionUID = 1L; + + public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnectorWithLocalSigning"; + + private String oasisDssWebFormURL = "http://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";//TODO load from config + + + /** + * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) + */ + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + super.doGet(request, response); + } + + /** + * Handles the reception of a STORK response message + * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) + */ + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException + { + String moaSessionID1 = request.getParameter("moaSessionID"); + String signResponse = request.getParameter("signresponse"); + Logger.info("moaSessionID1:"+moaSessionID1); + Logger.info("signResponse:"+signResponse); + if(moaSessionID1!=null) + { + if(signResponse!=null) + { + //redirect from oasis with signresponse + handleSignResponse(request, response); + } + else + { + //should not occur + throw new IOException("should not occur"); + } + } + else + { + if(signResponse!=null) + { + //should not occur + throw new IOException("should not occur"); + } + else + { + //normal saml response + handleSAMLResponse(request, response); + } + } + return; + } + + private void handleSignResponse(HttpServletRequest request, HttpServletResponse response) { + Logger.info("handleSignResponse started"); + String moaSessionID = request.getParameter("moaSessionID"); + String signResponse = request.getParameter("signresponse"); + Logger.info("moaSessionID:"+moaSessionID); + Logger.info("signResponse:"+signResponse); + String pendingRequestID = null; + try{ + + + //load MOASession from database + AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); + //change MOASessionID + moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); + Logger.info("pendingRequestID:"+pendingRequestID); + String signResponseString = new String(Base64.decodeBase64(signResponse), "UTF8"); + Logger.info("RECEIVED signresponse:"+signResponseString); + //create SignResponse object + Source response1 = new StreamSource(new java.io.StringReader(signResponseString)); + SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class); + + // SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(Base64.signResponse))); + + String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + + // memorize signature into authblock + moaSession.setAuthBlock(citizenSignature); + + X509Certificate cert = getSignerCertificate(citizenSignature); + moaSession.setSignerCertificate(cert); + VerifyXMLSignatureResponse xMLVerifySignatureResponse = verifyXMLSignature(citizenSignature); + at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse tmp = convert(xMLVerifySignatureResponse); + + + moaSession.setXMLVerifySignatureResponse(tmp); + try{ + IPersonalAttributeList personalAttributeList = moaSession.getAuthnResponseGetPersonalAttributeList(); + //Add signResponse + List values = new ArrayList(); + //values.add(signResponseString); + values.add(citizenSignature); + Logger.debug("Assembling signedDoc attribute"); + PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, + "Available"); + personalAttributeList.add(signedDocAttribute); + + String authnContextClassRef = moaSession.getAuthnContextClassRef(); + SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef); + } catch (STORKException e) { + // this is really nasty but we work against the system here. We are supposed to get the gender attribute from + // stork. If we do not, we cannot register the person in the ERnP - we have to have the + // gender for the represented person. So here comes the dirty hack. + if(e.getCause() instanceof STORKException && e.getCause().getMessage().equals("gender not found in response")) { + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html"); + VelocityContext context = new VelocityContext(); + context.put("SAMLResponse", request.getParameter("SAMLResponse")); + context.put("action", request.getRequestURL()); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + response.getOutputStream().write(writer.toString().getBytes()); + } catch (Exception e1) { + Logger.error("Error sending gender retrival form.", e1); + // httpSession.invalidate(); + throw new MOAIDException("stork.10", null); + } + + return; + } + + Logger.error("Error connecting SZR Gateway", e); + throw new MOAIDException("stork.10", null); + } + + Logger.debug("Add full STORK AuthnResponse to MOA session"); + moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? + + //session is implicit stored in changeSessionID!!