diff options
20 files changed, 985 insertions, 774 deletions
diff --git a/spss.server/res/resources/properties/spss_messages_de.properties b/spss.server/res/resources/properties/spss_messages_de.properties index a4ae8e563..dfa435df0 100644 --- a/spss.server/res/resources/properties/spss_messages_de.properties +++ b/spss.server/res/resources/properties/spss_messages_de.properties @@ -124,14 +124,13 @@ config.20=Fehler beim Aktualisieren der MOA SP/SS Konfiguration. Die bestehende config.21=Lade Konfiguration von {0} config.22=Lade {0} mit id={1} von Datei {2} config.23=Fehler in der Konfiguration: {0} nicht konfiguriert oder ungültig, verwende den Default-Wert: {1} -config.24=Fehler in der Konfiguration: Die GenericConfiguration mit name={0} ist bereits gesetzt config.25=Fehler in der Konfiguration: Das SoftwareKeyModule mit id={0} konnte nicht geladen werden, da die Datei {1} nicht existiert oder ein Verzeichnis bezeichnet config.26=Fehler beim Erstellen der KeyGroup mit id={0}: KeyModule mit id={1} unbekannt config.27=Fehler in der Konfiguration: Das Attribut {0} des TrustProfiles mit id={1} zeigt nicht auf ein existierendes Verzeichnis config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei. config.29=Es sind folgende leichte Fehler aufgetreten: -config.30=Fehler in der Konfiguration: Die GenericConfiguration {0} zeigt nicht auf ein existierendes Verzeichnis oder das Verzeichnis konnte nicht erstellt werden config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden +config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}). handler.00=Starte neue Transaktion: TID={0}, Service={1} handler.01=Aufruf von Adresse={0} diff --git a/spss.server/res/resources/tools/ConfigurationMapper.xsl b/spss.server/res/resources/tools/ConfigurationMapper.xsl index 62551f0b3..9498dca97 100644 --- a/spss.server/res/resources/tools/ConfigurationMapper.xsl +++ b/spss.server/res/resources/tools/ConfigurationMapper.xsl @@ -163,6 +163,10 @@ <xsl:with-param name="DefaultValue" select="'0'"/> </xsl:call-template> </cfg:MaxRevocationAge> + <cfg:ServiceOrder> + <cfg:Service>OCSP</cfg:Service> + <cfg:Service>CRL</cfg:Service> + </cfg:ServiceOrder> <cfg:Archiving> <cfg:EnableArchiving> <xsl:call-template name="GetGenericValue"> diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java b/spss.server/src/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java new file mode 100644 index 000000000..bd78012ef --- /dev/null +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java @@ -0,0 +1,165 @@ +package at.gv.egovernment.moa.spss.server.config; + +import iaik.pki.revocation.RevocationSourceTypes; + +import java.util.HashMap; +import java.util.Map; +import java.util.StringTokenizer; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; + +import at.gv.egovernment.moa.spss.util.MessageProvider; + +/** + * A class representing a CRL distribution point. + * + * @author Sven Aigner + * @author Patrick Peck + * @version $Id$ + */ +public class CRLDistributionPoint + extends DistributionPoint + implements iaik.pki.revocation.CRLDistributionPoint +{ + + private static Map RC_MAPPING = new HashMap(); + + static { + + // create the mapping between reason code strings and their integer values + RC_MAPPING.put( + "unused", + new Integer(iaik.asn1.structures.DistributionPoint.unused)); + RC_MAPPING.put( + "keyCompromise", + new Integer(iaik.asn1.structures.DistributionPoint.keyCompromise)); + RC_MAPPING.put( + "cACompromise", + new Integer(iaik.asn1.structures.DistributionPoint.cACompromise)); + RC_MAPPING.put( + "affiliationChanged", + new Integer(iaik.asn1.structures.DistributionPoint.affiliationChanged)); + RC_MAPPING.put( + "superseded", + new Integer(iaik.asn1.structures.DistributionPoint.superseded)); + RC_MAPPING.put( + "cessationOfOperation", + new Integer(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); + RC_MAPPING.put( + "certificateHold", + new Integer(iaik.asn1.structures.DistributionPoint.certificateHold)); + RC_MAPPING.put( + "privilegeWithdrawn", + new Integer(iaik.asn1.structures.DistributionPoint.privilegeWithdrawn)); + RC_MAPPING.put( + "aACompromise", + new Integer(iaik.asn1.structures.DistributionPoint.aACompromise)); + } + + /** + * The name of the CA issuing the CRL referred to by this DP. + */ + private String issuerName_; + + /** + * The reason codes applicable for the distribution point. + */ + private int reasonCodes; + + /** + * Create a <code>CRLDistributionPoint</code>. + * + * @param issuerName The name of the CA issuing the CRL referred to by this DP. + * + * @param uri The URI of the distribution point. + * + * @param reasonCodeStr A list of reason codes (a space-separated enumeration). + */ + public CRLDistributionPoint(String issuerName, String uri, String reasonCodeStr) + { + super(uri); + issuerName_ = issuerName; + this.reasonCodes = extractReasonCodes(reasonCodeStr); + } + + /** + * @see DistributionPoint#getType() + */ + public String getType() + { + return RevocationSourceTypes.CRL; + } + + /** + * Convert a list of reason codes provided as a <code>String</code> to a + * binary representation. + * + * @param reasonCodeStr A <code>String</code> containing a blank-separated, + * textual representation of reason codes. + * @return int A binary representation of reason codes. + * @see iaik.asn1.structures.DistributionPoint + */ + private int extractReasonCodes(String reasonCodeStr) { + int codes = 0; + StringTokenizer tokenizer = new StringTokenizer(reasonCodeStr); + String token; + Integer reasonCode; + + while (tokenizer.hasMoreTokens()) { + token = tokenizer.nextToken(); + reasonCode = (Integer) RC_MAPPING.get(token); + if (reasonCode != null) { + codes |= reasonCode.intValue(); + } else { + MessageProvider msg = MessageProvider.getInstance(); + Logger.warn( + new LogMsg(msg.getMessage("config.07", new Object[] { token }))); + } + } + + // If reasonCodeStr is empty, set all possible reason codes + if (codes == 0) codes = + iaik.asn1.structures.DistributionPoint.unused | + iaik.asn1.structures.DistributionPoint.keyCompromise | + iaik.asn1.structures.DistributionPoint.cACompromise | + iaik.asn1.structures.DistributionPoint.affiliationChanged | + iaik.asn1.structures.DistributionPoint.superseded | + iaik.asn1.structures.DistributionPoint.cessationOfOperation | + iaik.asn1.structures.DistributionPoint.certificateHold | + iaik.asn1.structures.DistributionPoint.privilegeWithdrawn | + iaik.asn1.structures.DistributionPoint.aACompromise; + + return codes; + } + + /** + * Return a binary representation of the reason codes of this distribution + * point. + * + * @return The binary representation of the reason codes. + */ + public int getReasonCodes() { + return reasonCodes; + } + + /** + * Return a <code>String</code> representation of this distribution point. + * + * @return The <code>String</code> representation of this distribution point. + * @see java.lang.Object#toString() + */ + public String toString() { + return "(DistributionPoint - " + + ("URI<" + getUri()) + + ("> REASONCODES<" + getReasonCodes() + ">)"); + } + + /** + * @see iaik.pki.revocation.CRLDistributionPoint#getIssuerName() + */ + public String getIssuerName() + { + return issuerName_; + } +} diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 96a90980d..b5bb461d1 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -27,6 +27,7 @@ import org.xml.sax.SAXException; import iaik.ixsil.exceptions.URIException; import iaik.ixsil.util.URI; import iaik.pki.pathvalidation.ChainingModes; +import iaik.pki.revocation.RevocationSourceTypes; import iaik.utils.RFC2253NameParser; import iaik.utils.RFC2253NameParserException; @@ -65,52 +66,130 @@ public class ConfigurationPartsBuilder { // private static final String ROOT = "/" + CONF + "MOAConfiguration/"; + private static final String DIGEST_METHOD_XPATH = - ROOT + CONF + "DigestMethodAlgorithm/@name"; + ROOT + CONF + "SignatureCreation/" + + CONF + "XMLDSIG/" + + CONF + "DigestMethodAlgorithm"; private static final String C14N_ALGORITHM_XPATH = - ROOT + CONF + "CanonicalizationAlgorithm/@name"; + ROOT + CONF + "SignatureCreation/" + + CONF + "XMLDSIG/" + + CONF + "CanonicalizationAlgorithm"; private static final String HARDWARE_CRYPTO_MODULE_XPATH = ROOT + CONF + "HardwareCryptoModule"; private static final String HARDWARE_KEY_XPATH = - ROOT + CONF + "HardwareKeyModule"; + ROOT + CONF + "SignatureCreation/" + + CONF + "KeyModules/" + + CONF + "HardwareKeyModule"; private static final String SOFTWARE_KEY_XPATH = - ROOT + CONF + "SoftwareKeyModule"; - private static final String KEYGROUP_XPATH = ROOT + CONF + "KeyGroup"; - private static final String KEY_XPATH = CONF + "Key"; - private static final String KEY_MODULE_ID_XPATH = CONF + "KeyModuleID"; - private static final String KEY_CERT_XPATH = CONF + "KeyCertIssuerSerial"; + ROOT + CONF + "SignatureCreation/" + + CONF + "KeyModules/" + + CONF + "SoftwareKeyModule"; + private static final String KEYGROUP_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "KeyGroup"; private static final String KEYGROUP_MAPPING_XPATH = - ROOT + CONF + "KeyGroupMapping"; - private static final String KEYGROUP_MAPPING_KEYGROUP_XPATH = - CONF + "KeyGroup"; - private static final String ISSUER_SERIAL_XPATH = CONF + "X509IssuerSerial"; - private static final String ISSUER_XPATH = DSIG + "X509IssuerName"; - private static final String SERIAL_XPATH = DSIG + "X509SerialNumber"; + ROOT + CONF + "SignatureCreation/" + + CONF + "KeyGroupMapping"; + private static final String ISSUER_XPATH = + DSIG + "X509IssuerName"; + private static final String SERIAL_XPATH = + DSIG + "X509SerialNumber"; + private static final String CERTSTORE_LOCATION_XPATH = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "PathConstruction/" + + CONF + "CertificateStore" + + CONF + "DirectoryStore" + + CONF + "Location"; + private static final String AUTO_ADD_CERTIFICATES_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "PathConstruction/" + + CONF + "AutoAddCertificates"; + private static final String USE_AUTHORITY_INFO_ACCESS_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "PathConstruction/" + + CONF + "UseAuthorityInformationAccess"; private static final String CHAINING_MODES_XPATH = - ROOT + CONF + "ChainingModes"; + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "PathValidation/" + + CONF + "ChainingMode"; private static final String CHAINING_MODES_DEFAULT_XPATH = - CHAINING_MODES_XPATH + "/@systemDefaultMode"; + CHAINING_MODES_XPATH + + CONF + "/DefaultMode"; private static final String