aboutsummaryrefslogtreecommitdiff
path: root/spss/server/serverlib/src/main
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2014-03-25 22:02:54 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2014-03-25 22:02:54 +0100
commitfc189a2e69c7468c12621b7d4a3c94343d1a672c (patch)
tree89d9e08195bf3c708115ded47a8e588c6e4acbb0 /spss/server/serverlib/src/main
parent242a22849402a13e585fada9d055a85f1c6d1ee8 (diff)
parent1b47a1e5f5787a3d1681cdee8b8bc1ec7a5cd9c9 (diff)
downloadmoa-id-spss-fc189a2e69c7468c12621b7d4a3c94343d1a672c.tar.gz
moa-id-spss-fc189a2e69c7468c12621b7d4a3c94343d1a672c.tar.bz2
moa-id-spss-fc189a2e69c7468c12621b7d4a3c94343d1a672c.zip
merge
Diffstat (limited to 'spss/server/serverlib/src/main')
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java1
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java2
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java147
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java81
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java8
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java1
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java46
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java343
-rw-r--r--spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties1
9 files changed, 445 insertions, 185 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java
index 30eed7001..6cf46c50a 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java
@@ -36,6 +36,7 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.util.Constants;
+
import at.gv.egovernment.moa.spss.util.MessageProvider;
/**
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java
index 6209d8ef9..6b3f4301f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java
@@ -175,7 +175,7 @@ public class VerifyCMSSignatureRequestParser {
excludeByteRangeFrom = new BigDecimal(excludeByteRangeFromStr);
if (excludeByteRangeToStr != null)
excludeByteRangeTo = new BigDecimal(excludeByteRangeToStr);
-
+
return factory.createCMSDataObject(metaInfo, content, excludeByteRangeFrom, excludeByteRangeTo);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 0908d88c9..3d2da8384 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -1268,6 +1268,111 @@ public class ConfigurationPartsBuilder {
}
/**
+ * Build the trust profile mapping.
+ *
+ * @return The profile ID to profile mapping.
+ */
+ public Map buildTrustProfiles()
+ {
+ Map trustProfiles = new HashMap();
+ NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH);
+ Element profileElem;
+
+ while ((profileElem = (Element) profileIter.nextNode()) != null)
+ {
+ String id = getElementValue(profileElem, CONF + "Id", null);
+ String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null);
+ String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null);
+
+ URI trustAnchorsLocURI = null;
+ try
+ {
+ trustAnchorsLocURI = new URI(trustAnchorsLocStr);
+ if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file
+ trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr);
+ }
+ }
+ catch (URIException e) {
+ warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e);
+ continue;
+ }
+ catch (MalformedURLException e)
+ {
+ warn("config.15", new Object[] {id}, e);
+ continue;
+ }
+
+ File profileDir = new File(trustAnchorsLocURI.getPath());
+ if (!profileDir.exists() || !profileDir.isDirectory()) {
+ warn("config.27", new Object[] { "uri", id });
+ continue;
+ }
+
+
+
+ if (trustProfiles.containsKey(id)) {
+ warn("config.04", new Object[] { "TrustProfile", id });
+ continue;
+ }
+
+ URI signerCertsLocURI = null;
+ if (signerCertsLocStr != null && !"".equals(signerCertsLocStr))
+ {
+ try
+ {
+ signerCertsLocURI = new URI(signerCertsLocStr);
+ if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new URI(configRoot_.toURL() + signerCertsLocStr);
+
+ File signerCertsDir = new File(signerCertsLocURI.getPath());
+ if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) {
+ warn("config.27", new Object[] { "signerCertsUri", id });
+ continue;
+ }
+ }
+ catch (URIException e) {
+ warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e);
+ continue;
+ }
+ catch (MalformedURLException e) {
+ warn("config.15", new Object[] {id}, e);
+ continue;
+ }
+ }
+
+ signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null;
+
+ TrustProfile profile = null;
+
+ profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, false, null);
+
+ trustProfiles.put(id, profile);
+
+ }
+
+ return trustProfiles;
+ }
+
+ /**
+ * checks if a trustprofile with TSL support is enabled
+ *
+ * @return true if TSL support is enabled in at least one trustprofile, else false
+ */
+ public boolean checkTrustProfilesTSLenabled()
+ {
+ NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH);
+ Element profileElem;
+
+ boolean tslSupportEnabled = false;
+ while ((profileElem = (Element) profileIter.nextNode()) != null) {
+ Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL");
+ if (eutslElem != null) //EUTSL element found --> TSL enabled
+ tslSupportEnabled = true;
+ }
+
+ return tslSupportEnabled;
+ }
+
+ /**
* Returns the location of the certificate store.
