From 5b697c424d24a7523dccd210454d029368e34898 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 21 Aug 2013 13:12:26 +0200 Subject: Update QC/SSCD check WSDL location updated --- .../gv/egovernment/moa/spss/api/SPSSFactory.java | 4 +- .../moa/spss/api/common/SignerInfo.java | 6 +- .../moa/spss/api/impl/SPSSFactoryImpl.java | 4 +- .../moa/spss/api/impl/SignerInfoImpl.java | 10 + .../moa/spss/api/xmlbind/ResponseBuilderUtils.java | 20 +- .../xmlbind/VerifyCMSSignatureResponseBuilder.java | 4 +- .../xmlbind/VerifyXMLSignatureResponseBuilder.java | 3 +- .../server/config/ConfigurationPartsBuilder.java | 9 - .../moa/spss/server/init/SystemInitializer.java | 10 +- .../invoke/CMSSignatureVerificationInvoker.java | 209 +++------------ .../invoke/VerifyCMSSignatureResponseBuilder.java | 5 +- .../invoke/VerifyXMLSignatureResponseBuilder.java | 6 +- .../invoke/XMLSignatureVerificationInvoker.java | 104 ++------ .../moa/spss/tsl/connector/TSLConnector.java | 252 ++++++++++++++++++ .../moa/spss/tsl/timer/TSLUpdaterTimerTask.java | 200 ++++++++------ .../moa/spss/util/CertificateUtils.java | 286 +++++++++++++++++++++ .../gv/egovernment/moa/spss/util/QCSSCDResult.java | 37 +++ 17 files changed, 806 insertions(+), 363 deletions(-) create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java (limited to 'spss/server/serverlib/src/main/java/at/gv/egovernment') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index 80f996b36..b5cc96a04 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -1101,6 +1101,7 @@ public abstract class SPSSFactory { * signature based on a SSDC, otherwise false. * @param sscdSourceTSL true, if the SSCD information comes from the TSL, * otherwise false. + * @param issuerCountryCode contains the signer certificate issuer country code. * @return The SignerInfo containing the above data. * * @pre signerCertSubjectName != null @@ -1114,7 +1115,8 @@ public abstract class SPSSFactory { boolean publicAuthority, String publicAuthorityID, boolean sscd, - boolean sscdSourceTSL); + boolean sscdSourceTSL, + String issuerCountryCode); /** * Create a new X509IssuerSerial object. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java index 337f775bf..777365ad3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java @@ -68,7 +68,11 @@ public interface SignerInfo { */ public String getQCSource(); - + /** + * Returns the signer certificate issuer country code + * @return + */ + public String getIssuerCountryCode(); /** * Checks, whether the certificate contained in this object is a * public authority certificate. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java index 74f65cb70..8e3bb7636 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java @@ -626,7 +626,8 @@ public class SPSSFactoryImpl extends SPSSFactory { boolean publicAuthority, String publicAuthorityID, boolean sscd, - boolean sscdSourceTSL) { + boolean sscdSourceTSL, + String issuerCountryCode) { SignerInfoImpl signerInfo = new SignerInfoImpl(); signerInfo.setSignerCertificate(signerCertificate); signerInfo.setQualifiedCertificate(qualifiedCertificate); @@ -635,6 +636,7 @@ public class SPSSFactoryImpl extends SPSSFactory { signerInfo.setPublicAuhtorityID(publicAuthorityID); signerInfo.setSSCD(sscd); signerInfo.setSSCDSourceTSL(sscdSourceTSL); + signerInfo.setIssuerCountryCode(issuerCountryCode); return signerInfo; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java index 5d26397c5..7a108e8a4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java @@ -56,6 +56,9 @@ public class SignerInfoImpl implements SignerInfo { /** Determines, if the QC check bases upon on TSL */ private boolean qcSourceTSL; + /** The certificate issuer country code */ + private String issuerCountryCode; + /** * Sets the signer certificate. * @@ -118,6 +121,13 @@ public class SignerInfoImpl implements SignerInfo { return "Certificate"; } + public void setIssuerCountryCode(String issuerCountryCode) { + this.issuerCountryCode = issuerCountryCode; + } + public String getIssuerCountryCode() { + return issuerCountryCode; + } + /** * Sets, whether the certificate contained in this object is an * e-government certificate or not. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index 505303bc1..2e2afaf7c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -121,7 +121,8 @@ class ResponseBuilderUtils { boolean isPublicAuthority, String publicAuthorityID, boolean isSSCD, - String sscdSource) + String sscdSource, + String issuerCountryCode) throws MOAApplicationException { Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo"); @@ -147,6 +148,12 @@ class ResponseBuilderUtils { isSSCD ? response.createElementNS(MOA_NS_URI, "SecureSignatureCreationDevice") : null; + Element issuerCountryCodeElem = null; + if (issuerCountryCode != null) { + issuerCountryCodeElem = response.createElementNS(MOA_NS_URI, "IssuerCountryCode"); + issuerCountryCodeElem.setTextContent(issuerCountryCode); + } + Element publicAuthorityElem = isPublicAuthority ? response.createElementNS(MOA_NS_URI, "PublicAuthority") @@ -184,8 +191,10 @@ class ResponseBuilderUtils { x509DataElem.appendChild(x509IssuerSerialElem); x509DataElem.appendChild(x509CertificateElem); if (isQualified) { - qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); - x509DataElem.appendChild(qualifiedCertificateElem); + if (qcSource.compareToIgnoreCase("TSL") == 0) + qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); + + x509DataElem.appendChild(qualifiedCertificateElem); } if (isPublicAuthority) { x509DataElem.appendChild(publicAuthorityElem); @@ -195,9 +204,12 @@ class ResponseBuilderUtils { } } if (isSSCD) { - sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource); + sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource); x509DataElem.appendChild(sscdElem); } + if (issuerCountryCodeElem != null) + x509DataElem.appendChild(issuerCountryCodeElem); + signerInfoElem.appendChild(x509DataElem); root.appendChild(signerInfoElem); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java index 238875351..b11560b28 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java @@ -99,7 +99,6 @@ public class VerifyCMSSignatureResponseBuilder { CheckResult signatureCheck = responseElement.getSignatureCheck(); CheckResult certCheck = responseElement.getCertificateCheck(); - //TODO ResponseBuilderUtils.addSignerInfo( responseDoc, responseElem, @@ -109,7 +108,8 @@ public class VerifyCMSSignatureResponseBuilder { signerInfo.isPublicAuthority(), signerInfo.getPublicAuhtorityID(), signerInfo.isSSCD(), - signerInfo.getSSCDSource()); + signerInfo.getSSCDSource(), + signerInfo.getIssuerCountryCode()); ResponseBuilderUtils.addCodeInfoElement( responseDoc, diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java index 8673fba1c..dd4e13ad9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java @@ -100,7 +100,8 @@ public class VerifyXMLSignatureResponseBuilder { response.getSignerInfo().isPublicAuthority(), response.getSignerInfo().getPublicAuhtorityID(), response.getSignerInfo().isSSCD(), - response.getSignerInfo().getSSCDSource()); + response.getSignerInfo().getSSCDSource(), + response.getSignerInfo().getIssuerCountryCode()); // add HashInputData elements responseData = response.getHashInputDatas(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index d2ee75116..0908d88c9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -1225,7 +1225,6 @@ public class ConfigurationPartsBuilder { tp.mkdir(); if (!tp.isDirectory()) { error("config.50", new Object[] { tp.getPath() }); - // TODO? } File tpid = new File(tp, id); @@ -1233,11 +1232,8 @@ public class ConfigurationPartsBuilder { tpid.mkdir(); if (!tpid.isDirectory()) { error("config.50", new Object[] { tpid.getPath() }); - // TODO? } - - //System.out.println("tps: " + tpid.getAbsolutePath()); // create profile profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries); @@ -1257,10 +1253,6 @@ public class ConfigurationPartsBuilder { FileUtils.copyFile(file, new File(tpid, file.getName())); } -// System.out.println("ID: " + id); -// System.out.println("Str: " + trustAnchorsLocStr); -// System.out.println("URI: " + trustAnchorsLocURI.toString()); -// System.out.println("tslWorkingDir: " + tslWorkingDir); } else { @@ -1698,7 +1690,6 @@ public class ConfigurationPartsBuilder { map.put(x509IssuerName, interval); } - //System.out.println("Name: " + x509IssuerName + " - Interval: " + interval); } return map; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index 3640dc23f..12d8b0126 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -119,7 +119,7 @@ public class SystemInitializer { try { ConfigurationProvider config = ConfigurationProvider.getInstance(); ConfigurationData configData = new IaikConfigurator().configure(config); - + //initialize TSL module TSLConfiguration tslconfig = config.getTSLConfiguration(); @@ -131,13 +131,11 @@ public class SystemInitializer { } -// System.out.println("Hashcache 1: " + BinaryHashCache.DIR); //start TSL Update TSLUpdaterTimerTask.tslconnector_ = tslconnector; TSLUpdaterTimerTask.update(); -// System.out.println("Hashcache 2: " + BinaryHashCache.DIR); //initialize TSL Update Task initTSLUpdateTask(tslconfig); @@ -156,13 +154,13 @@ public class SystemInitializer { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (TrustStoreException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (CertificateException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (FileNotFoundException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } catch (IOException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } + } catch (CertificateException e) { + Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); + } // set IXSIL debug output IXSILInit.setPrintDebugLog( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 6aa34573e..7a4103957 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult; /** * A class providing an interface to the @@ -185,6 +186,8 @@ public class CMSSignatureVerificationInvoker { } } + QCSSCDResult qcsscdresult = new QCSSCDResult(); + // build the response: for each signatory add the result to the response signatories = request.getSignatories(); if (signatories == VerifyCMSSignatureRequest.ALL_SIGNATORIES) { @@ -192,61 +195,28 @@ public class CMSSignatureVerificationInvoker { for (resultIter = results.iterator(); resultIter.hasNext();) { result = (CMSSignatureVerificationResult) resultIter.next(); - boolean sscdSourceTSL = false; - boolean qcSourceTSL = false; - - boolean checkQC = false; - boolean checkSSCD = false; - - List chain = result.getCertificateValidationResult().getCertificateChain(); - // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain); - - if (!checkSSCDFromTSL) { - - boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0)); - boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0)); - - if (checkQCPPlus) - checkSSCD = true; - if (checkQcEuSSCD) - checkSSCD = true; - - sscdSourceTSL = false; - - System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); - System.out.println("checkQCPPlus: " + checkQCPPlus); - System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); - } - else { - checkSSCD = true; - sscdSourceTSL = true; - } - - if (!checkQCFromTSL) { - - boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0)); - boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0)); - - if (checkQCP) - checkQC = true; - if (checkQcEuCompliance) - checkQC = true; - - qcSourceTSL = false; - - System.out.println("checkQCFromTSL: " + checkQCFromTSL); - System.out.println("checkQCP: " + checkQCP); - System.out.println("checkQcEuCompliance: " + checkQcEuCompliance); - } - else { - checkQC = true; - qcSourceTSL = true; + String issuerCountryCode = null; + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; + } + + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + + // get signer certificate issuer country code + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + } - - responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL); + responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode); } } else { int i; @@ -257,64 +227,27 @@ public class CMSSignatureVerificationInvoker { try { result = (CMSSignatureVerificationResult) results.get(signatories[i] - 1); - boolean sscdSourceTSL = false; - boolean qcSourceTSL = false; - boolean checkQC = false; - boolean checkSSCD = false; - - List chain = result.getCertificateValidationResult().getCertificateChain(); - // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain); - - if (!checkSSCDFromTSL) { - - boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0)); - boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0)); - - if (checkQCPPlus) - checkSSCD = true; - if (checkQcEuSSCD) - checkSSCD = true; - - sscdSourceTSL = false; - - System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); - System.out.println("checkQCPPlus: " + checkQCPPlus); - System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); - } - else { - checkSSCD = true; - sscdSourceTSL = true; - } - - if (!checkQCFromTSL) { - - boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0)); - boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0)); - - if (checkQCP) - checkQC = true; - if (checkQcEuCompliance) - checkQC = true; - - qcSourceTSL = false; - - System.out.println("checkQCFromTSL: " + checkQCFromTSL); - System.out.println("checkQCP: " + checkQCP); - System.out.println("checkQcEuCompliance: " + checkQcEuCompliance); - - } - else { - checkQC = true; - qcSourceTSL = true; + String issuerCountryCode = null; + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int j = 0; + while(it.hasNext()) { + chain[j] = (X509Certificate)it.next(); + j++; + } + + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); } - - - - responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL); + responseBuilder.addResult(result, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode); } catch (IndexOutOfBoundsException e) { throw new MOAApplicationException( "2249", @@ -326,65 +259,7 @@ public class CMSSignatureVerificationInvoker { return responseBuilder.getResponse(); } - private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) { - boolean checkQCFromTSL = false; - try { - if (tslEnabledTrustProfile) { - if (chainlist != null) { - X509Certificate[] chain = new X509Certificate[chainlist.size()]; - - Iterator it = chainlist.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - } - } - } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } - - return checkQCFromTSL; - } - - private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) { - boolean checkSSCDFromTSL = false; - try { - if (tslEnabledTrustProfile) { - if (chainlist != null) { - X509Certificate[] chain = new X509Certificate[chainlist.size()]; - - Iterator it = chainlist.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - } - } - } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } - - return checkSSCDFromTSL; - } - + /** * Get the signed content contained either in the request itself or given as a * reference to external data. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index f44cce62a..1ea10cb4e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -79,7 +79,7 @@ public class VerifyCMSSignatureResponseBuilder { * otherwise false. * @throws MOAException */ - public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL) + public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode) throws MOAException { CertificateValidationResult certResult = @@ -104,7 +104,8 @@ public class VerifyCMSSignatureResponseBuilder { certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), checkSSCD, - sscdSourceTSL); + sscdSourceTSL, + issuerCountryCode); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 4fdb1eeb7..193495171 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -142,7 +142,8 @@ public class VerifyXMLSignatureResponseBuilder { boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, - boolean isTSLEnabledTrustprofile) + boolean isTSLEnabledTrustprofile, + String issuerCountryCode) throws MOAApplicationException { CertificateValidationResult certResult = @@ -167,7 +168,8 @@ public class VerifyXMLSignatureResponseBuilder { certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), checkSSCD, - sscdSourceTSL); + sscdSourceTSL, + issuerCountryCode); // Create HashInputData Content objects referenceDataList = result.getReferenceDataList(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index c3cc8bfe8..c90bc534a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -24,10 +24,7 @@ package at.gv.egovernment.moa.spss.server.invoke; -import at.gv.egovernment.moa.spss.util.CertificateUtils; - import iaik.ixsil.exceptions.URIException; - import iaik.ixsil.util.URI; import iaik.server.modules.IAIKException; import iaik.server.modules.IAIKRuntimeException; @@ -43,8 +40,6 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory; import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile; import iaik.server.modules.xmlverify.XMLSignatureVerificationResult; import iaik.x509.X509Certificate; -import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; -import