Diffstat (limited to 'spss/server/serverlib/src/main')
8 files changed, 448 insertions, 184 deletions
| diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java index 6209d8ef9..6b3f4301f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java @@ -175,7 +175,7 @@ public class VerifyCMSSignatureRequestParser {      	  excludeByteRangeFrom = new BigDecimal(excludeByteRangeFromStr);        if (excludeByteRangeToStr != null)      	  excludeByteRangeTo = new BigDecimal(excludeByteRangeToStr); -       +        return factory.createCMSDataObject(metaInfo, content, excludeByteRangeFrom, excludeByteRangeTo); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 0908d88c9..3d2da8384 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java 
@@ -1268,6 +1268,111 @@ public class ConfigurationPartsBuilder {    }    /** +   * Build the trust profile mapping. +   *  +   * @return The profile ID to profile mapping. +   */ +  public Map buildTrustProfiles()  +  { +    Map trustProfiles = new HashMap(); +    NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); +    Element profileElem; + +    while ((profileElem = (Element) profileIter.nextNode()) != null) +    { +      String id = getElementValue(profileElem, CONF + "Id", null); +      String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); +      String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null);       +      +      URI trustAnchorsLocURI = null; +      try +      { +        trustAnchorsLocURI = new URI(trustAnchorsLocStr); +        if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file +          trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); +        } +      } +      catch (URIException e) { +        warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); +        continue; +      } +      catch (MalformedURLException e) +      { +        warn("config.15", new Object[] {id}, e); +        continue; +      } + +      File profileDir = new File(trustAnchorsLocURI.getPath()); +      if (!profileDir.exists() || !profileDir.isDirectory()) { +        warn("config.27", new Object[] { "uri", id }); +        continue; +      } +       +       +       +      if (trustProfiles.containsKey(id)) { +        warn("config.04", new Object[] { "TrustProfile", id }); +        continue; +      }  +       +      URI signerCertsLocURI = null; +      if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) +      { +        try +        { +          signerCertsLocURI = new URI(signerCertsLocStr); +          if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new 
URI(configRoot_.toURL() + signerCertsLocStr); +           +          File signerCertsDir = new File(signerCertsLocURI.getPath()); +          if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { +            warn("config.27", new Object[] { "signerCertsUri", id }); +            continue; +          } +        } +        catch (URIException e) { +          warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); +          continue; +        } +        catch (MalformedURLException e) { +          warn("config.15", new Object[] {id}, e); +          continue; +        } +      } +       +      signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; +       +      TrustProfile profile = null; +       +      profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, false, null); +       +      trustProfiles.put(id, profile); +       +    } + +    return trustProfiles; +  } +   +  /** +   * checks if a trustprofile with TSL support is enabled +   *  +   * @return true if TSL support is enabled in at least one trustprofile, else false +   */ +  public boolean checkTrustProfilesTSLenabled()  +  { +    NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); +    Element profileElem; + +    boolean tslSupportEnabled = false; +    while ((profileElem = (Element) profileIter.nextNode()) != null)    { +      Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); +      if (eutslElem != null) //EUTSL element found --> TSL enabled +    	  tslSupportEnabled = true; +    } + +    return tslSupportEnabled; +  } +   +  /**     * Returns the location of the certificate store.     *      * @return the location of the certificate store. 
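Review bot: In the signer-certs `catch (URIException e)` block of `buildTrustProfiles()` the warning is built with `trustAnchorsLocStr`, so a malformed SignerCertsLocation is reported as if the TrustAnchorsLocation were bad; it should read `warn("config.14", new Object[] { "signerCertsUri", id, signerCertsLocStr }, e);`. TrustAnchorsLocation is read with a null default but, unlike the signer-certs value, is passed straight to `new URI(...)`; whether an absent element surfaces as a `URIException` or a NullPointerException depends on the URI class in use, so a null/empty check mirroring the signer-certs branch would make the failure a deterministic `config.14` warning. `TrustProfile profile = null;` followed immediately by an assignment can be one declaration, and `checkTrustProfilesTSLenabled()` can `return true;` as soon as an `EUTSL` element is found instead of scanning every profile.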
@@ -1385,6 +1490,22 @@ public class ConfigurationPartsBuilder {      Logger.warn(new LogMsg(txt));      warnings.add(txt);    } +   +  /** +   * Log a warning. +   *  +   * @param messageId The message ID. +   * @param args Additional parameters for the message. +   * @see at.gv.egovernment.moa.spss.server.util.MessageProvider +   */ +  private void debug(String messageId, Object[] args) { +    MessageProvider msg = MessageProvider.getInstance(); +    String txt = msg.getMessage(messageId, args); + +    Logger.debug(new LogMsg(txt)); +   +  } +      /**     * Log a debug message. 
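Review bot: The Javadoc on the new `debug(String messageId, Object[] args)` says `Log a warning.`, copied from `warn`; since a `debug(String)` overload whose Javadoc already reads "Log a debug message." follows in the context lines, the new one should say what distinguishes it, e.g. `Resolve a message ID through the MessageProvider and log the result at debug level.` The stray blank line before the closing brace can go.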
@@ -1577,31 +1698,31 @@ public class ConfigurationPartsBuilder {    public TSLConfiguration getTSLConfiguration() {  	  TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl(); -	   +	  	    	  String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null);  	  if (StringUtils.isEmpty(euTSLUrl)) {  		  euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; -		  warn("config.39", new Object[] { "EUTSL", euTSLUrl }); +		  debug("config.39", new Object[] { "EUTSL", euTSLUrl });  	  }  	  String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null);  	  if (StringUtils.isEmpty(updateSchedulePeriod)) {  		  updateSchedulePeriod = TSLConfiguration.DEFAULT_UPDATE_SCHEDULE_PERIOD; -		  warn("config.39", new Object[] { "UpdateSchedule/Period", updateSchedulePeriod }); +		  debug("config.39", new Object[] { "UpdateSchedule/Period", updateSchedulePeriod });  	  }  	  String updateScheduleStartTime = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "StartTime", null);  	  if (StringUtils.isEmpty(updateScheduleStartTime)) {  		  updateScheduleStartTime = TSLConfiguration.DEFAULT_UPDATE_SCHEDULE_STARTTIME; -		  warn("config.39", new Object[] { "UpdateSchedule/StartTime", updateScheduleStartTime }); +		  debug("config.39", new Object[] { "UpdateSchedule/StartTime", updateScheduleStartTime });  	  }  	  String workingDirectoryStr = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "WorkingDirectory", null);  	  if (StringUtils.isEmpty(workingDirectoryStr)) {  		  workingDirectoryStr = TSLConfiguration.DEFAULT_WORKING_DIR; -		  warn("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr }); +		  debug("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr });  	  }  	  // convert update schedule starting time to Date object 
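Review bot: Falling back to `TSLConfiguration.DEFAULT_EU_TSL_URL` is now logged only at debug level, so an operator who mistyped `EUTSLUrl` will not see that the trust-list source URL was silently replaced by a built-in default. The schedule and working-directory defaults are harmless at debug, but the URL fallback decides where trust anchors are fetched from and deserves info level, either via an info-level counterpart of the new `debug` helper or a single summary line after the block naming every value that came from a default. `getTSLConfiguration()` continues past the hunk.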
@@ -1638,24 +1759,12 @@ public class ConfigurationPartsBuilder {            return null;          } -      File hashcache = new File(tslWorkingDir, "hashcache"); -      if (!hashcache.exists()) { -    	  hashcache.mkdir(); -      } -      if (!hashcache.isDirectory()) { -    	  error("config.38", new Object[] { hashcache.getAbsolutePath() }); -          return null;   -      } - -      System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); -//    String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); -//    System.out.println("Hashcache: " + hashcachedir); - +              debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl);        debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod);        debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime);        debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath()); -      debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); +        	  // set TSL configuration  	  tslconfiguration.setEuTSLUrl(euTSLUrl); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 2cad35763..d67cbf1b4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java 
@@ -347,6 +347,16 @@ public class ConfigurationProvider      try {        builder = new ConfigurationPartsBuilder(configElem, configRoot); +      if (builder.checkTrustProfilesTSLenabled()) { +    	  debug("TSL support enabled for at least one trustprofile."); +    	  tslconfiguration_ = builder.getTSLConfiguration(); +    	  trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); +      } +      else { +    	  tslconfiguration_ = null; +    	  trustProfiles = builder.buildTrustProfiles(); +      } +              digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName();        canonicalizationAlgorithmName =          builder.getCanonicalizationAlgorithmName(); @@ -361,14 +371,14 @@ public class ConfigurationProvider        keyGroupMappings =          builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); -      tslconfiguration_ = builder.getTSLConfiguration(); -              xadesVersion = builder.getXAdESVersion();        defaultChainingMode = builder.getDefaultChainingMode();        chainingModes = builder.buildChainingModes();        useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess();        autoAddCertificates_ = builder.getAutoAddCertificates(); -      trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); +      //trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); +       +              distributionPoints = builder.buildDistributionPoints();        enableRevocationChecking_ = builder.getEnableRevocationChecking();        maxRevocationAge_ = builder.getMaxRevocationAge(); @@ -379,6 +389,7 @@ public class ConfigurationProvider        revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); +              //check TSL configuration        checkTSLConfiguration(); 
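Review bot: In the `else` branch of the `checkTrustProfilesTSLenabled()` check `tslconfiguration_` is set to null, yet `checkTSLConfiguration()` is still called unconditionally in the third hunk and, per the @@ -449 hunk, dereferences `tslconfiguration_.getWorkingDirectory()`; this is only safe if that method returns early when no trust profile is TSL-enabled, which this diff does not show, so guarding the call with `if (tslconfiguration_ != null) checkTSLConfiguration();` would make the invariant explicit. The old line `//trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory());` in the second hunk should be deleted rather than commented out. The choice between the two `buildTrustProfiles` overloads deserves a comment at the `if`, e.g. `// TSL configuration is only parsed when some trust profile declares an EUTSL element`.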
@@ -428,7 +439,21 @@ public class ConfigurationProvider      }    } -  private void checkTSLConfiguration() throws ConfigurationException { +  private boolean checkTSLenableTrustprofilesExist()throws ConfigurationException { +	  boolean bTSLEnabledTPExist = false; +	  Iterator it = trustProfiles.entrySet().iterator(); +	  while (it.hasNext()) { +	      Map.Entry pairs = (Map.Entry)it.next(); +	      TrustProfile tp = (TrustProfile) pairs.getValue(); +	      if (tp.isTSLEnabled()) +	    	  bTSLEnabledTPExist = bTSLEnabledTPExist || true; +	  } +	   +	  return bTSLEnabledTPExist; +	   +  } +   +  private void  checkTSLConfiguration() throws ConfigurationException {  	  boolean bTSLEnabledTPExist = false;  	  Iterator it = trustProfiles.entrySet().iterator();  	  while (it.hasNext()) { 
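Review bot: `bTSLEnabledTPExist = bTSLEnabledTPExist || true;` is just `= true`; the new `checkTSLenableTrustprofilesExist()` can instead `return true;` inside the `if` and `return false;` after the loop, and it declares `throws ConfigurationException` although nothing in it throws. The same loop is duplicated at the top of `checkTSLConfiguration()` (context lines below, body continues outside the hunk) but the helper is not called anywhere in this diff, so as committed it is dead code — either call it from there or drop it. A typed for-each over `trustProfiles.values()` would also remove the raw `Iterator`/`Map.Entry` casts.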
@@ -449,6 +474,43 @@ public class ConfigurationProvider  		  throw new ConfigurationException("config.40", null);  	  } +	  File workingDir = new File(tslconfiguration_.getWorkingDirectory()); +	  File eu_trust = new File(workingDir.getAbsolutePath() + "/trust/eu"); +	  if (!eu_trust.exists()) { +		  error("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"}); +		  throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"}); +	  } +	  else { +		  File[] eutrustFiles = eu_trust.listFiles(); +		  if (eutrustFiles == null) { +			  error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +			  throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +		  } +		  else { +			  if (eutrustFiles.length == 0) { +				  error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +				  throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); +			  } +		  } +			   +	  } +	   +	  File hashcache = new File(tslconfiguration_.getWorkingDirectory(), "hashcache"); +      if (!hashcache.exists()) { +    	  hashcache.mkdir(); +      } +      if (!hashcache.isDirectory()) { +    	  error("config.38", new Object[] { hashcache.getAbsolutePath() }); +          return;   +      } + +      System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +//    String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +//    System.out.println("Hashcache: " + hashcachedir); + + +      Logger.debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); +	      } 
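Review bot: The hashcache branch of `checkTSLConfiguration()` logs `config.38` and then plain `return`s, so a working directory where `hashcache` exists as a file (or where the ignored `mkdir()` fails) leaves TSL active with `iaik.xml.crypto.tsl.BinaryHashCache.DIR` unset, whereas the `trust/eu` checks just above throw; for consistency it should `throw new ConfigurationException("config.38", new Object[] { hashcache.getAbsolutePath() });`. `new File(workingDir.getAbsolutePath() + "/trust/eu")` is better written `new File(workingDir, "trust/eu")`, and `listFiles()` returning null means the path is not a readable directory rather than empty, so that case deserves its own message. The commented-out `System.out.println` lines carried over from ConfigurationPartsBuilder should be deleted. The method starts outside this hunk.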
@@ -759,6 +821,17 @@ public class ConfigurationProvider      Logger.info(new LogMsg(msg.getMessage(messageId, parameters)));    } +  /** +   * Log a debug message. +   *  +   * @param messageId The message ID. +   * @param parameters Additional parameters for the message. +   * @see at.gv.egovernment.moa.spss.server.util.MessageProvider +   */ +  private static void debug(String message) { +    Logger.debug(message); +  } +         /**     * Log a warning.     *  diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 0e5faf790..aca6f5895 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -311,6 +311,12 @@ public class CMSSignatureVerificationInvoker {  	  ByteArrayOutputStream contentOs = new ByteArrayOutputStream(); +	  CMSDataObject dataobject = request.getDataObject(); +	  BigDecimal from = dataobject.getExcludeByteRangeFrom(); +	  BigDecimal to = dataobject.getExcludeByteRangeTo(); +	   +	  if ( (from == null) || (to == null)) +		  return contentIs;  	  BigDecimal counter = new BigDecimal("0");  	  BigDecimal one = new BigDecimal("1"); @@ -318,7 +324,7 @@ public class CMSSignatureVerificationInvoker {  	  try {  		while ((byteRead=contentIs.read()) >= 0) { -			if (inRange(counter, request.getDataObject())) { +			if (inRange(counter, dataobject)) {  				  // if byte is in byte range, set byte to 0x00  				  contentOs.write(0);  			  } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index 07da0a998..3a004a81d 100644 
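Review bot: The Javadoc on the new `private static void debug(String message)` documents `@param messageId` and `@param parameters`, neither of which exists, and points at `MessageProvider` although the helper logs the string verbatim; it should carry `@param message the text to log at debug level, without message-ID resolution` and drop the `@see`. Naming it so that it is not confused with the ID-resolving `info`/`warn` helpers next to it would also help.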
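Review bot: The early `return contentIs;` in the @@ -311 hunk silently disables byte-range masking whenever only one of `ExcludeByteRangeFrom`/`ExcludeByteRangeTo` is present, even though VerifyCMSSignatureRequestParser (first hunk) accepts each of them independently; if a half-specified range is invalid it should be rejected as a request error rather than verified against unmasked content, and if it is valid (open-ended) `inRange` needs to handle the null bound. Either way the rule deserves a comment at the check, e.g. `// no complete exclusion range configured: hand the content through unchanged`, which also makes clear that the `contentOs` allocated above is unused on that path and could be created after the check. The enclosing method starts and ends outside the hunk.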
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java
@@ -1,6 +1,7 @@
 package at.gv.egovernment.moa.spss.tsl.connector;
  import iaik.asn1.ObjectID;
 +
  import iaik.util._;
  import iaik.util.logging._l;
  import iaik.utils.RFC2253NameParser;
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java index 0cb18a08e..e06abe44d 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java @@ -46,7 +46,9 @@ public class TSLUpdaterTimerTask extends TimerTask {  	public void run() {
  		try {
 +			Logger.info("Start TSL Update");
  			update();
 +			Logger.info("Finished TSL Update");
  		} catch (TSLEngineDiedException e) {
  			MessageProvider msg = MessageProvider.getInstance();
  			Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e);
 @@ -170,30 +172,35 @@ public class TSLUpdaterTimerTask extends TimerTask {  				        	fis.close();
  				        }
 -				        // convert ArrayList<File> to X509Certificate[]										
 -						X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
 -						Iterator itcert = tsl_certs.iterator();
 -						i = 0;
 -						File f = null;
 -						while(itcert.hasNext()) {
 -							f = (File)itcert.next();
 -							FileInputStream fis = new FileInputStream(f);
 -							X509Certificate cert = new X509Certificate(fis);
 -							addCertificatesTSL[i] = cert;
 +				        // convert ArrayList<File> to X509Certificate[]						
 +				        if (tsl_certs == null) {
 +				        	Logger.warn("No certificates from TSL imported.");
 +				        	//throw new TSLSearchException("No certificates from TSL imported.");
 +				        }
 +				        else {
 +				        
 +				        	X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()];
 +				        	Iterator itcert = tsl_certs.iterator();
 +				        	i = 0;
 +				        	File f = null;
 +				        	while(itcert.hasNext()) {
 +				        		f = (File)itcert.next();
 +				        		FileInputStream fis = new FileInputStream(f);
 +				        		X509Certificate cert = new X509Certificate(fis);
 +				        		addCertificatesTSL[i] = cert;
 -							i++;
 -							fis.close();
 -						}
 +				        		i++;
 +				        		fis.close();
 +				        	}
 -						Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
 -						storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
 -						storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
 +				        	Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates."));
 +				        	storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid);
 +				        	storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid);
 -						Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
 -						storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
 -						storeUpdater.addCertificatesToCertStores(addCertificates, tid);
 -			
 -			            
 +				        	Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates."));
 +				        	storeUpdater.addCertificatesToTrustStores(addCertificates, tid);
 +				        	storeUpdater.addCertificatesToCertStores(addCertificates, tid);
 +				        }			            
  					}
  				}
  			}
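Review bot: The `addCertificates` store updates that now sit at the end of the `else` block are inside the `tsl_certs == null` guard, so a TSL import that yields no certificates also skips adding the non-TSL `addCertificates` to the trust and cert stores although that array does not depend on `tsl_certs`; if that is not intended, only the `addCertificatesTSL` part belongs in the `else`. The commented-out `//throw new TSLSearchException(...)` should either become the real behaviour or be removed — a trust-store refresh that imports nothing is a condition an operator needs to notice, and one warn line is easy to miss. Inside the loop `fis` is not closed if `new X509Certificate(fis)` throws; wrapping the parse in `try { ... } finally { fis.close(); }` closes the leak. The enclosing method continues outside the hunk.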
 diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java index f0dbd779e..492d10eda 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java @@ -1,6 +1,7 @@  package at.gv.egovernment.moa.spss.tsl.utils;
  import iaik.util.logging._l;
 +
  import iaik.util.logging.Log.MultiThreadLoggingGroup;
  import iaik.utils.RFC2253NameParserException;
  import iaik.utils.Util;
 @@ -15,6 +16,7 @@ import iaik.xml.crypto.tsl.TSLOpenURIException;  import iaik.xml.crypto.tsl.TSLThreadContext;
  import iaik.xml.crypto.tsl.ValidationFixupFilter;
  import iaik.xml.crypto.tsl.ValidationFixupFilter.AttributeValueFixup;
 +import iaik.xml.crypto.tsl.ValidationFixupFilter.DeleteAttrFixup;
  import iaik.xml.crypto.tsl.ValidationFixupFilter.ElementStringValueFixup;
  import iaik.xml.crypto.tsl.ValidationFixupFilter.FixedSaxLevelValidationExcption;
  import iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup;
 @@ -97,44 +99,34 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  	  trustAnchorsWrongOnEuTsl_;
  	public TSLImportFromFileContext(
 -		Countries expectedTerritory,
 -		URL url,
 -		Number otherTslPointerId,
 -		String workingdirectory,
 -		boolean sqlMultithreaded,
 -		boolean throwExceptions,
 -		boolean logExceptions,
 -		boolean throwWarnings,
 -		boolean logWarnings,
 -		boolean nullRedundancies,
 -		String baseuri,
 -		Map <Countries, ListIterator<X509Certificate>> trustAnchorsWrongOnEuTsl, 
 -		TSLThreadContext parentContext) {
 -		super(
 -			expectedTerritory,
 -			url,
 -			otherTslPointerId,
 -			workingdirectory,
 -			sqlMultithreaded,
 -			throwExceptions,
 -			logExceptions,
 -			throwWarnings,
 -			logWarnings,
 -			nullRedundancies,
 -			parentContext);
 -		baseuri_ = baseuri;
 -		trustAnchorsWrongOnEuTsl_ = trustAnchorsWrongOnEuTsl;
 -	}
 -	
 -	public List<ThrowableAndLocatorAndMitigation> getErrorsAndWarnings() {
 -		List<ThrowableAndLocatorAndMitigation> errorsAndWarnings = new ArrayList<ThrowableAndLocatorAndMitigation>();
 -		errorsAndWarnings.addAll(this.fatals_);
 -		errorsAndWarnings.addAll(this.faildTransactions_);
 -		errorsAndWarnings.addAll(this.warnings_);
 -		
 -		return errorsAndWarnings;
 -	}
 -	
 +			Countries expectedTerritory,
 +			URL url,
 +			Number otherTslPointerId,
 +			String workingdirectory,
 +			boolean sqlMultithreaded,
 +			boolean throwExceptions,
 +			boolean logExceptions,
 +			boolean throwWarnings,
 +			boolean logWarnings,
 +			boolean nullRedundancies,
 +			String baseuri,
 +			Map <Countries, ListIterator<X509Certificate>> trustAnchorsWrongOnEuTsl, 
 +			TSLThreadContext parentContext) {
 +			super(
 +				expectedTerritory,
 +				url,
 +				otherTslPointerId,
 +				workingdirectory,
 +				sqlMultithreaded,
 +				throwExceptions,
 +				logExceptions,
 +				throwWarnings,
 +				logWarnings,
 +				nullRedundancies,
 +				parentContext);
 +			baseuri_ = baseuri;
 +			trustAnchorsWrongOnEuTsl_ = trustAnchorsWrongOnEuTsl;
 +		}
  	/* (non-Javadoc)
  	 * @see iaik.xml.crypto.tsl.TSLImportFromFileContext#getbaseURI()
  	 */
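Review bot: Apart from re-indenting the constructor by an extra tab, the only substantive change in this hunk is the removal of the public `getErrorsAndWarnings()` accessor, which the re-indentation makes easy to miss; if any caller still uses it this is a breaking change, and if the removal is deliberate the commit message should say so. The new indentation (parameters, body and closing brace at two tabs) no longer matches the surrounding class; restoring the original single-tab layout would reduce the hunk to the deletion alone.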
 @@ -142,67 +134,80 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  	public String getbaseURI() {
  		return this.baseuri_;
  	}
 -	
 +
 +
 +
 +
  	//@Override
 -	protected RuntimeException wrapException(Throwable t, Locator l, Mitigation m) {
 -		return super.wrapException(t, l, m);
 -	}
 +		protected RuntimeException wrapException(Throwable t, Locator l, Mitigation m) {
 +			return super.wrapException(t, l, m);
 +		}
  	@Override
 -	public synchronized void throwException(Throwable e) {
 +  public
 +	synchronized void throwException(Throwable e) {
  		if (e instanceof TSLValidationException) {
  			// we do not throw dom validation errors for testing
  			// and just collect them
  			wrapException(e);
 -			
  		} else if (e instanceof TSLVerificationException) {
 +			
 +			boolean corrected = false;
  			// we do not throw verification errors for testing
  			// and just collect them
 -			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NO_TSL_SIGNATURE
 -			    .getClass().getName(), "true"))
 -			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NO_TSL_SIGNATURE) {
 -				
 -				//TSL with no signature are ignored!!!!
 -				l.warn("TSL IS NOT SIGNED! " 
 -						+ this.expectedTerritory_.name() + " TSL ignored.");
 -			}
 -			
 -			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE
 -			    .getClass().getName(), "true"))
 -			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE) {
 -				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 -			}
 -			
 -			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE
 -			    .getClass().getName(), "true"))
 -			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE) {
 -				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 -			}
 -			
 -			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE
 -			    .getClass().getName(), "true"))
 -			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE) {
 -				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 -			}
 -			
 -			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE
 -			    .getClass().getName(), "true"))
 -			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE) {
 -				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 -			}
 +//			// NEVER DO THIS! unless you want to import TSLs without signatures.
 +//			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NO_TSL_SIGNATURE
 +//			    .getClass().getName(), "true"))
 +//			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NO_TSL_SIGNATURE) {
 +//				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 +//			}
 +//			
 +//			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE
 +//			    .getClass().getName(), "true"))
 +//			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE) {
 +//				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 +//			}
 -			wrapException(e);
 +//			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE
 +//			    .getClass().getName(), "true"))
 +//			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE) {
 +//				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 +//				
 +//				corrected = true;
 +//			}
 +//			
 +//			
 +//			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE
 +//			    .getClass().getName(), "true"))
 +//			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE) {
 +//				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 +//
 +//				corrected = true;
 +//			}
 +//			
 +//			if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE
 +//			    .getClass().getName(), "true"))
 +//			    && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE) {
 +//				((TSLVerificationException) e).setMitigation(Mitigation.IGNORED);
 +//				
 +//				corrected = true;
 +//			}
 +//			
 +//			if (corrected)
 +//				wrapException(e);
 +//			else
 +//				super.throwException(e);
 +
 +			super.throwException(e);
  		} else if (e instanceof FileNotFoundException) {
  			// we do not stop and continue processing
  			wrapException(e);
 -			
  		} else if (e instanceof IllegalArgumentException) {
  			// we do not stop and continue processing
  			wrapException(e);
 -			
  		} else {
  			// all other errors are treated as per default
  			super.throwException(e);
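Review bot: The context comment `// we do not throw verification errors for testing` / `// and just collect them` in the `TSLVerificationException` branch is now wrong: the branch ends in `super.throwException(e);`, so unsigned or non-conformantly signed TSLs are rejected instead of collected, which is the right behaviour for a trust-list importer. Replace it with `// verification errors (missing or non-conformant TSL signature) are fatal: rethrow` and delete both the unused `boolean corrected = false;` and the forty commented-out lines that follow, since the "NEVER DO THIS" header already states they must not come back. `public` on its own line above `synchronized void throwException` is a formatting slip. The method continues past the hunk.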
 @@ -221,9 +226,6 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  			if(
  				e instanceof FixedSaxLevelValidationExcption &&
  				enclosingMethod.getDeclaringClass().equals(ValidationFixupFilter.class)){
 -				
 -				
 -				
  				wrapException(e,
  					((LocatorAspect) e).getLocator(),
  					new FixedValidationMitigation("Performed SAX Level Fixup."));
 @@ -247,7 +249,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  				if (parameters[0] instanceof DOMError) {
  					DOMError domError = (DOMError) parameters[0];
 -					l.info(""+domError.getRelatedData());
 +					_l.warn(""+domError.getRelatedData());
  					//					domError.getRelatedData().getClass().getField("")
 @@ -308,6 +310,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  							}
  						});
  						return mitigatedResult;
 +						
  					}
  				}
 @@ -378,11 +381,43 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  					}
  				}
 -				l.error("Ignoring download error using old: " + parameters[0], null);
 +				_l.err("Ignoring download error using old: " + parameters[0], null);
  				wrapException(e);
  				return parameters[1];
  			}
 +//		if (
 +//		expectedTerritory_ == Countries.PL &&(
 +//			(e.getCause() instanceof java.io.EOFException ||
 +//				e.getCause() instanceof iaik.security.ssl.SSLException) &&
 +//				parameters[0] instanceof URL &&
 +//				((URL)parameters[0]).getProtocol().equalsIgnoreCase("https")
 +//		)){
 +//		File f = null;
 +//		System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
 +//		TLS.register("TLSv1");
 +//		try {
 +//			f = (File) enclosingMethod.invoke(thisObject, parameters);
 +//		} catch (IllegalAccessException e1) {
 +//			wrapException(e1);
 +//		} catch (InvocationTargetException e1) {
 +//			wrapException(e1);
 +//		}
 +//
 +//		//					System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", null);
 +//		TLS.register();
 +//
 +//		if (f != null){
 +//			wrapException(e, null, new Mitigation() {
 +//				@Override
 +//				public String getReport() {
 +//					return "Trying TLSv1 and sun.security.ssl.allowUnsafeRenegotiation=true";
 +//				}
 +//			});
 +//			return f;
 +//		}
 +//	}
 +
  			if (
  				e instanceof TSLSecurityException &&
  				enclosingMethod.getDeclaringClass().equals(TSLContext.class) &&
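Review bot: The commented-out PL fallback added at the end of this hunk would set `sun.security.ssl.allowUnsafeRenegotiation=true` process-wide and re-register `TLSv1` when an https download fails; code that weakens TLS for the whole JVM should not be kept in the source as a ready-to-uncomment snippet even while disabled — delete it and track the download problem in an issue instead. If a per-territory mitigation is ever required it belongs in a narrowly scoped handler with the trade-off documented, not in a global system property. The `l.error` → `_l.err` change itself is fine. The method continues outside the hunk.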
 @@ -406,14 +441,14 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  						wrapException(e1);
  					}
  					wrapException(e, getLocator(),
 -						new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation(){
 -						@Override
 -						public String getReport() {
 -							return "make an exception for " + expectedTerritory_ + " who have the wrong certificate in " +
 -							"the EU TSL and allow the certificate " +
 -							parameters[1];
 -						}
 -					});
 +							new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation(){
 +							@Override
 +							public String getReport() {
 +								return "make an exception for " + expectedTerritory_ + " who have the wrong certificate in " +
 +								"the EU TSL and allow the certificate " +
 +								parameters[1];
 +							}
 +						});
  					return null;
  				}
  				X509Certificate crt = (X509Certificate)parameters[1];
 @@ -530,47 +565,45 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF  				}
  			}
 -//			//TODO: CONSIDER, IF WE REALLY WANT THIS PART OF CODE!
 -//			//ugly hack to accept a certificate which uses a crazy X509SubjectName!!
 -//			if	( expectedTerritory_ == Countries.DK && 
 -//					e instanceof KeySelectorException &&
 -//					parameters[0] instanceof X509DataImpl){
 -//				if (e.getMessage().equals("KeyInfo X509SubjectName (CN=Adam Arndt                Digst,serialNumber=CVR:34051178-RID:25902029,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) does not match SubjectDN (serialNumber=CVR:34051178-RID:25902029+CN=Adam Arndt                Digst,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) of KeyInfo X509Certificate.\n"+
 -//						"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key.")) {
 -//						
 -//			    	X509DataImpl x509DataImpl = (X509DataImpl) parameters[0];
 -//
 -//			    	Node child = x509DataImpl.getNode().getFirstChild().getNextSibling();
 -//			    	Node child1 = x509DataImpl.getNode().getFirstChild();
 -//			    	
 -//			    	x509DataImpl.getNode().removeChild(child);
 -//			    	x509DataImpl.getNode().removeChild(child1);
 -//			    	
 -//			    	
 -//			    	parameters[0] = (X509Data) x509DataImpl
 -//			    				    				    	
 -//						Object mitigatedResult = null;
 -//						try {
 -//
 -//							mitigatedResult = enclosingMethod.invoke(thisObject, parameters);
 -//						} catch (IllegalAccessException e1) {
 -//							wrapException(e1);
 -//						} catch (InvocationTargetException e1) {
 -//							wrapException(e1);
 -//						}
 -//
 -//						if (mitigatedResult != null){
 -//							wrapException(e, null, new Mitigation(null) {
 -//								@Override
 -//								public String getReport() {
 -//									return "Deleted wrong X509SubjectName from XMLDSIG Signature.";
 -//								}
 -//							});
 -//							return mitigatedResult;
 -//						}
 -//					}
 -//			}
 -			
 +			if	( expectedTerritory_ == Countries.DK && 
 +					e instanceof KeySelectorException &&
 +					parameters[0] instanceof X509DataImpl){
 +				if (e.getMessage().equals("KeyInfo X509SubjectName (CN=Adam Arndt                Digst,serialNumber=CVR:34051178-RID:25902029,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) does not match SubjectDN (serialNumber=CVR:34051178-RID:25902029+CN=Adam Arndt                Digst,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) of KeyInfo X509Certificate.\n"+
 +						"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key.")) {
 +						
 +			    	X509DataImpl x509DataImpl = (X509DataImpl) parameters[0];
 +			    		
 +			    	ListIterator li = x509DataImpl.getContent().listIterator();
 +			    	li.next();
 +			    	String sn = (String) li.next();
 +			    	
 +			    	_l.err(sn, null);
 +			    	
 +			    	System.exit(1);
 +			    	
 +						Object mitigatedResult = null;
 +						try {
 +
 +							mitigatedResult = enclosingMethod.invoke(thisObject, parameters);
 +						} catch (IllegalAccessException e1) {
 +							wrapException(e1);
 +						} catch (InvocationTargetException e1) {
 +							wrapException(e1);
 +						}
 +
 +						if (mitigatedResult != null){
 +							wrapException(e, null, new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation() {
 +								@Override
 +								public String getReport() {
 +									return "Deleted wrong X509SubjectName from XMLDSIG Signature.";
 +								}
 +							});
 +							return mitigatedResult;
 +							
 +						}
 +					}
 +			}
 +
  		} else {
  			if (e instanceof MitigatedTSLSecurityException){
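Review bot: `System.exit(1);` inside the newly enabled DK mitigation terminates the whole JVM from an exception-handling path of a server library, so one Danish TSL that reaches this KeySelectorException would take the service down; together with the `ListIterator li = x509DataImpl.getContent().listIterator(); … _l.err(sn, null);` lines directly above it this reads as debugging residue and should be deleted before the branch ships. While the exit stays, everything from `Object mitigatedResult = null;` to the `return mitigatedResult;` is unreachable. Unlike the previously commented-out version, the new code no longer alters `parameters[0]` before `enclosingMethod.invoke(thisObject, parameters)`, so the retry presumably hits the same KeyInfo mismatch and the "Deleted wrong X509SubjectName" report would not describe what actually happened — confirm what the retry is meant to change. The unchecked `(String) li.next()` cast throws ClassCastException for any other content element type, which would escape this handler. The enclosing method starts and ends outside the hunk.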
 @@ -578,7 +611,6 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
  				// and collect them
  				wrapException(e);
  				return null;
 -				
  			} else if (e instanceof FixedSaxLevelValidationExcption) {
  				// we allow to mitigate Sax Level Fixup for testing
  				// and collect them
 @@ -607,7 +639,11 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
  		if(expectedTerritory_ == Countries.EL){
  			//fix the whitespace in Greece TSL
  			status = status.trim();
 -		}
 +		}		
 +		if (status != null && status.startsWith("http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/")) {
 +		        status = status.substring("http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/".length());
 +		      }
 +
  		return super.compressStatus(status);
  	}
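Review bot: The new `status != null` guard sits two lines below the EL branch's unguarded `status.trim()`, so for EL a null status would already have thrown NullPointerException before the guard is reached; either the null case cannot occur (then the guard is dead) or the EL branch needs the same protection, e.g. `if (status != null && expectedTerritory_ == Countries.EL) {`. The prefix literal is repeated in the `startsWith` and the `substring` call; hoist it into `private static final String SVCSTATUS_PREFIX = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/";` and use it in both places so the two cannot drift apart. The added lines also mix space and tab indentation and leave trailing whitespace after the EL branch's closing brace.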
 @@ -625,6 +661,37 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
  	@Override
  	public iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup getSaxLevelValidationFixup(SAXParseException e) {
 +		if (expectedTerritory_ == Countries.AT){
 +			if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
 +				return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
 +			}
 +		}
 +		
 +		if (expectedTerritory_ == Countries.CZ){
 +			if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
 +				return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
 +			}
 +		}
 +		
 +		if (expectedTerritory_ == Countries.FR){
 +			if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
 +				return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
 +			}
 +		}
 +		
 +		if (expectedTerritory_ == Countries.NO){
 +			if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
 +				return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
 +			}
 +		}
 +		
 +		if (expectedTerritory_ == Countries.SK){
 +			if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){
 +				return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this);
 +			}
 +		}
 +		
 +
  		if (expectedTerritory_ == Countries.ES && getDownloadLocation().toString().contains(".es/")){
  			if (e.getMessage().equals("cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'tslx:CertSubjectDNAttributeType'.")){
  				return new LocalNameFixup("CertSubjectDNAttributeType","CertSubjectDNAttribute",e, this);
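Review bot: The five new territory blocks (AT, CZ, FR, NO, SK) compare `e.getMessage()` against the same ~300-character Xerces message and return the same `DeleteAttrFixup`, so the message and the territory list should be stated once; a literal duplicated five times is the kind of thing that silently diverges on the next edit. `e.getMessage().equals(...)` also throws NullPointerException when the SAXParseException carries no message, whereas `URI_XML_LANG_MSG.equals(e.getMessage())` with the constant on the left is null-safe. The method continues past the end of the hunk. A consolidated form, with the message as a class-level constant:
```java
	// class-level constant: validator message for an xml:lang attribute on tsl:URI
	private static final String URI_XML_LANG_MSG =
		"cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.";

	public iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup getSaxLevelValidationFixup(SAXParseException e) {
		// territories whose TSL carries xml:lang on tsl:URI, which the schema forbids
		boolean dropsXmlLangOnUri =
			expectedTerritory_ == Countries.AT || expectedTerritory_ == Countries.CZ ||
			expectedTerritory_ == Countries.FR || expectedTerritory_ == Countries.NO ||
			expectedTerritory_ == Countries.SK;
		if (dropsXmlLangOnUri && URI_XML_LANG_MSG.equals(e.getMessage())) {
			return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace", "lang", e, this);
		}
		// … unchanged: ES and the remaining territory-specific fixups …
```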
 @@ -734,7 +801,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
  		String msg = e.getMessage();
 -		l.info(msg);
 +		_l.info(msg);
  		return(
  			msg.startsWith("["+SQLiteErrorCode.SQLITE_CONSTRAINT.name()+"]") &&
  			msg.contains("column " + DbTables.TSLDownload.C.rawHash + " is not unique")
 @@ -748,7 +815,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
  	@Override
  	protected long howLongWaitForThreads() {
  		// TODO Auto-generated method stub
 -		return 10000;
 +		return 100000;
  	}
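Review bot: The wait returned by `howLongWaitForThreads` grows ten-fold without a comment saying why, and the `// TODO Auto-generated method stub` above the return is stale now that the value is deliberately tuned. Replace the TODO with a comment naming the unit and the motivation, e.g. `// upper bound for waiting on worker threads; presumably milliseconds (confirm against the superclass)`, and consider a named constant such as `private static final long THREAD_WAIT_MS = 100000L;` so the magnitude is visible at the declaration.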
  	@Override
 @@ -768,7 +835,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF
  			synchronized (log) {
  				parentContext_.print("<" + ncName + " state=\"" + currentThread.getState()
  				    + "\" " + " id=\"" + currentThread.getId() + "\">\n" + log.toString() + "</"
 -				    + ncName + ">\n");
 +				    + ncName + ">" + _.LB);
  				parentContext_.flushLog();
  				log.setLength(0);
  			}
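Review bot: Only the closing line break was switched to `_.LB`; the opening tag on the line above still ends with a literal `"\">\n"`, so the printed record now mixes two line-break conventions whenever `_.LB` is not `\n` (its value is not visible here). Make both consistent: `+ "\" " + " id=\"" + currentThread.getId() + "\">" + _.LB + log.toString() + "</"`. The enclosing method starts and ends outside the hunk.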
 diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
 index e4ee607c0..9e2e0e490 100644
 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
 +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
 @@ -159,6 +159,7 @@ config.46=Start periodical TSL update task at {0} and then every {1} millisecond
  config.48=No whitelisted URIs given.
  config.49=Whitelisted URI: {0}.
  config.50=Fehler beim Erstellen des TSL Vertrauensprofils: Das Verzeichnis ({0}) ist kein Verzeichnis.
 +config.51=Fehler beim Erstellen der TSL Konfiguration: TSL-Arbeitsverzeichnis ist fehlerhaft ({0}).
  handler.00=Starte neue Transaktion: TID={0}, Service={1}
  handler.01=Aufruf von Adresse={0}
