diff options
Diffstat (limited to 'spss/server/serverlib/src/main/java/at')
45 files changed, 3443 insertions, 357 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index fbf40be88..b5cc96a04 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -35,6 +35,9 @@ import org.apache.commons.discovery.tools.DiscoverClass; import org.w3c.dom.Element; import org.w3c.dom.NodeList; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; @@ -138,6 +141,26 @@ public abstract class SPSSFactory { List singleSignatureInfos); /** + * Create a new <code>CreateCMSSignatureRequest</code> object. + * + * @param keyIdentifier The identifier for the key group to use for signing. + * @param singleSignatureInfos A <code>List</code> of + * <code>SingleSignatureInfo</code> objects containing information about a + * single signature to be created. + * @return The <code>CreateCMSSignatureRequest</code> containing the above + * data. + * + * @pre keyIdentifier != null && keyIdentifier.length() > 0 + * @pre singleSignatureInfos != null + * @pre forall Object o in singleSignatureInfos | + * o instanceof at.gv.egovernment.moa.spss.api.common.SingleSignatureInfo + * @post return != null + */ + public abstract CreateCMSSignatureRequest createCreateCMSSignatureRequest( + String keyIdentifier, + List singleSignatureInfos); + + /** * Create a new <code>SingleSignatureInfo</code> object. * * @param dataObjectInfos The data objects that will be signed (including @@ -156,6 +179,23 @@ public abstract class SPSSFactory { public abstract SingleSignatureInfo createSingleSignatureInfo( List dataObjectInfos, CreateSignatureInfo createSignatureInfo, boolean securityLayerConform); + + /** + * Create a new <code>SingleSignatureInfo</code> object. + * + * @param dataObjectInfo The data object that will be signed. + * @param securityLayerConform If <code>true</code>, a Security Layer conform + * signature manifest is created, otherwise not. + * @return The <code>SingleSignatureInfo</code> containing the above data. + * + * @post return != null + */ + public abstract at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo createSingleSignatureInfoCMS( + at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo dataObjectInfo, + boolean securityLayerConform); + + + /** * Create a new <code>DataObjectInfo</code> object. @@ -182,6 +222,22 @@ public abstract class SPSSFactory { CreateTransformsInfoProfile createTransformsInfoProfile); /** + * Create a new <code>DataObjectInfo</code> object. + * + * @param structure The type of signature to create. + * @param dataObject The data object that will be signed. + * @return The <code>DataObjectInfo</code> containing the above data. + * + * @pre DataObjectInfo.STRUCTURE_DETACHED.equals(structure) || + * DataObjectInfo.STRUCTURE_ENVELOPING.equals(structure) + * @pre dataObject != null + * @post return != null + */ + public abstract at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo createDataObjectInfo( + String structure, + CMSDataObject dataObject); + + /** * Create a new <code>CreateTransformsInfoProfile</code> object containing a * reference to a locally stored profile. * @@ -321,6 +377,37 @@ public abstract class SPSSFactory { */ public abstract CreateXMLSignatureResponse createCreateXMLSignatureResponse(List responseElements); + + /** + * Create a new <code>CreateCMSSignatureResponse</code> object. + * + * @param responseElements The elements of the response, either + * <code>CMSSignatureResponse</code> objects, or + * <code>ErrorResponse</code> objects. + * @return The new <code>CreateCMSSignatureResponse</code> containing the + * above data. + * + * @pre responseElements != null && responseElements.size() > 0 + * @pre forall Object o in responseElements | + * o instanceof at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse + * @post return != null + */ + public abstract CreateCMSSignatureResponse createCreateCMSSignatureResponse(List responseElements); + + + /** + * Create a new <code>SignatureEnvironmentResponse</code> object. + * + * @param signatureEnvironment The signature environment containing the + * signature. + * @return The <code>SignatureEnvironmentResponse</code> containing the + * <code>signatureEnvironment</code>. + * + * @pre signatureEnvironment != null + * @post return != null + */ + public abstract CMSSignatureResponse createCMSSignatureResponse(String base64value); + /** * Create a new <code>SignatureEnvironmentResponse</code> object. * @@ -1003,6 +1090,8 @@ public abstract class SPSSFactory { * @param signerCertificate The signer certificate in binary form. * @param qualifiedCertificate <code>true</code>, if the signer certificate is * a qualified certificate, otherwise <code>false</code>. + * @param qcSourceTSL <code>true</code>, if the QC information comes from the TSL, + * otherwise <code>false</code>. * @param publicAuthority <code>true</code>, if the signer certificate is a * public authority certificate, otherwise <code>false</code>. * @param publicAuthorityID The identification of the public authority @@ -1010,6 +1099,9 @@ public abstract class SPSSFactory { * <code>null</code>. * @param sscd <code>true</code>, if the TSL check verifies the * signature based on a SSDC, otherwise <code>false</code>. + * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL, + * otherwise <code>false</code>. + * @param issuerCountryCode contains the signer certificate issuer country code. * @return The <code>SignerInfo</code> containing the above data. * * @pre signerCertSubjectName != null @@ -1019,9 +1111,12 @@ public abstract class SPSSFactory { public abstract SignerInfo createSignerInfo( X509Certificate signerCertificate, boolean qualifiedCertificate, + boolean qcSourceTSL, boolean publicAuthority, String publicAuthorityID, - boolean sscd); + boolean sscd, + boolean sscdSourceTSL, + String issuerCountryCode); /** * Create a new <code>X509IssuerSerial</code> object. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java new file mode 100644 index 000000000..10db67627 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CMSSignatureResponse.java @@ -0,0 +1,41 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + + +/** + * Contains the signature if the signature creation was successful. + * + * @version $Id$ + */ +public interface CMSSignatureResponse + extends CreateCMSSignatureResponseElement { + /** + * Gets the CMS signature (Base64 encoded). + * + * @return The CMS signature + */ + public String getCMSSignature(); +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java new file mode 100644 index 000000000..9d5cd7a0d --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureRequest.java @@ -0,0 +1,49 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +import java.util.List; + + +/** + * Object that encapsulates a request to create a CMS Signature. + * + * + * @version $Id$ + */ +public interface CreateCMSSignatureRequest { + /** + * Gets the identifier for the keys to be used for the signature. + * + * @return The identifier for the keys to be used. + */ + public String getKeyIdentifier(); + /** + * Gets the information of the singleSignatureInfo elements. + * + * @return The information of singleSignatureInfo elements. + */ + public List getSingleSignatureInfos(); +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java new file mode 100644 index 000000000..6062a1162 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponse.java @@ -0,0 +1,42 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +import java.util.List; + +/** + * Object that encapsulates the response on to a + * <code>CreateCMSSignatureRequest</code> to create an XML signature. + * + * @version $Id$ + */ +public interface CreateCMSSignatureResponse { + /** + * Gets the response elements. + * + * @return The response elements. + */ + public List getResponseElements(); +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java new file mode 100644 index 000000000..8e4e61145 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/CreateCMSSignatureResponseElement.java @@ -0,0 +1,51 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +/** + * Base class for <code>CMSSignature</code> and + * <code>ErrorResponse</code> elements in a + * <code>CreateXMLSignatureResponse</code>. + * + * @version $Id$ + */ +public interface CreateCMSSignatureResponseElement { + /** + * Indicates that this object contains a <code>CMSSignature</code>. + */ + public static final int CMS_SIGNATURE = 0; + /** + * Indicates that this objet contains an <code>ErrorResponse</code>. + */ + public static final int ERROR_RESPONSE = 1; + + /** + * Gets the type of response object. + * + * @return The type of response object, either + * <code>CMS_SIGNATURE</code> or <code>ERROR_RESPONSE</code>. + */ + public int getResponseType(); +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java new file mode 100644 index 000000000..b9f363061 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/DataObjectInfo.java @@ -0,0 +1,58 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; + +/** + * Encapsulates information required to create a single signature. + * + * @version $Id$ + */ +public interface DataObjectInfo { + /** + * Indicates that a detached signature will be created. + */ + public static final String STRUCTURE_DETACHED = "detached"; + /** + * Indicates that an enveloping signature will be created. + */ + public static final String STRUCTURE_ENVELOPING = "enveloping"; + + /** + * Gets the structure of the signature. + * + * @return The structure of the signature. + */ + public String getStructure(); + + /** + * Gets information related to a single data object. + * + * @return Information related to a single data object. + */ + public CMSDataObject getDataObject(); + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java new file mode 100644 index 000000000..1f87a50ca --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/cmssign/SingleSignatureInfo.java @@ -0,0 +1,51 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.cmssign; + + + +/** + * Encapsulates data to create a single signature. + * + * @author Patrick Peck + * @author Stephan Grill + * @version $Id$ + */ +public interface SingleSignatureInfo { + /** + * Gets the dataObjectInfo information. + * + * @return The dataObjectInfo information. + */ + public DataObjectInfo getDataObjectInfo(); + + /** + * Check whether a Security Layer conform signature manifest will be created. + * + * @return <code>true</code>, if a Security Layer conform signature manifest + * will be created, <code>false</code> otherwise. + */ + public boolean isSecurityLayerConform(); +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java index 7a1942214..777365ad3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java @@ -59,6 +59,21 @@ public interface SignerInfo { public boolean isSSCD(); /** + * Returns the source of the SSCD check (TSL or Certificate) * + */ + public String getSSCDSource(); + + /** + * Returns the source of the QC check (TSL or Certificate) * + */ + public String getQCSource(); + + /** + * Returns the signer certificate issuer country code + * @return + */ + public String getIssuerCountryCode(); + /** * Checks, whether the certificate contained in this object is a * public authority certificate. * diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java index fd7d38217..29529322c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.spss.api.common;
+import iaik.ixsil.util.URI;
+
import java.util.Date;
@@ -70,5 +72,10 @@ public interface TSLConfiguration { */
public String getWorkingDirectory();
+ /**
+ *
+ * @return
+ */
+ public URI getWorkingDirectoryAsURI();
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java new file mode 100644 index 000000000..b512dd0bd --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CMSSignatureResponseImpl.java @@ -0,0 +1,64 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; + +/** + * Default implementation of <code>CMSSignatureResponse</code>. + * + * @version $Id$ + */ +public class CMSSignatureResponseImpl + implements CMSSignatureResponse { + + /** The base64 value of the CMS signature. */ + private String cmsSignature; + + /** + * Sets the CMS signature. + * + * @param cmsSignature The Base64 encoded value CMS signature. + */ + public void setCMSSignature(String cmsSignature) { + this.cmsSignature = cmsSignature; + } + + public String getCMSSignature() { + return cmsSignature; + } + + /** + * Gets the type of <code>CreateCMSSignatureResponseElement</code>. + * + * @return CMS_SIGNATURE + */ + public int getResponseType() { + return CMS_SIGNATURE; + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java new file mode 100644 index 000000000..e8408bc55 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureRequestImpl.java @@ -0,0 +1,77 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; + +/** + * Default implementation of <code>CreateCMSSignatureRequest</code>. + * + * @author Fatemeh Philippi + * @version $Id$ + */ +public class CreateCMSSignatureRequestImpl + implements CreateCMSSignatureRequest { + + /** The identifier for selecting the private keys for creating the signature.*/ + private String keyIdentifier; + /** Information for creating a single signature. */ + private List singleSignatureInfos = new ArrayList(); + + /** + * Sets the identifier for selecting the private keys for creating the + * signature. + * + * @param keyIdentifier The identifier for selecting the private keys. + */ + public void setKeyIdentifier(String keyIdentifier) { + this.keyIdentifier = keyIdentifier; + } + + public String getKeyIdentifier() { + return keyIdentifier; + } + + /** + * Sets the information for creating single signatures. + * + * @param singleSignaureInfos The information for creating single signatures. + */ + public void setSingleSignatureInfos(List singleSignaureInfos) { + this.singleSignatureInfos = + singleSignaureInfos != null + ? Collections.unmodifiableList(new ArrayList(singleSignaureInfos)) + : null; + } + + public List getSingleSignatureInfos() { + return singleSignatureInfos; + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java new file mode 100644 index 000000000..d596058c6 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateCMSSignatureResponseImpl.java @@ -0,0 +1,60 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; + +/** + * Default implementation of <code>CreateCMSSignatureResponse</code>. + * + * @version $Id$ + */ +public class CreateCMSSignatureResponseImpl + implements CreateCMSSignatureResponse { + + /** The elements contained in the response. */ + private List responseElements = new ArrayList(); + + /** + * Sets the elements contained in the response. + * + * @param responseElements The response elements. + */ + public void setResponseElements(List responseElements) { + this.responseElements = + responseElements != null + ? Collections.unmodifiableList(new ArrayList(responseElements)) + : null; + } + + public List getResponseElements() { + return responseElements; + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java new file mode 100644 index 000000000..702086b6f --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/DataObjectInfoCMSImpl.java @@ -0,0 +1,69 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; + +/** + * Default implementation of <code>DataObjectInfo</code> for CMS. + * + * @author Fatemeh Philippi + * @version $Id$ + */ +public class DataObjectInfoCMSImpl implements DataObjectInfo { + /** The signature structure type. */ + private String stucture; + /** The data object to be signed. */ + private CMSDataObject dataObject; + + /** + * Sets the signature structure type. + * + * @param structure The signature structure type. + */ + public void setStructure(String structure) { + this.stucture = structure; + } + + public String getStructure() { + return stucture; + } + + + /** + * Sets the data object to be signed. + * + * @param dataObject The data object to be signed. + */ + public void setDataObject(CMSDataObject dataObject) { + this.dataObject = dataObject; + } + + public CMSDataObject getDataObject() { + return dataObject; + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java index a23a1d98f..8e3bb7636 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.spss.api.impl; import java.io.InputStream; + import java.math.BigInteger; import