From 5b697c424d24a7523dccd210454d029368e34898 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 21 Aug 2013 13:12:26 +0200 Subject: Update QC/SSCD check WSDL location updated --- .../resources/resources/schemas/MOA-SPSS-1.5.2.xsd | 34 +- id/oa/.settings/org.eclipse.jdt.core.prefs | 6 +- id/oa/.settings/org.eclipse.wst.common.component | 10 +- .../org.eclipse.wst.common.project.facet.core.xml | 6 +- .../.settings/org.eclipse.wst.common.component | 3 - .../.settings/org.eclipse.wst.common.component | 7 +- .../.settings/org.eclipse.wst.common.component | 3 - pom.xml | 16 +- spss/handbook/clients/api/.classpath | 82 +-- .../handbook/config/MOA-SPSS-config-1.5.2.xsd | 61 ++- spss/handbook/handbook/config/config.html | 6 +- spss/handbook/handbook/spec/MOA-SPSS-1.5.2.xsd | 104 +++- .../resources/data/deploy/tomcat/unix/moa-env.sh | 5 +- .../data/deploy/tomcat/win32/startTomcat.bat | 5 +- .../gv/egovernment/moa/spss/api/SPSSFactory.java | 4 +- .../moa/spss/api/common/SignerInfo.java | 6 +- .../moa/spss/api/impl/SPSSFactoryImpl.java | 4 +- .../moa/spss/api/impl/SignerInfoImpl.java | 10 + .../moa/spss/api/xmlbind/ResponseBuilderUtils.java | 20 +- .../xmlbind/VerifyCMSSignatureResponseBuilder.java | 4 +- .../xmlbind/VerifyXMLSignatureResponseBuilder.java | 3 +- .../server/config/ConfigurationPartsBuilder.java | 9 - .../moa/spss/server/init/SystemInitializer.java | 10 +- .../invoke/CMSSignatureVerificationInvoker.java | 209 ++------ .../invoke/VerifyCMSSignatureResponseBuilder.java | 5 +- .../invoke/VerifyXMLSignatureResponseBuilder.java | 6 +- .../invoke/XMLSignatureVerificationInvoker.java | 104 +--- .../moa/spss/tsl/connector/TSLConnector.java | 252 ++++++++++ .../moa/spss/tsl/timer/TSLUpdaterTimerTask.java | 200 ++++---- .../moa/spss/util/CertificateUtils.java | 286 +++++++++++ .../gv/egovernment/moa/spss/util/QCSSCDResult.java | 37 ++ spss/server/serverws/pom.xml | 3 +- .../serverws/resources/wsdl/MOA-SPSS-1.5.2.wsdl | 128 ----- .../serverws/resources/wsdl/MOA-SPSS-1.5.2.xsd | 551 --------------------- .../src/main/webapp/WEB-INF/server-config.wsdd | 8 +- 35 files changed, 1046 insertions(+), 1161 deletions(-) create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java delete mode 100644 spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.wsdl delete mode 100644 spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.xsd diff --git a/common/src/main/resources/resources/schemas/MOA-SPSS-1.5.2.xsd b/common/src/main/resources/resources/schemas/MOA-SPSS-1.5.2.xsd index 640f577aa..144918778 100644 --- a/common/src/main/resources/resources/schemas/MOA-SPSS-1.5.2.xsd +++ b/common/src/main/resources/resources/schemas/MOA-SPSS-1.5.2.xsd @@ -147,7 +147,7 @@ - only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any;publicAuthority is included as X509Data/any; SecureSignatureCreationDevice is included as X509Data/any + only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any;publicAuthority is included as X509Data/any; SecureSignatureCreationDevice is included as X509Data/any, IssuingCountry is included as X509Data/any @@ -198,7 +198,7 @@ - only ds:X509Data and ds:RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any; PublicAuthority is included as X509Data/any; SecureSignatureCreationDevice is included as X509Data/any + only ds:X509Data and ds:RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any; PublicAuthority is included as X509Data/any; SecureSignatureCreationDevice is included as X509Data/any, IssuingCountry is included as X509Data/any @@ -454,19 +454,31 @@ - + + + + + + + + + + + + - - - - - - - - + + + + + + + + + diff --git a/id/oa/.settings/org.eclipse.jdt.core.prefs b/id/oa/.settings/org.eclipse.jdt.core.prefs index c788ee346..dc0892a32 100644 --- a/id/oa/.settings/org.eclipse.jdt.core.prefs +++ b/id/oa/.settings/org.eclipse.jdt.core.prefs @@ -1,8 +1,8 @@ eclipse.preferences.version=1 org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled -org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7 -org.eclipse.jdt.core.compiler.compliance=1.7 +org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5 +org.eclipse.jdt.core.compiler.compliance=1.5 org.eclipse.jdt.core.compiler.problem.assertIdentifier=error org.eclipse.jdt.core.compiler.problem.enumIdentifier=error org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning -org.eclipse.jdt.core.compiler.source=1.7 +org.eclipse.jdt.core.compiler.source=1.5 diff --git a/id/oa/.settings/org.eclipse.wst.common.component b/id/oa/.settings/org.eclipse.wst.common.component index 7e38d20b7..beb49b957 100644 --- a/id/oa/.settings/org.eclipse.wst.common.component +++ b/id/oa/.settings/org.eclipse.wst.common.component @@ -1,8 +1,8 @@ - - + - - + + + - \ No newline at end of file + diff --git a/id/oa/.settings/org.eclipse.wst.common.project.facet.core.xml b/id/oa/.settings/org.eclipse.wst.common.project.facet.core.xml index a801c94a0..fec12087a 100644 --- a/id/oa/.settings/org.eclipse.wst.common.project.facet.core.xml +++ b/id/oa/.settings/org.eclipse.wst.common.project.facet.core.xml @@ -2,6 +2,6 @@ - - - \ No newline at end of file + + + diff --git a/id/server/auth/.settings/org.eclipse.wst.common.component b/id/server/auth/.settings/org.eclipse.wst.common.component index e667e1ee5..90413a56a 100644 --- a/id/server/auth/.settings/org.eclipse.wst.common.component +++ b/id/server/auth/.settings/org.eclipse.wst.common.component @@ -6,9 +6,6 @@ uses - - uses - uses diff --git a/id/server/idserverlib/.settings/org.eclipse.wst.common.component b/id/server/idserverlib/.settings/org.eclipse.wst.common.component index 8f3380621..a5eb3d4d8 100644 --- a/id/server/idserverlib/.settings/org.eclipse.wst.common.component +++ b/id/server/idserverlib/.settings/org.eclipse.wst.common.component @@ -1,8 +1,7 @@ - + + - - - + \ No newline at end of file diff --git a/id/server/proxy/.settings/org.eclipse.wst.common.component b/id/server/proxy/.settings/org.eclipse.wst.common.component index cc61830e7..eeb0e2248 100644 --- a/id/server/proxy/.settings/org.eclipse.wst.common.component +++ b/id/server/proxy/.settings/org.eclipse.wst.common.component @@ -6,9 +6,6 @@ uses - - uses - uses diff --git a/pom.xml b/pom.xml index 19674de20..d7e107a2d 100644 --- a/pom.xml +++ b/pom.xml @@ -68,10 +68,10 @@ moa - id/assembly-auth.xml--> - + id/assembly-auth.xml + id/assembly-proxy.xml spss/assembly.xml - + spss/assembly-lib.xml @@ -211,32 +211,32 @@ junit junit - 3.8.1 + 3.8.1 test commons-logging commons-logging - 1.0.4 + 1.0.4 compile javax.servlet servlet-api - 2.4 + 2.4 provide javax.activation activation - 1.1 + 1.1 compile commons-discovery commons-discovery - 0.2 + 0.2 compile diff --git a/spss/handbook/clients/api/.classpath b/spss/handbook/clients/api/.classpath index ea8736aef..53806d1e8 100644 --- a/spss/handbook/clients/api/.classpath +++ b/spss/handbook/clients/api/.classpath @@ -1,43 +1,43 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/spss/handbook/handbook/config/MOA-SPSS-config-1.5.2.xsd b/spss/handbook/handbook/config/MOA-SPSS-config-1.5.2.xsd index 669ebe53f..91d281171 100644 --- a/spss/handbook/handbook/config/MOA-SPSS-config-1.5.2.xsd +++ b/spss/handbook/handbook/config/MOA-SPSS-config-1.5.2.xsd @@ -19,20 +19,36 @@ - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -78,6 +94,7 @@ + @@ -99,6 +116,19 @@ + + + + + + + + + + + + + @@ -147,7 +177,7 @@ - + @@ -283,6 +313,7 @@ + diff --git a/spss/handbook/handbook/config/config.html b/spss/handbook/handbook/config/config.html index 96270bde1..f44bd7dc0 100644 --- a/spss/handbook/handbook/config/config.html +++ b/spss/handbook/handbook/config/config.html @@ -1071,7 +1071,10 @@ Wird der Wert auf -1 gesetzt, dann bedeutet das ein unendlich langes Intervall.

