From bdc7311ce86c6d39c3ff96b38c33b36ee6a28d1d Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Wed, 5 Jun 2013 10:51:23 +0200 Subject: SAML Attribute Constants, Dynamic Attribute building system, Take metadata attributes into account for authnResponse --- .../auth/servlet/StartAuthenticationServlet.java | 1 + .../moa/id/moduls/AuthenticationManager.java | 2 - .../at/gv/egovernment/moa/id/moduls/IRequest.java | 1 + .../gv/egovernment/moa/id/moduls/RequestImpl.java | 9 +- .../moa/id/protocols/pvp2x/MetadataAction.java | 15 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 5 + .../moa/id/protocols/pvp2x/PVPConstants.java | 230 +++++++++++++++++++++ .../pvp2x/builder/PVPAttributeBuilder.java | 62 ++++++ .../builder/attributes/BPKAttributeBuilder.java | 26 +++ .../builder/attributes/BaseAttributeBuilder.java | 59 ++++++ .../attributes/BirthdateAttributeBuilder.java | 42 ++++ .../EIDCitizenQAALevelAttributeBuilder.java | 24 +++ .../EIDIssuingNationAttributeBuilder.java | 27 +++ .../attributes/EIDSectorForIDAttributeBuilder.java | 23 +++ .../attributes/GivenNameAttributeBuilder.java | 21 ++ .../builder/attributes/IAttributeBuilder.java | 11 + .../attributes/PVPVersionAttributeBuilder.java | 21 ++ .../attributes/PrincipalNameAttributeBuilder.java | 21 ++ .../protocols/pvp2x/config/PVPConfiguration.java | 32 +++ .../pvp2x/metadata/MOAMetadataProvider.java | 7 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 49 ++++- .../protocols/pvp2x/signer/CredentialProvider.java | 75 ++++++- .../moa/id/protocols/pvp2x/utils/Digester.java | 26 +++ .../pvp2x/validation/SAMLSignatureValidator.java | 23 ++- .../pvp2x/verification/EntityVerifier.java | 74 +++++++ .../verification/MetadataSignatureFilter.java | 56 +++++ .../pvp2x/verification/TrustEngineFactory.java | 4 + .../moa/id/protocols/saml1/GetArtifactServlet.java | 3 + .../moa/id/protocols/saml1/SAML1Protocol.java | 3 + 29 files changed, 922 insertions(+), 30 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java index 54d96ee2e..5f59b6f9a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java @@ -131,6 +131,7 @@ public class StartAuthenticationServlet extends AuthServlet { action = StringEscapeUtils.escapeHtml(action); oaURL = request.getOAURL(); + target = request.getTarget(); setNoCachingHeadersInHttpRespone(req, resp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index a45540726..3254927ed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -130,8 +130,6 @@ public class AuthenticationManager implements MOAIDAuthConstants { throws ServletException, IOException, MOAIDException { HttpSession session = request.getSession(); Logger.info("Starting authentication ..."); - String modul = target.requestedModule(); - String protocol = target.requestedAction(); if (!ParamValidatorUtils.isValidOA(target.getOAURL())) throw new WrongParametersException("StartAuthentication", PARAM_OA, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index 51e375b82..91b88acb9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -9,4 +9,5 @@ public interface IRequest { public String requestedAction(); public void setModule(String module); public void setAction(String action); + public String getTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 44b00a6c0..29f9ff69b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -8,6 +8,7 @@ public class RequestImpl implements IRequest { private boolean ssosupport = false; private String module = null; private String action = null; + private String target = null; public void setOAURL(String value) { @@ -57,6 +58,12 @@ public class RequestImpl implements IRequest { public void setAction(String action) { this.action = action; } - + public String getTarget() { + return target; + } + + public void setTarget(String target) { + this.target = target; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index a2bc664e9..d9129165e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -28,11 +28,10 @@ import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory.BasicKeyInfoGenerator; -import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureException; import org.opensaml.xml.signature.Signer; @@ -41,6 +40,7 @@ import org.w3c.dom.Document; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -66,9 +66,10 @@ public class MetadataAction implements IAction { idpEntityDescriptor.setOrganization(PVPConfiguration.getInstance() .getIDPOrganisation()); - BasicKeyInfoGeneratorFactory keyInfoFactory = new BasicKeyInfoGeneratorFactory(); + X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory(); keyInfoFactory.setEmitPublicKeyValue(true); keyInfoFactory.setEmitEntityIDAsKeyName(true); + keyInfoFactory.setEmitEntityCertificate(true); KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); Credential credential = CredentialProvider @@ -81,7 +82,7 @@ public class MetadataAction implements IAction { Signature signature = CredentialProvider .getIDPSignature(credential); - + idpEntityDescriptor.setSignature(signature); IDPSSODescriptor idpSSODescriptor = SAML2Utils @@ -129,9 +130,11 @@ public class MetadataAction implements IAction { } idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - + + idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); + idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor); - + DocumentBuilder builder; DocumentBuilderFactory factory = DocumentBuilderFactory .newInstance(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 4633f22d2..5ea596eeb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.ChainSAMLValidator; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.SAMLSignatureValidator; @@ -164,6 +165,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { getSPSSODescriptor(SAMLConstants.SAML20P_NS). getAssertionConsumerServices().get(idx).getLocation(); + String entityID = moaRequest.getEntityMetadata().getEntityID(); + //String oaURL = (String) request.getParameter(PARAM_OA); oaURL = StringEscapeUtils.escapeHtml(oaURL); if (!ParamValidatorUtils.isValidOA(oaURL)) @@ -171,6 +174,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { PARAM_OA, "auth.12"); config.setOAURL(oaURL); config.setRequest(moaRequest); + config.setTarget(PVPConfiguration.getInstance().getTargetForSP(entityID)); + request.getSession().setAttribute(PARAM_OA, oaURL); return config; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java new file mode 100644 index 000000000..b818a2d8a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -0,0 +1,230 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x; + +public interface PVPConstants { + public static final String URN_OID_PREFIX = "urn:oid:"; + + public static final String PVP_VERSION_OID = "1.2.40.0.10.2.1.1.261.10"; + public static final String PVP_VERSION_NAME = URN_OID_PREFIX + PVP_VERSION_OID; + public static final String PVP_VERSION_FRIENDLY_NAME = "PVP-VERSION"; + public static final String PVP_VERSION_2_1 = "2.1"; + + public static final String SECCLASS_FRIENDLY_NAME = "SECCLASS"; + + public static final String PRINCIPAL_NAME_OID = "1.2.40.0.10.2.1.1.261.20"; + public static final String PRINCIPAL_NAME_NAME = URN_OID_PREFIX + PRINCIPAL_NAME_OID; + public static final String PRINCIPAL_NAME_FRIENDLY_NAME = "PRINCIPAL-NAME"; + public static final int PRINCIPAL_NAME_MAX_LENGTH = 128; + + public static final String GIVEN_NAME_OID = "2.5.4.42"; + public static final String GIVEN_NAME_NAME = URN_OID_PREFIX + GIVEN_NAME_OID; + public static final String GIVEN_NAME_FRIENDLY_NAME = "GIVEN-NAME"; + public static final int GIVEN_NAME_MAX_LENGTH = 128; + + public static final String BIRTHDATE_OID = "1.2.40.0.10.2.1.1.55"; + public static final String BIRTHDATE_NAME = URN_OID_PREFIX + BIRTHDATE_OID; + public static final String BIRTHDATE_FRIENDLY_NAME = "BIRTHDATE"; + public static final String BIRTHDATE_FORMAT_PATTERN = "yyyy-MM-dd"; + + public static final String USERID_OID = "0.9.2342.19200300.100.1.1"; + public static final String USERID_NAME = URN_OID_PREFIX + USERID_OID; + public static final String USERID_FRIENDLY_NAME = "USERID"; + public static final int USERID_MAX_LENGTH = 128; + + public static final String GID_OID = "1.2.40.0.10.2.1.1.1"; + public static final String GID_NAME = URN_OID_PREFIX + GID_OID; + public static final String GID_FRIENDLY_NAME = "GID"; + public static final int GID_MAX_LENGTH = 128; + + public static final String BPK_OID = "1.2.40.0.10.2.1.1.149"; + public static final String BPK_NAME = URN_OID_PREFIX + BPK_OID; + public static final String BPK_FRIENDLY_NAME = "BPK"; + public static final int BPK_MAX_LENGTH = 1024; + + public static final String ENC_BPK_LIST_OID = "1.2.40.0.10.2.1.1.261.22"; + public static final String ENC_BPK_LIST_NAME = URN_OID_PREFIX+ENC_BPK_LIST_OID; + public static final String ENC_BPK_LIST_FRIENDLY_NAME = "ENC-BPK-LIST"; + public static final int ENC_BPK_LIST_MAX_LENGTH = 32767; + + public static final String MAIL_OID = "0.9.2342.19200300.100.1.3"; + public static final String MAIL_NAME = URN_OID_PREFIX + MAIL_OID; + public static final String MAIL_FRIENDLY_NAME = "MAIL"; + public static final int MAIL_MAX_LENGTH = 128; + + public static final String TEL_OID = "2.5.4.20"; + public static final String TEL_NAME = URN_OID_PREFIX + TEL_OID; + public static final String TEL_FRIENDLY_NAME = "TEL"; + public static final int TEL_MAX_LENGTH = 32; + + public static final String PARTICIPANT_ID_OID = "1.2.40.0.10.2.1.1.71"; + public static final String PARTICIPANT_ID_NAME = URN_OID_PREFIX + PARTICIPANT_ID_OID; + public static final String PARTICIPANT_ID_FRIENDLY_NAME = "PARTICIPANT-ID"; + public static final int PARTICIPANT_MAX_LENGTH = 39; + + public static final String PARTICIPANT_OKZ_OID = "1.2.40.0.10.2.1.1.261.24"; + public static final String PARTICIPANT_OKZ_NAME = URN_OID_PREFIX + PARTICIPANT_OKZ_OID; + public static final String PARTICIPANT_OKZ_FRIENDLY_NAME = "PARTICIPANT-OKZ"; + public static final int PARTICIPANT_OKZ_MAX_LENGTH = 32; + + public static final String OU_OKZ_OID = "1.2.40.0.10.2.1.1.153"; + public static final String OU_OKZ_NAME = URN_OID_PREFIX + OU_OKZ_OID; + public static final int OU_OKZ_MAX_LENGTH = 32; + + public static final String OU_GV_OU_ID_OID = "1.2.40.0.10.2.1.1.3"; + public static final String OU_GV_OU_ID_NAME = URN_OID_PREFIX + OU_GV_OU_ID_OID; + public static final String OU_GV_OU_ID_FRIENDLY_NAME = "OU-GV-OU-ID"; + public static final int OU_GV_OU_ID_MAX_LENGTH = 39; + + public static final String OU_OID = "2.5.4.11"; + public static final String OU_NAME = URN_OID_PREFIX + OU_OID; + public static final String OU_FRIENDLY_NAME = "OU"; + public static final int OU_MAX_LENGTH = 64; + + public static final String FUNCTION_OID = "1.2.40.0.10.2.1.1.33"; + public static final String FUNCTION_NAME = URN_OID_PREFIX + FUNCTION_OID; + public static final String FUNCTION_FRIENDLY_NAME = "FUNCTION"; + public static final int FUNCTION_MAX_LENGTH = 32; + + public static final String ROLES_OID = "1.2.40.0.10.2.1.1.261.30"; + public static final String ROLES_NAME = URN_OID_PREFIX + ROLES_OID; + public static final String ROLES_FRIENDLY_NAME = "ROLES"; + public static final int ROLES_MAX_LENGTH = 32767; + + public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94"; + public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID; + public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL"; + + public static final String EID_ISSUING_NATION_OID = "1.2.40.0.10.2.1.1.261.32"; + public static final String EID_ISSUING_NATION_NAME = URN_OID_PREFIX + EID_ISSUING_NATION_OID; + public static final String EID_ISSUING_NATION_FRIENDLY_NAME = "EID-ISSUING-NATION"; + public static final int EID_ISSUING_NATION_MAX_LENGTH = 2; + + public static final String EID_SECTOR_FOR_IDENTIFIER_OID = "1.2.40.0.10.2.1.1.261.34"; + public static final String EID_SECTOR_FOR_IDENTIFIER_NAME = URN_OID_PREFIX + EID_SECTOR_FOR_IDENTIFIER_OID; + public static final String EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME = "EID-SECTOR-FOR-IDENTIFIER"; + public static final int EID_SECTOR_FOR_IDENTIFIER_MAX_LENGTH = 255; + + public static final String EID_SOURCE_PIN_OID = "1.2.40.0.10.2.1.1.261.36"; + public static final String EID_SOURCE_PIN_NAME = URN_OID_PREFIX + EID_SOURCE_PIN_OID; + public static final String EID_SOURCE_PIN_FRIENDLY_NAME = "EID-SOURCE-PIN"; + public static final int EID_SOURCE_PIN_MAX_LENGTH = 128; + + public static final String EID_SOURCE_PIN_TYPE_OID = "1.2.40.0.10.2.1.1.261.104"; + public static final String EID_SOURCE_PIN_TYPE_NAME = URN_OID_PREFIX + EID_SOURCE_PIN_TYPE_OID; + public static final String EID_SOURCE_PIN_TYPE_FRIENDLY_NAME = "EID-SOURCE-PIN-TYPE"; + public static final int EID_SOURCE_PIN_TYPE_MAX_LENGTH = 128; + + public static final String EID_IDENTITY_LINK_OID = "1.2.40.0.10.2.1.1.261.38"; + public static final String EID_IDENTITY_LINK_NAME = URN_OID_PREFIX + EID_IDENTITY_LINK_OID; + public static final String EID_IDENTITY_LINK_FRIENDLY_NAME = "EID-IDENTITY-LINK"; + public static final int EID_IDENTITY_LINK_MAX_LENGTH = 32767; + + public static final String EID_AUTH_BLOCK_OID = "1.2.40.0.10.2.1.1.261.62"; + public static final String EID_AUTH_BLOCK_NAME = URN_OID_PREFIX + EID_AUTH_BLOCK_OID; + public static final String EID_AUTH_BLOCK_FRIENDLY_NAME = "EID-AUTH-BLOCK"; + public static final int EID_AUTH_BLOCK_MAX_LENGTH = 32767; + + public static final String EID_CCS_URL_OID = "1.2.40.0.10.2.1.1.261.64"; + public static final String EID_CCS_URL_NAME = URN_OID_PREFIX + EID_CCS_URL_OID; + public static final String EID_CCS_URL_FRIENDLY_NAME = "EID-CCS-URL"; + public static final int EID_CCS_URL_MAX_LENGTH = 1024; + + public static final String EID_SIGNER_CERTIFICATE_OID = "1.2.40.0.10.2.1.1.261.66"; + public static final String EID_SIGNER_CERTIFICATE_NAME = URN_OID_PREFIX + EID_SIGNER_CERTIFICATE_OID; + public static final String EID_SIGNER_CERTIFICATE_FRIENDLY_NAME = "EID-SIGNER-CERTIFICATE"; + public static final int EID_SIGNER_CERTIFICATE_MAX_LENGTH = 32767; + + public static final String EID_STORK_TOKEN_OID = "1.2.40.0.10.2.1.1.261.96"; + public static final String EID_STORK_TOKEN_NAME = URN_OID_PREFIX + EID_STORK_TOKEN_OID; + public static final String EID_STORK_TOKEN_FRIENDLY_NAME = "EID-STORK-TOKEN"; + public static final int EID_STORK_TOKEN_MAX_LENGTH = 32767; + + public static final String MANDATE_TYPE_OID = "1.2.40.0.10.2.1.1.261.68"; + public static final String MANDATE_TYPE_NAME = URN_OID_PREFIX + MANDATE_TYPE_OID; + public static final String MANDATE_TYPE_FRIENDLY_NAME = "MANDATE-TYPE"; + public static final int MANDATE_TYPE_MAX_LENGTH = 256; + + public static final String MANDATE_NAT_PER_SOURCE_PIN_OID = "1.2.40.0.10.2.1.1.261.70"; + public static final String MANDATE_NAT_PER_SOURCE_PIN_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_SOURCE_PIN_OID; + public static final String MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-SOURCE-PIN"; + public static final int MANDATE_NAT_PER_SOURCE_PIN_MAX_LENGTH = 128; + + public static final String MANDATE_LEG_PER_SOURCE_PIN_OID = "1.2.40.0.10.2.1.1.261.100"; + public static final String MANDATE_LEG_PER_SOURCE_PIN_NAME = URN_OID_PREFIX + MANDATE_LEG_PER_SOURCE_PIN_OID; + public static final String MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME = "MANDATOR-LEGAL-PERSON-SOURCE-PIN"; + public static final int MANDATE_LEG_PER_SOURCE_PIN_MAX_LENGTH = 128; + + public static final String MANDATE_NAT_PER_SOURCE_PIN_TYPE_OID = "1.2.40.0.10.2.1.1.261.102"; + public static final String MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_SOURCE_PIN_TYPE_OID; + public static final String MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-SOURCE-PIN-TYPE"; + public static final int MANDATE_NAT_PER_SOURCE_PIN_TYPE_MAX_LENGTH = 128; + + public static final String MANDATE_LEG_PER_SOURCE_PIN_TYPE_OID = "1.2.40.0.10.2.1.1.261.76"; + public static final String MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME = URN_OID_PREFIX + MANDATE_LEG_PER_SOURCE_PIN_TYPE_OID; + public static final String MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME = "MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE"; + public static final int MANDATE_LEG_PER_SOURCE_PIN_TYPE_MAX_LENGTH = 128; + + public static final String MANDATE_NAT_PER_BPK_OID = "1.2.40.0.10.2.1.1.261.98"; + public static final String MANDATE_NAT_PER_BPK_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_BPK_OID; + public static final String MANDATE_NAT_PER_BPK_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-BPK"; + public static final int MANDATE_NAT_PER_BPK_MAX_LENGTH = 1024; + + public static final String MANDATE_NAT_PER_ENC_BPK_LIST_OID = "1.2.40.0.10.2.1.1.261.72"; + public static final String MANDATE_NAT_PER_ENC_BPK_LIST_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_ENC_BPK_LIST_OID; + public static final String MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-ENC-BPK-LIST"; + public static final int MANDATE_NAT_PER_ENC_BPK_LIST_MAX_LENGTH = 32767; + + public static final String MANDATE_NAT_PER_GIVEN_NAME_OID = "1.2.40.0.10.2.1.1.261.78"; + public static final String MANDATE_NAT_PER_GIVEN_NAME_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_GIVEN_NAME_OID; + public static final String MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-GIVEN-NAME"; + public static final int MANDATE_NAT_PER_GIVEN_NAME_MAX_LENGTH = 128; + + public static final String MANDATE_NAT_PER_FAMILY_NAME_OID = "1.2.40.0.10.2.1.1.261.80"; + public static final String MANDATE_NAT_PER_FAMILY_NAME_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_FAMILY_NAME_OID; + public static final String MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-FAMILY-NAME"; + public static final int MANDATE_NAT_PER_FAMILY_NAME_MAX_LENGTH = 128; + + public static final String MANDATE_NAT_PER_BIRTHDATE_OID = "1.2.40.0.10.2.1.1.261.82"; + public static final String MANDATE_NAT_PER_BIRTHDATE_NAME = URN_OID_PREFIX + MANDATE_NAT_PER_BIRTHDATE_OID; + public static final String MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME = "MANDATOR-NATURAL-PERSON-BIRTHDATE"; + public static final String MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN = BIRTHDATE_FORMAT_PATTERN; + + public static final String MANDATE_LEG_PER_FULL_NAME_OID = "1.2.40.0.10.2.1.1.261.84"; + public static final String MANDATE_LEG_PER_FULL_NAME_NAME = URN_OID_PREFIX + MANDATE_LEG_PER_FULL_NAME_OID; + public static final String MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME = "MANDATOR-LEGAL-PERSON-FULL-NAME"; + public static final int MANDATE_LEG_PER_FULL_NAME_MAX_LENGTH = 256; + + public static final String MANDATE_PROF_REP_OID_OID = "1.2.40.0.10.2.1.1.261.86"; + public static final String MANDATE_PROF_REP_OID_NAME = URN_OID_PREFIX + MANDATE_PROF_REP_OID_OID; + public static final String MANDATE_PROF_REP_OID_FRIENDLY_NAME = "MANDATOR-PROF-REP-OID"; + public static final int MANDATE_PROF_REP_OID_MAX_LENGTH = 256; + + public static final String MANDATE_PROF_REP_DESC_OID = "1.2.40.0.10.2.1.1.261.88"; + public static final String MANDATE_PROF_REP_DESC_NAME = URN_OID_PREFIX + MANDATE_PROF_REP_DESC_OID; + public static final String MANDATE_PROF_REP_DESC_FRIENDLY_NAME = "MANDATOR-PROF-REP-DESCRIPTION"; + public static final int MANDATE_PROF_REP_DESC_MAX_LENGTH = 1024; + + public static final String MANDATE_REFERENCE_VALUE_OID = "1.2.40.0.10.2.1.1.261.90"; + public static final String MANDATE_REFERENCE_VALUE_NAME = URN_OID_PREFIX + MANDATE_REFERENCE_VALUE_OID; + public static final String MANDATE_REFERENCE_VALUE_FRIENDLY_NAME = "MANDATE-REFERENCE-VALUE"; + public static final int MANDATE_REFERENCE_VALUE_MAX_LENGTH = 100; + + public static final String MANDATE_FULL_MANDATE_OID = "1.2.40.0.10.2.1.1.261.92"; + public static final String MANDATE_FULL_MANDATE_NAME = URN_OID_PREFIX + MANDATE_FULL_MANDATE_OID; + public static final String MANDATE_FULL_MANDATE_FRIENDLY_NAME = "MANDATE-FULL-MANDATE"; + public static final int MANDATE_FULL_MANDATE_MAX_LENGTH = 32767; + + public static final String INVOICE_RECPT_ID_OID = "1.2.40.0.10.2.1.1.261.40"; + public static final String INVOICE_RECPT_ID_NAME = URN_OID_PREFIX + INVOICE_RECPT_ID_OID; + public static final String INVOICE_RECPT_ID_FRIENDLY_NAME = "INVOICE-RECPT-ID"; + public static final int INVOICE_RECPT_ID_MAX_LENGTH = 64; + + public static final String COST_CENTER_ID_OID = "1.2.40.0.10.2.1.1.261.50"; + public static final String COST_CENTER_ID_NAME = URN_OID_PREFIX + COST_CENTER_ID_OID; + public static final String COST_CENTER_ID_FRIENDLY_NAME = "COST-CENTER-ID"; + public static final int COST_CENTER_ID_MAX_LENGTH = 32767; + + public static final String CHARGE_CODE_OID = "1.2.40.0.10.2.1.1.261.60"; + public static final String CHARGE_CODE_NAME = URN_OID_PREFIX + CHARGE_CODE_OID; + public static final String CHARGE_CODE_FRIENDLY_NAME = "CHARGE-CODE"; + public static final int CHARGE_CODE_MAX_LENGTH = 32767; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java new file mode 100644 index 000000000..dc0a2884a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -0,0 +1,62 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Iterator; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BirthdateAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCitizenQAALevelAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIssuingNationAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSectorForIDAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.GivenNameAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.PVPVersionAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.PrincipalNameAttributeBuilder; + +public class PVPAttributeBuilder { + + private static HashMap builders; + + private static void addBuilder(IAttributeBuilder builder) { + builders.put(builder.getName(), builder); + } + + static { + builders = new HashMap(); + addBuilder(new PVPVersionAttributeBuilder()); + addBuilder(new PrincipalNameAttributeBuilder()); + addBuilder(new GivenNameAttributeBuilder()); + addBuilder(new BirthdateAttributeBuilder()); + addBuilder(new BPKAttributeBuilder()); + addBuilder(new EIDCitizenQAALevelAttributeBuilder()); + addBuilder(new EIDIssuingNationAttributeBuilder()); + addBuilder(new EIDSectorForIDAttributeBuilder()); + } + + public static Attribute buildAttribute(String name, + AuthenticationSession authSession) { + if (builders.containsKey(name)) { + return builders.get(name).build(authSession); + } + return null; + } + + public static List buildSupportedEmptyAttributes() { + List attributes = new ArrayList(); + Iterator builderIt = builders.values().iterator(); + while (builderIt.hasNext()) { + IAttributeBuilder builder = builderIt.next(); + Attribute emptyAttribute = builder.buildEmpty(); + if (emptyAttribute != null) { + attributes.add(emptyAttribute); + } + } + return attributes; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java new file mode 100644 index 000000000..0b1d80e0d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -0,0 +1,26 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class BPKAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return BPK_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + String bpk = authSession.getIdentityLink().getIdentificationValue(); + if(bpk.length() > BPK_MAX_LENGTH) { + bpk = bpk.substring(0, BPK_MAX_LENGTH); + } + return buildStringAttribute(BPK_FRIENDLY_NAME, BPK_NAME, bpk); + } + + + public Attribute buildEmpty() { + return buildemptyAttribute(BPK_FRIENDLY_NAME, BPK_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java new file mode 100644 index 000000000..d62cf72b1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BaseAttributeBuilder.java @@ -0,0 +1,59 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeValue; +import org.opensaml.xml.Configuration; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.schema.XSInteger; +import org.opensaml.xml.schema.XSString; +import org.opensaml.xml.schema.impl.XSIntegerBuilder; +import org.opensaml.xml.schema.impl.XSStringBuilder; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; + +public abstract class BaseAttributeBuilder implements PVPConstants, IAttributeBuilder { + + + protected static XMLObject buildAttributeStringValue(String value) { + XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); + XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME); + stringValue.setValue(value); + return