Release eumw-3.1.0

Author: bennypi

.gitignore

@@ -2,6 +2,7 @@ target/
 packer/
 *Jenkinsfile*
 .hg/
+/helm/
 
 # IntelliJ project files
 *.iml

.hgtags

@@ -88,3 +88,11 @@ d81108e3cb7cf619e4231a71d84317e319fb21d1 eumw-3.0.0-RC6
 02253d61abbe8013d216f4fcdd13dc6fa88c48a1 eumw-3.0.1-RC1
 9e38e2d47e711f0ca27a851302112e8a1703b659 eumw-3.0.1-RC2
 e47ad279d13621f2b75f0d21ff991f89c2dc47af eumw-3.0.1-RC3
+78451b6ef42eafefc8a59f64d96280b0fd25b7f9 eumw-3.0.1
+cf90c08204b82e67f44df5b4a2a2b05d0ebb1e2f eumw-3.1.0-RC1
+cb306bc9c833171c91c68c53af88889159e251bc eumw-3.1.0-RC2
+3a7ef86fd6e3d06189a19f3d4e3699ac16c71b2f eumw-3.1.0-RC3
+00ab59b980e1898b6c7b917302018430482a857b eumw-3.1.0-RC4
+2a5a673eec7f98bb6c01d06ead7dea24afa921fc eumw-3.1.0-RC5
+37226259f9f45fb2dfd85e010b4dffe8875e52fc eumw-3.1.0-RC6
+147895b9dbe033030c2f31e52e6f8ff265e3a8a0 eumw-3.1.0-RC7

README.md

@@ -11,8 +11,8 @@ The signed release artifacts will be released on github as well.
 We are using maven to build and test the software.
 
 To build the software, execute the following command:
-```
-maven clean install
+```console
+$ mvn clean install
 ```
 You can find the compiled JARs in the `target/` directory of each module.
 
@@ -24,11 +24,11 @@ on how to install sphinx on your system.
 
 To create the pdf file, issue the following commands:
 
-```
-cd doc && make clean latexpdf
+```console
+$ (cd doc && make clean latexpdf)
 ```
 
-The created pdf document can be found at `_build/latex/eIDASMiddleware.pdf`.
+The created pdf document can be found at `doc/_build/latex/eIDASMiddleware.pdf`.
 
 ## Documentation
 The user documentation for each release is available in the release artifacts.

configuration-migration/pom.xml

@@ -3,7 +3,7 @@
     <parent>
         <artifactId>eumw</artifactId>
         <groupId>de.governikus.eumw</groupId>
-        <version>3.0.1</version>
+        <version>3.1.0</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 
@@ -19,6 +19,10 @@
             <groupId>de.governikus.eumw</groupId>
             <artifactId>poseidas</artifactId>
         </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>eidas-base-container</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>commons-io</groupId>
@@ -56,6 +60,9 @@
                             <name>governikus/eidas-middleware-configuration-migration:${project.version}
                             </name>
                             <build>
+                                <tags>
+                                    <tag>latest</tag>
+                                </tags>
                                 <contextDir>.</contextDir>
                                 <assembly>
                                     <descriptorRef>artifact</descriptorRef>

configuration-migration/src/main/java/de/governikus/eumw/configuration/migration/models/eidas/ConfigHolder.java

@@ -46,16 +46,6 @@ public class ConfigHolder
    */
   public static final String KEY_APP_SIGN_ALIAS = "MIDDLEWARE_SIGN_ALIAS";
 
-  /**
-   * Pin of the decryption key for the SAML interface
-   */
-  public static final String KEY_APP_CRYPT_PIN = "MIDDLEWARE_CRYPT_PIN";
-
-  /**
-   * Alias of the decryption key for the SAML interface
-   */
-  public static final String KEY_APP_CRYPT_ALIAS = "MIDDLEWARE_CRYPT_ALIAS";
-
   /**
    * Contact Person Details for the idp metadata.xml
    */
@@ -116,20 +106,13 @@ public class ConfigHolder
    */
   private static final String KEY_APP_SIGN_KEY = "MIDDLEWARE_SIGN_KEY";
 
-  /**
-   * Path to the decryption keystore for the SAML interface
-   */
-  private static final String KEY_APP_CRYPT_KEY = "MIDDLEWARE_CRYPT_KEY";
-
   @Getter
   private Properties properties;
 
   private X509Certificate metadataSigner;
 
   private X509KeyPair signKey;
 
