From 1ad814ccbbe4f65f430ac738104e3f3c8256c229 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Tue, 16 Apr 2013 14:44:08 +0200 Subject: Update digest algorithm, XAdES version, whitelisting --- .../server/config/ConfigurationPartsBuilder.java | 103 +++++++++++++- .../spss/server/config/ConfigurationProvider.java | 35 ++++- .../moa/spss/server/config/KeyGroup.java | 16 ++- .../xmlsign/XMLSignatureCreationProfileImpl.java | 156 +++++++++++++++++---- .../invoke/XMLSignatureCreationProfileFactory.java | 89 ++++++++++-- .../moa/spss/util/ExternalURIVerifier.java | 45 +++++- 6 files changed, 390 insertions(+), 54 deletions(-) (limited to 'spss/server/serverlib/src/main/java/at/gv') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 09f496c74..e335139aa 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -101,6 +101,10 @@ public class ConfigurationPartsBuilder { ROOT + CONF + "SignatureCreation/" + CONF + "XMLDSig/" + CONF + "DigestMethodAlgorithm"; + private static final String XADES_VERSION_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "XAdES/" + + CONF + "Version"; private static final String C14N_ALGORITHM_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "XMLDSig/" @@ -115,6 +119,13 @@ public class ConfigurationPartsBuilder { ROOT + CONF + "Common/" + CONF + "PermitExternalUris/" + CONF + "BlackListUri"; + private static final String FORBID_EXTERNAL_URIS_XPATH = + ROOT + CONF + "Common/" + + CONF + "ForbidExternalUris"; + private static final String WHITE_LIST_URIS_XPATH = + ROOT + CONF + "Common/" + + CONF + "ForbidExternalUris/" + + CONF + "WhiteListUri"; private static final String HARDWARE_KEY_XPATH = ROOT + CONF + "SignatureCreation/" @@ -263,15 +274,19 @@ public class ConfigurationPartsBuilder { /** The accepted digest method algorithm URIs, as an array */ private static final String[] ACCEPTED_DIGEST_ALGORITHMS_ARRAY = - { Constants.SHA1_URI }; + { Constants.SHA1_URI, + Constants.SHA256_URI, + Constants.SHA384_URI, + Constants.SHA512_URI}; /** The accepted digest method algorithm URIs, as a Set */ private static final Set ACCEPTED_DIGEST_ALGORITHMS = new HashSet(Arrays.asList(ACCEPTED_DIGEST_ALGORITHMS_ARRAY)); - + + /** Default digest algorithm URI, if none/illegal has been configured */ private static final String DIGEST_ALGORITHM_DEFAULT = Constants.SHA1_URI; - + /** The root element of the MOA configuration */ private Element configElem; @@ -333,7 +348,7 @@ public class ConfigurationPartsBuilder { public String getDigestMethodAlgorithmName() { String digestMethod = getElementValue(getConfigElem(), DIGEST_METHOD_XPATH, null); - + if (digestMethod == null || !ACCEPTED_DIGEST_ALGORITHMS.contains(digestMethod)) { info( @@ -344,7 +359,20 @@ public class ConfigurationPartsBuilder { return digestMethod; } - + + /** + * Returns the digest method algorithm name. + * + * @return The digest method algorithm name from the configuration. + */ + public String getXAdESVersion() + { + String xadesVersion = getElementValue(getConfigElem(), XADES_VERSION_XPATH, null); + + return xadesVersion; + } + + /** * Returns the canonicalization algorithm name. * @@ -409,6 +437,7 @@ public class ConfigurationPartsBuilder { } } + /** * * @return @@ -448,10 +477,12 @@ public class ConfigurationPartsBuilder { array[1] = port; blacklist.add(array); - } + } + // set blacklist for iaik-moa ExternalReferenceChecker.setBlacklist(blackListIaikMoa); + if(blacklist.isEmpty()) // no blacklisted uris given info("config.36", null); @@ -459,7 +490,64 @@ public class ConfigurationPartsBuilder { return blacklist; } + + /** + * + * @return + */ + public List buildForbidExternalUris() { + + //info("config.47", null); + + List whitelist = new ArrayList(); + List whiteListIaikMoa = new ArrayList(); + + NodeIterator forbidExtIter = XPathUtils.selectNodeIterator( + getConfigElem(), + WHITE_LIST_URIS_XPATH); + + Element permitExtElem = null; + while ((permitExtElem = (Element) forbidExtIter.nextNode()) != null) { + String host = getElementValue(permitExtElem, CONF + "IP", null); + String port = getElementValue(permitExtElem, CONF + "Port", null); + + // TODO WhiteListeEntry +// WhiteListEntry entry =null; + if (port == null) { +// entry = new WhiteListEntry(host, -1); + info("config.49", new Object[]{host}); + } + else { +// entry = new WhiteListEntry(host, new Integer(port).intValue()); + info("config.49", new Object[]{host + ":" + port}); + } +// +// // add entry to iaik-moa whitelist +// whiteListIaikMoa.add(entry); + + + String array[] = new String[2]; + array[0] = host; + array[1] = port; + whitelist.add(array); + + } + + + // set whitelist for iaik-moa + // TODO +// ExternalReferenceChecker.setWhitelist(whiteListIaikMoa); + + + if(whitelist.isEmpty()) // no whitelisted uris given + info("config.48", null); + + + return whitelist; + } + + /** * Build the configured hardware keys. * @@ -573,9 +661,10 @@ public class ConfigurationPartsBuilder { while ((keyGroupElem = (Element) kgIter.nextNode()) != null) { String keyGroupId = getElementValue(keyGroupElem, CONF + "Id", null); + String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null); Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); - KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries); + KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm); if (keyGroups.containsKey(keyGroupId)) { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 25fa0d6ad..b40a6bfa5 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -99,7 +99,10 @@ public class ConfigurationProvider /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; - + + /** The XAdES version used for signature creation */ + private String xadesVersion; + /** * A List of HardwareCryptoModule objects for * configuring hardware modules. @@ -251,6 +254,11 @@ public class ConfigurationProvider */ private List blackListedUris_; + /** + * A List of white listed URIs (host and port) + */ + private List whiteListedUris_; + /** * A TSLConfiguration that represents the global TSL configuration */ @@ -351,6 +359,8 @@ public class ConfigurationProvider keyGroups = builder.buildKeyGroups(allKeyModules); keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); + + xadesVersion = builder.getXAdESVersion(); defaultChainingMode = builder.getDefaultChainingMode(); chainingModes = builder.buildChainingModes(); useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess(); @@ -382,11 +392,14 @@ public class ConfigurationProvider allowExternalUris_= builder.allowExternalUris(); - if (allowExternalUris_) + if (allowExternalUris_) { blackListedUris_ = builder.buildPermitExternalUris(); + whiteListedUris_ = null; + } else { info("config.35", null); blackListedUris_ = null; + whiteListedUris_ = builder.buildForbidExternalUris(); } @@ -457,6 +470,16 @@ public class ConfigurationProvider return digestMethodAlgorithmName; } + /** + * Return the XAdES version used for signature creation. + * + * @return The XAdES version used for signature creation, or an empty String, + * if none has been configured. + */ + public String getXAdESVersion() { + return xadesVersion; + } + public boolean getAllowExternalUris() { return this.allowExternalUris_; } @@ -464,6 +487,9 @@ public class ConfigurationProvider public List getBlackListedUris() { return this.blackListedUris_; } + public List getWhiteListedUris() { + return this.whiteListedUris_; + } /** * Return the name of the canonicalization algorithm used during signature @@ -515,6 +541,11 @@ public class ConfigurationProvider public Map getKeyGroups() { return keyGroups; } + + public KeyGroup getKeyGroup(String keyGroupId) { + KeyGroup keyGroup = (KeyGroup) keyGroups.get(keyGroupId); + return keyGroup; + } /** * Return the set of KeyGroupEntrys of a given key group, which a diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index 22ed8ae83..c2490f9a3 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java @@ -40,16 +40,20 @@ public class KeyGroup { private Set keyGroupEntries; /** The key group ID. */ private String id; + /** The digest method algorithm for the key group */ + private String digestMethodAlgorithm; /** * Create a KeyGroup. * * @param id The ID of this KeyGroup. * @param keyGroupEntries The keys belonging to this KeyGroup. + * @param digestMethodAlgorithm The signature algorithm used for this key group */ - public