/*
* Copyright 2003 Federal Chancellery Austria
* MOA-ID has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
* the European Commission - subsequent versions of the EUPL (the "Licence");
* You may not use this work except in compliance with the Licence.
* You may obtain a copy of the Licence at:
* http://www.osor.eu/eupl/
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the Licence is distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Licence for the specific language governing permissions and
* limitations under the Licence.
*
* This product combines work with different licenses. See the "NOTICE" text
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
package at.gv.egovernment.moa.id.auth;
import iaik.pki.PKIException;
import iaik.x509.CertificateFactory;
import iaik.x509.X509Certificate;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.CertificateException;
//import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import org.apache.xpath.XPathAPI;
import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.AuthenticationException;
import at.gv.egovernment.moa.id.BuildException;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.ParseException;
import at.gv.egovernment.moa.id.ServiceException;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder;
import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.InfoboxValidatorParamsBuilder;
import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
import at.gv.egovernment.moa.id.auth.builder.SelectBKUFormBuilder;
import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult;
import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser;
import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser;
import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet;
import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor;
import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator;
import at.gv.egovernment.moa.id.auth.validator.ValidateException;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepValidator;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter;
import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters;
import at.gv.egovernment.moa.id.config.stork.CPEPS;
import at.gv.egovernment.moa.id.config.stork.STORKConfig;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
import at.gv.egovernment.moa.logging.LogMsg;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.StringUtils;
import eu.stork.mw.messages.saml.STORKAuthnRequest;
import eu.stork.vidp.messages.builder.STORKMessagesBuilder;
import eu.stork.vidp.messages.common.STORKConstants;
import eu.stork.vidp.messages.exception.SAMLException;
import eu.stork.vidp.messages.exception.SAMLValidationException;
import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel;
import eu.stork.vidp.messages.stork.RequestedAttributes;
import eu.stork.vidp.messages.util.SAMLUtil;
import eu.stork.vidp.messages.util.XMLUtil;
/**
* API for MOA ID Authentication Service.
{@link AuthenticationSession} is
* stored in a session store and retrieved by giving the session ID.
*
* @author Paul Ivancsics
* @version $Id: AuthenticationServer.java 1273 2012-02-27 14:50:18Z kstranacher
* $
*/
public class AuthenticationServer implements MOAIDAuthConstants {
/** single instance */
private static AuthenticationServer instance;
/** session data store (session ID -> AuthenticationSession) */
//private static Map sessionStore = new HashMap();
/**
* time out in milliseconds used by {@link cleanup} for session store
*/
private long sessionTimeOut = 10 * 60 * 1000; // default 10 minutes
/**
* time out in milliseconds used by {@link cleanup} for authentication data
* store
*/
private long authDataTimeOut = 2 * 60 * 1000; // default 2 minutes
/**
* Returns the single instance of AuthenticationServer.
*
* @return the single instance of AuthenticationServer
*/
public static AuthenticationServer getInstance() {
if (instance == null)
instance = new AuthenticationServer();
return instance;
}
/**
* Constructor for AuthenticationServer.
*/
public AuthenticationServer() {
super();
}
/**
* Processes request to select a BKU.
* Processing depends on value of
* {@link AuthConfigurationProvider#getBKUSelectionType}.
* For bkuSelectionType==HTMLComplete, a returnURI
* for the "BKU Auswahl" service is returned.
* For bkuSelectionType==HTMLSelect, an HTML form for BKU
* selection is returned.
*
* @param authURL
* base URL of MOA-ID Auth component
* @param target
* "Geschäftsbereich"
* @param oaURL
* online application URL requested
* @param bkuSelectionTemplateURL
* template for BKU selection form to be used in case of
* HTMLSelect; may be null
* @param templateURL
* URL providing an HTML template for the HTML form to be used
* for call startAuthentication
* @return for bkuSelectionType==HTMLComplete, the
* returnURI for the "BKU Auswahl" service; for
* bkuSelectionType==HTMLSelect, an HTML form for BKU
* selection
* @throws WrongParametersException
* upon missing parameters
* @throws AuthenticationException
* when the configured BKU selection service cannot be reached,
* and when the given bkuSelectionTemplateURL cannot be reached
* @throws ConfigurationException
* on missing configuration data
* @throws BuildException
* while building the HTML form
*/
public String selectBKU(String authURL, String target, String oaURL,
String bkuSelectionTemplateURL, String templateURL)
throws WrongParametersException, AuthenticationException,
ConfigurationException, BuildException {
// check if HTTP Connection may be allowed (through
// FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY)
String boolStr = AuthConfigurationProvider
.getInstance()
.getGenericConfigurationParameter(
AuthConfigurationProvider.FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY);
if ((!authURL.startsWith("https:"))
&& (false == BoolUtils.valueOf(boolStr)))
throw new AuthenticationException("auth.07", new Object[] { authURL
+ "*" });
if (isEmpty(authURL))
throw new WrongParametersException("StartAuthentication",
"AuthURL", "auth.05");
if (isEmpty(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA,
"auth.05");
ConnectionParameter bkuConnParam = AuthConfigurationProvider
.getInstance().getBKUConnectionParameter();
if (bkuConnParam == null)
throw new ConfigurationException("config.08",
new Object[] { "BKUSelection/ConnectionParameter" });
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(oaURL);
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { oaURL });
if (!oaParam.getBusinessService()) {
if (isEmpty(target))
throw new WrongParametersException("StartAuthentication",
PARAM_TARGET, "auth.05");
} else {
if (!isEmpty(target)) {
Logger
.info("Ignoring target parameter thus application type is \"businessService\"");
}
target = null;
}
AuthenticationSession session = newSession();
Logger.info("MOASession " + session.getSessionID() + " angelegt");
session.setTarget(target);
session.setOAURLRequested(oaURL);
session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
session.setAuthURL(authURL);
session.setTemplateURL(templateURL);
session.setBusinessService(oaParam.getBusinessService());
try {
AuthenticationSessionStoreage.storeSession(session);
} catch (MOADatabaseException e) {
throw new AuthenticationException("", null);
}
String returnURL = new DataURLBuilder().buildDataURL(authURL,
REQ_START_AUTHENTICATION, session.getSessionID());
String bkuSelectionType = AuthConfigurationProvider.getInstance()
.getBKUSelectionType();
if (bkuSelectionType
.equals(AuthConfigurationProvider.BKU_SELECTION_TYPE_HTMLCOMPLETE)) {
// bkuSelectionType==HTMLComplete
String redirectURL = bkuConnParam.getUrl() + "?"
+ AuthServlet.PARAM_RETURN + "=" + returnURL;
return redirectURL;
} else {
// bkuSelectionType==HTMLSelect
String bkuSelectTag;
try {
bkuSelectTag = readBKUSelectTag(AuthConfigurationProvider
.getInstance(), bkuConnParam);
} catch (Throwable ex) {
throw new AuthenticationException("auth.11", new Object[] {
bkuConnParam.getUrl(), ex.toString() }, ex);
}
String bkuSelectionTemplate = null;
// override template url by url from configuration file
if (oaParam.getBkuSelectionTemplateURL() != null) {
bkuSelectionTemplateURL = oaParam.getBkuSelectionTemplateURL();
}
if (bkuSelectionTemplateURL != null) {
try {
bkuSelectionTemplate = new String(FileUtils
.readURL(bkuSelectionTemplateURL));
} catch (IOException ex) {
throw new AuthenticationException("auth.03", new Object[] {
bkuSelectionTemplateURL, ex.toString() }, ex);
}
}
String htmlForm = new SelectBKUFormBuilder().build(
bkuSelectionTemplate, returnURL, bkuSelectTag);
return htmlForm;
}
}
/**
* Method readBKUSelectTag.
*
* @param conf
* the ConfigurationProvider
* @param connParam
* the ConnectionParameter for that connection
* @return String
* @throws ConfigurationException
* on config-errors
* @throws PKIException
* on PKI errors
* @throws IOException
* on any data error
* @throws GeneralSecurityException
* on security errors
*/
private String readBKUSelectTag(ConfigurationProvider conf,
ConnectionParameter connParam) throws ConfigurationException,
PKIException, IOException, GeneralSecurityException {
if (connParam.isHTTPSURL())
return SSLUtils.readHttpsURL(conf, connParam);
else
return HTTPUtils.readHttpURL(connParam.getUrl());
}
/**
* Processes the beginning of an authentication session.
*
* - Starts an authentication session
* - Creates an
<InfoboxReadRequest>
* - Creates an HTML form for querying the identity link from the security
* layer implementation.
* Form parameters include
*
* - the
<InfoboxReadRequest>
* - the data URL where the security layer implementation sends it
* response to
*
*
*
* @param authURL
* URL of the servlet to be used as data URL
* @param target
* "Geschäftsbereich" of the online application requested
* @param targetFriendlyName
* Friendly name of the target if the target is configured via
* configuration
* @param oaURL
* online application URL requested
* @param bkuURL
* URL of the "Bürgerkartenumgebung" to be used; may be
* null; in this case, the default location will be
* used
* @param useMandate
* Indicates if mandate is used or not
* @param templateURL
* URL providing an HTML template for the HTML form generated
* @param templateMandteURL
* URL providing an HTML template for the HTML form generated
* (for signing in mandates mode)
* @param scheme
* determines the protocol used
* @param sourceID
* @return HTML form
* @throws AuthenticationException
* @see GetIdentityLinkFormBuilder
* @see InfoboxReadRequestBuilder
*/
public String startAuthentication(AuthenticationSession session, String scheme) throws WrongParametersException,
AuthenticationException, ConfigurationException, BuildException {
if (session == null) {
throw new AuthenticationException("auth.18", new Object[] { });
}
//load OnlineApplication configuration
OAAuthParameter oaParam =
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() });
//load Template
String template = null;
if (session.getTemplateURL() != null) {
try {
template = new String(FileUtils.readURL(session.getTemplateURL()));
} catch (IOException ex) {
throw new AuthenticationException("auth.03", new Object[] {
session.getTemplateURL(), ex.toString() }, ex);
}
}
//build ReadInfobox request
String infoboxReadRequest = new InfoboxReadRequestBuilder().build(
oaParam.getSlVersion12(), oaParam.getBusinessService(), oaParam
.getIdentityLinkDomainIdentifier());
String dataURL = new DataURLBuilder().buildDataURL(
session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session
.getSessionID());
String pushInfobox = "";
VerifyInfoboxParameters verifyInfoboxParameters = oaParam
.getVerifyInfoboxParameters();
if (verifyInfoboxParameters != null) {
pushInfobox = verifyInfoboxParameters.getPushInfobox();
session.setPushInfobox(pushInfobox);
}
//build CertInfo request
String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder()
.build(oaParam.getSlVersion12());
String certInfoDataURL = new DataURLBuilder()
.buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION,
session.getSessionID());
String htmlForm = new GetIdentityLinkFormBuilder().build(template,
session.getBkuURL(), infoboxReadRequest, dataURL, certInfoRequest,
certInfoDataURL, pushInfobox);
return htmlForm;
}
/**
* Processes an <InfoboxReadResponse> sent by the
* security layer implementation.
