aboutsummaryrefslogtreecommitdiff
path: root/spss/server/serverlib/src/main/java
diff options
context:
space:
mode:
authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2013-09-04 09:37:31 +0200
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2013-09-04 09:37:31 +0200
commiteadd6dd97f1b30608b31ffcd90382874fbcdaddc (patch)
tree1e02de018bcb417bf897f06fb79bf64eda9b4b06 /spss/server/serverlib/src/main/java
parent61362f940ca679fe215de34b1683e1110fea8d3e (diff)
parent69f2dfdf3e0b5d976df3cdece6a8ead4848d746a (diff)
downloadmoa-id-spss-eadd6dd97f1b30608b31ffcd90382874fbcdaddc.tar.gz
moa-id-spss-eadd6dd97f1b30608b31ffcd90382874fbcdaddc.tar.bz2
moa-id-spss-eadd6dd97f1b30608b31ffcd90382874fbcdaddc.zip
Merge SPSS
Diffstat (limited to 'spss/server/serverlib/src/main/java')
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java97
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java41
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java49
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java42
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java51
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java58
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java51
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java15
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java7
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java64
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java77
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java60
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java69
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java57
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java41
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java62
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java23
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java247
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java145
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java20
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java5
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java5
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java213
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java52
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java16
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java29
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java249
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java139
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java14
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java396
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java124
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java93
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java11
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java31
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java34
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java37
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java89
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java61
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java3
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java88
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java273
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java194
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java286
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java45
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java37
45 files changed, 3443 insertions, 357 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
index fbf40be88..b5cc96a04 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
@@ -35,6 +35,9 @@ import org.apache.commons.discovery.tools.DiscoverClass;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
+import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;
import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
@@ -138,6 +141,26 @@ public abstract class SPSSFactory {
List singleSignatureInfos);
/**
+ * Create a new <code>CreateCMSSignatureRequest</code> object.
+ *
+ * @param keyIdentifier The identifier for the key group to use for signing.
+ * @param singleSignatureInfos A <code>List</code> of
+ * <code>SingleSignatureInfo</code> objects containing information about a
+ * single signature to be created.
+ * @return The <code>CreateCMSSignatureRequest</code> containing the above
+ * data.
+ *
+ * @pre keyIdentifier != null && keyIdentifier.length() > 0
+ * @pre singleSignatureInfos != null
+ * @pre forall Object o in singleSignatureInfos |
+ * o instanceof at.gv.egovernment.moa.spss.api.common.SingleSignatureInfo
+ * @post return != null
+ */
+ public abstract CreateCMSSignatureRequest createCreateCMSSignatureRequest(
+ String keyIdentifier,
+ List singleSignatureInfos);
+
+ /**
* Create a new <code>SingleSignatureInfo</code> object.
*
* @param dataObjectInfos The data objects that will be signed (including
@@ -156,6 +179,23 @@ public abstract class SPSSFactory {
public abstract SingleSignatureInfo createSingleSignatureInfo(
List dataObjectInfos,
CreateSignatureInfo createSignatureInfo, boolean securityLayerConform);
+
+ /**
+ * Create a new <code>SingleSignatureInfo</code> object.
+ *
+ * @param dataObjectInfo The data object that will be signed.
+ * @param securityLayerConform If <code>true</code>, a Security Layer conform
+ * signature manifest is created, otherwise not.
+ * @return The <code>SingleSignatureInfo</code> containing the above data.
+ *
+ * @post return != null
+ */
+ public abstract at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo createSingleSignatureInfoCMS(
+ at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo dataObjectInfo,
+ boolean securityLayerConform);
+
+
+
/**
* Create a new <code>DataObjectInfo</code> object.
@@ -182,6 +222,22 @@ public abstract class SPSSFactory {
CreateTransformsInfoProfile createTransformsInfoProfile);
/**
+ * Create a new <code>DataObjectInfo</code> object.
+ *
+ * @param structure The type of signature to create.
+ * @param dataObject The data object that will be signed.
+ * @return The <code>DataObjectInfo</code> containing the above data.
+ *
+ * @pre DataObjectInfo.STRUCTURE_DETACHED.equals(structure) ||
+ * DataObjectInfo.STRUCTURE_ENVELOPING.equals(structure)
+ * @pre dataObject != null
+ * @post return != null
+ */
+ public abstract at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo createDataObjectInfo(
+ String structure,
+ CMSDataObject dataObject);
+
+ /**
* Create a new <code>CreateTransformsInfoProfile</code> object containing a
* reference to a locally stored profile.
*
@@ -321,6 +377,37 @@ public abstract class SPSSFactory {
*/
public abstract CreateXMLSignatureResponse createCreateXMLSignatureResponse(List responseElements);
+
+ /**
+ * Create a new <code>CreateCMSSignatureResponse</code> object.
+ *
+ * @param responseElements The elements of the response, either
+ * <code>CMSSignatureResponse</code> objects, or
+ * <code>ErrorResponse</code> objects.
+ * @return The new <code>CreateCMSSignatureResponse</code> containing the
+ * above data.
+ *
+ * @pre responseElements != null && responseElements.size() > 0
+ * @pre forall Object o in responseElements |
+ * o instanceof at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse
+ * @post return != null
+ */
+ public abstract CreateCMSSignatureResponse createCreateCMSSignatureResponse(List responseElements);
+
+
+ /**
+ * Create a new <code>SignatureEnvironmentResponse</code> object.
+ *
+ * @param signatureEnvironment The signature environment containing the
+ * signature.
+ * @return The <code>SignatureEnvironmentResponse</code> containing the
+ * <code>signatureEnvironment</code>.
+ *
+ * @pre signatureEnvironment != null
+ * @post return != null
+ */
+ public abstract CMSSignatureResponse createCMSSignatureResponse(String base64value);
+
/**
* Create a new <code>SignatureEnvironmentResponse</code> object.
*
@@ -1003,6 +1090,8 @@ public abstract class SPSSFactory {
* @param signerCertificate The signer certificate in binary form.
* @param qualifiedCertificate <code>true</code>, if the signer certificate is
* a qualified certificate, otherwise <code>false</code>.
+ * @param qcSourceTSL <code>true</code>, if the QC information comes from the TSL,
+ * otherwise <code>false</code>.
* @param publicAuthority <code>true</code>, if the signer certificate is a
* public authority certificate, otherwise <code>false</code>.
* @param publicAuthorityID The identification of the public authority
@@ -1010,6 +1099,9 @@ public abstract class SPSSFactory {
* <code>null</code>.
* @param sscd <code>true</code>, if the TSL check verifies the
* signature based on a SSDC, otherwise <code>false</code>.
+ * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,
+ * otherwise <code>false</code>.
+ * @param issuerCountryCode contains the signer certificate issuer country code.
* @return The <code>SignerInfo</code> containing the above data.
*
* @pre signerCertSubjectName != null
@@ -1019,9 +1111,12 @@ public abstract class SPSSFactory {
public abstract SignerInfo createSignerInfo(
X509Certificate signerCertificate,
boolean qualifiedCertificate,
+ boolean qcSourceTSL,
boolean publicAuthority,
String publicAuthorityID,
- boolean sscd);
+ boolean sscd,
+ boolean sscdSourceTSL,
+ String issuerCountryCode);
/**
* Create a new <code>X509IssuerSerial</code> object.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java
new file mode 100644
index 000000000..10db67627
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.cmssign;
+
+
+/**
+ * Contains the signature if the signature creation was successful.
+ *
+ * @version $Id$
+ */
+public interface CMSSignatureResponse
+ extends CreateCMSSignatureResponseElement {
+ /**
+ * Gets the CMS signature (Base64 encoded).
+ *
+ * @return The CMS signature
+ */
+ public String getCMSSignature();
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java
new file mode 100644
index 000000000..9d5cd7a0d
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.cmssign;
+
+import java.util.List;
+
+
+/**
+ * Object that encapsulates a request to create a CMS Signature.
+ *
+ *
+ * @version $Id$
+ */
+public interface CreateCMSSignatureRequest {
+ /**
+ * Gets the identifier for the keys to be used for the signature.
+ *
+ * @return The identifier for the keys to be used.
+ */
+ public String getKeyIdentifier();
+ /**
+ * Gets the information of the singleSignatureInfo elements.
+ *
+ * @return The information of singleSignatureInfo elements.
+ */
+ public List getSingleSignatureInfos();
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java
new file mode 100644
index 000000000..6062a1162
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.cmssign;
+
+import java.util.List;
+
+/**
+ * Object that encapsulates the response on to a
+ * <code>CreateCMSSignatureRequest</code> to create an XML signature.
+ *
+ * @version $Id$
+ */
+public interface CreateCMSSignatureResponse {
+ /**
+ * Gets the response elements.
+ *
+ * @return The response elements.
+ */
+ public List getResponseElements();
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java
new file mode 100644
index 000000000..8e4e61145
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.cmssign;
+
+/**
+ * Base class for <code>CMSSignature</code> and
+ * <code>ErrorResponse</code> elements in a
+ * <code>CreateXMLSignatureResponse</code>.
+ *
+ * @version $Id$
+ */
+public interface CreateCMSSignatureResponseElement {
+ /**
+ * Indicates that this object contains a <code>CMSSignature</code>.
+ */
+ public static final int CMS_SIGNATURE = 0;
+ /**
+ * Indicates that this objet contains an <code>ErrorResponse</code>.
+ */
+ public static final int ERROR_RESPONSE = 1;
+
+ /**
+ * Gets the type of response object.
+ *
+ * @return The type of response object, either
+ * <code>CMS_SIGNATURE</code> or <code>ERROR_RESPONSE</code>.
+ */
+ public int getResponseType();
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java
new file mode 100644
index 000000000..b9f363061
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.cmssign;
+
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;
+
+/**
+ * Encapsulates information required to create a single signature.
+ *
+ * @version $Id$
+ */
+public interface DataObjectInfo {
+ /**
+ * Indicates that a detached signature will be created.
+ */
+ public static final String STRUCTURE_DETACHED = "detached";
+ /**
+ * Indicates that an enveloping signature will be created.
+ */
+ public static final String STRUCTURE_ENVELOPING = "enveloping";
+
+ /**
+ * Gets the structure of the signature.
+ *
+ * @return The structure of the signature.
+ */
+ public String getStructure();
+
+ /**
+ * Gets information related to a single data object.
+ *
+ * @return Information related to a single data object.
+ */
+ public CMSDataObject getDataObject();
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java
new file mode 100644
index 000000000..1f87a50ca
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.cmssign;
+
+
+
+/**
+ * Encapsulates data to create a single signature.
+ *
+ * @author Patrick Peck
+ * @author Stephan Grill
+ * @version $Id$
+ */
+public interface SingleSignatureInfo {
+ /**
+ * Gets the dataObjectInfo information.
+ *
+ * @return The dataObjectInfo information.
+ */
+ public DataObjectInfo getDataObjectInfo();
+
+ /**
+ * Check whether a Security Layer conform signature manifest will be created.
+ *
+ * @return <code>true</code>, if a Security Layer conform signature manifest
+ * will be created, <code>false</code> otherwise.
+ */
+ public boolean isSecurityLayerConform();
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java
index 7a1942214..777365ad3 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java
@@ -59,6 +59,21 @@ public interface SignerInfo {
public boolean isSSCD();
/**
+ * Returns the source of the SSCD check (TSL or Certificate) *
+ */
+ public String getSSCDSource();
+
+ /**
+ * Returns the source of the QC check (TSL or Certificate) *
+ */
+ public String getQCSource();
+
+ /**
+ * Returns the signer certificate issuer country code
+ * @return
+ */
+ public String getIssuerCountryCode();
+ /**
* Checks, whether the certificate contained in this object is a
* public authority certificate.
*
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java
index fd7d38217..29529322c 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java
@@ -24,6 +24,8 @@
package at.gv.egovernment.moa.spss.api.common;
+import iaik.ixsil.util.URI;
+
import java.util.Date;
@@ -70,5 +72,10 @@ public interface TSLConfiguration {
*/
public String getWorkingDirectory();
+ /**
+ *
+ * @return
+ */
+ public URI getWorkingDirectoryAsURI();
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java
new file mode 100644
index 000000000..b512dd0bd
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.impl;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse;
+
+/**
+ * Default implementation of <code>CMSSignatureResponse</code>.
+ *
+ * @version $Id$
+ */
+public class CMSSignatureResponseImpl
+ implements CMSSignatureResponse {
+
+ /** The base64 value of the CMS signature. */
+ private String cmsSignature;
+
+ /**
+ * Sets the CMS signature.
+ *
+ * @param cmsSignature The Base64 encoded value CMS signature.
+ */
+ public void setCMSSignature(String cmsSignature) {
+ this.cmsSignature = cmsSignature;
+ }
+
+ public String getCMSSignature() {
+ return cmsSignature;
+ }
+
+ /**
+ * Gets the type of <code>CreateCMSSignatureResponseElement</code>.
+ *
+ * @return CMS_SIGNATURE
+ */
+ public int getResponseType() {
+ return CMS_SIGNATURE;
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java
new file mode 100644
index 000000000..e8408bc55
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.impl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+
+/**
+ * Default implementation of <code>CreateCMSSignatureRequest</code>.
+ *
+ * @author Fatemeh Philippi
+ * @version $Id$
+ */
+public class CreateCMSSignatureRequestImpl
+ implements CreateCMSSignatureRequest {
+
+ /** The identifier for selecting the private keys for creating the signature.*/
+ private String keyIdentifier;
+ /** Information for creating a single signature. */
+ private List singleSignatureInfos = new ArrayList();
+
+ /**
+ * Sets the identifier for selecting the private keys for creating the
+ * signature.
+ *
+ * @param keyIdentifier The identifier for selecting the private keys.
+ */
+ public void setKeyIdentifier(String keyIdentifier) {
+ this.keyIdentifier = keyIdentifier;
+ }
+
+ public String getKeyIdentifier() {
+ return keyIdentifier;
+ }
+
+ /**
+ * Sets the information for creating single signatures.
+ *
+ * @param singleSignaureInfos The information for creating single signatures.
+ */
+ public void setSingleSignatureInfos(List singleSignaureInfos) {
+ this.singleSignatureInfos =
+ singleSignaureInfos != null
+ ? Collections.unmodifiableList(new ArrayList(singleSignaureInfos))
+ : null;
+ }
+
+ public List getSingleSignatureInfos() {
+ return singleSignatureInfos;
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java
new file mode 100644
index 000000000..d596058c6
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.impl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
+
+/**
+ * Default implementation of <code>CreateCMSSignatureResponse</code>.
+ *
+ * @version $Id$
+ */
+public class CreateCMSSignatureResponseImpl
+ implements CreateCMSSignatureResponse {
+
+ /** The elements contained in the response. */
+ private List responseElements = new ArrayList();
+
+ /**
+ * Sets the elements contained in the response.
+ *
+ * @param responseElements The response elements.
+ */
+ public void setResponseElements(List responseElements) {
+ this.responseElements =
+ responseElements != null
+ ? Collections.unmodifiableList(new ArrayList(responseElements))
+ : null;
+ }
+
+ public List getResponseElements() {
+ return responseElements;
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java
new file mode 100644
index 000000000..702086b6f
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.impl;
+
+import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;
+
+/**
+ * Default implementation of <code>DataObjectInfo</code> for CMS.
+ *
+ * @author Fatemeh Philippi
+ * @version $Id$
+ */
+public class DataObjectInfoCMSImpl implements DataObjectInfo {
+ /** The signature structure type. */
+ private String stucture;
+ /** The data object to be signed. */
+ private CMSDataObject dataObject;
+
+ /**
+ * Sets the signature structure type.
+ *
+ * @param structure The signature structure type.
+ */
+ public void setStructure(String structure) {
+ this.stucture = structure;
+ }
+
+ public String getStructure() {
+ return stucture;
+ }
+
+
+ /**
+ * Sets the data object to be signed.
+ *
+ * @param dataObject The data object to be signed.
