v25.0.2

README.md

@@ -16,9 +16,8 @@ The **IDP-Global** project consists of various sub-projects. These are
   <br>
 
 * **IDP-Sektoral:** PoC for a sectoral IDP in the Fast Track context
-* **IDP-Fedmaster:** PoC for a federation master in the context of federated IDPs
 
-The last 2 sub-projects in the list above are not part of the reference implementation published on
+The last sub-project "IDP-Sektoral" in the list above is not part of the reference implementation published on
 github.
 
 ### Idp-Server as docker image
@@ -53,7 +52,7 @@ or use docker compose:
 
 ```console
 $ mvn clean install -pl idp-server -am -Dskip.unittests -Dskip.inttests
-$ export appVersion=25.0.1
+$ export appVersion=25.0.2
 $ export serverLoglevel=info (default)
 $ docker-compose --project-name myidp -f docker-compose-ref.yml up -d
 ```

ReleaseNotes.md

@@ -1,3 +1,10 @@
+# Release 25.0.2
+
+- fix open redirect vulnerability
+- fixes in testsuite and idp-server for cr31
+- update test certificates
+- update dependencies
+
 # Release 25.0.1
 
 - TokenClaimExtraction extended

idp-client/pom.xml

@@ -7,13 +7,13 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>25.0.1</version>
+    <version>25.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <groupId>de.gematik.idp</groupId>
   <artifactId>idp-client</artifactId>
 
-  <version>25.0.1</version>
+  <version>25.0.2</version>
   <packaging>jar</packaging>
 
   <dependencies>

idp-commons/pom.xml

@@ -6,12 +6,12 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>25.0.1</version>
+    <version>25.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <artifactId>idp-commons</artifactId>
 
-  <version>25.0.1</version>
+  <version>25.0.2</version>
 
   <dependencies>
 

idp-commons/src/main/java/de/gematik/idp/IdpConstants.java

@@ -39,15 +39,9 @@ public final class IdpConstants {
   public static final String FED_AUTH_ENDPOINT = "/auth";
   public static final String FED_AUTH_APP_ENDPOINT = "/auth/app";
 
-  public static final String FED_LIST_ENDPOINT = "/federation_list";
-
   public static final String SEKTORAL_IDP_AUTHORIZATION_ENDPOINT = "/authorization";
   public static final String ENTITY_STATEMENT_ENDPOINT = "/.well-known/openid-federation";
-
   public static final String IDP_LIST_ENDPOINT = "/.well-known/idp_list";
-
-  public static final String FEDMASTER_FEDERATION_FETCH_ENDPOINT = "/federation_fetch_endpoint";
-
   public static final String ENTITY_STATEMENT_TYP = "entity-statement+jwt";
 
   public static final String OPENID = "openid";

idp-commons/src/main/java/de/gematik/idp/authentication/AuthenticationChallengeVerifier.java

@@ -25,7 +25,6 @@
 import de.gematik.idp.exceptions.NoNestedJwtFoundException;
 import de.gematik.idp.field.ClaimName;
 import de.gematik.idp.token.JsonWebToken;
-import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.time.ZonedDateTime;
 import java.util.Map;
@@ -36,7 +35,6 @@
 import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
 import org.jose4j.jws.AlgorithmIdentifiers;
-import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.jwt.consumer.JwtConsumer;
 import org.jose4j.jwt.consumer.JwtConsumerBuilder;
 
@@ -64,11 +62,6 @@ public void verifyResponseWithCertAndThrowExceptionIfFail(
     performClientSignatureValidation(authCert, authenticationResponse.getRawString());
   }
 
-  public void verifyResponseWithPublicKeyAndThrowExceptionIfFail(
-      final PublicKey publicKey, final JsonWebToken authenticationResponse) {
-    performClientSignatureValidationWithKey(publicKey, authenticationResponse.getRawString());
-  }
-
   private void performClientSignatureValidation(
       final X509Certificate clientCertificate, final String authResponse) {
     final JwtConsumer serverJwtConsumer =
@@ -88,17 +81,6 @@ private void performClientSignatureValidation(
     }
   }
 
-  private void performClientSignatureValidationWithKey(
-      final PublicKey publicKey, final String authResponse) {
-    final JwtConsumer serverJwtConsumer =
-        new JwtConsumerBuilder().setVerificationKey(publicKey).build();
-    try {
-      serverJwtConsumer.process(authResponse);
-    } catch (final InvalidJwtException e) {
-      throw new ChallengeSignatureInvalidException(e);
-    }
-  }
-
   private void performServerSignatureValidationOfNjwt(final JsonWebToken authenticationResponse) {
     final JsonWebToken serverChallenge =
         authenticationResponse