java.security.cert.X509Certificate; import java.util.Date; @@ -35,6 +36,9 @@ import org.w3c.dom.Element; import org.w3c.dom.NodeList; import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; @@ -90,6 +94,32 @@ public class SPSSFactoryImpl extends SPSSFactory { createXMLSignatureRequest.setSingleSignatureInfos(singleSignatureInfos); return createXMLSignatureRequest; } + + public CreateCMSSignatureRequest createCreateCMSSignatureRequest( + String keyIdentifier, + List singleSignatureInfos) { + CreateCMSSignatureRequestImpl createCMSSignatureRequest = + new CreateCMSSignatureRequestImpl(); + createCMSSignatureRequest.setKeyIdentifier(keyIdentifier); + createCMSSignatureRequest.setSingleSignatureInfos(singleSignatureInfos); + return createCMSSignatureRequest; + + } + + public CreateCMSSignatureResponse createCreateCMSSignatureResponse(List responseElements) { + CreateCMSSignatureResponseImpl createCMSSignatureResponse = new CreateCMSSignatureResponseImpl(); + createCMSSignatureResponse.setResponseElements(responseElements); + return createCMSSignatureResponse; + } + + + public CMSSignatureResponse createCMSSignatureResponse(String base64value) { + CMSSignatureResponseImpl cmsSignatureResponse = new CMSSignatureResponseImpl(); + cmsSignatureResponse.setCMSSignature(base64value); + + return cmsSignatureResponse; + } + public SingleSignatureInfo createSingleSignatureInfo( List dataObjectInfos, @@ -101,6 +131,16 @@ public class SPSSFactoryImpl extends SPSSFactory { singleSignatureInfo.setSecurityLayerConform(securityLayerConform); return singleSignatureInfo; } + + public at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo createSingleSignatureInfoCMS( + at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo dataObjectInfo, + boolean securityLayerConform) { + SingleSignatureInfoCMSImpl singleSignatureInfo = new SingleSignatureInfoCMSImpl(); + singleSignatureInfo.setDataObjectInfo(dataObjectInfo); + singleSignatureInfo.setSecurityLayerConform(securityLayerConform); + return singleSignatureInfo; + } + public DataObjectInfo createDataObjectInfo( String structure, boolean childOfManifest, @@ -113,6 +153,15 @@ public class SPSSFactoryImpl extends SPSSFactory { dataObjectInfo.setCreateTransformsInfoProfile(createTransformsInfoProfile); return dataObjectInfo; } + + public at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo createDataObjectInfo( + String structure, + CMSDataObject dataObject) { + DataObjectInfoCMSImpl dataObjectInfo = new DataObjectInfoCMSImpl(); + dataObjectInfo.setStructure(structure); + dataObjectInfo.setDataObject(dataObject); + return dataObjectInfo; + } public CreateTransformsInfoProfile createCreateTransformsInfoProfile(String profileID) { @@ -573,15 +622,21 @@ public class SPSSFactoryImpl extends SPSSFactory { public SignerInfo createSignerInfo( X509Certificate signerCertificate, boolean qualifiedCertificate, + boolean qcSourceTSL, boolean publicAuthority, String publicAuthorityID, - boolean sscd) { + boolean sscd, + boolean sscdSourceTSL, + String issuerCountryCode) { SignerInfoImpl signerInfo = new SignerInfoImpl(); signerInfo.setSignerCertificate(signerCertificate); signerInfo.setQualifiedCertificate(qualifiedCertificate); + signerInfo.setQCSourceTSL(qcSourceTSL); signerInfo.setPublicAuthority(publicAuthority); signerInfo.setPublicAuhtorityID(publicAuthorityID); signerInfo.setSSCD(sscd); + signerInfo.setSSCDSourceTSL(sscdSourceTSL); + signerInfo.setIssuerCountryCode(issuerCountryCode); return signerInfo; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java index 56a9004fc..7a108e8a4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java @@ -49,6 +49,16 @@ public class SignerInfoImpl implements SignerInfo { /** Determines, whether the signature is based on an SSCD */ private boolean sscd; + + /** Determines, if the SSCD check bases upon on TSL */ + private boolean sscdSourceTSL; + + /** Determines, if the QC check bases upon on TSL */ + private boolean qcSourceTSL; + + /** The certificate issuer country code */ + private String issuerCountryCode; + /** * Sets the signer certificate. * @@ -87,8 +97,37 @@ public class SignerInfoImpl implements SignerInfo { } public boolean isSSCD() { return sscd; - } + } + + public void setSSCDSourceTSL(boolean sscdSourceTSL) { + this.sscdSourceTSL = sscdSourceTSL; + } + public String getSSCDSource() { + if (sscdSourceTSL) + return "TSL"; + else + return "Certificate"; + } + + public void setQCSourceTSL(boolean qcSourceTSL) { + this.qcSourceTSL = qcSourceTSL; + } + + public String getQCSource() { + if (qcSourceTSL) + return "TSL"; + else + return "Certificate"; + } + + public void setIssuerCountryCode(String issuerCountryCode) { + this.issuerCountryCode = issuerCountryCode; + } + public String getIssuerCountryCode() { + return issuerCountryCode; + } + /** * Sets, whether the certificate contained in this object is an * e-government certificate or not. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java new file mode 100644 index 000000000..cb3651587 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SingleSignatureInfoCMSImpl.java @@ -0,0 +1,62 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.impl; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo; + +/** + * @version $Id$ + */ +public class SingleSignatureInfoCMSImpl implements SingleSignatureInfo { + + private DataObjectInfo dataObjectInfo = null; + + + private boolean securityLayerConform = true; + + public void setDataObjectInfo(DataObjectInfo dataObjectInfo) { + this.dataObjectInfo = dataObjectInfo; + } + + public DataObjectInfo getDataObjectInfo() { + return dataObjectInfo; + } + + + + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java index 15d66614e..87314e1f7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.spss.api.impl;
+import iaik.ixsil.util.URI;
+
import java.util.Date;
import at.gv.egovernment.moa.spss.api.common.TSLConfiguration;
@@ -38,7 +40,7 @@ public class TSLConfigurationImpl implements TSLConfiguration { /** The EU TSL URL. */
-// private String euTSLUrl;
+ private String euTSLUrl;
/** update period in milliseconds */
private long updateSchedulePeriod;
@@ -48,9 +50,12 @@ public class TSLConfigurationImpl implements TSLConfiguration { /** Working directory */
private String workingDirectory;
+
+ /** Working directory */
+ private URI workingDirectoryAsURI;
public String getEuTSLUrl() {
- return this.DEFAULT_EU_TSL_URL;
+ return this.euTSLUrl;
}
public long getUpdateSchedulePeriod() {
@@ -64,10 +69,14 @@ public class TSLConfigurationImpl implements TSLConfiguration { public String getWorkingDirectory() {
return this.workingDirectory;
}
+
+ public URI getWorkingDirectoryAsURI() {
+ return this.workingDirectoryAsURI;
+ }
-// public void setEuTSLUrl(String euTSLUrl) {
-// this.euTSLUrl = euTSLUrl;
-// }
+ public void setEuTSLUrl(String euTSLUrl) {
+ this.euTSLUrl = euTSLUrl;
+ }
public void setUpdateSchedulePeriod(long updateSchedulePeriod) {
this.updateSchedulePeriod = updateSchedulePeriod;
@@ -80,6 +89,10 @@ public class TSLConfigurationImpl implements TSLConfiguration { public void setWorkingDirectory(String workingDirectory) {
this.workingDirectory = workingDirectory;
}
+
+ public void setWorkingDirectoryURI(URI workingDirectoryAsURI) {
+ this.workingDirectoryAsURI = workingDirectoryAsURI;
+ }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java new file mode 100644 index 000000000..737915ecd --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureRequestParser.java @@ -0,0 +1,247 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.xmlbind; + +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +import org.w3c.dom.Element; +import org.w3c.dom.traversal.NodeIterator; + +import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.MetaInfo; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.BoolUtils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * A parser to parse <code>CreateCMSSignatureRequest</code> DOM trees into + * <code>CreateCMSSignatureRequest</code> API objects. + * + * @author Patrick Peck + * @version $Id$ + */ +public class CreateCMSSignatureRequestParser { + + // + // XPath expresssions to select elements in the CreateCMSSignatureRequest + // + private static final String MOA = Constants.MOA_PREFIX + ":"; + private static final String KEY_IDENTIFIER_XPATH = + "/" + MOA + "CreateCMSSignatureRequest/" + MOA + "KeyIdentifier"; + private static final String SINGLE_SIGNATURE_INFO_XPATH = + "/" + MOA + "CreateCMSSignatureRequest/" + MOA + "SingleSignatureInfo"; + private static final String DATA_OBJECT_INFO_XPATH = MOA + "DataObjectInfo"; + private static final String DATA_OBJECT_XPATH = MOA + "DataObject"; + + private static final String SL_CONFORM_ATTR_NAME = "SecurityLayerConformity"; + + private static final String META_INFO_XPATH = MOA + "MetaInfo"; + private static final String CONTENT_XPATH = MOA + "Content"; + private static final String BASE64_CONTENT_XPATH = MOA + "Base64Content"; + + + /** The factory to create API objects. */ + private SPSSFactory factory; + + /** + * Create a new <code>CreateCMSSignatureRequestParser</code>. + */ + public CreateCMSSignatureRequestParser() { + this.factory = SPSSFactory.getInstance(); + } + + /** + * Parse a <code>CreateCMSSignatureRequest</code> DOM element, as defined + * by the MOA schema. + * + * @param requestElem The <code>CreateCMSSignatureRequest</code> to parse. The + * request must have been successfully parsed against the schema for this + * method to succeed. + * @return A <code>CreateCMSSignatureRequest</code> API object containing + * the data from the DOM element. + * @throws MOAApplicationException An error occurred parsing the request. + */ + public CreateCMSSignatureRequest parse(Element requestElem) + throws MOAApplicationException { + + List singleSignatureInfos = parseSingleSignatureInfos(requestElem); + String keyIdentifier = + XPathUtils.getElementValue(requestElem, KEY_IDENTIFIER_XPATH, null); + + return factory.createCreateCMSSignatureRequest( + keyIdentifier, + singleSignatureInfos); + } + + /** + * Parse all <code>SingleSignatureInfo</code> elements of the + * <code>CreateCMSSignatureRequest</code>. + * + * @param requestElem The <code>CreateCMSSignatureRequest</code> to parse. + * @return A <code>List</code> of <code>SingleSignatureInfo</code> API + * objects. + * @throws MOAApplicationException An error occurred parsing on of the + * <code>SingleSignatureInfo</code> elements. + */ + private List parseSingleSignatureInfos(Element requestElem) + throws MOAApplicationException { + + List singleSignatureInfos = new ArrayList(); + NodeIterator sigInfoElems = + XPathUtils.selectNodeIterator(requestElem, SINGLE_SIGNATURE_INFO_XPATH); + Element sigInfoElem; + + while ((sigInfoElem = (Element) sigInfoElems.nextNode()) != null) { + singleSignatureInfos.add(parseSingleSignatureInfo(sigInfoElem)); + } + + return singleSignatureInfos; + } + + /** + * Parse a <code>SingleSignatureInfo</code> DOM element. + * + * @param sigInfoElem The <code>SingleSignatureInfo</code> DOM element to + * parse. + * @return A <code>SingleSignatureInfo</code> API object containing the + * information of <code>sigInfoElem</code>. + * @throws MOAApplicationException An error occurred parsing the + * <code>SingleSignatureInfo</code>. + */ + private SingleSignatureInfo parseSingleSignatureInfo(Element sigInfoElem) + throws MOAApplicationException { + + DataObjectInfo dataObjectInfo = parseDataObjectInfo(sigInfoElem); + boolean securityLayerConform; + + if (sigInfoElem.hasAttribute(SL_CONFORM_ATTR_NAME)) { + securityLayerConform = + BoolUtils.valueOf(sigInfoElem.getAttribute(SL_CONFORM_ATTR_NAME)); + } else { + securityLayerConform = true; + } + + return factory.createSingleSignatureInfoCMS( + dataObjectInfo, + securityLayerConform); + } + + /** + * Parse the <code>DataObjectInfo</code> DOM elements contained in the given + * <code>SingleSignatureInfo</code> DOM element. + * + * @param sigInfoElem The <code>SingleSignatureInfo</code> DOM element + * whose <code>DataObjectInfo</code>s to parse. + * @return A <code>List</code> of <code>DataObjectInfo</code> API objects + * containing the data from the <code>DataObjectInfo</code> DOM elements. + * @throws MOAApplicationException An error occurred parsing one of the + * <code>DataObjectInfo</code>s. + */ + private DataObjectInfo parseDataObjectInfo(Element sigInfoElem) + throws MOAApplicationException { + + Element dataObjInfoElem = (Element)XPathUtils.selectSingleNode(sigInfoElem, DATA_OBJECT_INFO_XPATH); + + String structure = dataObjInfoElem.getAttribute("Structure"); + Element dataObjectElem = + (Element) XPathUtils.selectSingleNode(dataObjInfoElem, DATA_OBJECT_XPATH); + + CMSDataObject dataObject = parseDataObject(dataObjectElem); + + return factory.createDataObjectInfo( + structure, + dataObject); + + } + + + + + + /** + * Parse a the <code>DataObject</code> DOM element contained in a given + * <code>CreateCMSSignatureRequest</code> DOM element. + * + * @param requestElem The DataObject DOM element of the <code>VerifyCMSSignatureRequest</code> + * to parse. + * @return The <code>CMSDataObject</code> API object containing the data + * from the <code>DataObject</code> DOM element. + */ + private CMSDataObject parseDataObject(Element dataObjectElem) { + + if (dataObjectElem != null) { + Element metaInfoElem = (Element) XPathUtils.selectSingleNode(dataObjectElem, META_INFO_XPATH); + MetaInfo metaInfo = null; + Element contentElem = (Element) XPathUtils.selectSingleNode(dataObjectElem, CONTENT_XPATH); + CMSContent content = parseContent(contentElem); + + if (metaInfoElem != null) { + metaInfo = RequestParserUtils.parseMetaInfo(metaInfoElem); + } + + return factory.createCMSDataObject(metaInfo, content); + } + else { + return null; + } + } + + + + /** + * Parse the content contained in a <code>CMSContentBaseType</code> kind of + * DOM element. + * + * @param contentElem The <code>CMSContentBaseType</code> kind of element to + * parse. + * @return A <code>CMSDataObject</code> API object containing the data + * from the given DOM element. + */ + private CMSContent parseContent(Element contentElem) { + Element base64ContentElem = + (Element) XPathUtils.selectSingleNode(contentElem, BASE64_CONTENT_XPATH); + + if (base64ContentElem != null) { + String base64Str = DOMUtils.getText(base64ContentElem); + InputStream binaryContent = Base64Utils.decodeToStream(base64Str, true); + return factory.createCMSContent(binaryContent); + } else { + return factory.createCMSContent( + contentElem.getAttribute("Reference")); + } + } + +}