TRUST_ANCHOR_XPATH = - ROOT + CONF + "ChainingModes/" + CONF + "TrustAnchor"; - private static final String CRL_DISTRIBUTION_POINT_XPATH = - ROOT + CONF + "CRLDistributionPoint"; - private static final String CA_ISSUER_DN_XPATH = CONF + "CAIssuerDN"; - private static final String DISTRIBUTION_POINT_XPATH = - CONF + "DistributionPoint"; - private static final String CRL_ARCHIVE_XPATH = ROOT + CONF + "CRLArchive"; - private static final String GENERIC_CONFIGURATION_XPATH = - ROOT + CONF + "GenericConfiguration"; + CHAINING_MODES_XPATH + + CONF + "TrustAnchor"; + private static final String TRUST_PROFILE_XPATH = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "PathValidation/" + + CONF + "TrustProfile"; + private static final String DISTRIBUTION_POINTS_XPATH = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "DistributionPoints"; + private static final String ENABLE_REVOCATION_CHECKING_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "EnableChecking"; + private static final String MAX_REVOCATION_AGE_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "MaxRevocationAge"; + private static final String REVOCATION_SERVICEORDER_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "ServiceOrder" + + CONF + "Service"; + private static final String ENABLE_ARCHIVING_XPATH = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "Archiving/" + + CONF + "EnableArchiving"; + private static final String CRL_ARCHIVE_DURATION_XPATH = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "Archiving/" + + CONF + "ArchiveDuration"; + private static final String ACHIVE_JDBC_URL_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "Archiving/" + + CONF + "Archive/" + + CONF + "DatabaseArchive" + + CONF + "JDBCURL"; + private static final String ACHIVE_JDBC_DRIVER_CLASS_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "Archiving/" + + CONF + "Archive/" + + CONF + "DatabaseArchive" + + CONF + "JDBCDriverClassName"; private static final String CREATE_TRANSFORMS_INFO_PROFILE_XPATH = - ROOT + CONF + "CreateTransformsInfoProfile"; + ROOT + CONF + "SignatureCreation/" + + CONF + "CreateTransformsInfoProfile"; private static final String CREATE_SIGNATURE_ENVIRONMENT_PROFILE_XPATH = - ROOT + CONF + "CreateSignatureEnvironmentProfile"; + ROOT + CONF + "SignatureCreation/" + + CONF + "CreateSignatureEnvironmentProfile"; private static final String VERIFY_TRANSFORMS_INFO_PROFILE_XPATH = - ROOT + CONF + "VerifyTransformsInfoProfile"; + ROOT + CONF + "SignatureVerification/" + + CONF + "VerifyTransformsInfoProfile"; private static final String SUPPLEMENT_PROFILE_XPATH = - ROOT + CONF + "SupplementProfile"; - private static final String TRUST_PROFILE_XPATH = - ROOT + CONF + "TrustProfile"; - + ROOT + CONF + "SignatureVerification/" + + CONF + "SupplementProfile"; + // // default values for configuration parameters // @@ -143,6 +222,11 @@ public class ConfigurationPartsBuilder { /** The root element of the MOA configuration */ private Element configElem; + + /** + * The directory containing the underlying configuration file. + */ + private File configRoot_; /** Whether any warnings were encountered building the configuration. */ private List warnings = new ArrayList(); @@ -151,9 +235,13 @@ public class ConfigurationPartsBuilder { * Create a new <code>ConfigurationPartsBuilder</code>. * * @param configElem The root element of the MOA configuration. + * + * @param configRoot The directory containing the underlying configuration file. */ - public ConfigurationPartsBuilder(Element configElem) { + public ConfigurationPartsBuilder(Element configElem, File configRoot) + { this.configElem = configElem; + configRoot_ = configRoot; } /** @@ -164,6 +252,16 @@ public class ConfigurationPartsBuilder { public Element getConfigElem() { return configElem; } + + /** + * Returns the directory containing the underlying configuration file. + * + * @return the directory containing the underlying configuration file. + */ + public File getConfigRoot() + { + return configRoot_; + } /** * Returns the warnings encountered during building the configuration. @@ -180,12 +278,12 @@ public class ConfigurationPartsBuilder { * * @return The digest method algorithm name from the configuration. */ - public String getDigestMethodAlgorithmName() { - String digestMethod = - getAttributeValue(getConfigElem(), DIGEST_METHOD_XPATH, null); + public String getDigestMethodAlgorithmName() + { + String digestMethod = getElementValue(getConfigElem(), DIGEST_METHOD_XPATH, null); - if (digestMethod == null - || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod)) { + if (digestMethod == null || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod)) + { warn( "config.23", new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT }); @@ -200,12 +298,12 @@ public class ConfigurationPartsBuilder { * * @return The canonicalization algorithm name from the configuration. */ - public String getCanonicalizationAlgorithmName() { - String c14nAlgorithm = - getAttributeValue(getConfigElem(), C14N_ALGORITHM_XPATH, null); + public String getCanonicalizationAlgorithmName() + { + String c14nAlgorithm = getElementValue(getConfigElem(), C14N_ALGORITHM_XPATH, null); - if (c14nAlgorithm == null - || !ACCEPTED_C14N_ALGORITHMS.contains(c14nAlgorithm)) { + if (c14nAlgorithm == null || !ACCEPTED_C14N_ALGORITHMS.contains(c14nAlgorithm)) + { warn( "config.23", new Object[] { "CanonicalizationAlgorithm", C14N_ALGORITHM_DEFAULT }); @@ -216,52 +314,23 @@ public class ConfigurationPartsBuilder { } /** - * Build the mapping of generic configuration properties. - * - * @return The mapping of generic configuration properties (a name to value - * mapping) from the configuration. - */ - public Map buildGenericConfiguration() { - Map genericConfiguration = new HashMap(); - NodeIterator gcIter = - XPathUtils.selectNodeIterator( - getConfigElem(), - GENERIC_CONFIGURATION_XPATH); - Element gcElem; - - while ((gcElem = (Element) gcIter.nextNode()) != null) { - String gcName = gcElem.getAttribute("name"); - String gcValue = gcElem.getAttribute("value"); - - if (genericConfiguration.containsKey(gcName)) { - warn("config.24", new Object[] { gcName }); - } else { - genericConfiguration.put(gcName, gcValue); - } - } - - return genericConfiguration; - } - - /** * Build the configured hardware crypto modules. * * @return The hardware crypto modules from the configuration. */ - public List buildHardwareCryptoModules() { + public List buildHardwareCryptoModules() + { List modules = new ArrayList(); - NodeIterator modIter = - XPathUtils.selectNodeIterator( - getConfigElem(), - HARDWARE_CRYPTO_MODULE_XPATH); - Element modElem; + NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + HARDWARE_CRYPTO_MODULE_XPATH); + Element modElem; while ((modElem = (Element) modIter.nextNode()) != null) { - String name = modElem.getAttribute("name"); - String slotID = modElem.getAttribute("slotID"); - String userPIN = modElem.getAttribute("userPIN"); - HardwareCryptoModule module = - new HardwareCryptoModule(name, slotID, userPIN); + String name = getElementValue(modElem, CONF + "Name", null); + String slotId = getElementValue(modElem, CONF + "SlotId", null); + String userPIN = getElementValue(modElem, CONF + "UserPIN", null); + HardwareCryptoModule module = new HardwareCryptoModule(name, slotId, userPIN); modules.add(module); } @@ -275,25 +344,30 @@ public class ConfigurationPartsBuilder { * prevent multiple key modules with the same ID. * @return The hardware keys contained in the configuration. */ - public List buildHardwareKeyModules(List keyModules) { + public List buildHardwareKeyModules(List keyModules) + { Set existingIds = toIdSet(keyModules); List hardwareKeys = new ArrayList(); NodeIterator hkIter = XPathUtils.selectNodeIterator(getConfigElem(), HARDWARE_KEY_XPATH); Element keyElem; - while ((keyElem = (Element) hkIter.nextNode()) != null) { - String id = keyElem.getAttribute("id"); - String name = keyElem.getAttribute("name"); - String slotID = keyElem.getAttribute("slotID"); - String userPIN = keyElem.getAttribute("userPIN"); + while ((keyElem = (Element) hkIter.nextNode()) != null) + { + String id = getElementValue(keyElem, CONF + "Id", null); + String name = getElementValue(keyElem, CONF + "Name", null); + String slotId = getElementValue(keyElem, CONF + "SlotId", null); + String userPIN = getElementValue(keyElem, CONF + "UserPIN", null); - if (existingIds.contains(id)) { + if (existingIds.contains(id)) + { warn( "config.04", new Object[] { "Hardware- oder SoftwareKeyModule", id }); - } else { - KeyModule key = new HardwareKeyModule(id, name, slotID, userPIN); + } + else + { + KeyModule key = new HardwareKeyModule(id, name, slotId, userPIN); hardwareKeys.add(key); existingIds.add(id); } @@ -307,36 +381,39 @@ public class ConfigurationPartsBuilder { * Build the configured software keys. * * @param The keyModules that the configuration already knows about. To - * prevent multiple key modules with the same ID. - * @param configRoot The directory containing the main configuration file. - * Used to resolve keystore files configured using a relative URI. + * prevent multiple key modules with the same ID. + * * @return The software keys contained in the configuration. */ - public List buildSoftwareKeyModules(List keyModules, File configRoot) { + public List buildSoftwareKeyModules(List keyModules) + { Set existingIds = toIdSet(keyModules); List softwareKeys = new ArrayList(); NodeIterator skIter = XPathUtils.selectNodeIterator(getConfigElem(), SOFTWARE_KEY_XPATH); Element keyElem; + while ((keyElem = (Element) skIter.nextNode()) != null) + { + String id = getElementValue(keyElem, CONF + "Id", null); + String fileName = getElementValue(keyElem, CONF + "Filename", null); + String passWord = getElementValue(keyElem, CONF + "Password", null); - while ((keyElem = (Element) skIter.nextNode()) != null) { - String id = keyElem.getAttribute("id"); - String fileName = keyElem.getAttribute("filename"); - String passWord = keyElem.getAttribute("password"); - - if (existingIds.contains(id)) { + if (existingIds.contains(id)) + { warn( "config.04", new Object[] { "Hardware- oder SoftwareKeyModule", id }); - } else { + } + else + { File keyFile; KeyModule key; // make keyFile absolute keyFile = new File(fileName); if (!keyFile.isAbsolute()) { - keyFile = new File(configRoot, fileName); + keyFile = new File(configRoot_, fileName); } // check for existence @@ -349,7 +426,6 @@ public class ConfigurationPartsBuilder { existingIds.add(id); } } - } return softwareKeys; @@ -362,7 +438,8 @@ public class ConfigurationPartsBuilder { * knows about. Used to check for errors in the configuration. * @return The mapping between key group IDs and key groups. */ - public Map buildKeyGroups(List keyModules) { + public Map buildKeyGroups(List keyModules) + { Set keyModuleIds = toIdSet(keyModules); Map keyGroups = new HashMap(); NodeIterator kgIter; @@ -370,15 +447,19 @@ public class ConfigurationPartsBuilder { // select all KeyGroup elements and build the KeyGroup objects from them kgIter = XPathUtils.selectNodeIterator(getConfigElem(), KEYGROUP_XPATH); - while ((keyGroupElem = (Element) kgIter.nextNode()) != null) { - String keyGroupId = keyGroupElem.getAttribute("id"); + while ((keyGroupElem = (Element) kgIter.nextNode()) != null) + { + String keyGroupId = getElementValue(keyGroupElem, CONF + "Id", null); Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries); - if (keyGroups.containsKey(keyGroupId)) { + if (keyGroups.containsKey(keyGroupId)) + { warn("config.04", new Object[] { "KeyGroup", keyGroupId }); - } else { + } + else + { keyGroups.put(keyGroup.getId(), keyGroup); } } @@ -425,12 +506,11 @@ public class ConfigurationPartsBuilder { Element keyEntryElem; // select all Key elements and put them into the Map - keyEntryIter = XPathUtils.selectNodeIterator(keyGroupElem, KEY_XPATH); - while ((keyEntryElem = (Element) keyEntryIter.nextNode()) != null) { - String keyModuleId = - getElementValue(keyEntryElem, KEY_MODULE_ID_XPATH, ""); - Element keyCertElem = - (Element) XPathUtils.selectSingleNode(keyEntryElem, KEY_CERT_XPATH); + keyEntryIter = XPathUtils.selectNodeIterator(keyGroupElem, CONF + "Key"); + while ((keyEntryElem = (Element) keyEntryIter.nextNode()) != null) + { + String keyModuleId = getElementValue(keyEntryElem, CONF + "KeyModuleId", ""); + Element keyCertElem = (Element) XPathUtils.selectSingleNode(keyEntryElem, CONF + "KeyCertIsuerSerial"); IssuerAndSerial issuerSerial = buildIssuerAndSerial(keyCertElem); if (!keyModuleIds.contains(keyModuleId)) { @@ -461,15 +541,18 @@ public class ConfigurationPartsBuilder { XPathUtils.selectNodeIterator(getConfigElem(), KEYGROUP_MAPPING_XPATH); // build the mapping for each KeyGroupMapping element - while ((mappingElem = (Element) mappingIter.nextNode()) != null) { - Element issuerSerialElem = - (Element) XPathUtils.selectSingleNode(mappingElem, ISSUER_SERIAL_XPATH); - IssuerAndSerial issuerAndSerial; + while ((mappingElem = (Element) mappingIter.nextNode()) != null) + { + Element issuerSerialElem = (Element) XPathUtils.selectSingleNode(mappingElem, CONF + "CustomerId"); // build the IssuerAndSerial who has access to the key groups - if (issuerSerialElem != null) { + IssuerAndSerial issuerAndSerial; + if (issuerSerialElem != null) + { issuerAndSerial = buildIssuerAndSerial(issuerSerialElem); - } else { + } + else + { // IssuerSerial element: the keygroup is generally available issuerAndSerial = anonymous; } @@ -480,24 +563,25 @@ public class ConfigurationPartsBuilder { NodeIterator keyGroupIter; Element keyGroupElem; - if (groups == null) { + if (groups == null) + { // no mapping exist -> build one groups = new HashMap(); mappings.put(issuerAndSerial, groups); } // select the available key groups and add them to the mapping - keyGroupIter = - XPathUtils.selectNodeIterator( - mappingElem, - KEYGROUP_MAPPING_KEYGROUP_XPATH); - while ((keyGroupElem = (Element) keyGroupIter.nextNode()) != null) { - String keyGroupId = keyGroupElem.getAttribute("id"); + keyGroupIter = XPathUtils.selectNodeIterator(mappingElem, CONF + "KeyGroupId"); + while ((keyGroupElem = (Element) keyGroupIter.nextNode()) != null) + { + String keyGroupId = getElementValue(keyGroupElem, ".", null); KeyGroup keyGroup = (KeyGroup) keyGroups.get(keyGroupId); - if (keyGroup != null) { + if (keyGroup != null) + { groups.put(keyGroupId, keyGroup); - } else { + } else + { warn("config.00", new Object[] { keyGroupId }); } } @@ -512,12 +596,12 @@ public class ConfigurationPartsBuilder { * * @return The default chaining mode. */ - public String getDefaultChainingMode() { - String defaultChaining = - getAttributeValue( - getConfigElem(), - CHAINING_MODES_DEFAULT_XPATH, - CM_CHAINING); + public String getDefaultChainingMode() + { + String defaultChaining = getElementValue( + getConfigElem(), + CHAINING_MODES_DEFAULT_XPATH, + CM_CHAINING); return translateChainingMode(defaultChaining); @@ -528,17 +612,20 @@ public class ConfigurationPartsBuilder { * * @return The mapping from trust anchors to chaining modes. */ - public Map buildChainingModes() { + public Map buildChainingModes() + { Map chainingModes = new HashMap(); - NodeIterator trustIter = - XPathUtils.selectNodeIterator(getConfigElem(), TRUST_ANCHOR_XPATH); - Element trustAnchorElem; + NodeIterator trustIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_ANCHOR_XPATH); - while ((trustAnchorElem = (Element) trustIter.nextNode()) != null) { - IssuerAndSerial issuerAndSerial = buildIssuerAndSerial(trustAnchorElem); - String mode = trustAnchorElem.getAttribute("mode"); + Element trustAnchorElem; + while ((trustAnchorElem = (Element) trustIter.nextNode()) != null) + { + IssuerAndSerial issuerAndSerial = buildIssuerAndSerial( + (Element)XPathUtils.selectSingleNode(trustAnchorElem, CONF + "Identification")); + String mode = getElementValue(trustAnchorElem, CONF + "Mode", null); - if (issuerAndSerial != null) { + if (issuerAndSerial != null) + { chainingModes.put(issuerAndSerial, translateChainingMode(mode)); } } @@ -595,89 +682,111 @@ public class ConfigurationPartsBuilder { } /** - * Build the CRL distribution points mapping. + * Build the distribution points mapping. * * @return The mapping from certificate authorities to distribution points. */ - public Map buildCRLDistributionPoints() { - Map crlDps = new HashMap(); - NodeIterator crlDpIter; - Element crlDpElem; + public Map buildDistributionPoints() + { + Map dPs = new HashMap(); + NodeIterator dPIter; + Element dPElem; - // select all CRLDistributionPoint elements and build the - // CRLDistributionPoints - crlDpIter = - XPathUtils.selectNodeIterator( - getConfigElem(), - CRL_DISTRIBUTION_POINT_XPATH); + // select all DistributionPoint elements + dPIter = XPathUtils.selectNodeIterator(getConfigElem(), DISTRIBUTION_POINTS_XPATH); // build the mapping of CA name to distribution points - while ((crlDpElem = (Element) crlDpIter.nextNode()) != null) { - String caIssuerDNText = - getElementValue(crlDpElem, CA_ISSUER_DN_XPATH, ""); + while ((dPElem = (Element) dPIter.nextNode()) != null) { + String caIssuerDNText = getElementValue(dPElem, CONF + "CAIssuerDN", ""); RFC2253NameParser nameParser = new RFC2253NameParser(caIssuerDNText); - NodeIterator dpIter = - XPathUtils.selectNodeIterator(crlDpElem, DISTRIBUTION_POINT_XPATH); - String caIssuerDN; - Set dps; - Element dpElem; + NodeIterator cRLDPIter = XPathUtils.selectNodeIterator(dPElem, CONF + "CRLDP"); + NodeIterator oCSPDPPIter = XPathUtils.selectNodeIterator(dPElem, CONF + "OCSPDP"); - try { - caIssuerDN = nameParser.parse().getName(); + try + { + String caIssuerDN = nameParser.parse().getName(); // check, if a mapping exists or make a new mapping - dps = (Set) crlDps.get(caIssuerDN); - if (dps == null) { - dps = new HashSet(); - crlDps.put(caIssuerDN, dps); + Set dPsForCA = (Set) dPs.get(caIssuerDN); + if (dPsForCA == null) + { + dPsForCA = new HashSet(); + dPs.put(caIssuerDN, dPsForCA); } - // add the distribution points of this CA to the set - while ((dpElem = (Element) dpIter.nextNode()) != null) { - DistributionPoint dp = buildDistributionPoint(dpElem); - dps.add(dp); + // add the CRL distribution points of this CA to the set + Element cRLDPElem; + while ((cRLDPElem = (Element) cRLDPIter.nextNode()) != null) + { + CRLDistributionPoint cRLDP = (CRLDistributionPoint) buildDistributionPoint(cRLDPElem, caIssuerDN); + dPsForCA.add(cRLDP); } - } catch (RFC2253NameParserException e) { + + // add the OCSP distribution points of this CA to the set + Element oCSPPElem; + while ((oCSPPElem = (Element) oCSPDPPIter.nextNode()) != null) + { + OCSPDistributionPoint oCSPDP = (OCSPDistributionPoint) buildDistributionPoint(cRLDPElem, null); + dPsForCA.add(oCSPDP); + } +} + catch (RFC2253NameParserException e) + { warn("config.13", new Object[] { caIssuerDNText }, e); } } - return crlDps; + return dPs; } /** * Build a distribution point from the DOM representation. * * @param dpElem The root element of the distribution point. + * + * @param issuerName The name of the CA issuing the CRL referred to by this DP, or <code>null</code> + * if this DP refers to an OCSP responder. + * * @return The distribution point. */ - private DistributionPoint buildDistributionPoint(Element dpElem) { - String uri = dpElem.getAttribute("uri"); - String reasonCodes = dpElem.getAttribute("reasonCodes"); - - return new DistributionPoint(uri, reasonCodes != null ? reasonCodes : ""); + private DistributionPoint buildDistributionPoint(Element dpElem, String issuerName) + { + String uri = getElementValue(dpElem, CONF + "Location", null); + + if ("CRLDP".equals(dpElem.getLocalName())) + { + NodeIterator reasonCodesIter = XPathUtils.selectNodeIterator(dpElem, CONF + "ReasonCode"); + Element reasonCodeElem; + StringBuffer reasonCodesSB = new StringBuffer(); + while ((reasonCodeElem = (Element)reasonCodesIter.nextNode()) != null) + { + if (reasonCodesSB.length() > 0) reasonCodesSB.append(" "); + reasonCodesSB.append(getElementValue(reasonCodeElem, ".", "").trim()); + } + return new CRLDistributionPoint(uri, reasonCodesSB.toString(), issuerName); + } + else + { + return new OCSPDistributionPoint(uri); + } } /** * Return the CRL archive duration. * - * @return The value of the CRL archive duration setting from the - * configuration. + * @return The value of the CRL archive duration setting from the configuration, or <code>0</code> if + * no value is set in the configuration. */ - public int getCRLArchiveDuration() { - Element crlArchiveElem = - (Element) XPathUtils.selectSingleNode(getConfigElem(), CRL_ARCHIVE_XPATH); - String crlArchiveDuration; - - if (crlArchiveElem == null) { - return 0; - } - - try { - crlArchiveDuration = crlArchiveElem.getAttribute("duration"); - return Integer.parseInt(crlArchiveDuration); - } catch (NumberFormatException e) { + public int getRevocationArchiveDuration() + { + String archiveDuration = getElementValue(getConfigElem(), CRL_ARCHIVE_DURATION_XPATH, null); + try + { + return Integer.parseInt(archiveDuration); + } + catch (NumberFormatException