From a722ad1f7e8506c58f594ac84dfdedac88a556d4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 30 Jul 2020 11:02:10 +0200 Subject: update MOA-Sig verification API to set signature-verification timestamp --- .../eaaf/core/impl/idp/auth/data/IdentityLink.java | 29 +++++++++- .../eaaf/core/api/idp/auth/data/IIdentityLink.java | 10 +++- .../moasig/api/ISignatureVerificationService.java | 20 ++++++- .../moasig/impl/SignatureVerificationService.java | 64 ++++++++++++++-------- 4 files changed, 96 insertions(+), 27 deletions(-) diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/data/IdentityLink.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/data/IdentityLink.java index ee1037a1..8327b544 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/data/IdentityLink.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/data/IdentityLink.java @@ -23,15 +23,20 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.Serializable; import java.security.PublicKey; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; import javax.xml.transform.TransformerException; -import org.w3c.dom.Element; - import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; +import org.w3c.dom.Element; + +import lombok.extern.slf4j.Slf4j; + /** * Data contained in an identity link issued by BMI, relevant to the MOA ID * component.
@@ -41,10 +46,13 @@ import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; * @author Paul Ivancsics * @version $Id$ */ +@Slf4j public class IdentityLink implements Serializable, IIdentityLink { private static final long serialVersionUID = 1L; + public static final String PATTERN_ISSUE_INSTANT = "yyyy-MM-dd'T'HH:mm:ssXXX"; + /** * "identificationValue" is the translation of * "Stammzahl". @@ -372,6 +380,23 @@ public class IdentityLink implements Serializable, IIdentityLink { return issueInstant; } + @Override + public Date getIssueInstantDate() { + final SimpleDateFormat f = new SimpleDateFormat(PATTERN_ISSUE_INSTANT); + try { + if (issueInstant != null) { + return f.parse(issueInstant); + + } + + } catch (final ParseException e) { + log.error("Can NOT parse Date from String: {}", issueInstant, null, e); + + } + + return null; + } + /* * (non-Javadoc) * diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java index 74c82181..a2288a5b 100644 --- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java +++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java @@ -21,6 +21,7 @@ package at.gv.egiz.eaaf.core.api.idp.auth.data; import java.io.IOException; import java.security.PublicKey; +import java.util.Date; import javax.xml.transform.TransformerException; @@ -28,7 +29,7 @@ import org.w3c.dom.Element; /** * Deprecated IdentityLink interface. - * + * * @author tlenz * */ @@ -187,6 +188,13 @@ public interface IIdentityLink { */ String getIssueInstant(); + /** + * Returns the issuing time of the identity link SAML assertion. + * + * @return The issuing time of the identity link SAML assertion. + */ + Date getIssueInstantDate(); + /** * Sets the issuing time of the identity link SAML assertion. * 
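Review bot: `getIssueInstantDate()` returns null both when `issueInstant` is absent and when it fails to parse, and the pattern `yyyy-MM-dd'T'HH:mm:ssXXX` rejects any value that carries fractional seconds, which xsd:dateTime permits; because the new `verifyXmlSignature` overloads in SignatureVerificationService treat a null `signingDate` as "no DateTime element", a parse failure silently degrades to a verification without the timestamp, with only a log line as evidence. Parsing with `java.time` (`OffsetDateTime.parse` accepts optional fractions and `Z`) removes that failure mode, and if a present-but-unparseable value must not be treated like a missing one, throw instead of returning null in the catch block. The extra `null` argument in `log.error("Can NOT parse Date from String: {}", issueInstant, null, e)` matches no placeholder and should be dropped. The rewrite below needs `java.time.OffsetDateTime` and `java.time.format.DateTimeParseException` in the import block, which lies in the previous hunk.
```java
@Override
public Date getIssueInstantDate() {
  if (issueInstant == null) {
    return null;
  }
  try {
    // ISO_OFFSET_DATE_TIME accepts optional fractional seconds and 'Z' as offset
    return Date.from(OffsetDateTime.parse(issueInstant).toInstant());

  } catch (final DateTimeParseException e) {
    log.error("Can NOT parse Date from String: {}", issueInstant, e);
    return null;
  }
}
```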
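Review bot: The Javadoc of the new `getIssueInstantDate()` declaration does not say that the method returns null when no issue instant is set or when the stored string cannot be parsed, which is what the IdentityLink implementation in this commit does; callers that forward the value to the MOA-Sig API need to know that null means "verify without a timestamp". Suggest `@return The issuing time, or {@code null} if no issue instant is set or it cannot be parsed`, and naming the string format the implementation expects (`yyyy-MM-dd'T'HH:mm:ssXXX`) so implementers of this interface agree on it.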
diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/ISignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/ISignatureVerificationService.java index 67e9e29d..f7a33395 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/ISignatureVerificationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/api/ISignatureVerificationService.java @@ -1,5 +1,6 @@ package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api; +import java.util.Date; import java.util.List; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ICmsSignatureVerificationResponse; @@ -38,6 +39,22 @@ public interface ISignatureVerificationService { IXmlSignatureVerificationResponse verifyXmlSignature(byte[] signature, String trustProfileID) throws MoaSigServiceException; + /** + * Verify a XML or XAdES signature.
+ *
+ * This method only validates the first XML or XAdES signature if more than + * one signature exists + * + * @param signature Serialized XML or XAdES signature + * @param trustProfileID Id of the Trust-Profile from MOA-Sig configuration + * @param signingDate Signature timestamp + * @return @link {@link IXmlSignatureVerificationResponse}, or null if no + * signature was found + * @throws MoaSigServiceException on signatue-verification error + */ + IXmlSignatureVerificationResponse verifyXmlSignature(byte[] signature, String trustProfileID, + Date signingDate) throws MoaSigServiceException; + /** * Verify a XML or XAdES signature.
*
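Review bot: The Javadoc for the new `verifyXmlSignature(byte[], String, Date)` overload leaves `signingDate` under-specified: it should state what MOA-Sig does with the date (presumably it is the reference time for the certificate-validity check) and what a null value means (the implementation omits the DateTime element from the request). Suggest `@param signingDate Reference time for the verification; {@code null} omits the timestamp from the request`. On the added lines, `@return @link {@link IXmlSignatureVerificationResponse}` has a stray `@link` before the inline tag, and `signatue-verification` in the `@throws` line is a typo carried over from the existing methods.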
@@ -89,12 +106,13 @@ public interface ISignatureVerificationService { * signature-verification * @param signatureLocationXpath Xpath that points to location of * Signature element + * @param signingDate Signature timestamp * @return @link {@link IXmlSignatureVerificationResponse}, or null if no * signature was found * @throws MoaSigServiceException on signatue-verification error */ IXmlSignatureVerificationResponse verifyXmlSignature(byte[] signature, String trustProfileID, - List verifyTransformsInfoProfileID, String signatureLocationXpath) + List verifyTransformsInfoProfileID, String signatureLocationXpath, Date signingDate) throws MoaSigServiceException; } diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java index 8fc4086e..be27383c 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eid/authhandler/modules/sigverify/moasig/impl/SignatureVerificationService.java 
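Review bot: Appending `Date signingDate` to the existing five-argument `verifyXmlSignature` abstract method changes the contract for every implementer of `ISignatureVerificationService`, whereas the previous hunk introduces the Date-taking variant as an additional overload; any implementation outside this module stops compiling. If the project targets Java 8 or later, keeping the old four-argument signature as a `default` method that delegates with `null` would preserve source compatibility. The rewritten signature also keeps the raw `List verifyTransformsInfoProfileID`; a parameterized type (presumably `List<String>`) would let the compiler check callers.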
@@ -2,19 +2,11 @@ package at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl; import java.io.ByteArrayInputStream; import java.security.cert.CertificateEncodingException; +import java.util.Date; import java.util.List; import javax.annotation.PostConstruct; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.lang.Nullable; -import org.springframework.stereotype.Service; -import org.springframework.util.Base64Utils; -import org.w3c.dom.Document; -import org.w3c.dom.Element; -import org.w3c.dom.Node; - import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.ICmsSignatureVerificationResponse; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXmlSignatureVerificationResponse; @@ -34,6 +26,16 @@ import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureVerificationInvoker; import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureVerificationInvoker; import at.gv.egovernment.moaspss.util.Constants; +import org.apache.commons.lang3.time.DateFormatUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.lang.Nullable; +import org.springframework.stereotype.Service; +import org.springframework.util.Base64Utils; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + /** * MOA-Sig based signature verification implementation. * @@ -50,6 +52,8 @@ public class SignatureVerificationService extends AbstractSignatureService private static final String DSIG = Constants.DSIG_PREFIX + ":"; private static final String DEFAULT_XPATH_SIGNATURE_LOCATION = "//" + DSIG + "Signature"; + public static final String PATTERN_ISSUE_INSTANT = "yyyy-MM-dd'T'HH:mm:ssXXX"; + private CMSSignatureVerificationInvoker cadesInvoker; private XMLSignatureVerificationInvoker xadesInvocer; 
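Review bot: `PATTERN_ISSUE_INSTANT` is introduced here as a second public copy of the identical constant this commit adds to `IdentityLink`; the string written into the MOA-Sig `DateTime` element and the string parsed from the identity link are meant to be the same format, and two public copies invite silent drift. Reference a single constant from one place, and if nothing outside this class needs it, make it `private static final` here to keep the service's public surface small.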
@@ -99,7 +103,7 @@ public class SignatureVerificationService extends AbstractSignatureService @Override public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID) throws MoaSigServiceException { - return verifyXmlSignature(signature, trustProfileID, null, DEFAULT_XPATH_SIGNATURE_LOCATION); + return verifyXmlSignature(signature, trustProfileID, null, DEFAULT_XPATH_SIGNATURE_LOCATION, null); } @@ -115,7 +119,7 @@ public class SignatureVerificationService extends AbstractSignatureService final String trustProfileID, final List verifyTransformsInfoProfileID) throws MoaSigServiceException { return verifyXmlSignature(signature, trustProfileID, verifyTransformsInfoProfileID, - DEFAULT_XPATH_SIGNATURE_LOCATION); + DEFAULT_XPATH_SIGNATURE_LOCATION, null); } /* 
@@ -129,27 +133,27 @@ public class SignatureVerificationService extends AbstractSignatureService public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID, final String signatureLocationXpath) throws MoaSigServiceException { - return verifyXmlSignature(signature, trustProfileID, null, signatureLocationXpath); + return verifyXmlSignature(signature, trustProfileID, null, signatureLocationXpath, null); + } + + @Override + public IXmlSignatureVerificationResponse verifyXmlSignature(byte[] signature, String trustProfileID, + Date signingDate) throws MoaSigServiceException { + return verifyXmlSignature(signature, trustProfileID, null, + DEFAULT_XPATH_SIGNATURE_LOCATION, signingDate); } - /* - * (non-Javadoc) - * - * @see at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl. - * ISignatureVerificationService# verifyXMLSignature(byte[], java.lang.String, - * java.util.List, java.lang.String) - */ @Override public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID, final List verifyTransformsInfoProfileID, - final String xpathSignatureLocation) throws MoaSigServiceException { + final String xpathSignatureLocation, Date signingDate) throws MoaSigServiceException { try { // setup context setUpContexts(Thread.currentThread().getName()); // build signature-verification request final Element domVerifyXmlSignatureRequest = buildVerifyXmlRequest(signature, trustProfileID, - verifyTransformsInfoProfileID, xpathSignatureLocation); + verifyTransformsInfoProfileID, xpathSignatureLocation, signingDate); // send signature-verification to MOA-Sig final VerifyXMLSignatureRequest vsrequest = 
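Review bot: The new `verifyXmlSignature(byte[] signature, String trustProfileID, Date signingDate)` overload and the `Date signingDate` parameter appended to the five-argument method are the only parameters in this class's `verifyXmlSignature` family not declared `final`; every surrounding overload marks all of its parameters `final`. Suggest `public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID, final Date signingDate)` and `final String xpathSignatureLocation, final Date signingDate)`. The removed `(non-Javadoc) @see` block is not replaced, which is fine for an `@Override` as long as the interface documents `signingDate`. The five-argument method's body continues past the end of the hunk.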
@@ -258,15 +262,17 @@ public class SignatureVerificationService extends AbstractSignatureService * used for validation * @param xpathSignatureLocation Xpath that points to location of * Signature element + * @param sigValDate Signature timestamp * @return MOA-Sig verification request element * @throws MoaSigServiceBuilderException In case of an error */ private Element buildVerifyXmlRequest(final byte[] signature, final String trustProfileID, - final List verifyTransformsInfoProfileID, final String xpathSignatureLocation) - throws MoaSigServiceBuilderException { + final List verifyTransformsInfoProfileID, final String xpathSignatureLocation, + Date sigValDate) throws MoaSigServiceBuilderException { try { // build empty document final Document requestDoc_ = getNewDocumentBuilder(); + final Element requestElem_ = requestDoc_.createElementNS(MOA_NS_URI, "VerifyXMLSignatureRequest"); requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns", MOA_NS_URI); @@ -275,6 +281,18 @@ public class SignatureVerificationService extends AbstractSignatureService requestDoc_.appendChild(requestElem_); // build the request + + // build set signing time + if (sigValDate != null) { + final Element dateTimeElem = requestDoc_.createElementNS(MOA_NS_URI, "DateTime"); + requestElem_.appendChild(dateTimeElem); + final Node dateTime = requestDoc_.createTextNode( + DateFormatUtils.format(sigValDate, PATTERN_ISSUE_INSTANT)); + dateTimeElem.appendChild(dateTime); + + } + + //set other parameters final Element verifiySignatureInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); requestElem_.appendChild(verifiySignatureInfoElem); -- cgit v1.2.3
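Review bot: `buildVerifyXmlRequest` names the new parameter `sigValDate` while every caller and the public API call it `signingDate`, and the Javadoc `@param sigValDate Signature timestamp` repeats the name without saying what MOA-Sig does with the value; use one name throughout and document it as `@param signingDate Reference time for the verification; {@code null} omits the DateTime element`. The parameter is also the only one in the signature not declared `final`, unlike the rest of the private method's parameters.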
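Review bot: The `DateTime` value written here becomes the reference time MOA-Sig uses for the verification (presumably the certificate-validity check), and the apparent source of that value in this commit is `IdentityLink.getIssueInstantDate()`, i.e. a timestamp taken from the very document whose signature is being verified. Nothing in this hunk or in the callers visible in the diff bounds that date, so the verification result depends on whatever issue instant the document declares; the caller that obtains the date from signed data should reject values in the future or older than an accepted maximum age before passing them in, and that expectation belongs in a comment on this block, e.g. `// DateTime is the reference time for certificate validation; a date taken from the signed data must be sanity-checked by the caller`. The element is appended as the first child of `VerifyXMLSignatureRequest`, ahead of `VerifySignatureInfo`; if the MOA schema requires that order, say so in the `// build set signing time` comment rather than leaving it implicit. `DateFormatUtils.format(Date, String)` renders in the JVM default zone, which is harmless here because the `XXX` offset preserves the instant.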