diff options
Diffstat (limited to 'eaaf_modules/eaaf_module_moa-sig/src/main/java')
4 files changed, 203 insertions, 160 deletions
diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java index d796c165..d9778156 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/AbstractSignatureService.java @@ -1,118 +1,23 @@ package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; -import java.io.IOException; -import java.io.InputStream; -import java.security.Provider; -import java.security.Security; -import java.util.Iterator; -import java.util.Map.Entry; - -import javax.annotation.PostConstruct; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; import org.w3c.dom.Document; -import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ISchemaRessourceProvider; -import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceConfigurationException; -import at.gv.egovernment.moa.spss.MOAException; -import at.gv.egovernment.moa.spss.api.Configurator; +import at.gv.egovernment.moa.spss.server.config.ConfigurationException; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; -import at.gv.egovernment.moaspss.util.DOMUtils; -import iaik.asn1.structures.AlgorithmID; -import iaik.security.ec.provider.ECCelerate; -import iaik.security.provider.IAIK; public abstract class AbstractSignatureService { private static final Logger log = LoggerFactory.getLogger(AbstractSignatureService.class); - private static boolean isMOASigInitialized = false; - - @Autowired(required=false) ISchemaRessourceProvider[] schemas; - - @PostConstruct - private synchronized void initialize() throws MOASigServiceConfigurationException { - - if (!isMOASigInitialized) { - log.info("Initializing MOA-Sig signature-verification service ... "); - log.info("Loading Java security providers."); - IAIK.addAsProvider(); - ECCelerate.addAsProvider(); - - try { - LoggingContextManager.getInstance().setLoggingContext( - new LoggingContext("startup")); - log.debug("MOA-Sig library initialization process ... "); - Configurator.getInstance().init(); - log.info("MOA-Sig library initialization complete "); - - } catch (final MOAException e) { - log.error("MOA-SP initialization FAILED!", e.getWrapped()); - throw new MOASigServiceConfigurationException("service.moasig.04", new Object[] { e - .toString() }, e); - } - - Security.insertProviderAt(IAIK.getInstance(), 0); - - final ECCelerate eccProvider = ECCelerate.getInstance(); - if (Security.getProvider(eccProvider.getName()) != null) - Security.removeProvider(eccProvider.getName()); - Security.addProvider(new ECCelerate()); - - fixJava8_141ProblemWithSSLAlgorithms(); - - if (log.isDebugEnabled()) { - log.debug("Loaded Security Provider:"); - final Provider[] providerList = Security.getProviders(); - for (int i=0; i<providerList.length; i++) - log.debug(i + ": " + providerList[i].getName() + " Version " + providerList[i].getVersion()); - - } - - - //Inject additional XML schemes - if (schemas != null && schemas.length > 0) { - log.debug("Infjecting additional XML schemes ... "); - for (final ISchemaRessourceProvider el : schemas) { - final Iterator<Entry<String, InputStream>> xmlSchemeIt = el.getSchemas().entrySet().iterator(); - while (xmlSchemeIt.hasNext()) { - final Entry<String, InputStream> xmlDef = xmlSchemeIt.next(); - try { - DOMUtils.addSchemaToPool(xmlDef.getValue(), xmlDef.getKey()); - log.info("Inject XML scheme: {}", xmlDef.getKey()); - - } catch (final IOException e) { - log.warn("Can NOT inject XML scheme: " + xmlDef.getKey(), e); - - } - - } - } - - } else - log.trace("No additional XML schemes to inject. Skip this feature"); - - - isMOASigInitialized = true; - - } else - log.info("MOA-Sig is already initialized. Skipping this steps ... "); - - internalInitializer(); - - } - - /** - * Executed in <code>@PostConstruct</code> as last step - * - */ - abstract protected void internalInitializer(); - /** * Get a new {@link Document} from {@link DocumentBuilder} in synchronized form, because * {@link DocumentBuilderFactory} and {@link DocumentBuilder} are not thread-safe. @@ -126,20 +31,29 @@ public abstract class AbstractSignatureService { } - private static void fixJava8_141ProblemWithSSLAlgorithms() { - log.info("Change AlgorithmIDs to fix problems with Java8 >= 141 ..."); - //new AlgorithmID("1.2.840.113549.1.1.4", "md5WithRSAEncryption", new String[] { "MD5withRSA", "MD5/RSA", }, null, true); - new AlgorithmID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption", - new String[] { "SHA1withRSA" , "SHA1/RSA", "SHA-1/RSA", "SHA/RSA", }, null, true); - new AlgorithmID("1.2.840.113549.1.1.14", "sha224WithRSAEncryption", - new String[] { "SHA224withRSA", "SHA224/RSA", "SHA-224/RSA", }, null, true); - new AlgorithmID("1.2.840.113549.1.1.11", "sha256WithRSAEncryption", - new