*
* @return the location of the certificate store.
@@ -1385,6 +1490,22 @@ public class ConfigurationPartsBuilder {
Logger.warn(new LogMsg(txt));
warnings.add(txt);
}
+
+ /**
+ * Log a warning.
+ *
+ * @param messageId The message ID.
+ * @param args Additional parameters for the message.
+ * @see at.gv.egovernment.moa.spss.server.util.MessageProvider
+ */
+ private void debug(String messageId, Object[] args) {
+ MessageProvider msg = MessageProvider.getInstance();
+ String txt = msg.getMessage(messageId, args);
+
+ Logger.debug(new LogMsg(txt));
+
+ }
+
/**
* Log a debug message.
@@ -1577,31 +1698,31 @@ public class ConfigurationPartsBuilder {
public TSLConfiguration getTSLConfiguration() {
TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl();
-
+
String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null);
if (StringUtils.isEmpty(euTSLUrl)) {
euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL;
- warn("config.39", new Object[] { "EUTSL", euTSLUrl });
+ debug("config.39", new Object[] { "EUTSL", euTSLUrl });
}
String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null);
if (StringUtils.isEmpty(updateSchedulePeriod)) {
updateSchedulePeriod = TSLConfiguration.DEFAULT_UPDATE_SCHEDULE_PERIOD;
- warn("config.39", new Object[] { "UpdateSchedule/Period", updateSchedulePeriod });
+ debug("config.39", new Object[] { "UpdateSchedule/Period", updateSchedulePeriod });
}
String updateScheduleStartTime = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "StartTime", null);
if (StringUtils.isEmpty(updateScheduleStartTime)) {
updateScheduleStartTime = TSLConfiguration.DEFAULT_UPDATE_SCHEDULE_STARTTIME;
- warn("config.39", new Object[] { "UpdateSchedule/StartTime", updateScheduleStartTime });
+ debug("config.39", new Object[] { "UpdateSchedule/StartTime", updateScheduleStartTime });
}
String workingDirectoryStr = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "WorkingDirectory", null);
if (StringUtils.isEmpty(workingDirectoryStr)) {
workingDirectoryStr = TSLConfiguration.DEFAULT_WORKING_DIR;
- warn("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr });
+ debug("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr });
}
// convert update schedule starting time to Date object
@@ -1638,24 +1759,12 @@ public class ConfigurationPartsBuilder {
return null;
}
- File hashcache = new File(tslWorkingDir, "hashcache");
- if (!hashcache.exists()) {
- hashcache.mkdir();
- }
- if (!hashcache.isDirectory()) {
- error("config.38", new Object[] { hashcache.getAbsolutePath() });
- return null;
- }
-
- System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath());
-// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
-// System.out.println("Hashcache: " + hashcachedir);
-
+
debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl);
debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod);
debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime);
debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath());
- debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath());
+
// set TSL configuration
tslconfiguration.setEuTSLUrl(euTSLUrl);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 2cad35763..d67cbf1b4 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -347,6 +347,16 @@ public class ConfigurationProvider
try {
builder = new ConfigurationPartsBuilder(configElem, configRoot);
+ if (builder.checkTrustProfilesTSLenabled()) {
+ debug("TSL support enabled for at least one trustprofile.");
+ tslconfiguration_ = builder.getTSLConfiguration();
+ trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());
+ }
+ else {