iaik.xml.crypto.tsl.ex.TSLSearchException; import java.io.File; import java.io.FileInputStream; @@ -90,8 +85,9 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; -import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.spss.util.QCSSCDResult; import at.gv.egovernment.moa.util.CollectionUtils; import at.gv.egovernment.moa.util.Constants; @@ -211,12 +207,7 @@ public class XMLSignatureVerificationInvoker { requestElement); } - boolean sscdSourceTSL = false; - boolean qcSourceTSL = false; - - boolean checkQC = false; - boolean checkSSCD = false; - + QCSSCDResult qcsscdresult = new QCSSCDResult(); String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId(); ConfigurationProvider config = ConfigurationProvider.getInstance(); TrustProfile tp = config.getTrustProfile(tpID); @@ -242,73 +233,27 @@ public class XMLSignatureVerificationInvoker { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; } - try { - if (tp.isTSLEnabled()) { - List list = result.getCertificateValidationResult().getCertificateChain(); - if (list != null) { - X509Certificate[] chain = new X509Certificate[list.size()]; - - Iterator it = list.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); - - if (!checkSSCDFromTSL) { - - boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); - boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); - - if (checkQCPPlus) - checkSSCD = true; - if (checkQcEuSSCD) - checkSSCD = true; - - sscdSourceTSL = false; - } - else { - checkSSCD = true; - sscdSourceTSL = true; - } - - if (!checkQCFromTSL) { - - boolean checkQCP = CertificateUtils.checkQCP(chain[0]); - boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); - - if (checkQCP) - checkQC = true; - if (checkQcEuCompliance) - checkQC = true; - - qcSourceTSL = false; - } - else { - checkQC = true; - qcSourceTSL = true; - } - -// System.out.println("chain[0]: " + chain[0]); -// -// System.out.println("checkQCFromTSL: " + checkQCFromTSL); -// System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); -// System.out.println("checkQCPPlus: " + checkQCPPlus); -// System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); + + + // QC/SSCD check + List list = result.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; } - } + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled()); } - catch (TSLEngineDiedException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } catch (TSLSearchException e) { - MessageProvider msg = MessageProvider.getInstance(); - Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); - } + + // get signer certificate issuer country code + String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); + // swap back in the request as root document if (requestElement != signatureEnvironment.getElement()) { requestElement.getOwnerDocument().replaceChild( @@ -325,14 +270,9 @@ public class XMLSignatureVerificationInvoker { TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); -// System.out.println("checkQC: " + checkQC); -// System.out.println("qcSourceTSL: " + qcSourceTSL); -// System.out.println("checkSSCD: " + checkSSCD); -// System.out.println("sscdSourceTSL: " + sscdSourceTSL); // build the response - responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL, tp.isTSLEnabled()); - + responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode); return responseBuilder.getResponse(); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index 49f715cb8..07da0a998 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java @@ -83,6 +83,15 @@ public class TSLConnector implements TSLConnectorInterface { return updateAndGetQualifiedCACertificates(dateTime, null, serviceLevelStatus); } + public void updateTSLs(Date dateTime, + String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { + + if (Configurator.is_isInitialised() == false) + new TSLEngineFatalException("The TSL Engine is not initialized!"); + + updateTSLs(dateTime, null, serviceLevelStatus); + } + public ArrayList updateAndGetQualifiedCACertificates(Date dateTime, String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { @@ -326,6 +335,249 @@ public class TSLConnector implements TSLConnectorInterface { return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus); } + public void updateTSLs(Date dateTime, + String[] countries, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { + + if (Configurator.is_isInitialised() == false) + new TSLEngineFatalException("The TSL Engine is not initialized!"); + + String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload"; + +// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +// System.out.println("hashcachedir: " + hashcachedir); +// if (hashcachedir==null) +// hashcachedir = DEFAULT_HASHCACHE_DIR; + +// File hashcachefile = new File(hashcachedir); +// File[] filelist = hashcachefile.listFiles(); +// if (filelist != null) { +// for (File f : filelist) +// f.delete(); +// } + + File tsldownloadfile = new File(tsldownloaddir); + if (!tsldownloadfile.exists()) { + tsldownloadfile.mkdir(); + } + File[] tslfilelist = tsldownloadfile.listFiles(); + if (tslfilelist != null) { + for (File f : tslfilelist) + f.delete(); + } + + //create sqlLite database + File dbFile = new File(Configurator.get_TempdbFile()); + try { + dbFile.delete(); + dbFile.createNewFile(); + } catch (IOException e) { + throw new TSLEngineDiedException("Could not create temporary data base file", e); + } + + //the TSL library uses the iaik.util.logging environment. + //iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.WARN); + iaik.util.logging.Log.setLogLevel(iaik.util.logging.LogLevels.OFF); + + log.info("Starting EU TSL import."); + + // Certificates in Germany, Estonia, Greece, Cyprus, + // Lithuainia, Hungary, Poland, Finland, Norway use SURNAME + log.debug("### SURNAME registered as " + ObjectID.surName + " ###"); + RFC2253NameParser.register("SURNAME", ObjectID.surName); + + XSecProvider.addAsProvider(false); + + TSLEngine tslEngine; + TslSqlConnectionWrapper connection = null; + + try { + // register the Https JSSE Wrapper + TLS.register(); + log.trace("### Https JSSE Wrapper registered ###"); + + + log.debug("### Connect to Database.