*
* - Validates given
<InfoboxReadResponse>
* - Parses identity link enclosed in
*
<InfoboxReadResponse>
* - Verifies identity link by calling the MOA SP component
* - Checks certificate authority of identity link
* - Stores identity link in the session
* - Verifies all additional infoboxes returned from the BKU
* - Creates an authentication block to be signed by the user
* - Creates and returns a
<CreateXMLSignatureRequest>
* containg the authentication block, meant to be returned to the security
* layer implementation
*
*
* @param sessionID
* ID of associated authentication session data
* @param infoboxReadResponseParameters
* The parameters from the response returned from the BKU
* including the <InfoboxReadResponse>
* @return String representation of the
* <CreateXMLSignatureRequest>
*/
public String verifyIdentityLink(AuthenticationSession session,
Map infoboxReadResponseParameters) throws AuthenticationException,
BuildException, ParseException, ConfigurationException,
ValidateException, ServiceException {
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_IDENTITY_LINK, PARAM_SESSIONID });
String xmlInfoboxReadResponse = (String) infoboxReadResponseParameters
.get(PARAM_XMLRESPONSE);
// System.out.println("PB: " + xmlInfoboxReadResponse);
if (isEmpty(xmlInfoboxReadResponse))
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE });
// AuthenticationSession session = getSession(sessionID);
// if (session.getTimestampIdentityLink() != null)
// throw new AuthenticationException("auth.01",
// new Object[] { sessionID });
session.setTimestampIdentityLink();
AuthConfigurationProvider authConf = AuthConfigurationProvider
.getInstance();
// check if an identity link was found
// Errorcode 2911 von Trustdesk BKU (nicht spezifikationskonform
// (SL1.2))
// CharSequence se = "ErrorCode>2911".substring(0);
// boolean b = xmlInfoboxReadResponse.contains(se);
String se = "ErrorCode>2911";
int b = xmlInfoboxReadResponse.indexOf(se);
if (b != -1) { // no identity link found
Logger
.info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als auslaendische eID.");
return null;
}
// spezifikationsgemaess (SL1.2) Errorcode
se = "ErrorCode>4002";
// b = xmlInfoboxReadResponse.contains(se);
b = xmlInfoboxReadResponse.indexOf(se);
if (b != -1) { // Unbekannter Infoboxbezeichner
Logger
.info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als auslaendische eID.");
return null;
}
// for testing new identity link certificate
// xmlInfoboxReadResponse = null;
// try {
// File file = new File("c:/temp/XXXMuster.xml");
// FileInputStream fis;
//
// fis = new FileInputStream(file);
// byte[] array = Utils.readFromInputStream(fis);
//
// xmlInfoboxReadResponse = new String(array);
// System.out.println(xmlInfoboxReadResponse);
//
// } catch (FileNotFoundException e) {
// e.printStackTrace();
// } catch (UtilsException e) {
// e.printStackTrace();
// }
// parses the
IdentityLink identityLink = new InfoboxReadResponseParser(
xmlInfoboxReadResponse).parseIdentityLink();
// validates the identity link
IdentityLinkValidator.getInstance().validate(identityLink);
// builds a for a call of MOA-SP
Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
.build(identityLink, authConf
.getMoaSpIdentityLinkTrustProfileID());
// invokes the call
Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
.verifyXMLSignature(domVerifyXMLSignatureRequest);
// parses the
VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
domVerifyXMLSignatureResponse).parseData();
if (identityLink.getIdentificationType().equalsIgnoreCase(
Constants.URN_PREFIX_BASEID)) {
}
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
// if OA is type is business service the manifest validation result has
// to be ignored
boolean ignoreManifestValidationResult = oaParam.getBusinessService() ? true
: false;
// validates the
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,
authConf.getIdentityLinkX509SubjectNames(),
VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
ignoreManifestValidationResult);
session.setIdentityLink(identityLink);
// now validate the extended infoboxes
verifyInfoboxes(session, infoboxReadResponseParameters, !oaParam
.getProvideStammzahl());
//TODO: make it better!!
return "found!";
}
/**
* Processes an <InfoboxReadResponse> sent by the
* security layer implementation.
*
* - Validates given
<InfoboxReadResponse>
* - Parses identity link enclosed in
*
<InfoboxReadResponse>
* - Verifies identity link by calling the MOA SP component
* - Checks certificate authority of identity link
* - Stores identity link in the session
* - Verifies all additional infoboxes returned from the BKU
* - Creates an authentication block to be signed by the user
* - Creates and returns a
<CreateXMLSignatureRequest>
* containg the authentication block, meant to be returned to the security
* layer implementation
*
*
* @param sessionID
* ID of associated authentication session data
* @param infoboxReadResponseParameters
* The parameters from the response returned from the BKU
* including the <InfoboxReadResponse>
* @return String representation of the
* <CreateXMLSignatureRequest>
*/
public String verifyCertificate(AuthenticationSession session,
X509Certificate certificate) throws AuthenticationException,
BuildException, ParseException, ConfigurationException,
ValidateException, ServiceException, MOAIDException{
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID });
// check if person is a Organwalter
// if true - don't show bPK in AUTH Block
boolean isOW = false;
// String oid = null;
// if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER))
// isOW = true;
//
// AuthenticationSession session = getSession(sessionID);
AuthConfigurationProvider authConf = AuthConfigurationProvider
.getInstance();
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session,
authConf, oaParam, isOW);
return returnvalue;
}
/**
* Processes an Mandate sent by the MIS.
*
* - Validates given
Mandate
* - Verifies Mandate by calling the MOA SP component
* - Creates an authentication block to be signed by the user
* - Creates and returns a
<CreateXMLSignatureRequest>
* containg the authentication block, meant to be returned to the security
* layer implementation
*
*
* @param sessionID
* ID of associated authentication session data
* @param infoboxReadResponseParameters
* The parameters from the response returned from the BKU
* including the <InfoboxReadResponse>
* @return String representation of the
* <CreateXMLSignatureRequest>
*/
public void verifyMandate(AuthenticationSession session, MISMandate mandate)
throws AuthenticationException, BuildException, ParseException,
ConfigurationException, ValidateException, ServiceException {
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
GET_MIS_SESSIONID, PARAM_SESSIONID });
String sMandate = new String(mandate.getMandate());
if (sMandate == null | sMandate.compareToIgnoreCase("") == 0) {
Logger.error("Mandate is empty.");
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID });
}
//AuthenticationSession session = getSession(sessionID);
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
try {
// sets the extended SAML attributes for OID (Organwalter)
setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam
.getBusinessService());
} catch (SAXException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
} catch (IOException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
} catch (ParserConfigurationException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
} catch (TransformerException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
}
if (oaParam.getProvideFullMandatorData()) {
try {
// set extended SAML attributes if provideMandatorData is true
setExtendedSAMLAttributeForMandates(session, mandate, oaParam
.getBusinessService(), oaParam.getProvideStammzahl());
//AuthenticationSessionStoreage.storeSession(session);
} catch (SAXException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
} catch (IOException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
} catch (ParserConfigurationException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
} catch (TransformerException e) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID }, e);
}
}
}
/**
*
* @param session
* @param authConf
* @param oaParam
* @return
* @throws ConfigurationException
* @throws BuildException
* @throws ValidateException
*/
public String getCreateXMLSignatureRequestAuthBlockOrRedirect(
AuthenticationSession session, AuthConfigurationProvider authConf,
OAAuthParameter oaParam) throws ConfigurationException,
BuildException, ValidateException {
// check for intermediate processing of the infoboxes
if (session.isValidatorInputPending())
return "Redirect to Input Processor";
if (authConf == null)
authConf = AuthConfigurationProvider.getInstance();
if (oaParam == null)
oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(
session.getPublicOAURLPrefix());
//TODO: CHECK!! is moved to buildAuthenticationBlock to hold the baseID in identitylink
// if (!fromMandate) {
// BZ.., calculate bPK for signing to be already present in AuthBlock
// IdentityLink identityLink = session.getIdentityLink();
// if (identityLink.getIdentificationType().equals(
// Constants.URN_PREFIX_BASEID)) {
// // only compute bPK if online application is a public service and we
// // have the Stammzahl
// String bpkBase64 = new BPKBuilder().buildBPK(identityLink
// .getIdentificationValue(), session.getTarget());
// identityLink.setIdentificationValue(bpkBase64);
// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
// }
// ..BZ
// }
// builds the AUTH-block
String authBlock = buildAuthenticationBlock(session, oaParam);
// session.setAuthBlock(authBlock);
// builds the
String[] transformsInfos = oaParam.getTransformsInfos();
if ((transformsInfos == null) || (transformsInfos.length == 0)) {
// no OA specific transforms specified, use default ones
transformsInfos = authConf.getTransformsInfos();
}
String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
.build(authBlock, oaParam.getKeyBoxIdentifier(),
transformsInfos, oaParam.getSlVersion12());
return createXMLSignatureRequest;
}
/**
*
* @param session
* @param authConf
* @param oaParam
* @return
* @throws ConfigurationException
* @throws BuildException
* @throws ValidateException
*/
public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
AuthenticationSession session, AuthConfigurationProvider authConf,
OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
BuildException, ValidateException {
// check for intermediate processing of the infoboxes
if (session.isValidatorInputPending())
return "Redirect to Input Processor";
if (authConf == null)
authConf = AuthConfigurationProvider.getInstance();
if (oaParam == null)
oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(
session.getPublicOAURLPrefix());
// BZ.., calculate bPK for signing to be already present in AuthBlock
IdentityLink identityLink = session.getIdentityLink();
if (identityLink.getIdentificationType().equals(
Constants.URN_PREFIX_BASEID)) {
// only compute bPK if online application is a public service and we
// have the Stammzahl
if (isOW) {
// if person is OW, delete identification value (bPK is calculated via MIS)
identityLink.setIdentificationValue(null);
identityLink.setIdentificationType(null);
}
else {
String bpkBase64 = new BPKBuilder().buildBPK(identityLink
.getIdentificationValue(), session.getTarget());
identityLink.setIdentificationValue(bpkBase64);
//TODO: insert correct Type!!!!
identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
}
}
// ..BZ
// }
// builds the AUTH-block
String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
// session.setAuthBlock(authBlock);
// builds the
String[] transformsInfos = oaParam.getTransformsInfos();
if ((transformsInfos == null) || (transformsInfos.length == 0)) {
// no OA specific transforms specified, use default ones
transformsInfos = authConf.getTransformsInfos();
}
String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
.build(authBlock, oaParam.getKeyBoxIdentifier(),
transformsInfos, oaParam.getSlVersion12());
System.out.println("XML: " + createXMLSignatureRequest);
return createXMLSignatureRequest;
}
/**
* Returns an CreateXMLSignatureRequest for signing the ERnP statement.
