From 1ac9b47983c51ac9528f54acdb11c750fa71b618 Mon Sep 17 00:00:00 2001 From: Christof Rabensteiner Date: Mon, 21 Sep 2020 13:42:59 +0200 Subject: Extend ISignatureVerificationService: Add Supplement Content Add additional method to ISignatureVerificationService (verifyXmlSignature), that accepts the additional parameter "Map supplementContent". This parameter allows a caller to specify content for the SupplementProfile Node. With this additional parameter, the caller can specify the content of a reference, which is useful in the case where the caller wants to verify a detached signature, but the validation service cannot resolve the reference. --- .../moasig/api/ISignatureVerificationService.java | 28 ++++++++++++ .../moasig/impl/SignatureVerificationService.java | 50 +++++++++++++++++++--- 2 files changed, 71 insertions(+), 7 deletions(-) (limited to 'eaaf_modules/eaaf_module_moa-sig') diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java index 7c009b68..e4577cae 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/api/ISignatureVerificationService.java @@ -2,6 +2,7 @@ package at.gv.egiz.eaaf.modules.sigverify.moasig.api; import java.util.Date; import java.util.List; +import java.util.Map; import at.gv.egiz.eaaf.modules.sigverify.moasig.api.data.ICmsSignatureVerificationResponse; import at.gv.egiz.eaaf.modules.sigverify.moasig.api.data.IXmlSignatureVerificationResponse; @@ -115,4 +116,31 @@ public interface ISignatureVerificationService { List verifyTransformsInfoProfileID, String signatureLocationXpath, Date signingDate) throws MoaSigServiceException; + + /** + * Verify a XML or XAdES signature.
+ *
+ * This method only validates the first XML or XAdES signature if more than + * one signature exists + * + * @param signature Serialized XML or XAdES signature + * @param trustProfileID Id of the Trust-Profile from MOA-Sig + * configuration + * @param verifyTransformsInfoProfileID {@link List} of XML Transformations that + * should be used for + * signature-verification + * @param signatureLocationXpath Xpath that points to location of + * Signature element + * @param signingDate Signature timestamp + * @param supplementContent Map that contains supplement profile content; keyed by references. Each entry + * in this map becomes a Content/Base64Content child in the SupplementProfile + * node. + * @return @link {@link IXmlSignatureVerificationResponse}, or null if no + * signature was found + * @throws MoaSigServiceException on signatue-verification error + */ + IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, + final String trustProfileID, final List verifyTransformsInfoProfileID, + final String signatureLocationXpath, Date signingDate, + final Map supplementContent) throws MoaSigServiceException; } diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java index 0818a260..9ee6d0aa 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/SignatureVerificationService.java @@ -2,8 +2,10 @@ package at.gv.egiz.eaaf.modules.sigverify.moasig.impl; import java.io.ByteArrayInputStream; import java.security.cert.CertificateEncodingException; +import java.util.Collections; import java.util.Date; import java.util.List; +import java.util.Map; import javax.annotation.PostConstruct; @@ -103,7 +105,8 @@ public class SignatureVerificationService extends AbstractSignatureService @Override public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID) throws MoaSigServiceException { - return verifyXmlSignature(signature, trustProfileID, null, DEFAULT_XPATH_SIGNATURE_LOCATION, null); + return verifyXmlSignature(signature, trustProfileID, null, DEFAULT_XPATH_SIGNATURE_LOCATION, null, + Collections.EMPTY_MAP); } @@ -119,7 +122,7 @@ public class SignatureVerificationService extends AbstractSignatureService final String trustProfileID, final List verifyTransformsInfoProfileID) throws MoaSigServiceException { return verifyXmlSignature(signature, trustProfileID, verifyTransformsInfoProfileID, - DEFAULT_XPATH_SIGNATURE_LOCATION, null); + DEFAULT_XPATH_SIGNATURE_LOCATION, null, Collections.EMPTY_MAP); } /* @@ -133,27 +136,37 @@ public class SignatureVerificationService extends AbstractSignatureService public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID, final String signatureLocationXpath) throws MoaSigServiceException { - return verifyXmlSignature(signature, trustProfileID, null, signatureLocationXpath, null); + return verifyXmlSignature(signature, trustProfileID, null, signatureLocationXpath, null, Collections.EMPTY_MAP); } @Override public IXmlSignatureVerificationResponse