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID); + + //redirect + String redirectURL = null; + redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(), + ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); + redirectURL = response.encodeRedirectURL(redirectURL); + + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", redirectURL); + Logger.info("REDIRECT TO: " + redirectURL); + + } catch (AuthenticationException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (MOAIDException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (Exception e) { + Logger.error("PEPSConnector has an interal Error.", e); + } + + finally { + ConfigurationDBUtils.closeSession(); + } + } + + private void handleSAMLResponse(HttpServletRequest request, HttpServletResponse response) { + Logger.info("handleSAMLResponse started"); + String pendingRequestID = null; + + try { + Logger.info("PEPSConnector Servlet invoked, expecting C-PEPS message."); + Logger.debug("This ACS endpoint is: " + HTTPUtils.getBaseURL(request)); + + super.setNoCachingHeadersInHttpRespone(request, response); + Logger.trace("No Caching headers set for HTTP response"); + + //check if https or only http + super.checkIfHTTPisAllowed(request.getRequestURL().toString()); + + Logger.debug("Beginning to extract SAMLResponse out of HTTP Request"); + + //extract STORK Response from HTTP Request + //Decodes SAML Response + byte[] decSamlToken; + try { + decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse")); + Logger.debug("SAMLResponse: " + new String(decSamlToken)); + + } catch(NullPointerException e) { + Logger.error("Unable to retrieve STORK Response", e); + throw new MOAIDException("stork.04", null); + } + + //Get SAMLEngine instance + STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing"); + + STORKAuthnResponse authnResponse = null; + try { + //validate SAML Token + Logger.debug("Starting validation of SAML response"); + authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); + Logger.info("SAML response succesfully verified!"); + }catch(STORKSAMLEngineException e){ + Logger.error("Failed to verify STORK SAML Response", e); + throw new MOAIDException("stork.05", null); + } + + Logger.info("STORK SAML Response message succesfully extracted"); + Logger.debug("STORK response: "); + Logger.debug(authnResponse.toString()); + + Logger.debug("Trying to find MOA Session-ID ..."); + //String moaSessionID = request.getParameter(PARAM_SESSIONID); + //first use SAML2 relayState + String moaSessionID = request.getParameter("RelayState"); + + // escape parameter strings + moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); + + //check if SAML2 relaystate includes a MOA sessionID + if (StringUtils.isEmpty(moaSessionID)) { + //if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier + + moaSessionID = authnResponse.getInResponseTo(); + moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); + + if (StringUtils.isEmpty(moaSessionID)) { + //No authentication session has been started before + Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started"); + Logger.debug("PEPSConnectorURL was: " + request.getRequestURL()); + throw new AuthenticationException("auth.02", new Object[] { moaSessionID }); + + } else + Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute."); + + } else + //Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter."); + Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState."); + + /*INFO!!!! + * SAML message IDs has an different format then MOASessionIDs + * This is only a workaround because many PEPS does not support SAML2 relayState or + * MOASessionID as AttributConsumerServiceURL GET parameter + */ + // if (!ParamValidatorUtils.isValidSessionID(moaSessionID)) + // throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12"); + + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); + + //load MOASession from database + AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); + //change MOASessionID + moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + Logger.info("Found MOA sessionID: " + moaSessionID); + + + + String statusCodeValue = authnResponse.getStatusCode(); + + if (!statusCodeValue.equals(StatusCode.SUCCESS_URI)) { + Logger.error("Received ErrorResponse from PEPS: " + statusCodeValue); + throw new MOAIDException("stork.06", new Object[] { statusCodeValue }); + } + + Logger.info("Got SAML response with authentication success message."); + + Logger.debug("MOA session is still valid"); + + STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest(); + + if (storkAuthnRequest == null) { + Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); + throw new MOAIDException("stork.07", null); + } + + Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); + + ////////////// incorporate gender from parameters if not in stork response + + IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + + // but first, check if we have a representation case + if(STORKResponseProcessor.hasAttribute("mandateContent", attributeList) || STORKResponseProcessor.hasAttribute("representative", attributeList) || STORKResponseProcessor.hasAttribute("represented", attributeList)) { + // in a representation case... + moaSession.setUseMandate("true"); + + // and check if we have the gender value + PersonalAttribute gender = attributeList.get("gender"); + if(null == gender) { + String gendervalue = (String) request.getParameter("gender"); + if(null != gendervalue) { + gender = new PersonalAttribute(); + gender.setName("gender"); + ArrayList tmp = new ArrayList(); + tmp.add(gendervalue); + gender.setValue(tmp); + + authnResponse.getPersonalAttributeList().add(gender); + } + } + } + + ////////////////////////////////////////////////////////////////////////// + + Logger.debug("Starting extraction of signedDoc attribute"); + //extract signed doc element and citizen signature + String citizenSignature = null; + try { + PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); + String signatureInfo = null; + if(signedDoc!