*
* - Creates an CreateXMLSignatureRequest to be signed by the user
*
*
* @param sessionID
* ID of associated authentication session data
* @param cert
* The certificate from the user
* @return String representation of the
* <CreateXMLSignatureRequest>
*/
public String createXMLSignatureRequestForeignID(AuthenticationSession session,
X509Certificate cert) throws AuthenticationException,
BuildException, ParseException, ConfigurationException,
ValidateException, ServiceException {
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID });
// AuthenticationSession session = getSession(sessionID);
AuthConfigurationProvider authConf = AuthConfigurationProvider
.getInstance();
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
//session.setSignerCertificate(cert);
return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam,
cert);
}
public String getCreateXMLSignatureRequestForeigID(
AuthenticationSession session, AuthConfigurationProvider authConf,
OAAuthParameter oaParam, X509Certificate cert)
throws ConfigurationException {
// check for intermediate processing of the infoboxes
if (session.isValidatorInputPending())
return "Redirect to Input Processor";
if (authConf == null)
authConf = AuthConfigurationProvider.getInstance();
if (oaParam == null)
oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(
session.getPublicOAURLPrefix());
Principal subject = cert.getSubjectDN();
String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
.buildForeignID(subject.toString(), oaParam, session);
return createXMLSignatureRequest;
}
/**
* Processes an <CreateXMLSignatureResponse> sent by the
* security layer implementation.
*
* - Validates given
<CreateXMLSignatureResponse>
* - Parses response enclosed in
*
<CreateXMLSignatureResponse>
* - Verifies signature by calling the MOA SP component
* - Returns the signer certificate
*
*
* @param sessionID
* ID of associated authentication session data
* @param createXMLSignatureResponseParameters
* The parameters from the response returned from the BKU
* including the <CreateXMLSignatureResponse>
*/
public X509Certificate verifyXMLSignature(String sessionID,
Map createXMLSignatureResponseParameters)
throws AuthenticationException, BuildException, ParseException,
ConfigurationException, ValidateException, ServiceException {
if (isEmpty(sessionID))
throw new AuthenticationException("auth.10", new Object[] {
REQ_GET_FOREIGN_ID, PARAM_SESSIONID });
String xmlCreateXMLSignatureResponse = (String) createXMLSignatureResponseParameters
.get(PARAM_XMLRESPONSE);
if (isEmpty(xmlCreateXMLSignatureResponse))
throw new AuthenticationException("auth.10", new Object[] {
REQ_GET_FOREIGN_ID, PARAM_XMLRESPONSE });
//AuthenticationSession session = getSession(sessionID);
/*
* if (session.getTimestampIdentityLink() != null) throw new
* AuthenticationException("auth.01", new Object[] { sessionID });
*/
// session.setTimestampIdentityLink();
AuthConfigurationProvider authConf = AuthConfigurationProvider
.getInstance();
// parses the
CreateXMLSignatureResponseParser p = new CreateXMLSignatureResponseParser(
xmlCreateXMLSignatureResponse);
CreateXMLSignatureResponse createXMLSignatureResponse = p
.parseResponseDsig();
// builds a for a call of MOA-SP
Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder()
.buildDsig(createXMLSignatureResponse, authConf
.getMoaSpAuthBlockTrustProfileID());
// invokes the call
Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker()
.verifyXMLSignature(domVerifyXMLSignatureRequest);
// parses the
VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
domVerifyXMLSignatureResponse).parseData();
// int code = verifyXMLSignatureResponse.getSignatureCheckCode();
return verifyXMLSignatureResponse.getX509certificate();
}
/**
* Processes an <CreateXMLSignatureResponse> sent by the
* security layer implementation.
*
* - Validates given
<CreateXMLSignatureResponse>
* - Parses response enclosed in
*
<CreateXMLSignatureResponse>
* - Verifies signature by calling the MOA SP component
* - Returns the signer certificate
*
*
* @param sessionID
* ID of associated authentication session data
* @param readInfoboxResponseParameters
* The parameters from the response returned from the BKU
* including the <ReadInfoboxResponse>
*/
public X509Certificate getCertificate(String sessionID,
Map readInfoboxResponseParameters) throws AuthenticationException,
BuildException, ParseException, ConfigurationException,
ValidateException, ServiceException {
if (isEmpty(sessionID))
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID });
String xmlReadInfoboxResponse = (String) readInfoboxResponseParameters
.get(PARAM_XMLRESPONSE);
if (isEmpty(xmlReadInfoboxResponse))
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_CERTIFICATE, PARAM_XMLRESPONSE });
// parses the
InfoboxReadResponseParser p = new InfoboxReadResponseParser(
xmlReadInfoboxResponse);
X509Certificate cert = p.parseCertificate();
return cert;
}
/**
* Builds an authentication block <saml:Assertion> from
* given session data.
*
* @param session
* authentication session
*
* @return <saml:Assertion> as a String
*
* @throws BuildException
* If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
*/
private String buildAuthenticationBlock(AuthenticationSession session,
OAAuthParameter oaParam) throws BuildException {
IdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getName();
String gebDat = identityLink.getDateOfBirth();
String identificationValue = null;
String identificationType = null;
if (identityLink.getIdentificationType().equals(
Constants.URN_PREFIX_BASEID)) {
// only compute bPK if online application is a public service and we
// have the Stammzahl
String bpkBase64 = new BPKBuilder().buildBPK(identityLink
.getIdentificationValue(), session.getTarget());
identificationValue = bpkBase64;
identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget();
// identityLink.setIdentificationValue(bpkBase64);
// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
} else {
identificationValue = identityLink.getIdentificationValue();
identificationType = identityLink.getIdentificationType();
}
String issueInstant = DateTimeUtils.buildDateTime(Calendar
.getInstance(), oaParam.getUseUTC());
session.setIssueInstant(issueInstant);
String authURL = session.getAuthURL();
String target = session.getTarget();
String targetFriendlyName = session.getTargetFriendlyName();
// Bug #485
// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
// String oaURL = session.getPublicOAURLPrefix();
String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&");
List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
String authBlock = new AuthenticationBlockAssertionBuilder()
.buildAuthBlock(issuer, issueInstant, authURL, target,
targetFriendlyName, identificationValue,
identificationType, oaURL, gebDat,
extendedSAMLAttributes, session);
return authBlock;
}
/**
* Builds an authentication block <saml:Assertion> from
* given session data.
*
* @param session
* authentication session
*
* @return <saml:Assertion> as a String
*
* @throws BuildException
* If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
*/
private String buildAuthenticationBlockForOW(AuthenticationSession session,
OAAuthParameter oaParam, boolean isOW) throws BuildException {
IdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getName();
String gebDat = identityLink.getDateOfBirth();
String identificationValue = identityLink.getIdentificationValue();
String identificationType = identityLink.getIdentificationType();
String issueInstant = DateTimeUtils.buildDateTime(Calendar
.getInstance(), oaParam.getUseUTC());
session.setIssueInstant(issueInstant);
String authURL = session.getAuthURL();
String target = session.getTarget();
String targetFriendlyName = session.getTargetFriendlyName();
// Bug #485
// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
// String oaURL = session.getPublicOAURLPrefix();
String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&");
List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
Iterator it = extendedSAMLAttributes.iterator();
// delete bPK attribute from extended SAML attributes
if (isOW) {
ExtendedSAMLAttribute toDelete = null;
while (it.hasNext()) {
ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
if (attr.getName().equalsIgnoreCase("bPK"))
toDelete = attr;
}
if (toDelete != null)
extendedSAMLAttributes.remove(toDelete);
}
String authBlock = new AuthenticationBlockAssertionBuilder()
.buildAuthBlock(issuer, issueInstant, authURL, target,
targetFriendlyName, identificationValue,
identificationType, oaURL, gebDat,
extendedSAMLAttributes, session);
return authBlock;
}
/**
* Verifies the infoboxes (except of the identity link infobox) returned by
* the BKU by calling appropriate validator classes.
*
* @param session
* The actual authentication session.
* @param infoboxReadResponseParams
* The parameters returned from the BKU as response to an infobox
* read request (including the infobox tokens to be verified).
* @param hideStammzahl
* Indicates whether source pins (Stammzahlen)
* should be hidden in any SAML attribute that may be returned by
* a validator.
*
* @throws AuthenticationException
* If the verification of at least one infobox fails.
* @throws ConfigurationException
* If the OAuthParameter cannot be extracted.
