diff options
Diffstat (limited to 'eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl')
6 files changed, 787 insertions, 0 deletions
diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/MOASigSpringResourceProvider.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/MOASigSpringResourceProvider.java new file mode 100644 index 00000000..ecda7eb1 --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/MOASigSpringResourceProvider.java @@ -0,0 +1,27 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; + +import at.gv.egiz.components.spring.api.SpringResourceProvider; + +public class MOASigSpringResourceProvider implements SpringResourceProvider { + + @Override + public Resource[] getResourcesToLoad() { + ClassPathResource moaSigConfig = new ClassPathResource("/moa-sig-service.beans.xml", MOASigSpringResourceProvider.class); + return new Resource[] {moaSigConfig}; + } + + @Override + public String[] getPackagesToScan() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getName() { + return "Signature-verification service based on MOA-Sig (MOA-SPSS)"; + } + +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java new file mode 100644 index 00000000..b2ea5cb7 --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java @@ -0,0 +1,348 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; + +import java.io.ByteArrayInputStream; +import java.security.Provider; +import java.security.Security; +import java.security.cert.CertificateEncodingException; +import java.util.List; + +import javax.annotation.PostConstruct; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.lang.Nullable; +import org.springframework.stereotype.Service; +import org.springframework.util.Base64Utils; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ICMSSignatureVerificationResponse; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceBuilderException; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceConfigurationException; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.parser.VerifyXMLSignatureResponseParser; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.Configurator; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl; +import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser; +import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; +import at.gv.egovernment.moaspss.logging.LoggingContext; +import at.gv.egovernment.moaspss.logging.LoggingContextManager; +import at.gv.egovernment.moaspss.util.Constants; +import iaik.asn1.structures.AlgorithmID; +import iaik.security.ec.provider.ECCelerate; +import iaik.security.provider.IAIK; + + +/** + * @author tlenz + * + */ +@Service +public class SignatureVerificationService implements ISignatureVerificationService { + private static final Logger log = LoggerFactory.getLogger(SignatureVerificationService.class); + + private static final String XMLNS_NS_URI = Constants.XMLNS_NS_URI; + private static final String MOA_NS_URI = Constants.MOA_NS_URI; + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + + private at.gv.egovernment.moa.spss.api.SignatureVerificationService svs; + + @PostConstruct + private void initialize() throws MOASigServiceConfigurationException { + log.info("Initializing MOA-Sig signature-verification service ... "); + + log.info("Loading Java security providers."); + IAIK.addAsProvider(); + ECCelerate.addAsProvider(); + + try { + LoggingContextManager.getInstance().setLoggingContext( + new LoggingContext("startup")); + log.debug("MOA-Sig library initialization process ... "); + Configurator.getInstance().init(); + log.info("MOA-Sig library initialization complete "); + + } catch (final MOAException e) { + log.error("MOA-SP initialization FAILED!", e.getWrapped()); + throw new MOASigServiceConfigurationException("service.moasig.04", new Object[] { e + .toString() }, e); + } + + Security.insertProviderAt(IAIK.getInstance(), 0); + + final ECCelerate eccProvider = ECCelerate.getInstance(); + if (Security.getProvider(eccProvider.getName()) != null) + Security.removeProvider(eccProvider.getName()); + Security.addProvider(new ECCelerate()); + + fixJava8_141ProblemWithSSLAlgorithms(); + + if (log.isDebugEnabled()) { + log.debug("Loaded Security Provider:"); + final Provider[] providerList = Security.getProviders(); + for (int