summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/pom.xml10
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java78
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java38
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java22
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java58
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.crt3
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.jws1
-rw-r--r--eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java28
-rw-r--r--eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java8
-rw-r--r--eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java50
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java7
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java20
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java19
-rw-r--r--pom.xml2
14 files changed, 281 insertions, 63 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/pom.xml b/eaaf_modules/eaaf_module_auth_sl20/pom.xml
index b40e8add..e67f0dc0 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/pom.xml
+++ b/eaaf_modules/eaaf_module_auth_sl20/pom.xml
@@ -79,6 +79,16 @@
<artifactId>provider</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>iaik.prod</groupId>
+ <artifactId>iaik_jce_full</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>iaik.prod</groupId>
+ <artifactId>iaik_eccelerate</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java
index d8c39931..48b10580 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java
@@ -2,12 +2,19 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils;
import java.io.IOException;
import java.security.Key;
+import java.security.KeyFactory;
import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
import java.security.Provider;
+import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@@ -15,13 +22,8 @@ import java.util.Map.Entry;
import javax.annotation.Nonnull;
-import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
-
import org.apache.commons.lang3.StringUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jose4j.jca.ProviderContext;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
@@ -32,6 +34,11 @@ import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.springframework.util.Base64Utils;
+import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
@@ -45,6 +52,8 @@ import lombok.extern.slf4j.Slf4j;
@Slf4j
public class JoseUtils {
+ private static final Provider provider = new BouncyCastleProvider();
+
/**
* Create a JWS signature.
*
@@ -161,7 +170,10 @@ public class JoseUtils {
// set signing information
final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
keyStore.getFirst(), keyAlias, keyPassword, true, friendlyNameForLogging);
- jws.setKey(signingCred.getFirst());
+
+ // set verification key
+ jws.setKey(convertToBcKeyIfRequired(signingCred.getFirst()));
+
jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(
jws.getKey(), rsaAlgToUse, eccAlgToUse, friendlyNameForLogging));
@@ -173,7 +185,7 @@ public class JoseUtils {
keyStore.getSecond().getName());
jws.setProviderContext(providerCtx);
- }
+ }
if (addFullCertChain) {
jws.setCertificateChainHeaderValue(signingCred.getSecond());
@@ -216,6 +228,8 @@ public class JoseUtils {
log.trace("Sorting received X509 certificates ... ");
final List<X509Certificate> sortedX5cCerts = X509Utils.sortCertificates(x5cCerts);
+
+
if (trustedCerts.contains(sortedX5cCerts.get(0))) {
selectedKey = sortedX5cCerts.get(0).getPublicKey();
@@ -247,10 +261,10 @@ public class JoseUtils {
throw new JoseException("Can NOT select verification key for JWS. Signature verification FAILED");
}
-
+
// set verification key
- jws.setKey(selectedKey);
-
+ jws.setKey(convertToBcKeyIfRequired(selectedKey));
+
// load payLoad
return new JwsResult(
jws.verifySignature(),
@@ -260,6 +274,48 @@ public class JoseUtils {
}
+
+ /**
+ * Convert an ECC public-key into BouncyCastle implementation.
+ *
+ * <p> IAIK JCE / Eccelerate ECC Keys are not compatible to JWS impl.</p>
+ * @param input Key
+ * @return input Key, or BC ECC-Key in case of a ECC Key
+ */
+ public static Key convertToBcKeyIfRequired(Key input) {
+ try {
+ if (input instanceof ECPublicKey
+ && "iaik.security.ec.common.ECPublicKey".equals(input.getClass().getName())) {
+
+ //convert Key to BouncyCastle KeyImplemenation because there is an
+ //incompatibility with IAIK EC Keys and JWS signature-verfification implementation
+ PublicKey publicKey = KeyFactory.getInstance(
+ input.getAlgorithm(), provider).generatePublic(
+ new X509EncodedKeySpec(input.getEncoded()));
+ return publicKey;
+
+ } else if (input instanceof ECPrivateKey
+ && "iaik.security.ec.common.ECPrivateKey".equals(input.getClass().getName())) {
+ //convert Key to BouncyCastle KeyImplemenation because there is an
+ //incompatibility with IAIK EC Keys and JWS signature-creation implementation
+ Key privateKey = KeyFactory.getInstance(
+ input.getAlgorithm(), provider).generatePrivate(
+ new PKCS8EncodedKeySpec(input.getEncoded()));
+
+ return privateKey;
+
+ }
+
+ } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+ log.warn("Can NOT convert {} to {}. The verification may FAIL.",
+ input.getClass().getName(), PublicKey.class.getName(), e);
+
+ }
+
+ return input;
+
+ }
+
/**
* Select signature algorithm for a given credential.