+ */
+ public void setDataObject(CMSDataObject dataObject) {
+ this.dataObject = dataObject;
+ }
+
+ public CMSDataObject getDataObject() {
+ return dataObject;
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java
index a23a1d98f..8e3bb7636 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java
@@ -25,6 +25,7 @@
package at.gv.egovernment.moa.spss.api.impl;
import java.io.InputStream;
+
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Date;
@@ -35,6 +36,9 @@ import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;
import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
@@ -90,6 +94,32 @@ public class SPSSFactoryImpl extends SPSSFactory {
createXMLSignatureRequest.setSingleSignatureInfos(singleSignatureInfos);
return createXMLSignatureRequest;
}
+
+ public CreateCMSSignatureRequest createCreateCMSSignatureRequest(
+ String keyIdentifier,
+ List singleSignatureInfos) {
+ CreateCMSSignatureRequestImpl createCMSSignatureRequest =
+ new CreateCMSSignatureRequestImpl();
+ createCMSSignatureRequest.setKeyIdentifier(keyIdentifier);
+ createCMSSignatureRequest.setSingleSignatureInfos(singleSignatureInfos);
+ return createCMSSignatureRequest;
+
+ }
+
+ public CreateCMSSignatureResponse createCreateCMSSignatureResponse(List responseElements) {
+ CreateCMSSignatureResponseImpl createCMSSignatureResponse = new CreateCMSSignatureResponseImpl();
+ createCMSSignatureResponse.setResponseElements(responseElements);
+ return createCMSSignatureResponse;
+ }
+
+
+ public CMSSignatureResponse createCMSSignatureResponse(String base64value) {
+ CMSSignatureResponseImpl cmsSignatureResponse = new CMSSignatureResponseImpl();
+ cmsSignatureResponse.setCMSSignature(base64value);
+
+ return cmsSignatureResponse;
+ }
+
public SingleSignatureInfo createSingleSignatureInfo(
List dataObjectInfos,
@@ -101,6 +131,16 @@ public class SPSSFactoryImpl extends SPSSFactory {
singleSignatureInfo.setSecurityLayerConform(securityLayerConform);
return singleSignatureInfo;
}
+
+ public at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo createSingleSignatureInfoCMS(
+ at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo dataObjectInfo,
+ boolean securityLayerConform) {
+ SingleSignatureInfoCMSImpl singleSignatureInfo = new SingleSignatureInfoCMSImpl();
+ singleSignatureInfo.setDataObjectInfo(dataObjectInfo);
+ singleSignatureInfo.setSecurityLayerConform(securityLayerConform);
+ return singleSignatureInfo;
+ }
+
public DataObjectInfo createDataObjectInfo(
String structure,
boolean childOfManifest,
@@ -113,6 +153,15 @@ public class SPSSFactoryImpl extends SPSSFactory {
dataObjectInfo.setCreateTransformsInfoProfile(createTransformsInfoProfile);
return dataObjectInfo;
}
+
+ public at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo createDataObjectInfo(
+ String structure,
+ CMSDataObject dataObject) {
+ DataObjectInfoCMSImpl dataObjectInfo = new DataObjectInfoCMSImpl();
+ dataObjectInfo.setStructure(structure);
+ dataObjectInfo.setDataObject(dataObject);
+ return dataObjectInfo;
+ }
public CreateTransformsInfoProfile createCreateTransformsInfoProfile(String profileID) {
@@ -573,15 +622,21 @@ public class SPSSFactoryImpl extends SPSSFactory {
public SignerInfo createSignerInfo(
X509Certificate signerCertificate,
boolean qualifiedCertificate,
+ boolean qcSourceTSL,
boolean publicAuthority,
String publicAuthorityID,
- boolean sscd) {
+ boolean sscd,
+ boolean sscdSourceTSL,
+ String issuerCountryCode) {
SignerInfoImpl signerInfo = new SignerInfoImpl();
signerInfo.setSignerCertificate(signerCertificate);
signerInfo.setQualifiedCertificate(qualifiedCertificate);
+ signerInfo.setQCSourceTSL(qcSourceTSL);
signerInfo.setPublicAuthority(publicAuthority);
signerInfo.setPublicAuhtorityID(publicAuthorityID);
signerInfo.setSSCD(sscd);
+ signerInfo.setSSCDSourceTSL(sscdSourceTSL);
+ signerInfo.setIssuerCountryCode(issuerCountryCode);
return signerInfo;
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java
index 56a9004fc..7a108e8a4 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java
@@ -49,6 +49,16 @@ public class SignerInfoImpl implements SignerInfo {
/** Determines, whether the signature is based on an SSCD */
private boolean sscd;
+
+ /** Determines, if the SSCD check bases upon on TSL */
+ private boolean sscdSourceTSL;
+
+ /** Determines, if the QC check bases upon on TSL */
+ private boolean qcSourceTSL;
+
+ /** The certificate issuer country code */
+ private String issuerCountryCode;
+
/**
* Sets the signer certificate.
*
@@ -87,8 +97,37 @@ public class SignerInfoImpl implements SignerInfo {
}
public boolean isSSCD() {
return sscd;
- }
+ }
+
+ public void setSSCDSourceTSL(boolean sscdSourceTSL) {
+ this.sscdSourceTSL = sscdSourceTSL;
+ }
+ public String getSSCDSource() {
+ if (sscdSourceTSL)
+ return "TSL";
+ else
+ return "Certificate";
+ }
+
+ public void setQCSourceTSL(boolean qcSourceTSL) {
+ this.qcSourceTSL = qcSourceTSL;
+ }
+
+ public String getQCSource() {
+ if (qcSourceTSL)
+ return "TSL";
+ else
+ return "Certificate";
+ }
+
+ public void setIssuerCountryCode(String issuerCountryCode) {
+ this.issuerCountryCode = issuerCountryCode;
+ }
+ public String getIssuerCountryCode() {
+ return issuerCountryCode;
+ }
+
/**
* Sets, whether the certificate contained in this object is an
* e-government certificate or not.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java
new file mode 100644
index 000000000..cb3651587
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.impl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo;
+import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo;
+
+/**
+ * @version $Id$
+ */
+public class SingleSignatureInfoCMSImpl implements SingleSignatureInfo {
+
+ private DataObjectInfo dataObjectInfo = null;
+
+
+ private boolean securityLayerConform = true;
+
+ public void setDataObjectInfo(DataObjectInfo dataObjectInfo) {
+ this.dataObjectInfo = dataObjectInfo;
+ }
+
+ public DataObjectInfo getDataObjectInfo() {
+ return dataObjectInfo;
+ }
+
+
+
+ public void setSecurityLayerConform(boolean securityLayerConform) {
+ this.securityLayerConform = securityLayerConform;
+ }
+
+ public boolean isSecurityLayerConform() {
+ return securityLayerConform;
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java
index 15d66614e..87314e1f7 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java
@@ -24,6 +24,8 @@
package at.gv.egovernment.moa.spss.api.impl;
+import iaik.ixsil.util.URI;
+
import java.util.Date;
import at.gv.egovernment.moa.spss.api.common.TSLConfiguration;
@@ -38,7 +40,7 @@ public class TSLConfigurationImpl implements TSLConfiguration {
/** The EU TSL URL. */
-// private String euTSLUrl;
+ private String euTSLUrl;
/** update period in milliseconds */
private long updateSchedulePeriod;
@@ -48,9 +50,12 @@ public class TSLConfigurationImpl implements TSLConfiguration {
/** Working directory */
private String workingDirectory;
+
+ /** Working directory */
+ private URI workingDirectoryAsURI;
public String getEuTSLUrl() {
- return this.DEFAULT_EU_TSL_URL;
+ return this.euTSLUrl;
}
public long getUpdateSchedulePeriod() {
@@ -64,10 +69,14 @@ public class TSLConfigurationImpl implements TSLConfiguration {
public String getWorkingDirectory() {
return this.workingDirectory;
}
+
+ public URI getWorkingDirectoryAsURI() {
+ return this.workingDirectoryAsURI;
+ }
-// public void setEuTSLUrl(String euTSLUrl) {
-// this.euTSLUrl = euTSLUrl;
-// }
+ public void setEuTSLUrl(String euTSLUrl) {
+ this.euTSLUrl = euTSLUrl;
+ }
public void setUpdateSchedulePeriod(long updateSchedulePeriod) {
this.updateSchedulePeriod = updateSchedulePeriod;
@@ -80,6 +89,10 @@ public class TSLConfigurationImpl implements TSLConfiguration {
public void setWorkingDirectory(String workingDirectory) {
this.workingDirectory = workingDirectory;
}
+
+ public void setWorkingDirectoryURI(URI workingDirectoryAsURI) {
+ this.workingDirectoryAsURI = workingDirectoryAsURI;
+ }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java
new file mode 100644
index 000000000..737915ecd
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java
@@ -0,0 +1,247 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.xmlbind;
+
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.traversal.NodeIterator;
+
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo;
+import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;
+import at.gv.egovernment.moa.spss.api.common.Content;
+import at.gv.egovernment.moa.spss.api.common.MetaInfo;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.BoolUtils;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
+
+/**
+ * A parser to parse <code>CreateCMSSignatureRequest</code> DOM trees into
+ * <code>CreateCMSSignatureRequest</code> API objects.
+ *
+ * @author Patrick Peck
+ * @version $Id$
+ */
+public class CreateCMSSignatureRequestParser {
+
+ //
+ // XPath expresssions to select elements in the CreateCMSSignatureRequest
+ //
+ private static final String MOA = Constants.MOA_PREFIX + ":";
+ private static final String KEY_IDENTIFIER_XPATH =
+ "/" + MOA + "CreateCMSSignatureRequest/" + MOA + "KeyIdentifier";
+ private static final String SINGLE_SIGNATURE_INFO_XPATH =
+ "/" + MOA + "CreateCMSSignatureRequest/" + MOA + "SingleSignatureInfo";
+ private static final String DATA_OBJECT_INFO_XPATH = MOA + "DataObjectInfo";
+ private static final String DATA_OBJECT_XPATH = MOA + "DataObject";
+
+ private static final String SL_CONFORM_ATTR_NAME = "SecurityLayerConformity";
+
+ private static final String META_INFO_XPATH = MOA + "MetaInfo";
+ private static final String CONTENT_XPATH = MOA + "Content";
+ private static final String BASE64_CONTENT_XPATH = MOA + "Base64Content";
+
+
+ /** The factory to create API objects. */
+ private SPSSFactory factory;
+
+ /**
+ * Create a new <code>CreateCMSSignatureRequestParser</code>.
+ */
+ public CreateCMSSignatureRequestParser() {
+ this.factory = SPSSFactory.getInstance();
+ }
+
+ /**
+ * Parse a <code>CreateCMSSignatureRequest</code> DOM element, as defined
+ * by the MOA schema.
+ *
+ * @param requestElem The <code>CreateCMSSignatureRequest</code> to parse. The
+ * request must have been successfully parsed against the schema for this
+ * method to succeed.
+ * @return A <code>CreateCMSSignatureRequest</code> API object containing
+ * the data from the DOM element.
+ * @throws MOAApplicationException An error occurred parsing the request.
+ */
+ public CreateCMSSignatureRequest parse(Element requestElem)
+ throws MOAApplicationException {
+
+ List singleSignatureInfos = parseSingleSignatureInfos(requestElem);
+ String keyIdentifier =
+ XPathUtils.getElementValue(requestElem, KEY_IDENTIFIER_XPATH, null);
+
+ return factory.createCreateCMSSignatureRequest(
+ keyIdentifier,
+ singleSignatureInfos);
+ }
+
+ /**
+ * Parse all <code>SingleSignatureInfo</code> elements of the
+ * <code>CreateCMSSignatureRequest</code>.
+ *
+ * @param requestElem The <code>CreateCMSSignatureRequest</code> to parse.
+ * @return A <code>List</code> of <code>SingleSignatureInfo</code> API
+ * objects.
+ * @throws MOAApplicationException An error occurred parsing on of the
+ * <code>SingleSignatureInfo</code> elements.
+ */
+ private List parseSingleSignatureInfos(Element requestElem)
+ throws MOAApplicationException {
+
+ List singleSignatureInfos = new ArrayList();
+ NodeIterator sigInfoElems =
+ XPathUtils.selectNodeIterator(requestElem, SINGLE_SIGNATURE_INFO_XPATH);
+ Element sigInfoElem;
+
+ while ((sigInfoElem = (Element) sigInfoElems.nextNode()) != null) {
+ singleSignatureInfos.add(parseSingleSignatureInfo(sigInfoElem));
+ }
+
+ return singleSignatureInfos;
+ }
+
+ /**
+ * Parse a <code>SingleSignatureInfo</code> DOM element.
+ *
+ * @param sigInfoElem The <code>SingleSignatureInfo</code> DOM element to
+ * parse.
+ * @return A <code>SingleSignatureInfo</code> API object containing the
+ * information of <code>sigInfoElem</code>.
+ * @throws MOAApplicationException An error occurred parsing the
+ * <code>SingleSignatureInfo</code>.
+ */
+ private SingleSignatureInfo parseSingleSignatureInfo(Element sigInfoElem)
+ throws MOAApplicationException {
+
+ DataObjectInfo dataObjectInfo = parseDataObjectInfo(sigInfoElem);
+ boolean securityLayerConform;
+
+ if (sigInfoElem.hasAttribute(SL_CONFORM_ATTR_NAME)) {
+ securityLayerConform =
+ BoolUtils.valueOf(sigInfoElem.getAttribute(SL_CONFORM_ATTR_NAME));
+ } else {
+ securityLayerConform = true;
+ }
+
+ return factory.createSingleSignatureInfoCMS(
+ dataObjectInfo,
+ securityLayerConform);
+ }
+
+ /**
+ * Parse the <code>DataObjectInfo</code> DOM elements contained in the given
+ * <code>SingleSignatureInfo</code> DOM element.
+ *
+ * @param sigInfoElem The <code>SingleSignatureInfo</code> DOM element
+ * whose <code>DataObjectInfo</code>s to parse.
+ * @return A <code>List</code> of <code>DataObjectInfo</code> API objects
+ * containing the data from the <code>DataObjectInfo</code> DOM elements.
+ * @throws MOAApplicationException An error occurred parsing one of the
+ * <code>DataObjectInfo</code>s.
+ */
+ private DataObjectInfo parseDataObjectInfo(Element sigInfoElem)
+ throws MOAApplicationException {
+
+ Element dataObjInfoElem = (Element)XPathUtils.selectSingleNode(sigInfoElem, DATA_OBJECT_INFO_XPATH);
+
+ String structure = dataObjInfoElem.getAttribute("Structure");
+ Element dataObjectElem =
+ (Element) XPathUtils.selectSingleNode(dataObjInfoElem, DATA_OBJECT_XPATH);
+
+ CMSDataObject dataObject = parseDataObject(dataObjectElem);
+
+ return factory.createDataObjectInfo(
+ structure,
+ dataObject);
+
+ }
+
+
+
+
+
+ /**
+ * Parse a the <code>DataObject</code> DOM element contained in a given
+ * <code>CreateCMSSignatureRequest</code> DOM element.
+ *
+ * @param requestElem The DataObject DOM element of the <code>VerifyCMSSignatureRequest</code>
+ * to parse.
+ * @return The <code>CMSDataObject</code> API object containing the data
+ * from the <code>DataObject</code> DOM element.
+ */
+ private CMSDataObject parseDataObject(Element dataObjectElem) {
+
+ if (dataObjectElem != null) {
+ Element metaInfoElem = (Element) XPathUtils.selectSingleNode(dataObjectElem, META_INFO_XPATH);
+ MetaInfo metaInfo = null;
+ Element contentElem = (Element) XPathUtils.selectSingleNode(dataObjectElem, CONTENT_XPATH);
+ CMSContent content = parseContent(contentElem);
+
+ if (metaInfoElem != null) {
+ metaInfo = RequestParserUtils.parseMetaInfo(metaInfoElem);
+ }
+
+ return factory.createCMSDataObject(metaInfo, content);
+ }
+ else {
+ return null;
+ }
+ }
+
+
+
+ /**
+ * Parse the content contained in a <code>CMSContentBaseType</code> kind of
+ * DOM element.
+ *
+ * @param contentElem The <code>CMSContentBaseType</code> kind of element to
+ * parse.
+ * @return A <code>CMSDataObject</code> API object containing the data
+ * from the given DOM element.
+ */
+ private CMSContent parseContent(Element contentElem) {
+ Element base64ContentElem =
+ (Element) XPathUtils.selectSingleNode(contentElem, BASE64_CONTENT_XPATH);
+
+ if (base64ContentElem != null) {
+ String base64Str = DOMUtils.getText(base64ContentElem);
+ InputStream binaryContent = Base64Utils.decodeToStream(base64Str, true);
+ return factory.createCMSContent(binaryContent);
+ } else {
+ return factory.createCMSContent(
+ contentElem.getAttribute("Reference"));
+ }
+ }
+
+} \ No newline at end of file
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java
new file mode 100644
index 000000000..907f90d32
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.api.xmlbind;
+
+import java.io.IOException;
+import java.util.Iterator;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.spss.MOASystemException;
+import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponseElement;
+import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+/**
+ * Convert a <code>CreateCMSSignatureResponse</code> API object into its
+ * XML representation, according to the MOA XML schema.
