Versions Compared

Old Version 15

changes.mady.by.user Thomas Kilden Nielsen

Saved on

compared with

New Version Current

changes.mady.by.user Jacob Qvortrup

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Navitabs
rootSeal.Java 3 - Leverancebeskrivelse
includeroottrue


 Indledning

Denne omveksling kan modtage et JSON Web Token og omveksle det til en NSP OIO IDWS sikkerhedsbillet.

...

Der findes et komplet eksempel (incl. STS omveksling) sidst på siden.

Eksempel

 JWT Token

Læs JWT Token fra IdP

Et JWT Token der stammer fra en Identity Provider kan Seal.Java parse til en Jwt struktur indeholdende alle oplysninger fra JWT Token:

Code Block
JWTToIdentityTokenRequest request = ...;

String jwt = request.getJsonWebToken();
Jws<Claims> claimsJws = jwtParser.parseClaimsJws(jwt);

Opbyg JWT Token

Seal.Java kan anvendes til at opbygge et JWT Token. Dette vil typisk ske i forbindelse med test.

...

Code Block
String audience = "http://audience.nspoop.dk/dds";

String sub = "urn:dk:healthcare:eid:uuid:global:person:594f7fc0-30cf-4b83-8521-4d3f810b3107";
String acr = "https://data.gov.dk/concept/core/nsis/loa/Substantial";
String cpr = "1111901113";

JwtBuilder builder = Jwts.builder();
String jtph = builder.header()
                .keyId("test_foces3_2027")
                .and().claims()
                .issuer("http://sts-tester")
                .id(UUID.randomUUID().toString())
                .audience().add(audience).and()
                .issuedAt(notBefore)
                .expiration(notOnOrAfter)
                .subject(sub)
                .add("scope", "clear sosi-sts ignoredScope")
                .add("system_name", "MyTestSystem")
                .add("auth_time", String.valueOf(notBefore))
                .add("acr", acr)
                .add("iss-policy", "urn:dk:sundhed:oidc:policy_strict")
                .add("cpr", cpr)
                .add("cpr_uuid", "594f7fc0-30cf-4b83-8521-4d3f810b3107")
                .add("over_15", "true")
                .and().signWith(SignatureAlgorithm.RS256, signingVault.getSystemCredentialPair().getPrivateKey())
                .compact();

STS Request

Det samlede STS request med et JWT Token (JTP-H profil) opbygges på denne måde.

...

Nu vil en STS kunne modtage det og veksle det til et NSP OIO IDWS Identity Token. Eksempel på hvordan Seal.Java kan anvendes til denne omveksling findes her: Seal.Java 3 - Guide til anvendere (STS) - JSON Web token (JWT) til OIO IDWS token

Request som stream

En consumer vil typisk have et JWT Token som en stream der kan sendes direkte til en STS. Dette vil man selv kunne deserialisere hvis man vil se indholdet:

...

Værdien af BinarySecurityToken indeholder JWT Token og det kan parses her: https://www.jwt.io/. Hvis det er signeret med en private key kan signaturen valideres vha den tilhørende public key.

STS Response

Når consumeren modtager svaret fra STS, så skal det først indlæses i et W3C Document:

...

Code Block
// Hent Identity Token fra STS svar
IdentityToken identityTokenResponse = consumerStsResponse.getIdentityToken();

// Verificer at det er et IDWS Identity Token samt at værdierne for de to attributter AudienceRestriction og Cpr er som forventet:
Assert.assertEquals("DK-SAML-2.0", identityTokenResponse.getSpecVersion());
Assert.assertEquals("http://audience.nspoop.dk/dds", identityTokenResponse.getAudienceRestriction());
Assert.assertEquals(cpr, identityTokenResponse.getCpr());

Service Request

Når vi har STS svaret kan service requestet opbygges:

...