+ tslconfiguration_ = null;
+ trustProfiles = builder.buildTrustProfiles();
+ }
+
digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName();
canonicalizationAlgorithmName =
builder.getCanonicalizationAlgorithmName();
@@ -361,14 +371,14 @@ public class ConfigurationProvider
keyGroupMappings =
builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL);
- tslconfiguration_ = builder.getTSLConfiguration();
-
xadesVersion = builder.getXAdESVersion();
defaultChainingMode = builder.getDefaultChainingMode();
chainingModes = builder.buildChainingModes();
useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess();
autoAddCertificates_ = builder.getAutoAddCertificates();
- trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());
+ //trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());
+
+
distributionPoints = builder.buildDistributionPoints();
enableRevocationChecking_ = builder.getEnableRevocationChecking();
maxRevocationAge_ = builder.getMaxRevocationAge();
@@ -379,6 +389,7 @@ public class ConfigurationProvider
revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass();
+
//check TSL configuration
checkTSLConfiguration();
@@ -428,7 +439,21 @@ public class ConfigurationProvider
}
}
- private void checkTSLConfiguration() throws ConfigurationException {
+ private boolean checkTSLenableTrustprofilesExist()throws ConfigurationException {
+ boolean bTSLEnabledTPExist = false;
+ Iterator it = trustProfiles.entrySet().iterator();
+ while (it.hasNext()) {
+ Map.Entry pairs = (Map.Entry)it.next();
+ TrustProfile tp = (TrustProfile) pairs.getValue();
+ if (tp.isTSLEnabled())
+ bTSLEnabledTPExist = bTSLEnabledTPExist || true;
+ }
+
+ return bTSLEnabledTPExist;
+
+ }
+
+ private void checkTSLConfiguration() throws ConfigurationException {
boolean bTSLEnabledTPExist = false;
Iterator it = trustProfiles.entrySet().iterator();
while (it.hasNext()) {
@@ -449,6 +474,43 @@ public class ConfigurationProvider
throw new ConfigurationException("config.40", null);
}
+ File workingDir = new File(tslconfiguration_.getWorkingDirectory());
+ File eu_trust = new File(workingDir.getAbsolutePath() + "/trust/eu");
+ if (!eu_trust.exists()) {
+ error("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"});
+ throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"});
+ }
+ else {
+ File[] eutrustFiles = eu_trust.listFiles();
+ if (eutrustFiles == null) {
+ error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"});
+ throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"});
+ }
+ else {
+ if (eutrustFiles.length == 0) {
+ error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"});
+ throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"});
+ }
+ }
+
+ }
+
+ File hashcache = new File(tslconfiguration_.getWorkingDirectory(), "hashcache");
+ if (!hashcache.exists()) {
+ hashcache.mkdir();
+ }
+ if (!hashcache.isDirectory()) {
+ error("config.38", new Object[] { hashcache.getAbsolutePath() });
+ return;
+ }
+
+ System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath());
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("Hashcache: " + hashcachedir);
+
+
+ Logger.debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath());
+
}
@@ -759,6 +821,17 @@ public class ConfigurationProvider
Logger.info(new LogMsg(msg.getMessage(messageId, parameters)));
}
+ /**
+ * Log a debug message.
+ *
+ * @param messageId The message ID.
+ * @param parameters Additional parameters for the message.
+ * @see at.gv.egovernment.moa.spss.server.util.MessageProvider
+ */
+ private static void debug(String message) {
+ Logger.debug(message);
+ }
+
/**
* Log a warning.
