authorKlaus Stranacher <kstranacher@iaik.tugraz.at>2013-04-16 14:44:08 +0200
committerKlaus Stranacher <kstranacher@iaik.tugraz.at>2013-04-16 14:44:08 +0200
commit1ad814ccbbe4f65f430ac738104e3f3c8256c229 (patch)
tree1a260bdee968138978f32040831e5627d402da1a /spss/server/serverlib/src
parent2e54605e4b6b828137ae92ac91564b833bdb8a14 (diff)
Update digest algorithm, XAdES version, whitelisting
Diffstat (limited to 'spss/server/serverlib/src')
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java103
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java35
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java16
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java156
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java89
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java45
-rw-r--r--spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties6
7 files changed, 394 insertions, 56 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 09f496c74..e335139aa 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -101,6 +101,10 @@ public class ConfigurationPartsBuilder {
ROOT + CONF + "SignatureCreation/"
+ CONF + "XMLDSig/"
+ CONF + "DigestMethodAlgorithm";
+ private static final String XADES_VERSION_XPATH =
+ ROOT + CONF + "SignatureCreation/"
+ + CONF + "XAdES/"
+ + CONF + "Version";
private static final String C14N_ALGORITHM_XPATH =
ROOT + CONF + "SignatureCreation/"
+ CONF + "XMLDSig/"
@@ -115,6 +119,13 @@ public class ConfigurationPartsBuilder {
ROOT + CONF + "Common/"
+ CONF + "PermitExternalUris/"
+ CONF + "BlackListUri";
+ private static final String FORBID_EXTERNAL_URIS_XPATH =
+ ROOT + CONF + "Common/"
+ + CONF + "ForbidExternalUris";
+ private static final String WHITE_LIST_URIS_XPATH =
+ ROOT + CONF + "Common/"
+ + CONF + "ForbidExternalUris/"
+ + CONF + "WhiteListUri";
private static final String HARDWARE_KEY_XPATH =
ROOT + CONF + "SignatureCreation/"
@@ -263,15 +274,19 @@ public class ConfigurationPartsBuilder {
/** The accepted digest method algorithm URIs, as an array */
private static final String[] ACCEPTED_DIGEST_ALGORITHMS_ARRAY =
- { Constants.SHA1_URI };
+ { Constants.SHA1_URI,
+ Constants.SHA256_URI,
+ Constants.SHA384_URI,
+ Constants.SHA512_URI};
/** The accepted digest method algorithm URIs, as a Set */
private static final Set ACCEPTED_DIGEST_ALGORITHMS =
new HashSet(Arrays.asList(ACCEPTED_DIGEST_ALGORITHMS_ARRAY));
-
+
+
/** Default digest algorithm URI, if none/illegal has been configured */
private static final String DIGEST_ALGORITHM_DEFAULT = Constants.SHA1_URI;
-
+
/** The root element of the MOA configuration */
private Element configElem;
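Review bot: DIGEST_ALGORITHM_DEFAULT at the end of this hunk still falls back to Constants.SHA1_URI, so a deployment that leaves DigestMethodAlgorithm unset or misspells it silently lands on SHA-1 even though SHA-256/384/512 are now accepted. If that is deliberate for compatibility with existing configurations, state it where the fallback is defined: `/** Default digest algorithm URI, if none/illegal has been configured; kept at SHA-1 for backward compatibility — deployments should configure a SHA-2 URI explicitly */`.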
@@ -333,7 +348,7 @@ public class ConfigurationPartsBuilder {
public String getDigestMethodAlgorithmName()
{
String digestMethod = getElementValue(getConfigElem(), DIGEST_METHOD_XPATH, null);
-
+
if (digestMethod == null || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod))
{
info(
@@ -344,7 +359,20 @@ public class ConfigurationPartsBuilder {
return digestMethod;
}
-
+
+ /**
+ * Returns the digest method algorithm name.
+ *
+ * @return The digest method algorithm name from the configuration.
+ */
+ public String getXAdESVersion()
+ {
+ String xadesVersion = getElementValue(getConfigElem(), XADES_VERSION_XPATH, null);
+
+ return xadesVersion;
+ }
+
+
/**
* Returns the canonicalization algorithm name.
*
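Review bot: The Javadoc on the new getXAdESVersion() is copied from getDigestMethodAlgorithmName() and describes the wrong method ("Returns the digest method algorithm name"). Replace it with `/** Returns the configured XAdES version. @return The XAdES version from the configuration, or null if none is configured. */` — the `null` passed as the last argument of getElementValue suggests callers get null rather than an empty string, which is worth confirming against getElementValue. The local `xadesVersion` variable adds nothing; `return getElementValue(getConfigElem(), XADES_VERSION_XPATH, null);` is enough.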
@@ -409,6 +437,7 @@ public class ConfigurationPartsBuilder {
}
}
+
/**
*
* @return
@@ -448,10 +477,12 @@ public class ConfigurationPartsBuilder {
array[1] = port;
blacklist.add(array);
- }
+ }
+
// set blacklist for iaik-moa
ExternalReferenceChecker.setBlacklist(blackListIaikMoa);
+
if(blacklist.isEmpty()) // no blacklisted uris given
info("config.36", null);
@@ -459,7 +490,64 @@ public class ConfigurationPartsBuilder {
return blacklist;
}
+
+ /**
+ *
+ * @return
+ */
+ public List buildForbidExternalUris() {
+
+ //info("config.47", null);
+
+ List whitelist = new ArrayList();
+ List whiteListIaikMoa = new ArrayList();
+
+ NodeIterator forbidExtIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ WHITE_LIST_URIS_XPATH);
+
+ Element permitExtElem = null;
+ while ((permitExtElem = (Element) forbidExtIter.nextNode()) != null) {
+ String host = getElementValue(permitExtElem, CONF + "IP", null);
+ String port = getElementValue(permitExtElem, CONF + "Port", null);
+
+ // TODO WhiteListeEntry
+// WhiteListEntry entry =null;
+ if (port == null) {
+// entry = new WhiteListEntry(host, -1);
+ info("config.49", new Object[]{host});
+ }
+ else {
+// entry = new WhiteListEntry(host, new Integer(port).intValue());
+ info("config.49", new Object[]{host + ":" + port});
+ }
+//
+// // add entry to iaik-moa whitelist
+// whiteListIaikMoa.add(entry);
+
+
+ String array[] = new String[2];
+ array[0] = host;
+ array[1] = port;
+ whitelist.add(array);
+
+ }
+
+
+ // set whitelist for iaik-moa
+ // TODO
+// ExternalReferenceChecker.setWhitelist(whiteListIaikMoa);
+
+
+ if(whitelist.isEmpty()) // no whitelisted uris given
+ info("config.48", null);
+
+
+ return whitelist;
+ }
+
+
/**
* Build the configured hardware keys.
*
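Review bot: buildForbidExternalUris stores the configured Port as the raw string without checking that it parses as an integer, and nothing in this hunk validates it, so a malformed whitelist entry surfaces only at verification time as an unchecked exception from the verifier's `new Integer(bport)`. Parse it here, next to the `info("config.49", ...)` call, with `Integer.parseInt(port)` in a try/catch that reports the bad entry and skips it, so a broken whitelist fails at startup rather than on a request. The method's Javadoc is empty; `/** Builds the whitelist of external URIs (host/IP prefix and optional port) that stay reachable when external URIs are otherwise forbidden. @return A List of String[2] entries {host, port}, port may be null; empty if none is configured. */` states the contract ExternalURIVerifier relies on. The commented-out `ExternalReferenceChecker.setWhitelist(...)` means the iaik-moa checker only ever receives the blacklist; if that checker enforces anything on its own, it will not honour the new whitelist, and the TODO should say so.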
@@ -573,9 +661,10 @@ public class ConfigurationPartsBuilder {
while ((keyGroupElem = (Element) kgIter.nextNode()) != null)
{
String keyGroupId = getElementValue(keyGroupElem, CONF + "Id", null);
+ String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null);
Set keyGroupEntries =
buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem);
- KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries);
+ KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm);
if (keyGroups.containsKey(keyGroupId))
{
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 25fa0d6ad..b40a6bfa5 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -99,7 +99,10 @@ public class ConfigurationProvider
/** The default canonicalization algorithm name */
private String canonicalizationAlgorithmName;
-
+
+ /** The XAdES version used for signature creation */
+ private String xadesVersion;
+
/**
* A <code>List</code> of <code>HardwareCryptoModule</code> objects for
* configuring hardware modules.
@@ -252,6 +255,11 @@ public class ConfigurationProvider
private List blackListedUris_;
/**
+ * A <code>List</code> of white listed URIs (host and port)
+ */
+ private List whiteListedUris_;
+
+ /**
* A <code>TSLConfiguration</code> that represents the global TSL configuration
*/
private TSLConfiguration tslconfiguration_;
@@ -351,6 +359,8 @@ public class ConfigurationProvider
keyGroups = builder.buildKeyGroups(allKeyModules);
keyGroupMappings =
builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL);
+
+ xadesVersion = builder.getXAdESVersion();
defaultChainingMode = builder.getDefaultChainingMode();
chainingModes = builder.buildChainingModes();
useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess();
@@ -382,11 +392,14 @@ public class ConfigurationProvider
allowExternalUris_= builder.allowExternalUris();
- if (allowExternalUris_)
+ if (allowExternalUris_) {
blackListedUris_ = builder.buildPermitExternalUris();
+ whiteListedUris_ = null;
+ }
else {
info("config.35", null);
blackListedUris_ = null;
+ whiteListedUris_ = builder.buildForbidExternalUris();
}
@@ -457,6 +470,16 @@ public class ConfigurationProvider
return digestMethodAlgorithmName;
}
+ /**
+ * Return the XAdES version used for signature creation.
+ *
+ * @return The XAdES version used for signature creation, or an empty <code>String</code>,
+ * if none has been configured.
+ */
+ public String getXAdESVersion() {
+ return xadesVersion;
+ }
+
public boolean getAllowExternalUris() {
return this.allowExternalUris_;
}
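Review bot: The @return text on getXAdESVersion promises an empty String when nothing is configured, but the field is filled from builder.getXAdESVersion(), which passes a null default to getElementValue, so callers will most likely see null — and XMLSignatureCreationProfileFactory already guards with `xadesVersion != null`. Align the Javadoc with the actual value: `@return The XAdES version used for signature creation, or null if none has been configured.`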
@@ -464,6 +487,9 @@ public class ConfigurationProvider
public List getBlackListedUris() {
return this.blackListedUris_;
}
+ public List getWhiteListedUris() {
+ return this.whiteListedUris_;
+ }
/**
* Return the name of the canonicalization algorithm used during signature
@@ -515,6 +541,11 @@ public class ConfigurationProvider
public Map getKeyGroups() {
return keyGroups;
}
+
+ public KeyGroup getKeyGroup(String keyGroupId) {
+ KeyGroup keyGroup = (KeyGroup) keyGroups.get(keyGroupId);
+ return keyGroup;
+ }
/**
* Return the set of <code>KeyGroupEntry</code>s of a given key group, which a
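Review bot: getKeyGroup returns null for an id that is not in keyGroups, and the id it is called with in XMLSignatureCreationProfileFactory comes straight from the request, so that contract should be explicit on the method. Add `/** Returns the KeyGroup configured under the given id, or null if no key group with that id exists. */` above it; the temporary is unnecessary, `return (KeyGroup) keyGroups.get(keyGroupId);`.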
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
index 22ed8ae83..c2490f9a3 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
@@ -40,16 +40,20 @@ public class KeyGroup {
private Set keyGroupEntries;
/** The key group ID. */
private String id;
+ /** The digest method algorithm for the key group */
+ private String digestMethodAlgorithm;
/**
* Create a <code>KeyGroup</code>.
*
* @param id The ID of this <code>KeyGroup</code>.
* @param keyGroupEntries The keys belonging to this <code>KeyGroup</code>.
+ * @param digestMethodAlgorithm The signature algorithm used for this key group
*/
- public KeyGroup(String id, Set keyGroupEntries) {
+ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) {
this.id = id;
this.keyGroupEntries = keyGroupEntries;
+ this.digestMethodAlgorithm = digestMethodAlgorithm;
}
/**
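Review bot: The new @param on the constructor calls digestMethodAlgorithm "The signature algorithm used for this key group", but what is stored and returned by getDigestMethodAlgorithm is the digest method read from the key group's DigestMethodAlgorithm element, which the factory then looks up in HASH_ALGORITHM_MAPPING keyed by the *_URI constants. Change it to `@param digestMethodAlgorithm The digest method algorithm URI configured for this key group, or null if none is configured`; the getter's Javadoc in the next hunk ("Returnd", "digest method signature algorithm") should use the same wording, and toString should put a separator before "DigestMethodAlgorithm:".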
@@ -60,6 +64,14 @@ public class KeyGroup {
public Set getKeyGroupEntries() {
return keyGroupEntries;
}
+
+ /**
+ * Returnd the digest method algorithm used for this key group
+ * @return The digest method signature algorithm used for this key group
+ */
+ public String getDigestMethodAlgorithm() {
+ return digestMethodAlgorithm;
+ }
/**
* Return the ID of this <code>KeyGroup</code>.
@@ -87,7 +99,7 @@ public class KeyGroup {
sb.append(" " + i.next());
}
}
- return "(KeyGroup - ID:" + id + " " + sb.toString() + ")";
+ return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " + digestMethodAlgorithm;
}
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
index 9b5dce883..479f0aac9 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
@@ -24,9 +24,6 @@
package at.gv.egovernment.moa.spss.server.iaik.xmlsign;
-import java.util.List;
-import java.util.Set;
-
import iaik.server.modules.algorithms.SignatureAlgorithms;
import iaik.server.modules.keys.AlgorithmUnavailableException;
import iaik.server.modules.keys.KeyEntryID;
@@ -37,6 +34,10 @@ import iaik.server.modules.xml.Canonicalization;
import iaik.server.modules.xmlsign.XMLSignatureCreationProfile;
import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation;
+import java.util.List;
+import java.util.Set;
+
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -75,7 +76,10 @@ public class XMLSignatureCreationProfileImpl
private IdGenerator dsigManifestIDGenerator;
/** The ID generator for signed property IDs. */
private IdGenerator propertyIDGenerator;
-
+ /** The selected digest method algorithm if XAdES 1.4.2 is used */
+ private String digestMethodXAdES142;
+
+
/**
* Create a new <code>XMLSignatureCreationProfileImpl</code>.
*
@@ -86,7 +90,8 @@ public class XMLSignatureCreationProfileImpl
*/
public XMLSignatureCreationProfileImpl(
int createProfileCount,
- Set reservedIDs) {
+ Set reservedIDs,
+ String digestMethodXAdES142) {
signatureIDGenerator =
new IdGenerator("signature-" + createProfileCount, reservedIDs);
manifestIDGenerator =
@@ -95,6 +100,7 @@ public class XMLSignatureCreationProfileImpl
new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs);
propertyIDGenerator =
new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs);
+ this.digestMethodXAdES142 = digestMethodXAdES142;
}
/**
@@ -168,27 +174,127 @@ public class XMLSignatureCreationProfileImpl
e,
null);
}
-
- if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) // TODO retournierten Algorithmus abhängig von der Schlüssellänge machen (bei längeren Schlüsseln SHA256 statt SHA1)
- || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
-
- return SignatureAlgorithms.SHA1_WITH_RSA;
- } else if (
- algorithms.contains(SignatureAlgorithms.ECDSA)) {
- return SignatureAlgorithms.ECDSA;
- } else if (
- algorithms.contains(SignatureAlgorithms.DSA)) {
- return SignatureAlgorithms.DSA;
- } else {
- throw new AlgorithmUnavailableException(
- "No algorithm for key entry: " + selectedKeyID,
- null,
- null);
+
+ if (digestMethodXAdES142 == null) {
+ // XAdES 1.4.2 not enabled - legacy MOA
+ if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+
+ return SignatureAlgorithms.SHA1_WITH_RSA;
+ } else if (
+ algorithms.contains(SignatureAlgorithms.ECDSA)) {
+ return SignatureAlgorithms.ECDSA;
+ } else if (
+ algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ }
+ else {
+ // XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method
+ if (digestMethodXAdES142.compareTo("SHA-1") == 0) {
+ Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)");
+ if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) //?
+ || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) //?
+ || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA_OLD) //?
+ || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.WHIRLPOOL_WITH_RSA)) { //?
+
+ return SignatureAlgorithms.SHA1_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.ECDSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_ECDSA)
+ || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_ECDSA_PLAIN)
+ || algorithms.contains(SignatureAlgorithms.WHIRLPOOL_WITH_ECDSA)
+ || algorithms.contains(SignatureAlgorithms.SHA1_WITH_ECDSA_PLAIN)) {
+ return SignatureAlgorithms.ECDSA;
+ } else if (
+ algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA224_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+
+ return SignatureAlgorithms.SHA256_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA224_WITH_ECDSA)
+ || algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)
+ || algorithms.contains(SignatureAlgorithms.SHA224_WITH_ECDSA_PLAIN)
+ || algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA_PLAIN)) {
+ return SignatureAlgorithms.SHA256_WITH_ECDSA;
+
+ } else if (
+ algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+
+ return SignatureAlgorithms.SHA384_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)
+ || algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA_PLAIN)) {
+ return SignatureAlgorithms.SHA384_WITH_ECDSA;
+
+ } else if (
+ algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) {
+ if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+
+ return SignatureAlgorithms.SHA512_WITH_RSA;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)
+ || algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA_PLAIN)) {
+ return SignatureAlgorithms.SHA512_WITH_ECDSA;
+
+ } else if (
+ algorithms.contains(SignatureAlgorithms.DSA)) {
+ return SignatureAlgorithms.DSA;
+ } else {
+ throw new AlgorithmUnavailableException(
+ "No algorithm for key entry: " + selectedKeyID,
+ null,
+ null);
+ }
+ }
+ else {
+ throw new AlgorithmUnavailableException(
+ "No signature algorithm found for digest algorithm '" + digestMethodXAdES142,
+ null,
+ null);
+ }
+
}
+
+
}
/**
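Review bot: The SHA-256 branch returns SignatureAlgorithms.SHA256_WITH_RSA when the key only reported SHA224_WITH_RSA (and SHA256_WITH_ECDSA when only a SHA224 variant is present), and the SHA-1 branch maps RIPEMD/WHIRLPOOL-only keys to SHA1_WITH_RSA — the "//?" markers show this is unsettled, and the returned algorithm should be one the key actually listed, e.g. `if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) return SignatureAlgorithms.SHA256_WITH_RSA;`. The plain `SignatureAlgorithms.DSA` fallback is shared by all four digest branches, so a SHA-384/SHA-512 key group with a DSA key silently gets whatever digest that constant implies, which undercuts the configured strength; at minimum log it the way the SHA-1 case does. The `compareTo(...) == 0` comparisons should be `equals`, and the literals assume the HashAlgorithms constants are exactly "SHA-1"/"SHA-256"/"SHA-384"/"SHA-512" — confirm against iaik.server.modules.algorithms.HashAlgorithms. The warning text reads "Please revise a use a more secure digest algorithm"; "Please revise and use" is meant. The enclosing method begins before this hunk.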
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
index 5c4a2c76a..d1281c1f1 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;
import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo;
import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.server.config.KeyGroup;
import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry;
import at.gv.egovernment.moa.spss.server.iaik.xml.CanonicalizationImpl;
import at.gv.egovernment.moa.spss.server.iaik.xmlsign.DataObjectTreatmentImpl;
@@ -83,6 +84,9 @@ public class XMLSignatureCreationProfileFactory {
static {
HASH_ALGORITHM_MAPPING = new HashMap();
HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384);
+ HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512);
}
/** The <code>CreateXMLSignatureRequest</code> for which to create the
@@ -129,18 +133,62 @@ public class XMLSignatureCreationProfileFactory {
HashSet allReservedIDs = new HashSet(reserved);
allReservedIDs.addAll(sigInfoReservedIDs);
- XMLSignatureCreationProfileImpl profile =
- new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs);
TransactionContext context =
TransactionContextManager.getInstance().getTransactionContext();
ConfigurationProvider config = context.getConfiguration();
CanonicalizationImpl canonicalization;
List dataObjectTreatmentList;
- String keyGroupID;
Set keySet;
List transformationSupplements;
List createTransformsProfiles;
+ // get the key group id
+ String keyGroupID = request.getKeyIdentifier();
+ // get digest method on key group level (if configured)
+ String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm();
+ // get default digest method (if configured)
+ String configDigestMethod = config.getDigestMethodAlgorithmName();
+
+ String xadesVersion = config.getXAdESVersion();
+
+ String digestMethodXAdES142 = null;
+ boolean isXAdES142 = false;
+ // if XAdES Version 1.4.2 is configured
+ if (xadesVersion != null && xadesVersion.compareTo("1.4.2") == 0) {
+ isXAdES142 = true;
+ Logger.debug("XAdES version '" + xadesVersion + "' used");
+ }
+
+ if (isXAdES142) {
+ if (configDigestMethodKG != null) {
+ // if KG specific digest method is configured
+ digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG);
+ if (digestMethodXAdES142 == null) {
+ error(
+ "config.17",
+ new Object[] { configDigestMethodKG});
+ throw new MOASystemException("2900", null);
+ }
+ Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(configured in KeyGroup)");
+ }
+ else {
+ // else get default configured digest method
+ digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod);
+ if (digestMethodXAdES142 == null) {
+ error(
+ "config.17",
+ new Object[] { configDigestMethod});
+ throw new MOASystemException("2900", null);
+ }
+ Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(default)");
+
+ }
+ }
+
+ XMLSignatureCreationProfileImpl profile =
+ new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142);
+
+
// build the transformation supplements
createTransformsProfiles =
getCreateTransformsInfoProfiles(singleSignatureInfo);
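Review bot: `config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm()` dereferences the lookup result without a null check, and keyGroupID is taken from request.getKeyIdentifier(), so a request naming an unknown key group now dies with a NullPointerException before the existing `keySet == null` check can report MOAApplicationException 2231. Guard it where the key group is fetched: `KeyGroup keyGroup = config.getKeyGroup(keyGroupID);` / `if (keyGroup == null) throw new MOAApplicationException("2231", null);` / `String configDigestMethodKG = keyGroup.getDigestMethodAlgorithm();`. The version test `xadesVersion.compareTo("1.4.2") == 0` is better written `"1.4.2".equals(xadesVersion)`, which also makes the preceding null check unnecessary. The enclosing method starts before this hunk.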
@@ -153,11 +201,11 @@ public class XMLSignatureCreationProfileFactory {
singleSignatureInfo,
createTransformsProfiles,
transformationSupplements,
- allReservedIDs);
+ allReservedIDs,
+ digestMethodXAdES142);
profile.setDataObjectTreatmentList(dataObjectTreatmentList);
// set the key set
- keyGroupID = request.getKeyIdentifier();
keySet = buildKeySet(keyGroupID);
if (keySet == null) {
throw new MOAApplicationException("2231", null);
@@ -184,7 +232,7 @@ public class XMLSignatureCreationProfileFactory {
canonicalization =
new CanonicalizationImpl(config.getCanonicalizationAlgorithmName());
profile.setSignedInfoCanonicalization(canonicalization);
-
+
// set the signed properties
profile.setSignedProperties(Collections.EMPTY_LIST);
@@ -299,7 +347,8 @@ public class XMLSignatureCreationProfileFactory {
SingleSignatureInfo singleSignatureInfo,
List createTransformsInfoProfiles,
List transformationSupplements,
- Set reservedIDs)
+ Set reservedIDs,
+ String digestMethodXAdES142)
throws MOASystemException, MOAApplicationException {
TransactionContext context =
@@ -329,15 +378,25 @@ public class XMLSignatureCreationProfileFactory {
treatment.setTransformationList(buildTransformationList(profile));
treatment.setReferenceInManifest(dataObjInfo.isChildOfManifest());
- hashAlgorithmName =
- (String) HASH_ALGORITHM_MAPPING.get(
- config.getDigestMethodAlgorithmName());
- if (hashAlgorithmName == null) {
- error(
- "config.17",
- new Object[] { config.getDigestMethodAlgorithmName()});
- throw new MOASystemException("2900", null);
+ // if XAdES version is 1.4.2
+ if (digestMethodXAdES142 != null) {
+ // use configured digest algorithm
+ hashAlgorithmName = digestMethodXAdES142;
+ }
+ else {
+ // stay as it is
+ hashAlgorithmName = (String) HASH_ALGORITHM_MAPPING.get(
+ config.getDigestMethodAlgorithmName());
+ if (hashAlgorithmName == null) {
+ error(
+ "config.17",
+ new Object[] { config.getDigestMethodAlgorithmName()});
+ throw new MOASystemException("2900", null);
+ }
}
+
+
+
treatment.setHashAlgorithmName(hashAlgorithmName);
treatment.setIncludedInSignature(
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
index dafb89f16..219bb7cdf 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -26,12 +26,14 @@ public class ExternalURIVerifier {
boolean allowExternalUris = config.getAllowExternalUris();
List blacklist = config.getBlackListedUris();
+ List whitelist = config.getWhiteListedUris();
InetAddress hostInetAddress = InetAddress.getByName(host);
String ip = hostInetAddress.getHostAddress();
if (allowExternalUris) {
+ // external URIs are allowed - check blacklist
Iterator it = blacklist.iterator();
while (it.hasNext()) {
String[] array = (String[])it.next();
@@ -55,9 +57,46 @@ public class ExternalURIVerifier {
}
}
}
- else {
- Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
- throw new MOAApplicationException("4001", new Object[]{host});
+ else {
+ // external uris are forbidden - check whitelist
+ Iterator it = whitelist.iterator();
+ boolean allowed = false;
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null || port == -1) {
+ // check only host
+ if (ip.startsWith(bhost)) {
+ Logger.debug(new LogMsg("Whitelist check: " + host + " (" + ip + ") whitelisted"));
+ allowed = true;
+ //throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (ip.startsWith(bhost) && (iport == port)) {
+ Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port + " whitelisted"));
+ //throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
+ allowed = true;
+ }
+
+ }
+ }
+
+ if (!allowed) {
+ if (port != -1) {
+ Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
+ throw new MOAApplicationException("4001", new Object[]{host + "(" + ip + ")"});
+ }
+ else {
+ Logger.debug(new LogMsg("No external URIs allowed (" + host + ":" + port + ")"));
+ throw new MOAApplicationException("4001", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
+ }
+
+ }
+
}
Logger.debug(new LogMsg("URI allowed: " + ip + ":" + port));
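Review bot: The whitelist match `ip.startsWith(bhost)` is a string-prefix test on the resolved address, so an entry of 10.0.0.1 also admits 10.0.0.10 through 10.0.0.19 and 10.0.0.100 onwards, and an entry of 10 admits every address beginning with that digit; for a blacklist such over-matching is fail-closed, for a whitelist it is fail-open. Match exactly unless the entry is explicitly a prefix ending in a dot: `boolean hostMatch = bhost.endsWith(".") ? ip.startsWith(bhost) : ip.equals(bhost);` and use hostMatch in both branches (the blacklist loop deserves the same treatment if it uses the same test). A whitelist entry that carries a port also admits a request without an explicit port, because `bport == null || port == -1` takes the host-only path; if that is intended, say so in the comment, otherwise compare against the port the request will actually use. `new Integer(bport).intValue()` throws NumberFormatException for a malformed configured port, escaping as an unchecked exception rather than a MOAApplicationException; parse it when the whitelist is built or catch it here. The two `if (!allowed)` branches are swapped — `port != -1` reports without the port while the `-1` branch prints host:-1 — so invert the condition.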
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index 645ff9f6d..5919cebbc 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -89,7 +89,7 @@
3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
-4001=Externe URI {0} darf nicht geladen werden (externe URIs generell verboten)
+4001=Externe URI {0} darf nicht geladen werden (externe sind URIs verboten und URI befindet sich nicht auf der Whitelist)
4002=Externe URI {0} befindet sich auf der Blacklist und darf nicht geladen werden
4003=IP-Adresse für {0} konnte nicht ermitteln werden
@@ -142,7 +142,7 @@ config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im
config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}).
config.33=External URIs are allowed. Maybe a URI blacklist exists.
config.34=Blacklisted URI: {0}.
-config.35=External URIs not allowed.
+config.35=External URIs not allowed. Maybe a URI whitelist exists.
config.36=No blacklisted URIs given.
config.37=Fehler beim Erstellen der TSL Konfiguration: Name des TSL Arbeits-Verzeichnisses konnte nicht in eine URL umgewandet werden (Wert="{0}")
config.38=Fehler beim Erstellen der TSL Konfiguration: Das TSL Arbeits-Verzeichnis ist kein Verzeichnis (Wert="{0}")
@@ -154,6 +154,8 @@ config.43=Update truststore with id "{0}"
config.44=Retrieve certificates from TSL
config.45=Create store updater
config.46=Start periodical TSL update task at {0} and then every {1} milliseconds
+config.48=No whitelisted URIs given.
+config.49=Whitelisted URI: {0}.
handler.00=Starte neue Transaktion: TID={0}, Service={1}
handler.01=Aufruf von Adresse={0}