stringValue; + } + + protected static XMLObject buildAttributeIntegerValue(int value) { + XSIntegerBuilder integerBuilder = (XSIntegerBuilder) Configuration.getBuilderFactory().getBuilder(XSInteger.TYPE_NAME); + XSInteger integerValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME); + integerValue.setValue(value); + return integerValue; + } + + protected static Attribute buildStringAttribute(String friendlyName, + String name, String value) { + Attribute attribute = + SAML2Utils.createSAMLObject(Attribute.class); + attribute.setFriendlyName(friendlyName); + attribute.setName(name); + attribute.getAttributeValues().add(buildAttributeStringValue(value)); + return attribute; + } + + protected static Attribute buildIntegerAttribute(String friendlyName, + String name, int value) { + Attribute attribute = + SAML2Utils.createSAMLObject(Attribute.class); + attribute.setFriendlyName(friendlyName); + attribute.setName(name); + attribute.getAttributeValues().add(buildAttributeIntegerValue(value)); + return attribute; + } + + protected static Attribute buildemptyAttribute(String friendlyName, String name) { + Attribute attribute = + SAML2Utils.createSAMLObject(Attribute.class); + attribute.setFriendlyName(friendlyName); + attribute.setName(name); + return attribute; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java new file mode 100644 index 000000000..84011436e --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java @@ -0,0 +1,42 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class BirthdateAttributeBuilder extends BaseAttributeBuilder { + + public static final String IDENTITY_LINK_DATE_FORMAT = "yyyy-MM-dd"; + + public String getName() { + return BIRTHDATE_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + try { + DateFormat identityLinkFormat = new SimpleDateFormat( + IDENTITY_LINK_DATE_FORMAT); + Date date = identityLinkFormat.parse(authSession.getIdentityLink() + .getDateOfBirth()); + DateFormat pvpDateFormat = new SimpleDateFormat( + BIRTHDATE_FORMAT_PATTERN); + String dateString = pvpDateFormat.format(date); + return buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, + BIRTHDATE_NAME, dateString); + } catch (ParseException e) { + e.printStackTrace(); + return null; + } + } + + public Attribute buildEmpty() { + return buildemptyAttribute(BIRTHDATE_FRIENDLY_NAME, + BIRTHDATE_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java new file mode 100644 index 000000000..5524ed44d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java @@ -0,0 +1,24 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class EIDCitizenQAALevelAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return EID_CITIZEN_QAA_LEVEL_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + return buildIntegerAttribute(EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, + EID_CITIZEN_QAA_LEVEL_NAME, 2); + } + + + public Attribute buildEmpty() { + return buildemptyAttribute(EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, + EID_CITIZEN_QAA_LEVEL_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java new file mode 100644 index 000000000..251d263d9 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java @@ -0,0 +1,27 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class EIDIssuingNationAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return EID_ISSUING_NATION_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + String countryCode = "AT"; + if(authSession.getStorkAuthnRequest() != null) { + countryCode = authSession.getStorkAuthnRequest().getCitizenCountryCode(); + } + return buildStringAttribute(EID_ISSUING_NATION_FRIENDLY_NAME, + EID_ISSUING_NATION_NAME, countryCode); + } + + public Attribute buildEmpty() { + return buildemptyAttribute(EID_ISSUING_NATION_FRIENDLY_NAME, + EID_ISSUING_NATION_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java new file mode 100644 index 000000000..c91a87548 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -0,0 +1,23 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class EIDSectorForIDAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return EID_SECTOR_FOR_IDENTIFIER_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + return buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, + EID_SECTOR_FOR_IDENTIFIER_NAME, authSession.getIdentityLink().getIdentificationType()); + } + + public Attribute buildEmpty() { + return buildemptyAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, + EID_SECTOR_FOR_IDENTIFIER_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java new file mode 100644 index 000000000..f9a217810 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java @@ -0,0 +1,21 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class GivenNameAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return GIVEN_NAME_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + return buildStringAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME, authSession.getIdentityLink().getGivenName()); + } + + public Attribute buildEmpty() { + return buildemptyAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java new file mode 100644 index 000000000..96c12f413 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java @@ -0,0 +1,11 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public interface IAttributeBuilder { + public String getName(); + public Attribute build(AuthenticationSession authSession); + public Attribute buildEmpty(); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java new file mode 100644 index 000000000..a901a54ea --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java @@ -0,0 +1,21 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class PVPVersionAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return PVP_VERSION_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + return buildStringAttribute(PVP_VERSION_FRIENDLY_NAME, PVP_VERSION_NAME, PVP_VERSION_2_1); + } + + public Attribute buildEmpty() { + return buildemptyAttribute(PVP_VERSION_FRIENDLY_NAME, PVP_VERSION_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java