i=0; i<providerList.length; i++) + log.debug(i + ": " + providerList[i].getName() + " Version " + providerList[i].getVersion()); + + } + + log.debug("Instanzing SignatureVerificationService implementation ... "); + svs = at.gv.egovernment.moa.spss.api.SignatureVerificationService.getInstance(); + + log.info("MOA-Sig signature-verification service initialized"); + } + + + + /* (non-Javadoc) + * @see at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.ISignatureVerificationService#verifyCMSSignature(byte[], java.lang.String) + */ + @Override + @Nullable + public ICMSSignatureVerificationResponse verifyCMSSignature(byte[] signature, String trustProfileID) throws MOASigServiceException { + try { + final VerifyCMSSignatureRequest cmsSigVerifyReq = buildVerfifyCMSRequest(signature, trustProfileID, false, false); + final VerifyCMSSignatureResponse cmsSigVerifyResp = svs.verifyCMSSignature(cmsSigVerifyReq ); + return parseCMSVerificationResult(cmsSigVerifyResp); + + } catch (final MOAException e) { + log.warn("CMS signature verification has an error.", e); + throw new MOASigServiceException("service.03", new Object[] { e.toString()}, e); + + } catch (final CertificateEncodingException e) { + log.warn("Can NOT serialize X509 certificate from CMS/CAdES signature-verification response", e); + throw new MOASigServiceException("service.03", new Object[] { e.toString()}, e); + + } + + } + + private ICMSSignatureVerificationResponse parseCMSVerificationResult(VerifyCMSSignatureResponse cmsSigVerifyResp) throws CertificateEncodingException { + + if (cmsSigVerifyResp.getResponseElements() == null || + cmsSigVerifyResp.getResponseElements().isEmpty()) { + log.info("No CMS signature FOUND. "); + return null; + + } + + if (cmsSigVerifyResp.getResponseElements().size() > 1) + log.warn("CMS or CAdES signature contains more than one technical signatures. Only validate the first signature"); + + final VerifyCMSSignatureResponseElement firstSig = (VerifyCMSSignatureResponseElement) cmsSigVerifyResp.getResponseElements().get(0); + + final at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyCMSSignatureResponse result = + new at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyCMSSignatureResponse(); + + //parse results into response container + result.setSignatureCheckCode(firstSig.getSignatureCheck().getCode()); + result.setCertificateCheckCode(firstSig.getCertificateCheck().getCode()); + + if (firstSig.getSignerInfo() != null) { + result.setSigningDateTime(firstSig.getSignerInfo().getSigningTime()); + result.setX509CertificateEncoded(firstSig.getSignerInfo().getSignerCertificate().getEncoded()); + result.setQualifiedCertificate(firstSig.getSignerInfo().isQualifiedCertificate()); + + result.setPublicAuthority(firstSig.getSignerInfo().isPublicAuthority()); + result.setPublicAuthorityCode(firstSig.getSignerInfo().getPublicAuhtorityID()); + + } else + log.info("CMS or CAdES verification result contains no SignerInfo"); + + return result; + } + + + + /* (non-Javadoc) + * @see at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.ISignatureVerificationService#verifyXMLSignature(byte[], java.lang.String) + */ + @Override + public IXMLSignatureVerificationResponse verifyXMLSignature(byte[] signature, String trustProfileID) throws MOASigServiceException { + return verifyXMLSignature(signature, trustProfileID, null); + + } + + /* (non-Javadoc) + * @see at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.ISignatureVerificationService#verifyXMLSignature(byte[], java.lang.String, java.util.List) + */ + @Override + public IXMLSignatureVerificationResponse verifyXMLSignature(byte[] signature, String trustProfileID, List<String> verifyTransformsInfoProfileID) throws MOASigServiceException { + try { + //build signature-verification request + final Element domVerifyXMLSignatureRequest = buildVerifyXMLRequest(signature, trustProfileID, verifyTransformsInfoProfileID); + + //send signature-verification to MOA-Sig + final VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(domVerifyXMLSignatureRequest); + final VerifyXMLSignatureResponse vsresponse = svs.verifyXMLSignature(vsrequest); + final Document result = new VerifyXMLSignatureResponseBuilder(true).build(vsresponse); + + // parses the <IXMLSignatureVerificationResponse> + final IXMLSignatureVerificationResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(result.getDocumentElement()).parseData(); + + return verifyXMLSignatureResponse; + + } catch (final MOASigServiceException e) { + throw e; + + } catch (final MOAException e) { + log.warn("MOA-Sig signature-verification has an internal error." + + " MsgCode: " + e.getMessageId() + + " Msg: " + e.getMessage(), + e); + throw new MOASigServiceException("service.moasig.03", new Object[]{e.getMessage()}, e); + + } + } + + /** + * Build a VerifyCMS-Siganture request for MOA-Sig. + * <br><br> + * This builder only generates verification-request for enveloped CMS or CAdES signatures + * <br> + * This + * + * @param signature CMS or CAdES signature + * @param trustProfileID trustProfileID MOA-Sig Trust-Profile + * @param isPdfSignature Make CAdES signature as part of an PAdES document + * @param performExtendedValidation To extended validation. See MOA-Sig documentation for detailed information + * @return + */ + private VerifyCMSSignatureRequest buildVerfifyCMSRequest(byte[] signature, String trustProfileID, + boolean isPdfSignature, boolean performExtendedValidation) { + final VerifyCMSSignatureRequestImpl verifyCMSSignatureRequest = new VerifyCMSSignatureRequestImpl(); + verifyCMSSignatureRequest.setDateTime(null); + verifyCMSSignatureRequest.setCMSSignature(new ByteArrayInputStream(signature)); + verifyCMSSignatureRequest.setDataObject(null); + verifyCMSSignatureRequest.setTrustProfileId(trustProfileID); + verifyCMSSignatureRequest.setSignatories(VerifyCMSSignatureRequest.ALL_SIGNATORIES); + verifyCMSSignatureRequest.setPDF(isPdfSignature); + verifyCMSSignatureRequest.setExtended(performExtendedValidation); + return verifyCMSSignatureRequest; + + } + + /** + * Build a VerifyXML-Signature request for MOA-Sig + * + * @param signature Serialized XML signature + * @param trustProfileID MOA-Sig Trust-Profile + * @param verifyTransformsInfoProfileID {@link List} of Transformation-Profiles used for validation + * @return + * @throws MOASigServiceBuilderException + */ + private Element buildVerifyXMLRequest(byte[] signature, String trustProfileID, List<String> verifyTransformsInfoProfileID) throws MOASigServiceBuilderException { + try { + //build empty document + final Document requestDoc_ = getNewDocumentBuilder(); + final Element requestElem_ = requestDoc_.createElementNS(MOA_NS_URI, "VerifyXMLSignatureRequest"); + requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns", MOA_NS_URI); + requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns:" + Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); + requestDoc_.appendChild(requestElem_); + + + // build the request + final Element verifiySignatureInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); + requestElem_.appendChild(verifiySignatureInfoElem); + final Element verifySignatureEnvironmentElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment"); + verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem); + final Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content"); + verifySignatureEnvironmentElem.appendChild(base64ContentElem); + + // insert the base64 encoded signature + String base64EncodedAssertion = Base64Utils.encodeToString(signature); + //replace all '\r' characters by no char. + final StringBuffer replaced = new StringBuffer(); + for (int i = 0; i < base64EncodedAssertion.length(); i ++) { + final char c = base64EncodedAssertion.charAt(i); + if (c != '\r') { + replaced.append(c); + } + } + base64EncodedAssertion = replaced.toString(); + final Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion); + base64ContentElem.appendChild(base64Content); + + // specify the signature location + final Element verifySignatureLocationElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation"); + verifiySignatureInfoElem.appendChild(verifySignatureLocationElem); + final Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature"); + verifySignatureLocationElem.appendChild(signatureLocation); + + // signature manifest params + final Element signatureManifestCheckParamsElem = requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); + + //verify transformations + if (verifyTransformsInfoProfileID != null && !verifyTransformsInfoProfileID.isEmpty()) { + final Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo"); + signatureManifestCheckParamsElem.appendChild(referenceInfoElem); + for (final String element : verifyTransformsInfoProfileID) { + final Element verifyTransformsInfoProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID"); + referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem); + verifyTransformsInfoProfileIDElem.appendChild(requestDoc_.createTextNode(element)); + + } + } + + //hashinput data + final Element returnHashInputDataElem = requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); + requestElem_.appendChild(returnHashInputDataElem); + + //add trustProfileID + final Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID"); + trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID)); + requestElem_.appendChild(trustProfileIDElem); + + return requestElem_; + + } catch (final Throwable t) { + log.warn("Can NOT build VerifyXML-Signature request for MOA-Sig", t); + throw new MOASigServiceBuilderException("service.moasig.03", new Object[] { t.getMessage() }, t); + + } + + } + + /** + * Get a new {@link Document} from {@link DocumentBuilder} in synchronized form, because + * {@link DocumentBuilderFactory} and {@link DocumentBuilder} are not thread-safe. + * + * @return {@link Document} + * @throws ParserConfigurationException + */ + private synchronized Document getNewDocumentBuilder() throws ParserConfigurationException { + final DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + return docBuilder.newDocument(); + + } + + private static void fixJava8_141ProblemWithSSLAlgorithms() { + log.info("Change AlgorithmIDs to fix problems with Java8 >= 141 ..."); + //new AlgorithmID("1.2.840.113549.1.1.4", "md5WithRSAEncryption", new String[] { "MD5withRSA", "MD5/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption", + new String[] { "SHA1withRSA" , "SHA1/RSA", "SHA-1/RSA", "SHA/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.14", "sha224WithRSAEncryption", + new String[] { "SHA224withRSA", "SHA224/RSA", "SHA-224/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.11", "sha256WithRSAEncryption", + new String[] { "SHA256withRSA", "SHA256/RSA", "SHA-256/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.12", "sha384WithRSAEncryption", + new String[] { "SHA384withRSA", "SHA384/RSA", "SHA-384/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.13", "sha512WithRSAEncryption", + new String[] { "SHA512withRSA", "SHA512/RSA", "SHA-512/RSA" }, null, true); + + log.info("Change AlgorithmIDs finished"); + } +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/GenericSignatureVerificationResponse.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/GenericSignatureVerificationResponse.java new file mode 100644 index 00000000..f3c724d8 --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/GenericSignatureVerificationResponse.java @@ -0,0 +1,130 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data; + +import java.io.Serializable; +import java.security.cert.CertificateException; +import iaik.x509.X509Certificate; +import java.util.Date; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IGenericSignatureVerificationResponse; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceParserException; + +public class GenericSignatureVerificationResponse implements IGenericSignatureVerificationResponse, Serializable { + + private static final long serialVersionUID = -7751001050689401118L; + private static final Logger log = LoggerFactory.getLogger(GenericSignatureVerificationResponse.class); + + + /** The signing time */ + private Date signingDateTime; + + /** The signatureCheckCode to be stored */ + private int signatureCheckCode; + + /** The certificateCheckCode to be stored */ + private int certificateCheckCode; + + /** The publicAuthority to be stored */ + private boolean publicAuthority; + + /** The publicAuthorityCode to be stored */ + private String publicAuthorityCode; + + /** The qualifiedCertificate to be stored */ + private boolean qualifiedCertificate; + + private byte[] x509CertificateEncoded; + + @Override + public Date getSigningDateTime() { + return this.signingDateTime; + + } + + @Override + public int getSignatureCheckCode() { + return this.signatureCheckCode; + + } + + @Override + public int getCertificateCheckCode() { + return