Das Element cfg:TSLConfiguration legt die TSL Konfiguration fest, wenn Vertrauensprofile mit TSL Unterstützung konfiguriert sind. Das Element weist folgende Kind-Elemente auf:

      -
    • Element cfg:UpdateSchedule: Dieses Element legt fest wann und in welchem Intervall die EU-TSL erneut eingelesen werden soll. Das Element cfg:UpdateSchedule besteht dabei aus folgenden Kind-Elementen:
    • +
    • Element cfg:EUTSLUrl: Dieses optionale Element legt die URL zur EU-TSL fest.
      +
    • + Hinweis: Wird kein cfg:EUTSLUrl Element angegeben so wird defaultmäßig https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml als EU-TSL URL herangezogen. +
    • Element cfg:UpdateSchedule: Dieses optionale Element legt fest wann und in welchem Intervall die EU-TSL erneut eingelesen werden soll. Das Element cfg:UpdateSchedule besteht dabei aus folgenden Kind-Elementen:
      • Element cfg:StartTime: Legt eine Startzeit im Format hh:mm:ss fest.
      • Element cfg:Period: Legt das Intervall (in Millisekunden) fest, in welchem die EU-TSL erneut eingelesen werden soll
      • @@ -1085,7 +1088,6 @@ Wird der Wert auf -1 gesetzt, dann bedeutet das ein unendlich langes Intervall. Wichtig: Das angegebene Verzeichnis muss jedenfalls die Unterverzeichnis "trust" aus der Beispiel-Konfiguration beinhalten. In dessen Unterverzeichnis "eu" müssen jene vertrauenswürdigen Zertifikate angegeben werden, mit denen die EU-TSL signiert ist.
      -

      Wichtig: Beim Tomcat-Start muss zusätzlich noch ein so genannten Hashcache Verzeichnis angegeben werden. Dies erfolgt mit dem Parameter iaik.xml.crypto.tsl.BinaryHashCache.DIR (siehe auch Starten und Stoppen von Tomcat).

      Hinweis: Um die TSL Überprüfung zu aktivieren muss auch (zumindest) ein Vertrauensprofil mit TSL Überprüfung konfiguriert werden (siehe Vertrauensprofil)

      diff --git a/spss/handbook/handbook/spec/MOA-SPSS-1.5.2.xsd b/spss/handbook/handbook/spec/MOA-SPSS-1.5.2.xsd index 137ad6deb..144918778 100644 --- a/spss/handbook/handbook/spec/MOA-SPSS-1.5.2.xsd +++ b/spss/handbook/handbook/spec/MOA-SPSS-1.5.2.xsd @@ -1,15 +1,56 @@ - - - + + + + + + + + + + + + + Ermöglichung der Stapelsignatur durch wiederholte Angabe dieses Elements + + + + + + + + + + + + + + + + + + + + + + Kardinalität 1..oo erlaubt die Antwort auf eine Stapelsignatur-Anfrage + + + + Resultat, falls die Signaturerstellung erfolgreich war + + + + + @@ -106,7 +147,7 @@ - only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any;publicAuthority is included as X509Data/any + only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any;publicAuthority is included as X509Data/any; SecureSignatureCreationDevice is included as X509Data/any, IssuingCountry is included as X509Data/any @@ -157,7 +198,7 @@ - only ds:X509Data and ds:RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any; PublicAuthority is included as X509Data/any + only ds:X509Data and ds:RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any; PublicAuthority is included as X509Data/any; SecureSignatureCreationDevice is included as X509Data/any, IssuingCountry is included as X509Data/any @@ -228,6 +269,25 @@ + + + + + + + + + + + + + + + + + + + @@ -246,6 +306,12 @@ + + + + + + @@ -388,7 +454,31 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/spss/server/serverlib/resources/data/deploy/tomcat/unix/moa-env.sh b/spss/server/serverlib/resources/data/deploy/tomcat/unix/moa-env.sh index 6d5be35c0..f114a40f8 100644 --- a/spss/server/serverlib/resources/data/deploy/tomcat/unix/moa-env.sh +++ b/spss/server/serverlib/resources/data/deploy/tomcat/unix/moa-env.sh @@ -3,14 +3,11 @@ MOA_START=`pwd` CONFIG_OPT=-Dmoa.spss.server.configuration=$MOA_START/conf/moa-spss/spss.config.xml LOGGING_OPT=-Dlog4j.configuration=file:$MOA_START/conf/moa-spss/log4j.properties -# Hashcache Parameter für TSL Unterstuetzung bei MOA-SP -#PARAM_HASHCACHE=-Diaik.xml.crypto.tsl.BinaryHashCache.DIR=$MOA_START/conf/moa-spss/hashcache/ - # NODE_ID_OPT=-Dmoa.node-id=node1 # TRUST_STORE_OPT=-Djavax.net.ssl.trustStore=truststore.jks # TRUST_STORE_PASS_OPT=-Djavax.net.ssl.trustStorePassword=changeit # TRUST_STORE_TYPE_OPT=-Djavax.net.ssl.trustStoreType=jks -export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $NODE_ID_OPT $PARAM_HASHCACHE $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT" +export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $NODE_ID_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT" echo CATALINA_OPTS=$CATALINA_OPTS diff --git a/spss/server/serverlib/resources/data/deploy/tomcat/win32/startTomcat.bat b/spss/server/serverlib/resources/data/deploy/tomcat/win32/startTomcat.bat index 729bddbf3..de36fd5c4 100644 --- a/spss/server/serverlib/resources/data/deploy/tomcat/win32/startTomcat.bat +++ b/spss/server/serverlib/resources/data/deploy/tomcat/win32/startTomcat.bat @@ -15,10 +15,7 @@ set PARAM_SPSSCONFIG=-Dmoa.spss.server.configuration=%MOA_SPSS_CFG_HOME%\spss.co set PARAM_LOGGING=-Dlog4j.configuration=file:%MOA_SPSS_CFG_HOME%\log4j.properties set PARAM_NODEID=-Dmoa.node-id=Node1 -rem Hashcache Parameter für TSL Unterstuetzung bei MOA-SP -rem set PARAM_HASHCACHE=-Diaik.xml.crypto.tsl.BinaryHashCache.DIR=%MOA_SPSS_CFG_HOME%\hashcache\ - -set PARAMS_MOA=%PARAM_SPSSCONFIG% %PARAM_LOGGING% %PARAM_NODEID% %PARAM_HASHCACHE% +set PARAMS_MOA=%PARAM_SPSSCONFIG% %PARAM_LOGGING% %PARAM_NODEID% rem set PARAM_TRUST_STORE=-Djavax.net.ssl.trustStore=truststore.jks rem set PARAM_TRUST_STORE_PASS=-Djavax.net.ssl.trustStorePassword=changeit diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index 80f996b36..b5cc96a04 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -1101,6 +1101,7 @@ public abstract class SPSSFactory { * signature based on a SSDC, otherwise false. * @param sscdSourceTSL true, if the SSCD information comes from the TSL, * otherwise false. + * @param issuerCountryCode contains the signer certificate issuer country code. * @return The SignerInfo containing the above data. * * @pre signerCertSubjectName != null @@ -1114,7 +1115,8 @@ public abstract class SPSSFactory { boolean publicAuthority, String publicAuthorityID, boolean sscd, - boolean sscdSourceTSL); + boolean sscdSourceTSL, + String issuerCountryCode); /** * Create a new X509IssuerSerial object. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java index 337f775bf..777365ad3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java @@ -68,7 +68,11 @@ public interface SignerInfo { */ public String getQCSource(); - + /** + * Returns the signer certificate issuer country code + * @return + */ + public String getIssuerCountryCode(); /** * Checks, whether the certificate contained in this object is a * public authority certificate. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java index 74f65cb70..8e3bb7636 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java @@ -626,7 +626,8 @@ public class SPSSFactoryImpl extends SPSSFactory { boolean publicAuthority, String publicAuthorityID, boolean sscd, - boolean sscdSourceTSL) { + boolean sscdSourceTSL, + String issuerCountryCode) { SignerInfoImpl signerInfo = new SignerInfoImpl(); signerInfo.setSignerCertificate(signerCertificate); signerInfo.setQualifiedCertificate(qualifiedCertificate); @@ -635,6 +636,7 @@ public class SPSSFactoryImpl extends SPSSFactory { signerInfo.setPublicAuhtorityID(publicAuthorityID); signerInfo.setSSCD(sscd); signerInfo.setSSCDSourceTSL(sscdSourceTSL); + signerInfo.setIssuerCountryCode(issuerCountryCode); return signerInfo; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java index 5d26397c5..7a108e8a4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java @@ -56,6 +56,9 @@ public class SignerInfoImpl implements SignerInfo { /** Determines, if the QC check bases upon on TSL */ private boolean qcSourceTSL; + /** The certificate issuer country code */ + private String issuerCountryCode; + /** * Sets the signer certificate. * @@ -118,6 +121,13 @@ public class SignerInfoImpl implements SignerInfo { return "Certificate"; } + public void setIssuerCountryCode(String issuerCountryCode) { + this.issuerCountryCode = issuerCountryCode; + } + public String getIssuerCountryCode() { + return issuerCountryCode; + } + /** * Sets, whether the certificate contained in this object is an * e-government certificate or not. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index 505303bc1..2e2afaf7c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -121,7 +121,8 @@ class ResponseBuilderUtils { boolean isPublicAuthority, String publicAuthorityID, boolean isSSCD, - String sscdSource) + String sscdSource, + String issuerCountryCode) throws MOAApplicationException { Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo"); @@ -147,6 +148,12 @@ class ResponseBuilderUtils { isSSCD ? response.createElementNS(MOA_NS_URI, "SecureSignatureCreationDevice") : null; + Element issuerCountryCodeElem = null; + if (issuerCountryCode != null) { + issuerCountryCodeElem = response.createElementNS(MOA_NS_URI, "IssuerCountryCode"); + issuerCountryCodeElem.setTextContent(issuerCountryCode); + } + Element publicAuthorityElem = isPublicAuthority ? response.createElementNS(MOA_NS_URI, "PublicAuthority") @@ -184,8 +191,10 @@ class ResponseBuilderUtils { x509DataElem.appendChild(x509IssuerSerialElem); x509DataElem.appendChild(x509CertificateElem); if (isQualified) { - qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); - x509DataElem.appendChild(qualifiedCertificateElem); + if (qcSource.compareToIgnoreCase("TSL") == 0) + qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); + + x509DataElem.appendChild(qualifiedCertificateElem); } if (isPublicAuthority) { x509DataElem.appendChild(publicAuthorityElem); @@ -195,9 +204,12 @@ class ResponseBuilderUtils { } } if (isSSCD) { - sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource); + sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource); x509DataElem.appendChild(sscdElem); } + if (issuerCountryCodeElem != null) + x509DataElem.appendChild(issuerCountryCodeElem); + signerInfoElem.appendChild(x509DataElem); root.appendChild(signerInfoElem); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java index 238875351..b11560b28 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java @@ -99,7 +99,6 @@ public class VerifyCMSSignatureResponseBuilder { CheckResult signatureCheck = responseElement.getSignatureCheck(); CheckResult certCheck = responseElement.getCertificateCheck(); - //TODO ResponseBuilderUtils.addSignerInfo( responseDoc, responseElem, @@ -109,7 +108,8 @@ public class VerifyCMSSignatureResponseBuilder { signerInfo.isPublicAuthority(), signerInfo.getPublicAuhtorityID(), signerInfo.isSSCD(), - signerInfo.getSSCDSource()); + signerInfo.getSSCDSource(), + signerInfo.getIssuerCountryCode()); ResponseBuilderUtils.addCodeInfoElement( responseDoc, diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java index 8673fba1c..dd4e13ad9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java @@ -100,7 +100,8 @@ public class VerifyXMLSignatureResponseBuilder { response.getSignerInfo().isPublicAuthority(), response.getSignerInfo().getPublicAuhtorityID(), response.getSignerInfo().isSSCD(), - response.getSignerInfo().getSSCDSource()); + response.getSignerInfo().getSSCDSource(), + response.getSignerInfo().getIssuerCountryCode()); // add HashInputData elements responseData = response.getHashInputDatas(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index d2ee75116..0908d88c9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -1225,7 +1225,6 @@ public class ConfigurationPartsBuilder { tp.mkdir(); if (!tp.isDirectory()) { error("config.50", new Object[] { tp.getPath() }); - // TODO? } File tpid = new File(tp, id); @@ -1233,11 +1232,8 @@ public class ConfigurationPartsBuilder { tpid.mkdir(); if (!tpid.isDirectory()) { error("config.50", new Object[] { tpid.getPath() }); - // TODO? } - - //System.out.println("tps: " + tpid.getAbsolutePath()); // create profile profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries); @@ -1257,10 +1253,6 @@ public class ConfigurationPartsBuilder { FileUtils.copyFile(file, new File(tpid, file.getName())); } -// System.out.println("ID: " + id); -// System.out.println("Str: " + trustAnchorsLocStr); -// System.out.println("URI: " + trustAnchorsLocURI.toString()); -// System.out.println("tslWorkingDir: " + tslWorkingDir); } else { @@ -1698,7 +1690,6 @@ public class ConfigurationPartsBuilder { map.put(x509IssuerName, interval); } - //System.out.println("Name: " + x509IssuerName + " - Interval: " + interval); } return map; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index 3640dc23f..12d8b0126 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -119,7 +119,7 @@ public class SystemInitializer { try { ConfigurationProvider config = ConfigurationProvider.getInstance(); ConfigurationData configData = new IaikConfigurator().configure(config); - + //initialize TSL module TSLConfiguration tslconfig = config.getTSLConfiguration(); @@ -131,13 +131,11 @@ public class SystemInitializer { } -// System.out.println("Hashcache 1: " + BinaryHashCache.DIR); //start TSL Update TSLUpdaterTimerTask.tslconnector_ = tslconnector; TSLUpdaterTimerTask.update(); -// System.out.println("Hashcache 2: " + BinaryHashCache.DIR); //initialize TSL Update Task initTSLUpdateTask(tslconfig); @@ -156,13 +154,13 @@ public class SystemInitializer { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (TrustStoreException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (CertificateException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (FileNotFoundException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (IOException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } + } catch (CertificateException e) { + Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); + } // set IXSIL debug output IXSILInit.setPrintDebugLog( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 6aa34573e..7a4103957 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult; /** * A class providing an interface to the @@ -185,6 +186,8 @@ public class CMSSignatureVerificationInvoker { } } + QCSSCDResult qcsscdresult = new QCSSCDResult(); + // build the response: for each signatory add the result to the response signatories = request.getSignatories(); if (signatories == VerifyCMSSignatureRequest.ALL_SIGNATORIES) { @@ -192,61 +195,28 @@ public class CMSSignatureVerificationInvoker { for (resultIter = results.iterator(); resultIter.hasNext();) { result = (CMSSignatureVerificationResult) resultIter.next(); - boolean sscdSourceTSL = false; - boolean qcSourceTSL = false; - - boolean checkQC = false; - boolean checkSSCD = false; - - List chain = result.getCertificateValidationResult().getCertificateChain(); - // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain); - - if (!checkSSCDFromTSL) { - - boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0)); - boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0)); - - if (checkQCPPlus) - checkSSCD = true; - if (checkQcEuSSCD) - checkSSCD = true; - - sscdSourceTSL = false; - - System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); - System.out.println("checkQCPPlus: " + checkQCPPlus); - System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); - } - else { - checkSSCD = true; - sscdSourceTSL = true; - } - - if (!checkQCFromTSL) { - - boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0)); - boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0)); - - if (checkQCP) - checkQC = true; - if (checkQcEuCompliance) - checkQC = true; - - qcSourceTSL = false; - - System.out.println("checkQCFromTSL: " + checkQCFromTSL); - System.out.println("checkQCP: " + checkQCP); - System.out.println("checkQcEuCompliance: " + checkQcEuCompliance); - } - else { - checkQC = true; - qcSourceTSL = true; + String issuerCountryCode = null; + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; + } + + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + + // get signer certificate issuer country code + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + } - - responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL); + responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode); } } else { int i; @@ -257,64 +227,27 @@ public class CMSSignatureVerificationInvoker { try { result = (CMSSignatureVerificationResult) results.get(signatories[i] - 1); - boolean sscdSourceTSL = false; - boolean qcSourceTSL = false; - boolean checkQC = false; - boolean checkSSCD = false; - - List chain = result.getCertificateValidationResult().getCertificateChain(); - // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain); - - if (!checkSSCDFromTSL) { - - boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0)); - boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0)); - - if (checkQCPPlus) - checkSSCD = true; - if (checkQcEuSSCD) - checkSSCD = true; - - sscdSourceTSL = false; - - System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); - System.out.println("checkQCPPlus: " + checkQCPPlus); - System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); - } - else { - checkSSCD = true; - sscdSourceTSL = true; - } - - if (!checkQCFromTSL) { - - boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0)); - boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0)); - - if (checkQCP) - checkQC = true; - if (checkQcEuCompliance) - checkQC = true; - - qcSourceTSL = false; - - System.out.println("checkQCFromTSL: " + checkQCFromTSL); - System.out.println("checkQCP: " + checkQCP); - System.out.println("checkQcEuCompliance: " + checkQcEuCompliance); - - } - else { - checkQC = true; - qcSourceTSL = true; + String issuerCountryCode = null; + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int j = 0; + while(it.hasNext()) { + chain[j] = (X509Certificate)it.next(); + j++; + } + + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); } - - - - responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL); + responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode); } catch (IndexOutOfBoundsException e) { throw new MOAApplicationException( "2249", @@ -326,65 +259,7 @@ public class CMSSignatureVerificationInvoker { return responseBuilder.getResponse(); } - private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) { - boolean checkQCFromTSL = false; - try { - if (tslEnabledTrustProfile) { - if (chainlist != null) { - X509Certificate[] chain = new X509Certificate[chainlist.size()]; - - Iterator it = chainlist.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - } - } - } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } - - return checkQCFromTSL; - } - - private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) { - boolean checkSSCDFromTSL = false; - try { - if (tslEnabledTrustProfile) { - if (chainlist != null) { - X509Certificate[] chain = new X509Certificate[chainlist.size()]; - - Iterator it = chainlist.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - } - } - } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } - - return checkSSCDFromTSL; - } - + /** * Get the signed content contained either in the request itself or given as a * reference to external data. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index f44cce62a..1ea10cb4e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -79,7 +79,7 @@ public class VerifyCMSSignatureResponseBuilder { * otherwise false. * @throws MOAException */ - public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL) + public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode) throws MOAException { CertificateValidationResult certResult = @@ -104,7 +104,8 @@ public class VerifyCMSSignatureResponseBuilder { certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), checkSSCD, - sscdSourceTSL); + sscdSourceTSL, + issuerCountryCode); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 4fdb1eeb7..193495171 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -142,7 +142,8 @@ public class VerifyXMLSignatureResponseBuilder { boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, - boolean isTSLEnabledTrustprofile) + boolean isTSLEnabledTrustprofile, + String issuerCountryCode) throws MOAApplicationException { CertificateValidationResult certResult = @@ -167,7 +168,8 @@ public class VerifyXMLSignatureResponseBuilder { certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), checkSSCD, - sscdSourceTSL); + sscdSourceTSL, + issuerCountryCode); // Create HashInputData Content objects referenceDataList = result.getReferenceDataList(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index c3cc8bfe8..c90bc534a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -24,10 +24,7 @@ package at.gv.egovernment.moa.spss.server.invoke; -import at.gv.egovernment.moa.spss.util.CertificateUtils; - import iaik.ixsil.exceptions.URIException; - import iaik.ixsil.util.URI; import iaik.server.modules.IAIKException; import iaik.server.modules.IAIKRuntimeException; @@ -43,8 +40,6 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory; import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile; import iaik.server.modules.xmlverify.XMLSignatureVerificationResult; import iaik.x509.X509Certificate; -import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; -import iaik.xml.crypto.tsl.ex.TSLSearchException; import java.io.File; import java.io.FileInputStream; @@ -90,8 +85,9 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; -import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult; import at.gv.egovernment.moa.util.CollectionUtils; import at.gv.egovernment.moa.util.Constants; @@ -211,12 +207,7 @@ public class XMLSignatureVerificationInvoker { requestElement); } - boolean sscdSourceTSL = false; - boolean qcSourceTSL = false; - - boolean checkQC = false; - boolean checkSSCD = false; - + QCSSCDResult qcsscdresult = new QCSSCDResult(); String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId(); ConfigurationProvider config = ConfigurationProvider.getInstance(); TrustProfile tp = config.getTrustProfile(tpID); @@ -242,73 +233,27 @@ public class XMLSignatureVerificationInvoker { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; } - try { - if (tp.isTSLEnabled()) { - List list = result.getCertificateValidationResult().getCertificateChain(); - if (list != null) { - X509Certificate[] chain = new X509Certificate[list.size()]; - - Iterator it = list.