-  private X509KeyPair cryptKey;
-
   private EidasContactPerson contactPerson;
 
   private String entityIdInt;
@@ -245,46 +228,6 @@ public String getAppSignatureKeyStoreType()
     return keyStoreFileName.toLowerCase(Locale.GERMAN).endsWith("jks") ? "JKS" : "PKCS12";
   }
 
-  /**
-   * Get the type of the encryption key store
-   *
-   * @return the type of the keystore
-   */
-  public String getAppCryptionKeyStoreType()
-  {
-    String keyStoreFileName = properties.getProperty(KEY_APP_CRYPT_KEY);
-    return keyStoreFileName.toLowerCase(Locale.GERMAN).endsWith("jks") ? "JKS" : "PKCS12";
-  }
-
-  /**
-   * Get the depryption key pair
-   *
-   * @return the decryption key pair
-   * @throws IOException when the key pair cannot be read
-   * @throws GeneralSecurityException when the key pair cannot be loaded
-   */
-  public X509KeyPair getAppDecryptionKeyPair() throws IOException, GeneralSecurityException
-  {
-    if (cryptKey == null)
-    {
-      String keystoreFileName = getCanonicalPath(properties.getProperty(KEY_APP_CRYPT_KEY));
-      try (FileInputStream fis = new FileInputStream(keystoreFileName))
-      {
-        cryptKey = Utils.readKeyAndCert(fis,
-                                        getAppCryptionKeyStoreType(),
-                                        properties.getProperty(KEY_APP_CRYPT_PIN).toCharArray(),
-                                        properties.getProperty(KEY_APP_CRYPT_ALIAS),
-                                        properties.getProperty(KEY_APP_CRYPT_PIN).toCharArray(),
-                                        true);
-        return cryptKey;
-      }
-    }
-    else
-    {
-      return cryptKey;
-    }
-  }
-
   /**
    * Get the contact person from the eidasmiddleware.properties
    *

configuration-migration/src/main/java/de/governikus/eumw/configuration/migration/service/ConfigurationMigrationService.java

@@ -185,20 +185,6 @@ private EidasMiddlewareConfig.EidasConfiguration migrateEidasProperties(ConfigHo
       log.error("Cannot migrate eidas middleware signature keystore", e);
     }
     try
-    {
-      String decryption = createAndGetKeyStoreName(configHolder,
-                                                   configHolder.getAppCryptionKeyStoreType(),
-                                                   ConfigHolder.KEY_APP_CRYPT_ALIAS,
-                                                   ConfigHolder.KEY_APP_CRYPT_PIN,
-                                                   "Decryption",
-                                                   configHolder.getAppDecryptionKeyPair());
-      eidasConfiguration.setDecryptionKeyPairName(decryption);
-    }
-    catch (Exception e)
-    {
-      log.error("Cannot migrate eidas middleware decryption keystore", e);
-    }
-    try
     {
       CertificateType metadataSignatureVerifyCertificate = new CertificateType(METADATA_SIGNATURE_VERIFICATION_CERTIFICATE,
                                                                                configHolder.getMetadataSignatureCert()

configuration-migration/src/test/java/de/governikus/eumw/configuration/migration/service/ConfigurationMigrationServiceTest.java

@@ -46,8 +46,6 @@ class ConfigurationMigrationServiceTest
 
   private static final String MIDDLEWARE_SIGNING_KEY_PAIR = "middlewareSigningKeyPair";
 
-  private static final String MIDDLEWARE_DECRYPTION_KEY_PAIR = "middlewareDecryptionKeyPair";
-
   private static final String BLACK_LIST_TRUST_ANCHOR = "BlackListTrustAnchor";
 