+ *
+ * @version $Id$
+ */
+public class CreateCMSSignatureResponseBuilder {
+ private static final String MOA_NS_URI = Constants.MOA_NS_URI;
+
+ /** The XML document containing the response element. */
+ private Document responseDoc;
+ /** The response <code>CreateCMSSignatureResponse</code> DOM element. */
+ private Element responseElem;
+
+ /**
+ * Create a new <code>CreateCMSSignatureResponseBuilder</code>:
+ *
+ * @throws MOASystemException An error occurred setting up the resulting
+ * XML document.
+ */
+ public CreateCMSSignatureResponseBuilder() throws MOASystemException {
+ responseDoc =
+ ResponseBuilderUtils.createResponse("CreateCMSSignatureResponse");
+ responseElem = responseDoc.getDocumentElement();
+ }
+
+ /**
+ * Build a document containing a <code>CreateCMSSignatureResponse</code>
+ * DOM element being the XML representation of the given
+ * <code>CreateCMSSignatureResponse</code> API object.
+ *
+ * @param response The <code>CreateCMSSignatureResponse</code> to convert
+ * to XML.
+ * @return A document containing the <code>CreateCMSSignatureResponse</code>
+ * DOM element.
+ */
+ public Document build(CreateCMSSignatureResponse response) {
+ Iterator iter;
+
+
+ for (iter = response.getResponseElements().iterator(); iter.hasNext();) {
+ CreateCMSSignatureResponseElement responseElement =
+ (CreateCMSSignatureResponseElement) iter.next();
+
+ switch (responseElement.getResponseType()) {
+ case CreateCMSSignatureResponseElement.CMS_SIGNATURE :
+ CMSSignatureResponse cmsSignatureResponse = (CMSSignatureResponse) responseElement;
+ addCMSSignature(cmsSignatureResponse);
+ break;
+
+ case CreateCMSSignatureResponseElement.ERROR_RESPONSE :
+ ErrorResponse errorResponse = (ErrorResponse) responseElement;
+ addErrorResponse(errorResponse);
+ break;
+ }
+
+ }
+
+ return responseDoc;
+ }
+
+
+
+ /**
+ * Add a <code>CMSSignature</code> element to the response.
+ *
+ * @param cmsSignatureResponse The content to put under the
+ * <code>CMSSignature</code> element.
+ */
+ private void addCMSSignature(CMSSignatureResponse cmsSignatureResponse) {
+ String base64Value = cmsSignatureResponse.getCMSSignature();
+
+ Element cmsSignature = responseDoc.createElementNS(MOA_NS_URI, "CMSSignature");
+ cmsSignature.setTextContent(base64Value);
+
+ responseElem.appendChild(cmsSignature);
+
+}
+
+ /**
+ * Add a <code>ErrorResponse</code> element to the response.
+ *
+ * @param errorResponse The API object containing the information to put into
+ * the <code>ErrorResponse</code> DOM element.
+ */
+ private void addErrorResponse(ErrorResponse errorResponse) {
+ Element errorElem =
+ responseDoc.createElementNS(MOA_NS_URI, "ErrorResponse");
+ Element errorCodeElem =
+ responseDoc.createElementNS(MOA_NS_URI, "ErrorCode");
+ Element infoElem = responseDoc.createElementNS(MOA_NS_URI, "Info");
+ String errorCodeStr = Integer.toString(errorResponse.getErrorCode());
+
+ errorCodeElem.appendChild(responseDoc.createTextNode(errorCodeStr));
+ errorElem.appendChild(errorCodeElem);
+ infoElem.appendChild(responseDoc.createTextNode(errorResponse.getInfo()));
+ errorElem.appendChild(errorCodeElem);
+ errorElem.appendChild(infoElem);
+ responseElem.appendChild(errorElem);
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
index a228a0db8..2e2afaf7c 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
@@ -117,9 +117,12 @@ class ResponseBuilderUtils {
Element root,
X509Certificate cert,
boolean isQualified,
+ String qcSource,
boolean isPublicAuthority,
String publicAuthorityID,
- boolean isSSCD)
+ boolean isSSCD,
+ String sscdSource,
+ String issuerCountryCode)
throws MOAApplicationException {
Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo");
@@ -145,6 +148,12 @@ class ResponseBuilderUtils {
isSSCD
? response.createElementNS(MOA_NS_URI, "SecureSignatureCreationDevice")
: null;
+ Element issuerCountryCodeElem = null;
+ if (issuerCountryCode != null) {
+ issuerCountryCodeElem = response.createElementNS(MOA_NS_URI, "IssuerCountryCode");
+ issuerCountryCodeElem.setTextContent(issuerCountryCode);
+ }
+
Element publicAuthorityElem =
isPublicAuthority
? response.createElementNS(MOA_NS_URI, "PublicAuthority")
@@ -182,7 +191,10 @@ class ResponseBuilderUtils {
x509DataElem.appendChild(x509IssuerSerialElem);
x509DataElem.appendChild(x509CertificateElem);
if (isQualified) {
- x509DataElem.appendChild(qualifiedCertificateElem);
+ if (qcSource.compareToIgnoreCase("TSL") == 0)
+ qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource);
+
+ x509DataElem.appendChild(qualifiedCertificateElem);
}
if (isPublicAuthority) {
x509DataElem.appendChild(publicAuthorityElem);
@@ -192,8 +204,12 @@ class ResponseBuilderUtils {
}
}
if (isSSCD) {
+ sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource);
x509DataElem.appendChild(sscdElem);
}
+ if (issuerCountryCodeElem != null)
+ x509DataElem.appendChild(issuerCountryCodeElem);
+
signerInfoElem.appendChild(x509DataElem);
root.appendChild(signerInfoElem);
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java
index 7ad838822..b11560b28 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java
@@ -104,9 +104,12 @@ public class VerifyCMSSignatureResponseBuilder {
responseElem,
signerInfo.getSignerCertificate(),
signerInfo.isQualifiedCertificate(),
+ signerInfo.getQCSource(),
signerInfo.isPublicAuthority(),
signerInfo.getPublicAuhtorityID(),
- signerInfo.isSSCD());
+ signerInfo.isSSCD(),
+ signerInfo.getSSCDSource(),
+ signerInfo.getIssuerCountryCode());
ResponseBuilderUtils.addCodeInfoElement(
responseDoc,
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java
index 0d3e0c18e..dd4e13ad9 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java
@@ -96,9 +96,12 @@ public class VerifyXMLSignatureResponseBuilder {
responseElem,
response.getSignerInfo().getSignerCertificate(),
response.getSignerInfo().isQualifiedCertificate(),
+ response.getSignerInfo().getQCSource(),
response.getSignerInfo().isPublicAuthority(),
response.getSignerInfo().getPublicAuhtorityID(),
- response.getSignerInfo().isSSCD());
+ response.getSignerInfo().isSSCD(),
+ response.getSignerInfo().getSSCDSource(),
+ response.getSignerInfo().getIssuerCountryCode());
// add HashInputData elements
responseData = response.getHashInputDatas();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 09f496c74..0908d88c9 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -30,6 +30,7 @@ import iaik.pki.pathvalidation.ChainingModes;
import iaik.pki.revocation.RevocationSourceTypes;
import iaik.server.modules.xml.BlackListEntry;
import iaik.server.modules.xml.ExternalReferenceChecker;
+import iaik.server.modules.xml.WhiteListEntry;
import iaik.utils.RFC2253NameParser;
import iaik.utils.RFC2253NameParserException;
@@ -66,6 +67,7 @@ import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl;
import at.gv.egovernment.moa.spss.util.MessageProvider;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.StringUtils;
import at.gv.egovernment.moa.util.XPathUtils;
@@ -101,6 +103,10 @@ public class ConfigurationPartsBuilder {
ROOT + CONF + "SignatureCreation/"
+ CONF + "XMLDSig/"
+ CONF + "DigestMethodAlgorithm";
+ private static final String XADES_VERSION_XPATH =
+ ROOT + CONF + "SignatureCreation/"
+ + CONF + "XAdES/"
+ + CONF + "Version";
private static final String C14N_ALGORITHM_XPATH =
ROOT + CONF + "SignatureCreation/"
+ CONF + "XMLDSig/"
@@ -115,6 +121,13 @@ public class ConfigurationPartsBuilder {
ROOT + CONF + "Common/"
+ CONF + "PermitExternalUris/"
+ CONF + "BlackListUri";
+ private static final String FORBID_EXTERNAL_URIS_XPATH =
+ ROOT + CONF + "Common/"
+ + CONF + "ForbidExternalUris";
+ private static final String WHITE_LIST_URIS_XPATH =
+ ROOT + CONF + "Common/"
+ + CONF + "ForbidExternalUris/"
+ + CONF + "WhiteListUri";
private static final String HARDWARE_KEY_XPATH =
ROOT + CONF + "SignatureCreation/"
@@ -263,15 +276,22 @@ public class ConfigurationPartsBuilder {
/** The accepted digest method algorithm URIs, as an array */
private static final String[] ACCEPTED_DIGEST_ALGORITHMS_ARRAY =
- { Constants.SHA1_URI };
+ { Constants.SHA1_URI,
+ Constants.SHA256_URI,
+ Constants.SHA384_URI,
+ Constants.SHA512_URI};
/** The accepted digest method algorithm URIs, as a Set */
private static final Set ACCEPTED_DIGEST_ALGORITHMS =
new HashSet(Arrays.asList(ACCEPTED_DIGEST_ALGORITHMS_ARRAY));
-
- /** Default digest algorithm URI, if none/illegal has been configured */
- private static final String DIGEST_ALGORITHM_DEFAULT = Constants.SHA1_URI;
-
+
+
+ /** Default digest algorithm URI, if none/illegal has been configured (for XAdES 1.1.1) */
+ private static final String DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1 = Constants.SHA1_URI;
+
+ /** Default digest algorithm URI, if none/illegal has been configured (for XAdES 1.4.2) */
+ private static final String DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2 = Constants.SHA256_URI;
+
/** The root element of the MOA configuration */
private Element configElem;
@@ -333,18 +353,42 @@ public class ConfigurationPartsBuilder {
public String getDigestMethodAlgorithmName()
{
String digestMethod = getElementValue(getConfigElem(), DIGEST_METHOD_XPATH, null);
-
+
if (digestMethod == null || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod))
{
- info(
- "config.23",
- new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT });
- digestMethod = DIGEST_ALGORITHM_DEFAULT;
+ String xadesVersion = this.getXAdESVersion();
+ if (xadesVersion == null) {
+ info(
+ "config.23",
+ new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1 });
+ digestMethod = DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1;
+ }
+ else {
+ info(
+ "config.23",
+ new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2 });
+ digestMethod = DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2;
+ }
+
+
}
return digestMethod;
}
-
+
+ /**
+ * Returns the digest method algorithm name.
+ *
+ * @return The digest method algorithm name from the configuration.
+ */
+ public String getXAdESVersion()
+ {
+ String xadesVersion = getElementValue(getConfigElem(), XADES_VERSION_XPATH, null);
+
+ return xadesVersion;
+ }
+
+
/**
* Returns the canonicalization algorithm name.
*
@@ -409,6 +453,7 @@ public class ConfigurationPartsBuilder {
}
}
+
/**
*
* @return
@@ -448,10 +493,12 @@ public class ConfigurationPartsBuilder {
array[1] = port;
blacklist.add(array);
- }
+ }
+
// set blacklist for iaik-moa
ExternalReferenceChecker.setBlacklist(blackListIaikMoa);
+
if(blacklist.isEmpty()) // no blacklisted uris given
info("config.36", null);
@@ -459,7 +506,63 @@ public class ConfigurationPartsBuilder {
return blacklist;
}
+
+ /**
+ *
+ * @return
+ */
+ public List buildForbidExternalUris() {
+
+ //info("config.47", null);
+
+ List whitelist = new ArrayList();
+ List whiteListIaikMoa = new ArrayList();
+
+ NodeIterator forbidExtIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ WHITE_LIST_URIS_XPATH);
+
+ Element permitExtElem = null;
+ while ((permitExtElem = (Element) forbidExtIter.nextNode()) != null) {
+ String host = getElementValue(permitExtElem, CONF + "IP", null);
+ String port = getElementValue(permitExtElem, CONF + "Port", null);
+
+ // WhiteListeEntry
+ WhiteListEntry entry =null;
+ if (port == null) {
+ entry = new WhiteListEntry(host, -1);
+ info("config.49", new Object[]{host});
+ }
+ else {
+ entry = new WhiteListEntry(host, new Integer(port).intValue());
+ info("config.49", new Object[]{host + ":" + port});
+ }
+
+ // add entry to iaik-moa whitelist
+ whiteListIaikMoa.add(entry);
+
+
+ String array[] = new String[2];
+ array[0] = host;
+ array[1] = port;
+ whitelist.add(array);
+
+ }
+
+
+ // set whitelist for iaik-moa
+ ExternalReferenceChecker.setWhitelist(whiteListIaikMoa);
+
+
+ if(whitelist.isEmpty()) // no whitelisted uris given
+ info("config.48", null);
+
+
+ return whitelist;
+ }
+
+
/**
* Build the configured hardware keys.
*
@@ -573,9 +676,10 @@ public class ConfigurationPartsBuilder {
while ((keyGroupElem = (Element) kgIter.nextNode()) != null)
{
String keyGroupId = getElementValue(keyGroupElem, CONF + "Id", null);
+ String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null);
Set keyGroupEntries =
buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem);
- KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries);
+ KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm);
if (keyGroups.containsKey(keyGroupId))
{
@@ -1032,11 +1136,11 @@ public class ConfigurationPartsBuilder {
}
/**
- * Bulid the trust profile mapping.
+ * Build the trust profile mapping.
*
* @return The profile ID to profile mapping.
*/
- public Map buildTrustProfiles()
+ public Map buildTrustProfiles(String tslWorkingDir)
{
Map trustProfiles = new HashMap();
NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH);
@@ -1110,8 +1214,54 @@ public class ConfigurationPartsBuilder {
}
signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null;
- TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries);
+
+ TrustProfile profile = null;
+
+ if (tslEnabled) {
+ // create new trust anchor location (=tslworking trust profile)
+ File fTslWorkingDir = new File(tslWorkingDir);
+ File tp = new File(fTslWorkingDir, "trustprofiles");
+ if (!tp.exists())
+ tp.mkdir();
+ if (!tp.isDirectory()) {
+ error("config.50", new Object[] { tp.getPath() });
+ }
+
+ File tpid = new File(tp, id);
+ if (!tpid.exists())
+ tpid.mkdir();
+ if (!tpid.isDirectory()) {
+ error("config.50", new Object[] { tpid.getPath() });
+ }
+
+
+ // create profile
+ profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries);
+
+ // set original uri (save original trust anchor location)
+ profile.setUriOrig(trustAnchorsLocURI.getPath());
+
+ // delete files in tslworking trust profile
+ File[] files = tpid.listFiles();
+ for (File file : files)
+ file.delete();
+
+ // copy files from trustAnchorsLocURI into tslworking trust profile kopieren
+ File src = new File(trustAnchorsLocURI.getPath());
+ files = src.listFiles();
+ for (File file : files) {
+ FileUtils.copyFile(file, new File(tpid, file.getName()));
+ }
+
+
+ } else {
+
+ profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries);
+
+ }
+
trustProfiles.put(id, profile);
+
}
return trustProfiles;
@@ -1428,11 +1578,11 @@ public class ConfigurationPartsBuilder {
TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl();
-// String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null);
-// if (StringUtils.isEmpty(euTSLUrl)) {
-// warn("config.39", new Object[] { "EUTSL", euTSLUrl });
-// return null;
-// }
+ String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null);
+ if (StringUtils.isEmpty(euTSLUrl)) {
+ euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL;
+ warn("config.39", new Object[] { "EUTSL", euTSLUrl });
+ }
String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null);
@@ -1488,17 +1638,31 @@ public class ConfigurationPartsBuilder {
return null;
}
+ File hashcache = new File(tslWorkingDir, "hashcache");
+ if (!hashcache.exists()) {
+ hashcache.mkdir();
+ }
+ if (!hashcache.isDirectory()) {
+ error("config.38", new Object[] { hashcache.getAbsolutePath() });
+ return null;
+ }
+
+ System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath());
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("Hashcache: " + hashcachedir);
+
+ debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl);
debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod);
debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime);
debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath());
+ debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath());
// set TSL configuration
- //tslconfiguration.setEuTSLUrl(euTSLUrl);
+ tslconfiguration.setEuTSLUrl(euTSLUrl);
tslconfiguration.setUpdateSchedulePeriod(Long.valueOf(updateSchedulePeriod).longValue());
tslconfiguration.setUpdateScheduleStartTime(updateScheduleStartTimeDate);
tslconfiguration.setWorkingDirectory(tslWorkingDir.getAbsolutePath());
-
-
+ tslconfiguration.setWorkingDirectoryURI(workingDirectoryURI);
return tslconfiguration;
}
@@ -1526,7 +1690,6 @@ public class ConfigurationPartsBuilder {
map.put(x509IssuerName, interval);
}
- //System.out.println("Name: " + x509IssuerName + " - Interval: " + interval);
}
return map;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 25fa0d6ad..2cad35763 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -41,6 +41,7 @@ import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Map.Entry;
import java.util.Set;
import org.w3c.dom.Element;
@@ -99,7 +100,10 @@ public class ConfigurationProvider
/** The default canonicalization algorithm name */
private String canonicalizationAlgorithmName;
-
+
+ /** The XAdES version used for signature creation */
+ private String xadesVersion;
+
/**
* A <code>List</code> of <code>HardwareCryptoModule</code> objects for
* configuring hardware modules.