*/
private void verifyInfoboxes(AuthenticationSession session,
Map infoboxReadResponseParams, boolean hideStammzahl)
throws ValidateException, ConfigurationException {
AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider
.getInstance();
// get the default VerifyInfobox parameters
Map defaultInfoboxParameters = null;
VerifyInfoboxParameters defaultVerifyInfoboxParameters = authConfigurationProvider
.getDefaultVerifyInfoboxParameters();
if (defaultVerifyInfoboxParameters != null) {
defaultInfoboxParameters = defaultVerifyInfoboxParameters
.getInfoboxParameters();
}
// get the OA specific VerifyInfobox parameters
Map infoboxParameters = null;
OAAuthParameter oaParam = authConfigurationProvider
.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
VerifyInfoboxParameters verifyInfoboxParameters = oaParam
.getVerifyInfoboxParameters();
session.setExtendedSAMLAttributesAUTH(new Vector()); // Initialize SAML
// Attributes
session.setExtendedSAMLAttributesOA(new Vector());
// System.out.println("SAML set: " +
// session.getExtendedSAMLAttributesAUTH().size());
if (verifyInfoboxParameters != null) {
infoboxParameters = verifyInfoboxParameters.getInfoboxParameters();
// get the list of infobox identifiers
List identifiers = verifyInfoboxParameters.getIdentifiers();
if (identifiers != null) {
// step through the identifiers and verify the infoboxes
Iterator it = identifiers.iterator();
while (it.hasNext()) {
String identifier = (String) it.next();
// get the infobox read response from the map of parameters
String infoboxReadResponse = (String) infoboxReadResponseParams
.get(identifier);
// get the configuration parameters
VerifyInfoboxParameter verifyInfoboxParameter = null;
Object object = infoboxParameters.get(identifier);
// if not present, use default
if ((object == null) && (defaultInfoboxParameters != null)) {
object = defaultInfoboxParameters.get(identifier);
}
if (object != null) {
verifyInfoboxParameter = (VerifyInfoboxParameter) object;
}
if (infoboxReadResponse != null) {
if (verifyInfoboxParameter == null) {
// should not happen because of the pushinfobox
// mechanism; check it anyway
Logger.error("No validator for verifying \""
+ identifier + "\"-infobox configured.");
throw new ValidateException("validator.41",
new Object[] { identifier });
} else {
String friendlyName = verifyInfoboxParameter
.getFriendlyName();
boolean isParepRequest = false;
// parse the infobox read reponse
List infoboxTokenList = null;
try {
infoboxTokenList = ExtendedInfoboxReadResponseParser
.parseInfoboxReadResponse(
infoboxReadResponse,
friendlyName);
} catch (ParseException e) {
Logger
.error("InfoboxReadResponse for \""
+ identifier
+ "\"-infobox could not be parsed successfully: "
+ e.getMessage());
throw new ValidateException("validator.43",
new Object[] { friendlyName });
}
// set compatibility mode for mandates infobox and
// all infoboxes (it is possible to be a parep
// infobox)
// session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams()));
// check for party representation in mandates
// infobox
if (Constants.INFOBOXIDENTIFIER_MANDATES
.equalsIgnoreCase(identifier)
&& !((infoboxTokenList == null || infoboxTokenList
.size() == 0))) {
// We need app specific parameters
if (null == verifyInfoboxParameter
.getApplicationSpecificParams()) {
throw new ValidateException("validator.66",
new Object[] { friendlyName });
}
Element mandate = ParepValidator
.extractPrimaryToken(infoboxTokenList);
// ParepUtils.serializeElement(mandate,
// System.out);
String mandateID = ParepUtils
.extractRepresentativeID(mandate);
if (!isEmpty(mandateID)
&& ("*".equals(mandateID) || mandateID
.startsWith(MOAIDAuthConstants.PARTY_REPRESENTATION_OID_NUMBER))) {
isParepRequest = true;
}
if (!isParepRequest) {
// if mandates validator is disabled we must
// throw an error in this case
if (!ParepUtils
.isValidatorEnabled(verifyInfoboxParameter
.getApplicationSpecificParams())) {
throw new ValidateException(
"validator.60",
new Object[] { friendlyName });
}
}
}
// get the class for validating the infobox
InfoboxValidator infoboxValidator = null;
try {
Class validatorClass = null;
if (isParepRequest) {
// Mandates infobox in party representation
// mode
validatorClass = Class
.forName("at.gv.egovernment.moa.id.auth.validator.parep.ParepValidator");
} else {
validatorClass = Class
.forName(verifyInfoboxParameter
.getValidatorClassName());
}
infoboxValidator = (InfoboxValidator) validatorClass
.newInstance();
} catch (Exception e) {
Logger
.error("Could not load validator class \""
+ verifyInfoboxParameter
.getValidatorClassName()
+ "\" for \""
+ identifier
+ "\"-infobox: "
+ e.getMessage());
throw new ValidateException("validator.42",
new Object[] { friendlyName });
}
Logger
.debug("Successfully loaded validator class \""
+ verifyInfoboxParameter
.getValidatorClassName()
+ "\" for \""
+ identifier
+ "\"-infobox.");
// build the parameters for validating the infobox
InfoboxValidatorParams infoboxValidatorParams = InfoboxValidatorParamsBuilder
.buildInfoboxValidatorParams(session,
verifyInfoboxParameter,
infoboxTokenList, oaParam);
// now validate the infobox
InfoboxValidationResult infoboxValidationResult = null;
try {
infoboxValidationResult = infoboxValidator
.validate(infoboxValidatorParams);
} catch (ValidateException e) {
Logger.error("Error validating " + identifier
+ " infobox:" + e.getMessage());
throw new ValidateException("validator.44",
new Object[] { friendlyName });
}
if (!infoboxValidationResult.isValid()) {
Logger.info("Validation of " + identifier
+ " infobox failed.");
throw new ValidateException("validator.40",
new Object[] {
friendlyName,
infoboxValidationResult
.getErrorMessage() });
}
Logger.info(identifier
+ " infobox successfully validated.");
// store the validator for post processing
session.addInfoboxValidator(identifier,
friendlyName, infoboxValidator);
// get the SAML attributes to be appended to the
// AUTHBlock or to the final
// SAML Assertion
AddAdditionalSAMLAttributes(session,
infoboxValidationResult
.getExtendedSamlAttributes(),
identifier, friendlyName);
}
} else {
if ((verifyInfoboxParameter != null)
&& (verifyInfoboxParameter.isRequired())) {
Logger
.info("Infobox \""
+ identifier
+ "\" is required, but not returned from the BKU");
throw new ValidateException("validator.48",
new Object[] { verifyInfoboxParameter
.getFriendlyName() });
}
Logger.debug("Infobox \"" + identifier
+ "\" not returned from BKU.");
}
}
}
}
}
/**
* Verifies the infoboxes (except of the identity link infobox) returned by
* the BKU by calling appropriate validator classes.
*
* @param session
* The actual authentication session.
* @param mandate
* The Mandate from the MIS
*
* @throws AuthenticationException
* @throws ConfigurationException
* @throws TransformerException
* @throws ParserConfigurationException
* @throws IOException
* @throws SAXException
*/
private void setExtendedSAMLAttributeForMandates(
AuthenticationSession session, MISMandate mandate,
boolean business, boolean provideStammzahl)
throws ValidateException, ConfigurationException, SAXException,
IOException, ParserConfigurationException, TransformerException {
ExtendedSAMLAttribute[] extendedSamlAttributes = addExtendedSamlAttributes(
mandate, business, provideStammzahl);
AddAdditionalSAMLAttributes(session, extendedSamlAttributes,
"MISService", "MISService");
}
/**
* Verifies the infoboxes (except of the identity link infobox) returned by
* the BKU by calling appropriate validator classes.
*
* @param session
* The actual authentication session.
* @param mandate
* The Mandate from the MIS
*
* @throws AuthenticationException
* @throws ConfigurationException
* @throws TransformerException
* @throws ParserConfigurationException
* @throws IOException
* @throws SAXException
*/
private void setExtendedSAMLAttributeForMandatesOID(
AuthenticationSession session, MISMandate mandate, boolean business)
throws ValidateException, ConfigurationException, SAXException,
IOException, ParserConfigurationException, TransformerException {
ExtendedSAMLAttribute[] extendedSamlAttributes = addExtendedSamlAttributesOID(
mandate, business);
AddAdditionalSAMLAttributes(session, extendedSamlAttributes,
"MISService", "MISService");
}
/**
* Intermediate processing of the infoboxes. The first pending infobox
* validator may validate the provided input
*
* @param session
* The current authentication session
* @param parameters
* The parameters got returned by the user input fields
*/
public static void processInput(AuthenticationSession session,
Map parameters) throws ValidateException {
// post processing of the infoboxes
Iterator iter = session.getInfoboxValidatorIterator();
if (iter != null) {
while (iter.hasNext()) {
Vector infoboxValidatorVector = (Vector) iter.next();
InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
.get(2);
if (!ParepUtils.isEmpty(infoboxvalidator.getForm())) {
String identifier = (String) infoboxValidatorVector.get(0);
String friendlyName = (String) infoboxValidatorVector
.get(1);
InfoboxValidationResult infoboxValidationResult = null;
try {
infoboxValidationResult = infoboxvalidator
.validate(parameters);
} catch (ValidateException e) {
Logger.error("Error validating " + identifier
+ " infobox:" + e.getMessage());
throw new ValidateException("validator.44",
new Object[] { friendlyName });
}
if (!infoboxValidationResult.isValid()) {
Logger.info("Validation of " + identifier
+ " infobox failed.");
throw new ValidateException("validator.40",
new Object[] {
friendlyName,
infoboxValidationResult
.getErrorMessage() });
}
AddAdditionalSAMLAttributes(
session,
infoboxValidationResult.getExtendedSamlAttributes(),
identifier, friendlyName);
}
}
}
}
/**
* Adds given SAML Attributes to the current session. They will be appended
* to the final SAML Assertion or the AUTH block. If the attributes are
* already in the list, they will be replaced.
*
* @param session
* The current session
* @param extendedSAMLAttributes
* The SAML attributes to add
* @param identifier
* The infobox identifier for debug purposes
* @param friendlyNam
* The friendly name of the infobox for debug purposes
*/
private static void AddAdditionalSAMLAttributes(
AuthenticationSession session,
ExtendedSAMLAttribute[] extendedSAMLAttributes, String identifier,
String friendlyName) throws ValidateException {
if (extendedSAMLAttributes == null)
return;
List oaAttributes = session.getExtendedSAMLAttributesOA();
if (oaAttributes == null)
oaAttributes = new Vector();
List authAttributes = session.getExtendedSAMLAttributesAUTH();
if (authAttributes == null)
authAttributes = new Vector();
int length = extendedSAMLAttributes.length;
for (int i = 0; i < length; i++) {
ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i];
Object value = verifySAMLAttribute(samlAttribute, i, identifier,
friendlyName);
if ((value instanceof String) || (value instanceof Element)) {
switch (samlAttribute.getAddToAUTHBlock()) {
case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY:
replaceExtendedSAMLAttribute(authAttributes, samlAttribute);
break;
case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK:
replaceExtendedSAMLAttribute(authAttributes, samlAttribute);
replaceExtendedSAMLAttribute(oaAttributes, samlAttribute);
break;
case ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK:
replaceExtendedSAMLAttribute(oaAttributes, samlAttribute);
break;
default:
Logger
.info("Invalid return value from method \"getAddToAUTHBlock()\" ("
+ samlAttribute.getAddToAUTHBlock()
+ ") in SAML attribute number "
+ (i + 1)
+ " for infobox " + identifier);
throw new ValidateException("validator.47", new Object[] {
friendlyName, String.valueOf((i + 1)) });
}
} else {
Logger
.info("The type of SAML-Attribute number "
+ (i + 1)
+ " returned from "
+ identifier
+ "-infobox validator is not valid. Must be either \"java.Lang.String\""
+ " or \"org.w3c.dom.Element\"");
throw new ValidateException("validator.46", new Object[] {
identifier, String.valueOf((i + 1)) });
}
}
session.setExtendedSAMLAttributesAUTH(authAttributes);
session.setExtendedSAMLAttributesOA(oaAttributes);
}
// /**
// * Adds given SAML Attributes to the current session. They will be
// appended
// * to the final SAML Assertion or the AUTH block. If the attributes are
// * already in the list, they will be replaced.