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - - if (!checkSSCDFromTSL) { - - boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); - boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); - - if (checkQCPPlus) - checkSSCD = true; - if (checkQcEuSSCD) - checkSSCD = true; - - sscdSourceTSL = false; - } - else { - checkSSCD = true; - sscdSourceTSL = true; - } - - if (!checkQCFromTSL) { - - boolean checkQCP = CertificateUtils.checkQCP(chain[0]); - boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); - - if (checkQCP) - checkQC = true; - if (checkQcEuCompliance) - checkQC = true; - - qcSourceTSL = false; - } - else { - checkQC = true; - qcSourceTSL = true; - } - -// System.out.println("chain[0]: " + chain[0]); -// -// System.out.println("checkQCFromTSL: " + checkQCFromTSL); -// System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); -// System.out.println("checkQCPPlus: " + checkQCPPlus); -// System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); + + + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; } - } + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled()); } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } + + // get signer certificate issuer country code + String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + // swap back in the request as root document if (requestElement != signatureEnvironment.getElement()) { requestElement.getOwnerDocument().replaceChild( @@ -325,14 +270,9 @@ public class XMLSignatureVerificationInvoker { TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); -// System.out.println("checkQC: " + checkQC); -// System.out.println("qcSourceTSL: " + qcSourceTSL); -// System.out.println("checkSSCD: " + checkSSCD); -// System.out.println("sscdSourceTSL: " + sscdSourceTSL); // build the response - responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL, tp.isTSLEnabled()); - + responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode); return responseBuilder.getResponse(); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index 49f715cb8..07da0a998 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java @@ -83,6 +83,15 @@ public class TSLConnector implements TSLConnectorInterface { return updateAndGetQualifiedCACertificates(dateTime, null, serviceLevelStatus); } + public void updateTSLs(Date dateTime, + String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { + + if (Configurator.is_isInitialised() == false) + new TSLEngineFatalException("The TSL Engine is not initialized!"); + + updateTSLs(dateTime, null, serviceLevelStatus); + } + public ArrayList updateAndGetQualifiedCACertificates(Date dateTime, String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { @@ -326,6 +335,249 @@ public class TSLConnector implements TSLConnectorInterface { return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus); } + public void updateTSLs(Date dateTime, + String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { + + if (Configurator.is_isInitialised() == false) + new TSLEngineFatalException("The TSL Engine is not initialized!"); + + String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload"; + +// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +// System.out.println("hashcachedir: " + hashcachedir); +// if (hashcachedir==null) +// hashcachedir = DEFAULT_HASHCACHE_DIR; + +// File hashcachefile = new File(hashcachedir); +// File[] filelist = hashcachefile.listFiles(); +// if (filelist != null) { +// for (File f : filelist) +// f.delete(); +// } + + File tsldownloadfile = new File(tsldownloaddir); + if (!tsldownloadfile.exists()) { + tsldownloadfile.mkdir(); + } + File[] tslfilelist = tsldownloadfile.listFiles(); + if (tslfilelist != null) { + for (File f : tslfilelist) + f.delete(); + } + + //create sqlLite database + File dbFile = new File(Configurator.get_TempdbFile()); + try { + dbFile.delete(); + dbFile.createNewFile(); + } catch (IOException e) { + throw new TSLEngineDiedException("Could not create temporary data base file", e); + } + + //the TSL library uses the iaik.util.logging environment. + //iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.WARN); + iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF); + + log.info("Starting EU TSL import."); + + // Certificates in Germany, Estonia, Greece, Cyprus, + // Lithuainia, Hungary, Poland, Finland, Norway use SURNAME + log.debug("### SURNAME registered as " + ObjectID.surName + " ###"); + RFC2253NameParser.register("SURNAME", ObjectID.surName); + + XSecProvider.addAsProvider(false); + + TSLEngine tslEngine; + TslSqlConnectionWrapper connection = null; + + try { + // register the Https JSSE Wrapper + TLS.register(); + log.trace("### Https JSSE Wrapper registered ###"); + + + log.debug("### Connect to Database.###"); + connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON); + + log.trace("### Connected ###"); + + // empty the database and recreate the tables + tslEngine = new TSLEngine(dbFile, Configurator.get_TSLWorkingDirectoryPath(), + connection, true, true); + + } catch (TSLEngineFatalException e1) { + throw new TSLEngineDiedException(e1); + + } + + // H.2.2.1 Same-scheme searching + // H.2.2.2 Known scheme searching + // H.2.2.3 "Blind" (unknown) scheme searching + Number tId = null; + Countries euTerritory = Countries.EU; + TSLImportContext topLevelTslContext = new TSLEUImportFromFileContext( + euTerritory, Configurator.get_euTSLURL(), Configurator.get_TSLWorkingDirectoryPath(), + Configurator.is_sqlMultithreaded(), + Configurator.is_throwExceptions(), Configurator.is_logExceptions(), + Configurator.is_throwWarnings(), Configurator.is_logWarnings(), + Configurator.is_nullRedundancies()); + + TSLEngineEU tslengineEU; + try { + tslengineEU = tslEngine.new TSLEngineEU(); + + } catch (TSLEngineFatalException e1) { + throw new TSLEngineDiedException(e1); + } + + // establish EU TSL trust anchor + ListIterator expectedEuTslSignerCerts = + tslEngine.loadCertificatesFromResource( + Configurator.get_euTrustAnchorsPath(), topLevelTslContext); + + log.debug("Process EU TSL"); + // process the EU TSL to receive the pointers to the other TSLs + // and the trust anchors for the TSL signers + Set> pointersToMsTSLs = null; + + try { + + tId = tslengineEU.processEUTSL(topLevelTslContext, expectedEuTslSignerCerts); + log.info("Process EU TSL finished"); + + log.debug(Thread.currentThread() + " waiting for other threads ..."); + + topLevelTslContext.waitForAllOtherThreads(); + log.debug(Thread.currentThread() + + " reactivated after other threads finished ..."); + + + // get the TSLs pointed from the EU TSL + LinkedHashMap tslMap = tslengineEU + .getOtherTslMap(tId, topLevelTslContext); + + pointersToMsTSLs = tslMap.entrySet(); + + //set Errors and Warrnings + + } catch (TSLEngineFatalRuntimeException e) { + throw new TSLEngineDiedException(topLevelTslContext.dumpFatals()); + + } catch (TSLTransactionFailedRuntimeException e) { + throw new TSLEngineDiedException(topLevelTslContext.dumpTransactionFaliures()); + } + + //Backup implementation if the EU TSL includes a false signer certificate + // establish additional trust anchors for member states +// Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = { +// Countries.CZ, +// Countries.LU, +// Countries.ES, +// Countries.AT, +// }; + Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {}; + + Map> + trustAnchorsWrongOnEuTsl = loadCertificatesFromResource( + Configurator.get_msTrustAnchorsPath(), tslEngine, topLevelTslContext, + countriesWithPotentiallyWrongCertsOnEuTsl); + + log.info("Starting EU member TSL import."); + + for (Entry entry : pointersToMsTSLs) { + + TSLImportContext msTslContext; + + Countries expectedTerritory = entry.getValue().getSchemeTerritory(); + try { + +// if (expectedTerritory.equals("RO")) +// System.out.println("Stop"); + + Number otpId = entry.getKey(); + LocationAndCertHash lac = entry.getValue(); + + URL uriReference = null; + try { + uriReference = new URL(lac.getUrl()); + + } catch (MalformedURLException e) { + log.warn("Could not process: " + uriReference, e); + continue; + } + + String baseURI = uriReference == null ? "" : "" + uriReference; + + msTslContext = new TSLImportFromFileContext( + expectedTerritory, uriReference, otpId, Configurator.get_TSLWorkingDirectoryPath(), + Configurator.is_sqlMultithreaded(), + Configurator.is_throwExceptions(), Configurator.is_logExceptions(), + Configurator.is_throwWarnings(), Configurator.is_logWarnings(), + Configurator.is_nullRedundancies(), baseURI, trustAnchorsWrongOnEuTsl, + topLevelTslContext); + + ListIterator