@@ -252,6 +256,11 @@ public class ConfigurationProvider
private List blackListedUris_;
/**
+ * A <code>List</code> of white listed URIs (host and port)
+ */
+ private List whiteListedUris_;
+
+ /**
* A <code>TSLConfiguration</code> that represents the global TSL configuration
*/
private TSLConfiguration tslconfiguration_;
@@ -351,11 +360,15 @@ public class ConfigurationProvider
keyGroups = builder.buildKeyGroups(allKeyModules);
keyGroupMappings =
builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL);
+
+ tslconfiguration_ = builder.getTSLConfiguration();
+
+ xadesVersion = builder.getXAdESVersion();
defaultChainingMode = builder.getDefaultChainingMode();
chainingModes = builder.buildChainingModes();
useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess();
autoAddCertificates_ = builder.getAutoAddCertificates();
- trustProfiles = builder.buildTrustProfiles();
+ trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());
distributionPoints = builder.buildDistributionPoints();
enableRevocationChecking_ = builder.getEnableRevocationChecking();
maxRevocationAge_ = builder.getMaxRevocationAge();
@@ -365,7 +378,7 @@ public class ConfigurationProvider
revocationArchiveJDBCURL_ = builder.getRevocationArchiveJDBCURL();
revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass();
- tslconfiguration_ = builder.getTSLConfiguration();
+
//check TSL configuration
checkTSLConfiguration();
@@ -382,11 +395,14 @@ public class ConfigurationProvider
allowExternalUris_= builder.allowExternalUris();
- if (allowExternalUris_)
+ if (allowExternalUris_) {
blackListedUris_ = builder.buildPermitExternalUris();
+ whiteListedUris_ = null;
+ }
else {
info("config.35", null);
blackListedUris_ = null;
+ whiteListedUris_ = builder.buildForbidExternalUris();
}
@@ -457,6 +473,16 @@ public class ConfigurationProvider
return digestMethodAlgorithmName;
}
+ /**
+ * Return the XAdES version used for signature creation.
+ *
+ * @return The XAdES version used for signature creation, or an empty <code>String</code>,
+ * if none has been configured.
+ */
+ public String getXAdESVersion() {
+ return xadesVersion;
+ }
+
public boolean getAllowExternalUris() {
return this.allowExternalUris_;
}
@@ -464,6 +490,9 @@ public class ConfigurationProvider
public List getBlackListedUris() {
return this.blackListedUris_;
}
+ public List getWhiteListedUris() {
+ return this.whiteListedUris_;
+ }
/**
* Return the name of the canonicalization algorithm used during signature
@@ -515,6 +544,11 @@ public class ConfigurationProvider
public Map getKeyGroups() {
return keyGroups;
}
+
+ public KeyGroup getKeyGroup(String keyGroupId) {
+ KeyGroup keyGroup = (KeyGroup) keyGroups.get(keyGroupId);
+ return keyGroup;
+ }
/**
* Return the set of <code>KeyGroupEntry</code>s of a given key group, which a
@@ -542,6 +576,16 @@ public class ConfigurationProvider
issuerAndSerial = new IssuerAndSerial(issuer, serial);
}
+// System.out.println("Issuer: " + issuer);
+// System.out.println("serial: " + serial);
+//
+// Iterator entries = keyGroupMappings.entrySet().iterator();
+// while (entries.hasNext()) {
+// Entry thisEntry = (Entry) entries.next();
+// System.out.println("Entry: " + thisEntry.getKey());
+// System.out.println("Value: " + thisEntry.getValue());
+// }
+
mapping = (Map) keyGroupMappings.get(issuerAndSerial);
if (mapping != null) {
KeyGroup keyGroup = (KeyGroup) mapping.get(keyGroupId);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
index 22ed8ae83..c2490f9a3 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
@@ -40,16 +40,20 @@ public class KeyGroup {
private Set keyGroupEntries;
/** The key group ID. */
private String id;
+ /** The digest method algorithm for the key group */
+ private String digestMethodAlgorithm;
/**
* Create a <code>KeyGroup</code>.
*
* @param id The ID of this <code>KeyGroup</code>.
* @param keyGroupEntries The keys belonging to this <code>KeyGroup</code>.
+ * @param digestMethodAlgorithm The signature algorithm used for this key group
*/
- public KeyGroup(String id, Set keyGroupEntries) {
+ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) {
this.id = id;
this.keyGroupEntries = keyGroupEntries;
+ this.digestMethodAlgorithm = digestMethodAlgorithm;
}
/**
@@ -60,6 +64,14 @@ public class KeyGroup {
public Set getKeyGroupEntries() {
return keyGroupEntries;
}
+
+ /**
+ * Returnd the digest method algorithm used for this key group
+ * @return The digest method signature algorithm used for this key group
+ */
+ public String getDigestMethodAlgorithm() {
+ return digestMethodAlgorithm;
+ }
/**
* Return the ID of this <code>KeyGroup</code>.
@@ -87,7 +99,7 @@ public class KeyGroup {
sb.append(" " + i.next());
}
}
- return "(KeyGroup - ID:" + id + " " + sb.toString() + ")";
+ return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " + digestMethodAlgorithm;
}
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java
index 1b5f4473d..21063c77f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java
@@ -41,6 +41,8 @@ public class TrustProfile {
private String signerCertsUri;
/** Defines if Trustprofile makes use of EU TSL*/
private boolean tslEnabled;
+ /** The original URI (out of the configuration) giving the location of the trust profile (used when TSL is enabled) */
+ private String uriOrig;
/** The countries given */
private String countries;
/** */
@@ -80,6 +82,15 @@ public class TrustProfile {
public String getUri() {
return uri;
}
+
+ /**
+ * Return the original URI of this <code>TrustProfile</code>.
+ *
+ * @return The original URI of <code>TrustProfile</code>.
+ */
+ public String getUriOrig() {
+ return uriOrig;
+ }
/**
* Return the URI giving the location of the allowed signer certificates
@@ -108,20 +119,14 @@ public class TrustProfile {
return countries;
}
+
/**
- * Return the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update
- * @return The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update
+ * Sets the original URI of this <code>TrustProfile</code>.
+ *
+ * @return The original URI of <code>TrustProfile</code>.
*/
- public X509Certificate[] getCertficatesToBeRemoved() {
- return certificatesToBeRemoved;
+ public void setUriOrig(String uriOrig) {
+ this.uriOrig = uriOrig;
}
- /**
- * Sets the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update
- * @param certificates The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update
- */
- public void setCertificatesToBeRemoved(X509Certificate[] certificates) {
- this.certificatesToBeRemoved = new X509Certificate[certificates.length];
- this.certificatesToBeRemoved = certificates;
- }
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
new file mode 100644
index 000000000..49e5ecc10
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
@@ -0,0 +1,249 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.server.iaik.cmssign;
+
+import iaik.server.modules.algorithms.SignatureAlgorithms;
+import iaik.server.modules.cmssign.CMSSignatureCreationProfile;
+import iaik.server.modules.keys.AlgorithmUnavailableException;
+import iaik.server.modules.keys.KeyEntryID;
+import iaik.server.modules.keys.KeyModule;
+import iaik.server.modules.keys.KeyModuleFactory;
+import iaik.server.modules.keys.UnknownKeyException;
+
+import java.util.List;
+import java.util.Set;
+
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.server.logging.TransactionId;
+import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
+import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+
+/**
+ * An object providing auxiliary information for creating a CMS signature.
+ *
+ * @author Patrick Peck
+ * @version $Id$
+ */
+public class CMSSignatureCreationProfileImpl
+ implements CMSSignatureCreationProfile {
+
+ /** The set of keys available to the signing process. */
+ private Set keySet;
+ /** The MIME type of the data to be signed*/
+ private String mimeType;
+ /** Whether the created signature is to be Security Layer conform. */
+ private boolean securityLayerConform;
+ /** Properties to be signed during signature creation. */
+ private List signedProperties;
+ /** Specifies whether the content data shall be included in the CMS SignedData or shall be not included. */
+ private boolean includeData;
+ /** Digest Method algorithm */
+ private String digestMethod;
+
+
+ /**
+ * Create a new <code>XMLSignatureCreationProfileImpl</code>.
+ *
+ * @param createProfileCount Provides external information about the
+ * number of calls to the signature creation module, using the same request.
+ * @param reservedIDs The set of IDs that must not be used while generating
+ * new IDs.
+ */
+ public CMSSignatureCreationProfileImpl(
+ Set keySet,
+ String digestMethod,
+ List signedProperties,
+ boolean securityLayerConform,
+ boolean includeData,
+ String mimeType) {
+ this.keySet = keySet;
+ this.signedProperties = signedProperties;
+ this.securityLayerConform = securityLayerConform;
+ this.includeData = includeData;
+ this.mimeType = mimeType;
+ this.digestMethod = digestMethod;
+
+ }
+
+
+ /**
+ * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getKeySet()
+ */
+ public Set getKeySet() {
+ return keySet;
+ }
+
+ /**
+ * Set the set of <code>KeyEntryID</code>s which may be used for signature
+ * creation.
+ *
+ * @param keySet The set of <code>KeyEntryID</code>s to set.
+ */
+ public void setKeySet(Set keySet) {
+ this.keySet = keySet;
+ }
+
+
+ /**
+ * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureAlgorithmName(KeyEntryID)
+ */
+ public String getSignatureAlgorithmName(KeyEntryID selectedKeyID)
+ throws AlgorithmUnavailableException {
+
+
+ TransactionContext context =
+ TransactionContextManager.getInstance().getTransactionContext();
+ TransactionId tid = new TransactionId(context.getTransactionID());
+ KeyModule module = KeyModuleFactory.getInstance(tid);
+ Set algorithms;
+
+ try {
+ algorithms = module.getSupportedSignatureAlgorithms(selectedKeyID);
+ } catch (UnknownKeyException e) {
+ throw new AlgorithmUnavailableException(
+ "Unknown key entry: " + selectedKeyID,
+ e,
+ null);
+ }
+
+ if (digestMethod.compareTo("SHA-1") == 0) {
+ Logger.warn("SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)");
+
+ if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
+ return SignatureAlgorithms.SHA1_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
+ return SignatureAlgorithms.ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+
+ } else if (digestMethod.compareTo("SHA-256") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+ return SignatureAlgorithms.SHA256_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
+ return SignatureAlgorithms.SHA256_WITH_ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethod.compareTo("SHA-384") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+ return SignatureAlgorithms.SHA384_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
+ return SignatureAlgorithms.SHA384_WITH_ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethod.compareTo("SHA-512") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+ return SignatureAlgorithms.SHA512_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
+ return SignatureAlgorithms.SHA512_WITH_ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ }
+ else {
+ throw new AlgorithmUnavailableException(
+ "No signature algorithm found for digest algorithm '" + digestMethod,
+ null,
+ null);
+ }
+
+
+ }
+
+
+
+ /**
+ * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties()
+ */
+ public List getSignedProperties() {
+ return signedProperties;
+ }
+
+ /**
+ * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform()
+ */
+ public boolean isSecurityLayerConform() {
+ return securityLayerConform;
+ }
+
+ /**
+ * Sets the security layer conformity.
+ *
+ * @param securityLayerConform <code>true</code>, if the created signature
+ * is to be conform to the Security Layer specification.
+ */
+ public void setSecurityLayerConform(boolean securityLayerConform) {
+ this.securityLayerConform = securityLayerConform;
+ }
+
+
+ public void setDigestMethod(String digestMethod) {
+ this.digestMethod = digestMethod;
+ }
+
+
+ public String getMimeType() {
+ return mimeType;
+ }
+
+ public boolean includeData() {
+ return this.includeData;
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
index 9b5dce883..7d0c5a062 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
@@ -24,9 +24,6 @@
package at.gv.egovernment.moa.spss.server.iaik.xmlsign;
-import java.util.List;
-import java.util.Set;
-
import iaik.server.modules.algorithms.SignatureAlgorithms;
import iaik.server.modules.keys.AlgorithmUnavailableException;
import iaik.server.modules.keys.KeyEntryID;
@@ -37,6 +34,10 @@ import iaik.server.modules.xml.Canonicalization;
import iaik.server.modules.xmlsign.XMLSignatureCreationProfile;
import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation;
+import java.util.List;
+import java.util.Set;
+
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -75,7 +76,10 @@ public class XMLSignatureCreationProfileImpl
private IdGenerator dsigManifestIDGenerator;
/** The ID generator for signed property IDs. */
private IdGenerator propertyIDGenerator;
-
+ /** The selected digest method algorithm if XAdES 1.4.2 is used */
+ private String digestMethodXAdES142;
+
+
/**
* Create a new <code>XMLSignatureCreationProfileImpl</code>.
*
@@ -86,7 +90,8 @@ public class XMLSignatureCreationProfileImpl
*/
public XMLSignatureCreationProfileImpl(
int createProfileCount,
- Set reservedIDs) {
+ Set reservedIDs,
+ String digestMethodXAdES142) {
signatureIDGenerator =
new IdGenerator("signature-" + createProfileCount, reservedIDs);
manifestIDGenerator =
@@ -95,6 +100,7 @@ public class XMLSignatureCreationProfileImpl
new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs);
propertyIDGenerator =
new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs);
+ this.digestMethodXAdES142 = digestMethodXAdES142;
}
/**
@@ -168,27 +174,110 @@ public class XMLSignatureCreationProfileImpl
e,
null);
}
-
- if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) // TODO retournierten Algorithmus abhängig von der Schlüssellänge machen (bei längeren Schlüsseln SHA256 statt SHA1)
- || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
-
- return SignatureAlgorithms.SHA1_WITH_RSA;
- } else if (
- algorithms.contains(SignatureAlgorithms.ECDSA)) {
- return SignatureAlgorithms.ECDSA;
- } else if (
- algorithms.contains(SignatureAlgorithms.DSA)) {
- return SignatureAlgorithms.DSA;
- } else {
- throw new AlgorithmUnavailableException(
- "No algorithm for key entry: " + selectedKeyID,
- null,
- null);
+
+ if (digestMethodXAdES142 == null) {
+ // XAdES 1.4.2 not enabled - legacy MOA
+ if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+
+ return SignatureAlgorithms.SHA1_WITH_RSA;
+ } else if (
+ algorithms.contains(SignatureAlgorithms.ECDSA)) {
+ return SignatureAlgorithms.ECDSA;
+ } else if (
+ algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ }
+ else {
+ // XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method
+ if (digestMethodXAdES142.compareTo("SHA-1") == 0) {
+ Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)");
+
+ if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
+ return SignatureAlgorithms.SHA1_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
+ return SignatureAlgorithms.ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+
+ } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+ return SignatureAlgorithms.SHA256_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
+ return SignatureAlgorithms.SHA256_WITH_ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+ return SignatureAlgorithms.SHA384_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
+ return SignatureAlgorithms.SHA384_WITH_ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+ return SignatureAlgorithms.SHA512_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
+ return SignatureAlgorithms.SHA512_WITH_ECDSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ }
+ else {
+ throw new AlgorithmUnavailableException(
+ "No signature algorithm found for digest algorithm '" + digestMethodXAdES142,
+ null,
+ null);
+ }
+
}
+
+
}
/**
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
index c9b76dd7e..12d8b0126 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
@@ -31,15 +31,12 @@ import iaik.server.ConfigurationData;
import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
import iaik.xml.crypto.tsl.ex.TSLSearchException;
-import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.cert.CertificateException;
-import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
-import java.util.Iterator;
import java.util.Timer;
import at.gv.egovernment.moa.logging.LogMsg;
@@ -122,9 +119,10 @@ public class SystemInitializer {
try {
ConfigurationProvider config = ConfigurationProvider.getInstance();
ConfigurationData configData = new IaikConfigurator().configure(config);
-
+
//initialize TSL module
TSLConfiguration tslconfig = config.getTSLConfiguration();
+
TSLConnector tslconnector = new TSLConnector();
if (tslconfig != null) {
//Logger.info(new LogMsg(msg.getMessage("init.01", null)));
@@ -133,10 +131,12 @@ public class SystemInitializer {
}
+
//start TSL Update
TSLUpdaterTimerTask.tslconnector_ = tslconnector;
TSLUpdaterTimerTask.update();
+
//initialize TSL Update Task
initTSLUpdateTask(tslconfig);
@@ -154,13 +154,13 @@ public class SystemInitializer {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
} catch (TrustStoreException e) {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
- } catch (CertificateException e) {
- Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
} catch (FileNotFoundException e) {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
} catch (IOException e) {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
- }
+ } catch (CertificateException e) {
+ Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
+ }
// set IXSIL debug output
IXSILInit.setPrintDebugLog(
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java
new file mode 100644
index 000000000..e058c8a4b
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.server.invoke;
+
+import iaik.server.modules.algorithms.HashAlgorithms;
+import iaik.server.modules.cmssign.CMSSignature;
+import iaik.server.modules.cmssign.CMSSignatureCreationException;
+import iaik.server.modules.cmssign.CMSSignatureCreationModule;
+import iaik.server.modules.cmssign.CMSSignatureCreationModuleFactory;
+import iaik.server.modules.cmssign.CMSSignatureCreationProfile;
+import iaik.server.modules.keys.KeyEntryID;
+import iaik.server.modules.keys.KeyModule;
+import iaik.server.modules.keys.KeyModuleFactory;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.logging.LoggingContext;
+import at.gv.egovernment.moa.logging.LoggingContextManager;
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.MOAException;
+import at.gv.egovernment.moa.spss.MOASystemException;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo;
+import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSContentExcplicit;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSContentReference;
+import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;
+import at.gv.egovernment.moa.spss.api.common.MetaInfo;
+import at.gv.egovernment.moa.spss.api.impl.CreateCMSSignatureResponseImpl;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry;
+import at.gv.egovernment.moa.spss.server.iaik.cmssign.CMSSignatureCreationProfileImpl;
+import at.gv.egovernment.moa.spss.server.logging.TransactionId;
+import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
+import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.util.Constants;
+
+/**
+ * A class providing an API based interface to the
+ * <code>CMSSignatureCreationModule</code>.