// *
// * @param session The current session
// * @param extendedSAMLAttributes The SAML attributes to add
// * @param identifier The infobox identifier for debug purposes
// * @param friendlyNam The friendly name of the infobox for debug purposes
// */
// private static void AddAdditionalSAMLAttributes(AuthenticationSession
// session, MISMandate mandate) throws ValidateException
// {
//
// List oaAttributes = session.getExtendedSAMLAttributesOA();
// if (oaAttributes==null) oaAttributes = new Vector();
// List authAttributes = session.getExtendedSAMLAttributesAUTH();
// if (authAttributes==null) authAttributes = new Vector();
//
//
// addExtendedSamlAttributes(authAttributes, mandate);
//
// session.setExtendedSAMLAttributesAUTH(authAttributes);
// session.setExtendedSAMLAttributesOA(oaAttributes);
// }
/**
* Adds the AUTH block related SAML attributes to the validation result.
* This is needed always before the AUTH block is to be signed, because the
* name of the mandator has to be set
*
* @throws ParserConfigurationException
* @throws IOException
* @throws SAXException
* @throws TransformerException
*/
private static ExtendedSAMLAttribute[] addExtendedSamlAttributes(
MISMandate mandate, boolean business, boolean provideStammzahl)
throws SAXException, IOException, ParserConfigurationException,
TransformerException {
Vector extendedSamlAttributes = new Vector();
extendedSamlAttributes.clear();
// extendedSamlAttributes.add(new
// ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_RAW,
// mandate, SZRGWConstants.MANDATE_NS,
// ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
// Name
Element domMandate = mandateToElement(mandate);
Element nameSpaceNode = domMandate.getOwnerDocument().createElement(
"NameSpaceNode");
nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX,
Constants.PD_NS_URI);
nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.MANDATE_POSTFIX,
SZRGWConstants.MANDATE_NS);
Element mandator = (Element) XPathAPI.selectSingleNode(domMandate,
"//md:Mandate/md:Mandator", nameSpaceNode);
// first check if physical person
// Element name = (Element) XPathAPI.selectSingleNode(mandator,
// "descendant-or-self::pr:Name/pr:GivenName", nameSpaceNode);
// String mandatorname = ParepUtils.extractMandatorName(mandator);
// extendedSamlAttributes.add(new
// ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_NAME,
// mandatorname, SZRGWConstants.MANDATE_NS,
// ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
// Geburtsdatum
// String dob = ParepUtils.extractMandatorDateOfBirth(mandator);
// if (dob != null && !"".equals(dob)) {
// extendedSamlAttributes.add(new
// ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_DOB, dob,
// SZRGWConstants.MANDATE_NS,
// ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
// }
// Mandate
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
ParepValidator.EXT_SAML_MANDATE_RAW, domMandate,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
// (w)bpk
String wbpk = ParepUtils.extractMandatorWbpk(mandator);
if (!ParepUtils.isEmpty(wbpk)) {
if (!ParepUtils.isPhysicalPerson(mandator)) {
String idType = ParepUtils
.extractMandatorIdentificationType(mandator);
if (!ParepUtils.isEmpty(idType)
&& idType.startsWith(Constants.URN_PREFIX_BASEID)) {
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
ParepValidator.EXT_SAML_MANDATE_CB_BASE_ID,
ParepUtils.getRegisterString(idType) + ": " + wbpk,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
}
} else if (business) {
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
ParepValidator.EXT_SAML_MANDATE_WBPK, wbpk,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
}
}
// String oid = mandate.getProfRep();
// if (oid != null) {
// String oidDescription = mandate.getTextualDescriptionOfOID();
// extendedSamlAttributes.add(new
// ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION,
// oidDescription, SZRGWConstants.MANDATE_NS,
// ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
// }
ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes
.size()];
extendedSamlAttributes.copyInto(ret);
Logger.debug("ExtendedSAML Attributes: " + ret.length);
return ret;
}
/**
* Adds the AUTH block related SAML attributes to the validation result.
* This is needed always before the AUTH block is to be signed, because the
* name of the mandator has to be set
*
* @throws ParserConfigurationException
* @throws IOException
* @throws SAXException
* @throws TransformerException
*/
private static ExtendedSAMLAttribute[] addExtendedSamlAttributesOID(
MISMandate mandate, boolean business) throws SAXException,
IOException, ParserConfigurationException, TransformerException {
Vector extendedSamlAttributes = new Vector();
extendedSamlAttributes.clear();
// RepresentationType
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
ParepValidator.EXT_SAML_MANDATE_REPRESENTATIONTYPE,
ParepValidator.EXT_SAML_MANDATE_REPRESENTATIONTEXT,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
String oid = mandate.getProfRep();
if (oid != null) {
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
ParepValidator.EXT_SAML_MANDATE_OID, oid,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
String oidDescription = mandate.getTextualDescriptionOfOID();
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
ParepValidator.EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION,
oidDescription, SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
}
ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes
.size()];
extendedSamlAttributes.copyInto(ret);
Logger.debug("ExtendedSAML Attributes: " + ret.length);
return ret;
}
/**
*
* @param mandate
* @return
* @throws ParserConfigurationException
* @throws IOException
* @throws SAXException
*/
private static Element mandateToElement(MISMandate mandate)
throws SAXException, IOException, ParserConfigurationException {
ByteArrayInputStream bais = new ByteArrayInputStream(mandate
.getMandate());
Document doc = DOMUtils.parseDocumentSimple(bais);
return doc.getDocumentElement();
}
private static void replaceExtendedSAMLAttribute(List attributes,
ExtendedSAMLAttribute samlAttribute) {
if (null == attributes) {
attributes = new Vector();
} else {
String id = samlAttribute.getName();
int length = attributes.size();
for (int i = 0; i < length; i++) {
ExtendedSAMLAttribute att = (ExtendedSAMLAttribute) attributes
.get(i);
if (id.equals(att.getName())) {
// replace attribute
attributes.set(i, samlAttribute);
return;
}
}
attributes.add(samlAttribute);
}
}
/**
* Processes a <CreateXMLSignatureResponse> sent by the
* security layer implementation.
*
* - Validates given
<CreateXMLSignatureResponse>
* - Parses
<CreateXMLSignatureResponse> for error
* codes
* - Parses authentication block enclosed in
*
<CreateXMLSignatureResponse>
* - Verifies authentication block by calling the MOA SP component
* - Creates authentication data
* - Creates a corresponding SAML artifact
* - Stores authentication data in the authentication data store indexed
* by the SAML artifact
* - Deletes authentication session
* - Returns the SAML artifact, encoded BASE64
*
*
* @param sessionID
* session ID of the running authentication session
* @param xmlCreateXMLSignatureReadResponse
* String representation of the
* <CreateXMLSignatureResponse>
* @return SAML artifact needed for retrieving authentication data, encoded
* BASE64
*/
public String verifyAuthenticationBlock(AuthenticationSession session,
String xmlCreateXMLSignatureReadResponse)
throws AuthenticationException, BuildException, ParseException,
ConfigurationException, ServiceException, ValidateException {
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
if (isEmpty(xmlCreateXMLSignatureReadResponse))
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
//AuthenticationSession session = getSession(sessionID);
AuthConfigurationProvider authConf = AuthConfigurationProvider
.getInstance();
// parses
CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser(
xmlCreateXMLSignatureReadResponse).parseResponse();
try {
String serializedAssertion = DOMUtils.serializeNode(csresp
.getSamlAssertion());
session.setAuthBlock(serializedAssertion);
} catch (TransformerException e) {
throw new ParseException("parser.04", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
} catch (IOException e) {
throw new ParseException("parser.04", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
}
// validates
new CreateXMLSignatureResponseValidator().validate(csresp, session);
// builds a for a MOA-SPSS call
String[] vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs();
String tpid = authConf.getMoaSpAuthBlockTrustProfileID();
Element domVsreq = new VerifyXMLSignatureRequestBuilder().build(csresp,
vtids, tpid);
// debug output
// invokes the call
Element domVsresp = new SignatureVerificationInvoker()
.verifyXMLSignature(domVsreq);
// debug output
// parses the
VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponseParser(
domVsresp).parseData();
if (Logger.isTraceEnabled()) {
if (domVsresp != null) {
try {
String xmlVerifyXMLSignatureResponse = DOMUtils
.serializeNode(domVsresp, true);
Logger.trace(new LogMsg(xmlCreateXMLSignatureReadResponse));
Logger.trace(new LogMsg(xmlVerifyXMLSignatureResponse));
} catch (Throwable t) {
t.printStackTrace();
Logger.info(new LogMsg(t.getStackTrace()));
}
}
}
// validates the
VerifyXMLSignatureResponseValidator.getInstance().validate(vsresp,
null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK,
false);
// TODO See Bug #144
// Compare AuthBlock Data with information stored in session, especially
// date and time
// compares the public keys from the identityLink with the AuthBlock
VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(
vsresp, session.getIdentityLink());
// post processing of the infoboxes
Iterator iter = session.getInfoboxValidatorIterator();
boolean formpending = false;
if (iter != null) {
while (!formpending && iter.hasNext()) {
Vector infoboxValidatorVector = (Vector) iter.next();
String identifier = (String) infoboxValidatorVector.get(0);
String friendlyName = (String) infoboxValidatorVector.get(1);
InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
.get(2);
InfoboxValidationResult infoboxValidationResult = null;
try {
infoboxValidationResult = infoboxvalidator.validate(csresp
.getSamlAssertion());
} catch (ValidateException e) {
Logger.error("Error validating " + identifier + " infobox:"
+ e.getMessage());
throw new ValidateException("validator.44",
new Object[] { friendlyName });
}
if (!infoboxValidationResult.isValid()) {
Logger.info("Validation of " + identifier
+ " infobox failed.");
throw new ValidateException("validator.40", new Object[] {
friendlyName,
infoboxValidationResult.getErrorMessage() });
}
String form = infoboxvalidator.getForm();
if (ParepUtils.isEmpty(form)) {
AddAdditionalSAMLAttributes(
session,
infoboxValidationResult.getExtendedSamlAttributes(),
identifier, friendlyName);
} else {
return "Redirect to Input Processor";
}
}
}
// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
// .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
// boolean useUTC = oaParam.getUseUTC();
// boolean useCondition = oaParam.getUseCondition();
// int conditionLength = oaParam.getConditionLength();
//TL: moved to Authentification Data generation
// AuthenticationData authData = buildAuthenticationData(session, vsresp,
// useUTC, false);
//
// //set Authblock
// session.setAuthData(authData);
session.setXMLVerifySignatureResponse(vsresp);
session.setSignerCertificate(vsresp.getX509certificate());
vsresp.setX509certificate(null);
session.setForeigner(false);
if (session.getUseMandate()) {
// mandate mode
return null;
} else {
session.setAuthenticatedUsed(false);
session.setAuthenticated(true);
String oldsessionID = session.getSessionID();
//Session is implicte stored in changeSessionID!!!