   private static final String MASTER_LIST_TRUST_ANCHOR = "MasterListTrustAnchor";
@@ -96,9 +94,9 @@ void testMigrateOldConfigWithOutHsm() throws Exception
     List<CertificateType> certificates = eidasMiddlewareConfig.getKeyData().getCertificate();
     Assertions.assertEquals(10, certificates.size());
     List<KeyStoreType> keyStores = eidasMiddlewareConfig.getKeyData().getKeyStore();
-    Assertions.assertEquals(13, keyStores.size());
+    Assertions.assertEquals(12, keyStores.size());
     List<KeyPairType> keyPairs = eidasMiddlewareConfig.getKeyData().getKeyPair();
-    Assertions.assertEquals(13, keyPairs.size());
+    Assertions.assertEquals(12, keyPairs.size());
     Assertions.assertEquals(1, eidasMiddlewareConfig.getEidasConfiguration().getConnectorMetadata().size());
     Assertions.assertEquals("https://localhost:8443", eidasMiddlewareConfig.getServerUrl());
     TimerConfigurationType timerConfiguration = eidasMiddlewareConfig.getEidConfiguration().getTimerConfiguration();
@@ -155,8 +153,7 @@ void testMigrateOldConfigWithOutHsm() throws Exception
     Assertions.assertEquals(30, eidasMiddlewareConfig.getEidasConfiguration().getMetadataValidity());
     Assertions.assertNotNull(eidasMiddlewareConfig.getEidasConfiguration().getContactPerson());
     Assertions.assertNotNull(eidasMiddlewareConfig.getEidasConfiguration().getOrganization());
-    Assertions.assertEquals(MIDDLEWARE_DECRYPTION_KEY_PAIR,
-                            eidasMiddlewareConfig.getEidasConfiguration().getDecryptionKeyPairName());
+    Assertions.assertNull(eidasMiddlewareConfig.getEidasConfiguration().getDecryptionKeyPairName());
     Assertions.assertEquals(MIDDLEWARE_SIGNING_KEY_PAIR,
                             eidasMiddlewareConfig.getEidasConfiguration().getSignatureKeyPairName());
     Assertions.assertEquals(METADATA_SIGNATURE_VERIFICATION_CERTIFICATE,
@@ -180,7 +177,6 @@ void testMigrateOldConfigWithOutHsm() throws Exception
     assertKeyPairAndKeyStore(keyPairs, keyStores, "TestbedERSADvcaClientKeyPair", "TestbedERSADvcaKeyStore");
     assertKeyPairAndKeyStore(keyPairs, keyStores, "TestbedFDvcaClientKeyPair", "TestbedFDvcaKeyStore");
     assertKeyPairAndKeyStore(keyPairs, keyStores, "TestbedGDvcaClientKeyPair", "TestbedGDvcaKeyStore");
-    assertKeyPairAndKeyStore(keyPairs, keyStores, MIDDLEWARE_DECRYPTION_KEY_PAIR, "middlewareDecryption", MIDDLEWARE);
     assertKeyPairAndKeyStore(keyPairs, keyStores, MIDDLEWARE_SIGNING_KEY_PAIR, "middlewareSigning", MIDDLEWARE);
   }
 
@@ -217,9 +213,9 @@ void testMigrateOldConfigWithHsm() throws Exception
     List<CertificateType> certificates = eidasMiddlewareConfig.getKeyData().getCertificate();
     Assertions.assertEquals(4, certificates.size());
     List<KeyStoreType> keyStores = eidasMiddlewareConfig.getKeyData().getKeyStore();
-    Assertions.assertEquals(1, keyStores.size());
+    Assertions.assertTrue(keyStores.isEmpty());
     List<KeyPairType> keyPairs = eidasMiddlewareConfig.getKeyData().getKeyPair();
-    Assertions.assertEquals(1, keyPairs.size());
+    Assertions.assertTrue(keyPairs.isEmpty());
     Assertions.assertNull(serviceProviderList.get(0).getClientKeyPairName());
     Assertions.assertNull(eidasMiddlewareConfig.getEidasConfiguration().getSignatureKeyPairName());
   }

databasemigration/pom.xml

@@ -14,7 +14,7 @@
     <parent>
         <artifactId>eumw</artifactId>
         <groupId>de.governikus.eumw</groupId>
-        <version>3.0.1</version>
+        <version>3.1.0</version>
     </parent>
     <artifactId>database-migration</artifactId>
 

distribution/pom.xml

@@ -15,22 +15,51 @@
     <parent>
         <groupId>de.governikus.eumw</groupId>
         <artifactId>eumw</artifactId>
-        <version>3.0.1</version>
+        <version>3.1.0</version>
     </parent>
 
     <artifactId>distribution</artifactId>
-    <version>3.0.1</version>
+    <version>3.1.0</version>
     <packaging>pom</packaging>
 