+ *
+ * This class performs the invocation of the
+ * <code>iaik.server.modules.cmssign.CMSSignatureCreationModule</code> from a
+ * <code>CreateCMSSignatureRequest</code> given as an API object. The result of
+ * the invocation is integrated into a <code>CreateCMSSignatureResponse</code>
+ * and returned.
+ *
+ * @version $Id$
+ */
+public class CMSSignatureCreationInvoker {
+
+ private static Map HASH_ALGORITHM_MAPPING;
+
+ static {
+ HASH_ALGORITHM_MAPPING = new HashMap();
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512);
+ }
+
+
+ /** The single instance of this class. */
+ private static CMSSignatureCreationInvoker instance = null;
+
+ /**
+ * Get the only instance of this class.
+ *
+ * @return The only instance of this class.
+ */
+ public static synchronized CMSSignatureCreationInvoker getInstance() {
+ if (instance == null) {
+ instance = new CMSSignatureCreationInvoker();
+ }
+ return instance;
+ }
+
+ /**
+ * Create a new <code>CMSSignatureCreationInvoker</code>.
+ *
+ * Protected to disallow multiple instances.
+ */
+ protected CMSSignatureCreationInvoker() {
+ }
+
+
+
+ /**
+ * Process the <code>CreateCMSSignatureRequest<code> message and invoke the
+ * <code>XMLSignatureCreationModule</code> for every
+ * <code>SingleSignatureInfo</code> contained in the request.
+ *
+ * @param request A <code>CreateCMSSignatureRequest<code> API object
+ * containing the information for creating the signature(s).
+ * @param reserved A <code>Set</code> of reserved object IDs.
+ *
+ * @return A <code>CreateCMSSignatureResponse</code> API object containing
+ * the created signature(s). The response contains either a
+ * <code>SignatureEnvironment</code> or a <code>ErrorResponse</code>
+ * for each <code>SingleSignatureInfo</code> in the request.
+ * @throws MOAException An error occurred during signature creation.
+ */
+ public CreateCMSSignatureResponse createCMSSignature(
+ CreateCMSSignatureRequest request,
+ Set reserved)
+ throws MOAException {
+
+ TransactionContext context = TransactionContextManager.getInstance().getTransactionContext();
+ //LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext();
+
+ CreateCMSSignatureResponseBuilder responseBuilder = new CreateCMSSignatureResponseBuilder();
+ CreateCMSSignatureResponse response = new CreateCMSSignatureResponseImpl();
+
+ boolean isSecurityLayerConform = false;
+ String structure = null;
+ String mimetype = null;
+
+ // select the SingleSignatureInfo elements
+ Iterator singleSignatureInfoIter = request.getSingleSignatureInfos().iterator();
+
+ // iterate over all the SingleSignatureInfo elements in the request
+ while (singleSignatureInfoIter.hasNext()) {
+ SingleSignatureInfo singleSignatureInfo = (SingleSignatureInfo) singleSignatureInfoIter.next();
+ isSecurityLayerConform = singleSignatureInfo.isSecurityLayerConform();
+
+
+ DataObjectInfo dataObjectInfo = singleSignatureInfo.getDataObjectInfo();
+ structure = dataObjectInfo.getStructure();
+
+ CMSDataObject dataobject = dataObjectInfo.getDataObject();
+ MetaInfo metainfo = dataobject.getMetaInfo();
+ mimetype = metainfo.getMimeType();
+
+ CMSContent content = dataobject.getContent();
+ InputStream contentIs = null;
+ // build the content data
+ switch (content.getContentType()) {
+ case CMSContent.EXPLICIT_CONTENT :
+ contentIs = ((CMSContentExcplicit) content).getBinaryContent();
+ break;
+ case CMSContent.REFERENCE_CONTENT :
+ String reference = ((CMSContentReference) content).getReference();
+ if (!"".equals(reference)) {
+ ExternalURIResolver resolver = new ExternalURIResolver();
+ contentIs = resolver.resolve(reference);
+ } else {
+ throw new MOAApplicationException("2301", null);
+ }
+ break;
+ default : {
+ throw new MOAApplicationException("2301", null);
+ }
+ }
+
+ // create CMSSignatureCreationModuleFactory
+ CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance();
+
+ List signedProperties = null;
+ boolean includeData = true;
+ if (structure.compareTo("enveloping") == 0)
+ includeData = true;
+ if (structure.compareTo("detached") == 0)
+ includeData = false;
+
+ ConfigurationProvider config = context.getConfiguration();
+
+ // get the key group id
+ String keyGroupID = request.getKeyIdentifier();
+ // set the key set
+ Set keySet = buildKeySet(keyGroupID);
+ if (keySet == null) {
+ throw new MOAApplicationException("2231", null);
+ } else if (keySet.size() == 0) {
+ throw new MOAApplicationException("2232", null);
+ }
+
+ // get digest algorithm
+ String digestAlgorithm = getDigestAlgorithm(config, keyGroupID);
+
+ // create CMSSignatureCreation profile:
+ CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl(
+ keySet,
+ digestAlgorithm,
+ signedProperties,
+ isSecurityLayerConform,
+ includeData,
+ mimetype);
+
+ // create CMSSignature from the CMSSignatureCreationModule
+ // build the additionalSignedProperties
+ List additionalSignedProperties = buildAdditionalSignedProperties();
+ TransactionId tid = new TransactionId(context.getTransactionID());
+ try {
+ CMSSignature signature = module.createSignature(profile, additionalSignedProperties, tid);
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ // get CMS SignedData output stream from the CMSSignature and wrap it around out
+ boolean base64 = true;
+ OutputStream signedDataStream = signature.getSignature(out, base64);
+
+ // now write the data to be signed to the signedDataStream
+ byte[] buf = new byte[4096];
+ int bytesRead;
+ while ((bytesRead = contentIs.read(buf)) >= 0) {
+ signedDataStream.write(buf, 0, bytesRead);
+ }
+
+ // finish SignedData processing by closing signedDataStream
+ signedDataStream.close();
+ String base64value = out.toString();
+
+ responseBuilder.addCMSSignature(base64value);
+
+
+ } catch (CMSSignatureCreationException e) {
+ MOAException moaException = IaikExceptionMapper.getInstance().map(e);
+
+ responseBuilder.addError(
+ moaException.getMessageId(),
+ moaException.getMessage());
+ Logger.warn(moaException.getMessage(), e);
+
+ }
+ catch (IOException e) {
+ throw new MOAApplicationException("2301", null, e);
+ }
+
+ }
+
+
+ return responseBuilder.getResponse();
+ }
+
+
+ private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException {
+ // get digest method on key group level (if configured)
+ String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm();
+ // get default digest method (if configured)
+ String configDigestMethod = config.getDigestMethodAlgorithmName();
+
+
+ String digestMethod = null;
+ if (configDigestMethodKG != null) {
+ // if KG specific digest method is configured
+ digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG);
+ if (digestMethod == null) {
+ error(
+ "config.17",
+ new Object[] { configDigestMethodKG});
+ throw new MOASystemException("2900", null);
+ }
+ Logger.debug("Digest algorithm: " + digestMethod + "(configured in KeyGroup)");
+ }
+ else {
+ // else get default configured digest method
+ digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod);
+ if (digestMethod == null) {
+ error(
+ "config.17",
+ new Object[] { configDigestMethod});
+ throw new MOASystemException("2900", null);
+ }
+ Logger.debug("Digest algorithm: " + digestMethod + "(default)");
+
+ }
+ return digestMethod;
+ }
+
+ /**
+ * Utility function to issue an error message to the log.
+ *
+ * @param messageId The ID of the message to log.
+ * @param parameters Additional message parameters.
+ */
+ private static void error(String messageId, Object[] parameters) {
+ MessageProvider msg = MessageProvider.getInstance();
+
+ Logger.error(new LogMsg(msg.getMessage(messageId, parameters)));
+ }
+
+ /**
+ * Build the set of <code>KeyEntryID</code>s available to the given
+ * <code>keyGroupID</code>.
+ *
+ * @param keyGroupID The keygroup ID for which the available keys should be
+ * returned.
+ * @return The <code>Set</code> of <code>KeyEntryID</code>s
+ * identifying the available keys.
+ */
+ private Set buildKeySet(String keyGroupID) {
+ TransactionContext context =
+ TransactionContextManager.getInstance().getTransactionContext();
+ ConfigurationProvider config = context.getConfiguration();
+ Set keyGroupEntries;
+
+ // get the KeyGroup entries from the configuration
+ if (context.getClientCertificate() != null) {
+ X509Certificate cert = context.getClientCertificate()[0];
+ Principal issuer = cert.getIssuerDN();
+ BigInteger serialNumber = cert.getSerialNumber();
+
+ keyGroupEntries =
+ config.getKeyGroupEntries(issuer, serialNumber, keyGroupID);
+ } else {
+ keyGroupEntries = config.getKeyGroupEntries(null, null, keyGroupID);
+ }
+
+ // map the KeyGroup entries to a set of KeyEntryIDs
+ if (keyGroupEntries == null) {
+ return null;
+ } else if (keyGroupEntries.size() == 0) {
+ return Collections.EMPTY_SET;
+ } else {
+ KeyModule module =
+ KeyModuleFactory.getInstance(
+ new TransactionId(context.getTransactionID()));
+ Set keyEntryIDs = module.getPrivateKeyEntryIDs();
+ Set keySet = new HashSet();
+ Iterator iter;
+
+ // filter out the keys that do not exist in the IAIK configuration
+ // by walking through the key entries and checking if the exist in the
+ // keyGroupEntries
+ for (iter = keyEntryIDs.iterator(); iter.hasNext();) {
+ KeyEntryID entryID = (KeyEntryID) iter.next();
+ KeyGroupEntry entry =
+ new KeyGroupEntry(
+ entryID.getModuleID(),
+ entryID.getCertificateIssuer(),
+ entryID.getCertificateSerialNumber());
+ if (keyGroupEntries.contains(entry)) {
+ keySet.add(entryID);
+ }
+ }
+ return keySet;
+ }
+ }
+
+ /**
+ * Build the list of additional signed properties.
+ *
+ * Based on the generic configuration setting
+ * <code>ConfigurationProvider.TEST_SIGNING_TIME_PROPERTY</code>, a
+ * constant <code>SigningTime</code> will be added to the properties.
+ *
+ * @return The <code>List</code> of additional signed properties.
+ */
+ private List buildAdditionalSignedProperties() {
+ TransactionContext context =
+ TransactionContextManager.getInstance().getTransactionContext();
+ ConfigurationProvider config = context.getConfiguration();
+ List additionalSignedProperties = Collections.EMPTY_LIST;
+
+ return additionalSignedProperties;
+ }
+
+} \ No newline at end of file
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index 2c4bbd4eb..7a4103957 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -24,8 +24,8 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import iaik.IAIKException;
-import iaik.IAIKRuntimeException;
+import iaik.server.modules.IAIKException;
+import iaik.server.modules.IAIKRuntimeException;
import iaik.server.modules.cmsverify.CMSSignatureVerificationModule;
import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory;
import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile;
@@ -58,7 +58,9 @@ import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+import at.gv.egovernment.moa.spss.util.CertificateUtils;
import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.spss.util.QCSSCDResult;
/**
* A class providing an interface to the
@@ -136,7 +138,7 @@ public class CMSSignatureVerificationInvoker {
try {
// get the signed content
signedContent = getSignedContent(request);
-
+
// build the profile
profile = profileFactory.createProfile();
@@ -159,6 +161,7 @@ public class CMSSignatureVerificationInvoker {
while (input.read(buf) > 0);
results = module.verifySignature(signingTime);
+
} catch (IAIKException e) {
MOAException moaException = IaikExceptionMapper.getInstance().map(e);
throw moaException;
@@ -183,6 +186,8 @@ public class CMSSignatureVerificationInvoker {
}
}
+ QCSSCDResult qcsscdresult = new QCSSCDResult();
+
// build the response: for each signatory add the result to the response
signatories = request.getSignatories();
if (signatories == VerifyCMSSignatureRequest.ALL_SIGNATORIES) {
@@ -190,12 +195,28 @@ public class CMSSignatureVerificationInvoker {
for (resultIter = results.iterator(); resultIter.hasNext();) {
result = (CMSSignatureVerificationResult) resultIter.next();
+ String issuerCountryCode = null;
+ // QC/SSCD check
+ List list = result.getCertificateValidationResult().getCertificateChain();
+ if (list != null) {
+ X509Certificate[] chain = new X509Certificate[list.size()];
+
+ Iterator it = list.iterator();
+ int i = 0;
+ while(it.hasNext()) {
+ chain[i] = (X509Certificate)it.next();
+ i++;
+ }
+
+
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled());
+
+ // get signer certificate issuer country code
+ issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));
+
+ }
- // check QC and SSCD via TSL (if enabled)
- boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());
- boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());;
-
- responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL);
+ responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode);
}
} else {
int i;
@@ -206,12 +227,27 @@ public class CMSSignatureVerificationInvoker {
try {
result =
(CMSSignatureVerificationResult) results.get(signatories[i] - 1);
- // check QC and SSCD via TSL (if enabled)
- boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());
- boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());;
-
-
- responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL);
+
+ String issuerCountryCode = null;
+ // QC/SSCD check
+ List list = result.getCertificateValidationResult().getCertificateChain();
+ if (list != null) {
+ X509Certificate[] chain = new X509Certificate[list.size()];
+
+ Iterator it = list.iterator();
+ int j = 0;
+ while(it.hasNext()) {
+ chain[j] = (X509Certificate)it.next();
+ j++;
+ }
+
+
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled());
+
+ issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));
+ }
+
+ responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode);
} catch (IndexOutOfBoundsException e) {
throw new MOAApplicationException(
"2249",
@@ -223,65 +259,7 @@ public class CMSSignatureVerificationInvoker {
return responseBuilder.getResponse();
}
- private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) {
- boolean checkQCFromTSL = false;
- try {
- if (tslEnabledTrustProfile) {
- if (chainlist != null) {
- X509Certificate[] chain = new X509Certificate[chainlist.size()];
-
- Iterator it = chainlist.iterator();
- int i = 0;
- while(it.hasNext()) {
- chain[i] = (X509Certificate)it.next();
- i++;
- }
-
- checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
- //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
- }
- }
- }
- catch (TSLEngineDiedException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- } catch (TSLSearchException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- }
-
- return checkQCFromTSL;
- }
-
- private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) {
- boolean checkSSCDFromTSL = false;
- try {
- if (tslEnabledTrustProfile) {
- if (chainlist != null) {
- X509Certificate[] chain = new X509Certificate[chainlist.size()];
-
- Iterator it = chainlist.iterator();
- int i = 0;
- while(it.hasNext()) {
- chain[i] = (X509Certificate)it.next();
- i++;
- }
-
- checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
- }
- }
- }
- catch (TSLEngineDiedException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- } catch (TSLSearchException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- }
-
- return checkSSCDFromTSL;
- }
-
+
/**
* Get the signed content contained either in the request itself or given as a
* reference to external data.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java
new file mode 100644
index 000000000..aa52fe09a
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-SPSS has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.spss.server.invoke;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse;
+
+/**
+ * A class to build a <code>CreateCMSSignatureResponse</code>.