this.certificateCheckCode; + + } + + @Override + public boolean isQualifiedCertificate() { + return this.qualifiedCertificate; + + } + + @Override + public X509Certificate getX509Certificate() throws MOASigServiceException { + if (x509CertificateEncoded != null) { + try { + return new X509Certificate(x509CertificateEncoded); + + } catch (CertificateException e) { + log.error("Can NOT parse X509 certifcate in " + GenericSignatureVerificationResponse.class.getName(), e); + throw new MOASigServiceParserException("service.moasig.01", null, e); + } + + } + + return null; + + } + + @Override + public byte[] getX509CertificateEncoded() { + return this.getX509CertificateEncoded(); + + } + + @Override + public boolean isPublicAuthority() { + return this.publicAuthority; + + } + + @Override + public String getPublicAuthorityCode() { + return this.publicAuthorityCode; + + } + + public void setSigningDateTime(Date signingDateTime) { + this.signingDateTime = signingDateTime; + } + + public void setSignatureCheckCode(int signatureCheckCode) { + this.signatureCheckCode = signatureCheckCode; + } + + public void setCertificateCheckCode(int certificateCheckCode) { + this.certificateCheckCode = certificateCheckCode; + } + + public void setPublicAuthority(boolean publicAuthority) { + this.publicAuthority = publicAuthority; + } + + public void setPublicAuthorityCode(String publicAuthorityCode) { + this.publicAuthorityCode = publicAuthorityCode; + } + + public void setQualifiedCertificate(boolean qualifiedCertificate) { + this.qualifiedCertificate = qualifiedCertificate; + } + + public void setX509CertificateEncoded(byte[] x509CertificateEncoded) { + this.x509CertificateEncoded = x509CertificateEncoded; + } + + + +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/VerifyCMSSignatureResponse.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/VerifyCMSSignatureResponse.java new file mode 100644 index 00000000..2c177c71 --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/VerifyCMSSignatureResponse.java @@ -0,0 +1,9 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data; + +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ICMSSignatureVerificationResponse; + +public class VerifyCMSSignatureResponse extends GenericSignatureVerificationResponse implements ICMSSignatureVerificationResponse{ + + private static final long serialVersionUID = 708260904158070696L; + +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/VerifyXMLSignatureResponse.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/VerifyXMLSignatureResponse.java new file mode 100644 index 00000000..0646bda7 --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/data/VerifyXMLSignatureResponse.java @@ -0,0 +1,93 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data; + +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse; + +/** + * + * + * @author tlenz + * + */ + +public class VerifyXMLSignatureResponse extends GenericSignatureVerificationResponse implements IXMLSignatureVerificationResponse { + + private static final long serialVersionUID = 8386070769565711601L; + +/** The xmlDsigSubjectName to be stored */ + private String xmlDsigSubjectName; + + /** The xmlDSIGManifestCheckCode to be stored */ + private int xmlDSIGManifestCheckCode; + /** The xmlDSIGManigest to be stored */ + private boolean xmlDSIGManigest; + + /** + * The result of the signature manifest check. The default value <code>-1</code> + * indicates that the signature manifest has not been checked. + */ + private int signatureManifestCheckCode = -1; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#getXmlDSIGManifestCheckCode() + */ + @Override +public int getXmlDSIGManifestCheckCode() { + return xmlDSIGManifestCheckCode; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#getXmlDsigSubjectName() + */ + @Override +public String getXmlDsigSubjectName() { + return xmlDsigSubjectName; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#setXmlDSIGManifestCheckCode(int) + */ +public void setXmlDSIGManifestCheckCode(int xmlDSIGManifestCheckCode) { + this.xmlDSIGManifestCheckCode = xmlDSIGManifestCheckCode; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#setXmlDsigSubjectName(java.lang.String) + */ +public void setXmlDsigSubjectName(String xmlDsigSubjectName) { + this.xmlDsigSubjectName = xmlDsigSubjectName; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#isXmlDSIGManigest() + */ + @Override +public boolean isXmlDSIGManigest() { + return xmlDSIGManigest; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#setXmlDSIGManigest(boolean) + */ +public void setXmlDSIGManigest(boolean xmlDSIGManigest) { + this.xmlDSIGManigest = xmlDSIGManigest; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#getSignatureManifestCheckCode() + */ + @Override +public int getSignatureManifestCheckCode() { + return signatureManifestCheckCode; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.data.IVerifiyXMLSignatureResponse#setSignatureManifestCheckCode(int) + */ +public void setSignatureManifestCheckCode(int signatureManifestCheckCode) { + this.signatureManifestCheckCode = signatureManifestCheckCode; + } + +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/parser/VerifyXMLSignatureResponseParser.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/parser/VerifyXMLSignatureResponseParser.java new file mode 100644 index 00000000..e581394b --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/parser/VerifyXMLSignatureResponseParser.java @@ -0,0 +1,180 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.parser; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +import org.joda.time.DateTime; +import org.joda.time.format.ISODateTimeFormat; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.lang.NonNull; +import org.w3c.dom.Element; + +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceParserException; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moaspss.util.Constants; +import at.gv.egovernment.moaspss.util.DOMUtils; +import at.gv.egovernment.moaspss.util.XPathUtils; +import iaik.utils.Base64InputStream; +import iaik.x509.X509Certificate; + + +public class VerifyXMLSignatureResponseParser { + private static final Logger log = LoggerFactory.getLogger(VerifyXMLSignatureResponseParser.class); + + // + // XPath namespace prefix shortcuts + // + /** Xpath prefix for reaching MOA Namespaces */ + private static final String MOA = Constants.MOA_PREFIX + ":"; + /** Xpath prefix for reaching DSIG Namespaces */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + /** Xpath expression to the root element */ + private static final String ROOT = "/" + MOA + "VerifyXMLSignatureResponse/"; + + /** Xpath expression to the X509SubjectName element */ + private static final String DSIG_SUBJECT_NAME_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + DSIG + "X509SubjectName"; + /** Xpath expression to the X509Certificate element */ + private static final String DSIG_X509_CERTIFICATE_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + DSIG + "X509Certificate"; + /** Xpath expression to the PublicAuthority element */ + private static final String PUBLIC_AUTHORITY_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + MOA + "PublicAuthority"; + /** Xpath expression to the PublicAuthorityCode element */ + private static final String PUBLIC_AUTHORITY_CODE_XPATH = + PUBLIC_AUTHORITY_XPATH + "/" + MOA + "Code"; + /** Xpath expression to the QualifiedCertificate element */ + private static final String QUALIFIED_CERTIFICATE_XPATH = + ROOT + MOA + "SignerInfo/" + DSIG + "X509Data/" + + MOA + "QualifiedCertificate"; + + /** Xpath expression to the SignatureCheckCode element */ + private static final String SIGNATURE_CHECK_CODE_XPATH = + ROOT + MOA + "SignatureCheck/" + MOA + "Code"; + /** Xpath expression to the XMLDSIGManifestCheckCode element */ + private static final String XMLDSIG_MANIFEST_CHECK_CODE_XPATH = + ROOT + MOA + "XMLDSIGManifestCheck/" + MOA + "Code"; + /** Xpath expression to the SignatureManifestCheckCode element */ + private static final String SIGNATURE_MANIFEST_CHECK_CODE_XPATH = + ROOT + MOA + "SignatureManifestCheck/" + MOA + "Code"; + /** Xpath expression to the CertificateCheckCode element */ + private static final String CERTIFICATE_CHECK_CODE_XPATH = + ROOT + MOA + "CertificateCheck/" + MOA + "Code"; + + private static final String SIGNING_TIME_XPATH = + ROOT + MOA + "SigningTime"; + + + /** This is the root element of the XML-Document provided by the Security Layer Card*/ + private Element verifyXMLSignatureResponse; + + /** + * Constructor for VerifyXMLSignatureResponseParser. + * A