=null) + { + signatureInfo = signedDoc.getValue().get(0); + //should not occur + } + else + { + + //store SAMLResponse + moaSession.setSAMLResponse(request.getParameter("SAMLResponse")); + //store authnResponse + + //moaSession.setAuthnResponse(authnResponse);//not serializable + moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList()); + + String authnContextClassRef = null; + try { + authnContextClassRef = authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef(); + } catch (Throwable e) { + Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); + } + + moaSession.setAuthnContextClassRef(authnContextClassRef); + moaSession.setReturnURL(request.getRequestURL()); + + //load signedDoc + String signRequest = moaSession.getSignedDoc(); + + //session is implicit stored in changeSessionID!!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + //set return url to PEPSConnectorWithLocalSigningServlet and add newMOASessionID + //signRequest + + String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + String acsURL = issuerValue + PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + + String url = acsURL+"?moaSessionID="+newMOASessionID; + //redirect to OASIS module and sign there + performRedirect(url,request,response,signRequest); + + return; + } + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); + + citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + + // memorize signature into authblock + moaSession.setAuthBlock(citizenSignature); + + X509Certificate cert = getSignerCertificate(citizenSignature); + moaSession.setSignerCertificate(cert); + + + } catch (Throwable e) { + Logger.error("Could not extract citizen signature from C-PEPS", e); + throw new MOAIDException("stork.09", null); + } + + try{ + SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions().get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); + } catch (STORKException e) { + // this is really nasty but we work against the system here. We are supposed to get the gender attribute from + // stork. If we do not, we cannot register the person in the ERnP - we have to have the + // gender for the represented person. So here comes the dirty hack. + if(e.getCause() instanceof STORKException && e.getCause().getMessage().equals("gender not found in response")) { + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html"); + VelocityContext context = new VelocityContext(); + context.put("SAMLResponse", request.getParameter("SAMLResponse")); + context.put("action", request.getRequestURL()); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + response.getOutputStream().write(writer.toString().getBytes()); + } catch (Exception e1) { + Logger.error("Error sending gender retrival form.", e1); + // httpSession.invalidate(); + throw new MOAIDException("stork.10", null); + } + + return; + } + + Logger.error("Error connecting SZR Gateway", e); + throw new MOAIDException("stork.10", null); + } + + Logger.debug("Add full STORK AuthnResponse to MOA session"); + moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));//TODO ask Florian/Thomas authnResponse? + + //session is implicit stored in changeSessionID!!!! + String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + + Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID); + + //redirect + String redirectURL = null; + redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(), + ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID), newMOASessionID); + redirectURL = response.encodeRedirectURL(redirectURL); + + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", redirectURL); + Logger.info("REDIRECT TO: " + redirectURL); + + } catch (AuthenticationException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (MOAIDException e) { + handleError(null, e, request, response, pendingRequestID); + + } catch (Exception e) { + Logger.error("PEPSConnector has an interal Error.", e); + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + } + + private void performRedirect(String url, HttpServletRequest req, HttpServletResponse resp, String signRequestString) + throws MOAIDException { + + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/oasis_dss_webform_binding.vm"); + VelocityContext context = new VelocityContext(); + + Logger.debug("performRedirect, signrequest:"+signRequestString); + Source signDoc = new StreamSource(new java.io.StringReader(signRequestString)); + SignRequest signRequest = ApiUtils.unmarshal(signDoc, SignRequest.class); + signRequest.setReturnURL("TODO"); + signRequestString = IOUtils.toString(ApiUtils.marshalToInputStream(signRequest)); + context.put("signrequest", Base64.encodeBase64String(signRequestString.getBytes("UTF8"))); + context.put("clienturl", url); + context.put("action", oasisDssWebFormURL ); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + resp.getOutputStream().write(writer.toString().getBytes()); + } catch (Exception e) { + Logger.error("Error sending DSS signrequest.", e); + throw new MOAIDException("stork.11", null); + } + } + + private String getCitizienSignatureFromSignResponseFromSAML(STORKAuthnResponse authnResponse) throws ApiUtilsException, IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, MOAIDException + { + PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); + String signatureInfo = null; + if(signedDoc==null) + { + Logger.error("SignedDoc = null, failed to extract Signresponse from authnResponse"); + throw new MOAIDException("stork.09", null); + } + signatureInfo = signedDoc.getValue().get(0); + + SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); + String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse); + return citizenSignature; + + } + + private String getCitizienSignatureFromSignResponse(SignResponse dssSignResponse) throws IllegalArgumentException, TransformerConfigurationException, UtilsException, TransformerException, TransformerFactoryConfigurationError, IOException, ApiUtilsException + { + // fetch signed doc + DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse); + if(ds == null){ + throw new ApiUtilsException("No datasource found in response"); + } + + InputStream incoming = ds.getInputStream(); + String citizenSignature = IOUtils.toString(incoming); + incoming.close(); + + return citizenSignature; + } + + private X509Certificate getSignerCertificate(String citizenSignature) throws CertificateException, JAXBException + { + JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName()); + SignatureType root = ((JAXBElement) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue(); + + // extract certificate + for(Object current : root.getKeyInfo().getContent()) + if(((JAXBElement) current).getValue() instanceof X509DataType) { + for(Object currentX509Data : ((JAXBElement) current).getValue().getX509IssuerSerialOrX509SKIOrX509SubjectName()) { + JAXBElement casted = ((JAXBElement) currentX509Data); + if(casted.getName().getLocalPart().equals("X509Certificate")) { + return new X509Certificate(((String)casted.getValue()).getBytes()); + } + } + } + return null; + } + + private void SZRGInsertion(AuthenticationSession moaSession, IPersonalAttributeList personalAttributeList, String authnContextClassRef) throws STORKException, MOAIDException + { + Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)"); + Logger.debug("Citizen signature will be verified by SZR Gateway!"); + + Logger.debug("fetching OAParameters from database"); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix()); + if (oaParam == null) + throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() }); + + // retrieve target + //TODO: check in case of SSO!!! + String targetType = null; + String targetValue = null; + if(oaParam.getBusinessService()) { + String id = oaParam.getIdentityLinkDomainIdentifier(); + if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + else + targetValue = moaSession.getDomainIdentifier(); + targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_; + } else { + targetType = AuthenticationSession.TARGET_PREFIX_; + targetValue = oaParam.getTarget(); + } + + Logger.debug("Starting connecting SZR Gateway"); + //contact SZR Gateway + IdentityLink identityLink = null; + + identityLink = STORKResponseProcessor.connectToSZRGateway(personalAttributeList, + oaParam.getFriendlyName(), + targetType, targetValue, + oaParam.getMandateProfiles()); + Logger.debug("SZR communication was successfull"); + + if (identityLink == null) { + Logger.error("SZR Gateway did not return an identity link."); + throw new MOAIDException("stork.10", null); + } + Logger.info("Received Identity Link from SZR Gateway"); + moaSession.setIdentityLink(identityLink); + + Logger.debug("Adding addtional STORK attributes to MOA session"); + moaSession.setStorkAttributes(personalAttributeList); + + //We don't have BKUURL, setting from null to "Not applicable" + moaSession.setBkuURL("Not applicable (STORK Authentication)"); + + // free for single use + moaSession.setAuthenticatedUsed(false); + + // stork did the authentication step + moaSession.setAuthenticated(true); + + //TODO: found better solution, but QAA Level in response could be not supported yet + try { + if(authnContextClassRef==null) + authnContextClassRef = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel(); + moaSession.setQAALevel(authnContextClassRef); + + } catch (Throwable e) { + Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level"); + moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel()); + + } + + } + + private VerifyXMLSignatureResponse verifyXMLSignature(String signature) throws AuthenticationException, ParseException, BKUException, BuildException, ConfigurationException, ServiceException, UnsupportedEncodingException, SAXException, IOException, ParserConfigurationException, MOAException + { + //Based on MOA demo client + // Factory und Service instanzieren + SPSSFactory