###"); + connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON); + + log.trace("### Connected ###"); + + // empty the database and recreate the tables + tslEngine = new TSLEngine(dbFile, Configurator.get_TSLWorkingDirectoryPath(), + connection, true, true); + + } catch (TSLEngineFatalException e1) { + throw new TSLEngineDiedException(e1); + + } + + // H.2.2.1 Same-scheme searching + // H.2.2.2 Known scheme searching + // H.2.2.3 "Blind" (unknown) scheme searching + Number tId = null; + Countries euTerritory = Countries.EU; + TSLImportContext topLevelTslContext = new TSLEUImportFromFileContext( + euTerritory, Configurator.get_euTSLURL(), Configurator.get_TSLWorkingDirectoryPath(), + Configurator.is_sqlMultithreaded(), + Configurator.is_throwExceptions(), Configurator.is_logExceptions(), + Configurator.is_throwWarnings(), Configurator.is_logWarnings(), + Configurator.is_nullRedundancies()); + + TSLEngineEU tslengineEU; + try { + tslengineEU = tslEngine.new TSLEngineEU(); + + } catch (TSLEngineFatalException e1) { + throw new TSLEngineDiedException(e1); + } + + // establish EU TSL trust anchor + ListIterator expectedEuTslSignerCerts = + tslEngine.loadCertificatesFromResource( + Configurator.get_euTrustAnchorsPath(), topLevelTslContext); + + log.debug("Process EU TSL"); + // process the EU TSL to receive the pointers to the other TSLs + // and the trust anchors for the TSL signers + Set> pointersToMsTSLs = null; + + try { + + tId = tslengineEU.processEUTSL(topLevelTslContext, expectedEuTslSignerCerts); + log.info("Process EU TSL finished"); + + log.debug(Thread.currentThread() + " waiting for other threads ..."); + + topLevelTslContext.waitForAllOtherThreads(); + log.debug(Thread.currentThread() + + " reactivated after other threads finished ..."); + + + // get the TSLs pointed from the EU TSL + LinkedHashMap tslMap = tslengineEU + .getOtherTslMap(tId, topLevelTslContext); + + pointersToMsTSLs = tslMap.entrySet(); + + //set Errors and Warrnings + + } catch (TSLEngineFatalRuntimeException e) { + throw new TSLEngineDiedException(topLevelTslContext.dumpFatals()); + + } catch (TSLTransactionFailedRuntimeException e) { + throw new TSLEngineDiedException(topLevelTslContext.dumpTransactionFaliures()); + } + + //Backup implementation if the EU TSL includes a false signer certificate + // establish additional trust anchors for member states +// Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = { +// Countries.CZ, +// Countries.LU, +// Countries.ES, +// Countries.AT, +// }; + Countries[] countriesWithPotentiallyWrongCertsOnEuTsl = {}; + + Map> + trustAnchorsWrongOnEuTsl = loadCertificatesFromResource( + Configurator.get_msTrustAnchorsPath(), tslEngine, topLevelTslContext, + countriesWithPotentiallyWrongCertsOnEuTsl); + + log.info("Starting EU member TSL import."); + + for (Entry entry : pointersToMsTSLs) { + + TSLImportContext msTslContext; + + Countries expectedTerritory = entry.getValue().getSchemeTerritory(); + try { + +// if (expectedTerritory.equals("RO")) +// System.out.println("Stop"); + + Number otpId = entry.getKey(); + LocationAndCertHash lac = entry.getValue(); + + URL uriReference = null; + try { + uriReference = new URL(lac.getUrl()); + + } catch (MalformedURLException e) { + log.warn("Could not process: " + uriReference, e); + continue; + } + + String baseURI = uriReference == null ? "" : "" + uriReference; + + msTslContext = new TSLImportFromFileContext( + expectedTerritory, uriReference, otpId, Configurator.get_TSLWorkingDirectoryPath(), + Configurator.is_sqlMultithreaded(), + Configurator.is_throwExceptions(), Configurator.is_logExceptions(), + Configurator.is_throwWarnings(), Configurator.is_logWarnings(), + Configurator.is_nullRedundancies(), baseURI, trustAnchorsWrongOnEuTsl, + topLevelTslContext); + + ListIterator expectedTslSignerCerts = null; + expectedTslSignerCerts = tslEngine.getCertificates(lac, msTslContext); + + if (expectedTslSignerCerts == null) { + + // no signer certificate on the EU TSL + // ignore this msTSL and log a warning + log.warn("NO signer certificate found on EU TSL! " + + lac.getSchemeTerritory() + "TSL ignored."); + + } + else { + tslEngine.processMSTSL(topLevelTslContext, msTslContext, expectedTslSignerCerts); + } + + } catch (TSLExceptionB e) { + log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory() + + " TSL ignored."); + log.debug("Failed to process TSL. " + entry, e); + continue; + } catch (TSLRuntimeException e) { + log.warn("Failed to process TSL. " + entry.getValue().getSchemeTerritory() + + " TSL ignored."); + log.debug("Failed to process TSL. " + entry, e); + continue; + } + } + + log.debug(Thread.currentThread() + " waiting for other threads ..."); + topLevelTslContext.waitForAllOtherThreads(); + + log.debug(_.dumpAllThreads()); + log.debug(Thread.currentThread() + " reactivated after other threads finished ..."); + + connection = null; + try { + connection = DbTables.connectToDatabaBase(dbFile, MODE.AUTO_COMMIT_ON); + tslEngine.recreateTablesInvalidatedByImport(connection); + + + //TODO: implement database copy operation! + File working_database = new File(Configurator.get_dbFile()); + working_database.delete(); + copy(dbFile, working_database); + + + } catch (TSLEngineFatalException