*
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 10cfeafa..27f06276 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -13,24 +13,6 @@ import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
-import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException;
-import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult;
-
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jca.ProviderContext;
import org.jose4j.jwa.AlgorithmConstraints;
@@ -50,6 +32,24 @@ import org.springframework.util.Base64Utils;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.databind.JsonNode;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
+import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult;
+
@Service
public class JsonSecurityUtils implements IJoseTools {
private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class);
@@ -269,7 +269,7 @@ public class JsonSecurityUtils implements IJoseTools {
}
// set key
- receiverJwe.setKey(encryptionCred.getFirst());
+ receiverJwe.setKey(JoseUtils.convertToBcKeyIfRequired(encryptionCred.getFirst()));
// decrypt payload
return mapper.getMapper().readTree(receiverJwe.getPlaintextString());
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
index 917ef1e0..8516a0ed 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -9,15 +9,6 @@ import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
-
import org.apache.commons.lang3.RandomStringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jose4j.base64url.Base64Url;
@@ -38,6 +29,15 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import com.fasterxml.jackson.databind.JsonNode;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
public abstract class AbstractJsonSecurityUtilsTest {
@@ -78,7 +78,7 @@ public abstract class AbstractJsonSecurityUtilsTest {
final JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
- jwe.setKey(joseTools.getEncryptionCertificate().getPublicKey());
+ jwe.setKey(JoseUtils.convertToBcKeyIfRequired(joseTools.getEncryptionCertificate().getPublicKey()));
jwe.setX509CertSha256ThumbprintHeaderValue(joseTools.getEncryptionCertificate());
jwe.setPayload(payLoad);
@@ -141,7 +141,7 @@ public abstract class AbstractJsonSecurityUtilsTest {
final JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
- jwe.setKey(key.getSecond()[0].getPublicKey());
+ jwe.setKey(JoseUtils.convertToBcKeyIfRequired(key.getSecond()[0].getPublicKey()));
jwe.setPayload(payLoad);
// set special provider if required
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java
new file mode 100644
index 00000000..7771ce60
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java
@@ -0,0 +1,58 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.utils;
+
+import java.io.IOException;
+import java.security.NoSuchProviderException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.io.IOUtils;
+import org.jose4j.jwa.AlgorithmConstraints;
+import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class JoseUtilsTest {
+
+ private static final List<String> BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList(
+ Arrays.asList(
+ AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256,
+ AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512,
+ AlgorithmIdentifiers.RSA_PSS_USING_SHA256,
+ AlgorithmIdentifiers.RSA_PSS_USING_SHA512));
+
+ @Test
+ public void testBindingAuthBlock() throws JoseException, IOException, CertificateException, NoSuchProviderException {
+
+ final String serializedContent = IOUtils.toString(JoseUtils.class.getResourceAsStream(
+ "/data/bindingAuth1.jws"), "UTF-8");
+
+ final iaik.x509.X509Certificate trustedCert = new iaik.x509.X509Certificate(JoseUtils.class
+ .getResourceAsStream("/data/bindingAuth1.crt"));
+
+ final List<X509Certificate> trustedCerts = Arrays.asList(trustedCert);
+ final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT,
+ BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING
+ .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()]));
+
+ final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts, constraints);
+
+ Assert.assertNotNull("JWS verify result", result);
+ Assert.assertTrue("JWS not valid", result.isValid());
+ Assert.assertNotNull("JWS payload", result.getPayLoad());
+ Assert.assertNotNull("JWS Headers", result.getFullJoseHeader());
+ Assert.assertNotNull("JWS Signercerts", result.getX5cCerts());
+ Assert.assertEquals("Signercerts size", 1, result.getX5cCerts().size());
+ Assert.assertArrayEquals("Signercerts", trustedCert.getEncoded(), result.getX5cCerts().get(0).getEncoded());
+
+ }
+}
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.crt
new file mode 100644
index 00000000..11c17e71
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIBXzCCAQWgAwIBAgIIPuBGtvo16nUwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAwwPRHVtbXlQa2lTZXJ2aWNlMB4XDTIwMTAwNzEyMTAyMVoXDTIxMTAwNzEyMTAyMVowUTEpMCcGA1UEAwwgNWMzM2Q3MjdlY2YzZTAyYTE2NmYzYWI2NWZiYTEzOGExFDASBgNVBAoMC0VJRC1ERVYtUEtJMQ4wDAYDVQQLDAVULUVudjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABACA6RBPYIX3i0+TqYq2gb3XAD0B1/tee3/lP8sPc+tt6GFDN0Vsos77VojhRQnGRndmoWi9OW7KS5uQe+5++W8wCgYIKoZIzj0EAwIDSAAwRQIhAO7NlM4YfnapZ9Vam/LF/5ASPGbN4SK0fK4bhGHQw8yIAiB77JHkZIaDtgCcv7CSPf/mvldSf5ViPelhuZBPSLRUsQ==
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.jws b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.jws
new file mode 100644
index 00000000..6ba84d97
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/bindingAuth1.jws
@@ -0,0 +1 @@
+eyJ4NWMiOlsiTUlJQlh6Q0NBUVdnQXdJQkFnSUlQdUJHdHZvMTZuVXdDZ1lJS29aSXpqMEVBd0l3R2pFWU1CWUdBMVVFQXd3UFJIVnRiWGxRYTJsVFpYSjJhV05sTUI0WERUSXdNVEF3TnpFeU1UQXlNVm9YRFRJeE1UQXdOekV5TVRBeU1Wb3dVVEVwTUNjR0ExVUVBd3dnTldNek0yUTNNamRsWTJZelpUQXlZVEUyTm1ZellXSTJOV1ppWVRFek9HRXhGREFTQmdOVkJBb01DMFZKUkMxRVJWWXRVRXRKTVE0d0RBWURWUVFMREFWVUxVVnVkakJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCQUNBNlJCUFlJWDNpMCtUcVlxMmdiM1hBRDBCMVwvdGVlM1wvbFA4c1BjK3R0NkdGRE4wVnNvczc3Vm9qaFJRbkdSbmRtb1dpOU9XN0tTNXVRZSs1KytXOHdDZ1lJS29aSXpqMEVBd0lEU0FBd1JRSWhBTzdObE00WWZuYXBaOVZhbVwvTEZcLzVBU1BHYk40U0swZks0YmhHSFF3OHlJQWlCNzdKSGtaSWFEdGdDY3Y3Q1NQZlwvbXZsZFNmNVZpUGVsaHVaQlBTTFJVc1E9PSJdLCJ0eXAiOiJiaW5kaW5nQXV0aCIsImFsZyI6IkVTMjU2In0.MzIxZmVmYTQtODVkOC00YmE5LWE0MmUtYWY4MzM3YTEyNTA1.diiXXegwv3Gu6ezJRxf7F5BnRxNhTnBXJ0D5RX4OqDxs2QvfzSPA4mOkUed18_56aILMBLVL-XIMszNILfp7OA \ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java
index 7c009b68..e4577cae 100644
--- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java
+++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java
@@ -2,6 +2,7 @@ package at.gv.egiz.eaaf.modules.sigverify.moasig.api;
import java.util.Date;
import java.util.List;
+import java.util.Map;
import at.gv.egiz.eaaf.modules.sigverify.moasig.api.data.ICmsSignatureVerificationResponse;
import at.gv.egiz.eaaf.modules.sigverify.moasig.api.data.IXmlSignatureVerificationResponse;
@@ -115,4 +116,31 @@ public interface ISignatureVerificationService {
List<String> verifyTransformsInfoProfileID, String signatureLocationXpath, Date signingDate)
throws MoaSigServiceException;
+
+ /**
+ * Verify a XML or XAdES signature. <br>
+ * <br>
+ * <i>This method only validates the first XML or XAdES signature if more than
+ * one signature exists</i>
+ *
+ * @param signature Serialized XML or XAdES signature
+ * @param trustProfileID Id of the Trust-Profile from MOA-Sig
+ * configuration
+ * @param verifyTransformsInfoProfileID {@link List} of XML Transformations that
+ * should be used for
+ * signature-verification
+ * @param signatureLocationXpath Xpath that points to location of
+ * Signature element
+ * @param signingDate Signature timestamp
+ * @param supplementContent Map that contains supplement profile content; keyed by references. Each entry
+ * in this map becomes a Content/Base64Content child in the SupplementProfile
+ * node.