Code Block
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:sbf="urn:liberty:sb" xmlns:sbfprofile="urn:liberty:sb:profile"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
        <wsse:Security mustUnderstand="1" wsu:Id="security">
            <wsu:Timestamp wsu:Id="ts">
                <wsu:Created>2025-10-01T08:22:32Z</wsu:Created>
            </wsu:Timestamp>
            <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
                ID="_e4a54ff4-105c-4182-9774-4b19cb874694" IssueInstant="2025-10-01T08:15:08Z"
                Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
                <ds:Signature Id="OCESSignature">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <ds:Reference URI="#_e4a54ff4-105c-4182-9774-4b19cb874694">
                            <ds:Transforms>
                                <ds:Transform
                                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <ds:DigestValue>t4wqMk/MRNJ1xydWLiqKNpBlmHc=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>
                        NqvsqcfcxsvnupApj+gwHgQ7eQWA5puAqvk4FCFOedhfpu6Pd9vMlEW6NSEXBsOBHGQnHgcgRyWGXdPOggjSVuF21h4LcP2QTZ+IVyQEnKANInqmZ9pvVtYowA9yGZizRRAvdVDizcrb/vBfPozrqfGE0hoVeGWJgs9CycOZgNWibRR/0wv+VLHaLF5ihnuv1FJHkC+gS5M0bNL/3547fB9U5Kjj3ViV/I2pH5gB3kh9nZSmyDtB5+XndNioQgH4nx86rjSVIU4JuTsRUTMBtEkA7T5IRuD6etjaz2TRxDLOURxDA7SakVzi3bEowrMi9Pq8qJ5NxIxaYUzIYNHxYkzj8Ora26bNOH7YMI38s2N6D8ZXQHunQ1wzZwKbSafftASRU+wDHYb0IlTuswgCbXb9vSRYU357ZnEBWDsRiK9EpH1tpGspS3CcKMEbq7akeLr+gFhtFoPbGMZRiH0QxRi3Tkys0robLF+4UBawA/JAfNy8TmofD6gJhg50iJzO</ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>
                                MIIGiDCCBLygAwIBAgIUR5IfpZdXnxp/UHxA0KWAcKzWcm4wQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMGsxLTArBgNVBAMMJERlbiBEYW5za2UgU3RhdCBPQ0VTIHVkc3RlZGVuZGUtQ0EgMTETMBEGA1UECwwKVGVzdCAtIGN0aTEYMBYGA1UECgwPRGVuIERhbnNrZSBTdGF0MQswCQYDVQQGEwJESzAeFw0yMzA1MTIxMTIzMDFaFw0yNjA1MTExMTIzMDBaMIGeMR0wGwYDVQQDDBRTT1NJIFRlc3QgRmVkZXJhdGlvbjE3MDUGA1UEBRMuVUk6REstTzpHOjU4ZjEwNDNkLTNkMmYtNGRlZC1hYjUwLTk0MGRiNDc3NmExODEeMBwGA1UECgwVU3VuZGhlZHNkYXRhc3R5cmVsc2VuMRcwFQYDVQRhDA5OVFJESy0zMzI1Nzg3MjELMAkGA1UEBhMCREswggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCDqOcDXr2tsBXp3QqYpoZCyJAJQ4+rEtmOLJL/Qyol+5e2NyBOqIGdpXdcSI6hCTYEQu/67EDFRcO9yU6yD/u7xOcy+t3eCqx1ydOy20AZCdcKwRmxBzyQN5er+mBErG2+iprTWJdpwCw0mwjNt5edusm7Nwufk0AkN5nxvEEynwesTdTqgLzL99Jk1zdg0uokROg1s13CCvpenYks8+yXwgddO/36WmUn9V8N+1MIu+UpwsULB9zsNCU8qlDzlgg1u6nr8nnKTBBwT2mXl4xCOF2EEJF5lGUaJ+NOu/ljI2WN2pEUsiqpZPvsI14teJKucH4zCV2y7PhyCBacuti7rEZjuZ6ELeTiUvgs+TqqTFGn3dxCq6FOgz5z5N2ypPTPzg/ntBH0CqkjFn+loh5GIBcA8ff5AHNjqM3Ygu/u1p+BwszeGJLAwk0AUtp67aB4QBGuh73vWsaeERwg4Hc1HeNldv/I4iyMQFlp1qsZoAC6cApeoM6umihYcTfi7rMCAwEAAaOCAYYwggGCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUfyif2XGZQuJ159c1di5NCCVtdl4wewYIKwYBBQUHAQEEbzBtMEMGCCsGAQUFBzAChjdodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2Nlcy9pc3N1aW5nLzEvY2FjZXJ0L2lzc3VpbmcuY2VyMCYGCCsGAQUFBzABhhpodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2NzcDAhBgNVHSAEGjAYMAgGBgQAj3oBATAMBgoqgVCBKQEBAQMHMDsGCCsGAQUFBwEDBC8wLTArBggrBgEFBQcLAjAfBgcEAIvsSQECMBSGEmh0dHBzOi8vdWlkLmdvdi5kazBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2Nlcy9pc3N1aW5nLzEvY3JsL2lzc3VpbmcuY3JsMB0GA1UdDgQWBBQoPAINYQR2GfgN1KAQMauutePL6jAOBgNVHQ8BAf8EBAMCBaAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBgQC31Dtgc8+hxB0v+/RL1N3SsyfIxKNVJBhkl2Rfihn700Or5E+0ETyP8mV8MadraDBDYbwMkd3TNOzuF6Ct8c4X5mv+XKr8m0eDPlh7I7mMZ5zzpVw5Co4Wiwwiv9Hb59P/c182FaSPAA1bpmko9AH+duPcquiQELoSRfqW23B2cejACd95XbyXQVFdbCdhyCGAexbJ4egChJsXPU2zAOXq1/pa5bNSmJMsJgqP36bTbA6r+mjv0FArkrL76W1kmchpj6F4tSuDaaJlUmKvmzzBomwhlQRr/vxZc0FOamnJ8is9wC49tOaEMUx2l2iSWZKXMh4C6LQC8hQsjiXnYsERAWgeqwzqtVE3iKaGhOv+W7ECKFndGjYM95bdVK8x9BymTrPun63BCiVGqhMzsEc2RkvbKgBpb7L+Ont0EAahwcTshBzfe0jhA2thWHNGFxXpNqI0ZaAo/NKJpHK3I0EACAB0/VjiQZ/inSKtPnof1/nQZ32QWX3ij0VkX2mE2Pw=</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