new file mode 100644 index 000000000..7ffdca50e --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java @@ -0,0 +1,21 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class PrincipalNameAttributeBuilder extends BaseAttributeBuilder { + + public String getName() { + return PRINCIPAL_NAME_NAME; + } + + public Attribute build(AuthenticationSession authSession) { + return buildStringAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME, authSession.getIdentityLink().getFamilyName()); + } + + public Attribute buildEmpty() { + return buildemptyAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 1f8dfa153..d38c900bc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -35,6 +35,7 @@ import org.opensaml.xml.validation.Validator; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.Digester; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -53,6 +54,9 @@ public class PVPConfiguration { public static final String IDP_KEYALIAS = "idp.ks.alias"; public static final String IDP_KS_PASS = "idp.ks.kspassword"; public static final String IDP_KEY_PASS = "idp.ks.keypassword"; + + public static final String IDP_ISSUER_NAME = "idp.issuer.name"; + public static final String METADATA_FILE = "md.file"; public static final String IDP_ENTITY = "idp.entityid"; @@ -64,6 +68,9 @@ public class PVPConfiguration { public static final String IDP_REDIRECT_SSO_SERVICE = "idp.sso.redirect"; public static final String IDP_SOAP_RESOLVE_SERVICE = "idp.resolve.soap"; + public static final String IDP_TRUST_STORE = "idp.truststore"; + public static final String SP_TARGET_PREFIX = "sp.target."; + public static final String IDP_CONTACT_PREFIX = "idp.contact"; public static final String IDP_CONTACT_LIST = "idp.contact_list"; @@ -120,10 +127,35 @@ public class PVPConfiguration { return props.getProperty(IDP_KEY_PASS); } + public String getIDPIssuerName() { + return props.getProperty(IDP_ISSUER_NAME); + } + public String getMetadataFile() { return props.getProperty(METADATA_FILE); } + public String getTargetForSP(String sp) { + String spHash = Digester.toSHA1(sp.getBytes()); + Logger.info("SHA hash for sp: " + sp + " => " + spHash); + return props.getProperty(SP_TARGET_PREFIX + spHash); + } + + public String getTrustEntityCertificate(String entityID) { + String path = props.getProperty(IDP_TRUST_STORE); + if(path == null) { + return null; + } + + if(!path.endsWith("/")) { + path = path + "/"; + } + + String entityIDHash = Digester.toSHA1(entityID.getBytes()); + + return path + entityIDHash; + } + public List getIDPContacts() { List list = new ArrayList(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 94741df73..71de16a97 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -16,19 +16,20 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter; public class MOAMetadataProvider implements MetadataProvider { MetadataProvider internalProvider; - private static final String MD_FILE = "/home/afitzek/server/moaid_conf/moaid/metadata/samplePVP_MD.xml"; - //private static final String MD_FILE = "/home/afitzek/server/moaid_conf/moaid/metadata/md_provider.xml"; - public MOAMetadataProvider() throws MetadataProviderException { FilesystemMetadataProvider fsProvider = new FilesystemMetadataProvider( new File(PVPConfiguration.getInstance().getMetadataFile())); fsProvider.setParserPool(new BasicParserPool()); internalProvider = fsProvider; + internalProvider.setRequireValidMetadata(true); + MetadataFilter filter = new MetadataSignatureFilter(); + internalProvider.setMetadataFilter(filter); fsProvider.initialize(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 5fc1dc785..964c19208 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; +import java.util.Iterator; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -7,6 +9,8 @@ import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.ArtifactResponse; import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.AuthnContext; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnRequest; @@ -14,6 +18,9 @@ import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Issuer; import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; @@ -23,7 +30,8 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.CitizenTokenBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; public class AuthnRequestHandler implements IRequestHandler { @@ -55,26 +63,54 @@ public class AuthnRequestHandler implements IRequestHandler { assertion.getAuthnStatements().add(authnStatement); + SPSSODescriptor spSSODescriptor = obj.getEntityMetadata(). + getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + AttributeConsumingService attributeConsumingService = + spSSODescriptor.getAttributeConsumingServices().iterator().next(); + + AuthenticationSession authSession = AuthenticationManager.getAuthenticationSession(req.getSession()); + AttributeStatement attributeStatement = SAML2Utils.createSAMLObject(AttributeStatement.class); + + Iterator it = attributeConsumingService.getRequestAttributes().iterator(); + while(it.hasNext()) { + RequestedAttribute reqAttribut = it.next(); + Attribute attr = PVPAttributeBuilder.buildAttribute(reqAttribut.getName(), authSession); + if(attr == null) { + if(reqAttribut.isRequired()) { + throw new MOAIDException("Cannot provide requested attribute " + reqAttribut.getName(), null); + } + } else { + attributeStatement.getAttributes().add(attr); + } + } + + if(attributeStatement.getAttributes().size() > 0) { + assertion.getAttributeStatements().add(attributeStatement); + } + Subject subject = SAML2Utils.createSAMLObject(Subject.class); NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); subjectNameID.setFormat(NameID.PERSISTENT); subjectNameID.setValue(authSession.getAuthData().getIdentificationValue()); subject.setNameID(subjectNameID); - assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession)); + //assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession)); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue("pvpIDP"); + issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName()); + issuer.setFormat(NameID.ENTITY); assertion.setIssuer(issuer); assertion.setSubject(subject); ArtifactResponse authResponse = SAML2Utils.createSAMLObject(ArtifactResponse.