String[] { "SHA256withRSA", "SHA256/RSA", "SHA-256/RSA", }, null, true); - new AlgorithmID("1.2.840.113549.1.1.12", "sha384WithRSAEncryption", - new String[] { "SHA384withRSA", "SHA384/RSA", "SHA-384/RSA", }, null, true); - new AlgorithmID("1.2.840.113549.1.1.13", "sha512WithRSAEncryption", - new String[] { "SHA512withRSA", "SHA512/RSA", "SHA-512/RSA" }, null, true); - - log.info("Change AlgorithmIDs finished"); - } + /** + * Set up the thread-local context information needed for calling the various + * <code>Invoker</code> classes. + * + * @throws ConfigurationException An error occurred setting up the + * configuration in the <code>TransactionContext</code>. + */ + protected final void setUpContexts( String transactionID) throws ConfigurationException { + final TransactionContextManager txMgr = TransactionContextManager.getInstance(); + final LoggingContextManager logMgr = LoggingContextManager.getInstance(); + + if (txMgr.getTransactionContext() == null) { + final TransactionContext ctx = new TransactionContext(transactionID, null, ConfigurationProvider.getInstance()); + txMgr.setTransactionContext(ctx); + + } + + if (logMgr.getLoggingContext() == null) { + final LoggingContext ctx = new LoggingContext(transactionID); + logMgr.setLoggingContext(ctx); + + } + + } + } diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/MoaSigInitializer.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/MoaSigInitializer.java new file mode 100644 index 00000000..b287357c --- /dev/null +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/MoaSigInitializer.java @@ -0,0 +1,108 @@ +package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; + +import java.io.IOException; +import java.io.InputStream; +import java.security.Provider; +import java.security.Security; +import java.util.Iterator; +import java.util.Map.Entry; + +import javax.annotation.PostConstruct; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ISchemaRessourceProvider; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceConfigurationException; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.Configurator; +import at.gv.egovernment.moaspss.logging.LoggingContext; +import at.gv.egovernment.moaspss.logging.LoggingContextManager; +import at.gv.egovernment.moaspss.util.DOMUtils; +import iaik.asn1.structures.AlgorithmID; +import iaik.security.ec.provider.ECCelerate; +import iaik.security.provider.IAIK; + +public class MoaSigInitializer { + private static final Logger log = LoggerFactory.getLogger(MoaSigInitializer.class); + + @Autowired(required=false) ISchemaRessourceProvider[] schemas; + + @PostConstruct + private synchronized void initialize() throws MOASigServiceConfigurationException { + log.info("Initializing MOA-Sig signature-verification service ... "); + + log.info("Loading Java security providers."); + IAIK.addAsProvider(); + ECCelerate.addAsProvider(); + + try { + LoggingContextManager.getInstance().setLoggingContext( + new LoggingContext("startup")); + log.debug("MOA-Sig library initialization process ... "); + Configurator.getInstance().init(); + log.info("MOA-Sig library initialization complete "); + + } catch (final MOAException e) { + log.error("MOA-SP initialization FAILED!", e.getWrapped()); + throw new MOASigServiceConfigurationException("service.moasig.04", new Object[] { e + .toString() }, e); + } + + Security.insertProviderAt(IAIK.getInstance(), 0); + + final ECCelerate eccProvider = ECCelerate.getInstance(); + if (Security.getProvider(eccProvider.getName()) != null) + Security.removeProvider(eccProvider.getName()); + Security.addProvider(new ECCelerate()); + + fixJava8_141ProblemWithSSLAlgorithms(); + + if (log.isDebugEnabled()) { + log.debug("Loaded Security Provider:"); + final Provider[] providerList = Security.getProviders(); + for (int i=0; i<providerList.length; i++) + log.debug(i + ": " + providerList[i].getName() + " Version " + providerList[i].getVersion()); + + } + + + //Inject additional XML schemes + if (schemas != null && schemas.length > 0) { + log.debug("Infjecting additional XML schemes ... "); + for (final ISchemaRessourceProvider el : schemas) { + final Iterator<Entry<String, InputStream>> xmlSchemeIt = el.getSchemas().entrySet().iterator(); + while (xmlSchemeIt.hasNext()) { + final Entry<String, InputStream> xmlDef = xmlSchemeIt.next(); + try { + DOMUtils.addSchemaToPool(xmlDef.getValue(), xmlDef.getKey()); + log.info("Inject XML scheme: {}", xmlDef.getKey()); + + } catch (final IOException e) { + log.warn("Can NOT inject XML scheme: " + xmlDef.getKey(), e); + + } + + } + } + } + } + + private static void fixJava8_141ProblemWithSSLAlgorithms() { + log.info("Change AlgorithmIDs to fix problems with Java8 >= 141 ..."); + //new AlgorithmID("1.2.840.113549.1.1.4", "md5WithRSAEncryption", new