+ *
+ * <p>The methods <code>addSignature()</code> and <code>addError()</code> may be
+ * called in any combination to add <code>CMSignature</code> and
+ * <code>ErrorResponse</code> elements to the response. One of these functions
+ * must be called at least once to produce a
+ * <code>CreateCMSSignatureResponse</code>.</p>
+ *
+ * <p>The <code>getResponseElement()</code> method then returns the
+ * <code>CreateXMLSignatureResponse</code> built so far.</p>
+ *
+ * @author Patrick Peck
+ * @version $Id$
+ */
+public class CreateCMSSignatureResponseBuilder {
+
+ /** The <code>SPSSFactory</code> for creating API objects. */
+ private SPSSFactory factory = SPSSFactory.getInstance();
+ /** The elements to add to the response. */
+ private List responseElements = new ArrayList();
+
+ /**
+ * Get the <code>CreateCMSSignatureResponse</code> built so far.
+ *
+ * @return The <code>CreateCMSSignatureResponse</code> built so far.
+ */
+ public CreateCMSSignatureResponse getResponse() {
+ return factory.createCreateCMSSignatureResponse(responseElements);
+ }
+
+ /**
+ * Add a <code>SignatureEnvironment</code> element to the response.
+ *
+ * @param signatureEnvironment The content to put under the
+ * <code>SignatureEnvironment</code> element. This should either be a
+ * <code>dsig:Signature</code> element (in case of a detached signature) or
+ * the signature environment containing the signature (in case of
+ * an enveloping signature).
+ */
+ public void addCMSSignature(String base64value) {
+ CMSSignatureResponse responseElement =
+ factory.createCMSSignatureResponse(base64value);
+ responseElements.add(responseElement);
+ }
+
+ /**
+ * Add a <code>ErrorResponse</code> element to the response.
+ *
+ * @param errorCode The error code.
+ * @param info Additional information about the error.
+ */
+ public void addError(String errorCode, String info) {
+ ErrorResponse errorResponse =
+ factory.createErrorResponse(Integer.parseInt(errorCode), info);
+ responseElements.add(errorResponse);
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java
index 869cfefa1..1136ff2f8 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java
@@ -24,8 +24,8 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import iaik.IAIKException;
-import iaik.IAIKRuntimeException;
+import iaik.server.modules.IAIKException;
+import iaik.server.modules.IAIKRuntimeException;
import java.lang.reflect.Constructor;
import java.util.HashMap;
@@ -51,8 +51,8 @@ public class IaikExceptionMapper {
/** The exception mapping, as an array. */
private static final Object[][] MESSAGES =
{
- { iaik.IAIKException.class, "9900", MOASystemException.class },
- { iaik.IAIKRuntimeException.class, "9901", MOASystemException.class },
+ { iaik.server.modules.IAIKException.class, "9900", MOASystemException.class },
+ { iaik.server.modules.IAIKRuntimeException.class, "9901", MOASystemException.class },
{ iaik.server.modules.xmlsign.XMLSignatureCreationException.class, "2220", MOAApplicationException.class },
{ iaik.server.modules.xmlsign.XMLSignatureCreationRuntimeException.class, "2220", MOAApplicationException.class },
{ iaik.server.modules.xmlsign.InvalidKeyException.class, "2221", MOAApplicationException.class },
@@ -85,7 +85,8 @@ public class IaikExceptionMapper {
{ iaik.server.modules.xmlverify.TransformationException.class, "2265", MOAApplicationException.class },
{ iaik.server.modules.xmlverify.TransformationParsingException.class, "2269", MOAApplicationException.class },
{ iaik.xml.crypto.tsl.ex.TSLEngineDiedException.class, "2290", MOAApplicationException.class },
- { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class }
+ { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class } ,
+ { iaik.server.modules.cmssign.CMSSignatureCreationException.class, "2300", MOAApplicationException.class } ,
};
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
index 3b82c6caf..1ea10cb4e 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
@@ -73,13 +73,15 @@ public class VerifyCMSSignatureResponseBuilder {
* @param trustprofile The actual trustprofile
* @param checkQCFromTSL <code>true</code>, if the TSL check verifies the
* certificate as qualified, otherwise <code>false</code>.
- * @param checkSSCDFromTSL <code>true</code>, if the TSL check verifies the
+ * @param checkSSCD <code>true</code>, if the TSL check verifies the
* signature based on a SSDC, otherwise <code>false</code>.
+ * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,
+ * otherwise <code>false</code>.
* @throws MOAException
*/
- public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQCFromTSL, boolean checkSSCDFromTSL)
+ public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode)
throws MOAException {
-
+
CertificateValidationResult certResult =
result.getCertificateValidationResult();
int signatureCheckCode =
@@ -90,28 +92,20 @@ public class VerifyCMSSignatureResponseBuilder {
SignerInfo signerInfo;
CheckResult signatureCheck;
CheckResult certificateCheck;
-
-
- boolean qualifiedCertificate = false;
-
- // verify qualified certificate checks (certificate or TSL)
- if (trustProfile.isTSLEnabled()) {
- // take TSL result
- qualifiedCertificate = checkQCFromTSL;
- }
- else {
- // take result from certificate
- qualifiedCertificate = certResult.isQualifiedCertificate();
- }
+
+ boolean qualifiedCertificate = checkQC;
// add SignerInfo element
signerInfo =
factory.createSignerInfo(
(X509Certificate) certResult.getCertificateChain().get(0),
qualifiedCertificate,
+ qcSourceTSL,
certResult.isPublicAuthorityCertificate(),
certResult.getPublicAuthorityID(),
- checkSSCDFromTSL);
+ checkSSCD,
+ sscdSourceTSL,
+ issuerCountryCode);
// add SignatureCheck element
signatureCheck = factory.createCheckResult(signatureCheckCode, null);
@@ -119,9 +113,6 @@ public class VerifyCMSSignatureResponseBuilder {
// add CertificateCheck element
certificateCheck = factory.createCheckResult(certificateCheckCode, null);
-
-
-
// build the response element
responseElement =
factory.createVerifyCMSSignatureResponseElement(
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
index 755ca82b6..193495171 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
@@ -125,10 +125,12 @@ public class VerifyXMLSignatureResponseBuilder {
* @param transformsSignatureManifestCheck The overall result for the signature
* manifest check.
* @param certificateCheck The overall result for the certificate check.
- * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the
- * certificate as qualified, otherwise <code>false</code>.
- * @param checkSSCDFromTSL <code>true</code>, if the TSL check verifies the
- * signature based on a SSDC, otherwise <code>false</code>.
+ * @param checkQC <code>true</code>, if the certificate is QC, otherwise <code>false</code>.
+ * @param qcSourceTSL <code>true</code>, if the QC information comes from the TSL,
+ * otherwise <code>false</code>.
+ * @param checkSSCD <code>true</code>, if the signature is created by an SSCD, otherwise <code>false</code>.
+ * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,
+ * otherwise <code>false</code>.
* @throws MOAApplicationException An error occurred adding the result.
*/
public void setResult(
@@ -136,9 +138,12 @@ public class VerifyXMLSignatureResponseBuilder {
XMLSignatureVerificationProfile profile,
ReferencesCheckResult transformsSignatureManifestCheck,
CheckResult certificateCheck,
- boolean checkQCFromTSL,
- boolean checkSSCDFromTSL,
- boolean isTSLEnabledTrustprofile)
+ boolean checkQC,
+ boolean qcSourceTSL,
+ boolean checkSSCD,
+ boolean sscdSourceTSL,
+ boolean isTSLEnabledTrustprofile,
+ String issuerCountryCode)
throws MOAApplicationException {
CertificateValidationResult certResult =
@@ -152,24 +157,19 @@ public class VerifyXMLSignatureResponseBuilder {
boolean qualifiedCertificate = false;
- // verify qualified certificate checks (certificate or TSL)
- if (isTSLEnabledTrustprofile) {
- // take TSL result
- qualifiedCertificate = checkQCFromTSL;
- }
- else {
- // take result from certificate
- qualifiedCertificate = certResult.isQualifiedCertificate();
- }
+ qualifiedCertificate = checkQC;
// create the SignerInfo;
signerInfo =
factory.createSignerInfo(
(X509Certificate) certResult.getCertificateChain().get(0),
qualifiedCertificate,
+ qcSourceTSL,
certResult.isPublicAuthorityCertificate(),
certResult.getPublicAuthorityID(),
- checkSSCDFromTSL);
+ checkSSCD,
+ sscdSourceTSL,
+ issuerCountryCode);
// Create HashInputData Content objects
referenceDataList = result.getReferenceDataList();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java
index 759af813c..7debb7b3a 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java
@@ -24,8 +24,8 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import iaik.IAIKException;
-import iaik.IAIKRuntimeException;
+import iaik.server.modules.IAIKException;
+import iaik.server.modules.IAIKRuntimeException;
import iaik.server.modules.xml.DataObject;
import iaik.server.modules.xml.XMLDataObject;
import iaik.server.modules.xml.XMLSignature;
@@ -243,14 +243,31 @@ public class XMLSignatureCreationInvoker {
}
try {
- // create the signature
- signature =
- module.createSignature(
- dataObjectList,
- profile,
- additionalSignedProperties,
- signatureParent,
- new TransactionId(context.getTransactionID()));
+ ConfigurationProvider config = context.getConfiguration();
+ String xadesVersion = config.getXAdESVersion();
+
+ if (xadesVersion!= null && xadesVersion.compareTo(XMLSignatureCreationModule.XADES_VERSION_1_4_2) == 0) {
+ // create the signature (XAdES 1.4.2)
+ signature =
+ module.createSignature(
+ dataObjectList,
+ profile,
+ additionalSignedProperties,
+ signatureParent,
+ XMLSignatureCreationModule.XADES_VERSION_1_4_2,
+ new TransactionId(context.getTransactionID()));
+ }
+ else {
+ // create the signature (XAdES 1.1.1 = default)
+ signature =
+ module.createSignature(
+ dataObjectList,
+ profile,
+ additionalSignedProperties,
+ signatureParent,
+ XMLSignatureCreationModule.XADES_VERSION_1_1_1,
+ new TransactionId(context.getTransactionID()));
+ }
// insert the result into the response
if (signatureParent != null) {
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
index 5c4a2c76a..d1281c1f1 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;
import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo;
import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.server.config.KeyGroup;
import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry;
import at.gv.egovernment.moa.spss.server.iaik.xml.CanonicalizationImpl;
import at.gv.egovernment.moa.spss.server.iaik.xmlsign.DataObjectTreatmentImpl;
@@ -83,6 +84,9 @@ public class XMLSignatureCreationProfileFactory {
static {
HASH_ALGORITHM_MAPPING = new HashMap();
HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512);
}
/** The <code>CreateXMLSignatureRequest</code> for which to create the
@@ -129,18 +133,62 @@ public class XMLSignatureCreationProfileFactory {
HashSet allReservedIDs = new HashSet(reserved);
allReservedIDs.addAll(sigInfoReservedIDs);
- XMLSignatureCreationProfileImpl profile =
- new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs);
TransactionContext context =
TransactionContextManager.getInstance().getTransactionContext();
ConfigurationProvider config = context.getConfiguration();
CanonicalizationImpl canonicalization;
List dataObjectTreatmentList;
- String keyGroupID;
Set keySet;
List transformationSupplements;
List createTransformsProfiles;
+ // get the key group id
+ String keyGroupID = request.getKeyIdentifier();
+ // get digest method on key group level (if configured)
+ String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm();
+ // get default digest method (if configured)
+ String configDigestMethod = config.getDigestMethodAlgorithmName();
+
+ String xadesVersion = config.getXAdESVersion();
+
+ String digestMethodXAdES142 = null;
+ boolean isXAdES142 = false;
+ // if XAdES Version 1.4.2 is configured
+ if (xadesVersion != null && xadesVersion.compareTo("1.4.2") == 0) {
+ isXAdES142 = true;
+ Logger.debug("XAdES version '" + xadesVersion + "' used");
+ }
+
+ if (isXAdES142) {
+ if (configDigestMethodKG != null) {
+ // if KG specific digest method is configured
+ digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG);
+ if (digestMethodXAdES142 == null) {
+ error(
+ "config.17",
+ new Object[] { configDigestMethodKG});
+ throw new MOASystemException("2900", null);
+ }
+ Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(configured in KeyGroup)");
+ }
+ else {
+ // else get default configured digest method
+ digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod);
+ if (digestMethodXAdES142 == null) {
+ error(
+ "config.17",
+ new Object[] { configDigestMethod});
+ throw new MOASystemException("2900", null);
+ }
+ Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(default)");
+
+ }
+ }
+
+ XMLSignatureCreationProfileImpl profile =
+ new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142);
+
+
// build the transformation supplements
createTransformsProfiles =
getCreateTransformsInfoProfiles(singleSignatureInfo);
@@ -153,11 +201,11 @@ public class XMLSignatureCreationProfileFactory {
singleSignatureInfo,
createTransformsProfiles,
transformationSupplements,
- allReservedIDs);
+ allReservedIDs,
+ digestMethodXAdES142);
profile.setDataObjectTreatmentList(dataObjectTreatmentList);
// set the key set
- keyGroupID = request.getKeyIdentifier();
keySet = buildKeySet(keyGroupID);
if (keySet == null) {
throw new MOAApplicationException("2231", null);
@@ -184,7 +232,7 @@ public class XMLSignatureCreationProfileFactory {
canonicalization =
new CanonicalizationImpl(config.getCanonicalizationAlgorithmName());
profile.setSignedInfoCanonicalization(canonicalization);
-
+
// set the signed properties
profile.setSignedProperties(Collections.EMPTY_LIST);
@@ -299,7 +347,8 @@ public class XMLSignatureCreationProfileFactory {
SingleSignatureInfo singleSignatureInfo,
List createTransformsInfoProfiles,
List transformationSupplements,
- Set reservedIDs)
+ Set reservedIDs,
+ String digestMethodXAdES142)
throws MOASystemException, MOAApplicationException {
TransactionContext context =
@@ -329,15 +378,25 @@ public class XMLSignatureCreationProfileFactory {
treatment.setTransformationList(buildTransformationList(profile));
treatment.setReferenceInManifest(dataObjInfo.isChildOfManifest());
- hashAlgorithmName =
- (String) HASH_ALGORITHM_MAPPING.get(
- config.getDigestMethodAlgorithmName());
- if (hashAlgorithmName == null) {
- error(
- "config.17",
- new Object[] { config.getDigestMethodAlgorithmName()});
- throw new MOASystemException("2900", null);
+ // if XAdES version is 1.4.2
+ if (digestMethodXAdES142 != null) {
+ // use configured digest algorithm
+ hashAlgorithmName = digestMethodXAdES142;
+ }
+ else {
+ // stay as it is
+ hashAlgorithmName = (String) HASH_ALGORITHM_MAPPING.get(
+ config.getDigestMethodAlgorithmName());
+ if (hashAlgorithmName == null) {
+ error(
+ "config.17",
+ new Object[] { config.getDigestMethodAlgorithmName()});
+ throw new MOASystemException("2900", null);
+ }
}
+
+
+
treatment.setHashAlgorithmName(hashAlgorithmName);
treatment.setIncludedInSignature(
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index 8a5b6f5b7..c90bc534a 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -24,10 +24,10 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import iaik.IAIKException;
-import iaik.IAIKRuntimeException;
import iaik.ixsil.exceptions.URIException;
import iaik.ixsil.util.URI;
+import iaik.server.modules.IAIKException;
+import iaik.server.modules.IAIKRuntimeException;
import iaik.server.modules.xml.DataObject;
import iaik.server.modules.xml.XMLDataObject;
import iaik.server.modules.xml.XMLSignature;
@@ -40,8 +40,6 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory;
import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile;
import iaik.server.modules.xmlverify.XMLSignatureVerificationResult;
import iaik.x509.X509Certificate;
-import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
-import iaik.xml.crypto.tsl.ex.TSLSearchException;
import java.io.File;
import java.io.FileInputStream;
@@ -87,8 +85,9 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog;
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
-import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+import at.gv.egovernment.moa.spss.util.CertificateUtils;
import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.spss.util.QCSSCDResult;
import at.gv.egovernment.moa.util.CollectionUtils;
import at.gv.egovernment.moa.util.Constants;
@@ -208,9 +207,7 @@ public class XMLSignatureVerificationInvoker {
requestElement);
}
- boolean checkQCFromTSL = false;
- boolean checkSSCDFromTSL = false;
-
+ QCSSCDResult qcsscdresult = new QCSSCDResult();
String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId();
ConfigurationProvider config = ConfigurationProvider.getInstance();
TrustProfile tp = config.getTrustProfile(tpID);
@@ -236,33 +233,27 @@ public class XMLSignatureVerificationInvoker {
MOAException moaException = IaikExceptionMapper.getInstance().map(e);
throw moaException;
}
- try {
- if (tp.isTSLEnabled()) {
- List list = result.getCertificateValidationResult().getCertificateChain();
- if (list != null) {
- X509Certificate[] chain = new X509Certificate[list.size()];
-
-
- Iterator it = list.iterator();
- int i = 0;
- while(it.hasNext()) {
- chain[i] = (X509Certificate)it.next();
- i++;
- }
-
- checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
- checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
+
+
+ // QC/SSCD check
+ List list = result.getCertificateValidationResult().getCertificateChain();
+ if (list != null) {
+ X509Certificate[] chain = new X509Certificate[list.size()];
+
+ Iterator it = list.iterator();
+ int i = 0;
+ while(it.hasNext()) {
+ chain[i] = (X509Certificate)it.next();
+ i++;
}
- }
+
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled());
}
- catch (TSLEngineDiedException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- } catch (TSLSearchException e) {
- MessageProvider msg = MessageProvider.getInstance();
- Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
- }
+
+ // get signer certificate issuer country code
+ String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));
+
// swap back in the request as root document
if (requestElement != signatureEnvironment.getElement()) {
requestElement.getOwnerDocument().replaceChild(
@@ -278,10 +269,10 @@ public class XMLSignatureVerificationInvoker {
// Check if signer certificate is in trust profile's allowed signer certificates pool
TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());
CheckResult certificateCheck = validateSignerCertificate(result, trustProfile);
-
- // build the response
- responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQCFromTSL, checkSSCDFromTSL, tp.isTSLEnabled());
+
+ // build the response
+ responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode);
return responseBuilder.getResponse();
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
index 6bf2317b4..591e26ac2 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
@@ -393,6 +393,7 @@ public class AxisHandler extends BasicHandler {
try {
String filename = MOA_SPSS_WSDL_RESOURCE_;
+
File file = new File(filename);
if (file.exists()) {
//if this resolves to a file, load it
@@ -400,7 +401,7 @@ public class AxisHandler extends BasicHandler {
} else {
//else load a named resource in our classloader.