                        dk:gov:saml:attribute:CprNumberIdentifier:0311800590</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                        <saml:SubjectConfirmationData NotOnOrAfter="2025-10-01T09:05:08Z"
                            Recipient="https://fsk">
                            <ds:KeyInfo>
                                <ds:X509Data>
                                    <ds:X509Certificate>
                                        MIIGjTCCBMGgAwIBAgIUFy4h2LTxF4eZW2LC1kay4XM2HOkwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMGsxLTArBgNVBAMMJERlbiBEYW5za2UgU3RhdCBPQ0VTIHVkc3RlZGVuZGUtQ0EgMTETMBEGA1UECwwKVGVzdCAtIGN0aTEYMBYGA1UECgwPRGVuIERhbnNrZSBTdGF0MQswCQYDVQQGEwJESzAeFw0yMjExMjkwOTMwMjVaFw0yNTExMjgwOTMwMjRaMIGjMSIwIAYDVQQDDBlOU1AgVGVzdCBTZXJ2aWNlIENvbnN1bWVyMTcwNQYDVQQFEy5VSTpESy1POkc6OGQzZmEwNDctYzc3ZS00N2U0LWJkZDItZTkxNDg4NjEwY2U2MR4wHAYDVQQKDBVTdW5kaGVkc2RhdGFzdHlyZWxzZW4xFzAVBgNVBGEMDk5UUkRLLTMzMjU3ODcyMQswCQYDVQQGEwJESzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALyJRrV1jHkQtPZ5Yb1BQsVv7CsH2G7xMebZh6o7Opm/Pb2+u8QKnPK2dkPXtFDn4efC6adwMN7EeDulIOC+6S/2yNcUQvD9Nbk40TBX6wqHjcQoMA9a725m1cqQiHPGxlHhQVMRzeJLjpEVnkdush3NCZFfndu48bdtsxM2n6sJgB3wJhvVAb8PdABfZETRcpMVIU8gBEWhMFHZhKlzmZqPUf7OQCtF2Hd1N7F4Qzus/NCP98p9z92h07sVprZD8iwWLlN9GukssDoZTbHpYmeFRE74WnxibQwau8FRFXxHZVSMQ+b3rOPLw0fLL09wDIDcBdJZyK2S/qHWzCfxxNwUCMd5g5aEvXElxiVnNdSBNVz+9phvMz3T66Za64DxFbQ/cfQcCJgSQyGpGpAOEuv2Rl9xxiNHFkoYVTR85bsHPFm6zda7/WSRZbjrhWRsbcTNunu+ucK1STkb0jiupk951zwlGN/HFGPtYP6GEMbaln01Rc7XrQDO7Rc4VKBVlwIDAQABo4IBhjCCAYIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR/KJ/ZcZlC4nXn1zV2Lk0IJW12XjB7BggrBgEFBQcBAQRvMG0wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYTEuY3RpLWdvdi5kay9vY2VzL2lzc3VpbmcvMS9jYWNlcnQvaXNzdWluZy5jZXIwJgYIKwYBBQUHMAGGGmh0dHA6Ly9jYTEuY3RpLWdvdi5kay9vY3NwMCEGA1UdIAQaMBgwCAYGBACPegEBMAwGCiqBUIEpAQEBAwcwOwYIKwYBBQUHAQMELzAtMCsGCCsGAQUFBwsCMB8GBwQAi+xJAQIwFIYSaHR0cHM6Ly91aWQuZ292LmRrMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jYTEuY3RpLWdvdi5kay9vY2VzL2lzc3VpbmcvMS9jcmwvaXNzdWluZy5jcmwwHQYDVR0OBBYEFFNN5GI5Bd91v2k+3gh2tB79kMiJMA4GA1UdDwEB/wQEAwIFoDBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggGBAAg7zaoHb0a4EKKoVc2SVcp6/x4Np2CfUmduosmoWxd5SboR2NV93MinTkhJRLPXjTYjETLKLNbmgrDm1oFtnw4rVRdKtpy06D0Zh5hKmR3KDjfXt/+KiHtjqs5fmB8GVo3TxFHGnS4sOmph6l/KG4tOPhMabVWcX7vJQfIBVJMak1QHWzig4ooREvupqefYTpvP13GIG4DsyRabAlR2M3pyvdrSAU899gxASvWI6LBQlEdd4tPodAvdEEb3fHS2pnWmI56Im881jOdVtmmjWMCyPD4kP6SaBUxs7XhqZMwH8X98d5NMwPUYyyKwOVJfPrsWdfhupshcdyn2AWpVLU5GfhdRkmSdLdTKzzJOt7pPH+fS95R5MyV0febSJnSOXgNq7ICdQdiKO/HQ8/zmePRq8Ax/7DGrEA0zXENH2un6AV+7bZtELmNoU+B0MoN/AuSteAxmfTTnc8Xu45rTIXh3Vx1OS3NFggGSBvawlVkE7kWKej3o2sKtfot8a+ILzw==</ds:X509Certificate>
                                </ds:X509Data>
                            </ds:KeyInfo>
                        </saml:SubjectConfirmationData>
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Conditions NotBefore="2025-10-01T08:10:08Z"
                    NotOnOrAfter="2025-10-01T09:05:08Z">
                    <saml:AudienceRestriction>