String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
return newMOASessionID;
/*
String samlAssertion = new AuthenticationDataAssertionBuilder()
.build(authData, session.getAssertionPrPerson(), session
.getAssertionAuthBlock(), session
.getAssertionIlAssertion(), session.getBkuURL(),
session.getAssertionSignerCertificateBase64(),
session.getAssertionBusinessService(), session
.getExtendedSAMLAttributesOA(),
useCondition, conditionLength);
authData.setSamlAssertion(samlAssertion);
String assertionFile = AuthConfigurationProvider.getInstance()
.getGenericConfigurationParameter(
"AuthenticationServer.WriteAssertionToFile");
if (!ParepUtils.isEmpty(assertionFile))
try {
ParepUtils.saveStringToFile(samlAssertion, new File(
assertionFile));
} catch (IOException e) {
throw new BuildException("builder.00", new Object[] {
"AuthenticationData", e.toString() }, e);
}
String samlArtifact = new SAMLArtifactBuilder().build(session
.getAuthURL(), session.getSessionID(), session
.getSourceID());
storeAuthenticationData(samlArtifact, authData);
// invalidates the authentication session
sessionStore.remove(sessionID);
Logger.info("Anmeldedaten zu MOASession " + sessionID
+ " angelegt, SAML Artifakt " + samlArtifact);
return samlArtifact;
*/
}
}
/**
* Processes a <CreateXMLSignatureResponse> sent by the
* security layer implementation.
*
* - Validates given
<CreateXMLSignatureResponse>
* - Parses
<CreateXMLSignatureResponse> for error
* codes
* - Parses authentication block enclosed in
*
<CreateXMLSignatureResponse>
* - Verifies authentication block by calling the MOA SP component
* - Creates authentication data
* - Creates a corresponding SAML artifact
* - Stores authentication data in the authentication data store indexed
* by the SAML artifact
* - Deletes authentication session
* - Returns the SAML artifact, encoded BASE64
*
*
* @param sessionID
* session ID of the running authentication session
* @param xmlCreateXMLSignatureReadResponse
* String representation of the
* <CreateXMLSignatureResponse>
* @return SAML artifact needed for retrieving authentication data, encoded
* BASE64
*/
public String verifyAuthenticationBlockMandate(AuthenticationSession session,
Element mandate) throws AuthenticationException, BuildException,
ParseException, ConfigurationException, ServiceException,
ValidateException {
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
//AuthenticationSession session = getSession(sessionID);
// AuthConfigurationProvider authConf =
// AuthConfigurationProvider.getInstance();
IdentityLink tempIdentityLink = null;
if (session.getUseMandate()) {
tempIdentityLink = new IdentityLink();
Element mandator = ParepUtils.extractMandator(mandate);
String dateOfBirth = "";
Element prPerson = null;
String familyName = "";
String givenName = "";
String identificationType = "";
String identificationValue = "";
if (mandator != null) {
boolean physical = ParepUtils.isPhysicalPerson(mandator);
if (physical) {
familyName = ParepUtils.extractText(mandator,
"descendant-or-self::pr:Name/pr:FamilyName/text()");
givenName = ParepUtils.extractText(mandator,
"descendant-or-self::pr:Name/pr:GivenName/text()");
dateOfBirth = ParepUtils
.extractMandatorDateOfBirth(mandator);
} else {
familyName = ParepUtils.extractMandatorFullName(mandator);
}
identificationType = ParepUtils.getIdentification(mandator,
"Type");
identificationValue = ParepUtils.extractMandatorWbpk(mandator);
prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
if (physical
&& session.getBusinessService()
&& identificationType != null
&& Constants.URN_PREFIX_BASEID
.equals(identificationType)) {
// now we calculate the wbPK and do so if we got it from the
// BKU
identificationType = Constants.URN_PREFIX_WBPK + "+"
+ session.getDomainIdentifier();
identificationValue = new BPKBuilder().buildWBPK(
identificationValue, session.getDomainIdentifier());
ParepUtils
.HideStammZahlen(prPerson, true, null, null, true);
}
tempIdentityLink.setDateOfBirth(dateOfBirth);
tempIdentityLink.setFamilyName(familyName);
tempIdentityLink.setGivenName(givenName);
tempIdentityLink.setIdentificationType(identificationType);
tempIdentityLink.setIdentificationValue(identificationValue);
tempIdentityLink.setPrPerson(prPerson);
try {
tempIdentityLink.setSamlAssertion(session.getIdentityLink()
.getSamlAssertion());
} catch (Exception e) {
throw new ValidateException("validator.64", null);
}
}
}
// builds authentication data and stores it together with a SAML
// artifact
// TODO: Check, if this element is in use!!!!
//AuthenticationData authData = session.getAssertionAuthData(); // buildAuthenticationData(session,
// vsresp,
// replacementIdentityLink);
Element mandatePerson = tempIdentityLink.getPrPerson();
// try {
// System.out.println("MANDATE: " +
// DOMUtils.serializeNode(mandatePerson));
// }
// catch(Exception e) {
// e.printStackTrace();
// }
String mandateData = null;
boolean useCondition = false;
int conditionLength = -1;
try {
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(
session.getPublicOAURLPrefix());
boolean provideStammzahl = oaParam.getProvideStammzahl();
useCondition = oaParam.getUseCondition();
conditionLength = oaParam.getConditionLength();
String oatargetType;
if(session.getBusinessService()) {
oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier();
} else {
oatargetType = AuthenticationSession.TARGET_PREFIX_ + session.getTarget();
}
Element prIdentification = (Element) mandatePerson
.getElementsByTagNameNS(Constants.PD_NS_URI,
"Identification").item(0);
if (!oatargetType.equals(tempIdentityLink.getIdentificationType())) {
String isPrPerson = mandatePerson.getAttribute("xsi:type");
if (!StringUtils.isEmpty(isPrPerson)) {
if (isPrPerson.equalsIgnoreCase("pr:PhysicalPerson")) {
String baseid = getBaseId(mandatePerson);
Element identificationBpK = createIdentificationBPK(mandatePerson,
baseid, session.getTarget());
if (!provideStammzahl) {
prIdentification.getFirstChild().setTextContent("");
}
mandatePerson.insertBefore(identificationBpK,
prIdentification);
}
}
} else {
// Element identificationBpK = mandatePerson.getOwnerDocument()
// .createElementNS(Constants.PD_NS_URI, "Identification");
// Element valueBpK = mandatePerson.getOwnerDocument().createElementNS(
// Constants.PD_NS_URI, "Value");
//
// valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
// tempIdentityLink.getIdentificationValue()));
// Element typeBpK = mandatePerson.getOwnerDocument().createElementNS(
// Constants.PD_NS_URI, "Type");
// typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
// "urn:publicid:gv.at:cdid+bpk"));
// identificationBpK.appendChild(valueBpK);
// identificationBpK.appendChild(typeBpK);
//
// mandatePerson.insertBefore(identificationBpK, prIdentification);
}
mandateData = DOMUtils.serializeNode(mandatePerson);
} catch (TransformerException e1) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID });
} catch (IOException e1) {
throw new AuthenticationException("auth.16",
new Object[] { GET_MIS_SESSIONID });
}
//TODO: Check, if this element is in use!!!
//session.setAuthData(authData);
session.setMandateData(mandateData);
session.setAuthenticatedUsed(false);
session.setAuthenticated(true);
String oldsessionID = session.getSessionID();
//Session is implicite stored in changeSessionID!!!
String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
return newMOASessionID;
/*
String samlAssertion = new AuthenticationDataAssertionBuilder()
.buildMandate(authData, session.getAssertionPrPerson(),
mandateData, session.getAssertionAuthBlock(), session
.getAssertionIlAssertion(),
session.getBkuURL(), session
.getAssertionSignerCertificateBase64(), session
.getAssertionBusinessService(), session
.getSourceID(), session
.getExtendedSAMLAttributesOA(), useCondition,
conditionLength);
authData.setSamlAssertion(samlAssertion);
String assertionFile = AuthConfigurationProvider.getInstance()
.getGenericConfigurationParameter(
"AuthenticationServer.WriteAssertionToFile");
if (!ParepUtils.isEmpty(assertionFile))
try {
ParepUtils.saveStringToFile(samlAssertion, new File(
assertionFile));
} catch (IOException e) {
throw new BuildException("builder.00", new Object[] {
"AuthenticationData", e.toString() }, e);
}
String samlArtifact = new SAMLArtifactBuilder().build(session
.getAuthURL(), session.getSessionID(), session.getSourceID());
storeAuthenticationData(samlArtifact, authData);
// invalidates the authentication session
sessionStore.remove(sessionID);
Logger.info("Anmeldedaten zu MOASession " + sessionID
+ " angelegt, SAML Artifakt " + samlArtifact);
return samlArtifact;*/
}
private Element createIdentificationBPK(Element mandatePerson,
String baseid, String target) throws BuildException {
Element identificationBpK = mandatePerson.getOwnerDocument()
.createElementNS(Constants.PD_NS_URI, "Identification");
Element valueBpK = mandatePerson.getOwnerDocument().createElementNS(
Constants.PD_NS_URI, "Value");
String bpkBase64 = new BPKBuilder().buildBPK(baseid, target);
valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
bpkBase64));
Element typeBpK = mandatePerson.getOwnerDocument().createElementNS(
Constants.PD_NS_URI, "Type");
typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
"urn:publicid:gv.at:cdid+bpk"));
identificationBpK.appendChild(valueBpK);
identificationBpK.appendChild(typeBpK);
return identificationBpK;
}
private String getBaseId(Element mandatePerson)
throws TransformerException, IOException {
NodeList list = mandatePerson.getElementsByTagNameNS(
Constants.PD_NS_URI, "Identification");
for (int i = 0; i < list.getLength(); i++) {
Element identification = (Element) list.item(i);
Element type = (Element) identification.getElementsByTagNameNS(
Constants.PD_NS_URI, "Type").item(0);
if (type.getTextContent().compareToIgnoreCase(
"urn:publicid:gv.at:baseid") == 0) {
Element value = (Element) identification
.getElementsByTagNameNS(Constants.PD_NS_URI, "Value")
.item(0);
return value.getTextContent();
}
}
return null;
}
/**
* Gets the foreign authentication data.