\ No newline at end of file diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java new file mode 100644 index 000000000..907f90d32 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/CreateCMSSignatureResponseBuilder.java @@ -0,0 +1,145 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.api.xmlbind; + +import java.io.IOException; +import java.util.Iterator; + +import javax.xml.transform.TransformerException; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.spss.MOASystemException; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; + +/** + * Convert a <code>CreateCMSSignatureResponse</code> API object into its + * XML representation, according to the MOA XML schema. + * + * @version $Id$ + */ +public class CreateCMSSignatureResponseBuilder { + private static final String MOA_NS_URI = Constants.MOA_NS_URI; + + /** The XML document containing the response element. */ + private Document responseDoc; + /** The response <code>CreateCMSSignatureResponse</code> DOM element. */ + private Element responseElem; + + /** + * Create a new <code>CreateCMSSignatureResponseBuilder</code>: + * + * @throws MOASystemException An error occurred setting up the resulting + * XML document. + */ + public CreateCMSSignatureResponseBuilder() throws MOASystemException { + responseDoc = + ResponseBuilderUtils.createResponse("CreateCMSSignatureResponse"); + responseElem = responseDoc.getDocumentElement(); + } + + /** + * Build a document containing a <code>CreateCMSSignatureResponse</code> + * DOM element being the XML representation of the given + * <code>CreateCMSSignatureResponse</code> API object. + * + * @param response The <code>CreateCMSSignatureResponse</code> to convert + * to XML. + * @return A document containing the <code>CreateCMSSignatureResponse</code> + * DOM element. + */ + public Document build(CreateCMSSignatureResponse response) { + Iterator iter; + + + for (iter = response.getResponseElements().iterator(); iter.hasNext();) { + CreateCMSSignatureResponseElement responseElement = + (CreateCMSSignatureResponseElement) iter.next(); + + switch (responseElement.getResponseType()) { + case CreateCMSSignatureResponseElement.CMS_SIGNATURE : + CMSSignatureResponse cmsSignatureResponse = (CMSSignatureResponse) responseElement; + addCMSSignature(cmsSignatureResponse); + break; + + case CreateCMSSignatureResponseElement.ERROR_RESPONSE : + ErrorResponse errorResponse = (ErrorResponse) responseElement; + addErrorResponse(errorResponse); + break; + } + + } + + return responseDoc; + } + + + + /** + * Add a <code>CMSSignature</code> element to the response. + * + * @param cmsSignatureResponse The content to put under the + * <code>CMSSignature</code> element. + */ + private void addCMSSignature(CMSSignatureResponse cmsSignatureResponse) { + String base64Value = cmsSignatureResponse.getCMSSignature(); + + Element cmsSignature = responseDoc.createElementNS(MOA_NS_URI, "CMSSignature"); + cmsSignature.setTextContent(base64Value); + + responseElem.appendChild(cmsSignature); + +} + + /** + * Add a <code>ErrorResponse</code> element to the response. + * + * @param errorResponse The API object containing the information to put into + * the <code>ErrorResponse</code> DOM element. + */ + private void addErrorResponse(ErrorResponse errorResponse) { + Element errorElem = + responseDoc.createElementNS(MOA_NS_URI, "ErrorResponse"); + Element errorCodeElem = + responseDoc.createElementNS(MOA_NS_URI, "ErrorCode"); + Element infoElem = responseDoc.createElementNS(MOA_NS_URI, "Info"); + String errorCodeStr = Integer.toString(errorResponse.getErrorCode()); + + errorCodeElem.appendChild(responseDoc.createTextNode(errorCodeStr)); + errorElem.appendChild(errorCodeElem); + infoElem.appendChild(responseDoc.createTextNode(errorResponse.getInfo())); + errorElem.appendChild(errorCodeElem); + errorElem.appendChild(infoElem); + responseElem.appendChild(errorElem); + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index a228a0db8..2e2afaf7c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -117,9 +117,12 @@ class ResponseBuilderUtils { Element root, X509Certificate cert, boolean isQualified, + String qcSource, boolean isPublicAuthority, String publicAuthorityID, - boolean isSSCD) + boolean isSSCD, + String sscdSource, + String issuerCountryCode) throws MOAApplicationException { Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo"); @@ -145,6 +148,12 @@ class ResponseBuilderUtils { isSSCD ? response.createElementNS(MOA_NS_URI, "SecureSignatureCreationDevice") : null; + Element issuerCountryCodeElem = null; + if (issuerCountryCode != null) { + issuerCountryCodeElem = response.createElementNS(MOA_NS_URI, "IssuerCountryCode"); + issuerCountryCodeElem.setTextContent(issuerCountryCode); + } + Element publicAuthorityElem = isPublicAuthority ? response.createElementNS(MOA_NS_URI, "PublicAuthority") @@ -182,7 +191,10 @@ class ResponseBuilderUtils { x509DataElem.appendChild(x509IssuerSerialElem); x509DataElem.appendChild(x509CertificateElem); if (isQualified) { - x509DataElem.appendChild(qualifiedCertificateElem); + if (qcSource.compareToIgnoreCase("TSL") == 0) + qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); + + x509DataElem.appendChild(qualifiedCertificateElem); } if (isPublicAuthority) { x509DataElem.appendChild(publicAuthorityElem); @@ -192,8 +204,12 @@ class ResponseBuilderUtils { } } if (isSSCD) { + sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource); x509DataElem.appendChild(sscdElem); } + if (issuerCountryCodeElem != null) + x509DataElem.appendChild(issuerCountryCodeElem); + signerInfoElem.appendChild(x509DataElem); root.appendChild(signerInfoElem); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java index 7ad838822..b11560b28 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java @@ -104,9 +104,12 @@ public class VerifyCMSSignatureResponseBuilder { responseElem, signerInfo.getSignerCertificate(), signerInfo.isQualifiedCertificate(), + signerInfo.getQCSource(), signerInfo.isPublicAuthority(), signerInfo.getPublicAuhtorityID(), - signerInfo.isSSCD()); + signerInfo.isSSCD(), + signerInfo.getSSCDSource(), + signerInfo.getIssuerCountryCode()); ResponseBuilderUtils.addCodeInfoElement( responseDoc, diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java index 0d3e0c18e..dd4e13ad9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java @@ -96,9 +96,12 @@ public class VerifyXMLSignatureResponseBuilder { responseElem, response.getSignerInfo().getSignerCertificate(), response.getSignerInfo().isQualifiedCertificate(), + response.getSignerInfo().getQCSource(), response.getSignerInfo().isPublicAuthority(), response.getSignerInfo().getPublicAuhtorityID(), - response.getSignerInfo().isSSCD()); + response.getSignerInfo().isSSCD(), + response.getSignerInfo().getSSCDSource(), + response.getSignerInfo().getIssuerCountryCode()); // add HashInputData elements responseData = response.getHashInputDatas(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 09f496c74..0908d88c9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -30,6 +30,7 @@ import iaik.pki.pathvalidation.ChainingModes; import iaik.pki.revocation.RevocationSourceTypes; import iaik.server.modules.xml.BlackListEntry; import iaik.server.modules.xml.ExternalReferenceChecker; +import iaik.server.modules.xml.WhiteListEntry; import iaik.utils.RFC2253NameParser; import iaik.utils.RFC2253NameParserException; @@ -66,6 +67,7 @@ import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; import at.gv.egovernment.moa.util.XPathUtils; @@ -101,6 +103,10 @@ public class ConfigurationPartsBuilder { ROOT + CONF + "SignatureCreation/" + CONF + "XMLDSig/" + CONF + "DigestMethodAlgorithm"; + private static final String XADES_VERSION_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "XAdES/" + + CONF + "Version"; private static final String C14N_ALGORITHM_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "XMLDSig/" @@ -115,6 +121,13 @@ public class ConfigurationPartsBuilder { ROOT + CONF + "Common/" + CONF + "PermitExternalUris/" + CONF + "BlackListUri"; + private static final String FORBID_EXTERNAL_URIS_XPATH = + ROOT + CONF + "Common/" + + CONF + "ForbidExternalUris"; + private static final String WHITE_LIST_URIS_XPATH = + ROOT + CONF + "Common/" + + CONF + "ForbidExternalUris/" + + CONF + "WhiteListUri"; private static final String HARDWARE_KEY_XPATH = ROOT + CONF + "SignatureCreation/" @@ -263,15 +276,22 @@ public class ConfigurationPartsBuilder { /** The accepted digest method algorithm URIs, as an array */ private static final String[] ACCEPTED_DIGEST_ALGORITHMS_ARRAY = - { Constants.SHA1_URI }; + { Constants.SHA1_URI, + Constants.SHA256_URI, + Constants.SHA384_URI, + Constants.SHA512_URI}; /** The accepted digest method algorithm URIs, as a Set */ private static final Set ACCEPTED_DIGEST_ALGORITHMS = new HashSet(Arrays.asList(ACCEPTED_DIGEST_ALGORITHMS_ARRAY)); - - /** Default digest algorithm URI, if none/illegal has been configured */ - private static final String DIGEST_ALGORITHM_DEFAULT = Constants.SHA1_URI; - + + + /** Default digest algorithm URI, if none/illegal has been configured (for XAdES 1.1.1) */ + private static final String DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1 = Constants.SHA1_URI; + + /** Default digest algorithm URI, if none/illegal has been configured (for XAdES 1.4.2) */ + private static final String DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2 = Constants.SHA256_URI; + /** The root element of the MOA configuration */ private Element configElem; @@ -333,18 +353,42 @@ public class ConfigurationPartsBuilder { public String getDigestMethodAlgorithmName() { String digestMethod = getElementValue(getConfigElem(), DIGEST_METHOD_XPATH, null); - + if (digestMethod == null || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod)) { - info( - "config.23", - new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT }); - digestMethod = DIGEST_ALGORITHM_DEFAULT; + String xadesVersion = this.getXAdESVersion(); + if (xadesVersion == null) { + info( + "config.23", + new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1 }); + digestMethod = DIGEST_ALGORITHM_DEFAULT_XADES_1_1_1; + } + else { + info( + "config.23", + new Object[] { "DigestMethodAlgorithm", DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2 }); + digestMethod = DIGEST_ALGORITHM_DEFAULT_XADES_1_4_2; + } + + } return digestMethod; } - + + /** + * Returns the digest method algorithm name. + * + * @return The digest method algorithm name from the configuration. + */ + public String getXAdESVersion() + { + String xadesVersion = getElementValue(getConfigElem(), XADES_VERSION_XPATH, null); + + return xadesVersion; + } + + /** * Returns the canonicalization algorithm name. * @@ -409,6 +453,7 @@ public class ConfigurationPartsBuilder { } } + /** * * @return @@ -448,10 +493,12 @@ public class ConfigurationPartsBuilder { array[1] = port; blacklist.add(array); - } + } + // set blacklist for iaik-moa ExternalReferenceChecker.setBlacklist(blackListIaikMoa); + if(blacklist.isEmpty()) // no blacklisted uris given info("config.36", null); @@ -459,7 +506,63 @@ public class ConfigurationPartsBuilder { return blacklist; } + + /** + * + * @return + */ + public List buildForbidExternalUris() { + + //info("config.47", null); + + List whitelist = new ArrayList(); + List whiteListIaikMoa = new ArrayList(); + + NodeIterator forbidExtIter = XPathUtils.selectNodeIterator( + getConfigElem(), + WHITE_LIST_URIS_XPATH); + + Element permitExtElem = null; + while ((permitExtElem = (Element) forbidExtIter.nextNode()) != null) { + String host = getElementValue(permitExtElem, CONF + "IP", null); + String port = getElementValue(permitExtElem, CONF + "Port", null); + + // WhiteListeEntry + WhiteListEntry entry =null; + if (port == null) { + entry = new WhiteListEntry(host, -1); + info("config.49", new Object[]{host}); + } + else { + entry = new WhiteListEntry(host, new Integer(port).intValue()); + info("config.49", new Object[]{host + ":" + port}); + } + + // add entry to iaik-moa whitelist + whiteListIaikMoa.add(entry); + + + String array[] = new String[2]; + array[0] = host; + array[1] = port; + whitelist.add(array); + + } + + + // set whitelist for iaik-moa + ExternalReferenceChecker.setWhitelist(whiteListIaikMoa); + + + if(whitelist.isEmpty()) // no whitelisted uris given + info("config.48", null); + + + return whitelist; + } + + /** * Build the configured hardware keys. * @@ -573,9 +676,10 @@ public class ConfigurationPartsBuilder { while ((keyGroupElem = (Element) kgIter.nextNode()) != null) { String keyGroupId = getElementValue(keyGroupElem, CONF + "Id", null); + String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null); Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); - KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries); + KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm); if (keyGroups.containsKey(keyGroupId)) { @@ -1032,11 +1136,11 @@ public class ConfigurationPartsBuilder { } /** - * Bulid the trust profile mapping. + * Build the trust profile mapping. * * @return The profile ID to profile mapping. */ - public Map buildTrustProfiles() + public Map buildTrustProfiles(String tslWorkingDir) { Map trustProfiles = new HashMap(); NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); @@ -1110,8 +1214,54 @@ public class ConfigurationPartsBuilder { } signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; - TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); + + TrustProfile profile = null; + + if (tslEnabled) { + // create new trust anchor location (=tslworking trust profile) + File fTslWorkingDir = new File(tslWorkingDir); + File tp = new File(fTslWorkingDir, "trustprofiles"); + if (!tp.exists()) + tp.mkdir(); + if (!tp.isDirectory()) { + error("config.50", new Object[] { tp.getPath() }); + } + + File tpid = new File(tp, id); + if (!tpid.exists()) + tpid.mkdir(); + if (!tpid.isDirectory()) { + error("config.50", new Object[] { tpid.getPath() }); + } + + + // create profile + profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries); + + // set original uri (save original trust anchor location) + profile.setUriOrig(trustAnchorsLocURI.getPath()); + + // delete files in tslworking trust profile + File[] files = tpid.listFiles(); + for (File file : files) + file.delete(); + + // copy files from trustAnchorsLocURI into tslworking trust profile kopieren + File src = new File(trustAnchorsLocURI.getPath()); + files = src.listFiles(); + for (File file : files) { + FileUtils.copyFile(file, new File(tpid, file.getName())); + } + + + } else { + + profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); + + } + trustProfiles.put(id, profile); + } return trustProfiles; @@ -1428,11 +1578,11 @@ public class ConfigurationPartsBuilder { TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl(); -// String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); -// if (StringUtils.isEmpty(euTSLUrl)) { -// warn("config.39", new Object[] { "EUTSL", euTSLUrl }); -// return null; -// } + String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); + if (StringUtils.isEmpty(euTSLUrl)) { + euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; + warn("config.39", new Object[] { "EUTSL", euTSLUrl }); + } String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null); @@ -1488,17 +1638,31 @@ public class ConfigurationPartsBuilder { return null; } + File hashcache = new File(tslWorkingDir, "hashcache"); + if (!hashcache.exists()) { + hashcache.mkdir(); + } + if (!hashcache.isDirectory()) { + error("config.38", new Object[] { hashcache.getAbsolutePath() }); + return null; + } + + System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +// System.out.println("Hashcache: " + hashcachedir); + + debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl); debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod); debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime); debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath()); + debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); // set TSL configuration - //tslconfiguration.setEuTSLUrl(euTSLUrl); + tslconfiguration.setEuTSLUrl(euTSLUrl); tslconfiguration.setUpdateSchedulePeriod(Long.valueOf(updateSchedulePeriod).longValue()); tslconfiguration.setUpdateScheduleStartTime(updateScheduleStartTimeDate); tslconfiguration.setWorkingDirectory(tslWorkingDir.getAbsolutePath()); - - + tslconfiguration.setWorkingDirectoryURI(workingDirectoryURI); return tslconfiguration; } @@ -1526,7 +1690,6 @@ public class ConfigurationPartsBuilder { map.put(x509IssuerName, interval); } - //System.out.println("Name: " + x509IssuerName + " - Interval: " + interval); } return map; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 25fa0d6ad..2cad35763 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -41,6 +41,7 @@ import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; +import java.util.Map.Entry; import java.util.Set; import org.w3c.dom.Element; @@ -99,7 +100,10 @@ public class ConfigurationProvider /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; - + + /** The XAdES version used for signature creation */ + private String xadesVersion; + /** * A <code>List</code> of <code>HardwareCryptoModule</code> objects for * configuring hardware modules. @@ -252,6 +256,11 @@ public class ConfigurationProvider private List blackListedUris_; /** + * A <code>List</code> of white listed URIs (host and port) + */ + private List whiteListedUris_; + + /** * A <code>TSLConfiguration</code> that represents the global TSL configuration */ private TSLConfiguration tslconfiguration_; @@ -351,11 +360,15 @@ public class ConfigurationProvider keyGroups = builder.buildKeyGroups(allKeyModules); keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); + + tslconfiguration_ = builder.getTSLConfiguration(); + + xadesVersion = builder.getXAdESVersion(); defaultChainingMode = builder.getDefaultChainingMode(); chainingModes = builder.buildChainingModes(); useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess(); autoAddCertificates_ = builder.getAutoAddCertificates(); - trustProfiles = builder.buildTrustProfiles(); + trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); distributionPoints = builder.buildDistributionPoints(); enableRevocationChecking_ = builder.getEnableRevocationChecking(); maxRevocationAge_ = builder.getMaxRevocationAge(); @@ -365,7 +378,7 @@ public class ConfigurationProvider revocationArchiveJDBCURL_ = builder.getRevocationArchiveJDBCURL(); revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); - tslconfiguration_ = builder.getTSLConfiguration(); + //check TSL configuration checkTSLConfiguration(); @@ -382,11 +395,14 @@ public class ConfigurationProvider allowExternalUris_= builder.allowExternalUris(); - if (allowExternalUris_) + if (allowExternalUris_) { blackListedUris_ = builder.buildPermitExternalUris(); + whiteListedUris_ = null; + } else { info("config.35", null); blackListedUris_ = null; + whiteListedUris_ = builder.buildForbidExternalUris(); } @@ -457,6 +473,16 @@ public class ConfigurationProvider return digestMethodAlgorithmName; } + /** + * Return the XAdES version used for signature creation. + * + * @return The XAdES version used for signature creation, or an empty <code>String</code>, + * if none has been configured. + */ + public String getXAdESVersion() { + return xadesVersion; + } + public boolean getAllowExternalUris() { return this.allowExternalUris_; } @@ -464,6 +490,9 @@ public class ConfigurationProvider public List getBlackListedUris() { return this.blackListedUris_; } + public List getWhiteListedUris() { + return this.whiteListedUris_; + } /** * Return the name of the canonicalization algorithm used during signature @@ -515,6 +544,11 @@ public class ConfigurationProvider public Map getKeyGroups() { return keyGroups; } + + public KeyGroup getKeyGroup(String keyGroupId) { + KeyGroup keyGroup = (KeyGroup) keyGroups.get(keyGroupId); + return keyGroup; + } /** * Return the set of <code>KeyGroupEntry</code>s of a given key group, which a @@ -542,6 +576,16 @@ public class ConfigurationProvider issuerAndSerial = new IssuerAndSerial(issuer, serial); } +// System.out.println("Issuer: " + issuer); +// System.out.println("serial: " + serial); +// +// Iterator entries = keyGroupMappings.entrySet().iterator(); +// while (entries.hasNext()) { +// Entry thisEntry = (Entry) entries.next(); +// System.out.println("Entry: " + thisEntry.getKey()); +// System.out.println("Value: " + thisEntry.getValue()); +// } + mapping = (Map) keyGroupMappings.get(issuerAndSerial); if (mapping != null) { KeyGroup keyGroup = (KeyGroup) mapping.get(keyGroupId); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index 22ed8ae83..c2490f9a3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java @@ -40,16 +40,20 @@ public class KeyGroup { private Set keyGroupEntries; /** The key group ID. */ private String id; + /** The digest method algorithm for the key group */ + private String digestMethodAlgorithm; /** * Create a <code>KeyGroup</code>. * * @param id The ID of this <code>KeyGroup</code>. * @param keyGroupEntries The keys belonging to this <code>KeyGroup</code>. + * @param digestMethodAlgorithm The signature algorithm used for this key group */ - public KeyGroup(String id, Set keyGroupEntries) { + public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) { this.id = id; this.keyGroupEntries = keyGroupEntries; + this.digestMethodAlgorithm = digestMethodAlgorithm; } /** @@ -60,6 +64,14 @@ public class KeyGroup { public Set getKeyGroupEntries() { return keyGroupEntries; } + + /** + * Returnd the digest method algorithm used for this key group + * @return The digest method signature algorithm used for this key group + */ + public String getDigestMethodAlgorithm() { + return digestMethodAlgorithm; + } /** * Return the ID of this <code>KeyGroup</code>. @@ -87,7 +99,7 @@ public class KeyGroup { sb.append(" " + i.next()); } } - return "(KeyGroup - ID:" + id + " " + sb.toString() + ")"; + return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " + digestMethodAlgorithm; } } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 1b5f4473d..21063c77f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -41,6 +41,8 @@ public class TrustProfile { private String signerCertsUri; /** Defines if Trustprofile makes use of EU TSL*/ private boolean tslEnabled; + /** The original URI (out of the configuration) giving the location of the trust profile (used when TSL is enabled) */ + private String uriOrig; /** The countries given */ private String countries; /** */ @@ -80,6 +82,15 @@ public class TrustProfile { public String getUri() { return uri; } + + /** + * Return the original URI of this <code>TrustProfile</code>. + * + * @return The original URI of <code>TrustProfile</code>. + */ + public String getUriOrig() { + return uriOrig; + } /** * Return the URI giving the location of the allowed signer certificates @@ -108,20 +119,14 @@ public class TrustProfile { return countries; } + /** - * Return the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update - * @return The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update + * Sets the original URI of this <code>TrustProfile</code>. + * + * @return The original URI of <code>TrustProfile</code>. */ - public X509Certificate[] getCertficatesToBeRemoved() { - return certificatesToBeRemoved; + public void setUriOrig(String uriOrig) { + this.uriOrig = uriOrig; } - /** - * Sets the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update - * @param certificates The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update - */ - public void setCertificatesToBeRemoved(X509Certificate[] certificates) { - this.certificatesToBeRemoved = new X509Certificate[certificates.length]; - this.certificatesToBeRemoved = certificates; - } } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java new file mode 100644 index 000000000..49e5ecc10 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java @@ -0,0 +1,249 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.iaik.cmssign; + +import iaik.server.modules.algorithms.SignatureAlgorithms; +import iaik.server.modules.cmssign.CMSSignatureCreationProfile; +import iaik.server.modules.keys.AlgorithmUnavailableException; +import iaik.server.modules.keys.KeyEntryID; +import iaik.server.modules.keys.KeyModule; +import iaik.server.modules.keys.KeyModuleFactory; +import iaik.server.modules.keys.UnknownKeyException; + +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.server.logging.TransactionId; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; + +/** + * An object providing auxiliary information for creating a CMS signature. + * + * @author Patrick Peck + * @version $Id$ + */ +public class CMSSignatureCreationProfileImpl + implements CMSSignatureCreationProfile { + + /** The set of keys available to the signing process. */ + private Set keySet; + /** The MIME type of the data to be signed*/ + private String mimeType; + /** Whether the created signature is to be Security Layer conform. */ + private boolean securityLayerConform; + /** Properties to be signed during signature creation. */ + private List signedProperties; + /** Specifies whether the content data shall be included in the CMS SignedData or shall be not included. */ + private boolean includeData; + /** Digest Method algorithm */ + private String digestMethod; + + + /** + * Create a new <code>XMLSignatureCreationProfileImpl</code>. + * + * @param createProfileCount Provides external information about the + * number of calls to the signature creation module, using the same request. + * @param reservedIDs The set of IDs that must not be used while generating + * new IDs. + */ + public CMSSignatureCreationProfileImpl( + Set keySet, + String digestMethod, + List signedProperties, + boolean securityLayerConform, + boolean includeData, + String mimeType) { + this.keySet = keySet; + this.signedProperties = signedProperties; + this.securityLayerConform = securityLayerConform; + this.includeData = includeData; + this.mimeType = mimeType; + this.digestMethod = digestMethod; + + } + + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getKeySet() + */ + public Set getKeySet() { + return keySet; + } + + /** + * Set the set of <code>KeyEntryID</code>s which may be used for signature + * creation. + * + * @param keySet The set of <code>KeyEntryID</code>s to set. + */ + public void setKeySet(Set keySet) { + this.keySet = keySet; + } + + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureAlgorithmName(KeyEntryID) + */ + public String getSignatureAlgorithmName(KeyEntryID selectedKeyID) + throws AlgorithmUnavailableException { + + + TransactionContext context = + TransactionContextManager.getInstance().getTransactionContext(); + TransactionId tid = new TransactionId(context.getTransactionID()); + KeyModule module = KeyModuleFactory.getInstance(tid); + Set algorithms; + + try { + algorithms = module.getSupportedSignatureAlgorithms(selectedKeyID); + } catch (UnknownKeyException e) { + throw new AlgorithmUnavailableException( + "Unknown key entry: " + selectedKeyID, + e, + null); + } + + if (digestMethod.compareTo("SHA-1") == 0) { + Logger.warn("SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); + + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + return SignatureAlgorithms.SHA1_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { + return SignatureAlgorithms.ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + + } else if (digestMethod.compareTo("SHA-256") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + return SignatureAlgorithms.SHA256_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { + return SignatureAlgorithms.SHA256_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethod.compareTo("SHA-384") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + return SignatureAlgorithms.SHA384_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { + return SignatureAlgorithms.SHA384_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethod.compareTo("SHA-512") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + return SignatureAlgorithms.SHA512_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { + return SignatureAlgorithms.SHA512_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + throw new AlgorithmUnavailableException( + "No signature algorithm found for digest algorithm '" + digestMethod, + null, + null); + } + + + } + + + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() + */ + public List getSignedProperties() { + return signedProperties; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() + */ + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + + /** + * Sets the security layer conformity. + * + * @param securityLayerConform <code>true</code>, if the created signature + * is to be conform to the Security Layer specification. + */ + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + + public void setDigestMethod(String digestMethod) { + this.digestMethod = digestMethod; + } + + + public String getMimeType() { + return mimeType; + } + + public boolean includeData() { + return this.includeData; + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 9b5dce883..7d0c5a062 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -24,9 +24,6 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign; -import java.util.List; -import java.util.Set; - import iaik.server.modules.algorithms.SignatureAlgorithms; import iaik.server.modules.keys.AlgorithmUnavailableException; import iaik.server.modules.keys.KeyEntryID; @@ -37,6 +34,10 @@ import iaik.server.modules.xml.Canonicalization; import iaik.server.modules.xmlsign.XMLSignatureCreationProfile; import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation; +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -75,7 +76,10 @@ public class XMLSignatureCreationProfileImpl private IdGenerator dsigManifestIDGenerator; /** The ID generator for signed property IDs. */ private IdGenerator propertyIDGenerator; - + /** The selected digest method algorithm if XAdES 1.4.2 is used */ + private String digestMethodXAdES142; + + /** * Create a new <code>XMLSignatureCreationProfileImpl</code>. * @@ -86,7 +90,8 @@ public class XMLSignatureCreationProfileImpl */ public XMLSignatureCreationProfileImpl( int createProfileCount, - Set reservedIDs) { + Set reservedIDs, + String digestMethodXAdES142) { signatureIDGenerator = new IdGenerator("signature-" + createProfileCount, reservedIDs); manifestIDGenerator = @@ -95,6 +100,7 @@ public class XMLSignatureCreationProfileImpl new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs); propertyIDGenerator = new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); + this.digestMethodXAdES142 = digestMethodXAdES142; } /** @@ -168,27 +174,110 @@ public class XMLSignatureCreationProfileImpl e, null); } - - if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) // TODO retournierten Algorithmus abhängig von der Schlüssellänge machen (bei längeren Schlüsseln SHA256 statt SHA1) - || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { - - return SignatureAlgorithms.SHA1_WITH_RSA; - } else if ( - algorithms.contains(SignatureAlgorithms.ECDSA)) { - return SignatureAlgorithms.ECDSA; - } else if ( - algorithms.contains(SignatureAlgorithms.DSA)) { - return SignatureAlgorithms.DSA; - } else { - throw new AlgorithmUnavailableException( - "No algorithm for key entry: " + selectedKeyID, - null, - null); + + if (digestMethodXAdES142 == null) { + // XAdES 1.4.2 not enabled - legacy MOA + if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + + return SignatureAlgorithms.SHA1_WITH_RSA; + } else if ( + algorithms.contains(SignatureAlgorithms.ECDSA)) { + return SignatureAlgorithms.ECDSA; + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + // XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method + if (digestMethodXAdES142.compareTo("SHA-1") == 0) { + Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); + + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + return SignatureAlgorithms.SHA1_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { + return SignatureAlgorithms.ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + + } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + return SignatureAlgorithms.SHA256_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { + return SignatureAlgorithms.SHA256_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + return SignatureAlgorithms.SHA384_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { + return SignatureAlgorithms.SHA384_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + return SignatureAlgorithms.SHA512_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { + return SignatureAlgorithms.SHA512_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + throw new AlgorithmUnavailableException( + "No signature algorithm found for digest algorithm '" + digestMethodXAdES142, + null, + null); + } + } + + } /** diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index c9b76dd7e..12d8b0126 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -31,15 +31,12 @@ import iaik.server.ConfigurationData; import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; import iaik.xml.crypto.tsl.ex.TSLSearchException; -import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; import java.security.cert.CertificateException; -import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.GregorianCalendar; -import java.util.Iterator; import java.util.Timer; import at.gv.egovernment.moa.logging.LogMsg; @@ -122,9 +119,10 @@ public class SystemInitializer { try { ConfigurationProvider config = ConfigurationProvider.getInstance(); ConfigurationData configData = new IaikConfigurator().configure(config); - + //initialize TSL module TSLConfiguration tslconfig = config.getTSLConfiguration(); + TSLConnector tslconnector = new TSLConnector(); if (tslconfig != null) { //Logger.info(new LogMsg(msg.getMessage("init.01", null))); @@ -133,10 +131,12 @@ public class SystemInitializer { } + //start TSL Update TSLUpdaterTimerTask.tslconnector_ = tslconnector; TSLUpdaterTimerTask.update(); + //initialize TSL Update Task initTSLUpdateTask(tslconfig); @@ -154,13 +154,13 @@ public class SystemInitializer { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (TrustStoreException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (CertificateException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (FileNotFoundException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (IOException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } + } catch (CertificateException e) { + Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); + } // set IXSIL debug output IXSILInit.setPrintDebugLog( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java new file mode 100644 index 000000000..e058c8a4b --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java @@ -0,0 +1,396 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.invoke; + +import iaik.server.modules.algorithms.HashAlgorithms; +import iaik.server.modules.cmssign.CMSSignature; +import iaik.server.modules.cmssign.CMSSignatureCreationException; +import iaik.server.modules.cmssign.CMSSignatureCreationModule; +import iaik.server.modules.cmssign.CMSSignatureCreationModuleFactory; +import iaik.server.modules.cmssign.CMSSignatureCreationProfile; +import iaik.server.modules.keys.KeyEntryID; +import iaik.server.modules.keys.KeyModule; +import iaik.server.modules.keys.KeyModuleFactory; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.math.BigInteger; +import java.security.Principal; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.logging.LoggingContext; +import at.gv.egovernment.moa.logging.LoggingContextManager; +import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.MOASystemException; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.cmssign.SingleSignatureInfo; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContentExcplicit; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSContentReference; +import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; +import at.gv.egovernment.moa.spss.api.common.MetaInfo; +import at.gv.egovernment.moa.spss.api.impl.CreateCMSSignatureResponseImpl; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry; +import at.gv.egovernment.moa.spss.server.iaik.cmssign.CMSSignatureCreationProfileImpl; +import at.gv.egovernment.moa.spss.server.logging.TransactionId; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.util.Constants; + +/** + * A class providing an API based interface to the + * <code>CMSSignatureCreationModule</code>. + * + * This class performs the invocation of the + * <code>iaik.server.modules.cmssign.CMSSignatureCreationModule</code> from a + * <code>CreateCMSSignatureRequest</code> given as an API object. The result of + * the invocation is integrated into a <code>CreateCMSSignatureResponse</code> + * and returned. + * + * @version $Id$ + */ +public class CMSSignatureCreationInvoker { + + private static Map HASH_ALGORITHM_MAPPING; + + static { + HASH_ALGORITHM_MAPPING = new HashMap(); + HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); + HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); + HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); + HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512); + } + + + /** The single instance of this class. */ + private static CMSSignatureCreationInvoker instance = null; + + /** + * Get the only instance of this class. + * + * @return The only instance of this class. + */ + public static synchronized CMSSignatureCreationInvoker getInstance() { + if (instance == null) { + instance = new CMSSignatureCreationInvoker(); + } + return instance; + } + + /** + * Create a new <code>CMSSignatureCreationInvoker</code>. + * + * Protected to disallow multiple instances. + */ + protected CMSSignatureCreationInvoker() { + } + + + + /** + * Process the <code>CreateCMSSignatureRequest<code> message and invoke the + * <code>XMLSignatureCreationModule</code> for every + * <code>SingleSignatureInfo</code> contained in the request. + * + * @param request A <code>CreateCMSSignatureRequest<code> API object + * containing the information for creating the signature(s). + * @param reserved A <code>Set</code> of reserved object IDs. + * + * @return A <code>CreateCMSSignatureResponse</code> API object containing + * the created signature(s). The response contains either a + * <code>SignatureEnvironment</code> or a <code>ErrorResponse</code> + * for each <code>SingleSignatureInfo</code> in the request. + * @throws MOAException An error occurred during signature creation. + */ + public CreateCMSSignatureResponse createCMSSignature( + CreateCMSSignatureRequest request, + Set reserved) + throws MOAException { + + TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + //LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); + + CreateCMSSignatureResponseBuilder responseBuilder = new CreateCMSSignatureResponseBuilder(); + CreateCMSSignatureResponse response = new CreateCMSSignatureResponseImpl(); + + boolean isSecurityLayerConform = false; + String structure = null; + String mimetype = null; + + // select the SingleSignatureInfo elements + Iterator singleSignatureInfoIter = request.getSingleSignatureInfos().iterator(); + + // iterate over all the SingleSignatureInfo elements in the request + while (singleSignatureInfoIter.hasNext()) { + SingleSignatureInfo singleSignatureInfo = (SingleSignatureInfo) singleSignatureInfoIter.next(); + isSecurityLayerConform = singleSignatureInfo.isSecurityLayerConform(); + + + DataObjectInfo dataObjectInfo = singleSignatureInfo.getDataObjectInfo(); + structure = dataObjectInfo.getStructure(); + + CMSDataObject dataobject = dataObjectInfo.getDataObject(); + MetaInfo metainfo = dataobject.getMetaInfo(); + mimetype = metainfo.getMimeType(); + + CMSContent content = dataobject.getContent(); + InputStream contentIs = null; + // build the content data + switch (content.getContentType()) { + case CMSContent.EXPLICIT_CONTENT : + contentIs = ((CMSContentExcplicit) content).getBinaryContent(); + break; + case CMSContent.REFERENCE_CONTENT : + String reference = ((CMSContentReference) content).getReference(); + if (!"".equals(reference)) { + ExternalURIResolver resolver = new ExternalURIResolver(); + contentIs = resolver.resolve(reference); + } else { + throw new MOAApplicationException("2301", null); + } + break; + default : { + throw new MOAApplicationException("2301", null); + } + } + + // create CMSSignatureCreationModuleFactory + CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance(); + + List signedProperties = null; + boolean includeData = true; + if (structure.compareTo("enveloping") == 0) + includeData = true; + if (structure.compareTo("detached") == 0) + includeData = false; + + ConfigurationProvider config = context.getConfiguration(); + + // get the key group id + String keyGroupID = request.getKeyIdentifier(); + // set the key set + Set keySet = buildKeySet(keyGroupID); + if (keySet == null) { + throw new MOAApplicationException("2231", null); + } else if (keySet.size() == 0) { + throw new MOAApplicationException("2232", null); + } + + // get digest algorithm + String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); + + // create CMSSignatureCreation profile: + CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( + keySet, + digestAlgorithm, + signedProperties, + isSecurityLayerConform, + includeData, + mimetype); + + // create CMSSignature from the CMSSignatureCreationModule + // build the additionalSignedProperties + List additionalSignedProperties = buildAdditionalSignedProperties(); + TransactionId tid = new TransactionId(context.getTransactionID()); + try { + CMSSignature signature = module.createSignature(profile, additionalSignedProperties, tid); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + // get CMS SignedData output stream from the CMSSignature and wrap it around out + boolean base64 = true; + OutputStream signedDataStream = signature.getSignature(out, base64); + + // now write the data to be signed to the signedDataStream + byte[] buf = new byte[4096]; + int bytesRead; + while ((bytesRead = contentIs.read(buf)) >= 0) { + signedDataStream.write(buf, 0, bytesRead); + } + + // finish SignedData processing by closing signedDataStream + signedDataStream.close(); + String base64value = out.toString(); + + responseBuilder.addCMSSignature(base64value); + + + } catch (CMSSignatureCreationException e) { + MOAException moaException = IaikExceptionMapper.getInstance().map(e); + + responseBuilder.addError( + moaException.getMessageId(), + moaException.getMessage()); + Logger.warn(moaException.getMessage(), e); + + } + catch (IOException e) { + throw new MOAApplicationException("2301", null, e); + } + + } + + + return responseBuilder.getResponse(); + } + + + private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { + // get digest method on key group level (if configured) + String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) + String configDigestMethod = config.getDigestMethodAlgorithmName(); + + + String digestMethod = null; + if (configDigestMethodKG != null) { + // if KG specific digest method is configured + digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); + if (digestMethod == null) { + error( + "config.17", + new Object[] { configDigestMethodKG}); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethod + "(configured in KeyGroup)"); + } + else { + // else get default configured digest method + digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); + if (digestMethod == null) { + error( + "config.17", + new Object[] { configDigestMethod}); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethod + "(default)"); + + } + return digestMethod; + } + + /** + * Utility function to issue an error message to the log. + * + * @param messageId The ID of the message to log. + * @param parameters Additional message parameters. + */ + private static void error(String messageId, Object[] parameters) { + MessageProvider msg = MessageProvider.getInstance(); + + Logger.error(new LogMsg(msg.getMessage(messageId, parameters))); + } + + /** + * Build the set of <code>KeyEntryID</code>s available to the given + * <code>keyGroupID</code>. + * + * @param keyGroupID The keygroup ID for which the available keys should be + * returned. + * @return The <code>Set</code> of <code>KeyEntryID</code>s + * identifying the available keys. + */ + private Set buildKeySet(String keyGroupID) { + TransactionContext context = + TransactionContextManager.getInstance().getTransactionContext(); + ConfigurationProvider config = context.getConfiguration(); + Set keyGroupEntries; + + // get the KeyGroup entries from the configuration + if (context.getClientCertificate() != null) { + X509Certificate cert = context.getClientCertificate()[0]; + Principal issuer = cert.getIssuerDN(); + BigInteger serialNumber = cert.getSerialNumber(); + + keyGroupEntries = + config.getKeyGroupEntries(issuer, serialNumber, keyGroupID); + } else { + keyGroupEntries = config.getKeyGroupEntries(null, null, keyGroupID); + } + + // map the KeyGroup entries to a set of KeyEntryIDs + if (keyGroupEntries == null) { + return null; + } else if (keyGroupEntries.size() == 0) { + return Collections.EMPTY_SET; + } else { + KeyModule module = + KeyModuleFactory.getInstance( + new TransactionId(context.getTransactionID())); + Set keyEntryIDs = module.getPrivateKeyEntryIDs(); + Set keySet = new HashSet(); + Iterator iter; + + // filter out the keys that do not exist in the IAIK configuration + // by walking through the key entries and checking if the exist in the + // keyGroupEntries + for (iter = keyEntryIDs.iterator(); iter.hasNext();) { + KeyEntryID entryID = (KeyEntryID) iter.next(); + KeyGroupEntry entry = + new KeyGroupEntry( + entryID.getModuleID(), + entryID.getCertificateIssuer(), + entryID.getCertificateSerialNumber()); + if (keyGroupEntries.contains(entry)) { + keySet.add(entryID); + } + } + return keySet; + } + } + + /** + * Build the list of additional signed properties. + * + * Based on the generic configuration setting + * <code>ConfigurationProvider.TEST_SIGNING_TIME_PROPERTY</code>, a + * constant <code>SigningTime</code> will be added to the properties. + * + * @return The <code>List</code> of additional signed properties. + */ + private List buildAdditionalSignedProperties() { + TransactionContext context = + TransactionContextManager.getInstance().getTransactionContext(); + ConfigurationProvider config = context.getConfiguration(); + List additionalSignedProperties = Collections.EMPTY_LIST; + + return additionalSignedProperties; + } + +}
\ No newline at end of file diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 2c4bbd4eb..7a4103957 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -24,8 +24,8 @@ package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException; import iaik.server.modules.cmsverify.CMSSignatureVerificationModule; import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory; import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile; @@ -58,7 +58,9 @@ import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult; /** * A class providing an interface to the @@ -136,7 +138,7 @@ public class CMSSignatureVerificationInvoker { try { // get the signed content signedContent = getSignedContent(request); - + // build the profile profile = profileFactory.createProfile(); @@ -159,6 +161,7 @@ public class CMSSignatureVerificationInvoker { while (input.read(buf) > 0); results = module.verifySignature(signingTime); + } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; @@ -183,6 +186,8 @@ public class CMSSignatureVerificationInvoker { } } + QCSSCDResult qcsscdresult = new QCSSCDResult(); + // build the response: for each signatory add the result to the response signatories = request.getSignatories(); if (signatories == VerifyCMSSignatureRequest.ALL_SIGNATORIES) { @@ -190,12 +195,28 @@ public class CMSSignatureVerificationInvoker { for (resultIter = results.iterator(); resultIter.hasNext();) { result = (CMSSignatureVerificationResult) resultIter.next(); + String issuerCountryCode = null; + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; + } + + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + + // get signer certificate issuer country code + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + + } - // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; - - responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); + responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode); } } else { int i; @@ -206,12 +227,27 @@ public class CMSSignatureVerificationInvoker { try { result = (CMSSignatureVerificationResult) results.get(signatories[i] - 1); - // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; - - - responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); + + String issuerCountryCode = null; + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int j = 0; + while(it.hasNext()) { + chain[j] = (X509Certificate)it.next(); + j++; + } + + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + } + + responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode); } catch (IndexOutOfBoundsException e) { throw new MOAApplicationException( "2249", @@ -223,65 +259,7 @@ public class CMSSignatureVerificationInvoker { return responseBuilder.getResponse(); } - private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) { - boolean checkQCFromTSL = false; - try { - if (tslEnabledTrustProfile) { - if (chainlist != null) { - X509Certificate[] chain = new X509Certificate[chainlist.size()]; - - Iterator it = chainlist.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - } - } - } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } - - return checkQCFromTSL; - } - - private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) { - boolean checkSSCDFromTSL = false; - try { - if (tslEnabledTrustProfile) { - if (chainlist != null) { - X509Certificate[] chain = new X509Certificate[chainlist.size()]; - - Iterator it = chainlist.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - } - } - } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } - - return checkSSCDFromTSL; - } - + /** * Get the signed content contained either in the request itself or given as a * reference to external data. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java new file mode 100644 index 000000000..aa52fe09a --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java @@ -0,0 +1,93 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.invoke; + +import java.util.ArrayList; +import java.util.List; + +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse; + +/** + * A class to build a <code>CreateCMSSignatureResponse</code>. + * + * <p>The methods <code>addSignature()</code> and <code>addError()</code> may be + * called in any combination to add <code>CMSignature</code> and + * <code>ErrorResponse</code> elements to the response. One of these functions + * must be called at least once to produce a + * <code>CreateCMSSignatureResponse</code>.</p> + * + * <p>The <code>getResponseElement()</code> method then returns the + * <code>CreateXMLSignatureResponse</code> built so far.</p> + * + * @author Patrick Peck + * @version $Id$ + */ +public class CreateCMSSignatureResponseBuilder { + + /** The <code>SPSSFactory</code> for creating API objects. */ + private SPSSFactory factory = SPSSFactory.getInstance(); + /** The elements to add to the response. */ + private List responseElements = new ArrayList(); + + /** + * Get the <code>CreateCMSSignatureResponse</code> built so far. + * + * @return The <code>CreateCMSSignatureResponse</code> built so far. + */ + public CreateCMSSignatureResponse getResponse() { + return factory.createCreateCMSSignatureResponse(responseElements); + } + + /** + * Add a <code>SignatureEnvironment</code> element to the response. + * + * @param signatureEnvironment The content to put under the + * <code>SignatureEnvironment</code> element. This should either be a + * <code>dsig:Signature</code> element (in case of a detached signature) or + * the signature environment containing the signature (in case of + * an enveloping signature). + */ + public void addCMSSignature(String base64value) { + CMSSignatureResponse responseElement = + factory.createCMSSignatureResponse(base64value); + responseElements.add(responseElement); + } + + /** + * Add a <code>ErrorResponse</code> element to the response. + * + * @param errorCode The error code. + * @param info Additional information about the error. + */ + public void addError(String errorCode, String info) { + ErrorResponse errorResponse = + factory.createErrorResponse(Integer.parseInt(errorCode), info); + responseElements.add(errorResponse); + } + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java index 869cfefa1..1136ff2f8 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java @@ -24,8 +24,8 @@ package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException; import java.lang.reflect.Constructor; import java.util.HashMap; @@ -51,8 +51,8 @@ public class IaikExceptionMapper { /** The exception mapping, as an array. */ private static final Object[][] MESSAGES = { - { iaik.IAIKException.class, "9900", MOASystemException.class }, - { iaik.IAIKRuntimeException.class, "9901", MOASystemException.class }, + { iaik.server.modules.IAIKException.class, "9900", MOASystemException.class }, + { iaik.server.modules.IAIKRuntimeException.class, "9901", MOASystemException.class }, { iaik.server.modules.xmlsign.XMLSignatureCreationException.class, "2220", MOAApplicationException.class }, { iaik.server.modules.xmlsign.XMLSignatureCreationRuntimeException.class, "2220", MOAApplicationException.class }, { iaik.server.modules.xmlsign.InvalidKeyException.class, "2221", MOAApplicationException.class }, @@ -85,7 +85,8 @@ public class IaikExceptionMapper { { iaik.server.modules.xmlverify.TransformationException.class, "2265", MOAApplicationException.class }, { iaik.server.modules.xmlverify.TransformationParsingException.class, "2269", MOAApplicationException.class }, { iaik.xml.crypto.tsl.ex.TSLEngineDiedException.class, "2290", MOAApplicationException.class }, - { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class } + { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class } , + { iaik.server.modules.cmssign.CMSSignatureCreationException.class, "2300", MOAApplicationException.class } , }; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 3b82c6caf..1ea10cb4e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -73,13 +73,15 @@ public class VerifyCMSSignatureResponseBuilder { * @param trustprofile The actual trustprofile * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the * certificate as qualified, otherwise <code>false</code>. - * @param checkSSCDFromTSL <code>true</code>, if the TSL check verifies the + * @param checkSSCD <code>true</code>, if the TSL check verifies the * signature based on a SSDC, otherwise <code>false</code>. + * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL, + * otherwise <code>false</code>. * @throws MOAException */ - public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQCFromTSL, boolean checkSSCDFromTSL) + public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode) throws MOAException { - + CertificateValidationResult certResult = result.getCertificateValidationResult(); int signatureCheckCode = @@ -90,28 +92,20 @@ public class VerifyCMSSignatureResponseBuilder { SignerInfo signerInfo; CheckResult signatureCheck; CheckResult certificateCheck; - - - boolean qualifiedCertificate = false; - - // verify qualified certificate checks (certificate or TSL) - if (trustProfile.isTSLEnabled()) { - // take TSL result - qualifiedCertificate = checkQCFromTSL; - } - else { - // take result from certificate - qualifiedCertificate = certResult.isQualifiedCertificate(); - } + + boolean qualifiedCertificate = checkQC; // add SignerInfo element signerInfo = factory.createSignerInfo( (X509Certificate) certResult.getCertificateChain().get(0), qualifiedCertificate, + qcSourceTSL, certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), - checkSSCDFromTSL); + checkSSCD, + sscdSourceTSL, + issuerCountryCode); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); @@ -119,9 +113,6 @@ public class VerifyCMSSignatureResponseBuilder { // add CertificateCheck element certificateCheck = factory.createCheckResult(certificateCheckCode, null); - - - // build the response element responseElement = factory.createVerifyCMSSignatureResponseElement( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 755ca82b6..193495171 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -125,10 +125,12 @@ public class VerifyXMLSignatureResponseBuilder { * @param transformsSignatureManifestCheck The overall result for the signature * manifest check. * @param certificateCheck The overall result for the certificate check. - * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the - * certificate as qualified, otherwise <code>false</code>. - * @param checkSSCDFromTSL <code>true</code>, if the TSL check verifies the - * signature based on a SSDC, otherwise <code>false</code>. + * @param checkQC <code>true</code>, if the certificate is QC, otherwise <code>false</code>. + * @param qcSourceTSL <code>true</code>, if the QC information comes from the TSL, + * otherwise <code>false</code>. + * @param checkSSCD <code>true</code>, if the signature is created by an SSCD, otherwise <code>false</code>. + * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from the TSL, + * otherwise <code>false</code>. * @throws MOAApplicationException An error occurred adding the result. */ public void setResult( @@ -136,9 +138,12 @@ public class VerifyXMLSignatureResponseBuilder { XMLSignatureVerificationProfile profile, ReferencesCheckResult transformsSignatureManifestCheck, CheckResult certificateCheck, - boolean checkQCFromTSL, - boolean checkSSCDFromTSL, - boolean isTSLEnabledTrustprofile) + boolean checkQC, + boolean qcSourceTSL, + boolean checkSSCD, + boolean sscdSourceTSL, + boolean isTSLEnabledTrustprofile, + String issuerCountryCode) throws MOAApplicationException { CertificateValidationResult certResult = @@ -152,24 +157,19 @@ public class VerifyXMLSignatureResponseBuilder { boolean qualifiedCertificate = false; - // verify qualified certificate checks (certificate or TSL) - if (isTSLEnabledTrustprofile) { - // take TSL result - qualifiedCertificate = checkQCFromTSL; - } - else { - // take result from certificate - qualifiedCertificate = certResult.isQualifiedCertificate(); - } + qualifiedCertificate = checkQC; // create the SignerInfo; signerInfo = factory.createSignerInfo( (X509Certificate) certResult.getCertificateChain().get(0), qualifiedCertificate, + qcSourceTSL, certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), - checkSSCDFromTSL); + checkSSCD, + sscdSourceTSL, + issuerCountryCode); // Create HashInputData Content objects referenceDataList = result.getReferenceDataList(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java index 759af813c..7debb7b3a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationInvoker.java @@ -24,8 +24,8 @@ package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException; import iaik.server.modules.xml.DataObject; import iaik.server.modules.xml.XMLDataObject; import iaik.server.modules.xml.XMLSignature; @@ -243,14 +243,31 @@ public class XMLSignatureCreationInvoker { } try { - // create the signature - signature = - module.createSignature( - dataObjectList, - profile, - additionalSignedProperties, - signatureParent, - new TransactionId(context.getTransactionID())); + ConfigurationProvider config = context.getConfiguration(); + String xadesVersion = config.getXAdESVersion(); + + if (xadesVersion!= null && xadesVersion.compareTo(XMLSignatureCreationModule.XADES_VERSION_1_4_2) == 0) { + // create the signature (XAdES 1.4.2) + signature = + module.createSignature( + dataObjectList, + profile, + additionalSignedProperties, + signatureParent, + XMLSignatureCreationModule.XADES_VERSION_1_4_2, + new TransactionId(context.getTransactionID())); + } + else { + // create the signature (XAdES 1.1.1 = default) + signature = + module.createSignature( + dataObjectList, + profile, + additionalSignedProperties, + signatureParent, + XMLSignatureCreationModule.XADES_VERSION_1_1_1, + new TransactionId(context.getTransactionID())); + } // insert the result into the response if (signatureParent != null) { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index 5c4a2c76a..d1281c1f1 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo; import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.KeyGroup; import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry; import at.gv.egovernment.moa.spss.server.iaik.xml.CanonicalizationImpl; import at.gv.egovernment.moa.spss.server.iaik.xmlsign.DataObjectTreatmentImpl; @@ -83,6 +84,9 @@ public class XMLSignatureCreationProfileFactory { static { HASH_ALGORITHM_MAPPING = new HashMap(); HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); + HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); + HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); + HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512); } /** The <code>CreateXMLSignatureRequest</code> for which to create the @@ -129,18 +133,62 @@ public class XMLSignatureCreationProfileFactory { HashSet allReservedIDs = new HashSet(reserved); allReservedIDs.addAll(sigInfoReservedIDs); - XMLSignatureCreationProfileImpl profile = - new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs); TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); ConfigurationProvider config = context.getConfiguration(); CanonicalizationImpl canonicalization; List dataObjectTreatmentList; - String keyGroupID; Set keySet; List transformationSupplements; List createTransformsProfiles; + // get the key group id + String keyGroupID = request.getKeyIdentifier(); + // get digest method on key group level (if configured) + String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) + String configDigestMethod = config.getDigestMethodAlgorithmName(); + + String xadesVersion = config.getXAdESVersion(); + + String digestMethodXAdES142 = null; + boolean isXAdES142 = false; + // if XAdES Version 1.4.2 is configured + if (xadesVersion != null && xadesVersion.compareTo("1.4.2") == 0) { + isXAdES142 = true; + Logger.debug("XAdES version '" + xadesVersion + "' used"); + } + + if (isXAdES142) { + if (configDigestMethodKG != null) { + // if KG specific digest method is configured + digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); + if (digestMethodXAdES142 == null) { + error( + "config.17", + new Object[] { configDigestMethodKG}); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(configured in KeyGroup)"); + } + else { + // else get default configured digest method + digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); + if (digestMethodXAdES142 == null) { + error( + "config.17", + new Object[] { configDigestMethod}); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(default)"); + + } + } + + XMLSignatureCreationProfileImpl profile = + new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + + // build the transformation supplements createTransformsProfiles = getCreateTransformsInfoProfiles(singleSignatureInfo); @@ -153,11 +201,11 @@ public class XMLSignatureCreationProfileFactory { singleSignatureInfo, createTransformsProfiles, transformationSupplements, - allReservedIDs); + allReservedIDs, + digestMethodXAdES142); profile.setDataObjectTreatmentList(dataObjectTreatmentList); // set the key set - keyGroupID = request.getKeyIdentifier(); keySet = buildKeySet(keyGroupID); if (keySet == null) { throw new MOAApplicationException("2231", null); @@ -184,7 +232,7 @@ public class XMLSignatureCreationProfileFactory { canonicalization = new CanonicalizationImpl(config.getCanonicalizationAlgorithmName()); profile.setSignedInfoCanonicalization(canonicalization); - + // set the signed properties profile.setSignedProperties(Collections.EMPTY_LIST); @@ -299,7 +347,8 @@ public class XMLSignatureCreationProfileFactory { SingleSignatureInfo singleSignatureInfo, List createTransformsInfoProfiles, List transformationSupplements, - Set reservedIDs) + Set reservedIDs, + String digestMethodXAdES142) throws MOASystemException, MOAApplicationException { TransactionContext context = @@ -329,15 +378,25 @@ public class XMLSignatureCreationProfileFactory { treatment.setTransformationList(buildTransformationList(profile)); treatment.setReferenceInManifest(dataObjInfo.isChildOfManifest()); - hashAlgorithmName = - (String) HASH_ALGORITHM_MAPPING.get( - config.getDigestMethodAlgorithmName()); - if (hashAlgorithmName == null) { - error( - "config.17", - new Object[] { config.getDigestMethodAlgorithmName()}); - throw new MOASystemException("2900", null); + // if XAdES version is 1.4.2 + if (digestMethodXAdES142 != null) { + // use configured digest algorithm + hashAlgorithmName = digestMethodXAdES142; + } + else { + // stay as it is + hashAlgorithmName = (String) HASH_ALGORITHM_MAPPING.get( + config.getDigestMethodAlgorithmName()); + if (hashAlgorithmName == null) { + error( + "config.17", + new Object[] { config.getDigestMethodAlgorithmName()}); + throw new MOASystemException("2900", null); + } } + + + treatment.setHashAlgorithmName(hashAlgorithmName); treatment.setIncludedInSignature( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index 8a5b6f5b7..c90bc534a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -24,10 +24,10 @@ package at.gv.egovernment.moa.spss.server.invoke; -import iaik.IAIKException; -import iaik.IAIKRuntimeException; import iaik.ixsil.exceptions.URIException; import iaik.ixsil.util.URI; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException; import iaik.server.modules.xml.DataObject; import iaik.server.modules.xml.XMLDataObject; import iaik.server.modules.xml.XMLSignature; @@ -40,8 +40,6 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory; import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile; import iaik.server.modules.xmlverify.XMLSignatureVerificationResult; import iaik.x509.X509Certificate; -import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; -import iaik.xml.crypto.tsl.ex.TSLSearchException; import java.io.File; import java.io.FileInputStream; @@ -87,8 +85,9 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; -import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult; import at.gv.egovernment.moa.util.CollectionUtils; import at.gv.egovernment.moa.util.Constants; @@ -208,9 +207,7 @@ public class XMLSignatureVerificationInvoker { requestElement); } - boolean checkQCFromTSL = false; - boolean checkSSCDFromTSL = false; - + QCSSCDResult qcsscdresult = new QCSSCDResult(); String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId(); ConfigurationProvider config = ConfigurationProvider.getInstance(); TrustProfile tp = config.getTrustProfile(tpID); @@ -236,33 +233,27 @@ public class XMLSignatureVerificationInvoker { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; } - try { - if (tp.isTSLEnabled()) { - List list = result.getCertificateValidationResult().getCertificateChain(); - if (list != null) { - X509Certificate[] chain = new X509Certificate[list.size()]; - - - Iterator it = list.