DOM-representation of the incoming String will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as String + * @throws MOASigServiceParserException on any parsing error + */ + public VerifyXMLSignatureResponseParser(String xmlResponse) throws MOASigServiceParserException { + try { + final InputStream s = new ByteArrayInputStream(xmlResponse.getBytes("UTF-8")); + verifyXMLSignatureResponse = DOMUtils.parseXmlValidating(s); + + } catch (final Throwable t) { + log.warn("Can not parse MOA-Sig response." , t); + throw new MOASigServiceParserException("service.moasig.02", new Object[] { t.toString() }, t); + + } + } + + /** + * Constructor for VerifyXMLSignatureResponseParser. + * A DOM-representation of the incoming Inputstream will be created + * @param xmlResponse <code><InfoboxReadResponse></code> as InputStream + * @throws MOASigServiceParserException on any parsing error + */ + public VerifyXMLSignatureResponseParser(InputStream xmlResponse) throws MOASigServiceParserException { + try { + verifyXMLSignatureResponse = DOMUtils.parseXmlValidating(xmlResponse); + + } catch (final Throwable t) { + log.warn("Can not parse MOA-Sig response." , t); + throw new MOASigServiceParserException("service.moasig.02", new Object[] { t.toString() }, t); + + } + } + + /** + * Constructor for VerifyXMLSignatureResponseParser. + * The incoming Element will be used for further operations + * @param xmlResponse <code><InfoboxReadResponse></code> as Element + */ + public VerifyXMLSignatureResponseParser(Element xmlResponse) { + verifyXMLSignatureResponse =xmlResponse; + + } + +/** + * Parse MOA-Sig signatur-verification result into {@link IXMLSignatureVerificationResponse} + * + * @return {@link IXMLSignatureVerificationResponse} + * @throws MOASigServiceException on any parsing error + */ + @NonNull + public IXMLSignatureVerificationResponse parseData() throws MOASigServiceException { + try { + final VerifyXMLSignatureResponse respData = new VerifyXMLSignatureResponse(); + respData.setXmlDsigSubjectName(XPathUtils.getElementValue(verifyXMLSignatureResponse,DSIG_SUBJECT_NAME_XPATH,"")); + final Element e = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,QUALIFIED_CERTIFICATE_XPATH); + respData.setQualifiedCertificate(e!=null); + + final Base64InputStream in = new Base64InputStream(new ByteArrayInputStream(XPathUtils.getElementValue( + verifyXMLSignatureResponse,DSIG_X509_CERTIFICATE_XPATH,"").getBytes("UTF-8")),true); + + respData.setX509CertificateEncoded(new X509Certificate(in).getEncoded()); + + final Element publicAuthority = (Element)XPathUtils.selectSingleNode(verifyXMLSignatureResponse,PUBLIC_AUTHORITY_XPATH); + respData.setPublicAuthority(publicAuthority != null); + respData.setPublicAuthorityCode(XPathUtils.getElementValue(verifyXMLSignatureResponse,PUBLIC_AUTHORITY_CODE_XPATH,"")); + respData.setSignatureCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNATURE_CHECK_CODE_XPATH,"")).intValue()); + + final String xmlDsigCheckCode = XPathUtils.getElementValue(verifyXMLSignatureResponse,XMLDSIG_MANIFEST_CHECK_CODE_XPATH,null); + if (xmlDsigCheckCode!=null) { + respData.setXmlDSIGManigest(true); + respData.setXmlDSIGManifestCheckCode(new Integer(xmlDsigCheckCode).intValue()); + + } else { + respData.setXmlDSIGManigest(false); + + } + + final String signatureManifestCheckCode = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNATURE_MANIFEST_CHECK_CODE_XPATH,null); + if (signatureManifestCheckCode != null) { + respData.setSignatureManifestCheckCode(new Integer(signatureManifestCheckCode).intValue()); + + } + respData.setCertificateCheckCode(new Integer(XPathUtils.getElementValue(verifyXMLSignatureResponse,CERTIFICATE_CHECK_CODE_XPATH,"")).intValue()); + + final String signingTimeElement = XPathUtils.getElementValue(verifyXMLSignatureResponse,SIGNING_TIME_XPATH,""); + if (signingTimeElement != null && !signingTimeElement.isEmpty()) { + final DateTime datetime = ISODateTimeFormat.dateOptionalTimeParser().parseDateTime(signingTimeElement); + respData.setSigningDateTime(datetime.toDate()); + + } + + return respData; + + } catch (final Throwable t) { + log.warn("Can not parse MOA-Sig response." , t); + throw new MOASigServiceParserException("service.moasig.02", new Object[] { t.toString() }, t); + } + + } + + +} |