instream = this.getClass().getResourceAsStream(filename);
- if (instream == null) {
+ if (instream == null) {
String errorText = Messages.getMessage("wsdlFileMissing", filename);
throw new AxisFault(errorText);
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
index 7a7bb88bb..e5b12bd8c 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
@@ -35,10 +35,15 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.spss.MOAException;
import at.gv.egovernment.moa.spss.MOASystemException;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureRequestParser;
+import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureResponseBuilder;
import at.gv.egovernment.moa.spss.api.xmlbind.CreateXMLSignatureRequestParser;
import at.gv.egovernment.moa.spss.api.xmlbind.CreateXMLSignatureResponseBuilder;
import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;
import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureCreationInvoker;
import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureCreationInvoker;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -52,6 +57,89 @@ import at.gv.egovernment.moa.util.StreamUtils;
* @version $Id$
*/
public class SignatureCreationService {
+
+ /**
+ * Handle a <code>CreateXMLSignatureRequest</code>.
+ *
+ * @param request The <code>CreateXMLSignatureRequest</code> to work on
+ * (contained in the 0th element of the array).
+ * @return A <code>CreateXMLSignatureResponse</code> as the only element of
+ * the <code>Element</code> array.
+ * @throws AxisFault An error occurred during handling of the message.
+ */
+ public Element[] CreateCMSSignatureRequest(Element[] request)
+ throws AxisFault {
+ Logger.trace("---- Entering SignatureCreationService");
+ CMSSignatureCreationInvoker invoker =
+ CMSSignatureCreationInvoker.getInstance();
+ Element[] response = new Element[1];
+
+ // check that we have a CreateXMLSignatureRequest; if not, create an
+ // AxisFault, just like the org.apache.axis.providers.java.MsgProvider
+ if (!Constants.MOA_SPSS_CREATE_CMS_REQUEST.equals(request[0].getLocalName()) ||
+ !Constants.MOA_NS_URI.equals(request[0].getNamespaceURI()))
+ {
+ QName qname =
+ new QName(request[0].getNamespaceURI(), request[0].getLocalName());
+ throw new AxisFault(
+ Messages.getMessage("noOperationForQName", qname.toString())); // TODO GK Operation name does not make it into the error repsonse
+ }
+
+ // handle the request
+ try {
+
+ // create a parser and builder for binding API objects to/from XML
+ CreateCMSSignatureRequestParser requestParser =
+ new CreateCMSSignatureRequestParser();
+ CreateCMSSignatureResponseBuilder responseBuilder =
+ new CreateCMSSignatureResponseBuilder();
+ Element reparsedReq;
+ CreateCMSSignatureRequest requestObj;
+ CreateCMSSignatureResponse responseObj;
+
+ //since Axis (1.1 ff) has problem with namespaces we take the raw request stored by the Axishandler.
+ TransactionContext context = TransactionContextManager.getInstance().getTransactionContext();
+
+ // validate the request
+ reparsedReq = ServiceUtils.reparseRequest(request[0]);//context.getRequest());
+
+ // convert to API objects
+ Logger.trace(">>> preparsing Request");
+ requestObj = requestParser.parse(reparsedReq);
+ Logger.trace("<<< preparsed Request");
+
+ Logger.trace(">>> creating Signature");
+ // invoke the core logic
+ responseObj = invoker.createCMSSignature(requestObj, Collections.EMPTY_SET);
+ Logger.trace("<<< created Signature");
+
+ Logger.trace(">>> building Response");
+ // map back to XML
+ response[0] = responseBuilder.build(responseObj).getDocumentElement();
+ Logger.trace("<<< built Response");
+
+ // save response in transaction
+ context.setResponse(response[0]);
+ Logger.trace("---- Leaving SignatureCreationService");
+
+
+ } catch (MOAException e) {
+ AxisFault fault = AxisFault.makeFault(e);
+ fault.setFaultDetail(new Element[] { e.toErrorResponse()});
+ Logger.debug("Anfrage zur Signaturerstellung wurde nicht erfolgreich beendet:"
+ + System.getProperty("line.separator") + StreamUtils.getStackTraceAsString(e));
+ throw fault;
+ } catch (Throwable t) {
+ MOASystemException e = new MOASystemException("2900", null, t);
+ AxisFault fault = AxisFault.makeFault(e);
+ fault.setFaultDetail(new Element[] { e.toErrorResponse()});
+ Logger.debug("Anfrage zur Signaturerstellung wurde nicht erfolgreich beendet:"
+ + System.getProperty("line.separator") + StreamUtils.getStackTraceAsString(e));
+ throw fault;
+ }
+
+ return response;
+ }
/**
* Handle a <code>CreateXMLSignatureRequest</code>.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
index 2e4af2817..07da0a998 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
@@ -83,28 +83,277 @@ public class TSLConnector implements TSLConnectorInterface {
return updateAndGetQualifiedCACertificates(dateTime, null, serviceLevelStatus);
}
+ public void updateTSLs(Date dateTime,
+ String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
+
+ if (Configurator.is_isInitialised() == false)
+ new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ updateTSLs(dateTime, null, serviceLevelStatus);
+ }
+
public ArrayList<File> updateAndGetQualifiedCACertificates(Date dateTime,
String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
if (Configurator.is_isInitialised() == false)
new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("hashcachedir: " + hashcachedir);
+// if (hashcachedir==null)
+// hashcachedir = DEFAULT_HASHCACHE_DIR;
+
+// File hashcachefile = new File(hashcachedir);
+// File[] filelist = hashcachefile.listFiles();
+// if (filelist != null) {
+// for (File f : filelist)
+// f.delete();
+// }
- //TODO: clean hascash and TLS Download folder
- String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+ File tsldownloadfile = new File(tsldownloaddir);
+ if (!tsldownloadfile.exists()) {
+ tsldownloadfile.mkdir();
+ }
+ File[] tslfilelist = tsldownloadfile.listFiles();
+ if (tslfilelist != null) {
+ for (File f : tslfilelist)
+ f.delete();
+ }
- if (hashcachedir==null)
- hashcachedir = DEFAULT_HASHCACHE_DIR;
-
- String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+ //create sqlLite database
+ File dbFile = new File(Configurator.get_TempdbFile());
+ try {
+ dbFile.delete();
+ dbFile.createNewFile();
+ } catch (IOException e) {
+ throw new TSLEngineDiedException("Could not create temporary data base file", e);
+ }
+
+ //the TSL library uses the iaik.util.logging environment.
+ //iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.WARN);
+ iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF);
+
+ log.info("Starting EU TSL import.");
+
+ // Certificates in Germany, Estonia, Greece, Cyprus,
+ // Lithuainia, Hungary, Poland, Finland, Norway use SURNAME
+ log.debug("### SURNAME registered as " + ObjectID.surName + " ###");
+ RFC2253NameParser.register("SURNAME", ObjectID.surName);
+
+ XSecProvider.addAsProvider(false);
+
+ TSLEngine tslEngine;
+ TslSqlConnectionWrapper connection = null;
+
+ try {
+ // register the Https JSSE Wrapper
+ TLS.register();
+ log.trace("### Https JSSE Wrapper registered ###");
+
+
+ log.debug("### Connect to Database.###");
+ connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
+
+ log.trace("### Connected ###");
+
+ // empty the database and recreate the tables
+ tslEngine = new TSLEngine(dbFile, Configurator.get_TSLWorkingDirectoryPath(),
+ connection, true, true);
+
+ } catch (TSLEngineFatalException e1) {
+ throw new TSLEngineDiedException(e1);
+
+ }
+
+ // H.2.2.1 Same-scheme searching
+ // H.2.2.2 Known scheme searching
+ // H.2.2.3 "Blind" (unknown) scheme searching
+ Number tId = null;
+ Countries euTerritory = Countries.EU;
+ TSLImportContext topLevelTslContext = new TSLEUImportFromFileContext(
+ euTerritory, Configurator.get_euTSLURL(), Configurator.get_TSLWorkingDirectoryPath(),
+ Configurator.is_sqlMultithreaded(),
+ Configurator.is_throwExceptions(), Configurator.is_logExceptions(),
+ Configurator.is_throwWarnings(), Configurator.is_logWarnings(),
+ Configurator.is_nullRedundancies());
+
+ TSLEngineEU tslengineEU;
+ try {
+ tslengineEU = tslEngine.new TSLEngineEU();
+
+ } catch (TSLEngineFatalException e1) {
+ throw new TSLEngineDiedException(e1);
+ }
+
+ // establish EU TSL trust anchor
+ ListIterator<java.security.cert.X509Certificate> expectedEuTslSignerCerts =
+ tslEngine.loadCertificatesFromResource(
+ Configurator.get_euTrustAnchorsPath(), topLevelTslContext);
+
+ log.debug("Process EU TSL");
+ // process the EU TSL to receive the pointers to the other TSLs
+ // and the trust anchors for the TSL signers
+ Set<Entry<Number, LocationAndCertHash>> pointersToMsTSLs = null;
- File hashcachefile = new File(hashcachedir);
+ try {
+
+ tId = tslengineEU.processEUTSL(topLevelTslContext, expectedEuTslSignerCerts);
+ log.info("Process EU TSL finished");
+
+ log.debug(Thread.currentThread() + " waiting for other threads ...");
+
+ topLevelTslContext.waitForAllOtherThreads();
+ log.debug(Thread.currentThread()
+ + " reactivated after other threads finished ...");
+
+
+ // get the TSLs pointed from the EU TSL
+ LinkedHashMap<Number, LocationAndCertHash> tslMap = tslengineEU
+ .getOtherTslMap(tId, topLevelTslContext);
+
+ pointersToMsTSLs = tslMap.entrySet();
+
+ //set Errors and Warrnings
+
+ } catch (TSLEngineFatalRuntimeException e) {
+ throw new TSLEngineDiedException(topLevelTslContext.dumpFatals());
+
+ } catch (TSLTransactionFailedRuntimeException e) {
+ throw new TSLEngineDiedException(topLevelTslContext.dumpTransactionFaliures());
+ }
+
+ //Backup implementation if the EU TSL includes a false signer certificate
+ // establish additional trust anchors for member states
+// Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {
+// Countries.CZ,
+// Countries.LU,
+// Countries.ES,
+// Countries.AT,
+// };
+ Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {};
+
+ Map<Countries, java.util.ListIterator<java.security.cert.X509Certificate>>
+ trustAnchorsWrongOnEuTsl = loadCertificatesFromResource(
+ Configurator.get_msTrustAnchorsPath(), tslEngine, topLevelTslContext,
+ countriesWithPotentiallyWrongCertsOnEuTsl);
+
+ log.info("Starting EU member TSL import.");
+
+ for (Entry<Number, LocationAndCertHash> entry : pointersToMsTSLs) {
+
+ TSLImportContext msTslContext;
+
+ Countries expectedTerritory = entry.getValue().getSchemeTerritory();
+ try {
+
+// if (expectedTerritory.equals("RO"))
+// System.out.println("Stop");
+ Number otpId = entry.getKey();
+ LocationAndCertHash lac = entry.getValue();
+
+ URL uriReference = null;
+ try {
+ uriReference = new URL(lac.getUrl());
+
+ } catch (MalformedURLException e) {
+ log.warn("Could not process: " + uriReference, e);
+ continue;
+ }
+
+ String baseURI = uriReference == null ? "" : "" + uriReference;
+
+ msTslContext = new TSLImportFromFileContext(
+ expectedTerritory, uriReference, otpId, Configurator.get_TSLWorkingDirectoryPath(),
+ Configurator.is_sqlMultithreaded(),
+ Configurator.is_throwExceptions(), Configurator.is_logExceptions(),
+ Configurator.is_throwWarnings(), Configurator.is_logWarnings(),
+ Configurator.is_nullRedundancies(), baseURI, trustAnchorsWrongOnEuTsl,
+ topLevelTslContext);
+
+ ListIterator<X509Certificate> expectedTslSignerCerts = null;
+ expectedTslSignerCerts = tslEngine.getCertificates(lac, msTslContext);
+
+ if (expectedTslSignerCerts == null) {
+
+ // no signer certificate on the EU TSL
+ // ignore this msTSL and log a warning
+ log.warn("NO signer certificate found on EU TSL! "
+ + lac.getSchemeTerritory() + "TSL ignored.");
+
+ }
+ else {
+ tslEngine.processMSTSL(topLevelTslContext, msTslContext, expectedTslSignerCerts);
+ }
+
+ } catch (TSLExceptionB e) {
+ log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
+ + " TSL ignored.");
+ log.debug("Failed to process TSL. " + entry, e);
+ continue;
+ } catch (TSLRuntimeException e) {
+ log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
+ + " TSL ignored.");
+ log.debug("Failed to process TSL. " + entry, e);
+ continue;
+ }
+ }
+
+ log.debug(Thread.currentThread() + " waiting for other threads ...");
+ topLevelTslContext.waitForAllOtherThreads();
+
+ log.debug(_.dumpAllThreads());
+ log.debug(Thread.currentThread() + " reactivated after other threads finished ...");
+
+ connection = null;
+ try {
+ connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
+ tslEngine.recreateTablesInvalidatedByImport(connection);
- File[] filelist = hashcachefile.listFiles();
- if (filelist != null) {
- for (File f : filelist)
- f.delete();
+
+ //TODO: implement database copy operation!