*
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index 0e5faf790..aca6f5895 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -311,6 +311,12 @@ public class CMSSignatureVerificationInvoker {
ByteArrayOutputStream contentOs = new ByteArrayOutputStream();
+ CMSDataObject dataobject = request.getDataObject();
+ BigDecimal from = dataobject.getExcludeByteRangeFrom();
+ BigDecimal to = dataobject.getExcludeByteRangeTo();
+
+ if ( (from == null) || (to == null))
+ return contentIs;
BigDecimal counter = new BigDecimal("0");
BigDecimal one = new BigDecimal("1");
@@ -318,7 +324,7 @@ public class CMSSignatureVerificationInvoker {
try {
while ((byteRead=contentIs.read()) >= 0) {
- if (inRange(counter, request.getDataObject())) {
+ if (inRange(counter, dataobject)) {
// if byte is in byte range, set byte to 0x00
contentOs.write(0);
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
index 07da0a998..3a004a81d 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.spss.tsl.connector;
import iaik.asn1.ObjectID;
+
import iaik.util._;
import iaik.util.logging._l;
import iaik.utils.RFC2253NameParser;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
index 5456701c0..e06abe44d 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
@@ -46,7 +46,9 @@ public class TSLUpdaterTimerTask extends TimerTask {
public void run() {
try {
+ Logger.info("Start TSL Update");
update();
+ Logger.info("Finished TSL Update");
} catch (TSLEngineDiedException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
@@ -172,33 +174,33 @@ public class TSLUpdaterTimerTask extends TimerTask {
// convert ArrayList<File> to X509Certificate[]
if (tsl_certs == null) {
- Logger.error("No certificates from TSL imported.");
- throw new TSLSearchException("No certificates from TSL imported.");
+ Logger.warn("No certificates from TSL imported.");
+ //throw new TSLSearchException("No certificates from TSL imported.");
}
+ else {
- X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
- Iterator itcert = tsl_certs.iterator();
- i = 0;
- File f = null;
- while(itcert.hasNext()) {
- f = (File)itcert.next();
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = new X509Certificate(fis);
- addCertificatesTSL[i] = cert;
+ X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
+ Iterator itcert = tsl_certs.iterator();
+ i = 0;
+ File f = null;
+ while(itcert.hasNext()) {
+ f = (File)itcert.next();
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = new X509Certificate(fis);
+ addCertificatesTSL[i] = cert;
- i++;
- fis.close();
- }
+ i++;
+ fis.close();
+ }
- Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
- storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
- storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
+ Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
- Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
- storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
- storeUpdater.addCertificatesToCertStores(addCertificates, tid);
-
-
+ Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificates, tid);
+ }
}
}
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java
index f0dbd779e..492d10eda 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.spss.tsl.utils;
import iaik.util.logging._l;
+
import iaik.util.logging.Log.MultiThreadLoggingGroup;
import iaik.utils.RFC2253NameParserException;
import iaik.utils.Util;
@@ -15,6 +16,7 @@ import iaik.xml.crypto.tsl.TSLOpenURIException;
import iaik.xml.crypto.tsl.TSLThreadContext;
import iaik.xml.crypto.tsl.ValidationFixupFilter;
import iaik.xml.crypto.tsl.ValidationFixupFilter.AttributeValueFixup;
+import iaik.xml.crypto.tsl.ValidationFixupFilter.DeleteAttrFixup;
import iaik.xml.crypto.tsl.ValidationFixupFilter.ElementStringValueFixup;
import iaik.xml.crypto.tsl.ValidationFixupFilter.FixedSaxLevelValidationExcption;
import iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup;
@@ -97,44 +99,34 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
trustAnchorsWrongOnEuTsl_;
public TSLImportFromFileContext(
- Countries expectedTerritory,
- URL url,
- Number otherTslPointerId,
- String workingdirectory,
- boolean sqlMultithreaded,
- boolean throwExceptions,
- boolean logExceptions,
- boolean throwWarnings,
- boolean logWarnings,
- boolean nullRedundancies,
- String baseuri,
- Map <Countries, ListIterator<X509Certificate>> trustAnchorsWrongOnEuTsl,
- TSLThreadContext parentContext) {
- super(
- expectedTerritory,
- url,
- otherTslPointerId,
- workingdirectory,
- sqlMultithreaded,
- throwExceptions,
- logExceptions,
- throwWarnings,
- logWarnings,
- nullRedundancies,
- parentContext);
- baseuri_ = baseuri;
- trustAnchorsWrongOnEuTsl_ = trustAnchorsWrongOnEuTsl;
- }
-