spssFac = SPSSFactory.getInstance(); + SignatureVerificationService sigVerifyService = SignatureVerificationService.getInstance(); + + Content sigDocContent1 = spssFac.createContent(IOUtils.toInputStream(signature, "UTF-8"), null); + + // Position der zu prüfenden Signatur im Dokument angeben + // (Nachdem im XPath-Ausdruck ein NS-Präfix verwendet wird, muss in einer Lookup-Tabelle + // der damit bezeichnete Namenraum mitgegeben werden) + HashMap nSMap = new HashMap(); + nSMap.put("dsig", "http://www.w3.org/2000/09/xmldsig#"); + VerifySignatureLocation sigLocation = spssFac.createVerifySignatureLocation("//dsig:Signature", nSMap); + + // Zu prüfendes Dokument und Signaturposition zusammenfassen + + VerifySignatureInfo sigInfo = spssFac.createVerifySignatureInfo(sigDocContent1, sigLocation); + + // Prüfrequest zusammenstellen + VerifyXMLSignatureRequest verifyRequest = spssFac.createVerifyXMLSignatureRequest( + null, // Wird Prüfzeit nicht angegeben, wird aktuelle Zeit verwendet + sigInfo, + null, // Keine Ergänzungsobjekte notwendig + null, // Signaturmanifest-Prüfung soll nicht durchgeführt werden + false, // Hash-Inputdaten, d.h. tatsächlich signierte Daten werden nicht zurückgeliefert + "MOAIDBuergerkartePersonenbindungMitTestkarten");//TODO load from config + //"Test-Signaturdienste"); // ID des verwendeten Vertrauensprofils + + VerifyXMLSignatureResponse verifyResponse = null; + try + { + // Aufruf der Signaturprüfung + verifyResponse = sigVerifyService.verifyXMLSignature(verifyRequest); + } + catch (MOAException e) + { + // Service liefert Fehler + System.err.println("Die Signaturprüfung hat folgenden Fehler geliefert:"); + System.err.println("Fehlercode: " + e.getMessageId()); + System.err.println("Fehlernachricht: " + e.getMessage()); + throw e; + } + +// // Auswertung der Response +// System.out.println(); +// System.out.println("Ergebnisse der Signaturprüfung:"); +// System.out.println(); +// +// // Besondere Eigenschaften des Signatorzertifikats +// SignerInfo signerInfo = verifyResponse.getSignerInfo(); +// System.out.println("*** Ist Zertifikat des Signators qualifiziert? " + ((signerInfo.isQualifiedCertificate()) ? "ja" : "nein")); +// System.out.println("*** Ist Zertifikat des Signators von einer Behörde? " + ((signerInfo.isPublicAuthority()) ? "ja" : "nein")); +// +// // Ergebnisse von Signatur- und Zertifikatsprüfung +// System.out.println(); +// System.out.println("Ergebniscode der Signaturprüfung: " + verifyResponse.getSignatureCheck().getCode()); +// System.out.println("Ergebniscode der Zertifikatsprüfung: " + verifyResponse.getCertificateCheck().getCode()); +// +// // Signatorzertifikat +// System.out.println(); +// System.out.println("*** Zertifikat des Signators:"); +// System.out.println("Aussteller: " + signerInfo.getSignerCertificate().getIssuerDN()); +// System.out.println("Subject: " + signerInfo.getSignerCertificate().getSubjectDN()); +// System.out.println("Seriennummer: " + signerInfo.getSignerCertificate().getSerialNumber()); + return verifyResponse; + } + + private at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse convert(VerifyXMLSignatureResponse xMLVerifySignatureResponse) { + at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse response = new at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse(); + response.setCertificateCheckCode(xMLVerifySignatureResponse.getCertificateCheck().getCode()); + response.setPublicAuthority(xMLVerifySignatureResponse.getSignerInfo().isPublicAuthority()); +// response.setPublicAuthorityCode(publicAuthorityCode) + response.setQualifiedCertificate(xMLVerifySignatureResponse.getSignerInfo().isQualifiedCertificate()); + response.setSignatureCheckCode(xMLVerifySignatureResponse.getSignatureCheck().getCode()); + response.setSignatureManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode()); +// response.setSigningDateTime() +// response.setX509certificate(x509certificate) + response.setXmlDSIGManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode()); +// response.setXmlDSIGManigest(xMLVerifySignatureResponse.getSignatureManifestCheck()) +// response.setXmlDsigSubjectName(xmlDsigSubjectName) + return response; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java index 6e67b4219..3f4be5093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java @@ -45,6 +45,8 @@ public class CPEPS { /** URL of C-PEPS */ private URL pepsURL; + private Boolean isXMLSignatureSupported; + /** Specific attributes to be requested for this C-PEPS */ private List countrySpecificRequestedAttributes = new ArrayList(); @@ -53,10 +55,11 @@ public class CPEPS { * @param countryCode ISO Country Code of C-PEPS * @param pepsURL URL of C-PEPS */ - public CPEPS(String countryCode, URL pepsURL) { + public CPEPS(String countryCode, URL pepsURL, Boolean isXMLSignatureSupported) { super(); this.countryCode = countryCode; this.pepsURL = pepsURL; + this.isXMLSignatureSupported = isXMLSignatureSupported; } /** @@ -91,6 +94,21 @@ public class CPEPS { this.pepsURL = pepsURL; } + /** + * Returns weather the C-PEPS supports XMl Signatures or not (important