String[] { "MD5withRSA", "MD5/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption", + new String[] { "SHA1withRSA" , "SHA1/RSA", "SHA-1/RSA", "SHA/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.14", "sha224WithRSAEncryption", + new String[] { "SHA224withRSA", "SHA224/RSA", "SHA-224/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.11", "sha256WithRSAEncryption", + new String[] { "SHA256withRSA", "SHA256/RSA", "SHA-256/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.12", "sha384WithRSAEncryption", + new String[] { "SHA384withRSA", "SHA384/RSA", "SHA-384/RSA", }, null, true); + new AlgorithmID("1.2.840.113549.1.1.13", "sha512WithRSAEncryption", + new String[] { "SHA512withRSA", "SHA512/RSA", "SHA-512/RSA" }, null, true); + + log.info("Change AlgorithmIDs finished"); + } +} diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureCreationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureCreationService.java index 0dcb0960..59e7b516 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureCreationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureCreationService.java @@ -1,21 +1,28 @@ package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; +import javax.annotation.PostConstruct; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureCreationService; +import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureCreationInvoker; +import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureCreationInvoker; @Service(value="moaSigCreateService") public class SignatureCreationService extends AbstractSignatureService implements ISignatureCreationService{ private static final Logger log = LoggerFactory.getLogger(SignatureCreationService.class); - private at.gv.egovernment.moa.spss.api.SignatureCreationService scs = null; + private XMLSignatureCreationInvoker xadesInvoker; + private CMSSignatureCreationInvoker cadesInvoker; + - @Override + @PostConstruct protected void internalInitializer() { log.debug("Instanzing SignatureCreationService implementation ... "); - scs = at.gv.egovernment.moa.spss.api.SignatureCreationService.getInstance(); + xadesInvoker = XMLSignatureCreationInvoker.getInstance(); + cadesInvoker = CMSSignatureCreationInvoker.getInstance(); log.info("MOA-Sig signature-creation service initialized"); } diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java index e09bc8b4..c77f3097 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java @@ -4,6 +4,8 @@ import java.io.ByteArrayInputStream; import java.security.cert.CertificateEncodingException; import java.util.List; +import javax.annotation.PostConstruct; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.lang.Nullable; @@ -28,6 +30,8 @@ import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser; import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureVerificationInvoker; +import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureVerificationInvoker; import at.gv.egovernment.moaspss.util.Constants; @@ -44,7 +48,8 @@ public class SignatureVerificationService extends AbstractSignatureService imple private static final String DSIG = Constants.DSIG_PREFIX + ":"; private static final String DEFAULT_XPATH_SIGNATURE_LOCATION = "//" + DSIG + "Signature"; - private at.gv.egovernment.moa.spss.api.SignatureVerificationService svs; + private CMSSignatureVerificationInvoker cadesInvoker; + private XMLSignatureVerificationInvoker xadesInvocer; /* (non-Javadoc) * @see at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.ISignatureVerificationService#verifyCMSSignature(byte[], java.lang.String) @@ -53,8 +58,12 @@ public class SignatureVerificationService extends AbstractSignatureService imple @Nullable public ICMSSignatureVerificationResponse verifyCMSSignature(byte[] signature, String trustProfileID) throws MOASigServiceException { try { + //setup context + setUpContexts(Thread.currentThread().getName()); + + //verify signature final VerifyCMSSignatureRequest cmsSigVerifyReq = buildVerfifyCMSRequest(signature, trustProfileID, false, false); - final VerifyCMSSignatureResponse cmsSigVerifyResp = svs.verifyCMSSignature(cmsSigVerifyReq ); + final VerifyCMSSignatureResponse cmsSigVerifyResp = cadesInvoker.verifyCMSSignature(cmsSigVerifyReq ); return parseCMSVerificationResult(cmsSigVerifyResp); } catch (final MOAException e) { @@ -69,43 +78,6 @@ public class SignatureVerificationService extends AbstractSignatureService imple } - private ICMSSignatureVerificationResponse parseCMSVerificationResult(VerifyCMSSignatureResponse cmsSigVerifyResp) throws CertificateEncodingException { - - if (cmsSigVerifyResp.getResponseElements() == null || - cmsSigVerifyResp.getResponseElements().isEmpty()) { - log.info("No CMS signature FOUND. "); - return null; - - } - - if (cmsSigVerifyResp.getResponseElements().size() > 1) - log.warn("CMS