+ * @return @link {@link IXmlSignatureVerificationResponse}, or null if no
+ * signature was found
+ * @throws MoaSigServiceException on signatue-verification error
+ */
+ IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature,
+ final String trustProfileID, final List<String> verifyTransformsInfoProfileID,
+ final String signatureLocationXpath, Date signingDate,
+ final Map<String, byte[]> supplementContent) throws MoaSigServiceException;
}
diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java
index ae8c2c97..880b3791 100644
--- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java
+++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java
@@ -49,9 +49,11 @@ public class MoaSigInitializer {
log.info("Initializing MOA-Sig signature-verification service ... ");
log.info("Loading Java security providers.");
- IAIK.addAsProvider();
- ECCelerate.addAsProvider();
-
+ //IAIK.addAsProvider();
+ //ECCelerate.addAsProvider();
+ Security.addProvider(new IAIK());
+ Security.addProvider(new ECCelerate());
+
try {
LoggingContextManager.getInstance().setLoggingContext(new LoggingContext("startup"));
log.debug("MOA-Sig library initialization process ... ");
diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java
index 0818a260..9ee6d0aa 100644
--- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java
+++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java
@@ -2,8 +2,10 @@ package at.gv.egiz.eaaf.modules.sigverify.moasig.impl;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateEncodingException;
+import java.util.Collections;
import java.util.Date;
import java.util.List;
+import java.util.Map;
import javax.annotation.PostConstruct;
@@ -103,7 +105,8 @@ public class SignatureVerificationService extends AbstractSignatureService
@Override
public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature,
final String trustProfileID) throws MoaSigServiceException {
- return verifyXmlSignature(signature, trustProfileID, null, DEFAULT_XPATH_SIGNATURE_LOCATION, null);
+ return verifyXmlSignature(signature, trustProfileID, null, DEFAULT_XPATH_SIGNATURE_LOCATION, null,
+ Collections.EMPTY_MAP);
}
@@ -119,7 +122,7 @@ public class SignatureVerificationService extends AbstractSignatureService
final String trustProfileID, final List<String> verifyTransformsInfoProfileID)
throws MoaSigServiceException {
return verifyXmlSignature(signature, trustProfileID, verifyTransformsInfoProfileID,
- DEFAULT_XPATH_SIGNATURE_LOCATION, null);
+ DEFAULT_XPATH_SIGNATURE_LOCATION, null, Collections.EMPTY_MAP);
}
/*
@@ -133,27 +136,37 @@ public class SignatureVerificationService extends AbstractSignatureService
public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature,
final String trustProfileID, final String signatureLocationXpath)
throws MoaSigServiceException {
- return verifyXmlSignature(signature, trustProfileID, null, signatureLocationXpath, null);
+ return verifyXmlSignature(signature, trustProfileID, null, signatureLocationXpath, null, Collections.EMPTY_MAP);
}
@Override
public IXmlSignatureVerificationResponse verifyXmlSignature(byte[] signature, String trustProfileID,
Date signingDate) throws MoaSigServiceException {
return verifyXmlSignature(signature, trustProfileID, null,
- DEFAULT_XPATH_SIGNATURE_LOCATION, signingDate);
+ DEFAULT_XPATH_SIGNATURE_LOCATION, signingDate, Collections.EMPTY_MAP);
}
+
@Override
public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature,
final String trustProfileID, final List<String> verifyTransformsInfoProfileID,
final String xpathSignatureLocation, Date signingDate) throws MoaSigServiceException {
+ return verifyXmlSignature(signature, trustProfileID, verifyTransformsInfoProfileID, xpathSignatureLocation,
+ signingDate, Collections.EMPTY_MAP);
+ }
+
+ @Override
+ public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature,
+ final String trustProfileID, final List<String> verifyTransformsInfoProfileID,
+ final String xpathSignatureLocation, Date signingDate, final Map<String, byte[]> supplementContent)
+ throws MoaSigServiceException {
try {
// setup context
setUpContexts(Thread.currentThread().getName());
// build signature-verification request
final Element domVerifyXmlSignatureRequest = buildVerifyXmlRequest(signature, trustProfileID,
- verifyTransformsInfoProfileID, xpathSignatureLocation, signingDate);
+ verifyTransformsInfoProfileID, xpathSignatureLocation, signingDate, supplementContent);
// send signature-verification to MOA-Sig
final VerifyXMLSignatureRequest vsrequest =
@@ -262,13 +275,17 @@ public class SignatureVerificationService extends AbstractSignatureService
* used for validation
* @param xpathSignatureLocation Xpath that points to location of
* Signature element
- * @param sigValDate Signature timestamp
+ * @param sigValDate Signature timestamp
+ * @param supplementContent Map that contains supplement profile content; keyed by references. Each entry
+ * in this map becomes a Content/Base64Content child in the SupplementProfile
+ * node. Use this map to specify content of references that the verification
+ * service cannot resolve.