*
* - Creates authentication data
* - Creates a corresponding SAML artifact
* - Stores authentication data in the authentication data store indexed
* by the SAML artifact
* - Deletes authentication session
* - Returns the SAML artifact, encoded BASE64
*
*
* @param sessionID
* session ID of the running authentication session
* @return SAML artifact needed for retrieving authentication data, encoded
* BASE64
*/
public String getForeignAuthenticationData(AuthenticationSession session)
throws AuthenticationException, BuildException, ParseException,
ConfigurationException, ServiceException, ValidateException {
//TODO: CHECK if STORK parts works correct!!!!
if (session == null)
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
//AuthenticationSession session = getSession(sessionID);
// AuthConfigurationProvider authConf =
// AuthConfigurationProvider.getInstance();
// post processing of the infoboxes
Iterator iter = session.getInfoboxValidatorIterator();
boolean formpending = false;
if (iter != null) {
while (!formpending && iter.hasNext()) {
Vector infoboxValidatorVector = (Vector) iter.next();
String identifier = (String) infoboxValidatorVector.get(0);
String friendlyName = (String) infoboxValidatorVector.get(1);
InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector
.get(2);
InfoboxValidationResult infoboxValidationResult = null;
try {
infoboxValidationResult = infoboxvalidator.validate(session
.getIdentityLink().getSamlAssertion());
} catch (ValidateException e) {
Logger.error("Error validating " + identifier + " infobox:"
+ e.getMessage());
throw new ValidateException("validator.44",
new Object[] { friendlyName });
}
if (!infoboxValidationResult.isValid()) {
Logger.info("Validation of " + identifier
+ " infobox failed.");
throw new ValidateException("validator.40", new Object[] {
friendlyName,
infoboxValidationResult.getErrorMessage() });
}
String form = infoboxvalidator.getForm();
if (ParepUtils.isEmpty(form)) {
AddAdditionalSAMLAttributes(
session,
infoboxValidationResult.getExtendedSamlAttributes(),
identifier, friendlyName);
} else {
return "Redirect to Input Processor";
}
}
}
VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse();
X509Certificate cert = session.getSignerCertificate();
vsresp.setX509certificate(cert);
// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
// .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
// boolean useUTC = oaParam.getUseUTC();
// boolean useCondition = oaParam.getUseCondition();
// int conditionLength = oaParam.getConditionLength();
//TL: moved to Assertion generation.
// AuthenticationData authData = buildAuthenticationData(session, vsresp,
// useUTC, true);
//
// session.setAuthData(authData);
session.setAuthenticatedUsed(false);
session.setAuthenticated(true);
session.setXMLVerifySignatureResponse(vsresp);
session.setSignerCertificate(vsresp.getX509certificate());
vsresp.setX509certificate(null);
session.setForeigner(true);
return "new Session";
//TODO: regenerate MOASession ID!
/*
String samlAssertion = new AuthenticationDataAssertionBuilder().build(
authData, session.getAssertionPrPerson(), session
.getAssertionAuthBlock(), session
.getAssertionIlAssertion(), session.getBkuURL(),
session.getAssertionSignerCertificateBase64(), session
.getAssertionBusinessService(), session
.getExtendedSAMLAttributesOA(), useCondition,
conditionLength);
authData.setSamlAssertion(samlAssertion);
String assertionFile = AuthConfigurationProvider.getInstance()
.getGenericConfigurationParameter(
"AuthenticationServer.WriteAssertionToFile");
if (!ParepUtils.isEmpty(assertionFile))
try {
ParepUtils.saveStringToFile(samlAssertion, new File(
assertionFile));
} catch (IOException e) {
throw new BuildException("builder.00", new Object[] {
"AuthenticationData", e.toString() }, e);
}
String samlArtifact = new SAMLArtifactBuilder().build(session
.getAuthURL(), session.getSessionID(), session.getSourceID());
storeAuthenticationData(samlArtifact, authData);
// invalidates the authentication session
sessionStore.remove(sessionID);
Logger.info("Anmeldedaten zu MOASession " + sessionID
+ " angelegt, SAML Artifakt " + samlArtifact);
return samlArtifact;*/
}
/**
* Builds the AuthenticationData object together with the corresponding
* <saml:Assertion>
*
* @param session
* authentication session
* @param verifyXMLSigResp
* VerifyXMLSignatureResponse from MOA-SP
* @param useUTC uses correct UTC time format
* @param useUTC indicates that authenticated citizen is a foreigner
* @param isForeigner indicates whether Austrian (false) or foreigner (true) authenticates
* @return AuthenticationData object
* @throws ConfigurationException
* while accessing configuration data
* @throws BuildException
* while building the <saml:Assertion>
*/
public static AuthenticationData buildAuthenticationData(
AuthenticationSession session, OAAuthParameter oaParam, String target)
throws ConfigurationException, BuildException {
IdentityLink identityLink = session.getIdentityLink();
AuthenticationData authData = new AuthenticationData();
// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
// .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse();
boolean useUTC = oaParam.getUseUTC();
boolean isForeigner = session.isForeigner();
boolean businessService = oaParam.getBusinessService();
authData.setMajorVersion(1);
authData.setMinorVersion(0);
authData.setAssertionID(Random.nextRandom());
authData.setIssuer(session.getAuthURL());
authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar
.getInstance(), useUTC));
authData.setIdentificationType(identityLink.getIdentificationType());
authData.setGivenName(identityLink.getGivenName());
authData.setFamilyName(identityLink.getFamilyName());
authData.setDateOfBirth(identityLink.getDateOfBirth());
authData.setQualifiedCertificate(verifyXMLSigResp
.isQualifiedCertificate());
authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority());
authData.setPublicAuthorityCode(verifyXMLSigResp
.getPublicAuthorityCode());
authData.setBkuURL(session.getBkuURL());
authData.setUseUTC(oaParam.getUseUTC());
boolean provideStammzahl = oaParam.getProvideStammzahl();
if (provideStammzahl) {
authData.setIdentificationValue(identityLink
.getIdentificationValue());
}
// String prPerson = new PersonDataBuilder().build(identityLink,
// provideStammzahl);
try {
// String signerCertificateBase64 = "";
// if (oaParam.getProvideCertifcate()) {
// X509Certificate signerCertificate = verifyXMLSigResp
// .getX509certificate();
// if (signerCertificate != null) {
// signerCertificateBase64 = Base64Utils
// .encode(signerCertificate.getEncoded());
// } else {
// Logger
// .info("\"provideCertificate\" is \"true\", but no signer certificate available");
// }
// }
// authData.setSignerCertificate(signerCertificateBase64);
if(!isForeigner) {
//we have Austrian citizen
if (businessService) {
authData.setBPK(identityLink.getIdentificationValue());
authData.setBPKType(identityLink.getIdentificationType());
} else {
// OLD! BZ.., calculation of bPK already before sending AUTHBlock
//TL: identitylLink holds the BASEID, bPK is only calculated for AUTHBlock
//authData.setBPK(identityLink.getIdentificationValue());
// only compute bPK if online application is a public service and we have the Stammzahl
if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
String bpkBase64 = new BPKBuilder().buildBPK(
identityLink.getIdentificationValue(), target);
authData.setBPK(bpkBase64);
authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
}
}
} else {
//we have foreigner, thus we have to calculate bPK and wbPK now (after receiving identity link from SZR-GW
if (businessService) {
//since we have foreigner, wbPK is not calculated in BKU
if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
// If domainIdentifier starts with prefix
// "urn:publicid:gv.at:wbpk+"; remove this prefix
registerAndOrdNr = registerAndOrdNr
.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
+ registerAndOrdNr);
}
String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
authData.setBPK(wbpkBase64);
authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
}
} else {
if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
// only compute bPK if online application is a public service and we have the Stammzahl
String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
authData.setBPK(bpkBase64);
authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
}
}
}
// String ilAssertion = oaParam.getProvideIdentityLink() ? identityLink
// .getSerializedSamlAssertion()
// : "";
// if (!oaParam.getProvideStammzahl()) {
// ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink
// .getIdentificationValue(), "");
// }
// String authBlock = oaParam.getProvideAuthBlock() ? session
// .getAuthBlock() : "";
//TODO: check, if this elements are in use!!!!
// session.setAssertionAuthBlock(authBlock);
// session.setAssertionAuthData(authData);
// session.setAssertionBusinessService(businessService);
// session.setAssertionIlAssertion(ilAssertion);
// session.setAssertionPrPerson(prPerson);
// session.setAssertionSignerCertificateBase64(signerCertificateBase64);
return authData;
} catch (Throwable ex) {
throw new BuildException("builder.00", new Object[] {
"AuthenticationData", ex.toString() }, ex);
}
}
/**
* Creates a new session and puts it into the session store.
*
* @param id
* Session ID
* @return AuthenticationSession created
* @exception AuthenticationException
* thrown when an AuthenticationSession is
* running already for the given session ID
*/
private static AuthenticationSession newSession()
throws AuthenticationException {
try {
return AuthenticationSessionStoreage.createSession();
} catch (MOADatabaseException e) {
throw new AuthenticationException("", null);
}
}
/**
* Retrieves a session from the session store.
*
* @param id
* session ID
* @return AuthenticationSession stored with given session ID,
* null if session ID unknown
*/
public static AuthenticationSession getSession(String id)
throws AuthenticationException {
AuthenticationSession session;
try {
session = AuthenticationSessionStoreage.getSession(id);
/*(AuthenticationSession) sessionStore
.get(id);*/
if (session == null)
throw new AuthenticationException("auth.02", new Object[] { id });
return session;
} catch (MOADatabaseException e) {
throw new AuthenticationException("parser.04", new Object[] { id });
}
}
/**
* Cleans up expired session and authentication data stores.
*/
public void cleanup() {
long now = new Date().getTime();
//clean AuthenticationSessionStore
//TODO: acutally the StartAuthentificaten timestamp is used!!!!!
//TODO: maybe change this to lastupdate timestamp.
AuthenticationSessionStoreage.clean(now, sessionTimeOut);
//clean AssertionStore
AssertionStorage assertionstore = AssertionStorage.getInstance();
assertionstore.clean(now, authDataTimeOut);
}
/**
* Sets the sessionTimeOut.
*
* @param seconds
* Time out of the session in seconds
*/
public void setSecondsSessionTimeOut(long seconds) {
sessionTimeOut = 1000 * seconds;
}
/**
* Sets the authDataTimeOut.
*
* @param seconds
* Time out for signing AuthData in seconds
*/
public void setSecondsAuthDataTimeOut(long seconds) {
authDataTimeOut = 1000 * seconds;
}
/**
* Checks a parameter.