e) + { warn("config.01", null); return 0; } @@ -686,106 +795,92 @@ public class ConfigurationPartsBuilder { /** * Build the <code>CreateTransformsInfoProfile</code>s. * - * @param configRoot The directory of the main configuration file. Used for - * lookup of profiles with relative file names. * @return The mapping from profile ID to profile. */ - public Map buildCreateTransformsInfoProfiles(File configRoot) { - return loadProfiles( - configRoot, - CREATE_TRANSFORMS_INFO_PROFILE_XPATH, - "CreateTransformsInfoProfile"); + public Map buildCreateTransformsInfoProfiles() + { + return loadProfiles(CREATE_TRANSFORMS_INFO_PROFILE_XPATH, "CreateTransformsInfoProfile"); } /** * Build the <code>CreateSignatureEnvironmentProfile</code>s. * - * @param configRoot The directory of the main configuration file. Used for - * lookup of profiles with relative file names. * @return The mapping from profile ID to profile. */ - public Map buildCreateSignatureEnvironmentProfiles(File configRoot) { - return loadProfiles( - configRoot, - CREATE_SIGNATURE_ENVIRONMENT_PROFILE_XPATH, - "CreateSignatureEnvironmentProfile"); + public Map buildCreateSignatureEnvironmentProfiles() + { + return loadProfiles(CREATE_SIGNATURE_ENVIRONMENT_PROFILE_XPATH, "CreateSignatureEnvironmentProfile"); } /** * Build the <code>VerifyTransformsInfoProfile</code>s. * - * @param configRoot The directory of the main configuration file. Used for - * lookup of profiles with relative file names. * @return The mapping from profile ID to profile. */ - public Map buildVerifyTransformsInfoProfiles(File configRoot) { - return loadProfiles( - configRoot, - VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, - "VerifyTransformsInfoProfile"); + public Map buildVerifyTransformsInfoProfiles() + { + return loadProfiles(VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, "VerifyTransformsInfoProfile"); } /** * Build the <code>SupplementProfile</code>s. * - * @param configRoot The directory of the main configuration file. Used for - * lookup of profiles with relative file names. * @return The mapping from profile ID to profile. */ - public Map buildSupplementProfiles(File configRoot) { - return loadProfiles( - configRoot, - SUPPLEMENT_PROFILE_XPATH, - "SupplementProfile"); + public Map buildSupplementProfiles() + { + return loadProfiles(SUPPLEMENT_PROFILE_XPATH, "SupplementProfile"); } /** * Load a profile mapping. * - * @param root The absolute directory path of the main configuration file. * @param xpath The XPath to select the profiles from the configuration. + * * @param profileRoot The name of the profile root element. + * * @return Map The profile ID to profile mapping. */ - private Map loadProfiles(File root, String xpath, String profileRoot) { + private Map loadProfiles(String xpath, String profileRoot) + { Map profiles = new HashMap(); - NodeIterator profileIter = - XPathUtils.selectNodeIterator(getConfigElem(), xpath); + NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), xpath); Element profileElem; - while ((profileElem = (Element) profileIter.nextNode()) != null) { - String id = profileElem.getAttribute("id"); - String fileName = profileElem.getAttribute("filename"); + while ((profileElem = (Element) profileIter.nextNode()) != null) + { + String id = getElementValue(profileElem, CONF + "Id", null); + String fileName = getElementValue(profileElem, CONF + "Location", null); - if (profiles.containsKey(id)) { + if (profiles.containsKey(id)) + { warn("config.04", new Object[] { profileRoot, id }); - } else { - Element profile; - - try { + } + else + { + try + { File profileFile = new File(fileName); // make profileFile absolute - if (!profileFile.isAbsolute()) { - profileFile = new File(root, fileName); - } + if (!profileFile.isAbsolute()) profileFile = new File(configRoot_, fileName); // load the profile - info( - "config.22", - new Object[] { profileRoot, id, profileFile.getAbsoluteFile()}); - profile = loadProfile(profileFile); + info("config.22", new Object[] { profileRoot, id, profileFile.getAbsoluteFile()}); + Element profile = loadProfile(profileFile); - if (profile.getTagName().equals(profileRoot)) { + if (profile.getTagName().equals(profileRoot)) + { profiles.put(id, profile); - } else { + } + else + { warn("config.02", new Object[] { profileRoot, id, fileName }); } } catch (ConfigurationException e) { warn("config.03", new Object[] { profileRoot, id }); } } - } return profiles; @@ -815,30 +910,30 @@ public class ConfigurationPartsBuilder { /** * Bulid the trust profile mapping. * - * @param configRoot The absolute path to the main configuration file. * @return The profile ID to profile mapping. */ - public Map buildTrustProfiles(File configRoot) { + public Map buildTrustProfiles() + { Map trustProfiles = new HashMap(); - NodeIterator profileIter = - XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); + NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); Element profileElem; - while ((profileElem = (Element) profileIter.nextNode()) != null) { - String id = profileElem.getAttribute("id"); - String uriStr = profileElem.getAttribute("uri"); - String signerCertsUriStr = profileElem.getAttribute("signerCertsUri"); + while ((profileElem = (Element) profileIter.nextNode()) != null) + { + String id = getElementValue(profileElem, CONF + "Id", null); + String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); + String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null); - URI uri = null; + URI trustAnchorsLocURI = null; try { - uri = new URI(uriStr); - if (!uri.isAbsolute()) { // make it absolute to the config file - uri = new URI(configRoot.toURL() + uriStr); + trustAnchorsLocURI = new URI(trustAnchorsLocStr); + if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file + trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); } } catch (URIException e) { - warn("config.14", new Object[] { "uri", id, uriStr }, e); + warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); continue; } catch (MalformedURLException e) @@ -847,7 +942,7 @@ public class ConfigurationPartsBuilder { continue; } - File profileDir = new File(uri.getPath()); + File profileDir = new File(trustAnchorsLocURI.getPath()); if (!profileDir.exists() || !profileDir.isDirectory()) { warn("config.27", new Object[] { "uri", id }); continue; @@ -858,22 +953,22 @@ public class ConfigurationPartsBuilder { continue; } - URI signerCertsUri = null; - if (signerCertsUriStr != null && !"".equals(signerCertsUriStr)) + URI signerCertsLocURI = null; + if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) { try { - signerCertsUri = new URI(signerCertsUriStr); - if (!signerCertsUri.isAbsolute()) signerCertsUri = new URI(configRoot.toURL() + signerCertsUriStr); + signerCertsLocURI = new URI(signerCertsLocStr); + if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new URI(configRoot_.toURL() + signerCertsLocStr); - File signerCertsDir = new File(signerCertsUri.getPath()); + File signerCertsDir = new File(signerCertsLocURI.getPath()); if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { warn("config.27", new Object[] { "signerCertsUri", id }); continue; } } catch (URIException e) { - warn("config.14", new Object[] { "signerCertsUri", id, uriStr }, e); + warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); continue; } catch (MalformedURLException e) { @@ -882,13 +977,50 @@ public class ConfigurationPartsBuilder { } } - signerCertsUriStr = (signerCertsUri != null) ? signerCertsUri.toString() : null; - TrustProfile profile = new TrustProfile(id, uri.toString(), signerCertsUriStr); + signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; + TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr); trustProfiles.put(id, profile); } return trustProfiles; } + + /** + * Returns the location of the certificate store. + * + * @return the location of the certificate store. + */ + public String getCertStoreLocation() + { + String certStoreLocStr = getElementValue(getConfigElem(), CERTSTORE_LOCATION_XPATH, null); + File certStoreLocFile; + + // Make cert store location an absolute value + certStoreLocFile = new File(certStoreLocStr); + if (!certStoreLocFile.isAbsolute()) + { + certStoreLocFile = new File(configRoot_, certStoreLocStr); + } + + // Check if cert store location exists, eventually try to create it + if (!certStoreLocFile.isDirectory()) + { + boolean created = false; + try + { + created = certStoreLocFile.mkdirs(); + } + finally + { + if (!created) + { + warn("config.32", new Object[] { certStoreLocFile.getAbsolutePath() }); + } + } + } + + return certStoreLocFile.getAbsolutePath(); + } // // various utility methods @@ -984,4 +1116,107 @@ public class ConfigurationPartsBuilder { warnings.add(txt); } + /** + * Returns whether revocation information should be archived. + * + * @return whether revocation information should be archived. + */ + public boolean getEnableRevocationArchiving() + { + String enableArchiving = getElementValue(getConfigElem(), ENABLE_ARCHIVING_XPATH, null); + return Boolean.valueOf(enableArchiving).booleanValue(); + } + + /** + * Returns the JDBC URL for the revocation archive database. + * + * @return the JDBC URL for the revocation archive database, or <code>null</code, if the corresponding + * parameter is not set in the configuration. + */ + public String getRevocationArchiveJDBCURL() + { + String jDBCURL = getElementValue(getConfigElem(), ACHIVE_JDBC_URL_, null); + return jDBCURL; + } + + /** + * Returns the JDBC driver class name for the revocation archive database. + * + * @return the JDBC driver class name for the revocation archive database, or <code>null</code, + * if the corresponding parameter is not set in the configuration. + */ + public String getRevocationArchiveJDBCDriverClass() + { + String jDBCDriverClass = getElementValue(getConfigElem(), ACHIVE_JDBC_DRIVER_CLASS_, null); + return jDBCDriverClass; + } + + /** + * Returns whether revocation information should be archived. + */ + public boolean getEnableRevocationChecking() + { + String enableChecking = getElementValue(getConfigElem(), ENABLE_REVOCATION_CHECKING_XPATH_, null); + return Boolean.valueOf(enableChecking).booleanValue(); + } + + /** + * Returns the maximum age of a revocation information for considering it + * still as valid. + * + * @return the maximum age of a revocation information for considering it + * still as valid. + */ + public long getMaxRevocationAge() + { + String maxRevocationAge = getElementValue(getConfigElem(), MAX_REVOCATION_AGE_XPATH_, null); + return