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + + + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; } - } + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled()); } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } + + // get signer certificate issuer country code + String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + // swap back in the request as root document if (requestElement != signatureEnvironment.getElement()) { requestElement.getOwnerDocument().replaceChild( @@ -278,10 +269,10 @@ public class XMLSignatureVerificationInvoker { // Check if signer certificate is in trust profile's allowed signer certificates pool TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); - - // build the response - responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQCFromTSL, checkSSCDFromTSL, tp.isTSLEnabled()); + + // build the response + responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode); return responseBuilder.getResponse(); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java index 6bf2317b4..591e26ac2 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java @@ -393,6 +393,7 @@ public class AxisHandler extends BasicHandler { try { String filename = MOA_SPSS_WSDL_RESOURCE_; + File file = new File(filename); if (file.exists()) { //if this resolves to a file, load it @@ -400,7 +401,7 @@ public class AxisHandler extends BasicHandler { } else { //else load a named resource in our classloader. instream = this.getClass().getResourceAsStream(filename); - if (instream == null) { + if (instream == null) { String errorText = Messages.getMessage("wsdlFileMissing", filename); throw new AxisFault(errorText); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java index 7a7bb88bb..e5b12bd8c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java @@ -35,10 +35,15 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.MOASystemException; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureRequestParser; +import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureResponseBuilder; import at.gv.egovernment.moa.spss.api.xmlbind.CreateXMLSignatureRequestParser; import at.gv.egovernment.moa.spss.api.xmlbind.CreateXMLSignatureResponseBuilder; import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureCreationInvoker; import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureCreationInvoker; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -52,6 +57,89 @@ import at.gv.egovernment.moa.util.StreamUtils; * @version $Id$ */ public class SignatureCreationService { + + /** + * Handle a <code>CreateXMLSignatureRequest</code>. + * + * @param request The <code>CreateXMLSignatureRequest</code> to work on + * (contained in the 0th element of the array). + * @return A <code>CreateXMLSignatureResponse</code> as the only element of + * the <code>Element</code> array. + * @throws AxisFault An error occurred during handling of the message. + */ + public Element[] CreateCMSSignatureRequest(Element[] request) + throws AxisFault { + Logger.trace("---- Entering SignatureCreationService"); + CMSSignatureCreationInvoker invoker = + CMSSignatureCreationInvoker.getInstance(); + Element[] response = new Element[1]; + + // check that we have a CreateXMLSignatureRequest; if not, create an + // AxisFault, just like the org.apache.axis.providers.java.MsgProvider + if (!Constants.MOA_SPSS_CREATE_CMS_REQUEST.equals(request[0].getLocalName()) || + !Constants.MOA_NS_URI.equals(request[0].getNamespaceURI())) + { + QName qname = + new QName(request[0].getNamespaceURI(), request[0].getLocalName()); + throw new AxisFault( + Messages.getMessage("noOperationForQName", qname.toString())); // TODO GK Operation name does not make it into the error repsonse + } + + // handle the request + try { + + // create a parser and builder for binding API objects to/from XML + CreateCMSSignatureRequestParser requestParser = + new CreateCMSSignatureRequestParser(); + CreateCMSSignatureResponseBuilder responseBuilder = + new CreateCMSSignatureResponseBuilder(); + Element reparsedReq; + CreateCMSSignatureRequest requestObj; + CreateCMSSignatureResponse responseObj; + + //since Axis (1.1 ff) has problem with namespaces we take the raw request stored by the Axishandler. + TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + + // validate the request + reparsedReq = ServiceUtils.reparseRequest(request[0]);//context.getRequest()); + + // convert to API objects + Logger.trace(">>> preparsing Request"); + requestObj = requestParser.parse(reparsedReq); + Logger.trace("<<< preparsed Request"); + + Logger.trace(">>> creating Signature"); + // invoke the core logic + responseObj = invoker.createCMSSignature(requestObj, Collections.EMPTY_SET); + Logger.trace("<<< created Signature"); + + Logger.trace(">>> building Response"); + // map back to XML + response[0] = responseBuilder.build(responseObj).getDocumentElement(); + Logger.trace("<<< built Response"); + + // save response in transaction + context.setResponse(response[0]); + Logger.trace("---- Leaving SignatureCreationService"); + + + } catch (MOAException e) { + AxisFault fault = AxisFault.makeFault(e); + fault.setFaultDetail(new Element[] { e.toErrorResponse()}); + Logger.debug("Anfrage zur Signaturerstellung wurde nicht erfolgreich beendet:" + + System.getProperty("line.separator") + StreamUtils.getStackTraceAsString(e)); + throw fault; + } catch (Throwable t) { + MOASystemException e = new MOASystemException("2900", null, t); + AxisFault fault = AxisFault.makeFault(e); + fault.setFaultDetail(new Element[] { e.toErrorResponse()}); + Logger.debug("Anfrage zur Signaturerstellung wurde nicht erfolgreich beendet:" + + System.getProperty("line.separator") + StreamUtils.getStackTraceAsString(e)); + throw fault; + } + + return response; + } /** * Handle a <code>CreateXMLSignatureRequest</code>. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index 2e4af2817..07da0a998 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java @@ -83,28 +83,277 @@ public class TSLConnector implements TSLConnectorInterface { return updateAndGetQualifiedCACertificates(dateTime, null, serviceLevelStatus);
}
+ public void updateTSLs(Date dateTime,
+ String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
+
+ if (Configurator.is_isInitialised() == false)
+ new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ updateTSLs(dateTime, null, serviceLevelStatus);
+ }
+
public ArrayList<File> updateAndGetQualifiedCACertificates(Date dateTime,
String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
if (Configurator.is_isInitialised() == false)
new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("hashcachedir: " + hashcachedir);
+// if (hashcachedir==null)
+// hashcachedir = DEFAULT_HASHCACHE_DIR;
+
+// File hashcachefile = new File(hashcachedir);
+// File[] filelist = hashcachefile.listFiles();
+// if (filelist != null) {
+// for (File f : filelist)
+// f.delete();
+// }
- //TODO: clean hascash and TLS Download folder
- String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+ File tsldownloadfile = new File(tsldownloaddir);
+ if (!tsldownloadfile.exists()) {
+ tsldownloadfile.mkdir();
+ }
+ File[] tslfilelist = tsldownloadfile.listFiles();
+ if (tslfilelist != null) {
+ for (File f : tslfilelist)
+ f.delete();
+ }
- if (hashcachedir==null)
- hashcachedir = DEFAULT_HASHCACHE_DIR;
-
- String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+ //create sqlLite database
+ File dbFile = new File(Configurator.get_TempdbFile());
+ try {
+ dbFile.delete();
+ dbFile.createNewFile();
+ } catch (IOException e) {
+ throw new TSLEngineDiedException("Could not create temporary data base file", e);
+ }
+
+ //the TSL library uses the iaik.util.logging environment.
+ //iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.WARN);
+ iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF);
+
+ log.info("Starting EU TSL import.");
+
+ // Certificates in Germany, Estonia, Greece, Cyprus,
+ // Lithuainia, Hungary, Poland, Finland, Norway use SURNAME
+ log.debug("### SURNAME registered as " + ObjectID.surName + " ###");
+ RFC2253NameParser.register("SURNAME", ObjectID.surName);
+
+ XSecProvider.addAsProvider(false);
+
+ TSLEngine tslEngine;
+ TslSqlConnectionWrapper connection = null;
+
+ try {
+ // register the Https JSSE Wrapper
+ TLS.register();
+ log.trace("### Https JSSE Wrapper registered ###");
+
+
+ log.debug("### Connect to Database.###");
+ connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
+
+ log.trace("### Connected ###");
+
+ // empty the database and recreate the tables
+ tslEngine = new TSLEngine(dbFile, Configurator.get_TSLWorkingDirectoryPath(),
+ connection, true, true);
+
+ } catch (TSLEngineFatalException e1) {
+ throw new TSLEngineDiedException(e1);
+
+ }
+
+ // H.2.2.1 Same-scheme searching
+ // H.2.2.2 Known scheme searching
+ // H.2.2.3 "Blind" (unknown) scheme searching
+ Number tId = null;
+ Countries euTerritory = Countries.EU;
+ TSLImportContext topLevelTslContext = new TSLEUImportFromFileContext(
+ euTerritory, Configurator.get_euTSLURL(), Configurator.get_TSLWorkingDirectoryPath(),
+ Configurator.is_sqlMultithreaded(),
+ Configurator.is_throwExceptions(), Configurator.is_logExceptions(),
+ Configurator.is_throwWarnings(), Configurator.is_logWarnings(),
+ Configurator.is_nullRedundancies());
+
+ TSLEngineEU tslengineEU;
+ try {
+ tslengineEU = tslEngine.new TSLEngineEU();
+
+ } catch (TSLEngineFatalException e1) {
+ throw new TSLEngineDiedException(e1);
+ }
+
+ // establish EU TSL trust anchor
+ ListIterator<java.security.cert.X509Certificate> expectedEuTslSignerCerts =
+ tslEngine.loadCertificatesFromResource(
+ Configurator.get_euTrustAnchorsPath(), topLevelTslContext);
+
+ log.debug("Process EU TSL");
+ // process the EU TSL to receive the pointers to the other TSLs
+ // and the trust anchors for the TSL signers
+ Set<Entry<Number, LocationAndCertHash>> pointersToMsTSLs = null;
- File hashcachefile = new File(hashcachedir);
+ try {
+
+ tId = tslengineEU.processEUTSL(topLevelTslContext, expectedEuTslSignerCerts);
+ log.info("Process EU TSL finished");
+
+ log.debug(Thread.currentThread() + " waiting for other threads ...");
+
+ topLevelTslContext.waitForAllOtherThreads();
+ log.debug(Thread.currentThread()
+ + " reactivated after other threads finished ...");
+
+
+ // get the TSLs pointed from the EU TSL
+ LinkedHashMap<Number, LocationAndCertHash> tslMap = tslengineEU
+ .getOtherTslMap(tId, topLevelTslContext);
+
+ pointersToMsTSLs = tslMap.entrySet();
+
+ //set Errors and Warrnings
+
+ } catch (TSLEngineFatalRuntimeException e) {
+ throw new TSLEngineDiedException(topLevelTslContext.dumpFatals());
+
+ } catch (TSLTransactionFailedRuntimeException e) {
+ throw new TSLEngineDiedException(topLevelTslContext.dumpTransactionFaliures());
+ }
+
+ //Backup implementation if the EU TSL includes a false signer certificate
+ // establish additional trust anchors for member states
+// Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {
+// Countries.CZ,
+// Countries.LU,
+// Countries.ES,
+// Countries.AT,
+// };
+ Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {};
+
+ Map<Countries, java.util.ListIterator<java.security.cert.X509Certificate>>
+ trustAnchorsWrongOnEuTsl = loadCertificatesFromResource(
+ Configurator.get_msTrustAnchorsPath(), tslEngine, topLevelTslContext,
+ countriesWithPotentiallyWrongCertsOnEuTsl);
+
+ log.info("Starting EU member TSL import.");
+
+ for (Entry<Number, LocationAndCertHash> entry : pointersToMsTSLs) {
+
+ TSLImportContext msTslContext;
+
+ Countries expectedTerritory = entry.getValue().getSchemeTerritory();
+ try {
+
+// if (expectedTerritory.equals("RO"))
+// System.out.println("Stop");
+ Number otpId = entry.getKey();
+ LocationAndCertHash lac = entry.getValue();
+
+ URL uriReference = null;
+ try {
+ uriReference = new URL(lac.getUrl());
+
+ } catch (MalformedURLException e) {
+ log.warn("Could not process: " + uriReference, e);
+ continue;
+ }
+
+ String baseURI = uriReference == null ? "" : "" + uriReference;
+
+ msTslContext = new TSLImportFromFileContext(
+ expectedTerritory, uriReference, otpId, Configurator.get_TSLWorkingDirectoryPath(),
+ Configurator.is_sqlMultithreaded(),
+ Configurator.is_throwExceptions(), Configurator.is_logExceptions(),
+ Configurator.is_throwWarnings(), Configurator.is_logWarnings(),
+ Configurator.is_nullRedundancies(), baseURI, trustAnchorsWrongOnEuTsl,
+ topLevelTslContext);
+
+ ListIterator<X509Certificate> expectedTslSignerCerts = null;
+ expectedTslSignerCerts = tslEngine.getCertificates(lac, msTslContext);
+
+ if (expectedTslSignerCerts == null) {
+
+ // no signer certificate on the EU TSL
+ // ignore this msTSL and log a warning
+ log.warn("NO signer certificate found on EU TSL! "
+ + lac.getSchemeTerritory() + "TSL ignored.");
+
+ }
+ else {
+ tslEngine.processMSTSL(topLevelTslContext, msTslContext, expectedTslSignerCerts);
+ }
+
+ } catch (TSLExceptionB e) {
+ log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
+ + " TSL ignored.");
+ log.debug("Failed to process TSL. " + entry, e);
+ continue;
+ } catch (TSLRuntimeException e) {
+ log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory()
+ + " TSL ignored.");
+ log.debug("Failed to process TSL. " + entry, e);
+ continue;
+ }
+ }
+
+ log.debug(Thread.currentThread() + " waiting for other threads ...");
+ topLevelTslContext.waitForAllOtherThreads();
+
+ log.debug(_.dumpAllThreads());
+ log.debug(Thread.currentThread() + " reactivated after other threads finished ...");
+
+ connection = null;
+ try {
+ connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON);
+ tslEngine.recreateTablesInvalidatedByImport(connection);
- File[] filelist = hashcachefile.listFiles();
- if (filelist != null) {
- for (File f : filelist)
- f.delete();
+
+ //TODO: implement database copy operation!
+ File working_database = new File(Configurator.get_dbFile());
+ working_database.delete();
+ copy(dbFile, working_database);
+
+
+ } catch (TSLEngineFatalException e) {
+ throw new TSLEngineDiedException(e);
+
+ } finally {
+ try {
+ connection.closeConnection();
+
+ } catch (TSLEngineFatalException e) {
+ throw new TSLEngineDiedException(e);
+
+ }
}
+
+ return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
+ }
+
+ public void updateTSLs(Date dateTime,
+ String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException {
+
+ if (Configurator.is_isInitialised() == false)
+ new TSLEngineFatalException("The TSL Engine is not initialized!");
+
+ String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload";
+
+// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR");
+// System.out.println("hashcachedir: " + hashcachedir);
+// if (hashcachedir==null)
+// hashcachedir = DEFAULT_HASHCACHE_DIR;
+
+// File hashcachefile = new File(hashcachedir);
+// File[] filelist = hashcachefile.listFiles();
+// if (filelist != null) {
+// for (File f : filelist)
+// f.delete();
+// }
File tsldownloadfile = new File(tsldownloaddir);
if (!tsldownloadfile.exists()) {
@@ -326,7 +575,7 @@ public class TSLConnector implements TSLConnectorInterface { }
}
- return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
+ //return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus);
}
public ArrayList<File> getQualifiedCACertificates(Date dateTime,
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java index c365a1121..0cb18a08e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java @@ -39,6 +39,8 @@ import at.gv.egovernment.moa.util.StringUtils; public class TSLUpdaterTimerTask extends TimerTask {
public static TSLConnector tslconnector_;
+
+ public static ConfigurationData configData_ = null;
@Override
public void run() {
@@ -48,10 +50,6 @@ public class TSLUpdaterTimerTask extends TimerTask { } catch (TSLEngineDiedException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
-
- // TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur
- // Verfügung stehen?
