authorKlaus Stranacher <kstranacher@iaik.tugraz.at>2013-08-21 13:12:26 +0200
committerKlaus Stranacher <kstranacher@iaik.tugraz.at>2013-08-21 13:12:26 +0200
commit5b697c424d24a7523dccd210454d029368e34898 (patch)
tree9dc5efda7d874930db0245ae34d3cd676b6c7c11 /spss/server/serverlib/src/main/java/at/gv
parenta52d3300d20837b12b45a0d4fb2b0ee520f6e641 (diff)
Update QC/SSCD check
WSDL location updated
Diffstat (limited to 'spss/server/serverlib/src/main/java/at/gv')
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java4
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java6
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java4
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java10
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java20
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java4
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java3
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java9
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java10
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java209
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java5
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java6
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java104
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java252
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java200
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java286
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java37
17 files changed, 806 insertions, 363 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
index 80f996b36..b5cc96a04 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
@@ -1101,6 +1101,7 @@ public abstract class SPSSFactory {
* signature based on a SSDC, otherwise <code>false</code>.
* @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,
* otherwise <code>false</code>.
+ * @param issuerCountryCode contains the signer certificate issuer country code.
* @return The <code>SignerInfo</code> containing the above data.
*
* @pre signerCertSubjectName != null
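Review bot: The new `@param issuerCountryCode` on the added line says the value "contains" the country code, but both invokers in this commit pass `null` when no certificate chain is available, and `ResponseBuilderUtils` only emits the element when the value is non-null, so the contract should state that. Suggest `@param issuerCountryCode the signer certificate issuer country code, or <code>null</code> if it could not be determined.` The `@pre` list that follows should not gain a non-null precondition for this parameter for the same reason. The documented method's signature is in the next hunk.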
@@ -1114,7 +1115,8 @@ public abstract class SPSSFactory {
boolean publicAuthority,
String publicAuthorityID,
boolean sscd,
- boolean sscdSourceTSL);
+ boolean sscdSourceTSL,
+ String issuerCountryCode);
/**
* Create a new <code>X509IssuerSerial</code> object.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java
index 337f775bf..777365ad3 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java
@@ -68,7 +68,11 @@ public interface SignerInfo {
*/
public String getQCSource();
-
+ /**
+ * Returns the signer certificate issuer country code
+ * @return
+ */
+ public String getIssuerCountryCode();
/**
* Checks, whether the certificate contained in this object is a
* public authority certificate.
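Review bot: The Javadoc added for `getIssuerCountryCode()` has an empty `@return` tag, which renders as a blank line in the generated API docs and leaves the nullability of the value undocumented. Suggest `@return the issuer country code of the signer certificate, or <code>null</code> if none was determined` — the null case is real, since the invokers in this commit hand a `null` through to the factory when the certificate chain is missing. A summary sentence ending with a period would also match the neighbouring `getQCSource()` doc style.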
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java
index 74f65cb70..8e3bb7636 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java
@@ -626,7 +626,8 @@ public class SPSSFactoryImpl extends SPSSFactory {
boolean publicAuthority,
String publicAuthorityID,
boolean sscd,
- boolean sscdSourceTSL) {
+ boolean sscdSourceTSL,
+ String issuerCountryCode) {
SignerInfoImpl signerInfo = new SignerInfoImpl();
signerInfo.setSignerCertificate(signerCertificate);
signerInfo.setQualifiedCertificate(qualifiedCertificate);
@@ -635,6 +636,7 @@ public class SPSSFactoryImpl extends SPSSFactory {
signerInfo.setPublicAuhtorityID(publicAuthorityID);
signerInfo.setSSCD(sscd);
signerInfo.setSSCDSourceTSL(sscdSourceTSL);
+ signerInfo.setIssuerCountryCode(issuerCountryCode);
return signerInfo;
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java
index 5d26397c5..7a108e8a4 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java
@@ -56,6 +56,9 @@ public class SignerInfoImpl implements SignerInfo {
/** Determines, if the QC check bases upon on TSL */
private boolean qcSourceTSL;
+ /** The certificate issuer country code */
+ private String issuerCountryCode;
+
/**
* Sets the signer certificate.
*
@@ -118,6 +121,13 @@ public class SignerInfoImpl implements SignerInfo {
return "Certificate";
}
+ public void setIssuerCountryCode(String issuerCountryCode) {
+ this.issuerCountryCode = issuerCountryCode;
+ }
+ public String getIssuerCountryCode() {
+ return issuerCountryCode;
+ }
+
/**
* Sets, whether the certificate contained in this object is an
* e-government certificate or not.
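Review bot: The added `setIssuerCountryCode`/`getIssuerCountryCode` pair is the only accessor pair in this class without Javadoc; every neighbouring setter in the hunk context (`Sets the signer certificate.`, `Sets, whether the certificate ...`) is documented. Suggest `/** Sets the signer certificate issuer country code; may be <code>null</code> if unknown. */` on the setter and a matching `@return` on the getter, and inserting the pair next to the other simple accessors rather than between two documented e-government methods. The field declaration in the first hunk of this file would benefit from the same "may be null" remark.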
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
index 505303bc1..2e2afaf7c 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
@@ -121,7 +121,8 @@ class ResponseBuilderUtils {
boolean isPublicAuthority,
String publicAuthorityID,
boolean isSSCD,
- String sscdSource)
+ String sscdSource,
+ String issuerCountryCode)
throws MOAApplicationException {
Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo");
@@ -147,6 +148,12 @@ class ResponseBuilderUtils {
isSSCD
? response.createElementNS(MOA_NS_URI, "SecureSignatureCreationDevice")
: null;
+ Element issuerCountryCodeElem = null;
+ if (issuerCountryCode != null) {
+ issuerCountryCodeElem = response.createElementNS(MOA_NS_URI, "IssuerCountryCode");
+ issuerCountryCodeElem.setTextContent(issuerCountryCode);
+ }
+
Element publicAuthorityElem =
isPublicAuthority
? response.createElementNS(MOA_NS_URI, "PublicAuthority")
@@ -184,8 +191,10 @@ class ResponseBuilderUtils {
x509DataElem.appendChild(x509IssuerSerialElem);
x509DataElem.appendChild(x509CertificateElem);
if (isQualified) {
- qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource);
- x509DataElem.appendChild(qualifiedCertificateElem);
+ if (qcSource.compareToIgnoreCase("TSL") == 0)
+ qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource);
+
+ x509DataElem.appendChild(qualifiedCertificateElem);
}
if (isPublicAuthority) {
x509DataElem.appendChild(publicAuthorityElem);
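Review bot: `qcSource.compareToIgnoreCase("TSL") == 0` on the new line throws a NullPointerException when `qcSource` is null, which the old unconditional `setAttributeNS` never did; a null-safe equality check is the idiom here: `if ("TSL".equalsIgnoreCase(qcSource))`. The change also means the `Source` attribute disappears from `QualifiedCertificate` for every non-TSL result, which is an observable response-schema change for clients; if that is intended, a one-line comment such as `// Source attribute is only reported for TSL-based QC results` would stop the next maintainer from "fixing" it back. The SSCD branch in the last hunk of this file still writes `sscdSource` unconditionally, so the two paths are now inconsistent — presumably deliberate, but worth stating. The enclosing method continues outside this hunk.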
@@ -195,9 +204,12 @@ class ResponseBuilderUtils {
}
}
if (isSSCD) {
- sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource);
+ sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource);
x509DataElem.appendChild(sscdElem);
}
+ if (issuerCountryCodeElem != null)
+ x509DataElem.appendChild(issuerCountryCodeElem);
+
signerInfoElem.appendChild(x509DataElem);
root.appendChild(signerInfoElem);
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java
index 238875351..b11560b28 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java
@@ -99,7 +99,6 @@ public class VerifyCMSSignatureResponseBuilder {
CheckResult signatureCheck = responseElement.getSignatureCheck();
CheckResult certCheck = responseElement.getCertificateCheck();
- //TODO
ResponseBuilderUtils.addSignerInfo(
responseDoc,
responseElem,
@@ -109,7 +108,8 @@ public class VerifyCMSSignatureResponseBuilder {
signerInfo.isPublicAuthority(),
signerInfo.getPublicAuhtorityID(),
signerInfo.isSSCD(),
- signerInfo.getSSCDSource());
+ signerInfo.getSSCDSource(),
+ signerInfo.getIssuerCountryCode());
ResponseBuilderUtils.addCodeInfoElement(
responseDoc,
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java
index 8673fba1c..dd4e13ad9 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java
@@ -100,7 +100,8 @@ public class VerifyXMLSignatureResponseBuilder {
response.getSignerInfo().isPublicAuthority(),
response.getSignerInfo().getPublicAuhtorityID(),
response.getSignerInfo().isSSCD(),
- response.getSignerInfo().getSSCDSource());
+ response.getSignerInfo().getSSCDSource(),
+ response.getSignerInfo().getIssuerCountryCode());
// add HashInputData elements
responseData = response.getHashInputDatas();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index d2ee75116..0908d88c9 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -1225,7 +1225,6 @@ public class ConfigurationPartsBuilder {
tp.mkdir();
if (!tp.isDirectory()) {
error("config.50", new Object[] { tp.getPath() });
- // TODO?
}
File tpid = new File(tp, id);
@@ -1233,11 +1232,8 @@ public class ConfigurationPartsBuilder {
tpid.mkdir();
if (!tpid.isDirectory()) {
error("config.50", new Object[] { tpid.getPath() });
- // TODO?
}
-
- //System.out.println("tps: " + tpid.getAbsolutePath());
// create profile
profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries);
@@ -1257,10 +1253,6 @@ public class ConfigurationPartsBuilder {
FileUtils.copyFile(file, new File(tpid, file.getName()));
}
-// System.out.println("ID: " + id);
-// System.out.println("Str: " + trustAnchorsLocStr);
-// System.out.println("URI: " + trustAnchorsLocURI.toString());
-// System.out.println("tslWorkingDir: " + tslWorkingDir);
} else {
@@ -1698,7 +1690,6 @@ public class ConfigurationPartsBuilder {
map.put(x509IssuerName, interval);
}
- //System.out.println("Name: " + x509IssuerName + " - Interval: " + interval);
}
return map;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
index 3640dc23f..12d8b0126 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
@@ -119,7 +119,7 @@ public class SystemInitializer {
try {
ConfigurationProvider config = ConfigurationProvider.getInstance();
ConfigurationData configData = new IaikConfigurator().configure(config);
-
+
//initialize TSL module
TSLConfiguration tslconfig = config.getTSLConfiguration();
@@ -131,13 +131,11 @@ public class SystemInitializer {
}
-// System.out.println("Hashcache 1: " + BinaryHashCache.DIR);
//start TSL Update
TSLUpdaterTimerTask.tslconnector_ = tslconnector;
TSLUpdaterTimerTask.update();
-// System.out.println("Hashcache 2: " + BinaryHashCache.DIR);
//initialize TSL Update Task
initTSLUpdateTask(tslconfig);
@@ -156,13 +154,13 @@ public class SystemInitializer {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
} catch (TrustStoreException e) {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
- } catch (CertificateException e) {
- Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
} catch (FileNotFoundException e) {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
} catch (IOException e) {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
- }
+ } catch (CertificateException e) {
+ Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
+ }
// set IXSIL debug output
IXSILInit.setPrintDebugLog(
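Review bot: The `CertificateException` catch clause is moved below `IOException` without any visible reason; since a subtype would have required the original order to compile, the two types are presumably unrelated and the reorder is pure churn that makes the history harder to read. Unless a sibling change depends on it, I would drop the move (and the whitespace-only change in the first hunk of this file), or add a short comment explaining why the order matters. The enclosing `try` starts outside the hunk.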
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index 6aa34573e..7a4103957 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
import at.gv.egovernment.moa.spss.util.CertificateUtils;
import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.spss.util.QCSSCDResult;
/**
* A class providing an interface to the
@@ -185,6 +186,8 @@ public class CMSSignatureVerificationInvoker {
}
}
+ QCSSCDResult qcsscdresult = new QCSSCDResult();
+
// build the response: for each signatory add the result to the response
signatories = request.getSignatories();
if (signatories == VerifyCMSSignatureRequest.ALL_SIGNATORIES) {
@@ -192,61 +195,28 @@ public class CMSSignatureVerificationInvoker {
for (resultIter = results.iterator(); resultIter.hasNext();) {
result = (CMSSignatureVerificationResult) resultIter.next();
- boolean sscdSourceTSL = false;
- boolean qcSourceTSL = false;
-
- boolean checkQC = false;
- boolean checkSSCD = false;
-
- List chain = result.getCertificateValidationResult().getCertificateChain();
- // check QC and SSCD via TSL (if enabled)
- boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain);
- boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain);
-
- if (!checkSSCDFromTSL) {
-
- boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0));
- boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0));
-
- if (checkQCPPlus)
- checkSSCD = true;
- if (checkQcEuSSCD)
- checkSSCD = true;
-
- sscdSourceTSL = false;
-
- System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL);
- System.out.println("checkQCPPlus: " + checkQCPPlus);
- System.out.println("checkQcEuSSCD: " + checkQcEuSSCD);
- }
- else {
- checkSSCD = true;
- sscdSourceTSL = true;
- }
-
- if (!checkQCFromTSL) {
-
- boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0));
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0));
-
- if (checkQCP)
- checkQC = true;
- if (checkQcEuCompliance)
- checkQC = true;
-
- qcSourceTSL = false;
-
- System.out.println("checkQCFromTSL: " + checkQCFromTSL);
- System.out.println("checkQCP: " + checkQCP);
- System.out.println("checkQcEuCompliance: " + checkQcEuCompliance);
- }
- else {
- checkQC = true;
- qcSourceTSL = true;
+ String issuerCountryCode = null;
+ // QC/SSCD check
+ List list = result.getCertificateValidationResult().getCertificateChain();
+ if (list != null) {
+ X509Certificate[] chain = new X509Certificate[list.size()];
+
+ Iterator it = list.iterator();
+ int i = 0;
+ while(it.hasNext()) {
+ chain[i] = (X509Certificate)it.next();
+ i++;
+ }
+
+
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled());
+
+ // get signer certificate issuer country code
+ issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));
+
}
-
- responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL);
+ responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode);
}
} else {
int i;
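Review bot: `qcsscdresult` is created once before both loops (first hunk of this file) and only reassigned inside `if (list != null)`, so a signatory whose certificate chain is null inherits the QC/SSCD flags of the previous signatory and can be reported as qualified/SSCD-based when it is not; the same pattern is in the next hunk. Move the declaration into the loop body next to `String issuerCountryCode = null;`, i.e. `QCSSCDResult qcsscdresult = new QCSSCDResult();` per iteration. `list.get(0)` also throws on an empty chain — uncaught in this loop, and in the next hunk caught by the `IndexOutOfBoundsException` handler and misreported as error "2249" (the invalid-signatory-index message); guard with `if (list != null && !list.isEmpty())`. The list-to-array copy is now repeated four times across this file and XMLSignatureVerificationInvoker and belongs in one helper (e.g. in CertificateUtils).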
@@ -257,64 +227,27 @@ public class CMSSignatureVerificationInvoker {
try {
result =
(CMSSignatureVerificationResult) results.get(signatories[i] - 1);
- boolean sscdSourceTSL = false;
- boolean qcSourceTSL = false;
- boolean checkQC = false;
- boolean checkSSCD = false;
-
- List chain = result.getCertificateValidationResult().getCertificateChain();
- // check QC and SSCD via TSL (if enabled)
- boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain);
- boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain);
-
- if (!checkSSCDFromTSL) {
-
- boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0));
- boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0));
-
- if (checkQCPPlus)
- checkSSCD = true;
- if (checkQcEuSSCD)
- checkSSCD = true;
-
- sscdSourceTSL = false;
-
- System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL);
- System.out.println("checkQCPPlus: " + checkQCPPlus);
- System.out.println("checkQcEuSSCD: " + checkQcEuSSCD);
- }
- else {
- checkSSCD = true;
- sscdSourceTSL = true;
- }
-
- if (!checkQCFromTSL) {
-
- boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0));
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0));
-
- if (checkQCP)
- checkQC = true;
- if (checkQcEuCompliance)
- checkQC = true;
-
- qcSourceTSL = false;
-
- System.out.println("checkQCFromTSL: " + checkQCFromTSL);
- System.out.println("checkQCP: " + checkQCP);
- System.out.println("checkQcEuCompliance: " + checkQcEuCompliance);
-
- }
- else {
- checkQC = true;
- qcSourceTSL = true;
+ String issuerCountryCode = null;
+ // QC/SSCD check
+ List list = result.getCertificateValidationResult().getCertificateChain();
+ if (list != null) {
+ X509Certificate[] chain = new X509Certificate[list.size()];
+
+ Iterator it = list.iterator();
+ int j = 0;
+ while(it.hasNext()) {
+ chain[j] = (X509Certificate)it.next();
+ j++;
+ }
+
+
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled());
+
+ issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));
}
-
-
-
- responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL);
+ responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode);
} catch (IndexOutOfBoundsException e) {
throw new MOAApplicationException(
"2249",
@@ -326,65 +259,7 @@ public class CMSSignatureVerificationInvoker {
return responseBuilder.getResponse();
}
- private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) {
- boolean checkQCFromTSL = false;
- try {
- if (tslEnabledTrustProfile) {
- if (chainlist != null) {
- X509Certificate[] chain = new X509Certificate[chainlist.size()];
-
- Iterator it = chainlist.iterator();
- int i = 0;
- while(it.hasNext()) {
- chain[i] = (X509Certificate)it.next();
- i++;
- }
-
- checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
- //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
- }
- }
- }
- catch (TSLEngineDiedException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- } catch (TSLSearchException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- }
-
- return checkQCFromTSL;
- }
-
- private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) {
- boolean checkSSCDFromTSL = false;
- try {
- if (tslEnabledTrustProfile) {
- if (chainlist != null) {
- X509Certificate[] chain = new X509Certificate[chainlist.size()];
-
- Iterator it = chainlist.iterator();
- int i = 0;
- while(it.hasNext()) {
- chain[i] = (X509Certificate)it.next();
- i++;
- }
-
- checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
- }
- }
- }
- catch (TSLEngineDiedException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- } catch (TSLSearchException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- }
-
- return checkSSCDFromTSL;
- }
-
+
/**
* Get the signed content contained either in the request itself or given as a
* reference to external data.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
index f44cce62a..1ea10cb4e 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
@@ -79,7 +79,7 @@ public class VerifyCMSSignatureResponseBuilder {
* otherwise <code>false</code>.
* @throws MOAException
*/
- public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL)
+ public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode)
throws MOAException {
CertificateValidationResult certResult =
@@ -104,7 +104,8 @@ public class VerifyCMSSignatureResponseBuilder {
certResult.isPublicAuthorityCertificate(),
certResult.getPublicAuthorityID(),
checkSSCD,
- sscdSourceTSL);
+ sscdSourceTSL,
+ issuerCountryCode);
// add SignatureCheck element
signatureCheck = factory.createCheckResult(signatureCheckCode, null);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
index 4fdb1eeb7..193495171 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
@@ -142,7 +142,8 @@ public class VerifyXMLSignatureResponseBuilder {
boolean qcSourceTSL,
boolean checkSSCD,
boolean sscdSourceTSL,
- boolean isTSLEnabledTrustprofile)
+ boolean isTSLEnabledTrustprofile,
+ String issuerCountryCode)
throws MOAApplicationException {
CertificateValidationResult certResult =
@@ -167,7 +168,8 @@ public class VerifyXMLSignatureResponseBuilder {
certResult.isPublicAuthorityCertificate(),
certResult.getPublicAuthorityID(),
checkSSCD,
- sscdSourceTSL);
+ sscdSourceTSL,
+ issuerCountryCode);
// Create HashInputData Content objects
referenceDataList = result.getReferenceDataList();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index c3cc8bfe8..c90bc534a 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -24,10 +24,7 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import at.gv.egovernment.moa.spss.util.CertificateUtils;
-
import iaik.ixsil.exceptions.URIException;
-
import iaik.ixsil.util.URI;
import iaik.server.modules.IAIKException;
import iaik.server.modules.IAIKRuntimeException;
@@ -43,8 +40,6 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory;
import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile;
import iaik.server.modules.xmlverify.XMLSignatureVerificationResult;
import iaik.x509.X509Certificate;
-import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
-import iaik.xml.crypto.tsl.ex.TSLSearchException;
import java.io.File;
import java.io.FileInputStream;
@@ -90,8 +85,9 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog;
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
-import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+import at.gv.egovernment.moa.spss.util.CertificateUtils;
import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.spss.util.QCSSCDResult;
import at.gv.egovernment.moa.util.CollectionUtils;
import at.gv.egovernment.moa.util.Constants;
@@ -211,12 +207,7 @@ public class XMLSignatureVerificationInvoker {
requestElement);
}
- boolean sscdSourceTSL = false;
- boolean qcSourceTSL = false;
-
- boolean checkQC = false;
- boolean checkSSCD = false;
-
+ QCSSCDResult qcsscdresult = new QCSSCDResult();
String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId();
ConfigurationProvider config = ConfigurationProvider.getInstance();
TrustProfile tp = config.getTrustProfile(tpID);
@@ -242,73 +233,27 @@ public class XMLSignatureVerificationInvoker {
MOAException moaException = IaikExceptionMapper.getInstance().map(e);
throw moaException;
}
- try {
- if (tp.isTSLEnabled()) {
- List list = result.getCertificateValidationResult().getCertificateChain();
- if (list != null) {
- X509Certificate[] chain = new X509Certificate[list.size()];
-
- Iterator it = list.iterator();
- int i = 0;
- while(it.hasNext()) {
- chain[i] = (X509Certificate)it.next();
- i++;
- }
-
- boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
- boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
-
- if (!checkSSCDFromTSL) {
-
- boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
- boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
-
- if (checkQCPPlus)
- checkSSCD = true;
- if (checkQcEuSSCD)
- checkSSCD = true;
-
- sscdSourceTSL = false;
- }
- else {
- checkSSCD = true;
- sscdSourceTSL = true;
- }
-
- if (!checkQCFromTSL) {
-
- boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
-
- if (checkQCP)
- checkQC = true;
- if (checkQcEuCompliance)
- checkQC = true;
-
- qcSourceTSL = false;
- }
- else {
- checkQC = true;
- qcSourceTSL = true;
- }
-
-// System.out.println("chain[0]: " + chain[0]);
-//
-// System.out.println("checkQCFromTSL: " + checkQCFromTSL);
-// System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL);
-// System.out.println("checkQCPPlus: " + checkQCPPlus);
-// System.out.println("checkQcEuSSCD: " + checkQcEuSSCD);
+
+
+ // QC/SSCD check
+ List list = result.getCertificateValidationResult().getCertificateChain();
+ if (list != null) {
+ X509Certificate[] chain = new X509Certificate[list.size()];
+
+ Iterator it = list.iterator();
+ int i = 0;
+ while(it.hasNext()) {
+ chain[i] = (X509Certificate)it.next();
+ i++;
}
- }
+
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled());
}
- catch (TSLEngineDiedException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- } catch (TSLSearchException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- }
+
+ // get signer certificate issuer country code
+ String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));
+
// swap back in the request as root document
if (requestElement != signatureEnvironment.getElement()) {
requestElement.getOwnerDocument().replaceChild(
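Review bot: `CertificateUtils.getIssuerCountry((X509Certificate)list.get(0))` sits outside the `if (list != null)` block that precedes it, so a null certificate chain now ends in a NullPointerException (and an empty chain in IndexOutOfBoundsException) where the guard was clearly meant to protect; the CMS invoker in this commit gets this right by initialising the variable to null and assigning inside the guarded block. Suggest `String issuerCountryCode = null;` before the `if` and moving the assignment inside it, with the guard widened to `list != null && !list.isEmpty()`. The removed `catch (TSLEngineDiedException | TSLSearchException)` blocks logged "tsl.01"; `CertificateUtils.checkQCSSCD` is not shown here, so please confirm it still reports TSL engine failures rather than silently returning a non-QC result. The enclosing method continues outside the hunk.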
@@ -325,14 +270,9 @@ public class XMLSignatureVerificationInvoker {
TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());
CheckResult certificateCheck = validateSignerCertificate(result, trustProfile);
-// System.out.println("checkQC: " + checkQC);
-// System.out.println("qcSourceTSL: " + qcSourceTSL);
-// System.out.println("checkSSCD: " + checkSSCD);
-// System.out.println("sscdSourceTSL: " + sscdSourceTSL);
// build the response
- responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL, tp.isTSLEnabled());
-
+ responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode);
return responseBuilder.getResponse();
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
index 49f715cb8..07da0a998 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
@@ -83,6 +83,15 @@ public class TSLConnector implements TSLConnectorInterface {
return updateAndGetQualifiedCACertificates(dateTime, null, serviceLevelStatus);
}
+ public void updateTSLs(Date dateTime,
+ String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
+
+ if (Configurator.is_isInitialised() == false)
+ new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ updateTSLs(dateTime, null, serviceLevelStatus);
+ }
+
public ArrayList<File> updateAndGetQualifiedCACertificates(Date dateTime,
String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
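Review bot: `new TSLEngineFatalException("The TSL Engine is not initialized!");` on the line after the initialisation check constructs the exception but never throws it, so an uninitialised engine falls straight through into `updateTSLs`; the same no-op appears at the start of the second `updateTSLs` overload in the next hunk. The line should read `throw new TSLEngineFatalException("The TSL Engine is not initialized!");` — and if that type is checked and not a subtype of the declared `TSLEngineDiedException`/`TSLSearchException`, the `throws` clause needs it too. The condition is more idiomatically written `if (!Configurator.is_isInitialised())`. The second overload also ignores the results of `mkdir()`, `delete()` and `createNewFile()`, so a failure to reset the download directory or the temporary database goes unnoticed; that method runs past the end of the visible diff.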
@@ -326,6 +335,249 @@ public class TSLConnector implements TSLConnectorInterface {
return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
}
+ public void updateTSLs(Date dateTime,
+ String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
+
+ if (Configurator.is_isInitialised() == false)
+ new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("hashcachedir: " + hashcachedir);
+// if (hashcachedir==null)
+// hashcachedir = DEFAULT_HASHCACHE_DIR;
+
+// File hashcachefile = new File(hashcachedir);
+// File[] filelist = hashcachefile.listFiles();
+// if (filelist != null) {
+// for (File f : filelist)
+// f.delete();
+// }
+
+ File tsldownloadfile = new File(tsldownloaddir);
+ if (!tsldownloadfile.exists()) {
+ tsldownloadfile.mkdir();
+ }
+ File[] tslfilelist = tsldownloadfile.listFiles();
+ if (tslfilelist != null) {
+ for (File f : tslfilelist)
+ f.delete();
+ }
+
+ //create sqlLite database
+ File dbFile = new File(Configurator.get_TempdbFile());
+ try {
+ dbFile.delete();
+ dbFile.createNewFile();
+ } catch (IOException e) {
+ throw new TSLEngineDiedException("Could not create temporary data base file", e);
+ }
+
+ //the TSL library uses the iaik.util.logging environment.
+ //iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.WARN);
+ iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF);
+
+ log.info("Starting EU TSL import.");
+
+ // Certificates in Germany, Estonia, Greece, Cyprus,
+ // Lithuainia, Hungary, Poland, Finland, Norway use SURNAME
+ log.debug("### SURNAME registered as " + ObjectID.surName + " ###");
+ RFC2253NameParser.register("SURNAME", ObjectID.surName);
+
+ XSecProvider.addAsProvider(false);
+
+ TSLEngine tslEngine;
+ TslSqlConnectionWrapper connection = null;
+
+ try {
+ // register the Https JSSE Wrapper
+ TLS.register();
+ log.trace("### Https JSSE Wrapper registered ###");
+
+
+ log.debug("### Connect to Database.###");
+ connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
+
+ log.trace("### Connected ###");
+
+ // empty the database and recreate the tables
+ tslEngine = new TSLEngine(dbFile, Configurator.get_TSLWorkingDirectoryPath(),
+ connection, true, true);
+
+ } catch (TSLEngineFatalException e1) {
+ throw new TSLEngineDiedException(e1);
+
+ }
+
+ // H.2.2.1 Same-scheme searching
+ // H.2.2.2 Known scheme searching
+ // H.2.2.3 "Blind" (unknown) scheme searching
+ Number tId = null;
+ Countries euTerritory = Countries.EU;
+ TSLImportContext topLevelTslContext = new TSLEUImportFromFileContext(
+ euTerritory, Configurator.get_euTSLURL(), Configurator.get_TSLWorkingDirectoryPath(),
+ Configurator.is_sqlMultithreaded(),
+ Configurator.is_throwExceptions(), Configurator.is_logExceptions(),
+ Configurator.is_throwWarnings(), Configurator.is_logWarnings(),
+ Configurator.is_nullRedundancies());
+
+ TSLEngineEU tslengineEU;
+ try {
+ tslengineEU = tslEngine.new TSLEngineEU();
+
+ } catch (TSLEngineFatalException e1) {
+ throw new TSLEngineDiedException(e1);
+ }
+
+ // establish EU TSL trust anchor
+ ListIterator<java.security.cert.X509Certificate> expectedEuTslSignerCerts =
+ tslEngine.loadCertificatesFromResource(
+ Configurator.get_euTrustAnchorsPath(), topLevelTslContext);
+
+ log.debug("Process EU TSL");
+ // process the EU TSL to receive the pointers to the other TSLs
+ // and the trust anchors for the TSL signers
+ Set<Entry<Number, LocationAndCertHash>> pointersToMsTSLs = null;
+
+ try {
+
+ tId = tslengineEU.processEUTSL(topLevelTslContext, expectedEuTslSignerCerts);
+ log.info("Process EU TSL finished");
+
+ log.debug(Thread.currentThread() + " waiting for other threads ...");
+
+ topLevelTslContext.waitForAllOtherThreads();
+ log.debug(Thread.currentThread()
+ + " reactivated after other threads finished ...");
+
+
+ // get the TSLs pointed from the EU TSL
+ LinkedHashMap<Number, LocationAndCertHash> tslMap = tslengineEU
+ .getOtherTslMap(tId, topLevelTslContext);
+
+ pointersToMsTSLs = tslMap.entrySet();
+
+ //set Errors and Warrnings
+
+ } catch (TSLEngineFatalRuntimeException e) {
+ throw new TSLEngineDiedException(topLevelTslContext.dumpFatals());
+
+ } catch (TSLTransactionFailedRuntimeException e) {
+ throw new TSLEngineDiedException(topLevelTslContext.dumpTransactionFaliures());
+ }
+
+ //Backup implementation if the EU TSL includes a false signer certificate
+ // establish additional trust anchors for member states
+// Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {
+// Countries.CZ,
+// Countries.LU,
+// Countries.ES,
+// Countries.AT,
+// };
+ Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {};
+
+ Map<Countries, java.util.ListIterator<java.security.cert.X509Certificate>>
+ trustAnchorsWrongOnEuTsl = loadCertificatesFromResource(
+ Configurator.get_msTrustAnchorsPath(), tslEngine, topLevelTslContext,
+ countriesWithPotentiallyWrongCertsOnEuTsl);
+
+ log.info("Starting EU member TSL import.");
+
+ for (Entry<Number, LocationAndCertHash> entry : pointersToMsTSLs) {
+
+ TSLImportContext msTslContext;
+
+ Countries expectedTerritory = entry.getValue().getSchemeTerritory();
+ try {
+
+// if (expectedTerritory.equals("RO"))
+// System.out.println("Stop");
+
+ Number otpId = entry.getKey();
+ LocationAndCertHash lac = entry.getValue();
+
+ URL uriReference = null;
+ try {
+ uriReference = new URL(lac.getUrl());
+
+ } catch (MalformedURLException e) {
+ log.warn("Could not process: " + uriReference, e);
+ continue;
+ }
+
+ String baseURI = uriReference == null ? "" : "" + uriReference;
+
+ msTslContext = new TSLImportFromFileContext(
+ expectedTerritory, uriReference, otpId, Configurator.get_TSLWorkingDirectoryPath(),
+ Configurator.is_sqlMultithreaded(),
+ Configurator.is_throwExceptions(), Configurator.is_logExceptions(),
+ Configurator.is_throwWarnings(), Configurator.is_logWarnings(),
+ Configurator.is_nullRedundancies(), baseURI, trustAnchorsWrongOnEuTsl,
+ topLevelTslContext);
+
+ ListIterator<X509Certificate> expectedTslSignerCerts = null;
+ expectedTslSignerCerts = tslEngine.getCertificates(lac, msTslContext);
+
+ if (expectedTslSignerCerts == null) {
+
+ // no signer certificate on the EU TSL
+ // ignore this msTSL and log a warning
+ log.warn("NO signer certificate found on EU TSL! "
+ + lac.getSchemeTerritory() + "TSL ignored.");
+
+ }
+ else {
+ tslEngine.processMSTSL(topLevelTslContext, msTslContext, expectedTslSignerCerts);
+ }
+
+ } catch (TSLExceptionB e) {
+ log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
+ + " TSL ignored.");
+ log.debug("Failed to process TSL. " + entry, e);
+ continue;
+ } catch (TSLRuntimeException e) {
+ log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
+ + " TSL ignored.");
+ log.debug("Failed to process TSL. " + entry, e);
+ continue;
+ }
+ }
+
+ log.debug(Thread.currentThread() + " waiting for other threads ...");
+ topLevelTslContext.waitForAllOtherThreads();
+
+ log.debug(_.dumpAllThreads());
+ log.debug(Thread.currentThread() + " reactivated after other threads finished ...");
+
+ connection = null;
+ try {
+ connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
+ tslEngine.recreateTablesInvalidatedByImport(connection);
+
+
+ //TODO: implement database copy operation!
+ File working_database = new File(Configurator.get_dbFile());
+ working_database.delete();
+ copy(dbFile, working_database);
+
+
+ } catch (TSLEngineFatalException e) {
+ throw new TSLEngineDiedException(e);
+
+ } finally {
+ try {
+ connection.closeConnection();
+
+ } catch (TSLEngineFatalException e) {
+ throw new TSLEngineDiedException(e);
+
+ }
+ }
+
+ //return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
+ }
+
public ArrayList<File> getQualifiedCACertificates(Date dateTime,
String[] serviceLevelStatus) throws TSLEngineDiedException,
TSLSearchException {
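Review bot: The `finally` block at L966-L974 dereferences `connection` unconditionally, but `connectToDatabaBase` at L953 sits inside the `try`, so if it throws, `connection` is still null and the resulting NullPointerException replaces the original `TSLEngineDiedException`; guard it with `if (connection != null) connection.closeConnection();`. The first connection opened at L798 is likewise never closed before the variable is overwritten at L951, unless `TSLEngine` takes ownership of it — worth confirming. At L903 the warning is logged with `uriReference`, which is always null in that branch because the assignment at L900 is what failed, so the offending location is lost; log `lac.getUrl()` instead. Setting the TSL library's log level to `OFF` at L777 suppresses every warning the library raises while validating trust-list signatures and pointers, which is precisely the output an operator needs when a member-state TSL is silently skipped; the `WARN` level in the commented-out line above it is the safer choice. Finally, `working_database.delete()` at L959 runs before `copy` at L960, so a failed copy leaves no database for the subsequent `checkQC`/`checkSSCD` lookups — copying to a temporary file and renaming it over the target would keep the previous data until the new import is complete.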
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
index 76be8217a..0cb18a08e 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
@@ -33,13 +33,14 @@ import at.gv.egovernment.moa.spss.server.iaik.pki.store.truststore.TrustStorePro
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.tsl.connector.TSLConnector;
import at.gv.egovernment.moa.spss.util.MessageProvider;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.StringUtils;
public class TSLUpdaterTimerTask extends TimerTask {
public static TSLConnector tslconnector_;
+
+ public static ConfigurationData configData_ = null;
@Override
public void run() {
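Review bot: `configData_` at L995 is a `public static` mutable field, so any class can replace the cached configuration, and the lazy initialisation `if (configData_ == null)` in the later hunk (L1044-L1045) is not safe if `update()` is ever invoked from a thread other than the timer. Unless another class needs to assign it, `private static volatile ConfigurationData configData_;` narrows both exposure and the visibility problem. A short comment stating why the configuration is cached across runs would also help, e.g. `// IAIK configuration is built once on the first run and reused by later timer runs`.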
@@ -49,10 +50,6 @@ public class TSLUpdaterTimerTask extends TimerTask {
} catch (TSLEngineDiedException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
-
- // TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur
- // Verfügung stehen?
-
} catch (TSLSearchException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
@@ -68,105 +65,138 @@ public class TSLUpdaterTimerTask extends TimerTask {
} catch (TrustStoreException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (CertificateException e) {
+ } catch (FileNotFoundException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (FileNotFoundException e) {
+ } catch (IOException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (IOException e) {
+ } catch (CertificateException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
}
}
- public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException {
+ public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, IOException {
MessageProvider msg = MessageProvider.getInstance();
- //get TSl configuration
- ConfigurationProvider config = ConfigurationProvider.getInstance();
- ConfigurationData configData = new IaikConfigurator().configure(config);
- TSLConfiguration tslconfig = config.getTSLConfiguration();
- if (tslconfig != null) {
-
- Logger.info(new LogMsg(msg.getMessage("config.42", null)));
+ //TrustProfile tp = null;
+ TrustStoreProfile tsp = null;
+ StoreUpdater storeUpdater = null;
+ TransactionId tid = null;
+
+ //get TSl configuration
+ ConfigurationProvider config = ConfigurationProvider.getInstance();
+ if (configData_ == null)
+ configData_ = new IaikConfigurator().configure(config);
- // get certstore parameters
- CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters();
+ TSLConfiguration tslconfig = config.getTSLConfiguration();
+ if (tslconfig != null) {
- // iterate over all truststores
- Map mapTrustProfiles = config.getTrustProfiles();
- Iterator it = mapTrustProfiles.entrySet().iterator();
- while (it.hasNext()) {
- Map.Entry pairs = (Map.Entry)it.next();
- TrustProfile tp = (TrustProfile) pairs.getValue();
- if (tp.isTSLEnabled()) {
- TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId());
- TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
- trustStoreProfiles[0] = tsp;
-
- Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
-
- TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId());
- ArrayList tsl_certs = null;
- if (StringUtils.isEmpty(tp.getCountries())) {
- Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
-
- // get certificates from TSL from all countries
- tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
- }
- else {
- Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
- // get selected countries as array
- String countries = tp.getCountries();
- String[] array = countries.split(",");
- for (int i = 0; i < array.length; i++)
- array[i] = array[i].trim();
-
- // get certificates from TSL from given countries
- tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
- }
-
- // create store updater for each TSL enabled truststore
- Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
- StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
-
-
- // delete files in trustprofile
- File ftp = new File(tp.getUri());
- File[] files = ftp.listFiles();
- for (File file : files)
- file.delete();
+ tslconnector_.updateTSLs(new Date(), new String[]{"accredited","undersupervision"});
+
+ Logger.info(new LogMsg(msg.getMessage("config.42", null)));
+
+ // get certstore parameters
+ CertStoreParameters[] certStoreParameters = configData_.getPKIConfiguration().getCertStoreConfiguration().getParameters();
- // convert ArrayList<File> to X509Certificate[]
- X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()];
- Iterator itcert = tsl_certs.iterator();
- int i = 0;
- while(itcert.hasNext()) {
- File f = (File)itcert.next();
- X509Certificate cert = new X509Certificate(new FileInputStream(f));
- addCertificates[i] = cert;
+ // iterate over all truststores
+ Map mapTrustProfiles = config.getTrustProfiles();
+ Iterator it = mapTrustProfiles.entrySet().iterator();
+ while (it.hasNext()) {
+ Map.Entry pairs = (Map.Entry)it.next();
+ TrustProfile tp = (TrustProfile) pairs.getValue();
+ if (tp.isTSLEnabled()) {
+ tsp = new TrustStoreProfileImpl(config, tp.getId());
+ TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
+ trustStoreProfiles[0] = tsp;
+
+ Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
+
+ tid = new TransactionId("TSLConfigurator-" + tp.getId());
+ ArrayList tsl_certs = null;
+ if (StringUtils.isEmpty(tp.getCountries())) {
+ Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
+
+ // get certificates from TSL from all countries
+ tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
+ }
+ else {
+ Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
+ // get selected countries as array
+ String countries = tp.getCountries();
+ String[] array = countries.split(",");
+ for (int i = 0; i < array.length; i++)
+ array[i] = array[i].trim();
+
+ // get certificates from TSL from given countries
+ tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
+ }
+
+ // create store updater for each TSL enabled truststore
+ Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
+ storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
+
+ // delete files in trustprofile
+
+ File ftp = new File(tp.getUri());
+ File[] files = ftp.listFiles();
+ X509Certificate[] removeCertificates = new X509Certificate[files.length];
+ int i = 0;
+ for (File file : files) {
+ FileInputStream fis = new FileInputStream(file);
+ removeCertificates[i] = new X509Certificate(fis);
+ i++;
+ fis.close();
+ //file.delete();
+ }
+
+ // remove all certificates
+ storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
+ storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid);
+
- i++;
+ // copy files from original trustAnchorsLocURI into tslworking trust profile
+ File src = new File(tp.getUriOrig());
+ files = src.listFiles();
+ X509Certificate[] addCertificates = new X509Certificate[files.length];
+ i = 0;
+ for (File file : files) {
+ FileInputStream fis = new FileInputStream(file);
+ addCertificates[i] = new X509Certificate(fis);
+ //FileUtils.copyFile(file, new File(tp.getUri(), file.getName()));
+ i++;
+ fis.close();
+ }
+
+ // convert ArrayList<File> to X509Certificate[]
+ X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
+ Iterator itcert = tsl_certs.iterator();
+ i = 0;
+ File f = null;
+ while(itcert.hasNext()) {
+ f = (File)itcert.next();
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = new X509Certificate(fis);
+ addCertificatesTSL[i] = cert;
+
+ i++;
+ fis.close();
+ }
+
+ Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
+
+ Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificates, tid);
+
+
}
-
-
- // copy files from original trustAnchorsLocURI into tslworking trust profile
- File src = new File(tp.getUriOrig());
- files = src.listFiles();
- for (File file : files) {
- FileUtils.copyFile(file, new File(tp.getUri(), file.getName()));
- }
-
- Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
- storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
- storeUpdater.addCertificatesToCertStores(addCertificates, tid);
-
-
}
}
- }
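Review bot: `ftp.listFiles()` at L1147 and `src.listFiles()` at L1165 return null when the path does not exist or is not a directory, so `files.length` at L1148 and L1166 throws a NullPointerException instead of a diagnosable error; check for null and log the offending `tp.getUri()` / `tp.getUriOrig()` before building the arrays. The three `FileInputStream`s opened at L1151, L1169 and L1183 are closed only on the success path, so a malformed certificate file leaks a descriptor on every timer run; `close()` belongs in a `finally` (or try-with-resources if the project targets Java 7). The comment `// delete files in trustprofile` at L1144 no longer describes the loop below it, since the delete at L1155 is commented out; `// load the certificates currently in the trust profile so they can be removed from the stores` matches the code now. Note also that the removals at L1159-L1160 precede the adds at L1192-L1197, so an exception between them appears to leave the TSL-enabled trust profile empty until the next timer run — acceptable as fail-closed, but worth a comment saying so.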
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
new file mode 100644
index 000000000..544ea916c
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -0,0 +1,286 @@
+package at.gv.egovernment.moa.spss.util;
+
+import iaik.asn1.ObjectID;
+import iaik.asn1.structures.Name;
+import iaik.asn1.structures.PolicyInformation;
+import iaik.utils.RFC2253NameParser;
+import iaik.utils.RFC2253NameParserException;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import iaik.x509.extensions.CertificatePolicies;
+import iaik.x509.extensions.qualified.QCStatements;
+import iaik.x509.extensions.qualified.structures.QCStatement;
+import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
+import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
+import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
+import iaik.xml.crypto.tsl.ex.TSLSearchException;
+
+import java.security.Principal;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+
+public class CertificateUtils {
+
+
+ /**
+ * Verifies if the given certificate contains QCP+ statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QCP+ statement, else false
+ */
+ private static boolean checkQCPPlus(X509Certificate cert) {
+ Logger.debug("Checking QCP+ extension");
+ String OID_QCPPlus = "0.4.0.1456.1.1";
+ try {
+ CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
+ if (certPol == null) {
+ Logger.debug("No CertificatePolicies extension found");
+ return false;
+ }
+
+ PolicyInformation[] polInfo = certPol.getPolicyInformation();
+ if (polInfo == null) {
+ Logger.debug("No policy information found");
+ return false;
+ }
+
+ for (int i = 0; i < polInfo.length; i++) {
+ ObjectID oid = polInfo[i].getPolicyIdentifier();
+ String oidStr = oid.getID();
+ if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) {
+ Logger.debug("QCP+ extension found");
+ return true;
+ }
+ }
+
+ Logger.debug("No QCP+ extension found");
+
+ return false;
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QCP+ extension found");
+
+ return false;
+ }
+
+ }
+
+ /**
+ * Verifies if the given certificate contains QCP statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QCP statement, else false
+ */
+ private static boolean checkQCP(X509Certificate cert) {
+ Logger.debug("Checking QCP extension");
+ String OID_QCP = "0.4.0.1456.1.2";
+ try {
+ CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
+ if (certPol == null) {
+ Logger.debug("No CertificatePolicies extension found");
+ return false;
+ }
+
+ PolicyInformation[] polInfo = certPol.getPolicyInformation();
+ if (polInfo == null) {
+ Logger.debug("No policy information found");
+ return false;
+ }
+
+ for (int i = 0; i < polInfo.length; i++) {
+ ObjectID oid = polInfo[i].getPolicyIdentifier();
+ String oidStr = oid.getID();
+ if (oidStr.compareToIgnoreCase(OID_QCP) == 0) {
+ Logger.debug("QCP extension found");
+ return true;
+ }
+
+ }
+
+ Logger.debug("No QCP extension found");
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QCP extension found");
+ return false;
+ }
+
+ }
+
+ /**
+ * Verifies if the given certificate contains QcEuCompliance statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QcEuCompliance statement, else false
+ */
+ private static boolean checkQcEuCompliance(X509Certificate cert) {
+ Logger.debug("Checking QcEUCompliance extension");
+ try {
+ QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
+
+ if (qcStatements == null) {
+ Logger.debug("No QcStatements extension found");
+ return false;
+ }
+
+ QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID);
+
+ if (qcEuCompliance != null) {
+ Logger.debug("QcEuCompliance extension found");
+ return true;
+ }
+
+ Logger.debug("No QcEuCompliance extension found");
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QcEuCompliance extension found");
+ return false;
+ }
+
+ }
+
+ /**
+ * Verifies if the given certificate contains QcEuSSCD statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QcEuSSCD statement, else false
+ */
+ private static boolean checkQcEuSSCD(X509Certificate cert) {
+ Logger.debug("Checking QcEuSSCD extension");
+ try {
+ QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
+ if (qcStatements == null) {
+ Logger.debug("No QcStatements extension found");
+ return false;
+ }
+
+ QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID);
+
+ if (qcEuSSCD != null) {
+ Logger.debug("QcEuSSCD extension found");
+ return true;
+ }
+
+ Logger.debug("No QcEuSSCD extension found");
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QcEuSSCD extension found");
+ return false;
+ }
+
+ }
+
+ public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) {
+
+ boolean qc = false;
+ boolean qcSourceTSL = false;
+ boolean sscd = false;
+ boolean sscdSourceTSL = false;
+
+ try {
+
+ if (isTSLenabledTrustprofile) {
+ // perform QC check via TSL
+ boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
+ if (!checkQCFromTSL) {
+ // if QC check via TSL returns false
+ // try certificate extensions QCP and QcEuCompliance
+ Logger.debug("QC check via TSL returned false - checking certificate extensions");
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+
+ if (checkQCP || checkQcEuCompliance) {
+ Logger.debug("Certificate is QC (Source: Certificate)");
+ qc = true;
+ }
+
+ qcSourceTSL = false;
+ }
+ else {
+ // use TSL result
+ Logger.debug("Certificate is QC (Source: TSL)");
+ qc = true;
+ qcSourceTSL = true;
+ }
+
+ // perform SSCD check via TSL
+ boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
+ if (!checkSSCDFromTSL) {
+ // if SSCD check via TSL returns false
+ // try certificate extensions QCP+ and QcEuSSCD
+ Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
+ boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+ boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+
+ if (checkQCPPlus || checkQcEuSSCD) {
+ Logger.debug("Certificate is SSCD (Source: Certificate)");
+ sscd = true;
+ }
+
+ sscdSourceTSL = false;
+ }
+ else {
+ // use TSL result
+ Logger.debug("Certificate is SSCD (Source: TSL)");
+ sscd = true;
+ sscdSourceTSL = true;
+ }
+
+ }
+ else {
+ // Trustprofile is not TSL enabled - use certificate extensions only
+
+ // perform QC check
+ // try certificate extensions QCP and QcEuCompliance
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+
+ if (checkQCP || checkQcEuCompliance)
+ qc = true;
+
+ qcSourceTSL = false;
+
+ // perform SSCD check
+ // try certificate extensions QCP+ and QcEuSSCD
+ boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+ boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+
+ if (checkQCPPlus || checkQcEuSSCD)
+ sscd = true;
+
+ sscdSourceTSL = false;
+ }
+ }
+ catch (TSLEngineDiedException e) {
+ MessageProvider msg = MessageProvider.getInstance();
+ Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+ } catch (TSLSearchException e) {
+ MessageProvider msg = MessageProvider.getInstance();
+ Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+ }
+
+ QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
+
+ return result;
+ }
+
+ /**
+ * Gets the country from the certificate issuer
+ * @param cert X509 certificate
+ * @return Country code from the certificate issuer
+ */
+ public static String getIssuerCountry(X509Certificate cert) {
+ String country = null;
+ Principal issuerdn = cert.getIssuerX500Principal();
+ RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName());
+
+ try {
+ Name name = nameParser.parse();
+ country = name.getRDN(ObjectID.country);
+ } catch (RFC2253NameParserException e) {
+ Logger.warn("Could not get country code from issuer.");
+ }
+
+
+ return country;
+ }
+}
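Review bot: `checkQCSSCD` at L1395 indexes `chain[0]` (L1411, L1434, L1457, L1467) without checking that `chain` is non-null and non-empty, so an empty chain raises an ArrayIndexOutOfBoundsException rather than the all-false result the method otherwise returns on failure; an early `if (chain == null || chain.length == 0) return new QCSSCDResult();` preserves the fail-closed behaviour. The method is public but has no Javadoc; it should state the precedence — TSL verdict first, certificate policy OIDs and QcStatements only as fallback when the TSL says no, with the `*SourceTSL` flags recording which source decided — because that fallback means a self-asserted QC statement can still yield `isQC() == true` under a TSL-enabled profile, and relying parties need to know to consult `isQCSourceTSL()`. The `X509ExtensionInitException` handlers at L1283, L1325, L1357 and L1388 log "not found" and drop the exception, making a malformed extension indistinguishable from an absent one; pass `e` to the debug call. `getIssuerCountry` returns null both on a parse failure (L1503 also drops `e`) and, presumably, when `getRDN` finds no country attribute; document it with `@return the issuer's country attribute, or null if absent or the DN cannot be parsed`.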
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java
new file mode 100644
index 000000000..99af84308
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java
@@ -0,0 +1,37 @@
+package at.gv.egovernment.moa.spss.util;
+
+public class QCSSCDResult {
+
+ private boolean qc;
+ private boolean qcSourceTSL;
+
+ private boolean sscd;
+ private boolean sscdSourceTSL;
+
+ public QCSSCDResult() {
+ this.qc = false;
+ this.qcSourceTSL = false;
+ this.sscd = false;
+ this.sscdSourceTSL = false;
+ }
+
+ public QCSSCDResult(boolean qc, boolean qcSourceTSL, boolean sscd, boolean sscdSourceTSL) {
+ this.qc = qc;
+ this.qcSourceTSL = qcSourceTSL;
+ this.sscd = sscd;
+ this.sscdSourceTSL = sscdSourceTSL;
+ }
+
+ public boolean isQC() {
+ return this.qc;
+ }
+ public boolean isQCSourceTSL() {
+ return this.qcSourceTSL;
+ }
+ public boolean isSSCD() {
+ return this.sscd;
+ }
+ public boolean isSSCDSourceTSL() {
+ return this.sscdSourceTSL;
+ }
+}
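Review bot: The four fields at L1520-L1524 are assigned only in the constructors and have no setters, so the class is a value object and should say so: declare them `private final boolean qc;` and so on, which also lets the no-arg constructor at L1526 collapse to `this(false, false, false, false);`. A class-level Javadoc explaining the pairing would help readers of the response builders — `qc`/`sscd` hold the verdict, `qcSourceTSL`/`sscdSourceTSL` record whether that verdict came from the trust-status list rather than from the certificate's own extensions. If instances are ever compared or logged, `equals`/`hashCode`/`toString` are also missing.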