KeyGroup(String id, Set keyGroupEntries) { + public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) { this.id = id; this.keyGroupEntries = keyGroupEntries; + this.digestMethodAlgorithm = digestMethodAlgorithm; } /** @@ -60,6 +64,14 @@ public class KeyGroup { public Set getKeyGroupEntries() { return keyGroupEntries; } + + /** + * Returnd the digest method algorithm used for this key group + * @return The digest method signature algorithm used for this key group + */ + public String getDigestMethodAlgorithm() { + return digestMethodAlgorithm; + } /** * Return the ID of this KeyGroup. @@ -87,7 +99,7 @@ public class KeyGroup { sb.append(" " + i.next()); } } - return "(KeyGroup - ID:" + id + " " + sb.toString() + ")"; + return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " + digestMethodAlgorithm; } } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 9b5dce883..479f0aac9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -24,9 +24,6 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign; -import java.util.List; -import java.util.Set; - import iaik.server.modules.algorithms.SignatureAlgorithms; import iaik.server.modules.keys.AlgorithmUnavailableException; import iaik.server.modules.keys.KeyEntryID; @@ -37,6 +34,10 @@ import iaik.server.modules.xml.Canonicalization; import iaik.server.modules.xmlsign.XMLSignatureCreationProfile; import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation; +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -75,7 +76,10 @@ public class XMLSignatureCreationProfileImpl private IdGenerator dsigManifestIDGenerator; /** The ID generator for signed property IDs. */ private IdGenerator propertyIDGenerator; - + /** The selected digest method algorithm if XAdES 1.4.2 is used */ + private String digestMethodXAdES142; + + /** * Create a new XMLSignatureCreationProfileImpl. * @@ -86,7 +90,8 @@ public class XMLSignatureCreationProfileImpl */ public XMLSignatureCreationProfileImpl( int createProfileCount, - Set reservedIDs) { + Set reservedIDs, + String digestMethodXAdES142) { signatureIDGenerator = new IdGenerator("signature-" + createProfileCount, reservedIDs); manifestIDGenerator = @@ -95,6 +100,7 @@ public class XMLSignatureCreationProfileImpl new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs); propertyIDGenerator = new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); + this.digestMethodXAdES142 = digestMethodXAdES142; } /** @@ -168,27 +174,127 @@ public class XMLSignatureCreationProfileImpl e, null); } - - if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) // TODO retournierten Algorithmus abhängig von der Schlüssellänge machen (bei längeren Schlüsseln SHA256 statt SHA1) - || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { - - return SignatureAlgorithms.SHA1_WITH_RSA; - } else if ( - algorithms.contains(SignatureAlgorithms.ECDSA)) { - return SignatureAlgorithms.ECDSA; - } else if ( - algorithms.contains(SignatureAlgorithms.DSA)) { - return SignatureAlgorithms.DSA; - } else { - throw new AlgorithmUnavailableException( - "No algorithm for key entry: " + selectedKeyID, - null, - null); + + if (digestMethodXAdES142 == null) { + // XAdES 1.4.2 not enabled - legacy MOA + if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + + return SignatureAlgorithms.SHA1_WITH_RSA; + } else if ( + algorithms.contains(SignatureAlgorithms.ECDSA)) { + return SignatureAlgorithms.ECDSA; + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + // XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method + if (digestMethodXAdES142.compareTo("SHA-1") == 0) { + Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); + if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) //? + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) //? + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA_OLD) //? + || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.WHIRLPOOL_WITH_RSA)) { //? + + return SignatureAlgorithms.SHA1_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.ECDSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_ECDSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_ECDSA_PLAIN) + || algorithms.contains(SignatureAlgorithms.WHIRLPOOL_WITH_ECDSA) + || algorithms.contains(SignatureAlgorithms.SHA1_WITH_ECDSA_PLAIN)) { + return