expectedTslSignerCerts = null; + expectedTslSignerCerts = tslEngine.getCertificates(lac, msTslContext); + + if (expectedTslSignerCerts == null) { + + // no signer certificate on the EU TSL + // ignore this msTSL and log a warning + log.warn("NO signer certificate found on EU TSL! " + + lac.getSchemeTerritory() + "TSL ignored."); + + } + else { + tslEngine.processMSTSL(topLevelTslContext, msTslContext, expectedTslSignerCerts); + } + + } catch (TSLExceptionB e) { + log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory() + + " TSL ignored."); + log.debug("Failed to process TSL. " + entry, e); + continue; + } catch (TSLRuntimeException e) { + log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory() + + " TSL ignored."); + log.debug("Failed to process TSL. " + entry, e); + continue; + } + } + + log.debug(Thread.currentThread() + " waiting for other threads ..."); + topLevelTslContext.waitForAllOtherThreads(); + + log.debug(_.dumpAllThreads()); + log.debug(Thread.currentThread() + " reactivated after other threads finished ..."); + + connection = null; + try { + connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON); + tslEngine.recreateTablesInvalidatedByImport(connection); + + + //TODO: implement database copy operation! + File working_database = new File(Configurator.get_dbFile()); + working_database.delete(); + copy(dbFile, working_database); + + + } catch (TSLEngineFatalException e) { + throw new TSLEngineDiedException(e); + + } finally { + try { + connection.closeConnection(); + + } catch (TSLEngineFatalException e) { + throw new TSLEngineDiedException(e); + + } + } + + //return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus); + } + public ArrayList getQualifiedCACertificates(Date dateTime, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java index 76be8217a..0cb18a08e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java @@ -33,13 +33,14 @@ import at.gv.egovernment.moa.spss.server.iaik.pki.store.truststore.TrustStorePro import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.tsl.connector.TSLConnector; import at.gv.egovernment.moa.spss.util.MessageProvider; -import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; public class TSLUpdaterTimerTask extends TimerTask { public static TSLConnector tslconnector_; + + public static ConfigurationData configData_ = null; @Override public void run() { @@ -49,10 +50,6 @@ public class TSLUpdaterTimerTask extends TimerTask { } catch (TSLEngineDiedException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - - // TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur - // Verfügung stehen? - } catch (TSLSearchException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); @@ -68,105 +65,138 @@ public class TSLUpdaterTimerTask extends TimerTask { } catch (TrustStoreException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - } catch (CertificateException e) { + } catch (FileNotFoundException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - } catch (FileNotFoundException e) { + } catch (IOException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - } catch (IOException e) { + } catch (CertificateException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); } } - public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException { + public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, IOException { MessageProvider msg = MessageProvider.getInstance(); - //get TSl configuration - ConfigurationProvider config = ConfigurationProvider.getInstance(); - ConfigurationData configData = new IaikConfigurator().configure(config); - TSLConfiguration tslconfig = config.getTSLConfiguration(); - if (tslconfig != null) { - - Logger.info(new LogMsg(msg.getMessage("config.42", null))); + //TrustProfile tp = null; + TrustStoreProfile tsp = null; + StoreUpdater storeUpdater = null; + TransactionId tid = null; + + //get TSl configuration + ConfigurationProvider config = ConfigurationProvider.getInstance(); + if (configData_ == null) + configData_ = new IaikConfigurator().configure(config); - // get certstore parameters - CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters(); + TSLConfiguration tslconfig = config.getTSLConfiguration(); + if (tslconfig != null) { - // iterate over all truststores - Map mapTrustProfiles = config.getTrustProfiles(); - Iterator it = mapTrustProfiles.entrySet().iterator(); - while (it.hasNext()) { - Map.Entry pairs = (Map.Entry)it.next(); - TrustProfile tp = (TrustProfile) pairs.getValue(); - if (tp.isTSLEnabled()) { - TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId()); - TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1]; - trustStoreProfiles[0] = tsp; - - Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()}))); - - TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId()); - ArrayList tsl_certs = null; - if (StringUtils.isEmpty(tp.getCountries())) { - Logger.debug(new LogMsg(msg.getMessage("config.44", null))); - - // get certificates from TSL from all countries - tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"}); - } - else { - Logger.debug(new LogMsg(msg.getMessage("config.44", null))); - // get selected countries as array - String countries = tp.getCountries(); - String[] array = countries.split(","); - for (int i = 0; i < array.length; i++) - array[i] = array[i].trim(); - - // get certificates from TSL from given countries - tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"}); - } - - // create store updater for each TSL enabled truststore - Logger.debug(new LogMsg(msg.getMessage("config.45", null))); - StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); - - - // delete files in trustprofile - File ftp = new File(tp.getUri()); - File[] files = ftp.listFiles(); - for (File file : files) - file.delete(); + tslconnector_.updateTSLs(new Date(), new String[]{"accredited","undersupervision"}); + + Logger.info(new LogMsg(msg.getMessage("config.42", null))); + + // get certstore parameters + CertStoreParameters[] certStoreParameters = configData_.getPKIConfiguration().getCertStoreConfiguration().getParameters(); - // convert ArrayList to X509Certificate[] - X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()]; - Iterator itcert = tsl_certs.iterator(); - int i = 0; - while(itcert.hasNext()) { - File f = (File)itcert.next(); - X509Certificate cert = new X509Certificate(new FileInputStream(f)); - addCertificates[i] = cert; + // iterate over all truststores + Map mapTrustProfiles = config.getTrustProfiles(); + Iterator it = mapTrustProfiles.entrySet().iterator(); + while (it.hasNext()) { + Map.Entry pairs = (Map.Entry)it.next(); + TrustProfile tp = (TrustProfile) pairs.getValue(); + if (tp.isTSLEnabled()) { + tsp = new TrustStoreProfileImpl(config, tp.getId()); + TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1]; + trustStoreProfiles[0] = tsp; + + Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()}))); + + tid = new TransactionId("TSLConfigurator-" + tp.getId()); + ArrayList tsl_certs = null; + if (StringUtils.isEmpty(tp.getCountries())) { + Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + + // get certificates from TSL from all countries + tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"}); + } + else { + Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + // get selected countries as array + String countries = tp.getCountries(); + String[] array = countries.split(","); + for (int i = 0; i < array.length; i++) + array[i] = array[i].trim(); + + // get certificates from TSL from given countries + tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"}); + } + + // create store updater for each TSL enabled truststore + Logger.debug(new LogMsg(msg.getMessage("config.45", null))); + storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); + + // delete files in trustprofile + + File ftp = new File(tp.getUri()); + File[] files = ftp.listFiles(); + X509Certificate[] removeCertificates = new X509Certificate[files.length]; + int i = 0; + for (File file : files) { + FileInputStream fis = new FileInputStream(file); + removeCertificates[i] = new X509Certificate(fis); + i++; + fis.close(); + //file.delete(); + } + + // remove all certificates + storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid); + storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid); + - i++; + // copy files from original trustAnchorsLocURI into tslworking trust profile + File src = new File(tp.getUriOrig()); + files = src.listFiles(); + X509Certificate[] addCertificates = new X509Certificate[files.length]; + i = 0; + for (File file : files) { + FileInputStream fis = new FileInputStream(file); + addCertificates[i] = new X509Certificate(fis); + //FileUtils.copyFile(file, new File(tp.getUri(), file.getName())); + i++; + fis.close(); + } + + // convert ArrayList to X509Certificate[] + X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()]; + Iterator itcert = tsl_certs.iterator(); + i = 0; + File f = null; + while(itcert.hasNext()) { + f = (File)itcert.next(); + FileInputStream fis = new FileInputStream(f); + X509Certificate cert = new X509Certificate(fis); + addCertificatesTSL[i] = cert; + + i++; + fis.close(); + } + + Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid); + storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid); + + Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificates, tid); + storeUpdater.addCertificatesToCertStores(addCertificates, tid); + + } - - - // copy files from original trustAnchorsLocURI into tslworking trust profile - File src = new File(tp.getUriOrig()); - files = src.listFiles(); - for (File file : files) { - FileUtils.copyFile(file, new File(tp.getUri(), file.getName())); - } - - Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); - storeUpdater.addCertificatesToTrustStores(addCertificates, tid); - storeUpdater.addCertificatesToCertStores(addCertificates, tid); - - } } - } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java new file mode 100644 index 000000000..544ea916c --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java @@ -0,0 +1,286 @@ +package at.gv.egovernment.moa.spss.util; + +import iaik.asn1.ObjectID; +import iaik.asn1.structures.Name; +import iaik.asn1.structures.PolicyInformation; +import iaik.utils.RFC2253NameParser; +import iaik.utils.RFC2253NameParserException; +import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; +import iaik.x509.extensions.CertificatePolicies; +import iaik.x509.extensions.qualified.QCStatements; +import iaik.x509.extensions.qualified.structures.QCStatement; +import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance; +import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD; +import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; +import iaik.xml.crypto.tsl.ex.TSLSearchException; + +import java.security.Principal; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; + +public class CertificateUtils { + + + /** + * Verifies if the given certificate contains QCP+ statement + * @param cert X509Certificate + * @return true if the given certificate contains QCP+ statement, else false + */ + private static boolean checkQCPPlus(X509Certificate cert) { + Logger.debug("Checking QCP+ extension"); + String OID_QCPPlus = "0.4.0.1456.1.1"; + try { + CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid); + if (certPol == null) { + Logger.debug("No CertificatePolicies extension found"); + return false; + } + + PolicyInformation[] polInfo = certPol.getPolicyInformation(); + if (polInfo == null) { + Logger.debug("No policy information found"); + return false; + } + + for (int i = 0; i < polInfo.length; i++) { + ObjectID oid = polInfo[i].getPolicyIdentifier(); + String oidStr = oid.getID(); + if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) { + Logger.debug("QCP+ extension found"); + return true; + } + } + + Logger.debug("No QCP+ extension found"); + + return false; + } catch (X509ExtensionInitException e) { + Logger.debug("No QCP+ extension found"); + + return false; + } + + } + + /** + * Verifies if the given certificate contains QCP statement + * @param cert X509Certificate + * @return true if the given certificate contains QCP statement, else false + */ + private static boolean checkQCP(X509Certificate cert) { + Logger.debug("Checking QCP extension"); + String OID_QCP = "0.4.0.1456.1.2"; + try { + CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid); + if (certPol == null) { + Logger.debug("No CertificatePolicies extension found"); + return false; + } + + PolicyInformation[] polInfo = certPol.getPolicyInformation(); + if (polInfo == null) { + Logger.debug("No policy information found"); + return false; + } + + for (int i = 0; i < polInfo.length; i++) { + ObjectID oid = polInfo[i].getPolicyIdentifier(); + String oidStr = oid.getID(); + if (oidStr.compareToIgnoreCase(OID_QCP) == 0) { + Logger.debug("QCP extension found"); + return true; + } + + } + + Logger.debug("No QCP extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QCP extension found"); + return false; + } + + } + + /** + * Verifies if the given certificate contains QcEuCompliance statement + * @param cert X509Certificate + * @return true if the given certificate contains QcEuCompliance statement, else false + */ + private static boolean checkQcEuCompliance(X509Certificate cert) { + Logger.debug("Checking QcEUCompliance extension"); + try { + QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid); + + if (qcStatements == null) { + Logger.debug("No QcStatements extension found"); + return false; + } + + QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID); + + if (qcEuCompliance != null) { + Logger.debug("QcEuCompliance extension found"); + return true; + } + + Logger.debug("No QcEuCompliance extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QcEuCompliance extension found"); + return false; + } + + } + + /** + * Verifies if the given certificate contains QcEuSSCD statement + * @param cert X509Certificate + * @return true if the given certificate contains QcEuSSCD statement, else false + */ + private static boolean checkQcEuSSCD(X509Certificate cert) { + Logger.debug("Checking QcEuSSCD extension"); + try { + QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid); + if (qcStatements == null) { + Logger.debug("No QcStatements extension found"); + return false; + } + + QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID); + + if (qcEuSSCD != null) { + Logger.debug("QcEuSSCD extension found"); + return true; + } + + Logger.debug("No QcEuSSCD extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QcEuSSCD extension found"); + return false; + } + + } + + public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) { + + boolean qc = false; + boolean qcSourceTSL = false; + boolean sscd = false; + boolean sscdSourceTSL = false; + + try { + + if (isTSLenabledTrustprofile) { + // perform QC check via TSL + boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); + if (!checkQCFromTSL) { + // if QC check via TSL returns false + // try certificate extensions QCP and QcEuCompliance + Logger.debug("QC check via TSL returned false - checking certificate extensions"); + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP || checkQcEuCompliance) { + Logger.debug("Certificate is QC (Source: Certificate)"); + qc = true; + } + + qcSourceTSL = false; + } + else { + // use TSL result + Logger.debug("Certificate is QC (Source: TSL)"); + qc = true; + qcSourceTSL = true; + } + + // perform SSCD check via TSL + boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + if (!checkSSCDFromTSL) { + // if SSCD check via TSL returns false + // try certificate extensions QCP+ and QcEuSSCD + Logger.debug("SSCD check via TSL returned false - checking certificate extensions"); + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus || checkQcEuSSCD) { + Logger.debug("Certificate is SSCD (Source: Certificate)"); + sscd = true; + } + + sscdSourceTSL = false; + } + else { + // use TSL result + Logger.debug("Certificate is SSCD (Source: TSL)"); + sscd = true; + sscdSourceTSL = true; + } + + } + else { + // Trustprofile is not TSL enabled - use certificate extensions only + + // perform QC check + // try certificate extensions QCP and QcEuCompliance + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP || checkQcEuCompliance) + qc = true; + + qcSourceTSL = false; + + // perform SSCD check + // try certificate extensions QCP+ and QcEuSSCD + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus || checkQcEuSSCD) + sscd = true; + + sscdSourceTSL = false; + } + } + catch (TSLEngineDiedException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } catch (TSLSearchException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } + + QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL); + + return result; + } + + /** + * Gets the country from the certificate issuer + * @param cert X509 certificate + * @return Country code from the certificate issuer + */ + public static String getIssuerCountry(X509Certificate cert) { + String country = null; + Principal issuerdn = cert.getIssuerX500Principal(); + RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName()); + + try { + Name name = nameParser.parse(); + country = name.getRDN(ObjectID.country); + } catch (RFC2253NameParserException e) { + Logger.warn("Could not get country code from issuer."); + } + + + return country; + } +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java new file mode 100644 index 000000000..99af84308 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java @@ -0,0 +1,37 @@ +package at.gv.egovernment.moa.spss.util; + +public class QCSSCDResult { + + private boolean qc; + private boolean qcSourceTSL; + + private boolean sscd; + private boolean sscdSourceTSL; + + public QCSSCDResult() { + this.qc = false; + this.qcSourceTSL = false; + this.sscd = false; + this.sscdSourceTSL = false; + } + + public QCSSCDResult(boolean qc, boolean qcSourceTSL, boolean sscd, boolean sscdSourceTSL) { + this.qc = qc; + this.qcSourceTSL = qcSourceTSL; + this.sscd = sscd; + this.sscdSourceTSL = sscdSourceTSL; + } + + public boolean isQC() { + return this.qc; + } + public boolean isQCSourceTSL() { + return this.qcSourceTSL; + } + public boolean isSSCD() { + return this.sscd; + } + public boolean isSSCDSourceTSL() { + return this.sscdSourceTSL; + } +} diff --git a/spss/server/serverws/pom.xml b/spss/server/serverws/pom.xml index 101b16882..4372c76d0 100644 --- a/spss/server/serverws/pom.xml +++ b/spss/server/serverws/pom.xml @@ -38,7 +38,8 @@ ${basedir}/resources/wsdl resources/schemas - *.xsd + *.xsd + *.wsdl diff --git a/spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.wsdl b/spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.wsdl deleted file mode 100644 index 135f26f68..000000000 --- a/spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.wsdl +++ /dev/null @@ -1,128 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.xsd b/spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.xsd deleted file mode 100644 index 06232f189..000000000 --- a/spss/server/serverws/resources/wsdl/MOA-SPSS-1.5.2.xsd +++ /dev/null @@ -1,551 +0,0 @@ - - - - - - - - - - - - - - - - - - - - Ermöglichung der Stapelsignatur durch wiederholte Angabe dieses Elements - - - - - - - - - - - - - - - - - - - - - - Kardinalität 1..oo erlaubt die Antwort auf eine Stapelsignatur-Anfrage - - - - Resultat, falls die Signaturerstellung erfolgreich war - - - - - - - - - - - - - - - - - - - - Ermöglichung der Stapelsignatur durch wiederholte Angabe dieses Elements - - - - - - - - - - - - - - - - - - - Auswahl: Entweder explizite Angabe des Signaturorts sowie ggf. sinnvoller Supplements im Zshg. mit der Signaturumgebung, oder Verweis auf ein benanntes Profil - - - - - - - - - - - - - - - - - - Kardinalität 1..oo erlaubt die Antwort auf eine Stapelsignatur-Anfrage - - - - Resultat, falls die Signaturerstellung erfolgreich war - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - mit diesem Profil wird eine Menge von vertrauenswürdigen Wurzelzertifikaten spezifiziert - - - - - - - - - - - only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any;publicAuthority is included as X509Data/any - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Pro dsig:Reference-Element in der zu überprüfenden XML-Signatur muss hier ein ReferenceInfo-Element erscheinen. Die Reihenfolge der einzelnen ReferenceInfo Elemente entspricht jener der dsig:Reference Elemente in der XML-Signatur. - - - - - - - - - - mit diesem Profil wird eine Menge von vertrauenswürdigen Wurzelzertifikaten spezifiziert - - - - - - - - - - - only ds:X509Data and ds:RetrievalMethod is supported; QualifiedCertificate is included as X509Data/any; PublicAuthority is included as X509Data/any - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Auswahl: Entweder explizite Angabe EINER Transformationskette inklusive ggf. sinnvoller Supplements oder Verweis auf ein benanntes Profil - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Resultat, falls die Signaturerstellung gescheitert ist - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Ein oder mehrere Transformationswege können von der Applikation an MOA mitgeteilt werden. Die zu prüfende Signatur hat zumindest einem dieser Transformationswege zu entsprechen. Die Angabe kann explizit oder als Profilbezeichner erfolgen. - - - - - Profilbezeichner für einen Transformationsweg - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Die Angabe des Transformationsparameters (explizit oder als Hashwert) kann unterlassen werden, wenn die Applikation von der Unveränderlichkeit des Inhalts der in "Transformationsparamter", Attribut "URI" angegebenen URI ausgehen kann. - - - - Der Transformationsparameter explizit angegeben. - - - - - Der Hashwert des Transformationsparameters. - - - - - - - - - - - - - - - - - - - - - - Explizite Angabe des Transformationswegs - - - - - - - Alle impliziten Transformationsparameter, die zum Durchlaufen der oben angeführten Transformationskette bekannt sein müssen, müssen hier angeführt werden. Das Attribut "URI" bezeichnet den Transformationsparameter in exakt jener Weise, wie er in der zu überprüfenden Signatur gebraucht wird. - - - - - - - - - - - - - - - - diff --git a/spss/server/serverws/src/main/webapp/WEB-INF/server-config.wsdd b/spss/server/serverws/src/main/webapp/WEB-INF/server-config.wsdd index eaa50865d..86d37c8bc 100644 --- a/spss/server/serverws/src/main/webapp/WEB-INF/server-config.wsdd +++ b/spss/server/serverws/src/main/webapp/WEB-INF/server-config.wsdd @@ -1,6 +1,6 @@ http://reference.e-government.gv.at/namespace/moa/20020822# - - C:\eclipse_workspaces\MOA_Git01\moa-idspss\spss\server\serverws\resources\wsdl\MOA-SPSS-1.5.2.wsdl + webapps/moa-spss/resources/schemas/MOA-SPSS-1.5.2.wsdl - @@ -32,7 +30,7 @@ http://reference.e-government.gv.at/namespace/moa/20020822# - /resources/wsdl/MOA-SPSS-1.5.2.wsdl + webapps/moa-spss/resources/schemas/MOA-SPSS-1.5.2.wsdl -- cgit v1.2.3