Commit bc1070f7 authored by Benny Prange

Release eumw-1.0.7

parent 10b5056e
......@@ -15,3 +15,4 @@ cd6877486ad7373dae2fec12f9f74d19e78d1110 eumw-1.0.4
76f405023426c019aee600be45f72020a1f66159 eumw-1.0.4
6220fdf6481bec6cbc12535f3e3ac49ac6bbecff eumw-1.0.5-rc.1
e98bc5c6b60496c8d6533c5655626ba39701cf37 eumw-1.0.5
a642705f08408a92390a630e88983470adb5b6e3 eumw-1.0.6
version: '3'
services:
configuration-wizard:
image: "governikus/eidas-configuration-wizard:1.0.6"
image: "governikus/eidas-configuration-wizard:1.0.7"
ports:
- "443:8080"
environment:
......
version: '3'
services:
configuration-wizard:
image: "governikus/eidas-configuration-wizard:1.0.6"
image: "governikus/eidas-configuration-wizard:1.0.7"
ports:
- "8080:8080"
volumes:
......
FROM governikus/eidas-base-container:1.0.6
FROM governikus/eidas-base-container:1.0.7
MAINTAINER Benny Prange <benny.prange@governikus.de>
# NOTE: Some ENV variables are set in the parent "eidas-base-image"
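Review bot: the `MAINTAINER` instruction in this Dockerfile is deprecated in Docker; replace it with `LABEL maintainer="benny.prange@governikus.de"` so the metadata is exposed as an image label, and apply the same change to the other Dockerfiles touched by this commit.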
......
......@@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>1.0.6</version>
<version>1.0.7</version>
</parent>
<artifactId>configuration-wizard</artifactId>
......
......@@ -14,7 +14,7 @@
<parent>
<artifactId>eumw</artifactId>
<groupId>de.governikus.eumw</groupId>
<version>1.0.6</version>
<version>1.0.7</version>
</parent>
<artifactId>database-migration</artifactId>
......
......@@ -39,3 +39,14 @@ Changelog
- eIDAS Middleware: Fix bug introduced with version 1.0.5 where two URLs in the SAML response were switched.
- eIDAS Middleware: Improve logging in case of unparsable authentication request.
* 1.0.7
**Security Advisory**
There were two security issues reported to the German POSC and Governikus. This release fixes these issues.
It is strongly recommended to immediately update to this release as the XXE attack allows an unauthenticated remote attacker to read ASCII files from the file system which can be read by the Middleware Java process.
- eIDAS Middleware: **Security Fix** Endpoints that parse XML content like /RequestReceiver or /paosreceiver were vulnerable to XXE attacks. These endpoints are no longer vulnerable against XXE attacks.
- eIDAS Middleware: **Security Fix** The /TcToken endpoint was vulnerable against XXS attacks as requests parameters were inserted in the HTML response. All endpoints that display HTML content no longer insert user input into the HTML content.
- eIDAS Middleware: The Master List Trust Anchor for the POSeIDAS_PRODUCTION.xml template is updated.
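Review bot: the second Security Fix entry says "XXS attacks"; this should read "XSS attacks" (cross-site scripting), and "vulnerable against" should be "vulnerable to" in both entries. Given that the advisory states the XXE issue allows an unauthenticated remote attacker to read files, it would also help operators to state explicitly which versions are affected rather than leaving it implied by the 1.0.7 heading.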
......@@ -56,7 +56,7 @@ In case you are using your own environment, copy the JAR file to a folder of you
You can start the application with the following command::
java -jar configuration-wizard-1.0.6.jar
java -jar configuration-wizard-1.0.7.jar
This way the configuration wizard will be available at `http://localhost:8080/config-wizard.`
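Review bot: in the context line `http://localhost:8080/config-wizard.` the trailing period sits inside the backticks, so it becomes part of the rendered literal; move the period outside the backticks.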
......@@ -81,7 +81,7 @@ to run the wizard again whenever you need it.
To run the configuration wizard, execute the following command.
It will mount the named volume in the container so that the configuration wizard can store the configuration in the volume. ::
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -p 8080:8080 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:1.0.6
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -p 8080:8080 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:1.0.7
Running this command the configuration wizard will be available on http://localhost:8080/config-wizard.
......@@ -95,7 +95,7 @@ with the alias ``localhost`` and the password ``123456`` for the keystore and th
You can also use PKCS12 keystores,
in this case you must change the value of ``SERVER_SSL_KEY_STORE_TYPE`` to ``PKCS12``. ::
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v /home/user/keystore.jks:/opt/eidas-middleware/keystore.jks -p 443:8080 -e SERVER_SSL_KEY_STORE=file:/opt/eidas-middleware/keystore.jks -e SERVER_SSL_KEY_STORE_TYPE=JKS -e SERVER_SSL_KEY_STORE_PASSWORD=123456 -e SERVER_SSL_KEY_ALIAS=localhost -e SERVER_SSL_KEY_PASSWORD=123456 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:1.0.6
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v /home/user/keystore.jks:/opt/eidas-middleware/keystore.jks -p 443:8080 -e SERVER_SSL_KEY_STORE=file:/opt/eidas-middleware/keystore.jks -e SERVER_SSL_KEY_STORE_TYPE=JKS -e SERVER_SSL_KEY_STORE_PASSWORD=123456 -e SERVER_SSL_KEY_ALIAS=localhost -e SERVER_SSL_KEY_PASSWORD=123456 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:1.0.7
Because the application is now bound to the host in port 443,
the configuration wizard is available at https://localhost/config-wizard.
......
......@@ -50,8 +50,8 @@ Using the eIDAS Demo Application
To use the eIDAS Demo Application, start by running the eIDAS Demo Application.
#. Change to the correct directory where the aforementioned configuration is present.
#. If not present, copy the ``eidas-demo-1.0.6.jar`` file in this directory.
#. Start the application by executing ``java -jar eidas-demo-1.0.6.jar``.
#. If not present, copy the ``eidas-demo-1.0.7.jar`` file in this directory.
#. Start the application by executing ``java -jar eidas-demo-1.0.7.jar``.
Now you must configure your eIDAS Middleware to communicate with the eIDAS Demo Application.
......@@ -88,7 +88,7 @@ Also bear in mind that you must use the path of the container file system in the
To run the middleware, execute the following command after you have prepared the configuration, certificate and keystores::
docker run --rm -it -v /path/to/your/config-directory:/opt/eidas-middleware/config -p 8080:8080 governikus/eidas-demo-application:1.0.6
docker run --rm -it -v /path/to/your/config-directory:/opt/eidas-middleware/config -p 8080:8080 governikus/eidas-demo-application:1.0.7
Now you can follow the steps above to configure and test the eIDAS Middleware.
......
......@@ -84,13 +84,13 @@ To run the eIDAS Middleware, execute the following command.
It will mount the named volumes containing the database and configuration in the container
and the application will be available on port 8443. ::
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:1.0.6
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:1.0.7
To stop and remove the container, just hit ``CTRL+C``.
To keep the container running longer without being attached to the STDOUT and STDERR, change the command to the following::
docker run -d -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:1.0.6
docker run -d -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:1.0.7
For more information on starting and stopping containers and viewing the logs,
see the `Docker Docs <https://docs.docker.com/engine/reference/run/>`_.
......@@ -134,7 +134,7 @@ Scalability
^^^^^^^^^^^
The performance of the eIDAS Middleware improves by adding more memory (RAM) and using a faster CPU.
In case the memory configuration has changed, the server needs to be restarted.
To start the JVM with more memory, add ``-Xmx`` with the new maximum memory size to the start command, e.g. ``java -Xmx8g -jar eidas-middleware-1.0.6.jar`` for 8 GB.
To start the JVM with more memory, add ``-Xmx`` with the new maximum memory size to the start command, e.g. ``java -Xmx8g -jar eidas-middleware-1.0.7.jar`` for 8 GB.
Monitoring
......@@ -188,5 +188,5 @@ The configuration file must contain the following values. The first three values
Before running the migration tool, please create a backup of your database.
Stop the eIDAS Middleware Application and copy the database file to your backup location, e.g. ``cp /opt/eidas-middleware/database/eidasmw.mv.db /path/to/your/backup-location/eidasmw.mv.db``.
To perform the migration, copy the database migration JAR file to the directory where your configuration file is available and execute the command ``java -jar database-migration-1.0.6.jar``.
To perform the migration, copy the database migration JAR file to the directory where your configuration file is available and execute the command ``java -jar database-migration-1.0.7.jar``.
If there are errors in the log output, please send the complete log output and some information on your environment to eidas-middleware@governikus.com.
......@@ -21,7 +21,7 @@
MIIEMTCCAxmgAwIBAgIDGMKjMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAkRFMRkwFwYDVQQKExBFQUMgQW53ZW5kZXIgUEtJMRQwEgYDVQQLEwtFQUMgU3lzdGVtZTEdMBsGA1UEAxMURUFDIFN5c3RlbSBDQSAxIDIwMTQwHhcNMTYxMDI2MDkzMDEzWhcNMTkwNjE4MDgyMTM3WjBvMQswCQYDVQQGEwJERTEUMBIGA1UEChMLRUFDIFN5c3RlbWUxEDAOBgNVBAsTB0Fwb2xsb24xIzAhBgNVBAMTGkJDQVAgRFZTRCBCbGFja2xpc3QgU2lnbmVyMRMwEQYDVQQFEwoyODAyNzkwNjkyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiuG9IgN0IGk8eyjDw8tBOkRQiuN6rK/GAh5uE5XD12Nw8QBzdOWaj7c6uzS36BTkb7WhsfQaBPO89Z9de4bBmk8U4j3nRK1stAIchKcfTLqPjVknisZhlNh/TBjDtZ8yxk/SeFmszALA2pNd14vMwuvXjvkLreP9nZmuc8v35JUBPE/YRJpM/py117t36Hy4z0e8uPBnexVp2pTS/lgJx5J79Cj/9BltA0u/WwsSH2BNaARqDY5++73M9+WX5+8pdmswYpCK3LiNVv1u7VlbVajByrMZvpDGPu2DF+IFmENHTlAVUyiWTjZtjq62xM5bxW/dgXg2cWxdhkMGsArB5QIDAQABo4HnMIHkMB8GA1UdIwQYMBaAFK6n9MJdvNI/yYVbvrmrzZnSWCFbMBYGA1UdIAQPMA0wCwYJKoIUAFAHg3QKMHoGA1UdHwRzMHEwb6BtoGuGM2h0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2VhY19zeXN0ZW1fY2FfMV8yMDE0LmNybIY0aHR0cHM6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2VhY19zeXN0ZW1fY2FfMV8yMDE0LmNybDAdBgNVHQ4EFgQU8csAobRtd+DNeQNuvCmF7PXeBjMwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQCgNtj2JidGISyuIdLCaL9xRZmBDGV6fT8Rqzl8DigKyO5fdkrKvfpeTOK983VkiX0v652hfYFl+7JwlgV5g9Daql9aAiw35Qti68Fpr3mIwkZAn/Ee2ZDFVUQBQi1Ka2NKpANniFtldwWnbRORH4OA/KKI0IDmRpe1bkkYvYyvmCwswu3Sb3++8x1c3HRJRdPrSYgTKz6Gi311YR03XI/YJy+4wIpbUY24g4J2ZwND0Q5axJ6qrXO/v3iA+6VMgF+JGlb/PLLy2+RsFQFL5hDIDi5ONcFB8jIc59onvDlLEv0TlvM19iGcL/mvJOlBHO756LNedjg6fHpOhRLR9IaZ
</blackListTrustAnchor>
<masterListTrustAnchor>
</masterListTrustAnchor>
<defectListTrustAnchor>
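Review bot: this hunk replaces trust anchor values in the POSeIDAS_PRODUCTION.xml template, but the Changelog entry only says the Master List Trust Anchor "is updated"; record the new anchor's subject and validity period (or its certificate fingerprint) in the changelog so that operators can verify they deployed the intended template.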
......
......@@ -59,9 +59,9 @@ author = u'Hartje Bruns'
# built documents.
#
# The short X.Y version.
version = '1.0.6'
version = '1.0.7'
# The full version, including alpha/beta/rc tags.
release = '1.0.6'
release = '1.0.7'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
......
FROM governikus/zulu-openjdk:8u172
FROM governikus/zulu-openjdk:8u181
MAINTAINER Benny Prange <benny.prange@governikus.de>
# Define the application version for the subsequent application images
ENV VERSION=1.0.6
ENV VERSION=1.0.7
# Define the spring boot configuration directory
ENV CONFIG_DIR=/opt/eidas-middleware/configuration
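Review bot: the base image bump from `governikus/zulu-openjdk:8u172` to `8u181` changes the runtime for every application image built on top of it, yet it is not mentioned in the Changelog hunk of this commit; add a changelog line for the JDK update. The `MAINTAINER` instruction here should also become a `LABEL maintainer=...`, as it is deprecated.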
......
......@@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>1.0.6</version>
<version>1.0.7</version>
</parent>
<artifactId>eid-service</artifactId>
......
......@@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>1.0.6</version>
<version>1.0.7</version>
</parent>
<artifactId>eidas-common</artifactId>
......@@ -37,6 +37,11 @@
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>net.shibboleth.utilities</groupId>
<artifactId>java-support</artifactId>
</dependency>
<!-- only for tests -->
<dependency>
<groupId>org.slf4j</groupId>
......
......@@ -31,13 +31,30 @@ import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.UUID;
import java.util.regex.Pattern;
import java.util.zip.ZipInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
/**
......@@ -79,27 +96,24 @@ public final class Utils
/**
* Contains a error page to show if something went wrong.
*/
private static final String HTML_ERROR;
private static final String HTML_ERROR = loadHTMLErrorPage();
/**
* Load the error page.
*/
static
private static String loadHTMLErrorPage()
{
String value = null;
try
{
value = Utils.readFromStream(Utils.class.getResourceAsStream("error.html"));
return Utils.readFromStream(Utils.class.getResourceAsStream("error.html"));
}
catch (IOException e)
{
// OK, no nice page then
value = "${MESSAGE}";
return "${MESSAGE}";
}
HTML_ERROR = value;
}
private Utils()
{
super();
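Review bot: in `loadHTMLErrorPage()` the `catch (IOException e)` fallback does not cover the case where `error.html` is missing from the classpath: `Utils.class.getResourceAsStream("error.html")` then returns `null`, and passing that to `readFromStream` will most likely raise a `NullPointerException` during static initialisation rather than an `IOException`, which would make the whole `Utils` class fail to load. Check the stream for `null` before reading and return `"${MESSAGE}"` in that case as well.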
......@@ -293,10 +307,10 @@ public final class Utils
* @param keyPin key password
*/
private static X509KeyPair readKeyAndCert(InputStream ins,
String type,
char[] pin,
String alias,
char[] keyPin)
String type,
char[] pin,
String alias,
char[] keyPin)
throws IOException, GeneralSecurityException
{
if (ins == null)
......@@ -533,11 +547,13 @@ public final class Utils
+ aliasBuf.toString());
}
}
/**
* This functions checks if a String is null or zero
* @param s
* @return
*/
/**
* This functions checks if a String is null or zero
*
* @param s
* @return
*/
public static boolean isNullOrEmpty(String s)
{
return s == null ? true : "".equals(s);
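Review bot: the Javadoc added here keeps the grammar error "This functions checks" (should be "This function checks") and leaves the `@param s` and `@return` tags without descriptions; fill them in. The body `return s == null ? true : "".equals(s);` can be simplified to `return s == null || s.isEmpty();`.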
......@@ -545,6 +561,7 @@ public final class Utils
/**
* Encodes a string to Base64
*
* @param s A String
* @return String encoded in Base64
*/
......@@ -555,7 +572,8 @@ public final class Utils
/**
* Decodes a string to Base64
* @param s A String encoded in Base64
*
* @param s A String encoded in Base64
* @return A decoded String
*/
public static String fromBase64(String s)
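Review bot: the Javadoc summary "Decodes a string to Base64" describes the opposite direction; `fromBase64` decodes a Base64-encoded string, so the line should read "Decodes a Base64-encoded string".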
......@@ -651,4 +669,118 @@ public final class Utils
}
return location;
}
/**
* Returns an initialized {@link BasicParserPool} ready to use, configured with security features preventing
* several XXE attacks.
*
* @return the parser pool
* @throws ComponentInitializationException
*/
public static BasicParserPool getBasicParserPool() throws ComponentInitializationException
{
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);
final HashMap<String, Boolean> features = new HashMap<>();
features.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
features.put("http://xml.org/sax/features/external-general-entities", false);
features.put("http://xml.org/sax/features/external-parameter-entities", false);
features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
ppMgr.setBuilderFeatures(features);
ppMgr.setXincludeAware(false);
ppMgr.setExpandEntityReferences(false);
ppMgr.initialize();
return ppMgr;
}
/**
* Returns an initialized {@link DocumentBuilder} ready to use, configured with security features preventing
* several XXE attacks.
*
* @return the document builder
* @throws ParserConfigurationException
*/
public static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException
{
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
dbf.setNamespaceAware(true);
return dbf.newDocumentBuilder();
}
/**
* Returns an initialized {@link Transformer} ready to use, configured with security features preventing
* several XXE attacks.
*
* @return the transformer
* @throws TransformerConfigurationException
*/
public static Transformer getTransformer() throws TransformerConfigurationException
{
TransformerFactory tf = TransformerFactory.newInstance();
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return tf.newTransformer();
}
/**
* Returns an initialized {@link SchemaFactory} ready to use, configured with security features preventing
* several XXE attacks.
*
* @return the schema factory
* @throws SAXNotRecognizedException
* @throws SAXNotSupportedException
*/
public static SchemaFactory getSchemaFactory() throws SAXNotRecognizedException, SAXNotSupportedException
{
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
return sf;
}
/**
* Returns an initialized {@link Validator} ready to use, configured with security features preventing
* several XXE attacks.
*
* @return the validator
* @throws SAXNotRecognizedException
* @throws SAXNotSupportedException
*/
public static Validator getValidator(Schema schema)
throws SAXNotRecognizedException, SAXNotSupportedException
{
Validator v = schema.newValidator();
v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
return v;
}
/**
* Returns an initialized {@link SAXParserFactory} ready to use, configured with security features
* preventing several XXE attacks.
*
* @return the parser factory
* @throws SAXNotRecognizedException
* @throws SAXNotSupportedException
* @throws ParserConfigurationException
*/
public static SAXParserFactory getSAXParserFactory()
throws SAXNotRecognizedException, SAXNotSupportedException, ParserConfigurationException
{
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
return spf;
}
}
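Review bot: `getSAXParserFactory()` is hardened less consistently than `getDocumentBuilder()`: it sets only `external-general-entities` and `disallow-doctype-decl`, but omits `XMLConstants.FEATURE_SECURE_PROCESSING`, `external-parameter-entities`, `nonvalidating/load-external-dtd` and `setXIncludeAware(false)`. Disallowing the DOCTYPE already blocks entity declarations, but the remaining flags are cheap defence in depth and keep all five factories aligned; apply the same feature set here, and consider a unit test that feeds a document with a DOCTYPE to each factory and asserts it is rejected, so a later refactor cannot silently drop one of these settings.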
version: '3'
services:
eidas-demo-application:
image: "governikus/eidas-demo-application:1.0.6"
image: "governikus/eidas-demo-application:1.0.7"
ports:
- "8080:8080"
volumes:
......
FROM governikus/eidas-base-container:1.0.6
FROM governikus/eidas-base-container:1.0.7
MAINTAINER Benny Prange <benny.prange@governikus.de>
# NOTE: Some ENV variables are set in the parent "eidas-base-image"
......
......@@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>1.0.6</version>
<version>1.0.7</version>
</parent>
<artifactId>eidas-demo</artifactId>
......
......@@ -20,11 +20,9 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.bind.DatatypeConverter;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
......@@ -293,10 +291,7 @@ public class NewReceiverServlet
{
Document doc = XMLObjectProviderRegistrySupport.getParserPool().parse(new ByteArrayInputStream(value));
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer trans = transformerFactory.newTransformer();
Transformer trans = Utils.getTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");
ByteArrayOutputStream bout = new ByteArrayOutputStream();
trans.transform(new DOMSource(doc), new StreamResult(bout));
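Review bot: the serialisation now goes through the hardened `Utils.getTransformer()`, but the line above still parses the incoming bytes with `XMLObjectProviderRegistrySupport.getParserPool()` rather than the hardened `Utils.getBasicParserPool()` introduced in this commit. Confirm that the pool registered in the OpenSAML registry is initialised with the same features (DOCTYPE disallowed, external entities disabled), or register the hardened pool there; otherwise the XXE protection covers only the output side of this servlet.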
......