SignatureAlgorithms.ECDSA; + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA224_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + + return SignatureAlgorithms.SHA256_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA224_WITH_ECDSA) + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA) + || algorithms.contains(SignatureAlgorithms.SHA224_WITH_ECDSA_PLAIN) + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA_PLAIN)) { + return SignatureAlgorithms.SHA256_WITH_ECDSA; + + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + + return SignatureAlgorithms.SHA384_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA_PLAIN)) { + return SignatureAlgorithms.SHA384_WITH_ECDSA; + + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + + return SignatureAlgorithms.SHA512_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA_PLAIN)) { + return SignatureAlgorithms.SHA512_WITH_ECDSA; + + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + throw new AlgorithmUnavailableException( + "No signature algorithm found for digest algorithm '" + digestMethodXAdES142, + null, + null); + } + } + + } /** diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index 5c4a2c76a..d1281c1f1 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo; import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.KeyGroup; import at.gv.egovernment.moa.spss.server.config.KeyGroupEntry; import at.gv.egovernment.moa.spss.server.iaik.xml.CanonicalizationImpl; import at.gv.egovernment.moa.spss.server.iaik.xmlsign.DataObjectTreatmentImpl; @@ -83,6 +84,9 @@ public class XMLSignatureCreationProfileFactory { static { HASH_ALGORITHM_MAPPING = new HashMap(); HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); + HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); + HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); + HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512); } /** The CreateXMLSignatureRequest for which to create the @@ -129,18 +133,62 @@ public class XMLSignatureCreationProfileFactory { HashSet allReservedIDs = new HashSet(reserved); allReservedIDs.addAll(sigInfoReservedIDs); - XMLSignatureCreationProfileImpl profile = - new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs); TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); ConfigurationProvider config = context.getConfiguration(); CanonicalizationImpl canonicalization; List dataObjectTreatmentList; - String keyGroupID; Set keySet; List transformationSupplements; List createTransformsProfiles; + // get the key group id + String keyGroupID = request.getKeyIdentifier(); + // get digest method on key group level (if configured) + String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) + String configDigestMethod = config.getDigestMethodAlgorithmName(); + + String xadesVersion = config.getXAdESVersion(); + + String digestMethodXAdES142 = null; + boolean isXAdES142 = false; + // if XAdES Version 1.4.2 is configured + if (xadesVersion != null && xadesVersion.compareTo("1.4.2") == 0) { + isXAdES142 = true; + Logger.debug("XAdES version '" + xadesVersion + "' used"); + } + + if (isXAdES142) { + if (configDigestMethodKG != null) { + // if KG specific digest method is configured + digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); + if (digestMethodXAdES142 == null) { + error( + "config.17", + new Object[] { configDigestMethodKG}); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(configured in KeyGroup)"); + } + else { + // else get default configured digest method + digestMethodXAdES142 = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); + if (digestMethodXAdES142 == null) { + error( + "config.17", + new Object[] { configDigestMethod}); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethodXAdES142 + "(default)"); + + } + } + + XMLSignatureCreationProfileImpl profile = + new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + + // build the transformation supplements createTransformsProfiles = getCreateTransformsInfoProfiles(singleSignatureInfo); @@ -153,11 +201,11 @@ public class