author | gregor <gregor@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2005-07-15 13:22:13 +0000 |
---|---|---|
committer | gregor <gregor@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2005-07-15 13:22:13 +0000 |
commit | c09f1913c1ac92c76b1baaba705d09c52eeec7db (patch) | |
tree | e19214ee5704ce37131e5890657ef34b2f74a557 /spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java | |
parent | 01f3255645de31b4250c375f299bf8231efa2fa2 (diff) | |
Fix für Bug 267 erstellt. Noch absolut ungetestet.tags/Build-ID-1.2.0.D10-svn
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@381 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java')
-rw-r--r-- | spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java | 116 |
1 files changed, 99 insertions, 17 deletions
diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index e192b66a2..e8b2a5e10 100644
--- a/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -1,20 +1,9 @@
 package at.gv.egovernment.moa.spss.server.invoke;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
 import iaik.IAIKException;
 import iaik.IAIKRuntimeException;
+import iaik.ixsil.exceptions.URIException;
+import iaik.ixsil.util.URI;
 import iaik.server.modules.xml.DataObject;
 import iaik.server.modules.xml.XMLDataObject;
 import iaik.server.modules.xml.XMLSignature;
@@ -26,18 +15,33 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModule;
 import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory;
 import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile;
 import iaik.server.modules.xmlverify.XMLSignatureVerificationResult;
+import iaik.x509.X509Certificate;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 
 import at.gv.egovernment.moa.logging.LogMsg;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.logging.LoggingContext;
 import at.gv.egovernment.moa.logging.LoggingContextManager;
-import at.gv.egovernment.moa.util.CollectionUtils;
-import at.gv.egovernment.moa.util.Constants;
-
 import at.gv.egovernment.moa.spss.MOAApplicationException;
 import at.gv.egovernment.moa.spss.MOAException;
 import at.gv.egovernment.moa.spss.MOASystemException;
 import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.common.CheckResult;
 import at.gv.egovernment.moa.spss.api.common.XMLDataObjectAssociation;
 import at.gv.egovernment.moa.spss.api.xmlverify.ReferenceInfo;
 import at.gv.egovernment.moa.spss.api.xmlverify.ReferencesCheckResult;
@@ -50,12 +54,15 @@ import at.gv.egovernment.moa.spss.api.xmlverify.VerifyTransformsInfoProfileExpli
 import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
 import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.server.config.TrustProfile;
 import at.gv.egovernment.moa.spss.server.iaik.xml.XMLSignatureImpl;
 import at.gv.egovernment.moa.spss.server.logging.IaikLog;
 import at.gv.egovernment.moa.spss.server.logging.TransactionId;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
 import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.util.CollectionUtils;
+import at.gv.egovernment.moa.util.Constants;
 
 /**
 * A class providing a DOM based interface to the
@@ -208,13 +215,88 @@ public class XMLSignatureVerificationInvoker { signatureManifestCheck = validateSignatureManifest(request, result, profile); + // Check if signer certificate is in trust profile's allowed signer certificates pool + TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); + CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); + // build the response - responseBuilder.setResult(result, profile, signatureManifestCheck); + responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck); return responseBuilder.getResponse(); } /** + * Checks if the signer certificate matches one of the allowed signer certificates specified + * in the provided <code>trustProfile</code>. + * + * @param result The result produced by the <code>XMLSignatureVerificationModule</code>. + * + * @param trustProfile The trust profile the signer certificate is validated against. + * + * @return The overal result of the certificate validation for the signer certificate. + * + * @throws MOAException if one of the signer certificates specified in the <code>trustProfile</code> + * cannot be read from the file system. 
+ */ + private CheckResult validateSignerCertificate(XMLSignatureVerificationResult result, TrustProfile trustProfile) + throws MOAException + { + int resultCode = result.getCertificateValidationResult().getValidationResultCode().intValue(); + if (resultCode == 0 && trustProfile.getSignerCertsUri() != null) + { + X509Certificate signerCertificate = (X509Certificate) result.getCertificateValidationResult().getCertificateChain().get(0); + + File signerCertsDir = null; + try + { + signerCertsDir = new File(new URI(trustProfile.getSignerCertsUri()).getPath()); + } + catch (URIException e) + { + throw new MOASystemException("2900", null, e); // Should not happen, already checked at loading the MOA configuration + } + + File[] files = signerCertsDir.listFiles(); + if (files == null) resultCode = 1; + int i; + for (i = 0; i < files.length; i++) + { + if (!files[i].isDirectory()) + { + FileInputStream currentFIS = null; + try + { + currentFIS = new FileInputStream(files[i]); + } + catch (FileNotFoundException e) { + throw new MOASystemException("2900", null, e); + } + + try + { + X509Certificate currentCert = new X509Certificate(currentFIS); + if (currentCert.equals(signerCertificate)) break; + } + catch (Exception e) + { + // Simply ignore file if it cannot be interpreted as certificate + Logger.warn("Signatorzertifiat aus Trustprofile mit id=" + + trustProfile.getId() + " kann nicht geparst werden: " + + e.getMessage()); + } + } + } + if (i >= files.length) + { + resultCode = 1; // No signer certificate from the trustprofile pool matches the actual signer certificate + } + } + + SPSSFactory factory = SPSSFactory.getInstance(); + return factory.createCheckResult(resultCode, null); + } + + /** * Select the <code>dsig:Signature</code> DOM element within the signature * environment. * |
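Review bot: In the new `validateSignerCertificate`, `if (files == null) resultCode = 1;` does not leave the method, so the `for (i = 0; i < files.length; i++)` that follows dereferences null whenever `listFiles()` cannot list the signer-certificate directory (missing, unreadable, or not a directory). The allowed-signer check then ends in a NullPointerException instead of a clean "signer not in pool" result. Each `FileInputStream` opened in the loop is also never closed, so every verification request against a profile with a signer pool leaks one file handle per pool file. The sketch below keeps the matching logic inside the unchanged `if (resultCode == 0 && ...)` block, treats a null listing as "no match", and closes the stream in a `finally`; it needs `java.io.IOException` imported alongside the other `java.io` imports this commit adds. Since the commit message states the fix is untested, cases for an absent directory and for an unparsable file in the pool would be worth covering.

```java
File[] files = signerCertsDir.listFiles();
boolean matched = false;
// listFiles() yields null when the directory cannot be listed: treat that as "no match"
for (int i = 0; files != null && !matched && i < files.length; i++)
{
  if (files[i].isDirectory()) continue;

  FileInputStream currentFIS = null;
  try
  {
    currentFIS = new FileInputStream(files[i]);
    matched = new X509Certificate(currentFIS).equals(signerCertificate);
  }
  catch (FileNotFoundException e)
  {
    throw new MOASystemException("2900", null, e);
  }
  catch (Exception e)
  {
    // … unchanged: Logger.warn for a file that cannot be parsed as a certificate …
  }
  finally
  {
    if (currentFIS != null)
    {
      try { currentFIS.close(); } catch (IOException ignored) { /* nothing to recover on close */ }
    }
  }
}
if (!matched)
{
  resultCode = 1; // No signer certificate from the trustprofile pool matches the actual signer certificate
}
```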