| author | Klaus Stranacher <kstranacher@iaik.tugraz.at> | 2014-03-10 15:48:06 +0100 | 
|---|---|---|
| committer | Klaus Stranacher <kstranacher@iaik.tugraz.at> | 2014-03-10 15:48:06 +0100 | 
| commit | 403896aef0f9d3c76bbfcf3e970ae7dbc983ffd4 (patch) | |
| tree | 39dafb34dcd6537069ed96f249410f592e4a461e /spss/server | |
| parent | 6cc5cd2311c9e6cde062fa4034444969f9c293e0 (diff) | |
| download | moa-id-spss-403896aef0f9d3c76bbfcf3e970ae7dbc983ffd4.tar.gz moa-id-spss-403896aef0f9d3c76bbfcf3e970ae7dbc983ffd4.tar.bz2 moa-id-spss-403896aef0f9d3c76bbfcf3e970ae7dbc983ffd4.zip | |
Update trustprofiles and certstore
Update TSL processing (working directory handling)
Update groupId of IAIK dependencies
Diffstat (limited to 'spss/server')
8 files changed, 206 insertions, 38 deletions
| diff --git a/spss/server/history.txt b/spss/server/history.txt index 02419a3fa..d2ea71698 100644 --- a/spss/server/history.txt +++ b/spss/server/history.txt @@ -5,7 +5,9 @@  - Signaturerstellung:    - Unterstuetzung von XAdES Version 1.4.2    - Unterstuetzung von CMS/CAdES Signaturen Version 2.2.1 -- TSL Unterstuetzung                                                   +- Signaturpruefung: +  - Trust-service Status List (TSL) Unterstuetzung                +- Update der Standard Trustprofile und Standard Konfigurationen                                     - Sicherheitsupdates    - Angabe einer Whitelist um das Aufloesen externer Referenzen von den angegebenen Quellen zu aktivieren.  - Libraries aktualisiert bzw. hinzugefuegt: diff --git a/spss/server/readme.update.txt b/spss/server/readme.update.txt index 28796ddcb..4f40604bb 100644 --- a/spss/server/readme.update.txt +++ b/spss/server/readme.update.txt @@ -26,9 +26,9 @@ Update Variante A  	Ihrer MOA-SPSS-Installation.  2.)	Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis -	JAVA_HOME\jre\lib\ext, und l�schen Sie diese Dateien danach. +	JAVA_HOME\jre\lib\ext, und loeschen Sie diese Dateien danach. -3.)	F�hren Sie eine Neuinstallation gemaess Handbuch durch. +3.)	Fuehren Sie eine Neuinstallation gemaess Handbuch durch.  4.)	Kopieren Sie etwaige Konfigurationsdateien, Trust-Profile und Key-Stores,   	die Sie aus Ihrer alten Installation beibehalten moechten, aus Ihrer 
@@ -110,7 +110,7 @@ Update Variante B  10.)	Update des Cert-Stores.  		a)	Kopieren Sie den Inhalt des Verzeichnisses MOA_SPSS_INST\conf\moa-spss\certstore   			in das Verzeichnis CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie  -			vorhandene Dateien oder Unterverzeichnisse �berschreiben sollen, dann bejahen Sie das. +			vorhandene Dateien oder Unterverzeichnisse ueberschreiben sollen, dann bejahen Sie das.  		b) 	Falls vorhanden, loeschen Sie die Datei "890A4C8282E95EBB398685D9501486EF213941B5" aus dem    			Verzeichnis CATALINA_HOME\conf\moa-spss\certstore\10F17BDACD8DEAA1E8F23FBEAE7B3EC3D9773D1D. @@ -123,7 +123,7 @@ Update Variante B  			CATALINA_HOME\conf\moa-spss\certstore\10F17BDACD8DEAA1E8F23FBEAE7B3EC3D9773D1D.  11.)	Nur wenn alte Installation aelter als Version 1.3.0:  -	Mit dem Wechsel auf Version 1.3.0 verwendet MOA SP ein neues Format f�r die  +	Mit dem Wechsel auf Version 1.3.0 verwendet MOA SP ein neues Format fuer die   	XML-Konfigurationsdatei. Sie muessen die Konfigurationsdatei fuer MOA-SP aus   	Ihrer alten Installation auf das neue Format konvertieren. Details dazu   	finden Sie im MOA-SPSS-Installationshandbuch.
\ No newline at end of file diff --git a/spss/server/serverlib/pom.xml b/spss/server/serverlib/pom.xml index 2a6fd382f..5a2f001d4 100644 --- a/spss/server/serverlib/pom.xml +++ b/spss/server/serverlib/pom.xml @@ -143,16 +143,16 @@  		</dependency>
  		<dependency>
 -			<groupId>iaik.prod</groupId>
 +			<groupId>iaik</groupId>
  			<artifactId>iaik_tsl</artifactId>
  		</dependency>
  		<dependency>
 -			<groupId>iaik.prod</groupId>
 +			<groupId>iaik</groupId>
  			<artifactId>iaik_util</artifactId>
  		</dependency>
  		<dependency>
 -			<groupId>iaik.prod</groupId>
 -			<artifactId>iaik_xsect</artifactId>
 +			<groupId>iaik</groupId>
 +			<artifactId>iaik_xsect_eval</artifactId>
  		</dependency>
  		<dependency>
  			<groupId>javax.xml.bind</groupId>
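Review bot: The artifact for the XML-signature library is switched from `iaik_xsect` to `iaik_xsect_eval`, and the `_eval` suffix suggests an evaluation build rather than the production artifact; confirm this is the coordinate intended for a released server library, since no version appears in this hunk and the versions for the new `iaik` groupId presumably come from a parent dependencyManagement that is not part of this diff. Because every IAIK dependency moves from `iaik.prod` to `iaik`, it is also worth checking that the new coordinates resolve from the same trusted repository as before, so the groupId change does not silently pull the jars from a different source. The same two coordinate changes are repeated in spss/server/serverws/pom.xml.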
 @@ -167,7 +167,7 @@  		  	<artifactId>sqlite-jdbc</artifactId>
    		</dependency>
  		<dependency>
 -			<groupId>iaik.prod</groupId>
 +			<groupId>iaik</groupId>
  		  	<artifactId>iaik_jsse</artifactId>
    		</dependency>
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 287d8225b..3d2da8384 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java 
@@ -1268,6 +1268,111 @@ public class ConfigurationPartsBuilder {    }    /** +   * Build the trust profile mapping. +   *  +   * @return The profile ID to profile mapping. +   */ +  public Map buildTrustProfiles()  +  { +    Map trustProfiles = new HashMap(); +    NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); +    Element profileElem; + +    while ((profileElem = (Element) profileIter.nextNode()) != null) +    { +      String id = getElementValue(profileElem, CONF + "Id", null); +      String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); +      String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null);       +      +      URI trustAnchorsLocURI = null; +      try +      { +        trustAnchorsLocURI = new URI(trustAnchorsLocStr); +        if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file +          trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); +        } +      } +      catch (URIException e) { +        warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); +        continue; +      } +      catch (MalformedURLException e) +      { +        warn("config.15", new Object[] {id}, e); +        continue; +      } + +      File profileDir = new File(trustAnchorsLocURI.getPath()); +      if (!profileDir.exists() || !profileDir.isDirectory()) { +        warn("config.27", new Object[] { "uri", id }); +        continue; +      } +       +       +       +      if (trustProfiles.containsKey(id)) { +        warn("config.04", new Object[] { "TrustProfile", id }); +        continue; +      }  +       +      URI signerCertsLocURI = null; +      if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) +      { +        try +        { +          signerCertsLocURI = new URI(signerCertsLocStr); +          if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new 
URI(configRoot_.toURL() + signerCertsLocStr); +           +          File signerCertsDir = new File(signerCertsLocURI.getPath()); +          if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { +            warn("config.27", new Object[] { "signerCertsUri", id }); +            continue; +          } +        } +        catch (URIException e) { +          warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); +          continue; +        } +        catch (MalformedURLException e) { +          warn("config.15", new Object[] {id}, e); +          continue; +        } +      } +       +      signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; +       +      TrustProfile profile = null; +       +      profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, false, null); +       +      trustProfiles.put(id, profile); +       +    } + +    return trustProfiles; +  } +   +  /** +   * checks if a trustprofile with TSL support is enabled +   *  +   * @return true if TSL support is enabled in at least one trustprofile, else false +   */ +  public boolean checkTrustProfilesTSLenabled()  +  { +    NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); +    Element profileElem; + +    boolean tslSupportEnabled = false; +    while ((profileElem = (Element) profileIter.nextNode()) != null)    { +      Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); +      if (eutslElem != null) //EUTSL element found --> TSL enabled +    	  tslSupportEnabled = true; +    } + +    return tslSupportEnabled; +  } +   +  /**     * Returns the location of the certificate store.     *      * @return the location of the certificate store. 
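Review bot: In the signer-certificates catch block of buildTrustProfiles the warning reports the wrong value: `warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e);` passes the trust-anchors location although the URI that failed to parse is the signer-certificates one, so it should read `warn("config.14", new Object[] { "signerCertsUri", id, signerCertsLocStr }, e);`. Earlier in the same loop `trustAnchorsLocStr` is obtained with a null default and handed straight to `new URI(trustAnchorsLocStr)`; a profile that omits TrustAnchorsLocation presumably fails outside the two caught exception types instead of producing the config.14 warning, so an explicit null/empty check before the try block would keep the error reporting uniform. The method also drops a profile with only a warning when its directory is missing, which means a mistyped location silently removes that trust profile from the mapping; the Javadoc should say so, e.g. `Profiles whose locations cannot be resolved or do not point to an existing directory are logged and omitted.` The `TrustProfile profile = null;` line followed by an immediate reassignment can be collapsed into one declaration. The enclosing class continues outside the hunk.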
@@ -1593,7 +1698,7 @@ public class ConfigurationPartsBuilder {    public TSLConfiguration getTSLConfiguration() {  	  TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl(); -	   +	  	    	  String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null);  	  if (StringUtils.isEmpty(euTSLUrl)) {  		  euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; @@ -1654,24 +1759,12 @@ public class ConfigurationPartsBuilder {            return null;          } -      File hashcache = new File(tslWorkingDir, "hashcache"); -      if (!hashcache.exists()) { -    	  hashcache.mkdir(); -      } -      if (!hashcache.isDirectory()) { -    	  error("config.38", new Object[] { hashcache.getAbsolutePath() }); -          return null;   -      } - -      System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); -//    String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); -//    System.out.println("Hashcache: " + hashcachedir); - +              debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl);        debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod);        debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime);        debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath()); -      debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); +        	  // set TSL configuration  	  tslconfiguration.setEuTSLUrl(euTSLUrl); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 87a4b50f4..d67cbf1b4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java 
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -347,7 +347,15 @@ public class ConfigurationProvider      try {        builder = new ConfigurationPartsBuilder(configElem, configRoot); -      tslconfiguration_ = builder.getTSLConfiguration(); +      if (builder.checkTrustProfilesTSLenabled()) { +    	  debug("TSL support enabled for at least one trustprofile."); +    	  tslconfiguration_ = builder.getTSLConfiguration(); +    	  trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); +      } +      else { +    	  tslconfiguration_ = null; +    	  trustProfiles = builder.buildTrustProfiles(); +      }        digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName();        canonicalizationAlgorithmName = @@ -368,7 +376,9 @@ public class ConfigurationProvider        chainingModes = builder.buildChainingModes();        useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess();        autoAddCertificates_ = builder.getAutoAddCertificates(); -      trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); +      //trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); +       +              distributionPoints = builder.buildDistributionPoints();        enableRevocationChecking_ = builder.getEnableRevocationChecking();        maxRevocationAge_ = builder.getMaxRevocationAge(); 
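Review bot: `trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());` in the TSL-enabled branch dereferences the result of getTSLConfiguration() without a null check, and the ConfigurationPartsBuilder hunk at -1654 shows that method returning null after logging an error, so a broken TSL configuration would surface here as a NullPointerException instead of the logged error. Guard the value before use, e.g. `if (tslconfiguration_ == null) { throw new ConfigurationException(/* message id of the logged error, placeholder */, null); }`, so checkTSLConfiguration() and the caller get a ConfigurationException as elsewhere in this class. The enclosing method begins before and ends after the hunk.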
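Review bot: The replacement for the removed `trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());` is a commented-out copy of the same line plus two whitespace-only lines; since the call now happens in the branch added earlier in this method, the comment and the blank lines should be deleted rather than left as dead code. The enclosing method continues beyond the hunk.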
@@ -429,7 +439,21 @@ public class ConfigurationProvider      }    } -  private void checkTSLConfiguration() throws ConfigurationException { +  private boolean checkTSLenableTrustprofilesExist()throws ConfigurationException { +	  boolean bTSLEnabledTPExist = false; +	  Iterator it = trustProfiles.entrySet().iterator(); +	  while (it.hasNext()) { +	      Map.Entry pairs = (Map.Entry)it.next(); +	      TrustProfile tp = (TrustProfile) pairs.getValue(); +	      if (tp.isTSLEnabled()) +	    	  bTSLEnabledTPExist = bTSLEnabledTPExist || true; +	  } +	   +	  return bTSLEnabledTPExist; +	   +  } +   +  private void  checkTSLConfiguration() throws ConfigurationException {  	  boolean bTSLEnabledTPExist = false;  	  Iterator it = trustProfiles.entrySet().iterator();  	  while (it.hasNext()) { 
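Review bot: In checkTSLenableTrustprofilesExist, `bTSLEnabledTPExist = bTSLEnabledTPExist || true;` is simply an assignment of true, and the loop keeps iterating after the first hit; `if (tp.isTSLEnabled()) { return true; }` inside the loop with `return false;` after it expresses the same result directly. The method declares `throws ConfigurationException` although nothing in it throws, and nothing else in this commit calls it, while the context lines right after it show checkTSLConfiguration() starting with an identical iterator loop over trustProfiles that could call this helper instead of duplicating it. The new signature line `private void  checkTSLConfiguration()` also carries a double space. Both methods extend past the end of the hunk.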
@@ -450,6 +474,43 @@ public class ConfigurationProvider  		  throw new ConfigurationException("config.40", null);  	  } +	  File workingDir = new File(tslconfiguration_.getWorkingDirectory()); +	  File eu_trust = new File(workingDir.getAbsolutePath() + "/trust/eu"); +	  if (!eu_trust.exists()) { +		  error("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"}); +		  throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"}); +	  } +	  else { +		  File[] eutrustFiles = eu_trust.listFiles(); +		  if (eutrustFiles == null) { +			  error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +			  throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +		  } +		  else { +			  if (eutrustFiles.length == 0) { +				  error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +				  throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +			  } +		  } +			   +	  } +	   +	  File hashcache = new File(tslconfiguration_.getWorkingDirectory(), "hashcache"); +      if (!hashcache.exists()) { +    	  hashcache.mkdir(); +      } +      if (!hashcache.isDirectory()) { +    	  error("config.38", new Object[] { hashcache.getAbsolutePath() }); +          return;   +      } + +      System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +//    String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +//    System.out.println("Hashcache: " + hashcachedir); + + +      Logger.debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); +	      } 
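Review bot: The hashcache check at the end of the hunk handles failure inconsistently with the trust/eu checks above it: when `hashcache.isDirectory()` is false it logs config.38 and then `return;`, so configuration loading continues with the `iaik.xml.crypto.tsl.BinaryHashCache.DIR` property unset, whereas the trust/eu problems throw `ConfigurationException("config.51", ...)`. Replacing the `return;` with `throw new ConfigurationException("config.38", new Object[] { hashcache.getAbsolutePath() });` makes an unusable working directory fail startup the same way. Smaller points in the same hunk: `new File(workingDir.getAbsolutePath() + "/trust/eu")` can be `new File(workingDir, "trust/eu")`, the null and zero-length branches for `listFiles()` raise the identical error and collapse to `if (eutrustFiles == null || eutrustFiles.length == 0)`, and `eu_trust.exists()` accepts a plain file, in which case `listFiles()` returns null and the misleading "ist leer" message is reported, so `isDirectory()` is the better test. The two commented-out hashcachedir lines carried over from ConfigurationPartsBuilder should be dropped, and the block mixes tab and space indentation. checkTSLConfiguration begins before the hunk.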
@@ -760,6 +821,17 @@ public class ConfigurationProvider      Logger.info(new LogMsg(msg.getMessage(messageId, parameters)));    } +  /** +   * Log a debug message. +   *  +   * @param messageId The message ID. +   * @param parameters Additional parameters for the message. +   * @see at.gv.egovernment.moa.spss.server.util.MessageProvider +   */ +  private static void debug(String message) { +    Logger.debug(message); +  } +         /**     * Log a warning.     *  diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index e4ee607c0..9e2e0e490 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -159,6 +159,7 @@ config.46=Start periodical TSL update task at {0} and then every {1} millisecond  config.48=No whitelisted URIs given.
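Review bot: The Javadoc on the new `debug(String message)` documents `@param messageId` and `@param parameters` and links MessageProvider, but the method takes one raw string and logs it as-is, unlike the neighbouring `info(messageId, parameters)` which resolves the id through the message catalogue. Replace the two tags with `@param message The message text, logged unchanged (not resolved through MessageProvider).` and drop the `@see`. If the intent was catalogue-based debug logging in parallel with info and warn, the signature should take a message id and parameters instead.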
  config.49=Whitelisted URI: {0}.
  config.50=Fehler beim Erstellen des TSL Vertrauensprofils: Das Verzeichnis ({0}) ist kein Verzeichnis.
 +config.51=Fehler beim Erstellen der TSL Konfiguration: TSL-Arbeitsverzeichnis ist fehlerhaft ({0}).
  handler.00=Starte neue Transaktion: TID={0}, Service={1}
  handler.01=Aufruf von Adresse={0}
 diff --git a/spss/server/serverws/.settings/org.eclipse.wst.common.component b/spss/server/serverws/.settings/org.eclipse.wst.common.component index 463d07fe3..5efe131f3 100644 --- a/spss/server/serverws/.settings/org.eclipse.wst.common.component +++ b/spss/server/serverws/.settings/org.eclipse.wst.common.component @@ -2,6 +2,9 @@    <wb-module deploy-name="moa-spss-ws">
          <wb-resource deploy-path="/" source-path="/target/m2e-wtp/web-resources"/>
          <wb-resource deploy-path="/" source-path="/src/main/webapp" tag="defaultRootSource"/>
 +        <dependent-module archiveName="moa-spss-lib-1.5.2.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/moa-spss-lib/moa-spss-lib">
 +            <dependency-type>uses</dependency-type>
 +        </dependent-module>
          <dependent-module archiveName="moa-common-1.5.2.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/moa-common/moa-common">
              <dependency-type>uses</dependency-type>
          </dependent-module>
 diff --git a/spss/server/serverws/pom.xml b/spss/server/serverws/pom.xml index 0314cb454..a99a573c1 100644 --- a/spss/server/serverws/pom.xml +++ b/spss/server/serverws/pom.xml @@ -70,7 +70,7 @@  			<artifactId>iaik_ixsil</artifactId>  		</dependency>          <dependency> -			<groupId>iaik.prod</groupId> +			<groupId>iaik</groupId>  			<artifactId>iaik_tsl</artifactId>  		</dependency>  		<dependency> @@ -78,12 +78,12 @@  			<artifactId>log4j</artifactId>  		</dependency>  		<dependency> -			<groupId>iaik.prod</groupId> +			<groupId>iaik</groupId>  			<artifactId>iaik_util</artifactId>  		</dependency>  		<dependency> -			<groupId>iaik.prod</groupId> -			<artifactId>iaik_xsect</artifactId> +			<groupId>iaik</groupId> +			<artifactId>iaik_xsect_eval</artifactId>  		</dependency>  		<dependency>  			<groupId>javax.xml.bind</groupId> @@ -98,13 +98,10 @@  		  	<artifactId>sqlite-jdbc</artifactId>    		</dependency>  		<dependency> -			<groupId>iaik.prod</groupId> +			<groupId>iaik</groupId>  		  	<artifactId>iaik_jsse</artifactId> -  		</dependency>		 -		<dependency> -			<groupId>iaik.prod</groupId> -			<artifactId>iaik_util</artifactId> -		</dependency> +  		</dependency>	 +		          <!-- transitive dependencies we don't want to include into the war -->          <dependency>              <groupId>iaik.prod</groupId> | 
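Review bot: The context lines closing the last hunk show the block commented as "transitive dependencies we don't want to include into the war" still declaring `<groupId>iaik.prod</groupId>`, while every IAIK dependency above it has just been moved to `iaik`; if that entry refers to an artifact that now arrives under the new groupId, the override (presumably a provided-scope declaration, the rest of the block is outside the hunk) no longer matches and the jar will be packaged into the war. Check whether the groupId there needs the same change, or whether the entry is now obsolete. The same coordinate changes appear in spss/server/serverlib/pom.xml.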