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue("pvpIDP"); + nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName()); + nissuer.setFormat(NameID.ENTITY); authResponse.setIssuer(nissuer); authResponse.setInResponseTo(authnRequest.getID()); authResponse.setMessage(assertion); @@ -87,8 +123,8 @@ public class AuthnRequestHandler implements IRequestHandler { idx = aIdx.intValue(); } - String oaURL = obj.getEntityMetadata(). - getSPSSODescriptor(SAMLConstants.SAML20P_NS). + + String oaURL = spSSODescriptor. getAssertionConsumerServices().get(idx).getLocation(); IEncoder binding = new PostBinding(); @@ -100,5 +136,4 @@ public class AuthnRequestHandler implements IRequestHandler { e.printStackTrace(); } } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index ec65f6bce..5f9f4d63b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -1,13 +1,21 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.signer; +import iaik.x509.X509Certificate; + +import java.io.File; import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; import java.security.KeyStore; -import java.security.PrivateKey; -import java.security.cert.Certificate; +import java.security.cert.CertificateException; + +import javax.jws.soap.SOAPBinding.Use; -import org.opensaml.xml.security.credential.BasicCredential; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.x509.BasicX509Credential; +import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureConstants; @@ -27,12 +35,13 @@ public class CredentialProvider { keyStore.load(inputStream, config.getIDPKeyStorePassword().toCharArray()); inputStream.close(); - BasicCredential credentials = new BasicCredential(); - PrivateKey key = (PrivateKey) keyStore.getKey(config.getIDPKeyAlias(), + KeyStoreX509CredentialAdapter credentials = new KeyStoreX509CredentialAdapter(keyStore, config.getIDPKeyAlias(), config.getIDPKeyPassword().toCharArray()); - Certificate cert = keyStore.getCertificate(config.getIDPKeyAlias()); - credentials.setPublicKey(cert.getPublicKey()); - credentials.setPrivateKey(key); + //PrivateKey key = (PrivateKey) keyStore.getKey(config.getIDPKeyAlias(), + // config.getIDPKeyPassword().toCharArray()); + //Certificate cert = keyStore.getCertificate(config.getIDPKeyAlias()); + //credentials.setPublicKey(cert.getPublicKey()); + //credentials.setPrivateKey(key); credentials.setUsageType(UsageType.SIGNING); return credentials; } catch(Exception e) { @@ -49,4 +58,54 @@ public class CredentialProvider { signer.setSigningCredential(credentials); return signer; } + + public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException { + String filename = PVPConfiguration.getInstance().getTrustEntityCertificate(entityID); + + iaik.x509.X509Certificate cert; + try { + cert = new X509Certificate(new FileInputStream(new File(filename))); + } catch (CertificateException e) { + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } catch (FileNotFoundException e) { + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } catch (IOException e) { + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } + + BasicX509Credential credential = new BasicX509Credential(); + credential.setEntityId(entityID); + credential.setUsageType(UsageType.SIGNING); + credential.setPublicKey(cert.getPublicKey()); + + return credential; + } + + public static Credential getTrustedCredential() throws CredentialsNotAvailableException { + String filename = PVPConfiguration.getInstance().getTrustEntityCertificate("sp.crt"); + + iaik.x509.X509Certificate cert; + try { + cert = new X509Certificate(new FileInputStream(new File(filename))); + } catch (CertificateException e) { + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } catch (FileNotFoundException e) { + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } catch (IOException e) { + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } + + BasicX509Credential credential = new BasicX509Credential(); + credential.setEntityId("sp.crt"); + credential.setUsageType(UsageType.SIGNING); + credential.setPublicKey(cert.getPublicKey()); + + return credential; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java new file mode 100644 index 000000000..7d81825d9 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java @@ -0,0 +1,26 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +public class Digester { + public static String byteArrayToHexString(byte[] b) { + String result = ""; + for (int i=0; i < b.length; i++) { + result += + Integer.toString( ( b[i] & 0xff ) + 0x100, 16).substring( 1 ); + } + return result; + } + + public static String toSHA1(byte[] convertme) { + MessageDigest md = null; + try { + md = MessageDigest.getInstance("SHA-1"); + } + catch(NoSuchAlgorithmException e) { + e.printStackTrace(); + } + return byteArrayToHexString(md.digest(convertme)); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java index 95c548389..df0fec001 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java @@ -1,5 +1,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.validation; +import org.opensaml.common.SignableSAMLObject; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.xml.validation.ValidationException; @@ -11,10 +12,11 @@ public class SAMLSignatureValidator implements ISAMLValidator { public void validateRequest(RequestAbstractType request) throws MOAIDException { - if(request.getSignature() == null) { - throw new SAMLRequestNotSignedException("NOT SIGNED", new Object[] {}); + if (request.getSignature() == null) { + throw new SAMLRequestNotSignedException("NOT SIGNED", + new Object[] {}); } - + try { SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); sigValidator.validate(request.getSignature()); @@ -24,4 +26,19 @@ public class SAMLSignatureValidator implements ISAMLValidator { } } + public static void validateSignable(SignableSAMLObject signableObject) + throws MOAIDException { + if (signableObject.getSignature() == null) { + throw