+ File working_database = new File(Configurator.get_dbFile());
+ working_database.delete();
+ copy(dbFile, working_database);
+
+
+ } catch (TSLEngineFatalException e) {
+ throw new TSLEngineDiedException(e);
+
+ } finally {
+ try {
+ connection.closeConnection();
+
+ } catch (TSLEngineFatalException e) {
+ throw new TSLEngineDiedException(e);
+
+ }
}
+
+ return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
+ }
+
+ public void updateTSLs(Date dateTime,
+ String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
+
+ if (Configurator.is_isInitialised() == false)
+ new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("hashcachedir: " + hashcachedir);
+// if (hashcachedir==null)
+// hashcachedir = DEFAULT_HASHCACHE_DIR;
+
+// File hashcachefile = new File(hashcachedir);
+// File[] filelist = hashcachefile.listFiles();
+// if (filelist != null) {
+// for (File f : filelist)
+// f.delete();
+// }
File tsldownloadfile = new File(tsldownloaddir);
if (!tsldownloadfile.exists()) {
@@ -326,7 +575,7 @@ public class TSLConnector implements TSLConnectorInterface {
}
}
- return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
+ //return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
}
public ArrayList<File> getQualifiedCACertificates(Date dateTime,
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
index c365a1121..0cb18a08e 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
@@ -39,6 +39,8 @@ import at.gv.egovernment.moa.util.StringUtils;
public class TSLUpdaterTimerTask extends TimerTask {
public static TSLConnector tslconnector_;
+
+ public static ConfigurationData configData_ = null;
@Override
public void run() {
@@ -48,10 +50,6 @@ public class TSLUpdaterTimerTask extends TimerTask {
} catch (TSLEngineDiedException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
-
- // TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur
- // Verfügung stehen?
-
} catch (TSLSearchException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
@@ -67,100 +65,138 @@ public class TSLUpdaterTimerTask extends TimerTask {
} catch (TrustStoreException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (CertificateException e) {
+ } catch (FileNotFoundException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (FileNotFoundException e) {
+ } catch (IOException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (IOException e) {
+ } catch (CertificateException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
}
}
- public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException {
+ public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, IOException {
MessageProvider msg = MessageProvider.getInstance();
- //get TSl configuration
- ConfigurationProvider config = ConfigurationProvider.getInstance();
- ConfigurationData configData = new IaikConfigurator().configure(config);
- TSLConfiguration tslconfig = config.getTSLConfiguration();
- if (tslconfig != null) {
-
- Logger.info(new LogMsg(msg.getMessage("config.42", null)));
+ //TrustProfile tp = null;
+ TrustStoreProfile tsp = null;
+ StoreUpdater storeUpdater = null;
+ TransactionId tid = null;
+
+ //get TSl configuration
+ ConfigurationProvider config = ConfigurationProvider.getInstance();
+ if (configData_ == null)
+ configData_ = new IaikConfigurator().configure(config);
- // get certstore parameters
- CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters();
+ TSLConfiguration tslconfig = config.getTSLConfiguration();
+ if (tslconfig != null) {
- // iterate over all truststores
- Map mapTrustProfiles = config.getTrustProfiles();
- Iterator it = mapTrustProfiles.entrySet().iterator();
- while (it.hasNext()) {
- Map.Entry pairs = (Map.Entry)it.next();
- TrustProfile tp = (TrustProfile) pairs.getValue();
- if (tp.isTSLEnabled()) {
- TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId());
- TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
- trustStoreProfiles[0] = tsp;
-
- Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
-
- TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId());
- ArrayList tsl_certs = null;
- if (StringUtils.isEmpty(tp.getCountries())) {
- Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
-
- // get certificates from TSL from all countries
- tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
- }
- else {
- Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
- // get selected countries as array
- String countries = tp.getCountries();
- String[] array = countries.split(",");
- for (int i = 0; i < array.length; i++)
- array[i] = array[i].trim();
-
- // get certificates from TSL from given countries
- tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
- }
+ tslconnector_.updateTSLs(new Date(), new String[]{"accredited","undersupervision"});
+
+ Logger.info(new LogMsg(msg.getMessage("config.42", null)));
+
+ // get certstore parameters
+ CertStoreParameters[] certStoreParameters = configData_.getPKIConfiguration().getCertStoreConfiguration().getParameters();
- // create store updater for each TSL enabled truststore
- Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
- StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
-
- // convert ArrayList<File> to X509Certificate[]
- X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()];
- Iterator itcert = tsl_certs.iterator();
- int i = 0;
- while(itcert.hasNext()) {
- File f = (File)itcert.next();
- X509Certificate cert = new X509Certificate(new FileInputStream(f));
- addCertificates[i] = cert;
+ // iterate over all truststores
+ Map mapTrustProfiles = config.getTrustProfiles();
+ Iterator it = mapTrustProfiles.entrySet().iterator();
+ while (it.hasNext()) {
+ Map.Entry pairs = (Map.Entry)it.next();
+ TrustProfile tp = (TrustProfile) pairs.getValue();
+ if (tp.isTSLEnabled()) {
+ tsp = new TrustStoreProfileImpl(config, tp.getId());
+ TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
+ trustStoreProfiles[0] = tsp;
- i++;
+ Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
+
+ tid = new TransactionId("TSLConfigurator-" + tp.getId());
+ ArrayList tsl_certs = null;
+ if (StringUtils.isEmpty(tp.getCountries())) {
+ Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
+
+ // get certificates from TSL from all countries
+ tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
+ }
+ else {
+ Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
+ // get selected countries as array
+ String countries = tp.getCountries();
+ String[] array = countries.split(",");
+ for (int i = 0; i < array.length; i++)
+ array[i] = array[i].trim();
+
+ // get certificates from TSL from given countries
+ tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
+ }
+
+ // create store updater for each TSL enabled truststore
+ Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
+ storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
+
+ // delete files in trustprofile
+
+ File ftp = new File(tp.getUri());
+ File[] files = ftp.listFiles();
+ X509Certificate[] removeCertificates = new X509Certificate[files.length];
+ int i = 0;
+ for (File file : files) {
+ FileInputStream fis = new FileInputStream(file);
+ removeCertificates[i] = new X509Certificate(fis);
+ i++;
+ fis.close();
+ //file.delete();
+ }
+
+ // remove all certificates
+ storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
+ storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid);
+
+
+ // copy files from original trustAnchorsLocURI into tslworking trust profile
+ File src = new File(tp.getUriOrig());
+ files = src.listFiles();
+ X509Certificate[] addCertificates = new X509Certificate[files.length];
+ i = 0;
+ for (File file : files) {
+ FileInputStream fis = new FileInputStream(file);
+ addCertificates[i] = new X509Certificate(fis);
+ //FileUtils.copyFile(file, new File(tp.getUri(), file.getName()));
+ i++;
+ fis.close();
+ }
+
+ // convert ArrayList<File> to X509Certificate[]
+ X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
+ Iterator itcert = tsl_certs.iterator();
+ i = 0;
+ File f = null;
+ while(itcert.hasNext()) {
+ f = (File)itcert.next();
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = new X509Certificate(fis);
+ addCertificatesTSL[i] = cert;
+
+ i++;
+ fis.close();
+ }
+
+ Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
+
+ Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificates, tid);
+
+
}
-
- // get certificates to be removed
- X509Certificate[] removeCertificates = tp.getCertficatesToBeRemoved();
-
-
- //Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
- Logger.debug(new LogMsg("Remove " + removeCertificates.length + " certificates."));
- storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
-
-
- Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
- storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
-
- // set the certifcates to be removed for the next TSL update
- tp.setCertificatesToBeRemoved(addCertificates);
-
}
}
- }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
new file mode 100644
index 000000000..544ea916c
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -0,0 +1,286 @@
+package at.gv.egovernment.moa.spss.util;
+
+import iaik.asn1.ObjectID;
+import iaik.asn1.structures.Name;
+import iaik.asn1.structures.PolicyInformation;
+import iaik.utils.RFC2253NameParser;
+import iaik.utils.RFC2253NameParserException;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import iaik.x509.extensions.CertificatePolicies;
+import iaik.x509.extensions.qualified.QCStatements;
+import iaik.x509.extensions.qualified.structures.QCStatement;
+import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
+import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
+import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
+import iaik.xml.crypto.tsl.ex.TSLSearchException;
+
+import java.security.Principal;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+
+public class CertificateUtils {
+
+
+ /**
+ * Verifies if the given certificate contains QCP+ statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QCP+ statement, else false
+ */
+ private static boolean checkQCPPlus(X509Certificate cert) {
+ Logger.debug("Checking QCP+ extension");
+ String OID_QCPPlus = "0.4.0.1456.1.1";
+ try {
+ CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
+ if (certPol == null) {
+ Logger.debug("No CertificatePolicies extension found");
+ return false;
+ }
+
+ PolicyInformation[] polInfo = certPol.getPolicyInformation();
+ if (polInfo == null) {
+ Logger.debug("No policy information found");
+ return false;
+ }
+
+ for (int i = 0; i < polInfo.length; i++) {
+ ObjectID oid = polInfo[i].getPolicyIdentifier();
+ String oidStr = oid.getID();
+ if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) {
+ Logger.debug("QCP+ extension found");
+ return true;
+ }
+ }
+
+ Logger.debug("No QCP+ extension found");
+
+ return false;
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QCP+ extension found");
+
+ return false;
+ }
+
+ }
+
+ /**
+ * Verifies if the given certificate contains QCP statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QCP statement, else false
+ */
+ private static boolean checkQCP(X509Certificate cert) {
+ Logger.debug("Checking QCP extension");
+ String OID_QCP = "0.4.0.1456.1.2";
+ try {
+ CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
+ if (certPol == null) {
+ Logger.debug("No CertificatePolicies extension found");
+ return false;
+ }
+
+ PolicyInformation[] polInfo = certPol.getPolicyInformation();
+ if (polInfo == null) {
+ Logger.debug("No policy information found");
+ return false;
+ }
+
+ for (int i = 0; i < polInfo.length; i++) {
+ ObjectID oid = polInfo[i].getPolicyIdentifier();
+ String oidStr = oid.getID();
+ if (oidStr.compareToIgnoreCase(OID_QCP) == 0) {
+ Logger.debug("QCP extension found");
+ return true;
+ }
+
+ }
+
+ Logger.debug("No QCP extension found");
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QCP extension found");
+ return false;
+ }
+
+ }
+
+ /**
+ * Verifies if the given certificate contains QcEuCompliance statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QcEuCompliance statement, else false
+ */
+ private static boolean checkQcEuCompliance(X509Certificate cert) {
+ Logger.debug("Checking QcEUCompliance extension");
+ try {
+ QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
+
+ if (qcStatements == null) {
+ Logger.debug("No QcStatements extension found");
+ return false;
+ }
+
+ QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID);
+
+ if (qcEuCompliance != null) {
+ Logger.debug("QcEuCompliance extension found");
+ return true;
+ }
+
+ Logger.debug("No QcEuCompliance extension found");
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QcEuCompliance extension found");
+ return false;
+ }
+
+ }
+
+ /**
+ * Verifies if the given certificate contains QcEuSSCD statement
+ * @param cert X509Certificate
+ * @return true if the given certificate contains QcEuSSCD statement, else false
+ */
+ private static boolean checkQcEuSSCD(X509Certificate cert) {
+ Logger.debug("Checking QcEuSSCD extension");
+ try {
+ QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
+ if (qcStatements == null) {
+ Logger.debug("No QcStatements extension found");
+ return false;
+ }
+
+ QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID);
+
+ if (qcEuSSCD != null) {
+ Logger.debug("QcEuSSCD extension found");
+ return true;
+ }
+
+ Logger.debug("No QcEuSSCD extension found");
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ Logger.debug("No QcEuSSCD extension found");
+ return false;
+ }
+
+ }
+
+ public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) {
+
+ boolean qc = false;
+ boolean qcSourceTSL = false;
+ boolean sscd = false;
+ boolean sscdSourceTSL = false;
+
+ try {
+
+ if (isTSLenabledTrustprofile) {
+ // perform QC check via TSL
+ boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
+ if (!checkQCFromTSL) {
+ // if QC check via TSL returns false
+ // try certificate extensions QCP and QcEuCompliance
+ Logger.debug("QC check via TSL returned false - checking certificate extensions");
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+
+ if (checkQCP || checkQcEuCompliance) {
+ Logger.debug("Certificate is QC (Source: Certificate)");
+ qc = true;
+ }
+
+ qcSourceTSL = false;
+ }
+ else {
+ // use TSL result
+ Logger.debug("Certificate is QC (Source: TSL)");
+ qc = true;
+ qcSourceTSL = true;
+ }
+
+ // perform SSCD check via TSL
+ boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
+ if (!checkSSCDFromTSL) {
+ // if SSCD check via TSL returns false
+ // try certificate extensions QCP+ and QcEuSSCD
+ Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
+ boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+ boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+
+ if (checkQCPPlus || checkQcEuSSCD) {
+ Logger.debug("Certificate is SSCD (Source: Certificate)");
+ sscd = true;
+ }
+
+ sscdSourceTSL = false;
+ }
+ else {
+ // use TSL result
+ Logger.debug("Certificate is SSCD (Source: TSL)");
+ sscd = true;
+ sscdSourceTSL = true;
+ }
+
+ }
+ else {
+ // Trustprofile is not TSL enabled - use certificate extensions only
+
+ // perform QC check
+ // try certificate extensions QCP and QcEuCompliance
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+
+ if (checkQCP || checkQcEuCompliance)
+ qc = true;
+
+ qcSourceTSL = false;
+
+ // perform SSCD check
+ // try certificate extensions QCP+ and QcEuSSCD
+ boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+ boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+
+ if (checkQCPPlus || checkQcEuSSCD)
+ sscd = true;
+
+ sscdSourceTSL = false;
+ }
+ }
+ catch (TSLEngineDiedException e) {
+ MessageProvider msg = MessageProvider.getInstance();
+ Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+ } catch (TSLSearchException e) {
+ MessageProvider msg = MessageProvider.getInstance();
+ Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+ }
+
+ QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
+
+ return result;
+ }
+
+ /**
+ * Gets the country from the certificate issuer
+ * @param cert X509 certificate
+ * @return Country code from the certificate issuer
+ */
+ public static String getIssuerCountry(X509Certificate cert) {
+ String country = null;
+ Principal issuerdn = cert.getIssuerX500Principal();
+ RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName());
+
+ try {
+ Name name = nameParser.parse();
+ country = name.getRDN(ObjectID.country);
+ } catch (RFC2253NameParserException e) {
+ Logger.warn("Could not get country code from issuer.");
+ }
+
+
+ return country;
+ }
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
index dafb89f16..219bb7cdf 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -26,12 +26,14 @@ public class ExternalURIVerifier {
boolean allowExternalUris = config.getAllowExternalUris();
List blacklist = config.getBlackListedUris();
+ List whitelist = config.getWhiteListedUris();
InetAddress hostInetAddress = InetAddress.getByName(host);
String ip = hostInetAddress.getHostAddress();
if (allowExternalUris) {
+ // external URIs are allowed - check blacklist
Iterator it = blacklist.iterator();
while (it.hasNext()) {
String[] array = (String[])it.next();
@@ -55,9 +57,46 @@ public class ExternalURIVerifier {
}
}
}
- else {
- Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
- throw new MOAApplicationException("4001", new Object[]{host});
+ else {
+ // external uris are forbidden - check whitelist
+ Iterator it = whitelist.iterator();
+ boolean allowed = false;
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null || port == -1) {
+ // check only host
+ if (ip.startsWith(bhost)) {
+ Logger.debug(new LogMsg("Whitelist check: " + host + " (" + ip + ") whitelisted"));
+ allowed = true;
+ //throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (ip.startsWith(bhost) && (iport == port)) {
+ Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port + " whitelisted"));
+ //throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
+ allowed = true;
+ }
+
+ }
+ }
+
+ if (!allowed) {
+ if (port != -1) {
+ Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
+ throw new MOAApplicationException("4001", new Object[]{host + "(" + ip + ")"});
+ }
+ else {
+ Logger.debug(new LogMsg("No external URIs allowed (" + host + ":" + port + ")"));
+ throw new MOAApplicationException("4001", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
+ }
+
+ }
+
}
Logger.debug(new LogMsg("URI allowed: " + ip + ":" + port));
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java
new file mode 100644
index 000000000..99af84308
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java
@@ -0,0 +1,37 @@
+package at.gv.egovernment.moa.spss.util;
+
+public class QCSSCDResult {
+
+ private boolean qc;
+ private boolean qcSourceTSL;
+
+ private boolean sscd;
+ private boolean sscdSourceTSL;
+
+ public QCSSCDResult() {
+ this.qc = false;
+ this.qcSourceTSL = false;
+ this.sscd = false;
+ this.sscdSourceTSL = false;
+ }
+
+ public QCSSCDResult(boolean qc, boolean qcSourceTSL, boolean sscd, boolean sscdSourceTSL) {
+ this.qc = qc;
+ this.qcSourceTSL = qcSourceTSL;
+ this.sscd = sscd;
+ this.sscdSourceTSL = sscdSourceTSL;
+ }
+
+ public boolean isQC() {
+ return this.qc;
+ }
+ public boolean isQCSourceTSL() {
+ return this.qcSourceTSL;
+ }
+ public boolean isSSCD() {
+ return this.sscd;
+ }
+ public boolean isSSCDSourceTSL() {
+ return this.sscdSourceTSL;
+ }
+}