or CAdES signature contains more than one technical signatures. Only validate the first signature"); - - final VerifyCMSSignatureResponseElement firstSig = (VerifyCMSSignatureResponseElement) cmsSigVerifyResp.getResponseElements().get(0); - - final at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyCMSSignatureResponse result = - new at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyCMSSignatureResponse(); - - //parse results into response container - result.setSignatureCheckCode(firstSig.getSignatureCheck().getCode()); - result.setCertificateCheckCode(firstSig.getCertificateCheck().getCode()); - - if (firstSig.getSignerInfo() != null) { - result.setSigningDateTime(firstSig.getSignerInfo().getSigningTime()); - result.setX509CertificateEncoded(firstSig.getSignerInfo().getSignerCertificate().getEncoded()); - result.setQualifiedCertificate(firstSig.getSignerInfo().isQualifiedCertificate()); - - result.setPublicAuthority(firstSig.getSignerInfo().isPublicAuthority()); - result.setPublicAuthorityCode(firstSig.getSignerInfo().getPublicAuhtorityID()); - - } else - log.info("CMS or CAdES verification result contains no SignerInfo"); - - return result; - } - - - /* (non-Javadoc) * @see at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.ISignatureVerificationService#verifyXMLSignature(byte[], java.lang.String) */ @@ -137,12 +109,15 @@ public class SignatureVerificationService extends AbstractSignatureService imple @Override public IXMLSignatureVerificationResponse verifyXMLSignature(byte[] signature, String trustProfileID, List<String> verifyTransformsInfoProfileID, String xpathSignatureLocation) throws MOASigServiceException { try { + //setup context + setUpContexts(Thread.currentThread().getName()); + //build signature-verification request final Element domVerifyXMLSignatureRequest = buildVerifyXMLRequest(signature, trustProfileID, verifyTransformsInfoProfileID, xpathSignatureLocation); //send signature-verification to MOA-Sig final VerifyXMLSignatureRequest vsrequest = new VerifyXMLSignatureRequestParser().parse(domVerifyXMLSignatureRequest); - final VerifyXMLSignatureResponse vsresponse = svs.verifyXMLSignature(vsrequest); + final VerifyXMLSignatureResponse vsresponse = xadesInvocer.verifyXMLSignature(vsrequest); final Document result = new VerifyXMLSignatureResponseBuilder(true).build(vsresponse); // parses the <IXMLSignatureVerificationResponse> @@ -163,6 +138,41 @@ public class SignatureVerificationService extends AbstractSignatureService imple } } +private ICMSSignatureVerificationResponse parseCMSVerificationResult(VerifyCMSSignatureResponse cmsSigVerifyResp) throws CertificateEncodingException { + + if (cmsSigVerifyResp.getResponseElements() == null || + cmsSigVerifyResp.getResponseElements().isEmpty()) { + log.info("No CMS signature FOUND. "); + return null; + + } + + if (cmsSigVerifyResp.getResponseElements().size() > 1) + log.warn("CMS or CAdES signature contains more than one technical signatures. Only validate the first signature"); + + final VerifyCMSSignatureResponseElement firstSig = (VerifyCMSSignatureResponseElement) cmsSigVerifyResp.getResponseElements().get(0); + + final at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyCMSSignatureResponse result = + new at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.data.VerifyCMSSignatureResponse(); + + //parse results into response container + result.setSignatureCheckCode(firstSig.getSignatureCheck().getCode()); + result.setCertificateCheckCode(firstSig.getCertificateCheck().getCode()); + + if (firstSig.getSignerInfo() != null) { + result.setSigningDateTime(firstSig.getSignerInfo().getSigningTime()); + result.setX509CertificateEncoded(firstSig.getSignerInfo().getSignerCertificate().getEncoded()); + result.setQualifiedCertificate(firstSig.getSignerInfo().isQualifiedCertificate()); + + result.setPublicAuthority(firstSig.getSignerInfo().isPublicAuthority()); + result.setPublicAuthorityCode(firstSig.getSignerInfo().getPublicAuhtorityID()); + + } else + log.info("CMS or CAdES verification result contains no SignerInfo"); + + return result; + } + /** * Build a VerifyCMS-Siganture request for MOA-Sig. * <br><br> @@ -274,10 +284,14 @@ public class SignatureVerificationService extends AbstractSignatureService imple } - @Override + + + @PostConstruct protected void internalInitializer() { log.debug("Instanzing SignatureVerificationService implementation ... "); - svs = at.gv.egovernment.moa.spss.api.SignatureVerificationService.getInstance(); + //svs = at.gv.egovernment.moa.spss.api.SignatureVerificationService.getInstance(); + cadesInvoker = CMSSignatureVerificationInvoker.getInstance(); + xadesInvocer = XMLSignatureVerificationInvoker.getInstance(); log.info("MOA-Sig signature-verification service initialized"); } |