new SAMLRequestNotSignedException("NOT SIGNED", + new Object[] {}); + } + + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(signableObject.getSignature()); + } catch (ValidationException e) { + e.printStackTrace(); + throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {}); + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java new file mode 100644 index 000000000..41e9b70cf --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -0,0 +1,74 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.signature.SignatureValidator; +import org.opensaml.xml.validation.ValidationException; + +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.protocols.pvp2x.SAMLRequestNotSignedException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; + +public class EntityVerifier { + public static void verify(EntityDescriptor entityDescriptor) throws MOAIDException { + if (entityDescriptor.getSignature() == null) { + throw new SAMLRequestNotSignedException("NOT SIGNED", + new Object[] {}); + } + + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(entityDescriptor.getSignature()); + } catch (ValidationException e) { + e.printStackTrace(); + throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {}); + } + + Credential credential = CredentialProvider.getSPTrustedCredential(entityDescriptor.getEntityID()); + if(credential == null) { + throw new MOAIDException("NO CREDENTIALS FOR " + entityDescriptor.getEntityID(), new Object[] {}); + } + + SignatureValidator sigValidator = new SignatureValidator(credential); + try { + sigValidator.validate(entityDescriptor.getSignature()); + } catch (ValidationException e) { + // Indicates signature was not cryptographically valid, or possibly a processing error + e.printStackTrace(); + throw new MOAIDException("FAILED TO VERIFY SIGNATURE", new Object[] {}); + } + } + + public static void verify(EntitiesDescriptor entityDescriptor) throws MOAIDException { + if (entityDescriptor.getSignature() == null) { + throw new SAMLRequestNotSignedException("NOT SIGNED", + new Object[] {}); + } + + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(entityDescriptor.getSignature()); + } catch (ValidationException e) { + e.printStackTrace(); + throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {}); + } + + Credential credential = CredentialProvider.getTrustedCredential(); + if(credential == null) { + throw new MOAIDException("NO CREDENTIALS FOR ", new Object[] {}); + } + + SignatureValidator sigValidator = new SignatureValidator(credential); + try { + sigValidator.validate(entityDescriptor.getSignature()); + } catch (ValidationException e) { + // Indicates signature was not cryptographically valid, or possibly a processing error + e.printStackTrace(); + throw new MOAIDException("FAILED TO VERIFY SIGNATURE", new Object[] {}); + } + } + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java new file mode 100644 index 000000000..19176af1f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -0,0 +1,56 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import java.util.Iterator; + +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.logging.Logger; + +public class MetadataSignatureFilter implements MetadataFilter { + + public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { + EntityVerifier.verify(desc); + } + + public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException { + Iterator entID = desc.getEntitiesDescriptors().iterator(); + + if(desc.getSignature() != null) { + EntityVerifier.verify(desc); + } + + while(entID.hasNext()) { + processEntitiesDescriptor(entID.next()); + } + + Iterator entIT = desc.getEntityDescriptors().iterator(); + + while(entID.hasNext()) { + processEntityDescriptorr(entIT.next()); + } + } + + public void doFilter(XMLObject metadata) throws FilterException { + try { + if (metadata instanceof EntitiesDescriptor) { + EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; + processEntitiesDescriptor(entitiesDescriptor); + } else if (metadata instanceof EntityDescriptor) { + EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; + processEntityDescriptorr(entityDescriptor); + } else { + throw new MOAIDException("Invalid Metadata file", null); + } + Logger.info("Metadata Filter done OK"); + } catch (MOAIDException e) { + e.printStackTrace(); + throw new FilterException(e); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java index 8e4e88031..60de84161 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java @@ -5,6 +5,7 @@ import java.util.List; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.xml.security.credential.CredentialResolver; import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoProvider; @@ -15,6 +16,8 @@ import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; +import sun.security.krb5.Credentials; + import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; @@ -67,4 +70,5 @@ public class TrustEngineFactory { return null; } } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java index f5219f7e9..47050bf28 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java @@ -45,6 +45,9 @@ public class GetArtifactServlet extends AuthServlet { String oaURL = (String) req.getAttribute(PARAM_OA); oaURL = StringEscapeUtils.escapeHtml(oaURL); + String target = (String) req.getAttribute(PARAM_TARGET); + target = StringEscapeUtils.escapeHtml(target); + try { // check parameter diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 1731a738c..678d5f961 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -67,11 +67,14 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { RequestImpl config = new RequestImpl(); String oaURL = (String) request.getParameter(PARAM_OA); oaURL = StringEscapeUtils.escapeHtml(oaURL); + String target = (String) request.getParameter(PARAM_TARGET); + target = StringEscapeUtils.escapeHtml(target); if (!ParamValidatorUtils.isValidOA(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); config.setOAURL(oaURL); request.getSession().setAttribute(PARAM_OA, oaURL); + request.getSession().setAttribute(PARAM_TARGET, target); return config; } -- cgit v1.2.3