                        <saml:Audience>https://fsk</saml:Audience>
                    </saml:AudienceRestriction>
                </saml:Conditions>
                <saml:AttributeStatement>
                    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xsi:type="xs:string">0311800590</saml:AttributeValue>
                    </saml:Attribute>
                </saml:AttributeStatement>
            </saml:Assertion>
            <wsse:SecurityTokenReference
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wsswssecurity-secext-1.1.xsd"
                wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                wsu:Id="str">
                <wsse:KeyIdentifier
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                    _e4a54ff4-105c-4182-9774-4b19cb874694</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
            <ds:Signature>
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#body">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>yk1iAXsw+8ZSLDSlnTBOEJEM+Gc=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#ts">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>sTpOwvgImpB/toJAiVXXKeqJsO0=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#str">
                        <ds:Transforms>
                            <ds:Transform
                                Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <ds:CanonicalizationMethod
                                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                </wsse:TransformationParameters>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>7zf4yqsN62tK01yUYc/CQ3M6SDE=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#messageID">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>bJqALBV6n3SdL2q4IUc4OcTY4rY=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#action">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>EPsXDrW02TuinvrWfcD9St3Tprc=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#sbf">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>DrMuEoWp7Uik1KTUOuvtisxvpXA=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    jDGK+H6wI66iDjACIvk7t8H/kuYuhvQyOHOveKMRSnjx2GiRiu3Op/apOuN20rlXO4SPdIqEVq5+4k0T01ME/YKm+lMr/+WX4laiq3A8nTOXGW/WxcAdpAifAExPcv0P3CSSrJEIDe+99J8rIG+5jYmNJwYRx2JLl4vKiCwOLkpFQDyNy6msP1timt7e0UG9RWu7tg6gxsMk11RfIQcKiqsqFwWappfc2iBvYZ6TCp7nfn2AWWKkcyU9w6KPex+EU4AsIwxmFMgVrnZ4C2hXF6nXQ60/YJBLAfcX8cWQLtjpb0uu8AIe/5rylrd+GBm6ds0qmFe6gsrJlAfGaL25zoYih36eRakpMX0qq+gppMdzLjXP6WxokG1VLs9z1rNrZw4mPiGQf48znFYlHIxlkbMm8RYFboKMCzELtWxlJzU7AE5ZGPtTOPUv+lWp3p1KPC/eMzyMYYToL4ntPcjF7A3OuGMQdUo9sQuAG54g4oLEOIzO08JM08hugBrlpH97</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wsswssecurity-secext-1.1.xsd"
                        wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                        wsu:Id="sigStr">
                        <wsse:KeyIdentifier
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                            _e4a54ff4-105c-4182-9774-4b19cb874694</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
        <wsa:MessageID wsu:Id="messageID">d3a32a85-63d2-4e53-8067-3ce144b83180</wsa:MessageID>
        <wsa:Action wsu:Id="action">
            http://sundhedsdatastyrelsen.dk/fsk/2019/08/01#GetPersonalDataCard</wsa:Action>
        <sbf:Framework sbfprofile:profile="urn:liberty:sb:profile:basic" version="2.0" wsu:Id="sbf" />
    </soapenv:Header>
    <soapenv:Body wsu:Id="body">
        ...
    </soapenv:Body>
</soapenv:Envelope>