* @return MOA-Sig verification request element
* @throws MoaSigServiceBuilderException In case of an error
*/
private Element buildVerifyXmlRequest(final byte[] signature, final String trustProfileID,
final List<String> verifyTransformsInfoProfileID, final String xpathSignatureLocation,
- Date sigValDate) throws MoaSigServiceBuilderException {
+ Date sigValDate, final Map<String, byte[]> supplementContent) throws MoaSigServiceBuilderException {
try {
// build empty document
final Document requestDoc_ = getNewDocumentBuilder();
@@ -352,6 +369,25 @@ public class SignatureVerificationService extends AbstractSignatureService
trustProfileIdElem.appendChild(requestDoc_.createTextNode(trustProfileID));
requestElem_.appendChild(trustProfileIdElem);
+ // add supplement profile
+ if (!supplementContent.isEmpty()) {
+
+ final Element supplementProfile = requestDoc_.createElementNS(MOA_NS_URI, "SupplementProfile");
+
+ for (Map.Entry<String, byte[]> entry: supplementContent.entrySet()) {
+ String reference = entry.getKey();
+ byte[] contentBytes = entry.getValue();
+ final Element content = requestDoc_.createElementNS(MOA_NS_URI, "Content");
+ content.setAttribute("Reference", reference);
+ final Element b64content = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content");
+ b64content.setTextContent(Base64Utils.encodeToString(contentBytes));
+ content.appendChild(b64content);
+ supplementProfile.appendChild(content);
+ }
+
+ requestElem_.appendChild(supplementProfile);
+ }
+
return requestElem_;
} catch (final Throwable t) {
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java
index 2f058af8..b213425d 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java
@@ -39,4 +39,11 @@ public interface IPvp2MetadataProvider extends ExtendedRefreshableMetadataResolv
@Nullable
EntityDescriptor getEntityDescriptor(@Nonnull String entityID) throws ResolverException;
+
+ /**
+ * Destroy this Metadata resolver, if it supports destroying.
+ *
+ */
+ void doDestroy();
+
}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
index 40448b45..28f5d618 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
@@ -33,13 +33,6 @@ import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.naming.ConfigurationException;
-import at.gv.egiz.components.spring.api.IDestroyableObject;
-import at.gv.egiz.eaaf.core.api.IGarbageCollectorProcessing;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpAddableChainingMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
-
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
@@ -50,6 +43,12 @@ import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import at.gv.egiz.components.spring.api.IDestroyableObject;
+import at.gv.egiz.eaaf.core.api.IGarbageCollectorProcessing;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpAddableChainingMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.IdentifiedComponent;
@@ -464,7 +463,12 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec
final AbstractMetadataResolver httpprovider = (AbstractMetadataResolver) resolver;
log.debug("Destroy metadata resolver with id: {}", httpprovider.getId());
httpprovider.destroy();
-
+
+ } else if (resolver instanceof IPvp2MetadataProvider) {
+ final IPvp2MetadataProvider httpprovider = (IPvp2MetadataProvider) resolver;
+ log.debug("Destroy metadata resolver with id: {}", httpprovider.getId());
+ httpprovider.doDestroy();
+
} else {
log.warn("Metadata resolver: {} can not be destroyed. Reason: unsupported type: {}",
resolver.getId(), resolver.getClass().getName());
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java
index d2b861dc..4115cc7c 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java
@@ -1,14 +1,14 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.metadata;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
-
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
+import org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
@@ -112,4 +112,17 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre
}
}
+ @Override
+ public void doDestroy() {
+ if (internalProvider instanceof AbstractMetadataResolver) {
+ ((AbstractMetadataResolver) internalProvider).destroy();
+
+ } else {
+ log.info("MetadataResolver: {} does not support destroying",
+ internalProvider.getClass().getName());
+
+ }
+
+ }
+
}
diff --git a/pom.xml b/pom.xml
index b1b5caea..c0374fc6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -33,7 +33,7 @@
<iaik.prod.iaik_eccelerate.version>5.01</iaik.prod.iaik_eccelerate.version>
<iaik.prod.iaik_eccelerate_addon.version>5.01</iaik.prod.iaik_eccelerate_addon.version>
<iaik.prod.iaik_eccelerate_cms.version>5.01</iaik.prod.iaik_eccelerate_cms.version>
- <iaik.prod.iaik_jce_full.version>5.52_moa</iaik.prod.iaik_jce_full.version>
+ <iaik.prod.iaik_jce_full.version>5.61_MOA</iaik.prod.iaik_jce_full.version>
<iaik.prod.iaik_jsse.version>4.4</iaik.prod.iaik_jsse.version>
<iaik.prod.iaik_moa.version>2.06</iaik.prod.iaik_moa.version>
<iaik.prod.iaik_pki_module.version>2.01_moa</iaik.prod.iaik_pki_module.version>