e) { + throw new TSLEngineDiedException(e); + + } finally { + try { + connection.closeConnection(); + + } catch (TSLEngineFatalException e) { + throw new TSLEngineDiedException(e); + + } + } + + //return getQualifiedCACertificates(dateTime, countries, serviceLevelStatus); + } + public ArrayList getQualifiedCACertificates(Date dateTime, String[] serviceLevelStatus) throws TSLEngineDiedException, TSLSearchException { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java index 76be8217a..0cb18a08e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java @@ -33,13 +33,14 @@ import at.gv.egovernment.moa.spss.server.iaik.pki.store.truststore.TrustStorePro import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.tsl.connector.TSLConnector; import at.gv.egovernment.moa.spss.util.MessageProvider; -import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; public class TSLUpdaterTimerTask extends TimerTask { public static TSLConnector tslconnector_; + + public static ConfigurationData configData_ = null; @Override public void run() { @@ -49,10 +50,6 @@ public class TSLUpdaterTimerTask extends TimerTask { } catch (TSLEngineDiedException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - - // TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur - // Verfügung stehen? - } catch (TSLSearchException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); @@ -68,105 +65,138 @@ public class TSLUpdaterTimerTask extends TimerTask { } catch (TrustStoreException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - } catch (CertificateException e) { + } catch (FileNotFoundException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - } catch (FileNotFoundException e) { + } catch (IOException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); - } catch (IOException e) { + } catch (CertificateException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); } } - public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException { + public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, IOException { MessageProvider msg = MessageProvider.getInstance(); - //get TSl configuration - ConfigurationProvider config = ConfigurationProvider.getInstance(); - ConfigurationData configData = new IaikConfigurator().configure(config); - TSLConfiguration tslconfig = config.getTSLConfiguration(); - if (tslconfig != null) { - - Logger.info(new LogMsg(msg.getMessage("config.42", null))); + //TrustProfile tp = null; + TrustStoreProfile tsp = null; + StoreUpdater storeUpdater = null; + TransactionId tid = null; + + //get TSl configuration + ConfigurationProvider config = ConfigurationProvider.getInstance(); + if (configData_ == null) + configData_ = new IaikConfigurator().configure(config); - // get certstore parameters - CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters(); + TSLConfiguration tslconfig = config.getTSLConfiguration(); + if (tslconfig != null) { - // iterate over all truststores - Map mapTrustProfiles = config.getTrustProfiles(); - Iterator it = mapTrustProfiles.entrySet().iterator(); - while (it.hasNext()) { - Map.Entry pairs = (Map.Entry)it.next(); - TrustProfile tp = (TrustProfile) pairs.getValue(); - if (tp.isTSLEnabled()) { - TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId()); - TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1]; - trustStoreProfiles[0] = tsp; - - Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()}))); - - TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId()); - ArrayList tsl_certs = null; - if (StringUtils.isEmpty(tp.getCountries())) { - Logger.debug(new LogMsg(msg.getMessage("config.44", null))); - - // get certificates from TSL from all countries - tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"}); - } - else { - Logger.debug(new LogMsg(msg.getMessage("config.44", null))); - // get selected countries as array - String countries = tp.getCountries(); - String[] array = countries.split(","); - for (int i = 0; i < array.length; i++) - array[i] = array[i].trim(); - - // get certificates from TSL from given countries - tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"}); - } - - // create store updater for each TSL enabled truststore - Logger.debug(new LogMsg(msg.getMessage("config.45", null))); - StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); - - - // delete files in trustprofile - File ftp = new File(tp.getUri()); - File[] files = ftp.listFiles(); - for (File file : files) - file.delete(); + tslconnector_.updateTSLs(new Date(), new String[]{"accredited","undersupervision"}); + + Logger.info(new LogMsg(msg.getMessage("config.42", null))); + + // get certstore parameters + CertStoreParameters[] certStoreParameters = configData_.getPKIConfiguration().getCertStoreConfiguration().getParameters(); - // convert ArrayList to X509Certificate[] - X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()]; - Iterator itcert = tsl_certs.iterator(); - int i = 0; - while(itcert.hasNext()) { - File f = (File)itcert.next(); - X509Certificate cert = new X509Certificate(new FileInputStream(f)); - addCertificates[i] = cert; + // iterate over all truststores + Map mapTrustProfiles = config.getTrustProfiles(); + Iterator it = mapTrustProfiles.entrySet().iterator(); + while (it.hasNext()) { + Map.Entry pairs = (Map.Entry)it.next(); + TrustProfile tp = (TrustProfile) pairs.getValue(); + if (tp.isTSLEnabled()) { + tsp = new TrustStoreProfileImpl(config, tp.getId()); + TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1]; + trustStoreProfiles[0] = tsp; + + Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()}))); + + tid = new TransactionId("TSLConfigurator-" + tp.getId()); + ArrayList tsl_certs = null; + if (StringUtils.isEmpty(tp.getCountries())) { + Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + + // get certificates from TSL from all countries + tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"}); + } + else { + Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + // get selected countries as array + String countries = tp.getCountries(); + String[] array = countries.split(","); + for (int i = 0; i < array.length; i++) + array[i] = array[i].trim(); + + // get certificates from TSL from given countries + tsl_certs = tslconnector_.getQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"}); + } + + // create store updater for each TSL enabled truststore + Logger.debug(new LogMsg(msg.getMessage("config.45", null))); + storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); + + // delete files in trustprofile + + File ftp = new File(tp.getUri()); + File[] files = ftp.listFiles(); + X509Certificate[] removeCertificates = new X509Certificate[files.length]; + int i = 0; + for (File file : files) { + FileInputStream fis = new FileInputStream(file); + removeCertificates[i] = new X509Certificate(fis); + i++; + fis.close(); + //file.delete(); + } + + // remove all certificates + storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid); + storeUpdater.removeCertificatesFromCertStores(removeCertificates, tid); + - i++; + // copy files from original trustAnchorsLocURI into tslworking trust profile + File src = new File(tp.getUriOrig()); + files = src.listFiles(); + X509Certificate[] addCertificates = new X509Certificate[files.length]; + i = 0; + for (File file : files) { + FileInputStream fis = new FileInputStream(file); + addCertificates[i] = new X509Certificate(fis); + //FileUtils.copyFile(file, new File(tp.getUri(), file.getName())); + i++; + fis.close(); + } + + // convert ArrayList to X509Certificate[] + X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()]; + Iterator itcert = tsl_certs.iterator(); + i = 0; + File f = null; + while(itcert.hasNext()) { + f = (File)itcert.next(); + FileInputStream fis = new FileInputStream(f); + X509Certificate cert = new X509Certificate(fis); + addCertificatesTSL[i] = cert; + + i++; + fis.close(); + } + + Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid); + storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid); + + Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificates, tid); + storeUpdater.addCertificatesToCertStores(addCertificates, tid); + + } - - - // copy files from original trustAnchorsLocURI into tslworking trust profile - File src = new File(tp.getUriOrig()); - files = src.listFiles(); - for (File file : files) { - FileUtils.copyFile(file, new File(tp.getUri(), file.getName())); - } - - Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); - storeUpdater.addCertificatesToTrustStores(addCertificates, tid); - storeUpdater.addCertificatesToCertStores(addCertificates, tid); - - } } - } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java new file mode 100644 index 000000000..544ea916c --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java @@ -0,0 +1,286 @@ +package at.gv.egovernment.moa.spss.util; + +import iaik.asn1.ObjectID; +import iaik.asn1.structures.Name; +import iaik.asn1.structures.PolicyInformation; +import iaik.utils.RFC2253NameParser; +import iaik.utils.RFC2253NameParserException; +import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; +import iaik.x509.extensions.CertificatePolicies; +import iaik.x509.extensions.qualified.QCStatements; +import iaik.x509.extensions.qualified.structures.QCStatement; +import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance; +import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD; +import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; +import iaik.xml.crypto.tsl.ex.TSLSearchException; + +import java.security.Principal; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; + +public class CertificateUtils { + + + /** + * Verifies if the given certificate contains QCP+ statement + * @param cert X509Certificate + * @return true if the given certificate contains QCP+ statement, else false + */ + private static boolean checkQCPPlus(X509Certificate cert) { + Logger.debug("Checking QCP+ extension"); + String OID_QCPPlus = "0.4.0.1456.1.1"; + try { + CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid); + if (certPol == null) { + Logger.debug("No CertificatePolicies extension found"); + return false; + } + + PolicyInformation[] polInfo = certPol.getPolicyInformation(); + if (polInfo == null) { + Logger.debug("No policy information found"); + return false; + } + + for (int i = 0; i < polInfo.length; i++) { + ObjectID oid = polInfo[i].getPolicyIdentifier(); + String oidStr = oid.getID(); + if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) { + Logger.debug("QCP+ extension found"); + return true; + } + } + + Logger.debug("No QCP+ extension found"); + + return false; + } catch (X509ExtensionInitException e) { + Logger.debug("No QCP+ extension found"); + + return false; + } + + } + + /** + * Verifies if the given certificate contains QCP statement + * @param cert X509Certificate + * @return true if the given certificate contains QCP statement, else false + */ + private static boolean checkQCP(X509Certificate cert) { + Logger.debug("Checking QCP extension"); + String OID_QCP = "0.4.0.1456.1.2"; + try { + CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid); + if (certPol == null) { + Logger.debug("No CertificatePolicies extension found"); + return false; + } + + PolicyInformation[] polInfo = certPol.getPolicyInformation(); + if (polInfo == null) { + Logger.debug("No policy information found"); + return false; + } + + for (int i = 0; i < polInfo.length; i++) { + ObjectID oid = polInfo[i].getPolicyIdentifier(); + String oidStr = oid.getID(); + if (oidStr.compareToIgnoreCase(OID_QCP) == 0) { + Logger.debug("QCP extension found"); + return true; + } + + } + + Logger.debug("No QCP extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QCP extension found"); + return false; + } + + } + + /** + * Verifies if the given certificate contains QcEuCompliance statement + * @param cert X509Certificate + * @return true if the given certificate contains QcEuCompliance statement, else false + */ + private static boolean checkQcEuCompliance(X509Certificate cert) { + Logger.debug("Checking QcEUCompliance extension"); + try { + QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid); + + if (qcStatements == null) { + Logger.debug("No QcStatements extension found"); + return false; + } + + QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID); + + if (qcEuCompliance != null) { + Logger.debug("QcEuCompliance extension found"); + return true; + } + + Logger.debug("No QcEuCompliance extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QcEuCompliance extension found"); + return false; + } + + } + + /** + * Verifies if the given certificate contains QcEuSSCD statement + * @param cert X509Certificate + * @return true if the given certificate contains QcEuSSCD statement, else false + */ + private static boolean checkQcEuSSCD(X509Certificate cert) { + Logger.debug("Checking QcEuSSCD extension"); + try { + QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid); + if (qcStatements == null) { + Logger.debug("No QcStatements extension found"); + return false; + } + + QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID); + + if (qcEuSSCD != null) { + Logger.debug("QcEuSSCD extension found"); + return true; + } + + Logger.debug("No QcEuSSCD extension found"); + return false; + + } catch (X509ExtensionInitException e) { + Logger.debug("No QcEuSSCD extension found"); + return false; + } + + } + + public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) { + + boolean qc = false; + boolean qcSourceTSL = false; + boolean sscd = false; + boolean sscdSourceTSL = false; + + try { + + if (isTSLenabledTrustprofile) { + // perform QC check via TSL + boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); + if (!checkQCFromTSL) { + // if QC check via TSL returns false + // try certificate extensions QCP and QcEuCompliance + Logger.debug("QC check via TSL returned false - checking certificate extensions"); + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP || checkQcEuCompliance) { + Logger.debug("Certificate is QC (Source: Certificate)"); + qc = true; + } + + qcSourceTSL = false; + } + else { + // use TSL result + Logger.debug("Certificate is QC (Source: TSL)"); + qc = true; + qcSourceTSL = true; + } + + // perform SSCD check via TSL + boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + if (!checkSSCDFromTSL) { + // if SSCD check via TSL returns false + // try certificate extensions QCP+ and QcEuSSCD + Logger.debug("SSCD check via TSL returned false - checking certificate extensions"); + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus || checkQcEuSSCD) { + Logger.debug("Certificate is SSCD (Source: Certificate)"); + sscd = true; + } + + sscdSourceTSL = false; + } + else { + // use TSL result + Logger.debug("Certificate is SSCD (Source: TSL)"); + sscd = true; + sscdSourceTSL = true; + } + + } + else { + // Trustprofile is not TSL enabled - use certificate extensions only + + // perform QC check + // try certificate extensions QCP and QcEuCompliance + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP || checkQcEuCompliance) + qc = true; + + qcSourceTSL = false; + + // perform SSCD check + // try certificate extensions QCP+ and QcEuSSCD + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus || checkQcEuSSCD) + sscd = true; + + sscdSourceTSL = false; + } + } + catch (TSLEngineDiedException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } catch (TSLSearchException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } + + QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL); + + return result; + } + + /** + * Gets the country from the certificate issuer + * @param cert X509 certificate + * @return Country code from the certificate issuer + */ + public static String getIssuerCountry(X509Certificate cert) { + String country = null; + Principal issuerdn = cert.getIssuerX500Principal(); + RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName()); + + try { + Name name = nameParser.parse(); + country = name.getRDN(ObjectID.country); + } catch (RFC2253NameParserException e) { + Logger.warn("Could not get country code from issuer."); + } + + + return country; + } +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java new file mode 100644 index 000000000..99af84308 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/QCSSCDResult.java @@ -0,0 +1,37 @@ +package at.gv.egovernment.moa.spss.util; + +public class QCSSCDResult { + + private boolean qc; + private boolean qcSourceTSL; + + private boolean sscd; + private boolean sscdSourceTSL; + + public QCSSCDResult() { + this.qc = false; + this.qcSourceTSL = false; + this.sscd = false; + this.sscdSourceTSL = false; + } + + public QCSSCDResult(boolean qc, boolean qcSourceTSL, boolean sscd, boolean sscdSourceTSL) { + this.qc = qc; + this.qcSourceTSL = qcSourceTSL; + this.sscd = sscd; + this.sscdSourceTSL = sscdSourceTSL; + } + + public boolean isQC() { + return this.qc; + } + public boolean isQCSourceTSL() { + return this.qcSourceTSL; + } + public boolean isSSCD() { + return this.sscd; + } + public boolean isSSCDSourceTSL() { + return this.sscdSourceTSL; + } +} -- cgit v1.2.3