Service Response

Seal.Java kan nu benyttes til at validere det samlede response fra servicen. Ved kald til en IDWS service kan man vha. kald til Seal.Java tjekke om svaret indeholder en fejl og evt. fejlbesked og fejlkode.

...

Code Block
Federation federation = new SOSITestFederation(new Properties());

OIOBootstrapToIdentityTokenResponse response = new OIOBootstrapToIdentityTokenResponseModelBuilder().build(serviceConsumerResponseDocument);

// Verify IDWS service response for errors
if (response.isFault()) {
   log.error("Response error: " + response.getFaultString() + ", error code: " + response.getFaultCode());
   return false;
}

// Validate IDWS service response
try {
   response.validateSignature();
   response.validateSignatureAndTrust(federation);
} catch (ModelBuildException e) {
   log.error("Validation error: " + e.getMessage());
   return false;
}

return true;


Komplet eksempel (incl. STS delen)


Code Block
collapsetrue
public class TestFactoryFlow {

    @Test
    public void testJWT2Idws() {

        /**
         * Consumer sender request
         */

        // CredentialVault og Factory
        CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat");
        CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
        OIOSAMLFactory factory = new OIOSAMLFactory();

        // Byg Jwt token (JTP-H profil)
        String audience = "http://audience.nspoop.dk/dds";

        String sub = "urn:dk:healthcare:eid:uuid:global:person:594f7fc0-30cf-4b83-8521-4d3f810b3107";
        String acr = "https://data.gov.dk/concept/core/nsis/loa/Substantial";
        String cpr = "1111901113";