- public List<ThrowableAndLocatorAndMitigation> getErrorsAndWarnings() {
- List<ThrowableAndLocatorAndMitigation> errorsAndWarnings = new ArrayList<ThrowableAndLocatorAndMitigation>();
- errorsAndWarnings.addAll(this.fatals_);
- errorsAndWarnings.addAll(this.faildTransactions_);
- errorsAndWarnings.addAll(this.warnings_);
-
- return errorsAndWarnings;
- }
-
+ Countries expectedTerritory,
+ URL url,
+ Number otherTslPointerId,
+ String workingdirectory,
+ boolean sqlMultithreaded,
+ boolean throwExceptions,
+ boolean logExceptions,
+ boolean throwWarnings,
+ boolean logWarnings,
+ boolean nullRedundancies,
+ String baseuri,
+ Map <Countries, ListIterator<X509Certificate>> trustAnchorsWrongOnEuTsl,
+ TSLThreadContext parentContext) {
+ super(
+ expectedTerritory,
+ url,
+ otherTslPointerId,
+ workingdirectory,
+ sqlMultithreaded,
+ throwExceptions,
+ logExceptions,
+ throwWarnings,
+ logWarnings,
+ nullRedundancies,
+ parentContext);
+ baseuri_ = baseuri;
+ trustAnchorsWrongOnEuTsl_ = trustAnchorsWrongOnEuTsl;
+ }
/* (non-Javadoc)
* @see iaik.xml.crypto.tsl.TSLImportFromFileContext#getbaseURI()
*/
@@ -142,67 +134,80 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
public String getbaseURI() {
return this.baseuri_;
}
-
+
+
+
+
//@Override
- protected RuntimeException wrapException(Throwable t, Locator l, Mitigation m) {
- return super.wrapException(t, l, m);
- }
+ protected RuntimeException wrapException(Throwable t, Locator l, Mitigation m) {
+ return super.wrapException(t, l, m);
+ }
@Override
- public synchronized void throwException(Throwable e) {
+ public
+ synchronized void throwException(Throwable e) {
if (e instanceof TSLValidationException) {
// we do not throw dom validation errors for testing
// and just collect them
wrapException(e);
-
} else if (e instanceof TSLVerificationException) {
+
+ boolean corrected = false;
// we do not throw verification errors for testing
// and just collect them
- if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NO_TSL_SIGNATURE
- .getClass().getName(), "true"))
- && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NO_TSL_SIGNATURE) {
-
- //TSL with no signature are ignored!!!!
- l.warn("TSL IS NOT SIGNED! "
- + this.expectedTerritory_.name() + " TSL ignored.");
- }
-
- if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE
- .getClass().getName(), "true"))
- && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE) {
- ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
- }
-
- if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE
- .getClass().getName(), "true"))
- && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE) {
- ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
- }
-
- if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE
- .getClass().getName(), "true"))
- && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE) {
- ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
- }
-
- if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE
- .getClass().getName(), "true"))
- && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE) {
- ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
- }
+// // NEVER DO THIS! unless you want to import TSLs without signatures.
+// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NO_TSL_SIGNATURE
+// .getClass().getName(), "true"))
+// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NO_TSL_SIGNATURE) {
+// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
+// }
+//
+// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE
+// .getClass().getName(), "true"))
+// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE) {
+// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
+// }
- wrapException(e);
+// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE
+// .getClass().getName(), "true"))
+// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE) {
+// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
+//
+// corrected = true;
+// }
+//
+//
+// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE
+// .getClass().getName(), "true"))
+// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE) {
+// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
+//
+// corrected = true;
+// }
+//
+// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE
+// .getClass().getName(), "true"))
+// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE) {
+// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
+//
+// corrected = true;
+// }
+//
+// if (corrected)
+// wrapException(e);
+// else
+// super.throwException(e);
+
+ super.throwException(e);
} else if (e instanceof FileNotFoundException) {
// we do not stop and continue processing
wrapException(e);
-