Long.valueOf(maxRevocationAge).longValue(); + } + + /** + * Returns the service order for revocation checking. + * + * @return the service order for revocation checking. Valid array entries are + * {@link evocationSourceTypes#OCSP} and {@link RevocationSourceTypes#CRL}. + * An empty array will be returned if no service order is specified in the + * configuration. + */ + public String[] getServiceOrder() + { + ArrayList list = new ArrayList(); + NodeIterator serviceIter = XPathUtils.selectNodeIterator(getConfigElem(), REVOCATION_SERVICEORDER_XPATH_); + Element currentServiceNode; + while ((currentServiceNode = (Element)serviceIter.nextNode()) != null) + { + list.add(getElementValue(currentServiceNode, ".", null)); + } + return (String[])list.toArray(); + } + + /** + * Returns whether the certificate extension Authority Info Access should + * be used during certificate path construction. + * + * @return whether the certificate extension Authority Info Access should + * be used during certificate path construction. + */ + public boolean getUseAuthorityInfoAccess() + { + String useAIA = getElementValue(getConfigElem(), USE_AUTHORITY_INFO_ACCESS_XPATH_, null); + return Boolean.valueOf(useAIA).booleanValue(); + } + + /** + * Returns whether certificates found during certificate path construction + * should be added to the certificate store. + * + * @return whether certificates found during certificate path construction + * should be added to the certificate store. + */ + public boolean getAutoAddCertificates() + { + String autoAdd = getElementValue(getConfigElem(), AUTO_ADD_CERTIFICATES_XPATH_, null); + return Boolean.valueOf(autoAdd).booleanValue(); + } + } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 4927bb9b0..a6cbcc159 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -16,6 +16,7 @@ import java.util.Set; import org.w3c.dom.Element; import iaik.asn1.structures.Name; +import iaik.pki.revocation.RevocationSourceTypes; import iaik.utils.RFC2253NameParser; import iaik.utils.RFC2253NameParserException; @@ -42,8 +43,8 @@ import at.gv.egovernment.moa.spss.util.MessageProvider; * @author Sven Aigner * @version $Id$ */ -public class ConfigurationProvider { - +public class ConfigurationProvider +{ /** * The name of the system property which contains the file name of the * configuration file. @@ -51,54 +52,6 @@ public class ConfigurationProvider { public static final String CONFIG_PROPERTY_NAME = "moa.spss.server.configuration"; - /** - * The name of the generic configuration property giving the root directory of - * a directory based cert store. - */ - public static final String DIRECTORY_CERTSTORE_PARAMETER_PROPERTY = - "DirectoryCertStoreParameters.RootDir"; - - /** The name of the generic configuration property which determines if - * certificates should be added to the cert store automatically. */ - public static final String AUTO_ADD_CERTIFICATES_PROPERTY = - "autoAddCertificates"; - - /** The name of the generic configuration property whether the authority - * info access should be used. */ - public static final String USE_AUTHORITY_INFO_ACCESS_PROPERTY = - "useAuthorityInfoAccess"; - - /** The name of the generic configuration property determining the maximum - * age of CRL entries. */ - public static final String MAX_REVOCATION_AGE_PROPERTY = "maxRevocationAge"; - - /** - * The name of the generic configuration property giving the database URL of - * the CRL archive. - */ - public static final String DATABASE_ARCHIVE_PARAMETER_URL_PROPERTY = - "DataBaseArchiveParameter.JDBCUrl"; - - /** - * The name of the generic configuration property giving the JDBC driver - * class name for accessing the database used for the the CRL archive. - */ - public static final String DATABASE_ARCHIVE_PARAMETER_DRIVERCLASS_PROPERTY = - "DataBaseArchiveParameter.JDBCDriverClass"; - - /** The name of the generic configuration property determining whether - * to check the revocation status of signer certificates. */ - public static final String REVOCATION_CHECKING_PROPERTY = "checkRevocation"; - - /** The name of the generic configuration property determining whether to - * archive revocation information. */ - public static final String ARCHIVE_REVOCATION_INFO_PROPERTY = - "archiveRevocationInfo"; - - /** The name of the generic configuration property used for setting the - * signing time to a predefined value. (Use for testing purposes only). */ - public static final String TEST_SIGNING_TIME_PROPERTY = "test.SigningTime"; - /** * A fake <code>IssuerAndSerial</code> object for storing KeyGroup information * accessible by all clients. @@ -122,13 +75,6 @@ public class ConfigurationProvider { /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; - /** - * A <code>Map</code> which contains generic configuration information. Maps a - * configuration name (a <code>String</code>) to a configuration value (also a - * <code>String</code>). - */ - private Map genericConfiguration; - /** * A <code>List</code> of <code>HardwareCryptoModule</code> objects for * configuring hardware modules. @@ -173,10 +119,22 @@ public class ConfigurationProvider { * to distribution points (a <code>Set</code> of * <code>DistributionPoint</code>s) mapping. */ - private Map crlDistributionPoints; + private Map distributionPoints; - /** The CRL archive duration. */ + /** + * The CRL archive duration. + */ private int cRLArchiveDuration; + + /** + * Indicates whether revocation information should be archived. + */ + private boolean enableRevocationArchiving_; + + /** + * The location of the certificate store. + */ + private String certStoreLocation_; /** * A <code>Map</code> which contains a mapping from @@ -213,6 +171,43 @@ public class ConfigurationProvider { private Map trustProfiles; /** + * The JDBC URL for the revocation archive database. + */ + private String revocationArchiveJDBCURL_; + + /** + * The JDBC driver class name for the revocation archive database. + */ + private String revocationArchiveJDBCDriverClass_; + + /** + * Indicates whether revocation checking should be done. + */ + private boolean enableRevocationChecking_; + + /** + * The maximum age of a revocation information for considering it still as valid. + */ + private long maxRevocationAge_; + + /** + * The service order for revocation checking. + */ + private String[] serviceOrder_; + + /** + * Indicates whether certificates found during certificate path construction + * should be added to the certificate store. + */ + private boolean autoAddCertificates_; + + /** + * Indicates whether the certificate extension Authority Info Access should + * be used during certificate path construction. + */ + private boolean useAuthorityInfoAccess_; + + /** * Return the single instance of configuration data. * * @return MOAConfigurationProvider The current configuration data. @@ -291,7 +286,7 @@ public class ConfigurationProvider { // build the internal datastructures try { - builder = new ConfigurationPartsBuilder(configElem); + builder = new ConfigurationPartsBuilder(configElem, configRoot); digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -299,7 +294,7 @@ public class ConfigurationProvider { hardwareKeyModules = builder.buildHardwareKeyModules(Collections.EMPTY_LIST); softwareKeyModules = - builder.buildSoftwareKeyModules(hardwareKeyModules, configRoot); + builder.buildSoftwareKeyModules(hardwareKeyModules); allKeyModules = new ArrayList(hardwareKeyModules); allKeyModules.addAll(softwareKeyModules); keyGroups = builder.buildKeyGroups(allKeyModules); @@ -307,20 +302,23 @@ public class ConfigurationProvider { builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); defaultChainingMode = builder.getDefaultChainingMode(); chainingModes = builder.buildChainingModes(); - crlDistributionPoints = builder.buildCRLDistributionPoints(); - cRLArchiveDuration = builder.getCRLArchiveDuration(); - genericConfiguration = builder.buildGenericConfiguration(); - absolutizeCertStoreRoot(configRoot); - createTransformsInfoProfiles = - builder.buildCreateTransformsInfoProfiles(configRoot); - createSignatureEnvironmentProfiles = - builder.buildCreateSignatureEnvironmentProfiles(configRoot); - verifyTransformsInfoProfiles = - builder.buildVerifyTransformsInfoProfiles(configRoot); - supplementProfiles = builder.buildSupplementProfiles(configRoot); - trustProfiles = builder.buildTrustProfiles(configRoot); + useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess(); + autoAddCertificates_ = builder.getAutoAddCertificates(); + distributionPoints = builder.buildDistributionPoints(); + enableRevocationChecking_ = builder.getEnableRevocationChecking(); + maxRevocationAge_ = builder.getMaxRevocationAge(); + serviceOrder_ = builder.getServiceOrder(); + enableRevocationArchiving_ = builder.getEnableRevocationArchiving(); + cRLArchiveDuration = builder.getRevocationArchiveDuration(); + revocationArchiveJDBCURL_ = builder.getRevocationArchiveJDBCURL(); + revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); + certStoreLocation_ = builder.getCertStoreLocation(); + createTransformsInfoProfiles = builder.buildCreateTransformsInfoProfiles(); + createSignatureEnvironmentProfiles = builder.buildCreateSignatureEnvironmentProfiles(); + verifyTransformsInfoProfiles = builder.buildVerifyTransformsInfoProfiles(); + supplementProfiles = builder.buildSupplementProfiles(); + trustProfiles = builder.buildTrustProfiles(); warnings = new ArrayList(builder.getWarnings()); - checkConsistency(); } catch (Throwable t) { throw new ConfigurationException("config.11", null, t); } finally { @@ -345,63 +343,6 @@ public class ConfigurationProvider { } /** - * Make the <code>DIRECTORY_CERTSTORE_PARAMETER_PROPERTY</code> generic - * configuration value an absolute file name. - * - * @param configRoot The root directory of the main configuration file. - */ - private void absolutizeCertStoreRoot(File configRoot) { - String certStoreRoot = - getGenericConfiguration(DIRECTORY_CERTSTORE_PARAMETER_PROPERTY); - - if (certStoreRoot != null) { - if (!new File(certStoreRoot).isAbsolute()) { - // make the cert store absolute - File absCertStore = new File(configRoot, certStoreRoot); - - setGenericConfiguration( - DIRECTORY_CERTSTORE_PARAMETER_PROPERTY, - absCertStore.getAbsolutePath()); - } - } else { - // no value given: set it to a reasonable (absolute) default - File absCertStore = new File(configRoot, "certstore"); - - setGenericConfiguration( - DIRECTORY_CERTSTORE_PARAMETER_PROPERTY, - absCertStore.getAbsolutePath()); - } - } - - /** - * Do some additional consistency checks on the