XMLSignatureCreationProfileFactory { singleSignatureInfo, createTransformsProfiles, transformationSupplements, - allReservedIDs); + allReservedIDs, + digestMethodXAdES142); profile.setDataObjectTreatmentList(dataObjectTreatmentList); // set the key set - keyGroupID = request.getKeyIdentifier(); keySet = buildKeySet(keyGroupID); if (keySet == null) { throw new MOAApplicationException("2231", null); @@ -184,7 +232,7 @@ public class XMLSignatureCreationProfileFactory { canonicalization = new CanonicalizationImpl(config.getCanonicalizationAlgorithmName()); profile.setSignedInfoCanonicalization(canonicalization); - + // set the signed properties profile.setSignedProperties(Collections.EMPTY_LIST); @@ -299,7 +347,8 @@ public class XMLSignatureCreationProfileFactory { SingleSignatureInfo singleSignatureInfo, List createTransformsInfoProfiles, List transformationSupplements, - Set reservedIDs) + Set reservedIDs, + String digestMethodXAdES142) throws MOASystemException, MOAApplicationException { TransactionContext context = @@ -329,15 +378,25 @@ public class XMLSignatureCreationProfileFactory { treatment.setTransformationList(buildTransformationList(profile)); treatment.setReferenceInManifest(dataObjInfo.isChildOfManifest()); - hashAlgorithmName = - (String) HASH_ALGORITHM_MAPPING.get( - config.getDigestMethodAlgorithmName()); - if (hashAlgorithmName == null) { - error( - "config.17", - new Object[] { config.getDigestMethodAlgorithmName()}); - throw new MOASystemException("2900", null); + // if XAdES version is 1.4.2 + if (digestMethodXAdES142 != null) { + // use configured digest algorithm + hashAlgorithmName = digestMethodXAdES142; + } + else { + // stay as it is + hashAlgorithmName = (String) HASH_ALGORITHM_MAPPING.get( + config.getDigestMethodAlgorithmName()); + if (hashAlgorithmName == null) { + error( + "config.17", + new Object[] { config.getDigestMethodAlgorithmName()}); + throw new MOASystemException("2900", null); + } } + + + treatment.setHashAlgorithmName(hashAlgorithmName); treatment.setIncludedInSignature( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java index dafb89f16..219bb7cdf 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -26,12 +26,14 @@ public class ExternalURIVerifier { boolean allowExternalUris = config.getAllowExternalUris(); List blacklist = config.getBlackListedUris(); + List whitelist = config.getWhiteListedUris(); InetAddress hostInetAddress = InetAddress.getByName(host); String ip = hostInetAddress.getHostAddress(); if (allowExternalUris) { + // external URIs are allowed - check blacklist Iterator it = blacklist.iterator(); while (it.hasNext()) { String[] array = (String[])it.next(); @@ -55,9 +57,46 @@ public class ExternalURIVerifier { } } } - else { - Logger.debug(new LogMsg("No external URIs allowed (" + host + ")")); - throw new MOAApplicationException("4001", new Object[]{host}); + else { + // external uris are forbidden - check whitelist + Iterator it = whitelist.iterator(); + boolean allowed = false; + while (it.hasNext()) { + String[] array = (String[])it.next(); + String bhost = array[0]; + String bport = array[1]; + if (bport == null || port == -1) { + // check only host + if (ip.startsWith(bhost)) { + Logger.debug(new LogMsg("Whitelist check: " + host + " (" + ip + ") whitelisted")); + allowed = true; + //throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"}); + } + } + else { + // check host and port + int iport = new Integer(bport).intValue(); + if (ip.startsWith(bhost) && (iport == port)) { + Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port + " whitelisted")); + //throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"}); + allowed = true; + } + + } + } + + if (!allowed) { + if (port != -1) { + Logger.debug(new LogMsg("No external URIs allowed (" + host + ")")); + throw new MOAApplicationException("4001", new Object[]{host + "(" + ip + ")"}); + } + else { + Logger.debug(new LogMsg("No external URIs allowed (" + host + ":" + port + ")")); + throw new MOAApplicationException("4001", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"}); + } + + } + } Logger.debug(new LogMsg("URI allowed: " + ip + ":" + port)); -- cgit v1.2.3