} else if (e instanceof IllegalArgumentException) {
// we do not stop and continue processing
wrapException(e);
-
} else {
// all other errors are treated as per default
super.throwException(e);
@@ -221,9 +226,6 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
if(
e instanceof FixedSaxLevelValidationExcption &&
enclosingMethod.getDeclaringClass().equals(ValidationFixupFilter.class)){
-
-
-
wrapException(e,
((LocatorAspect) e).getLocator(),
new FixedValidationMitigation("Performed SAX Level Fixup."));
@@ -247,7 +249,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
if (parameters[0] instanceof DOMError) {
DOMError domError = (DOMError) parameters[0];
- l.info(""+domError.getRelatedData());
+ _l.warn(""+domError.getRelatedData());
// domError.getRelatedData().getClass().getField("")
@@ -308,6 +310,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
}
});
return mitigatedResult;
+
}
}
@@ -378,11 +381,43 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
}
}
- l.error("Ignoring download error using old: " + parameters[0], null);
+ _l.err("Ignoring download error using old: " + parameters[0], null);
wrapException(e);
return parameters[1];
}
+// if (
+// expectedTerritory_ == Countries.PL &&(
+// (e.getCause() instanceof java.io.EOFException ||
+// e.getCause() instanceof iaik.security.ssl.SSLException) &&
+// parameters[0] instanceof URL &&
+// ((URL)parameters[0]).getProtocol().equalsIgnoreCase("https")
+// )){
+// File f = null;
+// System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
+// TLS.register("TLSv1");
+// try {
+// f = (File) enclosingMethod.invoke(thisObject, parameters);
+// } catch (IllegalAccessException e1) {
+// wrapException(e1);
+// } catch (InvocationTargetException e1) {
+// wrapException(e1);
+// }
+//
+// // System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", null);
+// TLS.register();
+//
+// if (f != null){
+// wrapException(e, null, new Mitigation() {
+// @Override
+// public String getReport() {
+// return "Trying TLSv1 and sun.security.ssl.allowUnsafeRenegotiation=true";
+// }
+// });
+// return f;
+// }
+// }
+
if (
e instanceof TSLSecurityException &&
enclosingMethod.getDeclaringClass().equals(TSLContext.class) &&
@@ -406,14 +441,14 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
wrapException(e1);
}
wrapException(e, getLocator(),
- new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation(){
- @Override
- public String getReport() {
- return "make an exception for " + expectedTerritory_ + " who have the wrong certificate in " +
- "the EU TSL and allow the certificate " +
- parameters[1];
- }
- });
+ new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation(){
+ @Override
+ public String getReport() {
+ return "make an exception for " + expectedTerritory_ + " who have the wrong certificate in " +
+ "the EU TSL and allow the certificate " +
+ parameters[1];
+ }
+ });
return null;
}
X509Certificate crt = (X509Certificate)parameters[1];
@@ -530,47 +565,45 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
}
}
-// //TODO: CONSIDER, IF WE REALLY WANT THIS PART OF CODE!
-// //ugly hack to accept a certificate which uses a crazy X509SubjectName!!
-// if ( expectedTerritory_ == Countries.DK &&
-// e instanceof KeySelectorException &&
-// parameters[0] instanceof X509DataImpl){
-// if (e.getMessage().equals("KeyInfo X509SubjectName (CN=Adam Arndt Digst,serialNumber=CVR:34051178-RID:25902029,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) does not match SubjectDN (serialNumber=CVR:34051178-RID:25902029+CN=Adam Arndt Digst,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) of KeyInfo X509Certificate.\n"+
-// "Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key.")) {
-//
-// X509DataImpl x509DataImpl = (X509DataImpl) parameters[0];
-//
-// Node child = x509DataImpl.getNode().getFirstChild().getNextSibling();
-// Node child1 = x509DataImpl.getNode().getFirstChild();
-//
-// x509DataImpl.getNode().removeChild(child);
-// x509DataImpl.getNode().removeChild(child1);
-//
-//
-// parameters[0] = (X509Data) x509DataImpl
-//
-// Object mitigatedResult = null;
-// try {
-//
-// mitigatedResult = enclosingMethod.invoke(thisObject, parameters);
-// } catch (IllegalAccessException e1) {
-// wrapException(e1);
-// } catch (InvocationTargetException e1) {
-// wrapException(e1);
-// }
-//
-// if (mitigatedResult != null){
-// wrapException(e, null, new Mitigation(null) {
-// @Override
-// public String getReport() {
-// return "Deleted wrong X509SubjectName from XMLDSIG Signature.";
-// }
-// });
-// return mitigatedResult;
-// }
-// }
-// }
-
+ if ( expectedTerritory_ == Countries.DK &&
+ e instanceof KeySelectorException &&
+ parameters[0] instanceof X509DataImpl){