     <dependencies>
+        <!-- add all eumw modules to create an aggregated jacoco coverage report of all modules -->
         <dependency>
             <groupId>de.governikus.eumw</groupId>
-            <artifactId>eidas-middleware</artifactId>
+            <artifactId>configuration-migration</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>database-migration</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>eidas-common</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>eidas-demo</artifactId>
         </dependency>
         <dependency>
             <groupId>de.governikus.eumw</groupId>
             <artifactId>eidas-demo</artifactId>
         </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>eidas-middleware</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>eidas-starterkit</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>poseidas</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.governikus.eumw</groupId>
+            <artifactId>utils</artifactId>
+        </dependency>
     </dependencies>
 
     <profiles>
@@ -61,6 +90,49 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>coverage</id>
+            <activation>
+                <!-- activate automatically when built on Jenkins build server -->
+                <property>
+                    <name>env.JENKINS_URL</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.jacoco</groupId>
+                        <artifactId>jacoco-maven-plugin</artifactId>
+                        <configuration>
+                            <excludes>
+                                <!-- exclude javassist classes (leads to
+                                    runtime exception in coverage) -->
+                                <exclude>*_javassist_*</exclude>
+                                <exclude>org.springframework.*</exclude>
+                                <exclude>com.gargoylesoftware.*</exclude>
+                            </excludes>
+                        </configuration>
+                        <executions>
+                            <!-- aggregate the reports of the other modules for sonarqube -->
+                            <execution>
+                                <id>report-aggregate</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>report-aggregate</goal>
+                                </goals>
+                                <configuration>
+                                    <dataFileIncludes>
+                                        <dataFileInclude>**/jacoco.exec</dataFileInclude>
+                                    </dataFileIncludes>
+                                    <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate
+                                    </outputDirectory>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 
 </project>

distribution/src/main/assembly/distribution.xml

@@ -25,6 +25,10 @@
     </files>
     <dependencySets>
         <dependencySet>
+            <includes>
+                <include>de.governikus.eumw:eidas-middleware</include>
+                <include>de.governikus.eumw:eidas-demo</include>
+            </includes>
             <useTransitiveDependencies>false</useTransitiveDependencies>
         </dependencySet>
     </dependencySets>

doc/source/chapter/Changelog.rst

@@ -212,3 +212,22 @@ Changelog
     - eIDAS Middleware: Update DVCA server certificate in eIDAS_Middleware_configuration_test.xml
     - Configuration Migration: Fix a bug that migrated the wrong URL for communication with the DVCA for production
       systems.
+
+
+* 3.1.0
+
+    - All components: Code cleanups.
+    - eIDAS Middleware: Using identglue to check the availability of the AusweisApp2.
+    - eIDAS Middleware: Added a timer to renew an expired CVC with a
+      :term:`Request Signer Certificate<Request Signer Certificate>` when the current CVC is expired less than two days.
+        - Added a notification in the Admin-UI to indicate that the renewal will be tried.
+    - eIDAS Middleware: Fix unsuccessful indication of a public service provider on certain conditions.
+    - eIDAS Middleware: Obsolete decryption key pair for SAML has been removed in the Admin-UI.
+    - eIDAS Middleware: The used holder reference will be logged if an CVC request is unsuccessful.
+    - eIDAS Middleware: A sequence number is never reused for CVC requests of a service provider.
+    - eIDAS Demo: Improved design and added decrypted assertion on result page.
+    - eIDAS Middleware: Added support for Brainpool elliptic curves on TLS connections.
+    - eIDAS Middleware: Static resources have been moved from the base path to module specific paths.
+    - eIDAS Middleware: SAML redirect binding has been added.
+    - eIDAS Middleware: Added support for the natural person attribute 'Nationality'.
+

doc/source/chapter/Configuration.rst

@@ -222,8 +222,9 @@ eIDAS SP it is imperative that the name matches the ``providerName`` used in eID
 
 The client authentication key pair is used for the communication to the :term:`Authorization CA`.
 The associated certificate must be given to the :term:`Authorization CA`.
-In case you use a PKCS11 HSM, this key must be stored in the HSM using label and ID identical to
-the ``CVCRefID`` of the :term:`eID Service Provider` (usually the same value as the name).
+In case you use a PKCS11 HSM, this key must be stored in the HSM. It is required that the the label and the ID for the
+certificate and key entry in the HSM are identical. As the ID is a hexadecimal value, use the hex-value of the ASCII
+string.
 
 
 eIDAS