-
} catch (TSLSearchException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
@@ -67,100 +65,138 @@ public class TSLUpdaterTimerTask extends TimerTask { } catch (TrustStoreException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (CertificateException e) {
+ } catch (FileNotFoundException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (FileNotFoundException e) {
+ } catch (IOException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
- } catch (IOException e) {
+ } catch (CertificateException e) {
MessageProvider msg = MessageProvider.getInstance();
Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
}
}
- public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException {
+ public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, IOException {
MessageProvider msg = MessageProvider.getInstance();
- //get TSl configuration
- ConfigurationProvider config = ConfigurationProvider.getInstance();
- ConfigurationData configData = new IaikConfigurator().configure(config);
- TSLConfiguration tslconfig = config.getTSLConfiguration();
- if (tslconfig != null) {
-
- Logger.info(new LogMsg(msg.getMessage("config.42", null)));
+ //TrustProfile tp = null;
+ TrustStoreProfile tsp = null;
+ StoreUpdater storeUpdater = null;
+ TransactionId tid = null;
+
+ //get TSl configuration
+ ConfigurationProvider config = ConfigurationProvider.getInstance();
+ if (configData_ == null)
+ configData_ = new IaikConfigurator().configure(config);
- // get certstore parameters
- CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters();
+ TSLConfiguration tslconfig = config.getTSLConfiguration();
+ if (tslconfig != null) {
- // iterate over all truststores
- Map mapTrustProfiles = config.getTrustProfiles();
- Iterator it = mapTrustProfiles.entrySet().iterator();
- while (it.hasNext()) {
- Map.Entry pairs = (Map.Entry)it.next();
- TrustProfile tp = (TrustProfile) pairs.getValue();
- if (tp.isTSLEnabled()) {
- TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId());
- TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
- trustStoreProfiles[0] = tsp;
-
- Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
-
- TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId());
- ArrayList tsl_certs = null;
- if (StringUtils.isEmpty(tp.getCountries())) {
- Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
-
- // get certificates from TSL from all countries
- tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
- }
- else {
- Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
- // get selected countries as array
- String countries = tp.getCountries();
- String[] array = countries.split(",");
- for (int i = 0; i < array.length; i++)
- array[i] = array[i].trim();
-
- // get certificates from TSL from given countries
- tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
- }
+ tslconnector_.updateTSLs(new Date(), new String[]{"accredited","undersupervision"});
+
+ Logger.info(new LogMsg(msg.getMessage("config.42", null)));
+
+ // get certstore parameters
+ CertStoreParameters[] certStoreParameters = configData_.getPKIConfiguration().getCertStoreConfiguration().getParameters();
- // create store updater for each TSL enabled truststore
- Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
- StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
-
- // convert ArrayList<File> to X509Certificate[]
- X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()];
- Iterator itcert = tsl_certs.iterator();
- int i = 0;
- while(itcert.hasNext()) {
- File f = (File)itcert.next();
- X509Certificate cert = new X509Certificate(new FileInputStream(f));
- addCertificates[i] = cert;
+ // iterate over all truststores
+ Map mapTrustProfiles = config.getTrustProfiles();
+ Iterator it = mapTrustProfiles.entrySet().iterator();
+ while (it.hasNext()) {
+ Map.Entry pairs = (Map.Entry)it.next();
+ TrustProfile tp = (TrustProfile) pairs.getValue();
+ if (tp.isTSLEnabled()) {
+ tsp = new TrustStoreProfileImpl(config, tp.getId());
+ TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1];
+ trustStoreProfiles[0] = tsp;
- i++;
+ Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()})));
+
+ tid = new TransactionId("TSLConfigurator-" + tp.getId());
+ ArrayList tsl_certs = null;
+ if (StringUtils.isEmpty(tp.getCountries())) {
+ Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
+
+ // get certificates from TSL from all countries
+ tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"});
+ }
+ else {
+ Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
+ // get selected countries as array
+ String countries = tp.getCountries();
+ String[] array = countries.split(",");
+ for (int i = 0; i < array.length; i++)
+ array[i] = array[i].trim();
+
+ // get certificates from TSL from given countries
+ tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"});
+ }
+
+ // create store updater for each TSL enabled truststore
+ Logger.debug(new LogMsg(msg.getMessage("config.45", null)));
+ storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid);
+
+ // delete files in trustprofile
+
+ File ftp = new File(tp.getUri());
+ File[] files = ftp.listFiles();
+ X509Certificate[] removeCertificates = new X509Certificate[files.length];
+ int i = 0;
+ for (File file : files) {
+ FileInputStream fis = new FileInputStream(file);
+ removeCertificates[i] = new X509Certificate(fis);
+ i++;
+ fis.close();
+ //file.delete();
+ }
+
+ // remove all certificates
+ storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
+ storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid);
+
+
+ // copy files from original trustAnchorsLocURI into tslworking trust profile
+ File src = new File(tp.getUriOrig());
+ files = src.listFiles();
+ X509Certificate[] addCertificates = new X509Certificate[files.length];
+ i = 0;
+ for (File file : files) {
+ FileInputStream fis = new FileInputStream(file);
+ addCertificates[i] = new X509Certificate(fis);
+ //FileUtils.copyFile(file, new File(tp.getUri(), file.getName()));
+ i++;
+ fis.close();
+ }
+
+ // convert ArrayList<File> to X509Certificate[]
+ X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
+ Iterator itcert = tsl_certs.iterator();
+ i = 0;
+ File f = null;
+ while(itcert.hasNext()) {
+ f = (File)itcert.next();
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = new X509Certificate(fis);
+ addCertificatesTSL[i] = cert;
+
+ i++;
+ fis.close();
+ }
+
+ Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
+
+ Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
+ storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
+ storeUpdater.addCertificatesToCertStores(addCertificates, tid);
+
+
}
-
- // get certificates to be removed
- X509Certificate[] removeCertificates = tp.getCertficatesToBeRemoved();
-
-
- //Logger.debug(new LogMsg(msg.getMessage("config.44", null)));
- Logger.debug(new LogMsg("Remove " + removeCertificates.length + " certificates."));
- storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid);
-
-
- Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
- storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
-
- // set the certifcates to be removed for the next TSL update
- tp.setCertificatesToBeRemoved(addCertificates);
-
}
}
- }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java new file mode 100644 index 000000000..544ea916c --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java @@ -0,0 +1,286 @@ +package at.gv.egovernment.moa.spss.util; + +import iaik.asn1.ObjectID; +import iaik.asn1.structures.Name; +import iaik.asn1.structures.PolicyInformation; +import iaik.utils.RFC2253NameParser; +import iaik.utils.RFC2253NameParserException; +import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; +import iaik.x509.extensions.CertificatePolicies; +import iaik.x509.extensions.qualified.QCStatements; +import iaik.x509.extensions.qualified.structures.QCStatement; +import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance; +import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD; +import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; +import iaik.xml.crypto.tsl.ex.TSLSearchException; + +import java.security.Principal; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; + +public class CertificateUtils { + + + /** + * Verifies if the given certificate contains QCP+ statement + * @param cert X509Certificate + * @return true if the given certificate contains QCP+ statement, else false + */ + private static boolean checkQCPPlus(X509Certificate cert) { + Logger.debug("Checking QCP+ extension"); + String OID_QCPPlus = "0.4.0.1456.1.1"; + try { + CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid); + if (certPol == null) { + Logger.debug("No CertificatePolicies extension found"); + return false; + } + + PolicyInformation[] polInfo = certPol.getPolicyInformation(); + if (polInfo == null) { + Logger.debug("No policy information found"); + return false; + } + + for (int i = 0; i < polInfo.length; i++) { + ObjectID oid = polInfo[i].getPolicyIdentifier(); + String oidStr = oid.getID(); + if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) { + Logger.debug("QCP+ extension found"); + return true; + } + } + + Logger.debug("No QCP+ extension found"); + + return false; + } catch (X509ExtensionInitException e) { + Logger.debug("No QCP+ extension found"); + + return false; + } + + } + + /** + * Verifies if the given certificate contains QCP statement + * @param cert X509Certificate + * @return true if the given certificate contains QCP statement, else false + */ + private static boolean checkQCP(X509Certificate cert) { + Logger.debug("Checking QCP extension"); + String OID_QCP = "0.4.0.1456.1.2"; + try { + CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid); + if (certPol == null) { + Logger.debug("No CertificatePolicies extension found"); + return false; + } + + PolicyInformation[] polInfo = certPol.getPolicyInformation(); + if (polInfo == null) { + Logger.debug("No policy information found"); + return false; + } + + for (int i = 0; i < polInfo.length; i++) { + ObjectID oid = polInfo[i].getPolicyIdentifier(); + String oidStr = oid.getID(); + if (oidStr.compareToIgnoreCase(OID_QCP) == 0) { + Logger.debug("QCP extension found"); + return true; + } + + } + + Logger.debug("No QCP extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QCP extension found"); + return false; + } + + } + + /** + * Verifies if the given certificate contains QcEuCompliance statement + * @param cert X509Certificate + * @return true if the given certificate contains QcEuCompliance statement, else false + */ + private static boolean checkQcEuCompliance(X509Certificate cert) { + Logger.debug("Checking QcEUCompliance extension"); + try { + QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid); + + if (qcStatements == null) { + Logger.debug("No QcStatements extension found"); + return false; + } + + QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID); + + if (qcEuCompliance != null) { + Logger.debug("QcEuCompliance extension found"); + return true; + } + + Logger.debug("No QcEuCompliance extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QcEuCompliance extension found"); + return false; + } + + } + + /** + * Verifies if the given certificate contains QcEuSSCD statement + * @param cert X509Certificate + * @return true if the given certificate contains QcEuSSCD statement, else false + */ + private static boolean checkQcEuSSCD(X509Certificate cert) { + Logger.debug("Checking QcEuSSCD extension"); + try { + QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid); + if (qcStatements == null) { + Logger.debug("No QcStatements extension found"); + return false; + } + + QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID); + + if (qcEuSSCD != null) { + Logger.debug("QcEuSSCD extension found"); + return true; + } + + Logger.debug("No QcEuSSCD extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QcEuSSCD extension found"); + return false; + } + + } + + public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) { + + boolean qc = false; + boolean qcSourceTSL = false; + boolean sscd = false; + boolean sscdSourceTSL = false; + + try { + + if (isTSLenabledTrustprofile) { + // perform QC check via TSL + boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); + if (!checkQCFromTSL) { + // if QC check via TSL returns false + // try certificate extensions QCP and QcEuCompliance + Logger.debug("QC check via TSL returned false - checking certificate extensions"); + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP || checkQcEuCompliance) { + Logger.debug("Certificate is QC (Source: Certificate)"); + qc = true; + } + + qcSourceTSL = false; + } + else { + // use TSL result + Logger.debug("Certificate is QC (Source: TSL)"); + qc = true; + qcSourceTSL = true; + } + + // perform SSCD check via TSL + boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + if (!checkSSCDFromTSL) { + // if SSCD check via TSL returns false + // try certificate extensions QCP+ and QcEuSSCD + Logger.debug("SSCD check via TSL returned false - checking certificate extensions"); + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus || checkQcEuSSCD) { + Logger.debug("Certificate is SSCD (Source: Certificate)"); + sscd = true; + } + + sscdSourceTSL = false; + } + else { + // use TSL result + Logger.debug("Certificate is SSCD (Source: TSL)"); + sscd = true; + sscdSourceTSL = true; + } + + } + else { + // Trustprofile is not TSL enabled - use certificate extensions only + + // perform QC check + // try certificate extensions QCP and QcEuCompliance + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP || checkQcEuCompliance) + qc = true; + + qcSourceTSL = false; + + // perform SSCD check + // try certificate extensions QCP+ and QcEuSSCD + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus || checkQcEuSSCD) + sscd = true; + + sscdSourceTSL = false; + } + } + catch (TSLEngineDiedException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } catch (TSLSearchException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } + + QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL); + + return result; + } + + /** + * Gets the country from the certificate issuer + * @param cert X509 certificate + * @return Country code from the certificate issuer + */ + public static String getIssuerCountry(X509Certificate cert) { + String country = null; + Principal issuerdn = cert.getIssuerX500Principal(); + RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName()); + + try { + Name name = nameParser.parse(); + country = name.getRDN(ObjectID.country); + } catch (RFC2253NameParserException e) { + Logger.warn("Could not get country code from issuer."); + } + + + return country; + } +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java index dafb89f16..219bb7cdf 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -26,12 +26,14 @@ public class ExternalURIVerifier { boolean allowExternalUris = config.getAllowExternalUris();
List blacklist = config.getBlackListedUris();
+ List whitelist = config.getWhiteListedUris();
InetAddress hostInetAddress = InetAddress.getByName(host);
String ip = hostInetAddress.getHostAddress();
if (allowExternalUris) {
+ // external URIs are allowed - check blacklist
Iterator it = blacklist.iterator();
while (it.hasNext()) {
String[] array = (String[])it.next();
@@ -55,9 +57,46 @@ public class ExternalURIVerifier { }
}
}
- else {
- Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
- throw new MOAApplicationException("4001", new Object[]{host});
+ else {
+ // external uris are forbidden - check whitelist
+ Iterator it = whitelist.iterator();
+ boolean allowed = false;
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null || port == -1) {
+ // check only host
+ if (ip.startsWith(bhost)) {
+ Logger.debug(new LogMsg("Whitelist check: " + host + " (" + ip + ") whitelisted"));
+ allowed = true;
+ //throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (ip.startsWith(bhost) && (iport == port)) {
+ Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port + " whitelisted"));
+ //throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
+ allowed = true;
+ }
+
+ }
+ }
+
+ if (!allowed) {
+ if (port != -1) {
+ Logger.debug(new LogMsg("No external URIs allowed (" + host + ")"));
+ throw new MOAApplicationException("4001", new Object[]{host + "(" + ip + ")"});
+ }
+ else {
+ Logger.debug(new LogMsg("No external URIs allowed (" + host + ":" + port + ")"));
+ throw new MOAApplicationException("4001", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
+ }
+
+ }
+
}
Logger.debug(new LogMsg("URI allowed: " + ip + ":" + port));
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java new file mode 100644 index 000000000..99af84308 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java @@ -0,0 +1,37 @@ +package at.gv.egovernment.moa.spss.util; + +public class QCSSCDResult { + + private boolean qc; + private boolean qcSourceTSL; + + private boolean sscd; + private boolean sscdSourceTSL; + + public QCSSCDResult() { + this.qc = false; + this.qcSourceTSL = false; + this.sscd = false; + this.sscdSourceTSL = false; + } + + public QCSSCDResult(boolean qc, boolean qcSourceTSL, boolean sscd, boolean sscdSourceTSL) { + this.qc = qc; + this.qcSourceTSL = qcSourceTSL; + this.sscd = sscd; + this.sscdSourceTSL = sscdSourceTSL; + } + + public boolean isQC() { + return this.qc; + } + public boolean isQCSourceTSL() { + return this.qcSourceTSL; + } + public boolean isSSCD() { + return this.sscd; + } + public boolean isSSCDSourceTSL() { + return this.sscdSourceTSL; + } +} |