+ if (e.getMessage().equals("KeyInfo X509SubjectName (CN=Adam Arndt Digst,serialNumber=CVR:34051178-RID:25902029,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) does not match SubjectDN (serialNumber=CVR:34051178-RID:25902029+CN=Adam Arndt Digst,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) of KeyInfo X509Certificate.\n"+
+ "Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key.")) {
+
+ X509DataImpl x509DataImpl = (X509DataImpl) parameters[0];
+
+ ListIterator li = x509DataImpl.getContent().listIterator();
+ li.next();
+ String sn = (String) li.next();
+
+ _l.err(sn, null);
+
+ System.exit(1);
+
+ Object mitigatedResult = null;
+ try {
+
+ mitigatedResult = enclosingMethod.invoke(thisObject, parameters);
+ } catch (IllegalAccessException e1) {
+ wrapException(e1);
+ } catch (InvocationTargetException e1) {
+ wrapException(e1);
+ }
+
+ if (mitigatedResult != null){
+ wrapException(e, null, new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation() {
+ @Override
+ public String getReport() {
+ return "Deleted wrong X509SubjectName from XMLDSIG Signature.";
+ }
+ });
+ return mitigatedResult;
+
+ }
+ }
+ }
+
} else {
if (e instanceof MitigatedTSLSecurityException){
@@ -578,7 +611,6 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
// and collect them
wrapException(e);
return null;
-
} else if (e instanceof FixedSaxLevelValidationExcption) {
// we allow to mitigate Sax Level Fixup for testing
// and collect them
@@ -607,7 +639,11 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
if(expectedTerritory_ == Countries.EL){
//fix the whitespace in Greece TSL
status = status.trim();
- }
+ }
+ if (status != null && status.startsWith("http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/")) {
+ status = status.substring("http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/".length());
+ }
+
return super.compressStatus(status);
}
@@ -625,6 +661,37 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
@Override
public iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup getSaxLevelValidationFixup(SAXParseException e) {
+ if (expectedTerritory_ == Countries.AT){
+ if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
+ return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
+ }
+ }
+
+ if (expectedTerritory_ == Countries.CZ){
+ if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
+ return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
+ }
+ }
+
+ if (expectedTerritory_ == Countries.FR){
+ if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
+ return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
+ }
+ }
+
+ if (expectedTerritory_ == Countries.NO){
+ if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
+ return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
+ }
+ }
+
+ if (expectedTerritory_ == Countries.SK){
+ if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
+ return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
+ }
+ }
+
+
if (expectedTerritory_ == Countries.ES && getDownloadLocation().toString().contains(".es/")){
if (e.getMessage().equals("cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'tslx:CertSubjectDNAttributeType'.")){
return new LocalNameFixup("CertSubjectDNAttributeType","CertSubjectDNAttribute",e, this);
@@ -734,7 +801,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
String msg = e.getMessage();
- l.info(msg);
+ _l.info(msg);
return(
msg.startsWith("["+SQLiteErrorCode.SQLITE_CONSTRAINT.name()+"]") &&
msg.contains("column " + DbTables.TSLDownload.C.rawHash + " is not unique")
@@ -748,7 +815,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
@Override
protected long howLongWaitForThreads() {
// TODO Auto-generated method stub
- return 10000;
+ return 100000;
}
@Override
@@ -768,7 +835,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
synchronized (log) {
parentContext_.print("<" + ncName + " state=\"" + currentThread.getState()
+ "\" " + " id=\"" + currentThread.getId() + "\">\n" + log.toString() + "</"
- + ncName + ">\n");
+ + ncName + ">" + _.LB);
parentContext_.flushLog();
log.setLength(0);
}
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index e4ee607c0..9e2e0e490 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -159,6 +159,7 @@ config.46=Start periodical TSL update task at {0} and then every {1} millisecond
config.48=No whitelisted URIs given.
config.49=Whitelisted URI: {0}.
config.50=Fehler beim Erstellen des TSL Vertrauensprofils: Das Verzeichnis ({0}) ist kein Verzeichnis.
+config.51=Fehler beim Erstellen der TSL Konfiguration: TSL-Arbeitsverzeichnis ist fehlerhaft ({0}).
handler.00=Starte neue Transaktion: TID={0}, Service={1}
handler.01=Aufruf von Adresse={0}