configuration. - */ - private void checkConsistency() { - // check for valid DirectoryCertStoreParameters.RootDir - String certStoreRoot = - getGenericConfiguration(DIRECTORY_CERTSTORE_PARAMETER_PROPERTY); - - if (certStoreRoot != null) { - File certStore = new File(certStoreRoot); - - if (!certStore.exists() && !certStore.isDirectory()) { - boolean created = false; - - try { - created = certStore.mkdirs(); - } finally { - if (!created) { - warn( - "config.30", - new Object[] { DIRECTORY_CERTSTORE_PARAMETER_PROPERTY }); - } - } - } - } - - } - - /** * Return the name of the digest algorithm used during signature creation. * * @return The digest method algorithm name, or an empty <code>String</code>, @@ -530,20 +471,22 @@ public class ConfigurationProvider { } /** - * Return the CRL distribution points for a given CA. + * Return the distribution points for a given CA. + * + * @param cert The certificate for which the distribution points should be + * looked up. The issuer information is used to perform the lookup. * - * @param cert The certificate for which the CRL distribution points should be - * looked up. The issuer information is used to perform the lookup. * @return A <code>Set</code> of <code>DistributionPoint</code> objects. The - * set will be empty, if no distribution points have been configured for this - * certificate. + * set will be empty, if no distribution points have been configured + * for this certificate. */ - public Set getCRLDP(X509Certificate cert) { + public Set getDistributionPoints(X509Certificate cert) + { try { RFC2253NameParser nameParser = new RFC2253NameParser(cert.getIssuerDN().toString()); String caIssuerDN = nameParser.parse().getName(); - Set dps = (Set) crlDistributionPoints.get(caIssuerDN); + Set dps = (Set) distributionPoints.get(caIssuerDN); if (dps == null) { return Collections.EMPTY_SET; @@ -563,42 +506,25 @@ public class ConfigurationProvider { public int getCRLArchiveDuration() { return cRLArchiveDuration; } - - /** - * Sets a generic configuration value. - * - * Existing values are overridden. - * - * @param name The name of the generic configuration. - * @param value The new value of the generic configuration. - */ - private void setGenericConfiguration(String name, String value) { - genericConfiguration.put(name, value); - } - + /** - * Return the value of a generic configuration. + * Returns whether revocation information should be archived. * - * @param name The name of the generic configuration. - * @return The value of the generic configuration with the given name, or - * <code>null</code>, if none can be found. + * @return whether revocation information should be archived. */ - public String getGenericConfiguration(String name) { - return (String) genericConfiguration.get(name); + public boolean getEnableRevocationArchiving() + { + return enableRevocationArchiving_; } - + /** - * Return the value of a generic configuration, or a given default value. + * Returns the location of the certificate store. * - * @param name The name of the generic configuration. - * @param defaultValue A default value to be returned in case that the generic - * configuration with the given name does not exist. - * @return The value of the generic configuration with the given name, or the - * <code>defaultValue</code>, if none can be found. + * @return the location of the certificate store. */ - public String getGenericConfiguration(String name, String defaultValue) { - String value = (String) genericConfiguration.get(name); - return value != null ? value : defaultValue; + public String getCertStoreLocation() + { + return certStoreLocation_; } /** @@ -683,4 +609,81 @@ public class ConfigurationProvider { warnings.add(txt); } + /** + * Returns the JDBC URL for the revocation archive database. + * + * @return the JDBC URL for the revocation archive database. + */ + public String getRevocationArchiveJDBCURL() + { + return revocationArchiveJDBCURL_; + } + + /** + * Returns the JDBC driver class name for the revocation archive database. + * + * @return the JDBC driver class name for the revocation archive database. + */ + public String getRevocationArchiveJDBCDriverClass() + { + return revocationArchiveJDBCDriverClass_; + } + + /** + * Returns whether revocation checking should be done. + * + * @return whether revocation checking should be done. + */ + public boolean getEnableRevocationChecking() + { + return enableRevocationChecking_; + } + + /** + * Returns the maximum age of a revocation information for considering it + * still as valid. + * + * @return the maximum age of a revocation information for considering it + * still as valid. + */ + public long getMaxRevocationAge() + { + return maxRevocationAge_; + } + + /** + * Returns the service order for revocation checking. + * + * @return the service order for revocation checking. Valid array entries are + * {@link evocationSourceTypes#OCSP} and {@link RevocationSourceTypes#CRL}. + */ + public String[] getServiceOrder() + { + return serviceOrder_; + } + + /** + * Returns whether certificates found during certificate path construction + * should be added to the certificate store. + * + * @return whether certificates found during certificate path construction + * should be added to the certificate store. + */ + public boolean getAutoAddCertificates() + { + return autoAddCertificates_; + } + + /** + * Returns whether the certificate extension Authority Info Access should + * be used during certificate path construction. + * + * @return whether the certificate extension Authority Info Access should + * be used during certificate path construction. + */ + public boolean getUseAuthorityInfoAccess() + { + return useAuthorityInfoAccess_; + } + }
\ No newline at end of file diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/config/DistributionPoint.java b/spss.server/src/at/gv/egovernment/moa/spss/server/config/DistributionPoint.java index 7863eabe1..5c0646449 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/config/DistributionPoint.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/config/DistributionPoint.java @@ -1,146 +1,38 @@ package at.gv.egovernment.moa.spss.server.config; -import java.util.HashMap; -import java.util.Map; -import java.util.StringTokenizer; - -import at.gv.egovernment.moa.logging.LogMsg; -import at.gv.egovernment.moa.logging.Logger; - -import at.gv.egovernment.moa.spss.util.MessageProvider; - /** - * A class containing information about a CRL distribution point. + * Abstract base class for distribution points. * - * @author Sven Aigner - * @author Patrick Peck + * @author Gregor Karlinger * @version $Id$ - */ -public class DistributionPoint { - - private static Map RC_MAPPING = new HashMap(); - - static { - - // create the mapping between reason code strings and their integer values - RC_MAPPING.put( - "unused", - new Integer(iaik.asn1.structures.DistributionPoint.unused)); - RC_MAPPING.put( - "keyCompromise", - new Integer(iaik.asn1.structures.DistributionPoint.keyCompromise)); - RC_MAPPING.put( - "cACompromise", - new Integer(iaik.asn1.structures.DistributionPoint.cACompromise)); - RC_MAPPING.put( - "affiliationChanged", - new Integer(iaik.asn1.structures.DistributionPoint.affiliationChanged)); - RC_MAPPING.put( - "superseded", - new Integer(iaik.asn1.structures.DistributionPoint.superseded)); - RC_MAPPING.put( - "cessationOfOperation", - new Integer(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); - RC_MAPPING.put( - "certificateHold", - new Integer(iaik.asn1.structures.DistributionPoint.certificateHold)); - RC_MAPPING.put( - "privilegeWithdrawn", - new Integer(iaik.asn1.structures.DistributionPoint.privilegeWithdrawn)); - RC_MAPPING.put( - "aACompromise", - new Integer(iaik.asn1.structures.DistributionPoint.aACompromise)); - } - - /** The distribution point URI. */ - private String uri; - /** The reason codes applicable for the distribution point. */ - private int reasonCodes; - - /** - * Create a <code>DistributionPoint</code> with a URI and a list of reason - * codes. - * - * @param uri The URI of the distribution point. - * @param reasonCodeStr A list of reason codes (a space-separated - * enumeration). - */ - public DistributionPoint(String uri, String reasonCodeStr) { - this.uri = uri; - this.reasonCodes = extractReasonCodes(reasonCodeStr); - } - - /** - * Convert a list of reason codes provided as a <code>String</code> to a - * binary representation. - * - * @param reasonCodeStr A <code>String</code> containing a blank-separated, - * textual representation of reason codes. - * @return int A binary representation of reason codes. - * @see iaik.asn1.structures.DistributionPoint + * */ +public abstract class DistributionPoint implements iaik.pki.revocation.DistributionPoint +{ + /** + * The distribution point URI. */ - private int extractReasonCodes(String reasonCodeStr) { - int codes = 0; - StringTokenizer tokenizer = new StringTokenizer(reasonCodeStr); - String token; - Integer reasonCode; - - while (tokenizer.hasMoreTokens()) { - token = tokenizer.nextToken(); - reasonCode = (Integer) RC_MAPPING.get(token); - if (reasonCode != null) { - codes |= reasonCode.intValue(); - } else { - MessageProvider msg = MessageProvider.getInstance(); - Logger.warn( - new LogMsg(msg.getMessage("config.07", new Object[] { token }))); - } - } - - // If reasonCodeStr is empty, set all possible reason codes - if (codes == 0) codes = - iaik.asn1.structures.DistributionPoint.unused | - iaik.asn1.structures.DistributionPoint.keyCompromise | - iaik.asn1.structures.DistributionPoint.cACompromise | - iaik.asn1.structures.DistributionPoint.affiliationChanged | - iaik.asn1.structures.DistributionPoint.superseded | - iaik.asn1.structures.DistributionPoint.cessationOfOperation | - iaik.asn1.structures.DistributionPoint.certificateHold | - iaik.asn1.structures.DistributionPoint.privilegeWithdrawn | - iaik.asn1.structures.DistributionPoint.aACompromise; - - return codes; - } + private String uri_; /** - * Return the URI of the distribution point. + * Create a <code>DistributionPoint</code> with a URI. * - * @return The URI of the distribution point. + * @param uri The URI of the distribution point. */ - public String getUri() { - return uri; + public DistributionPoint(String uri) + { + uri_ = uri; } - + /** - * Return a binary representation of the reason codes of this distribution - * point. - * - * @return The binary representation of the reason codes. + * @see iaik.pki.revocation.DistributionPoint#getType() */ - public int getReasonCodes() { - return