| author | Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> | 2013-09-04 09:37:31 +0200 | 
|---|---|---|
| committer | Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> | 2013-09-04 09:37:31 +0200 | 
| commit | eadd6dd97f1b30608b31ffcd90382874fbcdaddc (patch) | |
| tree | 1e02de018bcb417bf897f06fb79bf64eda9b4b06 /spss/server/serverlib/src/main/java | |
| parent | 61362f940ca679fe215de34b1683e1110fea8d3e (diff) | |
| parent | 69f2dfdf3e0b5d976df3cdece6a8ead4848d746a (diff) | |
| download | moa-id-spss-eadd6dd97f1b30608b31ffcd90382874fbcdaddc.tar.gz moa-id-spss-eadd6dd97f1b30608b31ffcd90382874fbcdaddc.tar.bz2 moa-id-spss-eadd6dd97f1b30608b31ffcd90382874fbcdaddc.zip | |
Merge SPSS
Diffstat (limited to 'spss/server/serverlib/src/main/java')
45 files changed, 3443 insertions, 357 deletions
| diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index fbf40be88..b5cc96a04 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -35,6 +35,9 @@ import org.apache.commons.discovery.tools.DiscoverClass;  import org.w3c.dom.Element;  import org.w3c.dom.NodeList; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;  import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;  import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;  import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; 
@@ -138,6 +141,26 @@ public abstract class SPSSFactory {      List singleSignatureInfos);    /** +   * Create a new <code>CreateCMSSignatureRequest</code> object. +   *  +   * @param keyIdentifier The identifier for the key group to use for signing. +   * @param singleSignatureInfos A <code>List</code> of  +   * <code>SingleSignatureInfo</code> objects containing information about a +   * single signature to be created. +   * @return The <code>CreateCMSSignatureRequest</code> containing the above +   * data. +   *  +   * @pre keyIdentifier != null && keyIdentifier.length() > 0 +   * @pre singleSignatureInfos != null +   * @pre forall Object o in singleSignatureInfos |  +   *        o instanceof at.gv.egovernment.moa.spss.api.common.SingleSignatureInfo  +   * @post return != null +   */ +  public abstract CreateCMSSignatureRequest createCreateCMSSignatureRequest( +    String keyIdentifier, +    List singleSignatureInfos); +   +  /**     * Create a new <code>SingleSignatureInfo</code> object.     *      * @param dataObjectInfos The data objects that will be signed (including 
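Review bot: The `@pre forall Object o in singleSignatureInfos` clause on the new `createCreateCMSSignatureRequest` names `at.gv.egovernment.moa.spss.api.common.SingleSignatureInfo`, but a CMS request is built from the `cmssign` variant that `createSingleSignatureInfoCMS` returns, so the precondition as written accepts the XML-signature type and excludes the CMS one. The line was evidently carried over from the `createCreateXMLSignatureRequest` Javadoc just above it. Change it to `o instanceof at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo`. SPSSFactory continues outside the hunk.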
@@ -156,6 +179,23 @@ public abstract class SPSSFactory {    public abstract SingleSignatureInfo createSingleSignatureInfo(      List dataObjectInfos,      CreateSignatureInfo createSignatureInfo, boolean securityLayerConform); +   +  /** +   * Create a new <code>SingleSignatureInfo</code> object. +   *  +   * @param dataObjectInfo The data object that will be signed. +   * @param securityLayerConform If <code>true</code>, a Security Layer conform +   * signature manifest is created, otherwise not. +   * @return The <code>SingleSignatureInfo</code> containing the above data. +   *  +   * @post return != null +   */ +  public abstract at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo createSingleSignatureInfoCMS(	 +    at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo dataObjectInfo, +    boolean securityLayerConform); +   + +      /**     * Create a new <code>DataObjectInfo</code> object. @@ -182,6 +222,22 @@ public abstract class SPSSFactory {      CreateTransformsInfoProfile createTransformsInfoProfile);    /** +   * Create a new <code>DataObjectInfo</code> object. +   *  +   * @param structure The type of signature to create. +   * @param dataObject The data object that will be signed. +   * @return The <code>DataObjectInfo</code> containing the above data. +   *  +   * @pre DataObjectInfo.STRUCTURE_DETACHED.equals(structure) || +   *      DataObjectInfo.STRUCTURE_ENVELOPING.equals(structure) +   * @pre dataObject != null +   * @post return != null +   */ +  public abstract at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo createDataObjectInfo( +    String structure, +    CMSDataObject dataObject); +   +  /**     * Create a new <code>CreateTransformsInfoProfile</code> object containing a     * reference to a locally stored profile.     *  
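Review bot: The new `createSingleSignatureInfoCMS` declaration carries a stray tab after the opening parenthesis (`createSingleSignatureInfoCMS(\t`), and its Javadoc states no precondition for `dataObjectInfo`, although every other factory method in this commit spells out `@pre` clauses for its reference parameters. Add `@pre dataObjectInfo != null` beside the existing `@post return != null` and drop the tab. The summary "Create a new SingleSignatureInfo object" is also identical to the XML method directly above; `Create a new cmssign.SingleSignatureInfo object for a CMS signature.` keeps the two apart in the generated API docs.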
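Review bot: In the `@pre` of the CMS `createDataObjectInfo` overload (second hunk on this line), `DataObjectInfo.STRUCTURE_DETACHED` and `DataObjectInfo.STRUCTURE_ENVELOPING` use the simple name, while the method's own return type had to be written as `at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo`, which suggests the simple name resolves to the XML-signature `DataObjectInfo` in this file. Even if both interfaces define constants with the same values, the precondition should name the type it means: `@pre at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo.STRUCTURE_DETACHED.equals(structure) || ...`. Overloading `createDataObjectInfo` by parameter type, when the previous hunk chose the `...CMS` suffix for `createSingleSignatureInfoCMS`, is also inconsistent within the same commit.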
@@ -321,6 +377,37 @@ public abstract class SPSSFactory {     */    public abstract CreateXMLSignatureResponse createCreateXMLSignatureResponse(List responseElements); +   +  /** +   * Create a new <code>CreateCMSSignatureResponse</code> object. +   *  +   * @param responseElements The elements of the response, either  +   * <code>CMSSignatureResponse</code> objects, or  +   * <code>ErrorResponse</code> objects. +   * @return The new <code>CreateCMSSignatureResponse</code> containing the +   * above data. +   *  +   * @pre responseElements != null && responseElements.size() > 0 +   * @pre forall Object o in responseElements |  +   *        o instanceof at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse +   * @post return != null +   */ +  public abstract CreateCMSSignatureResponse createCreateCMSSignatureResponse(List responseElements); +   +   +  /** +   * Create a new <code>SignatureEnvironmentResponse</code> object. +   *  +   * @param signatureEnvironment The signature environment containing the +   * signature. +   * @return The <code>SignatureEnvironmentResponse</code> containing the +   * <code>signatureEnvironment</code>. +   *  +   * @pre signatureEnvironment != null +   * @post return != null +   */ +  public abstract CMSSignatureResponse createCMSSignatureResponse(String base64value); +      /**     * Create a new <code>SignatureEnvironmentResponse</code> object.     *  
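Review bot: The Javadoc on the new `createCMSSignatureResponse(String base64value)` is a copy of the `SignatureEnvironmentResponse` comment that follows it: it documents a `signatureEnvironment` parameter that does not exist and never mentions `base64value`. Replace it with a summary naming the created type, `@param base64value The Base64 encoded CMS signature.`, `@pre base64value != null` and `@post return != null`. In the same hunk, `createCreateCMSSignatureResponse` says the elements may be `CMSSignatureResponse` or `ErrorResponse` objects, yet its `@pre` requires every element to be `instanceof ...cmssign.CMSSignatureResponse`; the common supertype `CreateCMSSignatureResponseElement` introduced by this commit is what that precondition should name.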
@@ -1003,6 +1090,8 @@ public abstract class SPSSFactory {     * @param signerCertificate The signer certificate in binary form.     * @param qualifiedCertificate <code>true</code>, if the signer certificate is     * a qualified certificate, otherwise <code>false</code>. +   * @param qcSourceTSL <code>true</code>, if the QC information comes from the TSL,  +   * 		otherwise <code>false</code>.     * @param publicAuthority <code>true</code>, if the signer certificate is a     * public authority certificate, otherwise <code>false</code>.     * @param publicAuthorityID The identification of the public authority @@ -1010,6 +1099,9 @@ public abstract class SPSSFactory {     * <code>null</code>.     * @param sscd <code>true</code>, if the TSL check verifies the      * 		signature based on a SSDC, otherwise <code>false</code>. +   * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,  +   * 		otherwise <code>false</code>. +   * @param issuerCountryCode contains the signer certificate issuer country code.     * @return The <code>SignerInfo</code> containing the above data.     *      * @pre signerCertSubjectName != null @@ -1019,9 +1111,12 @@ public abstract class SPSSFactory {    public abstract SignerInfo createSignerInfo(      X509Certificate signerCertificate,      boolean qualifiedCertificate, +    boolean qcSourceTSL,      boolean publicAuthority,      String publicAuthorityID, -    boolean sscd); +    boolean sscd, +    boolean sscdSourceTSL, +    String issuerCountryCode);    /**     * Create a new <code>X509IssuerSerial</code> object. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java new file mode 100644 index 000000000..10db67627 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java 
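Review bot: `createSignerInfo` (third hunk on this line) gains three parameters in place, so every implementation and caller of this public abstract factory method stops compiling; the commit updates the in-tree callers, but anything built against the published `at.gv.egovernment.moa.spss.api` package breaks too. If external compatibility matters, keep the old six-argument shape as a concrete overload that delegates with defaults, as sketched below; whether `false`/`null` are the right defaults is for the maintainers to decide. A second, inferred point: the factory takes `qcSourceTSL` and `sscdSourceTSL` as booleans, while the `SignerInfo` hunk later in this commit exposes them as `String getQCSource()`/`getSSCDSource()`, so the mapping between the two representations should be documented on one side. The class continues outside the hunk.
```java
  /** Backward-compatible form: QC/SSCD sources default to "not from TSL", no issuer country code. */
  public SignerInfo createSignerInfo(
    X509Certificate signerCertificate,
    boolean qualifiedCertificate,
    boolean publicAuthority,
    String publicAuthorityID,
    boolean sscd) {
    return createSignerInfo(signerCertificate, qualifiedCertificate, false,
      publicAuthority, publicAuthorityID, sscd, false, null);
  }
  // … unchanged: new eight-argument abstract createSignerInfo …
```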
@@ -0,0 +1,41 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + + +/** + * Contains the signature if the signature creation was successful. + *   + * @version $Id$ + */ +public interface CMSSignatureResponse +  extends CreateCMSSignatureResponseElement { +  /**  +   * Gets the CMS signature (Base64 encoded). +   *  +   * @return The CMS signature +   */ +  public String getCMSSignature(); +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java new file mode 100644 index 000000000..9d5cd7a0d --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java 
@@ -0,0 +1,49 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +import java.util.List; + + +/** + * Object that encapsulates a request to create a CMS Signature. + *  + *  + * @version $Id$ + */ +public interface CreateCMSSignatureRequest { +  /** +   * Gets the identifier for the keys to be used for the signature. +   *  +   * @return The identifier for the keys to be used. +   */ +  public String getKeyIdentifier(); +  /** +   * Gets the information of the singleSignatureInfo elements.  +   *  +   * @return The information of singleSignatureInfo elements. +   */ +  public List getSingleSignatureInfos(); +} 
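Review bot: `getSingleSignatureInfos` returns a raw `List` and neither its comment nor the interface comment says what the elements are; the factory's `createCreateCMSSignatureRequest` precondition pins them to `cmssign.SingleSignatureInfo`, so the contract belongs here as well. Suggested: `@return The <code>SingleSignatureInfo</code> elements describing the signatures to create.` The `getKeyIdentifier` comment could likewise say, as the factory Javadoc does, that the value identifies the key group used for signing, since that is the value deciding which private key is used.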
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java new file mode 100644 index 000000000..6062a1162 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java @@ -0,0 +1,42 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +import java.util.List; + +/** + * Object that encapsulates the response on to a  + * <code>CreateCMSSignatureRequest</code> to create an XML signature. + *  + * @version $Id$ + */ +public interface CreateCMSSignatureResponse { +  /** +   * Gets the response elements. +   *  +   * @return The response elements. +   */ +  public List getResponseElements(); +} 
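Review bot: The interface comment reads "response on to a CreateCMSSignatureRequest to create an XML signature", which is left over from the XML counterpart; this response carries CMS signatures. Suggested wording: `Object that encapsulates the response to a <code>CreateCMSSignatureRequest</code> to create a CMS signature.` The `@return` of `getResponseElements` could also name the element type, `CreateCMSSignatureResponseElement`, since the raw `List` tells readers nothing else.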
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java new file mode 100644 index 000000000..8e4e61145 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java 
@@ -0,0 +1,51 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +/** + * Base class for <code>CMSSignature</code> and  + * <code>ErrorResponse</code> elements in a  + * <code>CreateXMLSignatureResponse</code>. + *  + * @version $Id$ + */ +public interface CreateCMSSignatureResponseElement { +  /** +   * Indicates that this object contains a <code>CMSSignature</code>. +   */ +  public static final int CMS_SIGNATURE = 0; +  /** +   * Indicates that this objet contains an <code>ErrorResponse</code>. +   */ +  public static final int ERROR_RESPONSE = 1; +   +  /** +   * Gets the type of response object. +   *  +   * @return The type of response object, either  +   * <code>CMS_SIGNATURE</code> or <code>ERROR_RESPONSE</code>. +   */ +  public int getResponseType(); +} 
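Review bot: The type comment says these are elements "in a CreateXMLSignatureResponse", but this interface is the element type of `CreateCMSSignatureResponse`; the `ERROR_RESPONSE` comment also has the typo "objet". Suggested: `Base class for <code>CMSSignature</code> and <code>ErrorResponse</code> elements in a <code>CreateCMSSignatureResponse</code>.` and `Indicates that this object contains an <code>ErrorResponse</code>.`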
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java new file mode 100644 index 000000000..b9f363061 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java 
@@ -0,0 +1,58 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; + +/** + * Encapsulates information required to create a single signature. + *  + * @version $Id$ + */ +public interface DataObjectInfo { +  /** +   * Indicates that a detached signature will be created. +   */ +  public static final String STRUCTURE_DETACHED = "detached";  +  /** +   * Indicates that an enveloping signature will be created. +   */ +  public static final String STRUCTURE_ENVELOPING = "enveloping"; + +  /** +   * Gets the structure of the signature. +   *  +   * @return The structure of the signature. +   */ +  public String getStructure(); + +  /** +   * Gets information related to a single data object. +   *  +   * @return Information related to a single data object. 
+   */ +  public CMSDataObject getDataObject(); +   +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java new file mode 100644 index 000000000..1f87a50ca --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java 
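Review bot: The interface summary "Encapsulates information required to create a single signature" is the same sentence `SingleSignatureInfo` uses in the next file, so the two types read identically in the API docs. Something like `Describes one data object to be signed with CMS: the signature structure (detached or enveloping) and the data itself.` tells them apart. `getStructure` should also state that the value is one of `STRUCTURE_DETACHED`/`STRUCTURE_ENVELOPING`, since nothing in the interface otherwise ties the String to the constants.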
@@ -0,0 +1,51 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + + + +/** + * Encapsulates data to create a single signature. + *  + * @author Patrick Peck + * @author Stephan Grill + * @version $Id$ + */ +public interface SingleSignatureInfo { +  /** +   * Gets the dataObjectInfo information. +   *  +   * @return The dataObjectInfo information. +   */ +  public DataObjectInfo getDataObjectInfo(); +   +  /** +   * Check whether a Security Layer conform signature manifest will be created. +   *  +   * @return <code>true</code>, if a Security Layer conform signature manifest  +   * will be created, <code>false</code> otherwise. +   */ +  public boolean isSecurityLayerConform(); +} 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java index 7a1942214..777365ad3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java @@ -59,6 +59,21 @@ public interface SignerInfo {    public boolean isSSCD();    /** +   * Returns the source of the SSCD check (TSL or Certificate)   *  +   */ +  public String getSSCDSource(); + +  /** +   * Returns the source of the QC check (TSL or Certificate)   *  +   */ +  public String getQCSource(); + +  /** +   * Returns the signer certificate issuer country code +   * @return +   */ +  public String getIssuerCountryCode(); +  /**     * Checks, whether the certificate contained in this object is a      * public authority certificate.     *  diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java index fd7d38217..29529322c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java @@ -24,6 +24,8 @@  package at.gv.egovernment.moa.spss.api.common;
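Review bot: The new `getSSCDSource` and `getQCSource` Javadoc in `SignerInfo` ends in a stray `  *  ` fragment on the description line and has no `@return`, `getIssuerCountryCode` has an empty `@return`, and the `TSLConfiguration` hunk below repeats the problem with a wholly empty comment on `getWorkingDirectoryAsURI`. For the two source getters the comment should say which values the String can take; the factory in this commit receives the same information as booleans `qcSourceTSL`/`sscdSourceTSL`, so presumably a fixed vocabulary such as TSL versus certificate, but that is inferred and should be stated here. For the country code, `@return The issuer country code taken from the signer certificate, or <code>null</code> if not available.` if that matches the implementation.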
 +import iaik.ixsil.util.URI;
 +
  import java.util.Date;
 @@ -70,5 +72,10 @@ public interface TSLConfiguration {     */
    public String getWorkingDirectory();
 +  /**
 +   * 
 +   * @return
 +   */
 +  public URI getWorkingDirectoryAsURI();
  }
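Review bot: `getWorkingDirectoryAsURI` exposes `iaik.ixsil.util.URI` in the public `api.common` interface, which ties every API consumer to the IAIK IXSIL library for what is otherwise a plain path; `java.net.URI` would express the same contract without the dependency, with the IXSIL conversion kept inside the implementation. Its Javadoc is also empty; at minimum `@return The directory of {@link #getWorkingDirectory()} as a URI.` plus a statement of whether it can be <code>null</code>.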
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java new file mode 100644 index 000000000..b512dd0bd --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java 
@@ -0,0 +1,64 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; + +/** + * Default implementation of <code>CMSSignatureResponse</code>. + *  + * @version $Id$ + */ +public class CMSSignatureResponseImpl +  implements CMSSignatureResponse { + +  /** The base64 value of the CMS signature. */ +  private String cmsSignature; + +  /**  +   * Sets the CMS signature. +   *  +   * @param cmsSignature The Base64 encoded value CMS signature. +   */ +  public void setCMSSignature(String cmsSignature) { +    this.cmsSignature = cmsSignature; +  } + +  public String getCMSSignature() { +    return cmsSignature; +  } + +  /** +   * Gets the type of <code>CreateCMSSignatureResponseElement</code>. 
+   *  +   * @return CMS_SIGNATURE +   */ +  public int getResponseType() { +    return CMS_SIGNATURE; +  } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java new file mode 100644 index 000000000..e8408bc55 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java 
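Review bot: `import org.w3c.dom.Element;` in `CMSSignatureResponseImpl` is unused — the class holds only a String — and should be dropped. `getCMSSignature` returns `null` until `setCMSSignature` is called, while the interface comment promises a Base64 value; either document `@return The Base64 encoded CMS signature, or <code>null</code> if none was set.` on the getter or state the non-null expectation where the object is built.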
@@ -0,0 +1,77 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; + +/** + * Default implementation of <code>CreateCMSSignatureRequest</code>. + *  + * @author Fatemeh Philippi + * @version $Id$ + */ +public class CreateCMSSignatureRequestImpl +  implements CreateCMSSignatureRequest { + +  /** The identifier for selecting the private keys for creating the signature.*/ +  private String keyIdentifier; +  /** Information for creating a single signature. */ +  private List singleSignatureInfos = new ArrayList(); + +  /** +   * Sets the identifier for selecting the private keys for creating the  +   * signature. +   *  +   * @param keyIdentifier The identifier for selecting the private keys. 
+   */ +  public void setKeyIdentifier(String keyIdentifier) { +    this.keyIdentifier = keyIdentifier; +  } + +  public String getKeyIdentifier() { +    return keyIdentifier; +  } + +  /** +   * Sets the information for creating single signatures. +   *  +   * @param singleSignaureInfos The information for creating single signatures. +   */ +  public void setSingleSignatureInfos(List singleSignaureInfos) { +    this.singleSignatureInfos = +      singleSignaureInfos != null +        ? Collections.unmodifiableList(new ArrayList(singleSignaureInfos)) +        : null; +  } + +  public List getSingleSignatureInfos() { +    return singleSignatureInfos; +  } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java new file mode 100644 index 000000000..d596058c6 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java 
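Review bot: `setSingleSignatureInfos(null)` replaces the empty-list field initializer with `null`, so `getSingleSignatureInfos` returns either an empty list or `null` depending on call history; `CreateCMSSignatureResponseImpl.setResponseElements` in the next hunk has the same shape. Keeping the empty-collection invariant is one change per setter: `: Collections.EMPTY_LIST;` in place of `: null;` (or `Collections.emptyList()` once the file adopts generics). The parameter is also misspelled `singleSignaureInfos` in both the signature and the `@param` tag.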
@@ -0,0 +1,60 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; + +/** + * Default implementation of <code>CreateCMSSignatureResponse</code>. + *  + * @version $Id$ + */ +public class CreateCMSSignatureResponseImpl +  implements CreateCMSSignatureResponse { + +  /** The elements contained in the response. */ +  private List responseElements = new ArrayList(); + +  /** +   * Sets the elements contained in the response. +   *  +   * @param responseElements The response elements. +   */ +  public void setResponseElements(List responseElements) { +    this.responseElements = +      responseElements != null +        ? 
Collections.unmodifiableList(new ArrayList(responseElements)) +        : null; +  } + +  public List getResponseElements() { +    return responseElements; +  } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java new file mode 100644 index 000000000..702086b6f --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java 
@@ -0,0 +1,69 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; + +/** + * Default implementation of <code>DataObjectInfo</code> for CMS. + *  + * @author Fatemeh Philippi + * @version $Id$ + */ +public class DataObjectInfoCMSImpl implements DataObjectInfo { +  /** The signature structure type. */ +  private String stucture; +  /** The data object to be signed. */ +  private CMSDataObject dataObject; + +  /** +   * Sets the signature structure type. +   *  +   * @param structure The signature structure type. +   */ +  public void setStructure(String structure) { +    this.stucture = structure; +  } + +  public String getStructure() { +    return stucture; +  } + + +  /** +   * Sets the data object to be signed. 
+   *  +   * @param dataObject The data object to be signed. +   */ +  public void setDataObject(CMSDataObject dataObject) { +    this.dataObject = dataObject; +  } + +  public CMSDataObject getDataObject() { +    return dataObject; +  } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java index a23a1d98f..8e3bb7636 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java @@ -25,6 +25,7 @@  package at.gv.egovernment.moa.spss.api.impl;  import java.io.InputStream; +  import java.math.BigInteger;  import java.security.cert.X509Certificate;  import java.util.Date; @@ -35,6 +36,9 @@ import org.w3c.dom.Element;  import org.w3c.dom.NodeList;  import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;  import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;  import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject;  import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; 
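Review bot: In DataObjectInfoCMSImpl the field is spelled `stucture` while the setter parameter and the accessor are `structure`; renaming the field to `private String structure;` (with `this.structure = structure;` and `return structure;`) keeps the three names consistent and greppable. getStructure() and getDataObject() carry no Javadoc while the setters do; `/** Returns the signature structure type. */` and `/** Returns the data object to be signed. */` would complete the pairs, unless the DataObjectInfo interface (outside this diff) already documents them, in which case `{@inheritDoc}` is enough.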
@@ -90,6 +94,32 @@ public class SPSSFactoryImpl extends SPSSFactory {      createXMLSignatureRequest.setSingleSignatureInfos(singleSignatureInfos);      return createXMLSignatureRequest;    } +   +  public CreateCMSSignatureRequest createCreateCMSSignatureRequest( +    String keyIdentifier, +    List singleSignatureInfos) { +	  CreateCMSSignatureRequestImpl createCMSSignatureRequest = +		      new CreateCMSSignatureRequestImpl(); +	  createCMSSignatureRequest.setKeyIdentifier(keyIdentifier); +	  createCMSSignatureRequest.setSingleSignatureInfos(singleSignatureInfos); +	  return createCMSSignatureRequest; +	   +  } +   +  public CreateCMSSignatureResponse createCreateCMSSignatureResponse(List responseElements) { +	  CreateCMSSignatureResponseImpl createCMSSignatureResponse = new CreateCMSSignatureResponseImpl(); +	  createCMSSignatureResponse.setResponseElements(responseElements); +	  return createCMSSignatureResponse; +  } +   +   +  public CMSSignatureResponse createCMSSignatureResponse(String base64value) { +	  CMSSignatureResponseImpl cmsSignatureResponse = new CMSSignatureResponseImpl(); +	  cmsSignatureResponse.setCMSSignature(base64value); +	   +	  return cmsSignatureResponse; +  } +      public SingleSignatureInfo createSingleSignatureInfo(      List dataObjectInfos, 
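Review bot: The three new factory methods createCreateCMSSignatureRequest, createCreateCMSSignatureResponse and createCMSSignatureResponse carry no Javadoc and are indented with tabs where the surrounding methods of SPSSFactoryImpl use two spaces. A `/** {@inheritDoc} */` on each (the abstract declarations are the documented contract) and reindenting to match createCreateXMLSignatureRequest above would bring them in line. The empty line before the closing brace of createCreateCMSSignatureRequest and the double blank line before createCMSSignatureResponse look accidental and should go.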
@@ -101,6 +131,16 @@ public class SPSSFactoryImpl extends SPSSFactory {      singleSignatureInfo.setSecurityLayerConform(securityLayerConform);      return singleSignatureInfo;    } +   +  public at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo createSingleSignatureInfoCMS( +		  at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo dataObjectInfo,		     +		    boolean securityLayerConform) { +		    SingleSignatureInfoCMSImpl singleSignatureInfo = new SingleSignatureInfoCMSImpl(); +		    singleSignatureInfo.setDataObjectInfo(dataObjectInfo); +		    singleSignatureInfo.setSecurityLayerConform(securityLayerConform); +		    return singleSignatureInfo; +		  } +      public DataObjectInfo createDataObjectInfo(      String structure,      boolean childOfManifest, @@ -113,6 +153,15 @@ public class SPSSFactoryImpl extends SPSSFactory {      dataObjectInfo.setCreateTransformsInfoProfile(createTransformsInfoProfile);      return dataObjectInfo;    } +   +  public at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo createDataObjectInfo( +		    String structure, +		    CMSDataObject dataObject) { +		    DataObjectInfoCMSImpl dataObjectInfo = new DataObjectInfoCMSImpl(); +		    dataObjectInfo.setStructure(structure); +		    dataObjectInfo.setDataObject(dataObject); +		    return dataObjectInfo; +		  }    public CreateTransformsInfoProfile createCreateTransformsInfoProfile(String profileID) { 
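Review bot: The closing braces of createSingleSignatureInfoCMS and of the new createDataObjectInfo(String, CMSDataObject) overload are indented to body depth (several tabs), which makes both methods read as if they were still open; the same applies to the -113 hunk below. The CMS overload also reuses the name createDataObjectInfo next to the XML variant and therefore has to spell out the fully qualified return type, while the sibling method was given the distinct name createSingleSignatureInfoCMS; `createDataObjectInfoCMS` would follow that pattern and drop the qualified names, if the abstract declaration in SPSSFactory allows the rename. Neither method has Javadoc; `/** {@inheritDoc} */` would do.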
@@ -573,15 +622,21 @@ public class SPSSFactoryImpl extends SPSSFactory {    public SignerInfo createSignerInfo(      X509Certificate signerCertificate,      boolean qualifiedCertificate, +    boolean qcSourceTSL,      boolean publicAuthority,      String publicAuthorityID,  -    boolean sscd) { +    boolean sscd, +    boolean sscdSourceTSL, +    String issuerCountryCode) {      SignerInfoImpl signerInfo = new SignerInfoImpl();      signerInfo.setSignerCertificate(signerCertificate);      signerInfo.setQualifiedCertificate(qualifiedCertificate); +    signerInfo.setQCSourceTSL(qcSourceTSL);      signerInfo.setPublicAuthority(publicAuthority);      signerInfo.setPublicAuhtorityID(publicAuthorityID);      signerInfo.setSSCD(sscd); +    signerInfo.setSSCDSourceTSL(sscdSourceTSL); +    signerInfo.setIssuerCountryCode(issuerCountryCode);      return signerInfo;    } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java index 56a9004fc..7a108e8a4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java @@ -49,6 +49,16 @@ public class SignerInfoImpl implements SignerInfo {    /** Determines, whether the signature is based on an SSCD */    private boolean sscd; +   +  /** Determines, if the SSCD check bases upon on TSL */ +  private boolean sscdSourceTSL; +   +  /** Determines, if the QC check bases upon on TSL */ +  private boolean qcSourceTSL; +   +  /** The certificate issuer country code */ +  private String issuerCountryCode; +      /**    * Sets the signer certificate.    *  
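Review bot: createSignerInfo now takes eight positional parameters, four of them booleans, so a call site that swaps qcSourceTSL and publicAuthority compiles silently; the change to the signature is fine, but the new parameters need documenting, and the method's Javadoc (if it has one) starts above the hunk. It would need `@param qcSourceTSL whether the QC status was taken from the TSL rather than the certificate`, `@param sscdSourceTSL whether the SSCD status was taken from the TSL rather than the certificate` and `@param issuerCountryCode country code of the certificate issuer, or null` (format to be confirmed against the caller).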
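Review bot: The two new field comments in SignerInfoImpl read "bases upon on TSL", which is hard to parse; `/** Whether the SSCD determination was taken from the TSL (rather than from the certificate) */` and the analogous wording for qcSourceTSL say what the flag means. Nothing in this hunk states what issuerCountryCode holds; `/** Country code of the certificate issuer, or null if not available — TODO confirm format (ISO 3166-1 alpha-2?) */` records the open point for the next reader.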
@@ -87,8 +97,37 @@ public class SignerInfoImpl implements SignerInfo {    }    public boolean isSSCD() {  	    return sscd; -	  } +  } +   +  public void setSSCDSourceTSL(boolean sscdSourceTSL) { +	  this.sscdSourceTSL = sscdSourceTSL; +  } +  public String getSSCDSource() { +	  if (sscdSourceTSL) +		  return "TSL"; +	  else +		  return "Certificate"; +  } +   +  public void setQCSourceTSL(boolean qcSourceTSL) { +	  this.qcSourceTSL = qcSourceTSL; +  } +   +  public String getQCSource() { +	  if (qcSourceTSL) +		  return "TSL"; +	  else +		  return "Certificate"; +  } +   +  public void setIssuerCountryCode(String issuerCountryCode) { +	    this.issuerCountryCode = issuerCountryCode; +  } +	  public String getIssuerCountryCode() { +		    return issuerCountryCode; +	  } +	      /**     * Sets, whether the certificate contained in this object is an      * e-government certificate or not. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java new file mode 100644 index 000000000..cb3651587 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java 
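Review bot: getSSCDSource() and getQCSource() return the literal strings "TSL" and "Certificate" that ResponseBuilderUtils in this same change compares with `compareToIgnoreCase("TSL")`, so producer and consumer can silently drift apart. Defining the values once, e.g. `public static final String SOURCE_TSL = "TSL";` and `public static final String SOURCE_CERTIFICATE = "Certificate";` (on the SignerInfo interface if that is the shared contract), and returning `sscdSourceTSL ? SOURCE_TSL : SOURCE_CERTIFICATE` removes the duplication. The new accessors have no Javadoc, and setIssuerCountryCode/getIssuerCountryCode drift to tab indentation inside a two-space file.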
@@ -0,0 +1,62 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo; + +/** + * @version $Id$ + */ +public class SingleSignatureInfoCMSImpl implements SingleSignatureInfo { + +  private DataObjectInfo dataObjectInfo = null; + + +  private boolean securityLayerConform = true; + +  public void setDataObjectInfo(DataObjectInfo dataObjectInfo) { +    this.dataObjectInfo = dataObjectInfo; +  } + +  public DataObjectInfo getDataObjectInfo() { +    return dataObjectInfo; +  } + + + +  public void setSecurityLayerConform(boolean securityLayerConform) { +    this.securityLayerConform = securityLayerConform; +  } + +  public boolean isSecurityLayerConform() { +    return securityLayerConform; +  } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java index 15d66614e..87314e1f7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java @@ -24,6 +24,8 @@  package at.gv.egovernment.moa.spss.api.impl;
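Review bot: java.util.ArrayList, Collections and List are imported but unused in SingleSignatureInfoCMSImpl, and the class Javadoc consists of a `@version` tag only. `/** Default implementation of {@code SingleSignatureInfo} for CMS signatures. */` plus the one-line Javadoc on each accessor and mutator, as DataObjectInfoCMSImpl in this same change has, would bring it in line with its siblings. The `= null` initialiser on dataObjectInfo is redundant, since that is the field's default.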
 +import iaik.ixsil.util.URI;
 +
  import java.util.Date;
  import at.gv.egovernment.moa.spss.api.common.TSLConfiguration;
@@ -38,7 +40,7 @@ public class TSLConfigurationImpl implements TSLConfiguration {
  	/** The EU TSL URL. */
 -//	private String euTSLUrl;
 +	private String euTSLUrl;
  	/** update period in milliseconds */
  	private long updateSchedulePeriod;
@@ -48,9 +50,12 @@ public class TSLConfigurationImpl implements TSLConfiguration {
  	/** Working directory */
  	private String workingDirectory;
 +	
 +	/** Working directory */
 +	private URI workingDirectoryAsURI;
    public String getEuTSLUrl() {
 -	  return this.DEFAULT_EU_TSL_URL;
 +	  return this.euTSLUrl;
    }
    public long getUpdateSchedulePeriod() {
@@ -64,10 +69,14 @@ public class TSLConfigurationImpl implements TSLConfiguration {
    public String getWorkingDirectory() {
  	  return this.workingDirectory;
    }
 +  
 +  public URI getWorkingDirectoryAsURI() {
 +	  return this.workingDirectoryAsURI;
 +  }
 -//	public void setEuTSLUrl(String euTSLUrl) {
 -//		this.euTSLUrl = euTSLUrl;
 -//	}
 +	public void setEuTSLUrl(String euTSLUrl) {
 +		this.euTSLUrl = euTSLUrl;
 +	}
  	public void setUpdateSchedulePeriod(long updateSchedulePeriod) {
  		this.updateSchedulePeriod = updateSchedulePeriod;
@@ -80,6 +89,10 @@ public class TSLConfigurationImpl implements TSLConfiguration {
  	public void setWorkingDirectory(String workingDirectory) {
  		this.workingDirectory = workingDirectory;
  	}
 +	
 +	public void setWorkingDirectoryURI(URI workingDirectoryAsURI) {
 +		this.workingDirectoryAsURI = workingDirectoryAsURI;
 +	}
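Review bot: The setter is named setWorkingDirectoryURI while the getter added in the previous hunk is getWorkingDirectoryAsURI; `public void setWorkingDirectoryAsURI(URI workingDirectoryAsURI)` would make the pair follow bean naming (any caller is outside this diff and would need the rename too). Both new accessors also lack the one-line Javadoc the other accessors in this class carry.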
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java
new file mode 100644
index 000000000..737915ecd
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java
@@ -0,0 +1,247 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ + + +package at.gv.egovernment.moa.spss.api.xmlbind; + +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +import org.w3c.dom.Element; +import org.w3c.dom.traversal.NodeIterator; + +import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.MetaInfo; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.BoolUtils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * A parser to parse <code>CreateCMSSignatureRequest</code> DOM trees into + * <code>CreateCMSSignatureRequest</code> API objects. 
+ *  + * @author Patrick Peck + * @version $Id$ + */ +public class CreateCMSSignatureRequestParser { + +  // +  // XPath expresssions to select elements in the CreateCMSSignatureRequest +  // +  private static final String MOA = Constants.MOA_PREFIX + ":"; +  private static final String KEY_IDENTIFIER_XPATH = +    "/" + MOA + "CreateCMSSignatureRequest/" + MOA + "KeyIdentifier"; +  private static final String SINGLE_SIGNATURE_INFO_XPATH = +    "/" + MOA + "CreateCMSSignatureRequest/" + MOA + "SingleSignatureInfo"; +  private static final String DATA_OBJECT_INFO_XPATH = MOA + "DataObjectInfo"; +  private static final String DATA_OBJECT_XPATH = MOA + "DataObject"; +   +  private static final String SL_CONFORM_ATTR_NAME = "SecurityLayerConformity"; + +  private static final String META_INFO_XPATH = MOA + "MetaInfo"; +  private static final String CONTENT_XPATH = MOA + "Content"; +  private static final String BASE64_CONTENT_XPATH = MOA + "Base64Content"; + +   +  /** The factory to create API objects. */ +  private SPSSFactory factory; + +  /** +   * Create a new <code>CreateCMSSignatureRequestParser</code>. +   */ +  public CreateCMSSignatureRequestParser() { +    this.factory = SPSSFactory.getInstance(); +  } + +  /** +   * Parse a <code>CreateCMSSignatureRequest</code> DOM element, as defined +   * by the MOA schema. +   *  +   * @param requestElem The <code>CreateCMSSignatureRequest</code> to parse. The +   * request must have been successfully parsed against the schema for this +   * method to succeed. +   * @return A <code>CreateCMSSignatureRequest</code> API object containing +   * the data from the DOM element. +   * @throws MOAApplicationException An error occurred parsing the request. 
+   */ +  public CreateCMSSignatureRequest parse(Element requestElem) +    throws MOAApplicationException { + +    List singleSignatureInfos = parseSingleSignatureInfos(requestElem); +    String keyIdentifier = +      XPathUtils.getElementValue(requestElem, KEY_IDENTIFIER_XPATH, null); + +    return factory.createCreateCMSSignatureRequest( +      keyIdentifier, +      singleSignatureInfos); +  } + +  /** +   * Parse all <code>SingleSignatureInfo</code> elements of the  +   * <code>CreateCMSSignatureRequest</code>. +   *  +   * @param requestElem The <code>CreateCMSSignatureRequest</code> to parse. +   * @return A <code>List</code> of <code>SingleSignatureInfo</code> API  +   * objects. +   * @throws MOAApplicationException An error occurred parsing on of the  +   * <code>SingleSignatureInfo</code> elements. +   */ +  private List parseSingleSignatureInfos(Element requestElem) +    throws MOAApplicationException { + +    List singleSignatureInfos = new ArrayList(); +    NodeIterator sigInfoElems = +      XPathUtils.selectNodeIterator(requestElem, SINGLE_SIGNATURE_INFO_XPATH); +    Element sigInfoElem; + +    while ((sigInfoElem = (Element) sigInfoElems.nextNode()) != null) { +      singleSignatureInfos.add(parseSingleSignatureInfo(sigInfoElem)); +    } + +    return singleSignatureInfos; +  } + +  /** +   * Parse a <code>SingleSignatureInfo</code> DOM element. +   *  +   * @param sigInfoElem The <code>SingleSignatureInfo</code> DOM element to  +   * parse. +   * @return A <code>SingleSignatureInfo</code> API object containing the  +   * information of <code>sigInfoElem</code>. +   * @throws MOAApplicationException An error occurred parsing the  +   * <code>SingleSignatureInfo</code>. 
+   */ +  private SingleSignatureInfo parseSingleSignatureInfo(Element sigInfoElem) +    throws MOAApplicationException { + +    DataObjectInfo dataObjectInfo = parseDataObjectInfo(sigInfoElem); +    boolean securityLayerConform; + +    if (sigInfoElem.hasAttribute(SL_CONFORM_ATTR_NAME)) { +      securityLayerConform = +        BoolUtils.valueOf(sigInfoElem.getAttribute(SL_CONFORM_ATTR_NAME)); +    } else { +      securityLayerConform = true; +    } + +    return factory.createSingleSignatureInfoCMS( +      dataObjectInfo, +      securityLayerConform); +  } + +  /** +   * Parse the <code>DataObjectInfo</code> DOM elements contained in the given +   * <code>SingleSignatureInfo</code> DOM element. +   *  +   * @param sigInfoElem The  <code>SingleSignatureInfo</code> DOM element +   * whose <code>DataObjectInfo</code>s to parse. +   * @return A <code>List</code> of <code>DataObjectInfo</code> API objects +   * containing the data from the <code>DataObjectInfo</code> DOM elements. +   * @throws MOAApplicationException An error occurred parsing one of the +   * <code>DataObjectInfo</code>s. +   */ +  private DataObjectInfo parseDataObjectInfo(Element sigInfoElem) +    throws MOAApplicationException { + +	  Element dataObjInfoElem = (Element)XPathUtils.selectSingleNode(sigInfoElem, DATA_OBJECT_INFO_XPATH); +	   +	  String structure = dataObjInfoElem.getAttribute("Structure"); +	    Element dataObjectElem = +	      (Element) XPathUtils.selectSingleNode(dataObjInfoElem, DATA_OBJECT_XPATH); +	   +	    CMSDataObject dataObject = parseDataObject(dataObjectElem); + +	    return factory.createDataObjectInfo( +	      structure, +	      dataObject); +	     +  } +   +  + +  + +  /** +   * Parse a the <code>DataObject</code> DOM element contained in a given  +   * <code>CreateCMSSignatureRequest</code> DOM element. +   *  +   * @param requestElem The DataObject DOM element of the <code>VerifyCMSSignatureRequest</code>  +   * to parse. 
+   * @return The <code>CMSDataObject</code> API object containing the data +   * from the <code>DataObject</code> DOM element. +   */ +  private CMSDataObject parseDataObject(Element dataObjectElem) { + +    if (dataObjectElem != null) { +      Element metaInfoElem = (Element) XPathUtils.selectSingleNode(dataObjectElem, META_INFO_XPATH); +      MetaInfo metaInfo = null; +      Element contentElem = (Element) XPathUtils.selectSingleNode(dataObjectElem, CONTENT_XPATH); +      CMSContent content = parseContent(contentElem); + +      if (metaInfoElem != null) { +        metaInfo = RequestParserUtils.parseMetaInfo(metaInfoElem); +      } + +      return factory.createCMSDataObject(metaInfo, content); +    }  +    else { +      return null; +    } +  } + +     + +    /** +     * Parse the content contained in a <code>CMSContentBaseType</code> kind of +     * DOM element. +     *  +     * @param contentElem The <code>CMSContentBaseType</code> kind of element to +     * parse. +     * @return A <code>CMSDataObject</code> API object containing the data +     * from the given DOM element. +     */ +    private CMSContent parseContent(Element contentElem) { +      Element base64ContentElem = +        (Element) XPathUtils.selectSingleNode(contentElem, BASE64_CONTENT_XPATH); + +      if (base64ContentElem != null) { +        String base64Str = DOMUtils.getText(base64ContentElem); +        InputStream binaryContent = Base64Utils.decodeToStream(base64Str, true); +        return factory.createCMSContent(binaryContent); +      } else { +        return factory.createCMSContent( +          contentElem.getAttribute("Reference")); +      } +    }  + +}
\ No newline at end of file diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java new file mode 100644 index 000000000..907f90d32 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java 
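Review bot: Several Javadoc blocks in CreateCMSSignatureRequestParser describe the XML parser they were copied from rather than this code: parseDataObjectInfo says it returns a `List` of DataObjectInfos but returns a single DataObjectInfo, parseDataObject documents a `@param requestElem` of a VerifyCMSSignatureRequest while the parameter is `dataObjectElem`, and parseContent's `@return` says CMSDataObject where the method returns CMSContent; each should be rewritten to the actual signature (`@return The {@code DataObjectInfo} API object parsed from the single {@code DataObjectInfo} child of sigInfoElem.` for the first). parseDataObjectInfo dereferences the result of selectSingleNode without the null check that parseDataObject performs; if the schema guarantees the element, a comment saying so (`// DataObjectInfo is mandatory in the schema, so selectSingleNode cannot return null here`) avoids the question, otherwise a MOAApplicationException is the better failure. In parseContent the `Reference` attribute is forwarded unchanged as an external content reference; where it is resolved, and whether the external-URI blacklist/whitelist configured in ConfigurationPartsBuilder applies to CMS content too, is outside this diff and worth confirming and noting on the method.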
@@ -0,0 +1,145 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ + + +package at.gv.egovernment.moa.spss.api.xmlbind; + +import java.io.IOException; +import java.util.Iterator; + +import javax.xml.transform.TransformerException; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.spss.MOASystemException; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; + +/** + * Convert a <code>CreateCMSSignatureResponse</code> API object into its + * XML representation, according to the MOA XML schema. + *  + * @version $Id$ + */ +public class CreateCMSSignatureResponseBuilder { +  private static final String MOA_NS_URI = Constants.MOA_NS_URI; + +  /** The XML document containing the response element. */ +  private Document responseDoc; +  /** The response <code>CreateCMSSignatureResponse</code> DOM element. */ +  private Element responseElem; + +  /** +   * Create a new <code>CreateCMSSignatureResponseBuilder</code>: +   *  +   * @throws MOASystemException An error occurred setting up the resulting +   * XML document. +   */ +  public CreateCMSSignatureResponseBuilder() throws MOASystemException { +    responseDoc = +      ResponseBuilderUtils.createResponse("CreateCMSSignatureResponse"); +    responseElem = responseDoc.getDocumentElement(); +  } + +  /** +   * Build a document containing a <code>CreateCMSSignatureResponse</code> +   * DOM element being the XML representation of the given  +   * <code>CreateCMSSignatureResponse</code> API object. +   *  +   * @param response The <code>CreateCMSSignatureResponse</code> to convert +   * to XML. 
+   * @return A document containing the <code>CreateCMSSignatureResponse</code> +   * DOM element. +   */ +  public Document build(CreateCMSSignatureResponse response) { +    Iterator iter; + +         +    for (iter = response.getResponseElements().iterator(); iter.hasNext();) { +      CreateCMSSignatureResponseElement responseElement = +        (CreateCMSSignatureResponseElement) iter.next(); +       +      switch (responseElement.getResponseType()) { +        case CreateCMSSignatureResponseElement.CMS_SIGNATURE : +        	CMSSignatureResponse cmsSignatureResponse = (CMSSignatureResponse) responseElement; +        	addCMSSignature(cmsSignatureResponse); +          break; + +        case CreateCMSSignatureResponseElement.ERROR_RESPONSE : +          ErrorResponse errorResponse = (ErrorResponse) responseElement; +          addErrorResponse(errorResponse); +          break; +      } + +    } + +    return responseDoc; +  } + + + +  /** +   * Add a <code>CMSSignature</code> element to the response. +   *  +   * @param cmsSignatureResponse The content to put under the +   * <code>CMSSignature</code> element. +   */ +  private void addCMSSignature(CMSSignatureResponse cmsSignatureResponse) { +	  String base64Value = cmsSignatureResponse.getCMSSignature(); +	   +	  Element cmsSignature = responseDoc.createElementNS(MOA_NS_URI, "CMSSignature");	   +	  cmsSignature.setTextContent(base64Value); +	   +	  responseElem.appendChild(cmsSignature); +	   +} +   +  /** +   * Add a <code>ErrorResponse</code> element to the response. +   *   +   * @param errorResponse The API object containing the information to put into +   * the <code>ErrorResponse</code> DOM element. 
+   */ +  private void addErrorResponse(ErrorResponse errorResponse) { +    Element errorElem = +      responseDoc.createElementNS(MOA_NS_URI, "ErrorResponse"); +    Element errorCodeElem = +      responseDoc.createElementNS(MOA_NS_URI, "ErrorCode"); +    Element infoElem = responseDoc.createElementNS(MOA_NS_URI, "Info"); +    String errorCodeStr = Integer.toString(errorResponse.getErrorCode()); + +    errorCodeElem.appendChild(responseDoc.createTextNode(errorCodeStr)); +    errorElem.appendChild(errorCodeElem); +    infoElem.appendChild(responseDoc.createTextNode(errorResponse.getInfo())); +    errorElem.appendChild(errorCodeElem); +    errorElem.appendChild(infoElem); +    responseElem.appendChild(errorElem); +  } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index a228a0db8..2e2afaf7c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -117,9 +117,12 @@ class ResponseBuilderUtils {      Element root,      X509Certificate cert,      boolean isQualified, +    String qcSource,      boolean isPublicAuthority,      String publicAuthorityID, -    boolean isSSCD) +    boolean isSSCD, +    String sscdSource, +    String issuerCountryCode)      throws MOAApplicationException {      Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo"); 
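Review bot: addErrorResponse appends errorCodeElem to errorElem twice (`errorElem.appendChild(errorCodeElem);` both before and after the Info text is set); the second call only re-appends the same node, so the output order is still ErrorCode then Info, but the duplicate line should be removed. build() switches on getResponseType() without a default branch, so an unexpected response type is silently dropped from the XML; a `default: throw new IllegalStateException("unknown response type " + responseElement.getResponseType());` would surface it. build() also dereferences response.getResponseElements() without a null check although CreateCMSSignatureResponseImpl.setResponseElements(null) in this same change stores null. addCMSSignature uses setTextContent where the rest of the builder uses createTextNode, and java.io.IOException, TransformerException and SignatureEnvironmentResponse are imported but unused.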
@@ -145,6 +148,12 @@ class ResponseBuilderUtils {              isSSCD                ? response.createElementNS(MOA_NS_URI, "SecureSignatureCreationDevice")                : null; +    Element issuerCountryCodeElem = null; +    if (issuerCountryCode != null) { +    	issuerCountryCodeElem = response.createElementNS(MOA_NS_URI, "IssuerCountryCode"); +    	issuerCountryCodeElem.setTextContent(issuerCountryCode);    	 +    } +                    Element publicAuthorityElem =        isPublicAuthority          ? response.createElementNS(MOA_NS_URI, "PublicAuthority") @@ -182,7 +191,10 @@ class ResponseBuilderUtils {      x509DataElem.appendChild(x509IssuerSerialElem);      x509DataElem.appendChild(x509CertificateElem);      if (isQualified) { -      x509DataElem.appendChild(qualifiedCertificateElem); +    	if (qcSource.compareToIgnoreCase("TSL") == 0) +    		qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); +    	 +    	x509DataElem.appendChild(qualifiedCertificateElem);      }      if (isPublicAuthority) {        x509DataElem.appendChild(publicAuthorityElem); @@ -192,8 +204,12 @@ class ResponseBuilderUtils {        }      }      if (isSSCD) { +   		sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource);          x509DataElem.appendChild(sscdElem);        } +    if (issuerCountryCodeElem != null) +    	x509DataElem.appendChild(issuerCountryCodeElem); +          signerInfoElem.appendChild(x509DataElem);      root.appendChild(signerInfoElem);    } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java index 7ad838822..b11560b28 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java 
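Review bot: In the -182 hunk `qcSource.compareToIgnoreCase("TSL") == 0` throws NullPointerException when qcSource is null, and the QC `Source` attribute is only written for "TSL", whereas in the -192 hunk the SSCD `Source` attribute is always written with whatever sscdSource holds; the null-safe form `if ("TSL".equalsIgnoreCase(qcSource))` fixes the first point, and the two elements should follow one rule (always emit, or emit only for TSL), which depends on what the MOA response schema declares for Source. `setAttributeNS(MOA_NS_URI, "Source", ...)` creates an attribute in the MOA namespace with no prefix, so a serializer will invent one (e.g. `ns1:Source`); if the schema declares Source as an unqualified attribute, which is the XML Schema default, `setAttribute("Source", qcSource)` is the matching call — please confirm against the schema. In the -145 hunk issuerCountryCodeElem.setTextContent departs from the createTextNode style used for the rest of SignerInfo, and the trailing whitespace on that line should be trimmed.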
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java @@ -104,9 +104,12 @@ public class VerifyCMSSignatureResponseBuilder {        responseElem,        signerInfo.getSignerCertificate(),        signerInfo.isQualifiedCertificate(), +      signerInfo.getQCSource(),        signerInfo.isPublicAuthority(),        signerInfo.getPublicAuhtorityID(), -      signerInfo.isSSCD()); +      signerInfo.isSSCD(), +      signerInfo.getSSCDSource(), +      signerInfo.getIssuerCountryCode());      ResponseBuilderUtils.addCodeInfoElement(        responseDoc, diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java index 0d3e0c18e..dd4e13ad9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java @@ -96,9 +96,12 @@ public class VerifyXMLSignatureResponseBuilder {        responseElem,        response.getSignerInfo().getSignerCertificate(),        response.getSignerInfo().isQualifiedCertificate(), +      response.getSignerInfo().getQCSource(),        response.getSignerInfo().isPublicAuthority(),        response.getSignerInfo().getPublicAuhtorityID(), -      response.getSignerInfo().isSSCD()); +      response.getSignerInfo().isSSCD(), +      response.getSignerInfo().getSSCDSource(), +      response.getSignerInfo().getIssuerCountryCode());      // add HashInputData elements      responseData = response.getHashInputDatas(); 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 09f496c74..0908d88c9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -30,6 +30,7 @@ import iaik.pki.pathvalidation.ChainingModes;  import iaik.pki.revocation.RevocationSourceTypes;  import iaik.server.modules.xml.BlackListEntry;  import iaik.server.modules.xml.ExternalReferenceChecker; +import iaik.server.modules.xml.WhiteListEntry;  import iaik.utils.RFC2253NameParser;  import iaik.utils.RFC2253NameParserException; @@ -66,6 +67,7 @@ import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl;  import at.gv.egovernment.moa.spss.util.MessageProvider;  import at.gv.egovernment.moa.util.Constants;  import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.FileUtils;  import at.gv.egovernment.moa.util.StringUtils;  import at.gv.egovernment.moa.util.XPathUtils; @@ -101,6 +103,10 @@ public class ConfigurationPartsBuilder {      ROOT + CONF + "SignatureCreation/"       + CONF + "XMLDSig/"       + CONF + "DigestMethodAlgorithm"; +  private static final String XADES_VERSION_XPATH = +		    ROOT + CONF + "SignatureCreation/"  +		    + CONF + "XAdES/"  +		    + CONF + "Version";    private static final String C14N_ALGORITHM_XPATH =      ROOT + CONF + "SignatureCreation/"       + CONF + "XMLDSig/"  
@@ -115,6 +121,13 @@ public class ConfigurationPartsBuilder {  	    ROOT + CONF + "Common/"  	    + CONF + "PermitExternalUris/"  	    + CONF + "BlackListUri"; +  private static final String FORBID_EXTERNAL_URIS_XPATH = +		    ROOT + CONF + "Common/" +		    + CONF + "ForbidExternalUris"; +  private static final String WHITE_LIST_URIS_XPATH = +		    ROOT + CONF + "Common/" +		    + CONF + "ForbidExternalUris/" +		    + CONF + "WhiteListUri";    private static final String HARDWARE_KEY_XPATH =      ROOT + CONF + "SignatureCreation/"  @@ -263,15 +276,22 @@ public class ConfigurationPartsBuilder {    /** The accepted digest method algorithm URIs, as an array */    private static final String[] ACCEPTED_DIGEST_ALGORITHMS_ARRAY = -    { Constants.SHA1_URI }; +    { Constants.SHA1_URI, +	  Constants.SHA256_URI, +	  Constants.SHA384_URI, +	  Constants.SHA512_URI};    /** The accepted digest method algorithm URIs, as a Set */    private static final Set ACCEPTED_DIGEST_ALGORITHMS =      new HashSet(Arrays.asList(ACCEPTED_DIGEST_ALGORITHMS_ARRAY)); - -  /** Default digest algorithm URI, if none/illegal has been configured */ -  private static final String DIGEST_ALGORITHM_DEFAULT = Constants.SHA1_URI; - +   +   +  /** Default digest algorithm URI, if none/illegal has been configured (for XAdES 1.1.1) */ +  private static final String DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1 = Constants.SHA1_URI; +   +  /** Default digest algorithm URI, if none/illegal has been configured (for XAdES 1.4.2) */ +  private static final String DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2 = Constants.SHA256_URI; +      /** The root element of the MOA configuration */    private Element configElem; 
@@ -333,18 +353,42 @@ public class ConfigurationPartsBuilder {    public String getDigestMethodAlgorithmName()     {      String digestMethod = getElementValue(getConfigElem(), DIGEST_METHOD_XPATH, null); - +          if (digestMethod == null || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod))      { -      info( -        "config.23", -        new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT }); -      digestMethod = DIGEST_ALGORITHM_DEFAULT; +    	String xadesVersion = this.getXAdESVersion(); +    	if (xadesVersion == null) { +    		info( +    		        "config.23", +    		        new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1 }); +    		      digestMethod = DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1;	 +    	} +    	else { +    		info( +    		        "config.23", +    		        new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2 }); +    		      digestMethod = DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2; +    	} +    	 +            }      return digestMethod;    } - +   +  /** +   * Returns the digest method algorithm name. +   *  +   * @return The digest method algorithm name from the configuration. +   */ +  public String getXAdESVersion()  +  { +    String xadesVersion = getElementValue(getConfigElem(), XADES_VERSION_XPATH, null); +     +    return xadesVersion; +  } +   +      /**     * Returns the canonicalization algorithm name.     *  @@ -409,6 +453,7 @@ public class ConfigurationPartsBuilder {  	  }    } +      /**     *      * @return @@ -448,10 +493,12 @@ public class ConfigurationPartsBuilder {  	      array[1] = port;  	      blacklist.add(array); -	    } +	  } +	    	  // set blacklist for iaik-moa  	  ExternalReferenceChecker.setBlacklist(blackListIaikMoa); +  	  if(blacklist.isEmpty()) // no blacklisted uris given  		  info("config.36", null); 
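Review bot: The Javadoc on the new `getXAdESVersion()` is copied from the digest-method getter ("Returns the digest method algorithm name.") and describes the wrong method; suggested text: `Returns the XAdES version configured under XADES_VERSION_XPATH, or {@code null} if none is configured.` In `getDigestMethodAlgorithmName()` the fallback comments say "for XAdES 1.4.2", but the `else` branch fires for any non-null version string, so a configured legacy version value would also receive the SHA-256 default; if that is unintended, compare against the version string the configuration actually uses instead of testing only for `null`. The two `info("config.23", …)` calls report the default that was chosen but not the rejected configured value, which makes a mistyped `DigestMethodAlgorithm` hard to spot in the log.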
@@ -459,7 +506,63 @@ public class ConfigurationPartsBuilder {  	  return blacklist;    } +   +  /** +   *  +   * @return +   */ +  public List buildForbidExternalUris() { +	     +	  //info("config.47", null); +	   +	  List whitelist = new ArrayList(); +	  List whiteListIaikMoa = new ArrayList(); +	   +	  NodeIterator forbidExtIter = XPathUtils.selectNodeIterator( +			  getConfigElem(), +			  WHITE_LIST_URIS_XPATH); +	   +	  Element permitExtElem = null; +	  while ((permitExtElem = (Element) forbidExtIter.nextNode()) != null) { +	      String host = getElementValue(permitExtElem, CONF + "IP", null); +	      String port = getElementValue(permitExtElem, CONF + "Port", null); +	       +	      // WhiteListeEntry +	      WhiteListEntry entry =null; +	      if (port == null) { +	    	  entry = new WhiteListEntry(host, -1); +	    	  info("config.49", new Object[]{host}); +      } +	      else {	    	   +	    	  entry = new WhiteListEntry(host, new Integer(port).intValue()); +	    	  info("config.49", new Object[]{host + ":" + port}); +	      } +	       +	      // add entry to iaik-moa whitelist	       +	      whiteListIaikMoa.add(entry); +	      	        +	       +	      String array[] = new String[2]; +	      array[0] = host; +	      array[1] = port; +	      whitelist.add(array); +	       +	  } +	   +	   +	  // set whitelist for iaik-moa +	  ExternalReferenceChecker.setWhitelist(whiteListIaikMoa); + +	   +	  if(whitelist.isEmpty()) // no whitelisted uris given +		  info("config.48", null); +		   +	   +	  return whitelist; +  } +  +      /**     * Build the configured hardware keys.      *  
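Review bot: `host` may be `null` (`getElementValue(permitExtElem, CONF + "IP", null)` defaults to null) and is passed unchecked into `new WhiteListEntry(host, -1)`, and `new Integer(port).intValue()` throws an uncaught NumberFormatException for a non-numeric `Port`; both cases should be rejected with a configuration error rather than creating an entry or failing deep inside `buildForbidExternalUris`. Since this list is a whitelist, skipping a malformed entry is the fail-closed choice, but whether `error(...)` aborts configuration loading is not visible here, so confirm that policy. The method also has an empty Javadoc (`@return` with no text), a commented-out `info("config.47", null)` and a misaligned `}` after the `port == null` branch that obscures the nesting; suggested Javadoc: `Build the list of white-listed external URIs (host/port pairs) from ForbidExternalUris/WhiteListUri and register them with the iaik-moa ExternalReferenceChecker.`
```java
	  while ((permitExtElem = (Element) forbidExtIter.nextNode()) != null) {
	      String host = getElementValue(permitExtElem, CONF + "IP", null);
	      String port = getElementValue(permitExtElem, CONF + "Port", null);

	      // a WhiteListUri without an IP element would whitelist a null host; reject it
	      if (host == null || host.trim().length() == 0) {
	          error("<message key: WhiteListUri without IP>", null);
	          continue;
	      }

	      int portNumber = -1;
	      if (port != null) {
	          try {
	              portNumber = Integer.parseInt(port.trim());
	          } catch (NumberFormatException e) {
	              error("<message key: WhiteListUri with non-numeric Port>", new Object[] { host, port });
	              continue;
	          }
	      }

	      WhiteListEntry entry = new WhiteListEntry(host, portNumber);
	      info("config.49", new Object[] { port == null ? host : host + ":" + port });
	      whiteListIaikMoa.add(entry);

	      // … unchanged: add {host, port} String[] to whitelist …
	  }
```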
@@ -573,9 +676,10 @@ public class ConfigurationPartsBuilder {      while ((keyGroupElem = (Element) kgIter.nextNode()) != null)       {        String keyGroupId = getElementValue(keyGroupElem, CONF + "Id", null); +      String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null);        Set keyGroupEntries =          buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); -      KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries); +      KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm);        if (keyGroups.containsKey(keyGroupId))         { @@ -1032,11 +1136,11 @@ public class ConfigurationPartsBuilder {    }    /** -   * Bulid the trust profile mapping. +   * Build the trust profile mapping.     *      * @return The profile ID to profile mapping.     */ -  public Map buildTrustProfiles()  +  public Map buildTrustProfiles(String tslWorkingDir)     {      Map trustProfiles = new HashMap();      NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); 
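Review bot: The new per-key-group `DigestMethodAlgorithm` value is handed to `KeyGroup` without validation, whereas the global value in `getDigestMethodAlgorithmName()` is checked against `ACCEPTED_DIGEST_ALGORITHMS` and falls back to a default. A mistyped or unsupported value therefore only surfaces at signing time, as the final `AlgorithmUnavailableException` in `CMSSignatureCreationProfileImpl.getSignatureAlgorithmName` shows; whether the key-group value uses the URI form of `ACCEPTED_DIGEST_ALGORITHMS` or the short names (`"SHA-256"`) compared there is not visible, so validate against whichever form that consumer expects. A configuration-time check such as `if (keyGroupDigestMethodAlgorithm != null && !<accepted digest set>.contains(keyGroupDigestMethodAlgorithm)) error("<message key: unsupported key group digest algorithm>", new Object[] { keyGroupId, keyGroupDigestMethodAlgorithm });` would report the problem when the configuration is loaded. The enclosing loop starts outside the hunk.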
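Review bot: `buildTrustProfiles(String tslWorkingDir)` gains a parameter, but the Javadoc this hunk touches still has no `@param` for it; suggested: `@param tslWorkingDir The TSL working directory; TSL-enabled profiles get a writable copy of their trust anchors below it.` (the copying is done in the later hunk of this method). The method body continues outside the hunk.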
@@ -1110,8 +1214,54 @@ public class ConfigurationPartsBuilder {        }        signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; -      TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); +       +      TrustProfile profile = null; +       +      if (tslEnabled) { +    	  // create new trust anchor location (=tslworking trust profile) +    	  File fTslWorkingDir = new File(tslWorkingDir); +    	  File tp = new File(fTslWorkingDir, "trustprofiles"); +    	  if (!tp.exists()) +    		  tp.mkdir(); +    	  if (!tp.isDirectory()) { +        	  error("config.50", new Object[] { tp.getPath() }); +          } +    	   +    	  File tpid = new File(tp, id);        	  +    	  if (!tpid.exists()) +              tpid.mkdir(); +    	  if (!tpid.isDirectory()) { +        	  error("config.50", new Object[] { tpid.getPath() }); +          } + +        	   +    	  // create profile +    	  profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries); +    	   +    	  // set original uri (save original trust anchor location)    	     +    	  profile.setUriOrig(trustAnchorsLocURI.getPath()); +    	   +    	  // delete files in tslworking trust profile +    	  File[] files = tpid.listFiles(); +			for (File file : files)  +	              file.delete(); +    	   +    	  // copy files from trustAnchorsLocURI into tslworking trust profile kopieren +    	  File src = new File(trustAnchorsLocURI.getPath()); +    	  files = src.listFiles();                     +          for (File file : files) {  +              FileUtils.copyFile(file, new File(tpid, file.getName()));   +          }  +           +           +      } else { +       +    	  profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); +       +      } +              trustProfiles.put(id, profile); +            }      return trustProfiles; 
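Review bot: `tpid.listFiles()` and `src.listFiles()` are iterated without a null check, and `File.listFiles()` returns `null` when the path is not a directory (the `error("config.50", …)` branches above do not stop execution as far as this hunk shows, and `trustAnchorsLocURI.getPath()` may point to a single file), so such a misconfiguration ends in a NullPointerException instead of a configuration error. The trust profile `id` from the configuration is also used unchecked as a path component in `new File(tp, id)` and every file in the resulting directory is then deleted; an id containing a separator or `..` would resolve outside `trustprofiles`, so the directory should be confirmed to be a direct child of `tp` before anything is deleted or copied. `profile.setUriOrig(trustAnchorsLocURI.getPath())` stores the path form while the non-TSL branch keeps `trustAnchorsLocURI.toString()`; document which form `getUriOrig()` consumers expect. The `mkdir()` results are ignored and the comment `// copy files … kopieren` still carries a German fragment. The enclosing loop and method start and end outside the hunk, and `getCanonicalFile()` below needs `java.io.IOException` handling if it is not already imported.
```java
      if (tslEnabled) {
    	  // … unchanged: create/check <tslWorkingDir>/trustprofiles (tp) …
    	  File tpid = new File(tp, id);
    	  // id is a configuration value used as a path component: accept only a
    	  // direct child of tp, otherwise the delete/copy below could hit another directory
    	  try {
    		  if (!tp.getCanonicalFile().equals(tpid.getCanonicalFile().getParentFile())) {
    			  error("<message key: invalid trust profile id>", new Object[] { id });
    			  continue;  // assumes the enclosing block is the profile loop
    		  }
    	  } catch (IOException e) {
    		  error("<message key: invalid trust profile id>", new Object[] { id });
    		  continue;
    	  }
    	  // … unchanged: create/check tpid, create profile, setUriOrig …

    	  // delete files in tslworking trust profile
    	  File[] files = tpid.listFiles();
    	  if (files != null) {
    		  for (File file : files) {
    			  file.delete();
    		  }
    	  }

    	  // copy files from trustAnchorsLocURI into tslworking trust profile
    	  File src = new File(trustAnchorsLocURI.getPath());
    	  files = src.listFiles();
    	  if (files == null) {
    		  error("<message key: trust anchor location is not a directory>", new Object[] { src.getPath() });
    	  } else {
    		  for (File file : files) {
    			  FileUtils.copyFile(file, new File(tpid, file.getName()));
    		  }
    	  }
      } else {
    	  // … unchanged: non-TSL profile …
```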
@@ -1428,11 +1578,11 @@ public class ConfigurationPartsBuilder {  	  TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl(); -//	  String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); -//	  if (StringUtils.isEmpty(euTSLUrl)) { -//		  warn("config.39", new Object[] { "EUTSL", euTSLUrl }); -//		  return null; -//	  } +	  String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); +	  if (StringUtils.isEmpty(euTSLUrl)) { +		  euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; +		  warn("config.39", new Object[] { "EUTSL", euTSLUrl }); +	  }  	  String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null); 
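Review bot: `warn("config.39", new Object[] { "EUTSL", euTSLUrl })` is now issued after `euTSLUrl` has been replaced by `TSLConfiguration.DEFAULT_EU_TSL_URL`, so the message reports the fallback value rather than flagging that `EUTSLUrl` was missing or empty; if the message is meant to name the offending value, capture it before the assignment or pass the default as a second argument. Silently falling back to a built-in TSL URL is also a behaviour change from the removed `return null` and deserves a comment here, e.g. `// EUTSLUrl is optional; fall back to the built-in EU TSL location`. Whether `TSLConfiguration` is imported in this file is not visible in the hunk.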
@@ -1488,17 +1638,31 @@ public class ConfigurationPartsBuilder {            return null;          } +      File hashcache = new File(tslWorkingDir, "hashcache"); +      if (!hashcache.exists()) { +    	  hashcache.mkdir(); +      } +      if (!hashcache.isDirectory()) { +    	  error("config.38", new Object[] { hashcache.getAbsolutePath() }); +          return null;   +      } + +      System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +//    String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +//    System.out.println("Hashcache: " + hashcachedir); + +      debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl);        debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod);        debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime);        debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath()); +      debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath());  	  // set TSL configuration -	  //tslconfiguration.setEuTSLUrl(euTSLUrl); +	  tslconfiguration.setEuTSLUrl(euTSLUrl);  	  tslconfiguration.setUpdateSchedulePeriod(Long.valueOf(updateSchedulePeriod).longValue());  	  tslconfiguration.setUpdateScheduleStartTime(updateScheduleStartTimeDate);  	  tslconfiguration.setWorkingDirectory(tslWorkingDir.getAbsolutePath()); -	   -	   +	  tslconfiguration.setWorkingDirectoryURI(workingDirectoryURI);  	  return tslconfiguration;    } @@ -1526,7 +1690,6 @@ public class ConfigurationPartsBuilder {             map.put(x509IssuerName, interval);          } -        //System.out.println("Name: " + x509IssuerName + " - Interval: " + interval);       }       return map; 
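Review bot: `System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", …)` mutates a JVM-global property from within configuration building, so it affects every other component in the same JVM (a second web application, or a configuration reload) and is never reset; if the IAIK TSL library offers a non-global way to set the cache directory, prefer that, otherwise document the side effect with a comment such as `// process-wide: the IAIK TSL hash cache reads its directory from this system property`. The two commented-out `hashcachedir` lines are leftover debug code and should be dropped. `workingDirectoryURI` passed to `setWorkingDirectoryURI` is defined outside the hunk, so its derivation could not be checked here.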
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 25fa0d6ad..2cad35763 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -41,6 +41,7 @@ import java.util.Collections;  import java.util.Iterator;  import java.util.List;  import java.util.Map; +import java.util.Map.Entry;  import java.util.Set;  import org.w3c.dom.Element; @@ -99,7 +100,10 @@ public class ConfigurationProvider    /** The default canonicalization algorithm name */    private String canonicalizationAlgorithmName; - +   +  /** The XAdES version used for signature creation */ +  private String xadesVersion; +      /**      * A <code>List</code> of <code>HardwareCryptoModule</code> objects for      * configuring hardware modules. @@ -252,6 +256,11 @@ public class ConfigurationProvider    private List blackListedUris_;    /** +   * A <code>List</code> of white listed URIs (host and port) +   */ +  private List whiteListedUris_; +   +  /**     * A <code>TSLConfiguration</code> that represents the global TSL configuration     */    private TSLConfiguration tslconfiguration_; 
@@ -351,11 +360,15 @@ public class ConfigurationProvider        keyGroups = builder.buildKeyGroups(allKeyModules);        keyGroupMappings =          builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); +       +      tslconfiguration_ = builder.getTSLConfiguration(); +       +      xadesVersion = builder.getXAdESVersion();        defaultChainingMode = builder.getDefaultChainingMode();        chainingModes = builder.buildChainingModes();        useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess();        autoAddCertificates_ = builder.getAutoAddCertificates(); -      trustProfiles = builder.buildTrustProfiles(); +      trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());        distributionPoints = builder.buildDistributionPoints();        enableRevocationChecking_ = builder.getEnableRevocationChecking();        maxRevocationAge_ = builder.getMaxRevocationAge(); @@ -365,7 +378,7 @@ public class ConfigurationProvider        revocationArchiveJDBCURL_ = builder.getRevocationArchiveJDBCURL();        revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); -      tslconfiguration_ = builder.getTSLConfiguration(); +              //check TSL configuration        checkTSLConfiguration(); @@ -382,11 +395,14 @@ public class ConfigurationProvider        allowExternalUris_= builder.allowExternalUris(); -      if (allowExternalUris_)  +      if (allowExternalUris_) {       	  blackListedUris_ = builder.buildPermitExternalUris(); +    	  whiteListedUris_ = null; +      }        else {      	  info("config.35", null);      	  blackListedUris_ = null; +    	  whiteListedUris_ = builder.buildForbidExternalUris();        } 
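Review bot: `builder.getTSLConfiguration()` has `return null` paths (see the `hashcache` checks in ConfigurationPartsBuilder in this same commit), and the new call `builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory())` dereferences the result before `checkTSLConfiguration()` runs a few lines later, so a TSL misconfiguration now surfaces as a NullPointerException rather than the intended configuration error. If `checkTSLConfiguration()` is the null/validity check, move it up: `tslconfiguration_ = builder.getTSLConfiguration();` followed directly by `checkTSLConfiguration();` before `buildTrustProfiles`, and drop the later call; otherwise guard the dereference explicitly. What `checkTSLConfiguration()` does is not visible in this hunk.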
@@ -457,6 +473,16 @@ public class ConfigurationProvider      return digestMethodAlgorithmName;    } +  /** +   * Return the XAdES version used for signature creation. +   *  +   * @return The XAdES version used for signature creation, or an empty <code>String</code>, +   * if none has been configured. +   */ +  public String getXAdESVersion() { +    return xadesVersion; +  } +     public boolean getAllowExternalUris() {  	  return this.allowExternalUris_;    } @@ -464,6 +490,9 @@ public class ConfigurationProvider    public List getBlackListedUris() {  	  return this.blackListedUris_;    } +  public List getWhiteListedUris() { +	  return this.whiteListedUris_; +  }    /**     * Return the name of the canonicalization algorithm used during signature @@ -515,6 +544,11 @@ public class ConfigurationProvider    public Map getKeyGroups() {      return keyGroups;    } +   +  public KeyGroup getKeyGroup(String keyGroupId) {	   +	  KeyGroup keyGroup = (KeyGroup) keyGroups.get(keyGroupId); +	  return keyGroup; +  }    /**     * Return the set of <code>KeyGroupEntry</code>s of a given key group, which a @@ -542,6 +576,16 @@ public class ConfigurationProvider        issuerAndSerial = new IssuerAndSerial(issuer, serial);      } +//    System.out.println("Issuer: " + issuer); +//    System.out.println("serial: " + serial); +//     +//    Iterator entries = keyGroupMappings.entrySet().iterator(); +//    while (entries.hasNext()) { +//      Entry thisEntry = (Entry) entries.next(); +//      System.out.println("Entry: " + thisEntry.getKey()); +//      System.out.println("Value: " + thisEntry.getValue()); +//    }       +          mapping = (Map) keyGroupMappings.get(issuerAndSerial);      if (mapping != null) {        KeyGroup keyGroup = (KeyGroup) mapping.get(keyGroupId); 
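Review bot: The Javadoc of `getXAdESVersion()` promises "an empty String if none has been configured", but the value comes from `ConfigurationPartsBuilder.getXAdESVersion()`, which reads it with a `null` default, and `getDigestMethodAlgorithmName()` branches on `xadesVersion == null`; the contract should read `or {@code null} if none has been configured` (or the provider should normalise to an empty string and the builder's null check be adjusted to match). The new accessors `getWhiteListedUris()` and `getKeyGroup(String)` in the following hunks have no Javadoc; e.g. `Return the white-listed external URIs (host/port pairs), or {@code null} when external URIs are allowed.` and `Return the KeyGroup with the given ID, or {@code null} if no such group is configured.`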
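Review bot: The `@@ -542` hunk adds a nine-line block of commented-out `System.out.println` debugging code, and the `java.util.Map.Entry` import added at the top of the file appears to exist only for that dead block (no other use is visible in this diff); both should be removed rather than committed, since uncommenting later would print issuer/serial mapping details to stdout. The enclosing method starts and ends outside the hunk.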
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index 22ed8ae83..c2490f9a3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java @@ -40,16 +40,20 @@ public class KeyGroup {    private Set keyGroupEntries;    /** The key group ID. */    private String id; +  /** The digest method algorithm for the key group */ +  private String digestMethodAlgorithm;    /**     * Create a <code>KeyGroup</code>.     *      * @param id The ID of this <code>KeyGroup</code>.     * @param keyGroupEntries The keys belonging to this <code>KeyGroup</code>. +   * @param digestMethodAlgorithm The signature algorithm used for this key group     */ -  public KeyGroup(String id, Set keyGroupEntries) { +  public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) {      this.id = id;      this.keyGroupEntries = keyGroupEntries; +    this.digestMethodAlgorithm = digestMethodAlgorithm;     }    /** @@ -60,6 +64,14 @@ public class KeyGroup {    public Set getKeyGroupEntries() {      return keyGroupEntries;    } +   +  /** +   * Returnd the digest method algorithm used for this key group +   * @return The digest method signature algorithm used for this key group +   */ +  public String getDigestMethodAlgorithm() { +	  return digestMethodAlgorithm; +  }    /**     * Return the ID of this <code>KeyGroup</code>. @@ -87,7 +99,7 @@ public class KeyGroup {          sb.append(" " + i.next());        }      } -    return "(KeyGroup - ID:" + id + " " + sb.toString() + ")"; +    return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " + digestMethodAlgorithm;    }  } 
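Review bot: The new `@param digestMethodAlgorithm` tag describes a "signature algorithm", and the getter hunk below repeats "digest method signature algorithm" plus a typo ("Returnd"); the field is the digest method algorithm for this key group, so use consistent wording: `@param digestMethodAlgorithm The digest method algorithm configured for this key group (may be {@code null} if not configured).` and `Return the digest method algorithm configured for this key group.` That `null` is possible follows from ConfigurationPartsBuilder reading the value with a `null` default in this commit.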
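Review bot: In `toString()` the new suffix is concatenated directly after the closing parenthesis, `")" + "DigestMethodAlgorithm: " + digestMethodAlgorithm`, so the output reads `…)DigestMethodAlgorithm: …`; move it inside the parentheses with a separator, e.g. `return "(KeyGroup - ID:" + id + " " + sb.toString() + " DigestMethodAlgorithm: " + digestMethodAlgorithm + ")";`.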
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 1b5f4473d..21063c77f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -41,6 +41,8 @@ public class TrustProfile {    private String signerCertsUri;    /** Defines if Trustprofile makes use of EU TSL*/    private boolean tslEnabled; +  /** The original URI (out of the configuration) giving the location of the trust profile (used when TSL is enabled) */ +  private String uriOrig;    /** The countries given */      private String countries;    /** */ @@ -80,6 +82,15 @@ public class TrustProfile {    public String getUri() {      return uri;    } +   +  /** +   * Return the original URI of this <code>TrustProfile</code>. +   *  +   * @return The original URI of <code>TrustProfile</code>. +   */ +  public String getUriOrig() { +    return uriOrig; +  }    /**     * Return the URI giving the location of the allowed signer certificates 
@@ -108,20 +119,14 @@ public class TrustProfile {  		  return countries;    } +         /** -   * Return the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update -   * @return The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update +   * Sets the original URI of this <code>TrustProfile</code>. +   *  +   * @return The original URI of <code>TrustProfile</code>.     */ -  public X509Certificate[] getCertficatesToBeRemoved() { -	  return certificatesToBeRemoved; +  public void setUriOrig(String uriOrig) { +    this.uriOrig = uriOrig;    } -  /** -   * Sets the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update -   * @param certificates The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update -   */ -  public void setCertificatesToBeRemoved(X509Certificate[] certificates) { -	  this.certificatesToBeRemoved = new X509Certificate[certificates.length]; -	  this.certificatesToBeRemoved = certificates; -  }  } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java new file mode 100644 index 000000000..49e5ecc10 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java 
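Review bot: The Javadoc on the new `setUriOrig(String)` carries a `@return` tag on a `void` method; it should be `@param uriOrig The original trust anchor location from the configuration.` The hunk removes `getCertficatesToBeRemoved()`/`setCertificatesToBeRemoved(...)`, but whether the backing field `certificatesToBeRemoved` (and the `X509Certificate` import) goes too is not visible here; if it remains it is now dead state and should be removed as well.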
@@ -0,0 +1,249 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ + + +package at.gv.egovernment.moa.spss.server.iaik.cmssign; + +import iaik.server.modules.algorithms.SignatureAlgorithms; +import iaik.server.modules.cmssign.CMSSignatureCreationProfile; +import iaik.server.modules.keys.AlgorithmUnavailableException; +import iaik.server.modules.keys.KeyEntryID; +import iaik.server.modules.keys.KeyModule; +import iaik.server.modules.keys.KeyModuleFactory; +import iaik.server.modules.keys.UnknownKeyException; + +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.server.logging.TransactionId; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; + +/** + * An object providing auxiliary information for creating a CMS signature. + *  + * @author Patrick Peck + * @version $Id$ + */ +public class CMSSignatureCreationProfileImpl +  implements CMSSignatureCreationProfile { + +  /** The set of keys available to the signing process. */ +  private Set keySet; +  /** The MIME type of the data to be signed*/ +  private String mimeType; +  /** Whether the created signature is to be Security Layer conform. */  +  private boolean securityLayerConform; +  /** Properties to be signed during signature creation. */  +  private List signedProperties; +  /** Specifies whether the content data shall be included in the CMS SignedData or shall be not included. */ +  private boolean includeData; +  /** Digest Method algorithm  */ +  private String digestMethod; +   +   +  /** +   * Create a new <code>XMLSignatureCreationProfileImpl</code>. +   *  +   * @param createProfileCount Provides external information about the  +   * number of calls to the signature creation module, using the same request. +   * @param reservedIDs The set of IDs that must not be used while generating +   * new IDs. 
+   */ +  public CMSSignatureCreationProfileImpl( +    Set keySet, +    String digestMethod, +    List signedProperties, +    boolean securityLayerConform, +    boolean includeData, +    String mimeType) { +	  this.keySet = keySet; +	  this.signedProperties = signedProperties; +	  this.securityLayerConform = securityLayerConform; +	  this.includeData = includeData; +	  this.mimeType = mimeType; +	  this.digestMethod = digestMethod; + +  } + +   +  /** +   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getKeySet() +   */ +  public Set getKeySet() { +    return keySet; +  } + +  /** +   * Set the set of <code>KeyEntryID</code>s which may be used for signature +   * creation. +   *  +   * @param keySet The set of <code>KeyEntryID</code>s to set. +   */ +  public void setKeySet(Set keySet) { +    this.keySet = keySet; +  } + + +  /** +   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureAlgorithmName(KeyEntryID) +   */ +  public String getSignatureAlgorithmName(KeyEntryID selectedKeyID) +    throws AlgorithmUnavailableException { + +	   +    TransactionContext context = +      TransactionContextManager.getInstance().getTransactionContext(); +    TransactionId tid = new TransactionId(context.getTransactionID()); +    KeyModule module = KeyModuleFactory.getInstance(tid); +    Set algorithms; + +    try { +      algorithms = module.getSupportedSignatureAlgorithms(selectedKeyID); +    } catch (UnknownKeyException e) { +      throw new AlgorithmUnavailableException( +        "Unknown key entry: " + selectedKeyID, +        e, +        null); +    } +     +      	if (digestMethod.compareTo("SHA-1") == 0) { +    		Logger.warn("SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. 
SHA-256, SHA-384, SHA-512)"); +    		 +    		if  (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { +                  return SignatureAlgorithms.SHA1_WITH_RSA; +                   +    		} else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { +                  return SignatureAlgorithms.ECDSA; +                   +    		} else if (algorithms.contains(SignatureAlgorithms.DSA)) { +    			return SignatureAlgorithms.DSA; +    			 +    		} else { +    			throw new AlgorithmUnavailableException( +    					"No algorithm for key entry: " + selectedKeyID, +                         null, +                         null); +             } +    		 +    	} else if (digestMethod.compareTo("SHA-256") == 0) { +    		if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {  +             	return SignatureAlgorithms.SHA256_WITH_RSA; +             	 +    		} else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { +             	return SignatureAlgorithms.SHA256_WITH_ECDSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.DSA)) { +             	return SignatureAlgorithms.DSA; +             	 +             } else { +             	throw new AlgorithmUnavailableException( +             			"No algorithm for key entry: " + selectedKeyID, +             			null, +             	        null); +             } +    	} else if (digestMethod.compareTo("SHA-384") == 0) { +    		if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { +             	return SignatureAlgorithms.SHA384_WITH_RSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { +             	return SignatureAlgorithms.SHA384_WITH_ECDSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.DSA)) { +             	return SignatureAlgorithms.DSA; +             	 +             } else { +             	throw new AlgorithmUnavailableException( +             			"No algorithm for key entry: 
" + selectedKeyID, +             			null, +             	        null); +             } +    	} else if (digestMethod.compareTo("SHA-512") == 0) { +    		if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { +             	return SignatureAlgorithms.SHA512_WITH_RSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { +             	return SignatureAlgorithms.SHA512_WITH_ECDSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.DSA)) { +             	return SignatureAlgorithms.DSA;  +             	 +             } else { +             	throw new AlgorithmUnavailableException( +             			"No algorithm for key entry: " + selectedKeyID, +             			null, +             	        null); +             } +    	}	 +    	else { +         	throw new AlgorithmUnavailableException( +         			"No signature algorithm found for digest algorithm '" + digestMethod, +         			null, +         	        null); +         } +   + +  } + + +  +  /** +   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() +   */ +  public List getSignedProperties() { +    return signedProperties; +  } + +  /** +   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() +   */ +  public boolean isSecurityLayerConform() { +    return securityLayerConform; +  } + +  /** +   * Sets the security layer conformity. +   *  +   * @param securityLayerConform <code>true</code>, if the created signature +   * is to be conform to the Security Layer specification. +   */ +  public void setSecurityLayerConform(boolean securityLayerConform) { +    this.securityLayerConform = securityLayerConform; +  } + +  +  public void setDigestMethod(String digestMethod) { +	  this.digestMethod = digestMethod; +  } +  + +  public String getMimeType() { +	  return mimeType; +  } + +  public boolean includeData() { +	return this.includeData; +  } + +} 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 9b5dce883..7d0c5a062 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -24,9 +24,6 @@  package at.gv.egovernment.moa.spss.server.iaik.xmlsign; -import java.util.List; -import java.util.Set; -  import iaik.server.modules.algorithms.SignatureAlgorithms;  import iaik.server.modules.keys.AlgorithmUnavailableException;  import iaik.server.modules.keys.KeyEntryID; @@ -37,6 +34,10 @@ import iaik.server.modules.xml.Canonicalization;  import iaik.server.modules.xmlsign.XMLSignatureCreationProfile;  import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation; +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.spss.server.logging.TransactionId;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -75,7 +76,10 @@ public class XMLSignatureCreationProfileImpl    private IdGenerator dsigManifestIDGenerator;    /** The ID generator for signed property IDs. */    private IdGenerator propertyIDGenerator; - +  /** The selected digest method algorithm if XAdES 1.4.2 is used   */ +  private String digestMethodXAdES142; +   +      /**     * Create a new <code>XMLSignatureCreationProfileImpl</code>.     *  
@@ -86,7 +90,8 @@ public class XMLSignatureCreationProfileImpl     */    public XMLSignatureCreationProfileImpl(      int createProfileCount, -    Set reservedIDs) { +    Set reservedIDs, +    String digestMethodXAdES142) {      signatureIDGenerator =        new IdGenerator("signature-" + createProfileCount, reservedIDs);      manifestIDGenerator = @@ -95,6 +100,7 @@ public class XMLSignatureCreationProfileImpl        new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs);      propertyIDGenerator =        new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); +    this.digestMethodXAdES142 = digestMethodXAdES142;    }    /** 
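Review bot: The constructor gains `String digestMethodXAdES142`, but the Javadoc block ending at the `*/` in this hunk has no tag for it; add `@param digestMethodXAdES142 The digest method to use when XAdES 1.4.2 is enabled, or {@code null} to keep the legacy algorithm selection.` (that null semantics is what `getSignatureAlgorithmName` in the later hunk implements). The Javadoc body itself lies outside the hunk.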
@@ -168,27 +174,110 @@ public class XMLSignatureCreationProfileImpl          e,          null);      } - -    if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)  // TODO retournierten Algorithmus abhängig von der Schlüssellänge machen (bei längeren Schlüsseln SHA256 statt SHA1) -      || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) -      || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) -      || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) -      || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) -      || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { - -      return SignatureAlgorithms.SHA1_WITH_RSA; -    } else if ( -      algorithms.contains(SignatureAlgorithms.ECDSA)) { -      return SignatureAlgorithms.ECDSA; -    } else if ( -      algorithms.contains(SignatureAlgorithms.DSA)) { -      return SignatureAlgorithms.DSA;  -    } else { -      throw new AlgorithmUnavailableException( -        "No algorithm for key entry: " + selectedKeyID, -        null, -        null); +     +    if (digestMethodXAdES142 == null) { +    	// XAdES 1.4.2 not enabled - legacy MOA +        if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)   +        		|| algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) +        		|| algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) +        		|| algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) +        		|| algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) +        		|| algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + +        	return SignatureAlgorithms.SHA1_WITH_RSA; +        } else if ( +        		algorithms.contains(SignatureAlgorithms.ECDSA)) { +        	return SignatureAlgorithms.ECDSA; +        } else if ( +        		algorithms.contains(SignatureAlgorithms.DSA)) { +        	return SignatureAlgorithms.DSA;  +        } else { +        	throw new AlgorithmUnavailableException( +        			"No algorithm for key entry: " + 
selectedKeyID, +        			null, +        	        null); +        } +    } +    else { +    	// XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method +    	if (digestMethodXAdES142.compareTo("SHA-1") == 0) { +    		Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); +    		 +    		if  (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { +                  return SignatureAlgorithms.SHA1_WITH_RSA; +                   +    		} else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { +                  return SignatureAlgorithms.ECDSA; +                   +    		} else if (algorithms.contains(SignatureAlgorithms.DSA)) { +    			return SignatureAlgorithms.DSA; +    			 +    		} else { +    			throw new AlgorithmUnavailableException( +    					"No algorithm for key entry: " + selectedKeyID, +                         null, +                         null); +             } +    		 +    	} else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { +    		if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {  +             	return SignatureAlgorithms.SHA256_WITH_RSA; +             	 +    		} else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { +             	return SignatureAlgorithms.SHA256_WITH_ECDSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.DSA)) { +             	return SignatureAlgorithms.DSA; +             	 +             } else { +             	throw new AlgorithmUnavailableException( +             			"No algorithm for key entry: " + selectedKeyID, +             			null, +             	        null); +             } +    	} else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { +    		if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { +             	return SignatureAlgorithms.SHA384_WITH_RSA; +  
           	 +             } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { +             	return SignatureAlgorithms.SHA384_WITH_ECDSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.DSA)) { +             	return SignatureAlgorithms.DSA; +             	 +             } else { +             	throw new AlgorithmUnavailableException( +             			"No algorithm for key entry: " + selectedKeyID, +             			null, +             	        null); +             } +    	} else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { +    		if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { +             	return SignatureAlgorithms.SHA512_WITH_RSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { +             	return SignatureAlgorithms.SHA512_WITH_ECDSA; +             	 +             } else if (algorithms.contains(SignatureAlgorithms.DSA)) { +             	return SignatureAlgorithms.DSA;  +             	 +             } else { +             	throw new AlgorithmUnavailableException( +             			"No algorithm for key entry: " + selectedKeyID, +             			null, +             	        null); +             } +    	}	 +    	else { +         	throw new AlgorithmUnavailableException( +         			"No signature algorithm found for digest algorithm '" + digestMethodXAdES142, +         			null, +         	        null); +         } +    	      } +     +    }    /** diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index c9b76dd7e..12d8b0126 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java 
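Review bot: The legacy branch (`digestMethodXAdES142 == null`) still returns `SignatureAlgorithms.SHA1_WITH_RSA` even when the key also offers `SHA256_WITH_RSA`, and the move dropped the old TODO that flagged exactly this; checking `if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; }` ahead of the existing chain would stop deployments that never set the XAdES digest method from producing SHA-1 signatures. In the SHA-256/384/512 branches the last fallback is the plain `SignatureAlgorithms.DSA` constant, which — if it denotes SHA1withDSA, as its reuse in the SHA-1 branch suggests — silently downgrades the digest the operator configured, so that case should at least be logged like the SHA-1 case is. The final error message lacks its closing quote: `"No signature algorithm found for digest algorithm '" + digestMethodXAdES142 + "'"`. The string comparisons read better as `"SHA-256".equals(digestMethodXAdES142)` than `compareTo(...) == 0`. The enclosing method starts outside the hunk.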
@@ -31,15 +31,12 @@ import iaik.server.ConfigurationData;  import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;  import iaik.xml.crypto.tsl.ex.TSLSearchException; -import java.io.File;  import java.io.FileNotFoundException;  import java.io.IOException;  import java.security.cert.CertificateException; -import java.util.ArrayList;  import java.util.Calendar;  import java.util.Date;  import java.util.GregorianCalendar; -import java.util.Iterator;  import java.util.Timer;  import at.gv.egovernment.moa.logging.LogMsg; @@ -122,9 +119,10 @@ public class SystemInitializer {      try {        ConfigurationProvider config = ConfigurationProvider.getInstance();        ConfigurationData configData = new IaikConfigurator().configure(config); - +              //initialize TSL module        TSLConfiguration tslconfig = config.getTSLConfiguration(); +              TSLConnector tslconnector = new TSLConnector();        if (tslconfig != null) {      	  //Logger.info(new LogMsg(msg.getMessage("init.01", null))); @@ -133,10 +131,12 @@ public class SystemInitializer {        } +              //start TSL Update        TSLUpdaterTimerTask.tslconnector_ = tslconnector;        TSLUpdaterTimerTask.update(); +              //initialize TSL Update Task        initTSLUpdateTask(tslconfig); 
@@ -154,13 +154,13 @@ public class SystemInitializer {      	Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);      } catch (TrustStoreException e) {      	Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); -    } catch (CertificateException e) { -    	Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);      } catch (FileNotFoundException e) {      	Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);      } catch (IOException e) {      	Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); -    } +    } catch (CertificateException e) { +    	Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +	}      // set IXSIL debug output      IXSILInit.setPrintDebugLog( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java new file mode 100644 index 000000000..e058c8a4b --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java 
@@ -0,0 +1,396 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ + + +package at.gv.egovernment.moa.spss.server.invoke; + +import iaik.server.modules.algorithms.HashAlgorithms; +import iaik.server.modules.cmssign.CMSSignature; +import iaik.server.modules.cmssign.CMSSignatureCreationException; +import iaik.server.modules.cmssign.CMSSignatureCreationModule; +import iaik.server.modules.cmssign.CMSSignatureCreationModuleFactory; +import iaik.server.modules.cmssign.CMSSignatureCreationProfile; +import iaik.server.modules.keys.KeyEntryID; +import iaik.server.modules.keys.KeyModule; +import iaik.server.modules.keys.KeyModuleFactory; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.math.BigInteger; +import java.security.Principal; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.logging.LoggingContext; +import at.gv.egovernment.moa.logging.LoggingContextManager; +import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.MOASystemException; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContentExcplicit; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContentReference; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; +import at.gv.egovernment.moa.spss.api.common.MetaInfo; +import 
at.gv.egovernment.moa.spss.api.impl.CreateCMSSignatureResponseImpl; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry; +import at.gv.egovernment.moa.spss.server.iaik.cmssign.CMSSignatureCreationProfileImpl; +import at.gv.egovernment.moa.spss.server.logging.TransactionId; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.util.Constants; + +/** + * A class providing an API based interface to the + * <code>CMSSignatureCreationModule</code>. + *  + * This class performs the invocation of the  + * <code>iaik.server.modules.cmssign.CMSSignatureCreationModule</code> from a + * <code>CreateCMSSignatureRequest</code> given as an API object. The result of + * the invocation is integrated into a <code>CreateCMSSignatureResponse</code> + * and returned. + *  + * @version $Id$ + */ +public class CMSSignatureCreationInvoker { +	 +	 private static Map HASH_ALGORITHM_MAPPING; + +	  static { +	    HASH_ALGORITHM_MAPPING = new HashMap(); +	    HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); +	    HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); +	    HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); +	    HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512); +	  } +	   + +  /** The single instance of this class. */ +  private static CMSSignatureCreationInvoker instance = null; + +  /** +   * Get the only instance of this class. +   *  +   * @return The only instance of this class. 
+   */ +  public static synchronized CMSSignatureCreationInvoker getInstance() { +    if (instance == null) { +      instance = new CMSSignatureCreationInvoker(); +    } +    return instance; +  } + +  /** +   * Create a new <code>CMSSignatureCreationInvoker</code>. +   *  +   * Protected to disallow multiple instances. +   */ +  protected CMSSignatureCreationInvoker() { +  } +   +  + +  /** +   * Process the <code>CreateCMSSignatureRequest<code> message and invoke the +   * <code>XMLSignatureCreationModule</code> for every +   * <code>SingleSignatureInfo</code> contained in the request. +   *  +   * @param request A <code>CreateCMSSignatureRequest<code> API object +   * containing the information for creating the signature(s). +   * @param reserved A <code>Set</code> of reserved object IDs. +   *  +   * @return A <code>CreateCMSSignatureResponse</code> API object containing +   * the created signature(s). The response contains either a +   * <code>SignatureEnvironment</code> or a <code>ErrorResponse</code> +   * for each <code>SingleSignatureInfo</code> in the request. +   * @throws MOAException An error occurred during signature creation.  
+   */ +  public CreateCMSSignatureResponse createCMSSignature( +    CreateCMSSignatureRequest request, +    Set reserved) +    throws MOAException { + +	  TransactionContext context = TransactionContextManager.getInstance().getTransactionContext();	   +	  //LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); + +	  CreateCMSSignatureResponseBuilder responseBuilder = new CreateCMSSignatureResponseBuilder(); +	  CreateCMSSignatureResponse response = new CreateCMSSignatureResponseImpl(); + +	  boolean isSecurityLayerConform = false; +	  String structure = null; +	  String mimetype = null; +	   +	  // select the SingleSignatureInfo elements +	  Iterator singleSignatureInfoIter = request.getSingleSignatureInfos().iterator(); + +    // iterate over all the SingleSignatureInfo elements in the request +	  while (singleSignatureInfoIter.hasNext()) { +		  SingleSignatureInfo singleSignatureInfo = (SingleSignatureInfo) singleSignatureInfoIter.next(); +		  isSecurityLayerConform = singleSignatureInfo.isSecurityLayerConform(); +		   +		   +		  DataObjectInfo dataObjectInfo = singleSignatureInfo.getDataObjectInfo(); +		  structure = dataObjectInfo.getStructure(); +		   +		  CMSDataObject dataobject = dataObjectInfo.getDataObject(); +		  MetaInfo metainfo = dataobject.getMetaInfo(); +		  mimetype = metainfo.getMimeType(); +			   +		  CMSContent content = dataobject.getContent(); +		  InputStream contentIs = null; +		  // build the content data +		  switch (content.getContentType()) { +		  	case CMSContent.EXPLICIT_CONTENT :			    	   +		  		contentIs = ((CMSContentExcplicit) content).getBinaryContent(); +		  		break; +		  	case CMSContent.REFERENCE_CONTENT : +		  		String reference = ((CMSContentReference) content).getReference(); +		  		if (!"".equals(reference)) { +		  			ExternalURIResolver resolver = new ExternalURIResolver(); +		  			contentIs = resolver.resolve(reference); +		  		} else { +		  			throw new MOAApplicationException("2301", 
null); +		  		} +			    break; +		  	default : { +		  		throw new MOAApplicationException("2301", null); +		  	} +		  } +			 +		  // create CMSSignatureCreationModuleFactory +		  CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance();			     +			     +		  List signedProperties = null; +		  boolean includeData = true; +		  if (structure.compareTo("enveloping") == 0) +			  includeData = true; +		  if (structure.compareTo("detached") == 0) +			  includeData = false; +			     +		  ConfigurationProvider config = context.getConfiguration(); +			     +		  // get the key group id +		  String keyGroupID = request.getKeyIdentifier(); +		  // set the key set +		  Set keySet = buildKeySet(keyGroupID); +		  if (keySet == null) { +			  throw new MOAApplicationException("2231", null); +		  } else if (keySet.size() == 0) { +			  throw new MOAApplicationException("2232", null); +		  } +			     +		  // get digest algorithm +		  String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); +			     +		  // create CMSSignatureCreation profile:			     +		  CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( +				  keySet, +				  digestAlgorithm,  +				  signedProperties, +				  isSecurityLayerConform,  +				  includeData,  +				  mimetype); +		   +		  // create CMSSignature from the CMSSignatureCreationModule +		  // build the additionalSignedProperties +		  List additionalSignedProperties = buildAdditionalSignedProperties(); +		  TransactionId tid = new TransactionId(context.getTransactionID()); +		  try { +			  CMSSignature signature = module.createSignature(profile, additionalSignedProperties, tid); +			  ByteArrayOutputStream out = new ByteArrayOutputStream(); +			  // get CMS SignedData output stream from the CMSSignature and wrap it around out +			  boolean base64 = true; +			  OutputStream  signedDataStream = signature.getSignature(out, base64); +					  +			  // now write the data to be signed to the signedDataStream +			  
byte[] buf = new byte[4096]; +			  int bytesRead; +			  while ((bytesRead = contentIs.read(buf)) >= 0) { +				  signedDataStream.write(buf, 0, bytesRead); +			  }  +					  +			  // finish SignedData processing by closing signedDataStream +			  signedDataStream.close(); +			  String base64value = out.toString(); +					  +			  responseBuilder.addCMSSignature(base64value); +					 +					 +		  } catch (CMSSignatureCreationException e) { +			  MOAException moaException = IaikExceptionMapper.getInstance().map(e); + +	          responseBuilder.addError( +	            moaException.getMessageId(), +	            moaException.getMessage()); +	          Logger.warn(moaException.getMessage(), e); +	           +		  }  +		  catch (IOException e) { +			  throw new MOAApplicationException("2301", null, e);			   +		  } +			 +	  } +	   + +    return responseBuilder.getResponse(); +  } + +   +  private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { +	// get digest method on key group level (if configured) +	    String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); +	    // get default digest method (if configured) +	    String configDigestMethod = config.getDigestMethodAlgorithmName(); +	     +	     +	    String digestMethod = null; +	    if (configDigestMethodKG != null) { +	    	// if KG specific digest method is configured +	    	digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); +	    	if (digestMethod == null) { +	    		error( +	    				"config.17", +	    				new Object[] { configDigestMethodKG}); +	    		throw new MOASystemException("2900", null);    			 +	    	} +	    	Logger.debug("Digest algorithm: " + digestMethod + "(configured in KeyGroup)"); +	    }	    	 +	    else { +	    	// else get default configured digest method +	    	digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); +	    	if (digestMethod == null) { +	    		error( +	    				
"config.17", +	    				new Object[] { configDigestMethod}); +	    		throw new MOASystemException("2900", null);	 +	    	} +	    	Logger.debug("Digest algorithm: " + digestMethod + "(default)"); +	    	 +	    } +		return digestMethod; +  } +   +  /** +   * Utility function to issue an error message to the log. +   *  +   * @param messageId The ID of the message to log. +   * @param parameters Additional message parameters. +   */ +  private static void error(String messageId, Object[] parameters) { +    MessageProvider msg = MessageProvider.getInstance(); + +    Logger.error(new LogMsg(msg.getMessage(messageId, parameters))); +  } +   +  /** +   * Build the set of <code>KeyEntryID</code>s available to the given +   * <code>keyGroupID</code>. +   *  +   * @param keyGroupID The keygroup ID for which the available keys should be +   * returned. +   * @return The <code>Set</code> of <code>KeyEntryID</code>s +   * identifying the available keys. +   */ +  private Set buildKeySet(String keyGroupID) { +    TransactionContext context = +      TransactionContextManager.getInstance().getTransactionContext(); +    ConfigurationProvider config = context.getConfiguration(); +    Set keyGroupEntries; + +    // get the KeyGroup entries from the configuration +    if (context.getClientCertificate() != null) { +      X509Certificate cert = context.getClientCertificate()[0]; +      Principal issuer = cert.getIssuerDN(); +      BigInteger serialNumber = cert.getSerialNumber(); + +      keyGroupEntries = +        config.getKeyGroupEntries(issuer, serialNumber, keyGroupID); +    } else { +      keyGroupEntries = config.getKeyGroupEntries(null, null, keyGroupID); +    } + +    // map the KeyGroup entries to a set of KeyEntryIDs +    if (keyGroupEntries == null) { +      return null; +    } else if (keyGroupEntries.size() == 0) { +      return Collections.EMPTY_SET; +    } else { +      KeyModule module = +        KeyModuleFactory.getInstance( +          new 
TransactionId(context.getTransactionID())); +      Set keyEntryIDs = module.getPrivateKeyEntryIDs(); +      Set keySet = new HashSet(); +      Iterator iter; + +      // filter out the keys that do not exist in the IAIK configuration +      // by walking through the key entries and checking if the exist in the +      // keyGroupEntries +      for (iter = keyEntryIDs.iterator(); iter.hasNext();) { +        KeyEntryID entryID = (KeyEntryID) iter.next(); +        KeyGroupEntry entry = +          new KeyGroupEntry( +            entryID.getModuleID(), +            entryID.getCertificateIssuer(), +            entryID.getCertificateSerialNumber()); +        if (keyGroupEntries.contains(entry)) { +          keySet.add(entryID); +        } +      } +      return keySet; +    } +  } + +  /** +   * Build the list of additional signed properties. +   *  +   * Based on the generic configuration setting +   * <code>ConfigurationProvider.TEST_SIGNING_TIME_PROPERTY</code>, a +   * constant <code>SigningTime</code> will be added to the properties. +   *  +   * @return The <code>List</code> of additional signed properties. +   */ +  private List buildAdditionalSignedProperties() { +    TransactionContext context = +      TransactionContextManager.getInstance().getTransactionContext(); +    ConfigurationProvider config = context.getConfiguration(); +    List additionalSignedProperties = Collections.EMPTY_LIST; + +    return additionalSignedProperties; +  } + +}
\ No newline at end of file diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 2c4bbd4eb..7a4103957 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -24,8 +24,8 @@  package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException;  import iaik.server.modules.cmsverify.CMSSignatureVerificationModule;  import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory;  import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile; @@ -58,7 +58,9 @@ import at.gv.egovernment.moa.spss.server.logging.TransactionId;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;  import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils;  import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult;  /**   * A class providing an interface to the @@ -136,7 +138,7 @@ public class CMSSignatureVerificationInvoker {      try {        // get the signed content        signedContent = getSignedContent(request); - +              // build the profile        profile = profileFactory.createProfile(); 
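Review bot: In `createCMSSignature`, `contentIs` — whether it came from `getBinaryContent()` or from `resolver.resolve(reference)` — is never closed on any path, and `signedDataStream.close()` is skipped whenever the copy loop throws, so every failed request leaks the content stream (for reference content, whatever connection the resolver holds); wrapping the copy and the content stream in try/finally as below fixes both. The reference string travels from the request to `ExternalURIResolver` unchanged and nothing in this file limits what it may name, so if the resolver does not restrict scheme or host the service fetches and signs whatever the client points it at; that restriction should be confirmed and recorded in a comment at the `REFERENCE_CONTENT` case. The Javadoc of `buildAdditionalSignedProperties` promises a `SigningTime` property driven by `TEST_SIGNING_TIME_PROPERTY`, but the body only returns `Collections.EMPTY_LIST` and leaves `context` and `config` unused; either implement it or shorten the comment to `Currently returns an empty list; no additional signed properties are added for CMS signatures.` and drop the dead locals. Likewise a `structure` other than "enveloping" or "detached" silently falls through to `includeData = true`; rejecting unknown values with the appropriate message id would make that explicit.
```java
          TransactionId tid = new TransactionId(context.getTransactionID());
          try {
            CMSSignature signature = module.createSignature(profile, additionalSignedProperties, tid);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            // get CMS SignedData output stream from the CMSSignature and wrap it around out
            boolean base64 = true;
            OutputStream signedDataStream = signature.getSignature(out, base64);
            try {
              // now write the data to be signed to the signedDataStream
              byte[] buf = new byte[4096];
              int bytesRead;
              while ((bytesRead = contentIs.read(buf)) >= 0) {
                signedDataStream.write(buf, 0, bytesRead);
              }
            } finally {
              // finish SignedData processing (and release the stream) even if the copy failed
              signedDataStream.close();
            }
            String base64value = out.toString();
            responseBuilder.addCMSSignature(base64value);
          } catch (CMSSignatureCreationException e) {
            // … unchanged: map the exception and add an error element to the response …
          } catch (IOException e) {
            throw new MOAApplicationException("2301", null, e);
          } finally {
            // the content stream was opened (or resolved) above for this SingleSignatureInfo only
            if (contentIs != null) {
              try {
                contentIs.close();
              } catch (IOException ignored) {
                // best effort: the signature result or the error has already been recorded
              }
            }
          }
```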
@@ -159,6 +161,7 @@ public class CMSSignatureVerificationInvoker {        while (input.read(buf) > 0);        results = module.verifySignature(signingTime); +            } catch (IAIKException e) {        MOAException moaException = IaikExceptionMapper.getInstance().map(e);        throw moaException; @@ -183,6 +186,8 @@ public class CMSSignatureVerificationInvoker {        }      } +    QCSSCDResult qcsscdresult = new QCSSCDResult(); +          // build the response: for each signatory add the result to the response      signatories = request.getSignatories();      if (signatories == VerifyCMSSignatureRequest.ALL_SIGNATORIES) { 
@@ -190,12 +195,28 @@ public class CMSSignatureVerificationInvoker {        for (resultIter = results.iterator(); resultIter.hasNext();) {          result = (CMSSignatureVerificationResult) resultIter.next(); +        String issuerCountryCode = null; +        // QC/SSCD check +        List list = result.getCertificateValidationResult().getCertificateChain(); +        if (list != null) { +            X509Certificate[] chain = new X509Certificate[list.size()]; +             +            Iterator it = list.iterator(); +            int i = 0; +            while(it.hasNext()) { +            	chain[i] = (X509Certificate)it.next(); +            	i++; +            } +             +             +            qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + +            // get signer certificate issuer country code +            issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + +        } -        // check QC and SSCD via TSL (if enabled) -        boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); -	    boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; -         -        responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); +        responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode);        }      } else {        int i; 
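Review bot: `qcsscdresult` is declared once before the loop (in the preceding `@@ -183` hunk) and only reassigned inside `if (list != null)`, so a result whose certificate chain is null is reported with the QC/SSCD flags of the previous signatory instead of a fresh `QCSSCDResult`; the `@@ -206` hunk below carries the value over the same way. Move the declaration into the loop body, `QCSSCDResult qcsscdresult = new QCSSCDResult();` as the first statement of each iteration, and remove the one above the loop. The chain-to-array copy and `list.get(0)` appear verbatim in both hunks and both assume the signer certificate is first in the chain — a small private helper would keep that assumption in one place. The enclosing method continues outside the hunk.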
@@ -206,12 +227,27 @@ public class CMSSignatureVerificationInvoker {          try {            result =              (CMSSignatureVerificationResult) results.get(signatories[i] - 1); -          // check QC and SSCD via TSL (if enabled) -          boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); -  	      boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; - -  	     -          responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); +           +          String issuerCountryCode = null; +          // QC/SSCD check +          List list = result.getCertificateValidationResult().getCertificateChain(); +          if (list != null) { +              X509Certificate[] chain = new X509Certificate[list.size()]; +               +              Iterator it = list.iterator(); +              int j = 0; +              while(it.hasNext()) { +              	chain[j] = (X509Certificate)it.next(); +              	j++; +              } +               +               +              qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); +               +              issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0));  +          } +             +          responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode);          } catch (IndexOutOfBoundsException e) {            throw new MOAApplicationException(              "2249", 
@@ -223,65 +259,7 @@ public class CMSSignatureVerificationInvoker {      return responseBuilder.getResponse();    } -  private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) { -	  boolean checkQCFromTSL = false; -	  try { -          if (tslEnabledTrustProfile) { -            if (chainlist != null) { -    	        X509Certificate[] chain = new X509Certificate[chainlist.size()]; -    	              	         -    	        Iterator it = chainlist.iterator(); -    	        int i = 0; -    	        while(it.hasNext()) { -    	        	chain[i] = (X509Certificate)it.next(); -    	        	i++; -    	        } -    	         -    	        checkQCFromTSL =  TSLUpdaterTimerTask.tslconnector_.checkQC(chain); -    	        //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); -            } -          }  -        } -       catch (TSLEngineDiedException e) { -        	MessageProvider msg = MessageProvider.getInstance(); -            Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); -    	} catch (TSLSearchException e) { -        	MessageProvider msg = MessageProvider.getInstance(); -            Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); -    	} -    	 -    	return checkQCFromTSL; -  } -   -  private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) { -	  boolean checkSSCDFromTSL = false; -	  try { -          if (tslEnabledTrustProfile) { -            if (chainlist != null) { -    	        X509Certificate[] chain = new X509Certificate[chainlist.size()]; -    	              	         -    	        Iterator it = chainlist.iterator(); -    	        int i = 0; -    	        while(it.hasNext()) { -    	        	chain[i] = (X509Certificate)it.next(); -    	        	i++; -    	        } -    	         -    	        checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); -            } -          }  -        } -       catch (TSLEngineDiedException e) { -        	MessageProvider msg = 
MessageProvider.getInstance(); -            Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); -    	} catch (TSLSearchException e) { -        	MessageProvider msg = MessageProvider.getInstance(); -            Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); -    	} -    	 -    	return checkSSCDFromTSL;    	 -  } -   +     /**     * Get the signed content contained either in the request itself or given as a     * reference to external data. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java new file mode 100644 index 000000000..aa52fe09a --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java 
@@ -0,0 +1,93 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.invoke; + +import java.util.ArrayList; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse; + +/** + * A class to build a <code>CreateCMSSignatureResponse</code>. + *  + * <p>The methods <code>addSignature()</code> and <code>addError()</code> may be + * called in any combination to add <code>CMSignature</code> and + * <code>ErrorResponse</code> elements to the response. 
One of these functions + * must be called at least once to produce a  + * <code>CreateCMSSignatureResponse</code>.</p> + *  + * <p>The <code>getResponseElement()</code> method then returns the + * <code>CreateXMLSignatureResponse</code> built so far.</p> + *  + * @author Patrick Peck + * @version $Id$ + */ +public class CreateCMSSignatureResponseBuilder { + +  /** The <code>SPSSFactory</code> for creating API objects. */ +  private SPSSFactory factory = SPSSFactory.getInstance(); +  /** The elements to add to the response. */ +  private List responseElements = new ArrayList(); + +  /** +   * Get the <code>CreateCMSSignatureResponse</code> built so far. +   *  +   * @return The <code>CreateCMSSignatureResponse</code> built so far. +   */ +  public CreateCMSSignatureResponse getResponse() { +    return factory.createCreateCMSSignatureResponse(responseElements); +  } + +  /** +   * Add a <code>SignatureEnvironment</code> element to the response. +   *  +   * @param signatureEnvironment The content to put under the +   * <code>SignatureEnvironment</code> element. This should either be a +   * <code>dsig:Signature</code> element (in case of a detached signature) or +   * the signature environment containing the signature (in case of +   * an enveloping signature). +   */ +  public void addCMSSignature(String base64value) { +    CMSSignatureResponse responseElement =  +      factory.createCMSSignatureResponse(base64value); +    responseElements.add(responseElement); +  } + +  /** +   * Add a <code>ErrorResponse</code> element to the response. +   *   +   * @param errorCode The error code. +   * @param info Additional information about the error. +   */ +  public void addError(String errorCode, String info) { +    ErrorResponse errorResponse =  +      factory.createErrorResponse(Integer.parseInt(errorCode), info); +    responseElements.add(errorResponse); +  } + +} 
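Review bot: `addError` turns the caller-supplied code into an `int` with `Integer.parseInt(errorCode)` and nothing guards against a non-numeric string, so a malformed code surfaces as an uncaught `NumberFormatException` instead of an `ErrorResponse` element; either catch `NumberFormatException` there and fall back to the generic system error code the service layer uses, or add an `addError(int errorCode, String info)` overload and have the String variant delegate to it. The Javadoc was also copied from the XML builder and no longer matches this class: the class comment names `getResponseElement()` and `CreateXMLSignatureResponse` although the method is `getResponse()` returning `CreateCMSSignatureResponse`, and the comment on `addCMSSignature` describes a `SignatureEnvironment`/`dsig:Signature` parameter that does not exist. Suggested replacement for that method's Javadoc: `Add a <code>CMSSignature</code> element to the response.` with `@param base64value The Base64-encoded CMS signature to put under the <code>CMSSignature</code> element.`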
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java index 869cfefa1..1136ff2f8 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java @@ -24,8 +24,8 @@  package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException;  import java.lang.reflect.Constructor;  import java.util.HashMap; @@ -51,8 +51,8 @@ public class IaikExceptionMapper {    /** The exception mapping, as an array. */    private static final Object[][] MESSAGES =      { -      { iaik.IAIKException.class, "9900", MOASystemException.class }, -      { iaik.IAIKRuntimeException.class, "9901", MOASystemException.class }, +      { iaik.server.modules.IAIKException.class, "9900", MOASystemException.class }, +      { iaik.server.modules.IAIKRuntimeException.class, "9901", MOASystemException.class },        { iaik.server.modules.xmlsign.XMLSignatureCreationException.class, "2220", MOAApplicationException.class },        { iaik.server.modules.xmlsign.XMLSignatureCreationRuntimeException.class, "2220", MOAApplicationException.class },        { iaik.server.modules.xmlsign.InvalidKeyException.class, "2221", MOAApplicationException.class },  
@@ -85,7 +85,8 @@ public class IaikExceptionMapper {        { iaik.server.modules.xmlverify.TransformationException.class, "2265", MOAApplicationException.class },        { iaik.server.modules.xmlverify.TransformationParsingException.class, "2269", MOAApplicationException.class },        { iaik.xml.crypto.tsl.ex.TSLEngineDiedException.class, "2290", MOAApplicationException.class }, -      { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class } +      { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class } , +      { iaik.server.modules.cmssign.CMSSignatureCreationException.class, "2300", MOAApplicationException.class } ,    }; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 3b82c6caf..1ea10cb4e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java 
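Review bot: The new mapping entry is written as `} ,` with a space before the comma and leaves a trailing comma after the last element of the `MESSAGES` initializer, which is legal Java but differs from every other row in the table; suggest `{ iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class },` followed by `{ iaik.server.modules.cmssign.CMSSignatureCreationException.class, "2300", MOAApplicationException.class }` with no trailing comma. Note also that the XML signing side maps both the checked `XMLSignatureCreationException` and its `XMLSignatureCreationRuntimeException` to 2220, while the CMS side maps only the checked exception; if the CMS module has an analogous runtime exception (not visible here), it would currently fall through to the generic 9901 system error.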
@@ -73,13 +73,15 @@ public class VerifyCMSSignatureResponseBuilder {     * @param trustprofile The actual trustprofile     * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the      * 		certificate as qualified, otherwise <code>false</code>. -   * @param checkSSCDFromTSL <code>true</code>, if the TSL check verifies the  +   * @param checkSSCD <code>true</code>, if the TSL check verifies the      * 		signature based on a SSDC, otherwise <code>false</code>. +   * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,  +   * 		otherwise <code>false</code>.   * @throws MOAException      */ -  public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQCFromTSL, boolean checkSSCDFromTSL) +  public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode)      throws MOAException { - +	        CertificateValidationResult certResult =        result.getCertificateValidationResult();      int signatureCheckCode = 
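Review bot: The Javadoc of `addResult` is out of step with the new signature: it still documents `checkQCFromTSL` although the parameter is now `checkQC`, and the added `qcSourceTSL` and `issuerCountryCode` parameters have no `@param` at all. Suggested additions: `@param qcSourceTSL <code>true</code>, if the QC information comes from the TSL, otherwise <code>false</code>.` and `@param issuerCountryCode The country code of the signer certificate's issuer, as passed by the invoker.` (the latter hedged, since the value's origin is not visible in this hunk). The hunk also adds a whitespace-only line `+\t` after the `throws` clause that should be dropped. The body of `addResult` continues past the end of the hunk.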
@@ -90,28 +92,20 @@ public class VerifyCMSSignatureResponseBuilder {      SignerInfo signerInfo;      CheckResult signatureCheck;      CheckResult certificateCheck; -     -     -    boolean qualifiedCertificate = false; -     -    // verify qualified certificate checks (certificate or TSL) -    if (trustProfile.isTSLEnabled()) { -    	// take TSL result -    	qualifiedCertificate = checkQCFromTSL;   -    } -    else { -    	// take result from certificate -    	qualifiedCertificate = certResult.isQualifiedCertificate(); -    } + +    boolean qualifiedCertificate = checkQC;      // add SignerInfo element      signerInfo =        factory.createSignerInfo(          (X509Certificate) certResult.getCertificateChain().get(0),          qualifiedCertificate, +        qcSourceTSL,          certResult.isPublicAuthorityCertificate(),          certResult.getPublicAuthorityID(), -        checkSSCDFromTSL); +        checkSSCD, +        sscdSourceTSL, +        issuerCountryCode);      // add SignatureCheck element      signatureCheck = factory.createCheckResult(signatureCheckCode, null); @@ -119,9 +113,6 @@ public class VerifyCMSSignatureResponseBuilder {      // add CertificateCheck element      certificateCheck = factory.createCheckResult(certificateCheckCode, null); -     -    -      // build the response element      responseElement =        factory.createVerifyCMSSignatureResponseElement( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 755ca82b6..193495171 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java 
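Review bot: With the `trustProfile.isTSLEnabled()` branch removed, `trustProfile` is no longer read anywhere in this hunk; if the remainder of `addResult` (outside the hunk) does not use it either, the parameter is dead and the Javadoc should at least state that the QC/SSCD decision is now made by the caller rather than derived from `certResult.isQualifiedCertificate()`. The alias `boolean qualifiedCertificate = checkQC;` adds nothing — pass `checkQC` straight into `factory.createSignerInfo(...)`. The unguarded `certResult.getCertificateChain().get(0)` predates this change, but since the certificate chain is now also consumed by the caller it would be worth a single `isEmpty()` check.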
@@ -125,10 +125,12 @@ public class VerifyXMLSignatureResponseBuilder {     * @param transformsSignatureManifestCheck The overall result for the signature      *        manifest check.     * @param certificateCheck The overall result for the certificate check. -   * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the  -   * 		certificate as qualified, otherwise <code>false</code>. -   * @param checkSSCDFromTSL <code>true</code>, if the TSL check verifies the  -   * 		signature based on a SSDC, otherwise <code>false</code>. +   * @param checkQC <code>true</code>, if the certificate is QC, otherwise <code>false</code>. +   * @param qcSourceTSL <code>true</code>, if the QC information comes from the TSL,  +   * 		otherwise <code>false</code>. +   * @param checkSSCD <code>true</code>, if the signature is created by an SSCD, otherwise <code>false</code>. +   * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL,  +   * 		otherwise <code>false</code>.     * @throws MOAApplicationException An error occurred adding the result.     */    public void setResult( @@ -136,9 +138,12 @@ public class VerifyXMLSignatureResponseBuilder {      XMLSignatureVerificationProfile profile,      ReferencesCheckResult transformsSignatureManifestCheck,      CheckResult certificateCheck,  -    boolean checkQCFromTSL, -    boolean checkSSCDFromTSL, -    boolean isTSLEnabledTrustprofile) +    boolean checkQC, +    boolean qcSourceTSL, +    boolean checkSSCD, +    boolean sscdSourceTSL, +    boolean isTSLEnabledTrustprofile, +    String issuerCountryCode)      throws MOAApplicationException {      CertificateValidationResult certResult = 
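Review bot: The new `issuerCountryCode` parameter of `setResult` is not documented, and the retained `isTSLEnabledTrustprofile` parameter never was; the Javadoc hunk documents only the four QC/SSCD flags. Suggested additions: `@param isTSLEnabledTrustprofile <code>true</code>, if the trust profile used for verification has TSL support enabled.` and `@param issuerCountryCode The country code of the signer certificate's issuer.` Both hedged wording-wise, since neither value's use is visible within this hunk; `setResult`'s body continues beyond it.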
@@ -152,24 +157,19 @@ public class VerifyXMLSignatureResponseBuilder {      boolean qualifiedCertificate = false; -    // verify qualified certificate checks (certificate or TSL) -    if (isTSLEnabledTrustprofile) { -    	// take TSL result -    	qualifiedCertificate = checkQCFromTSL;   -    } -    else { -    	// take result from certificate -    	qualifiedCertificate = certResult.isQualifiedCertificate(); -    } +    qualifiedCertificate = checkQC;      // create the SignerInfo;      signerInfo =        factory.createSignerInfo(          (X509Certificate) certResult.getCertificateChain().get(0),          qualifiedCertificate, +        qcSourceTSL,          certResult.isPublicAuthorityCertificate(),          certResult.getPublicAuthorityID(), -        checkSSCDFromTSL); +        checkSSCD, +        sscdSourceTSL, +        issuerCountryCode);      // Create HashInputData Content objects      referenceDataList = result.getReferenceDataList(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java index 759af813c..7debb7b3a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java @@ -24,8 +24,8 @@  package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException;  import iaik.server.modules.xml.DataObject;  import iaik.server.modules.xml.XMLDataObject;  import iaik.server.modules.xml.XMLSignature; 
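Review bot: `boolean qualifiedCertificate = false;` is immediately overwritten by the added `qualifiedCertificate = checkQC;`, so the initializer is dead; collapse the two into `boolean qualifiedCertificate = checkQC;` or drop the local and pass `checkQC` directly to `createSignerInfo`. After this change `isTSLEnabledTrustprofile` is no longer consulted inside the hunk; if nothing else in `setResult` (which starts before and ends after the hunk) reads it, the parameter only survives for signature compatibility and the Javadoc should say so.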
@@ -243,14 +243,31 @@ public class XMLSignatureCreationInvoker {          }          try { -          // create the signature -          signature = -            module.createSignature( -              dataObjectList, -              profile, -              additionalSignedProperties, -              signatureParent, -              new TransactionId(context.getTransactionID())); +        	ConfigurationProvider config = context.getConfiguration(); +        	String xadesVersion = config.getXAdESVersion(); + +        	if (xadesVersion!= null && xadesVersion.compareTo(XMLSignatureCreationModule.XADES_VERSION_1_4_2) == 0) { +                // create the signature (XAdES 1.4.2) +                signature = +                  module.createSignature( +                    dataObjectList, +                    profile, +                    additionalSignedProperties, +                    signatureParent, +                    XMLSignatureCreationModule.XADES_VERSION_1_4_2, +                    new TransactionId(context.getTransactionID())); +        	} +        	else { +                // create the signature (XAdES 1.1.1 = default) +                signature = +                  module.createSignature( +                    dataObjectList, +                    profile, +                    additionalSignedProperties, +                    signatureParent, +                    XMLSignatureCreationModule.XADES_VERSION_1_1_1, +                    new TransactionId(context.getTransactionID())); +        	}            // insert the result into the response            if (signatureParent != null) { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index 5c4a2c76a..d1281c1f1 100644 
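Review bot: The two `module.createSignature(...)` calls are identical except for the version constant, which doubles the call site that has to be kept in sync; decide the version once and call once. `xadesVersion.compareTo(XMLSignatureCreationModule.XADES_VERSION_1_4_2) == 0` is also an unusual way to spell string equality and needs the separate null check — `XADES_VERSION_1_4_2.equals(xadesVersion)` covers both. The enclosing `try` block and method continue outside the hunk.
```java
ConfigurationProvider config = context.getConfiguration();
// Default to XAdES 1.1.1 unless 1.4.2 is configured; equals() on the constant also handles a null version.
String xadesVersion =
  XMLSignatureCreationModule.XADES_VERSION_1_4_2.equals(config.getXAdESVersion())
    ? XMLSignatureCreationModule.XADES_VERSION_1_4_2
    : XMLSignatureCreationModule.XADES_VERSION_1_1_1;
signature =
  module.createSignature(
    dataObjectList,
    profile,
    additionalSignedProperties,
    signatureParent,
    xadesVersion,
    new TransactionId(context.getTransactionID()));
// … unchanged: insert the result into the response …
```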
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;  import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo;  import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo;  import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.KeyGroup;  import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry;  import at.gv.egovernment.moa.spss.server.iaik.xml.CanonicalizationImpl;  import at.gv.egovernment.moa.spss.server.iaik.xmlsign.DataObjectTreatmentImpl; @@ -83,6 +84,9 @@ public class XMLSignatureCreationProfileFactory {    static {      HASH_ALGORITHM_MAPPING = new HashMap();      HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); +    HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); +    HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); +    HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512);    }    /** The <code>CreateXMLSignatureRequest</code> for which to create the 
@@ -129,18 +133,62 @@ public class XMLSignatureCreationProfileFactory {      HashSet allReservedIDs = new HashSet(reserved);      allReservedIDs.addAll(sigInfoReservedIDs); -    XMLSignatureCreationProfileImpl profile = -      new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs);      TransactionContext context =        TransactionContextManager.getInstance().getTransactionContext();      ConfigurationProvider config = context.getConfiguration();      CanonicalizationImpl canonicalization;      List dataObjectTreatmentList; -    String keyGroupID;      Set keySet;      List transformationSupplements;      List createTransformsProfiles; +    // get the key group id +    String keyGroupID = request.getKeyIdentifier(); +    // get digest method on key group level (if configured) +    String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); +    // get default digest method (if configured) +    String configDigestMethod = config.getDigestMethodAlgorithmName(); +     +    String xadesVersion = config.getXAdESVersion(); +     +    String digestMethodXAdES142 = null; +    boolean isXAdES142 = false; +    // if XAdES Version 1.4.2 is configured +    if (xadesVersion != null && xadesVersion.compareTo("1.4.2") == 0) { +    	isXAdES142 = true; +    	Logger.debug("XAdES version '" + xadesVersion + "' used"); +    } +    	 +    if (isXAdES142) { +    	if (configDigestMethodKG != null) { +    		// if KG specific digest method is configured +    		digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); +    		if (digestMethodXAdES142 == null) { +    			error( +    					"config.17", +    					new Object[] { configDigestMethodKG}); +    			throw new MOASystemException("2900", null);    			 +    		} +    		Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(configured in KeyGroup)"); +    	}	    	 +    	else { +    		// else get default configured digest method +    		digestMethodXAdES142 = 
(String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); +    		if (digestMethodXAdES142 == null) { +    			error( +    					"config.17", +    					new Object[] { configDigestMethod}); +    			throw new MOASystemException("2900", null);	 +    		} +    		Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(default)"); +    		 +    	} +    } +     +    XMLSignatureCreationProfileImpl profile = +    	      new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + +          // build the transformation supplements      createTransformsProfiles =        getCreateTransformsInfoProfiles(singleSignatureInfo); @@ -153,11 +201,11 @@ public class XMLSignatureCreationProfileFactory {          singleSignatureInfo,          createTransformsProfiles,          transformationSupplements, -        allReservedIDs); +        allReservedIDs,  +        digestMethodXAdES142);      profile.setDataObjectTreatmentList(dataObjectTreatmentList);      // set the key set -    keyGroupID = request.getKeyIdentifier();      keySet = buildKeySet(keyGroupID);      if (keySet == null) {        throw new MOAApplicationException("2231", null); @@ -184,7 +232,7 @@ public class XMLSignatureCreationProfileFactory {      canonicalization =        new CanonicalizationImpl(config.getCanonicalizationAlgorithmName());      profile.setSignedInfoCanonicalization(canonicalization); - +          // set the signed properties      profile.setSignedProperties(Collections.EMPTY_LIST); @@ -299,7 +347,8 @@ public class XMLSignatureCreationProfileFactory {      SingleSignatureInfo singleSignatureInfo,      List createTransformsInfoProfiles,      List transformationSupplements, -    Set reservedIDs) +    Set reservedIDs, +    String digestMethodXAdES142)      throws MOASystemException, MOAApplicationException {      TransactionContext context = 
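Review bot: `config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm()` dereferences the lookup of the request-supplied `KeyIdentifier` before the existing `buildKeySet(keyGroupID)` / `2231` check further down the same method; if `getKeyGroup` returns `null` for an unknown id (not visible here, but the later null check suggests it can), an unknown key identifier in a request now ends in a `NullPointerException` mapped to the generic 2900 instead of the 2231 application error. Suggest `KeyGroup keyGroup = config.getKeyGroup(keyGroupID);` followed by `if (keyGroup == null) { throw new MOAApplicationException("2231", null); }` and then `String configDigestMethodKG = keyGroup.getDigestMethodAlgorithm();` (the `KeyGroup` import is added earlier in this file). The version test `xadesVersion.compareTo("1.4.2") == 0` also hard-codes a literal where `XMLSignatureCreationInvoker` compares against `XMLSignatureCreationModule.XADES_VERSION_1_4_2`; use the same constant in both places so they cannot drift. The enclosing method starts before this hunk.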
@@ -329,15 +378,25 @@ public class XMLSignatureCreationProfileFactory {        treatment.setTransformationList(buildTransformationList(profile));        treatment.setReferenceInManifest(dataObjInfo.isChildOfManifest()); -      hashAlgorithmName = -        (String) HASH_ALGORITHM_MAPPING.get( -          config.getDigestMethodAlgorithmName()); -      if (hashAlgorithmName == null) { -        error( -          "config.17", -          new Object[] { config.getDigestMethodAlgorithmName()}); -        throw new MOASystemException("2900", null); +      // if XAdES version is 1.4.2 +      if (digestMethodXAdES142 != null) { +    	  // use configured digest algorithm +    	  hashAlgorithmName = digestMethodXAdES142; +      } +      else { +    	  // stay as it is +    	  hashAlgorithmName = (String) HASH_ALGORITHM_MAPPING.get( +    		          config.getDigestMethodAlgorithmName()); +    	  if (hashAlgorithmName == null) { +    	        error( +    	          "config.17", +    	          new Object[] { config.getDigestMethodAlgorithmName()}); +    	        throw new MOASystemException("2900", null); +    	      }        } +       +       +              treatment.setHashAlgorithmName(hashAlgorithmName);        treatment.setIncludedInSignature( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index 8a5b6f5b7..c90bc534a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java 
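Review bot: The `else` branch repeats the `HASH_ALGORITHM_MAPPING` lookup and the `config.17`/`2900` error handling that the caller already performs when resolving `digestMethodXAdES142`, and, judging by the `dataObjInfo`/`treatment` context, it runs once per data object although the configured default digest is constant; resolving the default name once in the caller and passing a non-null `hashAlgorithmName` into this method would remove the branch entirely. The hunk also adds three whitespace-only lines (`+       ` twice and `+      ` once) before `treatment.setHashAlgorithmName(hashAlgorithmName);` that should be dropped. The enclosing loop and method start outside the hunk.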
@@ -24,10 +24,10 @@  package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException;  import iaik.ixsil.exceptions.URIException;  import iaik.ixsil.util.URI; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException;  import iaik.server.modules.xml.DataObject;  import iaik.server.modules.xml.XMLDataObject;  import iaik.server.modules.xml.XMLSignature; @@ -40,8 +40,6 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory;  import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile;  import iaik.server.modules.xmlverify.XMLSignatureVerificationResult;  import iaik.x509.X509Certificate; -import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; -import iaik.xml.crypto.tsl.ex.TSLSearchException;  import java.io.File;  import java.io.FileInputStream; @@ -87,8 +85,9 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog;  import at.gv.egovernment.moa.spss.server.logging.TransactionId;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; -import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils;  import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult;  import at.gv.egovernment.moa.util.CollectionUtils;  import at.gv.egovernment.moa.util.Constants; @@ -208,9 +207,7 @@ public class XMLSignatureVerificationInvoker {          requestElement);      } -    boolean checkQCFromTSL = false; -    boolean checkSSCDFromTSL = false; -     +    QCSSCDResult qcsscdresult = new QCSSCDResult();      String tpID =  profile.getCertificateValidationProfile().getTrustStoreProfile().getId();      ConfigurationProvider config = ConfigurationProvider.getInstance();      TrustProfile tp = config.getTrustProfile(tpID); 
@@ -236,33 +233,27 @@ public class XMLSignatureVerificationInvoker {          MOAException moaException = IaikExceptionMapper.getInstance().map(e);          throw moaException;      }  -    try { -      if (tp.isTSLEnabled()) { -        List list = result.getCertificateValidationResult().getCertificateChain(); -        if (list != null) { -	        X509Certificate[] chain = new X509Certificate[list.size()]; -	         -	         -	        Iterator it = list.iterator(); -	        int i = 0; -	        while(it.hasNext()) { -	        	chain[i] = (X509Certificate)it.next(); -	        	i++; -	        } -	         -	        checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); -	        checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); +     + +    // QC/SSCD check +    List list = result.getCertificateValidationResult().getCertificateChain(); +    if (list != null) { +        X509Certificate[] chain = new X509Certificate[list.size()]; +         +        Iterator it = list.iterator(); +        int i = 0; +        while(it.hasNext()) { +        	chain[i] = (X509Certificate)it.next(); +        	i++;          } -      }  +         +        qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled());      } -   catch (TSLEngineDiedException e) { -    	MessageProvider msg = MessageProvider.getInstance(); -        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); -	} catch (TSLSearchException e) { -    	MessageProvider msg = MessageProvider.getInstance(); -        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); -	} +    	 +    // get signer certificate issuer country code +    String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); +          // swap back in the request as root document      if (requestElement != signatureEnvironment.getElement()) {        requestElement.getOwnerDocument().replaceChild( 
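Review bot: `CertificateUtils.getIssuerCountry((X509Certificate)list.get(0))` sits outside the `if (list != null)` guard that the hunk itself keeps for the chain conversion, so a null chain now throws a `NullPointerException` (and an empty chain an `IndexOutOfBoundsException`) where the previous code carried on; suggest `String issuerCountryCode = (list != null && !list.isEmpty()) ? CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)) : null;` and a matching `!list.isEmpty()` on the guard above. The `TSLEngineDiedException`/`TSLSearchException` handlers that logged `tsl.01` are removed here; presumably `CertificateUtils.checkQCSSCD` now handles them internally — worth confirming, because otherwise a TSL outage aborts verification instead of degrading to the certificate-based QC/SSCD result. The enclosing method continues past the hunk.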
@@ -278,10 +269,10 @@ public class XMLSignatureVerificationInvoker {      // Check if signer certificate is in trust profile's allowed signer certificates pool      TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());      CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); -    -    // build the response -    responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQCFromTSL, checkSSCDFromTSL, tp.isTSLEnabled()); + +    // build the response +    responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode);      return responseBuilder.getResponse();    } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java index 6bf2317b4..591e26ac2 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java @@ -393,6 +393,7 @@ public class AxisHandler extends BasicHandler {      try {        String filename = MOA_SPSS_WSDL_RESOURCE_; +              File file = new File(filename);        if (file.exists()) {          //if this resolves to a file, load it @@ -400,7 +401,7 @@ public class AxisHandler extends BasicHandler {        } else {          //else load a named resource in our classloader.           instream = this.getClass().getResourceAsStream(filename); -        if (instream == null) { +        if (instream == null) {        	            String errorText = Messages.getMessage("wsdlFileMissing", filename);            throw new AxisFault(errorText);          } 
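Review bot: The rebuilt `responseBuilder.setResult(...)` call passes five positional booleans in a row (`isQC`, `isQCSourceTSL`, `isSSCD`, `isSSCDSourceTSL`, `tp.isTSLEnabled()`), which is easy to transpose silently since every argument type-checks; passing the `qcsscdresult` object itself (or at least naming the flags in locals next to the call) would make the mapping to the builder's parameters visible. Note also that this call uses `tp.isTSLEnabled()` from the profile looked up via the trust-store id while the line above loads `trustProfile` via `request.getTrustProfileId()` — pre-existing, but now that two trust profiles are in play in the same method it deserves a one-line comment on why both are needed.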
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java index 7a7bb88bb..e5b12bd8c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java @@ -35,10 +35,15 @@ import org.w3c.dom.Element;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.spss.MOAException;  import at.gv.egovernment.moa.spss.MOASystemException; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureRequestParser; +import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureResponseBuilder;  import at.gv.egovernment.moa.spss.api.xmlbind.CreateXMLSignatureRequestParser;  import at.gv.egovernment.moa.spss.api.xmlbind.CreateXMLSignatureResponseBuilder;  import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;  import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureCreationInvoker;  import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureCreationInvoker;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;  import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; 
@@ -52,6 +57,89 @@ import at.gv.egovernment.moa.util.StreamUtils;   * @version $Id$   */  public class SignatureCreationService { +	 +	 /** +	   * Handle a <code>CreateXMLSignatureRequest</code>. +	   *  +	   * @param request The <code>CreateXMLSignatureRequest</code> to work on +	   * (contained in the 0th element of the array). +	   * @return A <code>CreateXMLSignatureResponse</code> as the only element of +	   * the <code>Element</code> array. +	   * @throws AxisFault An error occurred during handling of the message. +	   */ +	  public Element[] CreateCMSSignatureRequest(Element[] request) +	    throws AxisFault { +		  Logger.trace("---- Entering SignatureCreationService"); +	    CMSSignatureCreationInvoker invoker = +	      CMSSignatureCreationInvoker.getInstance(); +	    Element[] response = new Element[1]; + +	    // check that we have a CreateXMLSignatureRequest; if not, create an +	    // AxisFault, just like the org.apache.axis.providers.java.MsgProvider +	    if (!Constants.MOA_SPSS_CREATE_CMS_REQUEST.equals(request[0].getLocalName()) || +	      !Constants.MOA_NS_URI.equals(request[0].getNamespaceURI())) +	    { +	      QName qname = +	        new QName(request[0].getNamespaceURI(), request[0].getLocalName()); +	      throw new AxisFault( +	        Messages.getMessage("noOperationForQName", qname.toString())); // TODO GK Operation name does not make it into the error repsonse +	    } + +	    // handle the request +	    try { +	         +	      // create a parser and builder for binding API objects to/from XML +	      CreateCMSSignatureRequestParser requestParser = +	        new CreateCMSSignatureRequestParser(); +	      CreateCMSSignatureResponseBuilder responseBuilder = +	        new CreateCMSSignatureResponseBuilder(); +	      Element reparsedReq; +	      CreateCMSSignatureRequest requestObj; +	      CreateCMSSignatureResponse responseObj; + +	      //since Axis (1.1 ff) has problem with namespaces we take the raw request stored by the Axishandler. 
+	      TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); +	   +	      // validate the request +	      reparsedReq = ServiceUtils.reparseRequest(request[0]);//context.getRequest()); + +	      // convert to API objects +		  Logger.trace(">>> preparsing Request"); +	      requestObj = requestParser.parse(reparsedReq); +		  Logger.trace("<<< preparsed Request"); +	       +		  Logger.trace(">>> creating Signature"); +	      // invoke the core logic +	      responseObj = invoker.createCMSSignature(requestObj, Collections.EMPTY_SET); +		  Logger.trace("<<< created Signature"); + +		  Logger.trace(">>> building Response"); +	      // map back to XML +	      response[0] = responseBuilder.build(responseObj).getDocumentElement(); +		  Logger.trace("<<< built Response"); +	       +	      // save response in transaction +	      context.setResponse(response[0]); +		  Logger.trace("---- Leaving SignatureCreationService"); +		   + +	    } catch (MOAException e) { +	      AxisFault fault = AxisFault.makeFault(e); +	      fault.setFaultDetail(new Element[] { e.toErrorResponse()}); +	      Logger.debug("Anfrage zur Signaturerstellung wurde nicht erfolgreich beendet:"  +	        + System.getProperty("line.separator") + StreamUtils.getStackTraceAsString(e)); +	      throw fault; +	    } catch (Throwable t) { +	      MOASystemException e = new MOASystemException("2900", null, t); +	      AxisFault fault = AxisFault.makeFault(e); +	      fault.setFaultDetail(new Element[] { e.toErrorResponse()}); +	      Logger.debug("Anfrage zur Signaturerstellung wurde nicht erfolgreich beendet:"  +	        + System.getProperty("line.separator") + StreamUtils.getStackTraceAsString(e)); +	      throw fault; +	    } + +	    return response; +	  }    /**     * Handle a <code>CreateXMLSignatureRequest</code>. 
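Review bot: The Javadoc and the inline comment on the new `CreateCMSSignatureRequest` method were copied from the XML variant and still say "Handle a `CreateXMLSignatureRequest`" / "check that we have a CreateXMLSignatureRequest", while the code checks `Constants.MOA_SPSS_CREATE_CMS_REQUEST` and returns a `CreateCMSSignatureResponse`; the summary should read `Handle a <code>CreateCMSSignatureRequest</code>.` with the `@param`/`@return` lines renamed accordingly. `request[0]` is dereferenced in the QName check before the `try` block, so an empty array raises an ArrayIndexOutOfBoundsException that the `catch (Throwable t)` mapping to `MOASystemException("2900", ...)` never sees and that therefore reaches the caller as an unmapped fault; a one-line guard `if (request == null || request.length == 0) throw new AxisFault(Messages.getMessage("noOperationForQName", ""));` in front of the check keeps the error path uniform. The parsed request is reparsed from `request[0]` while the comment above says the raw request stored by the AxisHandler is used; the `//context.getRequest()` remnant should either be restored or the comment corrected so the next reader knows which document is actually validated.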
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
index 2e4af2817..07da0a998 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
@@ -83,28 +83,277 @@ public class TSLConnector implements TSLConnectorInterface {
 		return updateAndGetQualifiedCACertificates(dateTime, null, serviceLevelStatus);
  	}
 +	public void updateTSLs(Date dateTime,
 +			String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
 +		
 +		if (Configurator.is_isInitialised() == false)
 +			new TSLEngineFatalException("The TSL Engine is not initialized!");
 +		
 +		updateTSLs(dateTime, null, serviceLevelStatus);
 +	}
 +	
  	public ArrayList<File> updateAndGetQualifiedCACertificates(Date dateTime,
  			String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
  		if (Configurator.is_isInitialised() == false)
  			new TSLEngineFatalException("The TSL Engine is not initialized!");
 +
 +		String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
 +		
 +//		String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
 +//		System.out.println("hashcachedir: " + hashcachedir);
 +//		if (hashcachedir==null)
 +//			hashcachedir = DEFAULT_HASHCACHE_DIR;
 +
 +//		File hashcachefile = new File(hashcachedir);
 +//		File[] filelist = hashcachefile.listFiles();
 +//		if (filelist != null) {
 +//			for (File f : filelist)
 +//				f.delete();
 +//		}
 -		//TODO: clean hascash and TLS Download folder	
 -		String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
 +		File tsldownloadfile = new File(tsldownloaddir);
 +		if (!tsldownloadfile.exists()) {
 +			tsldownloadfile.mkdir();
 +		}
 +		File[] tslfilelist = tsldownloadfile.listFiles();
 +		if (tslfilelist != null) {
 +			for (File f : tslfilelist)
 +				f.delete();
 +		}
 -		if (hashcachedir==null)
 -			hashcachedir = DEFAULT_HASHCACHE_DIR;
 -				
 -		String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
 +		//create sqlLite database
 +		File dbFile = new File(Configurator.get_TempdbFile());
 +		try {
 +			dbFile.delete();
 +			dbFile.createNewFile();
 +		} catch (IOException e) {
 +			throw new TSLEngineDiedException("Could not create temporary data base file", e);
 +		}
 +		
 +		//the TSL library uses the iaik.util.logging environment.
 +		//iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.WARN);
 +		iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF);
 +		
 +		log.info("Starting EU TSL import.");
 +
 +		// Certificates in Germany, Estonia, Greece, Cyprus,
 +		// Lithuainia, Hungary, Poland, Finland, Norway use SURNAME
 +		log.debug("### SURNAME registered as " + ObjectID.surName + " ###");
 +		RFC2253NameParser.register("SURNAME", ObjectID.surName);
 +
 +		XSecProvider.addAsProvider(false);
 +
 +		TSLEngine tslEngine;
 +		TslSqlConnectionWrapper connection = null;
 +
 +		try {
 +			// register the Https JSSE Wrapper
 +			TLS.register();
 +			log.trace("### Https JSSE Wrapper registered ###");
 +			
 +
 +			log.debug("### Connect to Database.###");
 +			connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
 +
 +			log.trace("### Connected ###");
 +
 +			// empty the database and recreate the tables
 +			tslEngine = new TSLEngine(dbFile, Configurator.get_TSLWorkingDirectoryPath(), 
 +					connection, true, true);
 +			
 +		} catch (TSLEngineFatalException e1) {
 +			throw new TSLEngineDiedException(e1);
 +			
 +		}
 +
 +		// H.2.2.1 Same-scheme searching
 +		// H.2.2.2 Known scheme searching
 +		// H.2.2.3 "Blind" (unknown) scheme searching
 +		Number tId = null;
 +		Countries euTerritory = Countries.EU;
 +		TSLImportContext topLevelTslContext = new TSLEUImportFromFileContext(
 +			euTerritory, Configurator.get_euTSLURL(), Configurator.get_TSLWorkingDirectoryPath(), 
 +			Configurator.is_sqlMultithreaded(), 
 +			Configurator.is_throwExceptions(), Configurator.is_logExceptions(), 
 +			Configurator.is_throwWarnings(), Configurator.is_logWarnings(), 
 +			Configurator.is_nullRedundancies());
 +
 +		TSLEngineEU tslengineEU;
 +		try {
 +			tslengineEU = tslEngine.new TSLEngineEU();
 +			
 +		} catch (TSLEngineFatalException e1) {
 +			throw new TSLEngineDiedException(e1);
 +		}
 +
 +		// establish EU TSL trust anchor
 +		ListIterator<java.security.cert.X509Certificate> expectedEuTslSignerCerts =
 +			tslEngine.loadCertificatesFromResource(
 +			Configurator.get_euTrustAnchorsPath(), topLevelTslContext);
 +
 +		log.debug("Process EU TSL");
 +		// process the EU TSL to receive the pointers to the other TSLs
 +		// and the trust anchors for the TSL signers
 +		Set<Entry<Number, LocationAndCertHash>> pointersToMsTSLs = null;
 -		File hashcachefile = new File(hashcachedir);
 +		try {
 +			
 +			tId = tslengineEU.processEUTSL(topLevelTslContext, expectedEuTslSignerCerts);
 +			log.info("Process EU TSL finished");
 +			
 +			log.debug(Thread.currentThread() + " waiting for other threads ...");
 +			
 +			topLevelTslContext.waitForAllOtherThreads();
 +			log.debug(Thread.currentThread()
 +				+ " reactivated after other threads finished ...");
 +
 +
 +			// get the TSLs pointed from the EU TSL
 +			LinkedHashMap<Number, LocationAndCertHash> tslMap = tslengineEU
 +				.getOtherTslMap(tId, topLevelTslContext);
 +
 +			pointersToMsTSLs = tslMap.entrySet();
 +			
 +			//set Errors and Warrnings
 +			
 +		} catch (TSLEngineFatalRuntimeException e) {
 +			throw new TSLEngineDiedException(topLevelTslContext.dumpFatals());
 +			
 +		} catch (TSLTransactionFailedRuntimeException e) {
 +			throw new TSLEngineDiedException(topLevelTslContext.dumpTransactionFaliures());
 +		}
 +
 +		//Backup implementation if the EU TSL includes a false signer certificate 
 +		// establish additional trust anchors for member states
 +//			Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {
 +//				Countries.CZ,
 +//				Countries.LU,
 +//				Countries.ES,
 +//				Countries.AT,
 +//			};
 +		Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {};
 +
 +		Map<Countries, java.util.ListIterator<java.security.cert.X509Certificate>>
 +			trustAnchorsWrongOnEuTsl = loadCertificatesFromResource(
 +					Configurator.get_msTrustAnchorsPath(), tslEngine, topLevelTslContext,
 +					countriesWithPotentiallyWrongCertsOnEuTsl);
 +
 +		log.info("Starting EU member TSL import.");
 +		
 +		for (Entry<Number, LocationAndCertHash> entry : pointersToMsTSLs) {
 +
 +			TSLImportContext msTslContext;
 +			
 +			Countries expectedTerritory = entry.getValue().getSchemeTerritory();
 +			try {
 +				
 +//				if (expectedTerritory.equals("RO"))
 +//					System.out.println("Stop");
 +				Number otpId = entry.getKey();
 +				LocationAndCertHash lac = entry.getValue();
 +
 +				URL uriReference = null;
 +				try {
 +					uriReference = new URL(lac.getUrl());
 +					
 +				} catch (MalformedURLException e) {
 +					log.warn("Could not process: " + uriReference, e);
 +					continue;
 +				}
 +
 +				String baseURI = uriReference == null ? "" : "" + uriReference;
 +
 +				msTslContext = new TSLImportFromFileContext(
 +					expectedTerritory, uriReference, otpId, Configurator.get_TSLWorkingDirectoryPath(),
 +					Configurator.is_sqlMultithreaded(),
 +					Configurator.is_throwExceptions(), Configurator.is_logExceptions(), 
 +					Configurator.is_throwWarnings(), Configurator.is_logWarnings(), 
 +					Configurator.is_nullRedundancies(), baseURI, trustAnchorsWrongOnEuTsl, 
 +					topLevelTslContext);
 +
 +				ListIterator<X509Certificate> expectedTslSignerCerts = null;
 +				expectedTslSignerCerts = tslEngine.getCertificates(lac, msTslContext);
 +
 +				if (expectedTslSignerCerts == null) {
 +					
 +					// no signer certificate on the EU TSL
 +					// ignore this msTSL and log a warning
 +					log.warn("NO signer certificate found on EU TSL! " 
 +							+ lac.getSchemeTerritory() + "TSL ignored.");
 +					
 +				}
 +				else {
 +					tslEngine.processMSTSL(topLevelTslContext, msTslContext, expectedTslSignerCerts);
 +				}
 +				
 +			} catch (TSLExceptionB e) {
 +				log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory() 
 +						+ " TSL ignored.");
 +				log.debug("Failed to process TSL. " + entry, e);
 +				continue;
 +			} catch (TSLRuntimeException e) {
 +				log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
 +						+ " TSL ignored.");
 +				log.debug("Failed to process TSL. " + entry, e);
 +				continue;
 +			}				
 +		}
 +				
 +		log.debug(Thread.currentThread() + " waiting for other threads ...");
 +		topLevelTslContext.waitForAllOtherThreads();
 +
 +		log.debug(_.dumpAllThreads());
 +		log.debug(Thread.currentThread() + " reactivated after other threads finished ...");
 +		
 +		connection = null;
 +		try {
 +			connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);				
 +			tslEngine.recreateTablesInvalidatedByImport(connection);
 -		File[] filelist = hashcachefile.listFiles();
 -		if (filelist != null) {
 -			for (File f : filelist)
 -				f.delete();
 +			
 +			//TODO: implement database copy operation!
 +			File working_database = new File(Configurator.get_dbFile());
 +			working_database.delete();
 +			copy(dbFile, working_database);
 +
 +			
 +		} catch (TSLEngineFatalException e) {
 +			throw new TSLEngineDiedException(e);
 +			
 +		} finally {
 +			try {
 +				connection.closeConnection();
 +				
 +			} catch (TSLEngineFatalException e) {
 +				throw new TSLEngineDiedException(e);
 +				
 +			}
  		}
 +		
 +		return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
 +	}
 +
 +	public void updateTSLs(Date dateTime,
 +			String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
 +		
 +		if (Configurator.is_isInitialised() == false)
 +			new TSLEngineFatalException("The TSL Engine is not initialized!");
 +
 +		String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
 +		
 +//		String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
 +//		System.out.println("hashcachedir: " + hashcachedir);
 +//		if (hashcachedir==null)
 +//			hashcachedir = DEFAULT_HASHCACHE_DIR;
 +
 +//		File hashcachefile = new File(hashcachedir);
 +//		File[] filelist = hashcachefile.listFiles();
 +//		if (filelist != null) {
 +//			for (File f : filelist)
 +//				f.delete();
 +//		}
  		File tsldownloadfile = new File(tsldownloaddir);
  		if (!tsldownloadfile.exists()) {
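Review bot: The `finally` block that closes the database connection after `recreateTablesInvalidatedByImport` dereferences `connection` unconditionally, yet `connection` is set to null immediately before that `try` and only reassigned inside it, so a failure in `DbTables.connectToDatabaBase` produces a NullPointerException from the `finally` that replaces the intended `TSLEngineDiedException`; guard it with `if (connection != null) connection.closeConnection();`. The initialisation guard in both new `updateTSLs` overloads constructs `new TSLEngineFatalException("The TSL Engine is not initialized!")` without `throw`, so an uninitialised engine is never rejected (the context line in `updateAndGetQualifiedCACertificates` carries the same pre-existing bug). In the `MalformedURLException` handler `uriReference` is still null when logged, so the message loses the offending location; log `lac.getUrl()` instead. The whole import body appears to be duplicated verbatim between `updateAndGetQualifiedCACertificates` and `updateTSLs(Date, String[], String[])`, so the former could become `updateTSLs(dateTime, countries, serviceLevelStatus); return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);`. Finally, `iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF)` silences the TSL library's own warnings for the whole process, so signature or parsing problems in a member-state TSL no longer appear anywhere in the logs; the commented-out WARN level is the safer default for a trust-anchor import.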
 @@ -326,7 +575,7 @@ public class TSLConnector implements TSLConnectorInterface {
 			}
  		}
 -		return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
 +		//return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
  	}
  	public ArrayList<File> getQualifiedCACertificates(Date dateTime,
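Review bot: The commented-out `//return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);` should be deleted rather than kept, since `updateTSLs` is declared `void` and the line documents nothing a reader can act on. The enclosing method starts outside this hunk.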
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
index c365a1121..0cb18a08e 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
@@ -39,6 +39,8 @@ import at.gv.egovernment.moa.util.StringUtils;
 public class TSLUpdaterTimerTask extends TimerTask {
  	public static TSLConnector tslconnector_;
 +	
 +	public static ConfigurationData configData_ = null;
  	@Override
  	public void run() {
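Review bot: `configData_` is a public, non-final static field that `update()` later assigns lazily (`if (configData_ == null) configData_ = new IaikConfigurator().configure(config);`), so any class in the JVM can replace the PKI configuration the trust-store updater reads from, and two overlapping `update()` calls can each build their own. Make it `private static` (package-private if another class genuinely needs it) and document who owns its lifetime; if the intent is a one-time cache, a `synchronized` accessor around the lazy initialisation keeps it single-valued.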
 @@ -48,10 +50,6 @@ public class TSLUpdaterTimerTask extends TimerTask {
 		} catch (TSLEngineDiedException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
 -
 -			// 		TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur 
 -			// Verfügung stehen?
 -			
  		} catch (TSLSearchException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
 @@ -67,100 +65,138 @@ public class TSLUpdaterTimerTask extends TimerTask {
 		} catch (TrustStoreException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
 -		} catch (CertificateException e) {
 +		}  catch (FileNotFoundException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
 -		} catch (FileNotFoundException e) {
 +		} catch (IOException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
 -		} catch (IOException e) {
 +		} catch (CertificateException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
  		}
  	}
 -	public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException {
 +	public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, IOException {
  		MessageProvider msg = MessageProvider.getInstance();
 -		//get TSl configuration
 -		ConfigurationProvider config = ConfigurationProvider.getInstance();
 -		ConfigurationData configData = new IaikConfigurator().configure(config);
 -		TSLConfiguration tslconfig = config.getTSLConfiguration();
 -		if (tslconfig != null) {
 -			
 -			Logger.info(new LogMsg(msg.getMessage("config.42", null)));
 +		//TrustProfile tp = null;
 +		TrustStoreProfile tsp = null;
 +		StoreUpdater storeUpdater = null;
 +		TransactionId tid = null;
 +		
 +			//get TSl configuration
 +			ConfigurationProvider config = ConfigurationProvider.getInstance();
 +			if (configData_ == null)
 +				configData_ = new IaikConfigurator().configure(config);
 -			// get certstore parameters
 -			CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters();
 +			TSLConfiguration tslconfig = config.getTSLConfiguration();
 +			if (tslconfig != null) {
 -			// iterate over all truststores
 -			Map mapTrustProfiles = config.getTrustProfiles();
 -			Iterator it = mapTrustProfiles.entrySet().iterator();
 -			while (it.hasNext()) {
 -				Map.Entry pairs = (Map.Entry)it.next();
 -				TrustProfile tp = (TrustProfile) pairs.getValue();
 -				if (tp.isTSLEnabled()) {
 -					TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId());
 -					TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
 -					trustStoreProfiles[0] = tsp;
 -					
 -					Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
 -		         
 -					TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId());
 -					ArrayList tsl_certs = null;
 -					if (StringUtils.isEmpty(tp.getCountries())) {
 -						Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
 -
 -						// get certificates from TSL from all countries
 -						tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
 -					}
 -					else {
 -						Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
 -						// get selected countries as array
 -						String countries = tp.getCountries();
 -						String[] array = countries.split(",");
 -						for (int i = 0; i < array.length; i++)
 -							array[i] = array[i].trim();
 -		                	  
 -						// get certificates from TSL from given countries
 -						tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
 -					}
 +				tslconnector_.updateTSLs(new Date(), new String[]{"accredited","undersupervision"});
 +				
 +				Logger.info(new LogMsg(msg.getMessage("config.42", null)));
 +				
 +				// get certstore parameters
 +				CertStoreParameters[] certStoreParameters = configData_.getPKIConfiguration().getCertStoreConfiguration().getParameters();
 -					// create store updater for each TSL enabled truststore 
 -					Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
 -					StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
 -		            
 -					// convert ArrayList<File> to X509Certificate[]										
 -					X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()];
 -					Iterator itcert = tsl_certs.iterator();
 -					int i = 0;
 -					while(itcert.hasNext()) {
 -						File f = (File)itcert.next();
 -						X509Certificate cert = new X509Certificate(new FileInputStream(f));
 -						addCertificates[i] = cert;
 +				// iterate over all truststores
 +				Map mapTrustProfiles = config.getTrustProfiles();
 +				Iterator it = mapTrustProfiles.entrySet().iterator();
 +				while (it.hasNext()) {
 +					Map.Entry pairs = (Map.Entry)it.next();
 +					TrustProfile tp = (TrustProfile) pairs.getValue();
 +					if (tp.isTSLEnabled()) {
 +						tsp = new TrustStoreProfileImpl(config, tp.getId());
 +						TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
 +						trustStoreProfiles[0] = tsp;
 -						i++;
 +						Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
 +			         
 +						tid = new TransactionId("TSLConfigurator-" + tp.getId());
 +						ArrayList tsl_certs = null;
 +						if (StringUtils.isEmpty(tp.getCountries())) {
 +							Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
 +	
 +							// get certificates from TSL from all countries
 +							tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
 +						}
 +						else {
 +							Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
 +							// get selected countries as array
 +							String countries = tp.getCountries();
 +							String[] array = countries.split(",");
 +							for (int i = 0; i < array.length; i++)
 +								array[i] = array[i].trim();
 +			                	  
 +							// get certificates from TSL from given countries
 +							tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
 +						}
 +						
 +						// create store updater for each TSL enabled truststore 
 +						Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
 +						storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
 +						
 +						// delete files in trustprofile
 +						
 +						File ftp = new File(tp.getUri());
 +						File[] files = ftp.listFiles();
 +						X509Certificate[] removeCertificates = new X509Certificate[files.length];
 +						int i = 0;
 +						for (File file : files) {
 +							FileInputStream fis = new FileInputStream(file);
 +							removeCertificates[i] = new X509Certificate(fis);
 +							i++;
 +							fis.close();
 +								//file.delete();
 +						}
 +						
 +						// remove all certificates
 +						storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
 +						storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid);
 +						
 +						
 +						// copy files from original trustAnchorsLocURI into tslworking trust profile
 +				    	File src = new File(tp.getUriOrig());
 +				    	files = src.listFiles();
 +				    	X509Certificate[] addCertificates = new X509Certificate[files.length];
 +				    	i = 0;
 +				        for (File file : files) {
 +				        	FileInputStream fis = new FileInputStream(file);
 +				        	addCertificates[i] = new X509Certificate(fis);
 +				        	//FileUtils.copyFile(file, new File(tp.getUri(), file.getName()));
 +				        	i++;
 +				        	fis.close();
 +				        }
 +						
 +				        // convert ArrayList<File> to X509Certificate[]										
 +						X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
 +						Iterator itcert = tsl_certs.iterator();
 +						i = 0;
 +						File f = null;
 +						while(itcert.hasNext()) {
 +							f = (File)itcert.next();
 +							FileInputStream fis = new FileInputStream(f);
 +							X509Certificate cert = new X509Certificate(fis);
 +							addCertificatesTSL[i] = cert;
 +								
 +							i++;
 +							fis.close();
 +						}
 +						  
 +						Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
 +						storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
 +						storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
 +						
 +						Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
 +						storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
 +						storeUpdater.addCertificatesToCertStores(addCertificates, tid);
 +			
 +			            
  					}
 -					
 -					// get certificates to be removed
 -					X509Certificate[] removeCertificates = tp.getCertficatesToBeRemoved();
 -					
 -										
 -					//Logger.debug(new LogMsg(msg.getMessage("config.44", null)));	
 -					Logger.debug(new LogMsg("Remove " + removeCertificates.length + " certificates."));
 -					storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
 -					
 -					
 -					Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
 -					storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
 -		
 -					// set the certifcates to be removed for the next TSL update
 -					tp.setCertificatesToBeRemoved(addCertificates);
 -		            
  				}
  			}
 -		}
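Review bot: `ftp.listFiles()` and `src.listFiles()` (the `tp.getUri()` and `tp.getUriOrig()` directories) are used via `files.length` without a null check, so a missing or non-directory path throws a NullPointerException that `run()` does not appear to catch and that, on a `java.util.Timer`, cancels the timer for good. The three certificate-reading loops call `fis.close()` only on the success path, so one malformed file leaks its stream. More importantly, `removeCertificatesFromTrustStores`/`removeCertificatesFromCertStores` run before the replacement certificates from `tp.getUriOrig()` and `tsl_certs` have been read, so an `IOException` or `CertificateException` on any one of those files, which `update()` lets propagate, leaves the trust profile with no certificates until the next scheduled run. Reading all three arrays first through a small helper and only then removing and adding keeps the update as close to all-or-nothing as this code can get; the sketch below replaces the three loops. The extra indentation level from `//get TSl configuration` down to the closing braces looks like a leftover of removed nesting and should be reindented.
```java
						storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);

						// read every certificate set before touching the stores, so an
						// unreadable file leaves the trust store exactly as it was
						X509Certificate[] removeCertificates = readCertificates(new File(tp.getUri()));
						X509Certificate[] addCertificates = readCertificates(new File(tp.getUriOrig()));
						X509Certificate[] addCertificatesTSL =
							readCertificates((File[]) tsl_certs.toArray(new File[tsl_certs.size()]));

						storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
						storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid);
						// … unchanged: add-to-store calls and log messages …

	/** Parses each file as an X.509 certificate, closing the stream even when parsing fails. */
	private static X509Certificate[] readCertificates(File[] files) throws IOException, CertificateException {
		X509Certificate[] certs = new X509Certificate[files.length];
		for (int i = 0; i < files.length; i++) {
			FileInputStream fis = new FileInputStream(files[i]);
			try {
				certs[i] = new X509Certificate(fis);
			} finally {
				fis.close();
			}
		}
		return certs;
	}

	/** Lists dir and parses its files; a missing or non-directory path yields an empty array instead of a NullPointerException. */
	private static X509Certificate[] readCertificates(File dir) throws IOException, CertificateException {
		File[] files = dir.listFiles();
		if (files == null) {
			Logger.debug(new LogMsg("Not a readable directory, no certificates loaded: " + dir));
			return new X509Certificate[0];
		}
		return readCertificates(files);
	}
```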
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java new file mode 100644 index 000000000..544ea916c --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java 
@@ -0,0 +1,286 @@
 +package at.gv.egovernment.moa.spss.util;
 +
 +import iaik.asn1.ObjectID;
 +import iaik.asn1.structures.Name;
 +import iaik.asn1.structures.PolicyInformation;
 +import iaik.utils.RFC2253NameParser;
 +import iaik.utils.RFC2253NameParserException;
 +import iaik.x509.X509Certificate;
 +import iaik.x509.X509ExtensionInitException;
 +import iaik.x509.extensions.CertificatePolicies;
 +import iaik.x509.extensions.qualified.QCStatements;
 +import iaik.x509.extensions.qualified.structures.QCStatement;
 +import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
 +import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
 +import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
 +import iaik.xml.crypto.tsl.ex.TSLSearchException;
 +
 +import java.security.Principal;
 +
 +import at.gv.egovernment.moa.logging.LogMsg;
 +import at.gv.egovernment.moa.logging.Logger;
 +import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
 +
 +public class CertificateUtils {
 +	
 +	
 +	/**
 +	 * Verifies if the given certificate contains QCP+ statement
 +	 * @param cert X509Certificate
 +	 * @return true if the given certificate contains QCP+ statement, else false
 +	 */
 +	private static boolean checkQCPPlus(X509Certificate cert) {
 +		Logger.debug("Checking QCP+ extension");
 +		String OID_QCPPlus = "0.4.0.1456.1.1";
 +		try {
 +			CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
 +			if (certPol == null) {
 +				Logger.debug("No CertificatePolicies extension found");
 +				return false;
 +			}
 +			
 +			PolicyInformation[] polInfo = certPol.getPolicyInformation();
 +			if (polInfo == null) {
 +				Logger.debug("No policy information found");
 +				return false;
 +			}
 +			
 +			for (int i = 0; i < polInfo.length; i++) {
 +				ObjectID oid = polInfo[i].getPolicyIdentifier();
 +				String oidStr = oid.getID();
 +				if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) {
 +					Logger.debug("QCP+ extension found");
 +					return true;
 +				}
 +			}
 +			
 +			Logger.debug("No QCP+ extension found");
 +			
 +			return false;
 +		} catch (X509ExtensionInitException e) {
 +			Logger.debug("No QCP+ extension found");
 +			
 +			return false;
 +		}
 +		
 +	}
 +	
 +	/**
 +	 * Verifies if the given certificate contains QCP statement
 +	 * @param cert X509Certificate
 +	 * @return true if the given certificate contains QCP statement, else false
 +	 */
 +	private static boolean checkQCP(X509Certificate cert) {
 +		Logger.debug("Checking QCP extension");
 +		String OID_QCP = "0.4.0.1456.1.2";
 +		try {
 +			CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
 +			if (certPol == null) {
 +				Logger.debug("No CertificatePolicies extension found");
 +				return false;
 +			}
 +			
 +			PolicyInformation[] polInfo = certPol.getPolicyInformation();
 +			if (polInfo == null) {
 +				Logger.debug("No policy information found");
 +				return false;
 +			}
 +			
 +			for (int i = 0; i < polInfo.length; i++) {
 +				ObjectID oid = polInfo[i].getPolicyIdentifier();
 +				String oidStr = oid.getID();
 +				if (oidStr.compareToIgnoreCase(OID_QCP) == 0) {
 +					Logger.debug("QCP extension found");
 +					return true;
 +				}
 +				
 +			}
 +			
 +			Logger.debug("No QCP extension found");
 +			return false;
 +
 +		} catch (X509ExtensionInitException e) {
 +			Logger.debug("No QCP extension found");
 +			return false;
 +		}
 +		
 +	}
 +	
 +	/**
 +	 * Verifies if the given certificate contains QcEuCompliance statement
 +	 * @param cert X509Certificate
 +	 * @return true if the given certificate contains QcEuCompliance statement, else false
 +	 */
 +	private static boolean checkQcEuCompliance(X509Certificate cert) {
 +		Logger.debug("Checking QcEUCompliance extension");
 +		try {
 +			QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
 +			
 +			if (qcStatements == null) {
 +				Logger.debug("No QcStatements extension found");
 +				return false;
 +			}
 +			
 +			QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID);
 +			
 +			if (qcEuCompliance != null) {
 +				Logger.debug("QcEuCompliance extension found");
 +				return true;
 +			}
 +			
 +			Logger.debug("No QcEuCompliance extension found");
 +			return false;
 +
 +		} catch (X509ExtensionInitException e) {
 +			Logger.debug("No QcEuCompliance extension found");
 +			return false;
 +		}
 +		
 +	}
 +	
 +	/**
 +	 * Verifies if the given certificate contains QcEuSSCD statement
 +	 * @param cert X509Certificate
 +	 * @return true if the given certificate contains QcEuSSCD statement, else false
 +	 */
 +	private static boolean checkQcEuSSCD(X509Certificate cert) {
 +		Logger.debug("Checking QcEuSSCD extension");
 +		try {
 +			QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
 +			if (qcStatements == null) {
 +				Logger.debug("No QcStatements extension found");
 +				return false;
 +			}
 +			
 +			QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID);
 +			
 +			if (qcEuSSCD != null) {
 +				Logger.debug("QcEuSSCD extension found");
 +				return true;
 +			}
 +						
 +			Logger.debug("No QcEuSSCD extension found");
 +			return false;
 +
 +		} catch (X509ExtensionInitException e) {
 +			Logger.debug("No QcEuSSCD extension found");
 +			return false;
 +		}
 +		
 +	}
 +
 +	public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) {
 +		
 +		boolean qc = false;
 +		boolean qcSourceTSL = false;
 +		boolean sscd = false;
 +		boolean sscdSourceTSL = false;
 +		
 +		try {
 +		
 +			if (isTSLenabledTrustprofile) {
 +				// perform QC check via TSL
 +				boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
 +				if (!checkQCFromTSL) {
 +					// if QC check via TSL returns false
 +					// try certificate extensions QCP and QcEuCompliance
 +					Logger.debug("QC check via TSL returned false - checking certificate extensions");
 +			     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
 +			        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
 +			        
 +			        if (checkQCP || checkQcEuCompliance) {
 +			        	Logger.debug("Certificate is QC (Source: Certificate)");
 +			        	qc = true;			        	
 +			        }
 +			        
 +		        	qcSourceTSL = false;
 +		        }
 +		        else {
 +		        	// use TSL result
 +		        	Logger.debug("Certificate is QC (Source: TSL)");
 +		        	qc = true;
 +		        	qcSourceTSL = true;
 +		        }
 +				
 +				// perform SSCD check via TSL
 +	        	boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
 +	        	if (!checkSSCDFromTSL) {
 +	        		// if SSCD check via TSL returns false
 +					// try certificate extensions QCP+ and QcEuSSCD			        
 +	        		Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
 +		        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
 +			        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
 +			        
 +			        if (checkQCPPlus || checkQcEuSSCD) {
 +			        	Logger.debug("Certificate is SSCD (Source: Certificate)");
 +			        	sscd = true;
 +			        }
 +			        
 +		        	sscdSourceTSL = false;
 +		        }
 +		        else {
 +		        	// use TSL result
 +		        	Logger.debug("Certificate is SSCD (Source: TSL)");
 +		        	sscd = true;
 +		        	sscdSourceTSL = true;
 +		        }
 +	        	
 +			}
 +			else {
 +				// Trustprofile is not TSL enabled - use certificate extensions only
 +
 +				// perform QC check
 +				// try certificate extensions QCP and QcEuCompliance
 +		     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
 +		        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
 +		        
 +		        if (checkQCP || checkQcEuCompliance)
 +		        	qc = true;
 +		        
 +	        	qcSourceTSL = false;
 +	        	
 +	        	// perform SSCD check
 +	        	// try certificate extensions QCP+ and QcEuSSCD			        
 +	        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
 +		        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
 +		        
 +		        if (checkQCPPlus || checkQcEuSSCD)
 +		        	sscd = true;
 +		        
 +	        	sscdSourceTSL = false;
 +			}
 +		}
 +		catch (TSLEngineDiedException e) {
 +	    	MessageProvider msg = MessageProvider.getInstance();
 +	        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
 +		} catch (TSLSearchException e) {
 +	    	MessageProvider msg = MessageProvider.getInstance();
 +	        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
 +		}
 +		
 +		QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
 +		
 +		return result;
 +	}
 +	
 +	/**
 +	    * Gets the country from the certificate issuer
 +	    * @param cert X509 certificate
 +	    * @return Country code from the certificate issuer
 +	    */
 +	   public static String getIssuerCountry(X509Certificate cert) {
 +		   String country = null;
 +		   Principal issuerdn = cert.getIssuerX500Principal();
 +		   RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName());
 +		   
 +		   try {
 +			   Name name = nameParser.parse();
 +			   country = name.getRDN(ObjectID.country);
 +		   } catch (RFC2253NameParserException e) {
 +			   Logger.warn("Could not get country code from issuer.");
 +		   }
 +		   
 +		    
 +		   return country;
 +	   }
 +}
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
 index dafb89f16..219bb7cdf 100644
 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
 +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
 @@ -26,12 +26,14 @@ public class ExternalURIVerifier {
  				boolean allowExternalUris = config.getAllowExternalUris();
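Review bot: `checkQCSSCD` reads `chain[0]` in every branch without checking that `chain` is non-null and non-empty, so a caller passing an empty chain gets an ArrayIndexOutOfBoundsException instead of a clear error; add `if (chain == null || chain.length == 0) throw new IllegalArgumentException("chain must contain at least the end-entity certificate");` at the top of the method. When `checkQC` or `checkSSCD` throws `TSLEngineDiedException` or `TSLSearchException`, the method logs and then returns a result with `qc` and `sscd` both false, so the caller cannot distinguish "TSL says not qualified" from "TSL lookup failed" — either fall back to the certificate-extension checks in those catch blocks, as the non-TSL branch already does, or document in the Javadoc that a TSL failure yields a negative verdict. The policy-OID comparison `oidStr.compareToIgnoreCase(OID_QCP) == 0` (and its QCP+ twin) is better written `OID_QCP.equals(oidStr)`, since dotted OIDs contain no letters. `checkQCSSCD` is the only public entry point and has no Javadoc; a comment describing the two-stage decision (TSL first when the trust profile is TSL-enabled, certificate extensions as fallback or when TSL is off) and the meaning of the `*SourceTSL` flags in the returned `QCSSCDResult` would help callers interpret the result.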
  				List blacklist = config.getBlackListedUris();
 +				List whitelist = config.getWhiteListedUris();
  				InetAddress hostInetAddress = InetAddress.getByName(host);
  				String ip = hostInetAddress.getHostAddress();
  				if (allowExternalUris) {
 +					// external URIs are allowed - check blacklist
  					Iterator it = blacklist.iterator();
  					while (it.hasNext()) {
  						String[] array = (String[])it.next();
 @@ -55,9 +57,46 @@ public class ExternalURIVerifier {  						}
  					}
  				}
 -				else {					
 -					Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
 -					throw new MOAApplicationException("4001", new Object[]{host});					
 +				else {	
 +					// external uris are forbidden - check whitelist
 +					Iterator it = whitelist.iterator();
 +					boolean allowed = false;
 +					while (it.hasNext()) {
 +						String[] array = (String[])it.next();
 +						String bhost = array[0];
 +						String bport = array[1];
 +						if (bport == null || port == -1) {
 +							// check only host
 +							if (ip.startsWith(bhost)) {
 +								Logger.debug(new LogMsg("Whitelist check: " + host + " (" + ip + ") whitelisted"));
 +								allowed = true;
 +								//throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
 +							}
 +						}
 +						else {
 +							// check host and port
 +							int iport = new Integer(bport).intValue();
 +							if (ip.startsWith(bhost) && (iport == port)) {
 +								Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port + " whitelisted"));
 +								//throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
 +								allowed = true;
 +							}
 +								
 +						}
 +					}
 +					
 +					if (!allowed) {
 +						if (port != -1) {
 +							Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
 +							throw new MOAApplicationException("4001", new Object[]{host + "(" + ip + ")"});
 +						}							
 +						else {
 +							Logger.debug(new LogMsg("No external URIs allowed (" + host + ":" + port + ")"));
 +							throw new MOAApplicationException("4001", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
 +						}
 +							
 +					}
 +					
  				}
  				Logger.debug(new LogMsg("URI allowed: " + ip + ":" + port));
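Review bot: The two rejection branches at the end of the new whitelist block are swapped: `if (port != -1)` logs and reports only the host, while the `else` (where `port` is -1) appends `:` + port, so every rejection with an explicit port drops it and every port-less rejection prints `:-1`; the condition should read `if (port == -1)`. The whitelist match `ip.startsWith(bhost)` is a plain string-prefix test on the dotted address, so a configured entry such as `10.1` also admits `10.10.x.x` and `10.100.x.x` — since this list grants access, the check should align on whole octets, e.g. `ip.equals(bhost) || ip.startsWith(bhost + ".")`; the blacklist loop in the earlier hunk appears to use the same comparison (only its first lines are visible), where over-matching merely over-blocks. `new Integer(bport).intValue()` is better written `Integer.parseInt(bport)`, and a malformed port in the configuration currently escapes as an uncaught NumberFormatException rather than a configuration error. The enclosing method starts before this hunk and continues after it.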
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java
 new file mode 100644
 index 000000000..99af84308
 --- /dev/null
 +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java
 @@ -0,0 +1,37 @@
 +package at.gv.egovernment.moa.spss.util;
 +
 +public class QCSSCDResult {
 +
 +	private boolean qc;
 +	private boolean qcSourceTSL;
 +	
 +	private boolean sscd;
 +	private boolean sscdSourceTSL;
 +	
 +	public QCSSCDResult() {
 +		this.qc = false;
 +		this.qcSourceTSL = false;
 +		this.sscd = false;
 +		this.sscdSourceTSL = false;
 +	}
 +	
 +	public QCSSCDResult(boolean qc, boolean qcSourceTSL, boolean sscd, boolean sscdSourceTSL) {
 +		this.qc = qc;
 +		this.qcSourceTSL = qcSourceTSL;
 +		this.sscd = sscd;
 +		this.sscdSourceTSL = sscdSourceTSL;
 +	}
 +	
 +	public boolean isQC() {
 +		return this.qc;
 +	}
 +	public boolean isQCSourceTSL() {
 +		return this.qcSourceTSL;
 +	}
 +	public boolean isSSCD() {
 +		return this.sscd;
 +	}
 +	public boolean isSSCDSourceTSL() {
 +		return this.sscdSourceTSL;
 +	}
 +}
 | 
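Review bot: `QCSSCDResult` exposes no setters and is only ever built once by `CertificateUtils.checkQCSSCD`, so its four fields should be `private final`; as written the class is only accidentally immutable, and the no-argument constructor duplicates the four-argument one instead of delegating with `public QCSSCDResult() { this(false, false, false, false); }`. The class and its getters also carry no Javadoc; a class comment stating that `qc` and `sscd` hold the QC and SSCD verdicts for a certificate and that the `*SourceTSL` flags record whether the verdict came from the trust-status list rather than from the certificate's own extensions (as the logging in `checkQCSSCD` indicates) would let callers interpret the result without reading the utility class.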