for ERnB) + */ + public Boolean isXMLSignatureSupported() { + return isXMLSignatureSupported; + } + + /** + * Sets weather the C-PEPS supports XMl Signatures or not (important for ERnB) + * @param isXMLSignatureSupported C-PEPS XML Signature support + */ + public void setXMLSignatureSupported(boolean isXMLSignatureSupported) { + this.isXMLSignatureSupported = isXMLSignatureSupported; + } + /** * Gets the country specific attributes of this C-PEPS * @return List of country specific attributes diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 2e243b3ae..136b40295 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -81,7 +81,7 @@ public class STORKConfig { for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) { try { - CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL())); + CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL()), cpep.isSupportsXMLSignature()); cpepsMap.put(cpep.getCountryCode(), moacpep); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index a5690a883..b62e6de32 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -75,7 +75,7 @@ public class AuthenticationRequest implements IAction { this.authData = authData; - if ((req instanceof MOASTORKRequest) && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { + if ((req instanceof MOASTORKRequest)) { // && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { this.moaStorkRequest = (MOASTORKRequest) req; @@ -134,10 +134,10 @@ public class AuthenticationRequest implements IAction { return (new AttributeCollector()).processRequest(container, httpReq, httpResp, authData, oaParam); } - // check if we are getting request for citizen of some other country - else if (req instanceof MOASTORKRequest) { - return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); - } +// // check if we are getting request for citizen of some other country +// else if (req instanceof MOASTORKRequest) { +// return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); +// } // Check if we got the response from PEPS // If so then process it and forward to SP @@ -390,24 +390,24 @@ public class AuthenticationRequest implements IAction { public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { - // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country - if (req instanceof MOASTORKRequest) { - MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; - if (moastorkRequest.getStorkAuthnRequest() != null) { - String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); - // check if citizen country is configured in the system - try { - if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { - return false; - } - } catch (MOAIDException e) { - Logger.error("Could not initialize AuthConfigurationProvider"); - } - } - // authentication is not required if received authentication response - } else if (req instanceof MOASTORKResponse) { - return false; - } +// // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country +// if (req instanceof MOASTORKRequest) { +// MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; +// if (moastorkRequest.getStorkAuthnRequest() != null) { +// String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); +// // check if citizen country is configured in the system +// try { +// if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { +// return false; +// } +// } catch (MOAIDException e) { +// Logger.error("Could not initialize AuthConfigurationProvider"); +// } +// } +// // authentication is not required if received authentication response +// } else if (req instanceof MOASTORKResponse) { +// return false; +// } return true; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 72274bada..af973475b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -104,8 +104,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { public SignedDocAttributeRequestProvider(String oasisDssWebFormURL, String attributes) { super(attributes); this.oasisDssWebFormURL = oasisDssWebFormURL; - //TODO load dtlUrl from config - + Properties props = new Properties(); try { props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties")); @@ -144,11 +143,10 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { * .servlet.http.HttpServletRequest) */ public IPersonalAttributeList parse(HttpServletRequest httpReq) throws MOAIDException, UnsupportedAttributeException { - Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request2"); + Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request"); try { - String base64 = httpReq. - getParameter("signresponse"); + String base64 = httpReq.getParameter("signresponse"); Logger.debug("signresponse url: " + httpReq.getRequestURI().toString()); Logger.debug("signresponse querystring: " + httpReq.getQueryString()); Logger.debug("signresponse method: " + httpReq.getMethod()); diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 2d5542b98..5b3075c68 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -821,10 +821,13 @@ - + - - + + + -- cgit v1.2.3
Country ShortcodePEPS URL
Country ShortcodePEPS URLSupports XMLSignatures
" onclick='this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode);'/>