        JwtBuilder builder = Jwts.builder();
        String jtph = builder.header()
                .keyId("test_foces3_2027")
                .and().claims()
                .issuer("http://sts-tester")
                .id(UUID.randomUUID().toString())
                .audience().add(audience).and()
                .issuedAt(notBefore)
                .expiration(notOnOrAfter)
                .subject(sub)
                .add("scope", "clear sosi-sts ignoredScope")
                .add("system_name", "MyTestSystem")
                .add("auth_time", String.valueOf(notBefore))
                .add("acr", acr)
                .add("iss-policy", "urn:dk:sundhed:oidc:policy_strict")
                .add("cpr", cpr)
                .add("cpr_uuid", "594f7fc0-30cf-4b83-8521-4d3f810b3107")
                .add("over_15", "true")
                .and().signWith(SignatureAlgorithm.RS256, signingVault.getSystemCredentialPair().getPrivateKey())
                .compact();

        // Byg STS request
        JWTToIdentityTokenRequestDOMBuilder requestBuilder = factory.createJWTToIdentityTokenRequestDOMBuilder();

        requestBuilder.setCPRNumberClaim(cpr);

        requestBuilder.setJWTToken(jtph);
        requestBuilder.setSigningVault(signingVault);
        requestBuilder.setAudience(audience);

        Document consumerStsRequestDocument = requestBuilder.build();

        /**
         * Send request over netværk
         */
        String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
        consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);

        /**
         *  STS modtager request
         */
        JWTToIdentityTokenRequest stsRequest = factory.createJWTToIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

        // Her vil STS'en verificere JSon Web Token. I dette eksempel verificeres følgende tre attributter:
        final Jws<Claims> claimsJws = JwtParser(signingVault).parseClaimsJws(stsRequest.getJsonWebToken());
        Assert.assertEquals(sub, claimsJws.getBody().get("sub", String.class));
        Assert.assertEquals(acr, claimsJws.getBody().get("acr", String.class));
        Assert.assertEquals(cpr, claimsJws.getBody().get("cpr", String.class));

        /**
         *  STS bygger response
         */

        // Byg IdentityToken
        CitizenIdentityTokenBuilder identityTokenBuilder = factory.createCitizenIdentityTokenBuilder();
        identityTokenBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
        identityTokenBuilder.setRecipientURL("https://fmk");
        identityTokenBuilder.setIssuer("Issuer");
        identityTokenBuilder.setNotBefore(notBefore);
        identityTokenBuilder.setNotOnOrAfter(notOnOrAfter);
        identityTokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        identityTokenBuilder.setCprNumberAttribute(cpr);
        identityTokenBuilder.setSubjectNameID("SubjectNameID");
        identityTokenBuilder.setSubjectNameIDFormat("SubjectNameIDFormat");
        identityTokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
        identityTokenBuilder.setSigningVault(signingVault);

        IdentityToken identityToken = identityTokenBuilder.build();

        // Byg STS response
        JWTToIdentityTokenResponseDOMBuilder responseBuilder = factory.createJWTToIdentityTokenResponseDOMBuilder();
        responseBuilder.setIdentityToken(identityToken);
        responseBuilder.setSigningVault(holderOfKeyVault);
        responseBuilder.setRelatesTo("relatesTo");
        responseBuilder.setContext("context");

        Document consumerStsResponseDocument = responseBuilder.build();

        /**
         *  Send response over netværk
         */
        String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
        consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);

        /**
         *  Consumer modtager response
         */
        JWTToIdentityTokenResponse consumerStsResponse = factory.createJWTToIdentityTokenResponseModelBuilder().build(consumerStsResponseDocument);

        IdentityToken identityTokenResponse = consumerStsResponse.getIdentityToken();
        Assert.assertEquals("DK-SAML-2.0", identityTokenResponse.getSpecVersion());
        Assert.assertEquals("http://audience.nspoop.dk/dds", identityTokenResponse.getAudienceRestriction());
        Assert.assertEquals(cpr, identityTokenResponse.getCpr());
    }

    private static JwtParser JwtParser(CredentialVault signingVault) {
        return Jwts.parser()
                .setSigningKeyResolver(new SigningKeyResolver() {
                    @Override
                    public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                        return signingVault.getSystemCredentialPair().getCertificate().getPublicKey();
                    }

                    @Override
                    public Key resolveSigningKey(JwsHeader jwsHeader, byte[] bytes) {
                        throw new UnsupportedOperationException("Method not implemented");
                    }
                })
                .build();
    }


}

...