verifyXmlSignature(byte[] signature, String trustProfileID, Date signingDate) throws MoaSigServiceException { return verifyXmlSignature(signature, trustProfileID, null, - DEFAULT_XPATH_SIGNATURE_LOCATION, signingDate); + DEFAULT_XPATH_SIGNATURE_LOCATION, signingDate, Collections.EMPTY_MAP); } + @Override public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, final String trustProfileID, final List verifyTransformsInfoProfileID, final String xpathSignatureLocation, Date signingDate) throws MoaSigServiceException { + return verifyXmlSignature(signature, trustProfileID, verifyTransformsInfoProfileID, xpathSignatureLocation, + signingDate, Collections.EMPTY_MAP); + } + + @Override + public IXmlSignatureVerificationResponse verifyXmlSignature(final byte[] signature, + final String trustProfileID, final List verifyTransformsInfoProfileID, + final String xpathSignatureLocation, Date signingDate, final Map supplementContent) + throws MoaSigServiceException { try { // setup context setUpContexts(Thread.currentThread().getName()); // build signature-verification request final Element domVerifyXmlSignatureRequest = buildVerifyXmlRequest(signature, trustProfileID, - verifyTransformsInfoProfileID, xpathSignatureLocation, signingDate); + verifyTransformsInfoProfileID, xpathSignatureLocation, signingDate, supplementContent); // send signature-verification to MOA-Sig final VerifyXMLSignatureRequest vsrequest = @@ -262,13 +275,17 @@ public class SignatureVerificationService extends AbstractSignatureService * used for validation * @param xpathSignatureLocation Xpath that points to location of * Signature element - * @param sigValDate Signature timestamp + * @param sigValDate Signature timestamp + * @param supplementContent Map that contains supplement profile content; keyed by references. Each entry + * in this map becomes a Content/Base64Content child in the SupplementProfile + * node. Use this map to specify content of references that the verification + * service cannot resolve. * @return MOA-Sig verification request element * @throws MoaSigServiceBuilderException In case of an error */ private Element buildVerifyXmlRequest(final byte[] signature, final String trustProfileID, final List verifyTransformsInfoProfileID, final String xpathSignatureLocation, - Date sigValDate) throws MoaSigServiceBuilderException { + Date sigValDate, final Map supplementContent) throws MoaSigServiceBuilderException { try { // build empty document final Document requestDoc_ = getNewDocumentBuilder(); @@ -352,6 +369,25 @@ public class SignatureVerificationService extends AbstractSignatureService trustProfileIdElem.appendChild(requestDoc_.createTextNode(trustProfileID)); requestElem_.appendChild(trustProfileIdElem); + // add supplement profile + if (!supplementContent.isEmpty()) { + + final Element supplementProfile = requestDoc_.createElementNS(MOA_NS_URI, "SupplementProfile"); + + for (Map.Entry entry: supplementContent.entrySet()) { + String reference = entry.getKey(); + byte[] contentBytes = entry.getValue(); + final Element content = requestDoc_.createElementNS(MOA_NS_URI, "Content"); + content.setAttribute("Reference", reference); + final Element b64content = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content"); + b64content.setTextContent(Base64Utils.encodeToString(contentBytes)); + content.appendChild(b64content); + supplementProfile.appendChild(content); + } + + requestElem_.appendChild(supplementProfile); + } + return requestElem_; } catch (final Throwable t) { -- cgit v1.2.3 From c9cdc12f87ea6ee188de6862ce4935d9b8ef36ce Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 Oct 2020 20:32:11 +0200 Subject: implement work-around to fix possible incompatibility between IAIK JCE/Eccelerate and JWS lib in case of ECC keys --- .../eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'eaaf_modules/eaaf_module_moa-sig') diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java index ae8c2c97..880b3791 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java @@ -49,9 +49,11 @@ public class MoaSigInitializer { log.info("Initializing MOA-Sig signature-verification service ... "); log.info("Loading Java security providers."); - IAIK.addAsProvider(); - ECCelerate.addAsProvider(); - + //IAIK.addAsProvider(); + //ECCelerate.addAsProvider(); + Security.addProvider(new IAIK()); + Security.addProvider(new ECCelerate()); + try { LoggingContextManager.getInstance().setLoggingContext(new LoggingContext("startup")); log.debug("MOA-Sig library initialization process ... "); -- cgit v1.2.3