*
* @param param
* parameter
* @return true if the parameter is null or empty
*/
private boolean isEmpty(String param) {
return param == null || param.length() == 0;
}
/**
* Checks the correctness of SAML attributes and returns its value.
*
* @param param
* samlAttribute
* @param i
* the number of the verified attribute for messages
* @param identifier
* the infobox identifier for messages
* @param friendlyname
* the friendly name of the infobox for messages
* @return the SAML attribute value (Element or String)
*/
private static Object verifySAMLAttribute(
ExtendedSAMLAttribute samlAttribute, int i, String identifier,
String friendlyName) throws ValidateException {
String name = samlAttribute.getName();
if (name == null) {
Logger.info("The name of SAML-Attribute number " + (i + 1)
+ " returned from " + identifier
+ "-infobox validator is null.");
throw new ValidateException("validator.45", new Object[] {
friendlyName, "Name", String.valueOf((i + 1)), "null" });
}
if (name == "") {
Logger.info("The name of SAML-Attribute number " + (i + 1)
+ " returned from " + identifier
+ "-infobox validator is empty.");
throw new ValidateException("validator.45", new Object[] {
friendlyName, "Name", String.valueOf((i + 1)), "leer" });
}
if (samlAttribute.getNameSpace() == null) {
Logger.info("The namespace of SAML-Attribute number " + (i + 1)
+ " returned from " + identifier
+ "-infobox validator is null.");
throw new ValidateException("validator.45",
new Object[] { friendlyName, "Namespace",
String.valueOf((i + 1)), "null" });
}
Object value = samlAttribute.getValue();
if (value == null) {
Logger.info("The value of SAML-Attribute number " + (i + 1)
+ " returned from " + identifier
+ "-infobox validator is null.");
throw new ValidateException("validator.45", new Object[] {
friendlyName, "Wert", String.valueOf((i + 1)), "null" });
}
return value;
}
/**
* Does the request to the SZR-GW
* @param signature XMLDSIG signature
* @return Identity link assertion
* @throws SZRGWClientException
*/
public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException {
SZRGWClient client = new SZRGWClient();
try {
AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
client.setAddress(connectionParameters.getUrl());
if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
Logger.debug("Initialisiere SSL Verbindung");
try {
client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
} catch (IOException e) {
Logger.error("Could not initialize SSL Factory", e);
throw new SZRGWClientException("Could not initialize SSL Factory");
} catch (GeneralSecurityException e) {
Logger.error("Could not initialize SSL Factory", e);
throw new SZRGWClientException("Could not initialize SSL Factory");
} catch (PKIException e) {
Logger.error("Could not initialize SSL Factory", e);
throw new SZRGWClientException("Could not initialize SSL Factory");
}
}
Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
}
catch (ConfigurationException e) {
Logger.warn(e);
Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null ));
}
// create request
CreateIdentityLinkResponse response = null;
Element request = null;
try {
Document doc = client.buildGetIdentityLinkRequest(PEPSIdentifier, PEPSFirstname, PEPSFamilyname, PEPSDateOfBirth, signature);
request = doc.getDocumentElement();
// send request
response = client.createIdentityLinkResponse(request);
} catch (SZRGWClientException e) {
// give him a second try - Nach dem Starten des Tomcat wird beim ersten Mal das Client-Zertifikat offenbar vom HTTPClient nicht mitgeschickt.
try {
response = client.createIdentityLinkResponse(request);
}
catch (SZRGWClientException e1) {
throw new SZRGWClientException(e1);
}
}
return response;
}
/**
* Starts a MOA-ID authentication process using STORK
* @param req HttpServletRequest
* @param resp HttpServletResponse
* @param ccc Citizen country code
* @param oaURL URL of the online application
* @param target Target parameter
* @param targetFriendlyName Friendly Name of Target
* @param authURL Authentication URL
* @param sourceID SourceID parameter
* @throws MOAIDException
* @throws AuthenticationException
* @throws WrongParametersException
* @throws ConfigurationException
*/
public static void startSTORKAuthentication(
HttpServletRequest req,
HttpServletResponse resp,
AuthenticationSession moasession) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException {
if (moasession == null) {
throw new AuthenticationException("auth.18", new Object[] { });
}
//read configuration paramters of OA
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix());
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { moasession.getPublicOAURLPrefix() });
//Start of STORK Processing
STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig();
CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc());
Logger.debug("Preparing to assemble STORK AuthnRequest witht the following values:");
String destination = cpeps.getPepsURL().toExternalForm();
Logger.debug("C-PEPS URL: " + destination);
String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN;
Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL);
String providerName= oaParam.getFriendlyName();
String issuerValue = HTTPUtils.getBaseURL(req);
Logger.debug("Issuer value: " + issuerValue);
QualityAuthenticationAssuranceLevel qaaLevel = null;//TODO UNCOMMENT AGAIN !! = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue());
//Logger.debug("QAALevel: " + qaaLevel.getValue());
RequestedAttributes requestedAttributes = null;
//TODO UNCOMMENT AGAIN !! requestedAttributes = oaParam.getRequestedAttributes();
requestedAttributes.detach();
List reqAttributeList = new ArrayList();
List oaReqAttributeList = null;
//TODO UNCOMMENT AGAIN !! oaReqAttributeList = new ArrayList(oaParam.getRequestedAttributes().getRequestedAttributes());
//check if country specific attributes must be additionally requested
if (!cpeps.getCountrySpecificRequestedAttributes().isEmpty()) {
//add country specific attributes to be requested (Hierarchy: default oa attributes > country specific attributes > oa specific attributes
Logger.debug("We have addtional country specific attributes to be requested from the C-PEPS of country: " + moasession.getCcc());
Logger.debug("The following attributes are requested for this specific country:");
List countrySpecificReqAttributeList = new ArrayList(cpeps.getCountrySpecificRequestedAttributes());
for (RequestedAttribute csReqAttr : countrySpecificReqAttributeList) {
csReqAttr.detach();
if (!STORKConstants.DEFAULT_STORK_REQUESTED_ATTRIBUTE_SET.contains(csReqAttr.getName())) {
//this country specific attribute does not override default attribute
if (SAMLUtil.containsAttribute(oaReqAttributeList, csReqAttr.getName())) {
//the same attribute is requested for OA, applying hierachy
//remove oa attribute
oaReqAttributeList.remove(SAMLUtil.getAttribute(oaReqAttributeList, csReqAttr.getName()));
//add country specific attribute instead
Logger.debug("Requested Attribute (" + csReqAttr.getName() + ") is also requested by OA but we use Country Specific value instead");
}
oaReqAttributeList.add(csReqAttr);
Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired());
} else {
Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired() + " tries to overwrite default requested and required attributes, hence we skip it.");
}
}
reqAttributeList.addAll(oaReqAttributeList);
} else {
//no country specific requested attributes
reqAttributeList.addAll(oaReqAttributeList);
}
reqAttributeList = (List) SAMLUtil.releaseDOM(reqAttributeList);
requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes(reqAttributeList);
if (Logger.isDebugEnabled()) {
Logger.debug("The following attributes are requested for this OA:");
for (RequestedAttribute logReqAttr : reqAttributeList) {
Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isRequired());
}
}
String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget();
String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();
String spApplication = spInstitution;
String spCountry = "AT";
String textToBeSigned =
CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession);
//generate AuthnRquest
STORKAuthnRequest storkAuthnRequest = STORKAuthnRequestProcessor.generateSTORKAuthnRequest(
destination,
acsURL,
providerName,
issuerValue,
qaaLevel,
requestedAttributes,
spSector,
spInstitution,
spApplication,
spCountry,
textToBeSigned,
"application/xhtml+xml");
Logger.debug("STORK AuthnRequest succesfully assembled.");
//sign AuthnRequest
String keyStorePath = storkConfig.getSignatureCreationParameter().getKeyStorePath();
String keyStorePassword = storkConfig.getSignatureCreationParameter().getKeyStorePassword();
String keyName = storkConfig.getSignatureCreationParameter().getKeyName();
String keyPassword = storkConfig.getSignatureCreationParameter().getKeyPassword();
Logger.debug("Starting signing process of STORK AuthnRequest.");
Logger.trace("Using the following Keystore and Key for that:");
Logger.trace("KeyStore: " + keyStorePath);
Logger.trace("KeyName: " + keyName);
try {
storkAuthnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(storkAuthnRequest, keyStorePath, keyStorePassword, keyName, keyPassword);
} catch (SAMLException e) {
Logger.error("Could not sign STORK SAML AuthnRequest.", e);
throw new MOAIDException("stork.00", null);
}
Logger.info("STORK AuthnRequest successfully signed!");
//validate AuthnRequest
try {
STORKAuthnRequestProcessor.validateSTORKAuthnRequest(storkAuthnRequest);
} catch (SAMLValidationException e) {
Logger.error("STORK SAML AuthnRequest not valid.", e);
throw new MOAIDException("stork.01", null);
}
Logger.debug("STORK AuthnRequest successfully internally validated.");
//send
moasession.setStorkAuthnRequest(storkAuthnRequest);
HttpSession httpSession = req.getSession();
httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID());
Logger.debug("Preparing to send STORK AuthnRequest.");
try {
STORKAuthnRequestProcessor.sendSTORKAuthnRequest(req, resp, storkAuthnRequest);
} catch (Exception e) {
Logger.error("Error sending STORK SAML AuthnRequest.", e);
httpSession.invalidate();
throw new MOAIDException("stork.02", new Object[] { destination });
}
Logger.info("STORK AuthnRequest successfully sent to: " + storkAuthnRequest.getDestination());
Logger.debug("STORKAuthnRequest sent (pretty print): ");
Logger.debug(XMLHelper.prettyPrintXML(storkAuthnRequest.getDOM()));
Logger.trace("STORKAuthnRequest sent (original): ");
Logger.trace(XMLUtil.printXML(storkAuthnRequest.getDOM()));
}
/**
* Extracts an X509 Certificate out of an XML signagture element
* @param signedXML XML signature element
* @return X509Certificate
* @throws CertificateException
*/
public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException {
NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate");
String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList);
if (StringUtils.isEmpty(base64CertString)) {
String msg = "XML does not contain a X509Certificate element.";
Logger.error(msg);
throw new CertificateException(msg);
}
InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString));
X509Certificate cert;
try {
cert = new X509Certificate(is);
return cert;
} catch (Throwable e) {
throw new CertificateException(e);
}
// CertificateFactory cf;
// X509Certificate cert = null;
// cf = CertificateFactory.getInstance("X.509");
// CertificateFactory
// cert = (X509Certificate)cf.generateCertificate(is);
// return cert;
}
}