reasonCodes; - } + public abstract String getType(); /** - * Return a <code>String</code> representation of this distribution point. - * - * @return The <code>String</code> representation of this distribution point. - * @see java.lang.Object#toString() + * @see iaik.pki.revocation.DistributionPoint#getUri() */ - public String toString() { - return "(DistributionPoint - " - + ("URI<" + getUri()) - + ("> REASONCODES<" + getReasonCodes() + ">)"); + public String getUri() + { + return uri_; } - } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/config/OCSPDistributionPoint.java b/spss.server/src/at/gv/egovernment/moa/spss/server/config/OCSPDistributionPoint.java new file mode 100644 index 000000000..e4509ac97 --- /dev/null +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/config/OCSPDistributionPoint.java @@ -0,0 +1,33 @@ +package at.gv.egovernment.moa.spss.server.config; + +import iaik.pki.revocation.RevocationSourceTypes; + +/** + * A class representing a CRL distribution point. + * + * @author Gregor Karlinger + * @version $Id$ + */ +public class OCSPDistributionPoint + extends DistributionPoint + implements iaik.pki.revocation.DistributionPoint +{ + /** + * Create a <code>OCSPDistributionPoint</code> with a URI. + * + * @param uri The URI of the ocsp distribution point. + */ + public OCSPDistributionPoint(String uri) + { + super(uri); + } + + /** + * @see iaik.pki.revocation.DistributionPoint#getType() + */ + public String getType() + { + return RevocationSourceTypes.OCSP; + } + +} diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/ArchiveConfigurationImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/ArchiveConfigurationImpl.java index daff07bd2..bf56d437c 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/ArchiveConfigurationImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/ArchiveConfigurationImpl.java @@ -28,23 +28,17 @@ public class ArchiveConfigurationImpl /** * Create a new <code>ArchiveConfigurationImpl</code>. * - * @param config The MOA configuration from which the configuration data is - * being read. + * @param config The MOA configuration from which the configuration data is being read. */ - public ArchiveConfigurationImpl(ConfigurationProvider config) { - String jdbcUrl = - config.getGenericConfiguration( - ConfigurationProvider.DATABASE_ARCHIVE_PARAMETER_URL_PROPERTY); - - if (jdbcUrl != null) { - this.archiveParameters = new DataBaseArchiveParameterImpl(jdbcUrl); - } + public ArchiveConfigurationImpl(ConfigurationProvider config) + { + String jdbcUrl = config.getRevocationArchiveJDBCURL(); + this.archiveParameters = new DataBaseArchiveParameterImpl(jdbcUrl); - // Register JDBC driver class specified in generic configuration parameters - String jdbcDriverClass = config.getGenericConfiguration( - ConfigurationProvider.DATABASE_ARCHIVE_PARAMETER_DRIVERCLASS_PROPERTY); - if (jdbcDriverClass != null) + // Register JDBC driver class + if (jdbcUrl != null) { + String jdbcDriverClass = config.getRevocationArchiveJDBCDriverClass(); try { Class.forName(jdbcDriverClass); diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CRLDistributionPointAdapter.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CRLDistributionPointAdapter.java deleted file mode 100644 index 1c2df80a5..000000000 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CRLDistributionPointAdapter.java +++ /dev/null @@ -1,54 +0,0 @@ -package at.gv.egovernment.moa.spss.server.iaik.config; - -import iaik.pki.revocation.CRLDistributionPoint; -import iaik.pki.revocation.RevocationSourceTypes; - -import at.gv.egovernment.moa.spss.server.config.DistributionPoint; - -/** - * A class that wraps an - * at.gv.egovernment.moa.spss.server.config.DistributionPoint as a - * iaik.pki.revocation.CRLDistributionPoint. - * - * @see iaik.pki.revocation.CRLDistributionPoint - * @author Patrick Peck - * @version $Id$ - */ -public class CRLDistributionPointAdapter implements CRLDistributionPoint { - - /** The wrapped <code>DistributionPoint</code>. */ - private DistributionPoint distributionPoint; - - /** - * Create a new <code>CRLDistributionPointAdapter</code>. - * - * @param distributionPoint The <code>DistributionPoint</code> to wrap. It - * contains the data configured in the MOA configuration. - */ - public CRLDistributionPointAdapter(DistributionPoint distributionPoint) { - this.distributionPoint = distributionPoint; - } - - /** - * @see iaik.pki.revocation.CRLDistributionPoint#getReasonCodes() - */ - public int getReasonCodes() { - return distributionPoint.getReasonCodes(); - } - - /** - * @return <code>RevocationSourceTypes.CRL</code> - * @see iaik.pki.revocation.DistributionPoint#getType() - */ - public String getType() { - return RevocationSourceTypes.CRL; - } - - /** - * @see iaik.pki.revocation.DistributionPoint#getUri() - */ - public String getUri() { - return distributionPoint.getUri(); - } - -} diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java index c9be3fc2b..e6e084e11 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java @@ -27,21 +27,17 @@ public class CertStoreConfigurationImpl * @param config The MOA configuration from which the configuration data is * being read. */ - public CertStoreConfigurationImpl(ConfigurationProvider config) { - String certStoreRoot = - config.getGenericConfiguration( - ConfigurationProvider.DIRECTORY_CERTSTORE_PARAMETER_PROPERTY, - "certstore"); - - if (certStoreRoot != null) { - DirectoryCertStoreParameters dirParameters = - new DirectoryCertStoreParametersImpl( - "MOA Directory CertStore", - certStoreRoot, - true, - false); - parameters = new CertStoreParameters[] { dirParameters }; - } + public CertStoreConfigurationImpl(ConfigurationProvider config) + { + String certStoreRoot = config.getCertStoreLocation(); + + DirectoryCertStoreParameters dirParameters = new DirectoryCertStoreParametersImpl( + "MOA Directory CertStore", + certStoreRoot, + true, + false); + + parameters = new CertStoreParameters[] { dirParameters }; } /** diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/IaikConfigurator.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/IaikConfigurator.java index 6562ef1f4..a7ec91472 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/IaikConfigurator.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/IaikConfigurator.java @@ -61,7 +61,7 @@ public class IaikConfigurator { dumpKeyEntryIDs(); checkKeyGroupConfig(moaConfig); - TrustStoreFactory.reset(); + TrustStoreFactory.removeAllHandlers(); } catch (iaik.server.ConfigurationException e) { throw new ConfigurationException("config.08", null, e); } catch (Throwable t) { diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/PKIConfigurationImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/PKIConfigurationImpl.java index 0703cd326..1c42cc4af 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/PKIConfigurationImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/PKIConfigurationImpl.java @@ -5,9 +5,6 @@ import iaik.pki.pathvalidation.ValidationConfiguration; import iaik.pki.revocation.RevocationConfiguration; import iaik.pki.store.certstore.CertStoreConfiguration; import iaik.pki.store.revocation.archive.ArchiveConfiguration; - -import at.gv.egovernment.moa.util.BoolUtils; - import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; /** @@ -35,19 +32,17 @@ public class PKIConfigurationImpl implements PKIConfiguration { * the configuration data contained in this object. */ public PKIConfigurationImpl(ConfigurationProvider config) { - String archiveInfo; this.certStoreConfiguration = new CertStoreConfigurationImpl(config); - this.revocationConfiguration = new RevocationConfigurationImpl(config); - archiveInfo = - config.getGenericConfiguration( - ConfigurationProvider.ARCHIVE_REVOCATION_INFO_PROPERTY, - "false"); - if (archiveInfo != null && BoolUtils.valueOf(archiveInfo)) { + boolean archiveInfo = config.getEnableRevocationArchiving(); + if (archiveInfo) + { this.archiveConfiguration = new ArchiveConfigurationImpl(config); - } else { + } + else + { this.archiveConfiguration = null; } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java index 466234a11..bccb04a09 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java @@ -1,16 +1,11 @@ package at.gv.egovernment.moa.spss.server.iaik.config; +import iaik.pki.revocation.RevocationConfiguration; + import java.security.cert.X509Certificate; import java.util.Date; -import java.util.HashSet; -import java.util.Iterator; import java.util.Set; -import iaik.pki.revocation.RevocationConfiguration; - -import at.gv.egovernment.moa.util.BoolUtils; - -import at.gv.egovernment.moa.spss.server.config.DistributionPoint; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; /** @@ -40,34 +35,19 @@ public class RevocationConfigurationImpl } /** - * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints(java.security.cert.X509Certificate, java.util.Date) + * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints */ - public Set getAlternativeDistributionPoints( - X509Certificate cert, - Date date) { - - Set configuredPoints = config.getCRLDP(cert); - Set distributionPoints = new HashSet(); - Iterator iter; - - for (iter = configuredPoints.iterator(); iter.hasNext();) { - DistributionPoint dp = (DistributionPoint) iter.next(); - distributionPoints.add(new CRLDistributionPointAdapter(dp)); - } - - return distributionPoints; + public Set getAlternativeDistributionPoints(X509Certificate cert, X509Certificate issuer, Date date) + { + return config.getDistributionPoints(cert); } /** * @see iaik.pki.revocation.RevocationConfiguration#archiveRevocationInfo(java.lang.String, java.lang.String) */ - public boolean archiveRevocationInfo(String type, String uri) { - String info = - config.getGenericConfiguration( - ConfigurationProvider.ARCHIVE_REVOCATION_INFO_PROPERTY, - "false"); - - return info != null ? BoolUtils.valueOf(info) : false; + public boolean archiveRevocationInfo(String type, String uri) + { + return config.getEnableRevocationArchiving(); } } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java index c204eface..76f03ae07 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java @@ -4,9 +4,6 @@ import iaik.pki.PKIProfile; import iaik.pki.pathvalidation.ValidationProfile; import iaik.pki.revocation.RevocationProfile; import iaik.pki.store.truststore.TrustStoreProfile; - -import at.gv.egovernment.moa.util.BoolUtils; - import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moa.spss.server.iaik.pki.pathvalidation.ValidationProfileImpl; @@ -54,14 +51,9 @@ public class PKIProfileImpl implements PKIProfile { /** * @see iaik.pki.PKIProfile#autoAddCertificates() */ - public boolean autoAddCertificates() { - String boolStr = - config.getGenericConfiguration( - ConfigurationProvider.AUTO_ADD_CERTIFICATES_PROPERTY, - "true"); - boolean boolValue = BoolUtils.valueOf(boolStr); - - return useAuthorityInfoAccess() ? true : boolValue; + public boolean autoAddCertificates() + { + return useAuthorityInfoAccess() ? true : config.getAutoAddCertificates(); } /** @@ -116,12 +108,9 @@ public class PKIProfileImpl implements PKIProfile { /** * @see iaik.pki.PKIProfile#useAuthorityInfoAccess() */ - public boolean useAuthorityInfoAccess() { - String boolStr = - config.getGenericConfiguration( - ConfigurationProvider.USE_AUTHORITY_INFO_ACCESS_PROPERTY, - "true"); - return BoolUtils.valueOf(boolStr); + public boolean useAuthorityInfoAccess() + { + return config.getUseAuthorityInfoAccess(); } } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/pathvalidation/ValidationProfileImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/pathvalidation/ValidationProfileImpl.java index a2e3d6766..a4d7ea7fa 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/pathvalidation/ValidationProfileImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/pathvalidation/ValidationProfileImpl.java @@ -2,13 +2,11 @@ package at.gv.egovernment.moa.spss.server.iaik.pki.pathvalidation; import iaik.pki.pathvalidation.ValidationProfile; -import at.gv.egovernment.moa.util.BoolUtils; - -import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; - import java.util.Collections; import java.util.Set; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; + /** * An implementation of the <code>ValidationProfile</code> interface providing * information about certificat path validation. @@ -101,13 +99,9 @@ public class ValidationProfileImpl implements ValidationProfile { /** * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking() */ - public boolean getRevocationChecking() { - String checkingStr = - config.getGenericConfiguration( - ConfigurationProvider.REVOCATION_CHECKING_PROPERTY, - "true"); - - return BoolUtils.valueOf(checkingStr); + public boolean getRevocationChecking() + { + return config.getEnableRevocationChecking(); } }
\ No newline at end of file diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/revocation/RevocationProfileImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/revocation/RevocationProfileImpl.java index 186d24934..164ae8a75 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/revocation/RevocationProfileImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/revocation/RevocationProfileImpl.java @@ -18,7 +18,7 @@ import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; public class RevocationProfileImpl implements RevocationProfile { /** The default service order. */ private static final String[] DEFAULT_SERVICE_ORDER = - { RevocationSourceTypes.CRL }; + { RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL }; /** The <code>ConfigurationProvider</code> to read the MOA configuration data * from. */ private ConfigurationProvider config; @@ -38,14 +38,9 @@ public class RevocationProfileImpl implements RevocationProfile { /** * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(String) */ - public long getMaxRevocationAge(String distributionPointUri) { - String maxRevocationAgeStr = - config.getGenericConfiguration( - ConfigurationProvider.MAX_REVOCATION_AGE_PROPERTY, - "0"); - long revocationAge = Long.parseLong(maxRevocationAgeStr); - - return revocationAge; + public long getMaxRevocationAge(String distributionPointUri) + { + return config.getMaxRevocationAge(); } /** @@ -58,8 +53,11 @@ public class RevocationProfileImpl implements RevocationProfile { /** * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) */ - public String[] getPreferredServiceOrder(X509Certificate cert) { - return DEFAULT_SERVICE_ORDER; + public String[] getPreferredServiceOrder(X509Certificate cert) + { + String[] serviceOrder = config.getServiceOrder(); + if (serviceOrder == null || serviceOrder.length == 0) return DEFAULT_SERVICE_ORDER; + return serviceOrder; } } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java index 8a1161b95..37ded77e6 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java @@ -25,6 +25,12 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { /** The observers of this profile. */ private List observers = new ArrayList(); + + /** + * The trust profile identifier. + */ + private String id_; + /** The type of the trust profile. */ private String type; /** The URI of the trust profile.*/ @@ -46,13 +52,15 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { throws MOAApplicationException { TrustProfile tp = (TrustProfile) config.getTrustProfile(trustProfileId); - if (tp != null) { + if (tp != null) + { + id_ = trustProfileId; setURI(tp.getUri()); setType(TrustStoreTypes.DIRECTORY); - } else { - throw new MOAApplicationException( - "2203", - new Object[] { trustProfileId }); + } + else + { + throw new MOAApplicationException("2203", new Object[] { trustProfileId }); } } @@ -116,4 +124,12 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { } } + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getId() + */ + public String getId() + { + return id_; + } + } diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java b/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java index 15e5955aa..fd207ddea 100644 --- a/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java +++ b/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java @@ -1,6 +1,14 @@ package at.gv.egovernment.moa.spss.server.invoke; -import java.text.ParseException; +import iaik.IAIKException; +import iaik.IAIKRuntimeException; +import iaik.server.modules.xml.DataObject; +import iaik.server.modules.xml.XMLDataObject; +import iaik.server.modules.xml.XMLSignature; +import iaik.server.modules.xmlsign.XMLSignatureCreationModule; +import iaik.server.modules.xmlsign.XMLSignatureCreationModuleFactory; +import iaik.server.modules.xmlsign.XMLSignatureCreationProfile; + import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; @@ -14,22 +22,9 @@ import org.w3c.dom.Element; import org.w3c.dom.Node; import org.w3c.dom.NodeList; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; -import iaik.server.modules.xml.DataObject; -import iaik.server.modules.xml.XMLDataObject; -import iaik.server.modules.xml.XMLSignature; -import iaik.server.modules.xmlsign.XMLSignatureCreationModule; -import iaik.server.modules.xmlsign.XMLSignatureCreationModuleFactory; -import iaik.server.modules.xmlsign.XMLSignatureCreationProfile; - import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.logging.LoggingContext; import at.gv.egovernment.moa.logging.LoggingContextManager; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.DateTimeUtils; -import at.gv.egovernment.moa.util.XPathUtils; - import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.MOASystemException; @@ -44,13 +39,14 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse; import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo; import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; -import at.gv.egovernment.moa.spss.server.iaik.xml.SigningTimeImpl; import at.gv.egovernment.moa.spss.server.iaik.xml.XMLDataObjectImpl; import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; import at.gv.egovernment.moa.spss.server.util.IdGenerator; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.XPathUtils; /** * A class providing an API based interface to the @@ -542,21 +538,6 @@ public class XMLSignatureCreationInvoker { TransactionContextManager.getInstance().getTransactionContext(); ConfigurationProvider config = context.getConfiguration(); List additionalSignedProperties = Collections.EMPTY_LIST; - String testSigningTime = - config.getGenericConfiguration( - ConfigurationProvider.TEST_SIGNING_TIME_PROPERTY); - - if (testSigningTime != null) { - try { - SigningTimeImpl signingTime = - new SigningTimeImpl(DateTimeUtils.parseDateTime(testSigningTime)); - additionalSignedProperties = new ArrayList(); - additionalSignedProperties.add(signingTime); - } catch (ParseException e) { - // if we fail here, the signing time will simply not be added to - // the list of signed properties - } - } return additionalSignedProperties; } diff --git a/spss.server/src/test/at/gv/egovernment/moa/spss/server/config/ConfigurationProviderTest.java b/spss.server/src/test/at/gv/egovernment/moa/spss/server/config/ConfigurationProviderTest.java index 07b3c7010..d41b8e4b2 100644 --- a/spss.server/src/test/at/gv/egovernment/moa/spss/server/config/ConfigurationProviderTest.java +++ b/spss.server/src/test/at/gv/egovernment/moa/spss/server/config/ConfigurationProviderTest.java @@ -110,9 +110,9 @@ public class ConfigurationProviderTest extends SPSSTestCase { public void testGetCRLDP() { Set dps; - dps = provider.getCRLDP(atrustCert); + dps = provider.getDistributionPoints(atrustCert); assertEquals(0, dps.size()); - dps = provider.getCRLDP(iaikCert); + dps = provider.getDistributionPoints(iaikCert); assertEquals(3, dps.size()); } @@ -120,15 +120,6 @@ public class ConfigurationProviderTest extends SPSSTestCase { assertEquals(365, provider.getCRLArchiveDuration()); } - public void testGetGenericConfiguration() { - assertEquals( - "tmp/aValidPathName", - provider.getGenericConfiguration("DirectoryCertStoreParameters.RootDir")); - assertNull(provider.getGenericConfiguration("notExisting")); - assertEquals( - "default", - provider.getGenericConfiguration("notExisting", "default")); - } public void testGetCreateTransformsInfoProfile() { Element profile; diff --git a/spss.server/src/test/at/gv/egovernment/moa/spss/server/iaik/config/ConfigurationDataImplTest.java b/spss.server/src/test/at/gv/egovernment/moa/spss/server/iaik/config/ConfigurationDataImplTest.java index 29e00e0e7..be1090e4a 100644 --- a/spss.server/src/test/at/gv/egovernment/moa/spss/server/iaik/config/ConfigurationDataImplTest.java +++ b/spss.server/src/test/at/gv/egovernment/moa/spss/server/iaik/config/ConfigurationDataImplTest.java @@ -97,7 +97,7 @@ public class ConfigurationDataImplTest extends SPSSTestCase { // test revocation configuration distributionPoints = - revocationConfig.getAlternativeDistributionPoints(iaikCert, new Date()); + revocationConfig.getAlternativeDistributionPoints(iaikCert, null, new Date()); assertEquals(3, distributionPoints.size()); found = false; for (iter = distributionPoints.iterator(); iter.hasNext();) { |